cd /news/ai-agents/mcp-for-aws-security-engineers-build… · home topics ai-agents article
[ARTICLE · art-61828] src=dev.to ↗ pub= topic=ai-agents verified=true sentiment=· neutral

MCP for AWS Security Engineers: Build a Read-Only Security Hub Triage Agent

AWS has introduced a managed Model Context Protocol (MCP) path for security engineers to build read-only Security Hub triage agents. The approach uses AWS Agent Toolkit and managed MCP Server to connect AI coding agents to AWS documentation and APIs while enforcing security boundaries through IAM, SCPs, and tool approval. The architecture separates the AI model from the control layer, ensuring that IAM policies—not the model—determine what actions are permitted.

read22 min views1 publishedJul 16, 2026

For AWS-heavy security work, I would start with AWS Agent Toolkit for AWS and the managed AWS MCP Server, not a custom MCP server.

The reason is practical. AWS now provides a managed MCP path that can connect AI coding agents to AWS documentation, AWS APIs, AWS skills, and existing IAM credentials. The Agent Toolkit also provides plugin-based setup for supported agents such as Claude Code and Codex.

For security teams, that is the right starting point because the enforcement point remains AWS IAM, not the model.

The initial operating model should be strict:

That is the same posture I would use for a governed Claude Code or Codex rollout: named identities, SSO, scoped credentials, default deny, tool approval, audit logs, and security evidence tied back to tickets, pull requests, CI logs, and cloud findings.

This article walks through a practical security workflow:

A read-only Security Hub triage assistant that helps a junior security engineer produce a daily or weekly findings summary, remediation backlog, and evidence pack without allowing the agent to modify AWS.

The agent will be able to:

The agent will not be able to:

This is not a generic AI demo. This is a security-controlled workflow where MCP gives the agent access to context, while IAM, SCPs, tool approval, and human review define the real boundary.

MCP stands for Model Context Protocol.

In plain English, MCP is a standard way for an AI assistant to connect to external systems such as cloud platforms, source code repositories, ticketing systems, databases, monitoring tools, documentation, and security platforms.

A simple mental model:

LLM / Agent
   |
   | asks for context or tool execution
   v
MCP Client
   |
   | speaks MCP
   v
MCP Server
   |
   | exposes approved tools and data
   v
AWS / GitHub / Jira / Security Hub / Internal APIs

MCP is not the model.

MCP is not Claude.

MCP is not Codex.

MCP is the connector layer that lets an AI tool interact with approved external capabilities in a consistent way.

A practical comparison:

Component What it is Example
AI model The reasoning engine Claude, GPT, Nova, Qwen
Agent client The user-facing agent tool Claude Code, Codex, Cursor, Kiro
MCP server The tool and data connector AWS MCP Server, GitHub MCP Server
Tool An action exposed by the server
securityhub:GetFindings , documentation search
Resource Read-only context exposed by the server Documentation, metadata, finding details
IAM / policy The enforcement layer AWS role, SCP, permission boundary

The important security point is simple:

MCP gives the agent hands. IAM decides what those hands are allowed to touch.

An MCP server exposes capabilities to an AI agent.

Those capabilities usually fall into three areas:

MCP capability Meaning Security impact
Tools Callable functions or actions Can be read-only or mutating
Resources Context or data the model can read Usually safer, but can expose sensitive data
Prompts Reusable task templates Useful for standardized workflows

That matters because a junior engineer may think, “The model only answers questions.”

That assumption is no longer safe once tools are attached.

With MCP, the model may be able to:

That is why the first security decision is not:

Which model should we use?

The first security decision is:

What tool permissions will this agent have, and where are those permissions enforced?

For production security work, the model must never be treated as the control boundary.

The control boundary must be:

A useful operating model is:

Prompt -> Agent loop -> MCP tools -> External systems -> Evidence/output

The agent loop is the cycle where the model reasons, requests a tool, receives the result, reasons again, and continues until the task is complete.

The harness is everything around that loop: tool permissions, context management, project rules, logs, approval gates, hooks, and safety boundaries.

For security work, MCP sits inside the harness.

Claude Code / Codex
   |
   | project rules, approval mode, permissions
   v
MCP client
   |
   | approved tool calls only
   v
AWS MCP Server
   |
   | authenticated AWS API access
   v
AWS IAM role / permission set
   |
   | read-only Security Hub permissions
   v
AWS Security Hub

That distinction is important.

The model can recommend. The harness controls. IAM enforces.

Security work is context-heavy.

A security engineer rarely needs a generic answer. We need the assistant to understand:

Without MCP, the engineer manually copies and pastes data into the AI tool.

With MCP, the agent can retrieve approved read-only data directly and produce a consistent investigation output.

Useful security workflows include:

But MCP is not magic.

It does not replace security ownership, SOC judgment, IAM design, threat modeling, change control, CI/CD gates, incident commander decisions, or audit evidence review.

MCP should reduce manual collection and improve consistency. It should not become an ungoverned SOAR platform.

Recommendation: use official or vendor-supported MCP servers first. Build your own only when you have a specific internal workflow that existing servers cannot safely support.

For AWS security work, start with:

Use case Build your own MCP server? Recommended path
AWS documentation lookup No AWS Agent Toolkit / AWS MCP Server
Security Hub read-only triage No, initially AWS MCP Server with read-only IAM
GuardDuty / Inspector / Macie review No, initially AWS MCP Server with scoped read-only permissions
Jira ticket drafting Usually no Vendor MCP server or local draft output
GitHub repo analysis Usually no GitHub MCP or native repo context with repo-scoped permissions
Internal CMDB enrichment Maybe Internal read-only MCP server
Internal GRC evidence register Maybe Private MCP server or API wrapper
Automated remediation Not initially Keep outside MCP until governance is mature
Security Hub suppression/update No for junior workflow Human and SOC-approved process only

Use this priority order for MCP servers:

Be careful with random public MCP servers.

For a security team, an MCP server is not a harmless browser extension. It is a privileged integration point.

A malicious or poorly written MCP server can become:

Treat MCP servers like production integrations.

AWS Agent Toolkit provides plugins that bundle AWS MCP Server configuration and curated AWS skills for agent workflows.

For the workflow in this article, the relevant AWS MCP Server capabilities are:

Capability Use in this workflow Initial recommendation
Documentation search Explain Security Hub controls and AWS service behavior Allow
AWS API calls Read Security Hub, GuardDuty, Inspector, Config, and CloudTrail context Allow only through read-only IAM
Sandboxed script execution Run multi-step AWS checks Disable or require explicit approval at pilot stage
Presigned URL generation File transfer support Disable unless specifically needed
Long-running task polling Check status of API/script tasks Allow only if required

For a read-only security workflow, I would allow documentation tools and controlled AWS API calls. I would deny or require approval for script execution initially, especially for junior engineers.

Security Engineer
   |
   | asks question in Claude Code or Codex
   v
Claude Code / Codex
   |
   | MCP client
   v
AWS Agent Toolkit / AWS MCP Server
   |
   | authenticated request
   v
AWS IAM Identity Center profile: sec-mcp-readonly
   |
   | read-only permissions only
   v
AWS Security Hub
   |
   | Get / List / Describe / BatchGet only
   v
Local output files
   |
   | markdown summary, CSV backlog, JSON evidence
   v
Human review
   |
   | Jira / Slack / audit evidence

The key design choice is that the agent can read and reason, but it cannot change the environment.

This aligns with a production cloud security baseline: least privilege, centralized identity, MFA, guardrails, logging, evidence retention, and clear owner accountability.

Use IAM Identity Center if available.

Create a permission set:

Permission set name: SecMCPReadOnly
Session duration: 4 hours
Assigned group: SecurityEngineering-MCP-ReadOnly
Accounts: security tooling account and selected workload accounts
MFA: required through IdP / IAM Identity Center

Do not use:

Use a named human identity with SSO. The goal is that every MCP-driven AWS API call is attributable to a real engineer.

AWS provides managed read-only policies, but for this workflow I prefer a custom policy because the scope is explicit and easier to explain during audit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowIdentityCheck",
      "Effect": "Allow",
      "Action": [
        "sts:GetCallerIdentity"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowSecurityHubReadOnly",
      "Effect": "Allow",
      "Action": [
        "securityhub:Get*",
        "securityhub:List*",
        "securityhub:Describe*",
        "securityhub:BatchGet*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowReadOnlyInvestigationContext",
      "Effect": "Allow",
      "Action": [
        "cloudtrail:LookupEvents",
        "guardduty:GetFindings",
        "guardduty:ListFindings",
        "guardduty:ListDetectors",
        "inspector2:ListFindings",
        "access-analyzer:ListFindings",
        "access-analyzer:GetFinding",
        "organizations:DescribeOrganization",
        "organizations:ListAccounts",
        "config:SelectResourceConfig",
        "config:GetResourceConfigHistory"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyWriteActionsForMCPPilot",
      "Effect": "Deny",
      "Action": [
        "securityhub:BatchUpdateFindings",
        "securityhub:BatchImportFindings",
        "securityhub:Update*",
        "securityhub:Delete*",
        "securityhub:Disable*",
        "securityhub:Enable*",
        "securityhub:Create*",
        "securityhub:TagResource",
        "securityhub:UntagResource",
        "iam:*",
        "s3:Put*",
        "s3:Delete*",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress",
        "kms:Put*",
        "kms:ScheduleKeyDeletion",
        "config:Put*",
        "config:Delete*",
        "guardduty:Update*",
        "guardduty:Delete*",
        "inspector2:Update*",
        "inspector2:BatchUpdate*"
      ],
      "Resource": "*"
    }
  ]
}

The explicit deny is not there because the allow statement grants those actions. It does not.

The explicit deny is there because real environments are messy.

A user may later inherit another permission set, a group policy, or a temporary role that adds write access. Explicit deny reduces the chance that the MCP workflow accidentally gains mutation capability through permission creep.

For production accounts, pair this with an SCP or permission boundary where possible.

For production accounts, I would add an organization-level safety net.

Example SCP concept:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PreventMCPReadOnlyRoleFromMutatingSecurityHub",
      "Effect": "Deny",
      "Action": [
        "securityhub:BatchUpdateFindings",
        "securityhub:Update*",
        "securityhub:Delete*",
        "securityhub:Disable*",
        "securityhub:Enable*",
        "securityhub:Create*"
      ],
      "Resource": "*",
      "Condition": {
        "ArnLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_SecMCPReadOnly_*"
          ]
        }
      }
    }
  ]
}

Test this carefully in a non-production account before applying it broadly.

The SCP should not block the SOC, security tooling account, CI/CD remediation roles, or incident response break-glass roles.

The objective is narrow:

This MCP read-only role must never mutate Security Hub findings or configuration.

Install or update the AWS CLI, then configure SSO:

aws configure sso --profile sec-mcp-readonly

Validate the identity:

aws sts get-caller-identity --profile sec-mcp-readonly

Expected output:

{
  "UserId": "AROAXXXXX:security.engineer@example.com",
  "Account": "123456789012",
  "Arn": "arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_SecMCPReadOnly_xxxxx/security.engineer@example.com"
}

Then test Security Hub read access:

aws securityhub get-findings \
  --profile sec-mcp-readonly \
  --region us-east-1 \
  --max-results 5

Now test that write access fails:

aws securityhub batch-update-findings \
  --profile sec-mcp-readonly \
  --region us-east-1 \
  --finding-identifiers '[{"Id":"test","ProductArn":"arn:aws:securityhub:us-east-1::product/aws/securityhub"}]' \
  --workflow '{"Status":"SUPPRESSED"}'

Expected result:

AccessDeniedException

Keep that negative-control result as rollout evidence.

In Claude Code, install the AWS plugin:

/plugin install aws-core@claude-plugins-official
/reload-plugins

Then validate that the AWS MCP server is visible:

/mcp

For the pilot, I would configure Claude Code so AWS API calls require approval and script execution is denied or requires explicit human approval.

The point is not to slow engineers down. The point is to prevent the first rollout from quietly becoming an unapproved automation channel.

For Codex, AWS documents plugin setup through the Codex plugin marketplace:

codex plugin marketplace add aws/agent-toolkit-for-aws

Then open Codex and use:

/plugins

Install the aws-core

plugin.

For the pilot, configure Codex so MCP tools are explicitly approved and write-capable tools are disabled or denied.

The exact approval configuration may vary by Codex version, so validate against the current Codex configuration reference before publishing your internal runbook.

If you cannot use the plugin flow, configure the AWS MCP Server directly through the MCP Proxy for AWS.

Example Claude Code configuration:

claude mcp add-json aws-mcp --scope user \
'{
  "command": "uvx",
  "args": [
    "mcp-proxy-for-aws",
    "https://aws-mcp.us-east-1.api.aws/mcp",
    "--metadata",
    "AWS_REGION=us-east-1"
  ],
  "env": {
    "AWS_PROFILE": "sec-mcp-readonly"
  }
}'

For Codex, place the MCP server configuration in your Codex config file.

Example concept:

[mcp_servers.aws-mcp]
command = "uvx"
args = [
  "mcp-proxy-for-aws",
  "https://aws-mcp.us-east-1.api.aws/mcp",
  "--metadata",
  "AWS_REGION=us-east-1"
]

[mcp_servers.aws-mcp.env]
AWS_PROFILE = "sec-mcp-readonly"

For multi-account security teams, configure an explicit profile allowlist. Do not let the agent discover or use every AWS profile on the workstation.

Example concept:

AWS_MCP_PROXY_PROFILES="sec-mcp-readonly prod-readonly security-readonly"

The default profile should be read-only.

The security posture should be tool-specific.

Recommended pilot posture:

Tool type Pilot setting Rationale
AWS documentation search Allow Low risk and high value
AWS read-only API call Ask / approve Lets the engineer verify account and region
AWS script execution Deny or ask Can create broad data access and complex behavior
Presigned URL generation Deny Not needed for Security Hub triage
File write to local project Allow to approved output folder Needed for evidence pack
Shell command execution Ask Can expose local files or environment variables
Git operations Ask Prevents accidental commits or pushes

A good project rule is:

This project is a read-only AWS Security Hub triage workflow.

The agent may:
- Read Security Hub, GuardDuty, Inspector, Config, CloudTrail, and AWS documentation using the sec-mcp-readonly profile.
- Write markdown, CSV, and JSON files only under ./output.
- Draft remediation recommendations.

The agent must not:
- Modify AWS resources.
- Suppress, archive, import, or update Security Hub findings.
- Read secrets, credentials, environment files, customer PII, or raw sensitive logs.
- Commit, push, merge, deploy, or approve changes.
- Run remediation automatically.
mkdir -p securityhub-mcp-triage/{prompts,filters,output,evidence}
cd securityhub-mcp-triage

Recommended structure:

securityhub-mcp-triage/
  prompts/
    securityhub-triage.md
  filters/
    securityhub-critical-high.json
  output/
  evidence/

Keep this folder separate from application repositories. It should not contain source code, credentials, .env

files, or customer data.

Create filters/securityhub-critical-high.json

:

{
  "WorkflowStatus": [
    {
      "Value": "NEW",
      "Comparison": "EQUALS"
    },
    {
      "Value": "NOTIFIED",
      "Comparison": "EQUALS"
    }
  ],
  "RecordState": [
    {
      "Value": "ACTIVE",
      "Comparison": "EQUALS"
    }
  ],
  "SeverityLabel": [
    {
      "Value": "CRITICAL",
      "Comparison": "EQUALS"
    },
    {
      "Value": "HIGH",
      "Comparison": "EQUALS"
    }
  ]
}

Optional CLI validation:

aws securityhub get-findings \
  --profile sec-mcp-readonly \
  --region us-east-1 \
  --filters file://filters/securityhub-critical-high.json \
  --max-results 25 \
  > evidence/securityhub-critical-high-sample.json

This gives the engineer a known-good baseline before asking the agent to reason over the findings.

Create prompts/securityhub-triage.md

:

You are supporting a read-only AWS Security Hub triage workflow.

Operating constraints:
- Use AWS profile: sec-mcp-readonly.
- Use region: us-east-1 unless findings indicate another region.
- Read only. Do not modify AWS resources.
- Do not suppress, archive, import, update, or resolve findings.
- Do not access secrets, credentials, customer PII, or raw sensitive incident logs.
- Do not run remediation.
- Do not commit, push, merge, deploy, or approve changes.
- Write outputs only under ./output.

Task:
1. Retrieve active CRITICAL and HIGH Security Hub findings using filters/securityhub-critical-high.json.
2. Group findings by:
   - AWS account
   - Region
   - Severity
   - Product/source
   - Resource type
   - Control ID or finding type
3. For each group, explain:
   - Why it matters
   - Failure mode
   - Likely owner
   - Recommended remediation
   - Evidence required
   - Whether it is immediate risk or backlog
4. Produce the following files:
   - output/securityhub-executive-summary.md
   - output/securityhub-technical-findings.md
   - output/securityhub-remediation-backlog.csv
   - output/securityhub-evidence-index.md
5. Include a final section called "Human review required" listing anything that must be confirmed manually.

Prioritization rules:
- Internet exposure in production is immediate.
- Privileged IAM or access analyzer findings are immediate.
- Critical exploitable vulnerabilities on internet-facing workloads are immediate.
- Missing encryption on sensitive data stores is high priority.
- Missing logging or monitoring is high priority, but may be backlog if compensating controls exist.
- Anything involving possible data exposure must be escalated to the SOC or incident commander.

This prompt does three important things:

That is what makes the workflow repeatable.

Open Claude Code in the project folder.

cd securityhub-mcp-triage
claude

Then run:

Use prompts/securityhub-triage.md and perform the Security Hub triage workflow.
Before using any AWS MCP tool, show me the planned tool call, account/profile, region, and purpose.

During tool approval, verify:

sec-mcp-readonly

.If the agent asks to use a write action, stop the run and fix the permissions or project rules.

In Codex:

cd securityhub-mcp-triage
codex

Prompt:

Use prompts/securityhub-triage.md and produce the required output files.
Use only the configured AWS MCP server and the sec-mcp-readonly profile.
Ask before each AWS API tool call.
Do not run write actions or remediation.

Same review logic applies:

The workflow should produce four local files.

output/securityhub-executive-summary.md

This file should be leadership-readable.

Example structure:


Date: 2026-07-16
AWS profile: sec-mcp-readonly
Region: us-east-1
Scope: Active CRITICAL/HIGH findings

## Summary

Total active CRITICAL/HIGH findings reviewed: 42

Immediate action required: 6
High priority remediation: 18
Backlog / owner validation: 18

## Key risk themes

1. Public exposure on internet-facing resources
2. Privileged IAM misconfiguration
3. Inspector critical vulnerabilities on production EC2
4. Missing encryption on data stores
5. Security logging gaps

## Immediate escalation

The following findings require same-day owner response...

output/securityhub-technical-findings.md

This file should be engineer-readable.

Example:

## Finding group: Public S3 bucket exposure

Priority: Immediate

Affected resources:
- arn:aws:s3:::example-prod-export-bucket

Why it matters:
A public S3 bucket in a production account creates direct data exposure risk.
If the bucket contains logs, exports, backups, or customer data, the issue may become a reportable incident.

Failure mode:
An attacker or external party can access exposed objects without authentication.
If bucket contents include credentials, logs, exports, or regulated data, this can lead to data breach, credential compromise, and compliance exposure.

Required remediation:
- Confirm business owner.
- Validate whether bucket is intentionally public.
- Enable S3 Block Public Access at account and bucket level unless explicitly approved.
- Review bucket policy and ACL.
- Review CloudTrail data events if enabled.
- Assess object sensitivity.
- Open incident if sensitive data was exposed.

Evidence required:
- Security Hub finding JSON.
- S3 bucket policy export.
- Public access block configuration.
- Object sensitivity confirmation from data owner.
- CloudTrail access review.

output/securityhub-remediation-backlog.csv

Example columns:

priority,severity,account,region,resource_type,resource_id,finding_title,recommended_owner,remediation_action,evidence_required,sla,notes
Immediate,CRITICAL,123456789012,us-east-1,S3,bucket-name,Public bucket exposure,Data Platform,Disable public access and validate exposure,Finding JSON; bucket policy; access review,Same day,Escalate if sensitive data exists

output/securityhub-evidence-index.md

Example:


## Evidence collected

- Security Hub finding export
- Finding group summary
- AWS account and region
- Resource identifiers
- Remediation backlog
- Negative-control test showing write actions fail

## Evidence not collected

- Raw customer logs
- Secrets
- PII
- Full object contents

Use a practical triage model.

Priority Criteria Response expectation
Immediate Active internet exposure, privileged IAM risk, possible data exposure, exploited vulnerability, production blast radius Same-day owner response and SOC visibility
High Security control failure on sensitive or production resources Remediation ticket with SLA
Medium Misconfiguration with limited exposure or compensating controls Backlog with owner and due date
Informational Hygiene issue, duplicate finding, non-production low impact Track, tune, or suppress through approved process

Priority is not only the Security Hub severity label.

Security Hub severity matters, but real prioritization should also consider:

That is where the agent can help, but the human still owns the decision.

Keep these artifacts:

Evidence Why it matters
IAM permission set export Shows least privilege scope
IAM policy JSON Shows allowed and denied actions
SCP or permission boundary export Shows preventive guardrail
AWS CLI identity check Proves named identity
Security Hub finding export Shows source evidence
Output files Shows triage result
Negative-control test Proves write actions fail
Tool approval log or session transcript Shows human oversight
Jira tickets Shows remediation ownership
Slack or incident notes Shows escalation path

Do not store:

A safe rollout must include a negative-control test.

Test one prohibited write action in a non-production or controlled environment:

aws securityhub batch-update-findings \
  --profile sec-mcp-readonly \
  --region us-east-1 \
  --finding-identifiers '[{"Id":"test","ProductArn":"arn:aws:securityhub:us-east-1::product/aws/securityhub"}]' \
  --workflow '{"Status":"SUPPRESSED"}'

Expected result:

AccessDeniedException

Keep the result as evidence.

If the command succeeds, the design is not approved.

Failure mode What can go wrong Required control
Agent gains write access Findings are suppressed or resources are modified IAM explicit deny, SCP, permission boundary
Prompt injection through finding text Agent follows malicious instructions embedded in external content Treat findings as untrusted data, use strict project rules
Excessive data retrieval Agent pulls sensitive logs or PII into local files Data minimization, deny secret/PII access, output path controls
Wrong AWS account Agent queries or reports the wrong account SSO profile naming, sts:GetCallerIdentity , account allowlist
Poor prioritization Critical exposure is treated as backlog Human review and explicit prioritization rules
No audit trail Outputs cannot be defended in audit Tool logs, CloudTrail, evidence index, ticket linkage
Auto-remediation drift AI makes changes outside change control No write access, CI/CD remains release authority
Public or untrusted MCP server Credentials or data are exposed Use official/vendor/internal MCP servers only

For a single engineer or small pilot, AWS Agent Toolkit plus read-only IAM is enough.

For enterprise use, evaluate AWS AgentCore Gateway.

The reason is governance.

As MCP usage grows, security teams eventually need:

Recommended maturity path:

Pilot: AWS Agent Toolkit + AWS MCP Server + read-only IAM profile
Scale: Add centralized governance and gateway controls
Custom: Build private MCP servers only for internal systems that are not covered

Do not start by building a custom MCP platform unless you already have a clear internal integration gap.

Best first use case.

Input:

Output:

Risk: low if read-only.

The agent can help explain:

Do not let the agent disable keys, quarantine instances, or modify policies automatically.

The agent can group Inspector findings by:

The output can be a CSV remediation backlog.

Do not let the agent patch systems automatically.

The agent can summarize:

Do not let the agent change IAM policy.

The agent can collect read-only evidence for:

This is useful before audits, risk reviews, and architecture reviews.

I would not frame this as Claude Code versus Codex.

I would use both where they are strongest.

Tool Best use Security posture
Claude Code Deep reasoning, architecture review, long-form security analysis, runbook drafting Strong project rules and tool approval
Codex Code changes, CLI-driven development workflow, reproducible implementation tasks Sandbox, approval policy, repo controls
AWS MCP Server AWS documentation and authenticated AWS API access IAM-enforced read-only first
CI/CD Tests, scanning, deployment, policy gates Release authority remains outside the AI tool

For security work, the safest split is:

Claude Code: analyze and explain
Codex: implement controlled code changes
AWS MCP Server: retrieve AWS context
CI/CD: validate and release
Human owner: approve risk and remediation

The AI tool can accelerate the workflow, but it should not become the approval authority.

Use this workflow for daily or weekly triage.

Confirm:

sec-mcp-readonly

../output

.aws sts get-caller-identity

.prompts/securityhub-triage.md

.Security Hub:

AWS Console -> Security Hub -> Findings

GuardDuty:

AWS Console -> GuardDuty -> Findings

Inspector:

AWS Console -> Inspector -> Findings

CloudTrail:

AWS Console -> CloudTrail -> Event history

Config:

AWS Console -> AWS Config -> Resources / Advanced queries

S3 public access:

AWS Console -> S3 -> Bucket -> Permissions -> Block Public Access / Bucket policy

Manual validation matters because MCP output is an aid, not evidence by itself.

Fix in this order:

The top of the list is about blast radius and business impact, not just severity labels.

Even with read-only IAM and MCP controls, some risk remains.

Residual risks include:

Acceptable residual risk for a pilot:

Read-only triage and evidence drafting with human review.

Not acceptable for a pilot:

Automated suppression, remediation, policy changes, deployments, or risk acceptance.
Decision: Approved with conditions.

We can pilot AWS MCP Server through AWS Agent Toolkit for a read-only Security Hub triage workflow.

Approved scope:
- Read Security Hub findings.
- Read limited investigation context from GuardDuty, Inspector, Config, CloudTrail, Organizations, and Access Analyzer.
- Generate local markdown/CSV/JSON summaries.
- Draft remediation tickets and Slack summaries.

Not approved:
- Security Hub suppression or updates.
- AWS resource changes.
- IAM changes.
- Secret or PII access.
- Automated remediation.
- AI-approved exception, merge, deploy, or risk acceptance.

Required controls:
- Named SSO identity.
- Dedicated SecMCPReadOnly permission set.
- Explicit deny for write actions.
- SCP or permission boundary for production where possible.
- MCP tool approval enabled.
- Script execution denied or separately approved.
- CloudTrail audit visibility.
- Negative-control test proving write actions fail.

Residual risk is acceptable for a read-only pilot with human review.

Start with a narrow, governed workflow:

Use case: Security Hub triage
Agent: Claude Code or Codex
Connector: AWS Agent Toolkit / AWS MCP Server
AWS identity: SecMCPReadOnly
Permissions: read-only + explicit deny
Output: executive summary, technical findings, remediation backlog, evidence index
Approval: human review before tickets, suppression, remediation, or risk acceptance

Do not build a custom MCP server first.

Do not give the agent production write access.

Do not let the agent suppress findings or approve exceptions.

Get the read-only triage workflow working, prove the controls, collect evidence, and then decide whether more advanced workflows are justified.

That is the safe path from AI-assisted security work to production-grade security operations.

── more in #ai-agents 4 stories · sorted by recency
── more on @aws 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/mcp-for-aws-security…] indexed:0 read:22min 2026-07-16 ·