{"id":44190192,"url":"https://github.com/h4cd0c/nimbus-mcp","last_synced_at":"2026-02-14T13:04:12.023Z","repository":{"id":332381665,"uuid":"1112235116","full_name":"h4cd0c/nimbus-mcp","owner":"h4cd0c","description":"Nimbus - AWS Security Assessment MCP Server | 43 Tools | Multi-Region Scanning | TRA Reports | CIS/NIST/PCI-DSS Compliance","archived":false,"fork":false,"pushed_at":"2026-02-02T14:23:06.000Z","size":286,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-02-03T03:23:59.074Z","etag":null,"topics":["aws","aws-security","cis-benchmark","cloud-security","compliance","cybersecurity","devsecops","eks","iam","infosec","mcp","nist","pci-dss","penetration-testing","red-team","s3-security","security","terraform","threat-detection","vulnerability-scanner"],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/h4cd0c.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-08T10:43:32.000Z","updated_at":"2026-02-02T14:23:10.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/h4cd0c/nimbus-mcp","commit_stats":null,"previous_names":["jaikumar3/nimbus-mcp"],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/h4cd0c/nimbus-mcp","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/h4cd0c%2Fnimbus-mcp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/h4cd0c%2Fnimbus-mcp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/h4cd0c%2Fnimbus-mcp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/h4cd0c%2Fnimbus-mcp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/h4cd0c","download_url":"https://codeload.github.com/h4cd0c/nimbus-mcp/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/h4cd0c%2Fnimbus-mcp/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29273141,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-09T13:47:44.167Z","status":"ssl_error","status_checked_at":"2026-02-09T13:47:43.721Z","response_time":56,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-security","cis-benchmark","cloud-security","compliance","cybersecurity","devsecops","eks","iam","infosec","mcp","nist","pci-dss","penetration-testing","red-team","s3-security","security","terraform","threat-detection","vulnerability-scanner"],"created_at":"2026-02-09T17:03:14.901Z","updated_at":"2026-02-14T13:04:12.016Z","avatar_url":"https://github.com/h4cd0c.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\n# Nimbus - AWS Security Assessment MCP Server\n\n[![Version](https://img.shields.io/badge/version-1.5.8-blue.svg)](https://github.com/h4cd0c/nimbus-mcp)\n[![Tools](https://img.shields.io/badge/tools-45-green.svg)](https://github.com/h4cd0c/nimbus-mcp)\n[![Tests](https://img.shields.io/badge/tests-95%20passing-brightgreen.svg)](https://jestjs.io/)\n[![License](https://img.shields.io/badge/license-MIT-orange.svg)](LICENSE)\n[![AWS SDK](https://img.shields.io/badge/AWS%20SDK-v3-yellow.svg)](https://aws.amazon.com/sdk-for-javascript/)\n[![Status](https://img.shields.io/badge/status-production%20ready-brightgreen.svg)](https://github.com/h4cd0c/nimbus-mcp)\n[![Tests](https://img.shields.io/badge/tests-Jest-green.svg)](https://jestjs.io/)\n\n**Enterprise-grade AWS security assessment toolkit with Attack Chain Builder, 50+ Privesc Patterns \u0026 Multi-Region Scanning**\n\n*Designed for security professionals conducting authorized penetration tests, compliance audits, and executive risk reporting*\n\n[Features](#-key-features) • [Quick Start](#-quick-start) • [Documentation](#-documentation) • [Examples](#-example-workflows)\n\n\u003c/div\u003e\n\n---\n\n## 📖 Overview\n\n**Nimbus** is a comprehensive AWS security assessment framework built on the Model Context Protocol (MCP). It provides 45 production-ready tools covering enumeration, vulnerability scanning, **attack chain building**, privilege escalation analysis (50+ patterns), persistence detection, EKS/Kubernetes security, **multi-region scanning**, and compliance reporting for AWS cloud environments.\n\n### 🎯 Use Cases\n\n- **🔍 Security Assessments** - Identify misconfigurations and vulnerabilities\n- **📊 TRA Meetings** - Generate executive-ready risk assessment reports\n- **✅ Compliance Audits** - Map findings to CIS, NIST, PCI-DSS, HIPAA frameworks\n- **🛡️ Penetration Testing** - Discover attack paths and privilege escalation vectors\n- **📈 Risk Management** - Automated risk scoring and remediation roadmaps\n- **🌐 Multi-Region Scanning** - Scan all 30+ AWS regions in parallel\n- **🔗 Attack Chain Analysis** - Multi-step attack path discovery ⭐ NEW\n\n### ⚡ Key Highlights\n\n✅ **100% Read-Only** - Safe for production environments  \n✅ **41 Security Tools** - Comprehensive AWS service coverage  \n✅ **Attack Chain Builder** - Multi-step attack path discovery ⭐ NEW  \n✅ **50+ Privesc Patterns** - Rhino Security Labs \u0026 Heimdall research ⭐ NEW  \n✅ **EKS Attack Surface** - IRSA abuse, node role theft, RBAC escalation ⭐ NEW  \n✅ **Multi-Region Scanning** - Scan all 30+ regions in parallel  \n✅ **Multi-Format Reports** - PDF, HTML, CSV, Markdown  \n✅ **TRA Integration** - Risk scoring, compliance mapping, MITRE ATT\u0026CK  \n✅ **Zero Cloud Modifications** - No write/delete operations  \n✅ **Enterprise Ready** - Professional reports for executives and auditors\n\n## 🎯 Key Features\n\n\u003ctable\u003e\n\u003ctr\u003e\n\u003ctd width=\"50%\"\u003e\n\n### 🔍 Enumeration (10 Tools)\n- **Identity \u0026 Access** - IAM users, roles, policies\n- **Compute** - EC2 instances, Lambda functions, EKS clusters\n- **Storage** - S3 buckets, RDS databases\n- **Network** - VPCs, subnets, Security Groups\n- **Attack Surface** - Public-facing resources mapping\n\n\u003c/td\u003e\n\u003ctd width=\"50%\"\u003e\n\n### 🛡️ Security Scanning (25 Tools)\n- **S3 Security** - 7 comprehensive checks (encryption, ACLs, policies)\n- **IAM Analysis** - Wildcard permissions, 50+ privilege escalation patterns ⭐\n- **Attack Chain Builder** - Multi-step attack path discovery ⭐ NEW\n- **Network Security** - Security Groups, VPC exposure, egress points\n- **Data Protection** - DynamoDB, ElastiCache, RDS encryption\n- **API Security** - API Gateway, CloudFront configuration\n- **Messaging** - SNS/SQS encryption and access policies\n- **Identity** - Cognito pools, MFA bypass vectors\n- **Secrets** - KMS keys, Secrets Manager, SSM parameters\n- **Threat Detection** - GuardDuty findings\n- **IMDS Security** - EC2 metadata exposure (SSRF risk)\n- **Resource Policies** - S3, SQS, SNS, Lambda policy analysis\n\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd width=\"50%\"\u003e\n\n### 🔗 Attack Chain Analysis (5 Tools) ⭐ NEW\n- **build_attack_chains** - Multi-step attack path discovery\n- **analyze_eks_attack_surface** - EKS IRSA \u0026 node role abuse\n- **detect_privesc_patterns** - 50+ IAM privilege escalation patterns\n- **hunt_eks_secrets** - Kubernetes secret enumeration\n- **scan_eks_service_accounts** - Service account security audit\n\n\u003c/td\u003e\n\u003ctd width=\"50%\"\u003e\n\n### Advanced Security (7 Tools)\n- **CloudWatch Security** - Missing alarms, monitoring gaps\n- **IAM Escalation** - PassRole abuse, AssumeRole chains\n- **SSM Security** - Documents, parameters, session logging\n- **IMDS Exposure** - IMDSv1 SSRF risks, instance profiles\n- **Resource Policies** - Overly permissive access patterns\n- **Network Exposure** - VPC, Transit Gateway, egress analysis\n- **Data Exfiltration** - S3 replication, Lambda egress paths\n\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/table\u003e\n\n### 🎯 50+ Privilege Escalation Patterns\n\n| Category | Patterns | Description |\n|----------|----------|-------------|\n| **PassRole Abuse** | 7 | Lambda, EC2, Glue, CloudFormation, CodeBuild, SageMaker, ECS |\n| **Policy Manipulation** | 6 | AttachPolicy, PutPolicy, CreatePolicyVersion |\n| **Credential Access** | 4 | CreateAccessKey, LoginProfile, UpdateAssumeRole |\n| **EKS Abuse** | 5 | IRSA, Node role theft, Fargate, Cluster admin |\n| **Lambda Abuse** | 3 | UpdateFunctionCode, Layers, Env secrets |\n| **SSM Abuse** | 3 | SendCommand, StartSession, GetParameters |\n| **S3 Abuse** | 2 | Replication, BucketPolicy |\n| **Defense Evasion** | 3 | CloudTrail, GuardDuty disable |\n\n### 📄 Report Formats\n\n| Format | Use Case | Features |\n|--------|----------|----------|\n| **Markdown** | Quick review, documentation | Human-readable, version control friendly |\n| **PDF** | Executive presentations, audits | Professional formatting, color-coded severity, charts |\n| **HTML** | Interactive dashboards | Sortable tables, collapsible sections, search |\n| **CSV** | Data analysis, Excel import | Structured data export for trending |\n\n## 🚀 Quick Start\n\n### 1️⃣ Installation\n\n**Option 1: Install from npm (Recommended)**\n\n```bash\n# Install globally from npm\nnpm install -g nimbus-mcp\n```\n\n**Option 2: Build from source**\n\n```bash\n# Clone the repository\ngit clone https://github.com/h4cd0c/nimbus-mcp.git\ncd nimbus-mcp\n\n# Install dependencies\nnpm install\n\n# Build the TypeScript project\nnpm run build\n```\n\n### 2️⃣ AWS Authentication\n\nConfigure AWS credentials using one of these methods:\n\n| Method | Command | Use Case |\n|--------|---------|----------|\n| **AWS CLI** | `aws configure` | Local development, testing |\n| **Environment Variables** | `export AWS_ACCESS_KEY_ID=...` | CI/CD, automation |\n| **IAM Instance Profile** | Automatic | EC2 instances |\n| **IAM Roles** | Automatic | AWS services (Lambda, ECS) |\n\n**Recommended Permissions:** `SecurityAudit` or `ReadOnlyAccess` managed policies\n\n### 3️⃣ MCP Configuration\nFor VS Code: Add to .vscode/mcp.json\n\n```json\n{\n  \"servers\": {\n    \"nimbus\": {\n      \"command\": \"node\",\n      \"args\": [\"C:\\\\path\\\\to\\\\nimbus-mcp\\\\dist\\\\index.js\"],\n      \"type\": \"stdio\"\n    }\n  }\n}\n```\n\n**Restart VS Code** after configuration.\n\n### 4️⃣ Basic Usage Examples\n\n```bash\n# 🔑 Identify current AWS identity\n#aws_whoami\n\n# 🌐 Find public-facing resources (attack surface)\n#aws_enumerate_public_resources region: us-east-1\n\n# 🔒 Analyze Security Groups for dangerous rules\n#aws_analyze_security_groups region: us-east-1\n\n# 🪣 Deep scan S3 bucket security (7 checks)\n#aws_scan_s3_bucket_security bucketName: my-production-bucket\n\n# 📊 Generate executive TRA report (PDF)\n#aws_generate_security_report region: us-east-1 format: pdf outputFile: C:\\reports\\aws-security-2026.pdf\n```\n\n### 5️⃣ Output Format Control ⭐ NEW\n\nAll 43 security tools now support flexible output formatting via the optional `format` parameter:\n\n**Markdown (Default)** - Human-readable output, perfect for documentation and reports\n```bash\n#aws_whoami\n# Returns: Clean markdown text (backward compatible)\n```\n\n**JSON** - Machine-readable structured data with metadata for automation\n```bash\n#aws_whoami format: json\n# Returns: { \"tool\": \"aws_whoami\", \"format\": \"json\", \"timestamp\": \"...\", \"data\": {...} }\n```\n\n**Key Benefits:**\n- ✅ **Backward Compatible** - Existing tools work without changes (defaults to markdown)\n- ✅ **API Integration** - JSON format enables programmatic consumption\n- ✅ **Automation** - Parse structured data for CI/CD pipelines\n- ✅ **Metadata** - JSON includes tool name, timestamp, and versioning\n- ✅ **Flexible** - Choose format per-tool based on use case\n\n**Supported Tools:** All security scanners, enumerators, and analyzers (43 tools total)\n\n**Example Use Cases:**\n```bash\n# Export scan results to JSON for automation\n#aws_analyze_security_groups region: us-east-1 format: json \u003e results.json\n\n# Human-readable documentation output (default)\n#aws_scan_s3_bucket_security bucketName: my-bucket\n\n# Structured data for API integration\n#aws_detect_privesc_patterns format: json\n```\n\n## 📋 Complete Tool Reference\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003e🔍 Enumeration Tools (10)\u003c/b\u003e - Click to expand\u003c/summary\u003e\n\n| Tool | Description | Example |\n|------|-------------|---------|\n| `aws_whoami` | Identify current AWS identity (user/role, account ID, ARN) | `#aws_whoami` |\n| `aws_enumerate_ec2_instances` | List EC2 instances with public IPs and security groups | `region: us-east-1` |\n| `aws_enumerate_s3_buckets` | List all S3 buckets in the account | No parameters |\n| `aws_enumerate_iam_users` | List IAM users with access key ages and last used dates | No parameters |\n| `aws_enumerate_iam_roles` | List IAM roles with trust relationships | No parameters |\n| `aws_enumerate_rds_databases` | List RDS instances/clusters with public accessibility | `region: us-east-1` |\n| `aws_enumerate_vpcs` | List VPCs with subnets and CIDR blocks | `region: us-east-1` |\n| `aws_enumerate_lambda_functions` | List Lambda functions with runtimes and IAM roles | `region: us-east-1` |\n| `aws_enumerate_eks_clusters` | List EKS clusters with Kubernetes versions | `region: us-east-1` |\n| `aws_enumerate_public_resources` | Map public attack surface (EC2, RDS, S3) | `region: us-east-1` |\n| `aws_scan_eks_service_accounts` | Analyze EKS service account security (IRSA, OIDC) | `region, clusterName` |\n| `aws_hunt_eks_secrets` | Comprehensive K8s secret hunting guide | `region, clusterName` |\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003e🌐 Multi-Region Scanning Tools (2)\u003c/b\u003e - Click to expand ⭐ NEW\u003c/summary\u003e\n\n| Tool | Description | Example |\n|------|-------------|---------|\n| `aws_scan_all_regions` | Scan multiple AWS regions for resources in parallel. Supports EC2, Lambda, RDS, EKS, Secrets, GuardDuty, ElastiCache, VPC. | `resourceType: ec2, regions: \"us-east-1,eu-west-1\"` |\n| `aws_list_active_regions` | Quick discovery of which regions have resources deployed. Checks EC2, Lambda, RDS counts per region. | `scanMode: common` or `regions: \"us-east-1\"` |\n\n**Usage Examples:**\n```bash\n# Single region scan\nscan_all_regions --resourceType ec2 --regions \"us-east-1\"\n\n# Multiple specific regions\nscan_all_regions --resourceType lambda --regions \"us-east-1,eu-west-1,ap-southeast-1\"\n\n# Preset: Common regions (11 popular regions)\nscan_all_regions --resourceType rds --scanMode common\n\n# Preset: All regions (30+ regions)\nscan_all_regions --resourceType all --scanMode all --parallelism 10\n\n# Discover active regions first\nlist_active_regions --scanMode common\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003e🛡️ Security Scanning Tools (13)\u003c/b\u003e - Click to expand\u003c/summary\u003e\n\n| Tool | Security Checks | Severity Findings |\n|------|----------------|-------------------|\n| `aws_scan_s3_bucket_security` | Public access, encryption, ACLs, versioning, logging | 🔴 Critical: Public + unencrypted |\n| `aws_analyze_security_groups` | 0.0.0.0/0 rules, open ports (SSH, RDP, DB) | 🔴 Critical: Internet-exposed mgmt ports |\n| `check_iam_policies` | Wildcard permissions (`*:*`), overly permissive | 🔴 Critical: Admin access wildcards |\n| `check_kms_keys` | Key rotation, key policy analysis | 🟡 Medium: Rotation disabled |\n| `aws_scan_secrets_manager` | Rotation enabled, encryption, last rotated date | 🟠 High: No rotation in 90+ days |\n| `aws_scan_dynamodb_security` | Encryption at rest, PITR, backup retention | 🔴 Critical: No encryption |\n| `aws_scan_api_gateway_security` | Logging, throttling, authorization, SSL certificates | 🟠 High: No logging enabled |\n| `aws_scan_cloudfront_security` | TLS versions, HTTPS enforcement, WAF, OAI | 🔴 Critical: TLSv1.0 enabled |\n| `aws_scan_elasticache_security` | Encryption in-transit/at-rest, auth tokens | 🔴 Critical: No encryption |\n| `aws_get_guardduty_findings` | Active threats, malicious IPs, compromised instances | 🔴 Critical: Active threats |\n| `aws_scan_sns_security` | Topic encryption (KMS), access policies, HTTP subscriptions | 🔴 Critical: No encryption |\n| `aws_scan_sqs_security` | Queue encryption, dead letter queues, access policies | 🔴 Critical: Public queue access |\n| `aws_scan_cognito_security` | Unauthenticated access, MFA, password policies | 🔴 Critical: Unauth access enabled |\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003e🎯 Attack Analysis Tools (2)\u003c/b\u003e - Click to expand\u003c/summary\u003e\n\n| Tool | Analysis | Output |\n|------|----------|--------|\n| `aws_analyze_attack_paths` | IAM privilege escalation, public → internal vectors | Exploitation scenarios with step-by-step chains |\n| `aws_generate_security_report` | Aggregate all findings, risk scoring, remediation | PDF/HTML/CSV/Markdown reports |\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003e📊 TRA (Threat \u0026 Risk Assessment) Tool (1) ⭐ NEW\u003c/b\u003e - Click to expand\u003c/summary\u003e\n\n| Feature | Description | Output |\n|---------|-------------|--------|\n| **Risk Scoring** | 0-10 automated scale with severity weighting | Risk level: CRITICAL/HIGH/MEDIUM/LOW |\n| **Compliance Mapping** | CIS AWS Foundations, NIST 800-53, PCI-DSS, HIPAA | Pass/Fail/Partial for each control |\n| **MITRE ATT\u0026CK** | Cloud Matrix tactic and technique mapping | Attack phase classification |\n| **Remediation Roadmap** | 4-phase timeline (0-7 days → 3-6 months) | Prioritized action plan |\n| **Executive Summary** | One-page risk overview with top 10 critical findings | Board-ready PDF/HTML report |\n\n📚 **[Complete TRA Documentation](TRA_TOOL.md)** - 471 lines with examples and use cases\n\n\u003c/details\u003e\n\n## 🏗️ Architecture\n\n```\n┌─────────────────────────────────────────────────────────────┐\n│                     MCP Client (VS Code)                     │\n│                  Claude Dev / Cline Extension                │\n└──────────────────────┬──────────────────────────────────────┘\n                       │ MCP Protocol\n                       ▼\n┌─────────────────────────────────────────────────────────────┐\n│                  Nimbus MCP Server (Node.js)                │\n│  ┌───────────┬────────────┬──────────────┬────────────┐    │\n│  │Enumeration│  Scanning  │Attack Analysis│    TRA     │    │\n│  │ (10 tools)│ (13 tools) │  (2 tools)   │  (1 tool)  │    │\n│  └───────────┴────────────┴──────────────┴────────────┘    │\n└──────────────────────┬──────────────────────────────────────┘\n                       │ AWS SDK v3 (21 clients)\n                       ▼\n┌─────────────────────────────────────────────────────────────┐\n│                        AWS Cloud                            │\n│  ┌─────┬─────┬─────┬─────┬─────┬─────┬─────┬─────┬─────┐  │\n│  │ IAM │ EC2 │ S3  │ RDS │Lambda│EKS │SNS │SQS │Cognito│  │\n│  │     │     │     │     │     │    │    │    │       │  │\n│  └─────┴─────┴─────┴─────┴─────┴────┴────┴────┴───────┘  │\n│  ✅ READ-ONLY Operations | ❌ NO Write/Delete/Modify       │\n└─────────────────────────────────────────────────────────────┘\n```\n\n### 🔒 Security Model\n\n| Operation Type | Supported | SDK Commands Used |\n|----------------|-----------|-------------------|\n| **Read** | ✅ Yes | `Get*`, `List*`, `Describe*` |\n| **Write** | ❌ No | Not imported in codebase |\n| **Delete** | ❌ No | Not imported in codebase |\n| **Modify** | ❌ No | Not imported in codebase |\n\n**Verification:** Even with admin credentials (`*:*` permissions), the tool **cannot** modify AWS resources. All SDK commands are read-only by design.\n\n### 🛡️ Input Validation \u0026 Auto-Completion ⭐ NEW\n\n**Enhanced Security (OWASP MCP-05 Compliance):**\n- **Pattern-Based Validation** - Regex validation for all AWS resource identifiers (ARNs, instance IDs, bucket names, etc.)\n- **Whitelist Validation** - Region names and resource types validated against AWS service catalogs\n- **Sanitization** - Automatic removal of control characters and length enforcement\n- **Clear Error Messages** - Helpful validation errors guide users to correct input formats\n\n**Improved User Experience:**\n- **Auto-Completion Support** - Intelligent suggestions for regions, resource types, formats, and scan modes\n- **Prefix Filtering** - Type-ahead suggestions as you enter values\n- **Context-Aware** - Suggests relevant values based on the current tool and argument\n\nSupported completions:\n- `region`/`regions` - All 30 AWS regions + \"all\", \"common\"\n- `resourceType` - EC2, Lambda, RDS, EKS, Secrets, GuardDuty, ElastiCache, VPC\n- `format` - markdown, json, html, pdf, csv\n- `scanMode` - common, all\n- `severity` - LOW, MEDIUM, HIGH, CRITICAL\n- `framework` - nist, iso27001, pci-dss, hipaa, soc2, cis\n\n## 🔍 Security Findings Reference\n\n\u003ctable\u003e\n\u003ctr\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003cth\u003eFinding Category\u003c/th\u003e\n\u003cth\u003eExample Issues\u003c/th\u003e\n\u003cth\u003eBusiness Impact\u003c/th\u003e\n\u003c/tr\u003e\n\n\u003ctr\u003e\n\u003ctd rowspan=\"4\"\u003e🔴\u003cbr\u003e\u003cb\u003eCRITICAL\u003c/b\u003e\u003c/td\u003e\n\u003ctd\u003e\u003cb\u003ePublic Exposure\u003c/b\u003e\u003c/td\u003e\n\u003ctd\u003e• EC2 with 0.0.0.0/0 on SSH/RDP\u003cbr\u003e• Public RDS databases\u003cbr\u003e• S3 public + unencrypted\u003c/td\u003e\n\u003ctd\u003eDirect Internet access → data breach\u003c/td\u003e\n\u003c/tr\u003e\n\n\u003ctr\u003e\n\u003ctd\u003e\u003cb\u003eData Protection\u003c/b\u003e\u003c/td\u003e\n\u003ctd\u003e• DynamoDB without encryption\u003cbr\u003e• ElastiCache no encryption\u003cbr\u003e• SNS/SQS plaintext messages\u003c/td\u003e\n\u003ctd\u003eSensitive data exposure at rest/in-transit\u003c/td\u003e\n\u003c/tr\u003e\n\n\u003ctr\u003e\n\u003ctd\u003e\u003cb\u003eAccess Control\u003c/b\u003e\u003c/td\u003e\n\u003ctd\u003e• SNS/SQS public access (Principal: *)\u003cbr\u003e• Cognito unauthenticated access\u003cbr\u003e• S3 bucket ACL public-read\u003c/td\u003e\n\u003ctd\u003eAnonymous access to AWS resources\u003c/td\u003e\n\u003c/tr\u003e\n\n\u003ctr\u003e\n\u003ctd\u003e\u003cb\u003eTLS/SSL\u003c/b\u003e\u003c/td\u003e\n\u003ctd\u003e• CloudFront TLSv1.0 enabled\u003cbr\u003e• API Gateway weak ciphers\u003c/td\u003e\n\u003ctd\u003eMan-in-the-middle attack vulnerability\u003c/td\u003e\n\u003c/tr\u003e\n\n\u003ctr\u003e\n\u003ctd rowspan=\"3\"\u003e🟠\u003cbr\u003e\u003cb\u003eHIGH\u003c/b\u003e\u003c/td\u003e\n\u003ctd\u003e\u003cb\u003eIAM Security\u003c/b\u003e\u003c/td\u003e\n\u003ctd\u003e• Wildcard permissions (*:*)\u003cbr\u003e• Access keys 90+ days old\u003cbr\u003e• No MFA on privileged users\u003c/td\u003e\n\u003ctd\u003ePrivilege escalation, credential compromise\u003c/td\u003e\n\u003c/tr\u003e\n\n\u003ctr\u003e\n\u003ctd\u003e\u003cb\u003eAudit \u0026 Logging\u003c/b\u003e\u003c/td\u003e\n\u003ctd\u003e• API Gateway no logging\u003cbr\u003e• CloudTrail disabled\u003cbr\u003e• No GuardDuty monitoring\u003c/td\u003e\n\u003ctd\u003eNo forensic evidence, undetected breaches\u003c/td\u003e\n\u003c/tr\u003e\n\n\u003ctr\u003e\n\u003ctd\u003e\u003cb\u003eSecrets Management\u003c/b\u003e\u003c/td\u003e\n\u003ctd\u003e• Secrets not rotated 90+ days\u003cbr\u003e• Hardcoded creds in Lambda env\u003cbr\u003e• KMS keys unrotated\u003c/td\u003e\n\u003ctd\u003eLong-lived credentials increase attack window\u003c/td\u003e\n\u003c/tr\u003e\n\n\u003ctr\u003e\n\u003ctd rowspan=\"2\"\u003e🟡\u003cbr\u003e\u003cb\u003eMEDIUM\u003c/b\u003e\u003c/td\u003e\n\u003ctd\u003e\u003cb\u003eResilience\u003c/b\u003e\u003c/td\u003e\n\u003ctd\u003e• RDS backup retention \u003c 7 days\u003cbr\u003e• DynamoDB no PITR\u003cbr\u003e• SQS no dead letter queue\u003c/td\u003e\n\u003ctd\u003eData loss risk, poor disaster recovery\u003c/td\u003e\n\u003c/tr\u003e\n\n\u003ctr\u003e\n\u003ctd\u003e\u003cb\u003eDenial of Service\u003c/b\u003e\u003c/td\u003e\n\u003ctd\u003e• API Gateway no throttling\u003cbr\u003e• No WAF on CloudFront\u003cbr\u003e• Lambda no concurrency limits\u003c/td\u003e\n\u003ctd\u003eService disruption, cost spike attacks\u003c/td\u003e\n\u003c/tr\u003e\n\n\u003c/table\u003e\n\n### 📊 Finding Statistics (Typical Enterprise Account)\n\n```\nTotal Findings: ~80-150\n├── 🔴 CRITICAL: 12-25 (15-20%)\n├── 🟠 HIGH: 28-45 (35-40%)\n├── 🟡 MEDIUM: 30-50 (40-45%)\n└── 🟢 LOW: 10-30 (10-15%)\n\nRisk Score: 6.5-7.8 / 10 (HIGH)\nCompliance: 60-75% (Typical first scan)\n```\n\n## 📚 Documentation\n\n| Document | Description | Lines | Link |\n|----------|-------------|-------|------|\n| **README.md** | Project overview, quick start, tool reference | 350+ | You're here |\n| **USAGE.md** | Detailed workflows, examples, best practices | 400+ | [View](USAGE.md) |\n| **TRA_TOOL.md** | Complete TRA guide with compliance frameworks | 471 | [View](TRA_TOOL.md) |\n| **COMPLETE.md** | Phase completion summary, achievements | 200+ | [View](COMPLETE.md) |\n| **Built-in Help** | Interactive command reference | - | `#aws_help` |\n\n## 🛡️ Security \u0026 Compliance\n\n### Required AWS Permissions\n\n**Recommended Managed Policies:**\n- ✅ `SecurityAudit` - AWS managed policy for security auditing\n- ✅ `ReadOnlyAccess` - Comprehensive read-only access\n\n**Granular Permissions (Minimum Required):**\n\n\u003cdetails\u003e\n\u003csummary\u003eClick to expand IAM policy JSON\u003c/summary\u003e\n\n```json\n{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"ec2:Describe*\",\n        \"s3:ListAllMyBuckets\",\n        \"s3:GetBucket*\",\n        \"s3:GetPublicAccessBlock\",\n        \"iam:List*\",\n        \"iam:Get*\",\n        \"rds:Describe*\",\n        \"lambda:List*\",\n        \"lambda:Get*\",\n        \"eks:List*\",\n        \"eks:Describe*\",\n        \"kms:List*\",\n        \"kms:Describe*\",\n        \"secretsmanager:List*\",\n        \"secretsmanager:Describe*\",\n        \"dynamodb:List*\",\n        \"dynamodb:Describe*\",\n        \"apigateway:GET\",\n        \"cloudfront:List*\",\n        \"cloudfront:Get*\",\n        \"elasticache:Describe*\",\n        \"guardduty:List*\",\n        \"guardduty:Get*\",\n        \"sns:List*\",\n        \"sns:Get*\",\n        \"sqs:List*\",\n        \"sqs:Get*\",\n        \"cognito-identity:List*\",\n        \"cognito-identity:Describe*\",\n        \"cognito-idp:List*\",\n        \"cognito-idp:Describe*\"\n      ],\n      \"Resource\": \"*\"\n    }\n  ]\n}\n```\n\n\u003c/details\u003e\n\n### Best Practices\n\n| Practice | Recommendation | Rationale |\n|----------|---------------|-----------|\n| **Authorization** | Obtain written permission from AWS account owner | Legal compliance, audit trail |\n| **Environment** | Test in non-production first | Avoid business disruption |\n| **Credentials** | Use temporary credentials (STS AssumeRole) | Minimize credential exposure |\n| **Logging** | Enable CloudTrail in target account | Audit all API calls |\n| **Documentation** | Record all findings and commands executed | Evidence for remediation |\n| **Scope** | Define testing scope (regions, services) | Focused assessment |\n\n### Compliance Frameworks\n\nThis tool helps assess compliance with:\n\n- ✅ **CIS AWS Foundations Benchmark** - Security baseline controls\n- ✅ **NIST 800-53** - Federal security controls (AC, AU, CM, SC families)\n- ✅ **PCI-DSS 3.2.1** - Payment card industry requirements\n- ✅ **HIPAA** - Healthcare data protection (encryption, access control)\n- ✅ **GDPR** - Data privacy and protection (encryption, audit logging)\n\n## 🎓 Example Workflows\n\n### Workflow 1: 🚀 Quick Security Scan (5 minutes)\n\n**Use Case:** Pre-TRA meeting, rapid assessment\n\n```bash\n# Step 1: Verify access\n#aws_whoami\n\n# Step 2: Map attack surface\n#aws_enumerate_public_resources region: us-east-1\n\n# Step 3: Check network security\n#aws_analyze_security_groups region: us-east-1\n\n# Step 4: Generate executive report\n#aws_generate_security_report region: us-east-1 format: pdf outputFile: C:\\reports\\quick-scan.pdf\n```\n\n**Expected Output:** 10-20 findings, risk score, top 5 priorities\n\n---\n\n### Workflow 2: 🔐 IAM Security Audit (15 minutes)\n\n**Use Case:** Access control review, privilege escalation testing\n\n```bash\n# Step 1: Enumerate all users\n#aws_enumerate_iam_users\n\n# Step 2: Enumerate all roles\n#aws_enumerate_iam_roles\n\n# Step 3: Check for wildcard permissions\n#aws_check_iam_policies\n\n# Step 4: Identify attack paths\n#aws_analyze_attack_paths region: us-east-1\n```\n\n**Expected Output:** Wildcard policies, old access keys, privilege escalation chains\n\n---\n\n### Workflow 3: 🗄️ Data Security Assessment (20 minutes)\n\n**Use Case:** Compliance audit (encryption, access control)\n\n```bash\n# Step 1: List all S3 buckets\n#aws_enumerate_s3_buckets\n\n# Step 2: Deep scan critical buckets\n#aws_scan_s3_bucket_security bucketName: production-data\n\n# Step 3: Check RDS encryption\n#aws_enumerate_rds_databases region: us-east-1\n\n# Step 4: Check DynamoDB security\n#aws_scan_dynamodb_security region: us-east-1\n\n# Step 5: Verify secrets rotation\n#aws_scan_secrets_manager region: us-east-1\n```\n\n**Expected Output:** Unencrypted buckets, public databases, unrotated secrets\n\n---\n\n### Workflow 4: 📊 Complete TRA Report (30 minutes)\n\n**Use Case:** Board meeting, compliance audit, executive briefing\n\n```bash\n# Single command for comprehensive assessment\n#aws_generate_security_report region: us-east-1 format: pdf outputFile: C:\\reports\\TRA-Report-2026-Q4.pdf fullScan: true includeCompliance: true includeRemediation: true\n```\n\n**Report Includes:**\n- ✅ Risk score (0-10 scale) with trend analysis\n- ✅ Compliance mapping (CIS, NIST, PCI, HIPAA)\n- ✅ MITRE ATT\u0026CK tactics and techniques\n- ✅ Remediation roadmap (4 phases: 0-7 days → 3-6 months)\n- ✅ Executive summary (one-page overview)\n- ✅ Detailed findings by service (50-100 pages)\n\n📚 **[See TRA_TOOL.md for complete guide](TRA_TOOL.md)**\n\n## 🤝 Contributing\n\nWe welcome contributions! Here's how to get started:\n\n### Priority Areas for Enhancement\n\n| Category | Enhancement Ideas | Difficulty |\n|----------|------------------|------------|\n| **New Services** | AWS Config, Systems Manager, WAF, Load Balancers | Medium |\n| **Analysis** | CloudTrail log analysis, cost optimization | High |\n| **Compliance** | SOC 2, ISO 27001 mapping | Medium |\n| **Automation** | Multi-region scanning, scheduled scans | Medium |\n| **Remediation** | Auto-generate Terraform/CloudFormation fixes | High |\n| **Integrations** | Security Hub, Jira, Slack notifications | Medium |\n\n### Development Workflow\n\n```bash\n# 1. Fork and clone\ngit clone https://github.com/yourusername/nimbus-mcp.git\ncd nimbus-mcp\n\n# 2. Create feature branch\ngit checkout -b feature/new-service-scanner\n\n# 3. Install and build\nnpm install\nnpm run build\n\n# 4. Test your changes\nnpm test  # (add tests for new features)\n\n# 5. Submit pull request\ngit push origin feature/new-service-scanner\n```\n\n### Code Standards\n\n- ✅ TypeScript strict mode\n- ✅ Error handling for AWS SDK calls\n- ✅ Severity classification (CRITICAL/HIGH/MEDIUM/LOW)\n- ✅ Documentation in README.md and tool descriptions\n- ✅ Test coverage for new tools\n\n## ⚠️ Legal Disclaimer\n\n\u003cdiv align=\"center\"\u003e\n\n**⚠️ AUTHORIZED USE ONLY ⚠️**\n\nThis tool is designed for **authorized security testing and compliance auditing only**.\n\n\u003c/div\u003e\n\n### User Responsibilities\n\n| Requirement | Description |\n|-------------|-------------|\n| **Authorization** | Obtain written permission from AWS account owner before testing |\n| **Scope** | Only test resources explicitly authorized in writing |\n| **Compliance** | Follow AWS Acceptable Use Policy and Customer Agreement |\n| **Laws** | Comply with local, state, federal, and international laws |\n| **Liability** | Users assume all liability for unauthorized or improper use |\n\n### AWS Acceptable Use Policy\n\nTesting activities must not:\n- ❌ Disrupt AWS services or other customers\n- ❌ Generate excessive API calls (rate limiting)\n- ❌ Access data you don't own\n- ❌ Violate privacy or data protection laws\n\n## 📄 License\n\n**MIT License** - See [LICENSE](LICENSE) file for details\n\nCopyright (c) 2026 h4cd0c\n\n---\n\n## 🔗 Resources \u0026 References\n\n### AWS Documentation\n- 📘 [AWS Security Best Practices](https://aws.amazon.com/security/best-practices/)\n- 📘 [IAM Security Best Practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)\n- 📘 [AWS Well-Architected Security Pillar](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html)\n- 📘 [AWS Penetration Testing](https://aws.amazon.com/security/penetration-testing/)\n\n### Compliance Frameworks\n- 📋 [CIS AWS Foundations Benchmark](https://www.cisecurity.org/benchmark/amazon_web_services)\n- 📋 [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework)\n- 📋 [PCI-DSS Cloud Guidelines](https://www.pcisecuritystandards.org/)\n\n### Security Tools \u0026 Platforms\n- 🛠️ [Model Context Protocol](https://modelcontextprotocol.io/)\n- 🛠️ [AWS SDK for JavaScript v3](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/)\n- 🛠️ [MITRE ATT\u0026CK Cloud Matrix](https://attack.mitre.org/matrices/enterprise/cloud/)\n\n---\n\n\u003cdiv align=\"center\"\u003e\n\n## 🌟 Support This Project\n\nIf this tool helps your security assessments, please:\n\n⭐ **Star this repository** on GitHub  \n🐛 **Report issues** or suggest features  \n🤝 **Contribute** code or documentation  \n📢 **Share** with your security team\n\n**Built with:** TypeScript • AWS SDK v3 • MCP SDK v1.0.4\n\n**Author:** [h4cd0c](https://github.com/h4cd0c)  \n**Repository:** [nimbus-mcp](https://github.com/h4cd0c/nimbus-mcp)\n\n---\n\nMade with ❤️ for the security community\n\n\u003c/div\u003e\n\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fh4cd0c%2Fnimbus-mcp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fh4cd0c%2Fnimbus-mcp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fh4cd0c%2Fnimbus-mcp/lists"}