
sample-well-architected s

MCP server from aws-samples/sample-well-architected-mcp-servers

Installation
Run this command in your terminal to add the MCP server to Claude Code. Options such as --env go before the server name, and -- separates the server name from the command that starts it.
claude mcp add --transport stdio \
  --env LOG_LEVEL="INFO" \
  --env AWS_REGION="region where AWS resources are accessed" \
  --env COGNITO_CLIENT_ID="optional Cognito app client" \
  --env COGNITO_USER_POOL_ID="optional Cognito user pool for authentication" \
  aws-samples-sample-well-architected-mcp-servers -- python -m wa_security_mcp_server

How to use

This MCP server provides a suite of AWS security assessment tools as part of the Cloud Optimization Assistant. It runs as a specialized MCP server that exposes security-focused evaluation capabilities which are integrated with the Bedrock agents and the overall MCP ecosystem. Use it to perform security posture assessments, identify misconfigurations, and generate actionable remediation guidance that aligns with AWS Well-Architected best practices. The server is designed to be invoked by the larger Cloud Optimization Assistant workflow and can be orchestrated through the MCP framework alongside other self-maintained or remote MCP servers.

To interact with it, deploy the server in your environment (as described in the installation guide) and ensure it is reachable by the MCP orchestration layer. Once running, you can trigger its tools from the central assistant interface or via the MCP API, receive structured analysis results, and incorporate them into reports and dashboards. The server emphasizes modular security checks, enabling you to run the full security suite or select individual tools relevant to your AWS accounts and workloads.

How to install

Prerequisites:

  • Python 3.8+ installed on the target runtime
  • Access to AWS with appropriate IAM permissions for security assessments
  • A functioning MCP orchestration environment (as part of the Cloud Optimization Assistant)

Install steps:

  1. Clone the repository containing the MCP server or prepare your deployment environment:
     git clone https://github.com/aws-samples/aws-samples-sample-well-architected-mcp-servers.git
     cd aws-samples-sample-well-architected-mcp-servers

  2. Set up a Python virtual environment (recommended):
     python -m venv venv
     source venv/bin/activate # on Windows use: venv\Scripts\activate

  3. Install required Python packages (adjust requirements as needed): pip install -r mcp-servers/well-architected-security-mcp-server/requirements.txt

  4. Configure environment variables (at minimum):
     export AWS_REGION=us-east-1
     export COGNITO_USER_POOL_ID=your_user_pool_id # optional
     export COGNITO_CLIENT_ID=your_app_client_id # optional

  5. Run the MCP server (module name assumed in this project): python -m wa_security_mcp_server

  6. Verify the server starts correctly and is reachable by the MCP orchestrator. Check logs for any missing dependencies or IAM permissions and resolve accordingly.

  7. Integrate with the MCP orchestration layer by registering the server in your MCP configuration (see mcp_config section in the deployment docs).

Additional notes

Tips and common considerations:

  • The Security MCP Server exposes a set of 6 security assessment tools. Ensure each tool’s prerequisites (e.g., specific AWS service permissions) are granted to the execution role.
  • Use least-privilege IAM policies for the agent to access AWS resources during assessments.
  • If you deploy behind a VPC, ensure network access between the MCP orchestrator and the security MCP server (security groups, endpoints).
  • Enable detailed logging during troubleshooting by temporarily setting LOG_LEVEL to INFO or DEBUG as needed.
  • If Cognito authentication is used, configure COGNITO_USER_POOL_ID and COGNITO_CLIENT_ID to enable SSO and token-based API access.
  • Regularly update dependencies and monitor for security advisories related to the BC/Bedrock integration components.
  • When using in production, consider containerizing the server and running behind a secure API Gateway or load balancer with health checks.
