aws-security-mcp 0.4.3 → 0.5.1

package/dist/bin/aws-security-mcp.js

@@ -237,7 +237,7 @@ import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js"
 import { z } from "zod";
 
 // src/version.ts
-var VERSION = "0.4.3";
+var VERSION = "0.5.1";
 
 // src/utils/aws-client.ts
 import { STSClient, GetCallerIdentityCommand } from "@aws-sdk/client-sts";
@@ -3961,6 +3961,242 @@ var PatchComplianceFindingsScanner = class {
   }
 };
 
+// src/scanners/imdsv2-enforcement.ts
+import {
+  EC2Client as EC2Client6,
+  DescribeInstancesCommand as DescribeInstancesCommand5
+} from "@aws-sdk/client-ec2";
+function makeFinding11(opts) {
+  const severity = severityFromScore(opts.riskScore);
+  return { ...opts, severity, priority: priorityFromSeverity(severity) };
+}
+var Imdsv2EnforcementScanner = class {
+  moduleName = "imdsv2_enforcement";
+  async scan(ctx) {
+    const { region, partition, accountId } = ctx;
+    const startMs = Date.now();
+    const findings = [];
+    const warnings = [];
+    try {
+      const client = createClient(EC2Client6, region, ctx.credentials);
+      const instances = [];
+      let nextToken;
+      do {
+        const resp = await client.send(
+          new DescribeInstancesCommand5({
+            Filters: [{ Name: "instance-state-name", Values: ["running"] }],
+            NextToken: nextToken
+          })
+        );
+        if (resp.Reservations) {
+          for (const reservation of resp.Reservations) {
+            if (reservation.Instances) {
+              instances.push(...reservation.Instances);
+            }
+          }
+        }
+        nextToken = resp.NextToken;
+      } while (nextToken);
+      for (const instance of instances) {
+        const instanceId = instance.InstanceId ?? "unknown";
+        const instanceType = instance.InstanceType ?? "unknown";
+        const state = instance.State?.Name ?? "unknown";
+        const httpTokens = instance.MetadataOptions?.HttpTokens ?? "unknown";
+        const hopLimit = instance.MetadataOptions?.HttpPutResponseHopLimit ?? 1;
+        const instanceArn = `arn:${partition}:ec2:${region}:${accountId}:instance/${instanceId}`;
+        if (httpTokens !== "required") {
+          const description = [
+            `EC2 instance ${instanceId} (type: ${instanceType}, state: ${state}) has HttpTokens set to "${httpTokens}".`,
+            `IMDSv1 is accessible, allowing unauthenticated metadata requests.`
+          ];
+          if (hopLimit > 1) {
+            description.push(`HttpPutResponseHopLimit is ${hopLimit} (>1), which may allow containers to reach IMDS.`);
+          }
+          findings.push(
+            makeFinding11({
+              riskScore: 7.5,
+              title: `EC2 instance ${instanceId} does not enforce IMDSv2`,
+              resourceType: "AWS::EC2::Instance",
+              resourceId: instanceId,
+              resourceArn: instanceArn,
+              region,
+              description: description.join(" "),
+              impact: "IMDSv1 allows attackers to steal IAM role credentials via SSRF attacks",
+              remediationSteps: [
+                "Enforce IMDSv2 by setting HttpTokens to 'required'.",
+                "Run: aws ec2 modify-instance-metadata-options --instance-id " + instanceId + " --http-tokens required --http-endpoint enabled",
+                "Set HttpPutResponseHopLimit to 1 unless running containers that need metadata access.",
+                "Update launch templates and Auto Scaling groups to enforce IMDSv2 for new instances."
+              ]
+            })
+          );
+        } else if (hopLimit > 1) {
+          warnings.push(
+            `Instance ${instanceId} enforces IMDSv2 but HttpPutResponseHopLimit is ${hopLimit} (>1). Verify this is intentional for containerized workloads.`
+          );
+        }
+      }
+      return {
+        module: this.moduleName,
+        status: "success",
+        warnings: warnings.length > 0 ? warnings : void 0,
+        resourcesScanned: instances.length,
+        findingsCount: findings.length,
+        scanTimeMs: Date.now() - startMs,
+        findings
+      };
+    } catch (err) {
+      return {
+        module: this.moduleName,
+        status: "error",
+        error: err instanceof Error ? err.message : String(err),
+        warnings: warnings.length > 0 ? warnings : void 0,
+        resourcesScanned: 0,
+        findingsCount: 0,
+        scanTimeMs: Date.now() - startMs,
+        findings: []
+      };
+    }
+  }
+};
+
+// src/scanners/waf-coverage.ts
+import {
+  ElasticLoadBalancingV2Client,
+  DescribeLoadBalancersCommand
+} from "@aws-sdk/client-elastic-load-balancing-v2";
+import {
+  WAFV2Client,
+  GetWebACLForResourceCommand
+} from "@aws-sdk/client-wafv2";
+function makeFinding12(opts) {
+  const severity = severityFromScore(opts.riskScore);
+  return { ...opts, severity, priority: priorityFromSeverity(severity) };
+}
+var WafCoverageScanner = class {
+  moduleName = "waf_coverage";
+  async scan(ctx) {
+    const { region } = ctx;
+    const startMs = Date.now();
+    const findings = [];
+    const warnings = [];
+    try {
+      const elbClient = createClient(ElasticLoadBalancingV2Client, region, ctx.credentials);
+      const wafClient = createClient(WAFV2Client, region, ctx.credentials);
+      const loadBalancers = [];
+      let marker;
+      do {
+        const resp = await elbClient.send(
+          new DescribeLoadBalancersCommand({ Marker: marker })
+        );
+        if (resp.LoadBalancers) {
+          loadBalancers.push(...resp.LoadBalancers);
+        }
+        marker = resp.NextMarker;
+      } while (marker);
+      const internetFacing = loadBalancers.filter((lb) => lb.Scheme === "internet-facing");
+      for (const lb of internetFacing) {
+        const lbName = lb.LoadBalancerName ?? "unknown";
+        const lbArn = lb.LoadBalancerArn ?? "unknown";
+        const lbType = lb.Type ?? "unknown";
+        if (lbType !== "application") {
+          warnings.push(
+            `Skipping ${lbType} load balancer "${lbName}" \u2014 WAF Web ACL association is only supported for ALBs.`
+          );
+          continue;
+        }
+        try {
+          const wafResp = await wafClient.send(
+            new GetWebACLForResourceCommand({ ResourceArn: lbArn })
+          );
+          if (!wafResp.WebACL) {
+            findings.push(
+              makeFinding12({
+                riskScore: 7.5,
+                title: `Internet-facing ALB ${lbName} has no WAF protection`,
+                resourceType: "AWS::ElasticLoadBalancingV2::LoadBalancer",
+                resourceId: lbName,
+                resourceArn: lbArn,
+                region,
+                description: `Internet-facing Application Load Balancer "${lbName}" does not have a WAF Web ACL associated. Traffic is not inspected for common web exploits.`,
+                impact: "Without WAF, the ALB is exposed to SQL injection, XSS, and other OWASP Top 10 attacks",
+                remediationSteps: [
+                  "Create a WAFv2 Web ACL with managed rule groups (e.g., AWSManagedRulesCommonRuleSet).",
+                  "Associate the Web ACL with the ALB using the REGIONAL scope.",
+                  "Enable WAF logging for visibility into blocked requests.",
+                  "Consider adding rate-based rules to mitigate DDoS at the application layer."
+                ]
+              })
+            );
+          }
+        } catch (wafErr) {
+          const errMsg = wafErr instanceof Error ? wafErr.message : String(wafErr);
+          const errName = wafErr instanceof Error ? wafErr.name ?? "" : "";
+          if (errName === "WAFNonexistentItemException") {
+            findings.push(
+              makeFinding12({
+                riskScore: 7.5,
+                title: `Internet-facing ALB ${lbName} has no WAF protection`,
+                resourceType: "AWS::ElasticLoadBalancingV2::LoadBalancer",
+                resourceId: lbName,
+                resourceArn: lbArn,
+                region,
+                description: `Internet-facing Application Load Balancer "${lbName}" does not have a WAF Web ACL associated. Traffic is not inspected for common web exploits.`,
+                impact: "Without WAF, the ALB is exposed to SQL injection, XSS, and other OWASP Top 10 attacks",
+                remediationSteps: [
+                  "Create a WAFv2 Web ACL with managed rule groups (e.g., AWSManagedRulesCommonRuleSet).",
+                  "Associate the Web ACL with the ALB using the REGIONAL scope.",
+                  "Enable WAF logging for visibility into blocked requests.",
+                  "Consider adding rate-based rules to mitigate DDoS at the application layer."
+                ]
+              })
+            );
+          } else if (errName === "AccessDeniedException" || errName === "WAFInvalidParameterException") {
+            warnings.push(
+              `Could not check WAF for ALB "${lbName}": ${errMsg}. Ensure wafv2:GetWebACLForResource permission is granted.`
+            );
+          } else {
+            warnings.push(`Error checking WAF for ALB "${lbName}": ${errMsg}`);
+          }
+        }
+      }
+      return {
+        module: this.moduleName,
+        status: "success",
+        warnings: warnings.length > 0 ? warnings : void 0,
+        resourcesScanned: internetFacing.length,
+        findingsCount: findings.length,
+        scanTimeMs: Date.now() - startMs,
+        findings
+      };
+    } catch (err) {
+      const errMsg = err instanceof Error ? err.message : String(err);
+      const errName = err instanceof Error ? err.name ?? "" : "";
+      if (errName === "AccessDeniedException" || errName === "UnrecognizedClientException") {
+        return {
+          module: this.moduleName,
+          status: "success",
+          warnings: [`WAF coverage check skipped: ${errMsg}`],
+          resourcesScanned: 0,
+          findingsCount: 0,
+          scanTimeMs: Date.now() - startMs,
+          findings: []
+        };
+      }
+      return {
+        module: this.moduleName,
+        status: "error",
+        error: errMsg,
+        warnings: warnings.length > 0 ? warnings : void 0,
+        resourcesScanned: 0,
+        findingsCount: 0,
+        scanTimeMs: Date.now() - startMs,
+        findings: []
+      };
+    }
+  }
+};
+
 // src/tools/report-tool.ts
 var SEVERITY_ICON = {
   CRITICAL: "\u{1F534}",
@@ -4348,6 +4584,92 @@ function scoreColor(score) {
   if (score >= 50) return "#eab308";
   return "#ef4444";
 }
+var SERVICE_RECOMMENDATIONS = {
+  security_hub_findings: {
+    icon: "\u{1F534}",
+    service: "Security Hub",
+    impact: "\u65E0\u6CD5\u83B7\u53D6 300+ \u9879\u81EA\u52A8\u5316\u5B89\u5168\u68C0\u67E5\uFF08FSBP/CIS/PCI DSS \u6807\u51C6\uFF09",
+    action: "\u542F\u7528 Security Hub \u83B7\u5F97\u6700\u5168\u9762\u7684\u5B89\u5168\u6001\u52BF\u8BC4\u4F30"
+  },
+  guardduty_findings: {
+    icon: "\u{1F534}",
+    service: "GuardDuty",
+    impact: "\u65E0\u6CD5\u68C0\u6D4B\u5A01\u80C1\u6D3B\u52A8\uFF08\u6076\u610F IP\u3001\u5F02\u5E38 API \u8C03\u7528\u3001\u52A0\u5BC6\u8D27\u5E01\u6316\u77FF\u7B49\uFF09",
+    action: "\u542F\u7528 GuardDuty \u83B7\u5F97\u6301\u7EED\u5A01\u80C1\u68C0\u6D4B\u80FD\u529B"
+  },
+  inspector_findings: {
+    icon: "\u{1F7E1}",
+    service: "Inspector",
+    impact: "\u65E0\u6CD5\u626B\u63CF EC2/Lambda/\u5BB9\u5668\u7684\u8F6F\u4EF6\u6F0F\u6D1E\uFF08CVE\uFF09",
+    action: "\u542F\u7528 Inspector \u53D1\u73B0\u5DF2\u77E5\u5B89\u5168\u6F0F\u6D1E"
+  },
+  trusted_advisor_findings: {
+    icon: "\u{1F7E1}",
+    service: "Trusted Advisor",
+    impact: "\u65E0\u6CD5\u83B7\u53D6 AWS \u6700\u4F73\u5B9E\u8DF5\u5B89\u5168\u68C0\u67E5",
+    action: "\u5347\u7EA7\u81F3 Business/Enterprise Support \u8BA1\u5212\u4EE5\u4F7F\u7528 Trusted Advisor \u5B89\u5168\u68C0\u67E5"
+  },
+  config_rules_findings: {
+    icon: "\u{1F7E1}",
+    service: "AWS Config",
+    impact: "\u65E0\u6CD5\u68C0\u67E5\u8D44\u6E90\u914D\u7F6E\u5408\u89C4\u72B6\u6001",
+    action: "\u542F\u7528 AWS Config \u5E76\u914D\u7F6E Config Rules"
+  },
+  access_analyzer_findings: {
+    icon: "\u{1F7E1}",
+    service: "IAM Access Analyzer",
+    impact: "\u65E0\u6CD5\u68C0\u6D4B\u8D44\u6E90\u662F\u5426\u88AB\u5916\u90E8\u8D26\u53F7\u6216\u516C\u7F51\u8BBF\u95EE",
+    action: "\u521B\u5EFA IAM Access Analyzer\uFF08\u8D26\u6237\u7EA7\u6216\u7EC4\u7EC7\u7EA7\uFF09"
+  },
+  patch_compliance_findings: {
+    icon: "\u{1F7E1}",
+    service: "SSM Patch Manager",
+    impact: "\u65E0\u6CD5\u68C0\u67E5\u5B9E\u4F8B\u8865\u4E01\u5408\u89C4\u72B6\u6001",
+    action: "\u5B89\u88C5 SSM Agent \u5E76\u914D\u7F6E Patch Manager"
+  }
+};
+var SERVICE_NOT_ENABLED_PATTERNS = [
+  "not enabled",
+  "not found",
+  "No IAM Access Analyzer",
+  "No SSM-managed instances",
+  "requires AWS Business or Enterprise Support",
+  "not available",
+  "is not enabled"
+];
+function getDisabledServices(modules) {
+  const disabled = [];
+  for (const mod of modules) {
+    const rec = SERVICE_RECOMMENDATIONS[mod.module];
+    if (!rec) continue;
+    if (!mod.warnings?.length) continue;
+    const hasNotEnabled = mod.warnings.some(
+      (w) => SERVICE_NOT_ENABLED_PATTERNS.some((p) => w.includes(p))
+    );
+    if (hasNotEnabled) {
+      disabled.push(rec);
+    }
+  }
+  return disabled;
+}
+function buildServiceReminderHtml(modules) {
+  const disabled = getDisabledServices(modules);
+  if (disabled.length === 0) return "";
+  const items = disabled.map((svc) => `
+    <div style="margin-bottom:12px">
+      <div style="font-weight:600;font-size:15px">${esc(svc.icon)} ${esc(svc.service)} \u672A\u542F\u7528</div>
+      <div style="margin-left:28px;color:#cbd5e1;font-size:13px">\u5F71\u54CD\uFF1A${esc(svc.impact)}</div>
+      <div style="margin-left:28px;color:#cbd5e1;font-size:13px">\u5EFA\u8BAE\uFF1A${esc(svc.action)}</div>
+    </div>`).join("\n");
+  return `
+  <section>
+    <div style="background:#2d1f00;border:1px solid #b45309;border-radius:8px;padding:20px;margin-bottom:32px">
+      <div style="font-size:17px;font-weight:700;margin-bottom:12px">&#9889; \u4EE5\u4E0B\u5B89\u5168\u670D\u52A1\u672A\u542F\u7528\uFF0C\u90E8\u5206\u68C0\u67E5\u65E0\u6CD5\u6267\u884C\uFF1A</div>
+      ${items}
+      <div style="margin-top:12px;font-size:13px;color:#fbbf24;font-weight:500">\u542F\u7528\u4EE5\u4E0A\u670D\u52A1\u540E\u91CD\u65B0\u626B\u63CF\u53EF\u83B7\u5F97\u66F4\u5B8C\u6574\u7684\u5B89\u5168\u8BC4\u4F30\u3002</div>
+    </div>
+  </section>`;
+}
 function sharedCss() {
   return `
     *{margin:0;padding:0;box-sizing:border-box}
@@ -4873,6 +5195,8 @@ ${trendHtml}
 
 ${top5Html}
 
+${buildServiceReminderHtml(modules)}
+
 <section>
   <h2>Scan Statistics</h2>
   <table>
@@ -5069,6 +5393,8 @@ ${unknownNote}
 
 ${trendHtml}
 
+${buildServiceReminderHtml(scanResults.modules)}
+
 ${categorySections}
 
 ${remediationHtml}
@@ -5192,13 +5518,13 @@ var SCAN_GROUPS = {
   mlps3_precheck: {
     name: "\u7B49\u4FDD\u4E09\u7EA7\u9884\u68C0",
     description: "GB/T 22239-2019 \u7B49\u4FDD\u4E09\u7EA7 AWS \u4E91\u79DF\u6237\u5C42\u914D\u7F6E\u68C0\u67E5",
-    modules: ["service_detection", "secret_exposure", "ssl_certificate", "dns_dangling", "network_reachability", "iam_privilege_escalation", "tag_compliance", "disaster_recovery", "security_hub_findings", "guardduty_findings", "inspector_findings", "trusted_advisor_findings", "config_rules_findings", "access_analyzer_findings", "patch_compliance_findings"],
+    modules: ["service_detection", "secret_exposure", "ssl_certificate", "dns_dangling", "network_reachability", "iam_privilege_escalation", "tag_compliance", "disaster_recovery", "security_hub_findings", "guardduty_findings", "inspector_findings", "trusted_advisor_findings", "config_rules_findings", "access_analyzer_findings", "patch_compliance_findings", "imdsv2_enforcement", "waf_coverage"],
     reportType: "mlps3"
   },
   hw_defense: {
     name: "\u62A4\u7F51\u84DD\u961F\u52A0\u56FA",
     description: "\u62A4\u7F51\u524D\u5B89\u5168\u81EA\u67E5 \u2014 \u653B\u51FB\u9762+\u5F31\u70B9\u8BC4\u4F30",
-    modules: ["service_detection", "secret_exposure", "network_reachability", "dns_dangling", "ssl_certificate", "iam_privilege_escalation", "security_hub_findings", "guardduty_findings", "inspector_findings", "config_rules_findings", "access_analyzer_findings", "patch_compliance_findings"],
+    modules: ["service_detection", "secret_exposure", "network_reachability", "dns_dangling", "ssl_certificate", "iam_privilege_escalation", "security_hub_findings", "guardduty_findings", "inspector_findings", "config_rules_findings", "access_analyzer_findings", "patch_compliance_findings", "imdsv2_enforcement", "waf_coverage"],
     findingsFilter: {
       guardDutyTypes: ["Backdoor", "Trojan", "PenTest", "CryptoCurrency"],
       minSeverity: "MEDIUM"
@@ -5207,7 +5533,7 @@ var SCAN_GROUPS = {
   exposure: {
     name: "\u516C\u7F51\u66B4\u9732\u9762\u8BC4\u4F30",
     description: "\u8BC4\u4F30\u516C\u7F51\u53EF\u8FBE\u7684\u8D44\u6E90\u548C\u7AEF\u53E3",
-    modules: ["network_reachability", "dns_dangling", "public_access_verify", "ssl_certificate", "security_hub_findings", "access_analyzer_findings"],
+    modules: ["network_reachability", "dns_dangling", "public_access_verify", "ssl_certificate", "security_hub_findings", "access_analyzer_findings", "imdsv2_enforcement", "waf_coverage"],
     findingsFilter: {
       securityHubCategories: ["network", "public", "exposure", "port"]
     }
@@ -5254,7 +5580,7 @@ var SCAN_GROUPS = {
   new_account_baseline: {
     name: "\u65B0\u8D26\u6237\u57FA\u7EBF\u68C0\u67E5",
     description: "\u65B0 AWS \u8D26\u6237\u5B89\u5168\u57FA\u7EBF",
-    modules: ["service_detection", "secret_exposure", "iam_privilege_escalation", "security_hub_findings", "guardduty_findings", "access_analyzer_findings"]
+    modules: ["service_detection", "secret_exposure", "iam_privilege_escalation", "security_hub_findings", "guardduty_findings", "access_analyzer_findings", "imdsv2_enforcement"]
   },
   aggregation: {
     name: "\u5B89\u5168\u670D\u52A1\u805A\u5408",
@@ -5264,7 +5590,7 @@ var SCAN_GROUPS = {
 };
 
 // src/resources/index.ts
-var SECURITY_RULES_CONTENT = `# AWS Security Scan Modules & Rules (17 modules)
+var SECURITY_RULES_CONTENT = `# AWS Security Scan Modules & Rules (19 modules)
 
 ## 1. Service Detection (service_detection)
 Detects which AWS security services are enabled and assesses overall security maturity.
@@ -5358,6 +5684,21 @@ Checks patch compliance status for SSM-managed instances.
 - Missing non-security patches \u2192 MEDIUM (5.5).
 - Instances without patch data flagged as LOW (3.0) for visibility.
 - Includes platform info, missing/failed counts, and last scan time.
+
+## 18. IMDSv2 Enforcement (imdsv2_enforcement)
+Checks if EC2 instances enforce IMDSv2 (Instance Metadata Service v2).
+- Lists all running EC2 instances and checks MetadataOptions.HttpTokens.
+- **HttpTokens != "required"** \u2014 Risk 7.5: IMDSv1 allows credential theft via SSRF attacks.
+- Also checks HttpPutResponseHopLimit \u2014 values >1 on containerized workloads noted as warning.
+- Remediation: Set HttpTokens to "required" via modify-instance-metadata-options.
+
+## 19. WAF Coverage (waf_coverage)
+Checks if internet-facing ALBs have WAF Web ACL associated for protection.
+- Lists all ELBv2 load balancers, filters to internet-facing only.
+- For each internet-facing ALB, checks WAFv2 Web ACL association.
+- **No WAF Web ACL** \u2014 Risk 7.5: ALB exposed to SQL injection, XSS, and OWASP Top 10 attacks.
+- NLBs (L4) are skipped as WAF does not apply \u2014 noted in warnings.
+- Gracefully handles WAFv2 access denied or unavailable regions.
 `;
 var RISK_SCORING_CONTENT = `# Risk Scoring Model
 
@@ -5422,8 +5763,144 @@ var MODULE_DESCRIPTIONS = {
   trusted_advisor_findings: "Aggregates security checks from AWS Trusted Advisor \u2014 requires Business or Enterprise Support plan.",
   config_rules_findings: "Pulls non-compliant AWS Config Rule evaluation results \u2014 configuration compliance violations across all resource types.",
   access_analyzer_findings: "Pulls active IAM Access Analyzer findings \u2014 resources accessible from outside the account (external principals, public access).",
-  patch_compliance_findings: "Checks SSM Patch Manager compliance \u2014 managed instances with missing or failed security and system patches."
+  patch_compliance_findings: "Checks SSM Patch Manager compliance \u2014 managed instances with missing or failed security and system patches.",
+  imdsv2_enforcement: "Checks if EC2 instances enforce IMDSv2 (HttpTokens: required) \u2014 IMDSv1 allows credential theft via SSRF.",
+  waf_coverage: "Checks if internet-facing ALBs have WAF Web ACL associated for protection against common web exploits."
+};
+var HW_DEFENSE_CHECKLIST = `
+\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550
+\u{1F4CB} \u62A4\u7F51\u884C\u52A8\u8865\u5145\u63D0\u9192\uFF08\u8D85\u51FA\u81EA\u52A8\u5316\u626B\u63CF\u8303\u56F4\uFF09
+\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550
+
+\u4EE5\u4E0B\u4E8B\u9879\u9700\u8981\u4EBA\u5DE5\u786E\u8BA4\u548C\u6267\u884C\uFF1A
+
+\u26A0\uFE0F \u5E94\u6025\u9694\u79BB/\u6B62\u8840\u65B9\u6848
+  \u25A1 \u51C6\u5907\u4E13\u7528\u9694\u79BB\u5B89\u5168\u7EC4\uFF08\u65E0 Inbound/Outbound \u89C4\u5219\uFF09
+  \u25A1 \u5236\u5B9A\u5B9E\u4F8B\u9694\u79BB SOP\uFF1A\u544A\u8B66 \u2192 \u6392\u67E5 \u2192 \u5C01\u9501\u653B\u51FBIP \u2192 \u7F51\u7EDC\u9694\u79BB \u2192 \u5B89\u5168\u5904\u7F6E \u2192 \u8BB0\u5F55\u653B\u51FB\u9879
+  \u25A1 \u660E\u786E\u5404\u7CFB\u7EDF\uFF08\u751F\u4EA7\u6838\u5FC3/\u751F\u4EA7\u975E\u6838\u5FC3/\u6D4B\u8BD5/\u5F00\u53D1\uFF09\u7684\u5E94\u6025\u5904\u7F6E\u65B9\u5F0F
+  \u25A1 \u660E\u786E\u5404\u9879\u76EE\u8D26\u6237\u53CA\u8D44\u6E90\u7684\u8D1F\u8D23\u4EBA\u4E0E\u8054\u7CFB\u65B9\u5F0F
+
+\u26A0\uFE0F \u6D4B\u8BD5/\u5F00\u53D1\u73AF\u5883\u5904\u7F6E
+  \u25A1 \u975E\u6838\u5FC3\u7CFB\u7EDF\u5728\u62A4\u7F51\u671F\u95F4\u5173\u95ED
+  \u25A1 \u6D4B\u8BD5/\u5F00\u53D1\u73AF\u5883\u5173\u95ED\u6216\u4E0E\u751F\u4EA7\u4FDD\u6301\u540C\u7B49\u5B89\u5168\u57FA\u7EBF
+  \u25A1 \u786E\u8BA4\u54EA\u4E9B\u73AF\u5883\u53EF\u4EE5\u7D27\u6025\u5173\u505C\uFF0C\u907F\u514D\u653B\u51FB\u6269\u6563
+
+\u26A0\uFE0F \u503C\u5B88\u56E2\u961F\u7EC4\u5EFA
+  \u25A1 7\xD724 \u76D1\u63A7\u5FEB\u901F\u54CD\u5E94\u56E2\u961F
+  \u25A1 \u6280\u672F\u4E0E\u98CE\u9669\u5206\u6790\u7EC4
+  \u25A1 \u5B89\u5168\u7B56\u7565\u4E0B\u53D1\u7EC4
+  \u25A1 \u4E1A\u52A1\u54CD\u5E94\u7EC4
+  \u25A1 \u660E\u786E AWS TAM/Support \u8054\u7CFB\u65B9\u5F0F\uFF08ES/EOP \u5BA2\u6237\uFF09
+
+\u26A0\uFE0F \u51FA\u5165\u7AD9\u8DEF\u5F84\u67B6\u6784\u56FE
+  \u25A1 \u786E\u4FDD\u6240\u6709\u4E92\u8054\u7F51/DX \u4E13\u7EBF\u51FA\u5165\u7AD9\u8DEF\u5F84\u5728\u67B6\u6784\u56FE\u4E2D\u6E05\u6670\u6807\u6CE8
+  \u25A1 \u660E\u786E\u5404 ELB/Public EC2/S3/DX \u7684\u6570\u636E\u6D41\u5411
+  \u25A1 \u8BC6\u522B\u6240\u6709\u9762\u5411\u4E92\u8054\u7F51\u7684\u6570\u636E\u4EA4\u4E92\u63A5\u53E3
+
+\u26A0\uFE0F \u4E3B\u52A8\u5F0F\u6E17\u900F\u6D4B\u8BD5
+  \u25A1 \u62A4\u7F51\u524D\u8054\u7CFB\u5B89\u5168\u5382\u5546\uFF08\u9752\u85E4/\u957F\u4EAD/\u5FAE\u6B65\u7B49\uFF09\u8FDB\u884C\u6A21\u62DF\u653B\u51FB\u6F14\u7EC3
+  \u25A1 \u57FA\u4E8E\u6E17\u900F\u6D4B\u8BD5\u62A5\u544A\u8FDB\u884C\u6B63\u5F0F\u62A4\u7F51\u524D\u7684\u5B89\u5168\u52A0\u56FA
+  \u25A1 \u5173\u6CE8 AWS \u5B89\u5168\u516C\u544A\uFF08\u5DF2\u77E5\u6F0F\u6D1E\u4E0E\u8865\u4E01\uFF09
+
+\u26A0\uFE0F WAR-ROOM \u5B9E\u65F6\u6C9F\u901A
+  \u25A1 \u521B\u5EFA\u62A4\u7F51\u671F\u95F4\u4E13\u7528\u6C9F\u901A\u6E20\u9053\uFF08\u4F01\u5FAE/\u9489\u9489/\u98DE\u4E66/Chime\uFF09
+  \u25A1 \u4E0E AWS TAM \u5EFA\u7ACB WAR-ROOM \u8054\u7CFB\uFF08\u4F01\u4E1A\u7EA7\u652F\u6301\u5BA2\u6237\uFF09
+  \u25A1 \u7EDF\u4E00\u6848\u4F8B\u6807\u9898\u683C\u5F0F\uFF1A"\u3010\u62A4\u7F51\u3011+ \u95EE\u9898\u63CF\u8FF0"
+
+\u26A0\uFE0F \u5BC6\u7801\u4E0E\u51ED\u8BC1\u7BA1\u7406
+  \u25A1 \u6240\u6709 IAM \u7528\u6237\u7ED1\u5B9A MFA
+  \u25A1 AKSK \u8F6E\u8F6C\u5468\u671F \u2264 90 \u5929
+  \u25A1 \u907F\u514D\u5171\u4EAB\u8D26\u6237\u4F7F\u7528
+  \u25A1 S3/Lambda/\u5E94\u7528\u4EE3\u7801\u4E2D\u65E0\u660E\u6587\u5BC6\u7801
+
+\u26A0\uFE0F \u62A4\u7F51\u540E\u4F18\u5316
+  \u25A1 \u9488\u5BF9\u653B\u51FB\u62A5\u544A\u9010\u9879\u5E94\u7B54\u4E0E\u4FEE\u590D
+  \u25A1 \u4E0E\u5B89\u5168\u56E2\u961F\u5EFA\u7ACB\u5468\u671F\u6027\u5B89\u5168\u7EF4\u62A4\u6D41\u7A0B
+  \u25A1 \u6301\u7EED\u8865\u5168\u5B89\u5168\u98CE\u9669
+
+\u53C2\u8003\uFF1AAWS \u62A4\u7F51\u884C\u52A8 Standard Operation Procedure (Compliance IEM)
+`;
+var SERVICE_RECOMMENDATIONS2 = {
+  security_hub_findings: {
+    icon: "\u{1F534}",
+    service: "Security Hub",
+    impact: "\u65E0\u6CD5\u83B7\u53D6 300+ \u9879\u81EA\u52A8\u5316\u5B89\u5168\u68C0\u67E5\uFF08FSBP/CIS/PCI DSS \u6807\u51C6\uFF09",
+    action: "\u542F\u7528 Security Hub \u83B7\u5F97\u6700\u5168\u9762\u7684\u5B89\u5168\u6001\u52BF\u8BC4\u4F30"
+  },
+  guardduty_findings: {
+    icon: "\u{1F534}",
+    service: "GuardDuty",
+    impact: "\u65E0\u6CD5\u68C0\u6D4B\u5A01\u80C1\u6D3B\u52A8\uFF08\u6076\u610F IP\u3001\u5F02\u5E38 API \u8C03\u7528\u3001\u52A0\u5BC6\u8D27\u5E01\u6316\u77FF\u7B49\uFF09",
+    action: "\u542F\u7528 GuardDuty \u83B7\u5F97\u6301\u7EED\u5A01\u80C1\u68C0\u6D4B\u80FD\u529B"
+  },
+  inspector_findings: {
+    icon: "\u{1F7E1}",
+    service: "Inspector",
+    impact: "\u65E0\u6CD5\u626B\u63CF EC2/Lambda/\u5BB9\u5668\u7684\u8F6F\u4EF6\u6F0F\u6D1E\uFF08CVE\uFF09",
+    action: "\u542F\u7528 Inspector \u53D1\u73B0\u5DF2\u77E5\u5B89\u5168\u6F0F\u6D1E"
+  },
+  trusted_advisor_findings: {
+    icon: "\u{1F7E1}",
+    service: "Trusted Advisor",
+    impact: "\u65E0\u6CD5\u83B7\u53D6 AWS \u6700\u4F73\u5B9E\u8DF5\u5B89\u5168\u68C0\u67E5",
+    action: "\u5347\u7EA7\u81F3 Business/Enterprise Support \u8BA1\u5212\u4EE5\u4F7F\u7528 Trusted Advisor \u5B89\u5168\u68C0\u67E5"
+  },
+  config_rules_findings: {
+    icon: "\u{1F7E1}",
+    service: "AWS Config",
+    impact: "\u65E0\u6CD5\u68C0\u67E5\u8D44\u6E90\u914D\u7F6E\u5408\u89C4\u72B6\u6001",
+    action: "\u542F\u7528 AWS Config \u5E76\u914D\u7F6E Config Rules"
+  },
+  access_analyzer_findings: {
+    icon: "\u{1F7E1}",
+    service: "IAM Access Analyzer",
+    impact: "\u65E0\u6CD5\u68C0\u6D4B\u8D44\u6E90\u662F\u5426\u88AB\u5916\u90E8\u8D26\u53F7\u6216\u516C\u7F51\u8BBF\u95EE",
+    action: "\u521B\u5EFA IAM Access Analyzer\uFF08\u8D26\u6237\u7EA7\u6216\u7EC4\u7EC7\u7EA7\uFF09"
+  },
+  patch_compliance_findings: {
+    icon: "\u{1F7E1}",
+    service: "SSM Patch Manager",
+    impact: "\u65E0\u6CD5\u68C0\u67E5\u5B9E\u4F8B\u8865\u4E01\u5408\u89C4\u72B6\u6001",
+    action: "\u5B89\u88C5 SSM Agent \u5E76\u914D\u7F6E Patch Manager"
+  }
 };
+var SERVICE_NOT_ENABLED_PATTERNS2 = [
+  "not enabled",
+  "not found",
+  "No IAM Access Analyzer",
+  "No SSM-managed instances",
+  "requires AWS Business or Enterprise Support",
+  "not available",
+  "is not enabled"
+];
+function buildServiceReminder(modules) {
+  const disabledServices = [];
+  for (const mod of modules) {
+    const rec = SERVICE_RECOMMENDATIONS2[mod.module];
+    if (!rec) continue;
+    if (!mod.warnings?.length) continue;
+    const hasNotEnabled = mod.warnings.some(
+      (w) => SERVICE_NOT_ENABLED_PATTERNS2.some((p) => w.includes(p))
+    );
+    if (hasNotEnabled) {
+      disabledServices.push(rec);
+    }
+  }
+  if (disabledServices.length === 0) return "";
+  const lines = [
+    "",
+    "\u26A1 \u4EE5\u4E0B\u5B89\u5168\u670D\u52A1\u672A\u542F\u7528\uFF0C\u90E8\u5206\u68C0\u67E5\u65E0\u6CD5\u6267\u884C\uFF1A",
+    ""
+  ];
+  for (const svc of disabledServices) {
+    lines.push(`${svc.icon} ${svc.service} \u672A\u542F\u7528`);
+    lines.push(`   \u5F71\u54CD\uFF1A${svc.impact}`);
+    lines.push(`   \u5EFA\u8BAE\uFF1A${svc.action}`);
+    lines.push("");
+  }
+  lines.push("\u542F\u7528\u4EE5\u4E0A\u670D\u52A1\u540E\u91CD\u65B0\u626B\u63CF\u53EF\u83B7\u5F97\u66F4\u5B8C\u6574\u7684\u5B89\u5168\u8BC4\u4F30\u3002");
+  return lines.join("\n");
+}
 function summarizeResult(result) {
   const { summary } = result;
   const lines = [
@@ -5431,6 +5908,10 @@ function summarizeResult(result) {
     `Total findings: ${summary.totalFindings} (${summary.critical} Critical, ${summary.high} High, ${summary.medium} Medium, ${summary.low} Low)`,
     `Modules: ${summary.modulesSuccess} succeeded, ${summary.modulesError} errored`
   ];
+  const reminder = buildServiceReminder(result.modules);
+  if (reminder) {
+    lines.push(reminder);
+  }
   return lines.join("\n");
 }
 function summarizeScanResult(result) {
@@ -5474,7 +5955,9 @@ function createServer(defaultRegion) {
     new TrustedAdvisorFindingsScanner(),
     new ConfigRulesFindingsScanner(),
     new AccessAnalyzerFindingsScanner(),
-    new PatchComplianceFindingsScanner()
+    new PatchComplianceFindingsScanner(),
+    new Imdsv2EnforcementScanner(),
+    new WafCoverageScanner()
   ];
   const scannerMap = /* @__PURE__ */ new Map();
   for (const s of allScanners) {
@@ -5530,7 +6013,9 @@ function createServer(defaultRegion) {
     { toolName: "scan_trusted_advisor_findings", moduleName: "trusted_advisor_findings", label: "Trusted Advisor Findings" },
     { toolName: "scan_config_rules_findings", moduleName: "config_rules_findings", label: "Config Rules Findings" },
     { toolName: "scan_access_analyzer_findings", moduleName: "access_analyzer_findings", label: "Access Analyzer Findings" },
-    { toolName: "scan_patch_compliance_findings", moduleName: "patch_compliance_findings", label: "Patch Compliance Findings" }
+    { toolName: "scan_patch_compliance_findings", moduleName: "patch_compliance_findings", label: "Patch Compliance Findings" },
+    { toolName: "scan_imdsv2_enforcement", moduleName: "imdsv2_enforcement", label: "IMDSv2 Enforcement" },
+    { toolName: "scan_waf_coverage", moduleName: "waf_coverage", label: "WAF Coverage" }
   ];
   for (const { toolName, moduleName, label } of individualScanners) {
     server.tool(
@@ -5653,12 +6138,17 @@ function createServer(defaultRegion) {
           lines.push("");
           lines.push(`Warning: ${missingModules.length} requested module(s) not available: ${missingModules.join(", ")}`);
         }
-        return {
-          content: [
-            { type: "text", text: lines.join("\n") },
-            { type: "text", text: JSON.stringify(result, null, 2) }
-          ]
-        };
+        const content = [
+          { type: "text", text: lines.join("\n") },
+          { type: "text", text: JSON.stringify(result, null, 2) }
+        ];
+        if (group === "hw_defense") {
+          const summaryContent = content[0];
+          if (summaryContent && summaryContent.type === "text") {
+            summaryContent.text += "\n\n" + HW_DEFENSE_CHECKLIST;
+          }
+        }
+        return { content };
       } catch (err) {
         return { content: [{ type: "text", text: `Error: ${err instanceof Error ? err.message : String(err)}` }], isError: true };
       }
@@ -5962,7 +6452,7 @@ Deploy this as a StackSet from your Management Account to all member accounts.`
   server.resource(
     "security-rules",
     "security://rules",
-    { description: "Describes all 17 scan modules and their check rules", mimeType: "text/markdown" },
+    { description: "Describes all 19 scan modules and their check rules", mimeType: "text/markdown" },
     async () => ({
       contents: [{ uri: "security://rules", text: SECURITY_RULES_CONTENT, mimeType: "text/markdown" }]
     })
@@ -6009,6 +6499,25 @@ ${finding}`
       ]
     })
   );
+  server.prompt(
+    "hw_defense_checklist",
+    "\u62A4\u7F51\u884C\u52A8\u5B8C\u6574\u68C0\u67E5\u6E05\u5355 \u2014 \u5305\u542B\u81EA\u52A8\u5316\u626B\u63CF\u9879\u548C\u4EBA\u5DE5\u68C0\u67E5\u9879",
+    async () => ({
+      messages: [
+        {
+          role: "user",
+          content: {
+            type: "text",
+            text: `\u8BF7\u57FA\u4E8E\u4EE5\u4E0B\u62A4\u7F51\u884C\u52A8\u68C0\u67E5\u6E05\u5355\uFF0C\u5E2E\u52A9\u6211\u5236\u5B9A\u62A4\u7F51\u51C6\u5907\u8BA1\u5212\uFF1A
+
+${HW_DEFENSE_CHECKLIST}
+
+\u81EA\u52A8\u5316\u626B\u63CF\u90E8\u5206\u8BF7\u4F7F\u7528 scan_group hw_defense \u6267\u884C\u3002\u4EE5\u4E0A\u4EBA\u5DE5\u68C0\u67E5\u9879\u8BF7\u9010\u9879\u786E\u8BA4\u5E76\u63D0\u4F9B\u5177\u4F53\u5EFA\u8BAE\u3002`
+          }
+        }
+      ]
+    })
+  );
   return server;
 }
 async function startServer(defaultRegion) {