AWS SECURITY TOOLS

33 tools from the AWS Security MCP Server, categorised by risk level.

READ 26 tools
Read detect_services: Run Security Service Detection security scanner only. Read-only. Does not modify any AWS resources.
Read get_setup_template: Returns the CloudFormation StackSet template for deploying the cross-account security audit IAM role. Read-...
Read list_groups: List available scan groups with descriptions. Read-only.
Read list_modules: List available security scan modules with descriptions. Read-only. Does not modify any AWS resources.
Read list_org_accounts: List all accounts in the AWS Organization. Useful for discovering accounts before multi-account scanning. R...
Read scan_access_analyzer_findings: Run Access Analyzer Findings security scanner only. Read-only. Does not modify any AWS resources.
Read scan_all: Run all security scanners in parallel (including service detection). Read-only. Does not modify any AWS res...
Read scan_and_report: Run a full security scan AND generate reports in one step. Avoids large data transfer between tools. Report...
Read scan_config_rules_findings: Run Config Rules Findings security scanner only. Read-only. Does not modify any AWS resources.
Read scan_disaster_recovery: Run Disaster Recovery security scanner only. Read-only. Does not modify any AWS resources.
Read scan_dns_dangling: Run Dangling DNS security scanner only. Read-only. Does not modify any AWS resources.
Read scan_group: Run a predefined group of security scanners for a specific scenario (e.g., MLPS compliance, network defense...
Read scan_guardduty_findings: Run GuardDuty Findings security scanner only. Read-only. Does not modify any AWS resources.
Read scan_iam_privilege_escalation: Run IAM Privilege Escalation security scanner only. Read-only. Does not modify any AWS resources.
Read scan_idle_resources: Run Idle Resources security scanner only. Read-only. Does not modify any AWS resources.
Read scan_imdsv2_enforcement: Run IMDSv2 Enforcement security scanner only. Read-only. Does not modify any AWS resources.
Read scan_inspector_findings: Run Inspector Findings security scanner only. Read-only. Does not modify any AWS resources.
Read scan_network_reachability: Run Network Reachability security scanner only. Read-only. Does not modify any AWS resources.
Read scan_patch_compliance_findings: Run Patch Compliance Findings security scanner only. Read-only. Does not modify any AWS resources.
Read scan_public_access_verify: Run Public Access Verify security scanner only. Read-only. Does not modify any AWS resources.
Read scan_secret_exposure: Run Secret Exposure security scanner only. Read-only. Does not modify any AWS resources.
Read scan_security_hub_findings: Run Security Hub Findings security scanner only. Read-only. Does not modify any AWS resources.
Read scan_ssl_certificate: Run SSL Certificate security scanner only. Read-only. Does not modify any AWS resources.
Read scan_tag_compliance: Run Tag Compliance security scanner only. Read-only. Does not modify any AWS resources.
Read scan_trusted_advisor_findings: Run Trusted Advisor Findings security scanner only. Read-only. Does not modify any AWS resources.
Read scan_waf_coverage: Run WAF Coverage security scanner only. Read-only. Does not modify any AWS resources.

The managed route: connect AWS Security through the PolicyLayer gateway; every tool call above is checked against your policy before it runs, with a full audit log.

DIRECT INSTALL (UNMANAGED)

npx -y aws-security-mcp

How many tools does the AWS Security MCP server have?

The AWS Security MCP server exposes 33 tools across 2 categories: Read, Write.

How do I enforce policies on AWS Security tools?

Route the AWS Security server through the PolicyLayer gateway. Define allow, deny, or approval rules per tool in the dashboard; they are enforced on every call before it reaches the server.

What risk categories do AWS Security tools fall into?

AWS Security tools are categorised as Read (26), Write (7). Each category has a recommended default policy.

Let agents act without letting them run wild.

Route your MCP servers through PolicyLayer and every tool call is checked against your policy before it runs — allow, deny, or require approval. Per-identity grants. Full audit log. Live in minutes.

Free to start. No card required.

4,600+ MCP servers and 31,000+ tools scanned and risk-classified.
