AWS for Beginners — MCP & AI Agents Edition

Chapter 1

The services you'll actually use

AWS has 200+ services. When building MCP servers and AI Agents, you'll realistically touch fewer than 15. Here are the essential ones.

Think of AWS as a city. EC2 instances are your office buildings, S3 is the warehouse district, IAM is the security desk, and Lambda is a courier service that only shows up when you call it.

// The city analogy — keep it in mind as you read

💻

EC2

Elastic Compute Cloud

A virtual computer in the cloud you can rent by the hour. You choose the OS, CPU, memory, and storage. Your MCP server can run on an EC2 instance 24/7.

🏢 Like renting an office — you get the space, you manage what's inside.

compute

🪣

Simple Storage Service

Infinite file storage in the cloud. You create "buckets" (like folders) and store any files — PDFs, images, JSON, model outputs. AI Agents often read/write documents here.

📦 Like Google Drive, but for developers — accessible via code.

storage

Lambda

AWS Lambda

Run code without managing servers. You write a function, deploy it, and AWS runs it only when triggered (HTTP call, file upload, schedule). You pay per invocation — great for MCP tools.

🚗 Like Uber — a driver only shows up when you need a ride, not parked outside 24/7.

compute

🔐

IAM

Identity & Access Management

Controls WHO can do WHAT in your AWS account. You create Users (people), Roles (identities for services), and Policies (permission rules). The most important service to understand for security.

🔑 Like a keycard system — every door has rules about who can enter.

security

🧠

Bedrock

AWS Bedrock

Access powerful AI foundation models (Claude, Llama, Titan) via API. No GPU management needed. AI Agents built on Bedrock can use tools, call APIs, and reason in multi-step workflows.

🤖 Like hiring a brilliant contractor — you give the task, they figure out the steps.

AI / ML

🗄

DynamoDB

Amazon DynamoDB

A fast NoSQL database — think of it like a giant key-value store that scales automatically. AI Agents often use it to persist memory, session state, or conversation history.

📒 Like a notebook with infinite pages — look up any entry instantly by its key.

database

🚪

API Gateway

Amazon API Gateway

Creates HTTP endpoints that trigger your Lambda functions. Your MCP server can expose tools as REST APIs that Claude calls over the internet, instead of running locally on stdio.

🏛 Like a reception desk — all visitors (requests) come through here before reaching anyone inside.

networking

🔒

Secrets Manager

AWS Secrets Manager

Safely store API keys, database passwords, and tokens. Your MCP server fetches secrets at runtime — no hardcoding credentials in code or config files. Rotates secrets automatically.

🗝 Like a secure vault — only authorized apps can retrieve the combination.

security

📊

CloudWatch

Amazon CloudWatch

Logs, metrics, and alarms for everything in your AWS account. When your MCP server errors or slows down, CloudWatch is where you look. Also lets you set alerts for unusual activity.

🩺 Like a health monitor strapped to your entire infrastructure.

monitoring

🌊

Kinesis

Amazon Kinesis

Stream real-time data at massive scale — events, logs, sensor data. AI Agents that need to react to live data (stock ticks, IoT sensors) consume Kinesis streams as their input.

🚰 Like a pipe carrying a constant flow of water — your code reads drops as they pass.

streaming

📨

SQS

Simple Queue Service

A message queue — producers drop jobs in, consumers pick them up. Lets different parts of your AI system communicate asynchronously without one waiting for the other.

📬 Like a mailbox — the sender drops a letter, the recipient picks it up when ready.

messaging

🌐

VPC

Virtual Private Cloud

Your own private network inside AWS. You control which services are public-facing and which are internal-only. Keeps your MCP server and databases isolated from the open internet.

🏘 Like a gated community — you decide who gets a gate pass and what's visible from outside.

networking

Chapter 2

The jargon decoded

Every field has its language. Here are the AWS terms you'll encounter constantly when building with MCP and AI Agents — in order of how often you'll see them.

Region

A geographic location where AWS has data centers (e.g., us-east-1 = North Virginia, ap-south-1 = Mumbai). Your services run in a region — pick one close to your users for speed.

core

Availability Zone

A data center within a region. Each region has 2–6 AZs. Running services in multiple AZs means if one data center fails, your app stays up. Usually written as us-east-1a, us-east-1b.

core

IAM Role

An identity (not tied to a person) that AWS services assume to get permissions. Your Lambda function uses a Role to access S3. Your MCP server on EC2 uses a Role to call Bedrock. Think: "what can this service do?"

security

IAM Policy

A JSON document that lists allowed or denied actions. Attached to a User or Role. Example: "allow s3:GetObject on bucket my-data". The most granular unit of AWS permissions.

security

ARN

Amazon Resource Name — a unique ID for every AWS resource. Looks like arn:aws:s3:::my-bucket or arn:aws:lambda:us-east-1:123456:function:myFunc. Used in policies to specify exactly which resource to allow/deny.

core

SDK

Software Development Kit — the official library AWS provides so your code can call AWS APIs. For Node.js/TypeScript it's @aws-sdk/client-s3 etc. The SDK handles auth, retry logic, and request signing for you.

core

Foundation Model

A large, general-purpose AI model (like Claude, Llama, or Titan) pre-trained on vast data. You access these via AWS Bedrock without training anything yourself. Your AI Agent is built on top of one.

Agent (Bedrock)

An AI workflow in Bedrock where the model can reason across multiple steps, call tools (APIs, Lambda, S3), and decide its own plan to complete a goal. Similar to MCP tool use but managed inside AWS.

Knowledge Base

In Bedrock — a vector database of your documents that the AI can search through (RAG: Retrieval-Augmented Generation). Upload PDFs, docs, or web pages and your agent can answer questions from them.

Bucket

The top-level container in S3. Like a folder, but globally unique. You put objects (files) inside. Buckets have names like my-company-data-2024. Access is controlled per-bucket via IAM policies.

storage

Object

Any file stored in S3 — a PDF, image, JSON file, CSV, or model weights. Each object has a key (path) like reports/2024/q1.pdf. Max size is 5TB per object.

storage

Serverless

Running code without managing servers. With Lambda, you just upload your function — AWS handles scaling, patching, and availability. You pay only per invocation. Great for MCP tool handlers.

compute

Cold Start

The first invocation of a Lambda function after a period of inactivity is slower because AWS needs to spin up a container. Subsequent calls are faster. Relevant when Lambda hosts your MCP tools.

compute

Environment Variable

Key-value config injected into your function or server at runtime (e.g., AWS_REGION=us-east-1). Used to pass config without hardcoding it. In Lambda, set these in the console or via CDK.

core

VPC Subnet

A subdivision of your VPC network. Public subnets have internet access; private subnets don't. Databases go in private subnets; load balancers go in public ones. Security through isolation.

network

CloudFormation / CDK

Infrastructure as Code — define your entire AWS setup in code (YAML or TypeScript) and deploy it repeatably. CDK (Cloud Development Kit) is the modern TypeScript-friendly way to do this.

core

Chapter 3

Where AWS services fit in MCP & AI Agents

A visual map of how AWS services plug into a real AI Agent architecture powered by MCP.

End-to-end: Claude → MCP Server → AWS infrastructure

💬

User

types prompt

→

🤖

Claude Desktop

MCP Client

→

⚙️

MCP Server

your Node.js app

→

🚪

API Gateway

optional HTTPS endpoint

// AWS SDK calls below this line

Lambda

runs tool logic

→

🪣

files & docs

→

🗄

DynamoDB

agent memory

→

🧠

Bedrock

AI models

// Cross-cutting: always present

🔐

IAM

auth & permissions

→

🔒

Secrets Manager

credentials vault

→

📊

CloudWatch

logs & alerts

→

🌐

VPC

private network

🔧 MCP Server role

The bridge. It exposes tools to Claude and calls AWS APIs using the SDK. Lives on EC2 or runs as Lambda. Auth is via an IAM Role attached to the server.

🧠 Bedrock Agent role

An alternative to Claude Desktop + MCP. Bedrock Agents run inside AWS, call Lambda functions as tools, and store context in DynamoDB. Fully managed.

🔐 IAM's role (everywhere)

Every service interaction is authorized by IAM. Your MCP server has a Role. Lambda has a Role. Bedrock has a Role. Always check IAM first when something says "Access Denied".

Chapter 4

Test your knowledge

Five quick questions to cement what you've learned. No pressure — click to reveal answers if you're stuck.

1. Your MCP server needs to read a PDF stored in the cloud. Which AWS service holds the file?

2. You hardcoded your OpenAI API key in your MCP server's source code. What should you use instead?

3. What does an IAM Role do that's different from an IAM User?

4. Your AI Agent needs to "remember" conversation history across sessions. Where should it store this?

5. AWS Bedrock is best described as:

Chapter 5

One-line cheat sheet

Bookmark this. When someone says an AWS service name, this is what to think.

💻

EC2

A virtual computer you rent

🪣

Infinite file storage

Lambda

Run code, no server needed

🔐

IAM

Who can do what

🧠

Bedrock

AI models as an API

🗄

DynamoDB

Fast NoSQL database

🚪

API Gateway

HTTPS front door to Lambda

🔒

Secrets Manager

Secure credential vault

📊

CloudWatch

Logs, metrics, alarms

🌐

VPC

Private network in the cloud

📨

SQS

Message queue / job queue

🌊

Kinesis

Real-time data streams

📍

Region

Geographic AWS location

🏗

CDK

Define infrastructure in code

🆔

ARN

Unique ID for any resource

📚

Knowledge Base

AI's searchable document store

When to use which service

Store a file

→ S3. Always. Upload PDFs, model outputs, user documents, images here.

storage

Run a tool / function

→ Lambda for event-driven, short tasks. EC2 if you need it running 24/7.

compute

Remember something

→ DynamoDB for fast lookups (session state, agent memory). RDS/Aurora for complex relational data.

database

Expose an API

→ API Gateway + Lambda. Creates a public HTTPS endpoint for your MCP tools.

network

Use an AI model

→ Bedrock. Access Claude, Llama, or Titan without managing GPU infrastructure.

Something is broken

→ CloudWatch Logs first. Search for ERROR in your Lambda or EC2 log group.

core

Access denied error

→ IAM always. Check the Role attached to your service and its Policy permissions.

security

Chapter 6

Your learning path

A suggested order for going from zero to a production AI Agent on AWS. Take it one step at a time — each one builds on the last.

Get an AWS account & set up the CLI

Create a free-tier AWS account, install the AWS CLI, and run aws configure with your Access Key. This unlocks all subsequent steps. The free tier covers most learning experiments.

AWS CLI IAM (first user) Free Tier

Understand IAM — users, roles, policies

Create an IAM user for yourself, create a Role for a Lambda function, and write your first Policy. Understanding IAM now saves hours of "Access Denied" debugging later. It touches everything.

IAM Users IAM Roles IAM Policies

Build your first Lambda + S3 integration

Write a Lambda function that reads a file from S3 and returns its content. Deploy it. Trigger it. This covers the core pattern used in almost every MCP tool handler: "run code → read/write data".

Lambda S3 CloudWatch Logs

Build the MCP server (back to the previous guide!)

Now wire it all together: an MCP server with tool handlers that call S3, EC2, and Lambda via the AWS SDK. Register it in Claude Desktop and test it by asking Claude natural-language questions about your AWS resources.

MCP SDK AWS SDK v3 Claude Desktop

Explore AWS Bedrock Agents

Try Bedrock's managed AI Agent framework — create an Agent that uses Lambda as its tools, and attach a Knowledge Base to let it answer questions from your documents. This is the fully-managed alternative to self-hosting MCP.

Bedrock Knowledge Base OpenSearch / Pinecone DynamoDB

The biggest mistake beginners make is trying to learn all 200+ AWS services before building anything. You only need 5–6 services to ship a production AI Agent. Build first, learn the rest as you need it.

// The most important advice in this guide