
k9securityio/security-agent-demo


Cloud Security Agent Demo

This project demonstrates how to build a Cloud Security Agent with Strands and deploy it to AWS AgentCore.

The agent analyzes and prioritizes issues in Security Hub and recommends remediations. It uses tools to query Security Hub for findings in OCSF format. The user can chat with the agent about security issues and ask simple questions like:

  • What are the most important issues in Security Hub for AWS account ID 12345679012?
  • Can you recommend a remediation for finding ABC-1234?

Configure

Configure a Bedrock Agentcore deployment by running the agentcore configure command.

The following resources are helpful:

Agent

agentcore configure -e app.py --name security_agent

MCP Server

Recommendation: Read Deploy MCP servers in AgentCore Runtime before deploying the MCP server to understand the general process.

Before configuring the MCP server deployment, set up Cognito to authenticate and authorize requests. You will need the OAuth2 discoveryUrl and a client ID for the MCP configuration process.

agentcore configure -e mcp_server_agentcore.py --protocol MCP --name security_agent_mcp

Deploy

You can use the following commands to deploy the Security Agent demo.

Deploy all components:

agentcore launch

Deploy only the MCP:

agentcore launch --agent security_agent_mcp

Integration with Claude Desktop

You can integrate Claude Desktop with your remote MCP running on AgentCore by:

  1. Obtaining a Bearer Token for the server
  2. Configuring an MCP server that uses mcp-remote to talk to your remote MCP server running on AgentCore

First, obtain a BEARER_TOKEN for the OAuth2 client allowed by the MCP server:

aws cognito-idp initiate-auth  --output=json  --region us-east-1  --client-id "$CLIENT_ID" \
  --auth-flow USER_PASSWORD_AUTH  --auth-parameters USERNAME='testuser',PASSWORD='PERMANENT_PASSWORD' \
  | jq -r '.AuthenticationResult.AccessToken'

Second, configure a connection to your remote MCP server using mcp-remote:

Note: mcp-remote requires Node v18 or later and Claude uses the version of node found in your system path unless you specify it directly as below. It is recommended to directly specify the path to a v18+ version of node.

Here is an example MCP server configuration where you will need to update:

  • cwd - directory to your security-agent-demo source code
  • paths - specify a path to a version of node v18 or later
  • args - replace the ARN with the ARN of your MCP server on AgentCore
  • AUTH_HEADER - replace BEARER_TOKEN with the value from step one

{
  "mcpServers": {
    "security-agent": {
      "command": "npx",
      "cwd": "/path/to/security-agent-demo",
      "paths": [
        "/Users/YOUR-USERID/.nvm/versions/node/v22.12.0/bin",
        "/usr/local/bin",
        "/opt/homebrew/bin",
        "/usr/bin",
        "/bin",
        "/usr/sbin",
        "/sbin"
      ],
      "args": [
        "mcp-remote",
        "https://bedrock-agentcore.us-east-1.amazonaws.com/runtimes/arn%3Aaws%3Abedrock-agentcore%3Aus-east-1%3A123456789012%3Aruntime%2Fsecurity_agent_mcp-EXAMPLE/invocations?qualifier=DEFAULT",
        "--header",
        "Content-Type: application/json",
        "--header",
        "Authorization:${AUTH_HEADER}"
      ],
      "env": {
        "AUTH_HEADER": "Bearer BEARER_TOKEN"
      }
    }
  }
}

About

A cloud security AI agent demo using AWS AgentCore and Strands
