
AWS MCP Server announced in Preview at #AWSreInvent
Hello, this is Morita.
An update has been announced that AWS MCP Server is now available in Preview.
What is AWS MCP Server
A fully managed remote Model Context Protocol (MCP) server that provides secure and authenticated access to AWS services.
Previously, MCP servers for local execution were published in the official AWS awslabs repository.
The new AWS MCP Server combines the functionality of the "AWS API MCP server" and the "AWS Knowledge MCP server" from that awslabs repository and offers it as a fully managed service.
Therefore, when using AWS MCP Server, you need to remove the "AWS API MCP server" and "AWS Knowledge MCP server" due to feature conflicts.
Benefits
Compared to using the traditional "AWS API MCP server" and "AWS Knowledge MCP server", there are the following benefits:
- Only one MCP server needs to be set up
- Authentication and authorization via IAM
  - New control possible through Actions: aws-mcp:InvokeMCP, aws-mcp:CallReadOnlyTool, and aws-mcp:CallReadWriteTool
- Logging with AWS CloudTrail
  - Ability to check API calls and user activities
In this blog, I will focus especially on "IAM authentication and authorization" and "Logging with AWS CloudTrail".
IAM Authentication and Authorization
Action
Currently, the following Actions can be set in IAM policies:
- aws-mcp:InvokeMcp
- aws-mcp:CallReadOnlyTool
- aws-mcp:CallReadWriteTool
After checking the following documentation, I also found mentions of ConsoleAccess and ReadOnly.
It seems highly likely that in the future, MCP Server resources will be manageable through the management console.
AWS CloudTrail Logging
Let's actually call the MCP Server and check if logs are recorded in CloudTrail.
This time, I'll call it from Claude Code, referencing the following article:
The article specifies AWS_REGION=us-east-1, but it seems that this has recently been changed to us-west-2.
Note:
Replace us-west-2 with your preferred default AWS Region.
https://docs.aws.amazon.com/aws-mcp/latest/userguide/getting-started-aws-mcp-server.html
MCP Setup
Add the MCP server with the following command:
claude mcp add aws-mcp -s project -- uvx mcp-proxy-for-aws@v1.1.2 https://aws-mcp.us-east-1.api.aws/mcp --metadata AWS_REGION=us-west-2
The configuration file (.mcp.json) looks like this:
{
  "mcpServers": {
    "aws-mcp": {
      "type": "stdio",
      "command": "uvx",
      "args": [
        "mcp-proxy-for-aws@v1.1.2",
        "https://aws-mcp.us-east-1.api.aws/mcp",
        "--metadata", "AWS_REGION=us-west-2"
      ],
      "env": {}
    }
  }
}
Calling from Claude Code
I'll ask Claude Code: "Using aws-mcp, tell me about one of the latest AWS updates."
> aws-mcpを使って、最新のAWSアップデートを1つ教えて
⏺ AWS MCPを使って最新のAWSアップデートを検索します。
⏺ aws-mcp - aws___search_documentation (MCP)(search_phrase: "latest AWS updates new features 2025",
topics: ["current_awareness"], limit: 5)
⎿ {
"content": {
"result": [
… +134 lines (ctrl+o to expand)
⏺ AWS MCPで最新のアップデートを検索しました。以下、2025年のAWS
re:Inventで発表された最新アップデートを1つご紹介します:
IAM Policy Autopilot (2025年 AWS re:Invent)
概要:
IAM Policy Autopilotは、コードを分析してIAMポリシーを自動生成するオープンソースツールです。
主な特徴:
- アプリケーションコードを分析し、必要なIAMパーミッションを自動的に生成
- AIコーディングアシスタント(Kiro、Claude Code、Cursor、Clineなど)と統合可能
- 最新のAWSサービスとオペレーションの知識を常に保持
- Python、TypeScript、Goアプリケーションをサポート
メリット:
- IAMポリシー作成の手間を大幅に削減
- AWS SDK呼び出しから必要なパーミッションを自動抽出
- 手動でのポリシー作成時のミスを防止
このツールはGitHubで無料で公開されており、AWS開発体験を大幅に簡素化します。
参考:
- https://aws.amazon.com/blogs/aws/simplify-iam-policy-creation-with-iam-policy-autopilot-a-new
-open-source-mcp-server-for-builders/
- https://aws.amazon.com/blogs/aws/top-announcements-of-aws-reinvent-2025/
他のアップデートについても知りたい場合はお知らせください!
It successfully used aws___search_documentation to get information about "IAM Policy Autopilot" announced at re:Invent 2025.
Checking CloudTrail
I got stuck here - while I specified us-west-2 during MCP Server setup, the CloudTrail logs were found in us-east-1.
{
  "eventVersion": "1.11",
  "userIdentity": {},
  "eventTime": "2025-12-02T07:43:10Z",
  "eventSource": "aws-mcp.amazonaws.com",
  "eventName": "Initialize",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "xxx",
  "userAgent": "python-httpx/0.28.1",
  "requestParameters": {
    "jsonrpc": "2.0",
    "method": "initialize",
    "id": 0,
    "params": "[HIDDEN_DUE_TO_SECURITY_REASONS]"
  },
  "responseElements": {
    "jsonrpc": "2.0",
    "id": 0,
    "result": "[HIDDEN_DUE_TO_SECURITY_REASONS]"
  },
  "requestID": "ca70a470-5df1-4529-8082-83561aae2542",
  "eventID": "8506d7f7-01a1-4098-b93a-f17f43046f2b",
  "readOnly": false,
  "eventType": "AwsMcpEvent",
  "managementEvent": true,
  "recipientAccountId": "xxx",
  "eventCategory": "Management"
}
Also, the eventName differs from what's in the documentation, but this will likely be updated in the future.
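To make the Region mismatch above easier to spot when reviewing exported CloudTrail records, here is an added example (not from the original article or from AWS) that filters AWS MCP Server events and flags the ones recorded outside the Region passed in --metadata. The function names, the flag labels and the second sample record are made up for illustration; the hostname pattern in endpoint_region is taken from the endpoint URL in the setup command.

```python
import json
import re
from collections import Counter

MCP_EVENT_SOURCE = "aws-mcp.amazonaws.com"  # eventSource in the event shown above

def endpoint_region(url):
    """Region embedded in an endpoint such as https://aws-mcp.us-east-1.api.aws/mcp."""
    m = re.match(r"https://aws-mcp\.([a-z0-9-]+)\.api\.aws/", url)
    return m.group(1) if m else None

def triage(records, metadata_region):
    """Keep only AWS MCP Server events and attach flags for a reviewer."""
    findings = []
    for ev in records:
        if ev.get("eventSource") != MCP_EVENT_SOURCE:
            continue
        flags = []
        if ev.get("awsRegion") != metadata_region:
            flags.append("region-differs-from-metadata")  # the surprise described above
        if not ev.get("userIdentity"):
            flags.append("empty-userIdentity")  # caller cannot be attributed from this record
        if ev.get("readOnly") is False:
            flags.append("not-read-only")
        findings.append({
            "time": ev.get("eventTime"),
            "name": ev.get("eventName"),
            "method": (ev.get("requestParameters") or {}).get("method"),
            "region": ev.get("awsRegion"),
            "flags": flags,
        })
    return findings

def regions_seen(findings):
    """Count events per Region, i.e. where to look in CloudTrail."""
    return Counter(f["region"] for f in findings)

# Constructed sample: record 1 is trimmed from the event above, record 2 is invented noise.
SAMPLE = json.loads("""[
 {"eventTime": "2025-12-02T07:43:10Z", "eventSource": "aws-mcp.amazonaws.com",
  "eventName": "Initialize", "awsRegion": "us-east-1", "userIdentity": {},
  "readOnly": false, "requestParameters": {"jsonrpc": "2.0", "method": "initialize"}},
 {"eventTime": "2025-12-02T07:44:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "ListBuckets", "awsRegion": "us-west-2", "readOnly": true}
]""")

if __name__ == "__main__":
    for finding in triage(SAMPLE, metadata_region="us-west-2"):
        print(finding)
    print(dict(regions_seen(triage(SAMPLE, "us-west-2"))))
```

Comparing endpoint_region() of the configured URL with the Regions returned by regions_seen() shows which Region's event history to search first.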
Conclusion
Regarding AWS MCP Server, I feel that other MCP servers in awslabs might be integrated in the future.
Currently, you can't check it in the management console, but it would be nice if MCP servers could be centrally managed through the management console.
The mcp-proxy-for-aws is also being used smoothly.
The service announced in the following update that can authenticate with AWS SigV4 is convenient for cases where you're already using AWS.
It's still in preview, so I'm really looking forward to the GA of this service!

