AWS | Amazon Web Services
Verified
Architect, deploy, and optimize AWS infrastructure, avoiding cost explosions and security pitfalls.
About This Skill
Setup
On first use, read `setup.md` for integration options. The skill works immediately — setup is optional for personalization.
When to Use
User needs AWS infrastructure guidance. Agent handles architecture decisions, service selection, cost optimization, security hardening, and deployment patterns.
Architecture
Memory lives in `~/aws/`. See `memory-template.md` for structure.
```
~/aws/
├── memory.md      # Account context + preferences
├── resources.md   # Active infrastructure inventory
└── costs.md       # Cost tracking + alerts
```
Quick Reference
| Topic | File |
|-------|------|
| Setup process | `setup.md` |
| Memory template | `memory-template.md` |
| Service patterns | `services.md` |
| Cost optimization | `costs.md` |
| Security hardening | `security.md` |
Core Rules
1. Verify Account Context First
Before any operation, confirm:
- Region (default: us-east-1, but ask)
- Account type (personal/startup/enterprise)
- Existing infrastructure (VPC, subnets, security groups)
```bash
aws sts get-caller-identity
aws ec2 describe-vpcs --query 'Vpcs[].{ID:VpcId,CIDR:CidrBlock,Default:IsDefault}'
```
2. Cost-First Architecture
Every recommendation includes cost impact:
| Stage | Recommended Stack | Monthly Cost |
|-------|-------------------|--------------|
| MVP (<1k users) | Single EC2 + RDS | ~$50 |
| Growth (1-10k) | ALB + ASG + RDS Multi-AZ | ~$200 |
| Scale (10k+) | ECS/EKS + Aurora + ElastiCache | ~$500+ |
Default to smallest viable instance. Scaling up is easy; scaling down wastes money.
3. Security by Default
Every resource includes:
- Principle of least privilege IAM
- Encryption at rest (KMS default key minimum)
- VPC isolation (no public subnets for databases)
- Security groups with no inbound rules beyond what the workload needs (security groups are deny-by-default and carry only allow rules, so "deny-all inbound" means adding nothing unnecessary)
4. Infrastructure as Code
Generate Terraform or CloudFormation for reproducibility:
```bash
# Prefer Terraform for multi-cloud portability
terraform init && terraform plan
```
Never rely on console-only changes.
5. Tagging Strategy
Every resource gets tagged for cost allocation:
```bash
# Tag argument in the form accepted by, for example, aws ec2 create-tags
--tags Key=Environment,Value=prod Key=Project,Value=myapp Key=Owner,Value=team
```
6. Monitoring from Day 1
Deploy CloudWatch alarms with infrastructure:
- Billing alerts (before you get surprised)
- CPU/Memory thresholds
- Error rate spikes
Cost Traps
NAT Gateway data processing ($0.045/GB): Gateway VPC endpoints for S3 and DynamoDB are free, so traffic to those services should never cross the NAT. A busy app can burn $500/month on NAT alone.
```bash
aws ec2 create-vpc-endpoint --vpc-id vpc-xxx \
    --service-name com.amazonaws.us-east-1.s3 --route-table-ids rtb-xxx
```
EBS snapshots accumulate forever: Automated backups create snapshots that are never deleted on their own. Set lifecycle policies (Data Lifecycle Manager).
```bash
# List snapshots you own that started on or before 2024-01-01
aws ec2 describe-snapshots --owner-ids self \
    --query 'Snapshots[?StartTime<=`2024-01-01`].[SnapshotId,StartTime,VolumeSize]'
```
CloudWatch Logs default retention is forever:
```bash
aws logs put-retention-policy --log-group-name /aws/lambda/fn --retention-in-days 14
```
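The two silent cost sinks above, snapshots that are never pruned and log groups with no retention, can be found from the CLI's JSON output. This is an added example, not part of the skill's own files; it consumes the shape of `aws ec2 describe-snapshots --owner-ids self` and `aws logs describe-log-groups`, and the inputs below are constructed so it runs offline.

```python
"""Find aged EBS snapshots and log groups with no retention from AWS CLI JSON.
Added example, not part of the skill's own files; the inputs below are constructed."""
from datetime import datetime, timedelta

SAMPLE_SNAPSHOTS = {"Snapshots": [
    {"SnapshotId": "snap-0ami", "StartTime": "2023-06-01T00:00:00+00:00", "VolumeSize": 100,
     "Description": "Created by CreateImage(i-0abc) for ami-0abc"},   # backs an AMI
    {"SnapshotId": "snap-0aged", "StartTime": "2023-11-15T00:00:00+00:00", "VolumeSize": 20,
     "Description": "nightly backup"},
    {"SnapshotId": "snap-0new", "StartTime": "2024-03-01T00:00:00+00:00", "VolumeSize": 50,
     "Description": "nightly backup"}]}
SAMPLE_LOG_GROUPS = {"logGroups": [
    {"logGroupName": "/aws/lambda/fn", "storedBytes": 5_000_000_000},   # no retentionInDays = forever
    {"logGroupName": "/aws/lambda/other", "retentionInDays": 14, "storedBytes": 10_000}]}


def parse_aws_time(value):
    """AWS CLI prints ISO-8601 with a trailing Z; fromisoformat needs +00:00 before Python 3.11."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_snapshots(snap_resp, now_iso, max_age_days=90):
    """Snapshots older than max_age_days, plus their total GiB. Snapshots whose
    description says they back an AMI are skipped, since deleting those breaks the AMI
    (a heuristic; the authoritative check is describe-images BlockDeviceMappings)."""
    cutoff = parse_aws_time(now_iso) - timedelta(days=max_age_days)
    stale = [(s["SnapshotId"], s["VolumeSize"]) for s in snap_resp["Snapshots"]
             if parse_aws_time(s["StartTime"]) <= cutoff
             and "for ami-" not in s.get("Description", "")]
    return stale, sum(size for _, size in stale)


def unbounded_log_groups(lg_resp):
    """Log groups with no retentionInDays key: CloudWatch keeps their data forever."""
    return [g["logGroupName"] for g in lg_resp["logGroups"] if "retentionInDays" not in g]


def retention_commands(names, days=14):
    """The put-retention-policy command from the text, one per unbounded group."""
    return [f"aws logs put-retention-policy --log-group-name {n} --retention-in-days {days}"
            for n in names]


if __name__ == "__main__":
    stale, total_gib = stale_snapshots(SAMPLE_SNAPSHOTS, "2024-04-01T00:00:00Z")
    print("stale snapshots:", stale, "total GiB:", total_gib)
    for cmd in retention_commands(unbounded_log_groups(SAMPLE_LOG_GROUPS)):
        print(cmd)
```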
Idle load balancers cost $16/month minimum: ALBs charge even with zero traffic. Delete unused ones.
Data transfer between AZs costs $0.01/GB each way: Chatty microservices across AZs add up fast. Co-locate when possible.
Security Traps
S3 bucket policies grant access independently of ACLs: The console shows the ACL as "private", but a bucket policy can still expose everything. Check both the policy and the Block Public Access settings.
```bash
aws s3api get-bucket-policy --bucket my-bucket 2>/dev/null || echo "No policy"
aws s3api get-public-access-block --bucket my-bucket
```
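Evaluating the two outputs together, as an added example that is not part of the skill's own files: it reads the JSON that `get-bucket-policy` and `get-public-access-block` return (the samples below are constructed) and reports whether a wildcard-principal statement is actually live.

```python
"""Flag S3 bucket policies that grant anonymous access, and whether Block Public
Access neutralises them. Added example; the two CLI responses below are constructed."""
import json

# Constructed: Block Public Access with the policy-related controls switched off.
SAMPLE_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}

# Constructed: get-bucket-policy returns the policy document as a JSON *string* under "Policy".
SAMPLE_POLICY = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::my-bucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::my-bucket/*"}]})}


def is_public_principal(principal):
    """True for the wildcard principal in any spelling: "*", {"AWS": "*"}, {"AWS": ["*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_statements(policy_resp):
    """Allow statements naming the wildcard principal. Statements with a Condition are
    reported too: AWS still treats them as public unless the condition pins access to
    specific principals, accounts, VPCs or source IPs, so they need manual review."""
    doc = json.loads(policy_resp["Policy"])
    stmts = doc.get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]   # a single statement may be a bare dict
    return [s for s in stmts
            if s.get("Effect") == "Allow" and is_public_principal(s.get("Principal"))]


def assess_bucket(pab_resp, policy_resp):
    """Combine both outputs. RestrictPublicBuckets is what neutralises an *existing*
    public policy; BlockPublicPolicy only rejects new ones. Assumption: no account-level
    Block Public Access setting overrides the bucket-level one."""
    cfg = pab_resp.get("PublicAccessBlockConfiguration", {})
    pub = public_statements(policy_resp) if policy_resp else []
    if not pub:
        return "OK: no wildcard-principal Allow statements"
    if cfg.get("RestrictPublicBuckets"):
        return "BLOCKED: public statement present, but RestrictPublicBuckets stops anonymous access"
    return f"PUBLIC: {len(pub)} statement(s) grant anonymous access and RestrictPublicBuckets is off"
```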
Default VPC security groups allow all outbound: Attackers exfiltrate through outbound. Restrict it.
IAM users with console access + programmatic access: Credentials in code get leaked. Use roles + temporary credentials.
RDS publicly accessible defaults to Yes in console: Always verify:
```bash
aws rds describe-db-instances --query 'DBInstances[].{ID:DBInstanceIdentifier,Public:PubliclyAccessible}'
```
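The open-outbound and public-RDS traps above are worth checking together, since a public RDS instance is only reachable when an attached security group also opens the database port to the world. This is an added example, not part of the skill's own files: it audits the JSON shapes of `aws ec2 describe-security-groups` and `aws rds describe-db-instances`, with constructed inputs so it runs offline.

```python
"""Audit security groups for world-open rules and RDS instances for PubliclyAccessible.
Added example, not part of the skill's own files; the inputs below are constructed."""
import ipaddress

SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-0default",   # default SG: all egress open, ingress only from itself
     "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0default"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0db",        # Postgres port open to the world, egress limited to the VPC
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                              "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}]}
SAMPLE_RDS = {"DBInstances": [
    {"DBInstanceIdentifier": "prod-db", "PubliclyAccessible": True,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0db"}]},
    {"DBInstanceIdentifier": "dev-db", "PubliclyAccessible": False,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0db"}]}]}


def is_world(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. every host on the internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def world_open_rules(perms):
    """Port summaries of rules whose CIDR list includes the whole internet."""
    hits = []
    for p in perms:
        cidrs = ([r["CidrIp"] for r in p.get("IpRanges", [])]
                 + [r["CidrIpv6"] for r in p.get("Ipv6Ranges", [])])
        if any(is_world(c) for c in cidrs):
            proto = p["IpProtocol"]   # "-1" means all protocols and ports
            hits.append("all" if proto == "-1" else f"{proto}/{p.get('FromPort')}-{p.get('ToPort')}")
    return hits


def audit_security_groups(sg_resp):
    """(GroupId, 'ingress' or 'egress', ports) for every world-open rule."""
    return [(sg["GroupId"], kind, ports)
            for sg in sg_resp["SecurityGroups"]
            for kind, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress"))
            for ports in world_open_rules(sg.get(key, []))]


def audit_rds(rds_resp, sg_findings):
    """'critical': PubliclyAccessible and an attached SG opens ingress to the world;
    'public-flag': flag set but no world-open ingress; 'ok': flag off."""
    open_ingress = {gid for gid, kind, _ in sg_findings if kind == "ingress"}
    result = {}
    for db in rds_resp["DBInstances"]:
        attached = {g["VpcSecurityGroupId"] for g in db["VpcSecurityGroups"]}
        if not db["PubliclyAccessible"]:
            result[db["DBInstanceIdentifier"]] = "ok"
        else:
            result[db["DBInstanceIdentifier"]] = "critical" if attached & open_ingress else "public-flag"
    return result
```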
Performance Patterns
- Lambda cold starts:
  - Use provisioned concurrency for latency-sensitive functions
  - Keep packages small (<50MB unzipped)
  - Initialize SDK clients outside the handler
RDS connection limits:
| Instance | Max Connections |
|----------|-----------------|
| db.t3.micro | 66 |
| db.t3.small | 150 |
| db.t3.medium | 300 |
Use RDS Proxy for Lambda to avoid connection exhaustion.
EBS volume types:
| Type | Use Case | IOPS |
|------|----------|------|
| gp3 | Default (consistent) | 3,000 base |
| io2 | Databases (guaranteed) | Up to 64,000 |
| st1 | Big data (throughput) | 500 MiB/s |
Service Selection
| Need | Service | Why |
|------|---------|-----|
| Static site | S3 + CloudFront | Pennies/month, global CDN |
| API backend | Lambda + API Gateway | Zero idle cost |
| Container app | ECS Fargate | No cluster management |
| Database | RDS PostgreSQL | Managed, Multi-AZ ready |
| Cache | ElastiCache Redis | Session/cache, lower latency than DynamoDB |
| Queue | SQS | Simpler than SNS for most cases |
| Search | OpenSearch | Managed Elasticsearch |
CLI Essentials
```bash
# Configure credentials
aws configure --profile myproject

# Always specify profile
export AWS_PROFILE=myproject

# Check current identity
aws sts get-caller-identity

# List all regions
aws ec2 describe-regions --query 'Regions[].RegionName'

# Estimate monthly cost (date -v+1m is BSD/macOS syntax; on GNU date use: date -d '+1 month' +%Y-%m-01)
aws ce get-cost-forecast --time-period Start=$(date +%Y-%m-01),End=$(date -v+1m +%Y-%m-01) \
    --metric UNBLENDED_COST --granularity MONTHLY
```
Security & Privacy
Credentials: This skill uses the AWS CLI, which reads credentials from `~/.aws/credentials` or environment variables. The skill never stores, logs, or transmits AWS credentials.
Local storage: Preferences and context stored in `~/aws/` — no data leaves your machine.
CLI commands: The commands shown are mostly read-only; the few that change state (for example `create-vpc-endpoint` and `put-retention-policy`) and any destructive operation (delete, terminate) require explicit user confirmation.
Related Skills
Install with `clawhub install <slug>` if user confirms:
- `infrastructure` — architecture decisions
- `cloud` — multi-cloud patterns
- `docker` — container basics
- `backend` — API design
Feedback
- If useful: `clawhub star aws`
- Stay updated: `clawhub sync`
Use Cases
- Select the right AWS services and instance sizes for your application stage (MVP to scale)
- Identify and eliminate AWS cost traps like NAT Gateway data processing and idle load balancers
- Harden security by auditing S3 bucket policies, IAM users, and security group rules
- Generate Terraform or CloudFormation templates for reproducible infrastructure
- Set up CloudWatch billing alerts and monitoring alarms from day one
Pros & Cons
Pros
- Cost-first approach with monthly estimates for each architecture stage
- Covers common AWS pitfalls (NAT costs, EBS snapshot accumulation, public RDS) that catch beginners
- Security by default with least-privilege IAM, encryption, and VPC isolation built into recommendations
- Maintains persistent memory in `~/aws/` for account context across sessions
Cons
- Guidance-focused — does not execute AWS CLI commands on its own without user confirmation
- Best practices may not apply to specialized workloads (ML training, HPC, IoT)
- Memory and preferences stored locally mean context is lost if the home directory changes