MCP Tools Reference – 16 AWS Security Tools for AI Clients
These tools are automatically available in Claude Desktop once connected. Claude decides which tool to call based on your question — you never invoke them directly. Just ask naturally.
Finding discovery
get_findings
Returns security findings from your most recent scan. Supports filtering by severity, AWS service, keyword, and date range.
Example prompts
- “What are my critical findings?”
- “Show me all IAM issues”
- “Any S3 misconfigurations from this week?”
- “List high and critical findings in us-east-1”
get_finding_detail
Returns the full detail on a specific finding — description, risk explanation, remediation steps, CLI command, and Terraform snippet.
Example prompts
- “Tell me more about that S3 finding”
- “How do I fix the IAM finding you just mentioned?”
- “Give me the Terraform for remediating that RDS issue”
get_findings_by_resource
Returns all findings for a specific AWS resource by exact name or ARN. More precise than keyword search when you know the resource.
Example prompts
- “What’s wrong with arn:aws:s3:::my-bucket?”
- “Show me all issues with the deploy-bot-prod role”
- “Any findings on my prod RDS instance?”
search_findings
Searches across resource names, check titles, and descriptions by keyword. Use when you want to explore rather than target a specific resource.
Example prompts
- “Find anything related to my-prod-bucket”
- “Search for anything mentioning encryption”
- “Any findings about public access?”
Risk intelligence
get_risk_summary
Returns an executive summary of your AWS security posture: overall risk level, finding counts by severity, top 3 critical issues, and trend vs your previous scan.
Example prompts
- “What’s my security posture?”
- “How bad is it?”
- “Give me a board-level summary”
- “Am I better or worse than last week?”
get_top_risks_by_impact
Returns your highest-impact active findings ranked by a combined score that factors in severity, environment (production vs staging), and data sensitivity (PII, financial). The first result is always your top priority.
This is the best tool to use when you want a focused, actionable list rather than a full finding dump.
Example prompts
- “What should I fix first?”
- “What are my most critical risks right now?”
- “Where should I focus remediation this sprint?”
- “Give me the top 5 things I need to fix”
get_soc2_gaps
Returns failing findings grouped by SOC2 trust service criteria (CC6.1, CC7.2, etc.) with pass/fail counts per criterion.
Example prompts
- “Am I ready for SOC2?”
- “What do I need to fix for my audit?”
- “Show me my SOC2 compliance gaps”
- “Which CC controls are failing?”
get_remediation_plan
Returns findings in recommended fix order with estimated effort and remediation code (CLI + Terraform) for each step.
Example prompts
- “Where should I start?”
- “Give me a fix plan”
- “What should I prioritise this sprint?”
- “Create a remediation roadmap for our critical issues”
Posture & trends
get_posture_score
Returns your current security posture score, trend direction, and a breakdown by severity. See Posture Score for a full explanation of what the score means and what drives it.
Example prompts
- “What’s my posture score?”
- “How is my security trending?”
- “Give me a security health check”
get_posture_trend
Returns your posture score history over a time window (default 30 days, up to 90). Useful for showing improvement over time or spotting regressions.
Example prompts
- “Is my security getting better over time?”
- “Show me my score for the last 3 months”
- “How has my posture trended since we started remediating?”
Finding lifecycle
get_finding_lifecycle
Returns findings filtered by their current lifecycle state. Use this to understand what changed since your last scan rather than looking at everything at once.
See Finding Lifecycle for a full explanation of each state.
| State | What it means |
|---|---|
| active | Present in the latest scan, unchanged |
| regressed | Severity increased since the previous scan |
| resolved | Was present before, now gone |
| accepted | Your team accepted the risk |
Example prompts
- “What’s new since my last scan?”
- “What got worse?”
- “What did we fix this week?”
- “Show me any regressions”
- “Which findings are currently accepted?”
Scanning
trigger_scan
Starts a new AWS security scan on your connected account. Scans take 2–5 minutes to complete.
Example prompts
- “Run a new scan”
- “Check my account for new issues”
- “Scan my production account”
get_scan_status
Returns the status of your most recent scan — queued, running, complete, or failed — plus finding counts by severity once complete.
Example prompts
- “Is my scan done?”
- “What’s the status of the scan I just triggered?”
- “How many findings did the last scan find?”
get_connections
Lists your connected AWS accounts with alias, account ID, status, and last scan date.
Example prompts
- “Which AWS accounts are connected?”
- “What environments am I monitoring?”
- “When was my production account last scanned?”
Risk acceptance
accept_risk
Formally accepts the risk on a specific finding — recording a business reason and optionally setting an expiry date after which the acceptance is automatically revoked.
See Risk Acceptance for when and how to use this.
Example prompts
- “Accept the risk on that S3 finding — we’re decommissioning that bucket next quarter”
- “Mark that IAM finding as accepted, expires in 90 days”
- “We’ve decided to accept that VPC finding for now, reason: network team reviewed and approved”
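The lifecycle states listed under get_finding_lifecycle and the expiry rule described for accept_risk, worked through as an added example that is not the product's own code. The finding IDs, field names and severity ranking are constructed, and two behaviours the page does not specify are assumptions: a live acceptance takes precedence over other states, and a finding first seen in the latest scan counts as active.

```python
from datetime import date

# Severity order used to detect a regression (assumed ranking, not from the product).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def acceptance_is_live(acceptance, today):
    """No expiry means the acceptance stays live; otherwise it lapses after the expiry date."""
    expires = acceptance.get("expires")
    return expires is None or today <= expires

def classify(previous, latest, acceptances, today):
    """Map each finding id to a lifecycle state by comparing two scans.

    previous / latest: {finding_id: severity}
    acceptances: {finding_id: {"reason": str, "expires": date or None}}
    """
    states = {}
    for fid in previous:
        if fid not in latest:
            states[fid] = "resolved"      # was present before, now gone
    for fid, sev in latest.items():
        acc = acceptances.get(fid)
        if acc and acceptance_is_live(acc, today):
            states[fid] = "accepted"      # assumption: a live acceptance takes precedence
        elif fid in previous and SEVERITY_RANK[sev] > SEVERITY_RANK[previous[fid]]:
            states[fid] = "regressed"     # severity increased since the previous scan
        else:
            states[fid] = "active"        # assumption: also covers first-seen findings
    return states

# Constructed sample scans and acceptances (hypothetical finding ids).
PREVIOUS = {"s3-public-read": "high", "iam-wildcard": "medium",
            "rds-no-encrypt": "high", "vpc-open-ssh": "medium"}
LATEST = {"s3-public-read": "high", "iam-wildcard": "critical",
          "vpc-open-ssh": "medium", "sg-open-rdp": "high"}
ACCEPTANCES = {
    "s3-public-read": {"reason": "bucket decommissioned next quarter",
                       "expires": date(2025, 6, 30)},
    "vpc-open-ssh": {"reason": "network team reviewed and approved", "expires": None},
}

if __name__ == "__main__":
    # Same scans, evaluated before and after the S3 acceptance expires.
    for day in (date(2025, 6, 1), date(2025, 7, 1)):
        print(day, classify(PREVIOUS, LATEST, ACCEPTANCES, day))
```

Once the expiry date passes, the S3 finding returns to the active set without any new scan, which is why acceptances with an expiry are worth reviewing before they lapse.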
list_acceptances
Lists all active risk acceptances for your organisation — who accepted each, when, the reason given, and expiry date if set.
Example prompts
- “What risks have we accepted?”
- “Show me our risk register”
- “Which findings are currently waived?”
- “Are any risk acceptances expiring soon?”