
awslabs.well-architected-security-mcp-server

Tags: community · unknown · python · write capable · healthy

AWS Well-Architected Security Assessment Tool MCP Server

53 / 100

01 Tools · 6
Columns: Tool · Risk · Side effects · Approval

CheckSecurityServices · risk: read · side effects: false · approval: unknown
Verify if selected AWS security services are enabled in the specified region and account. This consolidated tool checks the status of multiple AWS security services in a single call, providing a comprehensive overview of your security posture.
Response format: returns a dictionary with:
- region: The region that was checked
- services_checked: List of services that were checked
- all_enabled: Boolean indicating if all specified services are enabled
- service_statuses: Dictionary with detailed status for each service
- summary: Summary of security recommendations
AWS permissions required:
- guardduty:ListDetectors, guardduty:GetDetector (if checking GuardDuty)
- inspector2:GetStatus (if checking Inspector)
- accessanalyzer:ListAnalyzers (if checking Access Analyzer)
- securityhub:DescribeHub (if checking Security Hub)
- support:DescribeTrustedAdvisorChecks (if checking Trusted Advisor)

GetSecurityFindings · risk: write · side effects: true · approval: unknown
Retrieve security findings from AWS security services. This tool provides a consolidated interface to retrieve findings from various AWS security services, including GuardDuty, Security Hub, Inspector, IAM Access Analyzer, and Trusted Advisor. It first checks if the specified security service is enabled in the region (using data from a previous CheckSecurityServices call) and only retrieves findings if the service is enabled.
Response format: returns a dictionary with:
- service: The security service findings were retrieved from
- enabled: Whether the service is enabled in the specified region
- findings: List of findings from the service (if service is enabled)
- summary: Summary statistics about the findings (if service is enabled)
- message: Status message or error information
AWS permissions required:
- Read permissions for the specified security service
Note: for optimal performance, run CheckSecurityServices with store_in_context=True before using this tool. Otherwise, it will need to check if the service is enabled first.

GetStoredSecurityContext · risk: read · side effects: false · approval: unknown
Retrieve security services data that was stored in context from a previous CheckSecurityServices call. This tool allows you to access security service status data stored by the CheckSecurityServices tool without making additional AWS API calls. This is useful for workflows where you need to reference the security services status in subsequent steps.
Response format: returns a dictionary with:
- region: The region the data was stored for
- available: Boolean indicating if data is available for the requested region
- data: The stored security services data (if available and detailed=True)
- summary: A summary of the stored data (if available)
- timestamp: When the data was stored (if available)
Note: this tool requires that CheckSecurityServices was previously called with store_in_context=True for the requested region.

CheckStorageEncryption · risk: read · side effects: false · approval: unknown
Check if AWS storage resources have encryption enabled. This tool identifies storage resources using Resource Explorer and checks if they are properly configured for data protection at rest according to AWS Well-Architected Framework Security Pillar best practices.
Response format: returns a dictionary with:
- region: The region that was checked
- resources_checked: Total number of storage resources checked
- compliant_resources: Number of resources with proper encryption
- non_compliant_resources: Number of resources without proper encryption
- compliance_by_service: Breakdown of compliance by service type
- resource_details: Details about each resource checked
- recommendations: Recommendations for improving data protection at rest
AWS permissions required:
- resource-explorer-2:ListResources
- Read permissions for each storage service being analyzed (s3:GetEncryptionConfiguration, etc.)

ListServicesInRegion · risk: write · side effects: true · approval: unknown
List all AWS services being used in a specific region. This tool identifies which AWS services are actively being used in the specified region by discovering resources through AWS Resource Explorer or direct API calls.
Response format: returns a dictionary with:
- region: The region that was checked
- services: List of AWS services being used in the region
- service_counts: Dictionary mapping service names to resource counts
- total_resources: Total number of resources found across all services
AWS permissions required:
- resource-explorer-2:Search (if Resource Explorer is set up)
- Read permissions for various AWS services

CheckNetworkSecurity · risk: read · side effects: false · approval: unknown
Check if AWS network resources are configured for secure data-in-transit. This tool identifies network resources using Resource Explorer and checks if they are properly configured for data protection in transit according to AWS Well-Architected Framework Security Pillar best practices.
Response format: returns a dictionary with:
- region: The region that was checked
- resources_checked: Total number of network resources checked
- compliant_resources: Number of resources with proper in-transit protection
- non_compliant_resources: Number of resources without proper in-transit protection
- compliance_by_service: Breakdown of compliance by service type
- resource_details: Details about each resource checked
- recommendations: Recommendations for improving data protection in transit
AWS permissions required:
- resource-explorer-2:ListResources
- Read permissions for each network service being analyzed (elb:DescribeLoadBalancers, etc.)

02 Install & source
uvx: uvx awslabs.well-architected-security-mcp-server
pip: pip install awslabs.well-architected-security-mcp-server

03 Access granted
Manage cloud infra · write

The access this server can exercise, inferred from its verified tools — not a declared OAuth scope.


04 Trust reasoning
  • 0 · Community server (official_status)
  • -3 · No clear license (license)
  • -3 · Exposes write tools (tool_risk)
  • +10 · MCP handshake verified (verification)
  • +5 · tools/list verified (verification)
  • +4 · Capabilities independently verified and fully risk-labeled (risk_transparency)

05 Provenance & freshness
sources: PyPI [p4]
last_checked: 2026-07-01 08:34Z
next_check: 2026-07-03 07:47Z
cadence: every 48h
verified: tools_list:passed handshake:passed metadata:passed metadata:passed metadata:passed
index_status: index · 6 unique facts >= 5

06 Badge

Show your MCPExplorer trust badge in your README:

[![MCPExplorer](https://mcpexplorer.com/badge/awslabs-well-architected-security-mcp-server.svg)](https://mcpexplorer.com/servers/awslabs-well-architected-security-mcp-server)
