AWS MCP Server
Connect AI agents to AWS — query and operate cloud resources across 15,000+ AWS API operations.
What is AWS MCP?
The AWS MCP server is a Model Context Protocol server, hosted and managed by Amazon Web Services, that gives AI agents and coding assistants secure access to query AWS documentation and operate live cloud resources across AWS services.
It is a managed remote server reached at https://aws-mcp.us-east-1.api.aws/mcp (with a Frankfurt endpoint, https://aws-mcp.eu-central-1.api.aws/mcp, also available). The endpoint itself requires no separate API key or signup — instead, requests are authenticated with your existing AWS IAM credentials. Because MCP clients speak OAuth while AWS uses SigV4, you connect through the open-source MCP Proxy for AWS, which signs each request with your IAM identity. This means the agent's permissions are exactly your IAM permissions, and you can constrain them further with IAM condition keys.
Beyond read-only documentation lookups, the server can execute real operations: the call_aws tool runs any of the 15,000+ AWS API operations, while run_script executes Python in a sandboxed environment for multi-step, cross-service workflows. It works with Claude Code, Cursor, Kiro, Claude Desktop, and any MCP-compatible client.
Tools the AWS MCP server exposes
| Tool | What it does |
|---|---|
| call_aws | Execute authenticated AWS API calls with syntax validation and error handling — supports most of the 15,000+ AWS APIs. |
| run_script | Run Python in a sandboxed environment with AWS API access for parallel calls, multi-step, and cross-service workflows. |
| get_presigned_url | Generate pre-signed Amazon S3 URLs for uploading or downloading files. |
| get_tasks | Poll the status of long-running tasks started by call_aws or run_script. |
| search_documentation | Search across all AWS documentation, including API references, best practices, service guides, and skills. |
| read_documentation | Retrieve and convert AWS documentation pages to markdown for easy consumption by AI assistants. |
| recommend | Get content recommendations for AWS documentation pages based on related and commonly viewed topics. |
| retrieve_skill | Retrieve domain-specific AWS expertise — workflows, best practices, decision frameworks, and step-by-step procedures. |
| list_regions | Retrieve a list of all AWS regions, including their identifiers and names. |
| get_regional_availability | Check AWS regional availability for services, features, SDK APIs, and CloudFormation resources. |
Connect the AWS MCP server
Claude Code
1. Install prerequisites. Install the AWS CLI (v2.32.0+) and uv. uvx runs the MCP Proxy for AWS that signs requests with SigV4.
2. Sign in to AWS. Run `aws login`, then verify with `aws sts get-caller-identity`. Your IAM credentials authorize every agent action.
3. Add the server. Run: `claude mcp add aws-mcp -- uvx mcp-proxy-for-aws==1.6.2 https://aws-mcp.us-east-1.api.aws/mcp --metadata AWS_REGION=us-east-1`
4. Verify. Restart Claude Code and run `/mcp`. Ask "What AWS regions are available?" to confirm the tools loaded.
Cursor
1. Install prerequisites. Install the AWS CLI (v2.32.0+) and uv, then run `aws login` to obtain IAM credentials.
2. Edit MCP config. In Cursor's mcp.json add an aws-mcp server with command "uvx" and args ["mcp-proxy-for-aws==1.6.2", "https://aws-mcp.us-east-1.api.aws/mcp", "--metadata", "AWS_REGION=us-east-1"].
3. Reload and verify. Reload Cursor, confirm aws-mcp shows tools like aws___call_aws and aws___search_documentation, then prompt the agent to query AWS.
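Because the proxy signs every request with your IAM identity, the package version and endpoint in the client config are worth checking before first use. The following is an added example, not code from AWS or from this page: it audits an mcp.json entry against the values given above. The function name is hypothetical, and the top-level `mcpServers` key is an assumption about the file layout.

```python
import json

# Endpoints named on this page; anything else is flagged for review.
KNOWN_ENDPOINTS = {
    "https://aws-mcp.us-east-1.api.aws/mcp",
    "https://aws-mcp.eu-central-1.api.aws/mcp",
}
PROXY_PACKAGE = "mcp-proxy-for-aws"

def audit_aws_mcp_entry(config_text, server_name="aws-mcp"):
    """Return a list of findings for one server entry in an mcp.json document."""
    findings = []
    servers = json.loads(config_text).get("mcpServers", {})  # assumed layout
    entry = servers.get(server_name)
    if entry is None:
        return [f"no '{server_name}' entry found"]
    args = entry.get("args", [])
    if entry.get("command") != "uvx":
        findings.append("command is not uvx")
    # The first argument is the package spec that uvx resolves and runs.
    spec = args[0] if args else ""
    name, sep, version = spec.partition("==")
    if name != PROXY_PACKAGE:
        findings.append(f"unexpected package: {spec!r}")
    elif not sep or not version:
        findings.append("proxy version is not pinned with ==")
    urls = [a for a in args if "://" in a]
    if len(urls) != 1:
        findings.append(f"expected exactly one endpoint URL, found {len(urls)}")
    for url in urls:
        if url not in KNOWN_ENDPOINTS:
            findings.append(f"endpoint not in allowlist: {url}")
    # Each --metadata flag is followed by a KEY=value pair; AWS_REGION is required.
    meta = [args[i + 1] for i, a in enumerate(args[:-1]) if a == "--metadata"]
    if not any(m.startswith("AWS_REGION=") for m in meta):
        findings.append("AWS_REGION metadata missing")
    return findings

# Constructed sample: the configuration described in the steps above.
GOOD = json.dumps({"mcpServers": {"aws-mcp": {"command": "uvx", "args": [
    "mcp-proxy-for-aws==1.6.2", "https://aws-mcp.us-east-1.api.aws/mcp",
    "--metadata", "AWS_REGION=us-east-1"]}}})
# Constructed sample: unpinned proxy and a placeholder host that is not on this page.
BAD = json.dumps({"mcpServers": {"aws-mcp": {"command": "uvx", "args": [
    "mcp-proxy-for-aws", "https://aws-mcp.example.invalid/mcp"]}}})

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        print(label, audit_aws_mcp_entry(text))
```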
Sample use cases
- An agent audits cloud resources by listing them and checking properties across services. Faster, natural-language infrastructure inspection without hand-writing AWS CLI commands.
- A developer asks an agent to look up current AWS service docs and best practices while coding. Up-to-date guidance pulled live from AWS documentation at query time.
- A scheduled workflow runs cross-service checks and surfaces drift or misconfiguration. Automated, repeatable cloud-operations checks bounded by IAM permissions.
Security & permissions
The AWS MCP server endpoint requires no separate API key — but it is not unauthenticated. Every request is authenticated with your AWS IAM credentials via SigV4, bridged from MCP's OAuth through the open-source MCP Proxy for AWS. The agent therefore inherits exactly your IAM permissions: it can read and operate only the AWS resources your identity is allowed to. Scope this down with least-privilege IAM policies and IAM condition keys to restrict which actions an agent can take. `aws login` issues short-lived credentials that rotate automatically (default sessions up to 12 hours), limiting exposure. Note that call_aws and run_script can perform write/destructive operations, so grant only the permissions a given workflow needs.
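Since call_aws and run_script act with whatever the connected identity allows, the policy attached to that identity is the control to review. The following is an added example, not AWS tooling or code from this page: it flags Allow statements that grant more than read access or carry no condition. The function name and both policies are constructed, and the read-verb prefix test is a heuristic assumed for this example.

```python
# Heuristic (assumption of this example): action names starting with these
# verbs are treated as read-only; everything else counts as write-capable.
READ_VERBS = ("Get", "List", "Describe")

def _as_list(value):
    # IAM allows a single string/object where a list is also accepted.
    return value if isinstance(value, list) else [value]

def review_agent_policy(policy):
    """Flag Allow statements that let an agent identity do more than read."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            _service, _, name = action.partition(":")
            if action == "*" or name == "*":
                findings.append((i, action, "wildcard covers every operation in scope"))
            elif not name.startswith(READ_VERBS):
                findings.append((i, action, "write-capable action"))
        if "Condition" not in stmt:
            findings.append((i, None, "no Condition block narrows this grant"))
    return findings

# Constructed sample: broad grant that would let an agent modify or delete resources.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:TerminateInstances"],
     "Resource": "*"}]}

# Constructed sample: read-only audit grant limited to one region with the
# global condition key aws:RequestedRegion.
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetBucketPolicy", "s3:ListAllMyBuckets",
                "cloudwatch:GetMetricData"],
     "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}}]}

if __name__ == "__main__":
    for label, policy in (("broad", BROAD), ("scoped", SCOPED)):
        print(label, review_agent_policy(policy))
```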
Using AWS MCP with Gamut
In a Gamut workflow, an agent can use the AWS MCP server as a tool to inspect and act on cloud infrastructure on a schedule or in response to an event — for example, a scheduled run that audits S3 bucket settings, summarizes a CloudWatch metric, or checks resource availability across regions, then posts the result to Slack. Gamut manages the connection and AWS credentials so the agent calls tools like call_aws and search_documentation directly within the run. Because actions are bounded by the underlying IAM permissions, scope the connected identity to least privilege for the specific task.
Frequently asked questions
What is the AWS MCP server?
It is a managed, AWS-hosted Model Context Protocol server that lets AI agents and coding assistants query AWS documentation and execute real AWS API operations across your account. It exposes tools such as call_aws (run any of 15,000+ AWS APIs), run_script, and search_documentation, reached at https://aws-mcp.us-east-1.api.aws/mcp.
Is the AWS MCP server free?
Yes — there is no additional charge for the AWS MCP server itself. You only pay for the AWS resources you create through it and any applicable data transfer costs, billed to your normal AWS account.
How do I connect the AWS MCP server to Claude or Cursor?
Install the AWS CLI and uv, run `aws login` to get IAM credentials, then add the server using the MCP Proxy for AWS: command `uvx` with args `mcp-proxy-for-aws==1.6.2 https://aws-mcp.us-east-1.api.aws/mcp --metadata AWS_REGION=us-east-1`. The proxy signs each request with SigV4 from your IAM identity.
Is the AWS MCP server hosted or self-hosted?
It is AWS-hosted (a managed remote server) with endpoints in US East (N. Virginia) and Europe (Frankfurt). You run only the lightweight MCP Proxy for AWS locally to authenticate requests; the server logic itself runs on AWS, and it can operate on resources in any region.