Bug: 'str' object has no attribute 'get' in CheckSecurityServices and GetSecurityFindings #2237
Description
Description
When using the well-architected-security-mcp-server, certain tool calls fail with the error:
Error: 'str' object has no attribute 'get'
This error occurs when parsing AWS API responses, suggesting the code expects a dictionary but receives a string.
Affected Tools
| Tool | Parameters | Result |
|---|---|---|
CheckSecurityServices |
region=eu-west-1, services=[guardduty, securityhub, inspector, accessanalyzer, trustedadvisor, macie] |
❌ Error |
CheckSecurityServices |
region=eu-west-1 (defaults) |
❌ Error |
GetSecurityFindings |
service=inspector, region=eu-west-1 |
❌ Error |
GetSecurityFindings |
service=accessanalyzer, region=eu-west-1 |
❌ Error |
Environment
- AWS Region: eu-west-1
- AWS Account: XXXXXXXXXXXX
- MCP Server: well-architected-security-mcp-server
- Date: 2026-01-23
Steps to Reproduce
- Configure the well-architected-security-mcp-server with valid AWS credentials
- Call
CheckSecurityServiceswith regioneu-west-1 - Call
GetSecurityFindingsforinspectororaccessanalyzerservices
Expected Behavior
The tools should return security service status and findings without errors.
Actual Behavior
Tools return error: 'str' object has no attribute 'get'
Root Cause Hypothesis
The error 'str' object has no attribute 'get' typically occurs when:
- An AWS API response returns an unexpected format (string instead of dict)
- JSON parsing issues where a value is already a string
- Code attempts
.get()on a value that is a string rather than a dictionary
Additional Context
Despite these errors, the job completed successfully because the agent retried with different approaches and was able to generate the security audit report. However, these silent failures reduce the quality of the security assessment.
Reported via automated analysis of job execution logs