AWS Cost Explorer MCP Server

This server exposes AWS Cost Explorer and Amazon Bedrock model invocation log analysis through MCP. It can run locally for Claude Desktop over stdio or as a self-hosted remote SSE server, including an EC2/nginx HTTPS reverse proxy pattern documented in the README.

Installation

The project is a source-run Python application, not a published PyPI or npm package. The README requires Python 3.12, uv, AWS credentials with Cost Explorer access, and CloudWatch Logs read access for Bedrock model invocation logs. Setup from source is documented as:

git clone https://github.com/aarora79/aws-cost-explorer-mcp.git
cd aws-cost-explorer-mcp
uv venv --python 3.12 && source .venv/bin/activate && uv pip install --requirement pyproject.toml

The cloned repository reviewed for this submission is https://github.com/aarora79/aws-cost-explorer-mcp-server at commit 67a50d7de430495b5482bad7fde56d2abc4884ea; the README clone command appears to use an older repository name.

Local stdio launch

The documented local server launch is:

export MCP_TRANSPORT=stdio
export BEDROCK_LOG_GROUP_NAME=YOUR_BEDROCK_CW_LOG_GROUP_NAME
export CROSS_ACCOUNT_ROLE_NAME=ROLE_NAME_FOR_THE_ROLE_TO_ASSUME_IN_OTHER_ACCOUNTS
python server.py

server.py defaults MCP_TRANSPORT to stdio, BEDROCK_LOG_GROUP_NAME to BedrockModelInvocationLogGroup, and CROSS_ACCOUNT_ROLE_NAME to BedrockCrossAccount2. The README also documents Claude Desktop configurations using either Docker or uv --directory /path/to/aws-cost-explorer-mcp-server run server.py, with AWS credential environment variables and AWS_REGION=us-east-1.

Remote SSE deployment

For remote operation, set MCP_TRANSPORT=sse and run python server.py. The README says the server listens on TCP port 8000 and that clients connect to /sse; it also documents an nginx reverse proxy so clients can connect over HTTPS at https://your-mcp-server-domain-name.com/sse. The README warns that MCP JSON-RPC does not include authorization or authentication and advises not to send or receive sensitive data over MCP.

Docker

The repository includes a Dockerfile. The README documents building a local image with docker build -t aws-cost-explorer-mcp . and a Claude Desktop Docker launch that passes AWS credential, region, Bedrock log group, transport, and cross-account role environment variables. This is a locally built image, so it is captured as source review evidence rather than a package registry target.

Configuration

Runtime configuration includes MCP_TRANSPORT, BEDROCK_LOG_GROUP_NAME, CROSS_ACCOUNT_ROLE_NAME, AWS credential variables, and AWS_REGION. The server uses boto3 and can assume a cross-account IAM role when a tool call includes a different aws_account_id. Client helper applications additionally use MCP_SERVER_URL, MCP_SERVER_PORT, and AWS_ACCOUNT_ID.

Capabilities

The server exposes a prompt named system_prompt_for_agent, a static resource at config://app, and tools including get_ec2_spend_last_day, get_detailed_breakdown_by_day, get_bedrock_daily_usage_stats, and get_bedrock_hourly_usage_stats. The Cost Explorer tools retrieve EC2 spend for the previous day and detailed daily breakdowns by region, service, and instance or usage type. The Bedrock tools read CloudWatch model invocation logs and summarize daily or hourly usage by model, region, and user.

Requirements and Permissions

The README requires AWS credentials with Cost Explorer access and full read-only access to CloudWatch Logs. Bedrock usage analysis requires model invocation logs to be configured in CloudWatch. Cross-account access requires an IAM role with the configured CROSS_ACCOUNT_ROLE_NAME in the target account. The optional Chainlit/LangGraph clients use a Bedrock-hosted Claude model and therefore require Bedrock model access.

Limitations

Remote SSE mode is self-hosted; there is no public stable remote endpoint to register. Claude Desktop remote MCP support is called out as unavailable in the README. The README warns that MCP itself does not provide authorization/authentication for the remote JSON-RPC transport. Bedrock usage tools return no data unless model invocation logging is configured and the expected log group and stream exist. Cost data depends on AWS Cost Explorer availability, IAM permissions, and the requested time windows. The default server code does not expose CLI flags for host or port; server transport is selected by MCP_TRANSPORT.