ghost-dev-mcp
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@ghost-dev-mcpCheck the dead letter queue for the order-service and tell me what failed."
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
AWS Ghost Developer — MCP Serverless Agent
Version: 1.0
An MCP (Model Context Protocol) server running on AWS Lambda that acts as a secure proxy between an AI assistant (Claude, Cursor) and your AWS infrastructure. It gives the AI read-only access to your systems so it can help investigate incidents without needing human copy-paste of logs.
What it does (v1.0)
This version focuses on triage — collecting raw data from two sources fast enough that an AI can summarize what is failing and where.
Tool | What it answers |
| "Which Dead Letter Queues have messages piling up?" |
| "What do those failed messages look like?" |
| "Which CloudWatch log groups exist for this service?" |
| "What errors appeared in these log groups recently?" |
Honest scope
v1.0 helps an AI identify symptoms (error messages, failed payloads) but does not determine root cause automatically. It is most useful for:
On-call triage at odd hours — reduce time-to-data from 30+ minutes to under a minute
Letting a junior engineer hand off context to an AI before escalating
Situations where copy-pasting logs manually is the main bottleneck
It does not (yet) cover: X-Ray service maps, deployment correlation, infrastructure metrics.
Related MCP server: Log Analyzer with MCP
Architecture
Claude / Cursor
│ HTTPS + x-api-key header
▼
API Gateway (HTTP API)
│
▼ Lambda Authorizer (validates API key via Secrets Manager)
▼
Lambda: mcp-router
├── SQS → list_dlqs, inspect_dlq_payload
└── Logs → search_log_groups, get_error_tracesTwo CloudFormation stacks:
aws-ghost-developer-secrets-{env}— manages the API key in Secrets Manageraws-ghost-developer-{env}— Lambda, API Gateway, IAM roles (deployed via SAM)
Prerequisites
AWS CLI configured (
aws configure)AWS SAM CLI (
pip install aws-sam-cli)Python 3.12+
openssl(available on macOS/Linux by default; on Windows use Git Bash or WSL)
Setup
1. Clone and install dependencies
git clone <repo-url>
cd aws-ghost-developer
pip install -r requirements.txt2. Configure region in samconfig.toml
Open samconfig.toml and update the region to match where you want to deploy:
[default.deploy.parameters]
region = "ap-southeast-1" # change this to your target regionNote:
bootstrap.shreadsAWS_DEFAULT_REGIONat runtime, butsam deployalso picks upregionfromsamconfig.toml. Keep them in sync to avoid deploying to the wrong region.
3. Run bootstrap (one command does everything)
export AWS_DEFAULT_REGION=ap-southeast-1 # must match samconfig.toml
./scripts/bootstrap.sh prodThis will:
Generate a cryptographically secure API key
Deploy
infra/secrets.yamlto store the key in Secrets ManagerBuild and deploy the SAM stack
Print the MCP endpoint URL and config snippet
For other environments:
./scripts/bootstrap.sh dev
./scripts/bootstrap.sh stagingAt the end you will see output like:
{
"mcpServers": {
"aws-ghost-developer": {
"url": "https://<api-id>.execute-api.ap-southeast-1.amazonaws.com/mcp",
"transport": "http",
"headers": {
"x-api-key": "<generated-key>"
}
}
}
}Copy the url and x-api-key values — you will need them in the next step.
4. Add to your MCP client
Claude Code CLI (recommended)
claude mcp add --transport http aws-ghost-developer \
https://<api-id>.execute-api.<region>.amazonaws.com/mcp \
--header "x-api-key:<your-generated-key>"Verify it was added:
claude mcp get aws-ghost-developerClaude Desktop (macOS)
Edit ~/Library/Application Support/Claude/claude_desktop_config.json:
{
"mcpServers": {
"aws-ghost-developer": {
"url": "https://<api-id>.execute-api.<region>.amazonaws.com/mcp",
"transport": "http",
"headers": {
"x-api-key": "<your-generated-key>"
}
}
}
}Cursor
Edit .cursor/mcp.json in your project root (or the global Cursor MCP config):
{
"mcpServers": {
"aws-ghost-developer": {
"url": "https://<api-id>.execute-api.<region>.amazonaws.com/mcp",
"transport": "http",
"headers": {
"x-api-key": "<your-generated-key>"
}
}
}
}Usage examples
Once connected, you can ask the AI naturally:
"Check if there are any failed messages in our SQS queues for the payment service"
"Look at the dead letter queue for order-processor and tell me what's failing"
"Find the CloudWatch logs for the auth service and show me errors from the last hour"
"Search log groups for 'checkout' and query them for 5xx errors in the last 30 minutes"
Project structure
aws-ghost-developer/
├── src/
│ ├── handler.py # Lambda entrypoint, MCP JSON-RPC router
│ ├── authorizer.py # Lambda authorizer — validates x-api-key
│ ├── transport/
│ │ └── sse.py # MCP response/error formatters
│ ├── tools/
│ │ ├── __init__.py # Tool registry
│ │ ├── list_dlqs.py # List SQS Dead Letter Queues
│ │ ├── inspect_dlq.py # Peek at DLQ messages
│ │ ├── search_log_groups.py # Discover CloudWatch log groups
│ │ └── get_error_traces.py # Query Logs Insights (async-safe)
│ └── utils/
│ ├── redact.py # Auto-redact secrets from responses
│ └── secrets.py # Secrets Manager wrapper with TTL cache
├── infra/
│ └── secrets.yaml # CloudFormation — Secrets Manager stack
├── scripts/
│ ├── bootstrap.sh # Full setup: secrets + SAM deploy
│ └── gen-secret.sh # Secrets only (for key rotation)
├── tests/
│ └── unit/
├── template.yaml # SAM template — Lambda + API Gateway
├── samconfig.toml # SAM deploy defaults
└── requirements.txtSecurity
All tools are read-only. No write/delete permissions are granted.
API key is stored in AWS Secrets Manager, never in environment variables.
The Lambda authorizer validates every request using constant-time comparison.
IAM role follows least-privilege — each permission is scoped to the minimum required action.
DLQ messages are peeked with a 30-second visibility timeout and never deleted.
Sensitive values (passwords, tokens) in message payloads are automatically redacted before being returned to the AI.
Rotating the API key
./scripts/gen-secret.sh prodThen update mcp_config.json with the new key. No redeployment needed.
Running tests
pip install pytest
python -m pytest tests/unit/ -vRoadmap
v1.0 covers triage. Planned for future versions:
v1.1 — X-Ray service map (
get_service_map) to trace which service in a chain is failingv1.2 — Deployment correlation (
get_recent_deployments) via CloudTrail to link errors to releasesv2.0 — Multi-region support, structured RCA report generation
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/KiOnCloud/ghost-dev-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server