awslabs.cloudtrail-mcp-server 0.0.2__tar.gz → 0.0.4__tar.gz

{awslabs_cloudtrail_mcp_server-0.0.2 → awslabs_cloudtrail_mcp_server-0.0.4}/CHANGELOG.md

@@ -5,6 +5,18 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.0.3] - 2025-09-22
+
+### Changed
+
+- Update the context to include event schema for better generation of SQL.
+
+## [0.0.1] - 2025-08-25
+
+### Added
+
+- Tools for CloudTrail Lookup and Lake.
+
 ## Unreleased
 
 ### Added

{awslabs_cloudtrail_mcp_server-0.0.2 → awslabs_cloudtrail_mcp_server-0.0.4}/Dockerfile

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # dependabot should continue to update this to the latest hash.
-FROM public.ecr.aws/sam/build-python3.10@sha256:e78695db10ca8cb129e59e30f7dc9789b0dbd0181dba195d68419c72bac51ac1 AS uv
+FROM public.ecr.aws/docker/library/python:3.13-alpine@sha256:070342a0cc1011532c0e69972cce2bbc6cc633eba294bae1d12abea8bd05303b AS uv
 
 # Install the project into `/app`
 WORKDIR /app
@@ -33,38 +33,48 @@ ENV UV_FROZEN=true
 # Copy the required files first
 COPY pyproject.toml uv.lock uv-requirements.txt ./
 
+# Python optimization and uv configuration
+ENV PIP_NO_CACHE_DIR=1 \
+    PIP_DISABLE_PIP_VERSION_CHECK=1
+
+# Install system dependencies and Python package manager
+RUN apk update && \
+    apk add --no-cache --virtual .build-deps \
+    build-base \
+    gcc \
+    musl-dev \
+    libffi-dev \
+    openssl-dev \
+    cargo
+
 # Install the project's dependencies using the lockfile and settings
 RUN --mount=type=cache,target=/root/.cache/uv \
-    pip install --require-hashes --requirement uv-requirements.txt && \
-    uv sync --frozen --no-install-project --no-dev --no-editable
+    pip install --require-hashes --requirement uv-requirements.txt --no-cache-dir && \
+    uv sync --python 3.13 --frozen --no-install-project --no-dev --no-editable
 
 # Then, add the rest of the project source code and install it
 # Installing separately from its dependencies allows optimal layer caching
 COPY . /app
 RUN --mount=type=cache,target=/root/.cache/uv \
-    uv sync --frozen --no-dev --no-editable
+    uv sync --python 3.13 --frozen --no-dev --no-editable
 
 # Make the directory just in case it doesn't exist
 RUN mkdir -p /root/.local
 
-FROM public.ecr.aws/sam/build-python3.10@sha256:e78695db10ca8cb129e59e30f7dc9789b0dbd0181dba195d68419c72bac51ac1
+FROM public.ecr.aws/docker/library/python:3.13-alpine@sha256:070342a0cc1011532c0e69972cce2bbc6cc633eba294bae1d12abea8bd05303b
 
 # Place executables in the environment at the front of the path and include other binaries
-ENV PATH="/app/.venv/bin:$PATH:/usr/sbin"
-
-# Install lsof for the healthcheck
-# Install other tools as needed for the MCP server
-# Add non-root user and ability to change directory into /root
-RUN yum update -y && \
-    yum install -y lsof && \
-    yum clean all -y && \
-    rm -rf /var/cache/yum && \
-    groupadd --force --system app && \
-    useradd app -g app -d /app && \
-    chmod o+x /root
-
-# Get the project from the uv layer
-COPY --from=uv --chown=app:app /root/.local /root/.local
+ENV PATH="/app/.venv/bin:$PATH" \
+    PYTHONUNBUFFERED=1
+
+# Install runtime dependencies and create application user
+RUN apk update && \
+    apk add --no-cache ca-certificates && \
+    update-ca-certificates && \
+    addgroup -S app && \
+    adduser -S app -G app -h /app
+
+# Copy application artifacts from build stage
 COPY --from=uv --chown=app:app /app/.venv /app/.venv
 
 # Get healthcheck script
@@ -74,5 +84,5 @@ COPY ./docker-healthcheck.sh /usr/local/bin/docker-healthcheck.sh
 USER app
 
 # When running the container, add --db-path and a bind mount to the host's db file
-HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "docker-healthcheck.sh" ]
+HEALTHCHECK --interval=60s --timeout=10s --start-period=10s --retries=3 CMD ["docker-healthcheck.sh"]
 ENTRYPOINT ["awslabs.cloudtrail-mcp-server"]

{awslabs_cloudtrail_mcp_server-0.0.2 → awslabs_cloudtrail_mcp_server-0.0.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: awslabs.cloudtrail-mcp-server
-Version: 0.0.2
+Version: 0.0.4
 Summary: An AWS Labs Model Context Protocol (MCP) server for cloudtrail
 Project-URL: homepage, https://awslabs.github.io/mcp/
 Project-URL: docs, https://awslabs.github.io/mcp/servers/cloudtrail-mcp-server/

{awslabs_cloudtrail_mcp_server-0.0.2 → awslabs_cloudtrail_mcp_server-0.0.4}/awslabs/cloudtrail_mcp_server/__init__.py

@@ -14,5 +14,5 @@
 
 """awslabs.cloudtrail-mcp-server"""
 
-__version__ = '0.0.2'
+__version__ = '0.0.4'
 MCP_SERVER_VERSION = __version__

{awslabs_cloudtrail_mcp_server-0.0.2 → awslabs_cloudtrail_mcp_server-0.0.4}/awslabs/cloudtrail_mcp_server/tools.py

@@ -254,14 +254,104 @@ class CloudTrailTools:
         IMPORTANT LIMITATIONS:
         - CloudTrail Lake only supports SELECT statements using Trino-compatible SQL syntax
         - INSERT, UPDATE, DELETE, CREATE, DROP, and other DDL/DML operations are not supported
+        - Do not use Common Table Expression (CTE)
         - Your SQL query MUST include a valid Event Data Store (EDS) ID in the FROM clause
         - Use the list_event_data_stores tool first to get available EDS IDs, then reference the EDS ID
           directly in your FROM clause
-
-        Valid SQL query examples:
-        - SELECT eventname, count(*) FROM 0233062b-51c6-4d18-8dec-a8c90da840d9 WHERE eventtime > '2023-01-01' GROUP BY eventname
-        - SELECT useridentity.username, eventname, eventtime FROM your-eds-id WHERE errorcode IS NOT NULL
-        - SELECT DISTINCT awsregion FROM your-eds-id WHERE eventname = 'CreateUser'
+        - Always use a start and end time using eventtime or have a limit on total output by default
+
+        CLOUDTRAIL EVENT SCHEMA:
+        All CloudTrail events contain these key fields that you can query:
+
+        Core Fields (Always Present):
+        - eventTime: UTC timestamp when request completed
+        - eventVersion: Log format version (current: 1.11)
+        - eventSource: AWS service name (e.g., "s3.amazonaws.com")
+        - eventName: API action name
+        - awsRegion: AWS region where request was made
+        - sourceIPAddress: IP address of requester
+        - eventID: Unique GUID for this event
+        - eventType: AwsApiCall, AwsServiceEvent, AwsConsoleAction, AwsConsoleSignIn, AwsVpceEvent
+        - eventCategory: Management, Data, NetworkActivity, Insight
+
+        UserIdentity Object (Always Present):
+        - userIdentity.type: Root, IAMUser, AssumedRole, Role, FederatedUser, Directory, AWSAccount, AWSService, IdentityCenterUser, SAMLUser, WebIdentityUser, Unknown
+        - userIdentity.principalId: Unique identifier for the entity
+        - userIdentity.arn: ARN of the principal
+        - userIdentity.accountId: Account that owns the entity
+        - userIdentity.accessKeyId: Access key used (may be empty for security)
+        - userIdentity.userName: Friendly name (when available)
+        - userIdentity.invokedBy: AWS service that made the request
+        - userIdentity.identityProvider: External identity provider (SAML/Web)
+        - userIdentity.credentialId: Bearer token credential ID
+        - userIdentity.sessionContext: For temporary credentials (AssumedRole, FederatedUser)
+          - sessionIssuer.type: Source type (Root, IAMUser, Role)
+          - sessionIssuer.principalId: Internal ID of issuer
+          - sessionIssuer.arn: ARN of issuer
+          - sessionIssuer.accountId: Account of issuer
+          - sessionIssuer.userName: Name of credential issuer
+          - attributes.mfaAuthenticated: "true"/"false" if MFA was used
+          - attributes.creationDate: When credentials were issued (ISO 8601)
+          - webIdFederationData.federatedProvider: Identity provider name
+          - webIdFederationData.attributes: Provider-specific attributes
+          - sourceIdentity: Original user identity for role chaining
+          - ec2RoleDelivery: "1.0" or "2.0" for IMDS version
+          - assumedRoot: True for AssumeRoot sessions
+        - userIdentity.onBehalfOf: IAM Identity Center user info
+          - userId: Identity Center user ID
+          - identityStoreArn: Identity store ARN
+        - userIdentity.inScopeOf: Service scope information
+          - sourceArn: Invoking resource ARN
+          - sourceAccount: Source account ID
+          - issuerType: Credential issuer type
+          - credentialsIssuedTo: Credential target resource
+
+        Optional Fields (Conditionally Present):
+        - userAgent: Client that made the request (max 1KB)
+        - errorCode: AWS service error code if request failed (max 1KB)
+        - errorMessage: Error description if request failed (max 1KB)
+        - requestParameters: Request parameters (object, max 100KB)
+        - responseElements: Response elements for write operations (object, max 100KB)
+        - additionalEventData: Additional event data (object, max 28KB)
+        - requestID: Service-generated request identifier (max 1KB)
+        - apiVersion: API version for AwsApiCall events
+        - managementEvent: True if management event
+        - readOnly: true/false if read-only operation
+        - resources: Array of resources accessed
+          - resources[].type: Resource type (e.g., "AWS::S3::Object", "AWS::DynamoDB::Table")
+          - resources[].ARN: Resource ARN
+          - resources[].accountId: Resource owner account
+        - recipientAccountId: Account that received the event
+        - serviceEventDetails: Service event details (object, max 100KB)
+        - sharedEventID: Shared GUID for cross-account events
+        - vpcEndpointId: VPC endpoint identifier (for network events)
+        - vpcEndpointAccountId: VPC endpoint owner account
+        - addendum: Information about delayed/updated events
+          - reason: Why event was delayed (DELIVERY_DELAY, UPDATED_DATA, SERVICE_OUTAGE)
+          - updatedFields: Event record fields updated by addendum
+          - originalRequestID: Original unique ID of request
+          - originalEventID: Original event ID
+        - sessionCredentialFromConsole: "true" if from console session
+        - eventContext: Enriched event context (tags, IAM conditions)
+          - requestContext: IAM condition keys evaluated during authorization
+          - tagContext: Tags associated with resources and IAM principals
+            - resourceTags: Array of resource tag information
+              - resourceTags[].arn: ARN of the tagged resource
+              - resourceTags[].tags: Object containing tag key-value pairs
+            - principalTags: Tags associated with the IAM principal making the request
+        - edgeDeviceDetails: Edge device information (object, max 28KB)
+        - tlsDetails: TLS connection information
+          - tlsVersion: TLS version used
+          - cipherSuite: Cipher suite used
+          - clientProvidedHostHeader: Client-provided hostname
+
+        Example SQL queries:
+        - SELECT eventname, count(*) FROM eds-id WHERE eventtime > '2025-01-01 00:00:00' GROUP BY eventname
+        - SELECT errorcode, errormessage, eventname FROM eds-id WHERE errorcode IS NOT NULL OR errormessage IS NOT NULL LIMIT 10
+        - SELECT eventname, resources FROM eds-id WHERE any_match(resources, x -> x.type = 'AWS::S3::Object') LIMIT 10
+        - SELECT useridentity.sessioncontext.sessionissuer.username FROM eds-id WHERE useridentity.type = 'AssumedRole' LIMIT 10
+        - SELECT sourceipaddress, count(*) FROM eds-id WHERE eventname = 'ConsoleLogin' GROUP BY sourceipaddress LIMIT 10
+        - SELECT eventname, filter(resources, x -> x.type = 'AWS::Lambda::Function') as lambda_resources FROM eds-id WHERE cardinality(filter(resources, x -> x.type = 'AWS::Lambda::Function')) > 0 LIMIT 5
 
         Returns:
         --------

{awslabs_cloudtrail_mcp_server-0.0.2 → awslabs_cloudtrail_mcp_server-0.0.4}/docker-healthcheck.sh

@@ -1,5 +1,4 @@
 #!/bin/sh
-
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -14,13 +13,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-if [ "$(lsof +c 0 -p 1 | grep -e "^awslabs\..*\s1\s.*\sunix\s.*socket$" | wc -l)" -ne "0" ]; then
-  echo -n "$(lsof +c 0 -p 1 | grep -e "^awslabs\..*\s1\s.*\sunix\s.*socket$" | wc -l) awslabs.* streams found";
+SERVER="cloudtrail-mcp-server"
+
+# Check if the server process is running
+if pgrep -P 0 -a -l -x -f "/app/.venv/bin/python3 /app/.venv/bin/awslabs.$SERVER" > /dev/null; then
+  echo -n "$SERVER is running";
   exit 0;
-else
-  echo -n "Zero awslabs.* streams found";
-  exit 1;
 fi;
 
-echo -n "Never should reach here";
-exit 99;
+# Unhealthy
+exit 1;

{awslabs_cloudtrail_mcp_server-0.0.2 → awslabs_cloudtrail_mcp_server-0.0.4}/pyproject.toml

@@ -2,7 +2,7 @@
 name = "awslabs.cloudtrail-mcp-server"
 
 # NOTE: "Patch"=9223372036854775807 bumps next release to zero.
-version = "0.0.2"
+version = "0.0.4"
 
 description = "An AWS Labs Model Context Protocol (MCP) server for cloudtrail"
 readme = "README.md"

{awslabs_cloudtrail_mcp_server-0.0.2 → awslabs_cloudtrail_mcp_server-0.0.4}/uv-requirements.txt

@@ -1,4 +1,5 @@
 # This file was autogenerated by uv via the following command:
+#    echo "uv==0.8.10" > uv-requirements.in
 #    uv pip compile --generate-hashes --output-file=uv-requirements.txt --strip-extras --python=3.10 uv-requirements.in
 uv==0.8.10 \
     --hash=sha256:31e4fc37ee94b94c032384a0957ad32ba7dce4ce6c04b4880fd3e31e25e51a82 \

{awslabs_cloudtrail_mcp_server-0.0.2 → awslabs_cloudtrail_mcp_server-0.0.4}/uv.lock

@@ -46,7 +46,7 @@ wheels = [
 
 [[package]]
 name = "awslabs-cloudtrail-mcp-server"
-version = "0.0.2"
+version = "0.0.4"
 source = { editable = "." }
 dependencies = [
     { name = "boto3" },