Announcing AWS with Azure SRE Agent: Cross-Cloud Investigation using the brand new AWS DevOps Agent

Overview

Connect Azure SRE Agent to AWS services using the official AWS MCP server. Query AWS documentation, execute any of the 15,000+ AWS APIs, run operational workflows, and kick off incident investigations through AWS DevOps Agent, which is now generally available.

The AWS MCP server connects Azure SRE Agent to AWS documentation, APIs, regional availability data, pre-built operational workflows (Agent SOPs), and AWS DevOps Agent for incident investigation. When connected, the proxy exposes 23 MCP tools organized into four categories: documentation and knowledge, API execution, guided workflows, and DevOps Agent operations.

How it works

The MCP Proxy for AWS runs as a local stdio process that SRE Agent spawns via uvx. The proxy handles AWS authentication using credentials you provide as environment variables. No separate infrastructure or container deployment is needed.

In the portal, you use the generic MCP server (User provided connector) option with stdio transport.

Key capabilities

Note: The AWS MCP Server is free to use. You pay only for the AWS resources consumed by API calls made through the server. All actions respect your existing IAM policies.

---

Prerequisites

• Azure SRE Agent resource deployed in Azure
• AWS account with IAM credentials configured
• uv package manager installed on the SRE Agent host (used to run the MCP proxy via uvx)
• IAM permissions: aws-mcp:InvokeMcp, aws-mcp:CallReadOnlyTool, and optionally aws-mcp:CallReadWriteTool

---

Step 1: Create AWS access keys

The AWS MCP server authenticates using AWS access keys (an Access Key ID and a Secret Access Key). These keys are tied to an IAM user in your AWS account. You create them in the AWS Management Console.

Navigate to IAM in the AWS Console

1. Sign in to the AWS Management Console
2. In the top search bar, type IAM and select IAM from the results (Direct URL: https://console.aws.amazon.com/iam/)
3. In the left sidebar, select Users (Direct URL: https://console.aws.amazon.com/iam/home#/users)

Create a dedicated IAM user

Create a dedicated user for SRE Agent rather than reusing a personal account. This makes it easy to scope permissions and rotate keys independently.

1. Select Create user
2. Enter a descriptive user name (e.g., sre-agent-mcp)
3. Do not check "Provide user access to the AWS Management Console" (this user only needs programmatic access)
4. Select Next
5. Select Attach policies directly
6. Select Create policy (opens in a new tab) and paste the following JSON in the JSON editor:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-mcp:InvokeMcp",
        "aws-mcp:CallReadOnlyTool",
        "aws-mcp:CallReadWriteTool"
      ],
      "Resource": "*"
    }
  ]
}

7. Select Next, give the policy a name (e.g., SREAgentMCPAccess), and select Create policy
8. Back on the Create user tab, select the refresh button in the policy list, search for SREAgentMCPAccess, and check it
9. Select Next > Create user

Generate access keys

After the user is created, generate the access keys that SRE Agent will use:

1. From the Users list, select the user you just created (e.g., sre-agent-mcp)
2. Select the Security credentials tab
3. Scroll down to the Access keys section
4. Select Create access key
5. For the use case, select Third-party service
6. Check the confirmation checkbox and select Next
7. Optionally add a description tag (e.g., Azure SRE Agent) and select Create access key
8. Copy both values immediately:

Important: The Secret Access Key is shown only once on this screen. If you close the page without copying it, you must delete the key and create a new one. Select Download .csv file as a backup, then store the file securely and delete it after configuring the connector.

Tip: For production use, also add service-specific IAM permissions for the AWS APIs you want SRE Agent to call. The MCP permissions above grant access to the MCP server itself, but individual API calls (e.g., ec2:DescribeInstances, logs:GetQueryResults) require their own IAM actions. Start broad for testing, then scope down using the principle of least privilege.

Required permissions summary

---

Step 2: Add the MCP connector

Connect the AWS MCP server to your SRE Agent using the portal. The proxy runs as a local stdio process that SRE Agent spawns via uvx. It handles SigV4 signing using the AWS credentials you provide as environment variables.

Determine the AWS MCP endpoint for your region

The AWS MCP server has regional endpoints. Choose the one matching your AWS resources:

Note: Without the --metadata AWS_REGION=<region> argument, operations default to us-east-1. You can always override the region in your query.

Using the Azure portal

1. In Azure portal, navigate to your SRE Agent resource
2. Select Builder > Connectors
3. Select Add connector
4. Select MCP server (User provided connector) and select Next
5. Configure the connector with these values:

6. Select Next to review
7. Select Add connector

This is equivalent to the following MCP client configuration used by tools like Claude Desktop or Amazon Kiro CLI:

{
  "mcpServers": {
    "aws-mcp": {
      "command": "uvx",
      "args": [
        "mcp-proxy-for-aws@latest",
        "https://aws-mcp.us-east-1.api.aws/mcp",
        "--metadata", "AWS_REGION=us-west-2"
      ]
    }
  }
}

Important: Store the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY securely. In the portal, environment variables for connectors are stored encrypted. For production deployments, consider using a dedicated IAM user with scoped-down permissions (see Step 1). Never commit credentials to source control.

Tip: If your SRE Agent host already has AWS credentials configured (e.g., via aws configure or an instance profile), the proxy will pick them up automatically from the environment. In that case, you can omit the explicit AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables.

Note: After adding the connector, the agent service initializes the MCP connection. This may take up to 30 seconds as uvx downloads the proxy package on first run (~89 dependencies). If the connector does not show Connected status after a minute, see the Troubleshooting section below.

---

Step 3: Add an AWS skill

Skills give agents domain knowledge and best practices for specific tool sets. Create an AWS skill so your agent knows how to troubleshoot AWS services, provision infrastructure, and follow operational workflows.

Tip: Why skills over subagents? Skills inject domain knowledge into the main agent's context, so it can use AWS expertise without handing off to a separate agent. Conversation context stays intact and there's no handoff latency. Use a subagent when you need full isolation with its own system prompt and tool restrictions.

1. Navigate to Builder > Skills
2. Select Add skill
3. Paste the following skill configuration:

api_version: azuresre.ai/v1
kind: SkillConfiguration
metadata:
  owner: your-team@contoso.com
  version: "1.0.0"
spec:
  name: aws_infrastructure_operations
  display_name: AWS Infrastructure & Operations

  description: |
    AWS infrastructure and operations: EC2, EKS, Lambda, S3, RDS, CloudWatch,
    CloudTrail, IAM, VPC, and others. Also covers AWS DevOps Agent for
    incident investigation, root cause analysis, and remediation. Use for
    querying AWS resources, investigating issues, provisioning infrastructure,
    searching documentation, running AWS API calls via the AWS MCP server,
    and coordinating investigations between Azure SRE Agent and AWS DevOps Agent.

  instructions: |
    ## Overview

    The AWS MCP Server is a managed remote MCP server that gives AI
    assistants authenticated access to AWS services. It combines
    documentation access, authenticated API execution, and pre-built
    Agent SOPs in a single interface.

    **Authentication:** Handled automatically by the MCP Proxy for AWS,
    running as a local stdio process. All actions respect existing IAM
    policies configured in the connector environment variables.

    **Regional endpoints:** The MCP server has regional endpoints. The proxy
    is configured with a default region; you can override by specifying a
    region in your queries (e.g., "list my EC2 instances in eu-west-1").

    ## Searching Documentation

    Use aws___search_documentation to find information across all AWS docs.

    ## Executing AWS API Calls

    Use aws___call_aws to execute authenticated AWS API calls. The tool
    handles SigV4 signing and provides syntax validation.

    ## Using Agent SOPs

    Use aws___retrieve_agent_sop to find and follow pre-built workflows.
    SOPs provide step-by-step guidance following AWS Well-Architected
    principles.

    ## Regional Operations

    Use aws___list_regions to see all available AWS regions and
    aws___get_regional_availability to check service support in
    specific regions.

    ## AWS DevOps Agent Integration

    The AWS MCP server includes tools for AWS DevOps Agent:
    - aws___list_agent_spaces / aws___create_agent_space: Manage AgentSpaces
    - aws___create_investigation: Start incident investigations (5-8 min async)
    - aws___get_task: Poll investigation status
    - aws___list_journal_records: Read root cause analysis
    - aws___list_recommendations / aws___get_recommendation: Get remediation steps
    - aws___start_evaluation: Run proactive infrastructure evaluations
    - aws___create_chat / aws___send_message: Chat with AWS DevOps Agent

    ## Troubleshooting

    | Issue | Solution |
    |-------|----------|
    | Access denied errors | Verify IAM policy includes aws-mcp:InvokeMcp and aws-mcp:CallReadOnlyTool |
    | API call fails | Check IAM policy includes the specific service action |
    | Wrong region results | Specify the region explicitly in your query |
    | Proxy connection error | Verify uvx is installed and the proxy can reach aws-mcp.region.api.aws |

  mcp_connectors:
    - aws-mcp

4. Select Save

Note: The mcp_connectors: - aws-mcp at the bottom links this skill to the connector you created in Step 2. The skill's instructions teach the agent how to use the 23 AWS MCP tools effectively.

---

Step 4: Test the integration

Open a new chat session with your SRE Agent and try these example prompts to verify the connection is working.

Quick verification

Start with this simple test to confirm the AWS MCP proxy is connected and authenticating correctly:

What AWS regions are available?

If the agent returns a list of regions, the connection is working. If you see authentication errors, go back and verify the IAM credentials and permissions from Step 1.

Documentation and knowledge

Search AWS documentation for EKS best practices for production clusters

What AWS regions support Amazon Bedrock?

Read the AWS documentation page about S3 bucket policies

Infrastructure queries

List all my running EC2 instances in us-east-1

Show me the details of my EKS cluster named "production-cluster"

What Lambda functions are deployed in my account?

CloudWatch and monitoring

What CloudWatch alarms are currently in ALARM state?

Show me the CPU utilization metrics for my RDS instance over the last 24 hours

Search CloudWatch Logs for errors in the /aws/lambda/my-function log group

Troubleshooting workflows

My EC2 instance i-0abc123 is not reachable. Help me troubleshoot.

My Lambda function is timing out. Walk me through the investigation.

Find an Agent SOP for troubleshooting EKS pod scheduling failures

Cross-cloud scenarios

My Azure Function is failing when calling AWS S3. Check if there are any S3
service issues and review the bucket policy for "my-data-bucket".

Compare the health of my AWS EKS cluster with my Azure AKS cluster.

AWS DevOps Agent investigations

List all available AWS DevOps Agent spaces in my account

Create an AWS DevOps Agent investigation for the high error rate on my
Lambda function "order-processor" in us-west-2

Start a chat with AWS DevOps Agent about my EKS cluster performance

Cross-agent investigation (Azure SRE Agent + AWS DevOps Agent)

My application is failing across both Azure and AWS. Start an AWS DevOps
Agent investigation for the AWS side while you check Azure Monitor for
errors on the Azure side. Then combine the findings into a unified root
cause analysis.

---

What's New: AWS DevOps Agent Integration

The AWS MCP server now includes full integration with AWS DevOps Agent, which recently became generally available. This means Azure SRE Agent can start autonomous incident investigations on AWS infrastructure and get back root cause analyses and remediation recommendations — all within the same chat session.

Available tools by category

AgentSpace management

Investigation lifecycle

Proactive evaluations

Real-time chat

---

Cross-Agent Investigation Workflow

With the AWS MCP server connected, SRE Agent can run parallel investigations across both clouds. Here's how the cross-agent workflow works:

1. Start an AWS investigation: Ask SRE Agent to create an AWS DevOps Agent investigation for the AWS-side symptoms
2. Investigate Azure in parallel: While the AWS investigation runs (5-8 minutes), SRE Agent uses its native tools to check Azure Monitor, Log Analytics, and resource health
3. Read AWS results: When the investigation completes, SRE Agent reads the journal records and recommendations
4. Correlate findings: SRE Agent combines both sets of findings into a single root cause analysis with remediation steps for both clouds

Common cross-cloud scenarios:

• Azure app calling AWS services: Investigate Azure Function errors that correlate with AWS API failures
• Hybrid deployments: Check AWS EKS clusters alongside Azure AKS clusters during multi-cloud outages
• Data pipeline issues: Trace data flow across Azure Event Hubs and AWS Kinesis or SQS
• Agent-to-agent investigation: Start an AWS DevOps Agent investigation for the AWS side while Azure SRE Agent checks Azure resources in parallel

---

Architecture

The integration uses a stdio proxy architecture. SRE Agent spawns the proxy as a child process, and the proxy forwards requests to the AWS MCP endpoint:

Azure SRE Agent
      |
      | stdio (local process)
      v
mcp-proxy-for-aws (spawned via uvx)
      |
      | Authenticated HTTPS requests
      v
AWS MCP Server (aws-mcp.<region>.api.aws)
      |
      |--- Authenticated AWS API calls --> AWS Services
      |                                    (EC2, S3, CloudWatch, EKS, Lambda, etc.)
      |
      '--- DevOps Agent API calls ------> AWS DevOps Agent
                                           |-- AgentSpaces (workspaces)
                                           |-- Investigations (async root cause analysis)
                                           |-- Recommendations (remediation specs)
                                           '-- Chat sessions (real-time interaction)

---

Troubleshooting

Authentication and connectivity issues

API and permission issues

Verify the connection

Test that the proxy can authenticate by opening a new chat session and asking:

What AWS regions are available?

If the agent returns a list of regions, the connection is working. If you see authentication errors, verify the IAM credentials and permissions from Step 1.

Re-authorize the integration

If you encounter persistent authentication issues:

1. Navigate to the IAM console
2. Select the user created in Step 1
3. Navigate to Security credentials > Access keys
4. Deactivate or delete the old access key
5. Create a new access key
6. Update the connector environment variables in the SRE Agent portal with the new credentials

---

Related content

• AWS MCP Server documentation
• MCP Proxy for AWS on GitHub
• AWS MCP Server tools reference
• AWS DevOps Agent documentation
• AWS DevOps Agent GA announcement
• AWS IAM documentation