// MCP TOOL REFERENCE
Medium Risk

generate_resources

Generates resources from a DynamoDB data model JSON file (dynamodb_data_model.json). This tool generates various resources based on the provided `dynamodb_data_model.json` file. Currently supports generating a CDK app for deploying DynamoDB tables. Supported resource types: - cdk: CDK app for d...

Part of the AWS DynamoDB MCP Server MCP server. Enforce policies on this tool with Intercept, the open-source MCP proxy.

awslabs.dynamodb-mcp-server Write
// WHEN AI AGENTS USE THIS TOOL

AI agents use generate_resources to create or modify resources in AWS DynamoDB MCP Server. Write operations carry medium risk because an autonomous agent could trigger bulk unintended modifications. Rate limits prevent a single agent session from making hundreds of changes in rapid succession. Argument validation ensures the agent passes expected values.

// WHY ENFORCE A POLICY ON GENERATE_RESOURCES

Without a policy, an AI agent could call generate_resources repeatedly, creating or modifying resources faster than any human could review. Intercept's rate limiting ensures write operations happen at a controlled pace, and argument validation catches malformed or unexpected inputs before they reach AWS DynamoDB MCP Server.

// RECOMMENDED POLICY

Write tools can modify data. A rate limit prevents runaway bulk operations from AI agents.

aws-dynamodb-mcp-server.yaml 
tools:
  generate_resources:
    rules:
      - action: allow
        rate_limit:
          max: 30
          window: 60

See the full AWS DynamoDB MCP Server policy for all 8 tools.

// DETAILS
Tool Name generate_resources
Category Write
MCP Server AWS DynamoDB MCP Server MCP Server
Risk Level Medium
// MORE AWS DYNAMODB MCP SERVER TOOLS
Execute source_db_analyzer Write compute_performances_and_costs Write generate_data_access_layer Read dynamodb_data_model_schema_converter Read dynamodb_data_model_schema_validator Read dynamodb_data_model_validation Read dynamodb_data_modeling
// WHAT CAN GO WRONG

Agents calling write-class tools like generate_resources have been implicated in these attack patterns. Read the full case and prevention policy for each:

Browse the full MCP Attack Database →

// OTHER WRITE TOOLS ACROSS MCP SERVERS

Other tools in the Write risk category across the catalogue. The same policy patterns (rate-limit, validate) apply to each.

Firecrawl Web Scraping Server firecrawl_generate_llmstxt AbraFlexi contact_create AbraFlexi contact_update AbraFlexi evidence_create AbraFlexi evidence_update AbraFlexi invoice_issued_update
// RELATED READING
// FAQ
What does the generate_resources tool do? +

Generates resources from a DynamoDB data model JSON file (dynamodb_data_model.json). This tool generates various resources based on the provided `dynamodb_data_model.json` file. Currently supports generating a CDK app for deploying DynamoDB tables. Supported resource types: - cdk: CDK app for deploying DynamoDB tables. Generates a CDK app that provisions DynamoDB tables and GSIs as defined in `dynamodb_data_model.json`. WHEN TO USE: - After completing data model validation with `dynamodb_data_model_validation` tool - When user asks to "deploy", "create CDK app", "generate CDK", or "provision infrastructure" - When user wants to deploy their DynamoDB tables and GSIs to AWS using a CDK app WHEN NOT TO USE: - Before completing data model validation with `dynamodb_data_model_validation` tool - Before having created the `dynamodb_data_model.json` file - When user only wants to generate Python code without deploying infrastructure WHAT TO DO ON SUCCESSFUL COMPLETION: After CDK generation completes, you MUST ask the user if they want to: 1. Deploy the CDK app now (provide deployment instructions) 2. Generate Python data access layer code to interact with the tables (call `dynamodb_data_model_schema_converter` then `generate_data_access_layer`) Args: dynamodb_data_model_json_file: Absolute path to the `dynamodb_data_model.json` file resource_type: Type of resource to generate, possible values: cdk Returns: Success message with the destination path, or error message if generation fails. It is categorised as a Write tool in the AWS DynamoDB MCP Server MCP Server, which means it can create or modify data. Consider rate limits to prevent runaway writes.

How do I enforce a policy on generate_resources? +

Add a rule in your Intercept YAML policy under the tools section for generate_resources. You can allow, deny, rate-limit, or validate arguments. Then run Intercept as a proxy in front of the AWS DynamoDB MCP Server MCP server.

What risk level is generate_resources? +

generate_resources is a Write tool with medium risk. Write tools should be rate-limited to prevent accidental bulk modifications.

Can I rate-limit generate_resources? +

Yes. Add a rate_limit block to the generate_resources rule in your Intercept policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.

How do I block generate_resources completely? +

Set action: deny in the Intercept policy for generate_resources. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.

What MCP server provides generate_resources? +

generate_resources is provided by the AWS DynamoDB MCP Server MCP server (awslabs.dynamodb-mcp-server). Intercept sits as a proxy in front of this server to enforce policies before tool calls reach the server.

Let agents act without letting them run wild.

Deterministic policy on every MCP tool call. Per-identity grants. Full audit log.

GET STARTED →
// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.