Replace your AWS DevOps with Claude


Introduction

Claude and cloud go together like chocolate and peanut butter. As of June 2026, the easiest and cheapest way to use Claude for AWS DevOps is the official AWS MCP Server. This recommended setup bypasses all the hassle of AWS Bedrock or AWS Marketplace.

Once you complete this setup, Claude will be your AWS subject matter expert on AWS Well-Architected best practices.

Setup

  1. Create IAM Roles for AI
    For infrastructure safety, do not use your regular AWS login for your AI agents. Create separate read-only and read-write AWS IAM roles for each of your environments. For this example, I created 4 roles: ai-dev-ro, ai-dev-rw, ai-prod-ro, and ai-prod-rw.

    For the read-only role, I assign it the ReadOnlyAccess policy. For the read-write role, I assign it the AdministratorAccess policy and attach a custom DenyDeleteForAwsMcp IAM policy to prevent accidental deletions.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyDeleteForAwsMcp",
                "Effect": "Deny",
                "Action": [
                    "ec2:Terminate*",
                    "ec2:Delete*",
                    "s3:Delete*",
                    "rds:Delete*",
                    "dynamodb:Delete*",
                    "iam:Delete*"
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "aws:CalledViaAWSMCP": "aws-mcp.amazonaws.com"
                    }
                }
            }
        ]
    }
    

    Set up authentication configuration the same way as the AWS CLI.

  2. Install uv
    uv is the modern Python package manager. We need it to download and manage the MCP Proxy for AWS.

    On macOS and Linux

    curl -LsSf https://astral.sh/uv/install.sh | sh
    

    On Windows

    powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/install.ps1 | iex"
    
  3. Configure Claude to use the AWS MCP Server
    Run the command below to add the AWS MCP Server to Claude AI. Set AWS_MCP_PROXY_PROFILES to the IAM roles created in step 1 and AWS_REGION to your default AWS region.
    If you are not in the US, replace the URL with https://aws-mcp.eu-central-1.api.aws/mcp

    claude mcp add aws-mcp --scope user \
      --env AWS_MCP_PROXY_PROFILES="ai-dev-ro ai-dev-rw ai-prod-ro ai-prod-rw" \
      -- uvx mcp-proxy-for-aws==1.6.2 https://aws-mcp.us-east-1.api.aws/mcp \
      --metadata AWS_REGION=us-west-1
    

    Confirm the AWS MCP was successfully added:

    claude mcp list
    
  4. Edit CLAUDE.md
    Ensure Claude uses AWS best practices by adding the official AWS AI agent rules. Edit ~/.claude/CLAUDE.md and add the contents of aws-agent-rules.md.
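
The reach of the DenyDeleteForAwsMcp statement from step 1 can be checked offline before relying on it as a guardrail for the read-write roles. The sketch below is an added example, not part of the original post or any AWS tooling: it models only this one Deny statement (action wildcards plus the StringEquals condition), and the function names and the list of destructive actions are assumptions chosen for illustration.

```python
import fnmatch

# The DenyDeleteForAwsMcp statement from step 1, copied from the page.
DENY_STATEMENT = {
    "Sid": "DenyDeleteForAwsMcp",
    "Effect": "Deny",
    "Action": ["ec2:Terminate*", "ec2:Delete*", "s3:Delete*",
               "rds:Delete*", "dynamodb:Delete*", "iam:Delete*"],
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:CalledViaAWSMCP": "aws-mcp.amazonaws.com"}},
}

def condition_matches(statement, context):
    """StringEquals compares values case-sensitively; a key absent from the request fails."""
    actual = {k.lower(): v for k, v in context.items()}  # key names are case-insensitive
    for key, expected in statement.get("Condition", {}).get("StringEquals", {}).items():
        wanted = expected if isinstance(expected, list) else [expected]
        if actual.get(key.lower()) not in wanted:
            return False
    return True

def is_denied(statement, action, context):
    """The Deny applies only when an action pattern matches AND the condition holds."""
    action_hit = any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
                     for pattern in statement["Action"])  # action names are case-insensitive
    return action_hit and condition_matches(statement, context)

def coverage_report(statement, actions, context):
    """Split a list of actions into those the statement blocks and those it lets through."""
    blocked = [a for a in actions if is_denied(statement, a, context)]
    allowed = [a for a in actions if a not in blocked]
    return blocked, allowed

# Constructed sample: IAM actions that AdministratorAccess permits and that remove resources.
DESTRUCTIVE_ACTIONS = [
    "ec2:TerminateInstances", "s3:DeleteBucket", "rds:DeleteDBInstance",
    "dynamodb:DeleteTable", "iam:DeleteRole",
    "lambda:DeleteFunction", "cloudformation:DeleteStack", "kms:ScheduleKeyDeletion",
]
VIA_MCP = {"aws:CalledViaAWSMCP": "aws-mcp.amazonaws.com"}  # request made through the MCP server
DIRECT = {}  # same role used outside the MCP server: condition key absent

if __name__ == "__main__":
    blocked, allowed = coverage_report(DENY_STATEMENT, DESTRUCTIVE_ACTIONS, VIA_MCP)
    print("blocked via MCP:        ", blocked)
    print("still allowed via MCP:  ", allowed)
    print("blocked on direct use:  ", coverage_report(DENY_STATEMENT, DESTRUCTIVE_ACTIONS, DIRECT)[0])
```

Any action in the still-allowed list needs its own pattern in the Deny statement if the read-write role should not be able to perform it through the MCP server.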

Behind the Scenes

The AWS Model Context Protocol (MCP) Server acts as a translator between Claude and AWS. It searches the latest AWS documentation for the most current answers and can execute AWS API calls on your behalf. To access your AWS infrastructure, Claude authenticates to the AWS MCP Server through the MCP Proxy for AWS, which uses your configured AWS IAM credentials and the SigV4 protocol.

Reduce Hallucinations

Claude's knowledge ends at the training cutoff date of the AI model. For example, the Sonnet 4.6 training cutoff was May 2025. If you ask Sonnet 4.6 the maximum size of an S3 object, it will answer 5 TB, which was the correct answer in May 2025.

However, in December 2025, AWS increased the maximum S3 object size to 50 TB. If you use the AWS MCP Server, Claude will use the most current official AWS documentation to give you the correct answer. (I do appreciate the little apology Claude gave me for the first wrong answer.)

Claude for Observability

Claude can use your read-only AWS credentials to analyze your AWS infrastructure. As a simple example, I asked Claude to list all my Simple Storage Service (S3) buckets using the read-only AWS dev account. As other examples, you can ask Claude:

  • "Search for CloudWatch log errors in the Lambda function my-message-broker"
  • "Find all EC2 VMs using more than 90% CPU"

Claude as AWS Well-Architected Expert

Amazon publishes an official set of AI skills for AWS. The AWS MCP Server automatically loads these skills without you having to do any additional complicated setup.
Using Claude and the aws-serverless skill, I was able to create and deploy a Lambda function coded with Node.js with full AWS CDK infrastructure-as-code in about 6 minutes. If I did this by hand before AI, it would have taken me much longer than 6 minutes with equivalent results.

How expensive is this setup?

Good news, it's free (mostly).

The AWS MCP server is free to use. Of course, you still pay for Claude token usage and any AWS resources created. Sometimes, the MCP Server will need to create an S3 bucket to store objects in your account.

How secure is this setup?

This setup passed rigorous review by the AWS security team. You can read the full technical details. In summary, the communication is end-to-end encrypted and uses your IAM permission setup. In addition, no information is permanently stored on AWS servers.

Monitoring your AI

The AWS MCP Server stores its metrics under CloudWatch > AWS-MCP > ToolName.

All commands executed by the AWS MCP server on your AWS account are auditable in CloudTrail under Event Source aws-mcp.amazonaws.com.

The Downsides

  • As an official AWS service, this AI setup uses CloudFormation/SAM/CDK as the infrastructure-as-code language. Like 97% of the DevOps community, you most likely use Terraform/OpenTofu. Additional steps are required to convert the answer into Terraform HCL.

  • You may not like the answers if you disagree with the AWS Well-Architected framework.

  • Claude and most AI systems still offer questionable advice about Day 2 infrastructure operations such as upgrades and maintenance of existing resources. They will sometimes advise deleting infrastructure like databases instead of attempting to modify it.

What about GCP and Azure?

Check out our DevOps AI section for information on how to set up MCP servers for GCP and Azure.

Conclusion

Powering up Claude with the AWS MCP Server feels like having an AWS DevOps expert sit next to you and offer knowledgeable answers. On top of that, Claude can do the mundane tasks of creating, deploying, and monitoring AWS infrastructure. This frees you to concentrate on the important stuff, like creative ideas and business strategies.
