aws-security-mcp
Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| region | No | AWS region to scope scans (defaults to configured region) | Configured region |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | `{"listChanged": true}` |
| prompts | `{"listChanged": true}` |
| resources | `{"listChanged": true}` |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| scan_all | Run all security scanners in parallel (including service detection). Read-only. Does not modify any AWS resources. Supports multi-account org scanning. |
| detect_services | Run the Security Service Detection scanner only. Read-only. Does not modify any AWS resources. |
| scan_secret_exposure | Run the Secret Exposure scanner only. Read-only. Does not modify any AWS resources. |
| scan_ssl_certificate | Run the SSL Certificate scanner only. Read-only. Does not modify any AWS resources. |
| scan_dns_dangling | Run the Dangling DNS scanner only. Read-only. Does not modify any AWS resources. |
| scan_network_reachability | Run the Network Reachability scanner only. Read-only. Does not modify any AWS resources. |
| scan_iam_privilege_escalation | Run the IAM Privilege Escalation scanner only. Read-only. Does not modify any AWS resources. |
| scan_public_access_verify | Run the Public Access Verify scanner only. Read-only. Does not modify any AWS resources. |
| scan_tag_compliance | Run the Tag Compliance scanner only. Read-only. Does not modify any AWS resources. |
| scan_idle_resources | Run the Idle Resources scanner only. Read-only. Does not modify any AWS resources. |
| scan_disaster_recovery | Run the Disaster Recovery scanner only. Read-only. Does not modify any AWS resources. |
| scan_security_hub_findings | Run the Security Hub Findings scanner only. Read-only. Does not modify any AWS resources. |
| scan_guardduty_findings | Run the GuardDuty Findings scanner only. Read-only. Does not modify any AWS resources. |
| scan_inspector_findings | Run the Inspector Findings scanner only. Read-only. Does not modify any AWS resources. |
| scan_trusted_advisor_findings | Run the Trusted Advisor Findings scanner only. Read-only. Does not modify any AWS resources. |
| scan_config_rules_findings | Run the Config Rules Findings scanner only. Read-only. Does not modify any AWS resources. |
| scan_access_analyzer_findings | Run the Access Analyzer Findings scanner only. Read-only. Does not modify any AWS resources. |
| scan_patch_compliance_findings | Run the Patch Compliance Findings scanner only. Read-only. Does not modify any AWS resources. |
| scan_imdsv2_enforcement | Run the IMDSv2 Enforcement scanner only. Read-only. Does not modify any AWS resources. |
| scan_waf_coverage | Run the WAF Coverage scanner only. Read-only. Does not modify any AWS resources. |
| scan_group | Run a predefined group of security scanners for a specific scenario (e.g., MLPS compliance, network defense). Read-only. Supports multi-account org scanning. |
| list_groups | List available scan groups with descriptions. Read-only. |
| generate_report | Generate a Markdown security report from scan results. Read-only. Does not modify any AWS resources. |
| generate_mlps3_report | Generate a GB/T 22239-2019 MLPS Level 3 compliance pre-check report from scan results. Best used with scan_group mlps3_precheck results. Read-only. |
| generate_html_report | Generate a professional HTML security report. Save the output as an .html file. |
| generate_mlps3_html_report | Generate a professional HTML MLPS Level 3 compliance report. Save as an .html file. |
| get_ai_summary_prompt | Return a report-type-tailored prompt (with a grounded findings digest) that the CALLING AI should run to produce an AI security summary. Then pass the generated text back via the |
| generate_hw_defense_report | Generate an HTML report organized by HW Defense (HuWang, 护网) SOP checklist categories. Save as an .html file. |
| generate_maturity_report | Generate a security maturity assessment report from scan_all results. Requires service_detection module output. Read-only. |
| save_results | Save scan results to local disk or S3 for dashboard display. Does not modify any AWS resources. |
| list_modules | List available security scan modules with descriptions. Read-only. Does not modify any AWS resources. |
| list_org_accounts | List all accounts in the AWS Organization. Useful for discovering accounts before multi-account scanning. Read-only. |
| get_setup_template | Return the CloudFormation StackSet template for deploying the cross-account security audit IAM role. Read-only. |
| scan_and_report | Run a full security scan AND generate reports in one step. Avoids large data transfer between tools. Reports are saved to ~/.aws-security/reports/ |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
| security-scan | Run a full AWS security scan workflow: scan all modules, generate a report, and summarize findings. |
| analyze-finding | Deep analysis of a specific security finding. |
| hw_defense_checklist | Complete HW (HuWang, 护网) exercise checklist, covering both automated scan items and manual check items. |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
| security-rules | Describes all 19 scan modules and their check rules |
| risk-scoring | Describes the risk scoring model and severity/priority mapping |
MCP directory API
curl -X GET 'https://glama.ai/api/mcp/v1/servers/jowhee327/aws-security-agent'