@sureshgururajan/aws-console-private-access-validator 1.0.0

package/README.md

@@ -0,0 +1,88 @@
+# AWS Console Private Access Validator MCP Server
+
+An MCP (Model Context Protocol) server that validates CloudFormation templates for AWS Console Private Access requirements.
+
+## Features
+
+Validates CloudFormation templates for:
+- Required VPC endpoints (Console, Signin, SSM, EC2Messages, SSMMessages, S3)
+- Endpoint policies restricting access to specific accounts
+- Route53 private hosted zones for console and signin
+- Security group configuration for HTTPS access
+- EC2 instance setup with IAM roles
+- NAT Gateway for private subnet egress
+- Network configuration and routing
+
+## Installation
+
+```bash
+npm install
+```
+
+## Build
+
+```bash
+npm run build
+```
+
+## Running the MCP Server
+
+```bash
+npm start
+```
+
+The server will listen on stdin/stdout for MCP protocol messages.
+
+## Testing
+
+Test the validator against a CloudFormation template:
+
+```bash
+npm test -- /path/to/template.json
+```
+
+## Usage
+
+### Tool: `validate-cloudformation`
+
+Validates a CloudFormation template for AWS Console Private Access requirements.
+
+**Input Parameters:**
+- `template` (string, required): CloudFormation template as JSON string
+- `region` (string, optional): AWS region (default: "us-east-1")
+
+**Output:**
+```json
+{
+  "valid": true/false,
+  "checks": [
+    {
+      "name": "Check name",
+      "status": "pass" | "fail" | "warning",
+      "message": "Description of what was checked",
+      "details": "Additional details if needed"
+    }
+  ],
+  "summary": "Overall validation summary"
+}
+```
+
+## Validation Checks
+
+1. **VPC Endpoints** - Verifies all required interface and gateway endpoints exist
+2. **Endpoint Policies** - Checks that policies are attached and properly configured
+3. **Route53 Hosted Zones** - Validates private hosted zones for console and signin
+4. **Security Groups** - Checks for HTTPS (port 443) access rules
+5. **EC2 Instance** - Verifies instance exists with IAM role (optional)
+6. **NAT Gateway** - Checks for NAT Gateway for private subnet egress
+7. **Network Configuration** - Validates private subnets and route tables
+
+## Example
+
+```bash
+# Generate CloudFormation template
+npx cdk synth > template.json
+
+# Validate the template
+echo '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"validate-cloudformation","arguments":{"template":"<template-json>"}}}' | npm start
+```

package/package.json

@@ -0,0 +1,25 @@
+{
+  "name": "@sureshgururajan/aws-console-private-access-validator",
+  "version": "1.0.0",
+  "type": "module",
+  "description": "MCP server for validating AWS Console Private Access CloudFormation templates",
+  "main": "dist/index.js",
+  "scripts": {
+    "build": "tsc",
+    "start": "node dist/index.js",
+    "test": "node dist/test.js",
+    "dev": "ts-node src/index.ts"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^0.5.0"
+  },
+  "devDependencies": {
+    "@types/node": "^20.0.0",
+    "typescript": "^5.0.0",
+    "ts-node": "^10.9.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}
+

package/src/index.ts

@@ -0,0 +1,110 @@
+import { Server } from '@modelcontextprotocol/sdk/server/index.js';
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+import {
+  CallToolRequestSchema,
+  ListToolsRequestSchema,
+  Tool,
+} from '@modelcontextprotocol/sdk/types.js';
+import { ConsolePrivateAccessValidator } from './validator.js';
+import { CloudFormationTemplate } from './types.js';
+
+const server = new Server(
+  {
+    name: 'aws-console-private-access-validator',
+    version: '1.0.0',
+  },
+  {
+    capabilities: {
+      tools: {},
+    },
+  }
+);
+
+const tools: Tool[] = [
+  {
+    name: 'validate-cloudformation',
+    description:
+      'Validates a CloudFormation template for AWS Console Private Access requirements',
+    inputSchema: {
+      type: 'object' as const,
+      properties: {
+        template: {
+          type: 'string',
+          description: 'CloudFormation template as JSON string',
+        },
+        region: {
+          type: 'string',
+          description: 'AWS region (default: us-east-1)',
+          default: 'us-east-1',
+        },
+      },
+      required: ['template'],
+    },
+  },
+];
+
+server.setRequestHandler(ListToolsRequestSchema, async () => ({
+  tools,
+}));
+
+server.setRequestHandler(CallToolRequestSchema, async (request) => {
+  if (request.params.name === 'validate-cloudformation') {
+    const { template, region = 'us-east-1' } = request.params.arguments as {
+      template: string;
+      region?: string;
+    };
+
+    try {
+      const parsedTemplate: CloudFormationTemplate = JSON.parse(template);
+      const validator = new ConsolePrivateAccessValidator(parsedTemplate, region);
+      const result = validator.validate();
+
+      return {
+        content: [
+          {
+            type: 'text',
+            text: JSON.stringify(result, null, 2),
+          },
+        ],
+      };
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      return {
+        content: [
+          {
+            type: 'text',
+            text: JSON.stringify(
+              {
+                valid: false,
+                checks: [],
+                summary: `Error parsing template: ${errorMessage}`,
+              },
+              null,
+              2
+            ),
+          },
+        ],
+        isError: true,
+      };
+    }
+  }
+
+  return {
+    content: [
+      {
+        type: 'text',
+        text: `Unknown tool: ${request.params.name}`,
+      },
+    ],
+    isError: true,
+  };
+});
+
+async function main() {
+  const transport = new StdioServerTransport();
+  await server.connect(transport);
+}
+
+main().catch((error) => {
+  process.exit(1);
+});

package/src/test.ts

@@ -0,0 +1,31 @@
+import fs from 'fs';
+import { ConsolePrivateAccessValidator } from './validator.js';
+
+// Read the CloudFormation template
+const templatePath = process.argv[2] || '/tmp/template.json';
+const templateContent = fs.readFileSync(templatePath, 'utf-8');
+const template = JSON.parse(templateContent);
+
+// Run validation
+const validator = new ConsolePrivateAccessValidator(template, 'us-east-1');
+const result = validator.validate();
+
+// Print results
+console.log('\n=== AWS Console Private Access Validation Results ===\n');
+console.log(`Valid: ${result.valid ? '✓ YES' : '✗ NO'}\n`);
+
+console.log('Checks:');
+result.checks.forEach((check) => {
+  const icon = check.status === 'pass' ? '✓' : check.status === 'fail' ? '✗' : '⚠';
+  console.log(`  ${icon} ${check.name}`);
+  console.log(`    Status: ${check.status}`);
+  console.log(`    Message: ${check.message}`);
+  if (check.details) {
+    console.log(`    Details: ${check.details}`);
+  }
+});
+
+console.log(`\nSummary: ${result.summary}\n`);
+
+// Exit with appropriate code
+process.exit(result.valid ? 0 : 1);

package/src/types.ts

@@ -0,0 +1,18 @@
+export interface ValidationCheck {
+  name: string;
+  status: 'pass' | 'fail' | 'warning';
+  message: string;
+  details?: string;
+}
+
+export interface ValidationResult {
+  valid: boolean;
+  checks: ValidationCheck[];
+  summary: string;
+}
+
+export interface CloudFormationTemplate {
+  Resources?: Record<string, any>;
+  Outputs?: Record<string, any>;
+  Parameters?: Record<string, any>;
+}

package/src/validator.ts

@@ -0,0 +1,310 @@
+import { ValidationCheck, ValidationResult, CloudFormationTemplate } from './types';
+
+export class ConsolePrivateAccessValidator {
+  private template: CloudFormationTemplate;
+  private region: string;
+  private checks: ValidationCheck[] = [];
+
+  constructor(template: CloudFormationTemplate, region: string = 'us-east-1') {
+    this.template = template;
+    this.region = region;
+  }
+
+  validate(): ValidationResult {
+    this.checks = [];
+
+    this.checkVpcEndpoints();
+    this.checkEndpointPolicies();
+    this.checkRoute53HostedZones();
+    this.checkSecurityGroups();
+    this.checkEc2Instance();
+    this.checkNatGateway();
+    this.checkNetworkConfiguration();
+
+    const failCount = this.checks.filter(c => c.status === 'fail').length;
+    const valid = failCount === 0;
+
+    return {
+      valid,
+      checks: this.checks,
+      summary: this.generateSummary(valid, failCount),
+    };
+  }
+
+  private getServiceName(serviceName: any): string | null {
+    if (typeof serviceName === 'string') {
+      return serviceName;
+    }
+    if (serviceName?.['Fn::Join']) {
+      const parts = serviceName['Fn::Join'][1];
+      if (Array.isArray(parts)) {
+        // Handle Ref to AWS::Region by replacing with actual region
+        return parts
+          .map((part: any) => {
+            if (typeof part === 'string') {
+              return part;
+            }
+            if (part?.Ref === 'AWS::Region') {
+              return this.region;
+            }
+            return '';
+          })
+          .join('');
+      }
+    }
+    return null;
+  }
+
+  private checkVpcEndpoints(): void {
+    const requiredEndpoints = [
+      { name: 'console', service: `com.amazonaws.${this.region}.console` },
+      { name: 'signin', service: `com.amazonaws.${this.region}.signin` },
+      { name: 'ssm', service: `com.amazonaws.${this.region}.ssm` },
+      { name: 'ec2messages', service: `com.amazonaws.${this.region}.ec2messages` },
+      { name: 'ssmmessages', service: `com.amazonaws.${this.region}.ssmmessages` },
+    ];
+
+    const resources = this.template.Resources || {};
+    const interfaceEndpoints = Object.values(resources).filter(
+      (r: any) => r.Type === 'AWS::EC2::VPCEndpoint' && r.Properties?.VpcEndpointType === 'Interface'
+    );
+
+    for (const endpoint of requiredEndpoints) {
+      const found = interfaceEndpoints.some((e: any) => {
+        const serviceName = this.getServiceName(e.Properties?.ServiceName);
+        return serviceName && serviceName.includes(endpoint.service);
+      });
+
+      this.checks.push({
+        name: `VPC Endpoint: ${endpoint.name}`,
+        status: found ? 'pass' : 'fail',
+        message: found
+          ? `Interface VPC endpoint for ${endpoint.name} found`
+          : `Missing interface VPC endpoint for ${endpoint.name}`,
+      });
+    }
+
+    // Check for S3 Gateway endpoint
+    const s3Gateway = Object.values(resources).some(
+      (r: any) => {
+        const serviceName = this.getServiceName(r.Properties?.ServiceName);
+        return (
+          r.Type === 'AWS::EC2::VPCEndpoint' &&
+          r.Properties?.VpcEndpointType === 'Gateway' &&
+          serviceName &&
+          serviceName.includes('s3')
+        );
+      }
+    );
+
+    this.checks.push({
+      name: 'VPC Endpoint: S3 Gateway',
+      status: s3Gateway ? 'pass' : 'fail',
+      message: s3Gateway ? 'S3 Gateway VPC endpoint found' : 'Missing S3 Gateway VPC endpoint',
+    });
+  }
+
+  private checkEndpointPolicies(): void {
+    const resources = this.template.Resources || {};
+    const consoleEndpoint = Object.entries(resources).find(
+      ([_, r]: [string, any]) => {
+        const serviceName = this.getServiceName(r.Properties?.ServiceName);
+        return (
+          r.Type === 'AWS::EC2::VPCEndpoint' &&
+          serviceName &&
+          serviceName.includes('console')
+        );
+      }
+    );
+
+    const signinEndpoint = Object.entries(resources).find(
+      ([_, r]: [string, any]) => {
+        const serviceName = this.getServiceName(r.Properties?.ServiceName);
+        return (
+          r.Type === 'AWS::EC2::VPCEndpoint' &&
+          serviceName &&
+          serviceName.includes('signin')
+        );
+      }
+    );
+
+    for (const [name, endpoint] of [
+      ['Console', consoleEndpoint],
+      ['Signin', signinEndpoint],
+    ]) {
+      if (!endpoint) continue;
+
+      const [_, resource] = endpoint as [string, any];
+      const hasPolicy = resource.Properties?.PolicyDocument;
+
+      this.checks.push({
+        name: `Endpoint Policy: ${name}`,
+        status: hasPolicy ? 'pass' : 'fail',
+        message: hasPolicy
+          ? `${name} endpoint has a policy attached`
+          : `${name} endpoint is missing a policy`,
+        details: hasPolicy
+          ? this.validatePolicyContent(resource.Properties.PolicyDocument)
+          : undefined,
+      });
+    }
+  }
+
+  private validatePolicyContent(policy: any): string {
+    if (!policy.Statement || policy.Statement.length === 0) {
+      return 'Policy has no statements';
+    }
+
+    const statement = policy.Statement[0];
+    const hasAccountCondition = statement.Condition?.StringEquals?.['aws:PrincipalAccount'];
+
+    if (hasAccountCondition) {
+      return 'Policy restricts access to specific account(s)';
+    }
+
+    return 'Policy does not restrict access by account';
+  }
+
+  private checkRoute53HostedZones(): void {
+    const resources = this.template.Resources || {};
+    const hostedZones = Object.values(resources).filter(
+      (r: any) => r.Type === 'AWS::Route53::HostedZone'
+    );
+
+    const requiredZones = ['console.aws.amazon.com', 'signin.aws.amazon.com'];
+
+    for (const zone of requiredZones) {
+      const found = hostedZones.some((hz: any) => {
+        const zoneName = hz.Properties?.Name;
+        // Route53 zone names may have a trailing dot
+        return zoneName === zone || zoneName === `${zone}.`;
+      });
+
+      this.checks.push({
+        name: `Route53 Hosted Zone: ${zone}`,
+        status: found ? 'pass' : 'fail',
+        message: found
+          ? `Private hosted zone for ${zone} found`
+          : `Missing private hosted zone for ${zone}`,
+      });
+    }
+
+    // Check for Route53 records
+    const recordSets = Object.values(resources).filter(
+      (r: any) => r.Type === 'AWS::Route53::RecordSet'
+    );
+
+    this.checks.push({
+      name: 'Route53 Records',
+      status: recordSets.length > 0 ? 'pass' : 'warning',
+      message:
+        recordSets.length > 0
+          ? `Found ${recordSets.length} Route53 records`
+          : 'No Route53 records found',
+    });
+  }
+
+  private checkSecurityGroups(): void {
+    const resources = this.template.Resources || {};
+    const securityGroups = Object.values(resources).filter(
+      (r: any) => r.Type === 'AWS::EC2::SecurityGroup'
+    );
+
+    const hasHttpsIngress = securityGroups.some((sg: any) => {
+      const ingress = sg.Properties?.SecurityGroupIngress || [];
+      return ingress.some(
+        (rule: any) =>
+          (rule.FromPort === 443 || rule.IpProtocol === 'tcp') &&
+          (rule.ToPort === 443 || rule.IpProtocol === 'tcp')
+      );
+    });
+
+    this.checks.push({
+      name: 'Security Group: HTTPS Access',
+      status: hasHttpsIngress ? 'pass' : 'warning',
+      message: hasHttpsIngress
+        ? 'Security group allows HTTPS (port 443) traffic'
+        : 'No security group rule found for HTTPS (port 443)',
+    });
+  }
+
+  private checkEc2Instance(): void {
+    const resources = this.template.Resources || {};
+    const instance = Object.values(resources).find((r: any) => r.Type === 'AWS::EC2::Instance');
+
+    this.checks.push({
+      name: 'EC2 Instance',
+      status: instance ? 'pass' : 'warning',
+      message: instance ? 'EC2 instance found' : 'No EC2 instance found (optional)',
+    });
+
+    if (instance) {
+      const hasIamRole = (instance as any).Properties?.IamInstanceProfile;
+      this.checks.push({
+        name: 'EC2 IAM Role',
+        status: hasIamRole ? 'pass' : 'warning',
+        message: hasIamRole
+          ? 'EC2 instance has IAM instance profile'
+          : 'EC2 instance missing IAM instance profile',
+      });
+    }
+  }
+
+  private checkNatGateway(): void {
+    const resources = this.template.Resources || {};
+    const natGateway = Object.values(resources).find((r: any) => r.Type === 'AWS::EC2::NatGateway');
+
+    this.checks.push({
+      name: 'NAT Gateway',
+      status: natGateway ? 'pass' : 'warning',
+      message: natGateway
+        ? 'NAT Gateway found for private subnet egress'
+        : 'No NAT Gateway found (required for private subnet internet access)',
+    });
+  }
+
+  private checkNetworkConfiguration(): void {
+    const resources = this.template.Resources || {};
+
+    // Check for private subnets
+    const privateSubnets = Object.values(resources).filter(
+      (r: any) =>
+        r.Type === 'AWS::EC2::Subnet' &&
+        !r.Properties?.MapPublicIpOnLaunch
+    );
+
+    this.checks.push({
+      name: 'Private Subnets',
+      status: privateSubnets.length > 0 ? 'pass' : 'fail',
+      message:
+        privateSubnets.length > 0
+          ? `Found ${privateSubnets.length} private subnet(s)`
+          : 'No private subnets found',
+    });
+
+    // Check for route tables
+    const routeTables = Object.values(resources).filter(
+      (r: any) => r.Type === 'AWS::EC2::RouteTable'
+    );
+
+    this.checks.push({
+      name: 'Route Tables',
+      status: routeTables.length > 0 ? 'pass' : 'warning',
+      message:
+        routeTables.length > 0
+          ? `Found ${routeTables.length} route table(s)`
+          : 'No route tables found',
+    });
+  }
+
+  private generateSummary(valid: boolean, failCount: number): string {
+    const passCount = this.checks.filter(c => c.status === 'pass').length;
+    const warningCount = this.checks.filter(c => c.status === 'warning').length;
+
+    if (valid) {
+      return `✓ Validation passed. All required checks passed (${passCount} passed, ${warningCount} warnings).`;
+    }
+
+    return `✗ Validation failed. ${failCount} check(s) failed, ${passCount} passed, ${warningCount} warnings.`;
+  }
+}

package/tsconfig.json

@@ -0,0 +1,20 @@
+{
+  "compilerOptions": {
+    "target": "ES2020",
+    "module": "esnext",
+    "lib": ["ES2020"],
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "resolveJsonModule": true,
+    "declaration": true,
+    "declarationMap": true,
+    "sourceMap": true,
+    "moduleResolution": "node"
+  },
+  "include": ["src/**/*"],
+  "exclude": ["node_modules"]
+}