How to Use MCP Server for Real‑Time AccessKey Security Audits in Cloud Native Environments

1. Security Alert

In the early hours, an operations engineer receives an alarm about an AccessKey (AK) that should have been disabled but performed sensitive actions in production. The incident raises questions about possible intrusion, insider threat, and the extent of damage.

2. Environment Preparation

The company has previously enabled Alibaba Cloud Observability (Cloud Monitor 2.0) to ship operation audit logs to Log Service (SLS). These logs contain key fields such as AccessKey usage, user identity, event type, and timestamps.

The MCP server (MCP-Server-Aliyun-Observability) is an Alibaba Cloud AI assistant that can answer natural‑language queries over SLS logs and ARMS data.

Two operating modes are supported:

stdio mode – the client launches the MCP server as a subprocess and communicates via standard input/output.

SSE mode – the MCP server runs independently and listens on a port for client connections.

Common MCP clients include Claude Desktop, Cursor, Cherry Studio, and VSCode extensions.

Example JSON configuration (replace with actual AK credentials):

{
  "mcpServers": {
    "aliyun_observability": {
      "command": "uvx",
      "args": [
        "mcp-server-aliyun-observability",
        "--access-key-id", "<strong>AlibabaAKId</strong>",
        "--access-key-secret", "<strong>AlibabaAKSecret</strong>"
      ]
    }
  }
}

3. Practical Cases

Case 1: Trace Suspicious AK Activity

Engineer asks: "Check AK 'LN......7' – what has it done recently? List operation types and timestamps."

The MCP server returns that the AK performed a SLS project query during the early morning, flagging it as anomalous.

Case 2: Identify High‑Risk Operations

Engineer asks: "In the past week, who performed delete or update actions? Show the most suspicious users, services, and event names."

The system reports a developer’s AK repeatedly executing delete operations, later traced to malware on the developer’s machine.

Case 3: Monitor Root Account Usage

Engineer asks: "Has anyone used the Root AK in the last month? List users and specific actions."

Root AK usage is highlighted, emphasizing the need for strict monitoring of this privileged key.

Case 4: System Activity Overview

Engineer asks: "Show the latest 10 cloud service access events."

The query returns recent events, giving a macro view of system activity and helping spot abnormal patterns.

4. Summary and Outlook

By integrating operation audit logs with the MCP server, security investigations become interactive, real‑time conversations rather than tedious log digging. This approach enables rapid detection, root‑cause analysis, and proactive defense in cloud‑native environments.