Secure AWS Access for AI Agents: AWS MCP Server Now Generally Available
The AWS MCP Server is now GA, providing AI agents secure AWS access via call_aws, documentation tools, and sandboxed run_script, with new IAM context keys and reduced token usage.
The question of how to give AI agents real, authenticated access to AWS without compromising security has long been a challenge. Today, that challenge has a solution. The AWS MCP Server, part of the Agent Toolkit for AWS, is now generally available. This managed remote Model Context Protocol (MCP) server provides AI agents and coding assistants with secure, authenticated access to all AWS services through a compact, fixed set of tools. Let’s dive into what this means for developers and how it transforms agent capabilities.
1. What is the AWS MCP Server and why was it created?
The AWS MCP Server is a managed remote Model Context Protocol server designed to give AI agents secure, authenticated access to AWS services. It was created to solve a persistent problem: while AI coding agents are useful, they struggle with tasks that require deep AWS integration. Without a secure bridge, agents either lack access to real services or, worse, are handed overly broad permissions that compromise security. The MCP Server addresses this by providing a small, fixed set of tools that use existing IAM credentials, ensuring agents can only perform actions explicitly allowed by policies. This avoids the “keys to the kingdom” problem, making it safe to let agents interact with AWS in production-like scenarios.

2. What problems do AI coding agents face when working with AWS?
AI coding agents often hit roadblocks when dealing with AWS at any meaningful depth. They rely on training data that may be months out of date, missing newer services like Amazon S3 Vectors, Amazon Aurora DSQL, or Amazon Bedrock AgentCore. Without access to current documentation, agents default to outdated methods—for example, they prefer using the AWS CLI over more modern tools like the AWS Cloud Development Kit (CDK) or AWS CloudFormation. Additionally, they generate IAM policies that are far too permissive, which works in a demo but fails production security standards. These issues stem from a lack of real-time, authoritative information and the inability to securely execute complex operations.
3. How does the AWS MCP Server give agents secure access to AWS?
The AWS MCP Server enables secure access through a compact set of tools that do not consume excessive tokens from the model’s context window. The primary tool, call_aws, executes any of the 15,000+ AWS API operations using the agent’s existing IAM credentials, so permissions are controlled by standard IAM policies, not by the server itself. With the GA release, support for IAM context keys allows fine-grained access control without a separate permission just to use the server. Additionally, the run_script tool (see question 5) runs code in a sandboxed environment that inherits IAM permissions but has no network access, and it gives agents no access to local files or a shell. This layered approach ensures agents operate strictly within defined boundaries.
4. What are the key tools provided by the AWS MCP Server?
The AWS MCP Server offers a fixed set of tools tailored for AWS interactions. The call_aws tool allows agents to execute any AWS API operation (over 15,000 and counting). The search_documentation and read_documentation tools retrieve up-to-date AWS documentation and best practices at query time, so agents are always working with current information. The recently added run_script tool lets agents write short Python scripts that run server-side in a sandboxed environment, which is particularly useful for chaining multiple API calls and filtering results in a single round-trip. Finally, the server supports IAM context keys for granular permissions and uses fewer tokens per interaction, making multi-step workflows more efficient.

5. How does the run_script tool work and what are its benefits?
The run_script tool allows an agent to write a short Python script that executes server-side in a sandboxed environment. This sandbox inherits the agent’s IAM permissions but has no network access, so it processes data without touching the local file system or giving the agent a shell. The key benefit is efficiency: instead of making multiple round-trips to call separate APIs and combine results, the agent can chain API calls, filter responses, and compute results in a single round-trip. This reduces token consumption and speeds up complex operations. It also enhances security: agents never get direct access to sensitive environments, only the ability to perform specific tasks under controlled permissions.
6. What new capabilities come with the general availability of the AWS MCP Server?
With general availability, the AWS MCP Server introduces several important enhancements. IAM context keys are now supported, eliminating the need for a separate IAM permission just to use the server and allowing fine-grained access via standard policies. Documentation retrieval no longer requires authentication, simplifying access to up-to-date guides. The token count per interaction has been reduced, which is critical for long, multi-step workflows. The run_script tool (discussed in question 5) is a major addition. Lastly, the transition from Agent SOPs to Skills provides curated guidance and best practices for common tasks, helping agents build more effectively on AWS. These updates make the server more secure, efficient, and developer-friendly.
7. How does the AWS MCP Server help agents use current AWS documentation?
The AWS MCP Server includes dedicated tools—search_documentation and read_documentation—that fetch the latest AWS documentation and best practices at query time. This ensures agents are never working from stale training data. When a new service or API launches, it is supported within days, and the documentation tools automatically reflect those updates. By integrating real-time retrieval, the server prevents agents from relying on outdated CLI commands or generating overly permissive IAM policies. Instead, agents can reference current best practices for services like Amazon S3 Vectors or Amazon Bedrock AgentCore, resulting in infrastructure that is production-ready rather than demo-grade.