Cloud Infrastructure Auditor: Safe AWS & GCP Config Inspections via MCP
Run automated cloud configuration security audits. Identify leaky S3 buckets, open security group ports, and loose IAM profiles directly from your IDE.
Cloud Infrastructure Auditor: AWS & GCP Config Inspections
Cloud resource configurations must follow strict security compliance profiles. Connecting AWS and GCP auditing tools to an MCP server lets your AI agent act as a DevOps security engineer. The agent can audit active buckets, verify IAM configurations, and review active firewall rules for leaks—all via natural language conversation.
Prerequisites
- ▸An AWS or GCP account.
- ▸The AWS CLI or GCP CLI installed on the local machine running the MCP server.
- ▸Dedicated IAM credentials generated specifically for this audit.
Access Restrictions & Setup
Critical Rule: Ensure you configure the IAM keys assigned to the MCP server with strict Read-Only / SecurityAudit permissions. Never grant generic administrator credentials (like AdministratorAccess) to an AI agent.
Update your MCP configuration file:
{
"mcpServers": {
"aws-auditor": {
"command": "npx",
"args": ["-y", "mcp-server-aws-audits"],
"env": {
"AWS_ACCESS_KEY_ID": "AKIAXXXXXXXXXXXXXXXX",
"AWS_SECRET_ACCESS_KEY": "secret_key_here",
"AWS_REGION": "us-east-1"
}
}
}
}Example Audit Queries
Once connected, you can ask your AI agent to perform complex sweeps:
- ▸Inspect S3 Buckets: "Audit all S3 buckets. List any bucket that has public access configured and identify the owner."
- ▸Firewall Check: "Are there any EC2 security groups that allow ingress traffic from 0.0.0.0/0 on port 22 (SSH)?"
- ▸IAM Review: "Find any IAM users that have not rotated their access keys in the last 90 days."
Best Practices
- ▸Ephemeral Credentials: Instead of hardcoding static IAM keys, use STS (Security Token Service) to generate temporary session tokens that expire after 1 hour.
- ▸Scope by Region: If your infrastructure is vast, limit the agent to auditing one region at a time (e.g.,
us-east-1) to avoid timeouts and massive API billing.
Troubleshooting
- ▸
AccessDenied: The agent attempted to read a resource (like CloudTrail logs) that theSecurityAuditpolicy does not cover. You may need to attach an inline policy granting specificDescribe*orList*permissions. - ▸
Timeout: Querying all resources in an enterprise AWS account can take too long for an MCP JSON-RPC call. Ask the agent to break down its queries by tag or region.
Using with OpenAI Codex
To use this MCP server with the OpenAI Codex CLI, you can add it to your configuration using the codex mcp add command:
codex mcp add --name cloud-infrastructure-auditor --command "npx @modelcontextprotocol/server-cloud-infrastructure-auditor"(Note: Depending on the server, you may need to append arguments or use --env flags for environment variables as described in the configuration section above)
Related Guides
How to Set Up the Notion MCP Server for Workspace Integration
Connect your Notion workspace to AI agents. Search pages, read databases, create content, and manage your Notion knowledge base through MCP.
Cloud ServicesHow to Use the Cloudflare MCP Server for Edge Infrastructure
Manage Cloudflare Workers, KV stores, R2 buckets, and DNS settings through your AI agent using the Cloudflare MCP server.
Cloud ServicesHow to Use the Google Drive MCP Server for Document Access
Connect Google Drive to your AI agent for searching, reading, and managing documents, spreadsheets, and files stored in your Drive.