AWS S3 MCP server

Amazon Simple Storage Service (S3) is an object storage service offering industry-leading scalability, durability, and performance for any data size. With this MCP server, AI agents can manage buckets, upload and download objects, configure lifecycle policies, manage access control, and automate storage operations through natural language commands.

Setting up an MCP server

This article covers the standard steps for creating an MCP server in AI Gateway and connecting it to an AI client. The steps are the same for every integration — application-specific details (API credentials, OAuth endpoints, and scopes) are covered in the individual application pages.

Before you begin

You'll need:

• Access to AI Gateway with permission to create MCP servers
• API credentials for the application you're connecting (see the relevant application page for what to collect)

Create an MCP server

Find the API in the catalog

1. Sign in to AI Gateway and select MCP Servers from the left navigation.
2. Select New MCP Server.
3. Search for the application you want to connect, then select it from the catalog.

Configure the server

1. Enter a Name for your server — something descriptive that identifies both the application and its purpose (for example, "Zendesk Support — Prod").
2. Enter a Description so your team knows what the server is for.
3. Set the Timeout value. 30 seconds works for most APIs; increase to 60 seconds for APIs that return large payloads.
4. Toggle Production mode on if this server will be used in a live workflow.
5. Select Next.

Configure authentication

Enter the authentication details for the application. This varies by service — see the Authentication section of the relevant application page for the specific credentials, OAuth URLs, and scopes to use.

Configure security

1. Set any Rate limits appropriate for your use case and the API's own limits.
2. Enable Logging if you want AI Gateway to record requests and responses for auditing.
3. Select Next.

Deploy

Review the summary, then select Deploy. AI Gateway provisions the server and provides a server URL you'll use when configuring your AI client.

---

Connect to an AI client

Once your server is deployed, you'll need to add it to the AI client your team uses. Select your client for setup instructions:

• Claude Desktop
• Claude Code
• Cursor
• VS Code
• Windsurf

Tips

• You can create multiple MCP servers for the same application — for example, a read-only server for reporting agents and a read-write server for automation workflows.
• If you're unsure which OAuth scopes to request, start with the minimum read-only set and add write scopes only when needed. Most application pages include scope recommendations.
• You can edit a server's name, description, timeout, and security settings after deployment without redeploying.

Authentication

S3 uses AWS Signature V4 authentication via IAM credentials. Configure an IAM user or role with S3 permissions.

• Service: s3
• Region: Specific bucket regions or us-east-1 for global operations
• Required permissions: s3:* or specific bucket actions
• Credential types: IAM user access keys or assumed role credentials

Available tools

The S3 MCP server exposes bucket management, object operations, access control, versioning, lifecycle, and batch operation APIs.

Tool	Purpose
Bucket Management	Create and delete buckets; list buckets; configure bucket properties; manage bucket regions
Object Operations	Upload and download objects; delete objects; copy objects; manage object metadata
Access Control	Create bucket policies; configure ACLs; manage public access settings; configure CORS
Versioning & Locking	Enable versioning; manage object versions; configure object locks for compliance
Lifecycle Management	Set automatic transitions between storage classes; configure object expiration rules
Encryption & Security	Enable server-side encryption; configure encryption keys; manage SSL/TLS settings
Event Notifications	Configure bucket event notifications; trigger Lambda or SNS on object changes
Multipart Upload	Upload large objects in parts; manage in-progress uploads; optimize transfer speed

Tips

Use consistent naming conventions with dates or identifiers.

Separate buckets by purpose (backups, logs, user data).

Use bucket tags for cost allocation.

Configure proper access controls per bucket.

Move infrequently-accessed objects to Glacier after 30-90 days.

Set appropriate expiration dates to avoid storage bloat.

Use intelligent tiering for unpredictable access patterns.

Regularly review policies.

Use bucket policies instead of ACLs for most use cases.

Leverage IAM roles for application access.

Block public access by default and enable selectively.

Use presigned URLs for time-limited access.

Enable versioning for critical data.

Configure MFA delete for important buckets.

Use server-side encryption with customer-managed keys for sensitive data.

Enable object lock for compliance requirements.

Use multipart uploads for objects larger than 100 MB.

Leverage transfer acceleration for global uploads.

Enable S3 transfer statistics to monitor performance.

Use CloudFront for frequently accessed objects.

---