// MCP TOOL REFERENCE

AWS TOOLS

58 tools from the AWS MCP Server, categorised by risk level.

View the AWS policy →
// ALL 58 AWS TOOLS
READ 46 tools
Read analyze_log_group Detect anomalies and errors in logs Read analyze_metric Analyse CloudWatch metric trends Read analyze_stack_failures Diagnose failed CloudFormation stacks Read aws___read_documentation Fetch and convert an AWS documentation page to markdown format. ## Usage This tool retrieves the ... Read aws___recommend Get content recommendations for an AWS documentation page. ## Usage This tool provides recommenda... Read aws___search_documentation Search AWS documentation using the official AWS Documentation Search API. ## Usage This tool sear... Read azureterraformbestpractices Get Terraform best practices for Azure Read bedrock_kb_retrieve Query Bedrock knowledge bases Read check_cdk_nag_suppressions Validate CDK Nag suppressions Read describe_log_groups List metadata about CloudWatch log groups Read dynamodb_data_model_validation Validate DynamoDB data models Read dynamodb_data_modeling Interactive DynamoDB data modelling Read explain_cdk_nag_rule Explain specific CDK Nag security rules Read get_active_alarms Identify currently active CloudWatch alarms Read get_alarm_history Retrieve alarm state change history Read get_bestpractices Get AWS development and deployment guidance Read get_cdk_best_practices Retrieve AWS CDK best practices Read get_cloudwatch_logs Access CloudWatch logs for EKS Read get_cloudwatch_metrics Retrieve CloudWatch metrics for EKS Read get_eks_vpc_config Retrieve VPC configuration for EKS Read get_k8s_events List Kubernetes events Read get_logs_insight_query_results Retrieve CloudWatch Insights query results Read get_pod_logs Retrieve Kubernetes pod logs Read get_regional_availability Check regional availability for AWS services Read get_resource Retrieve specific AWS resource details Read get_schema Get CloudFormation schema for resources Read list_api_versions List available Kubernetes API versions Read list_k8s_resources List Kubernetes resources by kind Read list_knowledge_bases List available Bedrock knowledge bases Read list_regions List all AWS regions Read list_resources Enumerate resources of specified types Read query_sql Execute read-only SQL queries against S3 Tables Read read_documentation Retrieve AWS docs as markdown Read retrieve_agent_sop Search AWS operational procedures Read search_cdk_documentation Search CDK docs and constructs Read search_cfn_documentation Query CloudFormation docs and patterns Read search_documentation Search across AWS documentation Read source_db_analyzer Extract schema from existing databases Read suggest_aws_commands Get AWS CLI command syntax help Read tf_init Initialise Terraform working directory Read tf_output Retrieve Terraform output values Read tf_plan Generate Terraform execution plan Read tf_state_list List resources in Terraform state Read tf_validate Validate Terraform configuration Read validate_cfn_security Check CloudFormation compliance Read validate_cfn_template Validate CloudFormation syntax and schema
WRITE 6 tools
Write create_resource Create AWS resources declaratively Write create_table_from_csv Convert CSV files to S3 Tables Write manage_eks_stacks Manage EKS CloudFormation stacks Write manage_k8s_resource Create, update, or delete Kubernetes resources Write tf_apply Apply Terraform changes to infrastructure Write update_resource Update existing AWS resources
DESTRUCTIVE 3 tools
Destructive cancel_logs_insight_query Cancel in-progress CloudWatch queries Destructive delete_resource Delete AWS resources Destructive tf_destroy Destroy Terraform-managed infrastructure
EXECUTE 3 tools
Execute call_aws Execute authenticated AWS API calls Execute execute_log_insights_query Run CloudWatch Logs Insights queries Execute invoke_lambda Execute Lambda functions
// RUNNING THIS SERVER

The managed route: connect AWS through the PolicyLayer gateway — every tool call above is checked against your policy before it runs, with a full audit log.

DIRECT INSTALL (UNMANAGED) npx -y @awslabs/mcp
// FAQ
How many tools does the AWS MCP server have? +

The AWS MCP server exposes 58 tools across 4 categories: Read, Write, Destructive, Execute.

How do I enforce policies on AWS tools? +

Route the AWS server through the PolicyLayer gateway. Define allow, deny, or approval rules per tool in the dashboard — they are enforced on every call before it reaches the server.

What risk categories do AWS tools fall into? +

AWS tools are categorised as Read (46), Write (6), Destructive (3), Execute (3). Each category has a recommended default policy.

Let agents act without letting them run wild.

Route your MCP servers through PolicyLayer and every tool call is checked against your policy before it runs — allow, deny, or require approval. Per-identity grants. Full audit log. Live in minutes.

SECURE YOUR MCP →

Free to start. No card required.

4,600+ MCP servers and 31,000+ tools scanned and risk-classified.

// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.