{
  "name": "io.github.awslabs/mcp",
  "description": "The official AWS MCP connects an AI agent to an AWS account via standard AWS credentials. Lists resources across the most-used services (EC2, S3, Lambda, RDS, IAM), reads CloudWatch logs and metrics, and runs read-only audits. The MCP is read-only by design — provisioning belongs in Terraform or CloudFormation, not in a conversation.",
  "status": "active",
  "version": "latest",
  "_meta": {
    "com.top-mcps/lastVerified": "2026-06-02",
    "com.top-mcps/score": {
      "value": 89,
      "rubricVersion": "2026-04",
      "lastComputed": "2026-06-02T13:16:41.659Z",
      "methodology": "https://top-mcps.com/about/methodology"
    },
    "com.top-mcps/stats": {
      "fetchedAt": "2026-06-02T13:16:41.398Z",
      "githubStars": 9180,
      "lastCommitAt": "2026-06-02T06:50:22Z"
    }
  },
  "repository": {
    "url": "https://github.com/awslabs/mcp",
    "source": "github"
  },
  "author": {
    "name": "AWS Labs"
  },
  "packages": [
    {
      "registryType": "pypi",
      "registryBaseUrl": "https://pypi.org",
      "identifier": "awslabs.aws-documentation-mcp-server",
      "version": "latest",
      "transport": {
        "type": "stdio"
      },
      "environmentVariables": [
        {
          "name": "AWS_PROFILE",
          "description": "AWS_PROFILE — required; names the AWS profile whose credentials the server uses.",
          "isRequired": true,
          "isSecret": true
        },
        {
          "name": "AWS_REGION",
          "description": "AWS_REGION — required; the AWS region that requests are sent to.",
          "isRequired": true,
          "isSecret": true
        }
      ]
    }
  ],
  "capabilities": {
    "tools": [
      {
        "name": "list_ec2_instances",
        "description": "List EC2 instances in the configured region.",
        "sideEffect": "read"
      },
      {
        "name": "list_s3_buckets",
        "description": "List S3 buckets in the account.",
        "sideEffect": "read"
      },
      {
        "name": "get_cloudwatch_logs",
        "description": "Fetch log events from a CloudWatch log group.",
        "sideEffect": "read",
        "args": [
          {
            "name": "log_group",
            "type": "string",
            "required": true
          },
          {
            "name": "start_time",
            "type": "string",
            "required": false
          }
        ]
      },
      {
        "name": "list_iam_roles",
        "description": "List IAM roles.",
        "sideEffect": "read"
      },
      {
        "name": "get_caller_identity",
        "description": "Return the IAM identity the MCP is acting as.",
        "sideEffect": "read"
      }
    ],
    "security": {
      "scope": "read-only",
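      "sandbox": "Authenticates with the standard AWS credential chain — env vars, profile, IMDS, or SSO. Read-only at the tool layer, but the tool layer is not the enforcement boundary: the IAM permissions attached to the credentials decide what the server can actually do. Pair it with an IAM role scoped to ReadOnlyAccess or, preferably, tighter for defence in depth; ReadOnlyAccess still permits reading stored data such as S3 object contents.",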
      "gotchas": [
        "Never wire the agent to your developer admin profile — create a dedicated read-only IAM role.",
        "CloudWatch Logs has per-request size limits; long log scans require paging.",
        "STS GetCallerIdentity is exposed so the agent can verify which account it is acting against — check this before any cross-account work."
      ]
    }
  },
  "_links": {
    "html": "https://top-mcps.com/mcp/aws",
    "markdown": "https://top-mcps.com/mcp/aws.md",
    "methodology": "https://top-mcps.com/about/methodology"
  }
}
