mcpSource-backedReview first Safety ✓ Privacy ✓

AWS CloudWatch MCP Server

Official AWS Labs MCP server that gives troubleshooting agents task-oriented access to Amazon CloudWatch metrics, alarms, logs, and PromQL queries for AI-assisted root-cause analysis and remediation recommendations.

by AWS Labs·added 2026-06-20·

Claude Code Codex Cursor Claude Desktop

HarnessClaude CodeCodexCursorClaude Desktop

Install

Source

uvx awslabs.cloudwatch-mcp-server@latest

Readiness

TrustReview first
Sourcesource-backed
Safety notesPresent
ReviewedYes

Documentation Source repository Registry JSON · LLM text

Review first — review before installing

Open the source and read safety notes before installing.

Citation facts

Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.

Canonical URL: https://heyclau.de/entry/mcp/aws-cloudwatch-mcp-server
Source URLs: https://github.com/awslabs/mcp/blob/main/src/cloudwatch-mcp-server/README.md, https://github.com/awslabs/mcp, https://awslabs.github.io/mcp/
Brand: AWS Labs
Brand domain: aws.amazon.com
Brand asset source: brandfetch
Safety notes: This server reads CloudWatch telemetry from your AWS account; scope the AWS credentials/profile to read-only CloudWatch access and the intended accounts and regions., It is designed for observability and troubleshooting (metrics, alarms, logs, PromQL) and does not modify resources, but it can issue many CloudWatch read APIs that may incur AWS request costs., Run it only on a trusted host, since it uses the local machine's AWS credentials to reach your account., Some PromQL tooling is region-limited and may require enabling OTel enrichment (`aws cloudwatch start-otel-enrichment`); review the server docs before relying on it.
Privacy notes: Metric values, alarm states and history, log group contents, namespaces, dimensions, ARNs, and account/region metadata can be returned through tool calls and exposed to the model., Queries and time ranges you ask about are sent to the CloudWatch APIs using your configured credentials; keep account identifiers and credentials out of public prompts, issues, and screenshots.
Author: AWS Labs
Submitted by: jaso0n0818
Claim status: unclaimed
Last verified: 2026-06-20

Safety notes

This server reads CloudWatch telemetry from your AWS account; scope the AWS credentials/profile to read-only CloudWatch access and the intended accounts and regions.
It is designed for observability and troubleshooting (metrics, alarms, logs, PromQL) and does not modify resources, but it can issue many CloudWatch read APIs that may incur AWS request costs.
Run it only on a trusted host, since it uses the local machine's AWS credentials to reach your account.
Some PromQL tooling is region-limited and may require enabling OTel enrichment (`aws cloudwatch start-otel-enrichment`); review the server docs before relying on it.

Privacy notes

Metric values, alarm states and history, log group contents, namespaces, dimensions, ARNs, and account/region metadata can be returned through tool calls and exposed to the model.
Queries and time ranges you ask about are sent to the CloudWatch APIs using your configured credentials; keep account identifiers and credentials out of public prompts, issues, and screenshots.

Prerequisites

An AWS account with CloudWatch telemetry (metrics, alarms, and/or logs).
Python 3.10 or newer and `uv` / `uvx` installed (Astral) to run the package.
AWS credentials configured locally (for example via `aws configure` or `AWS_PROFILE`) with read access to the CloudWatch APIs you intend to use.
An MCP client that supports stdio servers; the server runs locally on the same host as the client.

Schema details

Install type: cli
Troubleshooting: No

Source repository stats

Scope: Source repo

Collection metadata

Estimated setup: 10 minutes
Difficulty: intermediate

Tool listing metadata

Website: https://awslabs.github.io/mcp/
Pricing: open-source
Disclosure: editorial
Application category: DeveloperApplication
Operating system: Cross-platform

Full copyable content

{
  "awslabs.cloudwatch-mcp-server": {
    "command": "uvx",
    "args": ["awslabs.cloudwatch-mcp-server@latest"],
    "env": {
      "AWS_PROFILE": "${AWS_PROFILE}",
      "FASTMCP_LOG_LEVEL": "ERROR"
    }
  }
}

About this resource

Overview

AWS CloudWatch MCP Server is an official AWS Labs Model Context Protocol server that gives troubleshooting agents task-oriented access to Amazon CloudWatch. Rather than wiring up custom CloudWatch API calls, Claude can pull metric data, inspect active alarms and their history, analyze log groups for anomalies and error patterns, and run PromQL queries — then reason over the results for AI-assisted root-cause analysis.

It runs locally over stdio via uvx from the published awslabs.cloudwatch-mcp-server Python package and uses your local AWS credentials, so scope those credentials to read-only CloudWatch access.

Features

Metrics — retrieve metric data (including percentiles and math expressions), get metric metadata, analyze trend/seasonality, and get recommended alarm configurations.
Alarms — list currently active alarms and retrieve alarm state history to understand what triggered an alert.
Logs — describe log groups and analyze a log group for anomalies, message patterns, and error patterns within a time window.
PromQL — run instant and range PromQL queries and discover labels/series for OTLP-ingested and enriched vended AWS metrics (region-limited).

Use Cases

Investigate an incident by correlating active alarms with their related metrics and logs.
Ask Claude to summarize what a metric represents and recommend alarm thresholds.
Analyze a log group for error spikes within a specific time window.
Run PromQL trend queries across services for cross-service observability.

Installation

Claude Code

Install Python 3.10+ and uv.
Configure an AWS profile with read access to CloudWatch.
Add the server with the stdio configuration above (command uvx, package awslabs.cloudwatch-mcp-server@latest, env AWS_PROFILE).
Verify it is connected with claude mcp list.

Claude Desktop / Cursor / Kiro / VS Code

Add the configSnippet above to your client's MCP configuration and set AWS_PROFILE to a profile scoped to read-only CloudWatch access. The first run downloads the package via uvx.

Source And Trust

This entry is based on the official AWS Labs awslabs/mcp repository and the published PyPI package (Apache-2.0). The server is observability-focused and read-oriented, but it uses your AWS credentials and can return account telemetry, so scope permissions tightly and verify the configuration against the linked source before using it in automated workflows.

#aws #cloudwatch #observability #monitoring #aws-labs

Source citations

Source methodology →

Add this badge to your README

Show that AWS CloudWatch MCP Server is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.

[![Listed on HeyClaude](https://heyclau.de/badge/mcp/aws-cloudwatch-mcp-server.svg)](https://heyclau.de/entry/mcp/aws-cloudwatch-mcp-server)

How it compares

AWS CloudWatch MCP Server side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.

Field	AWS CloudWatch MCP Server Official AWS Labs MCP server that gives troubleshooting agents task-oriented access to Amazon CloudWatch metrics, alarms, logs, and PromQL queries for AI-assisted root-cause analysis and remediation recommendations. Open dossier	Amazon ECS MCP Server Official AWS Labs MCP server for Amazon ECS that helps AI assistants containerize applications, deploy them to ECS, troubleshoot deployments, and explore ECS and ECR resources across the container application lifecycle. Open dossier	Amazon EKS MCP Server Official AWS Labs MCP server for Amazon EKS that gives AI code assistants real-time cluster state visibility and Kubernetes/EKS resource management, from cluster setup through deployment, troubleshooting, and optimization. Open dossier	Amazon Location Service MCP Server Official AWS Labs MCP server for Amazon Location Service that gives AI assistants place search, geocoding, reverse geocoding, nearby and open-now search, and route calculation with waypoint optimization. Open dossier
Trust
Install risk	Review first	Review first	Review first	Review first
Notes	Safety ✓ Privacy ✓	Safety ✓ Privacy ✓	Safety ✓ Privacy ✓	Safety ✓ Privacy ✓
Brand	AWS Labs	AWS Labs	AWS Labs	AWS Labs
Category	mcp	mcp	mcp	mcp
Source	source-backed	source-backed	source-backed	source-backed
Author	AWS Labs	AWS Labs	AWS Labs	AWS Labs
Added	2026-06-20	2026-06-21	2026-06-21	2026-06-21
Platforms	Claude CodeCodexCursorClaude Desktop	Claude CodeClaude Desktop	Claude CodeClaude Desktop	Claude CodeClaude Desktop
Source repo	—	—	—	—
Safety notes	✓This server reads CloudWatch telemetry from your AWS account; scope the AWS credentials/profile to read-only CloudWatch access and the intended accounts and regions. It is designed for observability and troubleshooting (metrics, alarms, logs, PromQL) and does not modify resources, but it can issue many CloudWatch read APIs that may incur AWS request costs. Run it only on a trusted host, since it uses the local machine's AWS credentials to reach your account. Some PromQL tooling is region-limited and may require enabling OTel enrichment (`aws cloudwatch start-otel-enrichment`); review the server docs before relying on it.	✓The configuration above is read-only. Setting `ALLOW_WRITE=true` lets the server create and modify infrastructure (ECR repos, CloudFormation stacks, ECS services) and `ALLOW_SENSITIVE_DATA=true` exposes logs; enable these only deliberately. AWS documents this server as primarily for development, testing, and non-critical environments; keep write/sensitive-data disabled for production accounts and prefer non-production targets while evaluating it. This server acts on real infrastructure with your AWS credentials; scope the profile to the intended account, region, and resources, and run it only on a trusted host.	✓The configuration above is read-only. Adding the `--allow-write` flag lets the server create, update, patch, and delete EKS/Kubernetes resources (including creating clusters via CloudFormation) and `--allow-sensitive-data-access` exposes logs and events; enable these only deliberately. This server acts on real infrastructure with your AWS credentials; scope the profile to the intended account, region, and clusters, and prefer non-production targets while evaluating it. Run it only on a trusted host, and review any generated manifests or CloudFormation actions before applying them.	✓This server calls Amazon Location Service place and route APIs with your AWS credentials; scope the profile to Location Service access and the intended account and region. The tools are query-oriented (search, geocode, route) rather than resource-mutating, but Amazon Location Service API calls may incur AWS usage costs. Run it only on a trusted host, since it uses the local machine's AWS credentials to reach your account.
Privacy notes	✓Metric values, alarm states and history, log group contents, namespaces, dimensions, ARNs, and account/region metadata can be returned through tool calls and exposed to the model. Queries and time ranges you ask about are sent to the CloudWatch APIs using your configured credentials; keep account identifiers and credentials out of public prompts, issues, and screenshots.	✓Cluster, service, task, task-definition, and ECR metadata plus account/region identifiers can be returned through tool calls and exposed to the model. With sensitive-data access enabled, logs and deployment details may be returned; keep account identifiers, credentials, and log contents out of public prompts, issues, and screenshots.	✓Cluster state, resource manifests, ARNs, and account/region metadata can be returned through tool calls and exposed to the model. With sensitive-data access enabled, pod logs and Kubernetes events may be returned; keep account identifiers, credentials, and log contents out of public prompts, issues, and screenshots.	✓Place queries, coordinates, addresses, and waypoints you ask about are sent to Amazon Location Service using your configured credentials. Returned place details, addresses, and route geometry are exposed to the model; keep account identifiers and credentials out of public prompts, issues, and screenshots.
Prerequisites	An AWS account with CloudWatch telemetry (metrics, alarms, and/or logs). Python 3.10 or newer and `uv` / `uvx` installed (Astral) to run the package. AWS credentials configured locally (for example via `aws configure` or `AWS_PROFILE`) with read access to the CloudWatch APIs you intend to use. An MCP client that supports stdio servers; the server runs locally on the same host as the client.	An AWS account with Amazon ECS/ECR and permissions to view (and, if enabled, deploy) the target resources. Docker or Finch for containerization and local image builds. Python 3.10 or newer and `uv` / `uvx` installed (Astral) to run the package. AWS credentials configured locally (for example via `aws configure` or `AWS_PROFILE`) scoped to the intended account, region, and resources.	An AWS account with Amazon EKS and permissions to view (and, if enabled, manage) the target clusters. Python 3.10 or newer and `uv` / `uvx` installed (Astral) to run the package. AWS credentials configured locally (for example via `aws configure` or `AWS_PROFILE`) scoped to the intended account, region, and clusters. An MCP client that supports stdio servers; the server runs locally on the same host as the client.	An AWS account with Amazon Location Service enabled in your chosen region. Python 3.10 or newer and `uv` / `uvx` installed (Astral) to run the package. AWS credentials configured locally (for example via `aws configure` or `AWS_PROFILE`) with permissions for Amazon Location Service place and route APIs. An MCP client that supports stdio servers; the server runs locally on the same host as the client.
Install	`uvx awslabs.cloudwatch-mcp-server@latest`	`uvx --from awslabs-ecs-mcp-server ecs-mcp-server`	`uvx awslabs.eks-mcp-server@latest`	`uvx awslabs.aws-location-mcp-server@latest`
Config	`{ "mcpServers": { "awslabs.cloudwatch-mcp-server": { "command": "uvx", "args": ["awslabs.cloudwatch-mcp-server@latest"], "env": { "AWS_PROFILE": "${AWS_PROFILE}", "FASTMCP_LOG_LEVEL": "ERROR" }, "type": "stdio" } } }`	`{ "mcpServers": { "awslabs.ecs-mcp-server": { "command": "uvx", "args": ["--from", "awslabs-ecs-mcp-server", "ecs-mcp-server"], "env": { "AWS_PROFILE": "${AWS_PROFILE}", "AWS_REGION": "us-east-1", "FASTMCP_LOG_LEVEL": "ERROR", "ALLOW_WRITE": "false", "ALLOW_SENSITIVE_DATA": "false" }, "type": "stdio" } } }`	`{ "mcpServers": { "awslabs.eks-mcp-server": { "command": "uvx", "args": ["awslabs.eks-mcp-server@latest"], "env": { "AWS_PROFILE": "${AWS_PROFILE}", "AWS_REGION": "us-east-1", "FASTMCP_LOG_LEVEL": "ERROR" }, "type": "stdio" } } }`	`{ "mcpServers": { "awslabs.aws-location-mcp-server": { "command": "uvx", "args": ["awslabs.aws-location-mcp-server@latest"], "env": { "AWS_PROFILE": "${AWS_PROFILE}", "AWS_REGION": "us-east-1", "FASTMCP_LOG_LEVEL": "ERROR" }, "type": "stdio" } } }`
Citations	Source repositorygithub.com 2026-06-22T04:30:53+00:00 Documentationgithub.com Websiteawslabs.github.io Submitted by jaso0n08182026-06-20 Source methodology →	Source repositorygithub.com 2026-06-22T04:30:53+00:00 Documentationgithub.com Submitted by jaso0n08182026-06-21 Source methodology →	Source repositorygithub.com 2026-06-22T04:30:53+00:00 Documentationgithub.com Submitted by jaso0n08182026-06-21 Source methodology →	Source repositorygithub.com 2026-06-22T04:30:53+00:00 Documentationgithub.com Submitted by jaso0n08182026-06-21 Source methodology →
Claim	Unclaimed	Unclaimed	Unclaimed	Unclaimed