
mcpflow/aarora79_aws-cost-explorer-mcp-server

high

Mirror of https://github.com/aarora79/aws-cost-explorer-mcp-server

MCP server (purpose undetermined)

purpose: MCP server (purpose undetermined)
threat: network exposed
0 | May 20, 2026 | May 20, 2026 | GITHUB
5/20/2026
high: 1 finding
server.py
69    client = boto3.client("logs", region_name=params.region)
server.py:69

// Network-exposed MCP server; attacker can invoke tools to make AWS API calls using the server's IAM credentials.

The server creates boto3 clients without explicit credential configuration, relying on the default credential chain. When exposed over the network, an attacker could trigger AWS API calls that use the host's IAM credentials, potentially leading to unauthorized access or cost exposure.

Impact: An attacker could invoke tools that make AWS API calls, potentially incurring costs or accessing sensitive data if the IAM role has broad permissions.

Fix: Restrict the IAM role permissions to only the necessary actions (e.g., logs:FilterLogEvents, ce:GetCostAndUsage) and consider using scoped credentials or STS temporary credentials.

medium: 1 finding
server.py
43    log_group_name: str = Field(
44        description="Bedrock Log Group Name",
45        default=os.environ.get('BEDROCK_LOG_GROUP_NAME', 'BedrockModelInvocationLogGroup')
46    )
server.py:43, server.py:86

// Network-exposed MCP server; attacker can specify any log group name to read logs from.

The BedrockLogsParams model accepts a log_group_name parameter that is used directly in the filter_log_events API call without validation. An attacker could specify any log group name, potentially accessing CloudWatch logs from other services or applications if the IAM role has permissions.

Impact: An attacker could read arbitrary CloudWatch log groups that the IAM role has access to, leading to information disclosure.

Fix: Validate the log_group_name against an allowlist of permitted log groups, or remove the parameter and use a fixed value.

medium: 1 finding
server.py
100                    # Get user prompt from the input messages
101                    prompt = ""
102                    if (
103                        message.get("input", {})
104                        .get("inputBodyJson", {})
105                        .get("messages")
106                    ):
107                        for msg in message["input"]["inputBodyJson"]["messages"]:
108                            if msg.get("role") == "user" and msg.get("content"):
109                                for content in msg["content"]:
110                                    if content.get("text"):
111                                        prompt += content["text"] + " "
112                        prompt = prompt.strip()
server.py:100

// Network-exposed MCP server; attacker could invoke the Bedrock logs tool to retrieve logs containing user prompts.

The get_bedrock_logs function extracts user prompts from Bedrock invocation logs. Although the prompt variable is not returned in the final output, the code parses and processes it, indicating that sensitive user input is accessible. If the tool's output were to include this data (e.g., via future changes or misconfiguration), it could leak sensitive information.

Impact: Potential leakage of user prompts sent to Bedrock models, which may contain sensitive or proprietary information.

Fix: Remove the prompt extraction code entirely if not needed, or ensure it is never included in any output. Consider filtering out sensitive fields before processing.

shell.exec, aws.integration, env.exposure
55
LLM-based
high findings: +25
medium findings: +30