Compliance-Manager-MCP-Server by vb30 - MCP Server

Google Cloud Compliance Manager MCP Server

This is an MCP (Model Context Protocol) server for interacting with Google Cloud Compliance Manager, part of Security Command Center Enterprise.

Overview

The Compliance Manager MCP Server enables AI assistants like Claude to interact with Google Cloud's Compliance Manager service. It provides tools to:

Discover compliance frameworks (CIS, NIST, FedRAMP, etc.)
Inspect cloud controls and their configurations
Deploy compliance frameworks to organizations, folders, and projects
Monitor framework and cloud control deployments
Manage compliance posture across your Google Cloud infrastructure

This server is built using the Model Context Protocol, allowing seamless integration with MCP-compatible AI assistants.

Features

Available Tools

list_frameworks(organization_id, location="global", page_size=50)
- Description: Lists all compliance frameworks available in an organization. Frameworks can be built-in (e.g., CIS, NIST, FedRAMP) or custom-defined.
- Parameters:
  - organization_id (required): The Google Cloud organization ID (e.g., '123456789012').
  - location (optional): The location for the frameworks. Defaults to 'global'.
  - page_size (optional): Maximum number of frameworks to return. Defaults to 50.
get_framework(organization_id, framework_id, location="global")
- Description: Gets detailed information about a specific compliance framework, including its cloud controls and regulatory control mappings.
- Parameters:
  - organization_id (required): The Google Cloud organization ID.
  - framework_id (required): The ID of the framework to retrieve.
  - location (optional): The location for the framework. Defaults to 'global'.
list_cloud_controls(organization_id, location="global", page_size=50)
- Description: Lists all cloud controls available in an organization. Cloud controls are technical items that help meet compliance requirements.
- Parameters:
  - organization_id (required): The Google Cloud organization ID.
  - location (optional): The location for the cloud controls. Defaults to 'global'.
  - page_size (optional): Maximum number of cloud controls to return. Defaults to 50.
get_cloud_control(organization_id, cloud_control_id, location="global")
- Description: Gets detailed information about a specific cloud control, including its rules, parameters, and enforcement mode.
- Parameters:
  - organization_id (required): The Google Cloud organization ID.
  - cloud_control_id (required): The ID of the cloud control to retrieve.
  - location (optional): The location for the cloud control. Defaults to 'global'.
list_framework_deployments(parent, location="global", page_size=50)
- Description: Lists all framework deployments for a given parent resource (organization, folder, or project).
- Parameters:
  - parent (required): The parent resource in format 'organizations/{org_id}', 'folders/{folder_id}', or 'projects/{project_id}'.
  - location (optional): The location for the deployments. Defaults to 'global'.
  - page_size (optional): Maximum number of deployments to return. Defaults to 50.
get_framework_deployment(parent, framework_deployment_id, location="global")
- Description: Gets detailed information about a specific framework deployment, including its state and configuration.
- Parameters:
  - parent (required): The parent resource in format 'organizations/{org_id}', 'folders/{folder_id}', or 'projects/{project_id}'.
  - framework_deployment_id (required): The ID of the framework deployment to retrieve.
  - location (optional): The location for the deployment. Defaults to 'global'.
create_framework_deployment(parent, framework_deployment_id, framework_name, location="global", target_resource=None)
- Description: Creates a new framework deployment on a target resource. This applies a compliance framework to an organization, folder, or project.
- Parameters:
  - parent (required): The parent resource in format 'organizations/{org_id}', 'folders/{folder_id}', or 'projects/{project_id}'.
  - framework_deployment_id (required): The ID for the new framework deployment.
  - framework_name (required): The full name of the framework to deploy (e.g., 'organizations/{org_id}/locations/global/frameworks/{framework_id}').
  - location (optional): The location for the deployment. Defaults to 'global'.
  - target_resource (optional): The target resource name. If not provided, uses the parent resource.
delete_framework_deployment(parent, framework_deployment_id, location="global")
- Description: Deletes a framework deployment. This removes the compliance framework from the target resource.
- Parameters:
  - parent (required): The parent resource in format 'organizations/{org_id}', 'folders/{folder_id}', or 'projects/{project_id}'.
  - framework_deployment_id (required): The ID of the framework deployment to delete.
  - location (optional): The location for the deployment. Defaults to 'global'.
list_cloud_control_deployments(parent, location="global", page_size=50)
- Description: Lists all cloud control deployments for a given parent resource.
- Parameters:
  - parent (required): The parent resource in format 'organizations/{org_id}', 'folders/{folder_id}', or 'projects/{project_id}'.
  - location (optional): The location for the deployments. Defaults to 'global'.
  - page_size (optional): Maximum number of deployments to return. Defaults to 50.
get_cloud_control_deployment(parent, cloud_control_deployment_id, location="global")
- Description: Gets detailed information about a specific cloud control deployment, including its enforcement mode and state.
- Parameters:
  - parent (required): The parent resource in format 'organizations/{org_id}', 'folders/{folder_id}', or 'projects/{project_id}'.
  - cloud_control_deployment_id (required): The ID of the cloud control deployment to retrieve.
  - location (optional): The location for the deployment. Defaults to 'global'.

Configuration

MCP Server Configuration

Add the following configuration to your MCP client's settings file:

NOTE: For OSX users, if you used this one-liner to install uv, use the full path to the uv binary for the "command" value below, as uv will not be placed in the system path for Claude to use! For example: /Users/yourusername/.local/bin/uv instead of just uv.

{
  "mcpServers": {
    "compliance-manager-mcp": {
      "command": "uv",
      "args": [
        "--env-file=/path/to/your/env",
        "--directory",
        "/path/to/the/repo",
        "run",
        "compliance_manager_mcp.py"
      ],
      "env": {},
      "disabled": false,
      "autoApprove": []
    }
  }
}

Authentication

The server uses Google Cloud's authentication mechanisms. Ensure you have one of the following configured in the environment where the server runs:

Application Default Credentials (ADC) set up (e.g., via gcloud auth application-default login).
The GOOGLE_APPLICATION_CREDENTIALS environment variable pointing to a valid service account key file.

Required IAM Permissions

Appropriate IAM permissions are required on the target Google Cloud organization(s):

Compliance Manager: roles/securitycenter.complianceManager or roles/securitycenter.adminEditor
For read-only operations: roles/securitycenter.adminViewer

License

Apache 2.0

Quick Start

See for detailed installation and setup instructions.

Installation

# Install uv package manager
curl -LsSf https://astral.sh/uv/install.sh | sh

# Clone the repository
git clone https://github.com/yourusername/compliance-manager-mcp-server.git
cd compliance-manager-mcp-server

# Install dependencies
uv pip install -e .

# Set up authentication
gcloud auth application-default login

Running the Server

uv run compliance_manager_mcp.py

Documentation

- Get started in minutes
- Detailed examples and use cases
- How to contribute to the project

Project Structure

compliance-manager-mcp-server/
├── compliance_manager_mcp.py    # Main MCP server implementation
├── pyproject.toml               # Project dependencies and metadata
├── setup.py                     # Setup configuration
├── README.md                    # This file
├── QUICKSTART.md                # Quick start guide
├── USAGE.md                     # Detailed usage examples
├── CONTRIBUTING.md              # Contributing guidelines
├── LICENSE                      # Apache 2.0 license
├── .env.example                 # Example environment configuration
├── .gitignore                   # Git ignore rules
├── mcp_settings.json.example    # Example MCP client configuration
└── test_import.py               # Import test script

About Compliance Manager

Compliance Manager in Google Cloud helps ensure that your Google Cloud infrastructure, workloads, and data meet security and regulatory requirements. It allows you to:

Define and deploy compliant and secure configurations
View dashboards showing alignment with compliance requirements
Audit cloud environments and generate assessment reports
Use software-defined controls for multiple compliance programs

For more information, see the Compliance Manager documentation.

Support

Issues: Report bugs or request features via GitHub Issues
Documentation: See the docs
Community: Join discussions in the repository

Acknowledgments

This project is inspired by the Google MCP Security repository and follows similar patterns for MCP server implementation.