Secure AI agent access patterns to AWS resources using Model Context Protocol

This article presents three security principles for securing AI agent access to AWS resources through the Model Context Protocol (MCP), addressing the unique challenges of non-deterministic AI systems.

• Assume all granted permissions could be used by agents operating at machine speed without human judgment
• Design permissions based on acceptable scope of impact, not intended functionality alone
• Provide organizational guidance through role governance, session policies, permission boundaries, and SCPs
• Differentiate AI-driven from human-initiated actions using context keys or session tags
• AWS-managed MCP servers automatically inject context keys for differentiation without configuration
• Self-managed MCP servers require modifying code to add session tags for differentiation
• Implement session policies for code-controlled agents to scope permissions per tool invocation
• Use permission boundaries and SCPs for config-bound agents to enforce maximum permissions
• Monitor CloudTrail logs to audit agent activity and detect unauthorized operations
• Restrict general-purpose tools like bash to prevent agents from bypassing MCP servers

Organizations should implement these three principles in sequence: establish least privilege permissions, enforce organizational controls through role governance, then add differentiation mechanisms based on MCP server type.