MCP server for AWS S3 — list buckets, browse objects, upload/download, presigned URLs
by ofershapTypeScript
Last 12 weeks · 0 commits
2 of 6 standards met
I have analyzed the implementation of the S3 MCP server and found that it lacks any validation of the bucket names provided by the user. Vulnerability: In functions like , , , and , the parameter is taken directly from the tool input and passed to the AWS SDK without any checks. Example from : async function getObject(bucket: string, key: string) { const client = createClient(); const result = await client.send( new GetObjectCommand({ Bucket: bucket, Key: key }), ); // ... } If the MCP server is running with an IAM role that has access to multiple S3 buckets (or broadly to s3:*), any user of the MCP server can access, modify, or delete data in any of those buckets, even if they were not intended to be exposed via this server. Attack Scenario: 1. An attacker calls to discover all available buckets in the account. 2. The attacker identifies a sensitive bucket (e.g., 'company-private-backups'). 3. The attacker uses and to exfiltrate sensitive data from that bucket. Recommendation: Implement a whitelist of allowed buckets in the server configuration. Verify that the requested bucket is in the allowlist before executing any AWS SDK command. Ensure the server's IAM role follows the principle of least privilege, granting access only to the specifically required buckets.
I have discovered a critical security vulnerability in the server's implementation of S3 operations. Vulnerability: The server provides tools for listing buckets, listing objects, getting, putting, and deleting objects. However, none of these functions implement any form of authorization or access control. The and parameters are passed directly from the MCP tool arguments to the AWS SDK. PoC: An attacker can: 1. Call to discover all buckets available in the AWS account. 2. Call with any discovered bucket name to explore its contents. 3. Call or on any bucket/key combination. This allows any user of the MCP server to access, modify, or delete any data in any S3 bucket that the server's AWS credentials have access to. Recommendation: Implement a strict access control list (ACL) or a whitelist of allowed buckets and prefixes. Ensure that the server validates whether the current user is authorized to access the requested bucket and key before calling the AWS SDK.
This PR adds a badge for the mcp-server-s3 server listing in Glama MCP server directory. Glama performs regular codebase and documentation checks to: Confirm that the MCP server is working as expected Confirm that there are no obvious security issues Extract server characteristics such as tools, resources, prompts, and required parameters. This badge helps your users to quickly assess that the MCP server is safe, server capabilities, and instructions for installing the server.
Repository: ofershap/mcp-server-s3. Description: MCP server for AWS S3 — list buckets, browse objects, upload/download, presigned URLs Stars: 2, Forks: 1. Primary language: TypeScript. Languages: TypeScript (98.5%), JavaScript (1.5%). License: MIT. Topics: ai, aws, claude, cloud, cursor, llm, mcp, mcp-server, model-context-protocol, s3, storage, typescript. Open PRs: 0, open issues: 2. Last activity: 3mo ago. Community health: 42%. Top contributors: oferlmntr, ofershap.