AWS made AI agent authentication to cloud services genuinely keyless this week. The AWS MCP Server reached general availability on July 9, adding a Skills Framework, enterprise audit trails, and CloudWatch metrics that separate agent actions from human ones. A day later, OAuth 2.1 support arrived — meaning Claude Code, Kiro, Cursor, and any MCP-compatible client can now authenticate to AWS using the same browser sign-in developers use for the Console. No long-lived keys stored on laptops. No MCP proxy to install.
This is not a marginal improvement. It closes a genuine security gap that has been quietly damaging real teams.
The Problem Worth Understanding
Before you can appreciate what AWS shipped, you need the context. According to a 2026 analysis of public MCP servers, 53% rely on static API keys or personal access tokens. Seventy-nine percent handle credentials in plaintext. A developer published a post this month titled “The MCP Server I Trusted Just Stole My AWS Key.” In June, CVE-2026-12957 (CVSS 8.5) demonstrated that a single malicious config file dropped in a repo could hijack a developer’s live AWS session. The attack required no elevated privileges — just a compromised file and a live credential.
AWS’s OAuth implementation doesn’t fix third-party MCP servers. Those remain a minefield. What it fixes is the specific, pervasive problem of long-lived AWS credentials sitting on developer machines so AI agents can call AWS APIs.
How OAuth Auth Works Now
Setup takes two commands. First, register the MCP endpoint:
claude mcp add --transport http aws-mcp https://aws-mcp.us-east-1.api.aws/mcp
Then run /mcp in Claude Code, trigger authentication, and your browser opens a standard AWS Sign-In page. Complete your normal login — MFA, SSO, whatever your organization requires — and the client receives a short-lived access token (one hour) plus a refresh token (up to twelve hours). If you’re already signed in to the AWS Console in that browser, the redirect completes without re-entering credentials.
There’s no manual OAuth client registration. Dynamic Client Registration handles it transparently. To enable it, attach one managed policy to your IAM role:
aws iam attach-role-policy \
--role-name MyRole \
--policy-arn arn:aws:iam::aws:policy/AWSMCPSignInOAuthAccessPolicy
For CI pipelines and headless environments, there’s a non-interactive path using aws signin create-oauth2-token-with-iam with the client_credentials grant type. That token is valid for 3,600 seconds and does not auto-refresh — you’ll need to re-issue it. And if you work across multiple AWS accounts using profile switching, this OAuth flow doesn’t support that yet. Multi-account workflows must keep the SigV4 proxy approach. That’s a real limitation for enterprise teams, not a footnote.
What General Availability Actually Added
The GA release wasn’t just the OAuth headline. The Skills Framework is quietly the more durable improvement. AWS service teams now contribute curated instruction packages — validated workflows, step-by-step procedures, and troubleshooting guides — that agents load on demand. The practical effect: fewer hallucinated API calls, less token burn on trial-and-error, and agents that produce infrastructure matching current AWS best practices rather than what the model was trained on years ago.
Documentation retrieval no longer requires authentication, removing friction for read-only queries. CloudWatch metrics appear under the AWS-MCP namespace, making agent activity distinct from human operations in monitoring dashboards. CloudTrail logging captures every operation with full audit trails — and for teams that need to demonstrate compliance, that matters.
The full picture: 15,000+ AWS API operations available, sandboxed Python script execution server-side, and open-source Agent Skills contributed by AWS service teams and discoverable at runtime.
The Enterprise Layer: Claude Apps Gateway
Organizations deploying Claude Code or Claude Desktop across development teams have a new governance option. The Claude Apps Gateway is a self-hosted control plane — a stateless container running on ECS, EKS, or EC2 — that sits between your developers and Claude’s API. It connects to any OIDC provider (Okta, Ping, IAM Identity Center), enforces spend caps per user or group, and routes inference to Amazon Bedrock or Claude Platform on AWS. With Bedrock routing, data stays within the AWS security boundary.
Developer experience: claude /login opens corporate SSO, returns a short-lived token, managed policies apply automatically. Engineering managers get centralized control over which models are accessible and what each developer can spend. No distributing credentials across laptops.
What to Do This Week
The AWS MCP Server is available at no charge — you pay only for AWS resources the agent provisions. It’s live in US East (N. Virginia) and Europe (Frankfurt).
If you’re using Claude Code with AWS today and storing credentials locally so your agent can call AWS APIs, this is the week to switch. Two commands, browser login, done. Check the multi-account limitation before committing — if your workflow requires cross-account role assumption, stay on SigV4 for now. If you’re an engineering manager evaluating Claude Code for your team, the OAuth launch and Claude Apps Gateway together represent the governance story your security team has been asking for.
The broader MCP security problem isn’t solved. Third-party servers still carry the risks that have defined MCP’s security reputation in 2026. But for the specific use case of AI agents accessing AWS, the gap between “this feels dangerous” and “this is production-ready” just closed significantly.













