{"skill":{"slug":"aws","displayName":"AWS | Amazon Web Services","summary":"Architect, deploy, and optimize AWS infrastructure avoiding cost explosions and security pitfalls.","description":"---\nname: AWS | Amazon Web Services\nslug: aws\nversion: 1.0.2\nhomepage: https://clawic.com/skills/aws\ndescription: Architect, deploy, and optimize AWS infrastructure avoiding cost explosions and security pitfalls.\nchangelog: Complete rewrite with cost traps, security hardening, service selection\nmetadata: {\"clawdbot\":{\"emoji\":\"☁️\",\"requires\":{\"bins\":[\"aws\"]},\"install\":[{\"id\":\"brew\",\"kind\":\"brew\",\"formula\":\"awscli\",\"bins\":[\"aws\"],\"label\":\"Install AWS CLI (Homebrew)\"}],\"os\":[\"linux\",\"darwin\",\"win32\"]}}\n---\n\n## Setup\n\nOn first use, read `setup.md` for integration options. The skill works immediately — setup is optional for personalization.\n\n## When to Use\n\nUser needs AWS infrastructure guidance. Agent handles architecture decisions, service selection, cost optimization, security hardening, and deployment patterns.\n\n## Architecture\n\nMemory lives in `~/aws/`. See `memory-template.md` for structure.\n\n```\n~/aws/\n├── memory.md        # Account context + preferences\n├── resources.md     # Active infrastructure inventory\n└── costs.md         # Cost tracking + alerts\n```\n\n## Quick Reference\n\n| Topic | File |\n|-------|------|\n| Setup process | `setup.md` |\n| Memory template | `memory-template.md` |\n| Service patterns | `services.md` |\n| Cost optimization | `costs.md` |\n| Security hardening | `security.md` |\n\n## Core Rules\n\n### 1. Verify Account Context First\nBefore any operation, confirm:\n- Region (default: us-east-1, but ask)\n- Account type (personal/startup/enterprise)\n- Existing infrastructure (VPC, subnets, security groups)\n\n```bash\naws sts get-caller-identity\naws ec2 describe-vpcs --query 'Vpcs[].{ID:VpcId,CIDR:CidrBlock,Default:IsDefault}'\n```\n\n### 2. Cost-First Architecture\nEvery recommendation includes cost impact:\n\n| Stage | Recommended Stack | Monthly Cost |\n|-------|-------------------|--------------|\n| MVP (<1k users) | Single EC2 + RDS | ~$50 |\n| Growth (1-10k) | ALB + ASG + RDS Multi-AZ | ~$200 |\n| Scale (10k+) | ECS/EKS + Aurora + ElastiCache | ~$500+ |\n\n**Default to smallest viable instance.** Scaling up is easy; scaling down wastes money.\n\n### 3. Security by Default\nEvery resource includes:\n- Principle of least privilege IAM\n- Encryption at rest (KMS default key minimum)\n- VPC isolation (no public subnets for databases)\n- Security groups with explicit deny-all inbound\n\n### 4. Infrastructure as Code\nGenerate Terraform or CloudFormation for reproducibility:\n```bash\n# Prefer Terraform for multi-cloud portability\nterraform init && terraform plan\n```\nNever rely on console-only changes.\n\n### 5. Tagging Strategy\nEvery resource gets tagged for cost allocation:\n```bash\n--tags Key=Environment,Value=prod Key=Project,Value=myapp Key=Owner,Value=team\n```\n\n### 6. Monitoring from Day 1\nDeploy CloudWatch alarms with infrastructure:\n- Billing alerts (before you get surprised)\n- CPU/Memory thresholds\n- Error rate spikes\n\n## Cost Traps\n\n**NAT Gateway data processing ($0.045/GB):**\nVPC endpoints are free for S3/DynamoDB. A busy app can burn $500/month on NAT alone.\n```bash\naws ec2 create-vpc-endpoint --vpc-id vpc-xxx \\\n  --service-name com.amazonaws.us-east-1.s3 --route-table-ids rtb-xxx\n```\n\n**EBS snapshots accumulate forever:**\nAutomated backups create snapshots that never delete. Set lifecycle policies.\n```bash\naws ec2 describe-snapshots --owner-ids self \\\n  --query 'Snapshots[?StartTime<=`2024-01-01`].[SnapshotId,StartTime,VolumeSize]'\n```\n\n**CloudWatch Logs default retention is forever:**\n```bash\naws logs put-retention-policy --log-group-name /aws/lambda/fn --retention-in-days 14\n```\n\n**Idle load balancers cost $16/month minimum:**\nALBs charge even with zero traffic. Delete unused ones.\n\n**Data transfer between AZs costs $0.01/GB each way:**\nChatty microservices across AZs add up fast. Co-locate when possible.\n\n## Security Traps\n\n**S3 bucket policies override ACLs:**\nConsole shows ACL as \"private\" but a bucket policy can still expose everything.\n```bash\naws s3api get-bucket-policy --bucket my-bucket 2>/dev/null || echo \"No policy\"\naws s3api get-public-access-block --bucket my-bucket\n```\n\n**Default VPC security groups allow all outbound:**\nAttackers exfiltrate through outbound. Restrict it.\n\n**IAM users with console access + programmatic access:**\nCredentials in code get leaked. Use roles + temporary credentials.\n\n**RDS publicly accessible defaults to Yes in console:**\nAlways verify:\n```bash\naws rds describe-db-instances --query 'DBInstances[].{ID:DBInstanceIdentifier,Public:PubliclyAccessible}'\n```\n\n## Performance Patterns\n\n**Lambda cold starts:**\n- Use provisioned concurrency for latency-sensitive functions\n- Keep packages small (<50MB unzipped)\n- Initialize SDK clients outside handler\n\n**RDS connection limits:**\n| Instance | Max Connections |\n|----------|-----------------|\n| db.t3.micro | 66 |\n| db.t3.small | 150 |\n| db.t3.medium | 300 |\n\nUse RDS Proxy for Lambda to avoid connection exhaustion.\n\n**EBS volume types:**\n| Type | Use Case | IOPS |\n|------|----------|------|\n| gp3 | Default (consistent) | 3,000 base |\n| io2 | Databases (guaranteed) | Up to 64,000 |\n| st1 | Big data (throughput) | 500 MiB/s |\n\n## Service Selection\n\n| Need | Service | Why |\n|------|---------|-----|\n| Static site | S3 + CloudFront | Pennies/month, global CDN |\n| API backend | Lambda + API Gateway | Zero idle cost |\n| Container app | ECS Fargate | No cluster management |\n| Database | RDS PostgreSQL | Managed, Multi-AZ ready |\n| Cache | ElastiCache Redis | Session/cache, < DynamoDB latency |\n| Queue | SQS | Simpler than SNS for most cases |\n| Search | OpenSearch | Elasticsearch managed |\n\n## CLI Essentials\n\n```bash\n# Configure credentials\naws configure --profile myproject\n\n# Always specify profile\nexport AWS_PROFILE=myproject\n\n# Check current identity\naws sts get-caller-identity\n\n# List all regions\naws ec2 describe-regions --query 'Regions[].RegionName'\n\n# Estimate monthly cost\naws ce get-cost-forecast --time-period Start=$(date +%Y-%m-01),End=$(date -v+1m +%Y-%m-01) \\\n  --metric UNBLENDED_COST --granularity MONTHLY\n```\n\n## Security & Privacy\n\n**Credentials:** This skill uses the AWS CLI, which reads credentials from `~/.aws/credentials` or environment variables. The skill never stores, logs, or transmits AWS credentials.\n\n**Local storage:** Preferences and context stored in `~/aws/` — no data leaves your machine.\n\n**CLI commands:** All commands shown are read-only by default. Destructive operations (delete, terminate) require explicit user confirmation.\n\n## Related Skills\nInstall with `clawhub install <slug>` if user confirms:\n- `infrastructure` — architecture decisions\n- `cloud` — multi-cloud patterns\n- `docker` — container basics\n- `backend` — API design\n\n## Feedback\n\n- If useful: `clawhub star aws`\n- Stay updated: `clawhub sync`\n","tags":{"latest":"1.0.2"},"stats":{"comments":0,"downloads":3607,"installsAllTime":25,"installsCurrent":25,"stars":2,"versions":3},"createdAt":1770658172261,"updatedAt":1778989274802},"latestVersion":{"version":"1.0.2","createdAt":1771978633756,"changelog":"Complete rewrite with cost traps, security hardening, service selection","license":null},"metadata":{"setup":[],"os":["linux","darwin","win32"],"systems":null},"owner":{"handle":"ivangdavila","userId":"s178jdk12x4qj3gs2se3etxf3h83h7ft","displayName":"Iván","image":"https://avatars.githubusercontent.com/u/81719670?v=4"},"moderation":{"isSuspicious":false,"isMalwareBlocked":false,"verdict":"clean","reasonCodes":["review.llm_review"],"summary":"Review: review.llm_review","engineVersion":"v2.4.24","updatedAt":1779963127712}}