AWS MCP Plugin Puts Agents Under CloudTrail AWS released an open-source Agent Toolkit for AWS that provides an MCP server and plugins for coding agents like Claude Code, Codex, and Cursor, enabling auditable, IAM-scoped access to AWS services with CloudTrail logging and sandboxed Python execution. The toolkit aims to replace unrestricted shell access with narrow, logged, skill-shaped interactions, reducing security risks for teams using AI agents to manage cloud infrastructure. Cloud & Infra https://sourcefeed.dev/c/cloud Article AWS MCP Plugin Puts Agents Under CloudTrail Official skills, sandboxed Python, and IAM-scoped calls turn coding agents into auditable cloud operators. Emeka Okafor https://sourcefeed.dev/u/emeka okafor Handing a coding agent your cloud account used to mean a bad bargain: either you give it shell-level power and pray, or you spend days wiring IAM, endpoints, and ad-hoc skills so it does not wander. AWS https://aws.amazon.com ’s Agent Toolkit for AWS is an attempt to make that bargain less stupid. It ships an official MCP server plus installable plugins so tools like Claude Code https://code.claude.com/docs/en/mcp , Codex, and Cursor can search docs, run sandboxed Python, and follow curated AWS skills through one authenticated surface, with CloudTrail on every API call. That is not a novelty chat widget. It is the cloud side of the same pattern vendors keep converging on: narrow, logged, skill-shaped access instead of unrestricted shell. For teams already living in AWS, it is production-adjacent plumbing. For everyone else, it is a clear signal of where agent-to-infrastructure interfaces are going. What actually ships The Agent Toolkit for AWS https://github.com/aws/agent-toolkit-for-aws is open source and bundles two pieces. First, the AWS MCP Server: a managed Model Context Protocol endpoint agents can point at. Documentation search and service information do not require auth. Anything that mutates state API calls, sandboxed Python, curated skills authenticates with your existing IAM credentials. Second, agent plugins that package MCP config and a skill set so you are not hand-editing endpoints and installing skills one by one. AWS documents plugins for Claude Code, Codex, and Cursor. Kiro talks to the MCP server directly. Any other MCP-capable client can wire the server in manually. Claude Code install is short: /plugin install aws-core@claude-plugins-official /reload-plugins aws-core is the recommended default. It covers service selection, infrastructure as code CDK and CloudFormation , serverless, containers, storage, observability, billing, SDK usage, and deployment. A second plugin, aws-agents , adds more agent-oriented capabilities. Consolidation is the point: one endpoint, IAM controls, CloudWatch metrics, and CloudTrail for every agent-issued API call. Why the threat model is the real product Raw “agent with cloud credentials” is a security incident waiting for a prompt. Free-form agents with broad keys invent resources, open security groups, and leave no useful trail of why something happened. The toolkit’s design choices push the opposite way. Audit by default. CloudTrail records API calls the agent makes. Security teams do not need a parallel logging story for the bot; they use the same paper trail they already trust for humans and CI. Sandbox over shell. Python execution is sandboxed rather than unrestricted local or account shell. That is not a full isolation story you still have to scope IAM correctly , but it is a hard step up from “the model can aws anything your laptop can.” Skills over vibes. Bundled skills encode recommended workflows for IaC, serverless, containers, and the rest. Agents still hallucinate; curated paths reduce the chance that “deploy my app” becomes an unreviewable snowflake stack. This is the same direction the broader agent ecosystem is taking: MCP as the integration bus, remote HTTP transports for cloud services, and plugins that ship both config and domain knowledge. The AWS move matters because infrastructure is where agent mistakes get expensive and regulated. What changes in day-to-day work If you already run Claude Code or Cursor/Codex against AWS, the practical shift is less ceremony and more enforceable scope. Who feels it first. Platform engineers and backend teams that live in CDK/CloudFormation, Lambda, containers, and observability. Startup stacks on S3/DynamoDB/Lambda get the most immediate win from the default skill pack. Multi-cloud shops get a template, not a portable product: the pattern travels; the skills do not. What it replaces. Hand-rolled MCP configs, one-off “AWS helper” tools, and the tribal knowledge of which IAM policy the agent needs this week. You still design least privilege. You stop reinventing doc search, skill packaging, and audit plumbing. How you adopt it without regret. - Install aws-core in a throwaway account or a tightly scoped role first. Do not aim a fresh agent at production admin keys. - Map skills to real workflows: generate a CDK stack, inspect CloudWatch, compare billing signals, propose a serverless change. Keep human review on apply/deploy steps until you trust the skill paths. - Treat IAM as the product surface. The agent inherits your credentials; if the role can delete the account, so can the agent. Prefer short-lived credentials, service-scoped policies, and separate agent roles from human break-glass roles. - Wire CloudTrail and CloudWatch into the same review process you use for CI bots. If you cannot answer “what did the agent change last night,” you are not ready for unattended runs. Trade-offs are real. Skills bias the agent toward AWS’s preferred paths, which is usually good and sometimes wrong for nonstandard estates. Doc search without auth is convenient; execution still needs credentials, so secrets handling and local credential sources remain your problem. Multi-agent shops Claude Code plus Cursor plus something custom get a common MCP target, but skill quality and plugin coverage will differ by client. And none of this removes the need for policy-as-code and change review; it just makes the agent a first-class, logged actor instead of a shadow operator. How this fits the wider Claude-on-AWS story Separately, Anthropic’s Claude Platform on AWS is generally available as a path alongside Bedrock: native Claude API access with IAM auth, Marketplace billing, CloudTrail, Managed Agents, MCP connector, Files API, and Skills, with day-one feature parity commitments relative to the native API. That stack is about hosting and calling Claude under AWS identity and billing. The Agent Toolkit is about coding agents operating AWS resources through MCP. They reinforce each other without being the same product. Platform-on-AWS is for teams that want Anthropic’s tool surface with AWS IAM and billing, accepting that data is processed by Anthropic unlike Bedrock’s AWS-perimeter model . The MCP toolkit is for developers who already use agentic IDEs and want those agents to touch S3, Lambda, IaC, and observability under CloudTrail. Bedrock remains the choice when data residency and AWS-native guardrails dominate the threat model. Initial Claude Platform regions are Americas and Europe only; Asia-Pacific is absent. That latency and compliance gap does not block the open-source MCP toolkit the same way, but it does shape how far “all Claude, all AWS, one account story” goes for global teams. Verdict This is a genuine shift in packaging, not a new model capability. AWS is productizing the boring, necessary layer: auth, audit, sandbox, and recommended skills so agents stop being black boxes next to production. It is ready for careful use in non-prod and tightly scoped roles today. Broad unattended production control is still a policy and IAM problem, not a plugin install. Who wins: teams standardized on AWS and MCP-capable coding agents, plus security orgs that finally get CloudTrail for bot actions. Who loses: brittle custom “give the agent the keys” glue, and the fantasy that free-form prompts are a substitute for scoped interfaces. If you run agents near infrastructure, the pattern is worth adopting even if you only steal the ideas: one protocol surface, curated skills, sandbox execution, and an audit trail that treats the agent like any other privileged principal. Sources & further reading - AWS Just Made Claude Code Cloud-Native: The Official AWS MCP Server Plugin https://dev.to/terminalblog/aws-just-made-claude-code-cloud-native-the-official-aws-mcp-server-plugin-3442 — dev.to - Anthropic Brings Claude Platform to AWS: Native API + Managed Agents + MCP — How It Differs from Bedrock | Claude API https://apito.ai/en/blog/news/claude-platform-aws-launch/ — apito.ai - Connect Claude Code to tools via MCP - Claude Code Docs https://code.claude.com/docs/en/mcp — code.claude.com - Install AWS – Best Claude Code Plugin Setup July 2026 | Claude Directory https://www.claudedirectory.org/plugins/aws — claudedirectory.org Emeka Okafor https://sourcefeed.dev/u/emeka okafor · Security Editor Emeka has spent over a decade tracking threat actors, vulnerability disclosures, and the evolving landscape of application security, bringing a sharp continent-spanning perspective to his reporting. He's known for translating dense CVE advisories into clear, actionable context that developers and security teams alike actually read. Discussion 0 No comments yet Be the first to weigh in.