How AWS MCP Server works with IAM
AWS MCP Server uses a simplified authorization model that works like the AWS Command Line Interface (AWS CLI) and AWS SDKs. The server does not define its own IAM actions, resources, or service-specific condition keys. Instead, it authenticates your request using SigV4, adds standardized condition context keys, and forwards the request to the downstream AWS service. The downstream service performs the authorization check using your existing IAM policies. This means your AI agents work with your existing AWS credentials and service-level permissions, and you do not need to configure separate MCP-specific IAM actions.
Authorization flow
When an AI agent calls the AWS MCP Server, the following authorization flow occurs:
1. Your agent's request is authenticated with your AWS credentials using SigV4. The MCP Proxy for AWS handles this signing automatically between your host application and the server.
2. AWS MCP Server authenticates the request and adds the MCP condition context keys (aws:ViaAWSMCPService and aws:CalledViaAWSMCP).
3. AWS MCP Server forwards the request to the target AWS service.
4. The target AWS service authorizes the request using your existing IAM policies, which can reference the MCP condition context keys for fine-grained control.
MCP condition context keys
AWS MCP Server automatically adds the following global condition context keys to all requests it forwards to downstream AWS services. You can use these keys in IAM policies and service control policies (SCPs) to differentiate between requests made through an AWS managed MCP server and direct API calls.
aws:ViaAWSMCPService
A Boolean key set to true for any request that passes through an AWS managed MCP server. Use this key to allow or deny all actions initiated through any AWS managed MCP server.
Type: Boolean

aws:CalledViaAWSMCP
A single-valued string key containing the service principal of the specific AWS managed MCP server that initiated the request. Use this key to apply controls for a specific MCP server.
Type: String
Example values:
aws-mcp.amazonaws.com – AWS MCP Server
eks-mcp.amazonaws.com – Amazon EKS MCP Server
ecs-mcp.amazonaws.com – Amazon ECS MCP Server
For more information about global condition context keys, see IAM condition context keys in the IAM User Guide.
Identity-based policies
Supports identity-based policies: Yes
Because AWS MCP Server forwards requests to downstream AWS services using your credentials, the IAM policies attached to your IAM user or role determine what actions the MCP server can perform on your behalf. No additional IAM configuration is required to use AWS MCP Server beyond the permissions you already grant for direct API access.
You can use the MCP condition context keys in your existing policies to apply different permissions when actions are initiated through an MCP server. For examples, see Identity-based policy examples for AWS MCP Server.
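The following identity-based policy is an added example, not a policy from the AWS documentation, that uses both condition keys together. It assumes a hypothetical bucket named example-agent-data. Reads are allowed only when the request arrives through AWS MCP Server itself (matched on aws:CalledViaAWSMCP), while object writes and deletes are denied whenever the request passes through any AWS managed MCP server (matched on aws:ViaAWSMCPService). JSON policies cannot carry comments, so the Sid values document each statement's intent.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadsOnlyThroughAwsMcpServer",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::example-agent-data",
        "arn:aws:s3:::example-agent-data/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:CalledViaAWSMCP": "aws-mcp.amazonaws.com"
        }
      }
    },
    {
      "Sid": "DenyWritesThroughAnyManagedMcpServer",
      "Effect": "Deny",
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:ViaAWSMCPService": "true"
        }
      }
    }
  ]
}
```

Because aws:ViaAWSMCPService is a Boolean key, match it with the Bool operator rather than StringEquals. Both keys are absent from direct AWS CLI or SDK calls, so the Deny statement does not match those calls and the principal's other permissions for direct access are unchanged; only the Allow statement is scoped so that it never grants read access outside an MCP-initiated request.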
Using temporary credentials with AWS MCP Server
Supports temporary credentials: Yes
AWS MCP Server works with temporary credentials obtained through AWS STS. When you authenticate with AWS MCP Server, you can use temporary credentials from IAM roles, federated identities, or assumed roles. The server forwards these credentials to downstream AWS services, which honor the same session policies and permission boundaries as direct API calls.
Deprecated MCP-specific IAM actions
During the preview period, AWS MCP Server required the following service-specific IAM actions:
aws-mcp:InvokeMcp
aws-mcp:CallReadOnlyTool
aws-mcp:CallReadWriteTool
These actions are no longer required and have no effect. If you previously configured IAM permissions using these actions, we recommend that you remove them from your policies. If you used these actions in Deny statements to block access to AWS MCP Server, you must update your policies to use the aws:ViaAWSMCPService or aws:CalledViaAWSMCP condition context keys instead.
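As an added example, not a policy from the AWS documentation, the following service control policy is the replacement for a preview-era Deny statement that listed aws-mcp:InvokeMcp, aws-mcp:CallReadOnlyTool and aws-mcp:CallReadWriteTool as its actions. Because those actions no longer have any effect, a policy that still relies on them no longer blocks anything; the replacement denies every action on every resource whenever the request was initiated through an AWS managed MCP server. JSON policies cannot carry comments, so the Sid documents the statement's purpose.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReplacesDeprecatedAwsMcpActionDeny",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:ViaAWSMCPService": "true"
        }
      }
    }
  ]
}
```

To block only one server instead of all of them, swap the Bool condition for a StringEquals condition on aws:CalledViaAWSMCP with that server's service principal, for example aws-mcp.amazonaws.com. Direct API calls carry neither key, so this Deny never matches them and existing non-MCP workflows in the organization are unaffected.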