AWS | Amazon Web Services

SKILL.md

---
name: AWS | Amazon Web Services
slug: aws
version: 1.0.2
homepage: https://clawic.com/skills/aws
description: Architect, deploy, and optimize AWS infrastructure avoiding cost explosions and security pitfalls.
changelog: Complete rewrite with cost traps, security hardening, service selection
metadata: {"clawdbot":{"emoji":"☁️","requires":{"bins":["aws"]},"install":[{"id":"brew","kind":"brew","formula":"awscli","bins":["aws"],"label":"Install AWS CLI (Homebrew)"}],"os":["linux","darwin","win32"]}}
---

## Setup

On first use, read `setup.md` for integration options. The skill works immediately — setup is optional for personalization.

## When to Use

User needs AWS infrastructure guidance. Agent handles architecture decisions, service selection, cost optimization, security hardening, and deployment patterns.

## Architecture

Memory lives in `~/aws/`. See `memory-template.md` for structure.

```
~/aws/
├── memory.md        # Account context + preferences
├── resources.md     # Active infrastructure inventory
└── costs.md         # Cost tracking + alerts
```

## Quick Reference

| Topic | File |
|-------|------|
| Setup process | `setup.md` |
| Memory template | `memory-template.md` |
| Service patterns | `services.md` |
| Cost optimization | `costs.md` |
| Security hardening | `security.md` |

## Core Rules

### 1. Verify Account Context First
Before any operation, confirm:
- Region (default: us-east-1, but ask)
- Account type (personal/startup/enterprise)
- Existing infrastructure (VPC, subnets, security groups)

```bash
aws sts get-caller-identity
aws ec2 describe-vpcs --query 'Vpcs[].{ID:VpcId,CIDR:CidrBlock,Default:IsDefault}'
```

### 2. Cost-First Architecture
Every recommendation includes cost impact:

| Stage | Recommended Stack | Monthly Cost |
|-------|-------------------|--------------|
| MVP (<1k users) | Single EC2 + RDS | ~$50 |
| Growth (1-10k) | ALB + ASG + RDS Multi-AZ | ~$200 |
| Scale (10k+) | ECS/EKS + Aurora + ElastiCache | ~$500+ |

**Default to smallest viable instance.** Scaling up is easy; scaling down wastes money.

### 3. Security by Default
Every resource includes:
- Principle of least privilege IAM
- Encryption at rest (KMS default key minimum)
- VPC isolation (no public subnets for databases)
- Security groups with explicit deny-all inbound

### 4. Infrastructure as Code
Generate Terraform or CloudFormation for reproducibility:
```bash
# Prefer Terraform for multi-cloud portability
terraform init && terraform plan
```
Never rely on console-only changes.

### 5. Tagging Strategy
Every resource gets tagged for cost allocation:
```bash
--tags Key=Environment,Value=prod Key=Project,Value=myapp Key=Owner,Value=team
```

### 6. Monitoring from Day 1
Deploy CloudWatch alarms with infrastructure:
- Billing alerts (before you get surprised)
- CPU/Memory thresholds
- Error rate spikes

## Cost Traps

**NAT Gateway data processing ($0.045/GB):**
VPC endpoints are free for S3/DynamoDB. A busy app can burn $500/month on NAT alone.
```bash
aws ec2 create-vpc-endpoint --vpc-id vpc-xxx \
  --service-name com.amazonaws.us-east-1.s3 --route-table-ids rtb-xxx
```

**EBS snapshots accumulate forever:**
Automated backups create snapshots that never delete. Set lifecycle policies.
```bash
aws ec2 describe-snapshots --owner-ids self \
  --query 'Snapshots[?StartTime<=`2024-01-01`].[SnapshotId,StartTime,VolumeSize]'
```

**CloudWatch Logs default retention is forever:**
```bash
aws logs put-retention-policy --log-group-name /aws/lambda/fn --retention-in-days 14
```

**Idle load balancers cost $16/month minimum:**
ALBs charge even with zero traffic. Delete unused ones.

**Data transfer between AZs costs $0.01/GB each way:**
Chatty microservices across AZs add up fast. Co-locate when possible.

## Security Traps

**S3 bucket policies override ACLs:**
Console shows ACL as "private" but a bucket policy can still expose everything.
```bash
aws s3api get-bucket-policy --bucket my-bucket 2>/dev/null || echo "No policy"
aws s3api get-public-access-block --bucket my-bucket
```

**Default VPC security groups allow all outbound:**
Attackers exfiltrate through outbound. Restrict it.

**IAM users with console access + programmatic access:**
Credentials in code get leaked. Use roles + temporary credentials.

**RDS publicly accessible defaults to Yes in console:**
Always verify:
```bash
aws rds describe-db-instances --query 'DBInstances[].{ID:DBInstanceIdentifier,Public:PubliclyAccessible}'
```

## Performance Patterns

**Lambda cold starts:**
- Use provisioned concurrency for latency-sensitive functions
- Keep packages small (<50MB unzipped)
- Initialize SDK clients outside handler

**RDS connection limits:**
| Instance | Max Connections |
|----------|-----------------|
| db.t3.micro | 66 |
| db.t3.small | 150 |
| db.t3.medium | 300 |

Use RDS Proxy for Lambda to avoid connection exhaustion.

**EBS volume types:**
| Type | Use Case | IOPS |
|------|----------|------|
| gp3 | Default (consistent) | 3,000 base |
| io2 | Databases (guaranteed) | Up to 64,000 |
| st1 | Big data (throughput) | 500 MiB/s |

## Service Selection

| Need | Service | Why |
|------|---------|-----|
| Static site | S3 + CloudFront | Pennies/month, global CDN |
| API backend | Lambda + API Gateway | Zero idle cost |
| Container app | ECS Fargate | No cluster management |
| Database | RDS PostgreSQL | Managed, Multi-AZ ready |
| Cache | ElastiCache Redis | Session/cache, < DynamoDB latency |
| Queue | SQS | Simpler than SNS for most cases |
| Search | OpenSearch | Elasticsearch managed |

## CLI Essentials

```bash
# Configure credentials
aws configure --profile myproject

# Always specify profile
export AWS_PROFILE=myproject

# Check current identity
aws sts get-caller-identity

# List all regions
aws ec2 describe-regions --query 'Regions[].RegionName'

# Estimate monthly cost
aws ce get-cost-forecast --time-period Start=$(date +%Y-%m-01),End=$(date -v+1m +%Y-%m-01) \
  --metric UNBLENDED_COST --granularity MONTHLY
```

## Security & Privacy

**Credentials:** This skill uses the AWS CLI, which reads credentials from `~/.aws/credentials` or environment variables. The skill never stores, logs, or transmits AWS credentials.

**Local storage:** Preferences and context stored in `~/aws/` — no data leaves your machine.

**CLI commands:** All commands shown are read-only by default. Destructive operations (delete, terminate) require explicit user confirmation.

## Related Skills
Install with `clawhub install <slug>` if user confirms:
- `infrastructure` — architecture decisions
- `cloud` — multi-cloud patterns
- `docker` — container basics
- `backend` — API design

## Feedback

- If useful: `clawhub star aws`
- Stay updated: `clawhub sync`