Skip to main content

Enterprise Scale at AWS – James Hood

Speaker: James Hood, Senior Principal Engineer, AWS (16 years at Amazon)

Background

  • Former AI skeptic, breakthrough in early 2025
  • Started internal AI community — now tens of thousands of members
  • Transitioned to internal Builder Tools team

Amazon Scale

  • Tens of thousands of builders in internal AI community
  • MCP is "the most popular way to connect agents to internal systems"
  • AWS employs a core MCP maintainer (Claire LeBori)
  • Contributions to MCP: elicitation primitive (Java, Python SDKs), structured outputs (Java, Python, TypeScript), tasks primitive

Internal Registry Architecture

Amazon built an internal registry for MCP servers and agent configurations as a first-class primitive.

  • Centralized discovery and sharing
  • Security categorization by "lethal trifecta" properties
  • Configuration-level scanning for problematic combinations

The "Lethal Trifecta" (Simon Willison's Concept)

Agents with all three properties present data exfiltration risk:

  1. Access to private data (read tools)
  2. Exposure to untrusted content (external inputs)
  3. Ability to communicate externally (write/network tools)

Critical insight: This can occur even with entirely trustworthy servers and tools. Good tools can be composed into configurations that enable bad actions — the risk emerges from the combination, not from any single server.

Amazon's approach: The internal registry categorizes every tool by these three properties and automatically scans agent configurations for problematic combinations. When an agent config hits all three, it gets flagged for security review before deployment.

Context Window: Progressive Disclosure

Don't dump all tools into context:

  • Inject some tools directly
  • Wrap others in CLI interfaces for on-demand discovery
  • Let vendors specify which tools to inject vs. defer
  • Result: Lower inference costs, better agent performance

Key Quotes

"MCP is not dead. It's a central part of our AI strategy at Amazon."

"Context window size is not an inherent problem with the MCP protocol. It's how it's currently used by clients, and these are very solvable problems."