awslabs.well-architected-security-mcp-server
community · unknown · python · write capable · healthy
AWS Well-Architected Security Assessment Tool MCP Server
53 / 100

01 Tools · 6
| Tool | Risk | Side effects | Approval |
|---|---|---|---|
| CheckSecurityServices | read | false | unknown |
| GetSecurityFindings | write | true | unknown |
| GetStoredSecurityContext | read | false | unknown |
| CheckStorageEncryption | read | false | unknown |
| ListServicesInRegion | write | true | unknown |
| CheckNetworkSecurity | read | false | unknown |

## CheckSecurityServices

Verify whether selected AWS security services are enabled in the specified region and account.

This consolidated tool checks the status of multiple AWS security services in a single call,
providing a comprehensive overview of your security posture.

### Response format

Returns a dictionary with:
- region: The region that was checked
- services_checked: List of services that were checked
- all_enabled: Boolean indicating whether all specified services are enabled
- service_statuses: Dictionary with detailed status for each service
- summary: Summary of security recommendations

### AWS permissions required

- guardduty:ListDetectors, guardduty:GetDetector (if checking GuardDuty)
- inspector2:GetStatus (if checking Inspector)
- accessanalyzer:ListAnalyzers (if checking Access Analyzer)
- securityhub:DescribeHub (if checking Security Hub)
- support:DescribeTrustedAdvisorChecks (if checking Trusted Advisor)

## GetSecurityFindings

Retrieve security findings from AWS security services.

This tool provides a consolidated interface to retrieve findings from various AWS security
services, including GuardDuty, Security Hub, Inspector, IAM Access Analyzer, and Trusted Advisor.
It first checks whether the specified security service is enabled in the region (using data from
a previous CheckSecurityServices call) and only retrieves findings if the service is enabled.

### Response format

Returns a dictionary with:
- service: The security service the findings were retrieved from
- enabled: Whether the service is enabled in the specified region
- findings: List of findings from the service (if the service is enabled)
- summary: Summary statistics about the findings (if the service is enabled)
- message: Status message or error information

### AWS permissions required

- Read permissions for the specified security service

### Note

For optimal performance, run CheckSecurityServices with store_in_context=True
before using this tool. Otherwise, it will need to check whether the service is enabled first.

## GetStoredSecurityContext

Retrieve security services data that was stored in context by a previous CheckSecurityServices call.

This tool allows you to access security service status data stored by the CheckSecurityServices tool
without making additional AWS API calls. This is useful for workflows where you need to reference
the security services status in subsequent steps.

### Response format

Returns a dictionary with:
- region: The region the data was stored for
- available: Boolean indicating whether data is available for the requested region
- data: The stored security services data (if available and detailed=True)
- summary: A summary of the stored data (if available)
- timestamp: When the data was stored (if available)

### Note

This tool requires that CheckSecurityServices was previously called with store_in_context=True
for the requested region.

## CheckStorageEncryption

Check whether AWS storage resources have encryption enabled.

This tool identifies storage resources using Resource Explorer and checks whether they
are properly configured for data protection at rest according to AWS Well-Architected
Framework Security Pillar best practices.

### Response format

Returns a dictionary with:
- region: The region that was checked
- resources_checked: Total number of storage resources checked
- compliant_resources: Number of resources with proper encryption
- non_compliant_resources: Number of resources without proper encryption
- compliance_by_service: Breakdown of compliance by service type
- resource_details: Details about each resource checked
- recommendations: Recommendations for improving data protection at rest

### AWS permissions required

- resource-explorer-2:ListResources
- Read permissions for each storage service being analyzed (s3:GetEncryptionConfiguration, etc.)

## ListServicesInRegion

List all AWS services being used in a specific region.

This tool identifies which AWS services are actively being used in the specified region
by discovering resources through AWS Resource Explorer or direct API calls.

### Response format

Returns a dictionary with:
- region: The region that was checked
- services: List of AWS services being used in the region
- service_counts: Dictionary mapping service names to resource counts
- total_resources: Total number of resources found across all services

### AWS permissions required

- resource-explorer-2:Search (if Resource Explorer is set up)
- Read permissions for various AWS services

## CheckNetworkSecurity

Check whether AWS network resources are configured for secure data in transit.

This tool identifies network resources using Resource Explorer and checks whether they
are properly configured for data protection in transit according to AWS Well-Architected
Framework Security Pillar best practices.

### Response format

Returns a dictionary with:
- region: The region that was checked
- resources_checked: Total number of network resources checked
- compliant_resources: Number of resources with proper in-transit protection
- non_compliant_resources: Number of resources without proper in-transit protection
- compliance_by_service: Breakdown of compliance by service type
- resource_details: Details about each resource checked
- recommendations: Recommendations for improving data protection in transit

### AWS permissions required

- resource-explorer-2:ListResources
- Read permissions for each network service being analyzed (elb:DescribeLoadBalancers, etc.)
02 Install & source

uvx: uvx awslabs.well-architected-security-mcp-server
pip: pip install awslabs.well-architected-security-mcp-server

03 Access granted
Manage cloud infra · write
The access this server can exercise, inferred from its verified tools — not a declared OAuth scope.
04 Trust reasoning

- +0: Community server (official_status)
- -3: No clear license (license)
- -3: Exposes write tools (tool_risk)
- +10: MCP handshake verified (verification)
- +5: tools/list verified (verification)
- +4: Capabilities independently verified and fully risk-labeled (risk_transparency)
05 Provenance & freshness

- sources: PyPI [p4]
- last_checked: 2026-07-01 08:34Z
- next_check: 2026-07-03 07:47Z
- cadence: every 48h
- verified: tools_list:passed handshake:passed metadata:passed metadata:passed metadata:passed
- index_status: index — 6 unique facts >= 5
06 Badge

Show your MCPExplorer trust badge in your README.
[MCPExplorer trust badge](https://mcpexplorer.com/servers/awslabs-well-architected-security-mcp-server)