SOC 2 for MCP servers: securing tool access without losing the audit trail (on AWS)

How can you prove to a SOC 2 auditor that your MCP servers are both secure and fully auditable?

Many organizations run MCP (Model‑Control‑Process) servers as internal tools that automate deployment pipelines, data processing, or configuration management. In practice, engineers often grant themselves permanent credentials, embed service‑account keys in scripts, or allow any authenticated user to invoke the server without any visibility into what commands were run. The result is a sprawling surface of standing access where a single compromised token can issue destructive actions, and the audit team is left with vague cloud‑provider logs that do not show the exact request payloads or the human decision that authorized them.

Even when an organization adopts least‑privilege identities, the request still travels directly to the MCP endpoint. The identity provider verifies the token, but once the request leaves the IdP there is no checkpoint that can enforce policy, record the exact query, or mask sensitive fields before they reach the server. The auditor therefore sees a gap: the control matrix shows “access is limited to service accounts,” yet the evidence does not demonstrate that each invocation was reviewed, logged, or protected against data leakage.

Why the data path matters for SOC 2 evidence

SOC 2 requires that an organization can produce concrete artifacts for the following criteria:

• Logical access controls that restrict who can invoke the tool.
• Complete, immutable logs of every request, including user identity, timestamp, and request payload.
• Evidence that sensitive response data is protected, either by masking or by redaction, before it is stored or displayed.
• Just‑in‑time (JIT) approval workflows that demonstrate a human decision for high‑risk operations.

These artifacts must be generated at the point where the request is made, not after it reaches the MCP server. If the enforcement layer lives only in the identity provider (the Setup stage), the auditor cannot verify that the request was examined or altered before execution. The missing link is a gateway that sits in the data path and applies the required controls.

Introducing hoop.dev as the enforcement layer

hoop.dev is an open‑source Layer 7 gateway that proxies every connection to MCP servers. It sits between the authenticated identity and the target service, inspecting the wire‑protocol payloads in real time. Because hoop.dev is the sole conduit, it can enforce three core SOC 2 outcomes:

• Session recording. hoop.dev records each request and response, attaching the user’s OIDC claims and a precise timestamp. Because the recording is performed by the gateway, it provides an auditable trail independent of the MCP server.
• Inline data masking. Sensitive fields, such as API keys, passwords, or personal identifiers, are redacted before the response is handed to the client or persisted in logs.
• Just‑in‑time approval. For operations flagged as high‑risk, hoop.dev routes the request to an approval workflow, requiring a designated reviewer to approve or deny before the command reaches the MCP server.

All of these actions are performed by hoop.dev, not by the MCP server itself. The gateway’s policy engine runs in a separate process, guaranteeing that the enforcement outcomes exist only because hoop.dev is present in the data path.

How hoop.dev satisfies each SOC 2 trust service principle

Security – logical access. The gateway validates OIDC tokens, extracts group membership, and matches it against a policy that defines which users may invoke which MCP endpoints. Because the check occurs at the gateway, any attempt to bypass the policy by calling the server directly is blocked.

Availability – controlled execution. JIT approvals prevent accidental or malicious execution of destructive commands. The approval step adds a human checkpoint without introducing downtime, because the request simply waits in the gateway queue until an approver signs off.

Processing integrity – audit trails. Session logs capture the full request/response cycle, preserving the exact command that was run, the user who issued it, and the outcome. The logs can be exported to a SIEM or retained for the audit period required by SOC 2.

Confidentiality – data masking. Inline masking ensures that any sensitive data returned by the MCP server never appears in clear text in downstream systems, satisfying the confidentiality criterion without requiring changes to the server code.

Privacy – evidence of consent. The approval workflow records who approved a request and when, providing the consent evidence that privacy auditors look for when personal data is processed.

Putting the pieces together: setup, data path, and outcomes

The overall architecture follows three distinct layers:

1. Setup. Identity providers (Okta, Azure AD, Google Workspace) issue OIDC tokens. Service accounts are provisioned with the minimal set of permissions needed to reach the gateway.
2. The data path. hoop.dev receives the request, validates the token, applies policy, and forwards the request to the MCP server only after all checks pass.
3. Enforcement outcomes. hoop.dev records the session, masks sensitive fields, and logs the approval decision. These artifacts are the exact evidence an auditor expects for SOC 2 compliance.

Without the gateway, the Setup stage alone cannot produce the required logs or masking. The presence of hoop.dev in the data path is the decisive factor that turns a loosely governed tool into a SOC 2‑ready service.

Getting started quickly

To try this approach, follow the getting‑started guide to deploy the gateway alongside your MCP servers. The documentation on the learn site explains how to define policies, configure JIT approvals, and enable inline masking. All configuration is expressed as declarative resources, so you can version‑control the policy set alongside your infrastructure code.

Because hoop.dev is open source, you can review the implementation, contribute improvements, or extend the policy engine to match your organization’s specific SOC 2 controls.

Call to action

Explore the source code, submit issues, or contribute new features on GitHub.

FAQ

Does hoop.dev replace the need for IAM policies on the MCP server?

No. IAM policies still define the baseline permissions for the gateway’s service account. hoop.dev adds an additional enforcement layer that records, masks, and approves each request before it reaches the server.

Can I use hoop.dev with existing monitoring tools?

Yes. Session logs and approval records can be streamed to a SIEM, log‑aggregation service, or other storage for long‑term retention, allowing you to integrate with your existing audit pipeline.

Is the masking performed on the client side?

Masking is applied by hoop.dev in the data path, before the response is sent back to the client. This guarantees that no clear‑text sensitive data leaves the gateway.