// SCAN REPORT

Amazon EKS MCP Server

16 tools. 5 can modify or destroy data without limits.

5 write tools that can modify data. Rate limits recommended.

Last updated:

5 can modify or destroy data
11 read-only
16 tools total
// TOOL MAP
Read (11) Write / Execute (5) Destructive / Financial (0)
// WHAT CAN GO WRONG

Write operations (add_inline_policy, apply_yaml, generate_app_manifest) modify state. Without rate limits, an agent can make hundreds of changes in seconds — faster than any human can review or revert.

// RECOMMENDED RULES
Rate limit write operations
add_inline_policy:
  rules:
    - rate_limit: 30/hour

Prevents bulk unintended modifications from agents caught in loops.

Cap read operations
get_cloudwatch_logs:
  rules:
    - rate_limit: 60/minute

Controls API costs and prevents retry loops from exhausting upstream rate limits.

// ALL 16 AMAZON EKS MCP SERVER TOOLS
WRITE 5 tools
Write add_inline_policy Write apply_yaml Write generate_app_manifest Write manage_eks_stacks Write manage_k8s_resource
READ 11 tools
Read get_cloudwatch_logs Read get_cloudwatch_metrics Read get_eks_insights Read get_eks_metrics_guidance Read get_eks_vpc_config Read get_k8s_events Read get_pod_logs Read get_policies_for_role Read list_api_versions Read list_k8s_resources Read search_eks_troubleshoot_guide
// FAQ
How do I prevent bulk modifications through Amazon EKS MCP Server? +

The Amazon EKS MCP Server server has 5 write tools including add_inline_policy, apply_yaml, generate_app_manifest. Set rate limits in your policy file -- for example, rate_limit: 10/hour prevents an agent from making more than 10 modifications per hour. Intercept enforces this at the transport layer.

How many tools does the Amazon EKS MCP Server MCP server expose? +

16 tools across 2 categories: Read, Write. 11 are read-only. 5 can modify, create, or delete data.

How do I add Intercept to my Amazon EKS MCP Server setup? +

One line change. Instead of running the Amazon EKS MCP Server server directly, prefix it with Intercept: intercept -c amazon-eks-mcp-server.yaml -- npx -y @awslabs.eks-mcp-server. Download a pre-built policy from policylayer.com/policies/amazon-eks-mcp-server and adjust the limits to match your use case.

Let agents act without letting them run wild.

Deterministic policy on every MCP tool call. Per-identity grants. Full audit log.

GET STARTED →
// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.