Skip to main content
8 min read

From Lambda to Full Stack: Generate AWS Infrastructure with One API Call

The AWS Infrastructure Problem

Starting a new AWS project means navigating a maze of infrastructure configuration before you write a single line of application code. CloudFormation templates, SAM definitions, IAM policies with least-privilege scoping, security groups, DynamoDB table schemas, Lambda function configs, API Gateway routes, CloudFront distributions — each one has its own syntax, its own gotchas, and its own set of defaults that are wrong for production.

The AWS Well-Architected Framework describes exactly how all of this should look. Encryption at rest on every data store. IAM roles scoped to the minimum permissions required. VPC endpoints instead of public internet access. X-Ray tracing enabled. CloudWatch alarms on error rates. The patterns are well-documented, but implementing them correctly across a full stack takes hours of reading docs, cross-referencing resource ARNs, and fixing YAML indentation errors that CloudFormation surfaces as cryptic rollback messages twenty minutes into a deploy.

Most teams maintain internal template repositories that drift over time. The template that worked for the last project is missing the new security requirements. The one before that uses a deprecated Lambda runtime. CrowVault's AWS MCP server eliminates this drift by generating infrastructure from a structured description of what you need — every template follows current AWS best practices, every time.

The AWS MCP Server

CrowVault's AWS MCP server ships with 50 tools organized across 10 categories. Each tool takes a JSON description of the resource you need and returns a production-ready template — CloudFormation, SAM, CDK, or Amplify Gen 2 TypeScript depending on the tool. Every output includes the security and observability configuration that AWS recommends but leaves out of their quickstart examples.

The tools cover the full lifecycle of an AWS application: compute (Lambda, ECS, Step Functions), networking (VPC, ALB, API Gateway), storage (S3, EFS), databases (DynamoDB, RDS, Aurora), security (IAM, KMS, WAF), messaging (SQS, SNS, EventBridge), monitoring (CloudWatch, X-Ray), CI/CD (CodePipeline, GitHub Actions for AWS), and complete serverless stacks that wire everything together. One API call per resource. One consistent standard across your entire infrastructure.

Generating a Lambda Function

The generate_lambda_function tool takes the function name, runtime, architecture, and trigger configuration and produces a complete SAM template with IAM role, logging, and tracing:

bash
curl -s -X POST https://api.crowvault.ai/v1/tools/call \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "server": "aws-mcp",
    "tool": "generate_lambda_function",
    "args": {
      "functionName": "processOrder",
      "runtime": "nodejs20.x",
      "architecture": "arm64",
      "memorySize": 512,
      "timeout": 30,
      "trigger": "api-gateway"
    }
  }'

The output is a SAM template that includes everything you need to deploy immediately:

yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Globals:
  Function:
    Timeout: 30
    Runtime: nodejs20.x
    Architectures:
      - arm64
    Tracing: Active
    LoggingConfig:
      LogFormat: JSON

Resources:
  ProcessOrderFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: processOrder
      Handler: src/handlers/processOrder.handler
      MemorySize: 512
      Events:
        ApiEvent:
          Type: Api
          Properties:
            Path: /orders/process
            Method: post
      Policies:
        - CloudWatchLogsFullAccess
      Environment:
        Variables:
          NODE_ENV: production
          LOG_LEVEL: info

  ProcessOrderLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub "/aws/lambda/${ProcessOrderFunction}"
      RetentionInDays: 14

Three details worth noting. The arm64 architecture cuts Lambda costs by roughly 20% compared to x86_64 with no code changes for Node.js workloads. X-Ray tracing is enabled at the function level via Tracing: Active, which means distributed traces work out of the box when this function calls other AWS services. The CloudWatch log group has a 14-day retention — the default (never expire) accumulates costs silently on high-throughput functions. These are the kinds of production defaults that quickstart templates omit.

Complete Serverless Stack in One Call

Individual resources are useful. But the real time savings come from generating an entire application stack at once. The generate_serverless_fullstack tool is the flagship — it takes a project description and produces the complete infrastructure for a serverless web application:

bash
curl -s -X POST https://api.crowvault.ai/v1/tools/call \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "server": "aws-mcp",
    "tool": "generate_serverless_fullstack",
    "args": {
      "projectName": "store",
      "framework": "react",
      "apiRoutes": ["/products", "/orders"],
      "dataModels": ["products", "orders"],
      "authEnabled": true
    }
  }'

The output is a multi-file SAM template that defines a complete production stack. Here is what gets generated:

Frontend hosting — an S3 bucket configured for static site hosting behind a CloudFront distribution with OAC (Origin Access Control), TLS 1.2 minimum, and a custom cache policy that serves your React build with proper cache headers for hashed assets.

API layer — API Gateway HTTP API with Lambda integrations for each route. /products and /orders each get their own Lambda function with individual IAM roles scoped to only the DynamoDB tables they need. No shared "god role" that can access everything.

Authentication — a Cognito User Pool with email verification, password policies, and a JWT authorizer on the API Gateway. The generated template includes the Cognito app client configuration and the authorizer attachment — the part that most tutorials leave as an exercise.

Data layer — DynamoDB tables for products and orders with on-demand billing, point-in-time recovery enabled, and encryption at rest using AWS-managed keys. The table schemas include a partition key and sort key based on the model name, with GSIs for common access patterns.

CI/CD — a GitHub Actions workflow that runs sam build and sam deploy on push to main, with OIDC federation for keyless AWS authentication. No long-lived access keys stored in GitHub Secrets.

This is the stack you would build after reading the AWS Well-Architected serverless lens. It takes an experienced AWS engineer two to four hours to assemble manually. CrowVault generates it in one API call.

AWS Amplify Gen 2

For teams using AWS Amplify, the generate_amplify_app tool produces an Amplify Gen 2 project with TypeScript-first configuration. Amplify Gen 2 replaced the CLI-based workflow with code-based infrastructure definitions, but the migration path is poorly documented and the TypeScript types are extensive:

bash
curl -s -X POST https://api.crowvault.ai/v1/tools/call \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "server": "aws-mcp",
    "tool": "generate_amplify_app",
    "args": {
      "projectName": "store",
      "framework": "nextjs",
      "features": ["auth", "data", "storage"]
    }
  }'

The output includes the Amplify Gen 2 directory structure: amplify/auth/resource.ts with Cognito configuration, amplify/data/resource.ts with a typed data model using Amplify's schema builder, amplify/storage/resource.ts with S3 bucket rules scoped to authenticated users, and the root amplify/backend.ts that ties them together. The generated data models include authorization rules — owner-based access by default, with admin group overrides — so your API is secure from the first deploy.

For Next.js specifically, the output includes the server-side configuration for using Amplify's generateServerClientUsingCookies in Server Components and Route Handlers, which is the part of Amplify Gen 2 that has the steepest learning curve.

Infrastructure Security by Default

Every template generated by the AWS MCP server follows AWS security best practices without requiring you to remember them:

Encryption at rest — S3 buckets use SSE-S3 or SSE-KMS. DynamoDB tables enable encryption. RDS instances use encrypted storage. EBS volumes attached to ECS tasks are encrypted. There is no generated template that stores data unencrypted.

Least-privilege IAM — each Lambda function gets its own execution role with permissions scoped to the specific resources it accesses. No * resource ARNs. No AdministratorAccess policies. The generated IAM statements reference specific table ARNs and S3 bucket ARNs.

Network security — generated security groups use parameterized CIDR blocks, not 0.0.0.0/0. VPC configurations include private subnets for compute and isolated subnets for databases. NAT Gateways are placed in public subnets with Elastic IPs.

Operational safety — DynamoDB tables include deletion protection. S3 buckets have versioning enabled. RDS instances enable automated backups with configurable retention. CloudWatch alarms are generated for error rates and throttling.

50 Tools Across 10 Categories

The AWS MCP server organizes its tools into ten categories that cover the full surface area of a production AWS deployment:

text
Category        Tools  Examples
─────────────── ─────  ───────────────────────────────────────
Compute           6    Lambda, ECS, Fargate, Step Functions
Networking        7    VPC, ALB, API Gateway, Route 53, CloudFront
Storage           5    S3, EFS, backup policies, lifecycle rules
Database          5    DynamoDB, RDS, Aurora, ElastiCache, schemas
Security          6    IAM roles, KMS keys, WAF rules, secrets
Messaging         5    SQS, SNS, EventBridge, pipes, DLQ
Monitoring        4    CloudWatch alarms, dashboards, X-Ray, logs
CI/CD             3    CodePipeline, GitHub Actions, deploy configs
Serverless        8    Full stacks, SAM apps, Amplify, API combos
Meta              1    Server health check

Each tool follows the same API pattern: send a JSON description, receive a production-ready template. The tools compose naturally — generate a DynamoDB table, then generate the Lambda function that reads from it, and the IAM permissions will reference the correct table ARN.

Getting Started

The AWS MCP server is available on all CrowVault plans. The Developer plan ($49/month) includes 500 tool calls — enough to scaffold the complete infrastructure for multiple AWS projects. For teams generating infrastructure across many services, the Team plan includes 5,000 calls and priority support.

If you need to generate multiple resources at once, the batch API lets you call up to 10 tools in parallel. Generate a VPC, DynamoDB table, Lambda function, and API Gateway configuration in a single request. Add "format": "raw" to strip markdown fences from the output and pipe directly into template files.

Create your account, generate an API key from the dashboard, and deploy your first Lambda function in under two minutes. The API documentation covers all 50 AWS tools with parameter schemas and example outputs.

6 min read

Connect OpenClaw to CrowVault: 325 Dev Tools from Any Chat Platform

OpenClaw runs AI agents in your chat apps. CrowVault generates production-ready code. Connect them in one step and generate infrastructure, schemas, and tests from any message thread.
5 min read

CrowVault Expands to 320 Tools Across 9 Servers

From 183 to 320 tools. Four new servers covering testing, security, frontend, and Google Cloud. Here's what changed and why it matters.
8 min read

From Schema to Deployment: A Full-Stack Workflow with CrowVault

Six API calls. One complete microservice. See how CrowVault takes you from schema design to production deployment in minutes, not hours.