3 tools. 1 can modify or destroy data without limits.
1 destructive tool with no built-in limits. Policy required.
Last updated:
Destructive tools (suggest_aws_commands) permanently delete resources. There is no undo. An agent calling these in a retry loop causes irreversible damage.
suggest_aws_commands:
rules:
- action: deny Destructive tools should never be available to autonomous agents without human approval.
call_aws:
rules:
- rate_limit: 60/minute Controls API costs and prevents retry loops from exhausting upstream rate limits.
Yes. The AWS API MCP Server server exposes 1 destructive tools including suggest_aws_commands. These permanently remove resources with no undo. Intercept blocks destructive tools by default so they never reach the upstream server.
3 tools across 2 categories: Destructive, Read. 2 are read-only. 1 can modify, create, or delete data.
One line change. Instead of running the AWS API MCP Server server directly, prefix it with Intercept: intercept -c aws-api-mcp-server.yaml -- npx -y @awslabs.aws-api-mcp-server. Download a pre-built policy from policylayer.com/policies/aws-api-mcp-server and adjust the limits to match your use case.
Starter policies available for each. Same risk classification, same one-command setup.
Deterministic policy on every MCP tool call. Per-identity grants. Full audit log.