Labsco
arunsanna logo

AWS MCP

ā˜… 5

from arunsanna

Interact with your AWS environment using natural language. Requires local AWS credentials.

šŸ”„šŸ”„šŸ”„āœ“ VerifiedFreeAdvanced setup

AWS Sage

A production-grade Model Context Protocol (MCP) server for AWS. Connect AI assistants to your AWS infrastructure and manage it through natural conversation.

šŸš€ Works with any MCP-compatible client - just install and configure.

Compatible Clients

ClientStatusNotes
Claude Desktopāœ… Full SupportRecommended
Claude Codeāœ… Full SupportCLI & IDE
Cursorāœ… Full SupportMCP enabled
Clineāœ… Full SupportVS Code extension
Windsurfāœ… Full SupportMCP enabled
Zedāœ… Full SupportMCP enabled
VS Code + Copilotā³ PlannedVia MCP extension

Why AWS Sage?

AWS Labs offers 15 separate MCP servers for different services. AWS Sage takes a different approach:

FeatureAWS Labs MCPAWS Sage
Architecture15 separate servers1 unified server
Tools~45 tools across servers30 intelligent tools
Cross-Service QueriesNoYes - discover resources across all services
Dependency MappingNoYes - "what depends on this resource?"
Impact AnalysisNoYes - "what breaks if I delete this?"
Incident InvestigationNoYes - automated troubleshooting workflows
Cost AnalysisSeparate serverBuilt-in - idle resources, rightsizing, projections
LocalStack SupportNoYes - seamless local development
Multi-AccountNoYes - cross-account via AssumeRole
Docker SupportSeparateBuilt-in with docker-compose
Safety SystemBasic3-tier with 70+ blocked operations
Natural LanguageLimitedFull NLP with intent classification

Features

Core Capabilities

  • Natural Language Queries: "Show me EC2 instances tagged production"
  • Multi-Profile Support: Switch between AWS profiles with SSO support
  • Auto-Pagination: Never miss resources due to pagination limits
  • Smart Formatting: Tabular output for lists, detailed JSON for single resources

Safety System

Three safety modes protect your infrastructure:

ModeDescriptionOperations Allowed
READ_ONLYDefault - exploration onlylist, describe, get
STANDARDNormal operationsread + write (with confirmation)
UNRESTRICTEDFull accessall except denylist

Always Blocked (70+ operations):

  • cloudtrail.delete_trail / stop_logging
  • iam.delete_account_password_policy
  • organizations.leave_organization
  • guardduty.delete_detector
  • kms.schedule_key_deletion
  • And 65+ more critical operations

Unique Differentiators

Cross-Service Resource Discovery

Find resources across your entire AWS account:

"Find all resources tagged Environment=production"
"Discover resources with Name containing api"

Dependency Mapping

Understand resource relationships:

"What resources does my Lambda function depend on?"
"Map dependencies for my ECS service"

Impact Analysis

Know what breaks before you delete:

"What will break if I delete this security group?"
"Show impact of removing this IAM role"

Incident Investigation

Automated troubleshooting workflows:

"Investigate why my Lambda is failing"
"Debug high latency on my ALB"
"Analyze this security alert"

Cost Analysis

Find savings and optimize spending:

"Find idle resources in my account"
"Get rightsizing recommendations for EC2"
"Project costs for 3 t3.large instances"

LocalStack Integration

Develop locally without touching production:

"Switch to LocalStack environment"
"Compare S3 buckets between localstack and production"

Multi-Account Support

Work across AWS accounts:

"Assume role in account 123456789012"
"Switch to production account"

Tools Reference (30 Tools)

Credential Management

ToolDescription
list_profilesList available AWS profiles
select_profileSelect and authenticate with a profile
get_account_infoShow current account ID, region, identity

Safety Controls

ToolDescription
set_safety_modeSwitch between READ_ONLY, STANDARD, UNRESTRICTED

Query Operations (Read-Only)

ToolDescription
aws_queryNatural language AWS queries
validate_operationCheck if an operation is valid without executing

Execute Operations (Require Confirmation)

ToolDescription
aws_executeExecute validated AWS operations

Context & Memory

ToolDescription
get_contextView conversation context and recent resources
set_aliasCreate shortcuts for resources (e.g., "prod-db")
list_aliasesView all defined aliases

Cross-Service Intelligence

ToolDescription
discover_resourcesFind resources by tags across all services
map_dependenciesShow what a resource depends on
impact_analysisPredict what breaks if you modify/delete something
investigate_incidentAutomated incident investigation workflows

AWS Knowledge (Composition)

ToolDescription
search_docsSearch AWS documentation
get_aws_knowledgeQuery built-in AWS knowledge base
get_best_practicesGet service-specific best practices
get_service_limitsShow default service quotas

Cost Analysis

ToolDescription
find_idle_resourcesFind unused EC2/RDS/EBS/EIP resources
get_rightsizing_recommendationsGet EC2 right-sizing suggestions
get_cost_breakdownSpending analysis by service/tag
project_costsEstimate costs before deployment

Environment Management

ToolDescription
list_environmentsList configured environments (production/localstack)
switch_environmentSwitch between LocalStack and production
get_environment_infoCurrent environment details
check_localstackVerify LocalStack connectivity
compare_environmentsDiff resources between environments

Multi-Account Management

ToolDescription
assume_roleAssume role in another account via STS
list_accountsShow configured accounts
switch_accountChange active account context

Architecture

aws-sage/
ā”œā”€ā”€ Dockerfile                  # Container support
ā”œā”€ā”€ docker-compose.yml          # LocalStack + MCP server
│
ā”œā”€ā”€ src/aws_sage/
│   ā”œā”€ā”€ server.py              # FastMCP server (30 tools)
│   ā”œā”€ā”€ config.py              # Configuration & safety modes
│   │
│   ā”œā”€ā”€ core/
│   │   ā”œā”€ā”€ session.py         # AWS session management
│   │   ā”œā”€ā”€ context.py         # Conversation memory
│   │   ā”œā”€ā”€ environment.py     # Environment configuration
│   │   ā”œā”€ā”€ environment_manager.py  # LocalStack/production switching
│   │   ā”œā”€ā”€ multi_account.py   # Cross-account management
│   │   └── exceptions.py      # Custom exceptions
│   │
│   ā”œā”€ā”€ safety/
│   │   ā”œā”€ā”€ classifier.py      # Operation classification
│   │   ā”œā”€ā”€ validator.py       # Pre-execution validation
│   │   └── denylist.py        # Blocked operations (70+)
│   │
│   ā”œā”€ā”€ parser/
│   │   ā”œā”€ā”€ intent.py          # NLP intent classification
│   │   └── service_models.py  # Botocore integration
│   │
│   ā”œā”€ā”€ execution/
│   │   ā”œā”€ā”€ engine.py          # Execution orchestrator
│   │   └── pagination.py      # Auto-pagination
│   │
│   ā”œā”€ā”€ composition/
│   │   ā”œā”€ā”€ docs_proxy.py      # AWS documentation
│   │   └── knowledge_proxy.py # AWS knowledge base + live query
│   │
│   └── differentiators/
│       ā”œā”€ā”€ discovery.py       # Cross-service discovery
│       ā”œā”€ā”€ dependencies.py    # Dependency mapping
│       ā”œā”€ā”€ workflows.py       # Incident investigation
│       ā”œā”€ā”€ cost.py            # Cost analysis
│       └── compare.py         # Environment comparison
│
└── tests/
    ā”œā”€ā”€ unit/                  # Unit tests (145 tests)
    └── integration/           # Integration tests

Development (For Contributors)

Setup

git clone https://github.com/arunsanna/aws-sage
cd aws-sage
pip install -e ".[dev]"

Run Tests

pytest                          # All tests
pytest --cov=aws_sage           # With coverage
pytest tests/unit/test_cost.py  # Specific module

Local Testing with LocalStack

Test against LocalStack without touching real AWS:

# Start LocalStack
docker compose up -d localstack

# In Claude Desktop, say:
# "Switch to localstack environment"
# "Create test bucket my-test-bucket"

Debug Server Directly

For development/debugging (not needed for normal use):

fastmcp dev src/aws_sage/server.py  # Interactive mode
python -m aws_sage.server           # Direct run

Environment Variables

VariableDescriptionDefault
AWS_PROFILEAWS profile to usedefault
AWS_DEFAULT_REGIONDefault AWS regionus-east-1
AWS_SAGE_SAFETY_MODESafety mode (read_only/standard/unrestricted)read_only
AWS_SAGE_LOCALSTACK_ENABLEDEnable LocalStack by defaultfalse
AWS_SAGE_LOCALSTACK_HOSTLocalStack hostlocalhost
AWS_SAGE_LOCALSTACK_PORTLocalStack port4566

Roadmap

v1.0.0 (Current)

  • 30 intelligent tools across 10 categories
  • Cross-service discovery, dependency mapping, impact analysis
  • Cost optimization analyzer
  • LocalStack integration
  • Multi-account support
  • Docker containerization
  • 3-tier safety system with 70+ blocked operations

Future

  • CloudFormation drift detection
  • Custom workflow definitions
  • Terraform state integration
  • Compliance scanning (CIS benchmarks)

References

Contact