logo
Free, unlimited AI code reviews that run on commit
git-lrc git-lrc GitHub Install Now We'd appreciate a star git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt

Cloud Governance Toolkit for LLM Context

A collection of specialized servers facilitating secure, compliant interaction with Amazon Web Services (AWS) resources. This tooling ensures that Large Language Model (LLM) applications operate within established security parameters, incorporating best practices derived from infrastructure-as-code development principles. It supports rigorous analysis of CDK deployments and adherence to security standards, reflecting the concept of protection from hostile or unwanted change in digital environments.

Author

Cloud Governance Toolkit for LLM Context logo

awslabs

Apache License 2.0

Quick Info

GitHub GitHub Stars 6585
NPM Weekly Downloads 0
Tools 1
Last Updated 2026-02-19

Actions

GitHub View on GitHub

Tags

awslabsawsworkflowssecurity awslabsaws developmentmanage aws

Introduction

The Model Context Protocol (MCP) facilitates the secure integration of generative AI applications with external data and tooling. This package provides AWS-centric MCP servers designed to embed necessary context into LLMs, ensuring outputs align with necessary governance and security standards. Security, fundamentally defined as protection from potential harm or unwanted coercion, is paramount in this framework, applying both to physical and virtual assets, such as cloud infrastructure definitions.

Server Sent Events Support Removal

Support for Server Sent Events (SSE) was discontinued in the latest major releases of all MCP servers on May 26th, 2025. This reflects alignment with the Model Context Protocol specification's evolving backward compatibility guidelines. Effort is currently directed toward implementing Streamable HTTP for future transport mechanisms. Users relying on SSE must temporarily utilize the preceding major server versions until migrating to these newer transport methods.

Why AWS MCP Servers?

These servers significantly enhance the utility of foundational models (FMs) in cloud engineering contexts. They reduce instances of inaccurate generation by supplying up-to-date technical data regarding AWS services. MCP servers translate routine cloud management operations, such as those involving CDK or Terraform, into actionable tools for the AI assistant. This contextual enrichment ensures that generated code and operational recommendations adhere to current AWS architectural guidance and service specifications.

Available MCP Servers: Quick Installation

Installation for various development environments is streamlined using one-click options for Cursor and VS Code. The primary prerequisite is the uv package manager, obtained from Astral, followed by Python installation, typically version 3.10.

🚀 Getting Started with AWS

Start with these core servers for general AWS interaction and up-to-date knowledge retrieval.

Server Name Description Install
AWS API MCP Server Core AWS API access with validation for operations and controls. Install
Install VS Code
AWS Knowledge MCP Server Managed remote server providing access to current AWS documentation and architectural references. Install
Install VS Code

🏗️ Infrastructure & Deployment

These utilities assist in defining and validating cloud resources using established Infrastructure as Code methodologies.

Server Name Description Install
AWS CDK MCP Server Facilitates AWS CDK workflows, prioritizing security compliance and established patterns. Install
Install on VS Code
AWS Terraform MCP Server Integrates security analysis directly into Terraform infrastructure management routines. Install
Install on VS Code

👨‍💻 Vibe Coding & Development

Core tools supporting the developer experience, providing essential contextual information during active coding sessions.

Server Name Description Install
Core MCP Server Offers intelligent planning and orchestration of other available MCP servers. Install
Install on VS Code
Git Repo Research MCP Server Enables semantic code search and detailed analysis across source code repositories. Install
Install on VS Code

MCP AWS Lambda Handler Module

A specialized Python module simplifies the creation of serverless HTTP handlers adhering to the Model Context Protocol using AWS Lambda. This library offers a structured means to expose MCP capabilities via serverless endpoints. It features modular session handling, including a default DynamoDB backend for persistence, alongside customizable mechanisms for authentication and access control. Comprehensive usage documentation resides in src/mcp-lambda-handler/README.md.

When to use Local vs Remote MCP Servers?

Server deployment strategy requires considering operational needs and data locality. Local execution is ideal for debugging and testing requiring minimal network delay. Remote execution across the AWS cloud ensures broader accessibility and scalability for team collaboration. Some servers, such as the AWS Knowledge MCP Server, are offered as fully managed cloud services, requiring zero user infrastructure setup.

Local MCP Servers

Use local servers for development and rapid iteration cycles. They offer direct resource control and reduced latency, especially beneficial when internet connectivity is unstable. They also keep sensitive access credentials confined to the local machine.

Remote MCP Servers

Remote deployment promotes standardized configurations across a development group. Utilizing cloud resources handles spikes in processing demands effectively. Managed remote servers automatically receive feature updates and critical security patches.

Installation and Setup

After installing uv and a compatible Python version, configure your AWS credentials. Configuration is managed via JSON files specific to the consuming application client.

Example global configuration for Amazon Q Developer CLI (~/.aws/amazonq/mcp.json):

{
  "mcpServers": {
    "awslabs.core-mcp-server": {
      "command": "uvx",
      "args": [
        "awslabs.core-mcp-server@latest"
      ],
      "env": {
        "FASTMCP_LOG_LEVEL": "ERROR"
      }
    }
  }
}

For Windows environments using uv, the execution command structure adapts slightly:

{
  "mcpServers": {
    "awslabs.core-mcp-server": {
      "disabled": false,
      "timeout": 60,
      "type": "stdio",
      "command": "uv",
      "args": [
        "tool",
        "run",
        "--from",
        "awslabs.core-mcp-server@latest",
        "awslabs.core-mcp-server.exe"
      ],
      "env": {
        "FASTMCP_LOG_LEVEL": "ERROR"
      }
    }
  }
}

Manual testing of server startup and argument adherence can be performed using the timeout command, which checks execution within a specified duration:

# Run MCP server manually with timeout 15s
$ timeout 15s uv tool run <MCP Name> <args> 2>&1 || echo "Command completed or timed out"

To force a refresh of a specific server version from the cache, use the following command structure, omitting the "@latest" suffix for stable local cache use:

  • uv cache clean <tool>: Removes the specified tool from cache for a fresh install.
  • uvx <tool>@latest: Refreshes the tool to the most recent version in the cache.

Running MCP servers in containers

Containerized deployment utilizes official images from the public AWS ECR registry (public.ecr.aws/awslabs-mcp). Since environment variables defined in the JSON configuration are inaccessible within the container runtime, they must be passed explicitly using Docker flags.

An example illustrating the execution of the Nova Canvas server using environment files and volumes:

{
  "mcpServers": {
    "awslabs.nova-canvas-mcp-server": {
      "command": "docker",
      "args": [
        "run",
        "--rm",
        "--interactive",
        "--env",
        "FASTMCP_LOG_LEVEL=ERROR",
        "--env",
        "AWS_REGION=us-east-1",
        "--env-file",
        "/full/path/to/.env",
        "--volume",
        "/full/path/to/.aws:/app/.aws",
        "public.ecr.aws/awslabs-mcp/awslabs/nova-canvas-mcp-server:latest"
      ],
      "env": {}
    }
  }
}

Local development builds require updating the tag in the MCP configuration to point to your locally built image instead of the ECR reference.

  • The Model Context Protocol (MCP) standardizes AI tool interaction.
  • Infrastructure as Code (IaC) principles govern resource provisioning.
  • AWS Well-Architected Framework provides guidance on secure cloud operations.
  • Hallucination Reduction is achieved by providing accurate, real-time context.
  • Cyber Security focuses on protecting virtual assets and information systems.
  • Resilience is the capability of a system to recover from failures or attacks.

Extra Details

This collection emphasizes secure cloud development. By integrating tools like the AWS CDK MCP Server and AWS IAM MCP Server, users ensure that any infrastructure provisioned via AI assistance adheres to least-privilege principles and established security postures. The concept of security extends to data handling; for example, the Amazon Bedrock Data Automation MCP Server allows analysis of sensitive media while managing access permissions.

Getting Started with Amazon Q Developer CLI

To enable MCP servers for the Amazon Q Developer CLI, configure the settings file, typically located at ~/.aws/amazonq/mcp.json for global access. Ensure necessary AWS credentials permit API calls for the selected servers.

~/.aws/amazonq/mcp.json

{
  "mcpServers": {
    "awslabs.core-mcp-server": {
      "command": "uvx",
      "args": ["awslabs.core-mcp-server@latest"],
      "env": {
        "FASTMCP_LOG_LEVEL": "ERROR"
      }
    }
  }
}

Getting Started with Cline and Amazon Bedrock

Using Cline with Amazon Bedrock requires enabling the desired foundation models within your AWS account, as interaction incurs standard AWS charges. After installing the Cline VS Code Extension, access the MCP Server configuration panel.

When configuring servers, note that using the AWS Profile authentication method is preferred over static credentials for better credential rotation and security.

When defining the core server entry in cline_mcp_settings.json, specify the execution utility and arguments:

cline_mcp_settings.json

json { "mcpServers": { "awslabs.core-mcp-server": { "command": "uvx", "args": ["awslabs.core-mcp-server@latest"], "env": { "FASTMCP_LOG_LEVEL": "ERROR", "MCP_SETTINGS_PATH": "path to your mcp settings file" } } } } }

It is vital to set a custom instruction within Cline to mandate the use of the mcp-core server at the beginning of every processing cycle to guarantee contextual grounding.

Security

Security controls are integrated across many of these tools, for instance, the AWS IAM MCP Server helps enforce least-privilege access definitions. Before deploying any infrastructure suggested by an AI assistant utilizing these servers, always review the generated code to maintain accountability and confirm compliance with organizational security mandates.

Conclusion

These AWS MCP Servers standardize the mechanism by which large language models securely access timely, accurate information regarding AWS services and infrastructure patterns. By leveraging this framework, developers enhance their productivity while ensuring that AI-assisted cloud operations are built upon a foundation of robust technical knowledge and strong security practices. This approach aids in maintaining system integrity against potential vulnerabilities arising from outdated or incomplete knowledge.

See Also

MCP
Servers Mcp
MCP
Servers Mcp
Man Pages
security Man Pages
MCP
Mcp Mcp
Man Pages
core Man Pages
☁️
Cloud Emojis
MCP
Infrastructure-state-persistence-engine Mcp
Command
Command PNG Icons
Man Pages
Using Man Pages
← Back to Security🙏  Credits & Acknowledgments
`