
AWS Model Context Protocol Server

by alexei-led
security_config_example.yaml (18.9 kB)
```yaml
# AWS MCP Server Security Configuration Example
# Place this file at a location specified by AWS_MCP_SECURITY_CONFIG environment variable

# ---------------------------------------------------------------------------------
# 🔒 Security Rules Overview 🔒
# ---------------------------------------------------------------------------------
# The AWS MCP Server security system uses three layers of protection:
#
# 1. DANGEROUS_COMMANDS: Block specific commands that could compromise security
#    or lead to account takeover, privilege escalation, or audit tampering
#
# 2. SAFE_PATTERNS: Allow read-only and explicitly safe operations that
#    match dangerous patterns but are needed for normal operation
#
# 3. REGEX_RULES: Complex pattern matching for security risks that can't
#    be captured by simple command patterns
#
# How the layers work together:
# - First, the system checks if a command matches any dangerous pattern
# - If it does, the system then checks if it matches any safe pattern
# - If it matches a safe pattern, it's allowed despite being dangerous
# - Finally, the command is checked against all regex rules
# - Any match with a regex rule will block the command, regardless of other checks
#
# Security Mode:
# - Set AWS_MCP_SECURITY_MODE=strict (default) to enforce all rules
# - Set AWS_MCP_SECURITY_MODE=permissive to log warnings but allow execution
# ---------------------------------------------------------------------------------

# ---------------------------------------------------------------------------------
# 🔑 Identity and Access Control Security Rules
# ---------------------------------------------------------------------------------
# These rules focus on preventing identity-based attacks such as:
# - Account takeover via creation of unauthorized users/credentials
# - Privilege escalation by attaching permissive policies
# - Credential exposure through access key creation
# - Console password creation and MFA device manipulation
# ---------------------------------------------------------------------------------

# Commands considered dangerous by security category
# Keys are AWS service names, values are lists of command prefixes to block
dangerous_commands:
  # Identity and Access Management - core of security
  iam:
    # User management (potential backdoor accounts)
    - "aws iam create-user"               # Creates new IAM users that could persist after compromise
    - "aws iam update-user"               # Updates existing user properties

    # Credential management (theft risk)
    - "aws iam create-access-key"         # Creates long-term credentials that can be exfiltrated
    - "aws iam update-access-key"         # Changes status of access keys (enabling/disabling)
    - "aws iam create-login-profile"      # Creates console passwords for existing users
    - "aws iam update-login-profile"      # Updates console passwords

    # Authentication controls
    - "aws iam create-virtual-mfa-device" # Creates new MFA devices
    - "aws iam deactivate-mfa-device"     # Removes MFA protection from accounts
    - "aws iam delete-virtual-mfa-device" # Deletes MFA devices
    - "aws iam enable-mfa-device"         # Enables/associates MFA devices

    # Privilege escalation via policy manipulation
    - "aws iam attach-user-policy"        # Attaches managed policies to users
    - "aws iam attach-role-policy"        # Attaches managed policies to roles
    - "aws iam attach-group-policy"       # Attaches managed policies to groups
    - "aws iam create-policy"             # Creates new managed policies
    - "aws iam create-policy-version"     # Creates new versions of managed policies
    - "aws iam set-default-policy-version" # Changes active policy version

    # Inline policy manipulation (harder to detect)
    - "aws iam put-user-policy"           # Creates/updates inline policies for users
    - "aws iam put-role-policy"           # Creates/updates inline policies for roles
    - "aws iam put-group-policy"          # Creates/updates inline policies for groups

    # Trust relationship manipulation
    - "aws iam update-assume-role-policy" # Changes who can assume a role
    - "aws iam update-role"               # Updates role properties

  # Security Token Service - temporary credentials
  sts:
    - "aws sts assume-role"               # Assumes roles with potentially higher privileges
    - "aws sts get-federation-token"      # Gets federated access tokens

  # AWS Organizations - multi-account management
  organizations:
    - "aws organizations create-account"                  # Creates new AWS accounts
    - "aws organizations invite-account-to-organization"  # Brings accounts under org control
    - "aws organizations leave-organization"              # Removes accounts from organization
    - "aws organizations remove-account-from-organization" # Removes accounts from organization
    - "aws organizations disable-policy-type"             # Disables policy enforcement
    - "aws organizations create-policy"                   # Creates organization policies
    - "aws organizations attach-policy"                   # Attaches organization policies

  # ---------------------------------------------------------------------------------
  # 🔍 Audit and Logging Security Rules
  # ---------------------------------------------------------------------------------
  # These rules prevent attackers from covering their tracks by:
  # - Disabling or deleting audit logs (CloudTrail)
  # - Turning off compliance monitoring (Config)
  # - Disabling threat detection (GuardDuty)
  # - Removing alarm systems (CloudWatch)
  # ---------------------------------------------------------------------------------

  # CloudTrail - AWS activity logging
  cloudtrail:
    - "aws cloudtrail delete-trail"            # Removes audit trail completely
    - "aws cloudtrail stop-logging"            # Stops collecting audit logs
    - "aws cloudtrail update-trail"            # Modifies logging settings (e.g., disabling logging)
    - "aws cloudtrail put-event-selectors"     # Changes what events are logged
    - "aws cloudtrail delete-event-data-store" # Deletes storage for CloudTrail events

  # AWS Config - configuration monitoring
  config:
    - "aws configservice delete-configuration-recorder"   # Removes configuration tracking
    - "aws configservice stop-configuration-recorder"     # Stops recording configuration changes
    - "aws configservice delete-delivery-channel"         # Stops delivering configuration snapshots
    - "aws configservice delete-remediation-configuration" # Removes auto-remediation

  # GuardDuty - threat detection
  guardduty:
    - "aws guardduty delete-detector"                     # Disables threat detection completely
    - "aws guardduty disable-organization-admin-account"  # Disables central security
    - "aws guardduty update-detector"                     # Modifies threat detection settings

  # CloudWatch - monitoring and alerting
  cloudwatch:
    - "aws cloudwatch delete-alarms"          # Removes security alarm configurations
    - "aws cloudwatch disable-alarm-actions"  # Disables alarm action triggers
    - "aws cloudwatch delete-dashboards"      # Removes monitoring dashboards

  # ---------------------------------------------------------------------------------
  # 🔐 Data Security Rules
  # ---------------------------------------------------------------------------------
  # These rules prevent data exposure through:
  # - Secret and encryption key management
  # - Storage bucket permission controls
  # - Encryption settings management
  # ---------------------------------------------------------------------------------

  # Secrets Manager - sensitive credential storage
  secretsmanager:
    - "aws secretsmanager put-secret-value"   # Changes stored secrets
    - "aws secretsmanager update-secret"      # Updates secret properties
    - "aws secretsmanager restore-secret"     # Restores deleted secrets
    - "aws secretsmanager delete-secret"      # Removes sensitive secrets

  # KMS - encryption key management
  kms:
    - "aws kms disable-key"                   # Disables encryption keys
    - "aws kms delete-alias"                  # Removes key aliases
    - "aws kms schedule-key-deletion"         # Schedules deletion of encryption keys
    - "aws kms cancel-key-deletion"           # Cancels pending key deletion
    - "aws kms revoke-grant"                  # Revokes permissions to use keys

  # S3 - object storage security
  s3:
    - "aws s3api put-bucket-policy"           # Changes bucket permissions
    - "aws s3api put-bucket-acl"              # Changes bucket access controls
    - "aws s3api delete-bucket-policy"        # Removes bucket protection policies
    - "aws s3api delete-bucket-encryption"    # Removes encryption settings
    - "aws s3api put-public-access-block"     # Changes public access settings

  # ---------------------------------------------------------------------------------
  # 🌐 Network Security Rules
  # ---------------------------------------------------------------------------------
  # These rules prevent network-based attacks through:
  # - Security group modification (firewall rules)
  # - Network ACL changes
  # - VPC endpoint manipulation
  # ---------------------------------------------------------------------------------

  # EC2 network security
  ec2:
    - "aws ec2 authorize-security-group-ingress" # Opens inbound network access
    - "aws ec2 authorize-security-group-egress"  # Opens outbound network access
    - "aws ec2 revoke-security-group-ingress"    # Removes inbound security rules
    - "aws ec2 revoke-security-group-egress"     # Removes outbound security rules
    - "aws ec2 modify-vpc-endpoint"              # Changes VPC endpoint settings
    - "aws ec2 create-flow-logs"                 # Creates network flow logs
    - "aws ec2 delete-flow-logs"                 # Removes network flow logs
    - "aws ec2 modify-instance-attribute"        # Changes security attributes of instances

# ---------------------------------------------------------------------------------
# ✓ Safe Patterns
# ---------------------------------------------------------------------------------
# These patterns explicitly allow read-only operations that don't modify resources
# and pose minimal or no security risk, even if they match dangerous patterns.
# ---------------------------------------------------------------------------------

# Safe patterns that override dangerous commands
safe_patterns:
  # Universal safe patterns for any service
  general:
    - "--help"                  # Getting command help documentation
    - "help"                    # Getting command help documentation
    - "--version"               # Checking AWS CLI version
    - "--dry-run"               # Testing without making changes
    - "--generate-cli-skeleton" # Generating skeleton templates

  # Read-only IAM operations
  iam:
    - "aws iam get-"            # All get operations (reading resources)
    - "aws iam list-"           # All list operations (listing resources)
    - "aws iam generate-"       # Report generation
    - "aws iam simulate-"       # Policy simulation (no changes)
    - "aws iam tag-"            # Adding organizational tags is generally safe

  # Read-only STS operations
  sts:
    - "aws sts get-caller-identity"          # Checking current identity
    - "aws sts decode-authorization-message" # Decoding error messages

  # Read-only Organizations operations
  organizations:
    - "aws organizations describe-"  # Reading organization details
    - "aws organizations list-"      # Listing organization resources

  # Read-only CloudTrail operations
  cloudtrail:
    - "aws cloudtrail describe-"     # Reading trail configurations
    - "aws cloudtrail get-"          # Getting trail settings
    - "aws cloudtrail list-"         # Listing trails/events
    - "aws cloudtrail lookup-events" # Searching audit events

  # Read-only AWS Config operations
  config:
    - "aws configservice describe-"              # Reading configuration details
    - "aws configservice get-"                   # Getting configuration settings
    - "aws configservice list-"                  # Listing configuration resources
    - "aws configservice select-resource-config" # Querying resources

  # Read-only GuardDuty operations
  guardduty:
    - "aws guardduty describe-"      # Reading detector configurations
    - "aws guardduty get-"           # Getting detector settings/findings
    - "aws guardduty list-"          # Listing detectors/findings

  # Read-only CloudWatch operations
  cloudwatch:
    - "aws cloudwatch describe-"     # Reading alarm configurations
    - "aws cloudwatch get-"          # Getting metric data
    - "aws cloudwatch list-"         # Listing metrics/alarms

  # Read-only Secrets Manager operations
  secretsmanager:
    - "aws secretsmanager list-"     # Listing secrets (metadata only)
    - "aws secretsmanager describe-" # Reading metadata about secrets

  # Read-only KMS operations
  kms:
    - "aws kms describe-"            # Reading key details
    - "aws kms get-"                 # Getting key settings
    - "aws kms list-"                # Listing keys and aliases

  # Read-only S3 operations
  s3:
    - "aws s3 ls"                    # Listing buckets/objects
    - "aws s3api get-"               # Getting bucket settings/objects
    - "aws s3api list-"              # Listing buckets/objects
    - "aws s3api head-"              # Getting object metadata

  # Read-only EC2 network operations
  ec2:
    - "aws ec2 describe-"            # Reading network configurations
    - "aws ec2 get-"                 # Getting network settings

# ---------------------------------------------------------------------------------
# 🔎 Regex Pattern Rules
# ---------------------------------------------------------------------------------
# These complex patterns detect security risks that can't be caught with simple
# command prefix matching. They use regular expressions to identify risky
# command patterns that could compromise security.
# ---------------------------------------------------------------------------------

# Complex pattern matching using regular expressions
regex_rules:
  # Global security patterns (apply to all services)
  general:
    # Identity and authentication risks
    - pattern: "aws .* --profile\\s+(root|admin|administrator)"
      description: "Prevent use of sensitive profiles"
      error_message: "Using sensitive profiles (root, admin) is restricted for security reasons."

    # Protocol security risks
    - pattern: "aws .* --no-verify-ssl"
      description: "Prevent disabling SSL verification"
      error_message: "Disabling SSL verification is not allowed for security reasons."

    # Data exposure risks
    - pattern: "aws .* --output\\s+text\\s+.*--query\\s+.*Password"
      description: "Prevent password exposure in text output"
      error_message: "Outputting sensitive data like passwords in text format is restricted."

    # Debug mode risks
    - pattern: "aws .* --debug"
      description: "Prevent debug mode which shows sensitive info"
      error_message: "Debug mode is restricted as it may expose sensitive information."

  # IAM-specific security patterns
  iam:
    # Privileged user creation
    - pattern: "aws iam create-user.*--user-name\\s+(root|admin|administrator|backup|security|finance|billing)"
      description: "Prevent creation of privileged-sounding users"
      error_message: "Creating users with sensitive names is restricted for security reasons."

    # Privilege escalation via policies
    - pattern: "aws iam attach-user-policy.*--policy-arn\\s+.*Administrator"
      description: "Prevent attaching Administrator policies"
      error_message: "Attaching Administrator policies is restricted for security reasons."

    - pattern: "aws iam attach-user-policy.*--policy-arn\\s+.*FullAccess"
      description: "Prevent attaching FullAccess policies to users"
      error_message: "Attaching FullAccess policies directly to users is restricted (use roles instead)."

    # Unrestricted permissions in policies
    - pattern: "aws iam create-policy.*\"Effect\":\\s*\"Allow\".*\"Action\":\\s*\"\\*\".*\"Resource\":\\s*\"\\*\""
      description: "Prevent creation of policies with * permissions"
      error_message: "Creating policies with unrestricted (*) permissions is not allowed."

    # Password policy weakening
    - pattern: "aws iam create-login-profile.*--password-reset-required\\s+false"
      description: "Enforce password reset for new profiles"
      error_message: "Creating login profiles without requiring password reset is restricted."

    - pattern: "aws iam update-account-password-policy.*--require-uppercase-characters\\s+false"
      description: "Prevent weakening password policies"
      error_message: "Weakening account password policies is restricted."

  # S3 security patterns
  s3:
    # Public bucket exposure
    - pattern: "aws s3api put-bucket-policy.*\"Effect\":\\s*\"Allow\".*\"Principal\":\\s*\"\\*\""
      description: "Prevent public bucket policies"
      error_message: "Creating public bucket policies is restricted for security reasons."

    # Disabling public access blocks
    - pattern: "aws s3api put-public-access-block.*--public-access-block-configuration\\s+.*\"BlockPublicAcls\":\\s*false"
      description: "Prevent disabling public access blocks"
      error_message: "Disabling S3 public access blocks is restricted for security reasons."

    # Public bucket creation outside approved regions
    - pattern: "aws s3api create-bucket.*--region\\s+(?!eu|us-east-1).*--acl\\s+public"
      description: "Prevent public buckets outside of allowed regions"
      error_message: "Creating public buckets outside allowed regions is restricted."

  # EC2 network security patterns
  ec2:
    # Open security groups for sensitive ports
    # The \\b anchors the exemption to exactly 80 and 443, so ports that merely
    # start with those digits (8080, 4430) are still treated as non-web ports.
    - pattern: "aws ec2 authorize-security-group-ingress.*--cidr\\s+0\\.0\\.0\\.0/0.*--port\\s+(?!(?:80|443)\\b)[0-9]+"
      description: "Prevent open security groups for non-web ports"
      error_message: "Opening non-web ports to the entire internet (0.0.0.0/0) is restricted."

    # Unsafe user-data scripts
    - pattern: "aws ec2 run-instances.*--user-data\\s+.*curl.*\\|.*sh"
      description: "Detect potentially unsafe user-data scripts"
      error_message: "Running scripts from remote sources in user-data presents security risks."

  # CloudTrail integrity patterns
  cloudtrail:
    # Disabling global event logging
    - pattern: "aws cloudtrail update-trail.*--no-include-global-service-events"
      description: "Prevent disabling global event logging"
      error_message: "Disabling CloudTrail logging for global service events is restricted."

    # Making trails single-region
    - pattern: "aws cloudtrail update-trail.*--no-multi-region"
      description: "Prevent making trails single-region"
      error_message: "Changing CloudTrail trails from multi-region to single-region is restricted."
```
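The evaluation order described in the header comments of the configuration above, as an added Python example (not the AWS MCP Server's own code). The rule tables are a constructed subset of the file, and the matching semantics are assumptions: dangerous and per-service safe patterns are treated as command prefixes, general safe flags as whole tokens, and regex rules are applied with `re.search`.

```python
import re

# Constructed subset of the rules in the YAML above; not the full file.
DANGEROUS = {
    "iam": ["aws iam create-user", "aws iam attach-user-policy"],
    "cloudtrail": ["aws cloudtrail stop-logging"],
}
SAFE = {
    "general": ["--help", "--dry-run"],
    "iam": ["aws iam get-", "aws iam list-"],
}
REGEX = {
    "general": [(r"aws .* --debug", "Debug mode is restricted.")],
    "iam": [(r"aws iam create-user.*--user-name\s+(root|admin|administrator)",
             "Creating users with sensitive names is restricted.")],
}


def evaluate(command, mode="strict"):
    """Return (allowed, findings) for one AWS CLI command line."""
    cmd = " ".join(command.split())          # canonical spacing for prefix checks
    tokens = cmd.split(" ")
    service = tokens[1] if len(tokens) > 1 else ""
    findings = []

    # Layers 1 and 2: a dangerous prefix blocks unless a safe pattern applies.
    # Assumption: service patterns are prefixes, general flags are whole tokens.
    hit = next((p for p in DANGEROUS.get(service, []) if cmd.startswith(p)), None)
    if hit:
        safe = (any(cmd.startswith(p) for p in SAFE.get(service, []))
                or any(flag in tokens for flag in SAFE["general"]))
        if not safe:
            findings.append(f"dangerous command: {hit}")

    # Layer 3: regex rules always run and cannot be overridden by safe patterns.
    for pattern, message in REGEX["general"] + REGEX.get(service, []):
        if re.search(pattern, cmd):
            findings.append(message)

    # strict blocks on any finding; permissive reports findings but allows.
    allowed = not findings or mode == "permissive"
    return allowed, findings


if __name__ == "__main__":
    for sample in ["aws iam create-user --help",
                   "aws iam create-user --user-name admin --dry-run",
                   "aws cloudtrail stop-logging --name t1"]:
        print(sample, "->", evaluate(sample))
```

The second sample shows why the regex layer runs last: `--dry-run` satisfies the safe-pattern override, yet the command is still rejected by the sensitive user-name rule.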
