TL;DR - AWS MCP Quick Start
Manage your cloud infrastructure with AI - Query S3, monitor resources, and automate operations.
🆕 2025: AWS released official MCP servers for EKS, ECS, and Lambda! Managed MCP servers provide AI-powered DevOps with Amazon Q Developer.
Quick Setup (S3 Example):
```json
{
  "mcpServers": {
    "aws-s3": {
      "command": "npx",
      "args": ["-y", "mcp-server-aws-s3"],
      "env": {
        "AWS_REGION": "us-east-1",
        "AWS_ACCESS_KEY_ID": "AKIA...",
        "AWS_SECRET_ACCESS_KEY": "..."
      }
    }
  }
}
```
What you can do:
- 🪣 S3: List, read, and manage objects
- 🖥️ EC2: Query instances and status
- 📊 CloudWatch: Read metrics and logs
- ⚡ Lambda: Check function status
- 🗄️ DynamoDB: Query tables
Example conversation:
You: List all S3 buckets and their sizes
Claude: Here are your S3 buckets:
| Bucket Name | Size | Objects | Region |
|---------------------|---------|---------|-----------|
| prod-assets | 45.2 GB | 12,340 | us-east-1 |
| backup-data | 128 GB | 5,678 | us-west-2 |
| dev-uploads | 2.1 GB | 890 | us-east-1 |
⚠️ Security First: Always use least-privilege IAM credentials, and prefer an AWS CLI profile (see "Using AWS Profile" below) over access keys pasted into the config file.
AWS MCP Landscape
Several MCP servers exist for different AWS services:
| Server | Services | Maintainer |
|---|---|---|
| mcp-server-aws-s3 | S3 buckets and objects | Community |
| mcp-server-aws-ec2 | EC2 instances | Community |
| aws-kb-retriever | Knowledge bases, Bedrock | Anthropic |
| mcp-server-cloudwatch | Metrics and logs | Community |
| Various others | Lambda, DynamoDB, etc. | Community |
📌 Note: The AWS MCP ecosystem is growing. Check mcp.so for the latest servers. For an introduction to MCP, see the MCP Introduction guide.
2025: AWS Official MCP Servers
| Server | Description | Release |
|---|---|---|
| Amazon EKS MCP | Kubernetes cluster management | Nov 2025 |
| Amazon ECS MCP | Container service orchestration | Nov 2025 |
| AWS Lambda MCP | Serverless function integration | 2025 |
| AWS API MCP | Natural language AWS API access | Jul 2025 |
🤖 Amazon Q Developer: Integrates with MCP servers for AI-powered infrastructure management. For more on AI agents, see the AI Agents guide.
Prerequisites
1. AWS Account and Credentials
You'll need AWS credentials. Pick one of the following approaches:
Option A: IAM User Credentials
- Create an IAM user in AWS Console
- Attach appropriate policies
- Generate access keys
- Configure in MCP
Option B: AWS CLI Profile
```shell
aws configure --profile mcp-access
# Enter access key, secret, region
```
Option C: IAM Role (EC2/Lambda)
If the MCP server runs on AWS infrastructure, attach an IAM role to the instance or function instead of distributing access keys.
2. Creating Least-Privilege Access
For S3 Read-Only:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::*",
        "arn:aws:s3:::*/*"
      ]
    }
  ]
}
```
For EC2 Read-Only:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets"
      ],
      "Resource": "*"
    }
  ]
}
```
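An added example (not from this guide or any MCP server project): a small Python check that the policy you attach to the MCP user really stays read-only before you hand its keys to an AI agent. The read-verb list and finding texts are this example's own heuristics; the sample policies are a constructed copy of the S3 policy above and a deliberately over-broad one.

```python
"""Static check that an IAM policy meant for a read-only MCP server stays read-only."""
import json
from typing import Dict, List

# Heuristic list of verbs that only read state. It is an assumption for this
# example, not an AWS-published classification.
READ_VERBS = ("Get", "List", "Describe", "Head")

def audit_read_only_policy(policy: Dict) -> List[str]:
    """Return human-readable findings; an empty list means the policy looks read-only."""
    findings: List[str] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else list(resources)
        non_read = []
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r} grants write access")
                non_read.append(action)
            elif ":" not in action or not action.split(":", 1)[1].startswith(READ_VERBS):
                findings.append(f"statement {i}: {action!r} is not a read-only action")
                non_read.append(action)
        # Resource "*" is normal for ec2:Describe* (those calls have no resource-level
        # permissions), but combined with a mutating action it means write access to everything.
        if non_read and "*" in resources:
            findings.append(f"statement {i}: mutating actions allowed on Resource '*'")
    return findings

# Constructed policies: the S3 read-only policy from this guide, and an over-broad one.
S3_READ_ONLY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
    "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:ListBucket", "s3:GetObject"],
    "Resource": ["arn:aws:s3:::*", "arn:aws:s3:::*/*"]}]
}""")
TOO_BROAD = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*"},
                {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]
}""")

if __name__ == "__main__":
    for name, pol in (("S3_READ_ONLY", S3_READ_ONLY), ("TOO_BROAD", TOO_BROAD)):
        print(name, audit_read_only_policy(pol) or "OK")
```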
3. Node.js v18+
```shell
node --version # Should be v18+
```
S3 MCP Configuration
Installation
```json
{
  "mcpServers": {
    "aws-s3": {
      "command": "npx",
      "args": ["-y", "mcp-server-aws-s3"],
      "env": {
        "AWS_REGION": "us-east-1",
        "AWS_ACCESS_KEY_ID": "AKIA...",
        "AWS_SECRET_ACCESS_KEY": "your-secret-key"
      }
    }
  }
}
```
Using AWS Profile
```json
{
  "mcpServers": {
    "aws-s3": {
      "command": "npx",
      "args": ["-y", "mcp-server-aws-s3"],
      "env": {
        "AWS_PROFILE": "mcp-access",
        "AWS_REGION": "us-east-1"
      }
    }
  }
}
```
Available S3 Operations
| Operation | Description | Example Prompt |
|---|---|---|
| List buckets | Show all S3 buckets | "List my S3 buckets" |
| List objects | Objects in a bucket | "What's in prod-assets bucket?" |
| Get object | Read object content | "Read config.json from bucket" |
| Get metadata | Object size, type, date | "Get metadata for this file" |
EC2 MCP Configuration
Installation
```json
{
  "mcpServers": {
    "aws-ec2": {
      "command": "npx",
      "args": ["-y", "mcp-server-aws-ec2"],
      "env": {
        "AWS_REGION": "us-east-1",
        "AWS_ACCESS_KEY_ID": "AKIA...",
        "AWS_SECRET_ACCESS_KEY": "..."
      }
    }
  }
}
```
Available EC2 Operations
| Operation | Description | Example Prompt |
|---|---|---|
| List instances | All EC2 instances | "Show my EC2 instances" |
| Instance details | Specific instance info | "Details of i-1234567890" |
| Security groups | List security groups | "What security groups exist?" |
| VPC info | VPC configuration | "Show VPC details" |
CloudWatch MCP Configuration
Installation
```json
{
  "mcpServers": {
    "cloudwatch": {
      "command": "npx",
      "args": ["-y", "mcp-server-cloudwatch"],
      "env": {
        "AWS_REGION": "us-east-1",
        "AWS_ACCESS_KEY_ID": "AKIA...",
        "AWS_SECRET_ACCESS_KEY": "..."
      }
    }
  }
}
```
Available CloudWatch Operations
| Operation | Description | Example Prompt |
|---|---|---|
| List metrics | Available metrics | "What metrics are available?" |
| Get metric data | Retrieve metric values | "CPU usage for last hour" |
| List log groups | CloudWatch log groups | "Show log groups" |
| Query logs | Search log data | "Errors in API logs today" |
Practical Workflows
Workflow 1: Infrastructure Inventory
Get a complete view of your AWS resources:
You: Give me an inventory of my AWS infrastructure
Claude: Querying AWS resources...
**AWS Infrastructure Inventory**
**EC2 Instances (12):**
| Name | Type | State | IP |
|---------------|-----------|---------|---------------|
| prod-api-1 | t3.medium | running | 10.0.1.45 |
| prod-api-2 | t3.medium | running | 10.0.1.46 |
| prod-web-1 | t3.large | running | 10.0.2.12 |
| staging-api | t3.small | running | 10.0.3.22 |
| dev-server | t3.micro | stopped | - |
...
**S3 Buckets (8):**
- prod-assets (45 GB)
- prod-backups (320 GB)
- logs-archive (12 GB)
...
**Monthly Estimate:** ~$485
Workflow 2: Cost Analysis
Understand your AWS spending:
You: Analyze my S3 storage costs by bucket
Claude: Analyzing S3 storage...
**S3 Cost Analysis**
| Bucket | Size | Storage Class | Monthly Cost |
|------------------|---------|---------------|--------------|
| prod-backups | 320 GB | Standard | $7.36 |
| media-archive | 850 GB | Glacier | $3.40 |
| prod-assets | 45 GB | Standard | $1.04 |
| logs-archive | 12 GB | IA | $0.15 |
| dev-uploads | 2 GB | Standard | $0.05 |
**Total Monthly:** ~$11.95
**Recommendations:**
- Move prod-backups older than 90 days to Glacier (-$4/mo)
- logs-archive could use Glacier Deep Archive (-$0.10/mo)
Workflow 3: Security Audit
Review security configurations:
You: Audit my EC2 security groups for overly permissive rules
Claude: Auditing security groups...
**Security Group Audit**
⚠️ **Issues Found (3):**
1. **sg-abc123** (web-servers)
- Port 22 open to 0.0.0.0/0
- Recommendation: Restrict to VPN IP range
2. **sg-def456** (legacy-app)
- Port 3306 open to 0.0.0.0/0
- CRITICAL: MySQL exposed to internet!
- Recommendation: Restrict to app security group
3. **sg-ghi789** (dev-testing)
- All ports open to 0.0.0.0/0
- Recommendation: Delete or restrict this SG
✅ **Compliant (15):**
- All other security groups properly restricted
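The check the Workflow 3 audit performs, written out as an added Python example rather than code from the guide, so you can run the same rule over a DescribeSecurityGroups result yourself instead of trusting the agent's summary. The input mirrors the shape of the EC2 DescribeSecurityGroups response; the sample groups and the list of ports rated CRITICAL are constructed for this example.

```python
"""Detection logic for the Workflow 3 audit: find security-group rules open to the internet."""
from typing import Dict, List

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
# Ports whose world exposure is rated CRITICAL (an assumption for this example;
# SSH on 22 is only WARN, matching the audit output above).
CRITICAL_PORTS = {3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL", 6379: "Redis", 27017: "MongoDB"}

def audit_security_groups(groups: List[Dict]) -> List[Dict]:
    """`groups` follows the SecurityGroups list of the EC2 DescribeSecurityGroups response."""
    findings: List[Dict] = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == ANY_V4]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_V6]
            if not cidrs:
                continue  # rule is scoped to specific ranges or to another security group
            base = {"sg": sg["GroupId"], "name": sg.get("GroupName", ""), "cidrs": cidrs}
            if perm.get("IpProtocol") == "-1":  # -1 means every protocol and every port
                findings.append({**base, "ports": "all", "severity": "CRITICAL"})
                continue
            lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
            exposed = [CRITICAL_PORTS[p] for p in CRITICAL_PORTS if lo <= p <= hi]
            findings.append({**base, "ports": str(lo) if lo == hi else f"{lo}-{hi}",
                             "severity": "CRITICAL" if exposed else "WARN", "services": exposed})
    return findings

# Constructed sample modelled on the audit above; not real account data.
SAMPLE_GROUPS = [
    {"GroupId": "sg-abc123", "GroupName": "web-servers", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": ANY_V4}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-def456", "GroupName": "legacy-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": ANY_V4}]}]},
    {"GroupId": "sg-ghi789", "GroupName": "dev-testing", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]}]},
    {"GroupId": "sg-ok0001", "GroupName": "app-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "UserIdGroupPairs": [{"GroupId": "sg-abc123"}]}]},
]

if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f['severity']:8} {f['sg']} ({f['name']}): ports {f['ports']} open to {', '.join(f['cidrs'])}")
```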
Workflow 4: Log Analysis
Search and analyze CloudWatch logs:
You: Find all ERROR logs in the API log group from the last hour
Claude: Querying CloudWatch logs...
**Error Logs (Last Hour)**
Found 23 errors in /aws/lambda/api-handler:
| Time | Error Type | Count |
|----------|---------------------|-------|
| 14:45:32 | TimeoutException | 12 |
| 14:52:18 | ValidationError | 8 |
| 15:01:45 | DatabaseConnection | 3 |
**Top Error:**
TimeoutException: Task timed out after 30 seconds at /var/task/handlers/process.js:45
Affected requests: 12
**Recommendation:**
Consider increasing the Lambda timeout or optimizing the database query causing the delays.
Workflow 5: Resource Monitoring
Real-time resource monitoring:
You: How are my production EC2 instances performing?
Claude: Fetching CloudWatch metrics...
**EC2 Performance Dashboard**
| Instance | CPU | Memory* | Network I/O | Status |
|-------------|-----|---------|-------------|--------|
| prod-api-1 | 45% | 72% | 125 MB/s | ✅ OK |
| prod-api-2 | 52% | 68% | 118 MB/s | ✅ OK |
| prod-web-1 | 23% | 41% | 45 MB/s | ✅ OK |
| prod-db-1 | 78% | 89% | 234 MB/s | ⚠️ High |
**Alerts:**
- prod-db-1: CPU and memory elevated
- Recommendation: Consider scaling or query optimization
*Memory requires CloudWatch agent
Example Prompts
S3 Operations
```text
# Bucket listing
"List all my S3 buckets"
"Show buckets in us-west-2"
"Which buckets have public access?"
# Object operations
"List objects in prod-assets bucket"
"Show files uploaded today to uploads/"
"Read the config.json from settings bucket"
# Analysis
"How much storage am I using across all buckets?"
"Which bucket has the most objects?"
"Find large files over 1GB"
```
EC2 Operations
```text
# Instance listing
"Show all running EC2 instances"
"List instances by tag 'Environment=Production'"
"Which instances are in the us-east-1a availability zone?"
# Instance details
"Get details of i-0abc123def456"
"What security groups are attached to my web servers?"
"Show the launch configuration for prod instances"
# Cost and sizing
"Which instances are over-provisioned?"
"Show instance hours for this month"
"List instances that have been stopped for over 30 days"
```
CloudWatch Operations
```text
# Metrics
"Show CPU utilization for the last 24 hours"
"Get memory usage for prod-api instances"
"What's the average latency for my API?"
# Logs
"Search for errors in the last hour"
"Find logs mentioning 'timeout'"
"Show logs from the payment service"
# Alarms
"List active CloudWatch alarms"
"Which alarms are in ALARM state?"
"Show alarm history for this week"
```
Multiple AWS Accounts
For multi-account management:
```json
{
  "mcpServers": {
    "aws-prod": {
      "command": "npx",
      "args": ["-y", "mcp-server-aws-s3"],
      "env": {
        "AWS_PROFILE": "production",
        "AWS_REGION": "us-east-1"
      }
    },
    "aws-staging": {
      "command": "npx",
      "args": ["-y", "mcp-server-aws-s3"],
      "env": {
        "AWS_PROFILE": "staging",
        "AWS_REGION": "us-east-1"
      }
    },
    "aws-dev": {
      "command": "npx",
      "args": ["-y", "mcp-server-aws-s3"],
      "env": {
        "AWS_PROFILE": "development",
        "AWS_REGION": "us-west-2"
      }
    }
  }
}
```
Then specify which account:
You: Using the production AWS account, list S3 buckets
You: Check EC2 instances in staging
Security Best Practices
Credential Management
| ✅ Do | ❌ Don’t |
|---|---|
| Use IAM users/roles | Use root account credentials |
| Apply least-privilege | Grant admin access |
| Rotate keys regularly | Keep old keys active |
| Use AWS profiles | Hardcode in config files |
| Audit access logs | Ignore CloudTrail |
For more on AI security best practices, see the Understanding AI Safety, Ethics, and Limitations guide.
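An added Python example (not part of this guide) that lints an MCP client config against the table above: it flags access keys written into the config file, servers without a profile or region, and npx packages that are not pinned to a version (with `npx -y`, an unpinned name runs whatever version is latest on the registry at launch time). The sample configs are constructed copies of the S3 configs shown earlier.

```python
"""Lint an MCP client config for the credential-handling mistakes listed in the table above."""
import json
from typing import Dict, List

# Keys that should never sit in a config file on disk (AWS_SESSION_TOKEN added as an assumption).
SECRET_KEYS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")

def lint_mcp_config(config: Dict) -> List[str]:
    """Return one finding per problem; an empty list means the config follows the table."""
    findings: List[str] = []
    for name, server in config.get("mcpServers", {}).items():
        env = server.get("env", {})
        hardcoded = [k for k in SECRET_KEYS if k in env]
        if hardcoded:
            findings.append(f"{name}: {', '.join(hardcoded)} written into the config; use AWS_PROFILE")
        elif "AWS_PROFILE" not in env:
            findings.append(f"{name}: no AWS_PROFILE; relies on the default credential chain "
                            "(fine for an IAM role on EC2/Lambda, otherwise check which creds it finds)")
        if "AWS_REGION" not in env:
            findings.append(f"{name}: AWS_REGION not set")
        if server.get("command") == "npx":
            pkg = next((a for a in server.get("args", []) if not a.startswith("-")), "")
            # "pkg" or "@scope/pkg" carries no version; "pkg@1.2.3" does.
            if pkg and "@" not in pkg.lstrip("@"):
                findings.append(f"{name}: {pkg!r} is not pinned to a version; npx -y runs whatever is latest")
    return findings

# Constructed copies of the two S3 configs shown earlier in this guide.
HARDCODED_CONFIG = json.loads("""{"mcpServers": {"aws-s3": {"command": "npx",
  "args": ["-y", "mcp-server-aws-s3"],
  "env": {"AWS_REGION": "us-east-1", "AWS_ACCESS_KEY_ID": "AKIA...", "AWS_SECRET_ACCESS_KEY": "..."}}}}""")
PROFILE_CONFIG = json.loads("""{"mcpServers": {"aws-s3": {"command": "npx",
  "args": ["-y", "mcp-server-aws-s3"],
  "env": {"AWS_PROFILE": "mcp-access", "AWS_REGION": "us-east-1"}}}}""")

if __name__ == "__main__":
    for label, cfg in (("hardcoded", HARDCODED_CONFIG), ("profile", PROFILE_CONFIG)):
        print(label, lint_mcp_config(cfg) or ["OK"])
```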
IAM Policy Examples
Minimal S3 Read:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]
    }
  ]
}
```
EC2 Describe Only:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    }
  ]
}
```
Audit Trail
Enable CloudTrail to track all API calls:
You: Show recent API calls made by the MCP IAM user
Claude: CloudTrail events for mcp-user (last 24h):
- s3:ListBuckets (45 calls)
- s3:GetObject (23 calls)
- ec2:DescribeInstances (12 calls)
No suspicious activity detected.
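An added Python example (not from this guide) that performs the review above offline: it compares CloudTrail records for the MCP IAM user against the actions the read-only policies in this guide allow, so that "no suspicious activity" is a result you computed rather than a sentence the agent produced. The records and the list of known source IPs are constructed; the CloudTrail-name-to-IAM-action mapping covers only the alias noted in the comments.

```python
"""Review CloudTrail records for the MCP IAM user against the actions its read-only policy allows."""
import fnmatch
from typing import Dict, List

# Every action the MCP user is supposed to call: the S3 and EC2 read-only policies from this guide.
ALLOWED = ("s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:ListBucket", "s3:GetObject", "ec2:Describe*")
# CloudTrail logs the bucket listing as ListBuckets; the IAM permission is named ListAllMyBuckets.
# (Object reads such as GetObject only appear if S3 data-event logging is enabled on the trail.)
ALIASES = {"s3:ListBuckets": "s3:ListAllMyBuckets"}

def review_events(events: List[Dict], user: str, known_ips: List[str]) -> Dict[str, List[str]]:
    """Return the user's events that fall outside the policy, were denied, or came from an unknown IP."""
    report: Dict[str, List[str]] = {"unexpected": [], "denied": [], "unknown_ip": []}
    for ev in events:
        if ev.get("userIdentity", {}).get("userName") != user:
            continue  # only the MCP user's activity is in scope here
        service = ev["eventSource"].split(".")[0]          # "s3.amazonaws.com" -> "s3"
        action = f"{service}:{ev['eventName']}"
        action = ALIASES.get(action, action)
        label = f"{ev['eventTime']} {action} from {ev['sourceIPAddress']}"
        if not any(fnmatch.fnmatchcase(action, pat) for pat in ALLOWED):
            report["unexpected"].append(label)   # the agent reached beyond its intended scope
        if ev.get("errorCode") == "AccessDenied":
            report["denied"].append(label)       # the policy held, but something tried anyway
        if ev["sourceIPAddress"] not in known_ips:
            report["unknown_ip"].append(label)   # the credentials were used from somewhere new
    return report

# Constructed records in CloudTrail's field layout; IPs are documentation ranges, not real hosts.
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-10T14:45:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "mcp-user"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2025-01-10T14:46:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "mcp-user"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2025-01-10T14:47:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "userName": "mcp-user"}, "sourceIPAddress": "203.0.113.10",
     "errorCode": "AccessDenied"},
    {"eventTime": "2025-01-10T15:02:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "mcp-user"}, "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied"},
    {"eventTime": "2025-01-10T15:03:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}, "sourceIPAddress": "198.51.100.7"},
]

if __name__ == "__main__":
    for category, items in review_events(SAMPLE_EVENTS, "mcp-user", ["203.0.113.10"]).items():
        print(category, items or "none")
```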
Combining with Other MCPs
AWS + Slack
Alert team about issues:
You: Check for any AWS alarms in ALARM state and notify #ops
Claude: [Uses AWS to check alarms]
[Uses Slack to notify]
Posted to #ops:
🚨 **AWS Alarm Alert**
- HighCPU-ProdAPI: i-abc123 at 95% CPU
- DatabaseConnections: RDS connections maxed
AWS + Filesystem
Export AWS data:
You: Export EC2 inventory to a CSV file
Claude: [Uses AWS to query EC2]
[Uses Filesystem to save CSV]
Saved to: /reports/ec2-inventory.csv
- 12 instances documented
- Includes: name, type, state, IPs
AWS + Memory
Remember infrastructure patterns:
You: Learn my AWS infrastructure and remember it
Claude: [Uses AWS to analyze resources]
[Uses Memory to store patterns]
Memorized:
- 3 environments: prod, staging, dev
- Naming convention: env-service-number
- Regions: us-east-1 (prod), us-west-2 (dev)
Troubleshooting
Issue: “Access Denied”
Symptoms: Permission errors
Solutions:
| Cause | Solution |
|---|---|
| Missing IAM permissions | Add required policies |
| Wrong credentials | Check keys are correct |
| Wrong region | Verify region in config |
| Resource policy blocking | Check bucket/resource policies |
Issue: “Credential not found”
Symptoms: Authentication fails
Solutions:
- Check env variables are set
- Verify AWS profile exists
- Ensure credentials aren’t expired
- If using temporary STS credentials, make sure AWS_SESSION_TOKEN is set alongside the key pair and has not expired
Issue: “Rate limited”
Symptoms: Too many requests
Solutions:
- Add delays between operations
- Reduce query scope
- Check AWS service limits
Related MCP Servers
| Server | Complements AWS By… |
|---|---|
| Slack MCP | Alerting and notifications |
| Filesystem MCP | Saving AWS data locally |
| Memory MCP | Remembering infrastructure |
| PostgreSQL MCP | Correlating with app data |
Summary
AWS MCP Servers bring AI to cloud infrastructure:
- ✅ S3 - Bucket and object management
- ✅ EC2 - Instance monitoring and details
- ✅ CloudWatch - Metrics and logs
- ✅ Multi-account - Manage multiple environments
- ✅ Secure - IAM-based access control
- ✅ Official AWS (2025) - EKS, ECS, Lambda MCP servers
2025 AWS MCP Ecosystem:
- Amazon EKS MCP - Kubernetes cluster management
- Amazon ECS MCP - Container service orchestration
- AWS Lambda MCP - Serverless function integration
- AWS API MCP - Natural language AWS API access
- Amazon Q Developer - AI-powered infrastructure
Best use cases:
- Infrastructure inventory
- Cost analysis
- Security audits
- Log analysis
- Resource monitoring
Security checklist:
- ☐ Create dedicated IAM user for MCP
- ☐ Apply least-privilege policies
- ☐ Enable CloudTrail logging
- ☐ Rotate credentials regularly
- ☐ Never use root credentials
Next: Learn about Cloudflare MCP Server → for edge infrastructure.
Questions about AWS MCP? Check the AWS MCP servers on GitHub or the MCP Registry.