@nzuresh nzuresh commented Oct 7, 2025

Fixes #[issue-number]

Summary

Changes

This PR adds cluster-level IAM security analysis to the ECS security analysis tool, implementing comprehensive checks for service-linked roles and IAM best practices.

Implementation:

  • Added _analyze_cluster_iam_security() method (~145 lines) to analyze IAM configurations
  • Integrated IAM security checks into the main security analysis workflow
  • Updated module documentation to reflect new IAM security capabilities
  • Added 9 comprehensive test cases achieving 95%+ coverage

Security Checks:

  1. ECS Exec Service-Linked Role Verification (Medium severity)

    • Verifies AWSServiceRoleForECS exists when ECS Exec is configured
    • Provides remediation steps for creating and validating the role
  2. Capacity Provider Service-Linked Role Validation (Medium severity)

    • Ensures service-linked role exists for Auto Scaling integration
    • Validates permissions for capacity provider operations
  3. General IAM Configuration Review (Low severity)

    • Recommends periodic IAM audits following least privilege principle
    • Provides guidance on using IAM Access Analyzer

Code Changes:

  • awslabs/ecs_mcp_server/api/security_analysis.py: +150 lines
  • awslabs/ecs_mcp_server/modules/security_analysis.py: +6 lines
  • tests/unit/test_security_analysis.py: +246 lines, -9 lines
  • Total: 393 lines added, 9 lines deleted

User experience

Before this change:

  • Users could analyze cluster configuration, logging, container instances, and capacity providers
  • No visibility into IAM security posture for ECS clusters
  • Missing guidance on service-linked role requirements

After this change:

  • Users receive IAM security recommendations when analyzing ECS clusters
  • Clear identification of missing or misconfigured service-linked roles
  • Actionable remediation steps with AWS CLI commands for IAM issues
  • Better understanding of IAM requirements for ECS Exec and capacity providers

Example output:

🟡 Verify ECS Service-Linked Role Configuration
Severity: Medium | Category: IAM | Resource: my-cluster

Issue: Cluster has ECS Exec configured, which requires the AWSServiceRoleForECS service-linked role. Verify it exists and has correct permissions.

Remediation:

Check if the service-linked role exists:
aws iam get-role --role-name AWSServiceRoleForECS

If missing, create it:
aws iam create-service-linked-role --aws-service-name ecs.amazonaws.com

Checklist

If your change doesn't seem to apply, please leave them unchecked.

  • I have reviewed the contributing guidelines
  • I have performed a self-review of this change
  • Changes have been tested
  • Changes are documented

Is this a breaking change? N

RFC issue number: N/A

Related PRs:

Testing:

  • ✅ 77/77 tests passing
  • ✅ 95%+ test coverage (exceeds 90% requirement)
  • ✅ All quality checks passing (ruff format, ruff lint, pyright, pre-commit)
  • ✅ Parameterized tests for various IAM configurations
  • ✅ Service-linked role recommendation validation
  • ✅ IAM category summary verification

Checklist:

  • Migration process documented (N/A - not a breaking change)
  • Implement warnings (if it can live side by side) (N/A - additive change)

Acknowledgment

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license.
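Added example, not code from this PR or from the ecs-mcp-server project: a minimal Python model of the cluster-level IAM checks described above. The cluster dict mirrors an ECS describe_clusters item, and the role-existence lookup is injected (in real use it is assumed to wrap iam.get_role) so the example runs offline.

```python
# Added example; not code from the awslabs ecs-mcp-server project or this PR.
# Models the service-linked-role checks the PR describes. Role existence is
# injected so the example runs offline; a real caller would wrap iam.get_role
# and return False on iam.exceptions.NoSuchEntityException.
from typing import Callable, Dict, List

SLR_NAME = "AWSServiceRoleForECS"
REMEDIATION = (
    "Check if the service-linked role exists:\n"
    f"  aws iam get-role --role-name {SLR_NAME}\n"
    "If missing, create it:\n"
    "  aws iam create-service-linked-role --aws-service-name ecs.amazonaws.com"
)


def _finding(severity: str, title: str, resource: str, issue: str, remediation: str) -> Dict:
    return {"severity": severity, "category": "IAM", "resource": resource,
            "title": title, "issue": issue, "remediation": remediation}


def analyze_cluster_iam_security(cluster: Dict, role_exists: Callable[[str], bool]) -> List[Dict]:
    """Return IAM findings for one cluster, in the shape the PR's example output shows."""
    name = cluster.get("clusterName", "unknown")
    # Cluster-level ECS Exec settings live under configuration.executeCommandConfiguration.
    exec_cfg = cluster.get("configuration", {}).get("executeCommandConfiguration")
    providers = cluster.get("capacityProviders", [])
    slr_present = role_exists(SLR_NAME)
    findings: List[Dict] = []
    if exec_cfg and not slr_present:
        findings.append(_finding("Medium", "Verify ECS Service-Linked Role Configuration", name,
            f"Cluster has ECS Exec configured, which requires the {SLR_NAME} "
            "service-linked role. Verify it exists and has correct permissions.", REMEDIATION))
    if providers and not slr_present:
        findings.append(_finding("Medium", "Verify Service-Linked Role for Capacity Providers", name,
            f"Capacity providers {providers} need {SLR_NAME} for Auto Scaling integration.",
            REMEDIATION))
    # The Low-severity general review is emitted for every cluster.
    findings.append(_finding("Low", "Review IAM Configuration", name,
        "Periodically audit the IAM roles this cluster uses against least privilege; "
        "IAM Access Analyzer can surface unused permissions.",
        "aws accessanalyzer list-analyzers"))
    return findings


# Constructed sample input: ECS Exec configured and one capacity provider attached.
SAMPLE_CLUSTER = {
    "clusterName": "my-cluster",
    "configuration": {"executeCommandConfiguration": {"logging": "DEFAULT"}},
    "capacityProviders": ["my-asg-provider"],
}

if __name__ == "__main__":
    for f in analyze_cluster_iam_security(SAMPLE_CLUSTER, role_exists=lambda _r: False):
        print(f"{f['severity']}: {f['title']} ({f['resource']})")
```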

Suresh Natarajan added 3 commits October 6, 2025 13:55
Add comprehensive security analysis functionality for ECS clusters with
interactive user workflow and AWS Trusted Advisor-style recommendations.

Features:
- Interactive cluster selection workflow (prevents automatic analysis)
- Security checks for Container Insights, exec logging, CloudWatch encryption
- Color-coded recommendations (red/yellow/green) with severity levels
- Two-section output: Critical/High priority + Medium/Low priority
- Comprehensive error handling and user guidance

Implementation:
- Module layer: FastMCP tool registration with detailed documentation
- API layer: DataAdapter and SecurityAnalyzer classes
- Test suite: 75 tests with 97% coverage using parameterized tests

Files:
- awslabs/ecs_mcp_server/api/security_analysis.py (478 lines)
- awslabs/ecs_mcp_server/modules/security_analysis.py (198 lines)
- tests/unit/test_security_analysis.py (405 lines)
- awslabs/ecs_mcp_server/main.py (2 lines added)

All quality checks passed: formatting, linting, type checking, DRY principle
… instance and capacity provider checks

- Add container instance security checks (agent version, connectivity, instance types)
- Add capacity provider security checks (termination protection, scaling config)
- Implement data collection methods for container instances and capacity providers
- Add comprehensive test coverage (94%) with 60+ new tests
- Follow color-coded severity pattern (🔴 High, 🟡 Medium, 🟢 Low)
- Include actionable CLI remediation steps for all recommendations

Closes #<issue-number>
Add comprehensive IAM security checks for ECS clusters:
- Service-linked role verification for ECS Exec operations
- Service-linked role validation for capacity providers
- General IAM configuration review recommendations

Implementation details:
- Added _analyze_cluster_iam_security() method (~145 lines)
- Integrated IAM checks into security analysis workflow
- Updated module documentation with IAM security features
- Added 9 comprehensive test cases with 95%+ coverage

Security checks:
- Verifies AWSServiceRoleForECS exists for ECS Exec
- Validates service-linked role for Auto Scaling integration
- Provides IAM best practices and least privilege guidance
- Includes remediation steps with AWS CLI commands

Test coverage:
- Parameterized tests for various IAM configurations
- Service-linked role recommendation validation
- IAM category summary verification
- All required fields validation

Closes: Requirement 1.2 (IAM Security Analysis)
Related: PR #1 (Foundation), PR #2 (Enhanced Cluster Security)