guidance-for-deploying-model-context-protocol-servers-on-aws
This Guidance demonstrates how to securely run Model Context Protocol (MCP) servers on the AWS Cloud using containerized architecture. It helps organizations implement industry-standard OAuth 2.0 authentication while protecting server deployments with multiple security layers, including content delivery networks and web application firewalls.
claude mcp add aws-solutions-library-samples-guidance-for-deploying-model-context-protocol-servers-on-aws
How to use
This MCP deployment guidance describes how to run Model Context Protocol servers on AWS with secure authentication using Amazon Cognito, aligned with the 2025-06-18 MCP specification and RFC9728 for OAuth 2.0 Protected Resource Metadata. The solution stacks leverage CloudFront, Application Load Balancer, ECS Fargate, and Lambda to host stateless MCP servers that are accessible remotely via a secure StreamableHTTP transport. The deployment uses AWS CDK to provision a four-stack environment (VPC, Security, CloudFront WAF, and MCP Server stacks) and integrates Cognito as the OAuth 2.0 authorization server.
What you can expect from this deployment is a scalable, standards-compliant MCP hosting environment on AWS that supports remote clients through secure authentication, data exchange over StreamableHTTP, and a serverless/containerized architecture for maintainability. The included guidance also provides validation steps to confirm Cognito setup, CloudFormation stack status, and infrastructure readiness (CloudFront, ALB, and ECS services). If you want to test MCP clients against the deployed servers, you can use the sample Python MCP client included in the repository to exercise the OAuth 2.0 Protected Resource Metadata flow and StreamableHTTP transport.
To use it, follow the deployment steps to provision the infrastructure, validate the Cognito configuration, and then deploy or update the MCP server components as needed. After deployment, you can generate tokens via Cognito, obtain access tokens for MCP endpoints, and interact with the servers using the StreamableHTTP-based client tooling described in the guidance.
How to install
Prerequisites
- An AWS account with permissions to create CloudFormation stacks, ECS, Lambda, Cognito, VPC, CloudFront, and related services
- Operating system: Amazon Linux 2 or compatible
- Prerequisite tools: AWS CLI, Node.js (v14+), AWS CDK (npm install -g aws-cdk)
Install steps
- Install and configure prerequisites
  - Install the AWS CLI and configure credentials:
    aws configure
  - Install Node.js (v14 or later) and npm
  - Install AWS CDK globally:
    npm install -g aws-cdk
- Prepare the repository
  - Clone the guidance repository:
    git clone <repository-url>
  - Change into the guidance project directory (the example path may vary):
    cd guidance-for-deploying-model-context-protocol-servers-on-aws
  - Bootstrap CDK (one time per account and region):
    cdk bootstrap
- Deploy the infrastructure stacks (MCP server hosting on AWS)
  - Install dependencies for the CDK project:
    cd source/cdk/ecs-and-lambda
    npm install
  - Deploy all stacks with the default configuration:
    cdk deploy --all
  - If you need a custom domain with HTTPS, supply the certificate and domain context values when deploying:
    cdk deploy --all --context cdnCertificateArn=arn:aws:acm:us-east-1:123456789012:certificate/abc123 --context albCertificateArn=arn:aws:acm:us-east-1:123456789012:certificate/abc123 --context customDomain=mcp-server.example.com
- Deploy or update the MCP Server definitions
  - Without domain configuration:
    cdk deploy MCP-Server
  - With domain configuration:
    cdk deploy MCP-Server --context cdnCertificateArn=arn:aws:acm:us-east-1:123456789012:certificate/abc123 --context albCertificateArn=arn:aws:acm:us-east-1:123456789012:certificate/abc123 --context customDomain=mcp-server.example.com
Notes
- The guidance uses AWS CDK to provision a four-stack deployment: VPC, Security, CloudFront WAF, and MCP Server stacks. Ensure you have permissions to create these resources.
- The included sample Python MCP client demonstrates OAuth 2.0 Protected Resource Metadata (RFC9728) authentication and StreamableHTTP transport; you can run it after deployment to validate end-to-end flows.
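The Protected Resource Metadata flow mentioned in the "How to use" section and in the note above is the client-side discovery an MCP client performs before it can ask Cognito for a token: the server answers an unauthenticated request with a 401 challenge, the client locates the resource's metadata document, checks it, and learns which authorization server to use. The following Python is an added example written for this page; it is not the sample client from the guidance repository. It implements the RFC 9728 rules in pure Python and runs offline: the MCP URL, the challenge header, the metadata documents and the Cognito issuer (`us-east-1_EXAMPLE` is a placeholder user pool ID) are all constructed sample data, and `fetch` is injected so that no network call is made.

```python
# Added example (not from the AWS guidance repository): client-side OAuth 2.0
# Protected Resource Metadata discovery (RFC 9728) for an MCP endpoint.
# All URLs and documents below are constructed sample data.
import json
import re
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/oauth-protected-resource"


def parse_bearer_challenge(header: str) -> dict:
    """Parse the auth-params of a `WWW-Authenticate: Bearer ...` value.

    RFC 9728 section 5.1 lets the resource name its metadata URL with the
    `resource_metadata` parameter on a 401 response. Quoted and bare values are
    accepted (backslash escapes inside quotes are kept as-is); names are
    case-insensitive. A bare "Bearer" challenge yields an empty dict.
    """
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"unsupported challenge scheme: {scheme!r}")
    pattern = r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))'
    return {m.group(1).lower(): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in re.finditer(pattern, params)}


def metadata_url_for(resource: str) -> str:
    """RFC 9728 section 3: derive the well-known URL for a resource identifier.

    When the resource has a path component, the well-known suffix is inserted
    between host and path: https://h/mcp -> https://h/.well-known/oauth-protected-resource/mcp
    """
    parts = urlsplit(resource)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("resource identifier must be an absolute https URL")
    path = parts.path.rstrip("/")
    return urlunsplit(("https", parts.netloc, WELL_KNOWN + path, "", ""))


def validate_metadata(doc: dict, expected_resource: str) -> list:
    """Return the https authorization servers the client may use for this resource.

    RFC 9728 section 3.3: the `resource` value must equal the identifier the
    client expected, so a document served for one resource cannot be replayed
    for another. The MCP spec requires the access token in the Authorization
    header and forbids it in the query string, so a resource that only accepts
    other bearer methods is rejected. If the list is omitted this example
    assumes header-only (its own choice; the RFC leaves it unspecified).
    """
    if doc.get("resource") != expected_resource:
        raise ValueError(f"metadata resource {doc.get('resource')!r} != {expected_resource!r}")
    servers = doc.get("authorization_servers") or []
    if not isinstance(servers, list) or not servers:
        raise ValueError("metadata lists no authorization_servers")
    for issuer in servers:
        if urlsplit(issuer).scheme != "https":
            raise ValueError(f"authorization server is not https: {issuer!r}")
    methods = doc.get("bearer_methods_supported", ["header"])
    if "header" not in methods:
        raise ValueError("resource does not accept bearer tokens in the Authorization header")
    return servers


def discover(mcp_url: str, challenge: str, fetch) -> dict:
    """Run discovery for an MCP endpoint that answered 401 with `challenge`.

    Prefers the `resource_metadata` URL from the challenge and falls back to the
    well-known derivation. `fetch(url)` must return the parsed JSON body; it is
    injected so the example runs against the sample documents below.
    """
    params = parse_bearer_challenge(challenge)
    url = params.get("resource_metadata") or metadata_url_for(mcp_url)
    if urlsplit(url).scheme != "https":
        raise ValueError("metadata URL must be https")
    return {"metadata_url": url,
            "authorization_servers": validate_metadata(fetch(url), mcp_url)}


# Constructed sample data resembling a CloudFront-fronted MCP server whose
# authorization server is a Cognito user pool (issuer format is Cognito's real
# one; the pool ID is a placeholder).
SAMPLE_MCP_URL = "https://mcp-server.example.com/mcp"
SAMPLE_CHALLENGE = ('Bearer realm="mcp", resource_metadata='
                    '"https://mcp-server.example.com/.well-known/oauth-protected-resource/mcp"')
SAMPLE_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
SAMPLE_DOCS = {
    "https://mcp-server.example.com/.well-known/oauth-protected-resource/mcp": {
        "resource": SAMPLE_MCP_URL,
        "authorization_servers": [SAMPLE_ISSUER],
        "bearer_methods_supported": ["header"],
        "scopes_supported": ["mcp:read", "mcp:tools"],
    },
    # Document for a different resource: its `resource` value does not match
    # the MCP URL, so discovery must reject it (RFC 9728 section 3.3).
    "https://mcp-server.example.com/.well-known/oauth-protected-resource/other": {
        "resource": "https://mcp-server.example.com/other",
        "authorization_servers": [SAMPLE_ISSUER],
    },
}


def sample_fetch(url: str) -> dict:
    """Offline stand-in for an HTTPS GET returning parsed JSON (KeyError ~ 404)."""
    return SAMPLE_DOCS[url]


if __name__ == "__main__":
    print(json.dumps(discover(SAMPLE_MCP_URL, SAMPLE_CHALLENGE, sample_fetch), indent=2))
```

The `resource` equality check is the one most often skipped in hand-rolled clients; without it a metadata document for any path on the host would steer the client to whatever authorization server that document names. Against a real deployment, replace `sample_fetch` with an HTTPS GET and keep the checks unchanged.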
Additional notes
Tips and considerations:
- Costs: running the AWS-based MCP guidance incurs ongoing AWS service costs (VPC, ALB, ECS/Fargate, Cognito, CloudFront, WAF, Lambda, etc.). Monitor budgets using AWS Cost Explorer.
- Certificates: When using domain names, ensure ACM certificates are valid in the specified region and that domain DNS records point to the CloudFront distribution or ALB as configured.
- Cognito: Plan user pool and app client configurations in advance. Store Cognito identifiers and client IDs securely as part of deployment outputs.
- Region and endpoints: Some contexts (like multi-region certificate configurations) require region-aware ARNs. Align the CDK context values with your target region(s).
- Validation steps: After deployment, verify CloudFormation stacks, Cognito user pool/app client, CloudFront distribution status, ALB health, and ECS service status before issuing test tokens to MCP endpoints.
- Updates: Use the MCP-Server stack to redeploy or update server configurations without tearing down the entire stack.
- Security: Maintain least-privilege IAM roles for CDK and service roles for ECS/Lambda; restrict access to Cognito and API endpoints as appropriate.