بنقرة واحدة
aws-governance-guardrails
Organization governance policies - never do, always do, and compliance rules
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
القائمة
Organization governance policies - never do, always do, and compliance rules
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
**AWS Coworker Development Guardrails** - MANDATORY when extending or modifying AWS Coworker itself. TRIGGERS (use this skill when ANY of these apply): - User asks to add new skills, agents, or commands to AWS Coworker - User asks to modify existing AWS Coworker components - User asks about AWS Coworker architecture or design - User wants to add support for new AWS services - Discussion involves directory structure or file organization - User mentions "extending", "customizing", or "adding to" AWS Coworker - Creating or modifying files in: skills/, .claude/agents/, .claude/commands/, config/ NOT for: Using AWS Coworker to interact with AWS (that's CLAUDE.md's domain)
Canonical AWS CLI patterns for discover, plan, deploy, validate, and rollback
AWS Well-Architected Framework alignment for planning and review
Git and GitHub best practices for AWS Coworker change management
Multi-account and OU strategy, landing zone patterns, and workload placement
Cost-aware AWS interaction and optimization patterns
استنادا إلى تصنيف SOC المهني
| name | aws-governance-guardrails |
| description | Organization governance policies - never do, always do, and compliance rules |
| version | 1.0.0 |
| category | org |
| agents | ["aws-coworker-core","aws-coworker-planner","aws-coworker-guardrail","aws-coworker-executor"] |
| tools | ["Read"] |
This skill encodes organizational governance and compliance rules for AWS operations. It defines what must always be done, what must never be done, and how to validate compliance.
| Category | Description |
|---|---|
| Never Do | Prohibited actions that could cause security or compliance issues |
| Always Do | Mandatory practices for all AWS operations |
| Environment-Specific | Rules that vary by environment |
| Validation | How to check compliance |
### NEVER: Public S3 Buckets for Sensitive Data
- Do not create S3 buckets with public read/write
- Do not disable Block Public Access for data buckets
- Exception: Intentionally public static content (requires documented approval)
### NEVER: Wildcard IAM Permissions
- Do not use "Action": "*" in IAM policies
- Do not use "Resource": "*" without conditions
- Do not use "NotAction" without careful scoping
### NEVER: Root Account Usage
- Do not use root credentials for operations
- Do not create access keys for root
- Exception: Account recovery and specific console-only tasks
### NEVER: Long-Lived Credentials in Code
- Do not commit AWS access keys to repositories
- Do not embed credentials in application code
- Do not store credentials in environment variables long-term
- Use: IAM roles, Secrets Manager, Parameter Store
### NEVER: Unencrypted Sensitive Data
- Do not store PII/sensitive data without encryption
- Do not transmit sensitive data over unencrypted channels
- Do not use deprecated encryption (MD5, SHA1 for security)
### NEVER: Open Security Groups
- Do not allow 0.0.0.0/0 to SSH (22)
- Do not allow 0.0.0.0/0 to RDP (3389)
- Do not allow 0.0.0.0/0 to database ports (3306, 5432, 1433, etc.)
### NEVER: Direct Production Changes
- Do not modify production via AWS Console for infrastructure
- Do not run ad-hoc AWS CLI commands that mutate production
- Use: CI/CD pipelines, Infrastructure as Code
### NEVER: Skip Change Management
- Do not deploy to staging/production without change ticket
- Do not bypass approval workflows
- Do not deploy during change freeze without emergency approval
### NEVER: Delete Without Backup
- Do not terminate production instances without AMI/snapshot
- Do not delete databases without verified backup
- Do not empty S3 buckets without lifecycle consideration
### NEVER: Skip Plan-Execute Workflow
- Do not execute any state-changing operation without presenting a plan first
- Do not delegate mutations to sub-agents before user approval
- Do not treat tagging, config changes, or "fixes" as exempt from the workflow
- Exception: None. All state changes require explicit approval.
### NEVER: Unrestricted Bedrock Model Access
- Do not request access to all Bedrock models — grant access per model family based on need
- Do not use wildcard model ARNs in IAM policies for bedrock:InvokeModel
- Do not invoke models without logging enabled (audit trail required)
### NEVER: Shared Agent Credentials
- Do not share IAM roles across different agent types (discovery agents vs mutation agents)
- Do not use the AgentCore execution role as the agent runtime role — these must be separate
- Do not hardcode API keys or tokens in agent container images or environment variables
- Use: AgentCore Identity (API key credentials, OAuth2 credentials) or IAM roles
### NEVER: Unmonitored Agent Sessions
- Do not deploy agent runtimes without CloudWatch logging in staging or above
- Do not deploy without session timeout configuration (prevents runaway sessions and cost)
- Do not allow unbounded session concurrency in staging or production
### NEVER: Uncontrolled Spending
- Do not launch large instances without cost estimate
- Do not leave idle resources running indefinitely
- Do not skip cost tags on resources
### ALWAYS: Apply Required Tags
All AWS resources MUST have:
| Tag Key | Description | Format |
|---------|-------------|--------|
| Environment | Deployment environment | sandbox, development, staging, production |
| Owner | Responsible team/person | team-name or user@domain |
| CostCenter | Cost allocation | CC-NNNN format |
Recommended additional tags:
| Tag Key | Description | Format |
|---------|-------------|--------|
| Project | Project name | project-name |
| DataClassification | Data sensitivity | public, internal, confidential, restricted |
| CreatedBy | Creation method | terraform, cdk, manual |
| ExpirationDate | For temporary resources | YYYY-MM-DD |
### ALWAYS: Encryption
At Rest:
- Enable encryption for EBS volumes (KMS)
- Enable encryption for RDS (KMS)
- Enable encryption for S3 (SSE-S3 minimum, SSE-KMS for sensitive)
- Enable encryption for Secrets Manager, Parameter Store
In Transit:
- Use HTTPS/TLS for all external connections
- Enforce TLS 1.2 minimum
- Use SSL for database connections
### ALWAYS: Logging
Enable for all accounts:
- CloudTrail (all regions, management + data events for sensitive)
- VPC Flow Logs (all VPCs)
- S3 Access Logs (for data buckets)
- Application logging to CloudWatch
### ALWAYS: Least Privilege IAM
- Scope permissions to specific resources
- Use conditions where appropriate
- Prefer managed policies over inline
- Regular access reviews (quarterly minimum)
### ALWAYS: Network Segmentation
- Use private subnets for databases and internal services
- Implement security groups with minimal required access
- Use NACLs for additional defense in depth
- Document allowed traffic flows
### ALWAYS: Infrastructure as Code
- Define infrastructure in CDK, Terraform, or CloudFormation
- Store IaC in version control
- Deploy via CI/CD pipelines
- Maintain drift detection
### ALWAYS: Documentation
- Document architecture decisions
- Maintain runbooks for operations
- Keep deployment documentation current
- Record change rationale
### ALWAYS: Backup and Recovery
- Automated backups for databases
- Snapshot critical EBS volumes
- Test recovery procedures quarterly
- Document RPO/RTO for each service
## Sandbox Environment
Permissions:
- AWS CLI mutations: Allowed
- Direct console changes: Allowed
- Approval required: None
Restrictions:
- No production data
- Budget capped at $X/month
- Resources may be auto-terminated
- No connectivity to other environments
## Development Environment
Permissions:
- AWS CLI mutations: Allowed with tagging
- Direct console changes: Discouraged
- Approval required: Destructive operations only
Restrictions:
- No production data
- Budget alerts at 80%
- Scheduled scaling down after hours (optional)
## Staging Environment
Permissions:
- AWS CLI mutations: Via IaC preferred
- Direct console changes: Emergency only
- Approval required: All mutations
Restrictions:
- No production data (use anonymized)
- Configuration must match production
- Change windows may apply
## Production Environment
Permissions:
- AWS CLI mutations: Prohibited (except discovery)
- Direct console changes: Emergency only with ticket
- Approval required: CAB for significant changes
Requirements:
- All changes via CI/CD pipeline
- Change ticket required
- Rollback plan documented
- Post-deployment validation
## Guardrail Validation Checklist
### Tagging
- [ ] Required tags present (Environment, Owner, CostCenter)
- [ ] Tag values match allowed patterns
- [ ] DataClassification if data-storing resource
### Security
- [ ] Encryption enabled (at rest)
- [ ] TLS/SSL configured (in transit)
- [ ] Security groups least-privilege
- [ ] No public access unless intentional
- [ ] IAM follows least privilege
### Network
- [ ] Correct VPC and subnet placement
- [ ] Security group rules documented
- [ ] No 0.0.0.0/0 to sensitive ports
### Compliance
- [ ] Logging enabled
- [ ] Backup configured
- [ ] Matches environment policies
- [ ] Change management followed
# AWS Config Rules (examples)
- s3-bucket-public-read-prohibited
- s3-bucket-ssl-requests-only
- encrypted-volumes
- rds-storage-encrypted
- ec2-imdsv2-check
- iam-user-no-policies-check
- root-account-mfa-enabled
- cloudtrail-enabled
# Custom Rules
- required-tags-check
- security-group-ingress-check
- vpc-flow-logs-enabled
## Exception Request Template
### Finding
[What policy is being excepted]
### Justification
[Why exception is necessary]
### Duration
[Temporary (with date) or permanent]
### Compensating Controls
[Alternative security measures in place]
### Risk Acceptance
[Who is accepting the risk]
### Approval
- [ ] Technical Lead
- [ ] Security Team (if security-related)
- [ ] Documented in change ticket
All exceptions must be:
| Review | Frequency | Owner |
|---|---|---|
| Tagging compliance | Weekly | Platform team |
| Security posture | Weekly | Security team |
| IAM access review | Quarterly | Security team |
| Policy effectiveness | Quarterly | Governance team |
| Exception review | Monthly | Governance team |
## Key Compliance Indicators
- % of resources with required tags
- # of open security findings
- # of non-compliant resources
- # of active exceptions
- Mean time to remediate findings
To customize this skill for your organization:
Store policy details in:
policies/iam-policies.mdpolicies/network-policies.mdpolicies/data-policies.mdpolicies/tagging-policies.mdaws-org-strategy — Organizational contextaws-well-architected — Security pillar alignmentaws-observability-setup — Logging requirementsaws-cli-playbook — Validation commands