README.md
Read-only Model Context Protocol server for AWS resources
โ๏ธ AWS MCP Server
Read-only Model Context Protocol server for AWS resources โ multi-region, caching, audit, and AI-ready.
๐ Overview
This MCP server exposes 60+ read-only tools across AWS services: identity, EC2, S3, IAM, Cost Explorer, CloudWatch, GuardDuty, CloudTrail, ELB, WAF, Route53, ECS, EKS, RDS, Lambda, and more.
| Flow | Description |
|---|---|
| ๐ | MCP client connects to this server |
| ๐ ๏ธ | Server invokes AWS APIs (read-only) |
| ๐ค | Returns resources, metrics, cost data to the AI agent |
๐ ๏ธ Tech Stack
| Layer | Technology | Purpose |
|---|---|---|
| โ๏ธ MCP Server | TypeScript, AWS SDK v3 | Protocol handler, tool dispatch |
| ๐ฆ Runtime | Node.js (v18+) | Execution |
| ๐ Auth | AWS credentials (keys, profiles, SSO) | AWS API calls |
๐ฃ๏ธ Languages
| Language | Used In |
|---|---|
| TypeScript | MCP server, tools, CLI, libs |
| JSON | Config (mcp-config.json), MCP schema |
๐ Project Structure
โโโ src/
โ โโโ index.ts # MCP server entry, tool dispatch, resources, prompts
โ โโโ load-env.ts # Loads .env before other modules
โ โโโ clients.ts # Shared AWS clients (one per service)
โ โโโ cli.ts # Local CLI for testing tools
โ โโโ integration.test.ts
โ โโโ lib/ # config, cache, retry, audit, rate-limit, webhook, etc.
โโโ docs/ # TOOLS.md, IAM_PERMISSIONS.md, CONFIG.md, TROUBLESHOOTING.md
โโโ mcp-config.json.example # Optional: webhook, rate limit, defaults (copy to mcp-config.json)
โโโ Dockerfile # Container image for running the server
โโโ .env # AWS credentials (copy from .env.example)
โก Capabilities
| Feature | Description |
|---|---|
| Multi-region | region parameter on EC2, VPCs, RDS, Lambda tools |
| Pagination | max_results on list_iam_users, list_s3_buckets, list_ecs_clusters, list_dynamodb_tables, list_cloudformation_stacks |
| MCP resources | Browse aws://region/service/id (identity, EC2, S3, cost, RDS, Lambda, GuardDuty) |
| MCP prompts | AI guidance for cost, security, and resource-list queries |
| Caching | Optional in-memory cache (TTL via MCP_AWS_CACHE_TTL) |
| Retry | Exponential backoff for throttled AWS calls |
| Audit log | Log tool invocations when MCP_AWS_AUDIT_LOG=true |
| Dry-run | Mock data when MCP_AWS_DRY_RUN=true (no AWS calls) |
| LocalStack | Set AWS_ENDPOINT_URL=http://localhost:4566 |
| Health check | aws_health_check tool to verify credentials |
| IAM policy | get_iam_policy_for_tools generates least-privilege policy |
| CLI | npm run cli -- get_aws_caller_identity for local testing |
| Config file | mcp-config.json for webhook, rate limit, defaults |
| estimate_cost | Rough cost estimate for EC2, Lambda, RDS, S3 |
| scan_secrets_risks | Find Secrets Manager secrets needing attention |
| Tag filter | tag_filter on list_ec2_instances, list_rds_instances |
| SSO / cross-account | See docs/SSO_AND_CROSS_ACCOUNT.md |
๐ Documentation: TOOLS.md ยท IAM_PERMISSIONS.md ยท CONFIG.md ยท TROUBLESHOOTING.md
๐ Quick Start
# 1. Configure environment
cp .env.example .env # Add AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION
# 2. Install and build
npm install
npm run build
# 3. Test locally (dry-run, no AWS calls)
MCP_AWS_DRY_RUN=true npm run cli -- get_aws_caller_identity
MCP Client Configuration
{
"mcpServers": {
"aws-mcp": {
"command": "node",
"args": ["/absolute/path/to/dist/index.js"],
"env": {
"AWS_ACCESS_KEY_ID": "YOUR_ACCESS_KEY",
"AWS_SECRET_ACCESS_KEY": "YOUR_SECRET_KEY",
"AWS_REGION": "us-east-1"
}
}
}
}
๐ฆ Sharing with Your Team
Option A: Git
- Push to a private repo.
- Team clones, runs
npm install && npm run build. - Point MCP client at
dist/index.js(absolute path).
Option B: Package (.tgz)
npm pack # Creates mcp-server-aws-1.0.0.tgz
npm install -g mcp-server-aws-1.0.0.tgz
Then configure MCP client with "command": "mcp-server-aws".
Option C: Docker
docker build -t mcp-server-aws .
docker run -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_REGION mcp-server-aws
๐ง Development
npm run dev # Watch mode
npm run typecheck # TypeScript check (no emit)
npm run cli -- <tool> [--arg key=value] # Test tools locally
npm run lint # ESLint
npm run format # Prettier
npm test # Unit + integration tests (28 tests)
Release: Push a tag (e.g. v1.0.1) to trigger a GitHub release with built artifacts.
๐ค Author
Sergio Sediq
- ๐ GitHub
- ๐ผ
Tools (3)
aws_health_checkVerify AWS credentials and connectivity.get_aws_caller_identityReturns details about the IAM user or role used for authentication.get_iam_policy_for_toolsGenerates a least-privilege IAM policy for the available tools.Environment Variables
AWS_ACCESS_KEY_IDrequiredAWS access key for authenticationAWS_SECRET_ACCESS_KEYrequiredAWS secret key for authenticationAWS_REGIONrequiredDefault AWS regionMCP_AWS_CACHE_TTLTTL for in-memory resource cachingMCP_AWS_AUDIT_LOGEnable logging of tool invocationsMCP_AWS_DRY_RUNEnable mock data mode without making actual AWS callsConfiguration
claude_desktop_config.json
{"mcpServers": {"aws-mcp": {"command": "node", "args": ["/absolute/path/to/dist/index.js"], "env": {"AWS_ACCESS_KEY_ID": "YOUR_ACCESS_KEY", "AWS_SECRET_ACCESS_KEY": "YOUR_SECRET_KEY", "AWS_REGION": "us-east-1"}}}}Try it
โList all S3 buckets in my account and provide a summary of their contents.
โCheck the current status of my EC2 instances in the us-east-1 region.
โGenerate a least-privilege IAM policy for the tools I am currently using.
โEstimate the monthly cost for my current RDS and Lambda resources.
โScan my AWS environment for any secrets in Secrets Manager that need attention.