playbooks

home / mcp / aws security mcp server

AWS Security MCP Server

A Model Context Protocol server that connects AI assistants like Claude to AWS security services, allowing them to autonomously query, inspect, and analyze AWS infrastructure for security issues and misconfigurations.

Installation
Add the following to your MCP client configuration file.

Configuration

View docs
{
  "mcpServers": {
    "groovybugify-aws-security-mcp": {
      "command": "/path/to/mcp-proxy",
      "args": [
        "http://localhost:8000/sse"
      ],
      "env": {
        "AWS_ACCESS_KEY_ID": "AKIA...",
        "AWS_SESSION_TOKEN": "AQoDYXdzEJr...",
        "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7..."
      }
    }
  }
}

You can analyze and monitor AWS security across multiple accounts with an MCP server that translates natural language queries into security findings. It integrates with AWS Security services, maps infrastructure, and analyzes logs to help you detect issues, map blast radii, and explore threat scenarios using everyday language.

How to use

Interact with your MCP client to ask questions in plain English. You can request cross-account visibility, pull GuardDuty or SecurityHub findings, map network topology, and perform log analytics using Athena-backed queries. The MCP server handles resource discovery, cross-account access, and security data aggregation, so you don’t need deep AWS CLI expertise.

How to install

Prerequisites and setup are designed to get you up and running quickly. You will use Python, a package manager, and an MCP client to connect to the server.

# Install runtime and MCP proxy tooling
# Install Python 3.11+ if not already installed

# Install uv (the package manager used here)
# (follow your platform’s instructions to install uvx/uv as needed)

# Install MCP proxy tooling via uv
uv tool install mcp-proxy

# Verify location of mcp-proxy
which mcp-proxy

# Add MCP server configuration to your MCP client (example)
# This configures the client to start the local MCP proxy and connect to the SSE endpoint
{
  "mcpServers": {
    "aws_security": {
      "command": "/path/to/mcp-proxy",
      "args": ["http://localhost:8000/sse"]
    }
  }
}

Additional configuration and notes

Security and IAM setup is critical. You will need appropriate AWS permissions for cross-account discovery and log analysis. The server uses a cross-account role to access resources in member accounts and requires read-only access to security services for analysis.

Available tools

cross_account_discovery

Discovers AWS Organization accounts and establishes cross-account access for MCP operations.

natural_language_interface

Parses plain English queries and maps them to AWS security queries and actions.

security_analysis

Aggregates findings from GuardDuty, SecurityHub, and Access Analyzer for a unified security view.

infrastructure_mapping

Generates network topology, threat models, and blast radius analyses based on discovered resources.

log_analytics

Runs Athena-backed queries on CloudTrail, VPC Flow Logs, and security events to surface insights.

athena_integration

Configures and runs Athena queries, joins with Glue catalogs, and returns results.