This post shows you how to use Amazon Bedrock AgentCore Runtime with Model Context Protocol (MCP) support to connect Amazon Quick with AWS services through the AWS API MCP Server, creating a conversational AI assistant that translates natural language into AWS Command Line Interface (AWS CLI) commands, without the need to switch between tools during critical moments.
As your AWS infrastructure scales, operational workflows naturally grow more complex. SREs and DevOps Engineers spend significant time context-switching between the AWS Management Console, CLI documentation, and multiple service dashboards. They manually translate business questions into the correct API syntax, chain calls across services, and rebuild the same integration patterns for each new use case.
This friction compounds over time. Incident investigations require cross-referencing Amazon CloudWatch Logs, Amazon Elastic Compute Cloud (Amazon EC2) instance states, and AWS Identity and Access Management (IAM) policies across separate interfaces. Capacity planning means manually querying multiple services and assembling results. Security audits demand consistent, repeatable API call sequences that are time-consuming to script from scratch.
With Amazon Bedrock AgentCore Runtime and MCP support, natural language queries translate directly to AWS API calls. You can ask, “Show me all running EC2 instances in us-east-1,” and get immediate, accurate results without switching between tools or memorizing API syntax. Your requests run securely within your existing IAM permissions, with full Amazon CloudWatch audit trails for compliance. Rather than rebuilding connection logic for each workflow, you can standardize how AI agents interact with AWS services through a single, reusable integration. The following diagram shows how Amazon Bedrock AgentCore Runtime connects Amazon Quick to AWS services through the AWS API MCP Server.
Visual layouts in some screenshots in this post might look different than those on your AWS Management Console.
Amazon Cognito provides authentication and authorization for your application. In this solution, you configure a Cognito user pool to generate JWT tokens that authenticate requests to the Amazon Bedrock AgentCore Runtime. With JWT authentication using Amazon Cognito, you configure the authorizer during the CreateAgentRuntime operation, specifying your identity provider (IdP)-specific discovery URL and allowed clients. Your existing agent code requires no modification. You add the authorizer configuration to your runtime deployment. When a calling entity or user invokes your agent, they pass their IdP-specific access token as a bearer token in the Authorization header. AgentCore Runtime uses AgentCore Identity to automatically validate this token against your configured authorizer and rejects unauthorized requests.
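The following is an added example, not code from the original post: a pre-flight check that decodes a Cognito access token's claims and compares them with the authorizer settings described above (discovery URL and allowed clients), which helps when diagnosing rejected requests. It assumes the standard Cognito access-token claims (`iss`, `client_id`, `token_use`, `exp`); the user pool ID, client ID and sample token are constructed placeholders, and the signature is not verified here because the runtime's authorizer performs that validation.

```python
import base64
import json
import time

WELL_KNOWN = "/.well-known/openid-configuration"
# Constructed placeholders: not a real user pool or app client.
SAMPLE_DISCOVERY_URL = ("https://cognito-idp.us-east-1.amazonaws.com/"
                        "us-east-1_EXAMPLE" + WELL_KNOWN)
SAMPLE_CLIENT_ID = "example-client-id"

def decode_claims(token):
    """Decode the JWT payload. This does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    seg = parts[1]
    claims = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims

def preflight(token, discovery_url, allowed_clients, now=None):
    """Return the reasons a token disagrees with the authorizer settings."""
    now = time.time() if now is None else now
    if not discovery_url.endswith(WELL_KNOWN):
        return ["discovery URL does not end with " + WELL_KNOWN]
    try:
        claims = decode_claims(token)
    except ValueError as exc:  # covers bad base64 and bad JSON
        return [f"malformed token: {exc}"]
    problems = []
    # The OIDC issuer is the discovery URL without the well-known suffix.
    if claims.get("iss") != discovery_url[: -len(WELL_KNOWN)]:
        problems.append("iss does not match the discovery URL")
    # Cognito access tokens carry token_use=access and a client_id claim.
    if claims.get("token_use") != "access":
        problems.append("token_use is not 'access'")
    if claims.get("client_id") not in allowed_clients:
        problems.append("client_id is not an allowed client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("exp is missing or in the past")
    return problems

def sample_token(**overrides):
    """Build a constructed, unsigned sample token for the checks above."""
    claims = {"iss": SAMPLE_DISCOVERY_URL[: -len(WELL_KNOWN)],
              "token_use": "access", "client_id": SAMPLE_CLIENT_ID, "exp": 2000}
    claims.update(overrides)
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "constructed-signature"])
```

An empty list means the claims agree with the configuration; it does not mean the token is authentic.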
Create an Amazon Cognito user pool for JWT authentication with a unique application name and the application type set to Machine-to-machine application, as shown in the following screenshot. Provide a name for the application and then choose Create user directory.
