
This skill validates and analyzes AWS CloudFormation templates for security, cost, and best practices, delivering actionable findings.

npx playbooks add skill a5c-ai/babysitter --skill cloudformation-analyzer


SKILL.md
---
name: cloudformation-analyzer
description: Validate and analyze AWS CloudFormation templates for security and best practices
allowed-tools:
  - Bash
  - Read
  - Write
  - Glob
---

# CloudFormation Analyzer Skill

## Overview

Validates and analyzes AWS CloudFormation templates including security scanning with cfn-nag, resource dependency analysis, and cost estimation.

## Capabilities

- Validate CloudFormation templates
- Security scanning (cfn-nag)
- Resource dependency analysis
- Cost estimation
- Best practice linting
- Drift detection support
- Stack change set analysis

## Target Processes

- iac-review
- cloud-architecture-design

## Input Schema

```json
{
  "type": "object",
  "required": ["templatePath"],
  "properties": {
    "templatePath": {
      "type": "string",
      "description": "Path to CloudFormation template"
    },
    "mode": {
      "type": "string",
      "enum": ["validate", "security", "cost", "all"],
      "default": "all"
    },
    "options": {
      "type": "object",
      "properties": {
        "parametersFile": {
          "type": "string",
          "description": "Path to parameters file"
        },
        "region": {
          "type": "string",
          "default": "us-east-1"
        },
        "failOnWarning": {
          "type": "boolean",
          "default": false
        }
      }
    }
  }
}
```

## Output Schema

```json
{
  "type": "object",
  "properties": {
    "valid": {
      "type": "boolean"
    },
    "resources": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "logicalId": { "type": "string" },
          "type": { "type": "string" },
          "dependencies": { "type": "array" }
        }
      }
    },
    "securityFindings": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "rule": { "type": "string" },
          "severity": { "type": "string" },
          "resource": { "type": "string" },
          "message": { "type": "string" }
        }
      }
    },
    "estimatedCost": {
      "type": "object",
      "properties": {
        "monthly": { "type": "number" },
        "breakdown": { "type": "array" }
      }
    }
  }
}
```

## Usage Example

```javascript
{
  kind: 'skill',
  skill: {
    name: 'cloudformation-analyzer',
    context: {
      templatePath: 'infrastructure/main.yaml',
      mode: 'all',
      options: {
        region: 'us-east-1'
      }
    }
  }
}
```

Overview

This skill validates and analyzes AWS CloudFormation templates to surface security issues, resource dependencies, and cost estimates. It combines template validation, cfn-nag-style security scanning, dependency mapping, and simple cost breakdowns to support fast IaC reviews. Use it to catch problems earlier and improve template quality before deployment.

How this skill works

The skill parses the specified CloudFormation template, runs schema and syntactic validation, and enumerates defined resources and their dependencies. It runs security checks similar to cfn-nag to identify risky configurations, produces a change-set or drift-aware view when available, and estimates monthly costs with a per-resource breakdown. Results are returned as a structured report including validity, resources, security findings, and estimated costs.
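As an added illustration, not code from the babysitter project: a minimal Python pass over a constructed JSON template that enumerates resources, resolves dependencies from Ref, Fn::GetAtt and DependsOn, and emits two cfn-nag-style findings in the shape of the output schema above. The template, the rule names and the messages are invented for the example; cost estimation and change-set analysis are left out.

```python
import json

# Constructed sample template (not from the page) and invented rule names: a public-read
# bucket, a security group open to the world on port 22, and an instance referencing both.
TEMPLATE = json.loads("""{"Resources": {
  "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
  "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
  "Web": {"Type": "AWS::EC2::Instance", "DependsOn": "LogsBucket", "Properties": {
    "SecurityGroupIds": [{"Ref": "WebSg"}],
    "Tags": [{"Key": "logs", "Value": {"Fn::GetAtt": ["LogsBucket", "Arn"]}}]}}
}}""")

def find_refs(node, logical_ids):
    """Collect logical IDs referenced via Ref or Fn::GetAtt anywhere under node."""
    refs = set()
    if isinstance(node, dict):
        if node.get("Ref") in logical_ids:
            refs.add(node["Ref"])
        if "Fn::GetAtt" in node:  # list form ["Id", "Attr"] or string form "Id.Attr"
            target = node["Fn::GetAtt"]
            name = target[0] if isinstance(target, list) else target.split(".")[0]
            if name in logical_ids:
                refs.add(name)
        node = list(node.values())  # descend into the values below
    for child in node if isinstance(node, list) else []:
        refs |= find_refs(child, logical_ids)
    return refs

def analyze(template):
    """Build a report shaped like the skill's output schema (cost estimation omitted)."""
    resources = template.get("Resources", {})
    report = {"valid": bool(resources), "resources": [], "securityFindings": []}
    for lid, res in resources.items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        explicit = res.get("DependsOn", [])  # DependsOn may be a string or a list
        deps = find_refs(props, set(resources)) | set([explicit] if isinstance(explicit, str) else explicit)
        report["resources"].append({"logicalId": lid, "type": rtype, "dependencies": sorted(deps)})
        if rtype == "AWS::S3::Bucket" and str(props.get("AccessControl", "")).startswith("Public"):
            report["securityFindings"].append({"rule": "S3_PUBLIC_ACL", "severity": "HIGH", "resource": lid,
                                               "message": "bucket ACL grants public access"})
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0":
                    report["securityFindings"].append({"rule": "SG_WORLD_INGRESS", "severity": "HIGH", "resource": lid,
                                                       "message": f"ingress open to the world on port {rule.get('FromPort')}"})
    return report

if __name__ == "__main__":
    print(json.dumps(analyze(TEMPLATE), indent=2))
```

Running the block prints the report; the dependency list for Web shows how implicit references and an explicit DependsOn are merged into one ordering view.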

When to use it

  • Pre-deployment IaC reviews to catch validation and security issues
  • Pull request or CI pipelines for automated template checks
  • Architecture design sessions to analyze resource topology and dependencies
  • Cost reviews to estimate monthly spend from a template
  • Drift or change-set analysis before applying updates

Best practices

  • Run the skill in CI on every template change to enforce consistency and catch regressions
  • Use the mode option to limit runs (validate, security, cost) for faster checks during development
  • Provide a parameters file and target region to get accurate validation and cost estimates
  • Treat findings as actionable: prioritize HIGH-severity security findings before deployment
  • Combine output with manual design review for architecture and cost trade-offs

Example use cases

  • Validate a central infrastructure template before merging to the main branch
  • Scan feature branch templates for insecure IAM, public S3 buckets, or open security groups
  • Estimate monthly cost impact of introducing RDS and NAT gateways in a new stack
  • Create a dependency graph to understand update ordering and potential service interruptions
  • Compare a change set to detect risky resource replacements or deletes

FAQ

What input does the skill require?

Provide the templatePath and optionally mode and options (parametersFile, region, failOnWarning). Default mode is 'all'.

How accurate is the cost estimation?

Cost estimation provides a rough monthly estimate and per-resource breakdown; it is useful for comparisons but not a substitute for detailed billing forecasts from cloud provider tools.