🎁 Get the FREE AI Skills Starter Guide β€” Subscribe β†’
BytesAgainBytesAgain
πŸ¦€ ClawHub

AWS | Amazon Web Services

by @ivangdavila

Architect, deploy, and optimize AWS infrastructure avoiding cost explosions and security pitfalls.

Versionv1.0.2
Downloads3,471
Installs21
Stars⭐ 2
TERMINAL
clawhub install aws

πŸ“– About This Skill


name: AWS | Amazon Web Services slug: aws version: 1.0.2 homepage: https://clawic.com/skills/aws description: Architect, deploy, and optimize AWS infrastructure avoiding cost explosions and security pitfalls. changelog: Complete rewrite with cost traps, security hardening, service selection metadata: {"clawdbot":{"emoji":"☁️","requires":{"bins":["aws"]},"install":[{"id":"brew","kind":"brew","formula":"awscli","bins":["aws"],"label":"Install AWS CLI (Homebrew)"}],"os":["linux","darwin","win32"]}}

Setup

On first use, read setup.md for integration options. The skill works immediately β€” setup is optional for personalization.

When to Use

User needs AWS infrastructure guidance. Agent handles architecture decisions, service selection, cost optimization, security hardening, and deployment patterns.

Architecture

Memory lives in ~/aws/. See memory-template.md for structure.

~/aws/
β”œβ”€β”€ memory.md        # Account context + preferences
β”œβ”€β”€ resources.md     # Active infrastructure inventory
└── costs.md         # Cost tracking + alerts

Quick Reference

| Topic | File | |-------|------| | Setup process | setup.md | | Memory template | memory-template.md | | Service patterns | services.md | | Cost optimization | costs.md | | Security hardening | security.md |

Core Rules

1. Verify Account Context First

Before any operation, confirm:
  • Region (default: us-east-1, but ask)
  • Account type (personal/startup/enterprise)
  • Existing infrastructure (VPC, subnets, security groups)
  • aws sts get-caller-identity
    aws ec2 describe-vpcs --query 'Vpcs[].{ID:VpcId,CIDR:CidrBlock,Default:IsDefault}'
    

    2. Cost-First Architecture

    Every recommendation includes cost impact:

    | Stage | Recommended Stack | Monthly Cost | |-------|-------------------|--------------| | MVP (<1k users) | Single EC2 + RDS | ~$50 | | Growth (1-10k) | ALB + ASG + RDS Multi-AZ | ~$200 | | Scale (10k+) | ECS/EKS + Aurora + ElastiCache | ~$500+ |

    Default to smallest viable instance. Scaling up is easy; scaling down wastes money.

    3. Security by Default

    Every resource includes:
  • Principle of least privilege IAM
  • Encryption at rest (KMS default key minimum)
  • VPC isolation (no public subnets for databases)
  • Security groups with explicit deny-all inbound
  • 4. Infrastructure as Code

    Generate Terraform or CloudFormation for reproducibility:
    # Prefer Terraform for multi-cloud portability
    terraform init && terraform plan
    
    Never rely on console-only changes.

    5. Tagging Strategy

    Every resource gets tagged for cost allocation:
    --tags Key=Environment,Value=prod Key=Project,Value=myapp Key=Owner,Value=team
    

    6. Monitoring from Day 1

    Deploy CloudWatch alarms with infrastructure:
  • Billing alerts (before you get surprised)
  • CPU/Memory thresholds
  • Error rate spikes
  • Cost Traps

    NAT Gateway data processing ($0.045/GB): VPC endpoints are free for S3/DynamoDB. A busy app can burn $500/month on NAT alone.

    aws ec2 create-vpc-endpoint --vpc-id vpc-xxx \
      --service-name com.amazonaws.us-east-1.s3 --route-table-ids rtb-xxx
    

    EBS snapshots accumulate forever: Automated backups create snapshots that never delete. Set lifecycle policies.

    aws ec2 describe-snapshots --owner-ids self \
      --query 'Snapshots[?StartTime<=2024-01-01].[SnapshotId,StartTime,VolumeSize]'
    

    CloudWatch Logs default retention is forever:

    aws logs put-retention-policy --log-group-name /aws/lambda/fn --retention-in-days 14
    

    Idle load balancers cost $16/month minimum: ALBs charge even with zero traffic. Delete unused ones.

    Data transfer between AZs costs $0.01/GB each way: Chatty microservices across AZs add up fast. Co-locate when possible.

    Security Traps

    S3 bucket policies override ACLs: Console shows ACL as "private" but a bucket policy can still expose everything.

    aws s3api get-bucket-policy --bucket my-bucket 2>/dev/null || echo "No policy"
    aws s3api get-public-access-block --bucket my-bucket
    

    Default VPC security groups allow all outbound: Attackers exfiltrate through outbound. Restrict it.

    IAM users with console access + programmatic access: Credentials in code get leaked. Use roles + temporary credentials.

    RDS publicly accessible defaults to Yes in console: Always verify:

    aws rds describe-db-instances --query 'DBInstances[].{ID:DBInstanceIdentifier,Public:PubliclyAccessible}'
    

    Performance Patterns

    Lambda cold starts:

  • Use provisioned concurrency for latency-sensitive functions
  • Keep packages small (<50MB unzipped)
  • Initialize SDK clients outside handler
  • RDS connection limits: | Instance | Max Connections | |----------|-----------------| | db.t3.micro | 66 | | db.t3.small | 150 | | db.t3.medium | 300 |

    Use RDS Proxy for Lambda to avoid connection exhaustion.

    EBS volume types: | Type | Use Case | IOPS | |------|----------|------| | gp3 | Default (consistent) | 3,000 base | | io2 | Databases (guaranteed) | Up to 64,000 | | st1 | Big data (throughput) | 500 MiB/s |

    Service Selection

    | Need | Service | Why | |------|---------|-----| | Static site | S3 + CloudFront | Pennies/month, global CDN | | API backend | Lambda + API Gateway | Zero idle cost | | Container app | ECS Fargate | No cluster management | | Database | RDS PostgreSQL | Managed, Multi-AZ ready | | Cache | ElastiCache Redis | Session/cache, < DynamoDB latency | | Queue | SQS | Simpler than SNS for most cases | | Search | OpenSearch | Elasticsearch managed |

    CLI Essentials

    # Configure credentials
    aws configure --profile myproject

    Always specify profile

    export AWS_PROFILE=myproject

    Check current identity

    aws sts get-caller-identity

    List all regions

    aws ec2 describe-regions --query 'Regions[].RegionName'

    Estimate monthly cost

    aws ce get-cost-forecast --time-period Start=$(date +%Y-%m-01),End=$(date -v+1m +%Y-%m-01) \ --metric UNBLENDED_COST --granularity MONTHLY

    Security & Privacy

    Credentials: This skill uses the AWS CLI, which reads credentials from ~/.aws/credentials or environment variables. The skill never stores, logs, or transmits AWS credentials.

    Local storage: Preferences and context stored in ~/aws/ β€” no data leaves your machine.

    CLI commands: All commands shown are read-only by default. Destructive operations (delete, terminate) require explicit user confirmation.

    Related Skills

    Install with clawhub install if user confirms:
  • infrastructure β€” architecture decisions
  • cloud β€” multi-cloud patterns
  • docker β€” container basics
  • backend β€” API design
  • Feedback

  • If useful: clawhub star aws
  • Stay updated: clawhub sync
  • ⚑ When to Use

    User needs AWS infrastructure guidance. Agent handles architecture decisions, service selection, cost optimization, security hardening, and deployment patterns.

    βš™οΈ Configuration

    On first use, read setup.md for integration options. The skill works immediately β€” setup is optional for personalization.