diff --git a/plugins/aws/plugin.go b/plugins/aws/plugin.go
index 75255e7d..cd2c7b96 100644
--- a/plugins/aws/plugin.go
+++ b/plugins/aws/plugin.go
@@ -18,6 +18,7 @@ func New() schema.Plugin {
 		Executables: []schema.Executable{
 			AWSCLI(),
 			AWSCDKToolkit(),
+			AWSSAMCLI(),
 			eksctlCLI(),
 		},
 	}
diff --git a/plugins/aws/sam.go b/plugins/aws/sam.go
new file mode 100644
index 00000000..33286a1c
--- /dev/null
+++ b/plugins/aws/sam.go
@@ -0,0 +1,31 @@
+package aws
+
+import (
+	"github.com/1Password/shell-plugins/sdk"
+	"github.com/1Password/shell-plugins/sdk/needsauth"
+	"github.com/1Password/shell-plugins/sdk/schema"
+	"github.com/1Password/shell-plugins/sdk/schema/credname"
+)
+
+func AWSSAMCLI() schema.Executable {
+	return schema.Executable{
+		Name:    "AWS SAM CLI",
+		Runs:    []string{"sam"},
+		DocsURL: sdk.URL("https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/reference-sam-cli.html"),
+		NeedsAuth: needsauth.IfAll(
+			needsauth.NotForHelpOrVersion(),
+			needsauth.NotWithoutArgs(),
+			// skip 1Password authentication for "sam docs", "sam init", "sam local" and "sam validate" and their subcommands
+			needsauth.NotWhenContainsArgs("docs"),
+			needsauth.NotWhenContainsArgs("init"),
+			needsauth.NotWhenContainsArgs("local"),
+			needsauth.NotWhenContainsArgs("validate"),
+		),
+		Uses: []schema.CredentialUsage{
+			{
+				Name:        credname.AccessKey,
+				Provisioner: CLIProvisioner{},
+			},
+		},
+	}
+}