AWS‑IReveal‑MCP

Server Configuration

Describes the environment variables required to run the server.

Name | Required | Description | Default
AWS_PROFILE | No | The AWS profile to use for authentication |

Schema

Prompts

Interactive templates invoked by user choice

Name | Description
system_concise |
analyze_suspicious_activity | Provide a prompt for analyzing CloudTrail log entries for indicators of suspicious activity.
explain_event_details | Given a specific CloudTrail event log entry (as text), explain its details. Parameters: event_log (str): The raw log data to be explained.
analyze_athena_query_results | Given the raw results of an Athena query, identify any patterns of unusual data access (e.g. spikes in GetObject/DeleteObject calls, unexpected source IPs), summarize key findings, and suggest next steps. Parameters: results (str): The Athena query output as a formatted table or JSON.
interpret_cloudwatch_logs | Given a set of CloudWatch log entries, detect errors, warnings, or anomalous messages that could indicate security issues or system failures. Summarize the root causes and recommend remediation or escalation steps. Parameters: log_entries (str): The raw log lines or JSON from CloudWatch.
summarize_guardduty_findings | Summarize a list of GuardDuty findings, grouping by severity and type. Highlight the most critical alerts, explain what they mean, and suggest priority response actions. Parameters: findings (str): JSON or table of GuardDuty finding summaries.
summarize_config_compliance | Given AWS Config compliance summaries, identify non-compliant resources, explain the violated rules, and recommend corrective actions to achieve compliance. Parameters: compliance_data (str): JSON list of ComplianceByResource objects.
analyze_vpc_flow_logs | Analyze VPC Flow Logs for signs of lateral movement, data exfiltration, or unusual traffic patterns. Summarize any suspicious IP pairs or ports that warrant further investigation. Parameters: flow_log_data (str): Raw flow log records (CSV or JSON).
interpret_network_access_analysis | Given the findings from a Network Access Analyzer scope analysis, explain which paths are reachable or blocked, identify any misconfigurations (security groups, NACLs, route tables), and recommend configuration changes. Parameters: analysis_report (str): JSON or tabular analysis of reachability paths.
review_iam_access_findings | Review IAM Access Analyzer findings for resource-based and identity-based policy issues. Identify permissions that are overly permissive or allow unintended access, and suggest least-privilege policy fixes. Parameters: finding_summaries (str): List or JSON of Access Analyzer finding summaries.

Resources

Contextual data attached and managed by the client

Name | Description

No resources

Tools

Functions exposed to the LLM to take actions

Name | Description
cloudtrail_describe_trails
Describe all CloudTrail trails configured in the AWS account.
cloudtrail_lookup_events
Look up CloudTrail events using filters. If the user request falls into one of these scenarios, use the Athena tools instead:
- EventName is a data event (e.g. GetObject, DeleteObject, PutObject);
- the user wants to filter by role name;
- the user wants to filter by principal ID;
- the user wants to filter by IP address;
- the user wants to filter by bucket name;
- the user wants to filter by file object in buckets;
- the user wants to filter using regex.
When filtering for EventName, note that the event name is case-sensitive and must match the exact name of the event. If you want to use operators like 'equals', 'not equals', 'contains', etc., you must use the Athena tools instead. <IMPORTANT> Call datetime.datetime.now() to get the current date and time before providing the start and end times. If the user asks for events that happened in the last 7 days, run 'datetime.datetime.now() - datetime.timedelta(days=7)' to get the start date. Print out the start and end times to the user. </IMPORTANT>
Parameters:
aws_region (str): The AWS region - use 'us-east-1' if not specified.
attribute_key (str): The event attribute to search on. Valid attribute keys: EventId | EventName | ReadOnly | Username | ResourceType | ResourceName | EventSource | AccessKeyId
attribute_value (str): The attribute value to search for. If no key-value pair is provided, use 'ReadOnly'='false'.
start_time (str): Start timestamp with format 'YYYY-MM-DD HH:MM:SS' (e.g. '2025-04-10 12:45:50'). If not provided, use 'datetime.datetime.now() - datetime.timedelta(days=7)' to get the start date.
end_time (str): End timestamp with format 'YYYY-MM-DD HH:MM:SS' (e.g. '2025-04-11 12:45:50'). If not provided, use 'datetime.datetime.now()' to get the end date.
max_results (int): Maximum number of events to return.
Returns: list: A list of CloudTrail events matching the specified criteria.
athena_create_cloudtrail_table
Create an Athena table for CloudTrail logs with partition projection. <IMPORTANT> Before using this tool, ask the user for the OUTPUT bucket unless it is already provided. This is necessary to create the table correctly. If the API fails, interrupt the process and ask the user for the OUTPUT BUCKET. </IMPORTANT> Parameters: aws_region (str): The AWS region - use 'us-east-1' if not specified. cloudtrail_bucket (str): The S3 bucket for CloudTrail logs - you can retrieve it using the 'cloudtrail_describe_trails' tool. is_org_trail (bool): Indicates if the trail is an organization trail. account_id (str): Your AWS account ID - you can retrieve it. database (str): Athena database name to be used. output_bucket (str): Ask the user if not specified; S3 bucket URI (e.g. 's3://my-athena-query-results/') for query results - different from cloudtrail_bucket. Returns: str: An empty result if successful, or an error message if there was an issue.
athena_query_events
Query Athena for granular searches on CloudTrail logs. <IMPORTANT> Before calling this tool, you must call the athena_create_cloudtrail_table tool to create the table. If the user asks for a different region, you must call the athena_create_cloudtrail_table tool to create the table in that region. </IMPORTANT> Parameters: aws_region: The AWS region - use 'us-east-1' if not specified. start_time: ISO string of the start time. end_time: ISO string of the end time. database: Athena database name to be used - use 'default' if not specified. output_bucket: S3 bucket URI (e.g. 's3://my-athena-query-results/') for query results - different from cloudtrail_bucket. event_names: List of event names to filter on (e.g. ["GetObject", "DeleteObject"]). principal_id: Optional principal ID to filter on. Use the percent sign (%) as a wildcard character. user_arn: Optional user ARN to filter on. Use the percent sign (%) as a wildcard character. user_name: Optional user name to filter on. role_name: Optional role name to filter on. ip_address: Optional IP address to filter on. Use the percent sign (%) as a wildcard character. bucket_name: Optional bucket name to filter on. Use the percent sign (%) as a wildcard character. limit: Maximum number of results to return (default is 50). Returns: str: JSON-formatted result of the Athena query.
cloudwatch_describe_log_groups
Describes available CloudWatch log groups in the specified region. Parameters: aws_region (str): The AWS region - use 'us-east-1' if not specified. log_group_name_pattern (str): The pattern to filter log group names. Pattern: [\.\-_/#A-Za-z0-9]* If you specify a string for this parameter, the operation returns only log groups that have names that match the string based on a case-sensitive substring search. For example, if you specify Foo, log groups named FooBar, aws/Foo, and GroupFoo would match, but foo, F/o/o and Froo would not match. Returns: str: JSON-formatted list of log groups.
cloudwatch_list_log_streams
Lists log streams in a specified CloudWatch log group. Parameters: aws_region (str): The AWS region - use 'us-east-1' if not specified. log_group (str): The name of the log group. limit (int): Maximum number of log streams to return. Returns: str: JSON-formatted list of log streams.
cloudwatch_filter_log_events
Filters log events in a specified CloudWatch log group using the FilterLogEvents API. Parameters: aws_region (str): The AWS region - use 'us-east-1' if not specified. log_group (str): The name of the log group. start_time (str): ISO formatted start timestamp (e.g. '2025-04-10T00:00:00Z'). end_time (str): ISO formatted end timestamp (e.g. '2025-04-11T00:00:00Z'). filter_pattern (str): A filter pattern to match events. limit (int): Maximum number of log events to return.
**Supported regex syntax:**
- When using regex to search and filter log data, you must surround your expressions with %.
- Filter patterns with regex can only include the following:
  - Alphanumeric characters - a letter (A to Z or a to z) or a digit (0 to 9).
  - Supported symbol characters - '_', '#', '=', '@', '/', ';', ',', and '-'. For example, %something!% would be rejected since '!' is not supported.
  - Supported operators - '^', '$', '?', '[', ']', '{', '}', '|', '\', '*', '+', and '.'.
- The ( and ) operators are not supported. You cannot use parentheses to define a subpattern.
- Multi-byte characters are not supported.
Returns: str: JSON-formatted list of matching log events.
ec2_describe_flow_logs
Describe one or more VPC Flow Logs. If no filter is provided, returns all Flow Logs in the region. Parameters: aws_region (str): The AWS region - use 'us-east-1' if not specified. flow_log_ids (list[str], optional): List of Flow Log IDs to describe. resource_ids (list[str], optional): List of resource IDs to filter by. resource_type (str, optional): Type of resource to filter by (e.g. 'VPC', 'NetworkInterface', 'Subnet'). max_results (int, optional): Maximum number of results to return. Returns: str: JSON-formatted list of Flow Logs.
guardduty_list_detectors
List all GuardDuty detector IDs in the specified AWS region. Parameters: aws_region (str): The AWS region - use 'us-east-1' if not specified. Returns: str: JSON-formatted list of detector IDs.
guardduty_list_findings
List GuardDuty finding IDs for a given detector. Optionally, you can supply a list of finding IDs to retrieve specific findings or a minimum severity threshold to filter findings. Parameters: aws_region (str): The AWS region - use 'us-east-1' if not specified. detector_id (str): The GuardDuty detector ID. finding_ids (list, optional): Specific finding IDs to query. severity_threshold (float, optional): If provided, returns only findings with severity greater than this value. <IMPORTANT> After calling this tool, you should call guardduty_get_findings multiple times with the finding_ids returned by this tool. </IMPORTANT> Returns: str: JSON-formatted list of finding IDs.
guardduty_get_findings
Get detailed information for the specified GuardDuty findings. Parameters: aws_region (str): The AWS region - use 'us-east-1' if not specified. detector_id (str): The GuardDuty detector ID. finding_ids (list): A list of finding IDs for which to retrieve details. <IMPORTANT> The server may crash when the response is too large. To avoid this, pass at most 2 finding IDs at a time; the finding_ids list should contain a maximum of 2 IDs. If guardduty_list_findings returns more than 2 IDs, call this tool at most 5 times. Then proceed with your analysis, but remember to notify the user that there may be additional findings not retrieved. </IMPORTANT> Returns: str: JSON-formatted details of the findings.
guardduty_get_finding_statistics
Get summary statistics for GuardDuty findings for a given detector. Parameters: aws_region (str): The AWS region - use 'us-east-1' if not specified. detector_id (str): The GuardDuty detector ID. Returns: str: JSON-formatted statistics about the findings.
config_describe_recorder_status
Describe the status of the AWS Config recorder(s). Parameters: aws_region (str): The AWS region - use 'us-east-1' if not specified. Returns: JSON list of ConfigurationRecorderStatus objects.
config_list_discovered_resources
List resource identifiers that AWS Config has discovered. Parameters: aws_region (str): The AWS region - use 'us-east-1' if not specified. resource_type (str): e.g. 'AWS::EC2::Instance'. Returns: JSON list of resourceIdentifier objects.
config_get_resource_config_history
Fetch configuration snapshots for a resource between two ISO timestamps. Parameters: aws_region (str): The AWS region - use 'us-east-1' if not specified. resource_type (str): e.g. 'AWS::S3::Bucket'. resource_id (str): the resource's ARN or ID. start_time (str): ISO timestamp, e.g. '2025-04-01T00:00:00Z'. end_time (str): ISO timestamp. limit (int): Maximum number of configuration items to return. Returns: JSON list of ConfigurationItem objects.
config_describe_compliance_by_resource
List compliance summaries for resources, optionally filtered by type. Parameters: aws_region (str): The AWS region - use 'us-east-1' if not specified. resource_type (str): optional AWS resource type filter. Returns: JSON list of ComplianceByResource objects.
config_describe_config_rules
Describe one or more AWS Config rules, or all rules if none specified. Parameters: aws_region (str): The AWS region - use 'us-east-1' if not specified. rule_names (list): optional list of Config rule names. Returns: JSON list of ConfigRule objects.
networkinsights_list_scopes
Describe all Network Access Scopes in the region. Parameters: aws_region (str): The AWS region - use 'us-east-1' if not specified. Returns: JSON list of NetworkInsightsAccessScope objects.
networkinsights_list_analyses
Describe analyses for one or more scopes. Parameters: aws_region (str): The AWS region - use 'us-east-1' if not specified. scope_id (str): The ID of the access scope to filter by. analysis_ids (list[str]): List of analysis IDs to filter by. Returns: JSON list of NetworkInsightsAccessScopeAnalysis objects.
networkinsights_get_findings
Retrieve all findings for a given analysis. Parameters: aws_region (str): The AWS region - use 'us-east-1' if not specified. analysis_id (str): The ID of the analysis to retrieve findings for. max_results (int): Maximum number of findings to return. Returns: JSON list of NetworkInsightsAccessScopeAnalysisFinding objects.
networkinsights_start_analysis
Start a Network Access Scope analysis. Parameters: aws_region (str): AWS region - use 'us-east-1' if not specified. scope_id (str): The NetworkInsightsAccessScopeId to analyze. dry_run (bool): If True, checks permissions without starting. tag_specifications (list): TagSpecification dicts for annotating the analysis. client_token (str): Idempotency token for the request. Returns: str: JSON representation of the NetworkInsightsAccessScopeAnalysis object.
accessanalyzer_list_analyzers
List all IAM Access Analyzer analyzers in the specified region. Parameters: aws_region (str): The AWS region - use 'us-east-1' if not specified. Returns: str: JSON-formatted list of analyzers.
accessanalyzer_get_analyzer
Retrieve details of a specific analyzer by name. Parameters: aws_region (str): The AWS region - use 'us-east-1' if not specified. analyzer_name (str): The name of the analyzer to retrieve. Returns: str: JSON-formatted details of the analyzer.
accessanalyzer_list_findings
List findings for an analyzer, with optional filter. filter: {'resourceType': {'eq': ['AWS::S3::Bucket']}, ...} Parameters: aws_region (str): The AWS region - use 'us-east-1' if not specified. analyzer_arn (str): The ARN of the analyzer to list findings for. filter (dict, optional): Filter criteria for findings. max_results (int): Maximum number of findings to return. Returns: str: JSON-formatted list of findings.
accessanalyzer_get_finding
Retrieve detailed information about a single finding. Parameters: aws_region (str): The AWS region - use 'us-east-1' if not specified. analyzer_arn (str): The ARN of the analyzer. finding_id (str): The ID of the finding to retrieve. Returns: str: JSON-formatted details of the finding.
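The regex constraints listed for cloudwatch_filter_log_events above can be checked before a pattern is handed to the FilterLogEvents API, so a rejected call is caught locally instead of surfacing as an API error. The validator below is an added example, not code from the AWS-IReveal-MCP server; the function names and sample patterns are constructed here.

```python
import string
from typing import Tuple

# Character classes exactly as listed in the cloudwatch_filter_log_events
# description: alphanumerics, the supported symbols and the supported operators.
ALPHANUMERIC = set(string.ascii_letters + string.digits)
SYMBOLS = set("_#=@/;,-")
OPERATORS = set("^$?[]{}|\\*+.")
ALLOWED = ALPHANUMERIC | SYMBOLS | OPERATORS


def validate_regex_filter_pattern(pattern: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a CloudWatch Logs regex filter pattern.

    Rejects patterns not wrapped in '%', parentheses (sub-patterns are
    unsupported), multi-byte characters, and any character outside the
    supported sets.
    """
    if len(pattern) < 2 or pattern[0] != "%" or pattern[-1] != "%":
        return False, "regex must be surrounded by '%'"
    body = pattern[1:-1]
    if not body:
        return False, "empty expression between the '%' delimiters"
    for ch in body:
        if ord(ch) > 0x7F:
            return False, f"multi-byte character {ch!r} is not supported"
        if ch in "()":
            return False, "parentheses are not supported (no sub-patterns)"
        if ch not in ALLOWED:
            return False, f"character {ch!r} is not supported"
    return True, "ok"


def build_alternation_pattern(terms) -> str:
    """Join literal terms into a top-level alternation such as %A|B%.

    Without '(' and ')', alternation can only be top-level, so each term is
    restricted to alphanumerics and symbols (no operators that would change
    the meaning). Raises ValueError for an unusable term.
    """
    literal = ALPHANUMERIC | SYMBOLS
    for term in terms:
        bad = [c for c in term if c not in literal]
        if not term or bad:
            raise ValueError(f"term {term!r} has unsupported characters: {bad}")
    pattern = "%" + "|".join(terms) + "%"
    ok, reason = validate_regex_filter_pattern(pattern)
    assert ok, reason  # holds by construction
    return pattern
```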