Troubleshooting AWS MCP Server identity and access
Use the following information to help you diagnose and fix common issues when working with AWS MCP Server and IAM.
I get an access denied error when using AWS MCP Server
If you receive an AccessDenied error when AWS MCP Server calls a
downstream AWS service on your behalf, check the following:
Verify that your IAM role or user has the required permissions for the target AWS service action. AWS MCP Server uses your credentials, so you need the same permissions as you would for a direct API call.
Check whether any SCPs or permission boundaries include Deny statements that use aws:ViaAWSMCPService or aws:CalledViaAWSMCP conditions that block MCP server access.
If you previously used aws-mcp:InvokeMcp in Allow statements, note that these actions no longer have any effect. Your permissions for the downstream service are what matter.
My Deny policy using aws-mcp actions no longer blocks access
If you previously used Deny statements with aws-mcp:InvokeMcp,
aws-mcp:CallReadOnlyTool, or aws-mcp:CallReadWriteTool to
block access to AWS MCP Server, these actions no longer have any effect. Update your
policies to use the condition context keys instead:
{
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
        "Bool": {
            "aws:ViaAWSMCPService": "true"
        }
    }
}
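As an added example that is not part of the AWS documentation, the following Python audits an IAM, SCP, or permission-boundary policy document for both situations described above: Deny statements conditioned on the MCP condition keys, and statements that still reference the obsolete aws-mcp actions. The sample policy it reads is constructed for illustration.

```python
import json

# Condition context keys the page says now govern AWS MCP Server access
# (compared case-insensitively, as IAM treats condition keys).
MCP_CONDITION_KEYS = {"aws:viaawsmcpservice", "aws:calledviaawsmcp"}
# Actions the page says no longer have any effect in Allow or Deny statements.
OBSOLETE_MCP_ACTIONS = {"aws-mcp:InvokeMcp", "aws-mcp:CallReadOnlyTool", "aws-mcp:CallReadWriteTool"}

def _as_list(value):
    """IAM allows a single string or a list for Statement, Action, etc."""
    return value if isinstance(value, list) else [value]

def mcp_condition_keys(statement):
    """Return the MCP-related condition keys used anywhere in a statement's Condition block."""
    found = set()
    for operator_block in statement.get("Condition", {}).values():
        for key in operator_block:
            if key.lower() in MCP_CONDITION_KEYS:
                found.add(key)
    return found

def audit_policy(policy):
    """Return human-readable findings for statements relevant to MCP Server access."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        effect = stmt.get("Effect")
        keys = mcp_condition_keys(stmt)
        if effect == "Deny" and keys:
            findings.append(f"statement {index}: Deny conditioned on {sorted(keys)} blocks MCP Server access")
        obsolete = set(_as_list(stmt.get("Action", []))) & OBSOLETE_MCP_ACTIONS
        if obsolete:
            findings.append(f"statement {index}: {effect} on {sorted(obsolete)} has no effect; "
                            "downstream service permissions decide")
    return findings

# Constructed sample policy for illustration (not a real account's policy).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"Bool": {"aws:ViaAWSMCPService": "true"}}},
    {"Effect": "Deny", "Action": ["aws-mcp:InvokeMcp"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    for line in audit_policy(SAMPLE_POLICY):
        print(line)
```

Run it against the JSON returned by get-policy-version or describe-policy output to spot Deny statements that explain an AccessDenied error, and to find legacy aws-mcp statements that now do nothing.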