aws-security-mcp 0.7.2 → 0.7.4

package/README.md

@@ -14,7 +14,7 @@ MCP server for automated AWS security scanning — 19 modules, risk scoring, zer
 - **100% Read-Only** — uses only Describe/Get/List API calls; never modifies your AWS resources
 - **Multi-Account Support** — scan all accounts in an AWS Organization via `org_mode` with cross-account role assumption
 - **Parallel Execution** — all modules run concurrently via `Promise.allSettled`
-- **Report Generation** — Markdown, professional HTML, and MLPS Level 3 compliance reports
+- **Report Generation** — Markdown, professional HTML, MLPS Level 3 compliance, and HW Defense reports
 - **React Dashboard** — local or S3-hosted dashboard with 30-day trend charts
 - **MCP Resources** — embedded security rules and risk scoring model documentation
 - **MCP Prompts** — pre-built workflows for full scans and finding analysis
@@ -141,6 +141,7 @@ For multi-account scanning across an AWS Organization:
 | `generate_html_report` | Generate a professional HTML report |
 | `generate_mlps3_report` | Generate a MLPS Level 3 compliance report |
 | `generate_mlps3_html_report` | Generate a MLPS Level 3 HTML compliance report |
+| `generate_hw_defense_report` | Generate an HW Defense HTML report (SOP-organized, findings grouped by CVE/control-ID) |
 | `generate_maturity_report` | Generate a security maturity assessment |
 | `save_results` | Save scan results for the dashboard |
 | `get_setup_template` | Get CloudFormation StackSet template for cross-account audit role |
@@ -282,7 +283,7 @@ Pre-defined scanner groupings for common scenarios:
 | Group | Description | Modules |
 |-------|-------------|---------|
 | `mlps3_precheck` | GB/T 22239-2019 等保三级预检 | 17 modules |
-| `hw_defense` | 护网蓝队加固 | 14 modules |
+| `hw_defense` | 护网蓝队加固 — attacker-focused hardening | 11 modules |
 | `exposure` | 公网暴露面评估 | 8 modules |
 | `data_encryption` | 数据加密审计 | 2 modules |
 | `least_privilege` | 最小权限审计 | 3 modules |
@@ -347,6 +348,15 @@ The `generate_report` tool produces a Markdown report with:
 - **Scan Statistics** — per-module resource counts and status
 - **Recommendations** — prioritized action items
 
+## HW Defense Report
+
+The `generate_hw_defense_report` tool produces a dedicated HTML report for 护网 (HW) blue-team hardening exercises. Key features:
+
+- **SOP checklist organization** — findings are grouped by standard operating procedure categories rather than by scanner module
+- **Grouped findings** — duplicate and related findings are collapsed by CVE ID, control ID, or title, reducing noise
+- **Attacker-focused perspective** — the `hw_defense` scan group (11 modules) prioritizes checks that mirror real-world red-team attack chains: privilege escalation, network exposure, secret leakage, missing detection services, and patch gaps
+- **Collapsible sections** — categories default to collapsed for quick executive overview, expandable for detailed review
+
 ## License
 
 MIT

package/dist/bin/aws-security-mcp.js

@@ -16,7 +16,7 @@ __export(dashboard_exports, {
 });
 import { createServer as createServer2 } from "http";
 import { readFile } from "fs/promises";
-import { join as join3, extname, resolve } from "path";
+import { join as join3, extname, resolve, sep } from "path";
 import { existsSync as existsSync2, copyFileSync } from "fs";
 import { fileURLToPath as fileURLToPath2 } from "url";
 import { exec } from "child_process";
@@ -48,7 +48,7 @@ Expected: ${dashboardDir}`
     let filePath = resolve(
       join3(dashboardDir, url === "/" ? "index.html" : url)
     );
-    if (!filePath.startsWith(resolvedBase + "/") && filePath !== resolvedBase) {
+    if (!filePath.startsWith(resolvedBase + sep) && filePath !== resolvedBase) {
       res.writeHead(403);
       res.end("Forbidden");
       return;
@@ -116,9 +116,7 @@ import { join as join4, extname as extname2, relative } from "path";
 import { fileURLToPath as fileURLToPath3 } from "url";
 import {
   S3Client as S3Client5,
-  PutObjectCommand,
-  PutBucketWebsiteCommand,
-  PutBucketPolicyCommand
+  PutObjectCommand
 } from "@aws-sdk/client-s3";
 function collectFiles(dir) {
   const files = [];
@@ -155,38 +153,8 @@ Expected: ${dashboardDir}`
     );
   }
   const s3 = new S3Client5({ region });
-  console.log(`Configuring s3://${bucket} for static website hosting...`);
-  await s3.send(
-    new PutBucketWebsiteCommand({
-      Bucket: bucket,
-      WebsiteConfiguration: {
-        IndexDocument: { Suffix: "index.html" },
-        ErrorDocument: { Key: "index.html" }
-        // SPA fallback
-      }
-    })
-  );
-  const partition = region.startsWith("cn-") ? "aws-cn" : "aws";
-  console.log(`Setting public read bucket policy on s3://${bucket}...`);
-  await s3.send(
-    new PutBucketPolicyCommand({
-      Bucket: bucket,
-      Policy: JSON.stringify({
-        Version: "2012-10-17",
-        Statement: [
-          {
-            Sid: "PublicReadGetObject",
-            Effect: "Allow",
-            Principal: "*",
-            Action: "s3:GetObject",
-            Resource: `arn:${partition}:s3:::${bucket}/*`
-          }
-        ]
-      })
-    })
-  );
   const files = collectFiles(dashboardDir);
-  console.log(`Uploading ${files.length} files to s3://${bucket}...`);
+  console.log(`Uploading ${files.length} files to s3://${bucket}/ ...`);
   for (const filePath of files) {
     const key = relative(dashboardDir, filePath);
     const ext = extname2(filePath);
@@ -202,14 +170,14 @@ Expected: ${dashboardDir}`
     );
     console.log(`  ${key}`);
   }
-  const domain = region.startsWith("cn-") ? "amazonaws.com.cn" : "amazonaws.com";
-  const websiteUrl = `http://${bucket}.s3-website.${region}.${domain}`;
   console.log(`
-Dashboard deployed successfully!`);
-  console.log(`Website URL: ${websiteUrl}`);
-  console.log(
-    "\nNote: Ensure S3 Block Public Access is disabled on this bucket for the website to be accessible.\n"
-  );
+\u2705 Dashboard uploaded to s3://${bucket}/`);
+  console.log(`
+S3 bucket remains private (Block Public Access enabled).`);
+  console.log(`Access control is managed via IAM permissions.`);
+  console.log(`
+To view the dashboard locally:`);
+  console.log(`  aws-security-mcp dashboard --port 3000`);
 }
 var __filename2, __dirname2, CONTENT_TYPES;
 var init_deploy_dashboard = __esm({
@@ -237,7 +205,7 @@ import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js"
 import { z } from "zod";
 
 // src/version.ts
-var VERSION = "0.7.2";
+var VERSION = "0.7.4";
 
 // src/utils/aws-client.ts
 import { STSClient, GetCallerIdentityCommand } from "@aws-sdk/client-sts";
@@ -313,6 +281,25 @@ async function listOrgAccounts(region) {
 }
 
 // src/scanners/runner.ts
+var DEFAULT_CONCURRENCY = 5;
+async function runWithConcurrency(tasks, limit) {
+  const results = [];
+  const executing = /* @__PURE__ */ new Set();
+  for (let i = 0; i < tasks.length; i++) {
+    const idx = i;
+    const p = tasks[idx]().then((value) => {
+      results[idx] = { status: "fulfilled", value };
+    }).catch((reason) => {
+      results[idx] = { status: "rejected", reason };
+    }).finally(() => {
+      executing.delete(p);
+    });
+    executing.add(p);
+    if (executing.size >= limit) await Promise.race(executing);
+  }
+  await Promise.all(executing);
+  return results;
+}
 var AGGREGATION_MODULES = /* @__PURE__ */ new Set([
   "security_hub_findings",
   "guardduty_findings",
@@ -360,8 +347,8 @@ function buildSummary(modules) {
     modulesError
   };
 }
-async function runScannersWithContext(scanners, ctx) {
-  const settled = await Promise.allSettled(scanners.map((s) => s.scan(ctx)));
+async function runScannersWithContext(scanners, ctx, concurrency = DEFAULT_CONCURRENCY) {
+  const settled = await runWithConcurrency(scanners.map((s) => () => s.scan(ctx)), concurrency);
   return settled.map((result, i) => {
     if (result.status === "fulfilled") {
       for (const f of result.value.findings) {
@@ -882,6 +869,25 @@ import {
   DescribeInstancesCommand,
   DescribeInstanceAttributeCommand
 } from "@aws-sdk/client-ec2";
+var USERDATA_CONCURRENCY = 5;
+async function runWithConcurrency2(tasks, limit) {
+  const results = [];
+  const executing = /* @__PURE__ */ new Set();
+  for (let i = 0; i < tasks.length; i++) {
+    const idx = i;
+    const p = tasks[idx]().then((value) => {
+      results[idx] = { status: "fulfilled", value };
+    }).catch((reason) => {
+      results[idx] = { status: "rejected", reason };
+    }).finally(() => {
+      executing.delete(p);
+    });
+    executing.add(p);
+    if (executing.size >= limit) await Promise.race(executing);
+  }
+  await Promise.all(executing);
+  return results;
+}
 var SECRET_PATTERNS = [
   { name: "AWS Access Key", pattern: /AKIA[0-9A-Z]{16}/, matchType: "value" },
   { name: "Private Key", pattern: /-----BEGIN.*PRIVATE KEY-----/, matchType: "value" },
@@ -981,25 +987,28 @@ var SecretExposureScanner = class {
           nextToken = resp.NextToken;
         } while (nextToken);
         resourcesScanned += instances.length;
-        for (const inst of instances) {
+        const userDataTasks = instances.map((inst) => async () => {
+          const instId = inst.InstanceId ?? "unknown";
+          const attrResp = await ec2.send(
+            new DescribeInstanceAttributeCommand({
+              InstanceId: instId,
+              Attribute: "userData"
+            })
+          );
+          const raw = attrResp.UserData?.Value;
+          return { instId, userData: raw ? Buffer.from(raw, "base64").toString("utf-8") : void 0 };
+        });
+        const settled = await runWithConcurrency2(userDataTasks, USERDATA_CONCURRENCY);
+        for (let i = 0; i < instances.length; i++) {
+          const result = settled[i];
+          const inst = instances[i];
           const instId = inst.InstanceId ?? "unknown";
           const instArn = `arn:${partition}:ec2:${region}:${accountId}:instance/${instId}`;
-          let userData;
-          try {
-            const attrResp = await ec2.send(
-              new DescribeInstanceAttributeCommand({
-                InstanceId: instId,
-                Attribute: "userData"
-              })
-            );
-            const raw = attrResp.UserData?.Value;
-            if (raw) {
-              userData = Buffer.from(raw, "base64").toString("utf-8");
-            }
-          } catch (e) {
-            warnings.push(`Could not read userData for ${instId}: ${e instanceof Error ? e.message : String(e)}`);
+          if (result.status === "rejected") {
+            warnings.push(`Could not read userData for ${instId}: ${result.reason instanceof Error ? result.reason.message : String(result.reason)}`);
             continue;
           }
+          const userData = result.value.userData;
           if (!userData) continue;
           for (const sp of SECRET_PATTERNS) {
             if (sp.matchType === "name") continue;
@@ -2190,6 +2199,7 @@ import {
 import {
   S3Client as S3Client3,
   ListBucketsCommand as ListBucketsCommand2,
+  GetBucketLocationCommand as GetBucketLocationCommand2,
   GetBucketTaggingCommand
 } from "@aws-sdk/client-s3";
 var DEFAULT_REQUIRED_TAGS = ["Environment", "Project", "Owner"];
@@ -2306,8 +2316,19 @@ var TagComplianceScanner = class {
         for (const bucket of buckets) {
           const name = bucket.Name ?? "unknown";
           const arn = `arn:${partition}:s3:::${name}`;
+          let bucketClient;
           try {
-            const taggingResp = await s3Client.send(
+            const locResp = await s3Client.send(new GetBucketLocationCommand2({ Bucket: name }));
+            const rawLoc = locResp.LocationConstraint || "us-east-1";
+            const bucketRegion = rawLoc === "EU" ? "eu-west-1" : rawLoc;
+            bucketClient = bucketRegion === region ? s3Client : createClient(S3Client3, bucketRegion, ctx.credentials);
+          } catch (e) {
+            const msg = e instanceof Error ? e.message : String(e);
+            warnings.push(`Bucket ${name}: could not determine region, skipping: ${msg}`);
+            continue;
+          }
+          try {
+            const taggingResp = await bucketClient.send(
               new GetBucketTaggingCommand({ Bucket: name })
             );
             const tags = (taggingResp.TagSet ?? []).map((t) => ({
@@ -2609,6 +2630,7 @@ import {
 import {
   S3Client as S3Client4,
   ListBucketsCommand as ListBucketsCommand3,
+  GetBucketLocationCommand as GetBucketLocationCommand3,
   GetBucketVersioningCommand,
   GetBucketReplicationCommand
 } from "@aws-sdk/client-s3";
@@ -2783,8 +2805,19 @@ var DisasterRecoveryScanner = class {
       resourcesScanned += bucketNames.length;
       for (const name of bucketNames) {
         const arn = `arn:${partition}:s3:::${name}`;
+        let bucketClient;
+        try {
+          const locResp = await s3Client.send(new GetBucketLocationCommand3({ Bucket: name }));
+          const rawLoc = locResp.LocationConstraint || "us-east-1";
+          const bucketRegion = rawLoc === "EU" ? "eu-west-1" : rawLoc;
+          bucketClient = bucketRegion === region ? s3Client : createClient(S3Client4, bucketRegion, ctx.credentials);
+        } catch (e) {
+          const msg = e instanceof Error ? e.message : String(e);
+          warnings.push(`Bucket ${name}: could not determine region, skipping: ${msg}`);
+          continue;
+        }
         try {
-          const ver = await s3Client.send(
+          const ver = await bucketClient.send(
             new GetBucketVersioningCommand({ Bucket: name })
           );
           if (ver.Status !== "Enabled") {
@@ -2810,7 +2843,7 @@ var DisasterRecoveryScanner = class {
           warnings.push(`Bucket ${name} versioning check failed: ${msg}`);
         }
         try {
-          await s3Client.send(
+          await bucketClient.send(
             new GetBucketReplicationCommand({ Bucket: name })
           );
         } catch (e) {
@@ -9950,7 +9983,7 @@ var HELP = `Usage: aws-security-mcp [command] [options]
 Commands:
   (default)            Start MCP server (stdio, for Kiro/Claude Code)
   dashboard            Start local HTTP server serving the security dashboard
-  deploy-dashboard     Deploy dashboard to an S3 bucket as a static website
+  deploy-dashboard     Upload dashboard files to a private S3 bucket
 
 Options:
   --region <region>    AWS region (default: AWS_REGION env or us-east-1)