// SCAN REPORT

Aws Security

33 tools. 7 can modify or destroy data without limits.

7 write tools that can modify data. Rate limits recommended.

Last updated:

7 can modify or destroy data
26 read-only
33 tools total
// TOOL MAP
Read (26) Write / Execute (7) Destructive / Financial (0)
// WHAT CAN GO WRONG

Write operations (generate_html_report, generate_hw_defense_report, generate_maturity_report) modify state. Without rate limits, an agent can make hundreds of changes in seconds — faster than any human can review or revert.

One command. Full control.

Intercept sits between your agent and Aws Security. Every tool call checked against your policy before it executes — so your agent can do its job without breaking things.

npx -y @policylayer/intercept scan -- npx -y @aws-security-mcp
Scans every tool. Generates a policy. Starts enforcing.
Works with Claude Code · Cursor · Claude Desktop · Windsurf · any MCP client
// RECOMMENDED RULES
Rate limit write operations
generate_html_report:
  rules:
    - rate_limit: 30/hour

Prevents bulk unintended modifications from agents caught in loops.

Cap read operations
detect_services:
  rules:
    - rate_limit: 60/minute

Controls API costs and prevents retry loops from exhausting upstream rate limits.

// ALL 33 AWS SECURITY TOOLS
WRITE 7 tools
Write generate_html_report Write generate_hw_defense_report Write generate_maturity_report Write generate_mlps3_html_report Write generate_mlps3_report Write generate_report Write save_results
READ 26 tools
Read detect_services Read get_setup_template Read list_groups Read list_modules Read list_org_accounts Read scan_access_analyzer_findings Read scan_all Read scan_and_report Read scan_config_rules_findings Read scan_disaster_recovery Read scan_dns_dangling Read scan_group Read scan_guardduty_findings Read scan_iam_privilege_escalation Read scan_idle_resources Read scan_imdsv2_enforcement Read scan_inspector_findings Read scan_network_reachability Read scan_patch_compliance_findings Read scan_public_access_verify Read scan_secret_exposure Read scan_security_hub_findings Read scan_ssl_certificate Read scan_tag_compliance Read scan_trusted_advisor_findings Read scan_waf_coverage
// FAQ
How do I prevent bulk modifications through Aws Security? +

The Aws Security server has 7 write tools including generate_html_report, generate_hw_defense_report, generate_maturity_report. Set rate limits in your policy file -- for example, rate_limit: 10/hour prevents an agent from making more than 10 modifications per hour. Intercept enforces this at the transport layer.

How many tools does the Aws Security MCP server expose? +

33 tools across 2 categories: Read, Write. 26 are read-only. 7 can modify, create, or delete data.

How do I add Intercept to my Aws Security setup? +

One line change. Instead of running the Aws Security server directly, prefix it with Intercept: intercept -c aws-security.yaml -- npx -y @aws-security-mcp. Download a pre-built policy from policylayer.com/policies/aws-security and adjust the limits to match your use case.

policylayer/intercept

Control every MCP tool call
your agent makes.

Set budgets, approvals, and hard limits across MCP servers.

npx -y @policylayer/intercept init
Protect your agent in 30 seconds. Scans your MCP config and generates enforcement policies for every server.
// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.