
MCP Tools Reference – 16 AWS Security Tools for AI Clients

These tools are automatically available in Claude Desktop once connected. Claude decides which tool to call based on your question — you never invoke them directly. Just ask naturally.


Returns security findings from your most recent scan. Supports filtering by severity, AWS service, keyword, and date range.

Example prompts

  • “What are my critical findings?”
  • “Show me all IAM issues”
  • “Any S3 misconfigurations from this week?”
  • “List high and critical findings in us-east-1”

Returns the full detail on a specific finding — description, risk explanation, remediation steps, CLI command, and Terraform snippet.

Example prompts

  • “Tell me more about that S3 finding”
  • “How do I fix the IAM finding you just mentioned?”
  • “Give me the Terraform for remediating that RDS issue”

Returns all findings for a specific AWS resource by exact name or ARN. More precise than keyword search when you know the resource.

Example prompts

  • “What’s wrong with arn:aws:s3:::my-bucket?”
  • “Show me all issues with the deploy-bot-prod role”
  • “Any findings on my prod RDS instance?”

Searches across resource names, check titles, and descriptions by keyword. Use when you want to explore rather than target a specific resource.

Example prompts

  • “Find anything related to my-prod-bucket”
  • “Search for anything mentioning encryption”
  • “Any findings about public access?”

Returns an executive summary of your AWS security posture: overall risk level, finding counts by severity, top 3 critical issues, and trend vs your previous scan.

Example prompts

  • “What’s my security posture?”
  • “How bad is it?”
  • “Give me a board-level summary”
  • “Am I better or worse than last week?”

Returns your highest-impact active findings ranked by a combined score that factors in severity, environment (production vs staging), and data sensitivity (PII, financial). The first result is always your top priority.

This is the best tool to use when you want a focused, actionable list rather than a full finding dump.

Example prompts

  • “What should I fix first?”
  • “What are my most critical risks right now?”
  • “Where should I focus remediation this sprint?”
  • “Give me the top 5 things I need to fix”

Returns failing findings grouped by SOC2 trust service criteria (CC6.1, CC7.2, etc.) with pass/fail counts per criterion.

Example prompts

  • “Am I ready for SOC2?”
  • “What do I need to fix for my audit?”
  • “Show me my SOC2 compliance gaps”
  • “Which CC controls are failing?”

Returns findings in recommended fix order with estimated effort and remediation code (CLI + Terraform) for each step.

Example prompts

  • “Where should I start?”
  • “Give me a fix plan”
  • “What should I prioritise this sprint?”
  • “Create a remediation roadmap for our critical issues”

Returns your current security posture score, trend direction, and a breakdown by severity. See Posture Score for a full explanation of what the score means and what drives it.

Example prompts

  • “What’s my posture score?”
  • “How is my security trending?”
  • “Give me a security health check”

Returns your posture score history over a time window (default 30 days, up to 90). Useful for showing improvement over time or spotting regressions.

Example prompts

  • “Is my security getting better over time?”
  • “Show me my score for the last 3 months”
  • “How has my posture trended since we started remediating?”

Returns findings filtered by their current lifecycle state. Use this to understand what changed since your last scan rather than looking at everything at once.

See Finding Lifecycle for a full explanation of each state.

| State | What it means |
|---|---|
| active | Present in the latest scan, unchanged |
| regressed | Severity increased since the previous scan |
| resolved | Was present before, now gone |
| accepted | Your team accepted the risk |

Example prompts

  • “What’s new since my last scan?”
  • “What got worse?”
  • “What did we fix this week?”
  • “Show me any regressions”
  • “Which findings are currently accepted?”

Starts a new AWS security scan on your connected account. Scans take 2–5 minutes to complete.

Example prompts

  • “Run a new scan”
  • “Check my account for new issues”
  • “Scan my production account”

Returns the status of your most recent scan — queued, running, complete, or failed — plus finding counts by severity once complete.

Example prompts

  • “Is my scan done?”
  • “What’s the status of the scan I just triggered?”
  • “How many findings did the last scan find?”

Lists your connected AWS accounts with alias, account ID, status, and last scan date.

Example prompts

  • “Which AWS accounts are connected?”
  • “What environments am I monitoring?”
  • “When was my production account last scanned?”

Formally accepts the risk on a specific finding — recording a business reason and optionally setting an expiry date after which the acceptance is automatically revoked.

See Risk Acceptance for when and how to use this.

Example prompts

  • “Accept the risk on that S3 finding — we’re decommissioning that bucket next quarter”
  • “Mark that IAM finding as accepted, expires in 90 days”
  • “We’ve decided to accept that VPC finding for now, reason: network team reviewed and approved”
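
The lifecycle states listed earlier and the expiring acceptances described here can be modelled as a comparison of two consecutive scans. The Python below is an added example, not the product's own code: the `classify` and `by_state` functions, the finding IDs, the severity scale, treating findings new in the latest scan as `active`, and an acceptance holding through its expiry date are all assumptions.

```python
from datetime import date

# Severity ordering used to detect a regression (assumed scale).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def classify(previous, latest, acceptances, today):
    """Map each finding ID to a lifecycle state.

    previous, latest: {finding_id: severity} from two consecutive scans.
    acceptances: {finding_id: expiry date, or None for no expiry}.
    """
    states = {}
    for fid, severity in latest.items():
        if fid in acceptances:
            expiry = acceptances[fid]
            # Assumption: the acceptance holds through its expiry date,
            # then lapses and the finding is classified normally again.
            if expiry is None or today <= expiry:
                states[fid] = "accepted"
                continue
        before = previous.get(fid)
        if before and SEVERITY_RANK[severity] > SEVERITY_RANK[before]:
            states[fid] = "regressed"
        else:
            # Assumption: findings new in this scan are reported as active.
            states[fid] = "active"
    for fid in previous:
        if fid not in latest:
            states[fid] = "resolved"
    return states


def by_state(states, wanted):
    """Return the sorted finding IDs currently in the given state."""
    return sorted(fid for fid, state in states.items() if state == wanted)


# Constructed sample data: hypothetical finding IDs and severities.
PREVIOUS = {"s3-public:my-bucket": "high", "iam-admin:deploy-bot-prod": "medium",
            "rds-unencrypted:prod-db": "high", "vpc-open-sg:sg-example": "medium"}
LATEST = {"s3-public:my-bucket": "high", "iam-admin:deploy-bot-prod": "critical",
          "vpc-open-sg:sg-example": "medium", "s3-logging:old-bucket": "low"}
ACCEPTED = {"vpc-open-sg:sg-example": date(2025, 6, 30),
            "s3-public:my-bucket": date(2025, 1, 31)}  # second one has lapsed

STATES = classify(PREVIOUS, LATEST, ACCEPTED, today=date(2025, 3, 1))
```

In this constructed data the lapsed acceptance on `s3-public:my-bucket` returns the finding to `active`, which is the case to watch for when an expiry date passes without the underlying issue being fixed.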

Lists all active risk acceptances for your organisation — who accepted each, when, the reason given, and expiry date if set.

Example prompts

  • “What risks have we accepted?”
  • “Show me our risk register”
  • “Which findings are currently waived?”
  • “Are any risk acceptances expiring soon?”