AWS aws-mcp documentation change
Summary
Restructured and updated the Deployment SOPs documentation. Changes include a new quick start guide, updated deployment types, revised prerequisites focusing on AI models and tooling, expanded security features section, added limitations, and pricing information.
Security assessment
The changes update security documentation by expanding the security features section with specific AWS security best practices (S3 access controls, encryption, HTTPS enforcement, IAM least privilege) but show no evidence of addressing a specific vulnerability. The updates are general security enhancements and documentation improvements.
Diff
diff --git a/aws-mcp/latest/userguide/agent-sops-deployment.md b/aws-mcp/latest/userguide/agent-sops-deployment.md index 90b7085bc..9af1ff2f4 100644 --- a//aws-mcp/latest/userguide/agent-sops-deployment.md +++ b//aws-mcp/latest/userguide/agent-sops-deployment.md @@ -5 +5 @@ -Available Deployment SOPsPrerequisitesSupported Use CasesSecurity Features +Quick startAvailable deployment typesHow the SOPs workPrerequisitesSecurity featuresLimitationsPricing @@ -7 +7 @@ Available Deployment SOPsPrerequisitesSupported Use CasesSecurity Features -# AWS Deployment SOPs +# Deployment SOPs @@ -9 +9 @@ Available Deployment SOPsPrerequisitesSupported Use CasesSecurity Features -The [AWS MCP Server](https://docs.aws.amazon.com/aws-mcp/latest/userguide/getting-started-aws-mcp-server.html) includes Standard Operating Practices (SOPs) that help you deploy applications to AWS. These workflows analyze your application, make necessary code changes, and generate Infrastructure as Code (IaC) that is deployed using [AWS CloudFormation](https://aws.amazon.com/cloudformation/) to host your application on AWS. +The AWS MCP Server includes Standard Operating Procedures (SOPs) that deploy applications to AWS. These SOPs analyze your application, generate Infrastructure as Code (IaC) using the [AWS Cloud Development Kit (CDK)](https://docs.aws.amazon.com/cdk/v2/guide/home.html), and deploy it through [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html). @@ -11 +11 @@ The [AWS MCP Server](https://docs.aws.amazon.com/aws-mcp/latest/userguide/gettin -Deployment SOPs support a variety of web frameworks, including Single-Page Applications (React, Vue, Angular, and SvelteKit), Static Site Generators (Next.js static export, Nuxt 2/3, Gatsby, Hugo, Jekyll, Docusaurus, Astro, and Eleventy). +Deployment SOPs support single-page applications, static site generators, Supabase-backed applications (such as Lovable.dev and Bolt.new), and static websites. These SOPs can deploy applications with minimal prompting. For complex applications, your coding agent may require additional information or iterations to complete the deployment. @@ -13 +13 @@ Deployment SOPs support a variety of web frameworks, including Single-Page Appli -These SOPs can deploy applications in as little as one prompt. For more complex applications, your coding agent may require additional information or iterations to complete deployment. Your coding agent receives AWS security best practice recommendations from the SOPs, providing a secure starting point that you can review and customize for your requirements. +Your coding agent is guided by AWS security best practice recommendations from the SOPs, providing a secure starting point from where you can review and customize for your requirements. @@ -15,49 +15 @@ These SOPs can deploy applications in as little as one prompt. For more complex -###### Note - -For best results, run these SOPs with the latest AI models that can handle complex, multi-step tasks. - -###### Deployment documentation - -The SOPs generate documentation files and update `AGENTS.md` in your repository to track deployment progress. This also provides coding agents with context for future deployments and troubleshooting. - -## Available Deployment SOPs - -SOP name | SOP purpose ----|--- -`deploy-web-app` | Checks if your application type is supported and selects the appropriate deployment SOP -`deploy-frontend-app` | Generates [AWS Cloud Development Kit (CDK)](https://aws.amazon.com/cdk/) infrastructure code and deploys it through AWS CloudFormation, providing a shareable preview URL for your website -`setup-pipeline` | Creates a pipeline using [AWS CodePipeline](https://aws.amazon.com/codepipeline/) that automatically verifies and deploys your application when changes are pushed to [GitHub](https://github.com) -`document-deployment` | Generates deployment documentation and tracks progress - -## Prerequisites - -Before you begin, you must ensure that you have set up an AWS account. - -#### Sign up for an AWS account - -If you do not have an AWS account, complete the following steps to create one. - -###### To sign up for an AWS account - - 1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup). - - 2. Follow the online instructions. - -Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad. - -When you sign up for an AWS account, an _AWS account root user_ is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks). - - - - -AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [https://aws.amazon.com/](https://aws.amazon.com/) and choosing **My Account**. - -#### Create a user with administrative access - -After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks. - -###### Secure your AWS account root user - - 1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/) as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password. - -For help signing in by using root user, see [Signing in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html#introduction-to-root-user-sign-in-tutorial) in the _AWS Sign-In User Guide_. +## Quick start @@ -65 +17 @@ For help signing in by using root user, see [Signing in as the root user](https: - 2. Turn on multi-factor authentication (MFA) for your root user. + 1. Install the AWS MCP Server. For instructions, see [Setting up your AWS MCP Server](https://docs.aws.amazon.com/aws-mcp/latest/userguide/getting-started-aws-mcp-server.html). @@ -67 +19 @@ For help signing in by using root user, see [Signing in as the root user](https: -For instructions, see [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html) in the _IAM User Guide_. + 2. Log in to the AWS CLI. For instructions, see [Configuring the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html). @@ -68,0 +21 @@ For instructions, see [Enable a virtual MFA device for your AWS account root use + 3. Prompt your coding agent: `Deploy my app to AWS` @@ -72 +24,0 @@ For instructions, see [Enable a virtual MFA device for your AWS account root use -###### Create a user with administrative access @@ -74 +26 @@ For instructions, see [Enable a virtual MFA device for your AWS account root use - 1. Enable IAM Identity Center. +## Available deployment types @@ -76 +28 @@ For instructions, see [Enable a virtual MFA device for your AWS account root use -For instructions, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-set-up-for-idc.html) in the _AWS IAM Identity Center User Guide_. +Deploys applications built with modern frontend frameworks to [Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) and [Amazon CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html). Generates CDK infrastructure code and deploys it through AWS CloudFormation, providing a shareable preview URL. @@ -78 +30 @@ For instructions, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon - 2. In IAM Identity Center, grant administrative access to a user. +Supported application types: React, Vue, Angular, SvelteKit, Next.js (static export), Nuxt 2/3, Gatsby, Hugo, Jekyll, Docusaurus, Astro, Eleventy. Other frameworks may require you to provide additional guidance to your coding agent, or perform manual updates after the deployment. @@ -80 +32 @@ For instructions, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon -For a tutorial about using the IAM Identity Center directory as your identity source, see [ Configure user access with the default IAM Identity Center directory](https://docs.aws.amazon.com//singlesignon/latest/userguide/quick-start-default-idc.html) in the _AWS IAM Identity Center User Guide_. +For more information, see [Frontend applications](https://docs.aws.amazon.com/aws-mcp/latest/userguide/agent-sops-deployment-frontend.html). @@ -81,0 +34 @@ For a tutorial about using the IAM Identity Center directory as your identity so +Deploys applications built with Supabase to your AWS account. Your database and authentication remain in Supabase, while Edge Functions migrate to [AWS Lambda](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) and [Amazon API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/welcome.html). Stores secrets in [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html). Generates CDK infrastructure code and deploys through CloudFormation, providing a shareable preview URL. @@ -82,0 +36 @@ For a tutorial about using the IAM Identity Center directory as your identity so +Supported application types: Applications with environment-based Supabase configuration (`supabase/config.toml`), such as Lovable.dev and Bolt.new. @@ -83,0 +38 @@ For a tutorial about using the IAM Identity Center directory as your identity so +For more information, see [Supabase applications](https://docs.aws.amazon.com/aws-mcp/latest/userguide/agent-sops-deployment-supabase.html). @@ -85 +40 @@ For a tutorial about using the IAM Identity Center directory as your identity so -###### Sign in as the user with administrative access +Creates a CI/CD pipeline using [AWS CodePipeline](https://docs.aws.amazon.com/codepipeline/latest/userguide/welcome.html) that automatically builds, tests, and deploys your application when changes are pushed to your source repository. @@ -87 +42 @@ For a tutorial about using the IAM Identity Center directory as your identity so - * To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user. +Supported application types: All applications deployed using Deployment SOPs. @@ -89 +44 @@ For a tutorial about using the IAM Identity Center directory as your identity so -For help signing in using an IAM Identity Center user, see [Signing in to the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the _AWS Sign-In User Guide_. +For more information, see [Set up CodePipeline](https://docs.aws.amazon.com/aws-mcp/latest/userguide/agent-sops-deployment-pipeline.html). @@ -90,0 +46 @@ For help signing in using an IAM Identity Center user, see [Signing in to the AW +## How the SOPs work @@ -91,0 +48 @@ For help signing in using an IAM Identity Center user, see [Signing in to the AW +The SOPs provide step-by-step instructions that your coding agent follows. Your coding agent inspects the application, generates CDK infrastructure code, and deploys using CloudFormation. Application code is modified to support deployment to AWS, which includes changing how secrets are obtained, how edge functions are wrapped for AWS Lambda, and, in some cases, frontend build configurations. The SOPs instruct your coding agent to avoid modifying application code unless required for deployment. @@ -92,0 +50 @@ For help signing in using an IAM Identity Center user, see [Signing in to the AW +Your coding agent may ask your permission to use a tool or request additional information such as application secret keys. Where possible, your coding agent derives information from available source code. @@ -94,38 +52 @@ For help signing in using an IAM Identity Center user, see [Signing in to the AW -###### Assign access to additional users - - 1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions. - -For instructions, see [ Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-started-create-a-permission-set.html) in the _AWS IAM Identity Center User Guide_. - - 2. Assign users to a group, and then assign single sign-on access to the group. - -For instructions, see [ Add groups](https://docs.aws.amazon.com//singlesignon/latest/userguide/addgroups.html) in the _AWS IAM Identity Center User Guide_. - - - - -Depending on your application, additional prerequisites will vary. The SOP will guide your coding agent to verify these: - - * [AWS MCP Server](https://docs.aws.amazon.com/aws-mcp/latest/userguide/getting-started.html) installed and enabled in your AI coding assistant (such as Kiro or Cursor) - - * [Git Command Line Interface (CLI)](https://git-scm.com/install/) installed and configured - - * [AWS Command Line Interface (CLI)](https://aws.amazon.com/cli/) configured with valid credentials - - * Appropriate package manager (such as `npm`, `yarn`, or `pnpm`) - - - - -## Supported Use Cases - -One-prompt deployment that provides a link (URL) to your website that can be shared with others. - -###### Supported application types - - * Single-Page Applications (SPAs): React, Vue, Angular, SvelteKit - - * Static Site Generators (SSGs): Next.js (static export), Nuxt, Gatsby, Hugo, Jekyll, Docusaurus, Astro, Eleventy - - * Static websites - +The SOPs generate documentation in your repository to track deployment progress and provide context for future deployments. @@ -132,0 +54 @@ One-prompt deployment that provides a link (URL) to your website that can be sha +In some situations, you may need to prompt your coding agent to fix inconsistencies, particularly with larger applications or older models with smaller context windows. @@ -133,0 +56 @@ One-prompt deployment that provides a link (URL) to your website that can be sha +## Prerequisites @@ -135 +58 @@ One-prompt deployment that provides a link (URL) to your website that can be sha -###### Steps the coding agent takes +###### AI model requirements @@ -137 +60 @@ One-prompt deployment that provides a link (URL) to your website that can be sha - 1. Scans project structure to identify the application framework +Testing showed best results with the following models: @@ -139 +62 @@ One-prompt deployment that provides a link (URL) to your website that can be sha - 2. Detects build configuration and adjusts settings as needed + * Anthropic Claude Opus 4.6 (200k, 1M) @@ -141 +64 @@ One-prompt deployment that provides a link (URL) to your website that can be sha - 3. Generates infrastructure code using AWS Cloud Development Kit (CDK) + * Anthropic Claude Opus 4.5 (200k) @@ -143 +66 @@ One-prompt deployment that provides a link (URL) to your website that can be sha - 4. Deploys infrastructure to AWS using AWS CloudFormation + * Anthropic Claude Sonnet 4.5 @@ -145 +68 @@ One-prompt deployment that provides a link (URL) to your website that can be sha - 5. Provides a link (URL) for your application on AWS + * OpenAI GPT-5.2-Codex @@ -146,0 +70 @@ One-prompt deployment that provides a link (URL) to your website that can be sha + * OpenAI GPT-5.3-Codex @@ -147,0 +72 @@ One-prompt deployment that provides a link (URL) to your website that can be sha + * Google Gemini 3 Pro @@ -150 +74,0 @@ One-prompt deployment that provides a link (URL) to your website that can be sha -###### Technical explanation @@ -152 +75,0 @@ One-prompt deployment that provides a link (URL) to your website that can be sha -Your coding agent analyzes your application to determine if it can be deployed as a static website on AWS. It generates AWS CDK code defining the required hosting infrastructure and compiles your application. A personal preview stack is then provisioned using AWS CloudFormation, which uploads your code to [Amazon S3](https://aws.amazon.com/s3/) and serves it through [Amazon CloudFront](https://aws.amazon.com/cloudfront/). The SOP prompts your coding agent to apply security best practices to Amazon S3 and Amazon CloudFront resources. Always review the generated configuration before deploying to production environments. @@ -154 +77 @@ Your coding agent analyzes your application to determine if it can be deployed a -Creates a CI/CD pipeline with GitHub integration and quality gates for deploying to production or staging environments. +###### Tooling prerequisites @@ -156 +79 @@ Creates a CI/CD pipeline with GitHub integration and quality gates for deploying -###### Requirements +Before you begin, ensure that you have an AWS account with appropriate permissions. For instructions, see [Setting up your AWS MCP Server](https://docs.aws.amazon.com/aws-mcp/latest/userguide/getting-started-aws-mcp-server.html). @@ -158 +81 @@ Creates a CI/CD pipeline with GitHub integration and quality gates for deploying -Your application must already be configured as a CDK application. This SOP works best when used after the `deploy-webapp` SOP. +Additional prerequisites vary depending on your application. The SOP guides your coding agent to verify these automatically: @@ -160 +83 @@ Your application must already be configured as a CDK application. This SOP works -###### Manual steps required + * AWS MCP Server — configured in your AI coding assistant (such as Kiro or Cursor). For setup instructions see [Setting up your AWS MCP Server](https://docs.aws.amazon.com/aws-mcp/latest/userguide/getting-started-aws-mcp-server.html) @@ -162 +85 @@ Your application must already be configured as a CDK application. This SOP works - * Requires manual approval of a [AWS CodeConnections](https://docs.aws.amazon.com/dtconsole/latest/userguide/welcome-connections.html) resource to GitHub in web browser. This requires appropriate permissions to install and configure GitHub Apps in your repository or organization. + * [Git CLI](https://git-scm.com/install/) — Installed and configured @@ -163,0 +87 @@ Your application must already be configured as a CDK application. This SOP works + * [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html) — Configured with valid credentials. For setup instructions see [Set up the AWS CLI](https://docs.aws.amazon.com/streams/latest/dev/setup-awscli.html)