Is Amazon CloudWatch safe to install?
AWS Labs · Cloud · stdio (local process)
Analyze CloudWatch metrics, alarms, and logs for operational troubleshooting.
Capabilities
What Amazon CloudWatch declares it can do
A server's blast radius is the most powerful thing each of its tools can do. This grades the tools it declares, read-only, not whether it is secure.
- Execute0
- Delete0
- Write0
- Read19
Amazon CloudWatch declares no high-impact capabilities that AxioRank flags. A minimal grade means a small blast radius, not an endorsement.
Tools
Every tool Amazon CloudWatch exposes
19 tools
Control
Govern Amazon CloudWatch with AxioRank
Installed as-is, all 19 of Amazon CloudWatch's tools are callable by your agent without restriction, including any that write, delete, or execute.
Flip the switch to see the policy AxioRank would apply.
Advisories
Informational content flags
Keyword matches in tool descriptions and schemas. These are shown for transparency and are not part of the grade.
- highCredential / secret access capability×20
- highCode-execution capability×15
- highShell/command injection×6
- mediumWildcard scope / permission×3
Install
Add Amazon CloudWatch to your client
Drop this into your MCP client config (Claude Desktop, Cursor, and others).
{
"mcpServers": {
"aws-cloudwatch": {
"command": "uvx",
"args": [
"awslabs.cloudwatch-mcp-server"
]
}
}
}Embed
Show the grade in your README
[](https://axiorank.com/mcp-index/aws-cloudwatch)Directory
More Cloud servers
How it works
About this grade
The grade reflects the blast radius of what Amazon CloudWatch declares it can do, read-only, not whether it is secure or trustworthy, and not a judgment of the vendor. Maintain this server? Claim this listing or request a re-scan. See the methodology.
Email me this scorecard
Get the Amazon CloudWatch grade in your inbox.
Let your agents use Amazon CloudWatch safely
Route this server through AxioRank to allowlist its tools, hold risky calls for approval, and keep a signed audit trail of every action.
Start free