The standard AWS credential chain — env vars, ~/.aws/credentials profile, IMDS on EC2, or SSO. Set AWS_PROFILE to point at a dedicated read-only profile rather than your admin role.

Yes by design. The MCP intentionally does not expose Put/Create/Delete operations. For provisioning, drive Terraform or CloudFormation from the agent and review the diff before apply.

Which services are covered?

The most-used: EC2, S3, Lambda, RDS, IAM, CloudWatch (logs + metrics), STS, plus a generic boto3 call tool for less-common services. The AWS Labs project is adding service coverage actively.

How do I scope it down?

Use a dedicated IAM role with ReadOnlyAccess as the baseline and trim further. The MCP cannot enforce permissions the role itself does not have.

AWS

Name: Top MCPs — curated MCP directory
Creator: Top MCPs
License: https://creativecommons.org/licenses/by/4.0/

Official

Inspect AWS resources, read CloudWatch logs, and audit IAM from an AI agent.

Score 89(?)AWS LabsApache-2.0 9.2kVerified Jun 2, 2026Top MCPs for Cloud & Infrastructure →

Install View on GitHub

Quick answer

What it does

Wraps the AWS SDK for read operations across EC2, S3, Lambda, RDS, IAM, CloudWatch, and STS. Exposes resource enumeration, log fetch, metric queries, and identity inspection to AI models.

Best for

Incident investigation
IAM and security audits
CloudWatch log search
Cost-tagged resource enumeration

Not for

Provisioning new infrastructure
Unattended writes to production

Setup recipe

Pick your client, then follow the three steps.

Install

claude_desktop_config.jsonjson

{
  "mcpServers": {
    "aws": {
      "command": "uvx",
      "args": [
        "awslabs.aws-documentation-mcp-server"
      ],
      "env": {
        "AWS_PROFILE": "${AWS_PROFILE}",
        "AWS_REGION": "${AWS_REGION}"
      }
    }
  }
}

Paste under mcpServers. Fully quit and reopen Claude after editing.

CLI or .mcp.jsonshell

# export AWS_PROFILE=agent-readonly
# export AWS_REGION=us-east-1
claude mcp add aws -- uvx awslabs.aws-documentation-mcp-server

Run from your repo. Commit .mcp.json to share with your team.

.cursor/mcp.jsonjson

{
  "mcpServers": {
    "aws": {
      "command": "uvx",
      "args": [
        "awslabs.aws-documentation-mcp-server"
      ],
      "env": {
        "AWS_PROFILE": "${AWS_PROFILE}",
        "AWS_REGION": "${AWS_REGION}"
      }
    }
  }
}

Global path: ~/.cursor/mcp.json. Reload window after editing.

.vscode/mcp.jsonjsonc

{
  "servers": {
    "aws": {
      "command": "uvx",
      "args": [
        "awslabs.aws-documentation-mcp-server"
      ],
      "env": {
        "AWS_PROFILE": "${AWS_PROFILE}",
        "AWS_REGION": "${AWS_REGION}"
      }
    }
  }
}

VS Code uses the "servers" key (not "mcpServers").

~/.codeium/windsurf/mcp_config.jsonjson

{
  "mcpServers": {
    "aws": {
      "command": "uvx",
      "args": [
        "awslabs.aws-documentation-mcp-server"
      ],
      "env": {
        "AWS_PROFILE": "${AWS_PROFILE}",
        "AWS_REGION": "${AWS_REGION}"
      }
    }
  }
}

Open via Cascade → hammer icon → Configure.

cline_mcp_settings.jsonjson

{
  "mcpServers": {
    "aws": {
      "command": "uvx",
      "args": [
        "awslabs.aws-documentation-mcp-server"
      ],
      "env": {
        "AWS_PROFILE": "${AWS_PROFILE}",
        "AWS_REGION": "${AWS_REGION}"
      }
    }
  }
}

Open via the Cline sidebar → MCP Servers → Edit.

~/.continue/config.jsonjson

{
  "experimental": {
    "modelContextProtocolServers": [
      {
        "transport": {
          "type": "stdio",
          "command": "uvx",
          "args": [
            "awslabs.aws-documentation-mcp-server"
          ],
          "env": {
            "AWS_PROFILE": "${AWS_PROFILE}",
            "AWS_REGION": "${AWS_REGION}"
          }
        }
      }
    ]
  }
}

Continue uses modelContextProtocolServers with a transport block.

~/.codex/config.tomlshell

# ~/.codex/config.toml
[mcp_servers.aws]
command = "uvx"
args = [
  "awslabs.aws-documentation-mcp-server",
]
env = { AWS_PROFILE = "${AWS_PROFILE}", AWS_REGION = "${AWS_REGION}" }

Codex uses TOML. Each server is a [mcp_servers.<name>] subtable.

~/.config/zed/settings.jsonjsonc

{
  "context_servers": {
    "aws": {
      "command": {
        "path": "uvx",
        "args": [
          "awslabs.aws-documentation-mcp-server"
        ]
      },
      "env": {
        "AWS_PROFILE": "${AWS_PROFILE}",
        "AWS_REGION": "${AWS_REGION}"
      }
    }
  }
}

Zed calls them "context_servers". Settings live-reload on save.

ChatGPT → Apps directorynone

AWS doesn't ship a hosted HTTPS endpoint today. ChatGPT supports remote MCP servers only — to use this server in ChatGPT you'll need to deploy it to a public HTTPS URL first (e.g. via Cloudflare Workers or Vercel) or wait for an official remote build.

2
Set required secrets
Set AWS_PROFILE, AWS_REGION in your shell environment before launching your MCP client.
3
Try a minimum working prompt
Minimum working prompt pending verification. Try any prompt from the MCP’s README once installed.

Tools & permissions

Tool	Description	Args	Side effects
`list_ec2_instances`	List EC2 instances in the configured region.	—	Read
`list_s3_buckets`	List S3 buckets in the account.	—	Read
`get_cloudwatch_logs`	Fetch log events from a CloudWatch log group.	log_group: string, start_time?: string	Read
`list_iam_roles`	List IAM roles.	—	Read
`get_caller_identity`	Return the IAM identity the MCP is acting as.	—	Read

Security & scope

Access scope: Read-only
Sandbox: Authenticates with the standard AWS credential chain — env vars, profile, IMDS, or SSO. Read-only at the tool layer; pair with an IAM role scoped to ReadOnlyAccess (or tighter) for defence in depth.
Gotchas: Never wire the agent to your developer admin profile — create a dedicated read-only IAM role.
CloudWatch Logs has per-request size limits; long log scans require paging.
STS GetCallerIdentity is exposed so the agent can verify which account it is acting against — check this before any cross-account work.

Agent prompt pack

— copy into Claude, Cursor, or ChatGPT.

Paste into Claude, Cursor, or ChatGPT. Edit the [brackets] before sending.

Recommend the best MCP servers for [task: e.g. cloud & infrastructure work] in [client: Claude].

Constraints:
- Prefer tools that are [official | open-source | read-only] — pick what matters for my use case.
- Exclude MCPs that require [e.g. a paid plan, OAuth-only flows, remote-only transport].
- Return at most 3 picks, ranked.

For each pick include:
1. One-sentence rationale.
2. The ready-to-paste install snippet for my client.
3. Any required secrets I need to create before installing.

Cross-check the top-mcps.com listing: https://top-mcps.com/top-mcps-for-cloud-infrastructure

Compare AWS against a real alternative. Swap the second MCP in [brackets] if you want a different match.

Compare AWS MCP vs [Cloudflare MCP] for the following job: [describe the job, e.g. "let an agent create GitHub issues on bug triage"].

Judge them on:
- Setup time and complexity (what a new user hits first).
- Auth model (none / API key / OAuth 2.1) and credential risk.
- Transport (stdio / Streamable HTTP / SSE) and where the server runs.
- Required secrets and the blast radius if they leak.
- Operational risk in an unattended agent loop.
- Which one is "good enough" for a weekend prototype vs. production.

End with one sentence: which should I pick for my scenario, which is: [my scenario].

References:
- https://top-mcps.com/mcp/aws
- top-mcps.com listing for Cloudflare

Asks the agent to install and verify. Works inside Claude Code, Cursor Agent, Codex CLI.

Install the AWS MCP server for my [client: Claude] at the default config path for that client.

Use the exact install snippet published at https://top-mcps.com/mcp/aws (fetch https://top-mcps.com/mcp/aws.json for the canonical server.json if you can read URLs).

Before finishing:
1. Create the required secrets (AWS_PROFILE, AWS_REGION) and put them in the appropriate env block — do not hard-code them.
2. Restart or reload the client so it picks up the new server.
3. Verify the server is connected (green / running state) and at least one tool is listed.
4. If anything fails, read the client's MCP logs and report the exact error — do not silently retry.

Confirm when done and list the tools the server now exposes.

Frequently asked questions

What changed

— 2 updates tracked.

Jun 2, 2026
Refreshed install snippets and fact sheet; verified for 2026.
Apr 15, 2025
Initial directory listing.

More Cloud & Infrastructure MCPs

Other tools in the same category worth evaluating.

Supabase

Full Supabase access: database, auth, storage, and edge functions.

supabasedatabasebackendpostgres

5 minLow

Stripe

Official

Manage payments, customers, and subscriptions through Stripe.

stripepaymentsbillingcommerce

5 minMedium

Cloudflare

Official

Manage Workers, R2 buckets, DNS, and edge policies on Cloudflare.

cloudflareedgeworkersdns

10 minMedium

Compared with AWS

Side-by-side breakdowns for the choices people most often weigh against this MCP.

AWSvsCloudflare AWSvsSupabase AWSvsDigitalOcean AWSvsVercel (MCP server)

Exploring Top MCPs for Cloud & Infrastructure? See all Cloud & Infrastructure MCPs →

Quick answer

What it does

Best for

Not for

Setup recipe

Install

Set required secrets

Try a minimum working prompt

Tools & permissions

Security & scope

Agent prompt pack

Full details

Frequently asked questions

How does auth work?

Read-only?

Which services are covered?

How do I scope it down?

What changed

More Cloud & Infrastructure MCPs

Supabase

Stripe

Cloudflare

Compared with AWS