Devlery
BlogSkillsTags
Blog/AI

AWS MCP Packs 15,000 APIs Into a New Boundary for Cloud Agents

AWS Agent Toolkit and the AWS MCP Server GA show how coding agents can reach cloud accounts through IAM, CloudWatch, and CloudTrail.

AWS MCP Packs 15,000 APIs Into a New Boundary for Cloud Agents
AI 요약
  • What happened: AWS moved the AWS MCP Server to general availability and bundled it into Agent Toolkit for AWS.
    • It exposes call_aws, documentation search, skill retrieval, and sandboxed Python execution through one MCP surface.
  • The number: Agents can reach more than 300 AWS services and over 15,000 API actions through the server.
  • Why it matters: Cloud access for coding agents is moving from local CLI convenience into an operational boundary with IAM, CloudWatch, and CloudTrail attached.
  • Watch: MCP is also a new infrastructure attack surface. Least privilege, audit logs, and approval paths matter as much as the tool choice.

AWS announced the general availability of the AWS MCP Server on May 6, 2026. At first glance, this looks like a straightforward product update: AWS now has a generally available MCP server. For builders, the more important shift is broader. A cloud provider is starting to treat what coding agents can see, execute, and leave behind in logs as a first-class operating model.

The announcement sits inside the larger Agent Toolkit for AWS. The toolkit combines the managed AWS MCP Server, agent skills, and agent plugins. AWS says it can connect to MCP-compatible coding agents such as Claude Code, Codex, Kiro, and Cursor. The GitHub repository is public, and the plugin bundles are split into areas such as aws-core, aws-agents, and aws-data-analytics.

The real question is not whether agents can use AWS more fluently. Many developers already give Claude Code, Codex, Cursor, or Gemini CLI access to the aws CLI. That can be enough for a small experiment. The problem starts after that. When the account belongs to a company, when multiple regions are involved, when cost controls, private data, and production IAM roles are on the table, an agent's AWS calls are no longer a convenience feature. They are an operational risk. AWS's announcement pulls that risk into the product surface.

Official AWS Agent Toolkit product image

AWS Is Pointing at Stale Model Knowledge

The AWS News Blog is direct about the problem it is trying to solve. When coding agents work deeply with AWS but cannot see current documentation, several failures repeat. They miss services or features released after the model's training cutoff. AWS names Amazon S3 Vectors, Amazon Aurora DSQL, and Amazon Bedrock AgentCore as examples. It also says agents can prefer direct AWS CLI commands over AWS CDK or CloudFormation when asked to create infrastructure, and that they can generate IAM policies broader than necessary.

That pattern will feel familiar to anyone who uses AI coding tools. A model can produce plausible code while missing today's API shape or a provider rule that changed last week. In application code, tests and type errors often catch part of the problem. Cloud infrastructure fails differently. A wrong API name, missing region condition, excessive IAM action, or broken resource policy can land in a real account.

The AWS MCP Server tries to close that gap through current documentation lookup and controlled API execution. According to the official documentation, documentation search and service information retrieval can be used without authentication. AWS API calls, sandboxed Python script execution, and curated skill usage authenticate through existing IAM credentials. That draws a line between a documentation retrieval tool and an operational tool.

The Weight of Putting 15,000 APIs Behind One Tool

The number AWS highlights is large. The AWS MCP Server's call_aws tool is described as covering more than 300 AWS services and over 15,000 API actions. That is a useful capability story, but it also shows the size of the risk. Opening a cloud API surface to an agent means S3 bucket listing, IAM policy changes, CloudFormation stack operations, cost exploration, and log analysis can all enter the same conversation.

That is why the surrounding machinery matters more than call_aws by itself. The official tool list includes aws___search_documentation, aws___read_documentation, aws___retrieve_skill, aws___call_aws, aws___suggest_aws_commands, aws___run_script, aws___get_presigned_url, and aws___get_tasks. Knowledge tools and execution tools live inside the same server, but they play different roles. Skills provide workflows and best practices. Knowledge tools bring in current information. API tools pass through authentication and authorization before doing real work.

This shape matches where agent platforms are generally moving. The pattern is less "show every tool to the model at once" and more "keep a small tool surface, retrieve skills when needed, follow verified procedures, and make execution auditable." AWS also describes a move from Agent SOPs to Skills. Those skills are maintained by AWS service teams and give agents curated guidance for tasks they often get wrong. AWS says this keeps the tool list shorter and more predictable, which is also a practical way to reduce hallucinated calls.

ComponentWhat the agent getsWhat operations teams should inspect
Knowledge toolsCurrent AWS docs, API references, and service capability lookupDocumentation lookup can work without authentication, so information access and execution rights should remain separate.
API toolsCalls to more than 15,000 AWS API actionsIAM policies, SCPs, and approval workflows become the real safety controls.
Sandboxed scriptMultiple API calls, aggregation, and retries handled in PythonTeams should review whether filesystem and network isolation are enough for each task type.
SkillsTask procedures for CDK, CloudFormation, data pipelines, and serverless workTeams need a policy for skills that conflict with internal standards.

From Local CLI Calls to Auditable Execution

The most practical part of the AWS announcement is an IAM context key. The product page and GitHub README point to aws:CalledViaAWSMCP. With that condition key, a team can write policy that distinguishes direct human calls from calls routed through the MCP server, even when the same underlying IAM role is involved. One policy shape could allow a human to perform mutating operations while limiting MCP-routed calls to read-only access.

That is not a minor distinction. So far, many agent tools have borrowed the user's local shell and run AWS CLI commands from there. CloudTrail can still record the resulting API calls, but it is hard to separate whether a human directly issued a command or whether an agent proposed and executed it. Teams then have to preserve local terminal logs and chat session history separately, while the policy still applies to the user's full authority.

The AWS MCP Server tries to move that path through a separate managed surface. CloudWatch metrics are split into the AWS-MCP namespace, and CloudTrail records the API calls. That separation matters in enterprise environments. Security and platform teams need to see agent call volume, failure rates, heavily used APIs, and which roles attempted MCP-routed changes. That visibility creates a practical middle ground between banning agent access and allowing it inside clear boundaries.

Developer or coding agent

AWS MCP Server: documentation, skills, API tools, sandboxed script

IAM policy and aws:CalledViaAWSMCP condition key

AWS API call, CloudWatch metric, CloudTrail audit record

run_script Is Both Convenience and a New Boundary

Another feature worth watching is run_script. AWS says an agent can write a short Python script and execute it in a server-side sandbox. The sandbox inherits the user's IAM permissions, but AWS says it does not have local filesystem or network access. The purpose is clear: instead of forcing an agent to call APIs one by one while spending context and time, the agent can bundle multiple API calls, filter and compute the result, and return a smaller answer.

Imagine checking resource state across several accounts or regions, finding missing tags, aggregating cost metrics, or summarizing failed CloudFormation stack events. If an interactive agent pulls every API response into model context, token use and latency grow quickly. A Python script can handle intermediate aggregation so the model can focus on the final summary and the next decision.

But this feature is also a new boundary because it is server-side code execution. Even if AWS blocks network and local filesystem access, the script still calls AWS APIs with IAM authority. Platform teams should decide which roles can use run_script, what combinations of API actions are possible, and how failed scripts or long-running tasks are recorded. There should be an approval step between information gathering and changing the environment.

Agent Toolkit Brings AWS Labs Experiments Into the Supported Path

The Agent Toolkit for AWS repository frames this launch as a continuation of the AWS Labs work. Since 2025, AWS Labs has released MCP servers, skills, and plugins. The toolkit moves parts of that experimentation into an AWS-supported shape. AWS says the Labs assets will keep working and accepting contributions, while useful pieces are gradually moved into the toolkit.

That connects with a broader move among large AI and cloud companies. Anthropic created MCP and then acquired Stainless, strengthening the pipeline for SDK, CLI, and MCP server generation. Google is productizing the way agents read domain rules through Gemini API managed agents and Android Agent Skills. GitHub is pulling coding agents into GitHub's own work surfaces through Copilot CLI, cloud agents, the Copilot app, and review feedback handoff.

AWS is different because its leverage is not the model or the IDE. It owns the cloud execution layer. If an agent eventually touches deployments, logs, IAM, data pipelines, cost, VPCs, containers, or serverless resources, it has to enter the cloud provider's policy and audit system. Agent Toolkit sits exactly at that junction. It treats MCP not just as a standard for calling tools, but as a control surface for cloud authority.

The Community Mood Is More Cautious Than Celebratory

For the original Korean article, I checked the current Hacker News and GeekNews lists alongside the official sources. Hacker News was more focused on themes such as DeepSeek Reasonix, LLM agent fragility, and AI chip memory cost. GeekNews was showing agent-native development tools and AI-assisted coding practice posts such as Zero, agentmemory, and Herdr. AWS Agent Toolkit itself did not appear to be the center of a large discussion.

The surrounding reaction is closer to a security question: are MCP servers and sandboxes becoming a new infrastructure attack surface? A recent r/sysadmin thread treated MCP servers and agent sandboxes as 2026 infrastructure questions, especially around secrets, API keys, and database credentials flowing into agent context. ByteVanguard made a similar argument, saying MCP servers should be treated less like harmless AI configuration and more like web applications, API gateways, or internal services.

That makes the AWS announcement more interesting, not less. It is probably not an accident that AWS foregrounds CloudWatch, CloudTrail, and IAM context keys. The market has already moved beyond "connect tools to agents" and into "who is responsible when those tools carry production authority?"

The Practical Questions for Development Teams

Development teams now have three immediate questions to ask. First, when an agent works with AWS, should it call a local CLI directly or pass through a managed boundary such as MCP Server? The first option is faster for personal experiments. The second may be more explainable for team operations.

Second, should agent IAM permissions be designed differently from human permissions? A condition key such as aws:CalledViaAWSMCP only matters if IAM policies and service control policies reflect it. The attitude that "our developers already have admin, so the agent can have the same access" underestimates repeated execution, misunderstanding, and prompt injection risk.

Third, how should skills and documentation retrieval line up with internal standards? AWS-maintained skills can be a useful starting point, but every company's network, tagging, encryption, approval, and cost policies differ. Following an official best practice is not always the same as following an internal guardrail. Even with AWS Toolkit, teams still need repository-level instructions, internal rule files, preflight checks, and CI policy.

Conclusion: MCP Is Moving From Connection Standard to Operations Standard

The AWS MCP Server GA is more than a single product launch. It shows MCP moving from "a convenient way to attach tools to a model" toward "a standard path for agents exercising real infrastructure authority." In that world, the number of tools is not the main advantage. The harder questions are which tools to expose, when to retrieve skills, how to narrow permissions, how to log execution, and how to recover from failure.

AWS has wrapped more than 15,000 API actions into one MCP server. It has also attached an IAM condition key, CloudWatch metrics, and CloudTrail audit records. That combination is likely to become a reference point other clouds and agent platforms cannot ignore. If coding agents take on real work, they will need to enter the same system of authority, logs, and accountability as humans.

So the core news is not simply that AWS supports MCP. It is that the next competition in cloud agents is shifting from model performance and IDE UX toward operational control and auditability. The developer question changes with it. Instead of asking only whether an agent can call AWS, teams need to ask which boundary that call crosses, what record it leaves, and what approval happened before it ran.