FinOps Tag Compliance MCP Server
Allows importing tagging policies from AWS Organizations to enforce compliance across multiple accounts.
Enables secure storage and retrieval of API keys for authentication in production deployments of the MCP server.
Provides tagging compliance checks for OpenSearch domains, ensuring required tags are present and valid.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@FinOps Tag Compliance MCP ServerShow me untagged EC2 instances with cost impact"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
FinOps Tag Compliance MCP Server
Turn Claude into your AWS tagging compliance assistant — Ask in plain English, get real-time insights on your cloud costs and compliance.
![]()
Table of contents
Related MCP server: kubopt
The problem
According to the FinOps Foundation's 2025 report, 43% of cloud costs lack proper tagging. For large enterprises, that translates to billions in annual spend that cannot be attributed to a team, project, or cost center — the so-called "attribution gap."
Today, fixing tagging compliance means:
Manual audits: Clicking through the AWS Console resource by resource
Custom scripts: Writing and maintaining boto3 scripts that check tags against a spreadsheet
Delayed feedback: Finding violations weeks after resources are launched
No cost context: Knowing a resource is untagged, but not how much money is at stake
The AWS Console can show you what tags exist, but it doesn't tell you whether they're correct, how much you're losing from the gaps, or what values should go there.
What is MCP?
Model Context Protocol (MCP) is an open standard that lets AI assistants like Claude connect to external tools and data sources. Think of it as giving Claude a phone line to your infrastructure.
Without MCP: Claude can only work with what you paste into the chat — it has no access to your live AWS environment.
With MCP: Claude can call specialized tools to query your AWS resources, validate tags, calculate costs, and return real-time insights — all through natural conversation.
MCP servers expose "tools" that Claude invokes automatically based on what you ask. When you say "Which S3 buckets are untagged?", Claude recognizes it needs the find_untagged_resources tool, calls it, gets structured data back, and translates that into a natural language answer.
What is this Tagging MCP?
An MCP server that gives Claude real-time access to your AWS tagging compliance data. Instead of writing boto3 scripts or clicking through the AWS Console, just ask Claude in natural language:
"Run a compliance check on all my EC2 and RDS instances"
"How much of our EC2 spend is unattributable due to missing tags?"
"Suggest tags for this EC2 instance based on its name and similar resources"
"Generate a markdown compliance report for our Q1 review"
Behind the scenes, this MCP server queries your AWS environment, validates resources against your tagging policy, calculates cost impacts, and returns structured insights that Claude translates into natural language.
Beyond simple tag reading
The official AWS MCP can read your resource tags — but that's like having a librarian who can tell you which books exist, not whether they're organized correctly.
This MCP server goes deeper. It validates tags against your organization's policy, quantifies the financial impact when they're wrong or missing, suggests corrections using pattern matching across similar resources, and tracks compliance trends over time.
Features
14 Tools
Tool | Description |
| Scan resources and calculate compliance score |
| Find resources missing required tags with cost impact |
| Validate specific resources by ARN |
| Calculate financial impact of tagging gaps |
| ML-powered tag recommendations with confidence scores |
| View current policy configuration |
| Generate reports in JSON, CSV, or Markdown |
| Track compliance trends over time |
| Find unexpected tag changes since last scan |
| Create Cloud Custodian enforcement YAML |
| Build automated remediation workflows |
| Configure recurring audit schedules |
| Export violations for spreadsheet analysis |
| Import policies from AWS Organizations |
Multi-Region Scanning
Scans all enabled AWS regions in parallel. Global resources (S3, IAM) are always included regardless of region filters.
40+ AWS Resource Types
EC2, S3, RDS, Lambda, ECS, DynamoDB, ElastiCache, EBS, EFS, Bedrock, OpenSearch, and many more. Use "all" to scan everything.
Cost Attribution
Links tagging violations to actual dollar amounts using AWS Cost Explorer. State-aware cost attribution correctly assigns $0 to stopped EC2 instances.
Customizable Policy
Define required and optional tags in a simple JSON file (policies/tagging_policy.json) with allowed values, regex validation, and per-resource-type rules.
Installation
Prerequisites
Python 3.10+
AWS credentials configured (
~/.aws/credentialsor environment variables)Claude Desktop or any MCP-compatible client (VS Code, Cursor, Kiro)
Install from PyPI
pip install finops-tag-compliance-mcpInstall from source
git clone https://github.com/OptimNow/finops-tag-compliance-mcp.git
cd finops-tag-compliance-mcp
pip install -e .AWS Permissions
The server needs read-only AWS permissions. See IAM Permissions Guide for the full policy, but the key permissions are:
ec2:Describe*,rds:Describe*,s3:List*,lambda:List*tag:GetResources(Resource Groups Tagging API)ce:GetCostAndUsage(Cost Explorer — optional, for cost attribution)
No write permissions are needed.
Production deployment
This repository is designed for local use — the MCP server runs on your machine alongside Claude Desktop, Cursor, or VS Code. Your AWS credentials stay local and never leave your laptop.
For production and team environments, we provide a separate deployment repository with the infrastructure to run this MCP server securely on AWS:
CloudFormation templates for VPC, ALB, and EC2/ECS deployment
API key authentication via AWS Secrets Manager
TLS termination and private subnet isolation
CloudWatch logging and security monitoring
CI/CD pipeline setup
See finops-tag-compliance-deploy for the full production stack. For support on deploying in production, contact jean@optimnow.io.
Configuration
Claude Desktop
Add to your claude_desktop_config.json:
Minimal (uses default region and auto-discovers AWS credentials):
{
"mcpServers": {
"finops-tag-compliance": {
"command": "finops-tag-compliance"
}
}
}With options:
{
"mcpServers": {
"finops-tag-compliance": {
"command": "finops-tag-compliance",
"env": {
"AWS_REGION": "us-east-1",
"AWS_PROFILE": "my-profile",
"ALLOWED_REGIONS": "us-east-1,us-west-2,eu-west-1",
"POLICY_PATH": "/path/to/my/tagging_policy.json"
}
}
}
}Config file location:
macOS:
~/Library/Application Support/Claude/claude_desktop_config.jsonWindows:
%APPDATA%\Claude\claude_desktop_config.jsonLinux:
~/.config/Claude/claude_desktop_config.json
Environment variables
Variable | Default | Description |
|
| Default AWS region (e.g. |
| (default) | AWS credentials profile |
| (all enabled) | Comma-separated list of regions to scan |
|
| Max parallel region scans (1-20) |
|
| Path to tagging policy |
|
| Resource types configuration |
|
| Redis URL (optional, for caching) |
|
| Cache TTL for compliance results |
Redis is optional. Without it, results are not cached between invocations.
Tagging policy
Define your organization's tagging rules in policies/tagging_policy.json:
{
"required_tags": [
{
"name": "Environment",
"description": "Deployment environment",
"allowed_values": ["production", "staging", "development"],
"applies_to": ["ec2:instance", "rds:db", "s3:bucket"]
},
{
"name": "CostCenter",
"description": "Cost center for billing",
"validation_regex": "^CC-\\d{4}$",
"applies_to": []
}
],
"optional_tags": [
{
"name": "Project",
"description": "Project name"
}
]
}allowed_values: Tag value must be in this list (case-sensitive)validation_regex: Tag value must match this patternapplies_to: Resource types this tag applies to (empty = all types)
See Tagging Policy Guide for full documentation.
Testing with MCP Inspector
The MCP Inspector lets you test the server interactively in your browser:
npx @modelcontextprotocol/inspector python -m mcp_server.stdio_serverThis opens a UI where you can list tools, execute them with custom arguments, and inspect results.
Kiro Power
This server is also available as a Kiro Power — a packaging format that lets Kiro IDE load the tools on-demand based on conversation context, rather than loading all 14 tool definitions upfront.
Install in Kiro
From GitHub (recommended):
In Kiro, open the Powers panel and select Add power from GitHub, then enter:
OptimNow/finops-tag-compliance-mcpFrom a local clone:
Powers panel → Add power from Local Path → select the repo rootHow it works
When you mention keywords like "tag compliance", "untagged resources", "cost attribution", or "finops" in a Kiro conversation, the power activates automatically and loads the MCP tools and workflow guidance. When you're working on unrelated tasks, the tools stay out of the way.
The power includes steering files (steering/) with step-by-step workflows for compliance checking, cost analysis, remediation, and policy management.
Requirements
Same as the standard MCP installation — Python 3.10+, AWS credentials, and pip install finops-tag-compliance-mcp. See Installation for details.
Architecture
┌─────────────────────────────────────────────────────────────────┐
│ MCP Protocol Layer (stdio) │
│ stdio_server.py → FastMCP with 14 registered tools │
└─────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ Tools Layer (Adapters) │
│ Thin wrappers: MCP tool calls → service method calls │
└─────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ Services Layer (Core Library) │
│ ComplianceService, CostService, PolicyService, etc. │
│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ │
│ Protocol-agnostic — no MCP knowledge │
│ Reusable: from mcp_server.services import ComplianceService │
└─────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ Clients Layer │
│ AWSClient (boto3 + rate limiting), RedisCache, SQLite │
└─────────────────────────────────────────────────────────────────┘The services layer has zero knowledge of MCP. You can import ComplianceService directly into a CLI tool, webhook handler, or any other Python application.
Project structure
finops-tag-compliance-mcp/
├── mcp_server/
│ ├── stdio_server.py # MCP entry point (Claude Desktop)
│ ├── container.py # Service container (dependency injection)
│ ├── config.py # Configuration settings
│ ├── services/ # Core business logic (12 services)
│ ├── tools/ # MCP tool adapters (14 tools)
│ ├── models/ # Pydantic data models (17 files)
│ ├── clients/ # AWS, Redis, database clients
│ └── utils/ # Correlation IDs, validation, error handling
├── policies/ # Tagging policy (JSON)
├── config/ # Resource types configuration
├── examples/ # Claude Desktop config examples
├── tests/ # Unit + property-based tests
├── docs/ # Documentation
├── pyproject.toml # Package configuration
└── LICENSE # Apache 2.0Documentation
Guide | Description |
Practical guide for FinOps practitioners | |
Define your organization's tagging rules | |
Detailed logic for each of the 14 tools | |
Required AWS permissions (read-only) | |
Manage which AWS resource types to scan | |
Getting started with the test suite | |
System architecture, sequence, state, and component diagrams |
Contributing
We welcome contributions! Bug reports, feature requests, documentation improvements, and code contributions are all appreciated.
Fork the repository
Create a feature branch (
git checkout -b feature/my-feature)Run tests (
pytest tests/unit tests/property)Commit your changes
Open a Pull Request
See GitHub Issues for current work.
License
Apache 2.0 — see LICENSE for details.
Built for the FinOps community by OptimNow
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/OptimNow/finops-tag-compliance-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server