AgentReady · Agent Listing

aws-s3-connector-mcp — agentic threat model

AIVSS 9.1 · Critical

This agent acts as a direct bridge between LLMs and AWS S3, presenting high risk due to its write/upload capabilities and reliance on external AWS IAM configurations to prevent unauthorized data exfiltration or destruction via prompt injection.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 8.6
AARS uplift: 0.53
Factor sum: 3.6 / 10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×1.0

Agentic risk factors:
Autonomy of Action: 0.60
Goal-Driven Planning: 0.30
Self-Modification: 0.00
Dynamic Tool Use: 0.80
Persistent Memory: 0.10
Contextual Awareness: 0.40
Dynamic Identity: 0.50
Multi-Agent Interactions: 0.20
Non-Determinism: 0.40
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
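To make the rationale reproducible, here is an added example (not code from the listing or from the connector project) that recomputes the score from the published factor values using the formula exactly as stated above; the Critical/High/Medium/Low bands are an assumption, since the page does not define its thresholds.

```python
# Added example, not part of the listing: recompute the AIVSS score shown
# above from the published factor values, with the formula as the page states it.
# Severity bands (Critical >= 9.0, etc.) are assumed; the page does not define them.

CVSS_BASE = 8.6           # CVSS base score from the listing
THREAT_MULTIPLIER = 1.05  # ThM from the listing
MITIGATION_FACTOR = 1.0   # Mitigation_Factor from the listing (no mitigation credited)

# The ten agentic risk factors as listed on the page (each expected in [0, 1]).
AGENTIC_FACTORS = {
    "Autonomy of Action": 0.60,
    "Goal-Driven Planning": 0.30,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.10,
    "Contextual Awareness": 0.40,
    "Dynamic Identity": 0.50,
    "Multi-Agent Interactions": 0.20,
    "Non-Determinism": 0.40,
    "Opacity & Reflexivity": 0.30,
}


def factor_sum(factors):
    """Sum of the ten factor values; rejects any factor outside [0, 1]."""
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} out of range: {value}")
    return sum(factors.values())


def aars(cvss_base, factors, threat_multiplier):
    """Agentic uplift: (10 - CVSS_Base) * (Factor_Sum / 10) * ThM."""
    # The (10 - CVSS_Base) term bounds the uplift by the headroom left below 10.
    return (10 - cvss_base) * (factor_sum(factors) / 10) * threat_multiplier


def aivss(cvss_base, factors, threat_multiplier, mitigation_factor):
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor, rounded to one decimal."""
    uplift = aars(cvss_base, factors, threat_multiplier)
    return round((cvss_base + uplift) * mitigation_factor, 1)


def severity(score):
    """Qualitative band; thresholds are assumed (CVSS-style), not taken from the page."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    return "Medium" if score >= 4.0 else "Low"
```

Running `aivss(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER, MITIGATION_FACTOR)` reproduces the 9.1 shown in the header, and lowering `MITIGATION_FACTOR` shows how much credited mitigation would be needed to move the agent out of the Critical band.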

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary because the public description does not pin down that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — the connector is model-agnostic and relies on the host MCP client's LLM. The primary threat is that the underlying model is susceptible to prompt injection, which could be weaponized to abuse the S3 read/write tools.

L2 · Data Operations (✓ mapped)

Directly handles S3 object data across multiple formats. Threats include data exfiltration of sensitive bucket contents via read operations, and data poisoning or malicious file uploads via write operations.

L3 · Agent Frameworks (✓ mapped)

Exposes powerful S3 tools (list, read, upload) to the MCP framework. Insecure tool integration or lack of input validation on bucket names and object keys could allow path traversal or arbitrary bucket access.

L4 · Deployment & Infrastructure (✓ mapped)

Requires AWS credentials to operate. If the hosting environment or MCP client is compromised, these credentials (which have write scope) could be leaked, leading to broader cloud infrastructure compromise.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — there is no mention of built-in logging, audit trails for S3 transactions, or guardrails to detect and block anomalous data transfer volumes or unauthorized file types.

L6 · Security & Compliance, cross-cutting (✓ mapped)

Relies entirely on external AWS IAM policies for authorization. If over-broad IAM permissions are granted, the agent inherits them, creating a compliance gap regarding the principle of least privilege.

L7 · Agent Ecosystem (✓ mapped)

As an MCP tool, it can be orchestrated by other agents. A compromised or malicious orchestrator agent could abuse this connector to exfiltrate enterprise data to public buckets.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).