AWS | Amazon Web Services

---

name: AWS | Amazon Web Services slug: aws version: 1.0.2 homepage: https://clawic.com/skills/aws description: Architect, deploy, and optimize AWS infrastructure avoiding cost explosions and security pitfalls. changelog: Complete rewrite with cost traps, security hardening, service selection metadata: {"clawdbot":{"emoji":"☁️","requires":{"bins":["aws"]},"install":[{"id":"brew","kind":"brew","formula":"awscli","bins":["aws"],"label":"Install AWS CLI (Homebrew)"}],"os":["linux","darwin","win32"]}}

Setup

On first use, read setup.md for integration options. The skill works immediately — setup is optional for personalization.

When to Use

User needs AWS infrastructure guidance. Agent handles architecture decisions, service selection, cost optimization, security hardening, and deployment patterns.

Architecture

Memory lives in ~/aws/. See memory-template.md for structure.

~/aws/
├── memory.md        # Account context + preferences
├── resources.md     # Active infrastructure inventory
└── costs.md         # Cost tracking + alerts

Quick Reference

Topic	File
Setup process	setup.md
Memory template	memory-template.md
Service patterns	services.md
Cost optimization	costs.md
Security hardening	security.md

Core Rules

1. Verify Account Context First

Before any operation, confirm:

• Region (default: us-east-1, but ask)
• Account type (personal/startup/enterprise)
• Existing infrastructure (VPC, subnets, security groups)

aws sts get-caller-identity
aws ec2 describe-vpcs --query 'Vpcs[].{ID:VpcId,CIDR:CidrBlock,Default:IsDefault}'

2. Cost-First Architecture

Every recommendation includes cost impact:

Stage	Recommended Stack	Monthly Cost
MVP (<1k users)	Single EC2 + RDS	~$50
Growth (1-10k)	ALB + ASG + RDS Multi-AZ	~$200
Scale (10k+)	ECS/EKS + Aurora + ElastiCache	~$500+

Default to smallest viable instance. Scaling up is easy; scaling down wastes money.

3. Security by Default

Every resource includes:

• Principle of least privilege IAM
• Encryption at rest (KMS default key minimum)
• VPC isolation (no public subnets for databases)
• Security groups with explicit deny-all inbound

4. Infrastructure as Code

Generate Terraform or CloudFormation for reproducibility:

# Prefer Terraform for multi-cloud portability
terraform init && terraform plan

Never rely on console-only changes.

5. Tagging Strategy

Every resource gets tagged for cost allocation:

--tags Key=Environment,Value=prod Key=Project,Value=myapp Key=Owner,Value=team

6. Monitoring from Day 1

Deploy CloudWatch alarms with infrastructure:

• Billing alerts (before you get surprised)
• CPU/Memory thresholds
• Error rate spikes

Cost Traps

NAT Gateway data processing ($0.045/GB): VPC endpoints are free for S3/DynamoDB. A busy app can burn $500/month on NAT alone.

aws ec2 create-vpc-endpoint --vpc-id vpc-xxx \
  --service-name com.amazonaws.us-east-1.s3 --route-table-ids rtb-xxx

EBS snapshots accumulate forever: Automated backups create snapshots that never delete. Set lifecycle policies.

aws ec2 describe-snapshots --owner-ids self \
  --query 'Snapshots[?StartTime<=`2024-01-01`].[SnapshotId,StartTime,VolumeSize]'

CloudWatch Logs default retention is forever:

aws logs put-retention-policy --log-group-name /aws/lambda/fn --retention-in-days 14

Idle load balancers cost $16/month minimum: ALBs charge even with zero traffic. Delete unused ones.

Data transfer between AZs costs $0.01/GB each way: Chatty microservices across AZs add up fast. Co-locate when possible.

Security Traps

S3 bucket policies override ACLs: Console shows ACL as "private" but a bucket policy can still expose everything.

aws s3api get-bucket-policy --bucket my-bucket 2>/dev/null || echo "No policy"
aws s3api get-public-access-block --bucket my-bucket

Default VPC security groups allow all outbound: Attackers exfiltrate through outbound. Restrict it.

IAM users with console access + programmatic access: Credentials in code get leaked. Use roles + temporary credentials.

RDS publicly accessible defaults to Yes in console: Always verify:

aws rds describe-db-instances --query 'DBInstances[].{ID:DBInstanceIdentifier,Public:PubliclyAccessible}'

Performance Patterns

Lambda cold starts:

• Use provisioned concurrency for latency-sensitive functions
• Keep packages small (<50MB unzipped)
• Initialize SDK clients outside handler

RDS connection limits:

Instance	Max Connections
db.t3.micro	66
db.t3.small	150
db.t3.medium	300

Use RDS Proxy for Lambda to avoid connection exhaustion.

EBS volume types:

Type	Use Case	IOPS
gp3	Default (consistent)	3,000 base
io2	Databases (guaranteed)	Up to 64,000
st1	Big data (throughput)	500 MiB/s

Service Selection

Need	Service	Why
Static site	S3 + CloudFront	Pennies/month, global CDN
API backend	Lambda + API Gateway	Zero idle cost
Container app	ECS Fargate	No cluster management
Database	RDS PostgreSQL	Managed, Multi-AZ ready
Cache	ElastiCache Redis	Session/cache, < DynamoDB latency
Queue	SQS	Simpler than SNS for most cases
Search	OpenSearch	Elasticsearch managed

CLI Essentials

# Configure credentials
aws configure --profile myproject

# Always specify profile
export AWS_PROFILE=myproject

# Check current identity
aws sts get-caller-identity

# List all regions
aws ec2 describe-regions --query 'Regions[].RegionName'

# Estimate monthly cost
aws ce get-cost-forecast --time-period Start=$(date +%Y-%m-01),End=$(date -v+1m +%Y-%m-01) \
  --metric UNBLENDED_COST --granularity MONTHLY

Security & Privacy

Credentials: This skill uses the AWS CLI, which reads credentials from ~/.aws/credentials or environment variables. The skill never stores, logs, or transmits AWS credentials.

Local storage: Preferences and context stored in ~/aws/ — no data leaves your machine.

CLI commands: All commands shown are read-only by default. Destructive operations (delete, terminate) require explicit user confirmation.

Related Skills

Install with clawhub install <slug> if user confirms:

• infrastructure — architecture decisions
• cloud — multi-cloud patterns
• docker — container basics
• backend — API design

Feedback

• If useful: clawhub star aws
• Stay updated: clawhub sync