Analyze AWS infrastructure security using Cyntrisec MCP tools. Use when asked about AWS attack paths, security findings, IAM permissions, compliance status, or remediation recommendations. Guides tool selection and workflow patterns for comprehensive security assessments.
Add this skill
npx mdskills install cyntrisec/aws-security-analysisComprehensive AWS security analysis guide with clear workflows and tool selection patterns
Caution:
Beta Software Disclaimer: This tool is currently in BETA. It is provided "as is", without warranty of any kind. While Cyntrisec is a read-only analysis tool by default, the user assumes all responsibility for any actions taken based on its findings. Always review generated remediation plans and Terraform code before application.
AWS capability graph analysis and attack path discovery.
A read-only CLI tool that:
Watch how to discover attack paths and generate fixes using natural language with Claude MCP.
+----------------------------------------------------------------------------------+
| CYNTRISEC CLI |
+----------------------------------------------------------------------------------+
| CLI Layer (Typer) |
| scan analyze cuts waste report comply can diff serve ... |
+-----------------------------+----------------------------------------------------+
| Core Engine | Storage (local) |
| - AWS collectors | ~/.cyntrisec/scans// |
| - Normalization/schema | snapshot.json, assets.json, relationships.json |
| - GraphBuilder -> AwsGraph | findings.json, attack_paths.json |
| - Path search -> paths | ~/.cyntrisec/scans/latest -> |
| - Min-cut + Cost (ROI) | (Windows fallback: latest is a file) |
+-----------------------------+----------------------------------------------------+
| Outputs: JSON/agent, HTML report, remediation plan + Terraform hints |
+----------------------------------------------------------------------------------+
CLI (scan) --AssumeRole--> AWS Session --Describe/Get/List--> AWS APIs (read-only)
|
v
Collectors -> normalize -> Assets + Relationships -> AwsGraph
|
v
Attack path search (BFS/DFS)
|
v
Min-cut (remediation cuts)
|
v
Cost engine (ROI)
Local artifacts: ~/.cyntrisec/scans//*.json
pip install cyntrisec
If you see "cyntrisec is not recognized", the Scripts folder isn't on PATH:
# Option 1: Run with python -m
python -m cyntrisec --help
# Option 2: Add to PATH for current session
$env:PATH += ";$env:APPDATA\Python\Python311\Scripts"
Prerequisite: Ensure you have AWS CLI installed and configured with credentials (e.g.,
aws configure) or environment variables set.terraformis required for the setup step.
# 1. Create the read-only IAM role in your account
cyntrisec setup iam 123456789012 --output role.tf
# 2. Apply the Terraform
cd your-infra && terraform apply
# 3. Run a scan
cyntrisec scan --role-arn arn:aws:iam::123456789012:role/CyntrisecReadOnly
# 4. View attack paths
cyntrisec analyze paths --min-risk 0.5
# 5. Find minimal fixes (prioritized by ROI)
cyntrisec cuts --format json
# 6. Generate HTML report
cyntrisec report --output report.html
| Command | Description |
|---|---|
scan | Scan AWS infrastructure |
analyze paths | View attack paths |
analyze findings | View security findings |
analyze stats | View scan statistics |
analyze business | Business entrypoint analysis |
report | Generate HTML/JSON report |
| Command | Description |
|---|---|
setup iam | Generate IAM role Terraform |
validate-role | Validate IAM role permissions |
| Command | Description |
|---|---|
cuts | Find minimal fixes (Cost & ROI prioritized) |
waste | Find unused IAM permissions |
remediate | Generate or optionally apply Terraform plans (gated) |
| Command | Description |
|---|---|
can | Test "can X access Y?" |
diff | Compare scan snapshots |
comply | Check CIS AWS / SOC2 compliance |
| Command | Description |
|---|---|
manifest | Output machine-readable capabilities |
explain | Natural language explanations |
ask | Query scans in plain English |
serve | Run as MCP server for AI agents |
Run Cyntrisec as an MCP server for AI agent integration:
# Install with MCP support (now included by default)
pip install cyntrisec
cyntrisec serve # Start stdio server
cyntrisec serve --list-tools # List available tools
| Category | Tool | Description |
|---|---|---|
| Discovery | list_tools | List all available tools |
set_session_snapshot | Set active snapshot for session | |
get_scan_summary | Get summary of latest AWS scan | |
| Assets | get_assets | Get assets with type/name filtering |
get_relationships | Get relationships between assets | |
get_findings | Get security findings with severity filtering | |
| Attack Paths | get_attack_paths | Get attack paths with risk scores |
explain_path | Detailed hop-by-hop path breakdown | |
explain_finding | Detailed finding explanation | |
| Remediation | get_remediations | Find optimal fixes for attack paths |
get_terraform_snippet | Generate Terraform code for remediation | |
| Access | check_access | Test if principal can access resource |
get_unused_permissions | Find unused IAM permissions | |
| Compliance | check_compliance | Check CIS AWS or SOC 2 compliance |
compare_scans | Compare scan snapshots |
MacOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json
{
"mcpServers": {
"cyntrisec": {
"command": "python",
"args": ["-m", "cyntrisec", "serve"]
}
}
}
Run the following command to configure the server:
claude mcp add cyntrisec -- python -m cyntrisec serve
Locate your agent configuration (e.g., ~/.gemini/antigravity/mcp_config.json) and add:
{
"mcpServers": {
"cyntrisec": {
"command": "python",
"args": ["-m", "cyntrisec", "serve"]
}
}
}
This tool makes read-only API calls to your AWS account. The IAM role
should have only Describe*, Get*, List* permissions.
All data stays on your local machine. Nothing is sent to external servers.
Scan results are stored in ~/.cyntrisec/scans/.
By default, Cyntrisec is read-only and does not modify your AWS infrastructure.
Cyntrisec includes an explicitly gated path that can execute Terraform only if you intentionally enable it.
This mode is:
--enable-unsafe-write-mode--execute-terraform) to run TerraformIf you do not pass these flags, Cyntrisec will never run terraform apply.
Cyntrisec makes no AWS write API calls during scanning and analysis.
The only supported "write" behavior is optional execution of Terraform locally on your machine, and only when explicitly enabled via unsafe flags.
Every AWS API call is logged in CloudTrail under session name cyntrisec-cli.
Cyntrisec runs with a read-only IAM role. Generate the recommended policy with
cyntrisec setup iam and keep permissions to Describe*, Get*,
and List*. Live modes (waste --live, can --live) require extra IAM
permissions; the generated policy and docs cover those additions.
Primary output is JSON to stdout. When stdout is not a TTY, the CLI automatically switches to JSON:
cyntrisec analyze paths --format json | jq '.paths[] | select(.risk_score > 0.7)'
Agent-friendly output wraps results in a structured envelope:
cyntrisec analyze paths --format agent
{
"schema_version": "1.0",
"status": "success",
"data": {...},
"artifact_paths": {...},
"suggested_actions": [...]
}
| Code | Meaning |
|---|---|
| 0 | Success / compliant |
| 1 | Findings / regressions / denied |
| 2 | Usage error |
| 3 | Transient error (retry) |
| 4 | Internal error |
Use in CI/CD:
cyntrisec scan --role-arn $ROLE_ARN || exit 1
cyntrisec diff || echo "Regressions detected"
Scan results are stored locally:
~/.cyntrisec/
|-- scans/
| |-- 2026-01-17_123456_123456789012/
| | |-- snapshot.json
| | |-- assets.json
| | |-- relationships.json
| | |-- findings.json
| | `-- attack_paths.json
| `-- latest -> 2026-01-17_...
`-- config.yaml
2026-01-17_... └── config.yaml
-->
## Versioning
This project follows Semantic Versioning. See `CHANGELOG.md` for release notes.
## License
Apache-2.0
## Links
- [PyPI Package](https://pypi.org/project/cyntrisec/)
- [Website](https://cyntrisec.com/)
- [Twitter/X](https://x.com/cyntrisec)
Install via CLI
npx mdskills install cyntrisec/aws-security-analysisAWS Security Analysis is a free, open-source AI agent skill. Analyze AWS infrastructure security using Cyntrisec MCP tools. Use when asked about AWS attack paths, security findings, IAM permissions, compliance status, or remediation recommendations. Guides tool selection and workflow patterns for comprehensive security assessments.
Install AWS Security Analysis with a single command:
npx mdskills install cyntrisec/aws-security-analysisThis downloads the skill files into your project and your AI agent picks them up automatically.
AWS Security Analysis works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.