AWS MCP Server
A Model Context Protocol (MCP) server that provides Claude Desktop with tools to interact with AWS services using your machine's configured AWS profiles.
Features

- 208 AWS tools across 57 services: EC2, S3, IAM, Lambda, CloudWatch, ECS, RDS, DynamoDB, SQS, SNS, SES, ECR, ElastiCache, API Gateway, CloudFront, Route53, Cost Explorer, Cognito, MemoryDB, DocumentDB, OpenSearch, EKS, Athena, Glue, MWAA, Firehose, Secrets Manager, SSM, Lake Formation, CloudTrail, CloudFormation, KMS, ACM, Kinesis, EMR, SageMaker, VPC, Organizations, Resource Groups, EventBridge, ELB v2, Auto Scaling, Step Functions, WAF v2, GuardDuty, Security Hub, CodePipeline, CodeBuild, CodeDeploy, Redshift, EFS, AWS Backup, and more
- Multi-profile support — use any AWS profile from `~/.aws/config`
- Readonly by default — starts in safe mode; use `--write` to allow mutating operations
- Sensitive data gate — Secrets Manager and decrypted SSM reads require extra authentication even in write-enabled mode
- Structured JSONL logging — every operation is logged to `logs/aws_mcp.jsonl`
- OpenTelemetry tracing (opt-in) — distributed traces are exported only when `OTEL_EXPORTER_OTLP_ENDPOINT` is set
- Pre-push security scans — semgrep, gitleaks, trivy, bandit, and pip-audit can block unsafe pushes
- Cross-platform — works on Ubuntu/Linux, macOS, and Windows
Requirements

- Python 3.12+
- AWS CLI configured with profiles (`~/.aws/config` and `~/.aws/credentials`)
Quick Start

1. Setup

```bash
cd aws-mcp
chmod +x setup.sh
./setup.sh
```

Or manually:

```bash
python3 -m venv .venv
source .venv/bin/activate   # Linux/macOS
# .venv\Scripts\activate    # Windows
pip install -e ".[dev]"
```

2. Test the server

```bash
# Verify it starts (will wait for MCP input on stdin, Ctrl+C to stop)
.venv/bin/python main.py
```

3. Configure Claude Desktop
Edit your Claude Desktop configuration file:
| OS | Config file path |
|---|---|
| Linux | |
| macOS | |
| Windows | |
Add the server to the `mcpServers` section:

```json
{
  "mcpServers": {
    "aws-mcp": {
      "command": "/absolute/path/to/aws-mcp/.venv/bin/python",
      "args": [
        "/absolute/path/to/aws-mcp/main.py"
      ]
    }
  }
}
```

See `claude_desktop_config.example.json` for a full example with multiple configurations.
Windows configuration

```json
{
  "mcpServers": {
    "aws-mcp": {
      "command": "C:\\path\\to\\aws-mcp\\.venv\\Scripts\\python.exe",
      "args": [
        "C:\\path\\to\\aws-mcp\\main.py"
      ]
    }
  }
}
```

4. Restart Claude Desktop

After saving the configuration, restart Claude Desktop. The AWS tools will appear in the tools menu.
CLI Options

| Flag | Description | Default |
|---|---|---|
| | Force readonly mode explicitly | On |
| `--write` | Allow mutating operations | Off |
| | Directory for JSONL log files | |
| | Log verbosity: DEBUG, INFO, WARNING, ERROR | |
Sensitive Data Access

Some operations can return secret or decrypted data directly to the MCP client. These operations now require an extra approval token even when the server is running with `--write`.

Protected flows:

- `aws_secretsmanager_get_secret_value`
- `aws_ssm_get_parameter` with `with_decryption=true`
- `aws_ssm_get_parameters_by_path` with `with_decryption=true`
- Equivalent sensitive calls made through `aws_execute`

Set an out-of-band token in the server environment:

```bash
export AWS_MCP_SENSITIVE_ACCESS_TOKEN="replace-with-a-long-random-token"
```

For protected operations, pass all three fields below:

```json
{
  "sensitive_access_token": "replace-with-a-long-random-token",
  "sensitive_access_reason": "incident response for production database access",
  "sensitive_access_acknowledged": true
}
```

Notes:

- SSM decryption now defaults to `false`.
- KMS metadata tools remain read-only. If a future KMS tool can return plaintext, it must use the same gate.
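One way to implement the gate described above, written as an added example and not the project's own code. It assumes `aws_execute` receives `service`, `operation` and `params` arguments (the page does not specify its argument names); everything else follows the protected flows and the three required fields listed above.

```python
import hmac
import os

# Tools the README lists as protected flows.
SECRET_TOOLS = {"aws_secretsmanager_get_secret_value"}
# SSM reads are protected only when decryption is requested (it defaults to False).
SSM_READ_TOOLS = {"aws_ssm_get_parameter", "aws_ssm_get_parameters_by_path"}
# Raw API calls reached through aws_execute that are equivalent to the tools above.
# The argument names "service", "operation" and "params" are assumed for this example.
SENSITIVE_EXECUTE_OPS = {
    ("secretsmanager", "get_secret_value"),
    ("ssm", "get_parameter"),
    ("ssm", "get_parameters_by_path"),
}


def is_sensitive(tool_name: str, args: dict) -> bool:
    """Decide whether a call can return secret or decrypted material."""
    if tool_name in SECRET_TOOLS:
        return True
    if tool_name in SSM_READ_TOOLS:
        return bool(args.get("with_decryption", False))
    if tool_name == "aws_execute":
        key = (args.get("service"), args.get("operation"))
        if key in SENSITIVE_EXECUTE_OPS:
            if key[0] == "ssm":  # boto3 spells the flag WithDecryption
                return bool(args.get("params", {}).get("WithDecryption", False))
            return True
    return False


def check_sensitive_access(tool_name: str, args: dict, env=os.environ):
    """Return (allowed, detail). The gate applies regardless of --write."""
    if not is_sensitive(tool_name, args):
        return True, "not a sensitive operation"
    expected = env.get("AWS_MCP_SENSITIVE_ACCESS_TOKEN", "")
    if not expected:
        return False, "AWS_MCP_SENSITIVE_ACCESS_TOKEN is not set; sensitive access disabled"
    token = args.get("sensitive_access_token")
    reason = str(args.get("sensitive_access_reason") or "").strip()
    acknowledged = args.get("sensitive_access_acknowledged") is True  # must be JSON true
    # Constant-time comparison so token checking does not leak timing information.
    if not isinstance(token, str) or not hmac.compare_digest(token.encode(), expected.encode()):
        return False, "missing or invalid sensitive_access_token"
    if not reason:
        return False, "sensitive_access_reason is required"
    if not acknowledged:
        return False, "sensitive_access_acknowledged must be true"
    return True, "approved"
```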
Available Tools (208 total)

Profile Management

| Tool | Description | Readonly |
|---|---|---|
| | List all configured AWS profiles and their regions | Allowed |
| | Get STS caller identity for a profile | Allowed |

EC2

| Tool | Description | Readonly |
|---|---|---|
| | List/describe EC2 instances | Allowed |
| | Describe security groups | Allowed |
| | Start/stop/reboot instances | DryRun=True |

S3

| Tool | Description | Readonly |
|---|---|---|
| | List S3 buckets | Allowed |
| | List objects in a bucket | Allowed |
| | Download and read an object | Allowed |
| | Upload an object | Blocked |
| | Delete objects | Blocked |

IAM

| Tool | Description | Readonly |
|---|---|---|
| | List IAM users | Allowed |
| | List IAM roles | Allowed |
| | List IAM policies | Allowed |

Lambda

| Tool | Description | Readonly |
|---|---|---|
| | List Lambda functions | Allowed |
| | Get function config and metadata | Allowed |
| | Invoke a function | InvocationType=DryRun |

CloudWatch Logs

| Tool | Description | Readonly |
|---|---|---|
| | List log groups | Allowed |
| | Get events from a log stream | Allowed |
| | Search logs with a filter pattern | Allowed |

CloudWatch Metrics & Alarms

| Tool | Description | Readonly |
|---|---|---|
| | List alarms with state and threshold config | Allowed |
| | List available metrics by namespace | Allowed |
| | Retrieve time-series data for multiple metrics | Allowed |
| | Get statistics for a single metric | Allowed |

ECS

| Tool | Description | Readonly |
|---|---|---|
| | List ECS clusters | Allowed |
| | Describe cluster details | Allowed |
| | List services in a cluster | Allowed |
| | Describe service details | Allowed |
| | List tasks in a cluster | Allowed |
| | Describe task details | Allowed |

RDS

| Tool | Description | Readonly |
|---|---|---|
| | Describe RDS instances | Allowed |
| | Describe Aurora clusters | Allowed |

DynamoDB

| Tool | Description | Readonly |
|---|---|---|
| | List DynamoDB tables | Allowed |
| | Describe table schema and settings | Allowed |
| | Query a table by key condition | Allowed |
| | Scan a table (use sparingly) | Allowed |

SQS

| Tool | Description | Readonly |
|---|---|---|
| | List SQS queues | Allowed |
| | Get queue attributes (message count, DLQ, etc.) | Allowed |
| | Peek messages without deleting | Allowed |
| | Send a message to a queue | Blocked |
| | Purge all messages from a queue | Blocked |

SNS

| Tool | Description | Readonly |
|---|---|---|
| | List SNS topics | Allowed |
| | Get topic attributes | Allowed |
| | List subscriptions | Allowed |
| | Publish a message to a topic | Blocked |

SES

| Tool | Description | Readonly |
|---|---|---|
| | List verified email addresses and domains | Allowed |
| | Get sending stats (deliveries, bounces, etc.) | Allowed |
| | Get sending quota and current usage | Allowed |
| | Get verification status | Allowed |
| | Send an email | Blocked |

ECR

| Tool | Description | Readonly |
|---|---|---|
| | List and describe ECR repositories | Allowed |
| | List images in a repository | Allowed |
| | Get image metadata (size, scan status, vulns) | Allowed |
| | Get repository lifecycle policy | Allowed |

ElastiCache (Redis / Memcached)

| Tool | Description | Readonly |
|---|---|---|
| | Describe clusters (engine, node type, endpoints) | Allowed |
| | Describe Redis replication groups | Allowed |
| | Describe serverless caches | Allowed |
| | Get recent events (maintenance, failover, etc.) | Allowed |

ELB v2 (ALB / NLB)

| Tool | Description | Readonly |
|---|---|---|
| | List ALBs, NLBs, and Gateway LBs | Allowed |
| | List target groups | Allowed |
| | Get health of targets in a target group | Allowed |
| | List listeners for a load balancer | Allowed |

Auto Scaling

| Tool | Description | Readonly |
|---|---|---|
| | List ASGs with capacity and instance details | Allowed |
| | List scaling policies | Allowed |
| | Get recent scale-out/in events | Allowed |
| | List launch configurations | Allowed |

API Gateway

| Tool | Description | Readonly |
|---|---|---|
| | List REST APIs (v1) | Allowed |
| | List resources/paths for a REST API | Allowed |
| | List stages for a REST API | Allowed |
| | List HTTP/WebSocket APIs (v2) | Allowed |
| | List routes for an HTTP/WS API | Allowed |
| | List stages for an HTTP/WS API | Allowed |

CloudFront

| Tool | Description | Readonly |
|---|---|---|
| | List distributions with domains/origins | Allowed |
| | Get full distribution configuration | Allowed |
| | List cache invalidation requests | Allowed |
| | Create a cache invalidation | Blocked |

Route53

| Tool | Description | Readonly |
|---|---|---|
| | List hosted zones (DNS domains) | Allowed |
| | Get zone details and NS records | Allowed |
| | List DNS records in a zone | Allowed |
| | Create/update/delete DNS records | Blocked |

VPC

| Tool | Description | Readonly |
|---|---|---|
| | Describe VPCs | Allowed |
| | Describe subnets | Allowed |
| | Describe NAT gateways | Allowed |
| | Describe internet gateways | Allowed |
| | Describe route tables | Allowed |
| | Describe VPC peering connections | Allowed |

Cost Explorer

| Tool | Description | Readonly |
|---|---|---|
| | Get cost and usage data for a date range | Allowed |
| | Forecast future AWS costs | Allowed |

KMS

| Tool | Description | Readonly |
|---|---|---|
| | List KMS keys | Allowed |
| | Describe a KMS key | Allowed |
| | List KMS key aliases | Allowed |

ACM (Certificate Manager)

| Tool | Description | Readonly |
|---|---|---|
| | List ACM certificates | Allowed |
| | Get full certificate details | Allowed |

Secrets Manager

| Tool | Description | Readonly |
|---|---|---|
| | List secrets (names/metadata, not values) | Allowed |
| | Get secret metadata and rotation info | Allowed |
| | Retrieve actual secret value | Blocked |

SSM (Systems Manager)

| Tool | Description | Readonly |
|---|---|---|
| | List Parameter Store parameters | Allowed |
| | Get a parameter value (decrypts SecureString) | Allowed |
| | Get parameters under a path hierarchy | Allowed |
| | List SSM-managed instances | Allowed |
| | Create/update a parameter | Blocked |

Cognito

| Tool | Description | Readonly |
|---|---|---|
| | List Cognito user pools | Allowed |
| | Get user pool configuration details | Allowed |
| | List users in a user pool | Allowed |
| | List groups in a user pool | Allowed |

EKS

| Tool | Description | Readonly |
|---|---|---|
| | List EKS clusters | Allowed |
| | Describe cluster details | Allowed |
| | List node groups in a cluster | Allowed |
| | Describe node group details | Allowed |
| | List Fargate profiles | Allowed |

Kinesis

| Tool | Description | Readonly |
|---|---|---|
| | List Kinesis data streams | Allowed |
| | Describe a stream | Allowed |
| | List shards in a stream | Allowed |

Firehose

| Tool | Description | Readonly |
|---|---|---|
| | List delivery streams | Allowed |
| | Describe stream configuration | Allowed |

Step Functions

| Tool | Description | Readonly |
|---|---|---|
| | List state machines | Allowed |
| | Get state machine definition | Allowed |
| | List executions for a state machine | Allowed |
| | Get execution status and output | Allowed |
| | Get execution event history | Allowed |

EventBridge

| Tool | Description | Readonly |
|---|---|---|
| | List event buses | Allowed |
| | List rules on an event bus | Allowed |
| | Get full rule configuration | Allowed |
| | List targets attached to a rule | Allowed |

WAF v2

| Tool | Description | Readonly |
|---|---|---|
| | List Web ACLs (REGIONAL or CLOUDFRONT) | Allowed |
| | Get full Web ACL configuration | Allowed |
| | Get Web ACL associated with a resource | Allowed |
| | List IP sets (allow/block lists) | Allowed |
| | List rule groups | Allowed |

GuardDuty

| Tool | Description | Readonly |
|---|---|---|
| | List detector IDs | Allowed |
| | Get detector configuration | Allowed |
| | List finding IDs (filter by severity/type) | Allowed |
| | Get full finding details | Allowed |
| | Get findings count by severity | Allowed |

Security Hub

| Tool | Description | Readonly |
|---|---|---|
| | Get Security Hub configuration | Allowed |
| | Get findings from all integrated services | Allowed |
| | Get findings count by severity | Allowed |
| | List enabled security standards | Allowed |
| | List active integrations | Allowed |

CodePipeline

| Tool | Description | Readonly |
|---|---|---|
| | List pipelines | Allowed |
| | Get pipeline structure | Allowed |
| | Get current stage execution state | Allowed |
| | List recent executions | Allowed |

CodeBuild

| Tool | Description | Readonly |
|---|---|---|
| | List build project names | Allowed |
| | Get project configuration details | Allowed |
| | List recent build IDs for a project | Allowed |
| | Get build details (status, phases, logs) | Allowed |

CodeDeploy

| Tool | Description | Readonly |
|---|---|---|
| | List application names | Allowed |
| | List deployment groups | Allowed |
| | List deployments with status filter | Allowed |
| | Get full deployment details | Allowed |

Athena

| Tool | Description | Readonly |
|---|---|---|
| | List Athena workgroups | Allowed |
| | List databases in a catalog | Allowed |
| | List tables in a database | Allowed |
| | Start a SQL query | Blocked |
| | Get query status | Allowed |
| | Get query results | Allowed |

Glue

| Tool | Description | Readonly |
|---|---|---|
| | List Glue Data Catalog databases | Allowed |
| | List tables in a database | Allowed |
| | List Glue ETL jobs | Allowed |
| | Get runs for a specific job | Allowed |
| | List Glue crawlers | Allowed |
| | Start a Glue ETL job | Blocked |

MWAA (Managed Airflow)

| Tool | Description | Readonly |
|---|---|---|
| | List MWAA environments | Allowed |
| | Get environment details | Allowed |

Lake Formation

| Tool | Description | Readonly |
|---|---|---|
| | Get data lake settings | Allowed |
| | List permissions on resources | Allowed |
| | List registered resources | Allowed |

CloudTrail

| Tool | Description | Readonly |
|---|---|---|
| | Describe trails in the account | Allowed |
| | Get trail logging status | Allowed |
| | Look up recent management events | Allowed |

CloudFormation

| Tool | Description | Readonly |
|---|---|---|
| | List stacks with status filter | Allowed |
| | Get detailed stack info | Allowed |
| | List resources in a stack | Allowed |
| | Get stack template body | Allowed |
| | Get stack events (for debugging) | Allowed |

Redshift

| Tool | Description | Readonly |
|---|---|---|
| | List clusters with status and endpoint | Allowed |
| | List manual and automated snapshots | Allowed |
| | List parameter group settings | Allowed |

EFS (Elastic File System)

| Tool | Description | Readonly |
|---|---|---|
| | List EFS file systems | Allowed |
| | List mount targets | Allowed |
| | List access points | Allowed |

AWS Backup

| Tool | Description | Readonly |
|---|---|---|
| | List backup plans | Allowed |
| | List backup vaults | Allowed |
| | List backup jobs with status | Allowed |
| | List recovery points in a vault | Allowed |

EMR

| Tool | Description | Readonly |
|---|---|---|
| | List EMR clusters | Allowed |
| | Describe cluster details | Allowed |
| | List steps in a cluster | Allowed |

SageMaker

| Tool | Description | Readonly |
|---|---|---|
| | List inference endpoints | Allowed |
| | Get endpoint configuration | Allowed |
| | List notebook instances | Allowed |
| | List training jobs | Allowed |

OpenSearch

| Tool | Description | Readonly |
|---|---|---|
| | List OpenSearch domain names | Allowed |
| | Describe domain configuration | Allowed |
| | Get domain cluster health | Allowed |

DocumentDB

| Tool | Description | Readonly |
|---|---|---|
| | Describe DocumentDB clusters | Allowed |
| | Describe DocumentDB instances | Allowed |

MemoryDB

| Tool | Description | Readonly |
|---|---|---|
| | Describe MemoryDB clusters | Allowed |
| | Describe MemoryDB snapshots | Allowed |

Organizations

| Tool | Description | Readonly |
|---|---|---|
| | Describe the AWS Organization | Allowed |
| | List all accounts in the organization | Allowed |
| | List OUs for a parent | Allowed |
| | List organization roots | Allowed |

Resource Groups & Tag Manager

| Tool | Description | Readonly |
|---|---|---|
| | Find resources by tag across all services | Allowed |
| | List all tag keys in the account/region | Allowed |
| | List all values for a tag key | Allowed |
| | List Resource Groups | Allowed |

General

| Tool | Description | Readonly |
|---|---|---|
| | Execute any AWS API call | Depends on operation |
Readonly Mode

The server starts in readonly mode by default. When readonly mode is active, it enforces these rules:

- Read-only operations (`list*`, `describe*`, `get*`, etc.) — always allowed
- Mutating operations with DryRun support (e.g., EC2 start/stop, Lambda invoke) — executed with `DryRun=True` to validate permissions without making changes
- Mutating operations without DryRun (e.g., S3 put/delete, SSM put, SQS send) — blocked with a clear error message

This makes it safe to give Claude access to production AWS accounts for observation and troubleshooting.
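An added illustration of the three rules, not the project's `readonly_guard.py`: it rewrites a boto3 call's parameters before the call is made and translates the EC2 dry-run response. The read-only prefixes beyond `list`/`describe`/`get` and the exact set of dry-run-capable operations are assumptions for this example; `DryRun=True` and `InvocationType=DryRun` are the forms the page itself names.

```python
# Operation-name prefixes treated as read-only. The README lists list*, describe*
# and get* "etc."; the remaining prefixes are an assumption made for this example.
READ_PREFIXES = ("list", "describe", "get", "head", "lookup", "search",
                 "filter", "query", "scan")

# Mutating operations that accept a dry-run form, and the parameter that requests it.
# Assumed set for the example; the page names EC2 start/stop and Lambda invoke.
DRY_RUN_PARAMS = {
    ("ec2", "start_instances"): {"DryRun": True},
    ("ec2", "stop_instances"): {"DryRun": True},
    ("ec2", "reboot_instances"): {"DryRun": True},
    ("lambda", "invoke"): {"InvocationType": "DryRun"},
}


class ReadonlyViolation(PermissionError):
    """Raised for a mutating call without dry-run support while in readonly mode."""


def guard_params(service: str, operation: str, params: dict, readonly: bool = True) -> dict:
    """Return the parameters to hand to boto3, rewritten for readonly mode, or raise."""
    if not readonly:
        return dict(params)
    if operation.startswith(READ_PREFIXES):
        return dict(params)
    override = DRY_RUN_PARAMS.get((service, operation))
    if override is not None:
        # Force the dry-run form even if the caller explicitly passed DryRun=False.
        return {**params, **override}
    raise ReadonlyViolation(
        f"{service}.{operation} is a mutating operation and is blocked in readonly mode; "
        "start the server with --write to allow it"
    )


def interpret_dry_run_error(error_code: str) -> str:
    """Turn the error code EC2 returns for a DryRun=True request into a verdict.

    A permitted dry run does not succeed silently: EC2 answers it with the
    DryRunOperation error, so that code is the 'permission validated' signal.
    """
    if error_code == "DryRunOperation":
        return "permissions validated; no change was made"
    if error_code == "UnauthorizedOperation":
        return "caller lacks permission for this operation"
    return f"unexpected error: {error_code}"
```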
Logging

All operations are logged in JSONL format to `logs/aws_mcp.jsonl`. Each line is a JSON object with fields:

```json
{
  "timestamp": "2025-03-25T12:00:00.000000+00:00",
  "level": "INFO",
  "logger": "aws_mcp",
  "message": "Tool 'aws_ec2_describe_instances' completed successfully",
  "tool_name": "aws_ec2_describe_instances",
  "duration_ms": 342.15,
  "aws_profile": "production",
  "aws_region": "sa-east-1"
}
```
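A small audit over the log format above, added here as an example and not part of the project: it parses the JSONL file line by line (skipping a damaged line rather than aborting), counts calls per profile and tool, and surfaces reads of the tools covered by the Sensitive Data Access section. The log lines are constructed for the example.

```python
import json
from collections import Counter

# Tools whose use should be surfaced in an audit (the README's sensitive-data gate).
SENSITIVE_TOOLS = {"aws_secretsmanager_get_secret_value"}

# Constructed sample log in the README's JSONL format. The last line is deliberately
# truncated (as a half-written line would be) to show that it must not abort the audit.
SAMPLE_LOG = """\
{"timestamp": "2025-03-25T12:00:00.000000+00:00", "level": "INFO", "logger": "aws_mcp", "message": "Tool 'aws_ec2_describe_instances' completed successfully", "tool_name": "aws_ec2_describe_instances", "duration_ms": 342.15, "aws_profile": "production", "aws_region": "sa-east-1"}
{"timestamp": "2025-03-25T12:00:05.000000+00:00", "level": "INFO", "logger": "aws_mcp", "message": "Tool 'aws_ec2_describe_instances' completed successfully", "tool_name": "aws_ec2_describe_instances", "duration_ms": 120.4, "aws_profile": "staging", "aws_region": "us-east-1"}
{"timestamp": "2025-03-25T12:01:00.000000+00:00", "level": "INFO", "logger": "aws_mcp", "message": "Tool 'aws_secretsmanager_get_secret_value' completed successfully", "tool_name": "aws_secretsmanager_get_secret_value", "duration_ms": 88.0, "aws_profile": "production", "aws_region": "sa-east-1"}
{"timestamp": "2025-03-25T12:02:00.000000+00:00", "level": "INFO", "logger": "aws_mcp", "mess
"""


def parse_jsonl(text: str):
    """Parse JSONL text, returning (records, number_of_unparseable_lines)."""
    records, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1  # keep going; one corrupt line must not hide the rest
    return records, bad


def audit(records):
    """Summarise tool usage per profile and flag sensitive-data reads."""
    calls = Counter(
        (r.get("aws_profile"), r.get("tool_name")) for r in records if r.get("tool_name")
    )
    timed = [r for r in records if isinstance(r.get("duration_ms"), (int, float))]
    slowest = max(timed, key=lambda r: r["duration_ms"], default=None)
    sensitive_reads = [
        (r.get("timestamp"), r.get("aws_profile"), r["tool_name"])
        for r in records
        if r.get("tool_name") in SENSITIVE_TOOLS
    ]
    return {
        "calls": calls,
        "slowest_tool": slowest["tool_name"] if slowest else None,
        "sensitive_reads": sensitive_reads,
    }


if __name__ == "__main__":
    recs, bad = parse_jsonl(SAMPLE_LOG)
    print(audit(recs), "unparseable lines:", bad)
```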
Telemetry (OpenTelemetry)

Every tool invocation creates an OpenTelemetry span with attributes like `tool.name`, `aws.profile`, `aws.region`, and `duration_ms`.

To export traces to an observability backend (Jaeger, Grafana Tempo, etc.):

```bash
OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4317 .venv/bin/python main.py
```

Without the environment variable, tracing stays disabled.
Security Hooks

The repository ships with a versioned pre-push hook in `.githooks/pre-push`. Running `./setup.sh` configures `core.hooksPath` automatically.

The hook runs `scripts/security_scan.sh`, which executes:

- `semgrep --config auto`
- `gitleaks detect`
- `trivy fs`
- `bandit -r aws_mcp main.py`
- `pip-audit`

Required external binaries:

- `gitleaks`
- `trivy`

Python-based scanners are installed by default with `pip install -e ".[dev]"` during `./setup.sh`. If you only want runtime dependencies, run `INSTALL_DEV_TOOLS=0 ./setup.sh`.
Project Structure

```text
aws-mcp/
├── main.py                      # Entry point
├── aws_mcp/
│   ├── __init__.py              # App initialization
│   ├── server.py                # MCP server and tool dispatch
│   ├── config.py                # CLI argument parsing
│   ├── aws_client.py            # boto3 session management
│   ├── readonly_guard.py        # Readonly mode enforcement
│   ├── logging_config.py        # JSONL logging setup
│   ├── telemetry.py             # OpenTelemetry setup
│   └── tools/
│       ├── __init__.py          # Tool registry and loader
│       ├── profiles.py          # AWS profile / STS tools
│       ├── ec2.py               # EC2 tools
│       ├── s3.py                # S3 tools
│       ├── iam.py               # IAM tools
│       ├── lambda_tool.py       # Lambda tools
│       ├── cloudwatch.py        # CloudWatch Logs, Metrics & Alarms
│       ├── ecs.py               # ECS tools
│       ├── rds.py               # RDS tools
│       ├── dynamodb.py          # DynamoDB tools
│       ├── sqs.py               # SQS tools
│       ├── sns.py               # SNS tools
│       ├── ses.py               # SES tools
│       ├── ecr.py               # ECR tools
│       ├── elasticache.py       # ElastiCache (Redis/Memcached)
│       ├── elbv2.py             # ALB / NLB / Gateway LB
│       ├── autoscaling.py       # Auto Scaling Groups
│       ├── apigateway.py        # API Gateway v1 + v2
│       ├── cloudfront.py        # CloudFront
│       ├── route53.py           # Route53
│       ├── vpc.py               # VPC, subnets, gateways
│       ├── kms.py               # KMS keys and aliases
│       ├── acm.py               # ACM certificates
│       ├── cost_explorer.py     # Cost Explorer
│       ├── secretsmanager.py    # Secrets Manager
│       ├── ssm.py               # SSM Parameter Store
│       ├── cognito.py           # Cognito user pools
│       ├── eks.py               # EKS clusters and node groups
│       ├── kinesis.py           # Kinesis Data Streams
│       ├── firehose.py          # Kinesis Firehose
│       ├── stepfunctions.py     # Step Functions
│       ├── eventbridge.py       # EventBridge
│       ├── wafv2.py             # WAF v2
│       ├── guardduty.py         # GuardDuty
│       ├── securityhub.py       # Security Hub
│       ├── codepipeline.py      # CodePipeline
│       ├── codebuild.py         # CodeBuild
│       ├── codedeploy.py        # CodeDeploy
│       ├── athena.py            # Athena
│       ├── glue.py              # Glue
│       ├── mwaa.py              # MWAA (Managed Airflow)
│       ├── lakeformation.py     # Lake Formation
│       ├── cloudtrail.py        # CloudTrail
│       ├── cloudformation.py    # CloudFormation
│       ├── redshift.py          # Redshift
│       ├── efs.py               # EFS
│       ├── backup.py            # AWS Backup
│       ├── emr.py               # EMR
│       ├── sagemaker.py         # SageMaker
│       ├── opensearch.py        # OpenSearch
│       ├── documentdb.py        # DocumentDB
│       ├── memorydb.py          # MemoryDB
│       ├── organizations.py     # Organizations
│       ├── resourcegroups.py    # Resource Groups & Tag Manager
│       └── general.py           # General-purpose AWS executor
├── logs/                        # JSONL log output
├── pyproject.toml               # Package metadata and dependencies
├── setup.sh                     # Setup script
├── claude_desktop_config.example.json
├── LICENSE
└── README.md
```

License

BSD 3-Clause — see LICENSE for details.