Last updated: Dec 10, 2025, 06:48 PM UTC

AWS CloudWatch MCP Setup Notes

1. Create read-only credentials

  1. Sign in as the account root user for step 2 (activating IAM access to billing can only be done by root); an admin role is sufficient for the remaining steps.
  2. Activate IAM access to billing: https://console.aws.amazon.com/billing/home#/account → “IAM User and Role Access to Billing Information” → check Activate IAM Access.
  3. Enable Cost Explorer: https://console.aws.amazon.com/cost-management/home#/cost-explorer → Enable (first-time data fill can take ~24h).
  4. Enroll Cost Optimization Hub & Compute Optimizer:
    aws cost-optimization-hub update-enrollment-status --status Active
    aws compute-optimizer update-enrollment-status --status Active
    
  5. Create an IAM user/role (e.g., sasha-cloudwatch-readonly).
  6. Attach AWS-managed policies. Caveat: the Billing job-function policy is not read-only; it also allows changing payment methods, budgets and other billing settings. If Sasha only needs to read cost data, attach arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess instead of the job-function policy below.
    aws iam attach-user-policy \
      --user-name sasha-cloudwatch-readonly \
      --policy-arn arn:aws:iam::aws:policy/job-function/Billing
    
    aws iam attach-user-policy \
      --user-name sasha-cloudwatch-readonly \
      --policy-arn arn:aws:iam::aws:policy/ComputeOptimizerReadOnlyAccess
    
    aws iam attach-user-policy \
      --user-name sasha-cloudwatch-readonly \
      --policy-arn arn:aws:iam::aws:policy/AWSTrustedAdvisorReadOnlyAccess
    
  7. (Optional) Attach an inline policy (put-user-policy or put-role-policy) granting CloudWatch metric, alarm and Logs Insights reads:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:DescribeAlarms",
        "cloudwatch:DescribeAlarmHistory",
        "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups",
        "logs:DescribeQueryDefinitions",
        "logs:ListLogAnomalyDetectors",
        "logs:ListAnomalies",
        "logs:StartQuery",
        "logs:GetQueryResults",
        "logs:StopQuery"
      ],
      "Resource": "*"
    }
  ]
}
  8. Optional: grant Storage Lens/Athena read access if you expect Sasha to use those analytics (policy snippet below).
  9. Generate an access key, or, preferably, assume the role via STS for temporary credentials.
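To check that the policies you hand to this principal actually stay read-only, here is an added example (not code from these notes, the MCP integration or AWS) that lints IAM policy JSON: it flags any Allow action that can change state and any wildcard Resource on services where scoping to a bucket or workgroup is practical. The two policy documents are the ones from these notes; the third is a constructed bad example, and the read-verb prefix list is our own heuristic, not an AWS classification.

```python
"""Lint IAM policy documents for read-only intent (added example, heuristic)."""
from __future__ import annotations

import json

# Action verbs that only read state (our heuristic, not an AWS classification).
READ_PREFIXES = ("Describe", "Get", "List", "Lookup", "Search", "View")
# Query lifecycle actions that read data despite a Start/Stop verb.
QUERY_ACTIONS = {"logs:StartQuery", "logs:StopQuery", "athena:StartQueryExecution"}
# Services where "Resource": "*" should be narrowed to specific ARNs.
SCOPEABLE_SERVICES = {"s3", "athena"}


def is_read_only(action: str) -> bool:
    """True if the action cannot change state under the heuristic above."""
    if action in QUERY_ACTIONS:
        return True
    if "*" in action:  # "s3:*" or "cloudwatch:Put*" is never read-only
        return False
    _service, _, verb = action.partition(":")
    return verb.startswith(READ_PREFIXES)


def _as_list(value) -> list:
    """IAM allows a bare string where a list is expected; normalise it."""
    return [value] if isinstance(value, str) else list(value or [])


def lint_policy(policy: dict) -> list[str]:
    """Return human-readable findings for every Allow statement in the policy."""
    findings: list[str] = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if not is_read_only(action):
                findings.append(f"statement {idx}: {action} can change state")
        if "*" in resources:
            services = {a.split(":")[0] for a in actions} & SCOPEABLE_SERVICES
            for service in sorted(services):
                findings.append(
                    f'statement {idx}: {service} actions allowed on Resource "*"; '
                    "scope to specific ARNs"
                )
    return findings


# Inline CloudWatch/Logs policy from the notes.
CLOUDWATCH_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
      "cloudwatch:DescribeAlarms", "cloudwatch:DescribeAlarmHistory",
      "cloudwatch:GetMetricData", "cloudwatch:ListMetrics"]},
    {"Effect": "Allow", "Resource": "*", "Action": [
      "logs:DescribeLogGroups", "logs:DescribeQueryDefinitions",
      "logs:ListLogAnomalyDetectors", "logs:ListAnomalies",
      "logs:StartQuery", "logs:GetQueryResults", "logs:StopQuery"]}
  ]}""")

# Optional Storage Lens / Athena policy from the notes (placeholders kept).
STORAGE_LENS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
      "athena:StartQueryExecution", "athena:GetQueryExecution",
      "athena:GetQueryResults"]},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": [
      "arn:aws:s3:::<storage-lens-manifest-bucket>",
      "arn:aws:s3:::<storage-lens-manifest-bucket>/*",
      "arn:aws:s3:::<storage-lens-output-bucket>",
      "arn:aws:s3:::<storage-lens-output-bucket>/*"]}
  ]}""")

# Constructed bad example: a write action plus unscoped S3 access.
BAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Resource": "*",
                 "Action": ["cloudwatch:PutMetricAlarm", "s3:GetObject"]}]}""")


if __name__ == "__main__":
    for name, doc in [("cloudwatch", CLOUDWATCH_POLICY),
                      ("storage-lens", STORAGE_LENS_POLICY),
                      ("bad", BAD_POLICY)]:
        print(name, lint_policy(doc) or "OK")
```

Run it against the output of `aws iam get-user-policy` (the `PolicyDocument` field) before attaching a policy; the Athena statement from the notes is reported because `athena:*` actions on `Resource: "*"` cover every workgroup in the account.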

2. Provide credentials to Sasha

  1. Open Settings → Tools → AWS CloudWatch.
  2. Paste the Access Key ID, Secret Access Key, and optional Session Token (for temporary creds).
  3. Pick the primary AWS region (defaults to us-east-1).
  4. (Optional) Provide default log group / metric namespace hints.
  5. Save → Test → Register.

Secrets are encrypted at rest in /home/sasha/config/mcp/aws-cloudwatch.json.

Optional Storage Lens & Athena policy snippet (replace the bucket placeholders with your own bucket names; note that running Athena queries additionally requires write access to the workgroup's query-result location and read access to the Glue Data Catalog tables, which this snippet does not grant)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "athena:StartQueryExecution",
        "athena:GetQueryExecution",
        "athena:GetQueryResults"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::<storage-lens-manifest-bucket>",
        "arn:aws:s3:::<storage-lens-manifest-bucket>/*",
        "arn:aws:s3:::<storage-lens-output-bucket>",
        "arn:aws:s3:::<storage-lens-output-bucket>/*"
      ]
    }
  ]
}

3. Operational checklist

  • uv installed (uv --version inside container).
  • run-aws-cloudwatch-mcp.sh executable.
  • /home/sasha/config/mcp/aws-cloudwatch.json persisted.
  • Smoke test (node integrations/mcp/aws-cloudwatch/smoke-test.js) passes locally, UI “Test Connection” passes.
  • claude mcp list shows aws-cloudwatch registered.

4. Security reminders

  • Prefer short-lived STS credentials (assume the role rather than storing a long-lived access key); if you must use an access key, rotate it regularly and re-run the smoke test after each rotation.
  • Limit optional Storage Lens/Athena access to the specific buckets you need.
  • Monitor CloudTrail for API calls made by Sasha's principal (filter on the user or role ARN); a read-only integration should produce only readOnly=true events, no AccessDenied errors, and no calls outside the configured region.
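The CloudTrail check above, as an added example that is not part of these notes or the MCP integration: every CloudTrail record carries a `readOnly` flag, an `errorCode` on failed calls and the calling region, and a role session appears under an assumed-role ARN with the issuing role in `sessionContext.sessionIssuer`. The code selects the records belonging to Sasha's principal and reports writes, denied calls and calls from an unexpected region. The trail below is constructed for this example; the account id, ARNs, IP address and timestamps are made up.

```python
"""Audit constructed CloudTrail records for the Sasha principal (added example)."""
import json

ACCOUNT = "123456789012"  # assumed account id
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/sasha-cloudwatch-readonly"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/sasha-cloudwatch-readonly"
ALLOWED_REGIONS = {"us-east-1"}  # the primary region chosen in the Sasha settings

USER_IDENTITY = {"type": "IAMUser", "arn": USER_ARN, "userName": "sasha-cloudwatch-readonly"}
# A role session: userIdentity.arn is the STS session, the role sits under sessionIssuer.
ROLE_SESSION = {
    "type": "AssumedRole",
    "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/sasha-cloudwatch-readonly/mcp-session",
    "sessionContext": {"sessionIssuer": {"type": "Role", "arn": ROLE_ARN}},
}
OTHER_USER = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice", "userName": "alice"}


def _rec(name, source, region="us-east-1", read_only=True, identity=None, **extra):
    """Build one CloudTrail-shaped record (constructed sample data)."""
    rec = {
        "eventVersion": "1.08",
        "userIdentity": identity or USER_IDENTITY,
        "eventTime": "2025-12-10T18:00:00Z",
        "eventSource": source,
        "eventName": name,
        "awsRegion": region,
        "sourceIPAddress": "203.0.113.10",
        "readOnly": read_only,
    }
    rec.update(extra)  # e.g. errorCode="AccessDenied"
    return rec


# Constructed trail: one normal read, one write, one denied call, one call from
# the wrong region, one read via a role session, and one event by another user.
CONSTRUCTED_TRAIL = json.dumps({"Records": [
    _rec("GetMetricData", "monitoring.amazonaws.com"),
    _rec("PutMetricAlarm", "monitoring.amazonaws.com", read_only=False),
    _rec("GetCostAndUsage", "ce.amazonaws.com", errorCode="AccessDenied"),
    _rec("DescribeLogGroups", "logs.amazonaws.com", region="eu-west-1"),
    _rec("ListMetrics", "monitoring.amazonaws.com", identity=ROLE_SESSION),
    _rec("PutBucketPolicy", "s3.amazonaws.com", read_only=False, identity=OTHER_USER),
]})


def principal_of(record):
    """The IAM user or role behind a record; role sessions resolve to the role ARN."""
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn")


def audit_principal(trail_json, principal_arn, allowed_regions=ALLOWED_REGIONS):
    """Return the event count for the principal and a list of findings."""
    records = json.loads(trail_json).get("Records", [])
    mine = [r for r in records if principal_of(r) == principal_arn]
    findings = []
    for r in mine:
        tag = f"{r['eventTime']} {r['eventSource']} {r['eventName']}"
        if r.get("readOnly") is False:
            findings.append(f"WRITE {tag}")
        if r.get("errorCode"):
            findings.append(f"DENIED {tag} ({r['errorCode']})")
        if r.get("awsRegion") not in allowed_regions:
            findings.append(f"REGION {tag} from {r['awsRegion']}")
    return {"events": len(mine), "findings": findings}


if __name__ == "__main__":
    for arn in (USER_ARN, ROLE_ARN):
        result = audit_principal(CONSTRUCTED_TRAIL, arn)
        print(arn, result["events"], "events")
        for line in result["findings"]:
            print("  ", line)
```

On a real account, feed it the decompressed objects from the trail's S3 bucket (each is a `{"Records": [...]}` document) or the `Events` you pull with `aws cloudtrail lookup-events`; a denied call is worth a look even though it failed, because it means the client asked for something the policy was meant to exclude.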