Fetches CloudWatch logs that are generated by Lambda function and API GW resources in a SAM application. Requirements: - AWS SAM CLI MUST be installed and configured in your environment - Your SAM application MUST be deployed and receiving traffic After deploying your serverless application, yo...
High parameter count (10 properties); Admin/system-level operation
Part of the AWS Serverless MCP Server MCP server. Enforce policies on this tool with Intercept, the open-source MCP proxy.
AI agents call sam_logs to retrieve information from AWS Serverless MCP Server without modifying any data. This is common in research, monitoring, and reporting workflows where the agent needs context before taking action. Because read operations don't change state, they are generally safe to allow without restrictions -- but you may still want rate limits to control API costs.
Even though sam_logs only reads data, uncontrolled read access can leak sensitive information or rack up API costs. An agent caught in a retry loop could make thousands of calls per minute. A rate limit gives you a safety net without blocking legitimate use.
Read-only tools are safe to allow by default. No rate limit needed unless you want to control costs.
tools:
sam_logs:
rules:
- action: allowSee the full AWS Serverless MCP Server policy for all 32 tools.
Agents calling read-class tools like sam_logs have been implicated in these attack patterns. Read the full case and prevention policy for each:
Other tools in the Read risk category across the catalogue. The same policy patterns (rate-limit, allow) apply to each.
Fetches CloudWatch logs that are generated by Lambda function and API GW resources in a SAM application. Requirements: - AWS SAM CLI MUST be installed and configured in your environment - Your SAM application MUST be deployed and receiving traffic After deploying your serverless application, you can use this tool to monitor it to provide insights on its operations and detect anomalies. Use this tool to help troubleshoot invocation failures, and function code errors and find root causes. Lambda function logs contain application logs emitted by your code and platform level logs emitted by the Lambda service. Usage tips: - Use logs to debug out-of-memory errors. Platform logs indicate memory usage in the REPORT line. If memory usage is high compared to configured memory, out-of-memory could be causing invocation failures. - Use logs to debug timeouts errors. Functions that have timed-out contain a log line like ' Task timed out after 3.00 seconds'. Note: You MUST explicitly enable logging on API GW resources Returns: Dict: Log retrieval result. It is categorised as a Read tool in the AWS Serverless MCP Server MCP Server, which means it retrieves data without modifying state.
Add a rule in your Intercept YAML policy under the tools section for sam_logs. You can allow, deny, rate-limit, or validate arguments. Then run Intercept as a proxy in front of the AWS Serverless MCP Server MCP server.
sam_logs is a Read tool with low risk. Read-only tools are generally safe to allow by default.
Yes. Add a rate_limit block to the sam_logs rule in your Intercept policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the Intercept policy for sam_logs. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
sam_logs is provided by the AWS Serverless MCP Server MCP server (awslabs.aws-serverless-mcp-server). Intercept sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Deterministic policy on every MCP tool call. Per-identity grants. Full audit log.