Constructing AIOps with Amazon Q Developer CLI and MCP Server

IT groups face mounting challenges as they handle more and more advanced infrastructure and functions, usually spending numerous hours manually figuring out operational points, troubleshooting issues, and performing repetitive upkeep duties. This operational burden diverts invaluable technical sources from innovation and strategic initiatives. Synthetic intelligence for IT operations (AIOps) presents a transformative answer, utilizing AI to automate operational workflows, detect anomalies, and resolve incidents with minimal human intervention. Organizations can optimize their operational effectivity whereas sustaining safety as they handle their infrastructure and functions.

You need to use Amazon Q Developer CLI and Mannequin Context Protocol (MCP) servers to construct highly effective AIOps options that may scale back guide effort by way of pure language interactions. Amazon Q Developer might help builders and IT professionals with a lot of their duties—from coding, testing, and deploying, to troubleshooting, performing safety scanning and fixes, modernizing functions, optimizing AWS sources, and creating knowledge engineering pipelines. The MCP extends these capabilities by enabling Amazon Q to attach with customized instruments and companies by way of a standardized interface, permitting for extra refined operational automations.

On this submit, we talk about how you can implement a low-code no-code AIOps answer that helps organizations monitor, determine, and troubleshoot operational occasions whereas sustaining their safety posture. We present how these applied sciences work collectively to automate repetitive duties, streamline incident response, and improve operational effectivity throughout your group.

That is the third submit in a sequence on AIOps utilizing generative AI companies on AWS. Discuss with the next two posts for constructing AIOps utilizing Amazon Bedrock and Amazon Q Enterprise:

Answer overview

MCP servers act like a common connector for AI fashions, enabling them to work together with exterior methods, fetch reside knowledge, and combine with numerous instruments seamlessly. This helps Amazon Q present extra contextually related help by accessing the knowledge it wants in actual time. The next structure diagram illustrates how you should use a single configuration file, mcp.json, to configure MCP servers in Amazon Q Developer CLI to hook up with exterior methods.

The workflow consists of the next steps:

1. The consumer configures an MCP shopper in Amazon Q Developer CLI utilizing the mcp.json file.
2. The consumer logs in to Amazon Q Developer CLI and asks operational queries in pure language.
3. Relying in your question, Amazon Q decides which MCP servers that you simply configured or current instruments to invoke to carry out the duty.
4. The MCP server interacts with the respective exterior system to get the reside knowledge that’s utilized by Amazon Q to carry out the required job.

On this submit, we present how you can use Amazon Q Developer CLI to handle the next operational points:

Conditions

Full the next conditions earlier than you begin organising the demo:

Configure MCP in Amazon Q Developer CLI

MCP configuration in Amazon Q Developer CLI is managed by way of JSON recordsdata. You’ll configure the Amazon Bedrock Information Base Retrieval MCP Server. On the time of writing, solely the stdio transport is supported in Amazon Q Developer CLI.

Amazon Q Developer CLI helps two ranges of MCP configuration:

• World configuration – Makes use of ~/.aws/amazonq/mcp.json and applies to all workspaces
• Workspace configuration – Makes use of .amazonq/mcp.json and is restricted to the present workspace

For this submit, we use the workspace configuration, however you will have choice to make use of both of them.

1. Create a brand new workspace folder, and inside that folder, create the file .amazonq/mcp.json with the next content material:

{
  "mcpServers": {
    "awslabs.bedrock-kb-retrieval-mcp-server": {
      "command": "uvx",
      "args": ["awslabs.bedrock-kb-retrieval-mcp-server@latest"],
      "env": {
        "AWS_PROFILE": "your-profile-name ",
        "AWS_REGION": "your-region",
        "FASTMCP_LOG_LEVEL": "ERROR",
        "KB_INCLUSION_TAG_KEY": "title=aiops-knowledge-base",
        "BEDROCK_KB_RERANKING_ENABLED": "false"
      },
      "disabled": false,
      "autoApprove": []
    }  
  }
}

See the AWS MCP Servers GitHub repository for an up to date record of accessible MCP servers.

2. Open a terminal, navigate to the workspace folder that you simply created, and run the next command to log in to Amazon Q Developer CLI:

3. Observe the directions to log in to Amazon Q Developer on the command line.
4. Provoke the chat session by working q after which run /instruments to validate that the Amazon Bedrock Information Base Retrieval MCP server is configured.

Device permissions have two doable states:

• Trusted – Amazon Q can use the instrument with out asking for affirmation every time
• Per-request – Amazon Q should ask in your affirmation every time earlier than utilizing the instrument

By default, this instrument won’t be trusted.

5. Run /instruments belief awslabsbedrock_kb_retrieval_mcp_server___QueryKnowledgeBases to belief the MCP server.

6. Run the /instruments command once more to validate it.

Deploy AWS sources

Deploy the next AWS CloudFormation template to deploy the AWS sources that you’ll use to check AIOps. You’ll be able to deploy this template in both the us-east-1 or us-west-2 AWS Area. You’ll be able to deploy it in different Areas by updating the relevant AMI IDs within the template. This template will deploy two EC2 situations and three S3 buckets.

This CloudFormation template is for demo functions solely and never meant for manufacturing utilization.

AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  This template creates the required AWS sources which might be used to check AIOps utilizing 
  Amazon Q Developer CLI with MCP server integration.
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Community
        Parameters:
          - SecurityGroupIngressCidrIp
      - Label:
          default: Common
        Parameters:
          - Prefix
    ParameterLabels:
      SecurityGroupIngressCidrIp:
        default: Safety group ingress CIDR IP
Parameters:
  Prefix:
    Kind: String
    Description: Distinctive title prefix for sources which can be created by the stack.
    ConstraintDescription: >-
      should not begin with a splash, and should solely comprise lowercase a-z, digits,
      and a splash.
    AllowedPattern: ^[a-z0-9][a-z0-9-]+$
    MinLength: 1
    MaxLength: 30
    Default: aiops-qdevcli
  SecurityGroupIngressCidrIp:
    Kind: String
    Description: >-
      IPv4 tackle in CIDR format for allowed incoming site visitors to the EC2 occasion. Defaults to permitting all IPs.
    ConstraintDescription: >-
      have to be within the type x.x.x.x/s, the place x is 0-255, and s is 0-32.
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]).){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(/([0-9]|[1-2][0-9]|3[0-2]))$
    Default: 0.0.0.0/0
Assets:
  # AIOps Amazon S3 bucket1
  AIOpsQDeveloperCliS3Bucket1:
    Kind: AWS::S3::Bucket
    Properties:
      AccessControl: Non-public
      BucketName:
        Fn::Sub: ${Prefix}-bucket1-${AWS::AccountId}
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  # AIOps Amazon S3 bucket2
  AIOpsQDeveloperCliS3Bucket2:
    Kind: AWS::S3::Bucket
    Properties:
      AccessControl: Non-public
      BucketName:
        Fn::Sub: ${Prefix}-bucket2-${AWS::AccountId}
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  # AIOps Amazon S3 bucket3
  AIOpsQDeveloperCliS3Bucket3:
    Kind: AWS::S3::Bucket
    Properties:
      AccessControl: Non-public
      BucketName:
        Fn::Sub: ${Prefix}-bucket3-${AWS::AccountId}
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  # AIOps Knowledgebase S3 bucket
  AIOpsQDeveloperKBS3Bucket:
    Kind: AWS::S3::Bucket
    Properties:
      AccessControl: Non-public
      BucketName:
        Fn::Sub: ${Prefix}-kb-${AWS::AccountId}
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  # AIOps VPC sources
  AIOpsQDeveloperCliVPC:
    Kind: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      Tags:
        - Key: Identify
          Worth: AIOpsQDeveloperCliVPC
  AIOpsQDeveloperCliSubnet1:
    Kind: AWS::EC2::Subnet
    Properties:
      CidrBlock: 10.0.1.0/24
      VpcId:
        Ref: AIOpsQDeveloperCliVPC
      AvailabilityZone: !Choose 
        - 0
        - !GetAZs 
          Ref: 'AWS::Area'
      Tags:
        - Key: Identify
          Worth: AIOpsQDeveloperCliSubnet1
  AIOpsQDeveloperCliSubnet2:
    Kind: AWS::EC2::Subnet
    Properties:
      CidrBlock: 10.0.3.0/24
      VpcId:
        Ref: AIOpsQDeveloperCliVPC
      AvailabilityZone: !Choose 
        - 1
        - !GetAZs 
          Ref: 'AWS::Area'
      Tags:
        - Key: Identify
          Worth: AIOpsQDeveloperCliSubnet2
  AIOpsQDeveloperIGW:
    Kind: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Identify
          Worth: AIOpsQDeveloperIGW
  AIOpsQDeveloperCliVPCGatewayAttachment:
    Kind: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId:
        Ref: AIOpsQDeveloperIGW
      VpcId:
        Ref: AIOpsQDeveloperCliVPC
  AIOpsQDeveloperCliRT:
    Kind: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Ref: AIOpsQDeveloperCliVPC
      Tags:
        - Key: Identify
          Worth: AIOpsQDeveloperCliRT
  AIOpsRoute:
    Kind: AWS::EC2::Route
    DependsOn:
      - AIOpsQDeveloperCliVPCGatewayAttachment
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId:
        Ref: AIOpsQDeveloperIGW
      RouteTableId:
        Ref: AIOpsQDeveloperCliRT
  AIOpsQDeveloperCliSubnetRouteTableAssociation1:
    Kind: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: AIOpsQDeveloperCliRT
      SubnetId:
        Ref: AIOpsQDeveloperCliSubnet1
  AIOpsQDeveloperCliSubnetRouteTableAssociation2:
    Kind: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: AIOpsQDeveloperCliRT
      SubnetId:
        Ref: AIOpsQDeveloperCliSubnet2
  AIOpsQDeveloperCliSG1:
    Kind: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: >-
        Permits incoming site visitors on port 5080 and denies all outgoing site visitors.
      SecurityGroupEgress:
        - Description: Denies all outgoing site visitors.
          IpProtocol: -1
          CidrIp: 0.0.0.0/32
      SecurityGroupIngress:
        - Description: Permits incoming TCP site visitors on port 22.
          IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp:
            Ref: SecurityGroupIngressCidrIp        
      VpcId:
        Ref: AIOpsQDeveloperCliVPC
      Tags:
        - Key: Identify
          Worth: AIOpsQDeveloperCliSG1
  AIOpsQDeveloperCliSG2:
    Kind: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: >-
        Permits incoming site visitors on port 5080 and denies all outgoing site visitors.
      SecurityGroupEgress:
        - Description: Denies all outgoing site visitors.
          IpProtocol: -1
          CidrIp: 0.0.0.0/32
      SecurityGroupIngress:
        - Description: Permits incoming TCP site visitors on port 5080.
          IpProtocol: tcp
          FromPort: 5080
          ToPort: 5080
          CidrIp:
            Ref: SecurityGroupIngressCidrIp
        - Description: Permits incoming TCP site visitors on port 22.
          IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp:
            Ref: SecurityGroupIngressCidrIp        
      VpcId:
        Ref: AIOpsQDeveloperCliVPC
      Tags:
        - Key: Identify
          Worth: AIOpsQDeveloperCliSG2
  EC2KeyPair:
    Kind: AWS::EC2::KeyPair
    Properties:
      KeyName: 
        Fn::Sub: ${Prefix}-keypair-${AWS::AccountId}
  # EC2 occasion to demo excessive CPU Utilization AIOps  
  EC2InstanceHighCPUUtilDemo:
    Kind: AWS::EC2::Occasion
    Properties:
      InstanceType: t2.micro
      KeyName: !Ref EC2KeyPair      
      ImageId: !FindInMap [RegionMap, !Ref 'AWS::Region', AL2023]
      NetworkInterfaces:
        - AssociatePublicIpAddress: true
          DeviceIndex: 0
          SubnetId: !Ref AIOpsQDeveloperCliSubnet1
          GroupSet: 
            - !Ref AIOpsQDeveloperCliSG1
      Tags:
        - Key: Identify
          Worth:
            Fn::Sub: ${Prefix}-high-cpu-util
  # EC2 occasion to demo undesirable open port detection AIOps  
  EC2InstanceOpenPortDemo:
    Kind: AWS::EC2::Occasion
    Properties:
      InstanceType: t2.micro
      KeyName: !Ref EC2KeyPair      
      ImageId: !FindInMap [RegionMap, !Ref 'AWS::Region', AL2023]
      NetworkInterfaces:
        - AssociatePublicIpAddress: true
          DeviceIndex: 0
          SubnetId: !Ref AIOpsQDeveloperCliSubnet1
          GroupSet: 
            - !Ref AIOpsQDeveloperCliSG2
      Tags:
        - Key: Identify
          Worth:
            Fn::Sub: ${Prefix}-open-port-demo
  CPUUtilizationAlarm:
    Kind: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: 
        Fn::Sub: ${Prefix}-EC2-Occasion-CPU-Utilization
      AlarmDescription: Alarm when server CPU exceeds 70%
      ComparisonOperator: GreaterThanThreshold
      EvaluationPeriods: 1
      MetricName: CPUUtilization
      Namespace: AWS/EC2
      Interval: 60
      Statistic: Common
      Threshold: 70.0
      ActionsEnabled: false
      Dimensions:
        - Identify: InstanceId
          Worth: !Ref EC2InstanceHighCPUUtilDemo
      Unit: %
Mappings:
  RegionMap:
    us-east-1:
      AL2023: ami-085ad6ae776d8f09c
    us-west-2:
      AL2023: ami-0005ee01bca55ab66
Outputs:
  AIOpsQDeveloperCliS3Bucket1:
    Description: S3 bucket created for testing AIOps
    Worth:
      Ref: AIOpsQDeveloperCliS3Bucket1
  AIOpsQDeveloperCliS3Bucket2:
    Description: S3 bucket created for testing AIOps
    Worth:
      Ref: AIOpsQDeveloperCliS3Bucket2
  AIOpsQDeveloperCliS3Bucket3:
    Description: S3 bucket created for testing AIOps
    Worth:
      Ref: AIOpsQDeveloperCliS3Bucket3
  AIOpsQDeveloperKBS3Bucket:
    Description: S3 bucket created for testing AIOps
    Worth:
      Ref: AIOpsQDeveloperKBS3Bucket
  EC2InstanceHighCPUUtilDemo:
    Description: EC2 occasion for testing AIOps
    Worth:
      Ref: EC2InstanceHighCPUUtilDemo
  EC2InstanceOpenPortDemo:
    Description: EC2 occasion for testing AIOps
    Worth:
      Ref: EC2InstanceOpenPortDemo

Validate that the template deployed two EC2 situations, that are in Operating state.

Moreover, validate that the template created three S3 buckets with the names aiops-qdevcli-bucketX- and one bucket with the title aiops-qdevcli- in your chosen Area.

Create an Amazon Bedrock data base

Add the pattern excessive CPU utilization runbook to the aiops-qdevcli- bucket. Create a data base pointing to the bucket, and word the data base ID to make use of within the first instance use case.

Use case 1: Determine and remediate excessive CPU utilization in an EC2 occasion

On this use case, you introduce CPU stress in one of many EC2 situations after which use Amazon Q Developer CLI to determine and remediate it.

1. On the Amazon EC2 console, log in to the aiops-qdevcli-high-cpu-util occasion utilizing EC2 Occasion Join.
2. Run the next command to put in stress-ng:

sudo dnf set up stress-ng

3. Run the next command to emphasize the EC2 occasion for 1 hour:

stress-ng --cpu 1 --timeout 3600s

You could wait roughly 10 minutes for the Amazon CloudWatch alarm to get triggered.

4. Return to the Amazon EC2 console and examine that the aiops-qdevcli-high-cpu-util occasion is at the moment in Alarm state.
5. From the Amazon Q Developer CLI, use a pure language question to examine for operation points in your account. Use the data base ID that you simply saved within the earlier part.

Amazon Q Developer CLI autocorrects the errors that it encountered whereas working the instructions.

Watch the next video for extra particulars.

Because of the inherent nondeterministic nature of the FMs, the responses you obtain from Amazon Q Developer CLI may not be precisely the identical as these proven within the demo.

Use case 2: Determine and take away public entry from an S3 bucket

On this use case, you’ll simulate an unintended safety problem by unblocking public entry for one of many buckets after which use Amazon Q Developer CLI to determine and remediate the difficulty.

1. On the Amazon S3 console, open one of many aiops-qdevcli-xxxx buckets, and on the Permissions tab, select Edit and alter Block all public entry to Off.

2. Return to the Amazon Q Developer CLI and ask questions in pure language to determine and remediate the operational problem.

Watch the next video for extra particulars.

Use case 3: Determine and block a particular undesirable open port for inbound connection to an EC2 occasion

On this use case, you’ll use Amazon Q Developer CLI to determine the EC2 occasion that has a particular port open after which shut the port.

1. On the Amazon EC2 console, word that the aiops-qdevcli-open-port-demo occasion has port 5080 open for all inbound TCP connections. That is an undesirable safety threat that you simply need to determine and remediate.

2. Return to Amazon Q Developer CLI and use pure language queries to determine the EC2 occasion with port 5080 open and repair the difficulty.

Watch the next video for particulars.

Clear up

Correctly decommissioning provisioned AWS sources is a crucial greatest observe to optimize prices and improve safety posture after concluding proofs of idea and demonstrations. Full the next steps to delete the sources created in your AWS account:

1. On the Amazon Bedrock console, delete the Amazon Bedrock data base.
2. On the Amazon S3 console, empty the aiops-qdevcli-kb-xxx bucket.
3. On the AWS CloudFormation console, delete the CloudFormation stack.

In its place, attempt the previous steps utilizing pure language queries in Amazon Q Developer CLI.

4. Lastly, delete the .amazonq/mcp.json file out of your workspace folder to take away the MCP configuration for Amazon Q Developer CLI.

Conclusion

On this submit, we confirmed how Amazon Q Developer CLI interprets pure language queries, mechanically converts them into applicable instructions, and identifies the required instruments for execution. The answer’s clever error-handling capabilities analyze logs and carry out auto-corrections, minimizing guide intervention. By implementing Amazon Q Developer CLI, you’ll be able to improve your crew’s operational effectivity, scale back human errors, and handle advanced environments extra successfully by way of a conversational interface.We encourage you to discover extra use instances and share your suggestions with us. For extra data on Amazon Q Developer CLI and AWS MCP servers, check with the next sources:

Concerning the authors

Biswanath Mukherjee is a Senior Options Architect at Amazon Net Providers. He works with giant strategic clients of AWS by offering them technical steering emigrate and modernize their functions on AWS Cloud. Together with his intensive expertise in cloud structure and migration, he companions with clients to develop revolutionary options that leverage the scalability, reliability, and agility of AWS to fulfill their enterprise wants. His experience spans numerous industries and use instances, enabling clients to unlock the total potential of the AWS Cloud.

Upendra V is a Senior Options Architect at Amazon Net Providers, specializing in Generative AI and cloud options. He helps enterprise clients design and deploy production-ready Generative AI workloads, implement Massive Language Fashions (LLMs) and Agentic AI methods, and optimize cloud deployments. With experience in cloud adoption and machine studying, he allows organizations to construct and scale AI-driven functions effectively.