AWS Made Its AI Agent Platform Less Capable. That Is the Security Bet It Is Making.
Amazon Web Services built an AI agent platform that does less than everyone else. That is the feature, not the bug.
The AWS MCP Server, which lets software agents interact with cloud infrastructure using the Model Context Protocol, reached general availability on May 6, 2026, according to AWS's announcement. The standard press release framing would lead with the 15,000-or-so AWS API operations now accessible to agents, or the IAM-based access control that enterprises have been promised. But the more revealing detail is one sentence buried in the announcement: the run_script tool, which lets agents execute Python server-side, inherits your IAM permissions but has no network access.
Network access: none.
That is not an oversight; AWS is explicit about it. The sandbox is a deliberate hole cut in the open-architecture gospel that every other AI framework is selling. While Microsoft, Google, and the broader MCP ecosystem race toward broad tool-calling — agents that can call APIs, fetch data, reach the internet — AWS drew a line at the network stack and called it a feature.
The Model Context Protocol itself is not complicated. It is a standardized way for AI models to connect to external tools and data sources. AWS has now made that connection IAM-native: agents use your existing credentials, CloudTrail logs every action, and the aws:CalledViaAWSMCP context key means you can distinguish an agent call from a human call in your audit logs. The call_aws tool covers the full AWS API surface. New APIs show up within days of launch, not months.
For enterprises that have been handing AI coding agents broadly scoped IAM keys — a pattern AWS explicitly calls out in the announcement — this is a fork-in-the-road moment. The alternative to this MCP Server is not no access control; it is whatever access control you are cobbling together today, probably with too many permissions and no audit trail. AWS is betting that the right answer to how you give an agent access to your cloud is: inherit the permission model you already know, and lock down the network layer that you cannot control.
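One way to express the "inherit the permission model you already know" bet as policy, as an added example that is not from the AWS announcement or from AWS's own documentation: the operator's baseline Allow stays as it is, and a Deny statement conditioned on aws:CalledViaAWSMCP narrows what the same credentials can do when the call originates from the agent. The condition key name comes from the announcement; treating it as a Bool with the value "true" is an assumption, and the evaluator below is a deliberately simplified model of IAM's explicit-deny-wins rule, not the real engine.

```python
import fnmatch

# Hypothetical scoped policy for a human operator role whose credentials the
# AWS MCP Server tools (call_aws, run_script) inherit. The condition key
# aws:CalledViaAWSMCP is the one named in the announcement; modelling it as a
# Bool that equals "true" for agent-originated calls is an assumption here.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OperatorBaseline",
            "Effect": "Allow",
            "Action": ["ec2:*", "s3:*", "logs:*"],
            "Resource": "*",
        },
        {
            # Same credentials, smaller blast radius when the caller is the agent.
            "Sid": "DenyDestructiveViaMCP",
            "Effect": "Deny",
            "Action": ["ec2:Terminate*", "s3:Delete*", "s3:PutBucketPolicy", "iam:*"],
            "Resource": "*",
            "Condition": {"Bool": {"aws:CalledViaAWSMCP": "true"}},
        },
    ],
}

def _matches(patterns, action):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)

def _condition_holds(statement, called_via_mcp):
    cond = statement.get("Condition", {}).get("Bool", {})
    if "aws:CalledViaAWSMCP" not in cond:
        return True  # unconditional statement always applies
    return cond["aws:CalledViaAWSMCP"] == str(called_via_mcp).lower()

def is_allowed(action, called_via_mcp, policy=SCOPED_POLICY):
    """Simplified IAM evaluation: an explicit Deny beats any Allow, and no
    matching statement is an implicit Deny. Resources are not modelled."""
    decision = False
    for st in policy["Statement"]:
        if not _matches(st["Action"], action) or not _condition_holds(st, called_via_mcp):
            continue
        if st["Effect"] == "Deny":
            return False
        decision = True
    return decision
```

Run `is_allowed("ec2:TerminateInstances", called_via_mcp=True)` against `called_via_mcp=False` to see the same role answer differently depending on who is calling.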
The question is whether that trade-off actually holds. The Docker security team published its concerns about MCP infrastructure vulnerabilities — prompt injection, insecure tool integrations, agent manipulation — weeks before this GA announcement. AWS's IAM governance addresses the permission layer; it does not address the broader class of MCP protocol risks. The sandbox is a meaningful constraint, but it is a constraint on the agent execution environment, not on the MCP protocol surface itself.
What AWS has done is place a bet on what enterprise buyers actually need: not the most open tool-calling stack, but the one that fits inside the permission model they already have. Whether that bet is right depends on whether enterprises choose governance over capability. The answer will arrive in the next round of platform adoption data — not in the announcement.
The open-architecture crowd will call this a retreat. AWS is calling it enterprise readiness. The customers who have been running AI agents in production — and losing sleep over what those agents can reach — are likely to agree with AWS.