Official Vendor Server
Amazon Web Services ✦ Lab Verified
AWS Well-Architected Security
Audit AWS security posture. Check security services, findings, encryption, and network compliance.
| Score | Latency | Uptime | Tools | Auth |
|---|---|---|---|---|
| 9.2/10 | 297ms | Local | 6 | stdio |
Ecosystem
Amazon Web Services MCP Servers
8 specialized servers, 104 tools tested independently. Each link leads to a full review with tool-level evidence.
| Server | Score | Security |
|---|---|---|
| AWS Documentation | 94/100 | 9/10 |
| AWS IAM | 94/100 | 9/10 |
| AWS | 93/100 | 9/10 |
| AWS Cost Explorer | 92/100 | 9/10 |
| AWS Billing | 91/100 | 8/10 |
| AWS Pricing | 91/100 | 8/10 |
| AWS CloudTrail | 90/100 | 8/10 |
| AWS CloudWatch | 90/100 | 8/10 |
Quick Verdict
Use this for AWS security assessments and compliance checks. Avoid it for real-time monitoring since max latency hit 2873ms. Best area: security analysis across storage, network and services. Biggest failure: none in current tests.
Lab Review
What We Found
What works: AWS Well-Architected security analysis delivers assessments with perfect reliability. All 6 tools executed successfully, from network security checks to storage encryption validation. The server earned 92/100 overall with 10/10 reliability - that consistency means you can depend on it for compliance workflows.

Where it breaks: We found no failures across security service checks, encryption validation, or network analysis. The server supports local_stdio transport with API key authentication. CheckSecurityServices performs analysis equivalent to multiple individual checks, completing in 2.9s for full security service assessment - excellent timing for the scope of work performed.

What this means for your workflow: You can build automated compliance audits on this foundation. The 2.9s execution time for security analysis fits periodic assessment workflows perfectly, whether weekly compliance checks or monthly architecture reviews. Individual security checks complete consistently in current tests for faster targeted validation. For teams needing reliable AWS security assessment automation, this server delivers. For real-time stream processing needs, look elsewhere.
Lab Observations
What actually happened during testing
During testing, our scanner interacted with AWS Well-Architected Security. 6 tools succeeded.
| Tool | Status |
|---|---|
| CheckSecurityServices | ✅ success |
| GetSecurityFindings | ✅ success |
| GetStoredSecurityContext | ✅ success |
| CheckStorageEncryption | ✅ success |
| ListServicesInRegion | ✅ success |
| CheckNetworkSecurity | ✅ success |
Reliability
Full runtime test completed. Score based on transport stability and schema completeness.
Score Breakdown
| Category | Basis |
|---|---|
| Reliability | 6 of 6 executed tools succeeded. |
| Security | Score based on schema analysis and dependency audit. |
| Setup | Local stdio server. Install via npx or binary, no auth required. |
| Docs | 6 tools with descriptions and input schemas. |
| Compatibility | Standard MCP protocol. Transport: stdio. |
| Maintenance | Based on commit frequency, releases, and contributor activity. |
Tools
6 available tools
Verify if selected AWS security services are enabled in the specified region and account. This consolidated tool checks the status of multiple AWS security services in a single call, providing a comprehensive overview of your security posture.

## Response format

Returns a dictionary with:

- region: The region that was checked
- services_checked: List of services that were checked
- all_enabled: Boolean indicating if all specified services are enabled
- service_statuses: Dictionary with detailed status for each service
- summary: Summary of security recommendations

## AWS permissions required

- guardduty:ListDetectors, guardduty:GetDetector (if checking GuardDuty)
- inspector2:GetStatus (if checking Inspector)
- accessanalyzer:ListAnalyzers (if checking Access Analyzer)
- securityhub:DescribeHub (if checking Security Hub)
- support:DescribeTrustedAdvisorChecks (if checking Trusted Advisor)

Retrieve security findings from AWS security services. This tool provides a consolidated interface to retrieve findings from various AWS security services, including GuardDuty, Security Hub, Inspector, IAM Access Analyzer, and Trusted Advisor. It first checks if the specified security service is enabled in the region (using data from a previous CheckSecurityServices call) and only retrieves findings if the service is enabled.

## Response format

Returns a dictionary with:

- service: The security service findings were retrieved from
- enabled: Whether the service is enabled in the specified region
- findings: List of findings from the service (if service is enabled)
- summary: Summary statistics about the findings (if service is enabled)
- message: Status message or error information

## AWS permissions required

- Read permissions for the specified security service

## Note

For optimal performance, run CheckSecurityServices with store_in_context=True before using this tool. Otherwise, it will need to check if the service is enabled first.

Retrieve security services data that was stored in context from a previous CheckSecurityServices call. This tool allows you to access security service status data stored by the CheckSecurityServices tool without making additional AWS API calls. This is useful for workflows where you need to reference the security services status in subsequent steps.

## Response format

Returns a dictionary with:

- region: The region the data was stored for
- available: Boolean indicating if data is available for the requested region
- data: The stored security services data (if available and detailed=True)
- summary: A summary of the stored data (if available)
- timestamp: When the data was stored (if available)

## Note

This tool requires that CheckSecurityServices was previously called with store_in_context=True for the requested region.

Check if AWS storage resources have encryption enabled. This tool identifies storage resources using Resource Explorer and checks if they are properly configured for data protection at rest according to AWS Well-Architected Framework Security Pillar best practices.

## Response format

Returns a dictionary with:

- region: The region that was checked
- resources_checked: Total number of storage resources checked
- compliant_resources: Number of resources with proper encryption
- non_compliant_resources: Number of resources without proper encryption
- compliance_by_service: Breakdown of compliance by service type
- resource_details: Details about each resource checked
- recommendations: Recommendations for improving data protection at rest

## AWS permissions required

- resource-explorer-2:ListResources
- Read permissions for each storage service being analyzed (s3:GetEncryptionConfiguration, etc.)

List all AWS services being used in a specific region. This tool identifies which AWS services are actively being used in the specified region by discovering resources through AWS Resource Explorer or direct API calls.

## Response format

Returns a dictionary with:

- region: The region that was checked
- services: List of AWS services being used in the region
- service_counts: Dictionary mapping service names to resource counts
- total_resources: Total number of resources found across all services

## AWS permissions required

- resource-explorer-2:Search (if Resource Explorer is set up)
- Read permissions for various AWS services

Check if AWS network resources are configured for secure data-in-transit. This tool identifies network resources using Resource Explorer and checks if they are properly configured for data protection in transit according to AWS Well-Architected Framework Security Pillar best practices.

## Response format

Returns a dictionary with:

- region: The region that was checked
- resources_checked: Total number of network resources checked
- compliant_resources: Number of resources with proper in-transit protection
- non_compliant_resources: Number of resources without proper in-transit protection
- compliance_by_service: Breakdown of compliance by service type
- resource_details: Details about each resource checked
- recommendations: Recommendations for improving data protection in transit

## AWS permissions required

- resource-explorer-2:ListResources
- Read permissions for each network service being analyzed (elb:DescribeLoadBalancers, etc.)

FAQ
Frequently asked questions about AWS Well-Architected Security
What authentication setup is required for AWS Well-Architected security assessments?
Our tests used api_key credentials with wellarchitected:read scope permissions. All 6 security assessment operations executed successfully with this configuration. The server connected through standard AWS authentication without requiring additional OAuth flows or complex credential management beyond the initial API key setup.
How does latency vary across different security assessment operations?
CheckSecurityServices performs comprehensive analysis equivalent to multiple individual checks, completing in 2.9s for full security service assessment. Individual focused operations like GetSecurityFindings and GetStoredSecurityContext returned results in 2ms, while targeted assessments like CheckStorageEncryption and CheckNetworkSecurity completed between 186-464ms.
Which specific AWS security areas can be assessed through this server?
We executed assessments across security services, storage encryption, network security, stored security contexts, and regional service discovery. CheckSecurityServices provides broad security service analysis, while CheckStorageEncryption and CheckNetworkSecurity focus on specific infrastructure domains. GetSecurityFindings retrieves existing assessment results.
What happens when security assessment operations fail?
During our testing, all 6 executed operations completed successfully without any failures. We observed consistent success rates across both comprehensive assessments like CheckSecurityServices and quick retrieval operations like GetSecurityFindings. The server maintained 10/10 reliability throughout our test suite.
Are there any gotchas with the comprehensive security service assessment?
CheckSecurityServices requires significantly more processing time than individual checks, taking 2.9s compared to other operations completing in under 500ms. Teams should plan for this timing difference when building workflows that need complete security service evaluation versus quick targeted assessments.
What regional capabilities are available for security assessments?
ListServicesInRegion completed in 464ms, providing service discovery across AWS regions. This operation enables teams to identify which services are deployed in specific regions before running targeted security assessments. Regional scoping helps focus security analysis on relevant infrastructure components.
How quickly can existing security findings be retrieved?
GetSecurityFindings and GetStoredSecurityContext both returned cached results in 2ms, enabling rapid access to previously completed assessments. These retrieval operations support dashboard building and compliance reporting without re-running expensive analysis operations.