AWS | Amazon Web Services

Architect, deploy, and optimize AWS infrastructure avoiding cost explosions and security pitfalls.

MIT-0 · Free to use, modify, and redistribute. No attribution required.

⭐ 2 · 1.9k · 13 current installs · 13 all-time installs

byIván@ivangdavila

MIT-0

Security Scan

VirusTotal

Suspicious

View report →

OpenClaw

Benign

medium confidence

✓

Purpose & Capability

The name/description (AWS guidance, cost/security/deploy) matches the declared needs: the aws CLI binary and guidance-heavy SKILL.md. Commands and files relate to AWS architecture, costs, security, and IaC — appropriate for the stated purpose.

ℹ

Instruction Scope

The SKILL.md instructs the agent to run many aws CLI commands (sts, describe-*, create-*, put-*) and to read/write a local memory directory at ~/aws. This is consistent with an assistive AWS skill, but the instructions include commands that create resources (VPC endpoints, IAM users/roles, budgets) and change account state — so the agent (or a user following the guidance) could perform impactful operations. The skill implicitly accesses AWS credentials via the CLI config or environment variables.

ℹ

Install Mechanism

Install spec is a single Homebrew formula (awscli) that produces the aws binary — a reasonable, low-risk install for macOS/Linux Homebrew users. Minor inconsistency: the skill declares support for win32 but only provides a brew install; Windows install steps are not provided.

ℹ

Credentials

The skill declares no required env vars, which is reasonable because it relies on the aws CLI. However, runtime instructions will use AWS credentials from the environment or ~/.aws/ config and may read/write ~/aws/memory.md. This is proportional to the purpose but means the skill can access whatever permissions the configured AWS profile has — including highly privileged operations if credentials are admin-level.

ℹ

Persistence & Privilege

The skill stores memory under ~/aws/ (memory.md, resources.md, costs.md) and may persist account context locally. always:false (not force-installed). Autonomous invocation is allowed (platform default). Writing to a user-owned ~/aws directory is expected, but users should be aware that account context and resource inventory will be stored on disk.

Assessment

This skill is coherent for AWS guidance but be cautious: it runs aws CLI commands and will use whatever AWS credentials are available in your environment or ~/.aws/config. Before using it, (1) ensure the CLI is configured with a low-privilege/read-only profile for exploration; (2) review any suggested commands before running them — examples include resource-creating commands (IAM users, VPC endpoints, budgets) that can change billing or security posture; (3) be aware the skill will write files to ~/aws/ containing account/context notes; (4) on Windows you may need a different install method (brew is provided only); and (5) if you plan to let an autonomous agent run commands, limit its AWS permissions with least-privilege roles and use separate billing/ sandbox accounts to avoid accidental costs or privilege escalation.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.2

Download zip

latestvk9732hsr802atn69dsg4xse87581t5b8

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

☁️ Clawdis

OSLinux · macOS · Windows

Binsaws

Install

Install AWS CLI (Homebrew)

Bins: aws

brew install awscli

SKILL.md

Setup

On first use, read setup.md for integration options. The skill works immediately — setup is optional for personalization.

When to Use

User needs AWS infrastructure guidance. Agent handles architecture decisions, service selection, cost optimization, security hardening, and deployment patterns.

Architecture

Memory lives in ~/aws/. See memory-template.md for structure.

~/aws/
├── memory.md        # Account context + preferences
├── resources.md     # Active infrastructure inventory
└── costs.md         # Cost tracking + alerts

Quick Reference

Topic	File
Setup process	`setup.md`
Memory template	`memory-template.md`
Service patterns	`services.md`
Cost optimization	`costs.md`
Security hardening	`security.md`

Core Rules

1. Verify Account Context First

Before any operation, confirm:

Region (default: us-east-1, but ask)
Account type (personal/startup/enterprise)
Existing infrastructure (VPC, subnets, security groups)

aws sts get-caller-identity
aws ec2 describe-vpcs --query 'Vpcs[].{ID:VpcId,CIDR:CidrBlock,Default:IsDefault}'

2. Cost-First Architecture

Every recommendation includes cost impact:

Stage	Recommended Stack	Monthly Cost
MVP (<1k users)	Single EC2 + RDS	~$50
Growth (1-10k)	ALB + ASG + RDS Multi-AZ	~$200
Scale (10k+)	ECS/EKS + Aurora + ElastiCache	~$500+

Default to smallest viable instance. Scaling up is easy; scaling down wastes money.

3. Security by Default

Every resource includes:

Principle of least privilege IAM
Encryption at rest (KMS default key minimum)
VPC isolation (no public subnets for databases)
Security groups with explicit deny-all inbound

4. Infrastructure as Code

Generate Terraform or CloudFormation for reproducibility:

# Prefer Terraform for multi-cloud portability
terraform init && terraform plan

Never rely on console-only changes.

5. Tagging Strategy

Every resource gets tagged for cost allocation:

--tags Key=Environment,Value=prod Key=Project,Value=myapp Key=Owner,Value=team

6. Monitoring from Day 1

Deploy CloudWatch alarms with infrastructure:

Billing alerts (before you get surprised)
CPU/Memory thresholds
Error rate spikes

Cost Traps

NAT Gateway data processing ($0.045/GB): VPC endpoints are free for S3/DynamoDB. A busy app can burn $500/month on NAT alone.

aws ec2 create-vpc-endpoint --vpc-id vpc-xxx \
  --service-name com.amazonaws.us-east-1.s3 --route-table-ids rtb-xxx

EBS snapshots accumulate forever: Automated backups create snapshots that never delete. Set lifecycle policies.

aws ec2 describe-snapshots --owner-ids self \
  --query 'Snapshots[?StartTime<=`2024-01-01`].[SnapshotId,StartTime,VolumeSize]'

CloudWatch Logs default retention is forever:

aws logs put-retention-policy --log-group-name /aws/lambda/fn --retention-in-days 14

Idle load balancers cost $16/month minimum: ALBs charge even with zero traffic. Delete unused ones.

Data transfer between AZs costs $0.01/GB each way: Chatty microservices across AZs add up fast. Co-locate when possible.

Security Traps

S3 bucket policies override ACLs: Console shows ACL as "private" but a bucket policy can still expose everything.

aws s3api get-bucket-policy --bucket my-bucket 2>/dev/null || echo "No policy"
aws s3api get-public-access-block --bucket my-bucket

Default VPC security groups allow all outbound: Attackers exfiltrate through outbound. Restrict it.

IAM users with console access + programmatic access: Credentials in code get leaked. Use roles + temporary credentials.

RDS publicly accessible defaults to Yes in console: Always verify:

aws rds describe-db-instances --query 'DBInstances[].{ID:DBInstanceIdentifier,Public:PubliclyAccessible}'

Performance Patterns

Lambda cold starts:

Use provisioned concurrency for latency-sensitive functions
Keep packages small (<50MB unzipped)
Initialize SDK clients outside handler

RDS connection limits:

Instance	Max Connections
db.t3.micro	66
db.t3.small	150
db.t3.medium	300

Use RDS Proxy for Lambda to avoid connection exhaustion.

EBS volume types:

Type	Use Case	IOPS
gp3	Default (consistent)	3,000 base
io2	Databases (guaranteed)	Up to 64,000
st1	Big data (throughput)	500 MiB/s

Service Selection

Need	Service	Why
Static site	S3 + CloudFront	Pennies/month, global CDN
API backend	Lambda + API Gateway	Zero idle cost
Container app	ECS Fargate	No cluster management
Database	RDS PostgreSQL	Managed, Multi-AZ ready
Cache	ElastiCache Redis	Session/cache, < DynamoDB latency
Queue	SQS	Simpler than SNS for most cases
Search	OpenSearch	Elasticsearch managed

CLI Essentials

# Configure credentials
aws configure --profile myproject

# Always specify profile
export AWS_PROFILE=myproject

# Check current identity
aws sts get-caller-identity

# List all regions
aws ec2 describe-regions --query 'Regions[].RegionName'

# Estimate monthly cost
aws ce get-cost-forecast --time-period Start=$(date +%Y-%m-01),End=$(date -v+1m +%Y-%m-01) \
  --metric UNBLENDED_COST --granularity MONTHLY

Security & Privacy

Credentials: This skill uses the AWS CLI, which reads credentials from ~/.aws/credentials or environment variables. The skill never stores, logs, or transmits AWS credentials.

Local storage: Preferences and context stored in ~/aws/ — no data leaves your machine.

CLI commands: All commands shown are read-only by default. Destructive operations (delete, terminate) require explicit user confirmation.

Related Skills

Install with clawhub install <slug> if user confirms:

infrastructure — architecture decisions
cloud — multi-cloud patterns
docker — container basics
backend — API design

Feedback

If useful: clawhub star aws
Stay updated: clawhub sync

Files

6 total

Select a file

Select a file to preview.

Comments

Loading comments…