[ARTICLE · art-44805] src=dev.to ↗ pub= topic=developer-tools verified=true sentiment=↑ positive

Setting up the Agent Toolkit for AWS in Kiro (and Codex, Claude Code, and Cursor)

AWS has released the Agent Toolkit for AWS, a free set of tools that gives AI coding agents secure access to AWS services, current documentation, and vetted procedures. The toolkit integrates with agents like Kiro, Codex, Claude Code, and Cursor via the Model Context Protocol (MCP), and includes an MCP server, skills, plugins, and rules files to prevent agents from guessing outdated API parameters. It costs nothing on its own, with users paying only for the AWS resources the agent creates.

Read: 11 min · Views: 1 · Published: Jun 30, 2026

If you've let a coding agent loose on AWS, you've watched it guess. It invents API parameters that don't exist, or hands you an S3 bucket a security review will bounce on sight. The Agent Toolkit for AWS is built to stop that. By the end of this post you'll have it running in whatever editor you use, plus a tour of what's in it and three workflows worth pointing it at.

I use Kiro day to day, so I'll walk through that setup first. It also works with Codex, Claude Code, Cursor, and any other agent that speaks MCP, the Model Context Protocol, which is the open standard agents use to connect to outside tools and data. I'll cover those too.

The Agent Toolkit for AWS is a free, AWS-supported set of tools that gives AI coding agents secure access to AWS, current documentation they can read mid-task, and tested procedures for the work they tend to fumble. It plugs into the agent you already use rather than asking you to switch. In practice, that shows up in a few ways, all detailed in the AWS user guide.

The agent stops guessing about APIs it never saw. The models behind these agents trained on data that's months or years old, so anything AWS shipped recently is missing or wrong in their heads, and the toolkit hands them current docs and references at request time. For multi-step work like least-privilege IAM or a production serverless stack, it follows a vetted skill instead of reconstructing the steps from half-memory. Every call goes through your own IAM credentials, shows up in CloudWatch, and gets logged to CloudTrail, so you can scope an agent to read-only even when your role can write. And the toolkit costs nothing on its own; you pay only for the AWS resources the agent creates.

It's the successor to the MCP servers, skills, and plugins AWS shipped under AWS Labs in 2025. Two things make me reach for it over a raw MCP setup: condition keys that let a policy tell an agent apart from a human, and skills that have been evaluated end to end rather than thrown over the wall.

Four components work together (reference).

The AWS MCP Server is the access layer, a single endpoint that reaches 300+ AWS services. It runs in two modes depending on what you ask for. Searching AWS docs, pulling service info, and discovering skills need no credentials at all, so the server is useful the moment you connect it. Anything that touches your account, real API calls and the sandboxed Python run_script tool, runs as you through your local AWS credentials. It also stamps two condition keys on every request, aws:ViaAWSMCPService and aws:CalledViaAWSMCP, so your policies can single out agent traffic.

Skills are curated packages of instructions, scripts, and reference material for one task. The agent loads a skill only when it needs it, so they barely touch your context until they're relevant.

Plugins bundle the MCP config and a curated skill set into one install. They're available for Claude Code, Codex, and Cursor; Kiro and other MCP agents connect to the server directly instead, which I cover in the setup steps below. Four ship today:

Plugin | Covers
aws-core | Service selection, CDK/CloudFormation, serverless, containers, storage, observability, billing, SDK usage, deployment. Start here.
aws-agents | Building AI agents on AWS with Amazon Bedrock and AgentCore.
aws-data-analytics | Data lake, analytics, and ETL with S3 Tables, AWS Glue, and Athena.
aws-agents-for-devsecops | Incident investigation, code review, UAT, vulnerability scanning, and pen testing with AWS DevOps Agent and AWS Security Agent.

Rules files are project-level config that sets guardrails: use the MCP Server, find a skill before acting, check the docs, prefer infrastructure-as-code. Rules decide how the agent behaves; skills supply what it does for a given job.

The skills are the part I underestimated at first. There are around 64 today (browse the skills/ directory for the live list), split into core and specialized.

Core skills, which ship with aws-core: amazon-bedrock, aws-billing-and-cost-management, aws-blocks, aws-cdk, aws-cloudformation, aws-containers, aws-iam, aws-messaging-and-streaming, aws-observability, aws-sdk-js-v3-usage, aws-sdk-python-usage, aws-sdk-swift-usage, aws-serverless, signing-in-to-aws.

Specialized skills, grouped by domain (a few from each):

connecting-lambda-to-api-gateway, connecting-lambda-to-dynamodb, debugging-lambda-timeouts, processing-s3-uploads-with-step-functions

querying-data-lake, ingesting-into-data-lake, managing-amazon-msk, amazon-opensearch-service

amazon-aurora-postgresql, amazon-elasticache, exporting-rds-to-s3, rds-db2

creating-production-vpc-multi-az, routing-traffic-with-route53-and-cloudfront

securing-s3-buckets, creating-data-lake-table, storing-and-querying-vectors

Don't memorize the list. When you ask for "a Lambda behind API Gateway writing to DynamoDB," the agent pulls the matching skills on its own.

A handful of things need to be in place first. None take long.

run_script need them. The proxy reads the standard AWS credential chain, so aws configure, an SSO login, a named profile, or the usual environment variables all work. New to this? brew install uv on macOS, or the uvx command in the Kiro config below comes bundled with it.
npx command used to install skills. If npx --version prints nothing, install it from 2.35.0 or later aws --version.

The quickest route is the AWS CLI wizard, which configures every agent you have at once. Prefer to do it by hand, or only use one editor? Skip to the per-agent steps below.

On a recent AWS CLI, one command detects your installed agents, installs default skills, and configures the MCP Server for all of them:

aws configure agent-toolkit

One gotcha worth calling out, because I hit it. On an older CLI you'll see:

aws: [ERROR]: argument subcommand: Found invalid choice 'agent-toolkit'

That means your AWS CLI predates 2.35.0. Update it (instructions), confirm with aws --version, and rerun. Restart your agent afterward so it picks up the new MCP config.

If you only use one agent, or you want to see exactly what gets wired up, the per-agent steps below do the same thing by hand.

Open your Kiro MCP config and add the AWS server. Use .kiro/settings/mcp.json for the current project, or ~/.kiro/settings/mcp.json to turn it on everywhere. Create the file if it doesn't exist yet:

{
  "mcpServers": {
    "aws": {
      "command": "uvx",
      "args": [
        "mcp-proxy-for-aws@1.6.3",
        "https://aws-mcp.us-east-1.api.aws/mcp",
        "--metadata", "AWS_REGION=us-west-2"
      ]
    }
  }
}

If your config already lists other servers under mcpServers, add the aws entry next to them instead of replacing the block, and keep the JSON valid (mind the commas). Change AWS_REGION to the region you work in.

Pin the proxy version rather than tracking latest. You get reproducible behavior and a guard against a bad release. Check PyPI every few weeks and bump it on purpose.

Then install the skills:

npx skills add aws/agent-toolkit-for-aws/skills

Open Kiro's MCP Server view (the Kiro panel in the sidebar, or search "MCP" in the command palette), reconnect the aws server, and you're live.
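The advice above to pin the proxy version can be enforced with a small check over mcp.json. This is an added example, not part of the original article or the toolkit; it assumes the first non-flag argument to uvx is the package spec, and the unpinned config is constructed for illustration.

```python
import json
import re

# name@1.2.3 style pin; "@latest" or a bare package name does not match.
EXACT_PIN = re.compile(r"^[A-Za-z0-9._-]+@\d+(\.\d+)+$")


def audit_mcp_config(text):
    """Return findings for uvx-launched MCP servers in an mcp.json document."""
    findings = []
    for name, server in json.loads(text).get("mcpServers", {}).items():
        args = server.get("args", [])
        if server.get("command") == "uvx":
            # Assumption: the first non-flag argument is the package spec.
            package = next((a for a in args if not a.startswith("-")), None)
            if package is None or not EXACT_PIN.match(package):
                findings.append(f"{name}: {package!r} is not pinned to an exact version")
        for arg in args:
            if arg.startswith("http://"):
                findings.append(f"{name}: endpoint {arg} is not HTTPS")
    return findings


# The article's config (pinned) and a constructed variant that tracks latest.
PINNED = """{"mcpServers": {"aws": {"command": "uvx", "args": [
  "mcp-proxy-for-aws@1.6.3", "https://aws-mcp.us-east-1.api.aws/mcp",
  "--metadata", "AWS_REGION=us-west-2"]}}}"""
UNPINNED = PINNED.replace("@1.6.3", "@latest")

if __name__ == "__main__":
    for label, config in (("pinned", PINNED), ("unpinned", UNPINNED)):
        print(label, audit_mcp_config(config) or "ok")
```

Run it in CI or a pre-commit hook against .kiro/settings/mcp.json so a drift to an unpinned proxy is caught at review time.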

Add the marketplace, then install from inside Codex:

codex plugin marketplace add aws/agent-toolkit-for-aws

Launch Codex, run /plugins, and install aws-core.

The plugins live on the official Anthropic marketplace, included by default:

/plugin install aws-core@claude-plugins-official

Hit Plugin not found? Refresh the index with /plugin marketplace update claude-plugins-official and try again. Add aws-agents, aws-data-analytics, or aws-agents-for-devsecops the same way.

Add the repo as a team marketplace: Settings → Plugins → Team Marketplaces → Add Marketplace → Import from Repo, pointed at aws/agent-toolkit-for-aws. Open the Plugins panel and install aws-core first, then the others as needed.

Anything that speaks MCP works, including Windsurf and Cline. Configure the AWS MCP Server directly (see the server setup guide), then run npx skills add aws/agent-toolkit-for-aws/skills.

Start a fresh conversation and ask: "What AWS Regions are available?" If the agent returns a list, the MCP Server is connected. For a skill check, ask it to "secure an S3 bucket" and watch it load securing-s3-buckets before it writes anything. An authentication error instead means your local credentials aren't reaching the server; see Prerequisites for how to set them up.

Setup is the boring part. The workflows below are where it pays off, and each one names the skills and components doing the work.

Prompt: "Build a REST API: API Gateway in front of a Lambda that reads and writes a DynamoDB table, deployed with CDK."

This is the kind of task agents usually botch, because it spans four services and the IAM glue between them. The agent pulls aws-serverless, connecting-lambda-to-api-gateway, connecting-lambda-to-dynamodb, and aws-cdk, then uses the MCP Server's API tools to provision and the run_script sandbox for multi-step setup. The skills carry the wiring, so the Lambda role scopes to your specific table instead of granting access to everything (*), and the CDK stack follows current patterns instead of a 2023 blog post the model half-remembers.

Prompt: "My checkout Lambda times out intermittently and error rates spiked this morning. Help me find why."

Point the agent at the symptom and it follows a real diagnostic path. debugging-lambda-timeouts and troubleshooting-application-failures give it the procedure, while aws-observability and querying-aws-cloudwatch let it read the actual logs and metrics through the MCP Server. It checks the configured timeout against duration metrics, looks for cold starts, and inspects downstream calls that block, then tells you what it found. You get an actual investigation rather than a guess.

Prompt: "Audit this account's S3 buckets and secrets, and flag anything risky."

This is the workflow that separates the toolkit from wiring up a raw MCP server. Before you run it, scope the agent's IAM role to read-only with the condition keys the MCP Server attaches, aws:ViaAWSMCPService and aws:CalledViaAWSMCP, so it can inspect and plan but cannot change anything, even though your own role can. Writing that policy is an advanced step, and the user guide explains how the condition keys fit in; you can skip it the first time through and still get value from the audit. The agent uses securing-s3-buckets and creating-secrets-using-best-practices as its rubric for what counts as risky, and every call lands in CloudTrail for you to review later.

On AWS CLI 2.35.0+, the aws agent-toolkit command group manages skills across all your agents from the terminal:

aws agent-toolkit list-installed-skills
aws agent-toolkit add-skill --skill-name aws-serverless
aws agent-toolkit update-skill --skill-name aws-serverless
aws agent-toolkit remove-skill --skill-name aws-cdk --agent kiro

There's also search-skills, list-available-skills, and get-skill-metadata for browsing the catalog from the terminal. Without the CLI, re-run npx skills add aws/agent-toolkit-for-aws/skills to pull new skills, and remove them with npx skills remove <skill-name>. The MCP Server itself is AWS-hosted, so its API coverage and docs stay current on their own. The one thing you pin and bump yourself is the proxy version in your config.

Is the Agent Toolkit for AWS free?

Yes. The toolkit costs nothing to install or use. You pay only standard AWS rates for the resources your agent creates or calls.

Which AWS CLI version do I need for aws configure agent-toolkit?

Found invalid choice 'agent-toolkit'. Check yours with aws --version.

How do I fix "Found invalid choice 'agent-toolkit'"?

Upgrade the AWS CLI to 2.35.0 or later, since the command shipped in that release. On macOS with Homebrew, run brew upgrade awscli, then confirm with aws --version.

Do I need an AWS account and credentials?

Credentials are needed only for actions that touch your account, like API calls and run_script. Documentation search and skill discovery work with no credentials. Anything that provisions or reads real resources needs an AWS account.

Which coding agents does it work with?

Kiro, Claude Code, Codex, and Cursor have first-class setups, and any MCP-compatible agent works too, including Windsurf and Cline. Plugins cover Claude Code, Codex, and Cursor; Kiro and the rest connect to the MCP server directly.

How is it different from the AWS Labs MCP servers?

It's the successor to AWS Labs. The differences that matter: IAM condition keys that separate agent actions from human ones, CloudWatch and CloudTrail on every request, and skills evaluated end to end.

How do I give a coding agent read-only access to AWS?

Scope its IAM role with the condition keys the MCP server attaches, aws:ViaAWSMCPService and aws:CalledViaAWSMCP, to allow reads and deny writes. The agent can inspect and plan but not change anything, even when your own role can.
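A sketch of the read-only scoping described in this answer and in the audit workflow, as an added example that is not from the article or the AWS user guide. It assumes aws:ViaAWSMCPService is a Boolean key that is true only on requests made through the MCP Server, leaves out aws:CalledViaAWSMCP because the page does not give its value format, and uses a simplified matcher rather than real IAM evaluation.

```python
import json
from fnmatch import fnmatchcase

# Assumption: aws:ViaAWSMCPService is a Boolean key that is "true" only on
# requests arriving through the AWS MCP Server. The action list is illustrative.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyNonReadThroughMcp",
        "Effect": "Deny",
        # Everything except these read actions is denied for agent traffic.
        # secretsmanager:GetSecretValue is deliberately absent: an audit needs
        # secret metadata, not secret contents.
        "NotAction": ["s3:GetBucket*", "s3:ListAllMyBuckets",
                      "s3:GetEncryptionConfiguration",
                      "secretsmanager:ListSecrets", "secretsmanager:DescribeSecret"],
        "Resource": "*",
        "Condition": {"Bool": {"aws:ViaAWSMCPService": "true"}},
    }],
}


def explicitly_denied(policy, action, context):
    """Simplified model of explicit-deny matching (NotAction + Bool only)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        exempt = any(fnmatchcase(action.lower(), pattern.lower())
                     for pattern in stmt.get("NotAction", []))
        bools = stmt.get("Condition", {}).get("Bool", {})
        # A key missing from the request context never satisfies the condition.
        matches = all(str(context.get(key, "")).lower() == value
                      for key, value in bools.items())
        if matches and not exempt:
            return True
    return False


AGENT = {"aws:ViaAWSMCPService": "true"}  # constructed request contexts
HUMAN = {}

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for who, ctx in (("agent", AGENT), ("human", HUMAN)):
        for action in ("s3:GetBucketPolicy", "s3:PutBucketPolicy",
                       "secretsmanager:GetSecretValue"):
            verdict = "DENY" if explicitly_denied(POLICY, action, ctx) else "not denied"
            print(who, action, verdict)
```

The statement only removes permissions: reads through the agent still need an Allow from the role's other policies, and the same role used directly by a human is unaffected.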

How do I update or remove skills?

On AWS CLI 2.35.0+, use aws agent-toolkit update-skill and aws agent-toolkit remove-skill. Otherwise re-run npx skills add aws/agent-toolkit-for-aws/skills to update, and npx skills remove <skill-name> to remove.

setting-up-cloudwatch-alarm-notifications and watch it connect the alarm to an SNS topic.

Saurabh Dahal is a developer advocate at AWS, working with the latest agentic and AI tools for developers to help boost developer productivity. He set up the Agent Toolkit for AWS across Kiro, Codex, Claude Code, and Cursor for this guide.

Published June 30, 2026. Last updated June 30, 2026.
