// SCAN REPORT

AWS Bedrock AgentCore MCP Server

122 tools. 69 can modify or destroy data without limits.

15 destructive tools with no built-in limits. Policy required.

Last updated:

69 can modify or destroy data
53 read-only
122 tools total
// TOOL MAP
Read (53) Write / Execute (54) Destructive / Financial (15)
// WHAT CAN GO WRONG

Destructive tools (delete_agent_runtime, delete_agent_runtime_endpoint, gateway_delete) permanently delete resources. There is no undo. An agent calling these in a retry loop causes irreversible damage.

Write operations (browser_click, browser_close, browser_fill_form) modify state. Without rate limits, an agent can make hundreds of changes in seconds — faster than any human can review or revert.

Execute tools (browser_evaluate, browser_navigate, browser_navigate_back) trigger processes with side effects. Builds, notifications, workflows — all fired without throttling.

// RECOMMENDED RULES
Deny destructive operations
delete_agent_runtime:
  rules:
    - action: deny

Destructive tools should never be available to autonomous agents without human approval.

Rate limit write operations
browser_click:
  rules:
    - rate_limit: 30/hour

Prevents bulk unintended modifications from agents caught in loops.

Cap read operations
browser_console_messages:
  rules:
    - rate_limit: 60/minute

Controls API costs and prevents retry loops from exhausting upstream rate limits.

// ALL 122 AWS BEDROCK AGENTCORE MCP SERVER TOOLS
DESTRUCTIVE 15 tools
Destructive delete_agent_runtime Destructive delete_agent_runtime_endpoint Destructive gateway_delete Destructive gateway_resource_policy_delete Destructive gateway_target_delete Destructive identity_delete_api_key_provider Destructive identity_delete_oauth2_provider Destructive identity_delete_resource_policy Destructive identity_delete_workload_identity Destructive memory_batch_delete_records Destructive memory_delete Destructive memory_delete_event Destructive memory_delete_record Destructive policy_delete Destructive policy_engine_delete
EXECUTE 16 tools
Execute browser_evaluate Execute browser_navigate Execute browser_navigate_back Execute browser_navigate_forward Execute browser_wait_for Execute execute_code Execute execute_command Execute gateway_target_synchronize Execute invoke_agent_runtime Execute memory_start_extraction_job Execute policy_generation_start Execute start_browser_session Execute start_code_interpreter_session Execute stop_browser_session Execute stop_code_interpreter_session Execute stop_runtime_session
WRITE 38 tools
Write browser_click Write browser_close Write browser_fill_form Write browser_handle_dialog Write browser_press_key Write browser_resize Write browser_select_option Write browser_tabs Write browser_type Write browser_upload_file Write create_agent_runtime Write create_agent_runtime_endpoint Write gateway_create Write gateway_resource_policy_put Write gateway_target_create Write gateway_target_update Write gateway_update Write identity_create_api_key_provider Write identity_create_oauth2_provider Write identity_create_workload_identity Write identity_put_resource_policy Write identity_set_token_vault_cmk Write identity_update_api_key_provider Write identity_update_oauth2_provider Write identity_update_workload_identity Write install_packages Write memory_batch_create_records Write memory_batch_update_records Write memory_create Write memory_create_event Write memory_update Write policy_create Write policy_engine_create Write policy_engine_update Write policy_update Write update_agent_runtime Write update_agent_runtime_endpoint Write upload_file
READ 53 tools
Read browser_console_messages Read browser_hover Read browser_mouse_wheel Read browser_network_requests Read browser_snapshot Read browser_take_screenshot Read download_file Read fetch_agentcore_doc Read gateway_get Read gateway_list Read gateway_resource_policy_get Read gateway_target_get Read gateway_target_list Read get_agent_runtime Read get_agent_runtime_endpoint Read get_browser_session Read get_code_interpreter_session Read get_gateway_guide Read get_identity_guide Read get_memory_guide Read get_policy_guide Read get_runtime_guide Read identity_get_api_key_provider Read identity_get_oauth2_provider Read identity_get_resource_policy Read identity_get_token_vault Read identity_get_workload_identity Read identity_list_api_key_providers Read identity_list_oauth2_providers Read identity_list_workload_identities Read list_agent_runtime_endpoints Read list_agent_runtime_versions Read list_agent_runtimes Read list_browser_sessions Read list_code_interpreter_sessions Read memory_get Read memory_get_event Read memory_get_record Read memory_list Read memory_list_actors Read memory_list_events Read memory_list_extraction_jobs Read memory_list_records Read memory_list_sessions Read memory_retrieve_records Read policy_engine_get Read policy_engine_list Read policy_generation_get Read policy_generation_list Read policy_generation_list_assets Read policy_get Read policy_list Read search_agentcore_docs
// FAQ
Can an AI agent delete data through the AWS Bedrock AgentCore MCP Server MCP server? +

Yes. The AWS Bedrock AgentCore MCP Server server exposes 15 destructive tools including delete_agent_runtime, delete_agent_runtime_endpoint, gateway_delete. These permanently remove resources with no undo. Intercept blocks destructive tools by default so they never reach the upstream server.

How do I prevent bulk modifications through AWS Bedrock AgentCore MCP Server? +

The AWS Bedrock AgentCore MCP Server server has 38 write tools including browser_click, browser_close, browser_fill_form. Set rate limits in your policy file -- for example, rate_limit: 10/hour prevents an agent from making more than 10 modifications per hour. Intercept enforces this at the transport layer.

How many tools does the AWS Bedrock AgentCore MCP Server MCP server expose? +

122 tools across 4 categories: Destructive, Execute, Read, Write. 53 are read-only. 69 can modify, create, or delete data.

How do I add Intercept to my AWS Bedrock AgentCore MCP Server setup? +

One line change. Instead of running the AWS Bedrock AgentCore MCP Server server directly, prefix it with Intercept: intercept -c aws-bedrock-agentcore-mcp-server.yaml -- npx -y @awslabs.amazon-bedrock-agentcore-mcp-server. Download a pre-built policy from policylayer.com/policies/aws-bedrock-agentcore-mcp-server and adjust the limits to match your use case.

// RELATED SERVERS

Other MCP servers with similar tools.

Starter policies available for each. Same risk classification, same one-command setup.

Mcp Api 314 tools
adminautomation
Aibtc 308 tools
adminautomation
SmartBear MCP 243 tools
adminautomation
Google Super 200 tools
adminautomation
Arcane 180 tools
adminautomation
Propresenter 177 tools
adminautomation
Leaper Vision Toolkit 169 tools
adminautomation
Opencut Controller 161 tools
adminautomation

Let agents act without letting them run wild.

Deterministic policy on every MCP tool call. Per-identity grants. Full audit log.

GET STARTED →
// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.