Securing an LLM-Powered MCP Server for a Million-Company B2B Platform on AWS

In this Q&A, we explore the engineering challenges and solutions behind building a secure Model Context Protocol (MCP) server on AWS that provides an LLM client with access to a B2B intelligence platform containing over one million company profiles. The goal was to allow natural language queries like 'find SaaS companies in Germany with 50-200 employees' while preventing unsafe data access.

1. What was the core engineering challenge when exposing a B2B intelligence platform to an LLM via an MCP server?

The primary challenge was enabling a large language model (LLM) client to query a massive B2B dataset—over one million company profiles—without creating an unsafe bridge between the LLM and production data. A direct connection could allow the LLM to inadvertently expose sensitive information, execute unintended commands, or leak confidential business insights. The team needed to design an MCP server architecture that could translate natural language requests into secure, structured database queries while rejecting any harmful or unauthorized operations before they reach the data store. Additionally, the system had to handle complex queries like “find SaaS companies in Germany with 50-200 employees” and return accurate results in real time without compromising data integrity or violating access controls.

Securing an LLM-Powered MCP Server for a Million-Company B2B Platform on AWS
Source: www.infoq.com

2. How did the team ensure security while allowing natural language queries against production data?

Security was achieved by implementing a multi-layered defense approach. First, the MCP server acts as an intermediary that never exposes raw database schemas or credentials to the LLM. Instead, it uses a predefined set of safe query templates and parameterized inputs, so the model supplies values, never query syntax. Second, all user queries are parsed and validated through an intent classification layer that restricts actions to read-only operations. Third, the server enforces strict role-based access controls (RBAC), encrypts data in transit with TLS, and encrypts data at rest with keys managed by AWS Key Management Service (KMS). Finally, logs are monitored via Amazon CloudWatch to detect anomalies. These measures ensure that even if prompt injection drives the LLM client to emit malicious tool calls, those calls can only select from the templates, and the backend remains isolated and protected.

3. What architecture choices were made to scale the MCP server for a million-company database?

The team chose a serverless architecture on AWS to automatically handle variable loads and reduce operational overhead. AWS Lambda functions execute the core MCP logic, scaling seamlessly with request volume. The company dataset resides in Amazon DynamoDB (or optionally Amazon Aurora for more complex joins) to provide low-latency access. For full-text search capabilities, Amazon OpenSearch Service indexes the company profiles. The LLM client communicates with the MCP server via Amazon API Gateway, which adds an additional security layer with throttling and authorization. This design ensures the system can support thousands of concurrent queries while maintaining sub-second response times.

4. How does the MCP server handle user queries like “find SaaS companies in Germany with 50-200 employees”?

When a user submits such a query through an LLM client, the MCP server first receives the natural language prompt. The server then uses an integrated natural language understanding (NLU) component—often powered by a smaller, specialized LLM—to extract key entities: industry (“SaaS”), location (“Germany”), and company size (“50-200 employees”). These entities are mapped to typed query or search parameters without directly exposing the underlying database; an entity that does not map to a known value is rejected rather than passed through. For instance, “Germany” is matched to its ISO country code, and “50-200 employees” becomes a numeric range filter. The query is executed against the secure data store, and only the matching company names and non-sensitive fields are returned to the LLM for presentation. All results are paginated and rate-limited to prevent bulk scraping of the dataset.
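The following is an added example, not code from the InfoQ project, that puts Q2 and Q4 into one working piece: a read-only MCP tool handler that accepts the extracted entities, normalises them against allow-lists (country name to ISO code, “50-200 employees” to a numeric range), rejects anything unrecognised, caps pagination, and renders a fixed OpenSearch filter template. The index name, allow-list contents, and the `search_companies` tool name are assumptions made for illustration.

```python
"""Added example: a read-only MCP tool that turns extracted entities into a
templated OpenSearch filter. Hypothetical names; not the InfoQ project's code."""
import re
from dataclasses import dataclass

# Constructed allow-lists; a real deployment would load these from config.
COUNTRY_CODES = {"germany": "DE", "france": "FR", "united states": "US"}
INDUSTRIES = {"saas", "fintech", "manufacturing"}
INDEX = "company-profiles"          # hypothetical index name
SAFE_FIELDS = ["name", "industry", "country", "employee_count"]
MAX_PAGE_SIZE = 50                  # hard cap against bulk scraping


class RejectedQuery(ValueError):
    """Raised for anything outside the allow-listed template."""


@dataclass(frozen=True)
class CompanyQuery:
    industry: str
    country: str          # ISO 3166-1 alpha-2
    min_employees: int
    max_employees: int
    page: int = 0
    page_size: int = 20


_RANGE = re.compile(r"^\s*(\d{1,7})\s*-\s*(\d{1,7})\s*(?:employees)?\s*$")


def parse_employee_range(text: str) -> tuple[int, int]:
    """'50-200 employees' -> (50, 200); anything else is rejected."""
    m = _RANGE.match(text)
    if not m:
        raise RejectedQuery(f"unparseable employee range: {text!r}")
    lo, hi = int(m.group(1)), int(m.group(2))
    if lo > hi:
        raise RejectedQuery("employee range lower bound exceeds upper bound")
    return lo, hi


def build_query(industry: str, country: str, employees: str,
                page: int = 0, page_size: int = 20) -> CompanyQuery:
    """Normalise extracted entities; unknown values are rejected, never passed through."""
    ind = industry.strip().lower()
    if ind not in INDUSTRIES:
        raise RejectedQuery(f"industry not in allow-list: {industry!r}")
    code = COUNTRY_CODES.get(country.strip().lower())
    if code is None:
        raise RejectedQuery(f"country not in allow-list: {country!r}")
    lo, hi = parse_employee_range(employees)
    if page < 0 or not (1 <= page_size <= MAX_PAGE_SIZE):
        raise RejectedQuery("pagination out of bounds")
    return CompanyQuery(ind, code, lo, hi, page, page_size)


def to_opensearch(q: CompanyQuery) -> dict:
    """Render the fixed template. Values land in typed filter clauses, never in a query string."""
    return {
        "index": INDEX,
        "body": {
            "_source": SAFE_FIELDS,   # projection: only non-sensitive fields leave the store
            "from": q.page * q.page_size,
            "size": q.page_size,
            "query": {"bool": {"filter": [
                {"term": {"industry": q.industry}},
                {"term": {"country": q.country}},
                {"range": {"employee_count": {"gte": q.min_employees, "lte": q.max_employees}}},
            ]}},
        },
    }


def search_companies(industry: str, country: str, employees: str, **paging) -> dict:
    """MCP tool handler (hypothetical): the only entry point the LLM client can call."""
    return to_opensearch(build_query(industry, country, employees, **paging))


if __name__ == "__main__":
    import json
    print(json.dumps(search_companies("SaaS", "Germany", "50-200 employees"), indent=2))
```

Because the only free-text inputs are matched against closed vocabularies or a strict numeric pattern, an injected string such as `Germany' OR 1=1 --` never reaches the search engine; it fails the allow-list check and is logged as a rejected call rather than sanitised.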


5. What role does AWS play in the security of the MCP server?

AWS provides foundational security services that are integral to the solution. AWS Identity and Access Management (IAM) defines fine-grained permissions for each service component, ensuring that the MCP Lambda function's execution role can only read the specific DynamoDB table or OpenSearch index it needs, with no write or schema-changing actions. AWS KMS manages the keys used to encrypt data at rest, while Amazon VPC places the backend resources on private subnets with no public endpoints. AWS WAF in front of API Gateway filters common attack patterns like SQL injection or cross-site scripting. Additionally, Amazon GuardDuty monitors for suspicious activity, and AWS CloudTrail logs all API calls for auditability. These services collectively create a defense-in-depth security posture that meets enterprise compliance requirements.
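As an added illustration of the least-privilege point above (not the project's actual policy), the following places an over-broad execution-role policy beside a scoped, read-only one and runs a small lint over both. The account ID, region, table, domain, key and log-group ARNs are placeholders, and the read-only action allow-list is an assumption about what this particular Lambda needs.

```python
"""Added example (hypothetical ARNs, not the project's policy): a least-privilege
execution-role policy for the MCP Lambda beside an over-broad one, with a lint
that flags the patterns a security reviewer would reject."""

# Placeholder ARNs; replace with the real resources in a deployment.
TABLE_ARN = "arn:aws:dynamodb:eu-central-1:123456789012:table/company-profiles"
DOMAIN_ARN = "arn:aws:es:eu-central-1:123456789012:domain/company-search"
KEY_ARN = "arn:aws:kms:eu-central-1:123456789012:key/11111111-2222-3333-4444-555555555555"
LOG_ARN = "arn:aws:logs:eu-central-1:123456789012:log-group:/aws/lambda/mcp-server:*"

# What this Lambda legitimately needs: reads, one decrypt, and its own logs (assumption).
ALLOWED_ACTIONS = {
    "dynamodb:GetItem", "dynamodb:Query",
    "es:ESHttpGet",                      # GET .../_search; no PUT/DELETE on the domain
    "kms:Decrypt",                       # only if the function decrypts material itself
    "logs:CreateLogStream", "logs:PutLogEvents",
}

# The weak setting: service-wide wildcards on every resource.
OVER_BROAD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["dynamodb:*", "es:*"], "Resource": "*"},
    ],
}

# The corrected setting: named actions, each scoped to one ARN.
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadCompanyTable", "Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:Query"],
         "Resource": [TABLE_ARN, TABLE_ARN + "/index/*"]},
        {"Sid": "SearchOnly", "Effect": "Allow",
         "Action": ["es:ESHttpGet"],
         "Resource": DOMAIN_ARN + "/company-profiles/_search"},
        {"Sid": "DecryptWithOneKey", "Effect": "Allow",
         "Action": ["kms:Decrypt"], "Resource": KEY_ARN},
        {"Sid": "OwnLogs", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": LOG_ARN},
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list[str]:
    """Return one finding per wildcard action, unscoped resource, or non-read action."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue                      # Deny statements only narrow; not linted here
        sid = stmt.get("Sid", f"statement[{i}]")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}")
            elif action not in ALLOWED_ACTIONS:
                findings.append(f"{sid}: action {action!r} is not on the read-only allow-list")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"{sid}: resource '*' is not scoped to a specific ARN")
    return findings


if __name__ == "__main__":
    for name, pol in (("OVER_BROAD", OVER_BROAD), ("LEAST_PRIVILEGE", LEAST_PRIVILEGE)):
        print(name, lint_policy(pol) or "OK")
```

Run as a pre-deploy check, the lint turns the "minimal required privileges" statement into something enforced in CI: a change that adds `dynamodb:PutItem` or widens a resource to `*` fails before the role is updated.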

6. How does the system prevent data leaks or injection attacks?

To prevent data leaks, the MCP server enforces a strict output filter that only returns predefined fields (e.g., company name, industry, employee count) and strips any identifiers that could be used for reidentification. Injection attacks are mitigated by using parameterized queries instead of string concatenation, ensuring user input is bound as a value and never executed as query syntax. As a secondary layer, prompts from the LLM client are sanitized to remove escape characters and special syntax, though parameterization, not sanitization, is what the defense relies on. Additionally, the server uses an allow-list of permitted query patterns—any deviation triggers an automatic rejection and logs the event for review. This layered approach ensures that even if the LLM generates unexpected output, the database remains secure.
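The following added example (not the project's code) shows the three controls from this answer side by side on a constructed in-memory SQLite table: the injection-prone string-concatenated query next to its parameterized form, a read-only guard on the connection so that a mutating statement is refused even if one were constructed, and a field allow-list applied to every row before it goes back to the LLM client. The table layout, sample rows and the `contact_email`/`revenue` columns are made up for the demonstration.

```python
"""Added example (not the project's code): the injection-prone query beside its
parameterized form, a read-only authorizer on the connection, and a field
allow-list applied to every row before it is handed back to the LLM client."""
import sqlite3

ALLOWED_FIELDS = ("name", "industry", "country", "employee_count")

# Constructed sample data standing in for the company store; emails and revenue
# are the kind of columns the output filter must never return.
_ROWS = [
    ("Alpha SaaS GmbH", "saas", "DE", 120, "ceo@alpha.example", 14_000_000),
    ("Beta Fintech SAS", "fintech", "FR", 80, "cfo@beta.example", 9_500_000),
    ("Gamma Cloud Inc", "saas", "US", 400, "ops@gamma.example", 52_000_000),
]


def _read_only_authorizer(action, arg1, arg2, db_name, trigger):
    """Allow SELECT/READ/FUNCTION; deny every statement that could write or alter schema."""
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def open_store() -> sqlite3.Connection:
    """Seed the table, then switch the connection to read-only for the rest of its life."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(
        "CREATE TABLE companies (name TEXT, industry TEXT, country TEXT, "
        "employee_count INTEGER, contact_email TEXT, revenue INTEGER)"
    )
    conn.executemany("INSERT INTO companies VALUES (?,?,?,?,?,?)", _ROWS)
    conn.commit()
    conn.set_authorizer(_read_only_authorizer)  # from here on, only reads succeed
    return conn


def vulnerable_search(conn, country: str) -> list:
    # DELIBERATELY VULNERABLE: concatenation lets LLM-derived text become SQL syntax.
    sql = f"SELECT * FROM companies WHERE country = '{country}'"
    return conn.execute(sql).fetchall()


def safe_search(conn, country: str) -> list:
    # Parameterized: the driver binds the value; it can never be parsed as SQL.
    return conn.execute("SELECT * FROM companies WHERE country = ?", (country,)).fetchall()


def filter_output(rows) -> list[dict]:
    """Project each row onto the allow-listed fields; contact_email and revenue never leave."""
    return [{k: row[k] for k in ALLOWED_FIELDS} for row in rows]


def write_is_blocked(conn) -> bool:
    """True when the read-only authorizer refuses a mutation at prepare time."""
    try:
        conn.execute("DELETE FROM companies")
    except sqlite3.DatabaseError:       # SQLITE_AUTH surfaces as DatabaseError
        return True
    return False


if __name__ == "__main__":
    db = open_store()
    payload = "DE' OR '1'='1"           # constructed injection string
    print(len(vulnerable_search(db, payload)), "rows leak via concatenation")
    print(len(safe_search(db, payload)), "rows via parameter binding")
    print(filter_output(safe_search(db, "DE")))
    print("writes blocked:", write_is_blocked(db))
```

With the payload `DE' OR '1'='1`, the concatenated query returns every row in the table while the bound query returns none, because no company's country literally equals that string. The authorizer is the SQLite analogue of the read-only role the answer describes; on DynamoDB or Aurora the same property comes from the IAM role and database grants rather than from the driver.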

7. What lessons were learned from building this secure MCP server for a large B2B platform?

Key lessons include the importance of early testing with real-world queries to identify edge cases in natural language understanding, and the need for comprehensive monitoring to spot unusual patterns that may indicate a security breach. The team also learned that strict output filtering can sometimes limit the usefulness of results, so a feedback loop with users helped refine which data fields are safe to expose. Finally, using AWS managed services reduced the operational burden but required careful configuration of IAM roles and network policies. The success of this project demonstrates that with proper design, it's possible to provide powerful LLM-driven access to large databases without compromising security.
