Update a SageMaker HyperPod cluster. Notes: - before using this tool, ensure you first have the most recent cluster instance group configurations by first calling the describe_hp_cluster tool first. - modify the instance group configuration based on user's request - important: Use "...
Bulk/mass operation — affects multiple targets
Part of the Amazon SageMaker AI MCP Server. Enforce policies on this tool with Intercept, the open-source MCP proxy.
AI agents use update_hp_cluster to create or modify resources in Amazon SageMaker AI MCP Server. Write operations carry medium risk because an autonomous agent could trigger bulk unintended modifications. Rate limits prevent a single agent session from making hundreds of changes in rapid succession. Argument validation ensures the agent passes expected values.
Without a policy, an AI agent could call update_hp_cluster repeatedly, creating or modifying resources faster than any human could review. Intercept's rate limiting ensures write operations happen at a controlled pace, and argument validation catches malformed or unexpected inputs before they reach Amazon SageMaker AI MCP Server.
Write tools can modify data. A rate limit prevents runaway bulk operations from AI agents.
tools:
  update_hp_cluster:
    rules:
      - action: allow
        rate_limit:
          max: 30
          window: 60

See the full Amazon SageMaker AI MCP Server policy for all 4 tools.
Update a SageMaker HyperPod cluster.

Notes:
- before using this tool, ensure you first have the most recent cluster instance group configurations by first calling the describe_hp_cluster tool first.
- modify the instance group configuration based on user's request
- important: Use "InstanceCount" (NOT "CurrentCount" or "TargetCount") for desired target count
- pass the configuration back in the instance group parameter
- IMPORTANT: if user wants to do scheduled updates for their cluster nodes/AMI, also add the ScheduledUpdateConfig configs for the instance group they specified; the scheduled update time can be one-time or recurring based on user provided valid cron expression; Times are in the UTC-00:00 time zone.
- example cron expressions for parameter ScheduleExpression
  - cron(Minutes Hours Day-of-month Month Day-of-week Year)
  - one-time update on December 25, 2025 at 2:00 AM UTC: cron(0 2 25 12 ? 2025)
  - First day of every month at midnight UTC: cron(0 0 1 * ? *)
  - Every Saturday at 4:30 AM UTC: cron(30 4 ? * SAT *)
- example instance groups parameter

    "instance_groups": [
      {
        "OverrideVpcConfig": {
          "SecurityGroupIds": [
            "<>"
          ],
          "Subnets": [
            "<>"
          ]
        },
        "InstanceCount": <>,
        "InstanceGroupName": "<>",
        "InstanceStorageConfigs": [
          {
            "EbsVolumeConfig": {
              "VolumeSizeInGB": <>
            }
          }
        ],
        "LifeCycleConfig": {
          "SourceS3Uri": "<>",
          "OnCreate": "<>"
        },
        "InstanceType": "<>",
        "ThreadsPerCore": <>,
        "ExecutionRole": "<>"
      }
    ],

## Fallback Options:
- If this tool fails, advise using AWS SageMaker CLI option: `aws sagemaker update-cluster --region <cluster_region>` with all appropriate parameters
- Or as another alternative, advise making updates directly in the SageMaker HyperPod console (Amazon SageMaker AI → HyperPod Clusters → Cluster Management → select cluster → Edit)
- To verify results: use CLI `aws sagemaker describe-cluster --cluster-name <name>` or directly verify in console

Args:
    ctx: MCP context
    cluster_name: REQUIRED: cluster name to update
    instance_groups: REQUIRED: instance group configurations
    region_name: REQUIRED - AWS region name
    profile_name: AWS profile name (optional)

Returns:
    update cluster response.

It is categorised as a Write tool in the Amazon SageMaker AI MCP Server, which means it can create or modify data. Consider rate limits to prevent runaway writes.
Add a rule in your Intercept YAML policy under the tools section for update_hp_cluster. You can allow, deny, rate-limit, or validate arguments. Then run Intercept as a proxy in front of the Amazon SageMaker AI MCP Server.
update_hp_cluster is a Write tool with medium risk. Write tools should be rate-limited to prevent accidental bulk modifications.
Yes. Add a rate_limit block to the update_hp_cluster rule in your Intercept policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
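What a per-session rate limit and argument validation for update_hp_cluster amount to, shown as an added Python sketch; it is not Intercept's code or policy syntax. The WriteGate class, the fixed-window reset, the choice not to count rejected calls against the quota, and the InstanceCount requirement are assumptions made for this example; the 30 calls per 60 seconds defaults and the required argument names come from the page.

```python
import time

REQUIRED_ARGS = ("cluster_name", "instance_groups", "region_name")  # "REQUIRED" in the tool's Args
WRONG_COUNT_KEYS = ("CurrentCount", "TargetCount")  # the tool description says not to use these


class WriteGate:
    """Hypothetical pre-flight gate: argument checks, then a fixed-window limit per session."""

    def __init__(self, max_calls=30, window=60, clock=time.monotonic):
        self.max_calls, self.window, self.clock = max_calls, window, clock
        self.sessions = {}  # session id -> (window start, calls used in that window)

    def validate(self, args):
        errors = [f"missing required argument: {k}" for k in REQUIRED_ARGS if not args.get(k)]
        groups = args.get("instance_groups") or []
        if not isinstance(groups, list):
            return errors + ["instance_groups must be a list"]
        for i, group in enumerate(groups):
            if not isinstance(group, dict):
                errors.append(f"instance_groups[{i}]: expected an object")
                continue
            for bad in WRONG_COUNT_KEYS:
                if bad in group:
                    errors.append(f"instance_groups[{i}]: use InstanceCount, not {bad}")
            count = group.get("InstanceCount")
            # Assumption: every group must carry a non-negative integer InstanceCount.
            if isinstance(count, bool) or not isinstance(count, int) or count < 0:
                errors.append(f"instance_groups[{i}]: InstanceCount must be an integer >= 0")
        return errors

    def check(self, session, args):
        errors = self.validate(args)
        if errors:
            return ("deny", errors)  # rejected calls do not consume quota (assumption)
        now = self.clock()
        start, used = self.sessions.get(session, (now, 0))
        if now - start >= self.window:  # window elapsed: the counter resets
            start, used = now, 0
        if used >= self.max_calls:
            return ("deny", [f"rate limit: {self.max_calls} calls per {self.window}s"])
        self.sessions[session] = (start, used + 1)
        return ("allow", [])


# Constructed sample call; the names and values are made up for this example.
SAMPLE = {"cluster_name": "demo-cluster", "region_name": "us-west-2",
          "instance_groups": [{"InstanceGroupName": "workers", "InstanceCount": 4}]}

if __name__ == "__main__":
    gate = WriteGate()
    print([gate.check("session-a", SAMPLE)[0] for _ in range(31)].count("allow"))
```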
Set action: deny in the Intercept policy for update_hp_cluster. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
update_hp_cluster is provided by the Amazon SageMaker AI MCP Server (awslabs.sagemaker-ai-mcp-server). Intercept sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Deterministic policy on every MCP tool call. Per-identity grants. Full audit log.