USP

Unlike solutions that wrap individual AWS APIs, this server provides complete AWS access by wrapping the CLI itself, allowing Claude to learn and execute commands on-demand using `--help`. Your IAM policy strictly controls what actions Cla…

Use cases

01Automating AWS infrastructure management
02Debugging AWS configurations with AI assistance
03Exploring AWS services and commands
04DevOps task execution
05Cloud resource provisioning

Detected files (1)

CLAUDE.mdclaude_md

Show content (4293 bytes)

# AWS MCP Server Development Guide

## Build & Test Commands

- Install all deps: `uv pip install --system -e ".[dev]"`
- Run tests: `make test` or `python -m pytest -v -m "not integration" --timeout=60`
- Run single test: `pytest tests/path/to/test_file.py::test_function_name -v`
- Run linter: `ruff check src/ tests/`
- Format code: `ruff format src/ tests/`
- Run server: `python -m aws_mcp_server`
- Run with streamable-http: `AWS_MCP_TRANSPORT=streamable-http python -m aws_mcp_server`
- Run with sandbox disabled: `AWS_MCP_SANDBOX=disabled python -m aws_mcp_server`
- Update lockfile: `uv pip compile --system pyproject.toml -o uv.lock`
- Versioning: `setuptools_scm` from Git tags — tag as `v1.x.y` to release

## Architecture

### Server (`server.py`)
- Two tools: `aws_cli_help` (readOnly) and `aws_cli_pipeline` (destructive, openWorld)
- `FastMCP` instance with `instructions`, `icons`, `SERVER_DESCRIPTION`
- Tools use `ToolAnnotations` from `mcp.types` for tool metadata
- Tool functions return typed dataclasses (`CommandResult`, `CommandHelpResult`)
- All tool failures raise `ToolError` — FastMCP sets `isError: true` in protocol response (SEP-1303)

### Sandbox (`sandbox.py`)
- Landlock LSM for filesystem isolation (Linux only)
- Seccomp-bpf for syscall filtering
- AWS env vars from `SANDBOX_AWS_ENV_VARS` are passed through to sandboxed processes
- `AWS_MCP_SANDBOX=disabled` to bypass for development; `required` to fail hard if unavailable

### CLI Executor (`cli_executor.py`)
- All commands validated before execution (must start with `aws`)
- Pipe support: commands can include `| jq`, `| grep`, etc.
- Timeout handling with configurable default (300s)
- Returns `{"status": "success"|"error", "output": "..."}` dict

### Transport & Lifecycle (`__main__.py`)
- Transports: `stdio` (default), `streamable-http` (recommended for web), `sse` (deprecated)
- On `stdio`: background thread monitors for client disconnect via `select.poll` or parent PID
- On `sse`/`streamable-http`: binds to `0.0.0.0` in Docker, `127.0.0.1` otherwise

### Resources (`resources.py`)
- `aws://profiles` — parses `~/.aws/credentials` and `~/.aws/config`
- `aws://regions` — hardcoded list + optional live fetch from EC2 API
- `aws://config` — summary of current AWS config state

### Prompts (`prompts.py`)
- 10+ prompt templates for common AWS tasks (Well-Architected, cost optimization, security)
- Consistent pattern: Pydantic `Field(description=...)` for all parameters

## Testing Patterns

- **Mocking AWS CLI:** `unittest.mock.patch` on `asyncio.create_subprocess_exec`
- **Sandbox tests:** separate unit (mocked) and integration (requires Linux + Landlock kernel)
- **Fixtures:** shared fixtures in `conftest.py` for mock subprocess results
- **Integration tests:** need actual AWS CLI + credentials — skip in CI with `-m "not integration"`
- **Coverage target:** >80% on `src/aws_mcp_server` — run with `--cov=aws_mcp_server`
- **Timeout:** always run with `--timeout=60` to avoid CI hangs on sandbox tests

## MCP Development Guidelines

- **Tool annotations:** always set `ToolAnnotations` on new tools (`readOnlyHint`, `destructiveHint`, `openWorldHint`)
- **Error handling:** raise `ToolError` for all tool failures — never return error status text from tool functions (SEP-1303)
- **FastMCP patterns:** `@mcp.tool()`, `@mcp.resource()`, `@mcp.prompt()` decorators
- **Context:** accept `ctx: Context | None = None` in tool functions for progress reporting via `ctx.info()`/`ctx.warning()`
- **Field descriptions:** use `pydantic.Field(description=...)` for all tool parameters — these become tool schema
- **Icons:** server-level icon set via `icons=[Icon(src=..., mimeType=...)]` in `FastMCP()`
- **Description:** server description via `SERVER_DESCRIPTION` prepended to `instructions`

## Security Notes

- **NEVER** log or store AWS credentials (access keys, session tokens, profile names with secrets)
- **NEVER** disable sandbox in production
- AWS env vars (`AWS_ACCESS_KEY_ID`, etc.) are in `SANDBOX_AWS_ENV_VARS` — update if new ones added
- Command validation must reject commands that don't start with `aws` or pipe to non-allowlisted executables
- `AWS_MCP_SANDBOX=disabled` is for development only — never in Dockerfile or production config

README

AWS MCP Server

Give Claude access to all 200+ AWS services through the AWS CLI.

Demo

What It Does

This MCP server lets Claude run AWS CLI commands on your behalf. Instead of wrapping each AWS API individually, it wraps the CLI itself—giving Claude complete AWS access through just two tools:

Tool	Purpose
`aws_cli_help`	Get documentation for any AWS command
`aws_cli_pipeline`	Execute AWS CLI commands with optional pipes (`jq`, `grep`, etc.)

Claude learns commands on-demand using --help, then executes them. Your IAM policy controls what it can actually do.

flowchart LR
    Claude[Claude] -->|MCP| Server[AWS MCP Server]
    Server --> CLI[AWS CLI]
    CLI --> AWS[AWS Cloud]
    IAM[Your IAM Policy] -.->|controls| AWS

What's New

Streamable HTTP transport — New streamable-http transport for web-based MCP clients, replacing the deprecated sse transport (#33)
Input validation error handling — Validation errors now return proper MCP tool errors (isError: true) instead of regular results (#34)
Server description — Server advertises its purpose to MCP clients via the instructions field (#35)
Server icons — Server provides icon metadata for MCP client display (#36)
Graceful shutdown — Server disconnects cleanly when the MCP client disconnects (#16)

Quick Start

Prerequisites

AWS CLI installed
AWS credentials configured (see AWS Credentials)
uv installed (for uvx)

Claude Code

Add to your MCP settings (Cmd+Shift+P → "Claude: Open MCP Config"):

{
  "mcpServers": {
    "aws": {
      "command": "uvx",
      "args": ["aws-mcp"]
    }
  }
}

Claude Desktop

Add to your Claude Desktop config file:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "aws": {
      "command": "uvx",
      "args": ["aws-mcp"]
    }
  }
}

Docker (More Secure)

Docker provides stronger isolation by running commands in a container:

{
  "mcpServers": {
    "aws": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "--rm",
        "-v",
        "~/.aws:/home/appuser/.aws:ro",
        "ghcr.io/alexei-led/aws-mcp-server:latest"
      ]
    }
  }
}

Note: Replace ~/.aws with the full path on Windows (e.g., C:\Users\YOU\.aws).

Docker with Streamable HTTP Transport

For web-based MCP clients, use the streamable-http transport:

docker run --rm -p 8000:8000 \
  -e AWS_MCP_TRANSPORT=streamable-http \
  -v ~/.aws:/home/appuser/.aws:ro \
  ghcr.io/alexei-led/aws-mcp-server:latest

The server will be available at http://localhost:8000/mcp.

Note: The sse transport is deprecated. Use streamable-http instead.

AWS Credentials

The server uses the standard AWS credential chain. Your credentials are discovered automatically from:

Environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
Credentials file: ~/.aws/credentials
Config file: ~/.aws/config (for profiles and region)
IAM role: When running on EC2, ECS, or Lambda

To use a specific profile:

{
  "mcpServers": {
    "aws": {
      "command": "uvx",
      "args": ["aws-mcp"],
      "env": {
        "AWS_PROFILE": "my-profile"
      }
    }
  }
}

Configuration

AWS Settings

Environment Variable	Description	Default
`AWS_PROFILE`	AWS profile to use	`default`
`AWS_REGION`	AWS region (also accepts `AWS_DEFAULT_REGION`)	`us-east-1`
`AWS_CONFIG_FILE`	Custom path to AWS config file	`~/.aws/config`
`AWS_SHARED_CREDENTIALS_FILE`	Custom path to credentials file	`~/.aws/credentials`

Server Settings

Environment Variable	Description	Default
`AWS_MCP_TIMEOUT`	Command execution timeout in seconds	`300`
`AWS_MCP_MAX_OUTPUT`	Maximum output size in characters	`100000`
`AWS_MCP_TRANSPORT`	Transport protocol (`stdio`, `sse`, or `streamable-http`)	`stdio`
`AWS_MCP_SANDBOX`	Sandbox mode (`auto`, `disabled`, `required`)	`auto`
`AWS_MCP_SANDBOX_CREDENTIALS`	Credential passing (`env`, `aws_config`, `both`)	`both`

Security

Your IAM policy is your security boundary. This server executes whatever AWS commands Claude requests—IAM controls what actually succeeds.

Best practices:

Use a least-privilege IAM role (only permissions Claude needs)
Never use root credentials
Consider Docker for additional host isolation

For detailed security architecture, see Security Documentation.

Documentation

Usage Guide — Tools, resources, and prompt templates
Security Architecture — IAM + Sandbox + Docker model
Development Guide — Contributing and testing

License

MIT License — see LICENSE for details.