AWS’s Managed Model Context Protocol (MCP) server is now generally available, delivering full API coverage, IAM‑based governance and sandboxed Python execution. This article compares the new service with similar offerings from Azure and Google, examines pricing and migration trade‑offs, and outlines the business impact for enterprises building AI‑driven automation pipelines.
AWS MCP Server Reaches GA – Full API Coverage and IAM‑Based Governance
AWS announced that its Managed Model Context Protocol (MCP) server is now generally available (GA). The service exposes all AWS APIs through a standard, language‑agnostic interface, adds IAM‑driven access control, CloudWatch metrics, and CloudTrail audit logs, and supports sandboxed Python execution for multi‑step workflows. In practice, AI coding agents such as Claude Code, Kiro, Cursor or Codex can now call AWS services without possessing long‑lived credentials, while organizations retain full visibility and policy enforcement.
What changed?
| Feature | Preview (re:Invent 2025) | GA (May 2024) |
|---|---|---|
| API coverage | ~70 % of services, limited long‑running ops | 100 % – every AWS API, including multipart uploads and async jobs |
| Execution model | Simple request/response | Sandboxed Python – agents can run short scripts safely, no filesystem or shell access |
| Auth model | IAM‑derived tokens via proxy | IAM + SigV4 native, OAuth 2.1 translation via open‑source MCP Proxy |
| Observability | Basic CloudWatch metrics | Full CloudWatch, CloudTrail, and custom metrics per agent |
| Regions | us‑east‑1 only | us‑east‑1 and eu‑central‑1 (Virginia & Frankfurt) |
| Pricing | Free (resource usage only) | Same model – no server charge, pay for underlying AWS resources |
The GA release also bundles the server into the Agent Toolkit for AWS, an open‑source collection of plugins, documentation crawlers and skill‑discovery helpers that keep agents up‑to‑date with the latest service releases.
Provider comparison – AWS vs. Azure vs. Google
| Aspect | AWS MCP Server | Azure OpenAI Functions | Google Vertex AI Agents |
|---|---|---|---|
| Primary interface | MCP (JSON‑RPC) | OpenAI function‑calling + Azure Resource Manager (ARM) APIs | Vertex AI Agent SDK (gRPC/REST) |
| Scope of covered services | All AWS services (including new offerings like S3 Vectors, Aurora DSQL) | Azure services exposed via Azure OpenAI Service – limited to a curated set (e.g., Storage, Cosmos, AKS) | Google Cloud services via Vertex AI Workbench – covers most GCP APIs but still missing newer beta services |
| Authentication model | IAM + SigV4 (native), optional OAuth proxy | Azure AD + Managed Identity, token‑based | Google Service Accounts + IAM, token‑based |
| Governance & audit | CloudTrail logs per request, CloudWatch metrics, IAM policies per agent | Azure Monitor logs + Activity Log, Policy‑based access via Azure RBAC | Cloud Audit Logs + Monitoring, IAM policies per service account |
| Sandboxed code execution | Python sandbox (no FS/shell) | Azure Functions sandbox (Node/Python/PowerShell) – requires separate deployment | Cloud Run sandbox – containerized, higher latency |
| Pricing model | Free server, pay‑as‑you‑go for underlying resources (API calls, data transfer) | Pay per token + Azure resource consumption; extra cost for Functions execution | Pay per token + Vertex AI usage; extra cost for Cloud Run instances |
| Regional availability (May 2024) | us‑east‑1, eu‑central‑1 | Global (multiple Azure regions) | Global (multiple GCP regions) |
| Ecosystem support | Agent Toolkit (open source), MCP Proxy, community plugins | Azure AI SDK, Azure CLI extensions, Azure Policy for AI | Vertex AI SDK, LangChain‑compatible libraries |
Key take‑aways
- Coverage: AWS leads on breadth – every service is reachable today, which matters for enterprises that already run workloads across dozens of AWS products.
- Governance: All three providers ship audit logs, but AWS’s native CloudTrail integration offers the most granular, per‑request trace without extra configuration.
- Execution model: AWS’s lightweight Python sandbox is less heavyweight than Azure Functions or Cloud Run, reducing cold‑start latency for short‑lived agent tasks.
- Regional reach: Azure and Google have broader global footprints; enterprises needing low‑latency access outside Virginia or Frankfurt must consider a multi‑cloud approach or wait for AWS to expand.
Business impact and migration considerations
1. Faster time‑to‑value for AI‑augmented ops
By exposing the entire AWS API surface through a single, versioned contract, development teams can prototype agent‑driven automation without writing service‑specific SDK wrappers. The built‑in IAM policies let security teams grant least‑privilege permissions per agent (e.g., read‑only access to S3 buckets, write‑only to DynamoDB tables). This reduces the time spent on credential rotation and secret management.
2. Cost predictability
Because the MCP server itself is free, the primary cost drivers are the underlying AWS resources the agents consume. Companies can continue to use existing Cost Explorer and Budgets alerts to track spend. In contrast, Azure’s function‑execution charges add a separate line‑item that can surprise teams unfamiliar with serverless pricing.
3. Migration path from on‑prem or other clouds
| Step | Action | AWS‑specific tip |
|---|---|---|
| Assess existing agent workloads | Inventory scripts, functions, and API calls used by current agents. | Use the MCP Proxy locally to replay calls against a test MCP endpoint – this surfaces any missing permissions early. |
| Define IAM scopes | Create dedicated IAM roles per agent or per business unit. | Leverage IAM policy conditions (aws:RequestedRegion, aws:TagKeys) to enforce regional or tag‑based constraints. |
| Port sandboxed logic | Move multi‑step Python snippets into the MCP sandbox. | Replace any os.system or file‑system access with MCP‑provided helper libraries; the sandbox will reject disallowed calls. |
| Validate observability | Enable CloudWatch metrics and CloudTrail logging for the MCP endpoint. | Set up a CloudWatch Dashboard that surfaces per‑agent request latency, error rates, and token usage. |
| Roll out gradually | Start with low‑risk workloads (e.g., tag cleanup, cost‑report generation). | Use the --scope user flag in the CLI example to limit the initial agent to a single IAM user for testing. |
4. Multi‑cloud orchestration
Enterprises that already use Azure OpenAI Functions or Google Vertex AI Agents can adopt a hybrid gateway pattern: a thin proxy layer routes agent requests to the appropriate provider based on the target resource. The proxy can enforce a unified policy engine (e.g., OPA) and consolidate logs into a central SIEM. This approach mitigates the regional limitation of AWS MCP while preserving the single‑source‑of‑truth for AWS services.
5. Security posture
- Credential exposure: By eliminating static access keys, the attack surface shrinks dramatically. Even if an agent is compromised, the IAM role can be revoked instantly.
- Auditability: CloudTrail records every MCP request, including the signed SigV4 headers, enabling forensic analysis identical to native AWS API calls.
- Sandbox isolation: The Python environment runs without network egress beyond the MCP server, preventing agents from reaching unintended endpoints.
Strategic recommendation
- Adopt AWS MCP for any workload that heavily interacts with AWS services – the coverage and governance advantages outweigh the current two‑region limitation for most North‑American and EU‑based enterprises.
- Implement a policy‑driven proxy if you need to span Azure or Google resources, using OPA or AWS IAM Condition Keys to keep the rule set consistent.
- Invest in observability early – set up CloudWatch dashboards and export CloudTrail logs to your SIEM to detect anomalous agent behavior before it escalates.
- Plan a phased migration: start with read‑only or reporting agents, then extend to provisioning and lifecycle management once confidence in the sandbox and IAM policies is established.
By treating the MCP server as a managed API gateway for AI agents, organizations can unlock rapid automation while preserving the security and compliance controls that enterprise IT expects from traditional cloud services.
Renato Losio is a principal cloud architect and AWS Data Hero based in Berlin. Follow him on LinkedIn.
Further reading
- Official AWS MCP Server documentation – https://aws.amazon.com/mcp
- Open‑source MCP Proxy – https://github.com/aws/mcp-proxy
- Azure OpenAI Functions overview – https://learn.microsoft.com/azure/ai-services/openai/functions
- Google Vertex AI Agents guide – https://cloud.google.com/vertex-ai/docs/agents
Comments
Please log in or register to join the discussion