On May 6, AWS shipped the AWS MCP Server generally available with two new IAM context keys. `aws:ViaAWSMCPService` is a boolean, set to `true` on any request flowing through an AWS-managed MCP server. `aws:CalledViaAWSMCP` carries the service principal of the originating MCP server, with values like `aws-mcp.amazonaws.com` and `eks-mcp.amazonaws.com`. Both keys are injected at the service layer; callers cannot spoof them. CloudTrail records the same identifier under `invokedBy`. Read the announcement and the IAM-for-MCP blog.

AWS shipped the cleanest L3 control surface in the agent space. Credit where due. Here is the part the GA walkthrough does not include.

## The bypass that survives the policy

The IAM-for-MCP blog ships this SCP example, verbatim:

```json
{
  "Sid": "DenyDeleteWhenAccessedViaMCP",
  "Effect": "Deny",
  "Action": [
    "s3:DeleteObject",
    "s3:DeleteBucket"
  ],
  "Resource": "*",
  "Condition": {
    "Bool": {
      "aws:ViaAWSMCPService": "true"
    }
  }
}
```

Looks bulletproof.…
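To make the semantics of that SCP concrete before reading on, here is an added example (my code, not AWS's and not from the IAM-for-MCP blog): a deliberately simplified policy evaluator that applies the quoted `Deny` statement to a few constructed request contexts. It models only the parts of IAM evaluation that matter here, namely `Bool`, `StringEquals` and `StringLike` operators and the documented rule that a condition key missing from the request context makes the condition evaluate to false (unless an `...IfExists` or `Null` operator is used, which this toy does not model). The second statement, keyed on `aws:CalledViaAWSMCP`, is constructed for this example to show the per-server key; it is not from the blog.

```python
"""Toy evaluator for the ViaAWSMCPService SCP (added example, not AWS's engine)."""
import fnmatch

# The SCP statement quoted in the article, verbatim from the IAM-for-MCP blog.
DENY_DELETE_VIA_MCP = {
    "Sid": "DenyDeleteWhenAccessedViaMCP",
    "Effect": "Deny",
    "Action": ["s3:DeleteObject", "s3:DeleteBucket"],
    "Resource": "*",
    "Condition": {"Bool": {"aws:ViaAWSMCPService": "true"}},
}

# Constructed for this example: a narrower deny that only fires when the
# request originates from one specific MCP server, using the per-server key.
DENY_DELETE_VIA_EKS_MCP = {
    "Sid": "DenyDeleteViaEksMcp",
    "Effect": "Deny",
    "Action": ["s3:DeleteObject", "s3:DeleteBucket"],
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:CalledViaAWSMCP": "eks-mcp.amazonaws.com"}},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are case-insensitive and support '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_matches(condition, context):
    """Simplified IAM condition evaluation.

    Operator blocks AND together; the listed values for one key OR together.
    A key absent from the request context makes the whole condition false,
    which is the documented IAM behaviour for plain (non-IfExists) operators.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                return False
            actual = str(context[key])
            allowed = [str(v) for v in _as_list(expected)]
            if operator == "Bool":
                ok = actual.lower() in {v.lower() for v in allowed}
            elif operator == "StringEquals":
                ok = actual in allowed
            elif operator == "StringLike":
                ok = any(fnmatch.fnmatchcase(actual, p) for p in allowed)
            else:
                raise ValueError(f"operator {operator} not modelled in this toy")
            if not ok:
                return False
    return True


def scp_denies(statements, action, context):
    """True when any Deny statement matches the action and the request context.

    SCPs only restrict; an explicit Deny here overrides any Allow elsewhere,
    so this is the only question the SCP can answer about a request.
    """
    return any(
        stmt["Effect"] == "Deny"
        and _action_matches(stmt["Action"], action)
        and _condition_matches(stmt.get("Condition", {}), context)
        for stmt in statements
    )


if __name__ == "__main__":
    # Constructed request contexts: keys as AWS injects them for an MCP-originated
    # call, and an empty context for the same principal calling the API directly.
    via_aws_mcp = {"aws:ViaAWSMCPService": "true", "aws:CalledViaAWSMCP": "aws-mcp.amazonaws.com"}
    via_eks_mcp = {"aws:ViaAWSMCPService": "true", "aws:CalledViaAWSMCP": "eks-mcp.amazonaws.com"}
    direct_call = {}

    print("delete via MCP denied:     ", scp_denies([DENY_DELETE_VIA_MCP], "s3:DeleteObject", via_aws_mcp))
    print("delete via CLI denied:     ", scp_denies([DENY_DELETE_VIA_MCP], "s3:DeleteObject", direct_call))
    print("read via MCP denied:       ", scp_denies([DENY_DELETE_VIA_MCP], "s3:GetObject", via_aws_mcp))
    print("EKS-only deny, aws-mcp:    ", scp_denies([DENY_DELETE_VIA_EKS_MCP], "s3:DeleteBucket", via_aws_mcp))
    print("EKS-only deny, eks-mcp:    ", scp_denies([DENY_DELETE_VIA_EKS_MCP], "s3:DeleteBucket", via_eks_mcp))
```

The point the evaluator makes explicit: the `Deny` is scoped entirely by the condition, so it fires only on requests where `aws:ViaAWSMCPService` is present and `true`. A request that reaches S3 by any path that does not carry the key, such as the same principal calling the API directly, is simply not covered by this statement; whatever the principal's identity policies allow still applies.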