AWS Compliance MCP Server
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@AWS Compliance MCP ServerShow my Security Hub score and critical findings"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
AWS Compliance MCP Server
A Model Context Protocol (MCP) server that connects an LLM (Claude, GPT-4, etc.) to real AWS infrastructure and performs automated compliance scanning against:
PCI-DSS v3.2.1 (18 controls across 8 requirements)
CIS AWS Foundations Benchmark v1.4 (19 controls across 5 sections)
AWS Well-Architected Framework (14 checks across all 5 pillars)
Architecture
Claude / Any MCP Client
│ MCP Protocol (stdio)
▼
aws-compliance-mcp (FastMCP server)
├── ConfigTools → AWS Config APIs
├── SecurityHubTools → Security Hub APIs
└── ComplianceScanner → Rule mappings + scoringRelated MCP server: code-guard-ai
Prerequisites
Python 3.10+
AWS credentials with read access to Config and Security Hub
AWS Config and Security Hub enabled in your target region
Installation
# Clone the repo
git clone https://github.com/YOUR_USERNAME/aws-compliance-mcp.git
cd aws-compliance-mcp
# Create virtual environment
python -m venv .venv
source .venv/bin/activate # Windows: .venv\Scripts\activate
# Install the package
pip install -e ".[dev]"
# Or with pip from requirements
pip install -r requirements.txt
pip install -r requirements-dev.txtConfiguration
cp .env.example .env
# Edit .env with your AWS region and optional profile.env.example:
AWS_REGION=us-east-1
# AWS_PROFILE=my-profile # Uncomment to use a named profileRunning the Server
# Run directly
python -m aws_compliance_mcp.server
# Or via installed script
aws-compliance-mcpConnect to Claude Desktop
Add to ~/Library/Application Support/Claude/claude_desktop_config.json (macOS):
{
"mcpServers": {
"aws-compliance": {
"command": "/path/to/.venv/bin/python",
"args": ["-m", "aws_compliance_mcp.server"],
"env": {
"AWS_REGION": "us-east-1",
"AWS_PROFILE": "your-profile"
}
}
}
}Available MCP Tools
Tool | Description |
| Full PCI-DSS v3.2.1 scan |
| CIS Benchmark v1.4 scan |
| Well-Architected scan (all pillars or single) |
| Unified scan with overall risk score |
| Step-by-step fix for a specific control |
| Audit-ready report with top-10 priorities |
| Overall Config rule compliance % |
| All Config rules + compliance state |
| Single rule details + failing resources |
| NON_COMPLIANT resources |
| Finding counts by severity |
| Filtered findings list |
| Pass/fail ratio per standard |
Example Claude prompts
"Run a full PCI-DSS compliance scan in us-east-1 and tell me what's failing."
"What are my top 10 remediation priorities across all frameworks?"
"Give me step-by-step remediation for PCI.10.1"
"What's my Security Hub score and how many CRITICAL findings do I have?"MCP Resources
URI | Description |
| Full PCI-DSS control catalog |
| Full CIS control catalog |
| Well-Architected pillar checks |
Running Tests
# All tests
make test
# With coverage
make coverage
# Lint
make lint
# Or directly
pytest tests/ -vTests use moto to mock all AWS API calls — no real AWS account needed.
Project Structure
aws-compliance-mcp/
├── src/aws_compliance_mcp/
│ ├── server.py # FastMCP server + all tool/resource definitions
│ ├── aws_client.py # Shared boto3 client with retry config
│ ├── tools/
│ │ ├── config_tools.py # AWS Config API wrapper
│ │ ├── securityhub_tools.py # Security Hub API wrapper
│ │ └── compliance_scanner.py # Framework scanning + reporting
│ └── rules/
│ ├── pcidss.py # PCI-DSS v3.2.1 control mappings
│ ├── cis.py # CIS Benchmark v1.4 control mappings
│ └── well_architected.py # Well-Architected checks
├── tests/
│ ├── conftest.py
│ ├── test_config_tools.py
│ ├── test_securityhub_tools.py
│ └── test_compliance_scanner.py
├── pyproject.toml
├── Makefile
└── .env.exampleRequired IAM Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"config:DescribeComplianceByConfigRule",
"config:GetComplianceSummaryByConfigRule",
"config:GetComplianceDetailsByConfigRule",
"config:DescribeComplianceByResource",
"config:DescribeConfigRules",
"securityhub:GetFindings",
"securityhub:GetEnabledStandards",
"securityhub:DescribeStandardsControls"
],
"Resource": "*"
}
]
}CI/CD
GitHub Actions runs tests on Python 3.10 and 3.12 on every push. See .github/workflows/ci.yml.
License
MIT
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/aditya0529/AWS-Compliance-MCP-Server'
If you have feedback or need assistance with the MCP directory API, please join our Discord server