Secure AI Agent Access to AWS: The New MCP Server Explained
The AWS MCP Server is now generally available, offering a secure, managed way for AI agents and coding assistants to interact with AWS services. Instead of handing agents broad permissions that could risk your environment, this server provides a controlled set of tools. Below, we answer key questions about what it is, how it works, and what's new.
What is the AWS MCP Server and why was it created?
The AWS MCP Server is a managed remote Model Context Protocol (MCP) server that gives AI agents and coding assistants secure, authenticated access to all AWS services through a small, fixed set of tools. It was created to solve a common problem: how to provide agents with real AWS access without exposing full administrative privileges. Previously, agents often relied on outdated training data or generated overly broad IAM policies, leading to infrastructure that isn't production-ready. The server uses your existing IAM credentials and offers tools like call_aws to execute any of 15,000+ AWS API operations, search_documentation and read_documentation to fetch current AWS best practices, and run_script for server-side Python execution. It's part of the Agent Toolkit for AWS, which also includes skills and plugins to help coding agents build more effectively.

How does the AWS MCP Server solve the problem of outdated documentation?
AI coding agents often struggle because their training data can be months out of date—they might not know about newer services like Amazon S3 Vectors, Amazon Aurora DSQL, or Amazon Bedrock AgentCore. The AWS MCP Server addresses this with dedicated tools: search_documentation and read_documentation retrieve current AWS documentation and best practices at query time, ensuring the agent always works from up-to-date information. This means agents no longer rely on stale knowledge and can produce modern, secure architectures. Plus, documentation retrieval no longer requires authentication, making it faster and easier to use. The server also uses a compact set of tools that do not consume your model’s context window, so you get fresh information without sacrificing performance.
What new capabilities come with the general availability?
With the general availability launch, several important features were introduced. First, the server now supports IAM context keys, so you no longer need a separate IAM permission to use the server—you can express fine-grained access controls directly in a standard IAM policy. Second, documentation retrieval no longer requires authentication, streamlining workflows. Third, the number of tokens required per interaction has been reduced, which is especially helpful for complex, multi-step agent tasks. The most significant addition is the transition from Agent SOPs to Skills. Skills provide curated guidance and best practices for common tasks, helping agents produce more secure and optimized code. This shift improves consistency and makes it easier for developers to define agent behaviors.
How does the run_script tool work and what are its benefits?
The run_script tool allows an agent to write a short Python script that executes server-side in a sandboxed environment. The sandbox inherits your IAM permissions but has no general network access: the only thing it can reach is the AWS APIs, through your credentials, so the agent processes data without ever touching your local file system or a shell. The key benefit is efficiency: when an agent needs to call multiple APIs and combine the results, making the calls one at a time is slow and burns context tokens on every intermediate response. With run_script, the agent can chain API calls, filter responses, and compute the result in a single round-trip, returning only the compact answer to the model. This is both faster and more context-efficient—critical for complex workflows. It also adds a layer of security, as the agent cannot reach external networks or your local environment.
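The chaining pattern described above, as an added example that is not code from the AWS MCP Server or its documentation: the script an agent might hand to run_script walks every S3 bucket, combines two further lookups per bucket, and returns only the buckets whose policy is public and not overridden by a public-access block. FakeS3 and its responses are constructed stand-ins (shaped like the boto3 results) so the block runs offline; inside run_script you would use boto3.client("s3") with the same call names.

```python
"""Added example: one server-side script replacing many individual tool calls.

Not code from the AWS MCP Server. FakeS3 is a constructed stand-in for the
boto3 S3 client; the bucket data below is constructed sample input.
"""
from collections import Counter

# Constructed sample state for four buckets (not real accounts or buckets).
SAMPLE_BUCKETS = {
    "app-logs":       {"BlockPublicAcls": True,  "BlockPublicPolicy": True,  "PolicyPublic": False},
    "marketing-site": {"BlockPublicAcls": False, "BlockPublicPolicy": False, "PolicyPublic": True},
    "backups":        {"BlockPublicAcls": True,  "BlockPublicPolicy": True,  "PolicyPublic": False},
    "scratch":        {"BlockPublicAcls": False, "BlockPublicPolicy": True,  "PolicyPublic": False},
}


class FakeS3:
    """Stand-in for boto3's S3 client; counts API calls so the cost is visible."""

    def __init__(self, buckets):
        self._buckets = buckets
        self.calls = Counter()

    def list_buckets(self):
        self.calls["ListBuckets"] += 1
        return {"Buckets": [{"Name": name} for name in self._buckets]}

    def get_public_access_block(self, Bucket):
        self.calls["GetPublicAccessBlock"] += 1
        b = self._buckets[Bucket]
        return {"PublicAccessBlockConfiguration": {
            "BlockPublicAcls": b["BlockPublicAcls"],
            "BlockPublicPolicy": b["BlockPublicPolicy"],
        }}

    def get_bucket_policy_status(self, Bucket):
        self.calls["GetBucketPolicyStatus"] += 1
        return {"PolicyStatus": {"IsPublic": self._buckets[Bucket]["PolicyPublic"]}}


def find_public_buckets(s3):
    """The body an agent would send to run_script: chain three APIs per bucket,
    filter server-side, and hand back only the compact result."""
    exposed = []
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        pab = s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]
        status = s3.get_bucket_policy_status(Bucket=name)["PolicyStatus"]
        # Exposed when the bucket policy is public and the block setting does not override it.
        if status["IsPublic"] and not pab["BlockPublicPolicy"]:
            exposed.append(name)
    return sorted(exposed)


def round_trips(bucket_count):
    """Agent round-trips for the same task: one ListBuckets plus two lookups per
    bucket when each operation goes through call_aws separately, versus a single
    run_script invocation that runs the whole loop server-side."""
    return {"call_aws_only": 1 + 2 * bucket_count, "run_script": 1}


if __name__ == "__main__":
    client = FakeS3(SAMPLE_BUCKETS)
    print("exposed buckets:", find_public_buckets(client))
    print("API calls made server-side:", dict(client.calls))
    print("agent round-trips:", round_trips(len(SAMPLE_BUCKETS)))
```

Two caveats when running this for real: the real GetPublicAccessBlock call raises an error for buckets that have no block configuration at all (treat that as "not blocked"), and the per-bucket lookups still consume API quota server-side even though the model sees only the final list.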

What are Skills and how are they different from Agent SOPs?
Skills are a new offering that replaces the older Agent SOPs (Standard Operating Procedures). While Agent SOPs provided basic guidance, Skills go further by offering curated, best-practice recommendations for specific tasks—like building a serverless application or setting up a data pipeline. Skills are more comprehensive and are designed to be easily updated as AWS services evolve. They help agents produce production-ready infrastructure by steering them toward modern tools like AWS Cloud Development Kit (CDK) or AWS CloudFormation instead of relying on the AWS Command Line Interface (CLI). Skills also include IAM policy examples that are scoped appropriately, avoiding the overly broad permissions that agents often generate. This transition makes it simpler for developers to define and maintain agent behaviors.
How does the AWS MCP Server ensure secure access without giving full IAM permissions?
The server uses your existing IAM credentials and supports IAM context keys to express fine-grained access controls directly in standard IAM policies. This means you can grant the agent exactly the permissions it needs—no more, no less—without requiring a separate permission to use the server itself. Additionally, the run_script tool runs in a sandboxed environment that inherits your IAM permissions but has no network access, preventing the agent from making external calls. The server's tool set is intentionally compact and focused: the call_aws tool executes any AWS API operation, but only through your authenticated credentials. By combining IAM context keys, sandboxed execution, and a limited tool surface, you can give agents real AWS access while maintaining strict security boundaries.
Why is the AWS MCP Server better than using the AWS CLI directly?
When left to their own devices, AI coding agents often reach for the AWS Command Line Interface (CLI) to build infrastructure. This leads to several problems: CLI commands produce scripts that aren't idempotent, they rely on outdated manual steps, and they tend to generate overly permissive IAM policies. The AWS MCP Server steers agents toward modern infrastructure-as-code tools like AWS CDK or AWS CloudFormation through its Skills and documentation tools. It also reduces context consumption by bundling API calls into single round-trips via run_script. The server's tools are always current—new AWS APIs are supported within days of launch. And because it uses a secure, sandboxed execution model, you avoid the security risks of giving an agent direct shell access. For production-ready, secure, and efficient AWS automation, the MCP Server is a clear improvement over raw CLI usage.