AWS EC2
Version: 1.0.1 · Category: AWS Cloud Security · Plan: Base+
A comprehensive EC2 security analysis integration covering instance inventory and exposure analysis, security groups, key pairs, AMI/snapshot management, and console output forensics.
Tools
describe_instances — Instance inventory
List EC2 instances with rich filtering:
- State: running/stopped/terminated
- instance_ids: specify one or more instance IDs
- filters: EC2 filter syntax (tag, VPC, subnet, image-id, etc.)
Returns:
| Field | Description |
|---|---|
| Instance ID / type | Identifier and hardware type |
| State | running / stopped |
| Network | Public/private IP, DNS name |
| Security groups | Attached security group names and IDs |
| IAM role | Instance profile ARN |
| Key pair | Associated key pair |
| Tags | All instance tags |
get_public_instances — Public instance list
Quickly list all EC2 instances with a public IP address — attack surface inventory baseline.
analyze_security_groups — Security group analysis
Deep analysis of security group rules:
| Report type | Content |
|---|---|
| Overly permissive rules | 0.0.0.0/0 or ::/0 ingress rules |
| High-risk port exposure | Port 22 / 3389 / 0-1024 open to the internet |
| Unused security groups | Security groups not attached to any resource |
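The first two report types can be reproduced offline against data shaped like the EC2 DescribeSecurityGroups response. The sketch below is an added example, not the integration's own code; the `analyze` function, its finding labels, and the sample group IDs and CIDRs are constructed for illustration.

```python
# Added example: classify ingress rules shaped like EC2 DescribeSecurityGroups output.
WORLD = {"0.0.0.0/0", "::/0"}
NAMED_PORTS = {22: "ssh", 3389: "rdp"}
LOW_PORT_MAX = 1024  # upper bound of the page's 0-1024 range

# Constructed sample data, not taken from a real account.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa1111", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb2222", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ccc3333", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]

def world_cidrs(perm):
    """Return the any-address CIDRs (IPv4 or IPv6) a permission allows."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]

def port_span(perm):
    """Port range for tcp/udp/all-protocol rules; None for ICMP and others."""
    proto = perm["IpProtocol"]
    if proto == "-1":            # all protocols: port fields are absent
        return 0, 65535
    if proto in ("tcp", "udp"):
        return perm["FromPort"], perm["ToPort"]
    return None                  # FromPort/ToPort are ICMP type/code here

def analyze(groups):
    """Return sorted (group_id, cidr, report_type, detail) findings."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            span = port_span(perm)
            for cidr in world_cidrs(perm):
                hits = [n for p, n in NAMED_PORTS.items()
                        if span and span[0] <= p <= span[1]]
                if span and span[0] <= LOW_PORT_MAX and not hits:
                    hits = ["low-ports"]
                kind = "high_risk_port" if hits else "overly_permissive"
                findings.append((group["GroupId"], cidr, kind, ",".join(hits)))
    return sorted(findings)
```

The 3000-4000 rule is reported as RDP exposure because the range contains 3389, a case an exact-port match would miss.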
get_instance_console_output — Console output forensics
Retrieve the console serial output for an EC2 instance — the primary data source for boot failure diagnosis and kernel panic investigation.
describe_key_pairs — Key pair inventory
List all EC2 key pairs, including creation time and fingerprint. Helps identify key pairs that should be rotated or removed.
describe_images — AMI list
Query AMIs you own or have permission to access:
- filters: filter by tag, OS name, architecture, etc.
- owners: self (your account), amazon (AWS official), or a specific account ID
describe_snapshots — Snapshot list
Query EBS snapshots:
- owner_ids: owner account filter
- restorable_by_user_ids: filter by who can restore
check_public_snapshots — Public snapshot detection
One-click detection of all EBS snapshots marked as public — a critical data leakage risk check.
check_amis_public — Public AMI detection
Detect all AMIs you own that are publicly accessible — potential source of sensitive image exposure.
Configuration
| Item | Description |
|---|---|
| AWS_ACCESS_KEY_ID | Access Key ID |
| AWS_SECRET_ACCESS_KEY | Secret Access Key |
| AWS_DEFAULT_REGION | Default region (e.g. us-east-1) |
| AWS_SESSION_TOKEN | Optional: temporary session token |
Investigation workflow
1. get_public_instances
→ List all EC2 instances with public IPs — attack surface inventory
2. analyze_security_groups
→ Check which security groups expose high-risk ports (22/3389) to 0.0.0.0/0
3. describe_instances filters:[{"Name":"instance-id","Values":["i-xxxx"]}]
→ Get full details for a specific instance
4. get_instance_console_output instance_id:"i-xxxx"
→ Get boot log or kernel panic output for forensic analysis
5. check_public_snapshots
check_amis_public
→ Detect publicly accessible snapshots and AMIs — prevent data leakage