Skip to content

IAM Conditions

Overview

In this lab, you'll create an IAM policy that uses the aws:CalledViaAWSMCP condition key to restrict specific actions when they're performed through the MCP Server. This demonstrates how to create guardrails at the IAM level — preventing your agent from performing destructive operations even if someone prompts it to.

What You'll Learn

  • How the aws:CalledViaAWSMCP condition key identifies API calls made through the MCP Server
  • How to write IAM deny policies that block destructive actions when called via MCP
  • How to test IAM-level guardrails by attempting blocked operations through your agent

Instructions

Explore

Try to accomplish this goal using your agent. Here are some hints if you get stuck:

  1. Create an IAM policy that denies S3 DeleteObject, DeleteBucket, PutBucketPolicy, and PutBucketAcl when the call comes through the MCP Server
  2. The condition key to use is aws:CalledViaAWSMCP with a value of true
  3. Attach the policy to the participant role and test it by asking your agent to delete something
Step-by-step Walkthrough
  1. Ask your agent to create a deny policy that blocks destructive S3 operations when called via MCP:

Create an IAM policy called "DenyDestructiveViaMCP" that denies the following S3 actions when the condition aws:CalledViaAWSMCP is true: - s3:DeleteObject - s3:DeleteBucket - s3:PutBucketPolicy - s3:PutBucketAcl

The policy should apply to all S3 resources. Use an explicit Deny with a StringEquals condition on "aws:CalledViaAWSMCP": "true".

  1. The resulting policy JSON should look like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDestructiveViaMCP",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteBucket",
        "s3:PutBucketPolicy",
        "s3:PutBucketAcl"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:CalledViaAWSMCP": "true"
        }
      }
    }
  ]
}
  1. Attach the policy to the participant role:

Attach the DenyDestructiveViaMCP policy to the workshop participant role.

  1. Test the guardrail by asking your agent to perform a blocked action:

Delete a test object from my workshop S3 bucket.

The operation should fail with an AccessDenied error because the MCP Server call triggers the condition key.

  1. Verify the policy is correctly attached:

Show me the IAM policies attached to the participant role that contain the CalledViaAWSMCP condition.

Validation

Open the CloudWatch Dashboard in the AWS Console. The Module 4 widget checks:

  • ✅ An IAM policy attached to the participant role contains a aws:CalledViaAWSMCP or aws:ViaAWSMCPService condition key

You can verify by asking your agent:

List all IAM policies attached to my role that use the CalledViaAWSMCP condition key.

Agent-Specific Tips

Claude Code can create the IAM policy JSON and call the CreatePolicy/AttachRolePolicy APIs in one sequence. If the policy already exists, ask Claude to update it:

Check if DenyDestructiveViaMCP policy exists. If so, create a new version with the deny statement for S3 delete/put actions conditioned on CalledViaAWSMCP.

Kiro will use the MCP tools to create and attach the policy. You can ask it to verify the policy document structure before creating:

Show me the JSON policy document you'll create for DenyDestructiveViaMCP, then create and attach it.

Cursor can create the policy through the MCP Server. If it tries to write a local file instead of making an API call, redirect:

Use the MCP Server to create the IAM policy directly via the AWS API — don't just write a JSON file locally.

Codex can handle the IAM API calls through MCP. Be explicit about the condition key syntax:

Create the IAM policy using the exact condition key "aws:CalledViaAWSMCP" with StringEquals "true" — this is the key that identifies MCP Server API calls.