AWS IReveal MCP server

Integrates with AWS security services to enable incident response and investigation through CloudTrail logs, Athena queries, CloudWatch events, GuardDuty findings, and IAM Access Analyzer for comprehensive security event analysis and threat detection.
Provider: Bruce Huang
Release date: May 15, 2025
Language: JavaScript
Stats: 7 stars

AWS-IReveal-MCP is a Model Context Protocol (MCP) server that provides security teams and incident responders with a unified interface to AWS services for investigation purposes. It allows you to run queries and analyses across multiple AWS services directly from any MCP client like Claude Desktop or Cline, streamlining your security investigation workflow.

Features

AWS-IReveal-MCP integrates with these AWS services:

  • CloudTrail — Management event logs for API activity
  • Amazon Athena — SQL queries over CloudTrail logs
  • CloudWatch — Operational logs and ad hoc analysis
  • Amazon GuardDuty — Threat detection and finding investigation
  • AWS Config — Resource configuration history and compliance status
  • VPC Flow Logs — Network traffic metadata for forensic analysis
  • Network Access Analyzer — Reachability checks across SG/NACL/VPC
  • IAM Access Analyzer — Policy and resource-based access findings

Installation

Prerequisites

Before installing AWS-IReveal-MCP, ensure you have:

  • Python 3
  • MCP Python SDK (mcp[cli])
  • boto3 (AWS SDK for Python)
  • AWS credentials configured

Setup

  1. Install the required packages:

    pip install "mcp[cli]" boto3

  2. Configure your AWS credentials if you haven't already:

    aws configure

Configuration

Add the following configuration to your MCP client's settings file:

{
  "mcpServers": {
    "aws-ireveal": {
      "command": "uv",
      "args": [
        "run",
        "/path/to/aws-ireveal-mcp/server.py"
      ],
      "env": {
        "AWS_PROFILE": "<YOUR_PROFILE>"
      }
    }
  }
}

Replace /path/to/aws-ireveal-mcp/server.py with the actual path to the server script and <YOUR_PROFILE> with your AWS profile name.

Usage

Example Prompts

You can use natural language prompts in your MCP client to interact with AWS services. Here are some examples:

  • Analyze IP activity:

    analyze activity by IP x.x.x.x in the last 5 days
    
  • Monitor role activity:

    analyze activity by role 'sysadmin' in the last 24 hours
    
  • Investigate CloudTrail:

    investigate suspicious activity on cloudtrail in the last 7 days on us-west-2
    
  • Check data events:

    is there any data event on buckets with name containing 'customers' in the last 7 days?
    
  • Analyze CloudWatch logs:

    investigate cloudwatch logs related to Bedrock
    
  • Review GuardDuty findings:

    propose remediations for GuardDuty findings with high risk happened in the last 2 days
    
  • Check compliance:

    identify non-compliant resources, explain violated rules, and suggest remediation
    

How to add this MCP server to Cursor

There are two ways to add an MCP server to Cursor. The most common way is to add the server globally in the ~/.cursor/mcp.json file so that it is available in all of your projects.

If you only need the server in a single project, you can add it to the project instead by creating or adding it to the .cursor/mcp.json file.

Adding an MCP server to Cursor globally

To add a global MCP server go to Cursor Settings > MCP and click "Add new global MCP server".

When you click that button the ~/.cursor/mcp.json file will be opened and you can add your server like this:

{
    "mcpServers": {
        "cursor-rules-mcp": {
            "command": "npx",
            "args": [
                "-y",
                "cursor-rules-mcp"
            ]
        }
    }
}

Adding an MCP server to a project

To add an MCP server to a project you can create a new .cursor/mcp.json file or add it to the existing one. This will look exactly the same as the global MCP server example above.

How to use the MCP server

Once the server is installed, you might need to head back to Settings > MCP and click the refresh button.

The Cursor agent will then be able to see the tools the added MCP server provides and will call them when it needs to.

You can also explicitly ask the agent to use a tool by mentioning the tool name and describing what the function does.
