configure_domain · Awslabs Valkey MCP: Risk & Policy

WHAT IT DOES

What configure_domain does on Awslabs Valkey

AI agents use configure_domain to create or update resources in Awslabs Valkey — usually the action step of a workflow, after the agent has gathered context. Every call changes real data in your Awslabs Valkey environment.

WHY IT NEEDS A POLICY

Why configure_domain needs a policy

Domain configuration in ElastiCache/MemoryDB is a reversible Write operation—it modifies cluster settings (SSL, encryption, network domains) without deleting data. The high severity reflects that misconfigured domains could disable access, break encryption, or expose clusters. Confidence is moderate due to empty description, but the name and AWS service context indicate clear data/configuration modification intent.

From the tool's definition Tool name 'configure_domain' indicates configuration modification. Given the context of AWS ElastiCache/MemoryDB Valkey, domain configuration changes would modify network/SSL settings and other cluster properties. Description is empty, limiting certainty.

Attacks that exploit this kind of access

Recommended rule Ready

Verdict

configure_domain Rate-limited

configure_domain stays usable, but capped — an agent stuck in a loop can't make hundreds of changes a minute. Everything else on the server is denied unless you say otherwise.

View as policy code

policy.json

{
  "version": "1",
  "default": "deny",
  "tools": {
    "configure_domain": {
      "limits": [
        {
          "counter": "configure_domain_rate",
          "window": "minute",
          "max": 30,
          "scope": "grant"
        }
      ]
    }
  }
}

LIMIT THIS TOOL →

Instant setup, no code required.

PolicyLayer is an MCP gateway: every tool call is checked against your rule before it reaches Awslabs Valkey, so you can run agents against it safely.

FAQ

Questions about configure_domain

What does the configure_domain tool do? +

configure_domain. It is categorised as a Write tool in the Awslabs Valkey MCP Server, which means it can create or modify data. Consider rate limits to prevent runaway writes.

How do I enforce a policy on configure_domain? +

Register the Awslabs Valkey MCP server in PolicyLayer and add a rule for configure_domain: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches Awslabs Valkey. Nothing to install.

What risk level is configure_domain? +

configure_domain is a Write tool with medium risk. Write tools should be rate-limited to prevent accidental bulk modifications.

Can I rate-limit configure_domain? +

Yes. Add a rate_limit block to the configure_domain rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.

How do I block configure_domain completely? +

Set action: deny in the PolicyLayer policy for configure_domain. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.

What MCP server provides configure_domain? +

configure_domain is provided by the Awslabs Valkey MCP server (awslabs.valkey-mcp-server). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.