Skip to main content
mcpFirst-partyLow risk Safety Privacy
AWS logo

AWS Services MCP Server - MCP Servers

Comprehensive AWS cloud services integration for infrastructure management, deployment, and monitoring

HarnessClaude CodeCodexCursorClaude Desktop

Citation facts

Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.

Brand
AWS
Brand domain
aws.amazon.com
Brand asset source
brandfetch
Package URL
/downloads/mcp/aws-services-mcp-server.mcpb
Package SHA256
36c5b42a87926bb71ca8bf7a878e163cc8b6f8f28fe4fd6c55394f32659ae580
Safety notes
Scope AWS credentials to the intended accounts, regions, and services because infrastructure actions can affect production resources.
Privacy notes
AWS resource names, configuration, metrics, logs, ARNs, and account metadata may be exposed through tool calls and responses.
Author
AWS Labs
Claim status
unclaimed
Last verified
2025-09-16

Decision playbook

Ready to evaluate for your workflow

Signals are comparatively strong, but you should still validate source, privacy posture, and package provenance for your environment.

Compare context
Selected

0

Current score

96

Baseline

Delta

No baseline selected

No major trust-signal divergence detected in the current selection.

Source and provenance checks

Complete

Confirm ownership and provenance before trusting install instructions.

  • Source link availableRequired

    Open the canonical repository and verify ownership.

    Done
  • Source provenance statusRequired

    Marked as first-party.

    Done
  • Metadata reviewed

    Registry metadata indicates a reviewed listing.

    Done

Safety and privacy checks

Complete

Validate risk disclosures before installation or API wiring.

  • Safety notes presentRequired

    Review the listed safety guidance before running commands.

    Done
  • Privacy notes presentRequired

    Review data handling notes before connecting accounts or secrets.

    Done
  • Trust level risk gateRequired

    Trust level does not block evaluation.

    Done

Package and install checks

Complete

Check package metadata and artifact integrity signals.

  • Install payload available

    Install or copy payload is available for review.

    Done
  • Package verification flag

    Package marked verified.

    Done
  • Checksum metadata

    SHA-256 hash is present.

    Done

Compare-driven decision checks

Needs review

Use compare context to validate trade-offs before adoption.

  • Compare tray has multiple entries

    Add at least one more entry to compare trust differences.

    Pending
  • Baseline comparison available

    No baseline peer selected yet.

    Pending
  • Diverging trust signals identified

    No major trust-signal divergence found.

    Pending

Setup at a glance

Package install

Copy-ready — paste the snippet to get started.

2 minutes

Install command

Provided

Config snippet

Provided

Copy snippet

Provided

Prerequisites

10 to clear

Platforms

4 listed

Difficulty

0/100

Adoption plan

Balanced adoption plan

Current risk score 0/100. Use staged verification before broader rollout.

Risk 0

Pre-adoption checks

Validate source and review signals before any execution.

  • Confirm source provenanceRequired

    Source URL/provenance metadata is present.

    Done
  • Confirm metadata review state

    Listing has review metadata.

    Done
  • Verify install payload

    Install/config payload exists and can be inspected.

    Done

Security checks

Confirm safety, privacy, and package integrity signals.

  • Review safety notesRequired

    Safety notes are present.

    Done
  • Review privacy notesRequired

    Privacy notes are present.

    Done
  • Verify package integrity metadata

    Package verification/checksum metadata is available.

    Done

Rollout

Adopt in controlled steps based on the selected plan.

  • Run in isolated sandbox firstRequired

    Use a constrained sandbox and observe behavior across multiple tasks.

    Pending
  • Roll out graduallyRequired

    Roll out to a small cohort before wider usage.

    Pending
  • Set monitoring and fallback

    Define rollback path and monitor errors after adoption.

    Pending

Evidence readiness

Evidence readiness matrix · balanced

Required evidence gates are covered (6/6 signals complete).

Risk 0

Source provenance

Present

Source repository/provenance is listed.

Required in this preset

Metadata review

Present

Review metadata is present.

Required in this preset

Safety notes

Present

Safety notes are present.

Required in this preset

Privacy notes

Present

Privacy notes are present.

Optional in this preset

Package integrity

Present

Package integrity metadata is present.

Optional in this preset

Install payload

Present

Install payload is available.

Required in this preset

Required evidence gates are covered for this preset.

Decision timeline

Decision timeline · balanced

6/6 steps complete with no blocking gaps for this preset.

Risk 0

triage

Confirm source provenanceRequired

Source/provenance metadata is available.

Done

triage

Check metadata review statusRequired

Review metadata is available.

Done

verify

Review safety notesRequired

Safety notes are available.

Done

verify

Review privacy notes

Privacy notes are available.

Done

verify

Validate package integrity metadata

Package integrity metadata is available.

Done

rollout

Verify install payload and commandsRequired

Install payload is available.

Done

No required blockers for this timeline preset.

Prerequisite readiness

Prerequisite readiness

10 prerequisites to line up before setup. Have accounts and credentials ready first.

0/10 ready
Account & credentials2Install & runtime3Configuration2Permissions & scopes1Network & hosting1General12 minutes

Safety & privacy surface

Safety & privacy surface

1 safety and 1 privacy notes across 2 risk areas. Review closely: credentials & tokens.

2 areas
  • SafetyCredentials & tokensScope AWS credentials to the intended accounts, regions, and services because infrastructure actions can affect production resources.
  • PrivacyData retentionAWS resource names, configuration, metrics, logs, ARNs, and account metadata may be exposed through tool calls and responses.

Safety notes

  • Scope AWS credentials to the intended accounts, regions, and services because infrastructure actions can affect production resources.

Privacy notes

  • AWS resource names, configuration, metrics, logs, ARNs, and account metadata may be exposed through tool calls and responses.

Prerequisites

  • Python 3.8+ installed for running uvx commands
  • uv package manager installed (provides uvx command for running Python packages)
  • AWS account with active credentials and appropriate IAM permissions
  • AWS credentials configured via one of: IAM access keys (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY), AWS profile (~/.aws/credentials), or IAM role (for EC2/ECS)
  • AWS CLI installed and configured (optional but recommended for testing authentication with `aws sts get-caller-identity`)
  • AWS region configured (default: us-east-1, configurable via AWS_REGION environment variable)
  • IAM permissions for target AWS services (e.g., AmazonEC2FullAccess, AmazonS3FullAccess, AWSLambda_FullAccess, AmazonRDSFullAccess, CloudWatchFullAccess, etc.)
  • Internet connection for accessing AWS APIs (https://*.amazonaws.com endpoints)
  • Claude Desktop 0.7.0+ or Claude Code with MCP support
  • Understanding of AWS service concepts (regions, IAM policies, resource IDs, CloudFormation templates)

Schema details

Install type
package
Reading time
1 min
Difficulty score
0
Troubleshooting
Yes
Breaking changes
No
Source repository stats
Scope
Source repo
Package metadata
Package verified
Yes
SHA-256
36c5b42a87926bb71ca8bf7a878e163cc8b6f8f28fe4fd6c55394f32659ae580
Skill and platform metadata
Retrieval sources
https://github.com/awslabs/mcp
Collection metadata
Estimated setup
2 minutes
Difficulty
intermediate
Full copyable content
{
  "aws": {
    "env": {
      "AWS_REGION": "${AWS_REGION:-us-east-1}",
      "AWS_PROFILE": "${AWS_PROFILE}",
      "FASTMCP_LOG_LEVEL": "${FASTMCP_LOG_LEVEL:-ERROR}"
    },
    "args": [
      "awslabs.core-mcp-server@latest"
    ],
    "command": "uvx"
  }
}

About this resource

Content

Comprehensive AWS cloud services integration for infrastructure management, deployment, and monitoring.

Features

  • EC2 instance management and monitoring
  • S3 bucket and object operations
  • Lambda function deployment and invocation
  • RDS database management
  • CloudWatch metrics and alarms
  • VPC and networking configuration
  • IAM user and role management
  • CloudFormation stack deployment
  • Auto Scaling group management
  • Load balancer configuration

Use Cases

  • Deploy and manage EC2 instances for web applications
  • Automate S3 bucket creation and file operations
  • Deploy Lambda functions for serverless computing
  • Monitor application performance with CloudWatch
  • Manage RDS databases and create read replicas
  • Configure VPC networking and security groups
  • Deploy infrastructure using CloudFormation templates
  • Set up auto-scaling for high availability
  • Implement cost optimization strategies
  • Manage IAM roles and policies for security

Installation

Claude Code

  1. Run: uvx awslabs.core-mcp-server@latest
  2. Verify installation: claude mcp list
  3. Test connection: claude mcp status aws-services

Claude Desktop

  1. Install the AWS MCP server: uvx awslabs.core-mcp-server@latest
  2. Open your Claude Desktop configuration file
  3. Add the AWS MCP server configuration with your credentials
  4. Configure AWS authentication (IAM keys, profile, or roles)
  5. Restart Claude Desktop

Requirements

  • Python 3.8+ installed for running uvx commands
  • uv package manager installed (provides uvx command for running Python packages)
  • AWS account with active credentials and appropriate IAM permissions
  • AWS credentials configured via one of: IAM access keys (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY), AWS profile (~/.aws/credentials), or IAM role (for EC2/ECS)
  • AWS CLI installed and configured (optional but recommended for testing authentication with aws sts get-caller-identity)
  • AWS region configured (default: us-east-1, configurable via AWS_REGION environment variable)
  • IAM permissions for target AWS services (e.g., AmazonEC2FullAccess, AmazonS3FullAccess, AWSLambda_FullAccess, AmazonRDSFullAccess, CloudWatchFullAccess, etc.)
  • Internet connection for accessing AWS APIs (https://*.amazonaws.com endpoints)
  • Claude Desktop 0.7.0+ or Claude Code with MCP support
  • Understanding of AWS service concepts (regions, IAM policies, resource IDs, CloudFormation templates)

Configuration

{
  "aws": {
    "env": {
      "AWS_REGION": "${AWS_REGION:-us-east-1}",
      "AWS_PROFILE": "${AWS_PROFILE}",
      "FASTMCP_LOG_LEVEL": "${FASTMCP_LOG_LEVEL:-ERROR}"
    },
    "args": ["awslabs.core-mcp-server@latest"],
    "command": "uvx"
  }
}

Examples

Launch a new EC2 instance with custom tags

Common usage pattern for this MCP server

Ask Claude: "Launch a new EC2 instance with custom tags"

Create an S3 bucket with versioning enabled

Common usage pattern for this MCP server

Ask Claude: "Create an S3 bucket with versioning enabled"

Deploy a Lambda function with environment variable...

Common usage pattern for this MCP server

Ask Claude: "Deploy a Lambda function with environment variables"

Set up CloudWatch alarms for application monitorin...

Common usage pattern for this MCP server

Ask Claude: "Set up CloudWatch alarms for application monitoring"

Create an RDS instance with automated backups

Common usage pattern for this MCP server

Ask Claude: "Create an RDS instance with automated backups"

Deploy a complete web application stack via CloudF...

Common usage pattern for this MCP server

Ask Claude: "Deploy a complete web application stack via CloudFormation"

Security

  • Support for IAM user credentials and roles
  • AWS Profile-based authentication
  • Least privilege access with specific permissions
  • CloudTrail integration for audit logging
  • Secrets Manager for credential management
  • VPC security groups and network ACLs
  • AWS IAM credentials and access keys must be securely stored and never exposed in client-side code or public repositories - use AWS IAM roles, environment variables, and AWS Secrets Manager for credential management
  • AWS service configurations and resource ARNs may expose infrastructure architecture and resource identifiers - ensure AWS resource identifiers are kept private and not shared in public configurations
  • AWS CloudTrail logging and audit trail management are critical for AWS MCP servers - implement proper CloudTrail integration and log retention policies for security compliance and audit requirements
  • AWS credentials (access keys, secret keys, session tokens) must be securely stored using AWS IAM roles, environment variables, or secure credential stores - never hardcode credentials or expose them in client-side code
  • AWS IAM policies should follow the principle of least privilege with minimal required permissions for MCP server operations - regularly audit IAM policies and remove unused permissions
  • AWS CloudTrail logging should be enabled to monitor all API calls made through the MCP server for security auditing and compliance requirements

Troubleshooting

AWS credentials not found or authentication failure

Run aws configure to set access keys. Verify AWS_PROFILE matches profile in ~/.aws/credentials. Test with aws sts get-caller-identity command to confirm authentication.

IAM permissions denied for specific AWS service operations

Attach required IAM policy (AmazonEC2FullAccess, AmazonS3FullAccess, etc). Use AWS Policy Simulator to test permissions. Verify principal has necessary actions in IAM policy document.

Resources not found - wrong AWS region configured

Verify AWS_REGION environment variable matches resource location (us-east-1, eu-west-1, etc). Update with aws configure set region REGION_NAME. Check region in AWS Console matches CLI.

CloudFormation template validation errors or syntax issues

Validate with aws cloudformation validate-template --template-body file://template.yaml. Check resource types match AWS documentation exactly. Verify parameter types and AllowedValues constraints.

API throttling or RequestLimitExceeded errors

Implement exponential backoff for retries (wait 2^n seconds). Reduce concurrent requests to max 10. Request service quota increase at AWS Service Quotas console for sustained high usage.

AWS MCP server authentication errors with IAM credentials

Verify IAM credentials are valid and not expired. Check IAM policy permissions match required AWS service access. Ensure credential format is correct (access key ID and secret access key). For IAM roles, verify role trust relationships and assume role permissions.

AWS service rate limiting or throttling errors

Implement exponential backoff retry logic with jitter. Use AWS SDK built-in retry mechanisms. Monitor AWS service quotas and request rate limits. Implement request queuing and throttling to stay within service limits.

AWS MCP server connection timeouts or network errors

Check network connectivity and firewall settings. Verify AWS service endpoints are accessible. Increase request timeout values. Implement connection pooling and retry mechanisms with exponential backoff. Check VPC and security group configurations if using private endpoints.

AWS MCP server authentication errors with IAM credentials

Verify AWS credentials are valid and not expired. Check IAM user/role has required permissions. Ensure credentials are properly configured in environment variables or AWS credential files. For temporary credentials, verify session token hasn't expired.

AWS service access denied errors despite valid credentials

Verify IAM policy includes required service permissions and resource ARNs. Check service-specific permissions (e.g., S3 bucket access, EC2 instance permissions). Review IAM policy conditions and resource restrictions. Use AWS IAM Policy Simulator to test permissions.

AWS MCP server rate limiting or throttling errors

Implement exponential backoff retry logic with jitter. Use AWS SDK built-in retry mechanisms. Monitor service quotas and request rate limits. Consider using AWS service quotas API to check current usage and request increases if needed.

Source citations

Add this badge to your README

Show that AWS Services MCP Server - MCP Servers is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.

Listed on HeyClaude
[![Listed on HeyClaude](https://heyclau.de/badge/mcp/aws-services-mcp-server.svg)](https://heyclau.de/entry/mcp/aws-services-mcp-server)

How it compares

AWS Services MCP Server - MCP Servers side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.

2 trust signals differ across this comparison (Package trust, Submitter).

Field

Comprehensive AWS cloud services integration for infrastructure management, deployment, and monitoring

Open dossier

Official AWS Labs MCP server for Amazon ECS that helps AI assistants containerize applications, deploy them to ECS, troubleshoot deployments, and explore ECS and ECR resources across the container application lifecycle.

Open dossier

Official AWS Labs MCP server for Amazon EKS that gives AI code assistants real-time cluster state visibility and Kubernetes/EKS resource management, from cluster setup through deployment, troubleshooting, and optimization.

Open dossier

Official AWS Labs MCP server that gives troubleshooting agents task-oriented access to Amazon CloudWatch metrics, alarms, logs, and PromQL queries for AI-assisted root-cause analysis and remediation recommendations.

Open dossier
Next steps
Trust
Review statusReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewed
Package trustDiffersPackage verifiedPackage not verifiedPackage not verifiedPackage not verified
Source provenanceSource-backedSource-backedSource-backedSource-backed
SubmitterDiffersjaso0n0818jaso0n0818jaso0n0818
Install riskLow riskReview firstReview firstReview first
Notes Safety Privacy Safety Privacy Safety Privacy Safety Privacy
BrandAWS logoAWSAWS Labs logoAWS LabsAWS Labs logoAWS LabsAWS Labs logoAWS Labs
Categorymcpmcpmcpmcp
Sourcefirst-partysource-backedsource-backedsource-backed
AuthorAWS LabsAWS LabsAWS LabsAWS Labs
Added2025-09-162026-06-212026-06-212026-06-20
Platforms
Claude CodeCodexCursorClaude Desktop
Claude CodeClaude Desktop
Claude CodeClaude Desktop
Claude CodeClaude Desktop
Source repo
Safety notesScope AWS credentials to the intended accounts, regions, and services because infrastructure actions can affect production resources.The configuration above is read-only. Setting `ALLOW_WRITE=true` lets the server create and modify infrastructure (ECR repos, CloudFormation stacks, ECS services) and `ALLOW_SENSITIVE_DATA=true` exposes logs; enable these only deliberately. AWS documents this server as primarily for development, testing, and non-critical environments; keep write/sensitive-data disabled for production accounts and prefer non-production targets while evaluating it. This server acts on real infrastructure with your AWS credentials; scope the profile to the intended account, region, and resources, and run it only on a trusted host.The configuration above is read-only. Adding the `--allow-write` flag lets the server create, update, patch, and delete EKS/Kubernetes resources (including creating clusters via CloudFormation) and `--allow-sensitive-data-access` exposes logs and events; enable these only deliberately. This server acts on real infrastructure with your AWS credentials; scope the profile to the intended account, region, and clusters, and prefer non-production targets while evaluating it. Run it only on a trusted host, and review any generated manifests or CloudFormation actions before applying them.This server reads CloudWatch telemetry from your AWS account; scope the AWS credentials/profile to read-only CloudWatch access and the intended accounts and regions. It is designed for observability and troubleshooting (metrics, alarms, logs, PromQL) and does not modify resources, but it can issue many CloudWatch read APIs that may incur AWS request costs. Run it only on a trusted host, since it uses the local machine's AWS credentials to reach your account. Some PromQL tooling is region-limited and may require enabling OTel enrichment (`aws cloudwatch start-otel-enrichment`); review the server docs before relying on it.
Privacy notesAWS resource names, configuration, metrics, logs, ARNs, and account metadata may be exposed through tool calls and responses.Cluster, service, task, task-definition, and ECR metadata plus account/region identifiers can be returned through tool calls and exposed to the model. With sensitive-data access enabled, logs and deployment details may be returned; keep account identifiers, credentials, and log contents out of public prompts, issues, and screenshots.Cluster state, resource manifests, ARNs, and account/region metadata can be returned through tool calls and exposed to the model. With sensitive-data access enabled, pod logs and Kubernetes events may be returned; keep account identifiers, credentials, and log contents out of public prompts, issues, and screenshots.Metric values, alarm states and history, log group contents, namespaces, dimensions, ARNs, and account/region metadata can be returned through tool calls and exposed to the model. Queries and time ranges you ask about are sent to the CloudWatch APIs using your configured credentials; keep account identifiers and credentials out of public prompts, issues, and screenshots.
Prerequisites
  • Python 3.8+ installed for running uvx commands
  • uv package manager installed (provides uvx command for running Python packages)
  • AWS account with active credentials and appropriate IAM permissions
  • AWS credentials configured via one of: IAM access keys (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY), AWS profile (~/.aws/credentials), or IAM role (for EC2/ECS)
  • An AWS account with Amazon ECS/ECR and permissions to view (and, if enabled, deploy) the target resources.
  • Docker or Finch for containerization and local image builds.
  • Python 3.10 or newer and `uv` / `uvx` installed (Astral) to run the package.
  • AWS credentials configured locally (for example via `aws configure` or `AWS_PROFILE`) scoped to the intended account, region, and resources.
  • An AWS account with Amazon EKS and permissions to view (and, if enabled, manage) the target clusters.
  • Python 3.10 or newer and `uv` / `uvx` installed (Astral) to run the package.
  • AWS credentials configured locally (for example via `aws configure` or `AWS_PROFILE`) scoped to the intended account, region, and clusters.
  • An MCP client that supports stdio servers; the server runs locally on the same host as the client.
  • An AWS account with CloudWatch telemetry (metrics, alarms, and/or logs).
  • Python 3.10 or newer and `uv` / `uvx` installed (Astral) to run the package.
  • AWS credentials configured locally (for example via `aws configure` or `AWS_PROFILE`) with read access to the CloudWatch APIs you intend to use.
  • An MCP client that supports stdio servers; the server runs locally on the same host as the client.
Install
uvx awslabs.core-mcp-server@latest && claude mcp list
uvx --from awslabs-ecs-mcp-server ecs-mcp-server
uvx awslabs.eks-mcp-server@latest
uvx awslabs.cloudwatch-mcp-server@latest
Config
{
  "mcpServers": {
    "aws": {
      "env": {
        "AWS_REGION": "${AWS_REGION:-us-east-1}",
        "AWS_PROFILE": "${AWS_PROFILE}",
        "FASTMCP_LOG_LEVEL": "${FASTMCP_LOG_LEVEL:-ERROR}"
      },
      "args": [
        "awslabs.core-mcp-server@latest"
      ],
      "command": "uvx",
      "type": "stdio"
    }
  }
}
{
  "mcpServers": {
    "awslabs.ecs-mcp-server": {
      "command": "uvx",
      "args": ["--from", "awslabs-ecs-mcp-server", "ecs-mcp-server"],
      "env": {
        "AWS_PROFILE": "${AWS_PROFILE}",
        "AWS_REGION": "us-east-1",
        "FASTMCP_LOG_LEVEL": "ERROR",
        "ALLOW_WRITE": "false",
        "ALLOW_SENSITIVE_DATA": "false"
      },
      "type": "stdio"
    }
  }
}
{
  "mcpServers": {
    "awslabs.eks-mcp-server": {
      "command": "uvx",
      "args": ["awslabs.eks-mcp-server@latest"],
      "env": {
        "AWS_PROFILE": "${AWS_PROFILE}",
        "AWS_REGION": "us-east-1",
        "FASTMCP_LOG_LEVEL": "ERROR"
      },
      "type": "stdio"
    }
  }
}
{
  "mcpServers": {
    "awslabs.cloudwatch-mcp-server": {
      "command": "uvx",
      "args": ["awslabs.cloudwatch-mcp-server@latest"],
      "env": {
        "AWS_PROFILE": "${AWS_PROFILE}",
        "FASTMCP_LOG_LEVEL": "ERROR"
      },
      "type": "stdio"
    }
  }
}
Citations
ClaimUnclaimedUnclaimedUnclaimedUnclaimed
Open 4 picks in the interactive comparison tool

Related guides

Signals

Loading live community signals…

More like this, weekly

A short, calm digest of reviewed Claude resources. Unsubscribe any time.