
aws-infra skill

/skills/bmdhodl/aws-infra

This skill helps you query and audit AWS resources using the AWS CLI with read-only defaults and explicit write confirmations.

npx playbooks add skill openclaw/skills --skill aws-infra


Files (4)
SKILL.md
---
name: aws-infra
description: Chat-based AWS infrastructure assistance using AWS CLI and console context. Use for querying, auditing, and monitoring AWS resources (EC2, S3, IAM, Lambda, ECS/EKS, RDS, CloudWatch, billing, etc.), and for proposing safe changes with explicit confirmation before any write/destructive action.
---

# AWS Infra

## Overview
Use the local AWS CLI to answer questions about AWS resources. Default to read-only queries. Only propose or run write/destructive actions after explicit user confirmation.

## Quick Start
1. Determine profile/region from environment or `~/.aws/config`.
2. Start with identity:
   - `aws sts get-caller-identity`
3. Use read-only service commands to answer the question.
4. If the user asks for changes, outline the exact command and ask for confirmation before running.

## Safety Rules (must follow)
- Treat all actions as **read-only** unless the user explicitly requests a change **and** confirms it.
- For any potentially destructive change (delete/terminate/destroy/modify/scale/billing/IAM credentials), require a confirmation step.
- Prefer `--dry-run` where the operation supports it (it is a per-operation parameter, for example on EC2 calls, not a global CLI flag) and show the plan before execution.
- Never reveal or log secrets (access keys, session tokens).

## Task Guide (common requests)
- **Inventory / list**: use `list`/`describe`/`get` commands.
- **Health / errors**: use CloudWatch metrics/logs queries.
- **Security checks**: IAM, S3 public access, SG exposure, KMS key usage.
- **Costs**: Cost Explorer / billing queries (read-only).
- **Changes**: show exact CLI command and require confirmation.
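As an added illustration of the Safety Rules and the Task Guide's **Changes** entry (example code written for this page, not part of the aws-infra skill itself), the Python gate below classifies an AWS CLI argv as read-only or mutating by its operation-name prefix, builds the exact command to show the user with `--dry-run` appended where the operation supports it, runs anything that is not read-only only after a confirmation callback agrees, and masks access key ids and token fields in captured output before returning it. The prefix lists and the `DRY_RUN_SUPPORTED` set are constructed samples, and `runner` is injected so the block runs offline without the CLI.

```python
import re
import shlex
from typing import Callable, Dict, List

# Operation-name prefixes treated as read-only (constructed list covering the
# list/describe/get family named in the Task Guide).
READ_ONLY_PREFIXES = ("list-", "describe-", "get-", "lookup-", "search-", "batch-get-")

# Write/destructive verbs that always require a confirmation step (constructed list).
DESTRUCTIVE_PREFIXES = ("delete-", "terminate-", "destroy-", "modify-", "put-", "update-",
                        "create-", "attach-", "detach-", "stop-", "reboot-", "set-")

# Operations known to accept --dry-run. It is a per-operation parameter on EC2
# calls, not a global CLI flag; this is a constructed sample set, not exhaustive.
DRY_RUN_SUPPORTED = {("ec2", "terminate-instances"), ("ec2", "run-instances"),
                     ("ec2", "stop-instances"), ("ec2", "authorize-security-group-ingress")}

# Secret shapes that must never reach chat output or logs.
_ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
_TOKEN_FIELD_RE = re.compile(r'("(?:SessionToken|SecretAccessKey)"\s*:\s*")[^"]+(")')


def classify(argv: List[str]) -> str:
    """Return 'read-only', 'mutating' or 'unknown' for an `aws <service> <op> ...` argv."""
    if len(argv) < 3 or argv[0] != "aws":
        return "unknown"
    op = argv[2]
    if op.startswith(READ_ONLY_PREFIXES):
        return "read-only"
    if op.startswith(DESTRUCTIVE_PREFIXES):
        return "mutating"
    return "unknown"  # unknown verbs are gated like mutating ones below


def plan(argv: List[str]) -> Dict[str, object]:
    """Produce the exact command to show the user, adding --dry-run where supported."""
    kind = classify(argv)
    shown = list(argv)
    supports_dry_run = len(argv) >= 3 and (argv[1], argv[2]) in DRY_RUN_SUPPORTED
    add_dry_run = kind != "read-only" and supports_dry_run and "--dry-run" not in argv
    if add_dry_run:
        shown.append("--dry-run")
    return {"kind": kind, "needs_confirmation": kind != "read-only",
            "dry_run_added": add_dry_run, "command": shlex.join(shown)}


def redact(text: str) -> str:
    """Mask access key ids and token/secret fields in captured CLI output."""
    text = _ACCESS_KEY_RE.sub(lambda m: m.group(1) + "*" * 16, text)
    return _TOKEN_FIELD_RE.sub(r"\1<redacted>\2", text)


def gate(argv: List[str], confirm: Callable[[str], bool],
         runner: Callable[[List[str]], str]) -> Dict[str, object]:
    """Run read-only commands directly; run anything else only after confirm() agrees.

    `confirm` receives the exact command string the user must approve.
    `runner` executes an argv and returns its stdout (injected so this runs offline).
    """
    p = plan(argv)
    if p["needs_confirmation"] and not confirm(p["command"]):
        return {"ran": False, "plan": p, "output": ""}
    return {"ran": True, "plan": p, "output": redact(runner(shlex.split(p["command"])))}


if __name__ == "__main__":
    # Constructed demo: the mutating call is shown but refused, the read-only one runs.
    refuse = lambda cmd: print("would ask to confirm:", cmd) or False
    fake_run = lambda a: '{"Account": "123456789012", "Arn": "arn:aws:iam::123456789012:user/demo"}'
    print(gate(["aws", "ec2", "terminate-instances", "--instance-ids", "i-0123"], refuse, fake_run))
    print(gate(["aws", "sts", "get-caller-identity"], refuse, fake_run))
```

When `--dry-run` is accepted, EC2 does not perform the action and instead reports a `DryRunOperation` error code if the request would have succeeded (or an authorization failure otherwise), so the plan step should interpret that response rather than treating it as a failure.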

## Region & Profile Handling
- If the user specifies a region/profile, honor it.
- Otherwise use `AWS_PROFILE` / `AWS_REGION` if set, then fall back to `~/.aws/config`.
- When results are region-scoped, state the region used.
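A worked version of the profile/region precedence described in the Quick Start and in this section (added for this page; not code from the skill): explicit argument first, then `AWS_PROFILE` / `AWS_REGION`, then `~/.aws/config`, recording which source each value came from so the answer can state the context used. The config text is a constructed sample, and the CLI convention that non-default profiles live in `[profile NAME]` sections is reflected in the lookup. The block also builds the Quick Start's first call, `aws sts get-caller-identity`, pinned to the resolved profile and region.

```python
import configparser
import os
from typing import Dict, List, Mapping, Optional

# Constructed ~/.aws/config content for offline use (not a real account's file).
SAMPLE_AWS_CONFIG = """
[default]
region = us-east-1

[profile audit]
region = eu-west-1
output = json
"""


def _config_region(config_text: str, profile: str) -> Optional[str]:
    """Look up a profile's region in ~/.aws/config text.

    The CLI config file names non-default profiles as [profile NAME];
    the default profile is the plain [default] section.
    """
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    section = "default" if profile == "default" else f"profile {profile}"
    if parser.has_section(section):
        return parser.get(section, "region", fallback=None)
    return None


def resolve_context(explicit_profile: Optional[str] = None,
                    explicit_region: Optional[str] = None,
                    env: Mapping[str, str] = os.environ,
                    config_text: Optional[str] = None) -> Dict[str, str]:
    """Apply the skill's precedence: explicit > environment > ~/.aws/config.

    Returns profile and region together with the source of each, so the
    caller can state which context the results are scoped to.
    """
    if config_text is None:
        # Only read the real file when no constructed text was supplied.
        path = os.path.expanduser(env.get("AWS_CONFIG_FILE", "~/.aws/config"))
        config_text = ""
        if os.path.exists(path):
            with open(path) as fh:
                config_text = fh.read()

    if explicit_profile:
        profile, profile_src = explicit_profile, "explicit"
    elif env.get("AWS_PROFILE"):
        profile, profile_src = env["AWS_PROFILE"], "AWS_PROFILE"
    else:
        profile, profile_src = "default", "default"

    if explicit_region:
        region, region_src = explicit_region, "explicit"
    elif env.get("AWS_REGION"):
        region, region_src = env["AWS_REGION"], "AWS_REGION"
    elif env.get("AWS_DEFAULT_REGION"):
        # The CLI also honours AWS_DEFAULT_REGION; checked after AWS_REGION here.
        region, region_src = env["AWS_DEFAULT_REGION"], "AWS_DEFAULT_REGION"
    else:
        region = _config_region(config_text, profile)
        region_src = "~/.aws/config" if region else "unset"

    return {"profile": profile, "profile_source": profile_src,
            "region": region or "", "region_source": region_src}


def identity_command(ctx: Dict[str, str]) -> List[str]:
    """The Quick Start's first read-only call, pinned to the resolved context."""
    argv = ["aws", "sts", "get-caller-identity", "--profile", ctx["profile"]]
    if ctx["region"]:
        argv += ["--region", ctx["region"]]
    return argv


if __name__ == "__main__":
    ctx = resolve_context(env={"AWS_PROFILE": "audit"}, config_text=SAMPLE_AWS_CONFIG)
    print(ctx)
    print(" ".join(identity_command(ctx)))
```

A profile that is set in the environment but absent from the config file yields `region_source == "unset"`; report that explicitly rather than silently letting the CLI fall back, since a region-scoped answer without a stated region is easy to misread.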

## References
See `references/aws-cli-queries.md` for common command patterns.

## Assets
- `assets/icon.svg` — custom icon (dark cloud + terminal prompt)

Overview

This skill provides chat-based AWS infrastructure assistance using the local AWS CLI and console context. It defaults to read-only queries for inventory, monitoring, auditing, and cost checks. Any write or destructive action is proposed explicitly with the exact CLI command and requires user confirmation before execution.

How this skill works

The skill inspects AWS resources by running AWS CLI describe/list/get commands and querying CloudWatch and Cost Explorer for metrics and billing data. It detects profile and region from environment variables or ~/.aws/config and reports which context was used. For change requests it generates the precise CLI command, recommends --dry-run when available, and waits for explicit user confirmation before running anything that modifies resources.

When to use it

  • Inventory and discovery of resources across EC2, S3, IAM, Lambda, ECS/EKS, RDS, and more
  • Auditing security posture: IAM permissions, S3 public access, security groups, and KMS usage
  • Troubleshooting and health checks using CloudWatch metrics and logs
  • Billing and cost analysis using Cost Explorer read-only queries
  • Preparing safe infrastructure changes with an exact CLI plan and confirmation

Best practices

  • Treat all interactions as read-only by default; explicitly confirm any write or destructive actions
  • Specify AWS_PROFILE and AWS_REGION when working across multiple accounts or regions
  • Prefer --dry-run where supported and show the planned command before execution
  • Never expose or log secrets such as access keys or session tokens
  • When reporting results, always state the region and profile used for the queries

Example use cases

  • List all EC2 instances in a region and highlight instances with missing tags
  • Check S3 buckets for public access and provide exact aws s3api commands to remediate
  • Fetch CloudWatch metrics and recent logs for a Lambda function to diagnose errors
  • Generate a cost summary for the last 30 days and identify top spenders by service
  • Draft an IAM policy change command and require confirmation before applying it
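Two of the use cases above (tag gaps on EC2 instances, and S3 public access with the exact remediation command) worked through as an added Python example, not the skill's own code. It processes captured JSON from `aws ec2 describe-instances` and `aws s3api get-public-access-block`; both inputs here are constructed samples, `example-bucket` is a placeholder name, and the remediation string uses the CLI's shorthand syntax for `--public-access-block-configuration`.

```python
import json
from typing import Dict, List, Sequence

# Constructed sample of `aws ec2 describe-instances` output: one fully tagged
# instance, one missing Owner, one with no tags at all. Not real data.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0aaaaaaaaaaaaaaa1",
         "Tags": [{"Key": "Name", "Value": "web-1"}, {"Key": "Owner", "Value": "platform"}]},
        {"InstanceId": "i-0bbbbbbbbbbbbbbb2",
         "Tags": [{"Key": "Name", "Value": "batch-7"}]},
        {"InstanceId": "i-0ccccccccccccccc3"},
    ]}]
})

# Constructed sample of `aws s3api get-public-access-block` output for a bucket
# whose ACL-level blocks are on but policy-level blocks are off.
SAMPLE_PAB = json.dumps({"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}})

REQUIRED_TAGS = ("Name", "Owner")  # constructed tagging policy for the demo
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def instances_missing_tags(describe_json: str,
                           required: Sequence[str] = REQUIRED_TAGS) -> Dict[str, List[str]]:
    """Map each instance id to the required tag keys it lacks; untagged instances included."""
    report: Dict[str, List[str]] = {}
    for reservation in json.loads(describe_json).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            present = {t["Key"] for t in inst.get("Tags", [])}
            missing = [k for k in required if k not in present]
            if missing:
                report[inst["InstanceId"]] = missing
    return report


def public_access_gaps(pab_json: str) -> List[str]:
    """Return the public-access-block flags that are not enabled.

    A missing configuration counts as all four flags off, which is also how an
    empty document (e.g. after a NoSuchPublicAccessBlockConfiguration error) reads.
    """
    cfg = json.loads(pab_json).get("PublicAccessBlockConfiguration", {})
    return [f for f in PAB_FLAGS if not cfg.get(f, False)]


def remediation_command(bucket: str) -> str:
    """Exact s3api command enabling all four protections; shown to the user, run only after confirmation."""
    settings = ",".join(f"{f}=true" for f in PAB_FLAGS)
    return (f"aws s3api put-public-access-block --bucket {bucket} "
            f'--public-access-block-configuration "{settings}"')


if __name__ == "__main__":
    print("instances missing required tags:", instances_missing_tags(SAMPLE_DESCRIBE_INSTANCES))
    gaps = public_access_gaps(SAMPLE_PAB)
    if gaps:
        print("public access block gaps:", gaps)
        print("proposed (requires confirmation):", remediation_command("example-bucket"))
```

Bucket-level settings are only part of the picture: an account-level block set through `aws s3control put-public-access-block` also applies, and a bucket with no block configuration at all makes `get-public-access-block` fail with `NoSuchPublicAccessBlockConfiguration`, which the audit should report as all four protections missing rather than as an error.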

FAQ

How does the skill choose profile and region?

It honors an explicit profile/region you provide; otherwise it uses AWS_PROFILE and AWS_REGION, then falls back to ~/.aws/config. The skill states the context used with each result.

Will it ever run destructive commands without asking?

No. All commands that modify, delete, or could affect billing require you to request the change and then explicitly confirm the exact command before it runs.