aws-security-mcp 0.6.1 → 0.6.2

package/README.md

@@ -125,11 +125,11 @@ For multi-account scanning across an AWS Organization:
 | `scan_idle_resources` | Find unused/idle resources |
 | `scan_disaster_recovery` | Assess disaster recovery readiness |
 | `scan_security_hub_findings` | Aggregate findings from AWS Security Hub |
-| `scan_guardduty_findings` | Aggregate findings from Amazon GuardDuty |
-| `scan_inspector_findings` | Aggregate findings from Amazon Inspector |
+| `scan_guardduty_findings` | Check if GuardDuty is enabled (findings via Security Hub) |
+| `scan_inspector_findings` | Check if Inspector is enabled (findings via Security Hub) |
 | `scan_trusted_advisor_findings` | Aggregate findings from AWS Trusted Advisor |
-| `scan_config_rules_findings` | Aggregate findings from AWS Config Rules |
-| `scan_access_analyzer_findings` | Aggregate findings from IAM Access Analyzer |
+| `scan_config_rules_findings` | Check if Config is enabled (findings via Security Hub) |
+| `scan_access_analyzer_findings` | Check if Access Analyzer is enabled (findings via Security Hub) |
 | `scan_patch_compliance_findings` | Aggregate findings from SSM Patch Compliance |
 | `scan_imdsv2_enforcement` | Check EC2 instances for IMDSv2 enforcement |
 | `scan_waf_coverage` | Check internet-facing ALBs for WAF Web ACL protection |
@@ -206,8 +206,6 @@ Attach this policy to the IAM user or role running the scanner. All actions are
         "lambda:ListFunctions",
         "lambda:GetFunction",
 
-        "macie2:GetMacieSession",
-
         "organizations:ListAccounts",
 
         "rds:DescribeDBInstances",
@@ -248,7 +246,7 @@ Attach this policy to the IAM user or role running the scanner. All actions are
 
 | Module | What It Checks | Risk Score Range |
 |--------|---------------|-----------------|
-| **Service Detection** | Enabled security services (Security Hub, GuardDuty, Inspector, Config, Macie, CloudTrail) and maturity level | 5.0 - 7.5 |
+| **Service Detection** | Enabled security services (Security Hub, GuardDuty, Inspector, Config, CloudTrail) and maturity level | 5.0 - 7.5 |
 | **Secret Exposure** | Lambda env vars and EC2 userData for exposed secrets (AWS keys, private keys, passwords) | 7.0 - 9.5 |
 | **SSL Certificate** | ACM certificate expiry, failed status, upcoming renewals | 5.5 - 9.0 |
 | **Dangling DNS** | Route53 CNAME records pointing to non-existent resources (subdomain takeover) | 7.0 - 8.5 |

package/dist/bin/aws-security-mcp.js

@@ -237,7 +237,7 @@ import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js"
 import { z } from "zod";
 
 // src/version.ts
-var VERSION = "0.6.1";
+var VERSION = "0.6.2";
 
 // src/utils/aws-client.ts
 import { STSClient, GetCallerIdentityCommand } from "@aws-sdk/client-sts";
@@ -502,10 +502,6 @@ import {
   ConfigServiceClient,
   DescribeConfigurationRecordersCommand
 } from "@aws-sdk/client-config-service";
-import {
-  Macie2Client,
-  GetMacieSessionCommand
-} from "@aws-sdk/client-macie2";
 import {
   CloudTrailClient,
   DescribeTrailsCommand
@@ -549,7 +545,7 @@ function isNotEnabled(err) {
   err.name === "DisabledException" || err.message.includes("not enabled") || err.message.includes("not subscribed");
 }
 function computeMaturityLevel(enabledCount) {
-  if (enabledCount >= 6) return "comprehensive";
+  if (enabledCount >= 5) return "comprehensive";
   if (enabledCount >= 4) return "advanced";
   if (enabledCount >= 2) return "intermediate";
   return "basic";
@@ -853,53 +849,6 @@ var ServiceDetectionScanner = class {
         services.push({ name: "AWS Config", enabled: null, details: "Detection error" });
       }
     }
-    if (region.startsWith("cn-")) {
-      services.push({ name: "Macie", enabled: null, details: "Not available in China regions" });
-      warnings.push("Macie is not available in AWS China regions.");
-    } else {
-      try {
-        const mc = createClient(Macie2Client, region, ctx.credentials);
-        await mc.send(new GetMacieSessionCommand({}));
-        services.push({
-          name: "Macie",
-          enabled: true,
-          details: "Sensitive data detection active"
-        });
-      } catch (err) {
-        if (isAccessDenied(err)) {
-          warnings.push("Macie: insufficient permissions to check status");
-          services.push({ name: "Macie", enabled: null, details: "Access denied" });
-        } else if (isNotEnabled(err)) {
-          services.push({
-            name: "Macie",
-            enabled: false,
-            recommendation: "Enable Macie to detect sensitive data in S3",
-            freeTrialAvailable: true
-          });
-          findings.push(
-            makeFinding({
-              riskScore: 5,
-              title: "Amazon Macie is not enabled",
-              resourceType: "AWS::Macie::Session",
-              resourceId: "macie",
-              resourceArn: `arn:${partition}:macie2:${region}:${accountId}:session`,
-              region,
-              description: "Amazon Macie is not enabled in this region. Macie uses machine learning to discover and protect sensitive data stored in S3.",
-              impact: "Detects sensitive data (PII, credentials, financial data) in S3 buckets. Without it, sensitive data exposure may go unnoticed.",
-              remediationSteps: [
-                "Open the Amazon Macie console.",
-                "Click 'Get Started' and enable Macie.",
-                "Macie offers a 30-day free trial for sensitive data discovery.",
-                "Configure automated sensitive data discovery jobs."
-              ]
-            })
-          );
-        } else {
-          warnings.push(`Macie detection failed: ${err instanceof Error ? err.message : String(err)}`);
-          services.push({ name: "Macie", enabled: null, details: "Detection error" });
-        }
-      }
-    }
     const knownServices = services.filter((s) => s.enabled !== null);
     const enabledCount = services.filter((s) => s.enabled === true).length;
     const coveragePercent = knownServices.length > 0 ? Math.round(enabledCount / knownServices.length * 100) : 0;
@@ -3955,6 +3904,44 @@ var zhI18n = {
     "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883": "\u56DB\u3001\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
     "\u5B89\u5168\u7BA1\u7406\u4E2D\u5FC3": "\u4E94\u3001\u5B89\u5168\u7BA1\u7406\u4E2D\u5FC3"
   },
+  // Module display names
+  moduleNames: {
+    service_detection: "\u5B89\u5168\u670D\u52A1\u68C0\u6D4B",
+    secret_exposure: "\u5BC6\u94A5\u66B4\u9732",
+    ssl_certificate: "SSL \u8BC1\u4E66",
+    dns_dangling: "\u60AC\u6302 DNS",
+    network_reachability: "\u7F51\u7EDC\u53EF\u8FBE\u6027",
+    iam_privilege_escalation: "IAM \u63D0\u6743\u5206\u6790",
+    public_access_verify: "\u516C\u7F51\u8BBF\u95EE\u9A8C\u8BC1",
+    tag_compliance: "\u6807\u7B7E\u5408\u89C4",
+    idle_resources: "\u95F2\u7F6E\u8D44\u6E90",
+    disaster_recovery: "\u707E\u5907\u8BC4\u4F30",
+    security_hub_findings: "Security Hub",
+    guardduty_findings: "GuardDuty",
+    inspector_findings: "Inspector",
+    trusted_advisor_findings: "Trusted Advisor",
+    config_rules_findings: "Config Rules",
+    access_analyzer_findings: "Access Analyzer",
+    patch_compliance_findings: "\u8865\u4E01\u5408\u89C4",
+    imdsv2_enforcement: "IMDSv2 \u5F3A\u5236",
+    waf_coverage: "WAF \u8986\u76D6",
+    // Security Hub sub-categories
+    "sh:FSBP": "\u5B89\u5168\u6700\u4F73\u5B9E\u8DF5",
+    "sh:Inspector": "\u8F6F\u4EF6\u6F0F\u6D1E",
+    "sh:GuardDuty": "\u5A01\u80C1\u68C0\u6D4B",
+    "sh:Config": "\u914D\u7F6E\u5408\u89C4",
+    "sh:Access Analyzer": "\u5916\u90E8\u8BBF\u95EE",
+    "sh:Other": "\u5176\u4ED6\u5B89\u5168\u53D1\u73B0"
+  },
+  // Security Hub sub-categories
+  securityHubSubCategories: {
+    FSBP: { label: "\u5B89\u5168\u6700\u4F73\u5B9E\u8DF5" },
+    Inspector: { label: "\u8F6F\u4EF6\u6F0F\u6D1E" },
+    GuardDuty: { label: "\u5A01\u80C1\u68C0\u6D4B" },
+    Config: { label: "\u914D\u7F6E\u5408\u89C4" },
+    "Access Analyzer": { label: "\u5916\u90E8\u8BBF\u95EE" },
+    Other: { label: "\u5176\u4ED6\u5B89\u5168\u53D1\u73B0" }
+  },
   // Service Recommendations
   notEnabled: "\u672A\u542F\u7528",
   serviceRecommendations: {
@@ -4187,6 +4174,44 @@ var enI18n = {
     "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883": "IV. Computing Environment Security",
     "\u5B89\u5168\u7BA1\u7406\u4E2D\u5FC3": "V. Security Management Center"
   },
+  // Module display names
+  moduleNames: {
+    service_detection: "Security Service Detection",
+    secret_exposure: "Secret Exposure",
+    ssl_certificate: "SSL Certificate",
+    dns_dangling: "Dangling DNS",
+    network_reachability: "Network Reachability",
+    iam_privilege_escalation: "IAM Privilege Escalation",
+    public_access_verify: "Public Access Verification",
+    tag_compliance: "Tag Compliance",
+    idle_resources: "Idle Resources",
+    disaster_recovery: "Disaster Recovery",
+    security_hub_findings: "Security Hub",
+    guardduty_findings: "GuardDuty",
+    inspector_findings: "Inspector",
+    trusted_advisor_findings: "Trusted Advisor",
+    config_rules_findings: "Config Rules",
+    access_analyzer_findings: "Access Analyzer",
+    patch_compliance_findings: "Patch Compliance",
+    imdsv2_enforcement: "IMDSv2 Enforcement",
+    waf_coverage: "WAF Coverage",
+    // Security Hub sub-categories
+    "sh:FSBP": "Security Best Practices",
+    "sh:Inspector": "Software Vulnerabilities",
+    "sh:GuardDuty": "Threat Detection",
+    "sh:Config": "Configuration Compliance",
+    "sh:Access Analyzer": "External Access",
+    "sh:Other": "Other Security Findings"
+  },
+  // Security Hub sub-categories
+  securityHubSubCategories: {
+    FSBP: { label: "Security Best Practices" },
+    Inspector: { label: "Software Vulnerabilities" },
+    GuardDuty: { label: "Threat Detection" },
+    Config: { label: "Configuration Compliance" },
+    "Access Analyzer": { label: "External Access" },
+    Other: { label: "Other Security Findings" }
+  },
   // Service Recommendations
   notEnabled: "Not Enabled",
   serviceRecommendations: {
@@ -4391,7 +4416,7 @@ function generateMarkdownReport(scanResults, lang) {
   for (const m of modules) {
     const status = m.status === "success" ? "\u2705" : "\u274C";
     lines.push(
-      `| ${m.module} | ${m.resourcesScanned} | ${m.findingsCount} | ${status} |`
+      `| ${t.moduleNames[m.module] ?? m.module} | ${m.resourcesScanned} | ${m.findingsCount} | ${status} |`
     );
   }
   lines.push("");
@@ -7234,6 +7259,22 @@ var SEV_COLOR = {
   LOW: "#22c55e"
 };
 var SEVERITY_ORDER2 = ["CRITICAL", "HIGH", "MEDIUM", "LOW"];
+function getRecommendationTemplate(rem) {
+  return rem.replace(/\b(i-[0-9a-f]+)\b/g, "{instance}").replace(/\b(vol-[0-9a-f]+)\b/g, "{volume}").replace(/\b(sg-[0-9a-f]+)\b/g, "{sg}").replace(/\b(eipalloc-[0-9a-f]+)\b/g, "{eip}").replace(/\b(arn:aws[-\w]*:[^"\s]+)\b/g, "{arn}").replace(/"[^"]+"/g, "{name}").replace(/bucket \S+/g, "bucket {name}").replace(/instance \S+/g, "instance {id}").replace(/volume \S+/g, "volume {id}").replace(/rule \S+/g, "rule {name}");
+}
+function getSecurityHubSource(finding) {
+  const impact = finding.impact ?? "";
+  const match = impact.match(/^Source:\s*([^(]+)/);
+  if (!match) return "Other";
+  const product = match[1].trim();
+  if (product === "Security Hub" || product.includes("Foundational")) return "FSBP";
+  if (product === "Inspector" || product.includes("Inspector")) return "Inspector";
+  if (product === "GuardDuty" || product.includes("GuardDuty")) return "GuardDuty";
+  if (product === "Config" || product.includes("Config")) return "Config";
+  if (product === "IAM Access Analyzer" || product.includes("Access Analyzer")) return "Access Analyzer";
+  return "Other";
+}
+var SECURITY_HUB_SUB_CAT_ORDER = ["FSBP", "Inspector", "GuardDuty", "Config", "Access Analyzer", "Other"];
 function scoreColor(score) {
   if (score >= 80) return "#22c55e";
   if (score >= 50) return "#eab308";
@@ -7611,6 +7652,47 @@ function generateHtmlReport(scanResults, history, lang) {
   const allFindings = modules.flatMap(
     (m) => m.findings.map((f) => ({ ...f, module: f.module ?? m.module }))
   );
+  const shModule = modules.find((m) => m.module === "security_hub_findings");
+  const shSubCats = [];
+  if (shModule && shModule.findingsCount > 0) {
+    const catMap = {};
+    for (const f of shModule.findings) {
+      const cat = getSecurityHubSource(f);
+      if (!catMap[cat]) catMap[cat] = [];
+      catMap[cat].push(f);
+    }
+    for (const cat of SECURITY_HUB_SUB_CAT_ORDER) {
+      const catFindings = catMap[cat];
+      if (catFindings && catFindings.length > 0) {
+        const meta = t.securityHubSubCategories[cat];
+        const shLabel = t.moduleNames[`sh:${cat}`] ?? meta?.label ?? cat;
+        shSubCats.push({
+          key: cat,
+          label: shLabel,
+          count: catFindings.length,
+          findings: catFindings
+        });
+      }
+    }
+  }
+  const DETECTION_ONLY_MODULES = /* @__PURE__ */ new Set([
+    "guardduty_findings",
+    "inspector_findings",
+    "config_rules_findings",
+    "access_analyzer_findings"
+  ]);
+  const barChartModules = modules.flatMap((m) => {
+    if (DETECTION_ONLY_MODULES.has(m.module)) return [];
+    if (m.module === "security_hub_findings" && shSubCats.length > 0) {
+      return shSubCats.map((sc) => ({
+        ...m,
+        module: t.moduleNames[`sh:${sc.key}`] ?? sc.key,
+        findingsCount: sc.count,
+        findings: sc.findings
+      }));
+    }
+    return [{ ...m, module: t.moduleNames[m.module] ?? m.module }];
+  });
   let top5Html = "";
   if (allFindings.length > 0) {
     const top5 = [...allFindings].sort((a, b) => b.riskScore - a.riskScore).slice(0, 5);
@@ -7676,34 +7758,51 @@ ${rest}
       if (!moduleMap.has(mod)) moduleMap.set(mod, []);
       moduleMap.get(mod).push(f);
     }
-    const moduleEntries = [...moduleMap.entries()].sort((a, b) => {
+    const expandedEntries = [];
+    for (const [mod, findings] of moduleMap.entries()) {
+      if (DETECTION_ONLY_MODULES.has(mod)) continue;
+      if (mod === "security_hub_findings" && shSubCats.length > 0) {
+        for (const sc of shSubCats) {
+          expandedEntries.push([sc.key, sc.findings, sc.label]);
+        }
+      } else {
+        expandedEntries.push([mod, findings, null]);
+      }
+    }
+    const moduleEntries = expandedEntries.sort((a, b) => {
       const aHasCritHigh = a[1].some((f) => f.severity === "CRITICAL" || f.severity === "HIGH");
       const bHasCritHigh = b[1].some((f) => f.severity === "CRITICAL" || f.severity === "HIGH");
       if (aHasCritHigh !== bHasCritHigh) return aHasCritHigh ? -1 : 1;
       return b[1].length - a[1].length;
     });
-    findingsHtml = moduleEntries.map(([modName, modFindings]) => {
-      const sevCounts = { CRITICAL: 0, HIGH: 0, MEDIUM: 0, LOW: 0 };
-      for (const f of modFindings) sevCounts[f.severity]++;
-      const badges = SEVERITY_ORDER2.filter((sev) => sevCounts[sev] > 0).map((sev) => `<span class="badge badge-${sev.toLowerCase()}">${sevCounts[sev]} ${sev.charAt(0) + sev.slice(1).toLowerCase()}</span>`).join(" ");
-      const sevGroups = SEVERITY_ORDER2.map((sev) => {
-        const findings = modFindings.filter((f) => f.severity === sev);
-        if (findings.length === 0) return "";
-        findings.sort((a, b) => b.riskScore - a.riskScore);
+    const renderSeverityGroups = (findings) => {
+      return SEVERITY_ORDER2.map((sev) => {
+        const sevFindings = findings.filter((f) => f.severity === sev);
+        if (sevFindings.length === 0) return "";
+        sevFindings.sort((a, b) => b.riskScore - a.riskScore);
         const emoji = SEV_EMOJI[sev] ?? "";
         const label = sev.charAt(0) + sev.slice(1).toLowerCase();
         return `<details class="severity-group-fold">
-          <summary><h4>${emoji} ${label} (${findings.length})</h4></summary>
-          ${renderCards(findings)}
+          <summary><h4>${emoji} ${label} (${sevFindings.length})</h4></summary>
+          ${renderCards(sevFindings)}
         </details>`;
       }).filter(Boolean).join("\n");
+    };
+    const renderModuleBadges = (findings) => {
+      const sevCounts = { CRITICAL: 0, HIGH: 0, MEDIUM: 0, LOW: 0 };
+      for (const f of findings) sevCounts[f.severity]++;
+      return SEVERITY_ORDER2.filter((sev) => sevCounts[sev] > 0).map((sev) => `<span class="badge badge-${sev.toLowerCase()}">${sevCounts[sev]} ${sev.charAt(0) + sev.slice(1).toLowerCase()}</span>`).join(" ");
+    };
+    findingsHtml = moduleEntries.map(([modName, modFindings, subCatLabel]) => {
+      const badges = renderModuleBadges(modFindings);
+      const displayName = subCatLabel ?? (t.moduleNames[modName] ?? modName);
       return `<details class="module-fold">
         <summary>
-          <h3>&#128274; ${esc(modName)} (${modFindings.length})</h3>
+          <h3>&#128274; ${esc(displayName)} (${modFindings.length})</h3>
           <span class="module-badges">${badges}</span>
         </summary>
         <div class="module-body">
-          ${sevGroups}
+          ${renderSeverityGroups(modFindings)}
         </div>
       </details>`;
     }).join("\n");
@@ -7723,8 +7822,29 @@ ${rest}
       </div>
     </section>`;
   }
-  const statsRows = modules.map(
-    (m) => `<tr><td>${esc(m.module)}</td><td>${m.resourcesScanned}</td><td>${m.findingsCount}</td><td>${m.status === "success" ? "&#10003;" : "&#10007;"}</td></tr>`
+  const isModuleDisabled = (m) => {
+    if (!m.warnings?.length) return void 0;
+    const w = m.warnings.find(
+      (w2) => SERVICE_NOT_ENABLED_PATTERNS.some((p) => w2.includes(p))
+    );
+    return w;
+  };
+  const statsRows = modules.flatMap(
+    (m) => {
+      if (DETECTION_ONLY_MODULES.has(m.module)) return [];
+      if (m.module === "security_hub_findings" && shSubCats.length > 0) {
+        return shSubCats.map(
+          (sc) => `<tr><td>${esc(sc.label)}</td><td>${m.resourcesScanned}</td><td>${sc.count}</td><td>&#10003;</td></tr>`
+        );
+      }
+      const disabledWarning = isModuleDisabled(m);
+      if (disabledWarning) {
+        const rec = t.serviceRecommendations[m.module];
+        const reason = rec ? rec.action : disabledWarning;
+        return [`<tr><td>${esc(t.moduleNames[m.module] ?? m.module)}</td><td>-</td><td>-</td><td style="color:#eab308">&#9888; ${esc(reason)}</td></tr>`];
+      }
+      return [`<tr><td>${esc(t.moduleNames[m.module] ?? m.module)}</td><td>${m.resourcesScanned}</td><td>${m.findingsCount}</td><td>${m.status === "success" ? "&#10003;" : "&#10007;"}</td></tr>`];
+    }
   ).join("\n");
   let recsHtml = "";
   if (summary.totalFindings > 0) {
@@ -7732,6 +7852,9 @@ ${rest}
     const kbPatches = [];
     let kbSeverity = "LOW";
     let kbUrl;
+    const cveList = [];
+    let cveSeverity = "LOW";
+    let cveUrl;
     const genericPatterns = ["See References", "None Provided", "Review the finding", "Review and remediate."];
     for (const f of allFindings) {
       const rem = f.remediationSteps[0] ?? "Review and remediate.";
@@ -7744,6 +7867,13 @@ ${rest}
         if (!kbUrl && url) kbUrl = url;
         continue;
       }
+      const cveMatch = f.title.match(/CVE-[\d-]+/);
+      if (cveMatch && (f.module === "security_hub_findings" || f.module === "inspector_findings")) {
+        cveList.push(cveMatch[0]);
+        if (SEVERITY_ORDER2.indexOf(f.severity) < SEVERITY_ORDER2.indexOf(cveSeverity)) cveSeverity = f.severity;
+        if (!cveUrl && url) cveUrl = url;
+        continue;
+      }
       if (f.module === "security_hub_findings") {
         const controlMatch = f.title.match(/^([A-Z][A-Za-z0-9]*\.\d+)\s/);
         if (controlMatch) {
@@ -7760,6 +7890,23 @@ ${rest}
           continue;
         }
       }
+      if (f.module !== "security_hub_findings" && f.module !== "inspector_findings") {
+        const template = getRecommendationTemplate(rem);
+        if (template !== rem) {
+          const templateKey = `tmpl:${f.module}:${template}`;
+          const existingTmpl = recMap.get(templateKey);
+          if (existingTmpl) {
+            existingTmpl.count++;
+            if (!existingTmpl.url && url) existingTmpl.url = url;
+            if (SEVERITY_ORDER2.indexOf(f.severity) < SEVERITY_ORDER2.indexOf(existingTmpl.severity)) {
+              existingTmpl.severity = f.severity;
+            }
+            continue;
+          }
+          recMap.set(templateKey, { text: rem, severity: f.severity, count: 1, url });
+          continue;
+        }
+      }
       const existing = recMap.get(rem);
       if (existing) {
         existing.count++;
@@ -7776,8 +7923,14 @@ ${rest}
       const kbList = unique.slice(0, 5).join(", ") + (unique.length > 5 ? ", \u2026" : "");
       recMap.set("__kb__", { text: t.installWindowsPatches(unique.length, kbList), severity: kbSeverity, count: 1, url: kbUrl });
     }
+    if (cveList.length > 0) {
+      const unique = [...new Set(cveList)];
+      const cveDisplay = unique.slice(0, 5).join(", ") + (unique.length > 5 ? ", \u2026" : "");
+      const cveText = (lang ?? "zh") === "zh" ? `\u4FEE\u590D ${unique.length} \u4E2A\u8F6F\u4EF6\u6F0F\u6D1E (${cveDisplay})\uFF0C\u66F4\u65B0\u53D7\u5F71\u54CD\u7684\u8F6F\u4EF6\u5305\u5230\u6700\u65B0\u7248\u672C` : `Fix ${unique.length} software vulnerabilities (${cveDisplay}) \u2014 update affected packages to latest patched versions`;
+      recMap.set("__cve__", { text: cveText, severity: cveSeverity, count: 1, url: cveUrl });
+    }
     for (const [key, rec] of recMap) {
-      if (key.startsWith("ctrl:") && rec.count > 1) {
+      if ((key.startsWith("ctrl:") || key.startsWith("tmpl:")) && rec.count > 1) {
         rec.text += ` \u2014 ${t.affectedResources(rec.count)}`;
         rec.count = 1;
       }
@@ -7844,7 +7997,7 @@ ${remaining.map(renderRec).join("\n")}
   </div>
   <div class="chart-box">
     <div class="chart-title">${esc(t.findingsByModule)}</div>
-    ${barChart(modules, t.allModulesClean)}
+    ${barChart(barChartModules, t.allModulesClean)}
   </div>
 </section>
 
@@ -8017,6 +8170,9 @@ ${itemsHtml}
     const mlpsKbPatches = [];
     let mlpsKbSeverity = "LOW";
     let mlpsKbUrl;
+    const mlpsCveList = [];
+    let mlpsCveSeverity = "LOW";
+    let mlpsCveUrl;
     const mlpsGenericPatterns = ["See References", "None Provided", "Review the finding", "Review and remediate."];
     for (const r of failedResults) {
       for (const f of r.relatedFindings) {
@@ -8030,6 +8186,13 @@ ${itemsHtml}
           if (!mlpsKbUrl && url) mlpsKbUrl = url;
           continue;
         }
+        const cveMatch = f.title.match(/CVE-[\d-]+/);
+        if (cveMatch) {
+          mlpsCveList.push(cveMatch[0]);
+          if (SEVERITY_ORDER2.indexOf(f.severity) < SEVERITY_ORDER2.indexOf(mlpsCveSeverity)) mlpsCveSeverity = f.severity;
+          if (!mlpsCveUrl && url) mlpsCveUrl = url;
+          continue;
+        }
         if (f.module === "security_hub_findings") {
           const controlMatch = f.title.match(/^([A-Z][A-Za-z0-9]*\.\d+)\s/);
           if (controlMatch) {
@@ -8046,6 +8209,23 @@ ${itemsHtml}
             continue;
           }
         }
+        if (f.module !== "security_hub_findings" && f.module !== "inspector_findings") {
+          const template = getRecommendationTemplate(rem);
+          if (template !== rem) {
+            const templateKey = `tmpl:${f.module}:${template}`;
+            const existingTmpl = mlpsRecMap.get(templateKey);
+            if (existingTmpl) {
+              existingTmpl.count++;
+              if (!existingTmpl.url && url) existingTmpl.url = url;
+              if (SEVERITY_ORDER2.indexOf(f.severity) < SEVERITY_ORDER2.indexOf(existingTmpl.severity)) {
+                existingTmpl.severity = f.severity;
+              }
+              continue;
+            }
+            mlpsRecMap.set(templateKey, { text: rem, severity: f.severity, count: 1, url });
+            continue;
+          }
+        }
         const existing = mlpsRecMap.get(rem);
         if (existing) {
           existing.count++;
@@ -8063,8 +8243,14 @@ ${itemsHtml}
       const kbList = unique.slice(0, 5).join(", ") + (unique.length > 5 ? ", \u2026" : "");
       mlpsRecMap.set("__kb__", { text: t.installWindowsPatches(unique.length, kbList), severity: mlpsKbSeverity, count: 1, url: mlpsKbUrl });
     }
+    if (mlpsCveList.length > 0) {
+      const unique = [...new Set(mlpsCveList)];
+      const cveDisplay = unique.slice(0, 5).join(", ") + (unique.length > 5 ? ", \u2026" : "");
+      const cveText = (lang ?? "zh") === "zh" ? `\u4FEE\u590D ${unique.length} \u4E2A\u8F6F\u4EF6\u6F0F\u6D1E (${cveDisplay})\uFF0C\u66F4\u65B0\u53D7\u5F71\u54CD\u7684\u8F6F\u4EF6\u5305\u5230\u6700\u65B0\u7248\u672C` : `Fix ${unique.length} software vulnerabilities (${cveDisplay}) \u2014 update affected packages to latest patched versions`;
+      mlpsRecMap.set("__cve__", { text: cveText, severity: mlpsCveSeverity, count: 1, url: mlpsCveUrl });
+    }
     for (const [key, rec] of mlpsRecMap) {
-      if (key.startsWith("ctrl:") && rec.count > 1) {
+      if ((key.startsWith("ctrl:") || key.startsWith("tmpl:")) && rec.count > 1) {
         rec.text += ` \u2014 ${t.affectedResources(rec.count)}`;
         rec.count = 1;
       }
@@ -8360,7 +8546,6 @@ Detects which AWS security services are enabled and assesses overall security ma
 - **GuardDuty not enabled** \u2014 Risk 7.5: Provides continuous threat detection.
 - **Inspector not enabled** \u2014 Risk 6.0: Scans for software vulnerabilities.
 - **AWS Config not enabled** \u2014 Risk 6.0: Tracks configuration changes.
-- **Macie not enabled** \u2014 Risk 5.0: Detects sensitive data in S3 (not available in China regions).
 - CloudTrail detection is included for coverage metrics.
 
 ### Maturity Levels
@@ -8368,8 +8553,8 @@ Detects which AWS security services are enabled and assesses overall security ma
 |------------------|-------|
 | 0\u20131 | Basic |
 | 2\u20133 | Intermediate |
-| 4\u20135 | Advanced |
-| 6   | Comprehensive |
+| 4   | Advanced |
+| 5   | Comprehensive |
 
 ## 2. Security Hub Findings (security_hub_findings)
 Aggregates active findings from AWS Security Hub. Replaces individual config scanners (SG, S3, IAM, CloudTrail, RDS, EBS, VPC, etc.) with centralized compliance checks from FSBP, CIS, and PCI DSS standards.
@@ -8503,7 +8688,7 @@ import { readFileSync as readFileSync2 } from "fs";
 import { join as join2, dirname } from "path";
 import { fileURLToPath } from "url";
 var MODULE_DESCRIPTIONS = {
-  service_detection: "Detects which AWS security services (Security Hub, GuardDuty, Inspector, Config, Macie) are enabled and assesses security maturity.",
+  service_detection: "Detects which AWS security services (Security Hub, GuardDuty, Inspector, Config) are enabled and assesses security maturity.",
   secret_exposure: "Checks Lambda env vars and EC2 userData for exposed secrets (AWS keys, private keys, passwords).",
   ssl_certificate: "Checks ACM certificates for expiry, failed status, and upcoming renewals.",
   dns_dangling: "Checks Route53 CNAME records for dangling DNS (subdomain takeover risk).",
@@ -8938,14 +9123,12 @@ function createServer(defaultRegion) {
           "Security Hub": "+300 security checks",
           "GuardDuty": "Threat detection",
           "Inspector": "Vulnerability scanning",
-          "AWS Config": "Configuration tracking",
-          "Macie": "Sensitive data detection"
+          "AWS Config": "Configuration tracking"
         };
         const serviceFreeTrials = {
           "Security Hub": true,
           "GuardDuty": true,
-          "Inspector": true,
-          "Macie": true
+          "Inspector": true
         };
         const services = detection.services;
         const coveragePercent = detection.coveragePercent;
@@ -8980,7 +9163,7 @@ function createServer(defaultRegion) {
           lines.push("");
           lines.push("### Recommendations (Priority Order)");
           lines.push("");
-          const priorityOrder = ["Security Hub", "GuardDuty", "Inspector", "AWS Config", "Macie", "CloudTrail"];
+          const priorityOrder = ["Security Hub", "GuardDuty", "Inspector", "AWS Config", "CloudTrail"];
           const sorted = disabled.sort(
             (a, b) => priorityOrder.indexOf(a.name) - priorityOrder.indexOf(b.name)
           );
@@ -9003,7 +9186,7 @@ function createServer(defaultRegion) {
           const nextMilestones = {
             basic: { level: "Intermediate", target: 2, suggestions: ["Security Hub", "GuardDuty"] },
             intermediate: { level: "Advanced", target: 4, suggestions: ["Inspector", "AWS Config"] },
-            advanced: { level: "Comprehensive", target: 6, suggestions: ["Macie"] }
+            advanced: { level: "Comprehensive", target: 5, suggestions: ["CloudTrail"] }
           };
           const next = nextMilestones[maturityLevel];
           if (next) {