Architecting Secure MCP Solutions on AWS: From Threats to Mitigations

This post is co-authored by Luca Perrozzi.

As the Model Context Protocol (MCP) gains traction as a way to connect large language models (LLMs) with external tools and data sources, it's essential to understand the security implications of implementing MCP in AWS environments. This blog post examines the technical architecture of MCP, explores potential security threats, reviews AWS-specific implementation options, and provides actionable strategies to mitigate risks.

What is Model Context Protocol (MCP): Technical Overview

The Model Context Protocol (MCP) is an open standard developed by Anthropic that enables standardized communication between Large Language Models (LLMs) like Claude and external tools, APIs, and data sources. Think of MCP as a universal translation layer that offers APIs to LLMs in the form of tools and functions.

Architecture Components

MCP follows a client-server architecture with three main components:

MCP Hosts: These are LLM applications like Claude Desktop, Cursor IDE, or other AI tools that require access to data through MCP.
MCP Clients: Each host runs one or multiple MCP clients that maintain a 1:1 relationship with MCP servers.
MCP Servers: These servers run the tools that hosts want to call, either locally or on remote infrastructure.

Transport Layer

The MCP specification currently allows for several transport mechanisms:

Stdio (standard input/output): Enables communication through input and output streams, useful for local integrations and command-line tools.
HTTP with SSE (Server-Sent Events): Uses Server-Sent Events for server-to-client messages and HTTP POST for client-to-server messages.
Streamable HTTP: A newer addition to the specification (March 2025) enabling simpler network communication.

All transports use JSON-RPC 2.0 for message exchange, with standardized message types including Requests, Results, Errors, and Notifications.

MCP Capabilities

MCP servers provide three primary capabilities:

Resources: Allow MCP servers to expose data that can be used as context for LLM interactions.
Prompts: Enable servers to define reusable prompt templates and workflows.
Tools: Perhaps the most significant capability, tools allow servers to expose executable functionality to clients, enabling LLMs to interact with external systems.

Connection and Messaging Lifecycle
The MCP lifecycle consists of two flows:

Connection lifecycle: Initialization between client and server, where capabilities are exchanged.
Messaging lifecycle: The actual exchange of requests and responses between the client and server.

MCP Security Threats and Risks

Despite its benefits, MCP introduces several significant security risks that organizations must address:

1. Tool Poisoning Attacks

Tool poisoning occurs when malicious instructions are hidden in tool descriptions themselves—visible to the LLM but not normally displayed to users. For example, a seemingly innocent tool like add() might contain hidden instructions that direct the LLM to read sensitive files and exfiltrate their contents to an external server. (https://simonwillison.net/2025/Apr/9/mcp-prompt-injection/)

2. Rug Pull and Tool Shadowing Attacks

MCP tools can change their definitions after installation without user notification. A tool might initially appear safe but later modify its behavior to perform malicious actions. Similarly, with multiple servers connected to the same agent, a malicious server can override or intercept calls made to a trusted one.
(https://simonwillison.net/2025/Apr/9/mcp-prompt-injection/)

3. Prompt Injection Vulnerabilities

MCP-integrated AI systems are susceptible to prompt injection attacks where attackers craft inputs that cause the AI to execute unintended commands. This risk is particularly concerning given the difficulty distinguishing between legitimate and malicious prompts. (https://blog.treblle.com/model-context-protocol-ai-security/)

4. Over-Privileged Access

Improper configuration of MCP can result in AI models obtaining excessive privileges, granting them unauthorized access to sensitive systems or data. Most MCP servers, both official and unofficial, do not offer native mechanisms to restrict which downstream functions an LLM can access. (https://blog.treblle.com/model-context-protocol-ai-security/)

5. Supply Chain Vulnerabilities

Integrating third-party tools through MCP introduces supply chain risks. If these external tools are compromised, they can serve as attack vectors, jeopardizing the security of the entire AI system. (https://protectai.com/blog/mcp-security-101)

6. Data Leakage and Privacy Concerns

MCP's design requires sharing data between AI models and external tools, raising concerns about potential data leakage and privacy violations. Without stringent data handling and encryption protocols, sensitive information may be exposed during these interactions. (https://blog.treblle.com/model-context-protocol-ai-security/)

7. Lack of Observability

Without built-in monitoring, it becomes difficult to trace activity or correlate actions back to specific prompts, making auditing and incident response significantly harder. (https://protectai.com/blog/mcp-security-101)

8. No Approval Workflows

MCP currently lacks out-of-the-box, human-in-the-loop workflows for critical actions. There is no way for users or centralized IT and security teams to review and approve high-risk function calls before execution. (https://blog.treblle.com/model-context-protocol-ai-security/)

Real-World Examples

Recent security research has demonstrated several concerning exploit scenarios (https://simonwillison.net/2025/Apr/9/mcp-prompt-injection/):

WhatsApp MCP Exploit: Researchers demonstrated how a malicious MCP server could exfiltrate a user's entire WhatsApp message history by using a tool-shadowing technique that redirected messages to an attacker-controlled number.
Remote Code Execution: Improperly secured MCP servers can lead to remote code execution vulnerabilities, such as passing unescaped strings to os.system().
Obfuscation Techniques: Attackers can hide malicious content using UI elements like scrollbars and whitespace to make it difficult for users to detect data exfiltration.

Current Solutions for Building MCP on AWS

AWS offers several approaches for building and deploying MCP servers in a secure, scalable manner:

1. AWS MCP Servers

AWS has developed a suite of specialized MCP servers that help users get the most out of AWS services (please refer to Link 1, Link 2, Link 3):

Core MCP Server: Manages and coordinates other AWS Labs MCP servers with features like automatic MCP Server Management and centralized configuration.
AWS Documentation MCP Server: Provides tools to access AWS documentation, search for content, and get recommendations.
Amazon Bedrock Knowledge Bases Retrieval MCP Server: Enables accessing Amazon Bedrock Knowledge Bases with features for discovering knowledge bases and querying them with natural language.
AWS CDK MCP Server: Provides AWS CDK best practices, infrastructure as code patterns, and security compliance with CDK Nag.
Cost Analysis MCP Server: Enables analyzing and visualizing AWS costs, querying cost data with natural language, and generating cost reports.
Amazon Nova Canvas MCP Server: Allows generating images using Amazon Nova Canvas with text-based and color-guided image generation capabilities.
AWS Diagram MCP Server: Supports creating diagrams using the Python diagrams package DSL.
AWS Lambda MCP Server: Acts as a bridge between MCP clients and AWS Lambda functions, allowing models to access and run Lambda functions as tools.

2. Deployment Options on AWS

There are several ways to deploy MCP servers on AWS:

Amazon ECS: Deploy MCP servers as containerized applications on Amazon ECS. This approach treats MCP servers like any other backend service.
Amazon Bedrock Agents: Use Amazon Bedrock inline agents which now support connecting to MCP servers. This requires setting up the MCP servers with proper AWS credentials to access services like Cost Explorer API and CloudWatch Logs.
Custom Implementation: Build custom MCP clients using Spring AI or directly on the Amazon Bedrock Converse API using AWS SDKs or REST APIs.

Mitigating MCP Security Risks on AWS

To secure MCP implementations on AWS, organizations should implement a defense-in-depth approach:

1. Apply Identity and Access Management Best Practices

Implement the Principle of Least Privilege:

Grant only the permissions necessary for MCP servers to function.
Use AWS IAM Access Analyzer to identify overly permissive policies.
Implement AWS Permission Boundaries to limit the actions that MCP servers can perform.
Use Service Control Policies to set permission boundaries at the account level.

Strong Authentication:

Enable Multi-Factor Authentication (MFA) for all AWS users who manage MCP resources.
Use IAM roles for services instead of long-term access keys.
Rotate AWS access keys regularly if they must be used.
Implement OAuth 2.1 for authorization between MCP components when possible.

Third-Party Access Control:

Require External IDs for third-party roles that interact with MCP servers.
Track and audit third-party activity regularly.

2. Secure Data Handling and Network Protection

Encryption:

Encrypt data at rest using AWS Key Management Service (KMS).
Use Transport Layer Security (TLS) for all data transmitted between AI agents and MCP servers.
Implement end-to-end encryption for both stored and in-transit context information.

Network Security:

Configure security groups to restrict inbound traffic to MCP servers, allowing access only from specific IP addresses or networks.
Use VPCs and network ACLs to further isolate MCP workloads.
Implement Web Application Firewalls (WAF) to protect publicly exposed API endpoints.

3. Implement Robust Monitoring and Response

Enable Comprehensive Logging:

Use AWS CloudTrail to monitor and record all API activities related to MCP servers.
Enable AWS Config Rules to detect and respond to configuration changes.
Implement continuous monitoring systems to detect suspicious activities like repeated session replays or prompt anomalies.

Observability Solutions:

Establish metrics and alerts for MCP server activity using Amazon CloudWatch.
Consider using AWS Security Hub to aggregate and prioritize security findings related to MCP implementations.
Develop and maintain incident response protocols to promptly address and mitigate the impact of security breaches.

4. MCP-Specific Security Controls

Tool Validation and Verification:

Only use verified MCP servers from trusted sources like AWS Labs.
Implement regular scanning and validation of MCP server code before deployment.
Apply traditional supply chain security controls like cryptographic signing, version pinning, and package verification to MCP dependencies.

Context Validation:

Implement input validation and sanitization for all data processed by MCP servers.
Conduct regular context auditing and sanitization to prevent injection attacks.

Approval Workflows:

Implement human-in-the-loop approval workflows for sensitive MCP operations.
Consider using tools like HumanLayer to enforce review workflows for sensitive downstream operations.

5. Practical Implementation Steps for AWS

Infrastructure as Code (IaC):

Define and deploy MCP infrastructure consistently with AWS CloudFormation or AWS CDK.
Use the AWS CDK MCP Server to ensure infrastructure follows AWS Well-Architected principles.

Container Security:

If deploying MCP servers as containers on ECS or elsewhere, implement container security best practices.
Scan container images for vulnerabilities before deployment.

Secure Configuration:

When configuring MCP servers on AWS, avoid using default settings and instead apply security-focused configurations.
Regularly review security groups and network ACLs associated with MCP resources.

Conclusion

The Model Context Protocol represents a significant advancement in how LLMs interact with external tools and data sources, but it also introduces new security challenges that must be addressed proactively. By understanding the architecture of MCP, recognizing potential threats, and implementing robust security controls on AWS, organizations can safely leverage this powerful protocol while minimizing risks.
AWS provides numerous services and tools that can help secure MCP implementations, from comprehensive identity and access management to robust monitoring and encryption capabilities. By following the guidance outlined in this blog post, you can build MCP servers on AWS that are both powerful and secure.
As MCP continues to evolve, staying informed about the latest security best practices and AWS capabilities will be essential for maintaining a strong security posture. Remember that security is a shared responsibility between AWS and you as the customer, particularly when implementing emerging technologies like MCP.

Authors

Roberto Catalano

Roberto is a Solutions Architect at Amazon Web Services (AWS), based in Switzerland. With over 6 years of expertise in consulting, cloud computing, solutions architecture, and cyber security, he is an ardent technology enthusiast. His practical knowledge spans various domains, encompassing cyber security, networking, and IoT deployments.

Luca Perrozzi

Luca is a Sr. Solutions Architect at Amazon Web Services (AWS), based in Switzerland. He focuses on innovation topics at AWS, especially in the area on Data Analytics and Artificial Intelligence. Luca holds a PhD in particle physics and has 15 years of hands-on experience as a research scientist and software engineer.

Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.

Site Terms, Privacy, and more.