AWS Security MCP is a server that implements the Model Context Protocol (MCP), allowing AI assistants like Claude to perform comprehensive AWS security analysis through natural language. It automatically discovers resources across multiple AWS accounts and provides security insights without requiring deep AWS CLI knowledge.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CrossAccountAccess",
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": "arn:aws:iam::*:role/aws-security-mcp-cross-account-access"
},
{
"Sid": "OrganizationDiscovery",
"Effect": "Allow",
"Action": [
"organizations:ListAccounts"
],
"Resource": "*"
}
]
}
You must attach the AWS managed SecurityAudit policy to your MCP Server's IAM user or role:
Policy ARN: arn:aws:iam::aws:policy/SecurityAudit
This policy is essential for AWS Security MCP functionality, providing read-only access to AWS security services.
Clone the repository
git clone https://github.com/groovyBugify/aws-security-mcp.git
Configure AWS Credentials (optional if you already have AWS credentials configured)
Start the Server
chmod +x run_aws_security.sh
./run_aws_security.sh sse
Configure MCP Client
# Install mcp-proxy
uv tool install mcp-proxy
# Check location of mcp-proxy
which mcp-proxy
# Add to Claude Desktop config
{
"mcpServers": {
"aws-security": {
"command": "/path/to/mcp-proxy",
"args": ["http://localhost:8000/sse"]
}
}
}
Edit config.yaml in the project root:
aws:
region: "us-east-1"
profile: null
server:
log_level: "info"
startup_quiet: false
tool_quiet: false
cross_account:
role_name: "aws-security-mcp-cross-account-access"
auto_setup_on_startup: true
max_concurrent_assumptions: 5
Environment variables take precedence over YAML configuration:
export MCP_LOG_LEVEL=debug
export MCP_STARTUP_QUIET=false
export AWS_DEFAULT_REGION=eu-west-1
Query: "Can you share a list of running ec2 instances?"
Query: "Share all the secrets stored on env variables of Lambda functions, and share a list of functions for remediating this issue."
Query: "Check my 'prod-ecs-cluster' and share more details about the 'user-login' service, is it deployed?"
Query: "Show all GuardDuty findings from the last 7 days, and priortise based on the risk of exposure."
Query: "Analyze IAM roles with administrative privileges"
Query: "Generate blast radius analysis for IP 172.16.1.10"
Query: "Fetch more details about the ip - 172.22.141.11, and share a network map for this resource."
Query: "List all connected AWS accounts"
Query: "Refresh my AWS session"
Query: "Find resources tagged Team:Security across all accounts"
Query: "Show compliance status across organization"
AWS Security MCP uses a hub-and-spoke model for multi-account access:
Role Name: aws-security-mcp-cross-account-access
Trust Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::YOUR-MASTER-ACCOUNT-ID:root"
},
"Action": "sts:AssumeRole"
}
]
}
Permissions: Attach AWS managed policy arn:aws:iam::aws:policy/SecurityAudit
AWS Security MCP can integrate with Amazon Athena for advanced log analysis. The following log sources are recommended:
Example queries:
Query: "Show all failed login attempts from external IPs in the last 24 hours"
Query: "Can you share what did '[email protected]' did in past 24 hours on my aws account? and share a timeline report?"
Query: "Correlate GuardDuty findings with CloudTrail and VPC Flow logs events"
docker build -t aws-security-mcp .
docker run -p 8000:8000 \
-e AWS_ACCESS_KEY_ID=your_key \
-e AWS_SECRET_ACCESS_KEY=your_secret \
aws-security-mcp
Tool Discovery Fails
# Check AWS credentials
aws sts get-caller-identity
# Verify cross-account role exists
aws iam get-role --role-name aws-security-mcp-cross-account-access
Cross-Account Access Denied
# Test role assumption manually
aws sts assume-role \
--role-arn arn:aws:iam::TARGET-ACCOUNT:role/aws-security-mcp-cross-account-access \
--role-session-name test-session
Enable Debug Mode
export MCP_LOG_LEVEL=debug
export MCP_STARTUP_QUIET=false
python3 aws_security_mcp/main.py sse
To add this MCP server to Claude Code, run this command in your terminal:
claude mcp add-json "aws-security" '{"command":"/path/to/mcp-proxy","args":["http://localhost:8000/sse"]}'See the official Claude Code MCP documentation for more details.
There are two ways to add an MCP server to Cursor. The most common way is to add the server globally in the ~/.cursor/mcp.json file so that it is available in all of your projects.
If you only need the server in a single project, you can add it to the project instead by creating or adding it to the .cursor/mcp.json file.
To add a global MCP server go to Cursor Settings > Tools & Integrations and click "New MCP Server".
When you click that button the ~/.cursor/mcp.json file will be opened and you can add your server like this:
{
"mcpServers": {
"aws-security": {
"command": "/path/to/mcp-proxy",
"args": [
"http://localhost:8000/sse"
]
}
}
}To add an MCP server to a project you can create a new .cursor/mcp.json file or add it to the existing one. This will look exactly the same as the global MCP server example above.
Once the server is installed, you might need to head back to Settings > MCP and click the refresh button.
The Cursor agent will then be able to see the available tools the added MCP server has available and will call them when it needs to.
You can also explicitly ask the agent to use the tool by mentioning the tool name and describing what the function does.
To add this MCP server to Claude Desktop:
1. Find your configuration file:
~/Library/Application Support/Claude/claude_desktop_config.json%APPDATA%\Claude\claude_desktop_config.json~/.config/Claude/claude_desktop_config.json2. Add this to your configuration file:
{
"mcpServers": {
"aws-security": {
"command": "/path/to/mcp-proxy",
"args": [
"http://localhost:8000/sse"
]
}
}
}3. Restart Claude Desktop for the changes to take effect