aws_execute
Execute AWS API calls for services and operations not covered by other tools, with safety controls for read-only mode and sensitive data access.
Instructions
Execute any AWS API call by specifying service, method, and parameters. Use this for AWS operations not covered by other tools. In --readonly mode: read-only operations pass through, mutating operations with DryRun support run as dry-run, and all other mutations are blocked.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| profile | No | AWS profile name from ~/.aws/config (e.g., 'default', 'production') | |
| region | No | AWS region override (e.g., 'us-east-1', 'sa-east-1') | |
| sensitive_access_token | No | Out-of-band approval token configured in AWS_MCP_SENSITIVE_ACCESS_TOKEN. Required for operations that can return decrypted or secret values. | |
| sensitive_access_reason | No | Short human reason for retrieving sensitive data. Required for auditability. | |
| sensitive_access_acknowledged | No | Must be true to confirm that the response may contain secret or decrypted data. | |
| service | Yes | AWS service name as used by boto3 (e.g., 'ec2', 's3', 'lambda', 'ecs', 'rds', 'dynamodb', 'sqs', 'sns') | |
| method | Yes | API method name in snake_case (e.g., 'describe_instances', 'list_buckets', 'get_function') | |
| parameters | No | Method parameters as key-value pairs matching the boto3 API (e.g., {"InstanceIds": ["i-1234"], "DryRun": false}) | |
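
The --readonly decision and the three sensitive_access_* checks described above can be expressed as a single gate. This is an added Python sketch, not the tool's own code: the name-prefix heuristic, the `DRYRUN_CAPABLE` and `SENSITIVE` sets, and the function names `sensitive_gate` and `decide` are assumptions made for illustration.

```python
import hmac
import os

# Assumptions for this sketch; none of these sets come from the tool's source.
READ_PREFIXES = ("describe_", "list_", "get_", "head_")   # names treated as read-only
DRYRUN_CAPABLE = {("ec2", "run_instances"), ("ec2", "terminate_instances")}  # constructed subset
SENSITIVE = {("secretsmanager", "get_secret_value")}      # constructed subset


def sensitive_gate(args, env):
    """Return None when all three sensitive_access_* inputs check out, else a reason."""
    expected = env.get("AWS_MCP_SENSITIVE_ACCESS_TOKEN", "")
    supplied = str(args.get("sensitive_access_token") or "")
    if not expected:
        return "no approval token configured"  # fail closed
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return "approval token mismatch"
    if not str(args.get("sensitive_access_reason") or "").strip():
        return "sensitive_access_reason is required"
    if args.get("sensitive_access_acknowledged") is not True:
        return "sensitive_access_acknowledged must be true"
    return None


def decide(args, readonly, env=os.environ):
    """Return (action, parameters); action is 'execute', 'dry_run' or 'block'."""
    key = (args["service"], args["method"])
    params = dict(args.get("parameters") or {})
    if key in SENSITIVE:
        reason = sensitive_gate(args, env)
        if reason:
            return ("block", {"reason": reason})
    if not readonly or args["method"].startswith(READ_PREFIXES):
        return ("execute", params)
    if key in DRYRUN_CAPABLE:
        params["DryRun"] = True  # override whatever the caller sent, e.g. "DryRun": false
        return ("dry_run", params)
    return ("block", {"reason": "mutating call without DryRun support in read-only mode"})
```

The sensitive check runs before the read-only check because a secret-returning call such as `get_secret_value` otherwise looks like an ordinary read.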