
Automating AWS Service Reviews: Accelerating Cloud Security with Amazon Q and MCP
Discover how to transform your AWS Service Security Certification process from a multi-sprint effort into an automated workflow using Amazon Q and Model Context Protocol (MCP) servers to automatically generate security baseline documentation and infrastructure-as-code controls.
Balu Mathew
Amazon Employee
Published May 29, 2025
Many AWS customers follow a service certification process when adopting new AWS services or features. This process ensures that services and features meet organizational standards, security requirements, and compliance mandates. The resulting documentation serves as a source of truth and guidance around security best practices and the security controls required to use the service in line with an organization's security requirements.
This review process is often manual and time-consuming, requiring security teams to read through extensive AWS documentation, understand security features, and map them to organizational requirements to prepare a security baseline document for the service. In this blog post, we'll explore how to streamline this process using agentic solutions powered by Amazon Q.
The service certification process is triggered:
- When a new service or feature has been introduced
- On a continuous basis, to keep up with service updates
The traditional process involves manually evaluating service details and security features from the AWS Documentation. This is tedious and can take security teams 1-2 weeks to prepare quality documentation, creating a bottleneck in service adoption.
Our solution uses Amazon Q as the client that invokes different MCP tools to automate the service review process. The AWS Service Review Agent consists of different MCP servers working together:
- **Amazon Bedrock Knowledge Base Retrieval MCP Server**: Retrieves the organization's existing security baseline documentation and baseline template, which are stored in the Bedrock Knowledge Base, so the agent understands the organizational requirements
- **AWS Documentation MCP Server**: Builds an understanding of the AWS service under review by searching and reading the AWS Documentation and returns the required details
- **AWS Terraform MCP Server**: Generates infrastructure-as-code to deploy detective and preventative controls based on the Security Baseline document
This automated approach delivers significant advantages:
- Time Savings: Reduces manual effort from weeks to minutes
- Consistency: Ensures standardized security documentation across all services
- Accuracy: Leverages up-to-date AWS documentation for comprehensive reviews
- Governance: Maintains a clear audit trail of service reviews and approvals
The solution leverages Amazon Q Developer and extends its capabilities through specialized MCP servers:
- Set up Amazon Q Developer with the required MCP servers
- Create templates for Security Baseline documentation and security controls
- Create an Amazon Bedrock Knowledge Base as your RAG data source to store the Security Baseline template and organizational security requirements
MCP Configuration
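As an added illustration (not the post's own configuration), one way to register the three servers with the Amazon Q Developer CLI is an mcp.json like the following; it assumes the awslabs MCP server packages are launched with uvx, that the file is placed at ~/.aws/amazonq/mcp.json, and that the profile name security-review and the region are placeholders to replace with your own.

```json
{
  "mcpServers": {
    "awslabs.bedrock-kb-retrieval-mcp-server": {
      "command": "uvx",
      "args": ["awslabs.bedrock-kb-retrieval-mcp-server@latest"],
      "env": {
        "AWS_PROFILE": "security-review",
        "AWS_REGION": "us-east-1",
        "FASTMCP_LOG_LEVEL": "ERROR"
      }
    },
    "awslabs.aws-documentation-mcp-server": {
      "command": "uvx",
      "args": ["awslabs.aws-documentation-mcp-server@latest"],
      "env": {
        "FASTMCP_LOG_LEVEL": "ERROR"
      }
    },
    "awslabs.terraform-mcp-server": {
      "command": "uvx",
      "args": ["awslabs.terraform-mcp-server@latest"],
      "env": {
        "FASTMCP_LOG_LEVEL": "ERROR"
      }
    }
  }
}
```

The profile in the env block is what the Bedrock retrieval server authenticates with, so scope it to read access on the knowledge base only; applying the generated Terraform in the sandbox account is a separate credential with its own, equally limited, permissions.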
Prompt

Now Q will apply its chain of thought to gather the required information from the different sources, the Amazon Bedrock Knowledge Base, the AWS Documentation and the Terraform MCP server, to generate a comprehensive Security Baseline document and Terraform code for the service.


Generated Security Documentation

Terraform Code to Apply Detective Security Controls

Now you can ask Q to apply the detective controls from the generated Terraform code in your Sandbox/Dev account. This step serves as a quality gate before you push the code to Git and trigger the deployment pipeline. You can have Q automate this step as well.
The above implementation using the Amazon Q CLI runs locally on a single machine. A desktop application such as an IDE or the Q CLI starts the MCP servers locally as child processes and communicates with each of them over a long-running stdio stream.
The architecture below shows how to run MCP-based agentic solutions on AWS. Here the MCP servers run as containers on Amazon EKS or an AWS Fargate-based container engine, and your agent/client also runs as a container.

Refer to the MCP Server Deployment Guidance and the Lambda MCP Server Adapter for considerations and examples on running MCP servers on AWS.
Automating AWS service reviews with Generative AI solutions transforms a time-consuming manual process into an efficient, consistent workflow. By reducing the review time from weeks to minutes, organizations can:
- Accelerate secure adoption of new AWS services
- Maintain consistent security standards across all services
- Free up security engineering resources for higher-value tasks
- Ensure comprehensive documentation and controls for all approved services
To adopt this approach in your organization:
- Configure the required MCP servers and agent
- Configure the agent prompts based on your organization's security requirements
- Create templates for Baseline documentation and security controls
- Integrate with your existing Git repositories and CI/CD pipelines
- Start with a pilot service review to validate the approach
Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.