AWS Security Audit

Audit AWS security posture via IAM and CloudTrail MCP servers — inspect users, roles, policies, and trace API activity for incident investigation and compliance.

MCP Servers

IAM MCP: uvx awslabs.iam-mcp-server@latest --readonly (stdio transport)
CloudTrail MCP: uvx awslabs.cloudtrail-mcp-server@latest (stdio transport)
Requires: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION (or AWS_PROFILE)

Key Capabilities

IAM (Identity & Access Management)

Users: List IAM users, access keys, MFA status, last activity
Roles: List roles, trust policies, attached permissions
Policies: Inspect policy documents, identify overly permissive policies
Groups: List groups and their memberships
Read-only mode: --readonly flag prevents any IAM modifications

CloudTrail (API Audit Trail)

Event history: Search recent API calls by user, service, or resource
Lookup events: Filter by event name, resource type, username
Time-based queries: Narrow to specific time windows around incidents
Multi-region: Trail events across all enabled regions

Workflow: Network Security Audit

When a user asks "audit our AWS network security":

IAM roles for network services: Check roles used by VPC, TGW, Network Firewall
Overly permissive policies: Find policies with ec2:* or *:* actions
Unused access keys: Identify stale credentials that should be rotated
MFA compliance: Check which users lack MFA
CloudTrail check: Recent AuthorizeSecurityGroupIngress, CreateNetworkAcl, ModifyVpcAttribute events
Report: Security posture summary with remediation recommendations

Workflow: Incident Investigation

When investigating a security event:

CloudTrail lookup: Search events by time window and suspected user/role
Identify actions: What API calls were made? DeleteSecurityGroup, ModifySubnetAttribute?
Source IP: Where did the API calls originate from?
IAM context: What permissions does the user/role have? Should they?
Blast radius: What resources were affected?
Report: Timeline of events with impact assessment

Workflow: Compliance Check

When checking AWS security compliance:

Root account: Check for root access key usage in CloudTrail
MFA enforcement: List users without MFA enabled
Access key rotation: Find keys older than 90 days
Unused credentials: Identify users with no recent activity
Policy review: Check for policies granting * on sensitive services
Report: Compliance scorecard with findings

Common CloudTrail Network Events

Event Name	What It Means
`AuthorizeSecurityGroupIngress`	Security group rule added (inbound)
`AuthorizeSecurityGroupEgress`	Security group rule added (outbound)
`RevokeSecurityGroupIngress`	Security group rule removed (inbound)
`CreateNetworkAclEntry`	NACL rule added
`CreateRoute`	Route table entry added
`ModifyVpcAttribute`	VPC setting changed
`CreateVpnConnection`	New VPN tunnel created
`AttachInternetGateway`	IGW attached to VPC
`CreateTransitGatewayRoute`	TGW route added
`UpdateFirewallRuleGroupRuleList`	Network Firewall rule changed

IAM Best Practices for Network Teams

Check	Why It Matters
No `ec2:*` policies	Prevent accidental network changes
Separate roles per service	Least privilege for VPC, TGW, Firewall
MFA on all humans	Protect against credential theft
No root access keys	Root should use MFA console only
Key rotation < 90 days	Limit exposure of compromised keys
CloudTrail enabled	Audit trail for all API changes

Important Rules

IAM MCP runs in read-only mode — cannot create, modify, or delete IAM resources
CloudTrail has event history limits — default 90-day lookback for management events
Region-specific for CloudTrail — unless using organization trail
Record in GAIT — log all security investigations for audit trail

Environment Variables

AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION (or AWS_PROFILE)

aws-security-audit