# Amazon Q Developer - Setup MCP Server for CloudTrail | Security Investigation

## Metadata

- **Channel:** Loi Liang Yang
- **YouTube:** https://www.youtube.com/watch?v=bq_LlPXIgkQ

## Contents

### [0:00](https://www.youtube.com/watch?v=bq_LlPXIgkQ) Segment 1 (00:00 - 05:00)

So this is so important when you're using an artificial intelligence agent to help you query CloudTrail, because this simplifies the way your AI agent can talk to CloudTrail. And what CloudTrail does is record everything that is happening inside your AWS account. Setting this up is super easy, and there are several features that are really powerful. One is event lookup. So you can see the following: search CloudTrail events by various attributes, including username, event name, resource name and more. So this is really powerful. Next up, if you are also using, for example, CloudTrail Lake analytics, you can execute advanced SQL queries against CloudTrail Lake for complex analytics, filtering, aggregation and so on. You can do user activity analysis, right? Track and analyze user activities across AWS services by filtering events by username, access key or other user-related attributes, API call tracking and so on and so forth. So really powerful, and super easy to set up as well. I'm going to show you how that looks. So in terms of the architecture, this is how it looks. On the right side we have, for example, Q Developer, and of course your best friend forever Mr. Hacker Loi is going to be using the IDE version of this, which is installed on my computer. What we can do here is set up the MCP server itself. Once we have set up the MCP server, this will allow us very quickly to query over into CloudTrail. So what exactly is CloudTrail then? CloudTrail gives us the ability to investigate, track and log who, say Mr. Hacker Loi or any other user, is doing what in their AWS account, and with Q Developer integrated with the CloudTrail MCP server we can pass in those parameters very cleanly, very quickly, and speed up our investigation process using the AI agent. So yeah, you literally have Mr. Hacker Loi at your disposal.
So right here I have set up my Visual Studio Code integrated development environment. The first thing you need is, of course, to make sure that your Amazon Q extension is available. You can see on the left side I have the Amazon Q extension installed and it's up and running. Before we go any further, the first thing we need to do is configure our AWS credentials so that they are accessible by Amazon Q as well as the MCP server that we'll be setting up. So the first thing we need to do is enter the following: `aws configure sso`. Hit enter on that. Give the SSO session a name, say Loi. I hit enter on this and it says the following, right: there are four AWS accounts available to you. In my case I will select Developer Loi. Okay, I will have a CLI default client region, a CLI default output format, and then the CLI profile name. Let's enter Loi for that. And you can see the following. All right, so `aws s3 ls --profile loi`. Hit enter on this and we'll be able to list the S3 buckets directly from the command line interface. Now moving forward is about adding the MCP server over here. You can see there is a Configure MCP servers option. Go ahead and click on that, and right here we can select the plus icon to add MCP servers to extend Q's capabilities. Go ahead and select that, and right here is the place where we'll be adding in the information. In my case I'm entering, say, cloudtrail. All right, the command I can enter is uvx. Again, all of these are directly available in the documentation. For example, this is the one. So we have the arguments over here. I can do a right-click, copy, head back over into my IDE and paste it as an argument. All right. Then heading back again to the documentation, it states the following: AWS profile. Let's copy that, head back over to the IDE and enter the value of Loi. And then finally the timeout settings. All right, go ahead and click save on that. Activating MCP server.
Once we are done we can close this one. Head back over to chat and give a prompt, saying: is there any suspicious activity from user hackerloi in CloudTrail over the past 1 hour? What we can do now is go ahead and hit enter on this. You can see right now Amazon Q Developer is checking, and it is setting up a lookup_events call for us. You can see the tool icon right here, indicating that we are using the MCP server. All we have to do now is authorize it by clicking Run. All right, right here it's working. It received a response. All right: no CloudTrail events were found for the user. Okay. So if I scroll down further, you can see the following. Okay: hackerloi in the past hour in the us-east-1 region. This

### [5:00](https://www.youtube.com/watch?v=bq_LlPXIgkQ&t=300s) Segment 2 (05:00 - 06:00)

user hasn't performed any AWS API activities in the past hour. The user doesn't exist or the username is incorrect. Activities occurred in a different AWS region, and so on and so forth. Okay, so this is something that you can easily run. So what I'm going to do now is go ahead and log in to the AWS account and start doing some things, and see whether Amazon Q Developer can help us pick that up. All right, so I ran a couple of things inside the AWS account, and what we can do now is post the question back again using Amazon Q Developer to help us investigate what's going on. So what I can do now is: is there any suspicious activity from user hackerloi in CloudTrail over the past, say, 30 minutes? Let me know. All right, hit enter on this, and same thing. What is going to happen right now is that Amazon Q Developer, your AI agent, is going to head over into the CloudTrail MCP server and put in the following parameters. As you can see right here, it will run and retrieve that information for us and then begin to analyze what is going on. Right? So in this case, we need a smaller result set to avoid the character limit, and you can see it automatically updated the max results. If I click Run right now, you can see the following information: working. We got the response, or the result. And here's the following information. All right, based on the CloudTrail events for user hackerloi in the past 30 minutes, here's what I found. Okay: actively using CloudTrail and AWS console services; all activities appear to be legitimate administrative tasks rather than suspicious behavior. Okay, so multiple lookup events. I was setting up certain information. All right, you can see I'm using a Firefox browser. So really powerful, and very quickly we're able to get these details through the analysis from Amazon Q Developer. Okay.
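The investigation the video drives through the MCP server's lookup_events tool, shown here as an added Python example that is not from the video, from Amazon Q Developer, or from the CloudTrail MCP server's code. It filters records shaped like CloudTrail LookupEvents output by username and trailing time window, summarizes them the way an analyst would before judging activity, and pages the results like the agent did when it lowered the max results. The username `hackerloi`, the timestamps, IP addresses and the fixed clock `NOW` are constructed sample data; `SENSITIVE_WRITE_SOURCES` is a heuristic assumed by this example, not an AWS or MCP-server setting.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample records in the shape returned by the CloudTrail LookupEvents API
# (the call behind the MCP server's lookup_events tool). None of this is real account data;
# the username "hackerloi" mirrors the user queried in the video.
SAMPLE_EVENTS = [
    {"EventTime": "2024-05-01T10:02:00Z", "EventName": "LookupEvents",
     "EventSource": "cloudtrail.amazonaws.com", "Username": "hackerloi", "ReadOnly": "true",
     "CloudTrailEvent": json.dumps({"awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
                                    "userAgent": "Mozilla/5.0 Firefox/125.0"})},
    {"EventTime": "2024-05-01T10:04:00Z", "EventName": "ListBuckets",
     "EventSource": "s3.amazonaws.com", "Username": "hackerloi", "ReadOnly": "true",
     "CloudTrailEvent": json.dumps({"awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
                                    "userAgent": "aws-cli/2.15.0"})},
    {"EventTime": "2024-05-01T10:06:00Z", "EventName": "CreateAccessKey",
     "EventSource": "iam.amazonaws.com", "Username": "hackerloi", "ReadOnly": "false",
     "CloudTrailEvent": json.dumps({"awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
                                    "userAgent": "aws-cli/2.15.0"})},
    {"EventTime": "2024-05-01T09:10:00Z", "EventName": "ConsoleLogin",
     "EventSource": "signin.amazonaws.com", "Username": "hackerloi", "ReadOnly": "false",
     "CloudTrailEvent": json.dumps({"awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
                                    "userAgent": "Mozilla/5.0 Firefox/125.0",
                                    "errorMessage": "Failed authentication"})},
    {"EventTime": "2024-05-01T10:07:00Z", "EventName": "DescribeInstances",
     "EventSource": "ec2.amazonaws.com", "Username": "alice", "ReadOnly": "true",
     "CloudTrailEvent": json.dumps({"awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.20",
                                    "userAgent": "console.amazonaws.com"})},
]

# Fixed "now" so the windows below are deterministic (an assumption of this example).
NOW = datetime(2024, 5, 1, 10, 10, tzinfo=timezone.utc)

# Assumed heuristic: a mutating call to one of these services deserves a second look.
SENSITIVE_WRITE_SOURCES = {"iam.amazonaws.com", "sts.amazonaws.com", "cloudtrail.amazonaws.com"}


def parse_time(ts):
    """CloudTrail timestamps are ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def filter_user_events(events, username, minutes, now=NOW):
    """Events for one username inside the trailing window, newest first (LookupEvents order)."""
    since = now - timedelta(minutes=minutes)
    hits = [e for e in events
            if e["Username"] == username and since <= parse_time(e["EventTime"]) <= now]
    return sorted(hits, key=lambda e: e["EventTime"], reverse=True)


def summarize(events):
    """Aggregate what an analyst wants to see before deciding whether activity is suspicious."""
    details = [json.loads(e["CloudTrailEvent"]) for e in events]
    flagged = []
    for e, d in zip(events, details):
        if e["ReadOnly"] == "false" and e["EventSource"] in SENSITIVE_WRITE_SOURCES:
            flagged.append((e["EventName"], "write call to a sensitive service"))
        err = d.get("errorCode") or d.get("errorMessage")
        if err:
            flagged.append((e["EventName"], "API error: " + err))
    return {
        "total": len(events),
        "by_event_name": dict(Counter(e["EventName"] for e in events)),
        "write_calls": sum(1 for e in events if e["ReadOnly"] == "false"),
        "source_ips": sorted({d["sourceIPAddress"] for d in details}),
        "regions": sorted({d["awsRegion"] for d in details}),
        "flagged": flagged,
    }


def page(events, max_results):
    """Split results into MaxResults-sized pages, as the agent did when it shrank the result set."""
    return [events[i:i + max_results] for i in range(0, len(events), max_results)]


if __name__ == "__main__":
    for window in (60, 30):
        hits = filter_user_events(SAMPLE_EVENTS, "hackerloi", window)
        print(f"hackerloi, past {window} min: {json.dumps(summarize(hits), indent=2)}")
```

The three explanations the agent offered for an empty result in the video (no activity, wrong username, different region) map onto the three things this filter depends on: the username match, the time window, and the `awsRegion` field carried in the summary. Two points worth keeping in mind when reproducing the setup: the MCP server authenticates with whatever the `AWS_PROFILE` value resolves to, so that SSO profile should carry read-only CloudTrail permissions rather than the administrator role used for the rest of the demo, and the Run button the video clicks is the only approval step between the agent's chosen parameters and a live API call.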

---
*Source: https://ekstraktznaniy.ru/video/38738*