Turn Claude into your AWS tagging compliance assistant — Ask in plain English, get real-time insights on your cloud costs and compliance.
- The Problem
- What Is MCP?
- What Is This Tagging MCP?
- Features
- Installation
- Production Deployment
- Configuration
- Testing with MCP Inspector
- Kiro Power
- Architecture
- Project Structure
- Documentation
- Contributing
- License
According to the FinOps Foundation's 2025 report, 43% of cloud costs lack proper tagging. For large enterprises, that translates to billions in annual spend that cannot be attributed to a team, project, or cost center — the so-called "attribution gap."
Today, fixing tagging compliance means:
- Manual audits: Clicking through the AWS Console resource by resource
- Custom scripts: Writing and maintaining boto3 scripts that check tags against a spreadsheet
- Delayed feedback: Finding violations weeks after resources are launched
- No cost context: Knowing a resource is untagged, but not how much money is at stake
The AWS Console can show you what tags exist, but it doesn't tell you whether they're correct, how much you're losing from the gaps, or what values should go there.
Model Context Protocol (MCP) is an open standard that lets AI assistants like Claude connect to external tools and data sources. Think of it as giving Claude a phone line to your infrastructure.
Without MCP: Claude can only work with what you paste into the chat — it has no access to your live AWS environment.
With MCP: Claude can call specialized tools to query your AWS resources, validate tags, calculate costs, and return real-time insights — all through natural conversation.
MCP servers expose "tools" that Claude invokes automatically based on what you ask. When you say "Which S3 buckets are untagged?", Claude recognizes it needs the find_untagged_resources tool, calls it, gets structured data back, and translates that into a natural language answer.
An MCP server that gives Claude real-time access to your AWS tagging compliance data. Instead of writing boto3 scripts or clicking through the AWS Console, just ask Claude in natural language:
- "Run a compliance check on all my EC2 and RDS instances"
- "How much of our EC2 spend is unattributable due to missing tags?"
- "Suggest tags for this EC2 instance based on its name and similar resources"
- "Generate a markdown compliance report for our Q1 review"
Behind the scenes, this MCP server queries your AWS environment, validates resources against your tagging policy, calculates cost impacts, and returns structured insights that Claude translates into natural language.
The official AWS MCP can read your resource tags — but that's like having a librarian who can tell you which books exist, not whether they're organized correctly.
This MCP server goes deeper. It validates tags against your organization's policy, quantifies the financial impact when they're wrong or missing, suggests corrections using pattern matching across similar resources, and tracks compliance trends over time.
| Tool | Description |
|---|---|
check_tag_compliance |
Scan resources and calculate compliance score |
find_untagged_resources |
Find resources missing required tags with cost impact |
validate_resource_tags |
Validate specific resources by ARN |
get_cost_attribution_gap |
Calculate financial impact of tagging gaps |
suggest_tags |
ML-powered tag recommendations with confidence scores |
get_tagging_policy |
View current policy configuration |
generate_compliance_report |
Generate reports in JSON, CSV, or Markdown |
get_violation_history |
Track compliance trends over time |
detect_tag_drift |
Find unexpected tag changes since last scan |
generate_custodian_policy |
Create Cloud Custodian enforcement YAML |
generate_openops_workflow |
Build automated remediation workflows |
schedule_compliance_audit |
Configure recurring audit schedules |
export_violations_csv |
Export violations for spreadsheet analysis |
import_aws_tag_policy |
Import policies from AWS Organizations |
Scans all enabled AWS regions in parallel. Global resources (S3, IAM) are always included regardless of region filters.
EC2, S3, RDS, Lambda, ECS, DynamoDB, ElastiCache, EBS, EFS, Bedrock, OpenSearch, and many more. Use "all" to scan everything.
Links tagging violations to actual dollar amounts using AWS Cost Explorer. State-aware cost attribution correctly assigns $0 to stopped EC2 instances.
Define required and optional tags in a simple JSON file (policies/tagging_policy.json) with allowed values, regex validation, and per-resource-type rules.
- Python 3.10+
- AWS credentials configured (
~/.aws/credentialsor environment variables) - Claude Desktop or any MCP-compatible client (VS Code, Cursor, Kiro)
pip install finops-tag-compliance-mcpgit clone https://github.com/OptimNow/finops-tag-compliance-mcp.git
cd finops-tag-compliance-mcp
pip install -e .The server needs read-only AWS permissions. See IAM Permissions Guide for the full policy, but the key permissions are:
ec2:Describe*,rds:Describe*,s3:List*,lambda:List*tag:GetResources(Resource Groups Tagging API)ce:GetCostAndUsage(Cost Explorer — optional, for cost attribution)
No write permissions are needed.
This repository is designed for local use — the MCP server runs on your machine alongside Claude Desktop, Cursor, or VS Code. Your AWS credentials stay local and never leave your laptop.
For production and team environments, we provide a separate deployment repository with the infrastructure to run this MCP server securely on AWS:
- CloudFormation templates for VPC, ALB, and EC2/ECS deployment
- API key authentication via AWS Secrets Manager
- TLS termination and private subnet isolation
- CloudWatch logging and security monitoring
- CI/CD pipeline setup
See finops-tag-compliance-deploy for the full production stack. For support on deploying in production, contact jean@optimnow.io.
Add to your claude_desktop_config.json:
Minimal (uses default region and auto-discovers AWS credentials):
{
"mcpServers": {
"finops-tag-compliance": {
"command": "finops-tag-compliance"
}
}
}With options:
{
"mcpServers": {
"finops-tag-compliance": {
"command": "finops-tag-compliance",
"env": {
"AWS_REGION": "us-east-1",
"AWS_PROFILE": "my-profile",
"ALLOWED_REGIONS": "us-east-1,us-west-2,eu-west-1",
"POLICY_PATH": "/path/to/my/tagging_policy.json"
}
}
}
}Config file location:
- macOS:
~/Library/Application Support/Claude/claude_desktop_config.json - Windows:
%APPDATA%\Claude\claude_desktop_config.json - Linux:
~/.config/Claude/claude_desktop_config.json
| Variable | Default | Description |
|---|---|---|
AWS_REGION |
us-east-1 |
Default AWS region (e.g. eu-west-1 for Ireland) |
AWS_PROFILE |
(default) | AWS credentials profile |
ALLOWED_REGIONS |
(all enabled) | Comma-separated list of regions to scan |
MAX_CONCURRENT_REGIONS |
5 |
Max parallel region scans (1-20) |
POLICY_PATH |
policies/tagging_policy.json |
Path to tagging policy |
RESOURCE_TYPES_CONFIG_PATH |
config/resource_types.json |
Resource types configuration |
REDIS_URL |
redis://localhost:6379/0 |
Redis URL (optional, for caching) |
COMPLIANCE_CACHE_TTL_SECONDS |
3600 |
Cache TTL for compliance results |
Redis is optional. Without it, results are not cached between invocations.
Define your organization's tagging rules in policies/tagging_policy.json:
{
"required_tags": [
{
"name": "Environment",
"description": "Deployment environment",
"allowed_values": ["production", "staging", "development"],
"applies_to": ["ec2:instance", "rds:db", "s3:bucket"]
},
{
"name": "CostCenter",
"description": "Cost center for billing",
"validation_regex": "^CC-\\d{4}$",
"applies_to": []
}
],
"optional_tags": [
{
"name": "Project",
"description": "Project name"
}
]
}allowed_values: Tag value must be in this list (case-sensitive)validation_regex: Tag value must match this patternapplies_to: Resource types this tag applies to (empty = all types)
See Tagging Policy Guide for full documentation.
The MCP Inspector lets you test the server interactively in your browser:
npx @modelcontextprotocol/inspector python -m mcp_server.stdio_serverThis opens a UI where you can list tools, execute them with custom arguments, and inspect results.
This server is also available as a Kiro Power — a packaging format that lets Kiro IDE load the tools on-demand based on conversation context, rather than loading all 14 tool definitions upfront.
From GitHub (recommended):
In Kiro, open the Powers panel and select Add power from GitHub, then enter:
OptimNow/finops-tag-compliance-mcp
From a local clone:
Powers panel → Add power from Local Path → select the repo root
When you mention keywords like "tag compliance", "untagged resources", "cost attribution", or "finops" in a Kiro conversation, the power activates automatically and loads the MCP tools and workflow guidance. When you're working on unrelated tasks, the tools stay out of the way.
The power includes steering files (steering/) with step-by-step workflows for compliance checking, cost analysis, remediation, and policy management.
Same as the standard MCP installation — Python 3.10+, AWS credentials, and pip install finops-tag-compliance-mcp. See Installation for details.
┌─────────────────────────────────────────────────────────────────┐
│ MCP Protocol Layer (stdio) │
│ stdio_server.py → FastMCP with 14 registered tools │
└─────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ Tools Layer (Adapters) │
│ Thin wrappers: MCP tool calls → service method calls │
└─────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ Services Layer (Core Library) │
│ ComplianceService, CostService, PolicyService, etc. │
│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ │
│ Protocol-agnostic — no MCP knowledge │
│ Reusable: from mcp_server.services import ComplianceService │
└─────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ Clients Layer │
│ AWSClient (boto3 + rate limiting), RedisCache, SQLite │
└─────────────────────────────────────────────────────────────────┘
The services layer has zero knowledge of MCP. You can import ComplianceService directly into a CLI tool, webhook handler, or any other Python application.
finops-tag-compliance-mcp/
├── mcp_server/
│ ├── stdio_server.py # MCP entry point (Claude Desktop)
│ ├── container.py # Service container (dependency injection)
│ ├── config.py # Configuration settings
│ ├── services/ # Core business logic (12 services)
│ ├── tools/ # MCP tool adapters (14 tools)
│ ├── models/ # Pydantic data models (17 files)
│ ├── clients/ # AWS, Redis, database clients
│ └── utils/ # Correlation IDs, validation, error handling
├── policies/ # Tagging policy (JSON)
├── config/ # Resource types configuration
├── examples/ # Claude Desktop config examples
├── tests/ # Unit + property-based tests
├── docs/ # Documentation
├── pyproject.toml # Package configuration
└── LICENSE # Apache 2.0
| Guide | Description |
|---|---|
| User Manual | Practical guide for FinOps practitioners |
| Tagging Policy Guide | Define your organization's tagging rules |
| Tool Logic Reference | Detailed logic for each of the 14 tools |
| IAM Permissions | Required AWS permissions (read-only) |
| Resource Type Configuration | Manage which AWS resource types to scan |
| Testing Quick Start | Getting started with the test suite |
| Architecture Diagrams | System architecture, sequence, state, and component diagrams |
We welcome contributions! Bug reports, feature requests, documentation improvements, and code contributions are all appreciated.
- Fork the repository
- Create a feature branch (
git checkout -b feature/my-feature) - Run tests (
pytest tests/unit tests/property) - Commit your changes
- Open a Pull Request
See GitHub Issues for current work.
Apache 2.0 — see LICENSE for details.
Built for the FinOps community by OptimNow