Amazon SageMaker Well Architected Server
БесплатноНе проверенProvides tools to validate SageMaker workloads against the six pillars of the AWS Well-Architected Framework, returning findings with severity levels and recomm
Описание
Provides tools to validate SageMaker workloads against the six pillars of the AWS Well-Architected Framework, returning findings with severity levels and recommendations.
README
The Amazon SageMaker Well-Architected MCP server provides agents with tools to validate SageMaker workloads against all six AWS Well-Architected Framework pillars: Security, Reliability, Performance Efficiency, Cost Optimization, Operational Excellence, and Sustainability.
Available Features
Well-Architected Validation
Provides comprehensive tools for validating SageMaker resources (endpoints, training jobs, notebook instances, and models) against AWS best practices across all six Well-Architected pillars. Each validation returns findings with severity levels and actionable recommendations. See the validators documentation for detailed information on the supported tools.
Prerequisites
- Install Python 3.10+
- Install the uv package manager
- Install and configure the AWS CLI with credentials
Quickstart
This quickstart guide walks you through the steps to configure the Amazon SageMaker Well-Architected MCP Server for use with Kiro, Cursor, and other compatible IDEs.
| Kiro | Cursor | VS Code |
|---|---|---|
| Add to Kiro | Install MCP Server | Install on VS Code |
Set up Kiro
See the Kiro IDE documentation or the Kiro CLI documentation for details.
For global configuration, edit ~/.kiro/settings/mcp.json. For project-specific configuration, edit .kiro/settings/mcp.json in your project directory.
The example below includes the --allow-sensitive-data-access flag for accessing detailed resource configurations:
For Mac/Linux:
```
{
"mcpServers": {
"awslabs.sagemaker-wa-mcp-server": {
"command": "uvx",
"args": [
"awslabs.sagemaker-wa-mcp-server@latest",
"--allow-sensitive-data-access"
],
"env": {
"FASTMCP_LOG_LEVEL": "ERROR"
},
"autoApprove": [],
"disabled": false
}
}
}
```
For Windows:
```
{
"mcpServers": {
"awslabs.sagemaker-wa-mcp-server": {
"command": "uvx",
"args": [
"--from",
"awslabs.sagemaker-wa-mcp-server@latest",
"awslabs.sagemaker-wa-mcp-server.exe",
"--allow-sensitive-data-access"
],
"env": {
"FASTMCP_LOG_LEVEL": "ERROR"
},
"autoApprove": [],
"disabled": false
}
}
}
```
Verify your setup by running the /tools command in the Kiro CLI to see the available SageMaker Well-Architected MCP tools.
This server provides comprehensive Well-Architected validation for SageMaker workloads with 51 checks across all six pillars. For broader AWS API access and documentation lookup, you can also use AWS API MCP Server and AWS Documentation MCP Server.
Configurations
Arguments
The args field in the MCP server definition specifies the command-line arguments passed to the server when it starts. These arguments control how the server is executed and configured. For example:
For Mac/Linux:
{
"mcpServers": {
"awslabs.sagemaker-wa-mcp-server": {
"command": "uvx",
"args": [
"awslabs.sagemaker-wa-mcp-server@latest",
"--allow-sensitive-data-access"
],
"env": {
"AWS_PROFILE": "your-profile",
"AWS_REGION": "us-east-1"
}
}
}
}
For Windows:
{
"mcpServers": {
"awslabs.sagemaker-wa-mcp-server": {
"command": "uvx",
"args": [
"--from",
"awslabs.sagemaker-wa-mcp-server@latest",
"awslabs.sagemaker-wa-mcp-server.exe",
"--allow-sensitive-data-access"
],
"env": {
"AWS_PROFILE": "your-profile",
"AWS_REGION": "us-east-1"
}
}
}
}
Command Format
The command format differs between operating systems:
For Mac/Linux:
awslabs.sagemaker-wa-mcp-server@latest- Specifies the latest package/version specifier for the MCP client config.
For Windows:
--from awslabs.sagemaker-wa-mcp-server@latest awslabs.sagemaker-wa-mcp-server.exe- Windows requires the--fromflag to specify the package and the.exeextension.
--allow-sensitive-data-access (optional)
Enables access to sensitive data such as detailed resource configurations, tags, and endpoint config details. This flag is required for tools that access potentially sensitive information.
- Default: true (Access to sensitive data is allowed by default)
- Example: remove
--allow-sensitive-data-accessfrom theargslist in your MCP server definition to disable it.
Environment variables
The env field in the MCP server definition allows you to configure environment variables that control the behavior of the SageMaker Well-Architected MCP server. For example:
{
"mcpServers": {
"awslabs.sagemaker-wa-mcp-server": {
"env": {
"FASTMCP_LOG_LEVEL": "ERROR",
"AWS_PROFILE": "my-profile",
"AWS_REGION": "us-west-2"
}
}
}
}
FASTMCP_LOG_LEVEL (optional)
Sets the logging level verbosity for the server.
- Valid values: "DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL"
- Default: "WARNING"
- Example:
"FASTMCP_LOG_LEVEL": "ERROR"
AWS_PROFILE (optional)
Specifies the AWS profile to use for authentication.
- Default: None (If not set, uses default AWS credentials).
- Example:
"AWS_PROFILE": "my-profile"
AWS_REGION (optional)
Specifies the AWS region where SageMaker resources are validated, which will be used for all AWS service operations.
- Default: None (If not set, uses default AWS region).
- Example:
"AWS_REGION": "us-west-2"
Security & Permissions
Features
The SageMaker Well-Architected MCP Server implements the following security features:
- AWS Authentication: Uses AWS credentials from the environment for secure authentication.
- SSL Verification: Enforces SSL verification for all AWS API calls.
- Least Privilege: Only requires read/describe/list permissions on SageMaker resources.
- User Agent Tracking: All API calls include a custom user agent for auditability.
Considerations
When using the SageMaker Well-Architected MCP Server, consider the following:
- AWS Credentials: The server needs permission to describe and list SageMaker resources.
- Network Security: Ensure the environment running the server has network access to AWS APIs.
- Authentication: Use appropriate authentication mechanisms for AWS resources.
- Authorization: Configure IAM with read-only SageMaker permissions.
- Data Protection: Resource configurations may contain sensitive information.
- Logging and Monitoring: Enable logging and monitoring for SageMaker resources.
Permissions
The SageMaker Well-Architected MCP Server performs only read-only operations, which is recommended and considered generally safe for production environments. Below are the tools available:
- Read-only mode (default):
validate_sagemaker_resource,validate_all_endpoints,list_sagemaker_resources,get_pillar_details.
autoApprove (optional)
An array within the MCP server definition that lists tool names to be automatically approved by the MCP Server client, bypassing user confirmation for those specific tools. Since all operations are read-only, auto-approving all tools is safe. For example:
For Mac/Linux:
{
"mcpServers": {
"awslabs.sagemaker-wa-mcp-server": {
"command": "uvx",
"args": [
"awslabs.sagemaker-wa-mcp-server@latest"
],
"env": {
"AWS_PROFILE": "sagemaker-wa-mcp-readonly-profile",
"AWS_REGION": "us-east-1",
"FASTMCP_LOG_LEVEL": "INFO"
},
"autoApprove": [
"validate_sagemaker_resource",
"validate_all_endpoints",
"list_sagemaker_resources",
"get_pillar_details"
]
}
}
}
For Windows:
{
"mcpServers": {
"awslabs.sagemaker-wa-mcp-server": {
"command": "uvx",
"args": [
"--from",
"awslabs.sagemaker-wa-mcp-server@latest",
"awslabs.sagemaker-wa-mcp-server.exe"
],
"env": {
"AWS_PROFILE": "sagemaker-wa-mcp-readonly-profile",
"AWS_REGION": "us-east-1",
"FASTMCP_LOG_LEVEL": "INFO"
},
"autoApprove": [
"validate_sagemaker_resource",
"validate_all_endpoints",
"list_sagemaker_resources",
"get_pillar_details"
]
}
}
}
Role Scoping Recommendations
In accordance with security best practices, we recommend the following:
- Create dedicated IAM roles to be used by the SageMaker Well-Architected MCP Server with the principle of "least privilege."
- Use read-only roles since the server only performs describe and list operations.
- Implement resource tagging to limit actions to specific resources.
- Enable AWS CloudTrail to audit all API calls made by the server.
- Regularly review the permissions granted to the server's IAM role.
- Use IAM Access Analyzer to identify unused permissions that can be removed.
Sensitive Information Handling
IMPORTANT: Do not pass secrets or sensitive information via allowed input mechanisms:
- Do not include secrets or credentials in tool parameters.
- Do not pass sensitive information directly in the prompt to the model.
- Avoid using MCP tools for creating secrets, as this would require providing the secret data to the model.
Instead of passing secrets through MCP:
- Use AWS Secrets Manager or Parameter Store to store sensitive information.
- Configure proper IAM roles for service accounts.
- Use IAM roles for service accounts (IRSA) for AWS service access.
File System Access and Operating Mode
Important: This MCP server is intended for STDIO mode only as a local server using a single user's credentials. The server runs with the same permissions as the user who started it and has complete access to the file system.
Security and Access Considerations
- Read-Only Operations: The server does not write to the file system or modify any AWS resources
- Host Credentials: The server uses the host's AWS credentials configuration
- Do Not Modify for Network Use: This server is designed for local STDIO use only; network operation introduces additional security risks
General Best Practices
- Resource Naming: Use descriptive names for SageMaker resources.
- Error Handling: Check for errors in tool responses and handle them appropriately.
- Prioritize Findings: Address HIGH severity findings first, then MEDIUM, then LOW.
- Regular Audits: Run validations periodically to catch configuration drift.
- Monitoring: Monitor resource status regularly.
- Security: Follow AWS security best practices for SageMaker resources.
General Troubleshooting
- Permission Errors: Verify that your AWS credentials have the necessary read-only SageMaker permissions.
- Resource Not Found: Verify the resource name and region are correct.
- SageMaker API Errors: Verify that the SageMaker resources exist and are accessible.
- Network Issues: Check that the environment has network access to AWS APIs.
- Client Errors: Verify that the MCP client is configured correctly.
- Log Level: Increase the log level to DEBUG for more detailed logs.
For service-specific issues, consult the relevant documentation:
Version
Current MCP server version: 0.1.0
Установка Amazon SageMaker Well Architected Server
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/srikanrk/aws-wa-sagemaker-mcpFAQ
Amazon SageMaker Well Architected Server MCP бесплатный?
Да, Amazon SageMaker Well Architected Server MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для Amazon SageMaker Well Architected Server?
Нет, Amazon SageMaker Well Architected Server работает без API-ключей и переменных окружения.
Amazon SageMaker Well Architected Server — hosted или self-hosted?
Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.
Как установить Amazon SageMaker Well Architected Server в Claude Desktop, Claude Code или Cursor?
Открой Amazon SageMaker Well Architected Server на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
GitHub
PRs, issues, code search, CI status
автор: GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
автор: mcpdotdirectCompare Amazon SageMaker Well Architected Server with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории development
