All skillsServer (
Sandbox (
CLI Executor (
Transport & Lifecycle (
Resources (
Prompts (
Skillintermediate
AWS MCP Server Development Guide
- Install all deps: `uv pip install --system -e ".[dev]"` - Run tests: `make test` or `python -m pytest -v -m "not integration" --timeout=60` - Run single test: `pytest tests/path/to/test_file.py::test_function_name -v` - Run linter: `ruff check src/ tests/` - Format code: `ruff format src/ tests/` - Run server: `python -m aws_mcp_server` - Run with streamable-http: `AWS_MCP_TRANSPORT=streamable-h
Claude Code Knowledge Pack7/10/2026
Overview
AWS MCP Server Development Guide
Build & Test Commands
- Install all deps:
uv pip install --system -e ".[dev]" - Run tests:
make testorpython -m pytest -v -m "not integration" --timeout=60 - Run single test:
pytest tests/path/to/test_file.py::test_function_name -v - Run linter:
ruff check src/ tests/ - Format code:
ruff format src/ tests/ - Run server:
python -m aws_mcp_server - Run with streamable-http:
AWS_MCP_TRANSPORT=streamable-http python -m aws_mcp_server - Run with sandbox disabled:
AWS_MCP_SANDBOX=disabled python -m aws_mcp_server - Update lockfile:
uv pip compile --system pyproject.toml -o uv.lock - Versioning:
setuptools_scmfrom Git tags — tag asv1.x.yto release
Architecture
Server (server.py)
- Two tools:
aws_cli_help(readOnly) andaws_cli_pipeline(destructive, openWorld) FastMCPinstance withinstructions,icons,SERVER_DESCRIPTION- Tools use
ToolAnnotationsfrommcp.typesfor tool metadata - Tool functions return typed dataclasses (
CommandResult,CommandHelpResult) - All tool failures raise
ToolError— FastMCP setsisError: truein protocol response (SEP-1303)
Sandbox (sandbox.py)
- Landlock LSM for filesystem isolation (Linux only)
- Seccomp-bpf for syscall filtering
- AWS env vars from
SANDBOX_AWS_ENV_VARSare passed through to sandboxed processes AWS_MCP_SANDBOX=disabledto bypass for development;requiredto fail hard if unavailable
CLI Executor (cli_executor.py)
- All commands validated before execution (must start with
aws) - Pipe support: commands can include
| jq,| grep, etc. - Timeout handling with configurable default (300s)
- Returns
{"status": "success"|"error", "output": "..."}dict
Transport & Lifecycle (__main__.py)
- Transports:
stdio(default),streamable-http(recommended for web),sse(deprecated) - On
stdio: background thread monitors for client disconnect viaselect.pollor parent PID - On
sse/streamable-http: binds to0.0.0.0in Docker,127.0.0.1otherwise
Resources (resources.py)
aws://profiles— parses~/.aws/credentialsand~/.aws/configaws://regions— hardcoded list + optional live fetch from EC2 APIaws://config— summary of current AWS config state
Prompts (prompts.py)
- 10+ prompt templates for common AWS tasks (Well-Architected, cost optimization, security)
- Consistent pattern: Pydantic
Field(description=...)for all parameters
Testing Patterns
- Mocking AWS CLI:
unittest.mock.patchonasyncio.create_subprocess_exec - Sandbox tests: separate unit (mocked) and integration (requires Linux + Landlock kernel)
- Fixtures: shared fixtures in
conftest.pyfor mock subprocess results - Integration tests: need actual AWS CLI + credentials — skip in CI with
-m "not integration" - Coverage target: >80% on
src/aws_mcp_server— run with--cov=aws_mcp_server - Timeout: always run with
--timeout=60to avoid CI hangs on sandbox tests
MCP Development Guidelines
- Tool annotations: always set
ToolAnnotationson new tools (readOnlyHint,destructiveHint,openWorldHint) - Error handling: raise
ToolErrorfor all tool failures — never return error status text from tool functions (SEP-1303) - FastMCP patterns:
@mcp.tool(),@mcp.resource(),@mcp.prompt()decorators - Context: accept
ctx: Context | None = Nonein tool functions for progress reporting viactx.info()/ctx.warning() - Field descriptions: use
pydantic.Field(description=...)for all tool parameters — these become tool schema - Icons: server-level icon set via
icons=[Icon(src=..., mimeType=...)]inFastMCP() - Description: server description via
SERVER_DESCRIPTIONprepended toinstructions
Security Notes
- NEVER log or store AWS credentials (access keys, session tokens, profile names with secrets)
- NEVER disable sandbox in production
- AWS env vars (
AWS_ACCESS_KEY_ID, etc.) are inSANDBOX_AWS_ENV_VARS— update if new ones added - Command validation must reject commands that don't start with
awsor pipe to non-allowlisted executables AWS_MCP_SANDBOX=disabledis for development only — never in Dockerfile or production config