33 tools from the AWS Security MCP Server, categorised by risk level.
detect_services: Run Security Service Detection security scanner only. Read-only. Does not modify any AWS resources.
get_setup_template: Returns the CloudFormation StackSet template for deploying the cross-account security audit IAM role. Read-only.
list_groups: List available scan groups with descriptions. Read-only.
list_modules: List available security scan modules with descriptions. Read-only. Does not modify any AWS resources.
list_org_accounts: List all accounts in the AWS Organization. Useful for discovering accounts before multi-account scanning. Read-only.
scan_access_analyzer_findings: Run Access Analyzer Findings security scanner only. Read-only. Does not modify any AWS resources.
scan_all: Run all security scanners in parallel (including service detection). Read-only. Does not modify any AWS resources. Supports multi-account org scann... 2/5
scan_and_report: Run a full security scan AND generate reports in one step. Avoids large data transfer between tools. Reports are saved to ~/.aws-security/reports/
scan_config_rules_findings: Run Config Rules Findings security scanner only. Read-only. Does not modify any AWS resources.
scan_disaster_recovery: Run Disaster Recovery security scanner only. Read-only. Does not modify any AWS resources.
scan_dns_dangling: Run Dangling DNS security scanner only. Read-only. Does not modify any AWS resources.
scan_group: Run a predefined group of security scanners for a specific scenario (e.g., MLPS compliance, network defense). Read-only. Supports multi-account org...
scan_guardduty_findings: Run GuardDuty Findings security scanner only. Read-only. Does not modify any AWS resources.
scan_iam_privilege_escalation: Run IAM Privilege Escalation security scanner only. Read-only. Does not modify any AWS resources.
scan_idle_resources: Run Idle Resources security scanner only. Read-only. Does not modify any AWS resources.
scan_imdsv2_enforcement: Run IMDSv2 Enforcement security scanner only. Read-only. Does not modify any AWS resources.
scan_inspector_findings: Run Inspector Findings security scanner only. Read-only. Does not modify any AWS resources.
scan_network_reachability: Run Network Reachability security scanner only. Read-only. Does not modify any AWS resources.
scan_patch_compliance_findings: Run Patch Compliance Findings security scanner only. Read-only. Does not modify any AWS resources.
scan_public_access_verify: Run Public Access Verify security scanner only. Read-only. Does not modify any AWS resources.
scan_secret_exposure: Run Secret Exposure security scanner only. Read-only. Does not modify any AWS resources.
scan_security_hub_findings: Run Security Hub Findings security scanner only. Read-only. Does not modify any AWS resources.
scan_ssl_certificate: Run SSL Certificate security scanner only. Read-only. Does not modify any AWS resources.
scan_tag_compliance: Run Tag Compliance security scanner only. Read-only. Does not modify any AWS resources.
scan_trusted_advisor_findings: Run Trusted Advisor Findings security scanner only. Read-only. Does not modify any AWS resources.
scan_waf_coverage: Run WAF Coverage security scanner only. Read-only. Does not modify any AWS resources.
generate_html_report: Generate a professional HTML security report. Save the output as an .html file. 2/5
generate_hw_defense_report: Generate an HTML report organized by HW Defense (护网) SOP checklist categories. Save as .html file. 2/5
generate_maturity_report: Generate a security maturity assessment report from scan_all results. Requires service_detection module output. Read-only. 2/5
generate_mlps3_html_report: Generate a professional HTML MLPS Level 3 compliance report (等保三级). Save as .html file. 2/5
generate_mlps3_report: Generate a GB/T 22239-2019 等保三级 compliance pre-check report from scan results. Best used with scan_group mlps3_precheck results. Read-only. 2/5
generate_report: Generate a Markdown security report from scan results. Read-only. Does not modify any AWS resources. 2/5
save_results: Saves scan results to local disk or S3 for dashboard display. Does not modify any AWS resources. 2/5

The AWS Security MCP server exposes 33 tools across 2 categories: Read, Write.
Use Intercept, the open-source MCP proxy. Write YAML rules for each tool — rate limits, argument validation, or deny rules — then run Intercept in front of the AWS Security server.
AWS Security tools are categorised as Read (26), Write (7). Each category has a recommended default policy.
Open source. One binary. Zero dependencies.
npx -y @policylayer/intercept