

# Deployment SOPs
<a name="agent-sops-deployment"></a>

The AWS MCP Server (Preview) includes Standard Operating Procedures (SOPs) that deploy applications to AWS. These SOPs analyze your application, generate Infrastructure as Code (IaC) using the [AWS Cloud Development Kit (CDK)](https://docs.aws.amazon.com/cdk/v2/guide/home.html), and deploy it through [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html).

Deployment SOPs support single-page applications, static site generators, Supabase-backed applications (such as Lovable.dev and Bolt.new), and static websites. These SOPs can deploy applications with minimal prompting. For complex applications, your coding agent may require additional information or iterations to complete the deployment.

The SOPs guide your coding agent with AWS security best practice recommendations, providing a secure starting point that you can review and customize for your requirements.

## Quick start
<a name="deployment-sops-quickstart"></a>

1. Install the AWS MCP Server (Preview). For instructions, see [Setting up your AWS MCP Server (Preview)](https://docs.aws.amazon.com/aws-mcp/latest/userguide/getting-started-aws-mcp-server.html).

1. Log in to the AWS CLI. For instructions, see [Configuring the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html).

1. Prompt your coding agent: `Deploy my app to AWS`

## Available deployment types
<a name="deployment-sops-types"></a>

### Frontend applications
<a name="deployment-type-frontend"></a>

Deploys applications built with modern frontend frameworks to [Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) and [Amazon CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html). Generates CDK infrastructure code and deploys it through AWS CloudFormation, providing a shareable preview URL.

Supported application types: React, Vue, Angular, SvelteKit, Next.js (static export), Nuxt 2/3, Gatsby, Hugo, Jekyll, Docusaurus, Astro, Eleventy. Other frameworks may require you to provide additional guidance to your coding agent, or perform manual updates after the deployment.

For more information, see [Frontend applications](https://docs.aws.amazon.com/aws-mcp/latest/userguide/agent-sops-deployment-frontend.html).

### Supabase applications
<a name="deployment-type-supabase"></a>

Deploys applications built with Supabase to your AWS account. Your database and authentication remain in Supabase, while Edge Functions migrate to [AWS Lambda](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) and [Amazon API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/welcome.html). Stores secrets in [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html). Generates CDK infrastructure code and deploys through CloudFormation, providing a shareable preview URL.

Supported application types: Applications with environment-based Supabase configuration (`supabase/config.toml`), such as Lovable.dev and Bolt.new.

For more information, see [Supabase applications](https://docs.aws.amazon.com/aws-mcp/latest/userguide/agent-sops-deployment-supabase.html).

### Set up CodePipeline
<a name="deployment-type-pipeline"></a>

Creates a CI/CD pipeline using [AWS CodePipeline](https://docs.aws.amazon.com/codepipeline/latest/userguide/welcome.html) that automatically builds, tests, and deploys your application when changes are pushed to your source repository.

Supported application types: All applications deployed using Deployment SOPs.

For more information, see [Set up CodePipeline](https://docs.aws.amazon.com/aws-mcp/latest/userguide/agent-sops-deployment-pipeline.html).

## How the SOPs work
<a name="deployment-sops-how-it-works"></a>

The SOPs provide step-by-step instructions that your coding agent follows. Your coding agent inspects the application, generates CDK infrastructure code, and deploys using CloudFormation. Application code is modified to support deployment to AWS, which includes changing how secrets are obtained, how edge functions are wrapped for AWS Lambda, and, in some cases, frontend build configurations. The SOPs instruct your coding agent to avoid modifying application code unless required for deployment.

Your coding agent may ask your permission to use a tool or request additional information such as application secret keys. Where possible, your coding agent derives information from available source code.

The SOPs generate documentation in your repository to track deployment progress and provide context for future deployments.

In some situations, you may need to prompt your coding agent to fix inconsistencies, particularly with larger applications or older models with smaller context windows.

## Prerequisites
<a name="deployment-sops-prerequisites"></a>

**AI model requirements**  
Testing showed best results with the following models:
+ Anthropic Claude Opus 4.6 (200k, 1M)
+ Anthropic Claude Opus 4.5 (200k)
+ Anthropic Claude Sonnet 4.5
+ OpenAI GPT-5.2-Codex
+ OpenAI GPT-5.3-Codex
+ Google Gemini 3 Pro

**Tooling prerequisites**  
Before you begin, ensure that you have an AWS account with appropriate permissions. For instructions, see [Setting up your AWS MCP Server (Preview)](https://docs.aws.amazon.com/aws-mcp/latest/userguide/getting-started-aws-mcp-server.html).

Additional prerequisites vary depending on your application. The SOP guides your coding agent to verify these automatically:
+ AWS MCP Server (Preview) — Configured in your AI coding assistant (such as Kiro or Cursor). For setup instructions, see [Setting up your AWS MCP Server (Preview)](https://docs.aws.amazon.com/aws-mcp/latest/userguide/getting-started-aws-mcp-server.html)
+ [Git CLI](https://git-scm.com/install/) — Installed and configured
+ [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html) — Configured with valid credentials. For setup instructions, see [Set up the AWS CLI](https://docs.aws.amazon.com/streams/latest/dev/setup-awscli.html)
+ AWS CDK CLI — Version 2.x configured. For setup instructions, see [Getting started with the AWS CDK](https://docs.aws.amazon.com/cdk/v2/guide/getting-started.html)
+ Package manager — npm, yarn, pnpm, or bun as required by your project

## Security features
<a name="deployment-sops-security"></a>

**Note**  
The [AWS shared responsibility model](https://docs.aws.amazon.com/aws-mcp/latest/userguide/data-protection.html) applies to data protection when using Deployment SOPs in AWS MCP Server (Preview). Always review generated infrastructure code before deploying. Your coding agent may not apply all recommended security defaults. For more information, see [Data protection](https://docs.aws.amazon.com/aws-mcp/latest/userguide/data-protection.html).

Deployment SOPs prompt your coding agent to implement the following security best practices:
+ *Private Amazon S3 buckets* — Blocks all public access to stored content
+ *Encryption at rest* — Enables Amazon S3 managed encryption for all stored content
+ *HTTPS enforcement* — Requires TLS 1.2 or higher with automatic HTTPS redirect
+ *Origin Access Control (OAC)* — Configures Amazon CloudFront to access Amazon S3 through the AWS internal network
+ *AWS IAM least privilege* — Applies minimal required permissions for each service

When you combine a deployment SOP with the CodePipeline SOP, you have access to additional quality controls that include:
+ *Security scanning* — Detects exposed secrets in your codebase during each build
+ *Quality gates* — Runs available unit tests and static code analysis before deployment
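
Because the coding agent may not apply every default listed above, part of the review can be automated against the synthesized CloudFormation template. The following is an added example, not code from AWS or the SOPs: it checks the JSON template that `cdk synth` produces for the Amazon S3 and CloudFront settings in the list. The function names and the sample template are constructed for illustration.

```javascript
// Added example, not AWS or SOP code: review a synthesized CloudFormation template
// (the JSON that `cdk synth` writes) for the security defaults listed above.
var PAB_KEYS = ['BlockPublicAcls', 'BlockPublicPolicy', 'IgnorePublicAcls', 'RestrictPublicBuckets'];

function checkBucket(id, props) {
  var out = [];
  var pab = props.PublicAccessBlockConfiguration || {};
  PAB_KEYS.forEach(function (k) {
    if (pab[k] !== true) out.push(id + ': ' + k + ' is not true');
  });
  var rules = (props.BucketEncryption || {}).ServerSideEncryptionConfiguration || [];
  var encrypted = rules.some(function (r) {
    return Boolean((r.ServerSideEncryptionByDefault || {}).SSEAlgorithm);
  });
  if (!encrypted) out.push(id + ': no default encryption rule');
  return out;
}

function checkDistribution(id, props) {
  var out = [];
  var cfg = props.DistributionConfig || {};
  // Every cache behavior must redirect to or require HTTPS.
  var behaviors = [cfg.DefaultCacheBehavior || {}].concat(cfg.CacheBehaviors || []);
  behaviors.forEach(function (b, i) {
    var policy = b.ViewerProtocolPolicy;
    if (policy !== 'redirect-to-https' && policy !== 'https-only') {
      out.push(id + ': behavior ' + i + ' allows plain HTTP (' + policy + ')');
    }
  });
  // S3 origins must be reached through Origin Access Control.
  (cfg.Origins || []).forEach(function (o) {
    if (o.S3OriginConfig && !o.OriginAccessControlId) {
      out.push(id + ': S3 origin ' + o.Id + ' has no Origin Access Control');
    }
  });
  // Only flags an explicit weak value; an absent value is not judged here.
  var minTls = (cfg.ViewerCertificate || {}).MinimumProtocolVersion;
  if (minTls && !/^TLSv1\.[23]/.test(minTls)) {
    out.push(id + ': minimum protocol ' + minTls + ' is below TLS 1.2');
  }
  return out;
}

function reviewTemplate(template) {
  var findings = [];
  var resources = template.Resources || {};
  Object.keys(resources).forEach(function (id) {
    var props = resources[id].Properties || {};
    var type = resources[id].Type;
    if (type === 'AWS::S3::Bucket') findings = findings.concat(checkBucket(id, props));
    if (type === 'AWS::CloudFront::Distribution') findings = findings.concat(checkDistribution(id, props));
  });
  return findings;
}

// Constructed sample with deliberately weak settings (not real SOP output).
var SAMPLE = { Resources: {
  SiteBucket: { Type: 'AWS::S3::Bucket', Properties: {
    PublicAccessBlockConfiguration: { BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true }
  } },
  SiteDistribution: { Type: 'AWS::CloudFront::Distribution', Properties: { DistributionConfig: {
    DefaultCacheBehavior: { ViewerProtocolPolicy: 'allow-all' },
    Origins: [{ Id: 'site', S3OriginConfig: { OriginAccessIdentity: '' } }],
    ViewerCertificate: { MinimumProtocolVersion: 'TLSv1' }
  } } }
} };

reviewTemplate(SAMPLE).forEach(function (f) { console.log(f); });
```

An empty result means only that these specific properties are set; IAM policies and any resources outside the two checked types still need a manual read.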

## Limitations
<a name="deployment-sops-limits"></a>

The Deployment SOPs rely on local coding agent capabilities and depend on the LLM you select. Large applications, such as those with over 25 API functions, may have reliability issues. If that happens, prompt your coding agent to test the application or API and fix the problems it finds.

## Pricing
<a name="deployment-sops-pricing"></a>

With Deployment SOPs, you pay only for the AWS resources you use and any applicable data transfer costs. The Deployment SOPs have no additional charges. For more information about AWS pricing, see [AWS Pricing](https://aws.amazon.com/pricing/). If you are new to AWS, you can get started with many services for free. For more information, see [AWS Free Tier](https://aws.amazon.com/free/).

# Frontend applications
<a name="agent-sops-deployment-frontend"></a>

This SOP analyzes your frontend application and generates AWS CDK infrastructure code. The SOP then deploys the infrastructure to AWS. After deployment, the SOP provides a shareable URL for your website.

For prerequisites and security information, see [AWS Deployment SOPs](https://docs.aws.amazon.com/aws-mcp/latest/userguide/agent-sops-deployment.html).

## Supported application types
<a name="frontend-supported-types"></a>
+ Single-page applications (SPAs): React, Vue, Angular, SvelteKit
+ Static site generators (SSGs): Next.js (static export), Nuxt 2/3, Gatsby, Hugo, Jekyll, Docusaurus, Astro, Eleventy
+ Static websites

**Note**  
Applications that require server-side rendering (SSR) are not supported by this SOP. If your application uses SSR, consider deploying with [AWS Lambda](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html), [Amazon ECS](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/Welcome.html), or [AWS App Runner](https://docs.aws.amazon.com/apprunner/latest/dg/what-is-apprunner.html).

## Example prompt
<a name="frontend-example-prompt"></a>

To start a deployment, prompt your coding agent: `Deploy my application`.

## Steps your coding agent takes
<a name="frontend-steps"></a>

Your coding agent commits changes after each significant step to a new `deploy-to-aws` branch.

1. Scans the project to detect the framework, build configuration, and output directory

1. Validates prerequisites (AWS credentials, package manager, CDK CLI)

1. Creates a new branch (`deploy-to-aws`)

1. Generates CDK infrastructure code for Amazon S3 and Amazon CloudFront

1. Builds your application and deploys infrastructure through [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html)

1. Validates the deployment and provides a URL for your application

1. Records deployment details, and follow-up instructions, in your repository in `AGENTS.md` and `DEPLOYMENT.md`

## How it works
<a name="frontend-how-it-works"></a>

Your coding agent analyzes your application to determine the framework, build output directory, and routing strategy. Based on this analysis, the agent generates CDK infrastructure code using the [CloudFrontToS3](https://docs.aws.amazon.com/solutions/latest/constructs/aws_cloudfront_s3.html) AWS Solutions Construct.

The generated infrastructure creates an Amazon S3 bucket to store your compiled application. It also creates an Amazon CloudFront distribution to serve the application globally. CloudFront is configured with Origin Access Control (OAC) so that Amazon S3 is accessed only through the AWS internal network, keeping the bucket private.

Your coding agent determines the correct CloudFront routing configuration based on your framework:
+ Single-page applications use CloudFront error responses to redirect navigation requests to `index.html`
+ Static site generators use CloudFront Functions to rewrite URLs. Depending on your framework's trailing slash configuration, requests are rewritten to either `/path/index.html` or `/path.html`
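
The URL rewrite for static site generators can be sketched as a viewer-request function in the CloudFront Functions handler shape. This is an added example, not the code the SOP generates; `TRAILING_SLASH`, `rewriteUri`, and the handling of a trailing-slash request under the `/path.html` layout are assumptions made for illustration.

```javascript
// Added example: viewer-request rewrite in the CloudFront Functions handler shape.
// TRAILING_SLASH is an assumed constant that mirrors the framework's setting:
//   true  -> pages are emitted as /path/index.html
//   false -> pages are emitted as /path.html
var TRAILING_SLASH = true;

function rewriteUri(uri, trailingSlash) {
  // The site root always maps to the top-level index document.
  if (uri === '/') return '/index.html';

  // Directory-style request, for example /blog/.
  if (uri.charAt(uri.length - 1) === '/') {
    return trailingSlash ? uri + 'index.html' : uri.slice(0, -1) + '.html';
  }

  // A dot in the last path segment is treated as a real file (JS, CSS, images)
  // and passed through unchanged. A page whose name contains a dot would also
  // be passed through; that is a limitation of this sketch.
  var last = uri.substring(uri.lastIndexOf('/') + 1);
  if (last.indexOf('.') !== -1) return uri;

  // Extensionless page request, for example /blog.
  return trailingSlash ? uri + '/index.html' : uri + '.html';
}

// request.uri carries only the path, so the query string is never modified.
function handler(event) {
  var request = event.request;
  request.uri = rewriteUri(request.uri, TRAILING_SLASH);
  return request;
}
```

The rewrite only changes which object key CloudFront requests from the origin; the bucket itself stays private behind OAC.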

A personal preview stack is provisioned using CloudFormation with the naming pattern `{AppName}Frontend-preview-{username}`. Preview environments use non-production defaults. These defaults include `DESTROY` removal policies and short log retention. Production environments use `RETAIN` removal policies and longer retention periods.

The SOP prompts your coding agent to apply security best practices. These practices include private S3 buckets, Content Security Policy (CSP) headers, HTTPS enforcement, and managed security response headers. Always review the generated configuration before deploying to production environments.

For production environments with CI/CD, see [Set up CodePipeline](https://docs.aws.amazon.com/aws-mcp/latest/userguide/agent-sops-deployment-pipeline.html).

## Troubleshooting
<a name="frontend-troubleshooting"></a>

**Application type not supported**  
Verify that all prerequisites are met. If your application meets the prerequisites but is reported as unsupported, prompt your coding agent to attempt the deployment. Minor adjustments may be sufficient.

For any other troubleshooting issues, you can contact [AWS Support](https://console.aws.amazon.com/support/home/), or post your question on [re:Post](https://repost.aws/) with the AWS MCP Server (Preview) tag to ask the community.

# Supabase applications
<a name="agent-sops-deployment-supabase"></a>

This SOP deploys applications that use Supabase (such as Lovable.dev and Bolt.new) to AWS. The SOP migrates Supabase Edge Functions to AWS Lambda and [Amazon API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/welcome.html). It stores secrets in [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html) and hosts the frontend on [Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) and [Amazon CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html). After deployment, the SOP provides a shareable URL for your application.

For prerequisites and security information, see [AWS Deployment SOPs](https://docs.aws.amazon.com/aws-mcp/latest/userguide/agent-sops-deployment.html).

**Important**  
This SOP keeps your database, authentication, and storage in Supabase. You can use an existing project or create a new one. Hosting, Edge Functions, and secrets management migrate to AWS. To fully migrate to AWS, you must manually move your Supabase data.

## Supported application types
<a name="supabase-supported-types"></a>
+ Applications with environment-based Supabase configuration (`supabase/config.toml`): 
  + Single-page applications (SPAs): React, Vue, Angular, SvelteKit
  + Static site generators (SSGs): Next.js (static export), Nuxt 2/3, Gatsby, Hugo, Jekyll, Docusaurus, Astro, Eleventy

## Example prompt
<a name="supabase-example-prompt"></a>

To start a deployment, prompt your coding agent: `Deploy my application`.

## Steps your coding agent takes
<a name="supabase-steps"></a>

Your coding agent commits changes after each significant step to a new `deploy-to-aws` branch.

1. Scans the project to detect the framework, build configuration, and Supabase setup

1. Validates prerequisites (AWS credentials, Supabase CLI, package manager, CDK CLI)

1. Creates a new branch (`deploy-to-aws`)

1. Analyzes Supabase Edge Functions, database configuration, and required secrets

1. Configures the Supabase project — uses your existing project or creates a new one under your existing subscription

1. Migrates Supabase Edge Functions (Deno, TypeScript) to AWS Lambda (Node.js, TypeScript)

1. Converts AI or LLM functions to [Amazon Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/what-is-bedrock.html), if detected. This uses [`InvokeModel`](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_runtime_InvokeModel.html) or [`InvokeModelWithResponseStream`](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_runtime_InvokeModelWithResponseStream.html) as needed

1. Updates all Edge Function references in your application code to use new API endpoints

1. Stores application secrets in AWS Secrets Manager

1. Generates CDK infrastructure code for Lambda, API Gateway, Amazon S3, and Amazon CloudFront

1. Deploys infrastructure through [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html)

1. Validates each migrated function through the deployed API

1. Provides a URL for your application

1. Records deployment details in your repository

## How it works
<a name="supabase-how-it-works"></a>

Your coding agent analyzes your application to identify Supabase Edge Functions, database configuration, and required secrets. The SOP can create a new Supabase project if needed. The new project is created under your existing subscription, and the SOP pushes database migrations to it.

Each Supabase Edge Function is migrated from Deno/TypeScript to Node.js/TypeScript. The migrated function is deployed as an AWS Lambda function fronted by Amazon API Gateway. The SOP uses [NodejsFunction](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda_nodejs-readme.html) with esbuild to bundle each function. If your application uses AI or LLM features, those functions are converted to use Amazon Bedrock. Application secrets, including Supabase credentials, are stored in AWS Secrets Manager. Lambda functions access these secrets at runtime.

For the frontend, the SOP generates the same Amazon S3 and Amazon CloudFront infrastructure as a [frontend deployment](https://docs.aws.amazon.com/aws-mcp/latest/userguide/agent-sops-deployment-frontend.html). The SOP adds an additional CloudFront behavior that proxies `/api/*` requests to API Gateway. This routing approach avoids cross-origin issues and presents a single domain to your users. All Supabase Edge Function references in your application code are updated to use the new `/api/*` endpoints.

After deployment, the SOP updates Supabase authentication redirect URLs to include the CloudFront domain, so authentication flows work correctly with the new hosting.

The SOP prompts your coding agent to apply security best practices to all generated resources. Always review the generated configuration before deploying to production environments.

For production environments with CI/CD, see [Set up CodePipeline](https://docs.aws.amazon.com/aws-mcp/latest/userguide/agent-sops-deployment-pipeline.html).

**Services used**  
Amazon CloudFront, Amazon S3, AWS Lambda, Amazon API Gateway, AWS Secrets Manager, AWS CloudFormation, AWS IAM, and optionally Amazon Bedrock.

## Troubleshooting
<a name="supabase-troubleshooting"></a>

**Application type not supported**  
Verify that all prerequisites are met. If your application meets the prerequisites but is reported as unsupported, prompt your coding agent to attempt the deployment. Minor adjustments may be sufficient.

For any other troubleshooting issues, you can contact [AWS Support](https://console.aws.amazon.com/support/home/), or post your question on [re:Post](https://repost.aws/) with the AWS MCP Server (Preview) tag to ask the community.

# Set up CodePipeline
<a name="agent-sops-deployment-pipeline"></a>

This SOP creates a CI/CD pipeline using AWS CodePipeline. The pipeline automatically builds, tests, and deploys your application when changes are pushed to a source repository branch.

For prerequisites and security information, see [AWS Deployment SOPs](https://docs.aws.amazon.com/aws-mcp/latest/userguide/agent-sops-deployment.html).

## Requirements
<a name="pipeline-requirements"></a>

Your application must already be configured as a CDK application with existing infrastructure code. This SOP works best after deploying with [Frontend applications](https://docs.aws.amazon.com/aws-mcp/latest/userguide/agent-sops-deployment-frontend.html) or [Supabase applications](https://docs.aws.amazon.com/aws-mcp/latest/userguide/agent-sops-deployment-supabase.html).

**Important**  
This SOP requires you to manually approve an AWS CodeConnections resource in your web browser. You need permissions to install and configure the connection in your repository or organization.

## Example prompt
<a name="pipeline-example-prompt"></a>

To set up a pipeline, prompt your coding agent with the following: `Set up a pipeline for my application`.

## Steps your coding agent takes
<a name="pipeline-steps"></a>

Your coding agent commits changes after each significant step to the `deploy-to-aws` branch.

1. Scans the project to detect existing CDK infrastructure, stacks, and application configuration

1. Identifies available quality checks (linting, unit tests) and verifies they pass locally

1. Presents a detection summary and asks you to confirm the configuration

1. Creates an AWS CodeConnections resource to connect AWS to your source repository

1. Creates production secrets in [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html), if your application uses Lambda functions

1. Generates CDK infrastructure code for the pipeline

1. Deploys the pipeline stack through [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html)

1. Prompts you to authorize the connection in the AWS console

1. Verifies the pipeline triggers and runs successfully

1. Records pipeline configuration and deployment details in your repository

## Manual steps
<a name="pipeline-manual-steps"></a>

During Step 8, you must complete authorization in the AWS console:

1. Open the [AWS CodeConnections console](https://console.aws.amazon.com/codesuite/settings/connections)

1. Find the pending connection for your application

1. Choose **Update pending connection**

1. Authorize and install the connector for your repository

## How it works
<a name="pipeline-how-it-works"></a>

Your coding agent verifies your application has existing CDK infrastructure code. The agent then generates a pipeline stack using the CDK Pipelines module (`aws-cdk-lib/pipelines`). The pipeline is self-mutating. When you push changes to pipeline infrastructure code, the pipeline automatically updates itself.

The pipeline uses AWS CodeConnections to authenticate with your source repository. When changes are pushed to the configured branch, the pipeline executes the following stages:

1. *Source* — Pulls source code from your repository through the CodeConnections resource

1. *Build (Synth)* — Installs dependencies, runs quality checks, builds the application, and synthesizes CloudFormation templates using CDK

1. *Update pipeline* — Self-mutation stage that updates the pipeline if its own infrastructure code changed

1. *Assets* — Publishes file and Docker image assets required by the stacks

1. *Deploy* — Deploys your application stacks to a production environment

The pipeline initially triggers on the `deploy-to-aws` branch. You can reconfigure the pipeline to trigger on `main` or another branch. To reconfigure, update the `branchName` context variable in the CDK configuration.

Quality checks are included only if they pass locally during setup. End-to-end tests are not included in the pipeline. The pipeline uses Secretlint to scan for exposed secrets in your codebase during each build. As part of the [AWS Shared Responsibility Model](https://docs.aws.amazon.com/aws-mcp/latest/userguide/data-protection.html), you should rotate exposed secrets immediately.

If your application includes Lambda functions, the SOP creates a separate production secret in AWS Secrets Manager (`{AppName}/prod/secrets`) and deploys both Lambda and frontend stacks through the pipeline.

The SOP prompts your coding agent to apply security best practices. Always review the generated pipeline configuration before deploying.

## Troubleshooting
<a name="pipeline-troubleshooting"></a>

For troubleshooting issues, you can contact [AWS Support](https://console.aws.amazon.com/support/home/), or post your question on [re:Post](https://repost.aws/) with the AWS MCP Server (Preview) tag to ask the community.