AWS API MCP Server
Official AWS Labs MCP server that executes AWS CLI commands with validation, security policy enforcement, and optional read-only mode. Part of the awslabs/mcp monorepo.
Server Info
- Package: awslabs.aws-api-mcp-server
- Registry: pypi
- Repository: awslabs/mcp
- Maintainer: AWS (Vendor)
- Category: Cloud & Infrastructure
- Tags: aws, cloud, infrastructure
- Last Scanned: 28 May 2026
Findings
8 issues
Authentication & Identity
HIGH: No MCP OAuth spec implementation
Server does not implement the MCP OAuth authorization server spec. The platform must handle the full OAuth flow, token management, and credential injection externally.
Implement the MCP OAuth spec (.well-known/oauth-authorization-server) for native per-user authentication.
HIGH: Env var credentials with no rotation mechanism
Credentials (AWS_REGION, AWS_API_MCP_PROFILE_NAME, AWS_API_MCP_TRANSPORT) are read from environment variables at startup. Rotation requires restarting the server process. All requests share the same service account credential.
Support dynamic credential refresh or secrets manager integration.
Tool Schema Quality
CRITICAL: Dangerous execution surface: call_aws executes arbitrary AWS CLI commands covering the full AWS API surface; shell operators (pipes, redirection, substitution) are blocked by parser validation, but the underlying boto3/botocore execution surface is broad
Tool allows raw code/query execution which could be exploited via prompt injection.
Use parameterized queries or validated command sets.
Permission Granularity
MEDIUM: 1 tool combines read and write operations
call_aws is a single tool covering the entire AWS API surface (read and write). Setting the READ_OPERATIONS_ONLY env var (READ_OPERATIONS_ONLY=true) restricts it to read-only AWS operations using a curated read-only operations index. REQUIRE_MUTATION_CONSENT triggers MCP elicitation before write operations when elicitation is supported. The readOnlyHint and destructiveHint annotations are set dynamically on call_aws based on the READ_OPERATIONS_ONLY_MODE flag. The larger awslabs/mcp monorepo contains 58 additional specialized servers (ecs-mcp, eks-mcp, dynamodb-mcp, s3-tables-mcp, etc.), each with its own tool set; these are not audited here.
Split into separate read and write tools.
HIGH: 1 destructive operation not isolated
Admin/delete tools are mixed with regular operations and cannot be independently disabled.
Namespace admin tools separately for independent access control.
LLM Safety
HIGH: Tool descriptions contain instructional language
Descriptions include directives that could influence LLM behavior beyond tool selection.
Remove instructional language. Descriptions should be purely factual.
MEDIUM: Overlapping tool descriptions may cause wrong selection
Similar descriptions between tools could cause the LLM to pick the wrong one.
Differentiate descriptions with unique use cases.
Data Exposure
LOW: No field selection on responses
Responses return full records rather than projected fields.
Implement field selection to return only relevant fields.
Tools
3 total

| Name | Description | Risk |
|---|---|---|
| suggest_aws_commands | Suggest AWS CLI commands based on a natural language query. This is a FALLBACK tool to use when you are uncertain about the exact AWS CLI command needed to fulfill a user's request. | read |
| call_aws | Execute AWS CLI commands with validation and proper error handling. This is the PRIMARY tool to use when you are confident about the exact AWS CLI command needed to fulfill a user's request. | admin |
| get_execution_plan | Get the execution plan for a compiled AWS workflow. Provides structured, step-by-step guidance for accomplishing a complex task with AWS. (Experimental; only registered if EXPERIMENTAL_AGENT_SCRIPTS=true) | read |
Deploy AWS API MCP Server securely
CompleteFlow adds per-user authentication, permission scoping, and audit logging to any MCP server out of the box.