AWS Labs MCP MCP — Use Cases, Install & Live Demo

Name: AWS Labs MCP MCP Server
Author: awslabs

Why use it

Key features

Per-service MCP servers — install only what you need
Auth via the same credential chain as the AWS CLI (profiles, SSO, env vars, instance role)
Read-only by default; writes gated behind ALLOW_MUTATING_TOOLS=true
CloudWatch Logs Insights + Metrics queries baked in
Maintained by AWS Labs, synced with AWS SDK updates

Live Demo

What it looks like in practice

aws.replay ▶ ready

0/0

Install

Pick your client

~/Library/Application Support/Claude/claude_desktop_config.json · Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "aws": {
      "command": "uvx",
      "args": [
        "awslabs.aws-api-mcp-server"
      ]
    }
  }
}

Open Claude Desktop → Settings → Developer → Edit Config. Restart after saving.

~/.cursor/mcp.json · .cursor/mcp.json

{
  "mcpServers": {
    "aws": {
      "command": "uvx",
      "args": [
        "awslabs.aws-api-mcp-server"
      ]
    }
  }
}

Cursor uses the same mcpServers schema as Claude Desktop. Project config wins over global.

VS Code → Cline → MCP Servers → Edit

{
  "mcpServers": {
    "aws": {
      "command": "uvx",
      "args": [
        "awslabs.aws-api-mcp-server"
      ]
    }
  }
}

Click the MCP Servers icon in the Cline sidebar, then "Edit Configuration".

~/.codeium/windsurf/mcp_config.json

{
  "mcpServers": {
    "aws": {
      "command": "uvx",
      "args": [
        "awslabs.aws-api-mcp-server"
      ]
    }
  }
}

Same shape as Claude Desktop. Restart Windsurf to pick up changes.

~/.continue/config.json

{
  "mcpServers": [
    {
      "name": "aws",
      "command": "uvx",
      "args": [
        "awslabs.aws-api-mcp-server"
      ]
    }
  ]
}

Continue uses an array of server objects rather than a map.

~/.config/zed/settings.json

{
  "context_servers": {
    "aws": {
      "command": {
        "path": "uvx",
        "args": [
          "awslabs.aws-api-mcp-server"
        ]
      }
    }
  }
}

Add to context_servers. Zed hot-reloads on save.

claude mcp add aws -- uvx awslabs.aws-api-mcp-server

One-liner. Verify with claude mcp list. Remove with claude mcp remove.

Use Cases

Real-world ways to use AWS Labs MCP

Triage a CloudWatch alarm by correlating logs, metrics, and recent deploys

👤 SRE and on-call engineers ⏱ ~15 min intermediate

When to use: An alarm just fired and you want to go from 'which service, which deploy, which log line' without tabbing through the console.

Prerequisites

AWS credentials with CloudWatch + CloudFormation read — aws sso login with a role that has ReadOnlyAccess managed policy
aws-cloudwatch-mcp server running — uvx awslabs.cloudwatch-mcp-server — or install the bundle

Flow

Pull the alarm details and affected resources

Describe CloudWatch alarm 'prod-api-5xx-high'. What resource does it watch, what threshold, what's the current state?✓ Copied

→ Alarm config plus state history (when it flipped)
Query logs around the breach

Run a Logs Insights query over the /aws/ecs/prod-api log group from 10 minutes before the alarm fired until now. Find ERROR-level log lines grouped by message template.✓ Copied

→ Top error templates with counts
Correlate with recent deploys

List CodeDeploy deployments to the prod-api service in the last 6 hours. Does any deploy time correlate with the error spike?✓ Copied

→ Deploy timeline lined up against error onset

Outcome: A concrete hypothesis like 'deploy abc123 at 14:22 UTC correlates with 5xx onset at 14:23' with the evidence to back it.

Pitfalls

Logs Insights queries against a big log group without a time window cost real money — Always include @timestamp bounds narrower than 1 hour; the MCP won't stop you from billing $$$
Cross-account resources need the right credential profile — Set AWS_PROFILE env var per server invocation; don't assume the default profile is the one you want

Combine with: sentry · github

Audit an S3 bucket for public objects and encryption status

👤 Security engineers, compliance reviewers ⏱ ~20 min intermediate

When to use: Before a pen test or audit, you want a quick inventory of bucket posture.

Prerequisites

S3:List and S3:GetBucket* permissions — Attach SecurityAudit managed policy (read-only)

Flow

List buckets and pull their policies

List all S3 buckets in this account. For each, fetch: Public Access Block config, bucket ACL, bucket policy, default encryption config.✓ Copied

→ Per-bucket posture table
Flag risky buckets

Highlight any bucket where Public Access Block is off, OR encryption is off, OR the bucket policy contains Principal: '*'.✓ Copied

→ Short list of risky buckets with reasons
Sample a few objects from the flagged buckets

For each flagged bucket, list the first 5 objects and show their ACLs. Are any actually world-readable?✓ Copied

→ Object-level confirmation rather than just bucket-level

Outcome: A prioritized remediation list for your security review.

Pitfalls

Bucket policies can grant public access even when ACLs look private — Evaluate both; use the GetPublicAccessBlock and GetBucketPolicyStatus APIs, not just ACLs

Combine with: filesystem

Find out why this month's AWS bill jumped

👤 Engineering leads, finance ops ⏱ ~25 min intermediate

When to use: Bill's up 30% and you have 48 hours to explain to finance.

Prerequisites

Cost Explorer API access — Enable Cost Explorer in the billing console; grant ce:GetCostAndUsage to your role

Flow

Get the daily cost deltas

Pull total blended cost per day for the last 60 days. Identify any day where cost jumped >20% vs 7-day trailing average.✓ Copied

→ Daily cost series plus flagged anomaly days
Break down by service for the anomaly

For the biggest anomaly day, break down cost by service. Which service drove the spike?✓ Copied

→ Service-level driver identified
Break down further by resource

For that service, break down by usage-type and resource tag. Which specific resource is responsible?✓ Copied

→ Resource-level culprit — e.g. 'nat gateway in us-east-1 processed 12 TB'

Outcome: A one-paragraph answer for finance: 'the spike was X caused by Y; fix is Z'.

Pitfalls

Cost Explorer has up to 24h lag — today's costs aren't fully there yet — Restrict queries to end at least 1 day ago; note the lag explicitly in your answer
Each Cost Explorer API call costs $0.01 — Don't loop queries in a script without bounds; the MCP won't stop you

Combine with: filesystem

Debug a failing Lambda by reading its recent invocations and logs

👤 Serverless engineers ⏱ ~15 min intermediate

When to use: A Lambda is throwing errors intermittently and you want to see inputs, errors, and duration trends.

Flow

Describe the function

Describe Lambda function my-api-handler. What runtime, memory, timeout, last modified?✓ Copied

→ Config snapshot
Pull recent errors from CloudWatch Logs

Logs Insights: for /aws/lambda/my-api-handler in the last 2 hours, show error lines with their requestId, duration, and init time. Group by error type.✓ Copied

→ Error categories with representative requestIds
Fetch one request end-to-end

Pick one failing requestId. Pull the full log stream for that invocation — START, all prints, END, REPORT. Tell me what happened.✓ Copied

→ Narrative of a single invocation with cold-start timing and error cause

Outcome: Specific error cause plus a fix path (more memory, dep upgrade, retry config, etc.).

Pitfalls

Provisioned concurrency skews cold-start numbers — Filter REPORT lines where Init Duration is present — those are cold starts; ignore them if you're debugging warm invocations

Combine with: github · sentry

Detect drift between CloudFormation stacks and live resources

👤 Platform engineers, devops ⏱ ~30 min advanced

When to use: You suspect someone clicked in the console and changed a resource outside IaC.

Flow

List stacks and trigger drift detection

List all ACTIVE CloudFormation stacks. For each, start a drift detection and poll until all complete.✓ Copied

→ Drift status per stack: IN_SYNC / DRIFTED / NOT_CHECKED
Dig into drifted stacks

For each stack with status DRIFTED, list which resources drifted and what property differs.✓ Copied

→ Resource-level diffs (e.g. 'SG allows 0.0.0.0/0 but template says 10.0.0.0/8')
Decide: update template or revert

For each drift, recommend: is the live state intentional (update the template to match) or accidental (revert the resource)? Base it on the nature of the change.✓ Copied

→ Per-drift recommendation with reasoning

Outcome: Your IaC back in sync with reality, with a decision log.

Pitfalls

Drift detection doesn't catch every property for every resource type — Check the CloudFormation docs for 'unsupported drift' list; supplement with AWS Config rules for thorough coverage

Combine with: github

Combinations

Pair with other MCPs for X10 leverage

aws + github

Correlate a deploy PR with the resulting CloudWatch alarm — identify the breaking commit

CloudWatch alarm prod-latency-p99 fired at 14:22. Find the GitHub PR merged to main closest to that time, summarize its diff, and tell me which hunk most likely caused the regression.✓ Copied

aws + postgres

For RDS-hosted Postgres, combine AWS-level observability with SQL access

RDS alarm 'cpu > 80%' on prod-db-01. Correlate with pg_stat_statements — which queries ran most during the spike?✓ Copied

aws + filesystem

Export AWS resource inventories to local CSVs for compliance docs

Export every S3 bucket with its encryption config and public-access settings to /reports/s3-audit-2026-04.csv.✓ Copied

Tools

What this MCP exposes

Tool	Inputs	When to call	Cost
call_aws	service: str, operation: str, parameters: object	Generic AWS CLI-equivalent — any service, any read operation	usually free; some services (CE) bill per call
describe_stack	stack_name: str	CloudFormation introspection	free
detect_stack_drift / describe_stack_drift_detection_status	stack_name: str	Check IaC-vs-live drift	free
list_functions / get_function / invoke_function	Lambda name, payload?	Manage and test Lambdas — invoke is a write op, gated	invoke costs per Lambda pricing
list_buckets / get_object / list_objects_v2	S3 params	S3 inventory and content access	standard S3 request pricing
start_query / get_query_results (Logs Insights)	logGroupName, queryString, startTime, endTime	Log analytics across one or more log groups	$0.005 per GB scanned
get_metric_data	CloudWatch metric query JSON	Time-series metric pulls	free tier applies
get_cost_and_usage	TimePeriod, Granularity, GroupBy, Metrics	Cost Explorer queries	$0.01 per API call
list_services / describe_services / list_tasks (ECS)	cluster params	ECS cluster/service introspection	free
describe_db_instances (RDS)	identifier?	RDS inventory; use postgres MCP for actual SQL	free

Cost & Limits

What this costs to run

API quota: Per-service. Most describe/list calls are free; some APIs bill per call (Cost Explorer $0.01, Logs Insights $0.005/GB scanned)
Tokens per call: 200-2000 tokens typical; Logs Insights results can be large — always set a row limit
Monetary: MCP itself is free. Your AWS bill reflects whatever API calls the agent makes.
Tip: Bound time windows, bound result rows, cache describe-* output per session. A careless Logs Insights loop over 30 days of verbose logs can scan TB of data.

Security

Permissions, secrets, blast radius

Minimum scopes: arn:aws:iam::aws:policy/ReadOnlyAccess (for read-only use)

Credential storage: Standard AWS credential chain — env vars, ~/.aws/credentials, SSO, or instance role. Never hardcode keys.

Data egress: Direct to AWS API endpoints (regional). No third party.

Never grant: AdministratorAccess iam:* write kms:Decrypt on sensitive keys without scoping

The AWS MCPs default to read-only, but several have a mutating mode behind an env flag. Audit which are enabled.
Bedrock/SageMaker operations can spend real money fast. Gate those servers separately.

Troubleshooting

Common errors and fixes

Could not load credentials from any providers

Run aws sts get-caller-identity — if that fails, fix your CLI setup first. The MCP uses the same chain.

Verify: aws sts get-caller-identity

AccessDenied on a Describe call

Your role is missing the specific permission. Read the error — it names the missing action. Add to role or switch profile.

Throttling: Rate exceeded

You're hitting service API limits (e.g. CloudFormation 1 req/s). Back off; most SDKs auto-retry but bulk loops blow past. Add explicit sleeps in multi-call prompts.

uvx can't find awslabs.<server>

Package name format: awslabs.<name>-mcp-server. Check the awslabs/mcp repo README for the current list — names changed in late 2025.

Verify: uvx --help | head

Alternatives

AWS Labs MCP vs others

Alternative	When to use it instead	Tradeoff
Cloudflare MCP	You run on Cloudflare (Workers/R2/D1) instead of AWS	Different cloud; not a drop-in
Terraform MCP (community)	You want IaC-first workflows across clouds	Less coverage of live-state debugging
Direct `aws` CLI via a shell MCP	You want Claude to run any CLI command, not just pre-approved ones	Much bigger attack surface; avoid unless sandboxed

More

Resources

📖 Read the official README on GitHub

🐙 Browse open issues

🔍 Browse all 400+ MCP servers and Skills