Python
AWS-IReveal-MCP provides a unified interface for querying and analyzing AWS services for incident response and security investigations via the Model Context Protocol. You can use it to:
- CloudTrail: Investigate management and data events with granular filtering by IP, role, user, and bucket.
- Athena: Run SQL queries against CloudTrail logs for detailed analysis.
- CloudWatch: Search, filter, and analyze log groups and streams for operational insights.
- GuardDuty: List detectors, retrieve findings, and get statistics to identify threats.
- AWS Config: Track recorder status, discovered resources, configuration history, and compliance status.
- VPC Flow Logs: Describe and analyze network traffic metadata.
- Network Access Analyzer: List scopes, start analyses, and retrieve findings for network reachability.
- IAM Access Analyzer: Examine access policies and findings to identify potential security issues.
Provides a unified interface to AWS services for security investigation, including CloudTrail, Athena, CloudWatch, GuardDuty, AWS Config, VPC Flow Logs, Network Access Analyzer, and IAM Access Analyzer for tracing activities, examining data events, searching logs, and analyzing security alerts.
AWS‑IReveal‑MCP
AWS‑IReveal‑MCP is a Model Context Protocol (MCP) server designed to give security teams and incident responders a unified interface to AWS services useful for investigation. By connecting AWS‑IReveal‑MCP to any MCP client (such as Claude Desktop or Cline), you can invoke queries and analyses across multiple AWS services without leaving your LLM‑driven workspace.
Features
AWS‑IReveal‑MCP integrates with the following AWS services and functionalities:
- CloudTrail — Management event logs for API activity
- Amazon Athena — SQL queries over CloudTrail logs
- CloudWatch — Operational logs and ad hoc analysis
- Amazon GuardDuty — Threat detection and finding investigation
- AWS Config — Resource configuration history and compliance status
- VPC Flow Logs — Network traffic metadata for forensic analysis
- Network Access Analyzer — Reachability checks across SG/NACL/VPC
- IAM Access Analyzer — Policy and resource‑based access findings
Together, these services let you
- Trace “who did what, when, and where” (CloudTrail, Config)
- Examine detailed data events (Athena)
- Search and visualize logs (CloudWatch, VPC Flow Logs)
- Surface security alerts (GuardDuty, IAM Access Analyzer)
- Verify network reachability and configuration (Network Access Analyzer)
Example Prompts
- analyze activity by IP x.x.x.x in the last 5 days
- analyze activity by role 'sysadmin' in the last 24 hours
- investigate suspicious activity on cloudtrail in the last 7 days on us-west-2
- is there any data event on buckets with name containing 'customers' in the last 7 days?
- investigate cloudwatch logs related to Bedrock
- propose remediations for GuardDuty findings with high risk happened in the last 2 days
- identify non-compliant resources, explain violated rules, and suggest remediation
Installation
Prerequisites
- Python 3
- MCP Python SDK (
mcp[cli]) boto3(AWS SDK for Python)- AWS credentials configured
Configuration
Add the following configuration to your MCP client's settings file:
remote-capable server
The server can be hosted and run remotely because it primarily relies on remote services or has no dependency on the local environment.
Tools
AWS‑IReveal‑MCP
Related Resources
Related MCP Servers
- MIT License
- PythonMIT License
- PythonMIT License