| name | cloud-aws |
| description | AWS cloud infrastructure and services expert. Use when working with AWS CLI, Terraform for AWS, Lambda, S3, EC2, DynamoDB, IAM, API Gateway, or any AWS service configuration, deployment, troubleshooting, or best practices. |
Cloud AWS
Expert guidance for Amazon Web Services infrastructure, development, and operations.
Instructions
When helping with AWS tasks:
- Identify the AWS service(s) involved in the request
- Check authentication: Ensure AWS CLI is configured (
aws sts get-caller-identity) - Use appropriate tools: AWS CLI or Terraform as needed
- Avoid SAM, CloudFormation, and CDK - Always prefer Terraform for Infrastructure as Code
- Follow security best practices: Least privilege IAM, encryption, no hardcoded credentials
- Consider cost implications: Suggest cost-effective alternatives when relevant
AWS CLI Essentials
Authentication Check
aws sts get-caller-identity
aws configure list
Common Service Commands
S3:
aws s3 ls
aws s3 cp file.txt s3://bucket-name/
aws s3 sync ./local-dir s3://bucket-name/prefix/
aws s3 rm s3://bucket-name/prefix/ --recursive
EC2:
aws ec2 describe-instances --query 'Reservations[].Instances[].{ID:InstanceId,State:State.Name,Type:InstanceType}'
aws ec2 start-instances --instance-ids i-xxxxx
aws ec2 stop-instances --instance-ids i-xxxxx
Lambda:
aws lambda list-functions --query 'Functions[].{Name:FunctionName,Runtime:Runtime}'
aws lambda invoke --function-name my-function output.json
aws lambda update-function-code --function-name my-function --zip-file fileb://function.zip
aws logs tail /aws/lambda/my-function --follow
DynamoDB:
aws dynamodb list-tables
aws dynamodb scan --table-name my-table
aws dynamodb get-item --table-name my-table --key '{"PK":{"S":"USER#123"},"SK":{"S":"PROFILE"}}'
aws dynamodb put-item --table-name my-table --item '{"PK":{"S":"USER#123"},"SK":{"S":"PROFILE"},"name":{"S":"John"}}'
API Gateway (HTTP API v2):
aws apigatewayv2 get-apis
aws apigatewayv2 get-routes --api-id API_ID
aws apigatewayv2 get-stages --api-id API_ID
CloudFront:
aws cloudfront list-distributions --query 'DistributionList.Items[].{Id:Id,Domain:DomainName,Status:Status}'
aws cloudfront create-invalidation --distribution-id DIST_ID --paths "/*"
CloudWatch:
aws logs describe-log-groups
aws logs tail /aws/lambda/my-function --follow --since 1h
aws cloudwatch get-metric-statistics --namespace AWS/Lambda --metric-name Invocations --dimensions Name=FunctionName,Value=my-function --start-time 2025-01-01T00:00:00Z --end-time 2025-01-02T00:00:00Z --period 3600 --statistics Sum
Cost Management
Get Current Costs
# Current month costs by service
aws ce get-cost-and-usage \
--time-period Start=$(date -u +%Y-%m-01),End=$(date -u +%Y-%m-%d) \
--granularity MONTHLY \
--metrics "UnblendedCost" \
--group-by Type=DIMENSION,Key=SERVICE
# Cost forecast
aws ce get-cost-forecast \
--time-period Start=$(date -u +%Y-%m-%d),End=$(date -u +%Y-%m-31) \
--granularity MONTHLY \
--metric UNBLENDED_COST
# Filter by specific service
aws ce get-cost-and-usage \
--time-period Start=2025-01-01,End=2025-12-01 \
--granularity MONTHLY \
--metrics "UnblendedCost" \
--filter '{"Dimensions":{"Key":"SERVICE","Values":["Amazon CloudFront"]}}'
Set Budget Alert
aws budgets create-budget \
--account-id ACCOUNT_ID \
--budget file://budget.json \
--notifications-with-subscribers file://notifications.json
Infrastructure as Code (Terraform)
provider "aws" {
region = "us-east-1"
}
resource "aws_lambda_function" "my_function" {
filename = "function.zip"
function_name = "my-function"
role = aws_iam_role.lambda_role.arn
handler = "index.handler"
runtime = "python3.12"
source_code_hash = filebase64sha256("function.zip")
}
Deploy:
terraform init
terraform plan
terraform apply -auto-approve
terraform destroy
Security Best Practices
IAM Policies
- Use least privilege principle
- Prefer managed policies for common use cases
- Use conditions to restrict access
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
"Resource": "arn:aws:dynamodb:*:*:table/my-table",
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": ["${aws:userid}"]
}
}
}
]
}
Secrets Management
# AWS Secrets Manager
aws secretsmanager create-secret --name my-secret --secret-string '{"key":"value"}'
aws secretsmanager get-secret-value --secret-id my-secret --query SecretString --output text
# SSM Parameter Store (cheaper for simple values)
aws ssm put-parameter --name /app/db-password --value "secret" --type SecureString
aws ssm get-parameter --name /app/db-password --with-decryption --query Parameter.Value --output text
Encryption
- Enable encryption at rest for all data stores
- Use AWS KMS for key management
- Enable encryption in transit (TLS/HTTPS)
Troubleshooting
Check Permissions
aws iam simulate-principal-policy \
--policy-source-arn arn:aws:iam::ACCOUNT:role/my-role \
--action-names dynamodb:PutItem \
--resource-arns arn:aws:dynamodb:us-east-1:ACCOUNT:table/my-table
Debug Lambda
aws logs tail /aws/lambda/my-function --since 1h
aws lambda get-function-configuration --function-name my-function
aws lambda get-function --function-name my-function
Network Issues
aws ec2 describe-flow-logs
aws ec2 describe-security-groups --group-ids sg-xxxxx
aws ec2 describe-network-acls --network-acl-ids acl-xxxxx
API Gateway Issues
aws apigatewayv2 get-api --api-id API_ID
aws logs tail /aws/api-gateway/API_ID --since 1h
Cost Optimization Tips
- Lambda: Use ARM64 (Graviton2) for ~34% cost savings
- DynamoDB: Use on-demand for variable workloads, provisioned for steady-state
- S3: Enable Intelligent-Tiering for variable access patterns
- CloudFront: Use caching to reduce origin requests
- API Gateway: Use HTTP APIs (v2) instead of REST APIs for ~70% cost savings
- Set up billing alerts and budgets
- Use AWS Cost Explorer to identify optimization opportunities