kebabmane/guardduty-mcp
3.2
If you are the rightful owner of guardduty-mcp and would like to certify it and/or have it hosted online, please leave a comment on the right or send an email to henry@mcphub.com.
The GuardDuty MCP Server is a specialized server designed for integrating AWS GuardDuty with AI assistants, providing secure and efficient access to GuardDuty APIs for enhanced threat detection and security monitoring.
Tools
get_findings
Retrieve and filter GuardDuty findings.
get_malware_scans
Check malware scan results.
start_malware_scan
Initiate malware scan on resources.
get_detector_status
Get GuardDuty detector configuration.
generate_threat_report
Create comprehensive security reports.
list_detectors
List all GuardDuty detectors in the current region.
GuardDuty MCP Server
An MCP (Model Context Protocol) server for AWS GuardDuty integration, providing secure access to GuardDuty APIs for threat detection and security monitoring.
Features
- Real-time Threat Analysis: Monitor and analyze GuardDuty findings with intelligent filtering
- Malware Detection: Automated malware scanning for EC2 instances and S3 buckets
- Threat Intelligence Reports: Generate comprehensive security reports and summaries
- MCP Integration: Standard Model Context Protocol interface for AI assistants
- Secure API Access: Controlled access to GuardDuty APIs through MCP tools
Architecture
βββββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββββ
β MCP Client βββββΊβ GuardDuty MCP βββββΊβ AWS GuardDuty β
β (AI Assistant) β β Server β β API (boto3) β
β β β β β β
β - Tool Calls β β - Tool Registry β β - Findings β
β - Responses β β - Request Router β β - Malware Scans β
β - Analysis β β - Response Formatβ β - Detectors β
βββββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββββ
Quick Start
Prerequisites
- Python 3.9+
- AWS account with GuardDuty enabled
- AWS credentials configured (IAM role, profile, or access keys)
- pip or poetry for package management
Installation
git clone <repository>
cd guardduty-agent
pip install -e .
Or with poetry:
poetry install
Configuration
- Copy environment template:
cp .env.example .env
- Configure your environment variables:
# AWS Configuration (choose one method)
AWS_REGION=us-east-1
AWS_PROFILE=default
# OR use access keys
# AWS_ACCESS_KEY_ID=your_access_key
# AWS_SECRET_ACCESS_KEY=your_secret_key
# GuardDuty Configuration
GUARDDUTY_DETECTOR_ID=your_detector_id
Usage
Run MCP Server
guardduty-agent server
Start the MCP server for GuardDuty integration.
List Detectors
guardduty-agent list-detectors
List all available GuardDuty detectors in your region.
Available MCP Tools
The MCP server provides the following tools for GuardDuty operations:
get_findings
Retrieve and filter GuardDuty findings
{
"detector_id": "string",
"finding_criteria": {
"severity": ["HIGH", "MEDIUM", "LOW"],
"type": ["ThreatType"],
"updated_at": {"gte": timestamp, "lte": timestamp}
},
"max_results": 50
}
get_malware_scans
Check malware scan results
{
"detector_id": "string",
"scan_id": "optional_scan_id",
"max_results": 50
}
start_malware_scan
Initiate malware scan on resources
{
"detector_id": "string",
"resource_arn": "arn:aws:ec2:region:account:instance/i-1234567890abcdef0"
}
get_detector_status
Get GuardDuty detector configuration
{
"detector_id": "string"
}
generate_threat_report
Create comprehensive security reports
{
"detector_id": "string",
"time_range": {
"start": "2024-01-01T00:00:00Z",
"end": "2024-01-07T23:59:59Z"
},
"format": "summary" | "json"
}
list_detectors
List all GuardDuty detectors in the current region
{}
MCP Server Capabilities
Security Data Access
- Findings Retrieval: Access GuardDuty findings with flexible filtering
- Malware Scanning: Retrieve and initiate malware scans
- Detector Management: Query detector status and configuration
- Threat Reporting: Generate comprehensive threat intelligence reports
Integration Features
- Standard MCP Protocol: Compatible with any MCP-enabled AI assistant
- Secure Access: Controlled API access through well-defined tools
- Flexible Filtering: Advanced query capabilities for targeted data retrieval
- JSON Responses: Structured data format for easy processing
Development
Setting Up Development Environment
# Clone the repository
git clone <repository>
cd guardduty-agent
# Install with development dependencies
pip install -e ".[dev]"
# Or with poetry
poetry install --with dev
Running Tests
# Run all tests
pytest
# Run with coverage
pytest --cov=guardduty_agent
# Run specific test file
pytest tests/test_guardduty_client.py
Code Quality
# Format code
black guardduty_agent/ tests/
# Lint code
ruff check guardduty_agent/ tests/
# Type checking
mypy guardduty_agent/
Project Structure
guardduty-agent/
βββ guardduty_agent/
β βββ __init__.py
β βββ mcp_server.py # MCP server implementation
β βββ guardduty_client.py # AWS GuardDuty client (boto3)
β βββ config.py # Configuration management
β βββ cli.py # Command-line interface
βββ tests/
β βββ __init__.py
β βββ test_guardduty_client.py
β βββ test_config.py
βββ pyproject.toml # Project configuration
βββ .env.example # Environment template
βββ README.md
Security Considerations
IAM Permissions
The agent requires the following AWS IAM permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"guardduty:GetFindings",
"guardduty:ListFindings",
"guardduty:GetDetector",
"guardduty:ListDetectors",
"guardduty:DescribeMalwareScans",
"guardduty:StartMalwareScan"
],
"Resource": "*"
}
]
}
Best Practices
- IAM Roles: Use IAM roles instead of access keys when possible
- Least Privilege: Grant only the minimum required permissions
- Environment Variables: Store sensitive configuration in environment variables
- Audit Logging: Enable audit logging for compliance requirements
- Encryption: All API communications are encrypted in transit
Integration Examples
MCP Server Usage
import asyncio
from guardduty_agent.mcp_server import GuardDutyMCPServer
async def main():
# Start MCP server
server = GuardDutyMCPServer()
await server.run_server()
asyncio.run(main())
Custom Tool Integration
from guardduty_agent.guardduty_client import GuardDutyClient
async def custom_security_check():
client = GuardDutyClient("us-east-1")
# Get high-severity findings
findings = await client.get_findings(
detector_id="detector-123",
finding_criteria={"severity": ["HIGH"]},
max_results=10
)
return findings
Configuration Reference
Environment Variables
| Variable | Default | Description |
|---|---|---|
AWS_REGION | us-east-1 | AWS region |
AWS_PROFILE | - | AWS profile name |
AWS_ACCESS_KEY_ID | - | AWS access key ID |
AWS_SECRET_ACCESS_KEY | - | AWS secret access key |
GUARDDUTY_DETECTOR_ID | - | GuardDuty detector ID |
GUARDDUTY_MAX_RESULTS | 50 | Default max results |
LOG_LEVEL | INFO | Logging level |
Troubleshooting
Common Issues
-
AWS Credentials Not Found
- Ensure AWS credentials are configured
- Check IAM permissions
- Verify region settings
-
GuardDuty Detector Not Found
- Confirm detector ID is correct
- Check if GuardDuty is enabled in the region
- Verify IAM permissions for GuardDuty
-
MCP Connection Issues
- Ensure MCP client is properly configured
- Check server process is running
- Verify tool permissions
Getting Help
For issues and support:
- Check the GitHub Issues
- Review AWS GuardDuty documentation
- Consult MCP documentation
Contributing
- Fork the repository
- Create a feature branch
- Add tests for new functionality
- Ensure all tests pass and code is formatted
- Submit a pull request
License
MIT License - see LICENSE file for details