When it comes to cloud security and compliance, visibility into API activity is everything. Organizations rely on AWS CloudTrail to capture and analyze every action taken in their AWS environments—but analyzing massive amounts of CloudTrail data has always been complex.
That’s why AWS recently launched the CloudTrail MCP (Model Context Protocol) Server, now available as an open-source project in the AWS Labs MCP repository. This new server enables AI-powered assistants to directly query CloudTrail logs and CloudTrail Lake analytics using natural language—eliminating the need for custom integrations or manual queries.
In this post, we’ll break down what the CloudTrail MCP server is, why it matters, and how you can use it to strengthen cloud security, compliance, and investigations.
🔍 What Is the AWS CloudTrail MCP Server?
The CloudTrail MCP server is an open-source integration that connects AI agents with AWS CloudTrail data.
Instead of running manual SQL queries or digging through event logs, security teams can now simply ask natural language questions such as:
- “Show me all failed login attempts in the last 24 hours.”
- “Which IAM users created or deleted security groups this week?”
- “List API calls from suspicious IP addresses in the last 90 days.”
Behind the scenes, the MCP server uses:
- CloudTrail LookupEvents API → Search through 90 days of management events.
- CloudTrail Lake (via Trino SQL queries) → Run deep queries on event data stored for up to 10 years.
This makes it a powerful tool for AI-driven security analysis.
⚡ Key Features of the CloudTrail MCP Server
Here’s what makes this release a game-changer:
- AI-Powered Security Analysis
  - Query CloudTrail logs in plain English with the help of AI agents.
  - Detect anomalies, track user activity, and investigate suspicious behavior seamlessly.
- 90-Day Event Lookup
  - Quickly access recent CloudTrail management events without needing to configure external log pipelines.
- 10-Year Historical Analytics
  - Use CloudTrail Lake to store and query long-term event data for compliance audits and forensic investigations.
- No Custom Integrations Needed
  - The MCP server provides a standardized interface for AI tools, avoiding complex custom API work.
- Open Source & Extensible
  - Built by AWS Labs, the MCP server is open-source, community-driven, and extensible to future workflows.
🌍 Availability and Supported Regions
The AWS CloudTrail MCP server is available in all regions where:
- CloudTrail LookupEvents API is supported
- CloudTrail Lake is available
This ensures global reach for enterprises running workloads across multiple regions and accounts.
📘 Getting Started with CloudTrail MCP Server
Here’s how you can start using the new server today:
- Download from GitHub
  Clone the AWS Labs MCP repository to set up the CloudTrail MCP server.
- Read the Documentation
  Review the CloudTrail MCP server docs for environment setup, authentication, and configuration.
- Connect an AI Agent
  Configure your AI assistant (e.g., a chatbot or automation tool) to interact with the MCP server.
- Run Queries with Natural Language
  Example prompts you can try:
  - “Who created new IAM users last week?”
  - “Show me root account activity in the past 30 days.”
  - “List all security group changes in the last quarter.”
- Automate Compliance Checks
  Extend MCP with custom workflows for PCI DSS, HIPAA, SOC 2, or ISO 27001 compliance reporting.
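To make the two data paths behind the prompts above concrete (the 90-day LookupEvents path and the CloudTrail Lake SQL path described earlier), here is an added example in Python. It is not code from the CloudTrail MCP server or from AWS Labs. It builds the parameters a `boto3` `cloudtrail.lookup_events()` call would take, picks failed console sign-ins out of a LookupEvents-shaped response, and generates the Trino-dialect SQL that CloudTrail Lake would run for “security group changes in the last quarter”. The sample events are constructed (RFC 5737 test addresses, made-up user names), and `PLACEHOLDER_EVENT_DATA_STORE_ID` stands in for a real event data store id, so the block runs offline without AWS credentials.

```python
import json
from datetime import datetime, timedelta, timezone

# Attribute keys the real LookupEvents API accepts in LookupAttributes
# (one attribute per call).
LOOKUP_ATTRIBUTE_KEYS = {
    "EventId", "EventName", "ReadOnly", "Username", "ResourceType",
    "ResourceName", "EventSource", "AccessKeyId",
}
# LookupEvents only reaches back 90 days; older data lives in CloudTrail Lake.
LOOKUP_MAX_DAYS = 90


def lookup_events_params(attribute_key, attribute_value, hours_back, now=None):
    """Build the keyword arguments for boto3's cloudtrail.lookup_events().
    Windows longer than 90 days are clamped, because LookupEvents cannot see
    further back than that regardless of the StartTime requested."""
    if attribute_key not in LOOKUP_ATTRIBUTE_KEYS:
        raise ValueError(f"unsupported LookupAttributes key: {attribute_key}")
    now = now or datetime.now(timezone.utc)
    hours_back = min(hours_back, LOOKUP_MAX_DAYS * 24)
    return {
        "LookupAttributes": [
            {"AttributeKey": attribute_key, "AttributeValue": attribute_value}
        ],
        "StartTime": now - timedelta(hours=hours_back),
        "EndTime": now,
        "MaxResults": 50,
    }


def failed_console_logins(events):
    """Pick out failed console sign-ins from the 'Events' list of a
    LookupEvents response. Each item carries the full CloudTrail record as a
    JSON string in 'CloudTrailEvent'; a failed ConsoleLogin records
    responseElements.ConsoleLogin == "Failure"."""
    hits = []
    for item in events:
        record = json.loads(item["CloudTrailEvent"])
        if record.get("eventName") != "ConsoleLogin":
            continue
        if record.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            who = record.get("userIdentity", {}).get("userName", "<unknown>")
            hits.append((who, record.get("sourceIPAddress"), record.get("eventTime")))
    return hits


# EC2 API names that change security groups (real CloudTrail eventName values).
SECURITY_GROUP_EVENTS = (
    "CreateSecurityGroup", "DeleteSecurityGroup",
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
)


def lake_security_group_query(event_data_store_id, days_back, now=None):
    """CloudTrail Lake SQL (Trino dialect) listing security group changes.
    The event data store id is the table name; days_back may exceed 90
    because Lake retains events for years. The id passed here is a placeholder."""
    now = now or datetime.now(timezone.utc)
    since = (now - timedelta(days=days_back)).strftime("%Y-%m-%d %H:%M:%S")
    names = ", ".join(f"'{n}'" for n in SECURITY_GROUP_EVENTS)
    return (
        "SELECT eventTime, eventName, userIdentity.arn AS principal, sourceIPAddress "
        f"FROM {event_data_store_id} "
        f"WHERE eventName IN ({names}) AND eventTime > '{since}' "
        "ORDER BY eventTime DESC"
    )


def _record(event_name, user, ip, when, **extra):
    """Build one constructed LookupEvents item for the sample data below."""
    body = {"eventName": event_name, "eventTime": when,
            "userIdentity": {"type": "IAMUser", "userName": user},
            "sourceIPAddress": ip, **extra}
    return {"EventName": event_name, "Username": user, "CloudTrailEvent": json.dumps(body)}


# Constructed sample response (not real account data).
SAMPLE_EVENTS = [
    _record("ConsoleLogin", "alice", "203.0.113.5", "2025-03-01T09:55:02Z",
            responseElements={"ConsoleLogin": "Success"}),
    _record("ConsoleLogin", "alice", "198.51.100.7", "2025-03-01T10:02:11Z",
            responseElements={"ConsoleLogin": "Failure"},
            errorMessage="Failed authentication"),
    _record("CreateSecurityGroup", "bob", "203.0.113.9", "2025-03-01T11:30:44Z"),
]

if __name__ == "__main__":
    print(lookup_events_params("EventName", "ConsoleLogin", 24))
    print(failed_console_logins(SAMPLE_EVENTS))
    print(lake_security_group_query("PLACEHOLDER_EVENT_DATA_STORE_ID", 120))
```

The clamp in `lookup_events_params` is the practical point: a prompt such as “failed logins in the last 90 days” can be answered from LookupEvents, but “security group changes in the last quarter” across more than 90 days only comes back complete if the assistant routes it to a CloudTrail Lake event data store that actually retains that window, so it is worth checking which path an answer was produced from before relying on it for an audit.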
💡 Benefits of AI for Cloud Security and Compliance
The launch of the CloudTrail MCP server is part of a broader industry trend: embedding AI-driven automation into security operations. Key benefits include:
- Faster Security Investigations – Move from hours of log analysis to minutes with conversational queries.
- Simplified Compliance Audits – Generate reports for regulators using natural language instead of complex queries.
- Accessibility for Non-Experts – Even teams without deep AWS or SQL expertise can interact with logs.
- Scalable Security – Ideal for organizations with multi-account, multi-region AWS architectures.
🚀 Why the CloudTrail MCP Server Matters
For years, security teams have relied on manual log queries to perform audits and investigations in AWS. The CloudTrail MCP server fundamentally changes this approach by making cloud audit data AI-native.
Instead of treating logs as raw data, the MCP model turns them into actionable insights accessible via natural language. This shift has major implications for:
- Security Operations (SecOps)
- Compliance Reporting
- Incident Response
- Cloud Governance
It also lays the foundation for a new wave of AI-native DevSecOps tooling that integrates seamlessly into the developer and operations workflow.
📥 Resources
- Download CloudTrail MCP Server: AWS Labs MCP Repository on GitHub
- Read Documentation: CloudTrail MCP Server Docs
- Learn More: AWS CloudTrail Overview
✅ Conclusion
The AWS CloudTrail MCP server is a major step toward AI-native cloud security. By simplifying how teams analyze audit logs and perform compliance checks, AWS is giving organizations the tools they need to stay secure and compliant at scale.
If your organization is exploring AI assistants for cloud operations, the CloudTrail MCP server is the perfect place to start.