Cloud Services·
advanced
·14 min read·Jul 9, 2026

Cloud Infrastructure Auditor: Safe AWS & GCP Config Inspections via MCP

Run automated cloud configuration security audits. Identify leaky S3 buckets, open security group ports, and loose IAM profiles directly from your IDE.

AWSGCPIAMsecuritycloud-servicesauditingcompliance

Cloud Infrastructure Auditor: AWS & GCP Config Inspections

Cloud resource configurations must follow strict security compliance profiles. Connecting AWS and GCP auditing tools to an MCP server lets your AI agent act as a DevOps security engineer. The agent can audit active buckets, verify IAM configurations, and review active firewall rules for leaks—all via natural language conversation.

Prerequisites

  1. An AWS or GCP account.
  2. The AWS CLI or GCP CLI installed on the local machine running the MCP server.
  3. Dedicated IAM credentials generated specifically for this audit.

Access Restrictions & Setup

Critical Rule: Ensure you configure the IAM keys assigned to the MCP server with strict Read-Only / SecurityAudit permissions. Never grant generic administrator credentials (like AdministratorAccess) to an AI agent.

Update your MCP configuration file:

json
{
  "mcpServers": {
    "aws-auditor": {
      "command": "npx",
      "args": ["-y", "mcp-server-aws-audits"],
      "env": {
        "AWS_ACCESS_KEY_ID": "AKIAXXXXXXXXXXXXXXXX",
        "AWS_SECRET_ACCESS_KEY": "secret_key_here",
        "AWS_REGION": "us-east-1"
      }
    }
  }
}

Example Audit Queries

Once connected, you can ask your AI agent to perform complex sweeps:

  • Inspect S3 Buckets: "Audit all S3 buckets. List any bucket that has public access configured and identify the owner."
  • Firewall Check: "Are there any EC2 security groups that allow ingress traffic from 0.0.0.0/0 on port 22 (SSH)?"
  • IAM Review: "Find any IAM users that have not rotated their access keys in the last 90 days."

Best Practices

  • Ephemeral Credentials: Instead of hardcoding static IAM keys, use STS (Security Token Service) to generate temporary session tokens that expire after 1 hour.
  • Scope by Region: If your infrastructure is vast, limit the agent to auditing one region at a time (e.g., us-east-1) to avoid timeouts and massive API billing.

Troubleshooting

  • AccessDenied: The agent attempted to read a resource (like CloudTrail logs) that the SecurityAudit policy does not cover. You may need to attach an inline policy granting specific Describe* or List* permissions.
  • Timeout: Querying all resources in an enterprise AWS account can take too long for an MCP JSON-RPC call. Ask the agent to break down its queries by tag or region.

Using with OpenAI Codex

To use this MCP server with the OpenAI Codex CLI, you can add it to your configuration using the codex mcp add command:

bash
codex mcp add --name cloud-infrastructure-auditor --command "npx @modelcontextprotocol/server-cloud-infrastructure-auditor"

(Note: Depending on the server, you may need to append arguments or use --env flags for environment variables as described in the configuration section above)

Related Guides