AWS Security Remediation MCP Server
Provides tools for automated security incident remediation in AWS environments, including quarantining S3 objects, restricting IAM access, and updating security groups.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@AWS Security Remediation MCP ServerQuarantine the malicious file 'malware.exe' in bucket 'my-bucket'."
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
AWS Security Remediation MCP Server
An MCP (Model Context Protocol) server that provides automated security incident remediation tools for AWS environments. Designed to work with GuardDuty findings for real-time threat response.
Tools
Tool | Description |
| Move a malicious S3 object to a quarantine bucket and delete the original |
| Block all access for a compromised IAM user or role by attaching a deny-all policy |
| Remove overly permissive inbound rules (0.0.0.0/0) from a security group |
Related MCP server: SamiGPT
Prerequisites
Python 3.10+
AWS credentials configured (environment variables,
~/.aws/credentials, or IAM role)QUARANTINE_BUCKETenvironment variable set (required forquarantine_s3_object)
Required IAM Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:CopyObject"
],
"Resource": [
"arn:aws:s3:::SOURCE-BUCKET/*",
"arn:aws:s3:::QUARANTINE-BUCKET/*"
]
},
{
"Effect": "Allow",
"Action": [
"iam:PutUserPolicy",
"iam:PutRolePolicy"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress"
],
"Resource": "*"
}
]
}Installation
pip install -e .Usage
As a CLI tool (stdio transport)
QUARANTINE_BUCKET=my-quarantine-bucket security-remediation-mcp-serverWith Claude Desktop / Amazon Q / Cline
Add to your MCP configuration:
{
"mcpServers": {
"security-remediation": {
"command": "security-remediation-mcp-server",
"env": {
"QUARANTINE_BUCKET": "my-quarantine-bucket",
"AWS_REGION": "us-east-1"
}
}
}
}With Docker
docker build -t security-remediation-mcp-server .
docker run --rm \
-e AWS_ACCESS_KEY_ID \
-e AWS_SECRET_ACCESS_KEY \
-e AWS_REGION=us-east-1 \
-e QUARANTINE_BUCKET=my-quarantine-bucket \
-p 8000:8000 \
security-remediation-mcp-serverTool Details
quarantine_s3_object
Moves a malicious S3 object to a quarantine bucket with a date-based path structure, then deletes the original.
Parameters:
bucket_name(str): Source S3 bucket nameobject_key(str): Object key (path) to quarantine
Example response:
{
"action_type": "quarantine_s3_object",
"status": "SUCCESS",
"target_resource": "s3://source-bucket/malware.txt",
"details": "Moved to quarantine bucket: s3://quarantine-bucket/2026/03/02/source-bucket/malware.txt"
}restrict_iam_access
Attaches an inline deny-all policy (ACO-EmergencyDenyAll) to an IAM user or role, immediately revoking all permissions.
Parameters:
principal_arn(str): Full ARN of the IAM user or role
update_security_group
Removes all inbound rules that allow traffic from 0.0.0.0/0 (any IP address).
Parameters:
security_group_id(str): Security group ID (e.g.,sg-0123456789abcdef0)
Use Case: GuardDuty Automated Response
This MCP server is designed to be used with an AI agent that receives GuardDuty findings and automatically takes remediation actions:
GuardDuty detects a threat (e.g., malware in S3)
EventBridge routes the finding to an AI agent
Agent analyzes the finding and calls the appropriate tool
Tool executes the remediation (quarantine, block, cleanup)
Agent reports the result
License
MIT
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/yslee96/security-remeidation-mcp-sever'
If you have feedback or need assistance with the MCP directory API, please join our Discord server