PyPI - workspaces-euc-mcp-server - Versions diffs - 0.1.5__tar.gz → 0.1.6__tar.gz - Mend

workspaces-euc-mcp-server 0.1.5tar.gz → 0.1.6tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (52) hide show

{workspaces_euc_mcp_server-0.1.5 → workspaces_euc_mcp_server-0.1.6}/CHANGELOG.md RENAMED Viewed

@@ -5,6 +5,18 @@ All notable changes to this project are documented here. The format is based on
 ## [Unreleased]
+## [0.1.6] - 2026-06-02
+### Added
+- `check_directory_health` now surfaces each directory's **registration properties** in its
+  signals — notably the target **OU** (`WorkspaceCreationProperties.DefaultOu`), plus custom
+  security group, local-admin / internet-access / maintenance-mode flags, and directory/workspace
+  type. (AD-backed directories carry an OU; WorkSpaces-managed ones return none.)
+- `get_secure_browser_portal_details` now resolves the portal's **data-protection configuration**
+  when attached: the redacted built-in/custom inline-redaction patterns, global confidence level,
+  and enforced/exempt URLs — not just whether data protection is on. Adds
+  `workspaces-web:GetDataProtectionSettings` to every IAM tier.
 ## [0.1.5] - 2026-06-02
 ### Added

{workspaces_euc_mcp_server-0.1.5 → workspaces_euc_mcp_server-0.1.6}/DESIGN.md RENAMED Viewed

@@ -117,7 +117,7 @@ and return a synthesized result, not raw API passthroughs.
 | `diagnose_workspace_connectivity` | Correlate a Personal WorkSpace's state + connection status + directory health + CloudWatch into a root-cause narrative | `workspaces:Describe*`, `ds:DescribeDirectories`, `cloudwatch:GetMetricData` |
 | `diagnose_pool` | Why a Pool is unhealthy/queued — capacity status, sessions, errors, scaling | `workspaces:DescribeWorkspacesPool*`, `cloudwatch:GetMetricData` |
 | `diagnose_application_fleet` | Fleet state, capacity, scaling activity, fleet errors | `appstream:DescribeFleets`, `appstream:ListAssociatedStacks`, `cloudwatch:GetMetricData`, `application-autoscaling:DescribeScalingActivities` |
-| `check_directory_health` | Shared dependency: directory reachability/registration (skips `ds` for WorkSpaces-managed `wsd-` directories) | `ds:DescribeDirectories`, `workspaces:DescribeWorkspaceDirectories` |
+| `check_directory_health` | Shared dependency: directory reachability/registration + registration properties (target OU, security group, flags); skips `ds` for WorkSpaces-managed `wsd-` directories | `ds:DescribeDirectories`, `workspaces:DescribeWorkspaceDirectories` |
 **Cost, utilization & performance**
 | Tool | Purpose | IAM actions |
@@ -134,7 +134,7 @@ and return a synthesized result, not raw API passthroughs.
 **Secure Browser**
 | Tool | Purpose | IAM actions |
 |---|---|---|
-| `get_secure_browser_portal_details` | Portal config + associated settings (browser/network/user/IP-access) | `workspaces-web:GetPortal`, `workspaces-web:List*`, `workspaces-web:Get*Settings` |
+| `get_secure_browser_portal_details` | Portal config + associated settings (browser/network/user/IP-access) + resolved data-protection redaction config | `workspaces-web:GetPortal`, `workspaces-web:List*`, `workspaces-web:Get*Settings`, `workspaces-web:GetDataProtectionSettings` |
 | `get_secure_browser_portal_usage` | Portal session/usage metrics | `workspaces-web:ListPortals`, `cloudwatch:GetMetricData` |
 **Reporting & audit**

{workspaces_euc_mcp_server-0.1.5 → workspaces_euc_mcp_server-0.1.6}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: workspaces-euc-mcp-server
-Version: 0.1.5
+Version: 0.1.6
 Summary: MCP server for administering the Amazon WorkSpaces family of End User Computing services (Personal, Pools, Applications, Secure Browser, Core).
 Project-URL: Homepage, https://github.com/bengroeneveldsg/aws-workspaces-euc-mcp
 Project-URL: Repository, https://github.com/bengroeneveldsg/aws-workspaces-euc-mcp
@@ -81,7 +81,7 @@ audit, and governance tools:
 | `diagnose_application_fleet` | A WorkSpaces Applications fleet's health and capacity — fleet state, fleet errors, compute capacity, auto-scaling activity, and insufficient-capacity errors. |
 | `diagnose_pool` | A WorkSpaces Pool's health — state, pool errors, user-session capacity, backing directory health, and session-utilization. |
 | `get_application_fleet_usage` | A WorkSpaces Applications fleet's **usage history** — AWS/AppStream capacity/utilization time-series over a window, with a plain-language summary (e.g. idle running capacity) (Tier 0). |
-| `check_directory_health` | Registration state and AWS Directory Service stage for one or all WorkSpaces-registered directories. |
+| `check_directory_health` | Registration state, AWS Directory Service stage, and **registration properties** (target **OU**, custom security group, local-admin / internet-access / maintenance-mode flags) for one or all WorkSpaces-registered directories. |
 | `analyze_workspace_utilization` | Classifies WorkSpaces Personal desktops as unused / idle / active from the `UserConnected` metric (Tier 1). |
 | `recommend_running_mode` | Flags AlwaysOn desktops with low usage as AutoStop candidates, with an **estimated $/mo saving** where the bundle price can be matched (Tier 1). |
 | `get_workspace_performance` | Native CPU / memory / disk / GPU / latency / uptime metrics per desktop from `AWS/WorkSpaces` — no CloudWatch agent (Tier 0). |
@@ -94,7 +94,7 @@ audit, and governance tools:
 | `audit_application_images` | Audits WorkSpaces Applications (AppStream 2.0) **images and image builders** — flags stale base images (unpatched OS), pinned/old AppStream agents, non-AVAILABLE/errored images, SHARED cross-account visibility, and **image builders left RUNNING** (cost + admin surface) (Tier 0). |
 | `get_euc_audit_trail` | **"Who changed what"** — recent EUC management events from CloudTrail (last 90 days, no trail required) across all services; mutations-only by default, flags destructive actions and errors (e.g. AccessDenied) (Tier 0). |
 | `get_euc_service_quotas` | **Service-quota limits + usage headroom** per EUC service; pairs limits with current usage (where AWS publishes a usage metric) to flag quotas approaching their limit — capacity planning (Tier 0). |
-| `get_secure_browser_portal_details` | Resolves a Secure Browser portal's user settings (clipboard/print/download controls + timeouts), network, and attached policies (Tier 0). |
+| `get_secure_browser_portal_details` | Resolves a Secure Browser portal's user settings (clipboard/print/download controls + timeouts), network, attached policies, and — when configured — the **data-protection redaction config** (which built-in/custom patterns are redacted, confidence level, enforced/exempt URLs) (Tier 0). |
 | `get_secure_browser_portal_usage` | A Secure Browser portal's `AWS/WorkSpacesWeb` session metrics over a window (empty until the portal has sessions; Session Logger gives detail) (Tier 0). |
 | `list_unused_resources` | Unused WorkSpaces desktops and stopped/zero-capacity fleets worth reclaiming (Tier 0). |

{workspaces_euc_mcp_server-0.1.5 → workspaces_euc_mcp_server-0.1.6}/README.md RENAMED Viewed

@@ -51,7 +51,7 @@ audit, and governance tools:
 | `diagnose_application_fleet` | A WorkSpaces Applications fleet's health and capacity — fleet state, fleet errors, compute capacity, auto-scaling activity, and insufficient-capacity errors. |
 | `diagnose_pool` | A WorkSpaces Pool's health — state, pool errors, user-session capacity, backing directory health, and session-utilization. |
 | `get_application_fleet_usage` | A WorkSpaces Applications fleet's **usage history** — AWS/AppStream capacity/utilization time-series over a window, with a plain-language summary (e.g. idle running capacity) (Tier 0). |
-| `check_directory_health` | Registration state and AWS Directory Service stage for one or all WorkSpaces-registered directories. |
+| `check_directory_health` | Registration state, AWS Directory Service stage, and **registration properties** (target **OU**, custom security group, local-admin / internet-access / maintenance-mode flags) for one or all WorkSpaces-registered directories. |
 | `analyze_workspace_utilization` | Classifies WorkSpaces Personal desktops as unused / idle / active from the `UserConnected` metric (Tier 1). |
 | `recommend_running_mode` | Flags AlwaysOn desktops with low usage as AutoStop candidates, with an **estimated $/mo saving** where the bundle price can be matched (Tier 1). |
 | `get_workspace_performance` | Native CPU / memory / disk / GPU / latency / uptime metrics per desktop from `AWS/WorkSpaces` — no CloudWatch agent (Tier 0). |
@@ -64,7 +64,7 @@ audit, and governance tools:
 | `audit_application_images` | Audits WorkSpaces Applications (AppStream 2.0) **images and image builders** — flags stale base images (unpatched OS), pinned/old AppStream agents, non-AVAILABLE/errored images, SHARED cross-account visibility, and **image builders left RUNNING** (cost + admin surface) (Tier 0). |
 | `get_euc_audit_trail` | **"Who changed what"** — recent EUC management events from CloudTrail (last 90 days, no trail required) across all services; mutations-only by default, flags destructive actions and errors (e.g. AccessDenied) (Tier 0). |
 | `get_euc_service_quotas` | **Service-quota limits + usage headroom** per EUC service; pairs limits with current usage (where AWS publishes a usage metric) to flag quotas approaching their limit — capacity planning (Tier 0). |
-| `get_secure_browser_portal_details` | Resolves a Secure Browser portal's user settings (clipboard/print/download controls + timeouts), network, and attached policies (Tier 0). |
+| `get_secure_browser_portal_details` | Resolves a Secure Browser portal's user settings (clipboard/print/download controls + timeouts), network, attached policies, and — when configured — the **data-protection redaction config** (which built-in/custom patterns are redacted, confidence level, enforced/exempt URLs) (Tier 0). |
 | `get_secure_browser_portal_usage` | A Secure Browser portal's `AWS/WorkSpacesWeb` session metrics over a window (empty until the portal has sessions; Session Logger gives detail) (Tier 0). |
 | `list_unused_resources` | Unused WorkSpaces desktops and stopped/zero-capacity fleets worth reclaiming (Tier 0). |

{workspaces_euc_mcp_server-0.1.5 → workspaces_euc_mcp_server-0.1.6}/iam/tier0-diagnostics.json RENAMED Viewed

@@ -39,7 +39,8 @@
         "workspaces-web:ListUserSettings",
         "workspaces-web:ListNetworkSettings",
         "workspaces-web:GetUserSettings",
-        "workspaces-web:GetNetworkSettings"
+        "workspaces-web:GetNetworkSettings",
+        "workspaces-web:GetDataProtectionSettings"
       ],
       "Resource": "*"
     },

{workspaces_euc_mcp_server-0.1.5 → workspaces_euc_mcp_server-0.1.6}/iam/tier1-cost.json RENAMED Viewed

@@ -39,7 +39,8 @@
         "workspaces-web:ListUserSettings",
         "workspaces-web:ListNetworkSettings",
         "workspaces-web:GetUserSettings",
-        "workspaces-web:GetNetworkSettings"
+        "workspaces-web:GetNetworkSettings",
+        "workspaces-web:GetDataProtectionSettings"
       ],
       "Resource": "*"
     },

{workspaces_euc_mcp_server-0.1.5 → workspaces_euc_mcp_server-0.1.6}/iam/tier2-lifecycle.json RENAMED Viewed

@@ -39,7 +39,8 @@
         "workspaces-web:ListUserSettings",
         "workspaces-web:ListNetworkSettings",
         "workspaces-web:GetUserSettings",
-        "workspaces-web:GetNetworkSettings"
+        "workspaces-web:GetNetworkSettings",
+        "workspaces-web:GetDataProtectionSettings"
       ],
       "Resource": "*"
     },

{workspaces_euc_mcp_server-0.1.5 → workspaces_euc_mcp_server-0.1.6}/iam/tier3-destructive.json RENAMED Viewed

@@ -39,7 +39,8 @@
         "workspaces-web:ListUserSettings",
         "workspaces-web:ListNetworkSettings",
         "workspaces-web:GetUserSettings",
-        "workspaces-web:GetNetworkSettings"
+        "workspaces-web:GetNetworkSettings",
+        "workspaces-web:GetDataProtectionSettings"
       ],
       "Resource": "*"
     },

{workspaces_euc_mcp_server-0.1.5 → workspaces_euc_mcp_server-0.1.6}/pyproject.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [project]
 name = "workspaces-euc-mcp-server"
-version = "0.1.5"
+version = "0.1.6"
 description = "MCP server for administering the Amazon WorkSpaces family of End User Computing services (Personal, Pools, Applications, Secure Browser, Core)."
 readme = "README.md"
 requires-python = ">=3.11"

{workspaces_euc_mcp_server-0.1.5 → workspaces_euc_mcp_server-0.1.6}/tests/test_diagnostics.py RENAMED Viewed

@@ -161,6 +161,45 @@ def test_directory_health_skips_ds_for_workspaces_managed_directory():
     assert any("WorkSpaces-managed" in f.title for f in d.findings)
+def test_directory_health_surfaces_registration_ou_and_properties():
+    # The registration OU (WorkspaceCreationProperties.DefaultOu) and related properties must be
+    # exposed in the diagnosis signals.
+    workspaces = types.SimpleNamespace(
+        describe_workspace_directories=lambda **_: {
+            "Directories": [
+                {
+                    "DirectoryId": "d-0123456789",
+                    "State": "REGISTERED",
+                    "DirectoryType": "AD_CONNECTOR",
+                    "WorkspaceType": "PERSONAL",
+                    "WorkspaceCreationProperties": {
+                        "DefaultOu": "OU=AmazonWorkspaces,OU=Singapore,DC=bg,DC=local",
+                        "CustomSecurityGroupId": "sg-0abc",
+                        "UserEnabledAsLocalAdministrator": True,
+                        "EnableInternetAccess": False,
+                        "EnableMaintenanceMode": True,
+                    },
+                }
+            ]
+        },
+    )
+    ds = types.SimpleNamespace(
+        describe_directories=lambda **_: {
+            "DirectoryDescriptions": [{"DirectoryId": "d-0123456789", "Stage": "Active"}]
+        },
+    )
+    factory = FakeFactory({consts.WORKSPACES_API: workspaces, consts.DIRECTORY_API: ds})
+    report = diagnostics.check_directory_health_core(factory, "d-0123456789", "us-east-1")
+    sig = report.directories[0].signals
+    assert sig["default_ou"] == "OU=AmazonWorkspaces,OU=Singapore,DC=bg,DC=local"
+    assert sig["directory_type"] == "AD_CONNECTOR"
+    assert sig["custom_security_group_id"] == "sg-0abc"
+    assert sig["user_enabled_as_local_administrator"] is True
+    assert sig["enable_maintenance_mode"] is True
 def test_directory_health_flags_impaired_stage():
     workspaces = types.SimpleNamespace(
         describe_workspace_directories=lambda **_: {

{workspaces_euc_mcp_server-0.1.5 → workspaces_euc_mcp_server-0.1.6}/tests/test_secure_browser.py RENAMED Viewed

@@ -65,6 +65,49 @@ def test_portal_details_resolves_settings():
     assert d.has_data_protection is False
+def test_portal_details_resolves_data_protection_config():
+    web = types.SimpleNamespace(
+        get_portal=lambda **_: {
+            "portal": {
+                "portalArn": "arn:portal/2",
+                "displayName": "Okta",
+                "dataProtectionSettingsArn": "arn:dp/1",
+            }
+        },
+        get_data_protection_settings=lambda **_: {
+            "dataProtectionSettings": {
+                "displayName": "ip-address-dp",
+                "inlineRedactionConfiguration": {
+                    "inlineRedactionPatterns": [
+                        {"builtInPatternId": "ipAddr"},
+                        {"builtInPatternId": "macAddr"},
+                        {
+                            "customPattern": {
+                                "patternName": "EmployeeId",
+                                "keywordRegex": "EMP-\\d+",
+                            }
+                        },
+                    ],
+                    "globalEnforcedUrls": ["*"],
+                    "globalConfidenceLevel": 2,
+                },
+            }
+        },
+    )
+    factory = FakeFactory({consts.SECURE_BROWSER_API: web})
+    d = secure_browser.get_secure_browser_portal_details_core(factory, "arn:portal/2", "us-east-1")
+    assert d.has_data_protection is True
+    dp = d.data_protection
+    assert dp["display_name"] == "ip-address-dp"
+    assert dp["redacted_pattern_count"] == 3
+    assert dp["builtin_patterns"] == ["ipAddr", "macAddr"]
+    assert dp["custom_patterns"][0]["name"] == "EmployeeId"
+    assert dp["global_confidence_level"] == 2
+    assert dp["global_enforced_urls"] == ["*"]
 def test_portal_usage_empty_explains_session_model():
     cw = types.SimpleNamespace(
         get_metric_data=lambda **_: {"MetricDataResults": []}  # no data

{workspaces_euc_mcp_server-0.1.5 → workspaces_euc_mcp_server-0.1.6}/workspaces_euc_mcp_server/__init__.py RENAMED Viewed

@@ -3,4 +3,4 @@
 # A copy of the License is located at http://www.apache.org/licenses/LICENSE-2.0
 """MCP server for administering the Amazon WorkSpaces End User Computing portfolio."""
-__version__ = "0.1.5"
+__version__ = "0.1.6"

{workspaces_euc_mcp_server-0.1.5 → workspaces_euc_mcp_server-0.1.6}/workspaces_euc_mcp_server/models.py RENAMED Viewed

@@ -156,6 +156,13 @@ class SecureBrowserPortalDetails(BaseModel):
     network: dict[str, object] = Field(default_factory=dict)
     has_browser_policy: bool = False
     has_data_protection: bool = False
+    data_protection: dict[str, object] = Field(
+        default_factory=dict,
+        description=(
+            "Resolved inline-redaction configuration when data protection is attached: redacted "
+            "patterns (built-in + custom), global confidence level, and enforced/exempt URLs."
+        ),
+    )
     errors: list[ServiceError] = Field(default_factory=list)

{workspaces_euc_mcp_server-0.1.5 → workspaces_euc_mcp_server-0.1.6}/workspaces_euc_mcp_server/tools/diagnostics.py RENAMED Viewed

@@ -279,9 +279,22 @@ def _diagnose_directory_into(
     )
     dirs = (reg or {}).get("Directories", [])
     if dirs:
-        reg_state = dirs[0].get("State", "UNKNOWN")
+        d0 = dirs[0]
+        reg_state = d0.get("State", "UNKNOWN")
         if signals is not None:
             signals[f"{signals_prefix}registration_state"] = reg_state
+            signals[f"{signals_prefix}directory_type"] = d0.get("DirectoryType")
+            signals[f"{signals_prefix}workspace_type"] = d0.get("WorkspaceType")
+            # Registration-level WorkspaceCreationProperties — notably the target OU. Only AD-backed
+            # directories carry a DefaultOu; WorkSpaces-managed (Entra/internal) ones return None.
+            wcp = d0.get("WorkspaceCreationProperties") or {}
+            signals[f"{signals_prefix}default_ou"] = wcp.get("DefaultOu")
+            signals[f"{signals_prefix}custom_security_group_id"] = wcp.get("CustomSecurityGroupId")
+            signals[f"{signals_prefix}user_enabled_as_local_administrator"] = wcp.get(
+                "UserEnabledAsLocalAdministrator"
+            )
+            signals[f"{signals_prefix}enable_internet_access"] = wcp.get("EnableInternetAccess")
+            signals[f"{signals_prefix}enable_maintenance_mode"] = wcp.get("EnableMaintenanceMode")
         if reg_state != "REGISTERED":
             findings.append(
                 Finding(

{workspaces_euc_mcp_server-0.1.5 → workspaces_euc_mcp_server-0.1.6}/workspaces_euc_mcp_server/tools/secure_browser.py RENAMED Viewed

@@ -78,6 +78,19 @@ def get_secure_browser_portal_details_core(
             if key in (ns or {}):
                 network[key] = ns[key]
+    data_protection: dict[str, object] = {}
+    if portal.get("dataProtectionSettingsArn"):
+        dps = try_call(
+            errors,
+            consts.PRODUCT_SECURE_BROWSER,
+            "GetDataProtectionSettings",
+            lambda: web.get_data_protection_settings(
+                dataProtectionSettingsArn=portal["dataProtectionSettingsArn"]
+            ).get("dataProtectionSettings", {}),
+            default={},
+        )
+        data_protection = _summarize_data_protection(dps or {})
     return SecureBrowserPortalDetails(
         portal_arn=portal_arn,
         display_name=portal.get("displayName"),
@@ -87,10 +100,40 @@ def get_secure_browser_portal_details_core(
         network=network,
         has_browser_policy=bool(portal.get("browserSettingsArn")),
         has_data_protection=bool(portal.get("dataProtectionSettingsArn")),
+        data_protection=data_protection,
         errors=errors,
     )
+def _summarize_data_protection(dps: dict[str, Any]) -> dict[str, Any]:
+    """Reduce a data-protection settings object to the policy-relevant redaction configuration."""
+    inline: dict[str, Any] = dps.get("inlineRedactionConfiguration") or {}
+    patterns: list[dict[str, Any]] = inline.get("inlineRedactionPatterns") or []
+    builtin: list[str] = []
+    custom: list[dict[str, Any]] = []
+    for p in patterns:
+        if p.get("builtInPatternId"):
+            builtin.append(p["builtInPatternId"])
+        elif p.get("customPattern"):
+            cp = p["customPattern"]
+            custom.append(
+                {
+                    "name": cp.get("patternName"),
+                    "description": cp.get("patternDescription"),
+                    "keyword_regex": cp.get("keywordRegex"),
+                }
+            )
+    return {
+        "display_name": dps.get("displayName"),
+        "redacted_pattern_count": len(patterns),
+        "builtin_patterns": builtin,
+        "custom_patterns": custom,
+        "global_confidence_level": inline.get("globalConfidenceLevel"),
+        "global_enforced_urls": inline.get("globalEnforcedUrls"),
+        "global_exempt_urls": inline.get("globalExemptUrls"),
+    }
 def _portal_id(portal: str) -> str:
     """Accept a portal ARN or id; the CloudWatch dimension uses the id (last ARN segment)."""
     return portal.rsplit("/", 1)[-1] if "/" in portal else portal
@@ -147,8 +190,10 @@ def register(mcp: Any, factory: ClientFactory) -> None:
         """Resolve a WorkSpaces Secure Browser portal's settings (security-relevant).
         Returns the portal's user settings (clipboard copy/paste, file download/upload, print
-        controls + timeouts), network (VPC/subnets/security groups), and whether a browser policy
-        and data-protection settings are attached. Read-only.
+        controls + timeouts), network (VPC/subnets/security groups), whether a browser policy is
+        attached, and — when data protection is configured — the resolved inline-redaction config
+        (which built-in/custom patterns are redacted, global confidence, enforced/exempt URLs).
+        Read-only.
         Args:
             portal_arn: The portal ARN (from get_euc_inventory_summary / generate_inventory_report).