All skills
Skillintermediate

Security Architecture

The AWS MCP Server implements a clear three-layer security model with separation of concerns.

Claude Code Knowledge Pack7/10/2026

Overview

Security Architecture

The AWS MCP Server implements a clear three-layer security model with separation of concerns.

Security Model

Command → Sandbox → AWS CLI → IAM Policy → AWS Cloud
LayerResponsibilityWhat It Controls
IAM PoliciesAWS API permissionsWhat AWS operations succeed or fail
SandboxProcess isolationFilesystem access, process restrictions
DockerContainer isolationAvailable binaries, attack surface

Layer 1: IAM Policies (Primary Security)

IAM is your primary security control. The MCP server does not filter AWS commands - security is delegated to IAM policies.

The server executes AWS CLI commands using the credentials you provide (via mounted ~/.aws or environment variables).

Key Principles

  • Least Privilege: Configure IAM with minimum necessary permissions
  • No Root Credentials: Never use AWS account root user credentials
  • Scoped Permissions: Use resource-based conditions when possible

Example: Read-Only Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "ec2:Describe*",
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*"
    }
  ]
}

With this policy, attempts to run aws iam create-user will return AccessDenied.

Layer 2: Sandbox Execution

When running outside Docker, the server provides OS-level process isolation.

Supported Backends

PlatformBackendRequirements
LinuxLandlock LSMKernel 5.13+ with Landlock enabled
LinuxBubblewrapbwrap installed (fallback)
macOSSeatbeltBuilt-in (sandbox-exec)

Configuration

VariableValuesDefault
AWS_MCP_SANDBOXauto, disabled, requiredauto
AWS_MCP_SANDBOX_CREDENTIALSenv, aws_config, bothboth

Sandbox Restrictions

  • Read-only access to system paths (/usr, /bin, /lib, /etc)
  • Write access limited to /tmp and current directory
  • Network access enabled (required for AWS API calls)

Layer 3: Docker Container

Docker provides the strongest isolation with a hardened container.

Container Hardening

SettingPurpose
read_only: trueRead-only filesystem
tmpfs mountsWritable /tmp with size limits
no-new-privileges:truePrevents privilege escalation
cap_drop: ALLDrops all Linux capabilities
pids_limit: 100Prevents fork bomb attacks

Minimal Image

The Docker image contains only essential packages:

  • Included: AWS CLI, jq, basic text processing (grep, head, tail, sort, wc)
  • Excluded: Debug tools, compilers, package managers

This minimal image limits what piped commands can execute.

Volume Mounts

volumes:
  - ~/.aws:/home/appuser/.aws:ro

Credentials are mounted read-only.

Why No Application-Layer Command Filtering?

Previous versions attempted complex command filtering. This was removed because:

  1. Wrong Layer: AWS permissions belong in IAM, not application code
  2. Inconsistent: Piped commands bypassed filtering anyway
  3. False Security: Pattern matching can be circumvented
  4. Maintenance Burden: Keeping rules current is error-prone

The current model follows the principle: use the right tool for each job.

Trusted User Model

The server assumes the end-user interacting with the MCP client is the same trusted individual who configured the server.

  • Do not expose the server to untrusted users
  • IAM policies are the defense against credential misuse

Best Practices

  1. Use Docker for production deployments
  2. Apply least-privilege IAM - this is your primary security control
  3. Enable sandbox when not using Docker
  4. Monitor CloudTrail - track all API activity
  5. Regular IAM audits - review permissions periodically

Deployment

Production (Docker)

docker compose up -d

Set AWS_MCP_SANDBOX=disabled - Docker provides isolation.

Development (Native)

python -m aws_mcp_server

# Require sandbox
AWS_MCP_SANDBOX=required python -m aws_mcp_server