Yes. The AWS Labs MCP servers are free and open source under Apache 2.0; you pay only for the AWS resources your commands touch.

Does it support remote/OAuth?

It runs locally over stdio using your AWS credential chain (no OAuth). For remote setups it can be launched as a streamable-HTTP endpoint, but the default and recommended mode is local stdio.

AWS (AWS Labs) MCP server

OfficialAWS Labs9,170Config last verified Jun 1, 2026

Run any AWS CLI command from an agent, with validation, read-only mode, and command suggestions.

AWS Labs ships a large suite of open-source MCP servers — sixty-plus specialized servers for individual services and use cases such as documentation, CloudFormation, DynamoDB, Bedrock AgentCore, and Cost Explorer. This record covers the general-purpose AWS API MCP server, which gives an agent a single typed surface over the entire AWS CLI: it validates and executes any aws command against your account and can suggest the right command from a natural-language description when the model is unsure. It is the broadest, most popular entry point in the suite and replaces the older, now-removed Core proxy server.

It runs locally over stdio via uvx (package awslabs.aws-api-mcp-server) and authenticates using your standard AWS credential chain — environment variables, a named profile, or an IAM role — so no AWS secrets are passed to the MCP layer itself. Set READ_OPERATIONS_ONLY=true to restrict it to read calls, a sensible default when pointing an agent at production, and REQUIRE_MUTATION_CONSENT to force explicit confirmation on writes. AWS_REGION defaults to us-east-1. The server can also run as a streamable-HTTP endpoint for remote setups.

Quick install

Copy-paste configs are provided for all 8 supported clients. Pick your client below.

Add to ~/.claude.json

~/.claude.json

json

{
  "mcpServers": {
    "aws": {
      "command": "uvx",
      "args": [
        "awslabs.aws-api-mcp-server@latest"
      ],
      "env": {
        "AWS_REGION": "<AWS_REGION>",
        "AWS_API_MCP_PROFILE_NAME": "<AWS_API_MCP_PROFILE_NAME>",
        "READ_OPERATIONS_ONLY": "<READ_OPERATIONS_ONLY>"
      }
    }
  }
}

Or via CLI

bash

claude mcp add aws -- uvx awslabs.aws-api-mcp-server@latest

Step-by-step guides

Available tools

Tool	Description
call_aws	Execute one or more AWS CLI commands with validation and error handling. The primary tool when the exact command is known.
suggest_aws_commands	Suggest AWS CLI commands from a natural-language description. A fallback for when the exact command is uncertain.
get_execution_plan	Produce a step-by-step agent-script workflow for a complex AWS task (experimental, enabled via a flag).

Required configuration

AWS_REGIONOptional
Default AWS region for commands (defaults to us-east-1).
AWS_API_MCP_PROFILE_NAMEOptional
Named AWS CLI profile to use for credentials (defaults to the default profile).
READ_OPERATIONS_ONLYOptional
Set to true to restrict the server to read-only AWS operations.
REQUIRE_MUTATION_CONSENTOptional
Set to true to require explicit consent before any write operation runs.
AWS_API_MCP_WORKING_DIROptional
Working directory used by the server for file operations.

What you can do with it

Operate AWS in read-only mode

Run the server with READ_OPERATIONS_ONLY=true and let the agent describe instances, list buckets, and inspect IAM without any risk of a mutating call.

Translate intent into CLI

Describe what you want in plain English; the agent uses suggest_aws_commands to find the right invocation and call_aws to run it, even for services beyond the model's training cutoff.

FAQ

Is it free?: Yes. The AWS Labs MCP servers are free and open source under Apache 2.0; you pay only for the AWS resources your commands touch.
Does it support remote/OAuth?: It runs locally over stdio using your AWS credential chain (no OAuth). For remote setups it can be launched as a streamable-HTTP endpoint, but the default and recommended mode is local stdio.

← Browse all cloud-infra servers