feat: Add AWS documentation integration to security recommendations (PR #4) #1462
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 3 commits
October 6, 2025 13:55
Add comprehensive security analysis functionality for ECS clusters with interactive user workflow and AWS Trusted Advisor-style recommendations. Features: - Interactive cluster selection workflow (prevents automatic analysis) - Security checks for Container Insights, exec logging, CloudWatch encryption - Color-coded recommendations (red/yellow/green) with severity levels - Two-section output: Critical/High priority + Medium/Low priority - Comprehensive error handling and user guidance Implementation: - Module layer: FastMCP tool registration with detailed documentation - API layer: DataAdapter and SecurityAnalyzer classes - Test suite: 75 tests with 97% coverage using parameterized tests Files: - awslabs/ecs_mcp_server/api/security_analysis.py (478 lines) - awslabs/ecs_mcp_server/modules/security_analysis.py (198 lines) - tests/unit/test_security_analysis.py (405 lines) - awslabs/ecs_mcp_server/main.py (2 lines added) All quality checks passed: formatting, linting, type checking, DRY principle
… instance and capacity provider checks - Add container instance security checks (agent version, connectivity, instance types) - Add capacity provider security checks (termination protection, scaling config) - Implement data collection methods for container instances and capacity providers - Add comprehensive test coverage (94%) with 60+ new tests - Follow color-coded severity pattern (🔴 High, 🟡 Medium, 🟢 Low) - Include actionable CLI remediation steps for all recommendations Closes #<issue-number>
Add comprehensive IAM security checks for ECS clusters: - Service-linked role verification for ECS Exec operations - Service-linked role validation for capacity providers - General IAM configuration review recommendations Implementation details: - Added _analyze_cluster_iam_security() method (~145 lines) - Integrated IAM checks into security analysis workflow - Updated module documentation with IAM security features - Added 9 comprehensive test cases with 95%+ coverage Security checks: - Verifies AWSServiceRoleForECS exists for ECS Exec - Validates service-linked role for Auto Scaling integration - Provides IAM best practices and least privilege guidance - Includes remediation steps with AWS CLI commands Test coverage: - Parameterized tests for various IAM configurations - Service-linked role recommendation validation - IAM category summary verification - All required fields validation Closes: Requirement 1.2 (IAM Security Analysis) Related: PR #1 (Foundation), PR #2 (Enhanced Cluster Security)
nzuresh
requested review from
a team,
biagic,
guitar80ep,
matthewgoodman13,
nineonine and
tusharbabbar
as code owners
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #1462 +/- ##
==========================================
- Coverage 89.45% 89.40% -0.05%
==========================================
Files 726 728 +2
Lines 50305 50594 +289
Branches 7942 7989 +47
==========================================
+ Hits 44998 45236 +238
- Misses 3452 3495 +43
- Partials 1855 1863 +8 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Add include_aws_docs parameter, implement parallel documentation fetching with caching and graceful degradation, enhance MCP client presentation guidelines, and add comprehensive test suite (22 new tests, 99 total). Changes: 3 files, 1009 insertions, 89 deletions
nzuresh
force-pushed
the
feature/pr4-aws-docs-integration
branch
from
107cfdf to
41ebd3f
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes
Summary
Changes
This PR adds AWS documentation integration to the ECS security analysis tool, enriching security recommendations with contextual AWS best practices documentation.
Key additions:
include_aws_docsoptional parameter toanalyze_ecs_securitytoolaws_documentationfield to security recommendation structureSecurityAnalyzer.analyzemethod async to support parallel operationsTechnical implementation:
aws_knowledge_proxymodule for documentation fetchinginclude_aws_docs=false)Files changed:
awslabs/ecs_mcp_server/api/security_analysis.py: +175 linesawslabs/ecs_mcp_server/modules/security_analysis.py: +123 linestests/unit/test_security_analysis.py: +800 lines (22 new test cases)User experience
Before:
Users receive security recommendations with severity, description, and remediation steps, but no direct links to AWS documentation for additional context.
After:
When
include_aws_docs=trueis specified, users receive the same security recommendations enhanced with relevant AWS documentation snippets that provide:The feature gracefully degrades if documentation fetching fails, ensuring the core security analysis always completes successfully.
Checklist
If your change doesn't seem to apply, please leave them unchecked.
Is this a breaking change? (Y/N): N
RFC issue number: N/A
Checklist:
Acknowledgment
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license.