
AWS IReveal MCP Server

MCP server for incident response in AWS

Installation
Add the following to your MCP client configuration file.

Configuration

```
{
  "mcpServers": {
    "brucedh-aws-ireveal-mcp": {
      "command": "uv",
      "args": [
        "--directory",
        "/path_to_your/aws-ireveal-mcp",
        "run",
        "server.py"
      ],
      "env": {
        "AWS_PROFILE": "<YOUR_PROFILE>"
      }
    }
  }
}
```

AWS‑IReveal‑MCP is a Model Context Protocol server that unifies access to AWS services for security investigations. By connecting it to an MCP client, you can run queries and analyses across CloudTrail, Athena, CloudWatch, GuardDuty, Config, VPC Flow Logs, Network Access Analyzer, and IAM Access Analyzer from your ML/ILI workspace, enabling you to trace activity, inspect data events, search logs, surface alerts, and verify network reachability in a consolidated interface.

How to use

Connect the server to your MCP client to start investigative queries across AWS services. Use natural prompts or structured intent to explore activity timelines, inspect specific roles or IPs, search for data events, review GuardDuty findings, and check network reachability. Typical workflows include tracing who did what, when, and where, examining detailed log data across multiple services, and proposing remediations for high-risk findings.

How to install

Prerequisites you need to prepare before running the server.

```
curl -Ls https://astral.sh/uv/install.sh | sh
```

```
git clone https://github.com/Brucedh/aws-ireveal-mcp.git
cd aws-ireveal-mcp
uv venv
source .venv/bin/activate
```

Configuration and run instructions

Configure your MCP client to connect to the AWS‑IReveal‑MCP server using the following settings. This configuration runs the server via uv from a local directory you specify.

```
{
  "mcpServers": {
    "aws-ireveal": {
      "command": "uv",
      "args": [
        "--directory",
        "/path_to_your/aws-ireveal-mcp",
        "run",
        "server.py"
      ],
      "env": {
        "AWS_PROFILE": "<YOUR_PROFILE>"
      }
    }
  }
}
```

Notes on usage and environment

- Ensure you replace /path_to_your/aws-ireveal-mcp with the actual path to your cloned repository.
- Set AWS_PROFILE to the AWS CLI profile you want the MCP server to use.
- Start the MCP client after configuring to establish a session with the server.
- The server exposes multiple AWS services through a unified interface for investigation workflows.

Additional sections

Security and access considerations: Treat access to the MCP server as you would any sensitive investigation tooling. Use least privilege profiles in AWS, rotate credentials regularly, and enforce time-bound access where possible. Monitor and audit who connects to the MCP server and what queries are executed.

Troubleshooting tips: If the server fails to start, verify that the directory path is correct, your virtual environment is activated, and the AWS profile has the necessary permissions to access CloudTrail, CloudWatch, GuardDuty, Config, IAM Access Analyzer, and Network services.
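A preflight check for the troubleshooting and access points above, added here as an example and not part of the project's code: it reads the MCP client entry, confirms that the `--directory` checkout contains `server.py`, and flags an `AWS_PROFILE` that is a placeholder, undefined, or backed by static access keys. The function name `preflight` and its `aws_dir` parameter are assumptions of this example.

```python
import configparser
import json
from pathlib import Path

# The page's own client entry, unchanged; both placeholders are still in it.
PAGE_CONFIG = """{"mcpServers": {"aws-ireveal": {"command": "uv",
  "args": ["--directory", "/path_to_your/aws-ireveal-mcp", "run", "server.py"],
  "env": {"AWS_PROFILE": "<YOUR_PROFILE>"}}}}"""


def preflight(client_config, aws_dir, server_name="aws-ireveal"):
    """Return a list of problems with the MCP client entry (empty list = OK)."""
    entry = json.loads(client_config).get("mcpServers", {}).get(server_name)
    if entry is None:
        return [f"no mcpServers entry named {server_name!r}"]
    problems = []

    # The checkout path is the argument that follows --directory.
    args = entry.get("args", [])
    i = args.index("--directory") + 1 if "--directory" in args else len(args)
    repo = args[i] if i < len(args) else ""
    if not repo or repo.startswith("/path_to_your/"):
        problems.append("--directory is missing or still the placeholder path")
    elif not (Path(repo) / "server.py").is_file():
        problems.append(f"server.py not found under {repo}")

    profile = entry.get("env", {}).get("AWS_PROFILE", "")
    if not profile or profile == "<YOUR_PROFILE>":
        problems.append("AWS_PROFILE is unset or still the placeholder")
        return problems

    # ~/.aws/config names sections "[profile NAME]"; ~/.aws/credentials uses "[NAME]".
    cfg, creds = configparser.ConfigParser(), configparser.ConfigParser()
    cfg.read(Path(aws_dir) / "config")
    creds.read(Path(aws_dir) / "credentials")
    section = "default" if profile == "default" else f"profile {profile}"
    if not (cfg.has_section(section) or creds.has_section(profile)):
        problems.append(f"profile {profile!r} is not defined in {aws_dir}")
    # Static access keys never expire on their own, unlike SSO or assumed-role sessions.
    elif cfg.has_option(section, "aws_access_key_id") or creds.has_option(
        profile, "aws_access_key_id"
    ):
        problems.append(f"profile {profile!r} uses long-lived access keys")
    return problems


if __name__ == "__main__":
    for problem in preflight(PAGE_CONFIG, Path.home() / ".aws"):
        print("FAIL:", problem)
```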

Examples of common prompts you can run include:

- analyze activity by IP x.x.x.x in the last 5 days
- analyze activity by role 'sysadmin' in the last 24 hours
- investigate suspicious activity on cloudtrail in the last 7 days
- is there any data event on buckets with name containing 'customers' in the last 7 days?
- investigate cloudwatch logs related to Bedrock
- propose remediations for GuardDuty findings with high risk happened in the last 2 days
- identify non-compliant resources, explain violated rules, and suggest remediation