# AWS Security
Version: 1.0.1 · Category: AWS Cloud Security · Plan: Base+
A unified entry point for AWS security service status and alert querying, integrating four services: GuardDuty, Security Hub, Inspector, and Macie.
## Tools

### GuardDuty

#### list_detectors — Detector list
List all GuardDuty detectors in the current account, including:
- Enable status
- Service role ARN
- Data source configuration
#### get_findings — Findings
Retrieve GuardDuty finding details, supporting filters by:
- Finding ID list
- Severity (`HIGH`, `MEDIUM`, `LOW`)
- Finding type (e.g. `UnauthorizedAccess:EC2/SSHBruteForce`)
- Time range
#### list_findings — Finding list
List all GuardDuty finding IDs in the current detector, supporting multi-dimensional sorting and filtering.
#### get_threat_intel_sets — Threat intelligence sets
List threat intelligence IP sets and domain lists uploaded by the customer.
### Security Hub

#### get_security_hub_findings — Security Hub findings
Aggregate findings from all integrated security tools:
| Supported sources | Description |
|---|---|
| GuardDuty | Threat detection findings |
| Inspector | Vulnerability assessment findings |
| Macie | Sensitive data discovery |
| IAM Access Analyzer | Resource exposure analysis |
| AWS Config | Configuration compliance |
| Third-party integrations | Crowdstrike, Palo Alto, etc. |
Supports filtering by Workflow State (NEW / IN_PROGRESS / RESOLVED) and Compliance Status.
#### get_security_hub_insights — Security Hub insights
Query Security Hub Insights — pre-built aggregated views of grouped security findings:
- Top high-severity resources
- Non-compliant resources by region
- Resources with most unresolved findings
### Inspector

#### list_inspector_findings — Inspector vulnerability findings
List all Inspector vulnerability assessment results:
- Severity: CRITICAL / HIGH / MEDIUM / LOW / INFORMATIONAL
- Resource type: EC2 / ECR image / Lambda
- CVE details and EPSS scores
### Macie

#### list_macie_findings — Macie sensitive data findings
List Macie sensitive data discovery results:
- Sensitive data category (credentials, financial, personal information, etc.)
- S3 bucket and object path
- Number of occurrences and sample data
#### get_macie_finding — Macie finding details
Retrieve detailed information for a specific Macie finding.
## Configuration
| Item | Description |
|---|---|
| `AWS_ACCESS_KEY_ID` | Access Key ID |
| `AWS_SECRET_ACCESS_KEY` | Secret Access Key |
| `AWS_DEFAULT_REGION` | Default region (e.g. `us-east-1`) |
| `AWS_SESSION_TOKEN` | Optional: temporary session token |
## Investigation workflow

1. `get_security_hub_findings workflow_status:"NEW" severity:["CRITICAL","HIGH"]`
   → Get all unresolved critical and high findings across all tools
2. `get_findings severity_list:["HIGH","MEDIUM"]`
   → Retrieve current active GuardDuty alerts
3. `list_inspector_findings severity:["CRITICAL"]`
   → Prioritize the most critical unpatched vulnerabilities
4. `list_macie_findings`
   → Check whether sensitive data has been exposed in S3 buckets
5. `get_security_hub_insights`
   → View pre-aggregated insight data for a quick overall security posture overview
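The following is an added example, not the tool's own code, showing what the filters behind `get_findings` (severity labels, finding type, time range) and steps 1 to 4 of the workflow above look like as boto3 request parameters, and how findings from the four services can be merged into one severity-ordered triage list. It assumes the documented request shapes of the `guardduty`, `securityhub`, `inspector2` and `macie2` boto3 clients; the function names, the `SAMPLE_FINDINGS` data and the CVE placeholder are constructed for illustration. Note the caveat handled in `build_guardduty_criteria`: GuardDuty severity is numeric and the API takes one range per attribute, so a non-contiguous label selection such as `HIGH` + `LOW` has to be narrowed again client-side.

```python
import math
from datetime import datetime, timedelta, timezone

# GuardDuty severity is numeric; these label ranges follow the GuardDuty documentation
# (Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9).
GUARDDUTY_SEVERITY_RANGES = {"LOW": (1.0, 3.9), "MEDIUM": (4.0, 6.9), "HIGH": (7.0, 8.9)}
# Common ordering used to rank findings from all four services (highest first).
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFORMATIONAL": 0}

# Constructed sample findings (not real AWS output), one per service, in each API's response shape.
SAMPLE_FINDINGS = {
    "guardduty": [{"Severity": 8, "Type": "UnauthorizedAccess:EC2/SSHBruteForce",
                   "Resource": {"ResourceType": "Instance"}},
                  {"Severity": 5, "Type": "Recon:EC2/PortProbeUnprotectedPort",
                   "Resource": {"ResourceType": "Instance"}}],
    "securityhub": [{"Severity": {"Label": "CRITICAL"}, "Title": "S3 bucket is publicly readable",
                     "Resources": [{"Id": "arn:aws:s3:::example-bucket"}]}],
    "inspector": [{"severity": "HIGH", "title": "CVE-0000-00000 (placeholder) in openssl",
                   "resources": [{"id": "i-0123456789abcdef0"}]}],
    "macie": [{"severity": {"description": "Medium"}, "type": "SensitiveData:S3Object/Personal",
               "resourcesAffected": {"s3Bucket": {"name": "example-bucket"}}}],
}


def guardduty_severity_label(score):
    """Map a numeric GuardDuty severity to the HIGH/MEDIUM/LOW label the tool filters on."""
    for label, (lo, hi) in GUARDDUTY_SEVERITY_RANGES.items():
        if lo <= score <= hi:
            return label
    return "UNKNOWN"


def build_guardduty_criteria(severity_list=None, finding_types=None, last_hours=None, now=None):
    """FindingCriteria for guardduty list_findings(): severity labels, finding types, time range."""
    criterion = {}
    if severity_list:
        ranges = [GUARDDUTY_SEVERITY_RANGES[s.upper()] for s in severity_list]
        # One numeric range per attribute: a non-contiguous set (HIGH + LOW) is widened here
        # and made exact again by filter_by_label() on the returned findings.
        criterion["severity"] = {"Gte": int(min(lo for lo, _ in ranges)),
                                 "Lte": math.ceil(max(hi for _, hi in ranges))}
    if finding_types:
        criterion["type"] = {"Eq": list(finding_types)}
    if last_hours:
        now = now or datetime.now(timezone.utc)
        start = now - timedelta(hours=last_hours)
        # updatedAt takes epoch milliseconds.
        criterion["updatedAt"] = {"Gte": int(start.timestamp() * 1000),
                                  "Lte": int(now.timestamp() * 1000)}
    return {"Criterion": criterion}


def filter_by_label(findings, severity_list):
    """Client-side narrowing so the returned set matches exactly the labels requested."""
    wanted = {s.upper() for s in severity_list}
    return [f for f in findings if guardduty_severity_label(f["Severity"]) in wanted]


def build_security_hub_filters(workflow_status=("NEW",), severity_labels=("CRITICAL", "HIGH"),
                               compliance_status=None):
    """Filters for securityhub get_findings(); values inside one list are OR-ed by the API."""
    eq = lambda values: [{"Value": v, "Comparison": "EQUALS"} for v in values]
    filters = {"WorkflowStatus": eq(workflow_status), "SeverityLabel": eq(severity_labels),
               "RecordState": eq(["ACTIVE"])}  # leave archived findings out
    if compliance_status:
        filters["ComplianceStatus"] = eq(compliance_status)
    return filters


def build_inspector_filter(severities=("CRITICAL",)):
    """filterCriteria for inspector2 list_findings(), restricted to still-active findings."""
    return {"severity": [{"comparison": "EQUALS", "value": s} for s in severities],
            "findingStatus": [{"comparison": "EQUALS", "value": "ACTIVE"}]}


def normalize(source, finding):
    """Reduce a raw finding from any service to (rank, source, severity, title, resource)."""
    if source == "guardduty":
        sev = guardduty_severity_label(finding["Severity"])
        return (SEVERITY_RANK[sev], source, sev, finding["Type"], finding["Resource"]["ResourceType"])
    if source == "securityhub":
        sev = finding["Severity"]["Label"]
        return (SEVERITY_RANK[sev], source, sev, finding["Title"], finding["Resources"][0]["Id"])
    if source == "inspector":
        sev = finding["severity"]
        return (SEVERITY_RANK[sev], source, sev, finding["title"], finding["resources"][0]["id"])
    if source == "macie":
        sev = finding["severity"]["description"].upper()
        return (SEVERITY_RANK[sev], source, sev, finding["type"],
                finding["resourcesAffected"]["s3Bucket"]["name"])
    raise ValueError(f"unknown source {source}")


def triage(findings_by_source):
    """Merge findings from all sources into one list, most severe first (stable within a rank)."""
    rows = [normalize(src, f) for src, lst in findings_by_source.items() for f in lst]
    return sorted(rows, key=lambda r: r[0], reverse=True)


def run_workflow(session, detector_id, hours=24):
    """Steps 1-4 of the workflow against live APIs; session is a boto3.Session built from the
    credentials in the Configuration table. get_findings calls are capped at 50 IDs per request."""
    hub = session.client("securityhub").get_findings(Filters=build_security_hub_filters())["Findings"]
    gd = session.client("guardduty")
    ids = gd.list_findings(DetectorId=detector_id,
                           FindingCriteria=build_guardduty_criteria(["HIGH", "MEDIUM"], last_hours=hours),
                           SortCriteria={"AttributeName": "severity", "OrderBy": "DESC"})["FindingIds"]
    gd_findings = gd.get_findings(DetectorId=detector_id, FindingIds=ids[:50])["Findings"] if ids else []
    insp_findings = session.client("inspector2").list_findings(filterCriteria=build_inspector_filter())["findings"]
    macie = session.client("macie2")
    macie_ids = macie.list_findings()["findingIds"]
    macie_findings = macie.get_findings(findingIds=macie_ids[:50])["findings"] if macie_ids else []
    return triage({"securityhub": hub, "guardduty": filter_by_label(gd_findings, ["HIGH", "MEDIUM"]),
                   "inspector": insp_findings, "macie": macie_findings})
```

`triage(SAMPLE_FINDINGS)` runs offline and yields the Security Hub CRITICAL finding first, then the two HIGH rows, then the MEDIUM ones; `run_workflow(boto3.Session(), detector_id)` does the same against a real account once credentials and the detector ID are available. Pagination is left out for brevity: each list call returns a `NextToken` that a production caller should follow.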