Can I use AWS as a CLI?

Yes. KosmoKrator exposes a AWS CLI through kosmo integrations:call and the provider shortcut command. Commands can return JSON for scripts, CI, and coding agents.

Can I expose AWS through MCP?

Yes. The KosmoKrator MCP gateway can expose selected AWS tools to clients such as Claude Code, Cursor, Codex, and other MCP-compatible tools.

Where are AWS credentials stored?

AWS credentials are configured in KosmoKrator's local integration settings and reused by CLI, Lua, and MCP gateway surfaces.

Can I deny write access for AWS MCP tools?

Yes. Start the gateway with --write=deny for read-only clients, or use ask/allow only for trusted workspaces.

other

AWS MCP Integration for Claude Agent SDK

Connect AWS to Claude Agent SDK through the local KosmoKrator MCP gateway with scoped tools, credentials, and write policy.

8 functions 7 read 1 write Bearer token auth

Submit AWS feedback View package source

Connect AWS to Claude Agent SDK

Give Claude Agent SDK workflows access to KosmoKrator integrations through a local MCP server.

Add a KosmoKrator stdio MCP server to the Claude Agent SDK options. The gateway is local, scoped to this integration, and starts with --write=deny so Claude Agent SDK can inspect read-capable tools without receiving write access by default.

AWS MCP Config for Claude Agent SDK

Use a narrow integration list so the agent does not load unrelated tools.

{
  "mcpServers": {
    "kosmokrator-aws": {
      "type": "stdio",
      "command": "kosmo",
      "args": [
        "mcp:serve",
        "--integration=aws",
        "--write=deny"
      ]
    }
  }
}

Run the Gateway Manually

kosmokrator mcp:serve --integration=aws --write=deny

Why Use KosmoKrator Here

Scoped tools

Expose only AWS instead of a broad multi-service tool list.

Local credentials

Reuse credentials already configured for the KosmoKrator CLI and Lua runtime.

Write policy

Start read-only, then opt into ask or allow for trusted workspaces.

AWS Tools Visible to Claude Agent SDK

Claude Agent SDK sees stable MCP tool names generated from the AWS integration catalog.

MCP tool	Source function	Type	Description
`integration__aws__aws_list_s3_buckets`	`aws.aws_list_s3_buckets`	Read	List all S3 buckets in the AWS account. Returns bucket names, creation dates, and regions.
`integration__aws__aws_list_ec2_instances`	`aws.aws_list_ec2_instances`	Read	Describe EC2 instances in the AWS account. Returns instance IDs, types, states, and metadata. Supports filtering by instance IDs, states, or tags.
`integration__aws__aws_list_lambda_functions`	`aws.aws_list_lambda_functions`	Read	List all Lambda functions in the AWS account. Returns function names, runtimes, descriptions, and configuration.
`integration__aws__aws_invoke_lambda`	`aws.aws_invoke_lambda`	Write	Invoke an AWS Lambda function with an optional payload. Supports synchronous (RequestResponse) and asynchronous (Event) invocation modes.
`integration__aws__aws_list_dynamodb_tables`	`aws.aws_list_dynamodb_tables`	Read	List all DynamoDB tables in the AWS account. Returns table names and can be used with pagination to enumerate all tables.
`integration__aws__aws_get_cloudwatch_metrics`	`aws.aws_get_cloudwatch_metrics`	Read	Get CloudWatch metric data for AWS resources. Supports querying metrics by namespace, metric name, dimensions, and time range with configurable statistics and periods.
`integration__aws__aws_list_sns_topics`	`aws.aws_list_sns_topics`	Read	List all SNS notification topics in the AWS account. Returns topic ARNs and names.
`integration__aws__aws_get_current_user`	`aws.aws_get_current_user`	Read	Get the current IAM user identity. Returns user ARN, account ID, and user ID. Useful for verifying credentials and understanding which AWS account is being accessed.

Related AWS Pages

AWS CLIUse direct JSON commands instead of MCP discovery. AWS MCPFull gateway reference and MCP tool names. KosmoKrator for Claude Agent SDKClient-level gateway setup.