Command Palette

Search for a command to run...

UnylyUnyly
Browse all

AWS Compliance Server

FreeNot checked

Enables LLMs to perform automated compliance scanning of AWS infrastructure against PCI-DSS, CIS, and Well-Architected frameworks. It provides tools for scannin

GitHubEmbed

About

Enables LLMs to perform automated compliance scanning of AWS infrastructure against PCI-DSS, CIS, and Well-Architected frameworks. It provides tools for scanning, remediation, and audit report generation.

README

A Model Context Protocol (MCP) server that connects an LLM (Claude, GPT-4, etc.) to real AWS infrastructure and performs automated compliance scanning against:

  • PCI-DSS v3.2.1 (18 controls across 8 requirements)
  • CIS AWS Foundations Benchmark v1.4 (19 controls across 5 sections)
  • AWS Well-Architected Framework (14 checks across all 5 pillars)

Architecture

Claude / Any MCP Client
        │  MCP Protocol (stdio)
        ▼
aws-compliance-mcp (FastMCP server)
    ├── ConfigTools        → AWS Config APIs
    ├── SecurityHubTools   → Security Hub APIs
    └── ComplianceScanner  → Rule mappings + scoring

Prerequisites

  • Python 3.10+
  • AWS credentials with read access to Config and Security Hub
  • AWS Config and Security Hub enabled in your target region

Installation

# Clone the repo
git clone https://github.com/YOUR_USERNAME/aws-compliance-mcp.git
cd aws-compliance-mcp

# Create virtual environment
python -m venv .venv
source .venv/bin/activate        # Windows: .venv\Scripts\activate

# Install the package
pip install -e ".[dev]"

# Or with pip from requirements
pip install -r requirements.txt
pip install -r requirements-dev.txt

Configuration

cp .env.example .env
# Edit .env with your AWS region and optional profile

.env.example:

AWS_REGION=us-east-1
# AWS_PROFILE=my-profile   # Uncomment to use a named profile

Running the Server

# Run directly
python -m aws_compliance_mcp.server

# Or via installed script
aws-compliance-mcp

Connect to Claude Desktop

Add to ~/Library/Application Support/Claude/claude_desktop_config.json (macOS):

{
  "mcpServers": {
    "aws-compliance": {
      "command": "/path/to/.venv/bin/python",
      "args": ["-m", "aws_compliance_mcp.server"],
      "env": {
        "AWS_REGION": "us-east-1",
        "AWS_PROFILE": "your-profile"
      }
    }
  }
}

Available MCP Tools

Tool Description
scan_pcidss_compliance Full PCI-DSS v3.2.1 scan
scan_cis_compliance CIS Benchmark v1.4 scan
scan_well_architected Well-Architected scan (all pillars or single)
scan_all_frameworks Unified scan with overall risk score
get_remediation_steps Step-by-step fix for a specific control
generate_audit_report Audit-ready report with top-10 priorities
get_config_compliance_summary Overall Config rule compliance %
list_config_rules All Config rules + compliance state
get_config_rule_status Single rule details + failing resources
get_noncompliant_resources NON_COMPLIANT resources
get_security_hub_summary Finding counts by severity
get_security_hub_findings Filtered findings list
get_security_hub_score Pass/fail ratio per standard

Example Claude prompts

"Run a full PCI-DSS compliance scan in us-east-1 and tell me what's failing."

"What are my top 10 remediation priorities across all frameworks?"

"Give me step-by-step remediation for PCI.10.1"

"What's my Security Hub score and how many CRITICAL findings do I have?"

MCP Resources

URI Description
compliance://pcidss/controls Full PCI-DSS control catalog
compliance://cis/controls Full CIS control catalog
compliance://well-architected/pillars Well-Architected pillar checks

Running Tests

# All tests
make test

# With coverage
make coverage

# Lint
make lint

# Or directly
pytest tests/ -v

Tests use moto to mock all AWS API calls — no real AWS account needed.


Project Structure

aws-compliance-mcp/
├── src/aws_compliance_mcp/
│   ├── server.py              # FastMCP server + all tool/resource definitions
│   ├── aws_client.py          # Shared boto3 client with retry config
│   ├── tools/
│   │   ├── config_tools.py    # AWS Config API wrapper
│   │   ├── securityhub_tools.py  # Security Hub API wrapper
│   │   └── compliance_scanner.py # Framework scanning + reporting
│   └── rules/
│       ├── pcidss.py          # PCI-DSS v3.2.1 control mappings
│       ├── cis.py             # CIS Benchmark v1.4 control mappings
│       └── well_architected.py  # Well-Architected checks
├── tests/
│   ├── conftest.py
│   ├── test_config_tools.py
│   ├── test_securityhub_tools.py
│   └── test_compliance_scanner.py
├── pyproject.toml
├── Makefile
└── .env.example

Required IAM Permissions

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "config:DescribeComplianceByConfigRule",
        "config:GetComplianceSummaryByConfigRule",
        "config:GetComplianceDetailsByConfigRule",
        "config:DescribeComplianceByResource",
        "config:DescribeConfigRules",
        "securityhub:GetFindings",
        "securityhub:GetEnabledStandards",
        "securityhub:DescribeStandardsControls"
      ],
      "Resource": "*"
    }
  ]
}

CI/CD

GitHub Actions runs tests on Python 3.10 and 3.12 on every push. See .github/workflows/ci.yml.


License

MIT

from github.com/aditya0529/AWS-Compliance-MCP-Server

Install AWS Compliance Server in Claude Desktop, Claude Code & Cursor

Recommended · one command, every IDE
unyly install aws-compliance-mcp-server

Installs into Claude Desktop, Claude Code, Cursor & VS Code — handles npx, uvx and build-from-source repos for you.

First time? Get the CLI: curl -fsSL https://unyly.org/install | sh

Or configure manually

Run in your terminal:

claude mcp add aws-compliance-mcp-server -- uvx --from git+https://github.com/aditya0529/AWS-Compliance-MCP-Server aws-compliance-mcp

FAQ

Is AWS Compliance Server MCP free?

Yes, AWS Compliance Server MCP is free — one-click install via Unyly at no cost.

Does AWS Compliance Server need an API key?

No, AWS Compliance Server runs without API keys or environment variables.

Is AWS Compliance Server hosted or self-hosted?

A hosted option is available: Unyly runs the server in the cloud, no local setup required.

How do I install AWS Compliance Server in Claude Desktop, Claude Code or Cursor?

Open AWS Compliance Server on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.

Related MCPs

Compare AWS Compliance Server with

Not sure what to pick?

Find your stack in 60 seconds

Author?

Embed badge for your README

Browse similar

All development MCPs