diff --git a/internal/cmd/base/base.go b/internal/cmd/base/base.go index 4c8205bf7b..3c5b266329 100644 --- a/internal/cmd/base/base.go +++ b/internal/cmd/base/base.go @@ -21,6 +21,25 @@ import ( "github.com/posener/complete" ) +type EnabledPlugin uint + +const ( + EnabledPluginUnknown EnabledPlugin = iota + EnabledPluginHostAws + EnabledPluginHostAzure +) + +func (e EnabledPlugin) String() string { + switch e { + case EnabledPluginHostAws: + return "AWS" + case EnabledPluginHostAzure: + return "Azure" + default: + return "" + } +} + const ( CommandSuccess int = iota CommandApiError diff --git a/internal/cmd/base/servers.go b/internal/cmd/base/servers.go index b4fdc15900..4134cb3617 100644 --- a/internal/cmd/base/servers.go +++ b/internal/cmd/base/servers.go @@ -114,7 +114,8 @@ type Server struct { DevTargetSessionConnectionLimit int DevLoopbackHostPluginId string - HostPlugins map[string]plgpb.HostPluginServiceClient + EnabledPlugins []EnabledPlugin + HostPlugins map[string]plgpb.HostPluginServiceClient DevOidcSetup oidcSetup diff --git a/internal/cmd/commands/dev/dev.go b/internal/cmd/commands/dev/dev.go index 83e29a01e4..a81fc19a01 100644 --- a/internal/cmd/commands/dev/dev.go +++ b/internal/cmd/commands/dev/dev.go @@ -596,6 +596,7 @@ func (c *Command) Run(args []string) int { c.ReleaseLogGate() { + c.EnabledPlugins = []base.EnabledPlugin{base.EnabledPluginHostAws, base.EnabledPluginHostAzure} conf := &controller.Config{ RawConfig: c.Config, Server: c.Server, diff --git a/internal/cmd/commands/server/server.go b/internal/cmd/commands/server/server.go index f21adf2c18..aabee08256 100644 --- a/internal/cmd/commands/server/server.go +++ b/internal/cmd/commands/server/server.go 
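Review bot: `EnabledPlugin.String()` in base.go is used as more than a display label: the controller.go hunk of this commit lowercases its result and passes it to `CreateHostPlugin` and `RegisterHostPlugin` as the plugin name, so rewording `"AWS"` or `"Azure"` here would change which built-in plugin is looked up and launched. The exported type, its constants and the method also have no doc comments. I would add `// EnabledPlugin identifies a built-in plugin that the controller launches at startup.` above the type and `// String returns the display name; its lowercased form is also the plugin name used for lookup, so treat it as a stable identifier.` above the method. That comment should also say that `EnabledPluginUnknown` and unlisted values return the empty string, which is not a usable plugin name.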
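Review bot: The list `[]base.EnabledPlugin{base.EnabledPluginHostAws, base.EnabledPluginHostAzure}` is written out in dev.go and again in the server.go hunk (`Run` in internal/cmd/commands/server/server.go), so the two commands can drift apart and start different sets of plugin processes. A single shared definition in the base package would keep them in step. Both copies also enable every plugin unconditionally; if `EnabledPlugins` is meant to let a deployment run only the plugins it needs, that selection is not yet wired to configuration in the visible lines. `Run` starts and ends outside both hunks.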
@@ -457,6 +457,7 @@ func (c *Command) Run(args []string) int { c.ReleaseLogGate() if c.Config.Controller != nil { + c.EnabledPlugins = []base.EnabledPlugin{base.EnabledPluginHostAws, base.EnabledPluginHostAzure} if err := c.StartController(ctx); err != nil { c.UI.Error(err.Error()) return base.CommandCliError diff --git a/internal/servers/controller/controller.go b/internal/servers/controller/controller.go index 27ffe9d75c..09640b8a0f 100644 --- a/internal/servers/controller/controller.go +++ b/internal/servers/controller/controller.go @@ -4,6 +4,7 @@ import ( "context" "crypto/rand" "fmt" + "strings" "sync" "github.com/grpc-ecosystem/grpc-gateway/v2/runtime" @@ -11,6 +12,7 @@ import ( "github.com/hashicorp/boundary/internal/auth/oidc" "github.com/hashicorp/boundary/internal/auth/password" "github.com/hashicorp/boundary/internal/authtoken" + "github.com/hashicorp/boundary/internal/cmd/base" "github.com/hashicorp/boundary/internal/cmd/config" "github.com/hashicorp/boundary/internal/credential/vault" "github.com/hashicorp/boundary/internal/db" @@ -75,6 +77,8 @@ type Controller struct { scheduler *scheduler.Scheduler kms *kms.Kms + + enabledPlugins []base.EnabledPlugin } func New(ctx context.Context, conf *Config) (*Controller, error) { @@ -86,6 +90,7 @@ func New(ctx context.Context, conf *Config) (*Controller, error) { schedulerWg: new(sync.WaitGroup), workerAuthCache: new(sync.Map), workerStatusUpdateTimes: new(sync.Map), + enabledPlugins: conf.Server.EnabledPlugins, } c.started.Store(false) 
@@ -119,32 +124,24 @@ func New(ctx context.Context, conf *Config) (*Controller, error) { } } - azureSvcClient, azureCleanup, err := external_host_plugins.CreateHostPlugin( - ctx, - "azure", - external_host_plugins.WithHostPluginsFilesystem("boundary-plugin-host-", host_plugin_assets.FileSystem()), - external_host_plugins.WithHostPluginExecutionDir(conf.RawConfig.Plugins.ExecutionDir), - external_host_plugins.WithLogger(hclog.NewNullLogger())) - if err != nil { - return nil, fmt.Errorf("error creating azure host plugin: %w", err) - } - conf.ShutdownFuncs = append(conf.ShutdownFuncs, azureCleanup) - if _, err := conf.RegisterHostPlugin(ctx, "azure", azureSvcClient, hostplugin.WithDescription("Built-in Azure host plugin")); err != nil { - return nil, fmt.Errorf("error registering azure host plugin: %w", err) - } - - awsSvcClient, awsCleanup, err := external_host_plugins.CreateHostPlugin( - ctx, - "aws", - external_host_plugins.WithHostPluginsFilesystem("boundary-plugin-host-", host_plugin_assets.FileSystem()), - external_host_plugins.WithHostPluginExecutionDir(conf.RawConfig.Plugins.ExecutionDir), - external_host_plugins.WithLogger(hclog.NewNullLogger())) - if err != nil { - return nil, fmt.Errorf("error creating aws host plugin") - } - conf.ShutdownFuncs = append(conf.ShutdownFuncs, awsCleanup) - if _, err := conf.RegisterHostPlugin(ctx, "aws", awsSvcClient, hostplugin.WithDescription("Built-in AWS host plugin")); err != nil { - return nil, fmt.Errorf("error registering aws host plugin: %w", err) + for _, enabledPlugin := range c.enabledPlugins { + switch enabledPlugin { + case base.EnabledPluginHostAzure, base.EnabledPluginHostAws: + pluginType := strings.ToLower(enabledPlugin.String()) + client, cleanup, err := external_host_plugins.CreateHostPlugin( + ctx, + pluginType, + external_host_plugins.WithHostPluginsFilesystem("boundary-plugin-host-", host_plugin_assets.FileSystem()), + external_host_plugins.WithHostPluginExecutionDir(conf.RawConfig.Plugins.ExecutionDir), 
+ external_host_plugins.WithLogger(hclog.NewNullLogger())) + if err != nil { + return nil, fmt.Errorf("error creating %s host plugin: %w", pluginType, err) + } + conf.ShutdownFuncs = append(conf.ShutdownFuncs, cleanup) + if _, err := conf.RegisterHostPlugin(ctx, pluginType, client, hostplugin.WithDescription(fmt.Sprintf("Built-in %s host plugin", enabledPlugin.String()))); err != nil { + return nil, fmt.Errorf("error registering %s host plugin: %w", pluginType, err) + } + } } if conf.HostPlugins == nil { diff --git a/internal/servers/controller/testing.go b/internal/servers/controller/testing.go index f8fe35b192..a9f7a1061d 100644 --- a/internal/servers/controller/testing.go +++ b/internal/servers/controller/testing.go @@ -48,6 +48,7 @@ const ( DefaultTestOidcAccountId = "acctoidc_1234567890" DefaultTestUnprivilegedPasswordAccountId = intglobals.NewPasswordAccountPrefix + "_0987654321" DefaultTestUnprivilegedOidcAccountId = "acctoidc_0987654321" + DefaultTestPluginId = "pl_1234567890" ) // TestController wraps a base.Server and Controller to provide a @@ -615,7 +616,7 @@ func TestControllerConfig(t *testing.T, ctx context.Context, tc *TestController, } } else if !opts.DisableDatabaseCreation { var createOpts []base.Option - createOpts = append(createOpts, base.WithHostPlugin("pl_1234567890", plugin.NewWrappingPluginClient(plugin.NewLoopbackPlugin()))) + createOpts = append(createOpts, base.WithHostPlugin(DefaultTestPluginId, plugin.NewWrappingPluginClient(plugin.NewLoopbackPlugin()))) if opts.DisableAuthMethodCreation { createOpts = append(createOpts, base.WithSkipAuthMethodCreation()) }
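Review bot: The `switch enabledPlugin` inside the new loop in controller.go has no `default` branch, so `EnabledPluginUnknown` or any value added to the enum later is skipped without an error and the controller starts without a plugin the caller asked for. Adding `default:` with `return nil, fmt.Errorf("unsupported enabled plugin %d", enabledPlugin)` would make that misconfiguration fail at startup instead. Related: a caller that builds the config without setting `EnabledPlugins` now gets no AWS or Azure host plugin at all, where the removed code always created both; only dev.go and server.go are shown setting it, so other constructors (test helpers, for example) should be checked. The plugin logger is still `hclog.NewNullLogger()`, carried over from the removed lines, so any output the launched plugins write to it is discarded. `New` begins and ends outside this hunk.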