guide13 min read1d ago

AWS MCP Servers: The Complete 2026 Guide (10 Tools That Make Claude a Cloud Engineer)

Ranked guide to the 10 most useful AWS MCP servers for 2026. Covers AWS Documentation, S3, Lambda, DynamoDB, CloudWatch, RDS, CDK, Cost Explorer, and the full official awslabs/mcp suite. Setup, IAM scoping, and real workflows.

P

Priya Iyer

May 29, 2026

Share𝕏in
AWS MCP Servers: The Complete 2026 Guide (10 Tools That Make Claude a Cloud Engineer)
aws mcp serversawslabs mcpamazon s3 mcpaws lambda mcpdynamodb mcpcloudwatch mcpaws cdkmodel context protocol

TL;DR — AWS MCP Servers: 10 Tools That Turn Claude Into a Cloud Engineer

AWS Labs maintains a fast-growing suite of official Model Context Protocol servers that expose AWS services to desktop AI clients. Connect them and Claude can search S3 buckets, tail CloudWatch logs, query DynamoDB, deploy Lambda functions, draft CDK stacks, and watch your monthly spend in real time. We ranked the 10 most useful AWS MCP servers for 2026: Documentation, Knowledge, Core, S3, Lambda, DynamoDB, CloudWatch Logs, RDS, CDK, and Cost Explorer. All free, all official, all production-ready with the right IAM scoping.

Curated from 200+ AWS-related MCP entries indexed on Skiln · Updated daily

Table of Contents

  1. What Are AWS MCP Servers?
  2. Why Not Just the AWS CLI?
  3. The Official AWS Labs MCP Suite
  4. Top 10 AWS MCP Servers for 2026
  5. Quick Comparison Table
  6. Installation Walkthrough
  7. IAM Scoping: The Safe Setup
  8. Real Workflows Engineers Are Running
  9. Frequently Asked Questions

What Are AWS MCP Servers?

An AWS MCP server is a small program that translates between the Model Context Protocol spec (published by Anthropic in late 2024 and adopted by every major AI client through 2025) and AWS service APIs. The MCP server runs locally alongside your AI client and exposes AWS operations as callable tools. When you ask Claude to list S3 buckets or check Lambda errors, the client picks the right MCP tool and the MCP server makes the underlying boto3 call.

The big shift in 2026 is that AWS Labs now publishes an entire official MCP suite under the awslabs/mcp umbrella. More than 20 services have first-party servers, with new ones landing roughly every six weeks. That official-first availability is a big reason AWS work has shifted toward conversational AI clients faster than any other cloud provider.

Skiln tracks the full official suite plus 100+ community AWS MCPs. Use the best desktop MCP servers roundup if you want the broader landscape, then return here for the AWS-specific picks.

Why Not Just the AWS CLI?

The AWS CLI is excellent and is not going anywhere. AWS MCP servers complement it rather than replace it. The differences in day-to-day workflow:

  • Plain English instead of flag soup. "Find every S3 bucket created in the last 30 days that does not have versioning enabled" is one sentence in Claude. As a CLI invocation it is a multi-step pipeline.
  • Cross-service reasoning happens in the same context. Claude can read CloudWatch metrics, pull the relevant Lambda config, check the IAM role, and propose a fix in a single conversation. Stitching that together by hand across aws logs, aws lambda, and aws iam is significantly slower.
  • Documentation is built in. With the AWS Documentation MCP installed, Claude grounds every recommendation in actual AWS docs. That cuts down on hallucinated CLI flags, which has historically been a sharp edge of LLMs touching cloud infra.

The CLI still wins for scripts, CI/CD pipelines, and Infrastructure-as-Code generation. The MCP servers win for exploration, debugging, and ad-hoc operations.

The Official AWS Labs MCP Suite

AWS Labs maintains the canonical MCP servers in a single monorepo. As of mid-2026, the suite covers:

  • Knowledge and documentation — Documentation MCP, Knowledge MCP, Bedrock Knowledge Base MCP.
  • Compute — Lambda MCP, ECS MCP, Batch MCP.
  • Storage — S3 MCP, EFS MCP, EBS Snapshot MCP.
  • Databases — DynamoDB MCP, RDS MCP, Aurora MCP, Redshift MCP.
  • Observability — CloudWatch Logs MCP, CloudWatch Metrics MCP, X-Ray MCP.
  • Governance — IAM MCP, Organizations MCP, Cost Explorer MCP, Service Quotas MCP.
  • Developer tools — CDK MCP, CodeCommit MCP, CodePipeline MCP.

The suite ships under MIT license. Each server has its own install command (most are uvx awslabs.-mcp-server), its own README, and its own IAM permission requirements. The Skiln directory tracks new releases automatically — check /mcps filtered by aws for the live catalog.

Top 10 AWS MCP Servers for 2026

1. AWS Documentation MCP

Read-only access to the full AWS documentation corpus, searchable through Claude. No credentials, no IAM policy, zero risk of touching real resources. The first AWS MCP every engineer should install. See the in-depth AWS Docs MCP review.

Best for: Looking up service limits, IAM action names, CLI flags, CloudFormation property reference, and best-practice patterns from inside a Claude chat instead of switching tabs.

Install: uvx awslabs.aws-documentation-mcp-server

2. AWS Knowledge MCP Server

Sister to the Documentation MCP. Queries AWS Knowledge Base content — blog posts, whitepapers, re:Invent transcripts, Well-Architected guidance. Like the Documentation MCP it is read-only and requires no AWS credentials.

Best for: Architecture decisions, post-mortem research, Well-Architected reviews, and answering "what does AWS officially recommend for X?" without leaving the chat.

Install: uvx awslabs.aws-knowledge-mcp-server

3. AWS Core MCP (Account & IAM)

The lowest-risk write-capable MCP in the suite. Exposes account-level metadata (which region, which profile, current account ID), IAM user and role inspection, and STS get-caller-identity. Critical context-setting tool for any chat session that will touch AWS.

Best for: Verifying which account Claude is about to act on, listing IAM principals, reading role trust policies, sanity-checking the active credential before destructive operations.

Install: uvx awslabs.core-mcp-server

4. Amazon S3 MCP

Full S3 control plane in Claude: list buckets, list objects, get/put objects, manage bucket policies, set lifecycle rules, configure CORS, query inventory. With versioning-aware semantics so Claude does not silently overwrite production data.

Best for: Bucket audits, lifecycle rule drafting, public-access-block enforcement, "find the object I uploaded last Thursday" needle-in-haystack queries.

Install: uvx awslabs.s3-mcp-server

5. AWS Lambda MCP

Read and write access to Lambda functions, layers, aliases, versions, and event source mappings. Combined with the CloudWatch Logs MCP it becomes a complete "debug my Lambda" loop — read the function code, fetch the latest invocation logs, deploy a fix, watch the next log stream.

Best for: Function deployment, log-driven debugging, cold start investigation, runtime upgrades (Node 18 to 20, Python 3.10 to 3.12).

Install: uvx awslabs.lambda-mcp-server

6. Amazon DynamoDB MCP

Table management plus item-level read/write. Claude can model new tables from a schema description, scan existing tables for hot keys, propose GSI changes, and execute targeted PartiQL queries. Defaults to read-only mode unless explicit write actions are granted in the IAM policy.

Best for: Schema design, capacity tuning, ad-hoc PartiQL queries, GSI redesign before production rollout.

Install: uvx awslabs.dynamodb-mcp-server

7. Amazon CloudWatch Logs MCP

The most-used AWS MCP in our internal usage data. Queries CloudWatch Logs Insights, tails live log streams, and filters across log groups. Read-only by default. Pair this with the Lambda MCP and you have a full incident-response loop driven by chat.

Best for: Log triage, error pattern hunting, on-call response, latency investigation, cross-service log correlation.

Install: uvx awslabs.cloudwatch-logs-mcp-server

8. Amazon RDS MCP

Inspect RDS instances, clusters, snapshots, parameter groups, and option groups. Initiate snapshot restores, modify instance classes, manage automated backups. Critical operations like delete-instance require an explicit IAM grant the MCP refuses to assume by default.

Best for: Instance class right-sizing, backup posture audits, parameter group migration, planning major-version upgrades.

Install: uvx awslabs.rds-mcp-server

9. AWS CDK MCP

AWS CDK construct library knowledge plus local CDK project introspection. Claude can suggest construct patterns, generate boilerplate stacks, and explain existing CDK code with full type awareness. Pairs especially well with the Documentation MCP for cross-checking construct properties.

Best for: CDK project scaffolding, construct selection, refactoring L1 to L2 constructs, type-aware CDK code review.

Install: uvx awslabs.cdk-mcp-server

10. AWS Cost Explorer MCP

The MCP that pays for itself. Queries Cost Explorer for service-level spend, anomaly detection, savings plan utilization, and forecasted spend. Read-only and reliably accurate because it talks directly to the same data the Cost Explorer dashboard uses.

Best for: Monthly cost reviews, anomaly investigation, savings plan sizing, FinOps reporting, finding the EC2 instance someone forgot to terminate last quarter.

Install: uvx awslabs.cost-explorer-mcp-server

Quick Comparison Table

MCP ServerUse CaseBackendIAM NeededDefault Mode
AWS Documentation MCPDoc searchPublic docsNoneRead-only
AWS Knowledge MCPKnowledge basePublic knowledgeNoneRead-only
AWS Core MCPAccount & IAMSTS, IAMRead-only IAMRead-only
Amazon S3 MCPObject storageS3S3 R/W or ROConfigurable
AWS Lambda MCPServerless computeLambdaLambda R/W or ROConfigurable
Amazon DynamoDB MCPNoSQL DBDynamoDBDynamoDB R/W or ROConfigurable
CloudWatch Logs MCPLog searchCloudWatchLogs read-onlyRead-only
Amazon RDS MCPRelational DB opsRDSRDS R/W or ROConfigurable
AWS CDK MCPIaC authorCDK constructsNone (local files)Read-only
AWS Cost Explorer MCPFinOpsCost Explorer APIce:Get*Read-only

Installation Walkthrough

The official AWS suite installs via uvx (the uv tool runner). One-time setup:

  1. Install uv. curl -LsSf https://astral.sh/uv/install.sh | sh on macOS or Linux, or powershell -c "irm https://astral.sh/uv/install.ps1 | iex" on Windows.
  2. Configure AWS credentials. The MCP servers reuse whatever the AWS CLI sees — ~/.aws/credentials, AWS_PROFILE, or environment variables. Run aws sts get-caller-identity once to confirm.
  3. Add the server to your AI client config. Example for Claude Desktop:

{   "mcpServers": {     "aws-docs": {       "command": "uvx",       "args": ["awslabs.aws-documentation-mcp-server"]     },     "aws-s3": {       "command": "uvx",       "args": ["awslabs.s3-mcp-server"],       "env": { "AWS_PROFILE": "skiln-dev", "AWS_REGION": "us-east-1" }     }   } }

  1. Restart Claude Desktop. The new MCPs appear in the tools sidebar within a few seconds. If they do not, check the Claude Desktop log file — almost every silent failure is either a missing uv install or wrong AWS profile.
  2. Verify with a read-only query first. "List my S3 buckets" is the safest first prompt against any new AWS MCP install. If it returns a real bucket list, you are wired up correctly.

For Claude Code, use claude mcp add instead of hand-editing JSON. The Skiln Config Generator can bundle the entire AWS suite into a single paste-ready config file.

IAM Scoping: The Safe Setup

AWS MCP servers are only as safe as the IAM policy attached to the profile they run under. Two patterns we recommend:

Pattern 1: Dedicated read-only AI profile. Create an IAM user (or role) called claude-readonly-dev with a single attached policy:

{   "Version": "2012-10-17",   "Statement": [     { "Effect": "Allow", "Action": ["s3:List", "s3:Get"], "Resource": "" },     { "Effect": "Allow", "Action": ["lambda:List", "lambda:Get"], "Resource": "" },     { "Effect": "Allow", "Action": ["logs:Describe", "logs:Filter", "logs:Get", "logs:StartQuery", "logs:GetQueryResults"], "Resource": "" },     { "Effect": "Allow", "Action": ["ce:Get", "ce:Describe"], "Resource": "*" }   ] }

This policy covers 80% of day-to-day AI usage with zero blast radius if Claude misinterprets a request.

Pattern 2: Separate profiles per environment. Use AWS_PROFILE=skiln-dev for the dev account and never connect an MCP to a profile that has write access to production. Pair this with a .aws/config mfa_serial line so even your dev profile requires an MFA touch every session.

The combination — read-only by default, separate profiles per environment, MFA on dev — gives you the fastest AI feedback loop without exposing prod. We document the equivalent patterns for other cloud MCPs in our MCP servers for enterprise teams guide.

Real Workflows Engineers Are Running

Patterns we have seen succeed in production over the last six months of AWS MCP usage:

  • The on-call triage loop. CloudWatch Logs MCP plus Lambda MCP plus CDK MCP. When a function pages out, ask Claude to fetch the last 50 errors, show the relevant Lambda code, and propose a CDK change. Three MCPs working together replace a 30-minute manual investigation.
  • The cost autopsy. Cost Explorer MCP plus S3 MCP plus RDS MCP. End of month, ask "what drove our spend higher in us-east-1 versus last month?" Claude pulls the Cost Explorer data, identifies the service responsible, then drills into the underlying resource (the rogue NAT gateway, the unrightsized RDS instance).
  • The bucket policy audit. S3 MCP plus Documentation MCP. Claude inspects every bucket policy, cross-references the latest AWS security best practices, and produces a delta report. Faster than a Trusted Advisor scan and the output is in the same conversation where you can ask follow-ups.
  • The migration kickoff. CDK MCP plus Lambda MCP. Hand Claude an existing CloudFormation template, ask for a CDK port with constructs at the L2 level, and have it explain the diff. The Documentation MCP catches every property rename that has shipped since the CFN template was written.

Building your AWS-aware Claude setup? Skiln indexes the full awslabs/mcp suite plus 100+ community AWS MCPs — install commands, IAM examples, and trust scores included.

Browse Now →

Frequently Asked Questions

What is an AWS MCP server?

An AWS MCP server is a Model Context Protocol server that exposes AWS APIs (S3, Lambda, DynamoDB, CloudWatch, IAM, EC2, RDS, and more) as tools that a desktop AI client like Claude Desktop, Claude Code, Cursor, or Windsurf can call. Instead of running aws s3 ls in the terminal, you ask Claude to list buckets in plain English and the MCP server makes the boto3 call for you.

Are AWS MCP servers official?

Yes. AWS Labs maintains an entire suite of official MCP servers in the awslabs/mcp GitHub repository. Coverage spans more than 20 services as of 2026, including Documentation, S3, Lambda, DynamoDB, CloudWatch, IAM, CDK, and Cost Explorer. Community MCPs exist for niche services not yet covered by the official suite, but for production work the official ones are the safer bet.

Do AWS MCP servers cost money?

The MCP servers themselves are free and open source. You pay for the underlying AWS resources you query or modify, exactly as you would using the AWS CLI or SDK. There is no per-call surcharge for going through MCP. We recommend pairing every AWS MCP with the AWS Cost Explorer MCP so Claude can monitor and warn you about budget impact in real time.

Which AWS MCP server should I install first?

The AWS Documentation MCP is the safest starting point because it is read-only and requires no AWS credentials. It lets Claude search and quote authoritative AWS docs inside your chat. Once you are comfortable, add the AWS Knowledge MCP (also read-only) and then layer on a service-specific MCP like S3 or Lambda with a tightly scoped IAM role.

How do I limit what an AWS MCP can do?

Two ways. First, create a dedicated IAM role for each MCP server with only the actions and resources it needs (read-only S3 access, for example, instead of full power-user). Second, use AWS_PROFILE or environment-injected temporary credentials so MCPs that should not touch prod literally cannot. Skiln walks through both patterns in the IAM Scoping section of every AWS MCP review.

Can the AWS MCP server modify production resources?

It can if you give it credentials with write permission. That is by design. The MCP protocol does not have a built-in dry-run flag, so the safety belt has to come from your IAM policy. For production accounts, prefer read-only MCPs (Documentation, Knowledge, CloudWatch Logs, Cost Explorer) and reserve write-capable ones (S3, Lambda, DynamoDB) for dev and staging environments.

Will AWS MCP servers work with non-AWS clouds?

No. The AWS MCP suite is AWS-specific. Google Cloud, Azure, Cloudflare, and Hetzner all have their own MCP servers in the Skiln directory. The skills you learn setting up the AWS suite transfer directly though, since the install pattern (npx or uvx command plus credentials) is identical across cloud providers.

Where can I find every AWS MCP server in one place?

Skiln indexes the full awslabs/mcp suite plus every community AWS MCP across PulseMCP, Smithery, Glama, and LobeHub. Filter by aws or cloud at /mcps to see the current catalog. As of 2026, there are 200+ AWS-related MCP entries between official and community sources.

Last updated: May 29, 2026 · Skiln tracks new awslabs/mcp releases daily and re-scores the full AWS MCP catalog weekly.

Frequently Asked Questions

What is an AWS MCP server?
An AWS MCP server is a Model Context Protocol server that exposes AWS APIs (S3, Lambda, DynamoDB, CloudWatch, IAM, EC2, RDS, and more) as tools that a desktop AI client like Claude Desktop, Claude Code, Cursor, or Windsurf can call. Instead of running aws s3 ls in the terminal, you ask Claude to list buckets in plain English and the MCP server makes the boto3 call for you.
Are AWS MCP servers official?
Yes. AWS Labs maintains an entire suite of official MCP servers in the awslabs/mcp GitHub repository. Coverage spans more than 20 services as of 2026, including Documentation, S3, Lambda, DynamoDB, CloudWatch, IAM, CDK, and Cost Explorer. Community MCPs exist for niche services not yet covered by the official suite, but for production work the official ones are the safer bet.
Do AWS MCP servers cost money?
The MCP servers themselves are free and open source. You pay for the underlying AWS resources you query or modify, exactly as you would using the AWS CLI or SDK. There is no per-call surcharge for going through MCP. We recommend pairing every AWS MCP with the AWS Cost Explorer MCP so Claude can monitor and warn you about budget impact in real time.
Which AWS MCP server should I install first?
The AWS Documentation MCP is the safest starting point because it is read-only and requires no AWS credentials. It lets Claude search and quote authoritative AWS docs inside your chat. Once you are comfortable, add the AWS Knowledge MCP (also read-only) and then layer on a service-specific MCP like S3 or Lambda with a tightly scoped IAM role.
How do I limit what an AWS MCP can do?
Two ways. First, create a dedicated IAM role for each MCP server with only the actions and resources it needs (read-only S3 access, for example, instead of full power-user). Second, use AWS_PROFILE or environment-injected temporary credentials so MCPs that should not touch prod literally cannot. Skiln walks through both patterns in the IAM Scoping section of every AWS MCP review.
Can the AWS MCP server modify production resources?
It can if you give it credentials with write permission. That is by design. The MCP protocol does not have a built-in dry-run flag, so the safety belt has to come from your IAM policy. For production accounts, prefer read-only MCPs (Documentation, Knowledge, CloudWatch Logs, Cost Explorer) and reserve write-capable ones (S3, Lambda, DynamoDB) for dev and staging environments.
Will AWS MCP servers work with non-AWS clouds?
No. The AWS MCP suite is AWS-specific. Google Cloud, Azure, Cloudflare, and Hetzner all have their own MCP servers in the Skiln directory. The skills you learn setting up the AWS suite transfer directly though, since the install pattern (npx or uvx command plus credentials) is identical across cloud providers.
Where can I find every AWS MCP server in one place?
Skiln indexes the full awslabs/mcp suite plus every community AWS MCP across PulseMCP, Smithery, Glama, and LobeHub. Filter by aws or cloud at /mcps to see the current catalog. As of 2026, there are 200+ AWS-related MCP entries between official and community sources.

Stay in the Loop

Join 1,000+ developers. Get the best new Skills & MCPs weekly.

No spam. Unsubscribe anytime.

AWS MCP Servers: Complete 2026 Guide to the awslabs/mcp Suite