SOLUTIONS · BY WHAT THEY TOUCH Payments Code & CI Data & databases Infrastructure Customer ops Org-wide rollout SOLUTIONS · BY AGENT TYPE Coding agents Customer-support agents Internal copilots Autonomous agents MCP DIRECTORY Tools Policies Risk Levels Token Cost MCP SECURITY MCP Security Attack Database MCP Incidents Compliance LEARN Blog Research State of MCP Glossary Integrations Compare Scan STACK CHECK DOCS PRICING GET STARTED

// MCP TOOL REFERENCE

AWS MCP SERVER TOOLS

54 tools from the AWS MCP Server MCP Server, categorised by risk level.

View the AWS MCP Server policy →

// ALL 54 AWS MCP SERVER TOOLS

READ 12 tools

Read list-amis List AMIs Read list-buckets List all the S3 buckets in the given region Read list-db-instances List all the RDS DB instances in the given region Read list-ec2-instances List EC2 instances in a given region Read list-instance-tags List instance tags Read list-internet-gateways List all internet gateways in the given region Read list-key-pairs List key pairs in the given region Read list-route-tables List route tables in the given region Read list-security-group-rules List all security group rules in the given region Read list-security-groups List all security groups in the given region Read list-subnets List all the subnets in the given region Read list-vpcs List all the VPCs in the given region

WRITE 24 tools

Write associate-route-table Associate a route table with a subnet or internet gateway or virtual private gateway Write attach-internet-gateway Attach an internet gateway to a VPC Write authorize-security-group-egress Authorize a security group egress in the given region Write authorize-security-group-ingress Authorize a security group ingress in the given region Write create-ami Create an AMI Write create-bucket Create a new S3 bucket in the given region Write create-db-instance Create a new RDS DB instance in the given region Write create-instance-tag Create instance tag Write create-internet-gateway Create a new internet gateway in the given region Write create-key-pair Create a key pair in the given region Write create-route-table Create a route table in the given region Write create-security-group Create a security group in the given region Write create-subnet Create a subnet in the given region Write create-vpc Create a new VPC in the given region Write disassociate-route-table Disassociate a route table from a subnet or internet gateway or virtual private gateway Write import-key-pair Import a key pair in the given region Write modify-security-group-rules Modify a security group rule in the given region Write replace-route-table-association Replace the route table association for a subnet or internet gateway or virtual private gateway Write update-db-instance Update a given RDS DB instance in the given region Write update-security-group-rule-descriptions-egress Update the description of a security group rule egress in the given region Write update-security-group-rule-descriptions-ingress Update the description of a security group rule ingress in the given region Write update-subnet-attribute Update a subnet attributes by subnet ID in the given region Write update-vpc-attribute Update a VPC attribute(EnableDnsHostnames, EnableDnsSupport, EnableNetworkAddressUsageMetrics) by VPC ID in... Write update-vpc-endpoint Update a VPC endpoint(Gateway endpoint, Interface endpoint) by VPC endpoint ID in the given region

DESTRUCTIVE 14 tools

Destructive delete-ami Delete an AMI Destructive delete-bucket Delete an S3 bucket in the given region Destructive delete-db-instance Delete a given RDS DB instance in the given region Destructive delete-instance-tag Delete instance tag Destructive delete-internet-gateway Delete an internet gateway by ID in the given region Destructive delete-key-pair Delete a key pair in the given region Destructive delete-route-table Delete a route table in the given region Destructive delete-security-group Delete a security group in the given region Destructive delete-subnet Delete a subnet by subnet ID in the given region Destructive delete-vpc Delete a VPC by VPC ID in the given region Destructive revoke-security-group-egress Revoke a security group egress in the given region Destructive revoke-security-group-ingress Revoke a security group ingress in the given region Destructive detach-internet-gateway Detach an internet gateway from a VPC Destructive terminate-ec2-instance Terminate an EC2 instance in a given region

EXECUTE 4 tools

Execute launch-ec2-instance Launch an EC2 instance in a given region Execute start-ec2-instance Start an EC2 instance in a given region Execute stop-ec2-instance Stop an EC2 instance in a given region Execute reboot-ec2-instance Reboot an EC2 instance in a given region

// FAQ

How many tools does the AWS MCP Server MCP server have? +

The AWS MCP Server MCP server exposes 54 tools across 4 categories: Read, Write, Destructive, Execute.

How do I enforce policies on AWS MCP Server tools? +

Route the AWS MCP Server server through the PolicyLayer gateway. Define allow, deny, or approval rules per tool in the dashboard; they are enforced on every call before it reaches the server.

What risk categories do AWS MCP Server tools fall into? +

AWS MCP Server tools are categorised as Read (12), Write (24), Destructive (14), Execute (4). Each category has a recommended default policy.

Enforce policy on every AWS MCP Server tool call.

Start from AWS MCP Server, add the rest of your stack, and see everything your agents can call. Then put policy on all of it.

CHECK YOUR STACK →

Free to start. No card required.

43,000+ MCP servers and 220,000+ tools scanned and risk-classified.