# Nimbus - AWS Security Assessment MCP Server

[![Version](https://img.shields.io/badge/version-1.5.8-blue.svg)](https://github.com/h4cd0c/nimbus-mcp)
[![Tools](https://img.shields.io/badge/tools-45-green.svg)](https://github.com/h4cd0c/nimbus-mcp)
[![Tests](https://img.shields.io/badge/tests-95%20passing-brightgreen.svg)](https://jestjs.io/)
[![License](https://img.shields.io/badge/license-MIT-orange.svg)](LICENSE)
[![AWS SDK](https://img.shields.io/badge/AWS%20SDK-v3-yellow.svg)](https://aws.amazon.com/sdk-for-javascript/)
[![Status](https://img.shields.io/badge/status-production%20ready-brightgreen.svg)](https://github.com/h4cd0c/nimbus-mcp)
[![Tests](https://img.shields.io/badge/tests-Jest-green.svg)](https://jestjs.io/)

**Enterprise-grade AWS security assessment toolkit with Attack Chain Builder, 50+ Privesc Patterns & Multi-Region Scanning**

*Designed for security professionals conducting authorized penetration tests, compliance audits, and executive risk reporting*

[Features](#-key-features) • [Quick Start](#-quick-start) • [Documentation](#-documentation) • [Examples](#-example-workflows)

---

## 📖 Overview

**Nimbus** is a comprehensive AWS security assessment framework built on the Model Context Protocol (MCP). It provides 45 production-ready tools covering enumeration, vulnerability scanning, **attack chain building**, privilege escalation analysis (50+ patterns), persistence detection, EKS/Kubernetes security, **multi-region scanning**, and compliance reporting for AWS cloud environments.

### 🎯 Use Cases

- **🔍 Security Assessments** - Identify misconfigurations and vulnerabilities
- **📊 TRA Meetings** - Generate executive-ready risk assessment reports
- **✅ Compliance Audits** - Map findings to CIS, NIST, PCI-DSS, HIPAA frameworks
- **🛡️ Penetration Testing** - Discover attack paths and privilege escalation vectors
- **📈 Risk Management** - Automated risk scoring and remediation roadmaps
- **🌐 Multi-Region Scanning** - Scan all 30+ AWS regions in parallel
- **🔗 Attack Chain Analysis** - Multi-step attack path discovery ⭐ NEW

### ⚡ Key Highlights

- ✅ **100% Read-Only** - No write, delete or modify API calls; safe to run against production (every call is still recorded in CloudTrail and counts against API rate limits)
- ✅ **45 Security Tools** - Comprehensive AWS service coverage
- ✅ **Attack Chain Builder** - Multi-step attack path discovery ⭐ NEW
- ✅ **50+ Privesc Patterns** - Rhino Security Labs & Heimdall research ⭐ NEW
- ✅ **EKS Attack Surface** - IRSA abuse, node role theft, RBAC escalation ⭐ NEW
- ✅ **Multi-Region Scanning** - Scan all 30+ regions in parallel
- ✅ **Multi-Format Reports** - PDF, HTML, CSV, Markdown
- ✅ **TRA Integration** - Risk scoring, compliance mapping, MITRE ATT&CK
- ✅ **Zero Cloud Modifications** - No write/delete operations
- ✅ **Enterprise Ready** - Professional reports for executives and auditors

## 🎯 Key Features

### 🔍 Enumeration (10 Tools)
- **Identity & Access** - IAM users, roles, policies
- **Compute** - EC2 instances, Lambda functions, EKS clusters
- **Storage** - S3 buckets, RDS databases
- **Network** - VPCs, subnets, Security Groups
- **Attack Surface** - Public-facing resources mapping

### 🛡️ Security Scanning (25 Tools)
- **S3 Security** - 7 comprehensive checks (encryption, ACLs, policies)
- **IAM Analysis** - Wildcard permissions, 50+ privilege escalation patterns ⭐
- **Attack Chain Builder** - Multi-step attack path discovery ⭐ NEW
- **Network Security** - Security Groups, VPC exposure, egress points
- **Data Protection** - DynamoDB, ElastiCache, RDS encryption
- **API Security** - API Gateway, CloudFront configuration
- **Messaging** - SNS/SQS encryption and access policies
- **Identity** - Cognito pools, MFA bypass vectors
- **Secrets** - KMS keys, Secrets Manager, SSM parameters
- **Threat Detection** - GuardDuty findings
- **IMDS Security** - EC2 metadata exposure (SSRF risk)
- **Resource Policies** - S3, SQS, SNS, Lambda policy analysis

### 🔗 Attack Chain Analysis (5 Tools) ⭐ NEW
- **build_attack_chains** - Multi-step attack path discovery
- **analyze_eks_attack_surface** - EKS IRSA & node role abuse
- **detect_privesc_patterns** - 50+ IAM privilege escalation patterns
- **hunt_eks_secrets** - Kubernetes secret enumeration
- **scan_eks_service_accounts** - Service account security audit

### Advanced Security (7 Tools)
- **CloudWatch Security** - Missing alarms, monitoring gaps
- **IAM Escalation** - PassRole abuse, AssumeRole chains
- **SSM Security** - Documents, parameters, session logging
- **IMDS Exposure** - IMDSv1 SSRF risks, instance profiles
- **Resource Policies** - Overly permissive access patterns
- **Network Exposure** - VPC, Transit Gateway, egress analysis
- **Data Exfiltration** - S3 replication, Lambda egress paths

### 🎯 50+ Privilege Escalation Patterns

| Category | Patterns | Description |
|----------|----------|-------------|
| **PassRole Abuse** | 7 | Lambda, EC2, Glue, CloudFormation, CodeBuild, SageMaker, ECS |
| **Policy Manipulation** | 6 | AttachPolicy, PutPolicy, CreatePolicyVersion |
| **Credential Access** | 4 | CreateAccessKey, LoginProfile, UpdateAssumeRole |
| **EKS Abuse** | 5 | IRSA, Node role theft, Fargate, Cluster admin |
| **Lambda Abuse** | 3 | UpdateFunctionCode, Layers, Env secrets |
| **SSM Abuse** | 3 | SendCommand, StartSession, GetParameters |
| **S3 Abuse** | 2 | Replication, BucketPolicy |
| **Defense Evasion** | 3 | CloudTrail, GuardDuty disable |
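To make the table concrete, here is an added example (not nimbus-mcp's own implementation) of how such patterns are detected from a policy document: expand each Allow statement's action wildcards, subtract explicit Denies, and report every pattern whose full action set is granted. The pattern ids and required-action sets are this example's simplified encoding of the well-known Rhino Security Labs list; the sample policy is constructed.

```javascript
// Added example, not nimbus-mcp code: a dependency-free detector for the
// IAM privilege-escalation patterns catalogued above. Required-action sets
// are simplified; Resource and Condition scoping is ignored, so a hit means
// "inspect this principal", not "exploitable as-is".

const PRIVESC_PATTERNS = [
  // Policy manipulation
  { id: 'CreatePolicyVersion',     needs: ['iam:CreatePolicyVersion'] },
  { id: 'SetDefaultPolicyVersion', needs: ['iam:SetDefaultPolicyVersion'] },
  { id: 'AttachUserPolicy',        needs: ['iam:AttachUserPolicy'] },
  { id: 'AttachGroupPolicy',       needs: ['iam:AttachGroupPolicy'] },
  { id: 'AttachRolePolicy',        needs: ['iam:AttachRolePolicy'] },
  { id: 'PutUserPolicy',           needs: ['iam:PutUserPolicy'] },
  { id: 'PutGroupPolicy',          needs: ['iam:PutGroupPolicy'] },
  { id: 'PutRolePolicy',           needs: ['iam:PutRolePolicy'] },
  { id: 'AddUserToGroup',          needs: ['iam:AddUserToGroup'] },
  // Credential access
  { id: 'CreateAccessKey',         needs: ['iam:CreateAccessKey'] },
  { id: 'CreateLoginProfile',      needs: ['iam:CreateLoginProfile'] },
  { id: 'UpdateLoginProfile',      needs: ['iam:UpdateLoginProfile'] },
  { id: 'UpdateAssumeRolePolicy',  needs: ['iam:UpdateAssumeRolePolicy', 'sts:AssumeRole'] },
  // PassRole abuse: a service runs attacker code as a role the caller may pass
  { id: 'PassRole+EC2',            needs: ['iam:PassRole', 'ec2:RunInstances'] },
  { id: 'PassRole+Lambda',         needs: ['iam:PassRole', 'lambda:CreateFunction', 'lambda:InvokeFunction'] },
  { id: 'PassRole+Glue',           needs: ['iam:PassRole', 'glue:CreateDevEndpoint'] },
  { id: 'PassRole+CloudFormation', needs: ['iam:PassRole', 'cloudformation:CreateStack'] },
  { id: 'PassRole+CodeBuild',      needs: ['iam:PassRole', 'codebuild:CreateProject', 'codebuild:StartBuild'] },
  { id: 'PassRole+SageMaker',      needs: ['iam:PassRole', 'sagemaker:CreateNotebookInstance'] },
  { id: 'PassRole+ECS',            needs: ['iam:PassRole', 'ecs:RegisterTaskDefinition', 'ecs:RunTask'] },
  // Code or command execution under a role that already exists
  { id: 'UpdateFunctionCode',      needs: ['lambda:UpdateFunctionCode'] },
  { id: 'SSM SendCommand',         needs: ['ssm:SendCommand'] },
  { id: 'SSM StartSession',        needs: ['ssm:StartSession'] },
];

// IAM action matching: case-insensitive, '*' matches any run, '?' one char.
function actionMatches(granted, wanted) {
  const escaped = granted.toLowerCase()
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${escaped}$`).test(wanted.toLowerCase());
}

const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Split a policy document into Allow and Deny action patterns.
// NotAction statements are not modelled and are skipped.
function collectActions(policy) {
  const allow = [], deny = [];
  for (const st of asArray(policy.Statement)) {
    if (st.NotAction !== undefined) continue;
    (st.Effect === 'Allow' ? allow : deny).push(...asArray(st.Action));
  }
  return { allow, deny };
}

function isGranted(action, { allow, deny }) {
  return allow.some((g) => actionMatches(g, action)) &&
         !deny.some((d) => actionMatches(d, action));
}

// Ids of every pattern whose complete action set is granted.
function detectPrivesc(policy) {
  const grants = collectActions(policy);
  return PRIVESC_PATTERNS
    .filter((p) => p.needs.every((a) => isGranted(a, grants)))
    .map((p) => p.id);
}

// Constructed sample: a "developer" policy that looks harmless but chains
// iam:PassRole with lambda:* into code execution as any passable role.
const SAMPLE_POLICY = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Action: ['iam:PassRole', 'lambda:*'], Resource: '*' },
    { Effect: 'Allow', Action: 'iam:CreateAccessKey',
      Resource: 'arn:aws:iam::123456789012:user/${aws:username}' },
    { Effect: 'Deny', Action: 'lambda:UpdateFunctionCode', Resource: '*' },
  ],
};
const ADMIN_POLICY = { Statement: [{ Effect: 'Allow', Action: '*', Resource: '*' }] };

console.log(detectPrivesc(SAMPLE_POLICY));  // [ 'CreateAccessKey', 'PassRole+Lambda' ]
```

Because Resource and Condition are ignored, treat hits as leads: `iam:CreateAccessKey` scoped to `${aws:username}` is self-service key rotation rather than escalation, but it is still the persistence vector in the Credential Access row. A real detector also has to resolve group memberships and attached managed policies for the principal before evaluating, since the dangerous combination is usually spread across several documents.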

### 📄 Report Formats

| Format | Use Case | Features |
|--------|----------|----------|
| **Markdown** | Quick review, documentation | Human-readable, version control friendly |
| **PDF** | Executive presentations, audits | Professional formatting, color-coded severity, charts |
| **HTML** | Interactive dashboards | Sortable tables, collapsible sections, search |
| **CSV** | Data analysis, Excel import | Structured data export for trending |

## 🚀 Quick Start

### 1️⃣ Installation

**Option 1: Install from npm (Recommended)**

The package runs with your AWS credentials, so treat it like any other dependency in your supply chain: confirm that the npm package's repository field points at this GitHub repository, pin the version you reviewed, and re-check the SDK imports after each upgrade (see the Security Model section).

```bash
# Install globally from npm, pinned to the version this README documents
npm install -g nimbus-mcp@1.5.8
```

**Option 2: Build from source**

```bash
# Clone the repository
git clone https://github.com/h4cd0c/nimbus-mcp.git
cd nimbus-mcp

# Install dependencies
npm install

# Build the TypeScript project
npm run build
```

### 2️⃣ AWS Authentication

Configure AWS credentials using one of these methods:

| Method | Command | Use Case |
|--------|---------|----------|
| **AWS CLI** | `aws configure` | Local development, testing |
| **Environment Variables** | `export AWS_ACCESS_KEY_ID=...` | CI/CD, automation |
| **IAM Instance Profile** | Automatic | EC2 instances |
| **IAM Roles** | Automatic | AWS services (Lambda, ECS) |

**Recommended Permissions:** the `SecurityAudit` managed policy, attached to a dedicated audit role that you assume with short-lived STS credentials. `ReadOnlyAccess` also works but over-grants: it includes `s3:Get*` (object contents) and similar data-plane reads that none of the checks need. A scoped-down policy is listed under Security & Compliance below.

### 3️⃣ MCP Configuration
For VS Code: add to `.vscode/mcp.json` (the path below is a Windows example; point `args` at `dist/index.js` in your checkout)

```json
{
  "servers": {
    "nimbus": {
      "command": "node",
      "args": ["C:\\path\\to\\nimbus-mcp\\dist\\index.js"],
      "type": "stdio"
    }
  }
}
```

**Restart VS Code** after configuration.
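The entry above gives the server whatever credentials the VS Code process already has. A scoped variant, added here as an example rather than taken from the project's docs: VS Code passes the `env` map to the server process, so a dedicated audit profile can be pinned without touching the global environment. The profile name `nimbus-audit`, the Linux install path and the region are assumptions.

```json
{
  "servers": {
    "nimbus": {
      "type": "stdio",
      "command": "node",
      "args": ["/opt/nimbus-mcp/dist/index.js"],
      "env": {
        "AWS_PROFILE": "nimbus-audit",
        "AWS_REGION": "us-east-1"
      }
    }
  }
}
```

Define `nimbus-audit` in `~/.aws/config` with `role_arn` and `source_profile` so the server only ever sees short-lived STS credentials for an audit role carrying the policy from the Security & Compliance section; the assistant driving the tools then cannot do more than that role allows, whatever it is asked to do.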

### 4️⃣ Basic Usage Examples

```bash
# 🔑 Identify current AWS identity
#aws_whoami

# 🌐 Find public-facing resources (attack surface)
#aws_enumerate_public_resources region: us-east-1

# 🔒 Analyze Security Groups for dangerous rules
#aws_analyze_security_groups region: us-east-1

# 🪣 Deep scan S3 bucket security (7 checks)
#aws_scan_s3_bucket_security bucketName: my-production-bucket

# 📊 Generate executive TRA report (PDF)
#aws_generate_security_report region: us-east-1 format: pdf outputFile: C:\reports\aws-security-2026.pdf
```

### 5️⃣ Output Format Control ⭐ NEW

All 45 tools support flexible output formatting via the optional `format` parameter:

**Markdown (Default)** - Human-readable output, perfect for documentation and reports
```bash
#aws_whoami
# Returns: Clean markdown text (backward compatible)
```

**JSON** - Machine-readable structured data with metadata for automation
```bash
#aws_whoami format: json
# Returns: { "tool": "aws_whoami", "format": "json", "timestamp": "...", "data": {...} }
```

**Key Benefits:**
- ✅ **Backward Compatible** - Existing tools work without changes (defaults to markdown)
- ✅ **API Integration** - JSON format enables programmatic consumption
- ✅ **Automation** - Parse structured data for CI/CD pipelines
- ✅ **Metadata** - JSON includes tool name, timestamp, and versioning
- ✅ **Flexible** - Choose format per-tool based on use case

**Supported Tools:** All security scanners, enumerators, and analyzers (45 tools total)

**Example Use Cases:**
```bash
# Structured output for automation: save the returned JSON (e.g. as results.json)
# and consume it from a pipeline. These are MCP tool invocations, not shell
# commands, so shell redirection does not apply.
#aws_analyze_security_groups region: us-east-1 format: json

# Human-readable documentation output (default)
#aws_scan_s3_bucket_security bucketName: my-bucket

# Structured data for API integration
#aws_detect_privesc_patterns format: json
```
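One way to use the JSON format in a pipeline, as an added example that is not part of nimbus-mcp: validate the envelope's `tool` and `format` fields before trusting the file, diff today's findings against a baseline run so only new findings block the build, and fail at a chosen severity. The envelope fields are the ones documented above; the `data.findings` shape (severity, resource, title) is an assumption for this example, as are the sample envelopes.

```javascript
// Added example, not nimbus-mcp code: a CI gate over the JSON envelope shown
// above. The envelope fields (tool, format, timestamp, data) are from the
// page; the shape of `data` (a findings array with severity/resource/title)
// is an assumption made for this example. Dependency-free Node.js.

const SEVERITY_RANK = { LOW: 1, MEDIUM: 2, HIGH: 3, CRITICAL: 4 };

// Validate the envelope before trusting its contents: a stale file from a
// different tool, or markdown output saved by mistake, must not pass the gate.
function parseEnvelope(text, expectedTool) {
  const env = JSON.parse(text);
  if (env.format !== 'json') throw new Error(`unexpected format: ${env.format}`);
  if (expectedTool && env.tool !== expectedTool) throw new Error(`unexpected tool: ${env.tool}`);
  if (!env.data || !Array.isArray(env.data.findings)) throw new Error('data.findings missing (assumed schema)');
  return env;
}

// Stable identity for a finding, so the same misconfiguration is recognised
// across runs even though timestamps and ordering change.
const findingKey = (f) => `${f.severity}|${f.resource}|${f.title}`;

// Fail on NEW findings at or above `failOn`. Findings already in the baseline
// are counted but do not block: they are known and tracked elsewhere.
function gate(currentText, { tool, failOn = 'HIGH', baselineText = null } = {}) {
  const current = parseEnvelope(currentText, tool).data.findings;
  const known = new Set(
    baselineText ? parseEnvelope(baselineText, tool).data.findings.map(findingKey) : [],
  );
  const threshold = SEVERITY_RANK[failOn];
  if (threshold === undefined) throw new Error(`unknown severity: ${failOn}`);
  const fresh = current.filter((f) => !known.has(findingKey(f)));
  const blocking = fresh.filter((f) => (SEVERITY_RANK[f.severity] || 0) >= threshold);
  return {
    total: current.length,
    newFindings: fresh.length,
    blocking: blocking.map(findingKey),
    pass: blocking.length === 0,
  };
}

// Constructed sample envelopes: last week's scan and today's.
const LAST_WEEK = JSON.stringify({
  tool: 'aws_analyze_security_groups', format: 'json', timestamp: '2026-01-01T00:00:00Z',
  data: { findings: [
    { severity: 'CRITICAL', resource: 'sg-0aaa', title: '0.0.0.0/0 ingress to SSH (22)' },
    { severity: 'MEDIUM', resource: 'sg-0ccc', title: 'unused security group' },
  ] },
});
const TODAY = JSON.stringify({
  tool: 'aws_analyze_security_groups', format: 'json', timestamp: '2026-01-08T00:00:00Z',
  data: { findings: [
    { severity: 'CRITICAL', resource: 'sg-0aaa', title: '0.0.0.0/0 ingress to SSH (22)' },
    { severity: 'HIGH', resource: 'sg-0ddd', title: '0.0.0.0/0 ingress to RDP (3389)' },
    { severity: 'LOW', resource: 'sg-0eee', title: 'missing description' },
  ] },
});

console.log(gate(TODAY, { tool: 'aws_analyze_security_groups', baselineText: LAST_WEEK }));
// { total: 3, newFindings: 2,
//   blocking: [ 'HIGH|sg-0ddd|0.0.0.0/0 ingress to RDP (3389)' ], pass: false }
```

The baseline comparison is what makes the CSV "trending" use case above actionable: the critical SSH rule is still reported, but only the new RDP exposure fails the build, so a known backlog does not train the team to ignore the gate.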

## 📋 Complete Tool Reference

πŸ” Enumeration Tools (10) - Click to expand

| Tool | Description | Example |
|------|-------------|---------|
| `aws_whoami` | Identify current AWS identity (user/role, account ID, ARN) | `#aws_whoami` |
| `aws_enumerate_ec2_instances` | List EC2 instances with public IPs and security groups | `region: us-east-1` |
| `aws_enumerate_s3_buckets` | List all S3 buckets in the account | No parameters |
| `aws_enumerate_iam_users` | List IAM users with access key ages and last used dates | No parameters |
| `aws_enumerate_iam_roles` | List IAM roles with trust relationships | No parameters |
| `aws_enumerate_rds_databases` | List RDS instances/clusters with public accessibility | `region: us-east-1` |
| `aws_enumerate_vpcs` | List VPCs with subnets and CIDR blocks | `region: us-east-1` |
| `aws_enumerate_lambda_functions` | List Lambda functions with runtimes and IAM roles | `region: us-east-1` |
| `aws_enumerate_eks_clusters` | List EKS clusters with Kubernetes versions | `region: us-east-1` |
| `aws_enumerate_public_resources` | Map public attack surface (EC2, RDS, S3) | `region: us-east-1` |
| `aws_scan_eks_service_accounts` | Analyze EKS service account security (IRSA, OIDC) | `region, clusterName` |
| `aws_hunt_eks_secrets` | Comprehensive K8s secret hunting guide | `region, clusterName` |

**🌐 Multi-Region Scanning Tools (2) ⭐ NEW**

| Tool | Description | Example |
|------|-------------|---------|
| `aws_scan_all_regions` | Scan multiple AWS regions for resources in parallel. Supports EC2, Lambda, RDS, EKS, Secrets, GuardDuty, ElastiCache, VPC. | `resourceType: ec2, regions: "us-east-1,eu-west-1"` |
| `aws_list_active_regions` | Quick discovery of which regions have resources deployed. Checks EC2, Lambda, RDS counts per region. | `scanMode: common` or `regions: "us-east-1"` |

**Usage Examples:**
```bash
# Single region scan
#aws_scan_all_regions resourceType: ec2 regions: "us-east-1"

# Multiple specific regions
#aws_scan_all_regions resourceType: lambda regions: "us-east-1,eu-west-1,ap-southeast-1"

# Preset: Common regions (11 popular regions)
#aws_scan_all_regions resourceType: rds scanMode: common

# Preset: All regions (30+ regions); parallelism caps the regions in flight
#aws_scan_all_regions resourceType: all scanMode: all parallelism: 10

# Discover active regions first
#aws_list_active_regions scanMode: common
```
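The presets and the `parallelism` knob above map onto a small worker pool. The code below is an added example, not the project's implementation: it resolves a `regions`/`scanMode` argument, validates region tokens before they reach any SDK call, and runs a pluggable per-region scanner with at most `parallelism` regions in flight, capturing per-region failures (a region the account has not opted into) instead of aborting the whole scan. The "common" region membership and the fake scanner are assumptions.

```javascript
// Added example, not nimbus-mcp code: a bounded-concurrency multi-region
// scanner of the kind `aws_scan_all_regions ... parallelism: 10` describes.
// The per-region scan is a pluggable async function; a constructed fake
// stands in for the AWS SDK call so this runs offline. Dependency-free Node.js.

// The page says the "common" preset is 11 regions but does not list them;
// this membership is an assumption for the example.
const COMMON_REGIONS = [
  'us-east-1', 'us-east-2', 'us-west-1', 'us-west-2', 'ca-central-1',
  'eu-west-1', 'eu-west-2', 'eu-central-1',
  'ap-southeast-1', 'ap-southeast-2', 'ap-northeast-1',
];

// Turn `regions: "us-east-1,eu-west-1"` or `scanMode: common` into a list.
// Tokens that are not region-shaped are rejected rather than passed to the SDK.
function resolveRegions({ regions, scanMode } = {}) {
  if (regions) {
    const valid = /^[a-z]{2}(-gov)?-[a-z]+-\d$/;
    return regions.split(',').map((s) => s.trim()).filter(Boolean).map((r) => {
      if (!valid.test(r)) throw new Error(`invalid region: ${r}`);
      return r;
    });
  }
  if (scanMode === 'common') return COMMON_REGIONS.slice();
  throw new Error('scanMode "all" needs ec2:DescribeRegions at runtime; not modelled here');
}

// Worker pool: never more than `parallelism` regions in flight, which keeps
// the assessment inside API rate limits. Failures are captured per region so
// one disabled or opted-out region does not abort the whole scan.
async function scanRegions(regions, scanOne, parallelism = 5) {
  const results = new Array(regions.length);
  let next = 0;
  async function worker() {
    while (next < regions.length) {
      const i = next++;                 // claimed synchronously: no double work
      const region = regions[i];
      try {
        results[i] = { region, ok: true, data: await scanOne(region) };
      } catch (err) {
        results[i] = { region, ok: false, error: String(err.message || err) };
      }
    }
  }
  const workers = Array.from({ length: Math.min(parallelism, regions.length) }, worker);
  await Promise.all(workers);
  return results;
}

// Constructed fake: two regions hold instances, one is not enabled for the
// account (a real DescribeInstances there fails with AuthFailure), and the
// scanner records its peak in-flight count so the limiter can be checked.
function makeFakeScanner() {
  let inFlight = 0, peak = 0;
  const inventory = { 'us-east-1': 3, 'eu-west-1': 1 };
  async function scanOne(region) {
    inFlight += 1; peak = Math.max(peak, inFlight);
    await new Promise((resolve) => setTimeout(resolve, 5));
    inFlight -= 1;
    if (region === 'eu-west-2') throw new Error('AuthFailure: region not opted in');
    return { ec2Instances: inventory[region] || 0 };
  }
  return { scanOne, peak: () => peak };
}

const demo = makeFakeScanner();
scanRegions(resolveRegions({ regions: 'us-east-1,eu-west-1,eu-west-2,ap-southeast-2,us-west-2' }), demo.scanOne, 2)
  .then((res) => console.log(res, 'peak in-flight:', demo.peak()));
```

Plugging in the real SDK means `scanOne` constructs a regional client (for example an EC2 client with `{ region }`) and issues the Describe call; the pool and the error capture stay the same, and the `parallelism` value becomes the one place to tune API load for large estates.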

πŸ›‘οΈ Security Scanning Tools (13) - Click to expand

| Tool | Security Checks | Severity Findings |
|------|----------------|-------------------|
| `aws_scan_s3_bucket_security` | Public access, encryption, ACLs, versioning, logging | 🔴 Critical: Public + unencrypted |
| `aws_analyze_security_groups` | 0.0.0.0/0 rules, open ports (SSH, RDP, DB) | 🔴 Critical: Internet-exposed mgmt ports |
| `aws_check_iam_policies` | Wildcard permissions (`*:*`), overly permissive | 🔴 Critical: Admin access wildcards |
| `check_kms_keys` | Key rotation, key policy analysis | 🟡 Medium: Rotation disabled |
| `aws_scan_secrets_manager` | Rotation enabled, encryption, last rotated date | 🟠 High: No rotation in 90+ days |
| `aws_scan_dynamodb_security` | Encryption at rest (KMS key type), PITR, backup retention | 🔴 Critical: No KMS encryption (AWS-owned key only) |
| `aws_scan_api_gateway_security` | Logging, throttling, authorization, SSL certificates | 🟠 High: No logging enabled |
| `aws_scan_cloudfront_security` | TLS versions, HTTPS enforcement, WAF, OAI | 🔴 Critical: TLSv1.0 enabled |
| `aws_scan_elasticache_security` | Encryption in-transit/at-rest, auth tokens | 🔴 Critical: No encryption |
| `aws_get_guardduty_findings` | Active threats, malicious IPs, compromised instances | 🔴 Critical: Active threats |
| `aws_scan_sns_security` | Topic encryption (KMS), access policies, HTTP subscriptions | 🔴 Critical: No encryption |
| `aws_scan_sqs_security` | Queue encryption, dead letter queues, access policies | 🔴 Critical: Public queue access |
| `aws_scan_cognito_security` | Unauthenticated access, MFA, password policies | 🔴 Critical: Unauth access enabled |
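The Security Group row above and the IMDS checks listed under Advanced Security describe tests that can be stated precisely. As an added example, not the project's code, the following evaluates constructed `DescribeSecurityGroups` and `DescribeInstances` responses: it flags management ports open to 0.0.0.0/0 or ::/0 (including all-traffic rules, which carry no port range), then rates IMDSv1 instances higher when an instance profile is attached and the instance sits behind an exposed group, which is the public → internal chain the attack-path tool looks for. Field names follow the AWS SDK v3 response types; the finding format is this example's own.

```javascript
// Added example, not nimbus-mcp code: Security Group exposure and IMDSv1
// checks over constructed DescribeSecurityGroups / DescribeInstances-shaped
// objects. Dependency-free Node.js.

const MGMT_PORTS = {
  22: 'SSH', 3389: 'RDP', 1433: 'MSSQL', 3306: 'MySQL',
  5432: 'PostgreSQL', 6379: 'Redis', 27017: 'MongoDB',
};

const worldOpen = (perm) =>
  (perm.IpRanges || []).some((r) => r.CidrIp === '0.0.0.0/0') ||
  (perm.Ipv6Ranges || []).some((r) => r.CidrIpv6 === '::/0');

// Management ports a single ingress rule exposes to the Internet.
// IpProtocol '-1' is "all traffic" and has no FromPort/ToPort in the response.
function exposedPorts(perm) {
  if (!worldOpen(perm)) return [];
  const ports = Object.keys(MGMT_PORTS).map(Number);
  if (perm.IpProtocol === '-1') return ports;
  if (perm.IpProtocol !== 'tcp') return [];
  return ports.filter((p) => perm.FromPort <= p && p <= perm.ToPort);
}

function analyzeSecurityGroups(groups) {
  const findings = [];
  for (const g of groups) {
    for (const perm of g.IpPermissions || []) {
      for (const port of exposedPorts(perm)) {
        findings.push({
          severity: 'CRITICAL', groupId: g.GroupId, port,
          detail: `0.0.0.0/0 ingress to ${MGMT_PORTS[port]} (${port})`,
        });
      }
    }
  }
  return findings;
}

// IMDSv1 (HttpTokens 'optional') plus an instance profile means any SSRF on
// the instance yields role credentials. Rank higher when the instance also
// sits in an Internet-exposed group: that is the public -> internal chain.
function analyzeImds(instances, sgFindings) {
  const exposedGroups = new Set(sgFindings.map((f) => f.groupId));
  const findings = [];
  for (const inst of instances) {
    const tokensRequired = inst.MetadataOptions && inst.MetadataOptions.HttpTokens === 'required';
    if (tokensRequired) continue;
    const hasProfile = Boolean(inst.IamInstanceProfile && inst.IamInstanceProfile.Arn);
    const reachable = Boolean(inst.PublicIpAddress) &&
      (inst.SecurityGroups || []).some((sg) => exposedGroups.has(sg.GroupId));
    findings.push({
      severity: hasProfile && reachable ? 'CRITICAL' : hasProfile ? 'HIGH' : 'MEDIUM',
      instanceId: inst.InstanceId,
      detail: 'IMDSv1 allowed' +
        (hasProfile ? ', instance profile attached' : '') +
        (reachable ? ', management port open to the Internet' : ''),
    });
  }
  return findings;
}

// Constructed sample data.
const SAMPLE_SGS = [
  { GroupId: 'sg-0aaa', IpPermissions: [
    { IpProtocol: 'tcp', FromPort: 22, ToPort: 22, IpRanges: [{ CidrIp: '0.0.0.0/0' }] },
    { IpProtocol: 'tcp', FromPort: 443, ToPort: 443, IpRanges: [{ CidrIp: '0.0.0.0/0' }] },
  ] },
  { GroupId: 'sg-0bbb', IpPermissions: [
    { IpProtocol: 'tcp', FromPort: 3306, ToPort: 3306, IpRanges: [{ CidrIp: '10.0.0.0/8' }] },
  ] },
];
const SAMPLE_INSTANCES = [
  { InstanceId: 'i-0aaa', PublicIpAddress: '203.0.113.10',
    SecurityGroups: [{ GroupId: 'sg-0aaa' }],
    IamInstanceProfile: { Arn: 'arn:aws:iam::123456789012:instance-profile/web' },
    MetadataOptions: { HttpTokens: 'optional' } },
  { InstanceId: 'i-0bbb', SecurityGroups: [{ GroupId: 'sg-0bbb' }],
    MetadataOptions: { HttpTokens: 'required' } },
];

const sgFindings = analyzeSecurityGroups(SAMPLE_SGS);
console.log(sgFindings, analyzeImds(SAMPLE_INSTANCES, sgFindings));
```

Port 443 open to the world is deliberately not a finding here (that is what a web tier looks like); the MySQL rule is scoped to 10.0.0.0/8 and passes too. The fix for the critical IMDS finding is `HttpTokens: required` on the instance (IMDSv2), which turns the SSRF-to-credentials step into a dead end even if the management port stays open.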

**🎯 Attack Analysis Tools (2)**

| Tool | Analysis | Output |
|------|----------|--------|
| `aws_analyze_attack_paths` | IAM privilege escalation, public → internal vectors | Exploitation scenarios with step-by-step chains |
| `aws_generate_security_report` | Aggregate all findings, risk scoring, remediation | PDF/HTML/CSV/Markdown reports |

**📊 TRA (Threat & Risk Assessment) Tool (1) ⭐ NEW**

| Feature | Description | Output |
|---------|-------------|--------|
| **Risk Scoring** | 0-10 automated scale with severity weighting | Risk level: CRITICAL/HIGH/MEDIUM/LOW |
| **Compliance Mapping** | CIS AWS Foundations, NIST 800-53, PCI-DSS, HIPAA | Pass/Fail/Partial for each control |
| **MITRE ATT&CK** | Cloud Matrix tactic and technique mapping | Attack phase classification |
| **Remediation Roadmap** | 4-phase timeline (0-7 days → 3-6 months) | Prioritized action plan |
| **Executive Summary** | One-page risk overview with top 10 critical findings | Board-ready PDF/HTML report |

📚 **[Complete TRA Documentation](TRA_TOOL.md)** - 471 lines with examples and use cases

## 🏗️ Architecture

```
┌─────────────────────────────────────────────────────────────┐
│                    MCP Client (VS Code)                     │
│                Claude Dev / Cline Extension                 │
└──────────────────────────┬──────────────────────────────────┘
                           │ MCP Protocol
                           ▼
┌─────────────────────────────────────────────────────────────┐
│                 Nimbus MCP Server (Node.js)                 │
│  ┌───────────┬────────────┬────────────────┬─────────────┐  │
│  │Enumeration│  Scanning  │Attack Analysis │     TRA     │  │
│  │ (10 tools)│ (13 tools) │   (2 tools)    │  (1 tool)   │  │
│  └───────────┴────────────┴────────────────┴─────────────┘  │
└──────────────────────────┬──────────────────────────────────┘
                           │ AWS SDK v3 (21 clients)
                           ▼
┌─────────────────────────────────────────────────────────────┐
│                          AWS Cloud                          │
│  ┌─────┬─────┬─────┬─────┬──────┬─────┬─────┬─────┬───────┐ │
│  │ IAM │ EC2 │ S3  │ RDS │Lambda│ EKS │ SNS │ SQS │Cognito│ │
│  └─────┴─────┴─────┴─────┴──────┴─────┴─────┴─────┴───────┘ │
│     ✅ READ-ONLY Operations | ❌ NO Write/Delete/Modify      │
└─────────────────────────────────────────────────────────────┘
```

### 🔒 Security Model

| Operation Type | Supported | SDK Commands Used |
|----------------|-----------|-------------------|
| **Read** | ✅ Yes | `Get*`, `List*`, `Describe*` |
| **Write** | ❌ No | Not imported in codebase |
| **Delete** | ❌ No | Not imported in codebase |
| **Modify** | ❌ No | Not imported in codebase |

**Verification:** Even with admin credentials (`*:*` permissions), the tool **cannot** modify AWS resources, because the codebase imports only read-only SDK commands. A few caveats a practitioner should keep in mind:

- This is a property of the shipped code, not something AWS enforces. Treat the credentials you hand the server as the real control: grant the audit policy from Security & Compliance rather than admin, and re-check the SDK imports after every upgrade.
- "Read-only" is not "harmless": `Get*` commands such as `GetSecretValue` or S3 `GetObject` return sensitive data without changing anything. The granular policy under Security & Compliance deliberately omits them.
- Every call still lands in CloudTrail and counts against API rate limits, so tell the account's SOC before a scan and keep `parallelism` modest on large estates.
- The MCP client (an LLM) decides which tool to call and with which arguments, and the AWS data it reads back (tags, names, policy documents) becomes part of its context. Treat that data as untrusted input to the assistant and review tool calls before acting on their output.
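Because the read-only claim rests on which SDK commands the code imports, it is worth checking rather than trusting, especially after an upgrade. The script below is an added example and not part of nimbus-mcp: it scans TypeScript/JavaScript source text for `@aws-sdk/client-*` imports, reports any command that is not a `Get`/`List`/`Describe`-style read, and separately flags reads that return sensitive material even though they change nothing. The sample sources are constructed; to run it on a real checkout, feed it each file under the project's source directory.

```javascript
// Added example, not nimbus-mcp code: verify the "read-only" claim by
// auditing which AWS SDK v3 Command classes a source tree imports.
// Dependency-free Node.js; source text is passed in, so it runs offline.

// Command-name prefixes that denote read operations in SDK v3.
const READ_PREFIXES = ['Get', 'List', 'Describe', 'Lookup', 'Head', 'Search'];

// Reads that modify nothing but hand the caller sensitive material. A
// configuration scanner has no reason to import these; flag them separately.
const SENSITIVE_READS = new Set([
  'GetSecretValueCommand',      // Secrets Manager plaintext
  'GetParameterCommand',        // SSM SecureString values
  'GetParametersCommand',
  'GetParametersByPathCommand',
  'GetObjectCommand',           // S3 object data
  'GetFunctionCommand',         // response carries a presigned URL to Lambda code
  'GetPasswordDataCommand',     // EC2 Windows admin password
  'GetItemCommand',             // DynamoDB row data
  'BatchGetItemCommand',
  'QueryCommand',
  'ScanCommand',
]);

// Matches both `import { A, B as C } from '@aws-sdk/client-x'` and
// `const { A } = require('@aws-sdk/client-x')`. Dynamic import() and
// re-exports are not covered; grep for them separately.
const IMPORT_RE =
  /(?:import\s*\{([^}]*)\}\s*from\s*['"](@aws-sdk\/client-[\w-]+)['"]|const\s*\{([^}]*)\}\s*=\s*require\(\s*['"](@aws-sdk\/client-[\w-]+)['"]\s*\))/g;

const isReadCommand = (name) => READ_PREFIXES.some((p) => name.startsWith(p));

// Returns { write: [...], sensitive: [...] } as "package:CommandName" strings.
function auditSdkImports(source) {
  const write = [];
  const sensitive = [];
  for (const m of source.matchAll(IMPORT_RE)) {
    const specifiers = m[1] !== undefined ? m[1] : m[3];
    const pkg = m[2] !== undefined ? m[2] : m[4];
    for (const raw of specifiers.split(',')) {
      const name = raw.trim().split(/\s+as\s+/)[0];   // drop `as Alias`
      if (!name.endsWith('Command')) continue;       // clients, types
      if (SENSITIVE_READS.has(name)) sensitive.push(`${pkg}:${name}`);
      else if (!isReadCommand(name)) write.push(`${pkg}:${name}`);
    }
  }
  return { write, sensitive };
}

// Constructed samples, not files from the project.
const SAMPLE_CLEAN = `
import { IAMClient, ListUsersCommand, GetUserCommand } from "@aws-sdk/client-iam";
import { S3Client, GetBucketPolicyCommand } from "@aws-sdk/client-s3";
`;
const SAMPLE_SUSPECT = `
import { S3Client, GetObjectCommand, PutBucketPolicyCommand as Put } from "@aws-sdk/client-s3";
const { SecretsManagerClient, GetSecretValueCommand } = require("@aws-sdk/client-secrets-manager");
`;

console.log(auditSdkImports(SAMPLE_SUSPECT));
// { write: [ '@aws-sdk/client-s3:PutBucketPolicyCommand' ],
//   sensitive: [ '@aws-sdk/client-s3:GetObjectCommand',
//                '@aws-sdk/client-secrets-manager:GetSecretValueCommand' ] }
```

Anything in `write` contradicts the table above and is a reason not to install the version; anything in `sensitive` deserves a look at why a configuration check would need it. Pair the static audit with the IAM policy below: the audit tells you what the code could call, the policy decides what it is allowed to call.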

### 🛡️ Input Validation & Auto-Completion ⭐ NEW

**Enhanced Security (OWASP MCP-05 Compliance):**
- **Pattern-Based Validation** - Regex validation for all AWS resource identifiers (ARNs, instance IDs, bucket names, etc.)
- **Whitelist Validation** - Region names and resource types validated against AWS service catalogs
- **Sanitization** - Automatic removal of control characters and length enforcement
- **Clear Error Messages** - Helpful validation errors guide users to correct input formats

**Improved User Experience:**
- **Auto-Completion Support** - Intelligent suggestions for regions, resource types, formats, and scan modes
- **Prefix Filtering** - Type-ahead suggestions as you enter values
- **Context-Aware** - Suggests relevant values based on the current tool and argument

Supported completions:
- `region`/`regions` - All 30 AWS regions + "all", "common"
- `resourceType` - EC2, Lambda, RDS, EKS, Secrets, GuardDuty, ElastiCache, VPC
- `format` - markdown, json, html, pdf, csv
- `scanMode` - common, all
- `severity` - LOW, MEDIUM, HIGH, CRITICAL
- `framework` - nist, iso27001, pci-dss, hipaa, soc2, cis

## 🔍 Security Findings Reference

| Severity | Finding Category | Example Issues | Business Impact |
|----------|------------------|----------------|-----------------|
| 🔴 CRITICAL | Public Exposure | • EC2 with 0.0.0.0/0 on SSH/RDP<br>• Public RDS databases<br>• S3 public + unencrypted | Direct Internet access → data breach |
| 🔴 CRITICAL | Data Protection | • DynamoDB without KMS encryption (AWS-owned key only)<br>• ElastiCache no encryption<br>• SNS/SQS plaintext messages | Sensitive data exposure at rest/in transit |
| 🔴 CRITICAL | Access Control | • SNS/SQS public access (Principal: *)<br>• Cognito unauthenticated access<br>• S3 bucket ACL public-read | Anonymous access to AWS resources |
| 🔴 CRITICAL | TLS/SSL | • CloudFront TLSv1.0 enabled<br>• API Gateway weak ciphers | Man-in-the-middle attack vulnerability |
| 🟠 HIGH | IAM Security | • Wildcard permissions (*:*)<br>• Access keys 90+ days old<br>• No MFA on privileged users | Privilege escalation, credential compromise |
| 🟠 HIGH | Audit & Logging | • API Gateway no logging<br>• CloudTrail disabled<br>• No GuardDuty monitoring | No forensic evidence, undetected breaches |
| 🟠 HIGH | Secrets Management | • Secrets not rotated 90+ days<br>• Hardcoded creds in Lambda env<br>• KMS keys unrotated | Long-lived credentials increase attack window |
| 🟡 MEDIUM | Resilience | • RDS backup retention < 7 days<br>• DynamoDB no PITR<br>• SQS no dead letter queue | Data loss risk, poor disaster recovery |
| 🟡 MEDIUM | Denial of Service | • API Gateway no throttling<br>• No WAF on CloudFront<br>• Lambda no concurrency limits | Service disruption, cost spike attacks |

### 📊 Finding Statistics (Typical Enterprise Account)

```
Total Findings: ~80-150
├── 🔴 CRITICAL: 12-25 (15-20%)
├── 🟠 HIGH: 28-45 (35-40%)
├── 🟡 MEDIUM: 30-50 (40-45%)
└── 🟢 LOW: 10-30 (10-15%)

Risk Score: 6.5-7.8 / 10 (HIGH)
Compliance: 60-75% (Typical first scan)
```

## 📚 Documentation

| Document | Description | Lines | Link |
|----------|-------------|-------|------|
| **README.md** | Project overview, quick start, tool reference | 350+ | You're here |
| **USAGE.md** | Detailed workflows, examples, best practices | 400+ | [View](USAGE.md) |
| **TRA_TOOL.md** | Complete TRA guide with compliance frameworks | 471 | [View](TRA_TOOL.md) |
| **COMPLETE.md** | Phase completion summary, achievements | 200+ | [View](COMPLETE.md) |
| **Built-in Help** | Interactive command reference | - | `#aws_help` |

## 🛡️ Security & Compliance

### Required AWS Permissions

**Recommended Managed Policies:**
- ✅ `SecurityAudit` - AWS managed policy for security auditing (preferred: no object-level or secret-value reads)
- ✅ `ReadOnlyAccess` - Comprehensive read-only access (works, but includes `s3:Get*` and other data reads the tool does not need)

**Granular Permissions (Minimum Required):**

The policy below covers the services in the tool tables above and uses the real IAM action names for the S3 and KMS checks. The S3 encryption and replication checks need `s3:GetEncryptionConfiguration` and `s3:GetReplicationConfiguration`, which `s3:GetBucket*` does not cover; the account-level Block Public Access check needs `s3:GetAccountPublicAccessBlock` (there is no `s3:GetPublicAccessBlock` action; the bucket-level `s3:GetBucketPublicAccessBlock` is already matched by `s3:GetBucket*`); the KMS rotation and key policy checks need `kms:GetKeyRotationStatus` and `kms:GetKeyPolicy`, covered here by `kms:Get*`. CloudTrail, CloudWatch and SSM read actions are included for the logging, alarm and SSM checks; if a tool reports AccessDenied, add the Describe/List action it names. Nothing here grants `secretsmanager:GetSecretValue`, `ssm:GetParameter*` or `s3:GetObject`. EKS checks that query the Kubernetes API additionally need a cluster access entry or `aws-auth` mapping with read RBAC, which IAM alone does not provide.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "s3:ListAllMyBuckets",
        "s3:GetBucket*",
        "s3:GetAccountPublicAccessBlock",
        "s3:GetEncryptionConfiguration",
        "s3:GetReplicationConfiguration",
        "iam:List*",
        "iam:Get*",
        "rds:Describe*",
        "lambda:List*",
        "lambda:Get*",
        "eks:List*",
        "eks:Describe*",
        "kms:List*",
        "kms:Describe*",
        "kms:Get*",
        "secretsmanager:List*",
        "secretsmanager:Describe*",
        "dynamodb:List*",
        "dynamodb:Describe*",
        "apigateway:GET",
        "cloudfront:List*",
        "cloudfront:Get*",
        "elasticache:Describe*",
        "guardduty:List*",
        "guardduty:Get*",
        "sns:List*",
        "sns:Get*",
        "sqs:List*",
        "sqs:Get*",
        "cognito-identity:List*",
        "cognito-identity:Describe*",
        "cognito-idp:List*",
        "cognito-idp:Describe*",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudwatch:DescribeAlarms",
        "ssm:DescribeParameters",
        "ssm:ListDocuments",
        "ssm:DescribeDocument"
      ],
      "Resource": "*"
    }
  ]
}
```

### Best Practices

| Practice | Recommendation | Rationale |
|----------|---------------|-----------|
| **Authorization** | Obtain written permission from AWS account owner | Legal compliance, audit trail |
| **Environment** | Test in non-production first | Avoid business disruption |
| **Credentials** | Use temporary credentials (STS AssumeRole) | Minimize credential exposure |
| **Logging** | Enable CloudTrail in target account | Audit all API calls |
| **Documentation** | Record all findings and commands executed | Evidence for remediation |
| **Scope** | Define testing scope (regions, services) | Focused assessment |

### Compliance Frameworks

This tool helps assess compliance with:

- ✅ **CIS AWS Foundations Benchmark** - Security baseline controls
- ✅ **NIST 800-53** - Federal security controls (AC, AU, CM, SC families)
- ✅ **PCI-DSS 3.2.1** - Payment card industry requirements
- ✅ **HIPAA** - Healthcare data protection (encryption, access control)
- ✅ **GDPR** - Data privacy and protection (encryption, audit logging)

## 🎓 Example Workflows

### Workflow 1: 🚀 Quick Security Scan (5 minutes)

**Use Case:** Pre-TRA meeting, rapid assessment

```bash
# Step 1: Verify access
#aws_whoami

# Step 2: Map attack surface
#aws_enumerate_public_resources region: us-east-1

# Step 3: Check network security
#aws_analyze_security_groups region: us-east-1

# Step 4: Generate executive report
#aws_generate_security_report region: us-east-1 format: pdf outputFile: C:\reports\quick-scan.pdf
```

**Expected Output:** 10-20 findings, risk score, top 5 priorities

---

### Workflow 2: 🔍 IAM Security Audit (15 minutes)

**Use Case:** Access control review, privilege escalation testing

```bash
# Step 1: Enumerate all users
#aws_enumerate_iam_users

# Step 2: Enumerate all roles
#aws_enumerate_iam_roles

# Step 3: Check for wildcard permissions
#aws_check_iam_policies

# Step 4: Identify attack paths
#aws_analyze_attack_paths region: us-east-1
```

**Expected Output:** Wildcard policies, old access keys, privilege escalation chains

---

### Workflow 3: 🗄️ Data Security Assessment (20 minutes)

**Use Case:** Compliance audit (encryption, access control)

```bash
# Step 1: List all S3 buckets
#aws_enumerate_s3_buckets

# Step 2: Deep scan critical buckets
#aws_scan_s3_bucket_security bucketName: production-data

# Step 3: Check RDS encryption
#aws_enumerate_rds_databases region: us-east-1

# Step 4: Check DynamoDB security
#aws_scan_dynamodb_security region: us-east-1

# Step 5: Verify secrets rotation
#aws_scan_secrets_manager region: us-east-1
```

**Expected Output:** Unencrypted buckets, public databases, unrotated secrets

---

### Workflow 4: 📊 Complete TRA Report (30 minutes)

**Use Case:** Board meeting, compliance audit, executive briefing

```bash
# Single command for comprehensive assessment
#aws_generate_security_report region: us-east-1 format: pdf outputFile: C:\reports\TRA-Report-2026-Q4.pdf fullScan: true includeCompliance: true includeRemediation: true
```

**Report Includes:**
- ✅ Risk score (0-10 scale) with trend analysis
- ✅ Compliance mapping (CIS, NIST, PCI, HIPAA)
- ✅ MITRE ATT&CK tactics and techniques
- ✅ Remediation roadmap (4 phases: 0-7 days → 3-6 months)
- ✅ Executive summary (one-page overview)
- ✅ Detailed findings by service (50-100 pages)

📚 **[See TRA_TOOL.md for complete guide](TRA_TOOL.md)**

## 🤝 Contributing

We welcome contributions! Here's how to get started:

### Priority Areas for Enhancement

| Category | Enhancement Ideas | Difficulty |
|----------|------------------|------------|
| **New Services** | AWS Config, Systems Manager, WAF, Load Balancers | Medium |
| **Analysis** | CloudTrail log analysis, cost optimization | High |
| **Compliance** | SOC 2, ISO 27001 mapping | Medium |
| **Automation** | Scheduled scans | Medium |
| **Remediation** | Auto-generate Terraform/CloudFormation fixes | High |
| **Integrations** | Security Hub, Jira, Slack notifications | Medium |

### Development Workflow

```bash
# 1. Fork and clone
git clone https://github.com/yourusername/nimbus-mcp.git
cd nimbus-mcp

# 2. Create feature branch
git checkout -b feature/new-service-scanner

# 3. Install and build
npm install
npm run build

# 4. Test your changes
npm test # (add tests for new features)

# 5. Submit pull request
git push origin feature/new-service-scanner
```

### Code Standards

- ✅ TypeScript strict mode
- ✅ Error handling for AWS SDK calls
- ✅ Severity classification (CRITICAL/HIGH/MEDIUM/LOW)
- ✅ Documentation in README.md and tool descriptions
- ✅ Test coverage for new tools

## ⚠️ Legal Disclaimer

**⚠️ AUTHORIZED USE ONLY ⚠️**

This tool is designed for **authorized security testing and compliance auditing only**.

### User Responsibilities

| Requirement | Description |
|-------------|-------------|
| **Authorization** | Obtain written permission from AWS account owner before testing |
| **Scope** | Only test resources explicitly authorized in writing |
| **Compliance** | Follow AWS Acceptable Use Policy and Customer Agreement |
| **Laws** | Comply with local, state, federal, and international laws |
| **Liability** | Users assume all liability for unauthorized or improper use |

### AWS Acceptable Use Policy

Testing activities must not:
- ❌ Disrupt AWS services or other customers
- ❌ Generate excessive API calls (rate limiting)
- ❌ Access data you don't own
- ❌ Violate privacy or data protection laws

## 📄 License

**MIT License** - See [LICENSE](LICENSE) file for details

Copyright (c) 2026 h4cd0c

---

## 🔗 Resources & References

### AWS Documentation
- 📘 [AWS Security Best Practices](https://aws.amazon.com/security/best-practices/)
- 📘 [IAM Security Best Practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
- 📘 [AWS Well-Architected Security Pillar](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html)
- 📘 [AWS Penetration Testing](https://aws.amazon.com/security/penetration-testing/)

### Compliance Frameworks
- 📋 [CIS AWS Foundations Benchmark](https://www.cisecurity.org/benchmark/amazon_web_services)
- 📋 [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework)
- 📋 [PCI-DSS Cloud Guidelines](https://www.pcisecuritystandards.org/)

### Security Tools & Platforms
- πŸ› οΈ [Model Context Protocol](https://modelcontextprotocol.io/)
- πŸ› οΈ [AWS SDK for JavaScript v3](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/)
- πŸ› οΈ [MITRE ATT&CK Cloud Matrix](https://attack.mitre.org/matrices/enterprise/cloud/)

---

## 🌟 Support This Project

If this tool helps your security assessments, please:

⭐ **Star this repository** on GitHub
🐛 **Report issues** or suggest features
🤝 **Contribute** code or documentation
📢 **Share** with your security team

**Built with:** TypeScript • AWS SDK v3 • MCP SDK v1.0.4

**Author:** [h4cd0c](https://github.com/h4cd0c)
**Repository:** [nimbus-mcp](https://github.com/h4cd0c/nimbus-mcp)

---

Made with ❤️ for the security community