diff --git a/.evergreen/setup-mongodb-aws-auth-tests.sh b/.evergreen/setup-mongodb-aws-auth-tests.sh
index 0d91583d046..800d116e276 100644
--- a/.evergreen/setup-mongodb-aws-auth-tests.sh
+++ b/.evergreen/setup-mongodb-aws-auth-tests.sh
@@ -18,7 +18,7 @@ cd $DRIVERS_TOOLS/.evergreen/auth_aws
 # Create a python virtual environment.
 . ./activate-authawsvenv.sh
 # Source the environment variables. Configure the environment and the server.
-. aws_setup.sh $AWS_CREDENTIAL_TYPE
+. aws_setup.sh --nouri $AWS_CREDENTIAL_TYPE
 cd $BEFORE
diff --git a/.gitmodules b/.gitmodules
index d89986aa201..6c55e340790 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,3 +1,3 @@
 [submodule "drivers-evergreen-tools"]
 path = drivers-evergreen-tools
- url = https://github.com/mongodb-labs/drivers-evergreen-tools.git
+ url = https://github.com/mongodb-labs/drivers-evergreen-tools.git
\ No newline at end of file
diff --git a/drivers-evergreen-tools b/drivers-evergreen-tools
index 3b3f081588c..1dcbfe40545 160000
--- a/drivers-evergreen-tools
+++ b/drivers-evergreen-tools
@@ -1 +1 @@
-Subproject commit 3b3f081588cdd4b03be0bf1d6a293ed90a4ea9a4
+Subproject commit 1dcbfe4054590022e93df4e059545eef95af2782
diff --git a/src/cmap/auth/mongo_credentials.ts b/src/cmap/auth/mongo_credentials.ts
index 9abe1ebbc5b..5030f8ebbdf 100644
--- a/src/cmap/auth/mongo_credentials.ts
+++ b/src/cmap/auth/mongo_credentials.ts
@@ -58,6 +58,7 @@ export interface AuthMechanismProperties extends Document {
 SERVICE_NAME?: string;
 SERVICE_REALM?: string;
 CANONICALIZE_HOST_NAME?: GSSAPICanonicalizationValue;
+ /** @internal */
 AWS_SESSION_TOKEN?: string;
 /** A user provided OIDC machine callback function. */
 OIDC_CALLBACK?: OIDCCallbackFunction;
diff --git a/src/cmap/auth/mongodb_aws.ts b/src/cmap/auth/mongodb_aws.ts
index d8bb29886da..27365640651 100644
--- a/src/cmap/auth/mongodb_aws.ts
+++ b/src/cmap/auth/mongodb_aws.ts
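Review bot: The new `--nouri` flag is handed to `aws_setup.sh` with no comment saying what it changes, and the flag itself is provided by the drivers-evergreen-tools submodule this commit pins, so a reader of this script cannot tell from here why it appeared or what breaks if the submodule is rolled back. The comment above the line should say so, e.g. `# --nouri: ask aws_setup.sh not to embed AWS credentials in MONGODB_URI; the driver now obtains them via the AWS SDK` — that reading follows from the rest of this commit but should be confirmed against the pinned submodule. Separately, `$AWS_CREDENTIAL_TYPE` is unquoted, so an unset value silently drops the positional argument rather than failing loudly.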
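Review bot: `/** @internal */` on `AWS_SESSION_TOKEN` removes the property from the public typings but gives no reason, while the property stays settable through `authMechanismProperties`; the actual rejection is done in `parseOptions` elsewhere in this commit, which a maintainer looking only at this interface will not see. A one-line reason prevents the tag being "fixed" back: `/** @internal Not user-settable; parseOptions rejects it for MONGODB-AWS. */`. The `AuthMechanismProperties` interface opens and closes outside the hunk.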
@@ -56,12 +56,10 @@ export class MongoDBAWS extends AuthProvider {
 );
 }
- if (!authContext.credentials.username) {
- authContext.credentials = await makeTempCredentials(
- authContext.credentials,
- this.credentialFetcher
- );
- }
+ authContext.credentials = await makeTempCredentials(
+ authContext.credentials,
+ this.credentialFetcher
+ );
 const { credentials } = authContext;
diff --git a/src/connection_string.ts b/src/connection_string.ts
index 97b7d4d62cc..7e33806183a 100644
--- a/src/connection_string.ts
+++ b/src/connection_string.ts
@@ -423,6 +423,20 @@ export function parseOptions(
 );
 }
+ if (isAws) {
+ const { username, password } = mongoOptions.credentials;
+ if (username || password) {
+ throw new MongoAPIError(
+ 'username and password cannot be provided when using MONGODB-AWS. Credentials must be read via the AWS SDK'
+ );
+ }
+ if (mongoOptions.credentials.mechanismProperties.AWS_SESSION_TOKEN) {
+ throw new MongoAPIError(
+ 'AWS_SESSION_TOKEN cannot be provided when using MONGODB-AWS. Credentials must be read via the AWS SDK'
+ );
+ }
+ }
+
 mongoOptions.credentials.validate();
 // Check if the only auth related option provided was authSource, if so we can remove credentials
diff --git a/test/integration/node-specific/examples/aws_handler.js b/test/integration/node-specific/examples/aws_handler.js
index b22ce92bf5a..f0743b98ee3 100644
--- a/test/integration/node-specific/examples/aws_handler.js
+++ b/test/integration/node-specific/examples/aws_handler.js
@@ -6,10 +6,6 @@ const { MongoClient } = require('mongodb');
 // options. Note that MongoClient now auto-connects so no need to store the connect()
 // promise anywhere and reference it.
 const client = new MongoClient(process.env.MONGODB_URI, {
- auth: {
- username: process.env.AWS_ACCESS_KEY_ID,
- password: process.env.AWS_SECRET_ACCESS_KEY
- },
 authSource: '$external',
 authMechanism: 'MONGODB-AWS'
 });
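Review bot: With the `username` guard gone, `makeTempCredentials` now runs unconditionally, but nothing on the new side says why caller-supplied credentials are no longer honoured here; the reason lives in `parseOptions`, which in this same commit rejects username/password and `AWS_SESSION_TOKEN` for MONGODB-AWS. A comment above the call would tie the two together: `// MONGODB-AWS never uses caller-supplied credentials (parseOptions rejects them); always resolve through the AWS SDK credential fetcher.` If a `MongoCredentials` object can reach this provider without going through `parseOptions`, whatever it carried is now silently replaced by the fetched credentials — worth confirming that is intended. The enclosing method of `MongoDBAWS` starts and ends outside the hunk.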
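Review bot: Both new checks rely on truthiness — `if (username || password)` and `if (mongoOptions.credentials.mechanismProperties.AWS_SESSION_TOKEN)` — so an empty-string username, password or token is accepted for MONGODB-AWS while any non-empty value throws; that looks deliberate if `MongoCredentials` defaults these fields to `''`, but the intent should be stated, e.g. `// empty strings are the MongoCredentials defaults, so truthiness is the right test here`. The rejection is also a useful safeguard against static IAM keys being pasted into a connection string that later ends up in logs, and the error text already points users to the AWS SDK, so the check is well placed before `validate()`. `isAws` and the rest of `parseOptions` are defined outside the hunk.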
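Review bot: After the `auth` block is dropped, the comment above the client still only mentions auto-connect, so nothing tells a reader copying this example that credentials must not be passed and will now be rejected. A line such as `// No auth option: with MONGODB-AWS the driver obtains credentials through the AWS SDK; passing username/password here is rejected.` would stop the block from being re-added. The `new MongoClient(...)` statement is complete within the hunk.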
diff --git a/test/spec/auth/legacy/connection-string.json b/test/spec/auth/legacy/connection-string.json
index 3a099c81379..8982b61d5ae 100644
--- a/test/spec/auth/legacy/connection-string.json
+++ b/test/spec/auth/legacy/connection-string.json
@@ -440,6 +440,21 @@
 }
 }
 },
+ {
+ "description": "should throw an exception if username provided (MONGODB-AWS)",
+ "uri": "mongodb://user@localhost.com/?authMechanism=MONGODB-AWS",
+ "valid": false
+ },
+ {
+ "description": "should throw an exception if username and password provided (MONGODB-AWS)",
+ "uri": "mongodb://user:pass@localhost.com/?authMechanism=MONGODB-AWS",
+ "valid": false
+ },
+ {
+ "description": "should throw an exception if AWS_SESSION_TOKEN provided (MONGODB-AWS)",
+ "uri": "mongodb://localhost/?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:token",
+ "valid": false
+ },
 {
 "description": "should recognise the mechanism with test environment (MONGODB-OIDC)",
 "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:test",
diff --git a/test/spec/auth/legacy/connection-string.yml b/test/spec/auth/legacy/connection-string.yml
index 6b82ef42258..2b98f0f8f2a 100644
--- a/test/spec/auth/legacy/connection-string.yml
+++ b/test/spec/auth/legacy/connection-string.yml
@@ -320,6 +320,15 @@ tests:
 mechanism: MONGODB-AWS
 mechanism_properties:
 AWS_SESSION_TOKEN: token!@#$%^&*()_+
+- description: should throw an exception if username provided (MONGODB-AWS)
+ uri: mongodb://user@localhost.com/?authMechanism=MONGODB-AWS
+ valid: false
+- description: should throw an exception if username and password provided (MONGODB-AWS)
+ uri: mongodb://user:pass@localhost.com/?authMechanism=MONGODB-AWS
+ valid: false
+- description: should throw an exception if AWS_SESSION_TOKEN provided (MONGODB-AWS)
+ uri: mongodb://localhost/?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:token
+ valid: false
 - description: should recognise the mechanism with test environment (MONGODB-OIDC)
 uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:test
 valid: true
@@ -468,4 +477,4 @@ tests:
 (MONGODB-OIDC)
 uri: mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:k8s
 valid: false
- credential: null
\ No newline at end of file
+ credential: null
diff --git a/test/unit/assorted/auth.spec.test.ts b/test/unit/assorted/auth.spec.test.ts
index c474fd8cf11..0c6d734a86c 100644
--- a/test/unit/assorted/auth.spec.test.ts
+++ b/test/unit/assorted/auth.spec.test.ts
@@ -1,6 +1,11 @@
 import { loadSpecTests } from '../../spec';
 import { executeUriValidationTest } from '../../tools/uri_spec_runner';
+const SKIP = [
+ 'should use username and password if specified (MONGODB-AWS)',
+ 'should use username, password and session token if specified (MONGODB-AWS)'
+];
+
 describe('Auth option spec tests (legacy)', function () {
 const suites = loadSpecTests('auth', 'legacy');
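Review bot: `SKIP` lists two spec descriptions as bare strings with no comment saying why they are skipped; the only hint (`NODE-7228`) is in the `it` body in the next hunk of this file, so the list does not explain itself. A comment above the array would fix that: `// Spec cases that still expect static credentials in a MONGODB-AWS URI; the driver now rejects them (NODE-7228).` Since the array is only used for membership tests, `const SKIP = new Set([...])` with `SKIP.has(test.description)` in the next hunk would also state the intent more directly than `includes`.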
@@ -8,6 +13,10 @@ describe('Auth option spec tests (legacy)', function () {
 describe(suite.name, function () {
 for (const test of suite.tests) {
 it(`${test.description}`, function () {
+ if (SKIP.includes(test.description)) {
+ this.test.skipReason = `NODE-7228: ${test.description}`;
+ this.test.skip();
+ }
 executeUriValidationTest(test);
 });
 }
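Review bot: The guard appears to rely on `this.test.skip()` throwing to keep `executeUriValidationTest(test)` from running; nothing in the `if` block makes that control flow visible, so a reader has to know Mocha's skip semantics to see that the validation call is not reached. An explicit exit makes it obvious and survives a change in how skip is implemented: `this.test.skip(); return;` (or `return this.skip();`). The enclosing `describe` and `for` open before the hunk and close after it.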