aws-security-audit
AWS Security Audit
MCP Servers
- IAM MCP:
uvx awslabs.iam-mcp-server@latest --readonly(stdio transport) - CloudTrail MCP:
uvx awslabs.cloudtrail-mcp-server@latest(stdio transport) - Requires:
AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY,AWS_REGION(orAWS_PROFILE)
Key Capabilities
IAM (Identity & Access Management)
- Users: List IAM users, access keys, MFA status, last activity
- Roles: List roles, trust policies, attached permissions
- Policies: Inspect policy documents, identify overly permissive policies
- Groups: List groups and their memberships
- Read-only mode:
--readonlyflag prevents any IAM modifications
CloudTrail (API Audit Trail)
- Event history: Search recent API calls by user, service, or resource
- Lookup events: Filter by event name, resource type, username
- Time-based queries: Narrow to specific time windows around incidents
- Multi-region: Trail events across all enabled regions
Workflow: Network Security Audit
When a user asks "audit our AWS network security":
- IAM roles for network services: Check roles used by VPC, TGW, Network Firewall
- Overly permissive policies: Find policies with
ec2:*or*:*actions - Unused access keys: Identify stale credentials that should be rotated
- MFA compliance: Check which users lack MFA
- CloudTrail check: Recent
AuthorizeSecurityGroupIngress,CreateNetworkAcl,ModifyVpcAttributeevents - Report: Security posture summary with remediation recommendations
Workflow: Incident Investigation
When investigating a security event:
- CloudTrail lookup: Search events by time window and suspected user/role
- Identify actions: What API calls were made?
DeleteSecurityGroup,ModifySubnetAttribute? - Source IP: Where did the API calls originate from?
- IAM context: What permissions does the user/role have? Should they?
- Blast radius: What resources were affected?
- Report: Timeline of events with impact assessment
Workflow: Compliance Check
When checking AWS security compliance:
- Root account: Check for root access key usage in CloudTrail
- MFA enforcement: List users without MFA enabled
- Access key rotation: Find keys older than 90 days
- Unused credentials: Identify users with no recent activity
- Policy review: Check for policies granting
*on sensitive services - Report: Compliance scorecard with findings
Common CloudTrail Network Events
| Event Name | What It Means |
|---|---|
AuthorizeSecurityGroupIngress |
Security group rule added (inbound) |
AuthorizeSecurityGroupEgress |
Security group rule added (outbound) |
RevokeSecurityGroupIngress |
Security group rule removed (inbound) |
CreateNetworkAclEntry |
NACL rule added |
CreateRoute |
Route table entry added |
ModifyVpcAttribute |
VPC setting changed |
CreateVpnConnection |
New VPN tunnel created |
AttachInternetGateway |
IGW attached to VPC |
CreateTransitGatewayRoute |
TGW route added |
UpdateFirewallRuleGroupRuleList |
Network Firewall rule changed |
IAM Best Practices for Network Teams
| Check | Why It Matters |
|---|---|
No ec2:* policies |
Prevent accidental network changes |
| Separate roles per service | Least privilege for VPC, TGW, Firewall |
| MFA on all humans | Protect against credential theft |
| No root access keys | Root should use MFA console only |
| Key rotation < 90 days | Limit exposure of compromised keys |
| CloudTrail enabled | Audit trail for all API changes |
Important Rules
- IAM MCP runs in read-only mode — cannot create, modify, or delete IAM resources
- CloudTrail has event history limits — default 90-day lookback for management events
- Region-specific for CloudTrail — unless using organization trail
- Record in GAIT — log all security investigations for audit trail
Environment Variables
AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY,AWS_REGION(orAWS_PROFILE)
More from automateyournetwork/netclaw
pyats-topology
Network topology discovery via CDP/LLDP neighbors, ARP tables, routing peers, and interface mapping to build complete network maps. Use when mapping the network, building a diagram, discovering what is connected to what, or documenting device neighbors and links.
20drawio-diagram
Generate draw.io network diagrams — native .drawio files with CLI export (PNG/SVG/PDF), plus browser-based Mermaid/XML/CSV via MCP server. Use when creating network topology diagrams, generating architecture visuals, exporting diagrams to PNG or PDF, or building draw.io files from discovery data.
19aws-architecture-diagram
AWS architecture diagrams — generate visual network topology diagrams from live AWS infrastructure. Use when drawing AWS network diagrams, visualizing VPCs, mapping Transit Gateway topology, or generating architecture documentation.
19grafana-observability
Grafana observability platform — dashboards, Prometheus PromQL, Loki LogQL, alerting, incidents, OnCall schedules, annotations, datasource queries, panel rendering (75+ tools). Use when querying Grafana dashboards, running PromQL for interface metrics, searching Loki logs for syslog events, investigating firing alerts, or checking who is on call.
18pyats-health-check
Comprehensive network device health monitoring - CPU, memory, interfaces, hardware, NTP, logging, environment, and uptime analysis. Use when running a device health check, monitoring CPU or memory usage, checking interface errors, or validating NTP sync.
17aws-cloud-monitoring
AWS CloudWatch monitoring — metrics, alarms, log queries, VPC flow log analysis, network performance. Use when checking AWS alarms, analyzing VPC flow logs, investigating network latency, or monitoring VPN and NAT Gateway metrics.
15