● Official awslabs · 🔑 Bring your own AWS credentials

AWS Labs MCP

by awslabs · awslabs/mcp

Official AWS Labs collection — one MCP per service (S3, Lambda, CloudFormation, ECS, RDS, CloudWatch). Read-only by default.

The AWS Labs MCP suite. Rather than one giant server, AWS ships a family: aws-api (general CLI-style), plus specialized servers for S3, Lambda, CloudFormation, ECS, RDS, CloudWatch, Cost Explorer, and more. All read-first; writes require explicit opt-in via env flags.


Installation

Choose your client

~/Library/Application Support/Claude/claude_desktop_config.json  · Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "aws": {
      "command": "uvx",
      "args": [
        "awslabs.aws-api-mcp-server"
      ]
    }
  }
}

Open Claude Desktop → Settings → Developer → Edit Config. Restart after saving.

~/.cursor/mcp.json · .cursor/mcp.json
{
  "mcpServers": {
    "aws": {
      "command": "uvx",
      "args": [
        "awslabs.aws-api-mcp-server"
      ]
    }
  }
}

Cursor uses the same mcpServers schema as Claude Desktop. The project config takes precedence over the global one.

VS Code → Cline → MCP Servers → Edit
{
  "mcpServers": {
    "aws": {
      "command": "uvx",
      "args": [
        "awslabs.aws-api-mcp-server"
      ]
    }
  }
}

Click the MCP Servers icon in the Cline sidebar, then "Edit Configuration".

~/.codeium/windsurf/mcp_config.json
{
  "mcpServers": {
    "aws": {
      "command": "uvx",
      "args": [
        "awslabs.aws-api-mcp-server"
      ]
    }
  }
}

Same format as Claude Desktop. Restart Windsurf to apply.

~/.continue/config.json
{
  "mcpServers": [
    {
      "name": "aws",
      "command": "uvx",
      "args": [
        "awslabs.aws-api-mcp-server"
      ]
    }
  ]
}

Continue uses an array of server objects rather than a map.

~/.config/zed/settings.json
{
  "context_servers": {
    "aws": {
      "command": {
        "path": "uvx",
        "args": [
          "awslabs.aws-api-mcp-server"
        ]
      }
    }
  }
}

Add it under context_servers. Zed reloads automatically.

claude mcp add aws -- uvx awslabs.aws-api-mcp-server

One-liner. Verify with claude mcp list; remove with claude mcp remove aws.

Use cases

Real-world scenarios: AWS Labs MCP

Triage a CloudWatch alarm by correlating logs, metrics, and recent deploys

👤 SRE and on-call engineers · ⏱ ~15 min · intermediate

When to use: An alarm just fired and you want to answer 'which service, which deploy, which log line' without tabbing through the console.

Prerequisites
  • AWS credentials with CloudWatch and CodeDeploy read access: aws sso login with a role that has the ReadOnlyAccess managed policy
  • The CloudWatch MCP server running (uvx awslabs.cloudwatch-mcp-server), or install the bundle
Flow
  1. Pull the alarm details and affected resources
    Describe CloudWatch alarm 'prod-api-5xx-high'. What resource does it watch, what threshold, what's the current state?
    → Alarm config plus state history (when it flipped)
  2. Query logs around the breach
    Run a Logs Insights query over the /aws/ecs/prod-api log group from 10 minutes before the alarm fired until now. Find ERROR-level log lines grouped by message template.
    → Top error templates with counts
  3. Correlate with recent deploys
    List CodeDeploy deployments to the prod-api service in the last 6 hours. Does any deploy time correlate with the error spike?
    → Deploy timeline lined up against error onset

Outcome: A concrete hypothesis like 'deploy abc123 at 14:22 UTC correlates with 5xx onset at 14:23', with the evidence to back it.

Pitfalls
  • Logs Insights bills per GB scanned, so a wide query window over a big log group costs real money. Keep startTime/endTime to a window narrower than an hour and set a row limit; the MCP won't stop you.
  • Cross-account resources need the right credential profile. Set the AWS_PROFILE env var per server invocation; don't assume the default profile is the one you want.
Combine with: sentry · github
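The bounded query from step 2 and the deploy correlation from step 3, as an added Python example (not code from awslabs/mcp or from this page). It builds the CloudWatch Logs StartQuery parameters with a hard cap on the time window, finds the first minute in which errors exceed a baseline, and lists the CodeDeploy deployments that completed just before that minute. The log group, alarm time, per-minute error counts and deployment records are constructed; in a real run the MCP's start_query/get_query_results and the CodeDeploy calls supply them.

```python
import datetime as dt

# Added example, not code from awslabs/mcp. It prepares the bounded Logs Insights
# query from step 2 and correlates the error onset with deploy times (step 3)
# over constructed data; the MCP or boto3 would supply the real responses.

MAX_WINDOW_MINUTES = 60  # cost guard: Logs Insights bills per GB scanned

# Error count per minute: the onset is visible without pulling raw lines.
ONSET_QUERY = """fields @timestamp, @message
| filter @message like /ERROR/
| stats count(*) as errors by bin(1m)
| sort @timestamp asc"""


def logs_insights_params(log_group, alarm_fired_at, lookback_minutes=10, tail_minutes=5):
    """kwargs for CloudWatch Logs StartQuery covering [alarm - lookback, alarm + tail].
    Refuses windows wider than MAX_WINDOW_MINUTES instead of silently scanning."""
    if lookback_minutes + tail_minutes > MAX_WINDOW_MINUTES:
        raise ValueError(f"window exceeds {MAX_WINDOW_MINUTES} minutes; narrow it")
    start = alarm_fired_at - dt.timedelta(minutes=lookback_minutes)
    end = alarm_fired_at + dt.timedelta(minutes=tail_minutes)
    return {
        "logGroupName": log_group,
        "queryString": ONSET_QUERY,
        "startTime": int(start.timestamp()),  # epoch seconds, as the API expects
        "endTime": int(end.timestamp()),
        "limit": 1000,
    }


def error_onset(bins, baseline=0):
    """First 1-minute bin whose error count exceeds `baseline`, or None."""
    for ts, errors in sorted(bins):
        if errors > baseline:
            return ts
    return None


def correlate_deploys(onset, deployments, before_minutes=15, after_minutes=2):
    """Deployments that completed within [onset - before, onset + after], nearest first.
    `deployments` follows the shape of CodeDeploy BatchGetDeployments' deploymentsInfo."""
    lo = onset - dt.timedelta(minutes=before_minutes)
    hi = onset + dt.timedelta(minutes=after_minutes)
    hits = [d for d in deployments if lo <= d["completeTime"] <= hi]
    return sorted(hits, key=lambda d: abs(d["completeTime"] - onset))


# Constructed sample data (not from a real account).
UTC = dt.timezone.utc
ALARM_FIRED = dt.datetime(2026, 4, 2, 14, 23, tzinfo=UTC)
ERROR_BINS = [(ALARM_FIRED - dt.timedelta(minutes=m), n)
              for m, n in ((10, 0), (9, 1), (8, 0), (7, 0), (6, 1), (5, 0), (4, 0), (3, 1), (2, 0), (1, 0))]
ERROR_BINS += [(ALARM_FIRED, 57), (ALARM_FIRED + dt.timedelta(minutes=1), 61)]
DEPLOYMENTS = [
    {"deploymentId": "d-AAA111", "status": "Succeeded", "completeTime": dt.datetime(2026, 4, 2, 9, 5, tzinfo=UTC)},
    {"deploymentId": "d-BBB222", "status": "Succeeded", "completeTime": dt.datetime(2026, 4, 2, 14, 22, 10, tzinfo=UTC)},
    {"deploymentId": "d-CCC333", "status": "Succeeded", "completeTime": dt.datetime(2026, 4, 2, 14, 40, tzinfo=UTC)},
]

if __name__ == "__main__":
    print(logs_insights_params("/aws/ecs/prod-api", ALARM_FIRED))
    onset = error_onset(ERROR_BINS, baseline=2)
    for d in correlate_deploys(onset, DEPLOYMENTS):
        print(f"deploy {d['deploymentId']} completed {d['completeTime']:%H:%M:%S} UTC; errors began {onset:%H:%M} UTC")
```

The window cap is deliberately a hard error rather than a warning: an agent that receives an exception re-plans with a narrower range, while a warning in the tool output is easy for it to ignore.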

Audit an S3 bucket for public objects and encryption status

👤 Security engineers, compliance reviewers · ⏱ ~20 min · intermediate

When to use: Before a pen test or audit, you want a quick inventory of bucket posture.

Prerequisites
  • s3:ListAllMyBuckets, s3:ListBucket and s3:GetBucket* permissions (plus s3:GetObjectAcl for the object-level check in step 3): attach the SecurityAudit managed policy (read-only)
Flow
  1. List buckets and pull their policies
    List all S3 buckets in this account. For each, fetch: Public Access Block config, bucket ACL, bucket policy, default encryption config.
    → Per-bucket posture table
  2. Flag risky buckets
    Highlight any bucket where Public Access Block is off, OR encryption is off, OR the bucket policy contains Principal: '*'.
    → Short list of risky buckets with reasons
  3. Sample a few objects from the flagged buckets
    For each flagged bucket, list the first 5 objects and show their ACLs. Are any actually world-readable?
    → Object-level confirmation rather than just bucket-level

Outcome: A prioritized remediation list for your security review.

Pitfalls
  • Bucket policies can grant public access even when the ACLs look private. Evaluate both; use GetPublicAccessBlock and GetBucketPolicyStatus, not just the ACLs.
Combine with: filesystem
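The posture check from steps 1 and 2, as an added Python example (not code from awslabs/mcp or from this page). It evaluates Public Access Block, ACL grants, bucket-policy principals and default encryption from records shaped like the corresponding API responses. The three bucket records are constructed; the finance-exports record shows why a wildcard principal behind a Condition should be queued for review rather than counted as public or dismissed as private.

```python
import json

# Added example, not code from awslabs/mcp: the per-bucket posture check from
# steps 1-2 above, run offline over constructed records shaped like the responses
# of GetPublicAccessBlock, GetBucketAcl, GetBucketPolicy and GetBucketEncryption.

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}


def pab_fully_enabled(pab):
    """All four flags true. `pab` is None when GetPublicAccessBlock reports no configuration."""
    return pab is not None and all(pab.get(k) is True for k in PAB_KEYS)


def acl_is_public(acl):
    """Any grant to the AllUsers or AuthenticatedUsers group."""
    return any(g.get("Grantee", {}).get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS
               for g in acl.get("Grants", []))


def principal_is_wildcard(principal):
    """Principal "*", {"AWS": "*"}, or "*" inside an AWS list."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def wildcard_statements(policy):
    """Sids of Allow statements with a wildcard principal: (unconditioned, conditioned).
    Unconditioned ones are public outright; conditioned ones (aws:SourceVpce, aws:SourceIp, ...)
    need a human to judge the condition, so they are reported for review, not ignored."""
    public, review = [], []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and principal_is_wildcard(stmt.get("Principal")):
            (review if stmt.get("Condition") else public).append(stmt.get("Sid", "<no Sid>"))
    return public, review


def default_encryption(enc):
    """Default SSE algorithm ("AES256" or "aws:kms"), or None when no rule sets one."""
    for rule in (enc or {}).get("Rules", []):
        if rule.get("ApplyServerSideEncryptionByDefault"):
            return rule["ApplyServerSideEncryptionByDefault"].get("SSEAlgorithm")
    return None


def assess_bucket(name, pab, acl, policy, encryption):
    findings, review = [], []
    if not pab_fully_enabled(pab):
        findings.append("Public Access Block not fully enabled")
    if acl_is_public(acl):
        findings.append("ACL grants access to a public group")
    if policy:
        public, conditioned = wildcard_statements(json.loads(policy))
        if public:
            findings.append(f"policy allows Principal '*' without Condition: {public}")
        review.extend(conditioned)
    alg = default_encryption(encryption)
    if alg is None:
        findings.append("no default encryption")
    return {"bucket": name, "encryption": alg, "findings": findings, "review": review}


def audit(buckets):
    """Posture rows, risky buckets first (then by name)."""
    rows = [assess_bucket(**b) for b in buckets]
    return sorted(rows, key=lambda r: (not r["findings"], r["bucket"]))


def risky_buckets(buckets):
    return [r["bucket"] for r in audit(buckets) if r["findings"]]


def _owner_acl():
    return {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]}


# Constructed sample records (not real buckets).
SAMPLE_BUCKETS = [
    {"name": "prod-assets-public", "pab": {k: False for k in PAB_KEYS}, "acl": _owner_acl(),
     "policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::prod-assets-public/*"}]}),
     "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    {"name": "finance-exports", "pab": {k: True for k in PAB_KEYS}, "acl": _owner_acl(),
     "policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::finance-exports/*",
          "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}),
     "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
         "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/finance-exports"}}]}},
    {"name": "legacy-logs", "pab": None,  # no PAB configuration at all
     "acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                         "Permission": "READ"}]},
     "policy": None, "encryption": None},
]

if __name__ == "__main__":
    for row in audit(SAMPLE_BUCKETS):
        print(row)
```

The check is intentionally a first pass over the raw responses; the authoritative public/not-public verdict comes from GetBucketPolicyStatus, as the pitfall above says, and this code is what you use to decide which buckets to ask that question about.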

Find out why this month's AWS bill jumped

👤 Engineering leads, finance ops · ⏱ ~25 min · intermediate

When to use: The bill is up 30% and you have 48 hours to explain it to finance.

Prerequisites
  • Cost Explorer API access: enable Cost Explorer in the billing console and grant ce:GetCostAndUsage to your role
Flow
  1. Get the daily cost deltas
    Pull total blended cost per day for the last 60 days. Identify any day where cost jumped >20% vs 7-day trailing average.
    → Daily cost series plus flagged anomaly days
  2. Break down by service for the anomaly
    For the biggest anomaly day, break down cost by service. Which service drove the spike?
    → Service-level driver identified
  3. Break down further by resource
    For that service, break down by usage-type and resource tag. Which specific resource is responsible?
    → Resource-level culprit — e.g. 'nat gateway in us-east-1 processed 12 TB'

Outcome: A one-paragraph answer for finance: 'the spike was X, caused by Y; the fix is Z'.

Pitfalls
  • Cost Explorer lags by up to 24 hours, so today's costs aren't fully in yet. End queries at least one day ago and state the lag explicitly in your answer.
  • Each Cost Explorer API call costs $0.01. Don't loop queries in a script without bounds; the MCP won't stop you.
Combine with: filesystem
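The anomaly and driver logic from steps 1 and 2, as an added Python example (not code from awslabs/mcp or from this page). It bounds the TimePeriod to respect the lag noted in the pitfalls above, flags days that exceed the 7-day trailing average by more than 20%, and picks the top service for the worst day. Both Cost Explorer responses are constructed in the GetCostAndUsage shape; a real run needs exactly two calls for this (about $0.02).

```python
from datetime import date, timedelta

# Added example, not code from awslabs/mcp: the anomaly and driver logic from
# the flow above, run over constructed responses shaped like Cost Explorer
# GetCostAndUsage output. Two real calls would be needed (about $0.02).


def safe_time_period(today_iso, days=60, lag_days=1):
    """TimePeriod for GetCostAndUsage that stops `lag_days` before today, because
    Cost Explorer data lags up to 24h. End is exclusive in the API."""
    end = date.fromisoformat(today_iso) - timedelta(days=lag_days)
    return {"Start": (end - timedelta(days=days)).isoformat(), "End": end.isoformat()}


def daily_cost_request(today_iso, metric="BlendedCost"):
    """Parameters for the get_cost_and_usage tool (step 1): one bounded DAILY query."""
    return {"TimePeriod": safe_time_period(today_iso), "Granularity": "DAILY", "Metrics": [metric]}


def daily_totals(response, metric="BlendedCost"):
    """[(day, amount)] from a DAILY response without GroupBy."""
    return [(r["TimePeriod"]["Start"], float(r["Total"][metric]["Amount"]))
            for r in response["ResultsByTime"]]


def flag_anomalies(series, window=7, threshold=0.20):
    """Days costing more than (1 + threshold) x the trailing `window`-day average.
    The first `window` days have no full baseline and are never flagged."""
    flagged = []
    for i in range(window, len(series)):
        baseline = sum(a for _, a in series[i - window:i]) / window
        day, amount = series[i]
        if baseline > 0 and amount > baseline * (1 + threshold):
            flagged.append({"date": day, "amount": amount,
                            "baseline": round(baseline, 2), "ratio": round(amount / baseline, 2)})
    return flagged


def biggest_anomaly(flagged):
    return max(flagged, key=lambda f: f["ratio"]) if flagged else None


def top_driver(grouped_response, metric="BlendedCost"):
    """(service, amount) of the largest group in a one-day response grouped by SERVICE (step 2)."""
    groups = grouped_response["ResultsByTime"][0]["Groups"]
    best = max(groups, key=lambda g: float(g["Metrics"][metric]["Amount"]))
    return best["Keys"][0], float(best["Metrics"][metric]["Amount"])


# Constructed sample responses (not from a real bill).
def _daily_response():
    amounts = [100, 102, 98, 101, 99, 103, 100, 104, 97, 102, 165, 170, 168, 101]
    first = date(2026, 3, 1)
    rows = []
    for i, a in enumerate(amounts):
        d = first + timedelta(days=i)
        rows.append({"TimePeriod": {"Start": d.isoformat(), "End": (d + timedelta(days=1)).isoformat()},
                     "Total": {"BlendedCost": {"Amount": f"{a:.2f}", "Unit": "USD"}},
                     "Groups": [], "Estimated": False})
    return {"ResultsByTime": rows}


def _service_breakdown():
    # NAT gateway data-processing charges show up under "EC2 - Other" in Cost Explorer.
    mk = lambda svc, amt: {"Keys": [svc], "Metrics": {"BlendedCost": {"Amount": amt, "Unit": "USD"}}}
    return {"ResultsByTime": [{"TimePeriod": {"Start": "2026-03-11", "End": "2026-03-12"},
                               "Groups": [mk("Amazon Elastic Compute Cloud - Compute", "48.10"),
                                          mk("EC2 - Other", "71.30"),
                                          mk("Amazon Simple Storage Service", "22.60"),
                                          mk("Amazon Relational Database Service", "23.00")],
                               "Estimated": False}]}


SAMPLE_DAILY = _daily_response()
SAMPLE_BY_SERVICE = _service_breakdown()

if __name__ == "__main__":
    flagged = flag_anomalies(daily_totals(SAMPLE_DAILY))
    worst = biggest_anomaly(flagged)
    service, amount = top_driver(SAMPLE_BY_SERVICE)
    print(f"{worst['date']}: ${worst['amount']:.2f} vs ${worst['baseline']:.2f} baseline; top service {service} (${amount:.2f})")
```

Note that the days after the spike are also flagged even though the baseline is already rising; that is why the flow asks for the biggest anomaly day rather than every flagged day before spending a second call on the service breakdown.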

Debug a failing Lambda by reading its recent invocations and logs

👤 Serverless engineers · ⏱ ~15 min · intermediate

When to use: A Lambda is throwing errors intermittently and you want to see inputs, errors, and duration trends.

Flow
  1. Describe the function
    Describe Lambda function my-api-handler. What runtime, memory, timeout, last modified?
    → Config snapshot
  2. Pull recent errors from CloudWatch Logs
    Logs Insights: for /aws/lambda/my-api-handler in the last 2 hours, show error lines with their requestId, duration, and init time. Group by error type.
    → Error categories with representative requestIds
  3. Fetch one request end-to-end
    Pick one failing requestId. Pull the full log stream for that invocation — START, all prints, END, REPORT. Tell me what happened.
    → Narrative of a single invocation with cold-start timing and error cause

Outcome: The specific error cause plus a fix path (more memory, dependency upgrade, retry config, etc.).

Pitfalls
  • Provisioned concurrency skews cold-start numbers. REPORT lines that carry Init Duration are cold starts; exclude them when you are debugging warm-invocation latency.
Combine with: github · sentry
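Parsing the REPORT and error lines from steps 2 and 3, as an added Python example (not code from awslabs/mcp or from this page). It separates cold starts (REPORT lines with Init Duration) from warm invocations, groups errors by type, and pulls one request's full trace. The log lines are constructed in the Node.js runtime's format (timestamp, request id, "ERROR Invoke Error {json}" and the runtime's "Task timed out" message); a Python-runtime function would need a different error-line pattern.

```python
import json
import re

# Added example, not code from awslabs/mcp: parses Lambda log lines of the kind
# returned by the Logs Insights step above, splits cold from warm invocations via
# Init Duration, and groups errors by type. Input below is constructed.

UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
REPORT_RE = re.compile(
    rf"^REPORT RequestId: (?P<rid>{UUID})\s+Duration: (?P<duration>[\d.]+) ms\s+"
    r"Billed Duration: (?P<billed>\d+) ms\s+Memory Size: (?P<memory>\d+) MB\s+"
    r"Max Memory Used: (?P<used>\d+) MB(?:\s+Init Duration: (?P<init>[\d.]+) ms)?")
# Runtime/application lines (Node.js format): ISO timestamp, request id, then the message.
RUNTIME_RE = re.compile(rf"^(?P<ts>\S+)\s+(?P<rid>{UUID})\s+(?P<body>.*)$")


def parse_report(line):
    m = REPORT_RE.match(line)
    if not m:
        return None
    return {"rid": m["rid"], "duration_ms": float(m["duration"]), "memory_mb": int(m["memory"]),
            "used_mb": int(m["used"]),
            "init_ms": float(m["init"]) if m["init"] else None}  # None => warm invocation


def classify_error(body):
    """Error type from a runtime error line; None if the line is not an error."""
    if "Task timed out" in body:
        return "Timeout"
    if not body.startswith("ERROR"):
        return None
    m = re.search(r"\{.*\}", body)  # Node.js "Invoke Error {json}" payload
    if m:
        try:
            return json.loads(m.group()).get("errorType", "UnknownError")
        except json.JSONDecodeError:
            pass
    return "UnknownError"


def summarize(lines):
    errors, reports = {}, []
    for line in lines:
        rep = parse_report(line)
        if rep:
            reports.append(rep)
            continue
        m = RUNTIME_RE.match(line)
        if m and (etype := classify_error(m["body"])):
            errors.setdefault(etype, []).append(m["rid"])
    cold = [r for r in reports if r["init_ms"] is not None]
    warm = [r for r in reports if r["init_ms"] is None]
    return {
        "invocations": len(reports),
        "cold_start_ids": [r["rid"] for r in cold],
        "warm_durations_ms": [r["duration_ms"] for r in warm],  # the pitfall: judge latency on these
        "cold_init_ms": [r["init_ms"] for r in cold],
        "errors": errors,
        "peak_memory_mb": max((r["used_mb"] for r in reports), default=0),
    }


def invocation_trace(lines, rid):
    """Every line for one request (START, application output, END, REPORT) for step 3."""
    return [line for line in lines if rid in line]


# Constructed sample log lines (not captured from a real function).
LOG_LINES = """\
START RequestId: 11111111-1111-4111-8111-111111111111 Version: $LATEST
2026-04-02T14:23:04.126Z 11111111-1111-4111-8111-111111111111 Task timed out after 3.00 seconds
END RequestId: 11111111-1111-4111-8111-111111111111
REPORT RequestId: 11111111-1111-4111-8111-111111111111 Duration: 3000.00 ms Billed Duration: 3000 ms Memory Size: 256 MB Max Memory Used: 96 MB Init Duration: 412.55 ms
START RequestId: 22222222-2222-4222-8222-222222222222 Version: $LATEST
2026-04-02T14:23:05.001Z 22222222-2222-4222-8222-222222222222 INFO handled order 8841
END RequestId: 22222222-2222-4222-8222-222222222222
REPORT RequestId: 22222222-2222-4222-8222-222222222222 Duration: 41.87 ms Billed Duration: 42 ms Memory Size: 256 MB Max Memory Used: 97 MB
START RequestId: 33333333-3333-4333-8333-333333333333 Version: $LATEST
2026-04-02T14:23:06.310Z 33333333-3333-4333-8333-333333333333 ERROR Invoke Error {"errorType":"TypeError","errorMessage":"Cannot read properties of undefined (reading 'id')"}
END RequestId: 33333333-3333-4333-8333-333333333333
REPORT RequestId: 33333333-3333-4333-8333-333333333333 Duration: 12.04 ms Billed Duration: 13 ms Memory Size: 256 MB Max Memory Used: 97 MB
""".splitlines()

if __name__ == "__main__":
    print(json.dumps(summarize(LOG_LINES), indent=2))
    print("\n".join(invocation_trace(LOG_LINES, "33333333-3333-4333-8333-333333333333")))
```

In the sample the only timeout is also the only cold start, which is exactly the confound the pitfall warns about: before blaming the handler, check whether the 3 s budget was eaten by the 412 ms init plus a slow dependency on first use.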

Detect drift between CloudFormation stacks and live resources

👤 Platform engineers, DevOps · ⏱ ~30 min · advanced

When to use: You suspect someone clicked in the console and changed a resource outside IaC.

Flow
  1. List stacks and trigger drift detection
    List all ACTIVE CloudFormation stacks. For each, start a drift detection and poll until all complete.
    → Drift status per stack: IN_SYNC / DRIFTED / NOT_CHECKED
  2. Dig into drifted stacks
    For each stack with status DRIFTED, list which resources drifted and what property differs.
    → Resource-level diffs (e.g. 'SG allows 0.0.0.0/0 but template says 10.0.0.0/8')
  3. Decide: update template or revert
    For each drift, recommend: is the live state intentional (update the template to match) or accidental (revert the resource)? Base it on the nature of the change.
    → Per-drift recommendation with reasoning

Outcome: Your IaC back in sync with reality, with a decision log.

Pitfalls
  • Drift detection doesn't cover every property of every resource type. Check the CloudFormation docs for the unsupported-drift list and supplement with AWS Config rules for thorough coverage.
Combine with: github
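The step-3 decision, as an added Python example (not code from awslabs/mcp or from CloudFormation). It classifies each PropertyDifferences entry of a response shaped like DescribeStackResourceDrifts: a widened CIDR or a change to a policy, encryption or public-access property gets 'revert', a narrowed CIDR or a tag change gets 'update-template', and everything else gets 'review'. The rules and the sample response are this example's assumptions, not CloudFormation behaviour.

```python
import ipaddress
import re

# Added example, not code from awslabs/mcp: the step-3 decision logic, run over a
# constructed response shaped like DescribeStackResourceDrifts. The rules are this
# example's heuristics, not CloudFormation's; tune them to your environment.

# Property paths whose drift is security-relevant and should be reverted by default.
SENSITIVE_PATH_RE = re.compile(
    r"(Policy|PolicyDocument|PublicAccessBlockConfiguration|BucketEncryption|"
    r"StorageEncrypted|PubliclyAccessible|KmsKeyId|SecurityGroupIngress|SecurityGroupEgress)")


def cidr_widened(expected, actual):
    """True if `actual` is a strict supernet of `expected` (e.g. 10.0.0.0/8 -> 0.0.0.0/0)."""
    try:
        exp, act = ipaddress.ip_network(expected, strict=False), ipaddress.ip_network(actual, strict=False)
    except ValueError:
        return False
    return exp.version == act.version and act.prefixlen < exp.prefixlen and exp.subnet_of(act)


def classify_difference(diff):
    """(decision, reason) for one PropertyDifferences entry."""
    path, exp, act = diff["PropertyPath"], diff.get("ExpectedValue"), diff.get("ActualValue")
    if path.endswith(("/CidrIp", "/CidrIpv6")) and diff["DifferenceType"] == "NOT_EQUAL":
        if cidr_widened(exp, act):
            return "revert", f"ingress/egress widened from {exp} to {act}"
        if cidr_widened(act, exp):
            return "update-template", f"live rule is tighter ({act}); codify it"
    if SENSITIVE_PATH_RE.search(path):
        return "revert", "security-relevant property changed outside IaC"
    if path.startswith("/Tags"):
        return "update-template", "tag drift; usually intentional"
    return "review", "non-security property; confirm intent with the owner"


def recommend(drifts_response):
    """One recommendation per drifted property (or per deleted resource)."""
    out = []
    for res in drifts_response["StackResourceDrifts"]:
        base = {"LogicalResourceId": res["LogicalResourceId"], "ResourceType": res["ResourceType"]}
        status = res["StackResourceDriftStatus"]
        if status == "DELETED":
            out.append({**base, "PropertyPath": None, "decision": "revert",
                        "reason": "resource deleted outside the stack; recreate via stack update"})
        elif status == "MODIFIED":
            for diff in res.get("PropertyDifferences", []):
                decision, reason = classify_difference(diff)
                out.append({**base, "PropertyPath": diff["PropertyPath"], "decision": decision, "reason": reason})
    return out


def decision_counts(recommendations):
    counts = {}
    for r in recommendations:
        counts[r["decision"]] = counts.get(r["decision"], 0) + 1
    return counts


# Constructed sample (not from a real stack); property values are strings, as the API returns them.
SAMPLE_DRIFTS = {"StackResourceDrifts": [
    {"LogicalResourceId": "ApiSecurityGroup", "ResourceType": "AWS::EC2::SecurityGroup",
     "StackResourceDriftStatus": "MODIFIED", "PropertyDifferences": [
         {"PropertyPath": "/SecurityGroupIngress/0/CidrIp", "ExpectedValue": "10.0.0.0/8",
          "ActualValue": "0.0.0.0/0", "DifferenceType": "NOT_EQUAL"}]},
    {"LogicalResourceId": "DataBucket", "ResourceType": "AWS::S3::Bucket",
     "StackResourceDriftStatus": "MODIFIED", "PropertyDifferences": [
         {"PropertyPath": "/Tags/1/Value", "ExpectedValue": "team-a", "ActualValue": "team-b",
          "DifferenceType": "NOT_EQUAL"},
         {"PropertyPath": "/PublicAccessBlockConfiguration/BlockPublicPolicy", "ExpectedValue": "true",
          "ActualValue": "false", "DifferenceType": "NOT_EQUAL"}]},
    {"LogicalResourceId": "AuditRole", "ResourceType": "AWS::IAM::Role",
     "StackResourceDriftStatus": "DELETED", "PropertyDifferences": []},
    {"LogicalResourceId": "AppServer", "ResourceType": "AWS::EC2::Instance",
     "StackResourceDriftStatus": "MODIFIED", "PropertyDifferences": [
         {"PropertyPath": "/InstanceType", "ExpectedValue": "t3.small", "ActualValue": "t3.medium",
          "DifferenceType": "NOT_EQUAL"}]},
]}

if __name__ == "__main__":
    for r in recommend(SAMPLE_DRIFTS):
        print(f"{r['LogicalResourceId']:<18} {r['PropertyPath'] or '-':<48} {r['decision']:<16} {r['reason']}")
```

The asymmetry is deliberate: a security group that drifted toward 0.0.0.0/0 is reverted, while one that drifted toward a tighter CIDR is treated as hardening to be codified, because reverting it would reopen the rule. Feed the output to the agent as the decision log the outcome above asks for, and let a human sign off on each 'review' row.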

Combinations

Combine with other MCPs for a 10x effect

aws + github

Correlate a deploy PR with the resulting CloudWatch alarm — identify the breaking commit

CloudWatch alarm prod-latency-p99 fired at 14:22. Find the GitHub PR merged to main closest to that time, summarize its diff, and tell me which hunk most likely caused the regression.
aws + postgres

For RDS-hosted Postgres, combine AWS-level observability with SQL access

RDS alarm 'cpu > 80%' on prod-db-01. Correlate with pg_stat_statements — which queries ran most during the spike?

aws + filesystem

Export AWS resource inventories to local CSVs for compliance docs

Export every S3 bucket with its encryption config and public-access settings to /reports/s3-audit-2026-04.csv.

Tools

What this MCP provides

Tool | Inputs | When to call | Cost
call_aws | service: str, operation: str, parameters: object | Generic AWS CLI equivalent: any service, any read operation | usually free; some services (Cost Explorer) bill per call
describe_stack | stack_name: str | CloudFormation introspection | free
detect_stack_drift / describe_stack_drift_detection_status | stack_name: str | Check IaC-vs-live drift | free
list_functions / get_function / invoke_function | Lambda name, payload? | Manage and test Lambdas; invoke is a write op and is gated | invoke billed at Lambda pricing
list_buckets / get_object / list_objects_v2 | S3 params | S3 inventory and content access | standard S3 request pricing
start_query / get_query_results (Logs Insights) | logGroupName, queryString, startTime, endTime | Log analytics across one or more log groups | $0.005 per GB scanned
get_metric_data | CloudWatch metric query JSON | Time-series metric pulls | free tier applies
get_cost_and_usage | TimePeriod, Granularity, GroupBy, Metrics | Cost Explorer queries | $0.01 per API call
list_services / describe_services / list_tasks (ECS) | cluster params | ECS cluster/service introspection | free
describe_db_instances (RDS) | identifier? | RDS inventory; use the postgres MCP for actual SQL | free

Cost and limits

What it costs

API quota
Per service. Most describe/list calls are free; some APIs bill per call (Cost Explorer $0.01 per call, Logs Insights $0.005 per GB scanned).
Tokens per call
200-2000 tokens typical; Logs Insights results can be large, so always set a row limit.
Money
The MCP itself is free. Your AWS bill reflects whatever API calls the agent makes.
Tip
Bound time windows, bound result rows, and cache describe-* output per session. A careless Logs Insights loop over 30 days of verbose logs can scan terabytes.

Security

Permissions, secrets, blast radius

Minimal scopes: arn:aws:iam::aws:policy/ReadOnlyAccess (for read-only use)
Credential storage: Standard AWS credential chain (env vars, ~/.aws/credentials, SSO, or an instance role). Never hardcode keys.
Outbound traffic: Direct to regional AWS API endpoints. No third party.
Never grant: AdministratorAccess, iam:*, write access, or kms:Decrypt on sensitive keys without scoping.

Troubleshooting

Common errors and fixes

Could not load credentials from any providers

Run aws sts get-caller-identity; if that fails, fix your CLI setup first. The MCP uses the same credential chain.

Check: aws sts get-caller-identity

AccessDenied on a Describe call

Your role is missing the specific permission. Read the error: it names the missing action. Add it to the role or switch profile.

Throttling: Rate exceeded

You're hitting service API limits (e.g. CloudFormation's low per-second request quota). Back off; most SDKs retry automatically, but bulk loops blow past the retry budget. Add explicit pauses between calls in multi-call prompts.

uvx can't find awslabs.<server>

Package name format: awslabs.<name>-mcp-server. Check the awslabs/mcp repo README for the current list; names changed in late 2025.

Check: uvx --help | head

Alternatives

AWS Labs MCP compared

Alternative | When to use | Trade-off
Cloudflare MCP | You run on Cloudflare (Workers/R2/D1) instead of AWS | Different cloud; not a drop-in
Terraform MCP (community) | You want IaC-first workflows across clouds | Less coverage of live-state debugging
Direct `aws` CLI via a shell MCP | You want Claude to run any CLI command, not just pre-approved ones | Much bigger attack surface; avoid unless sandboxed


Resources

📖 Read the official README on GitHub

🐙 Open issues
