Critical-risk tools in AWS Bedrock AgentCore MCP Server
15 of the 122 tools in AWS Bedrock AgentCore MCP Server are classified as critical risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at critical risk
-
delete_agent_runtimeDestructiveDelete an AgentCore Runtime and all its versions. All endpoints must be deleted first. Active sessions will be terminated. This operation cannot be undone.
-
delete_agent_runtime_endpointDestructiveDelete a runtime endpoint. Cannot delete the DEFAULT endpoint. This operation cannot be undone.
-
gateway_deleteDestructiveDelete an AgentCore Gateway. WARNING: This permanently deletes the gateway. All associated targets and the auto-created workload identity are removed. Agents pointing to this g...
-
gateway_resource_policy_deleteDestructiveDelete the resource-based policy attached to a gateway. WARNING: This removes all permissions granted by the resource policy. Principals that relied on the policy for access wi...
-
gateway_target_deleteDestructiveDelete a gateway target. WARNING: This permanently removes the target from the gateway. Tools exposed via this target will no longer be available to agents. This action cannot ...
-
identity_delete_api_key_providerDestructivePermanently delete an API key credential provider. WARNING: This permanently deletes the credential provider and its backing secret. Any agents or workloads retrieving the key ...
-
identity_delete_oauth2_providerDestructivePermanently delete an OAuth2 credential provider. WARNING: This permanently deletes the credential provider and its backing secret. Any agents or workloads retrieving tokens vi...
-
identity_delete_resource_policyDestructivePermanently delete the resource-based policy on an AgentCore resource. WARNING: Removes ALL access-control statements from the target resource. After deletion, only principals ...
-
identity_delete_workload_identityDestructivePermanently delete an AgentCore workload identity. WARNING: This permanently deletes the workload identity. Any agents or code relying on this identity will no longer be able t...
-
memory_batch_delete_recordsDestructiveBatch delete memory records from an AgentCore Memory resource. WARNING: This permanently deletes up to 100 memory records in a single call. This action cannot be undone.
-
memory_deleteDestructiveDelete an AgentCore Memory resource. WARNING: This permanently deletes the memory resource and all associated data (events, memory records, strategies). This action cannot be u...
-
memory_delete_eventDestructivePermanently delete an event from an AgentCore Memory resource. WARNING: This permanently removes the event. This action cannot be undone. Already-extracted long-term memory rec...
-
memory_delete_recordDestructivePermanently delete a memory record from an AgentCore Memory resource. WARNING: This permanently removes the memory record. This action cannot be undone.
-
policy_deleteDestructiveDelete a Cedar policy. WARNING: This permanently deletes the policy. Delete is asynchronous — status transitions through DELETING. This action cannot be undone.
-
policy_engine_deleteDestructiveDelete an AgentCore Policy Engine. WARNING: This permanently deletes the policy engine. The engine must not have any associated policies before deletion — delete all policies f...
Attacks that target this class
Critical-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.