aws-security-mcp 0.4.3 → 0.5.1
- package/README.md +18 -9
- package/dist/bin/aws-security-mcp.js +525 -16
- package/dist/bin/aws-security-mcp.js.map +1 -1
- package/dist/src/index.js +525 -16
- package/dist/src/index.js.map +1 -1
- package/package.json +3 -1
package/README.md
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
# aws-security-mcp
|
|
2
2
|
|
|
3
|
-
MCP server for automated AWS security scanning —
|
|
3
|
+
MCP server for automated AWS security scanning — 19 modules, risk scoring, zero write operations.
|
|
4
4
|
|
|
5
5
|
<!-- badges -->
|
|
6
6
|

|
|
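Review bot: the module count is now a literal in four places (this tagline, the Features bullet, the `scan_all` row and the `### Unique Scanners (15)` heading), and the hunk header of the next hunk shows the old tagline still read "17 modules", so the bump was needed. The four agree in this release (15 + 4 = 19), but consider having the tagline defer to `list_modules` as the authoritative count so the next scanner addition does not leave one of them stale.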
@@ -9,7 +9,7 @@ MCP server for automated AWS security scanning — 17 modules, risk scoring, zer
|
|
|
9
9
|
|
|
10
10
|
## Features
|
|
11
11
|
|
|
12
|
-
- **
|
|
12
|
+
- **19 Security Scan Modules** — 15 unique scanners + 4 aggregation scanners (Security Hub, GuardDuty, Inspector, Trusted Advisor, Config Rules, Access Analyzer, Patch Compliance)
|
|
13
13
|
- **Risk Scoring** — every finding scored 0-10 with severity (CRITICAL/HIGH/MEDIUM/LOW) and priority (P0-P3)
|
|
14
14
|
- **100% Read-Only** — uses only Describe/Get/List API calls; never modifies your AWS resources
|
|
15
15
|
- **Multi-Account Support** — scan all accounts in an AWS Organization via `org_mode` with cross-account role assumption
|
|
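Review bot: the parenthetical in the Features bullet names seven scanners as the "4 aggregation scanners", and three of them (Config Rules, Access Analyzer, Patch Compliance) sit in the Unique Scanners table later in this README; the `aggregation` scan group likewise reports 7 modules while the section heading says "Aggregation Scanners (4)". Pick one split and use it everywhere, e.g. `15 unique scanners + 4 aggregation scanners (Security Hub, GuardDuty, Inspector, Trusted Advisor)` with the other three left in the unique list.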
@@ -113,7 +113,7 @@ For multi-account scanning across an AWS Organization:
|
|
|
113
113
|
|
|
114
114
|
| Tool | Description |
|
|
115
115
|
|------|-------------|
|
|
116
|
-
| `scan_all` | Run all
|
|
116
|
+
| `scan_all` | Run all 19 security scanners in parallel (supports org_mode) |
|
|
117
117
|
| `detect_services` | Detect enabled AWS security services and assess maturity |
|
|
118
118
|
| `scan_secret_exposure` | Check Lambda env vars and EC2 userData for exposed secrets |
|
|
119
119
|
| `scan_ssl_certificate` | Check ACM certificates for expiry and failed status |
|
|
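Review bot: "Run all 19 security scanners in parallel (supports org_mode)" should say what bounds the fan-out. With org_mode that is 19 scanners times every account in the Organization, all issuing Describe/Get/List calls at once, which is the pattern that trips per-account API throttling. Document the concurrency cap and the retry/backoff behaviour (or the parameter that sets them) next to this tool so users with large Organizations know what to expect.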
@@ -131,6 +131,8 @@ For multi-account scanning across an AWS Organization:
|
|
|
131
131
|
| `scan_config_rules_findings` | Aggregate findings from AWS Config Rules |
|
|
132
132
|
| `scan_access_analyzer_findings` | Aggregate findings from IAM Access Analyzer |
|
|
133
133
|
| `scan_patch_compliance_findings` | Aggregate findings from SSM Patch Compliance |
|
|
134
|
+
| `scan_imdsv2_enforcement` | Check EC2 instances for IMDSv2 enforcement |
|
|
135
|
+
| `scan_waf_coverage` | Check internet-facing ALBs for WAF Web ACL protection |
|
|
134
136
|
| `scan_group` | Run a predefined group of scanners for a specific scenario |
|
|
135
137
|
| `list_groups` | List available scan groups |
|
|
136
138
|
| `list_modules` | List available scan modules with descriptions |
|
|
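Review bot: `scan_waf_coverage` is scoped to internet-facing ALBs only; say so in the description, e.g. "CloudFront distributions, API Gateway stages and AppSync APIs are not checked", since those are also WAFv2-associable resources and a clean result from this tool would otherwise be read as full WAF coverage. The `scan_imdsv2_enforcement` row reads fine as is.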
@@ -167,6 +169,8 @@ Attach this policy to the IAM user or role running the scanner. All actions are
|
|
|
167
169
|
"config:DescribeConfigurationRecorders",
|
|
168
170
|
"config:GetComplianceDetailsByConfigRule",
|
|
169
171
|
|
|
172
|
+
"elasticloadbalancing:DescribeLoadBalancers",
|
|
173
|
+
|
|
170
174
|
"ec2:DescribeAddresses",
|
|
171
175
|
"ec2:DescribeInstanceAttribute",
|
|
172
176
|
"ec2:DescribeInstances",
|
|
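Review bot: `elasticloadbalancing:DescribeLoadBalancers` is inserted ahead of the `ec2:` entries, which breaks the alphabetical order the rest of the action list follows (`config`, `ec2`, ..., `sts`, `support`), and the added blank line after it leaves an empty line inside the JSON `Action` array. Move the entry after the last `ec2:` action and drop the blank line; the action itself is the right read-only call for enumerating ALBs to feed `scan_waf_coverage`.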
@@ -229,7 +233,10 @@ Attach this policy to the IAM user or role running the scanner. All actions are
|
|
|
229
233
|
"sts:GetCallerIdentity",
|
|
230
234
|
|
|
231
235
|
"support:DescribeTrustedAdvisorChecks",
|
|
232
|
-
"support:DescribeTrustedAdvisorCheckResult"
|
|
236
|
+
"support:DescribeTrustedAdvisorCheckResult",
|
|
237
|
+
|
|
238
|
+
"wafv2:GetWebACL",
|
|
239
|
+
"wafv2:GetWebACLForResource"
|
|
233
240
|
],
|
|
234
241
|
"Resource": "*"
|
|
235
242
|
}
|
|
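Review bot: the `+` blank line between `support:DescribeTrustedAdvisorCheckResult` and `wafv2:GetWebACL` puts an empty line inside the JSON `Action` array; drop it to match the rest of the list. Keeping both `wafv2:GetWebACL` and `wafv2:GetWebACLForResource` is right, as the per-resource lookup depends on the `GetWebACL` permission, and both are Get calls, so the read-only statement in the section intro still holds.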
@@ -239,7 +246,7 @@ Attach this policy to the IAM user or role running the scanner. All actions are
|
|
|
239
246
|
|
|
240
247
|
## Scan Modules
|
|
241
248
|
|
|
242
|
-
### Unique Scanners (
|
|
249
|
+
### Unique Scanners (15)
|
|
243
250
|
|
|
244
251
|
| Module | What It Checks | Risk Score Range |
|
|
245
252
|
|--------|---------------|-----------------|
|
|
@@ -256,6 +263,8 @@ Attach this policy to the IAM user or role running the scanner. All actions are
|
|
|
256
263
|
| **Config Rules** | AWS Config Rules compliance status | 3.0 - 9.5 |
|
|
257
264
|
| **Access Analyzer** | IAM Access Analyzer external access findings | 3.0 - 9.5 |
|
|
258
265
|
| **Patch Compliance** | SSM Patch Manager compliance status for managed instances | 3.0 - 9.5 |
|
|
266
|
+
| **IMDSv2 Enforcement** | EC2 instances not enforcing IMDSv2 (HttpTokens != required) | 7.5 |
|
|
267
|
+
| **WAF Coverage** | Internet-facing ALBs without WAF Web ACL protection | 7.5 |
|
|
259
268
|
|
|
260
269
|
### Aggregation Scanners (4)
|
|
261
270
|
|
|
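Review bot: the IMDSv2 row flags `HttpTokens != required`, but an instance whose metadata endpoint is disabled (`HttpEndpoint: disabled`) exposes no IMDS at all and should not be reported; make the condition `HttpEndpoint == enabled && HttpTokens != required`. The flat 7.5 also gives up the range every other row uses: an IMDSv1-reachable instance with an instance profile and a public address (both visible from the `ec2:DescribeInstances` and `ec2:DescribeAddresses` calls already in the policy) is the SSRF-to-credentials path IMDSv2 exists to close and deserves a higher score than one in a private subnet with no role attached.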
@@ -281,16 +290,16 @@ Pre-defined scanner groupings for common scenarios:
|
|
|
281
290
|
|
|
282
291
|
| Group | Description | Modules |
|
|
283
292
|
|-------|-------------|---------|
|
|
284
|
-
| `mlps3_precheck` | GB/T 22239-2019 等保三级预检 |
|
|
285
|
-
| `hw_defense` | 护网蓝队加固 |
|
|
286
|
-
| `exposure` | 公网暴露面评估 |
|
|
293
|
+
| `mlps3_precheck` | GB/T 22239-2019 等保三级预检 | 17 modules |
|
|
294
|
+
| `hw_defense` | 护网蓝队加固 | 14 modules |
|
|
295
|
+
| `exposure` | 公网暴露面评估 | 8 modules |
|
|
287
296
|
| `data_encryption` | 数据加密审计 | 2 modules |
|
|
288
297
|
| `least_privilege` | 最小权限审计 | 3 modules |
|
|
289
298
|
| `log_integrity` | 日志完整性审计 | 2 modules |
|
|
290
299
|
| `disaster_recovery` | 灾备评估 | 2 modules |
|
|
291
300
|
| `idle_resources` | 闲置资源清理 | 2 modules |
|
|
292
301
|
| `tag_compliance` | 资源标签合规 | 1 module |
|
|
293
|
-
| `new_account_baseline` | 新账户基线检查 |
|
|
302
|
+
| `new_account_baseline` | 新账户基线检查 | 7 modules |
|
|
294
303
|
| `aggregation` | 安全服务聚合 | 7 modules |
|
|
295
304
|
|
|
296
305
|
Use `list_groups` to see all available groups with their module lists.
|
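Review bot: the group descriptions are Chinese-only while the rest of the README is English; add English glosses so every user can pick a group: `mlps3_precheck` = GB/T 22239-2019 MLPS Level 3 pre-check, `hw_defense` = HVV (护网) blue-team hardening, `exposure` = internet-facing exposure assessment, `new_account_baseline` = new-account baseline check, and likewise for the rows this hunk does not touch. Also state which groups absorbed the two new scanners; both `scan_imdsv2_enforcement` and `scan_waf_coverage` are exposure checks, so `exposure` (now 8 modules) should list them, and the counts added here give no way to confirm that.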