// Preflight validation for AWS CLI operations. Use before executing any AWS action to verify resource existence, permissions, quotas, and readiness. Covers Amazon S3, Amazon EC2, Amazon RDS, AWS Lambda, AWS IAM, Amazon ECS, Amazon DynamoDB, and other services.
Expert guide for backing up AWS databases including Amazon Relational Database Service (Amazon RDS), Aurora, MS-SQL, MySQL, and PostgreSQL. Use when planning or executing database backup operations, retention policies, or restore procedures. Covers Amazon Simple Storage Service (Amazon S3) upload security.
Cross-region migration for compute services including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Container Service (Amazon ECS), and Amazon Elastic Kubernetes Service (Amazon EKS). Covers AZ failure recovery, AMI/snapshot migration, coldsnap EBS Direct API transfers, AWS MGN agent-based migration, WSFC/SQL FCI cluster recovery, FSx ONTAP iSCSI, container image replication, task definition migration, Kubernetes workload backup/restore, and IRSA re-association.
Cross-region migration for database services including Amazon Relational Database Service (Amazon RDS), Amazon Aurora, Amazon Redshift, and Amazon ElastiCache. Covers snapshot copy and restore, cross-region read replica promotion, cross-region automated backups, Aurora Global Database failover, AWS KMS re-encryption, native database dump fallback, Amazon Redshift cross-region snapshot copy, and ElastiCache Global Datastore failover.
Cross-region migration for networking services including AWS Transit Gateway, AWS Site-to-Site VPN, AWS Client VPN, and AWS Direct Connect. Covers Transit Gateway recreation with VPC and Direct Connect gateway attachments, VPN tunnel configuration with pre-shared keys, Client VPN endpoint migration with certificate handling, and Direct Connect Gateway association.
Cross-region migration for security services including ACM, AWS KMS, AWS IAM Identity Center, IAM/STS federation, and AWS WAF. Covers certificate re-issuance and validation, KMS key re-encryption workflows, Encryption SDK re-keying, IAM Identity Center multi-region replication, SAML regional endpoint failover, STS endpoint configuration, and WAF WebACL cloning.
Querying and analyzing CloudWatch Logs, CloudTrail events, and other AWS log sources. Use when investigating errors, auditing actions, or understanding what happened with an AWS resource.
| name | aws-preflight-checks |
| description | Preflight validation for AWS CLI operations. Use before executing any AWS action to verify resource existence, permissions, quotas, and readiness. Covers Amazon S3, Amazon EC2, Amazon RDS, AWS Lambda, AWS IAM, Amazon ECS, Amazon DynamoDB, and other services. |
Validate before executing. This skill provides checks to confirm targets exist, permissions are sufficient, quotas allow the action, and dependencies are met.
Security: Always verify that target resources meet or exceed the security configuration of the source resources. Refer to SECURITY.md for security requirements.
Customer responsibility — security baseline: Customers must configure all Amazon Simple Storage Service (Amazon S3) buckets used for AWS operations with Block Public Access enabled (all four settings true), default encryption configured, and a bucket policy enforcing TLS-only access.
# Bucket exists and accessible
aws s3api head-bucket --bucket <bucket> --region <region> 2>&1
# Object exists
aws s3api head-object --bucket <bucket> --key <key> --region <region> 2>&1
# Check bucket policy / ACL
aws s3api get-bucket-policy --bucket <bucket> --region <region> 2>&1
aws s3api get-bucket-acl --bucket <bucket> --region <region>
# Check versioning status
aws s3api get-bucket-versioning --bucket <bucket> --region <region>
# Check encryption (expected: SSE-S3 or SSE-KMS configured)
aws s3api get-bucket-encryption --bucket <bucket> --region <region> 2>&1
# Check available storage (list + summarize)
aws s3 ls s3://<bucket>/<prefix> --recursive --summarize --region <region>
# Check if bucket blocks public access (expected: all true)
aws s3api get-public-access-block --bucket <bucket> --region <region>
# Check bucket policy enforces TLS (expected: policy with aws:SecureTransport condition)
aws s3api get-bucket-policy --bucket <bucket> --region <region> --query Policy --output text 2>&1
# Check access logging (expected: enabled with target bucket)
aws s3api get-bucket-logging --bucket <bucket> --region <region>
# Instance exists and state
aws ec2 describe-instances --instance-ids <id> --region <region> --query 'Reservations[0].Instances[0].{State:State.Name,Type:InstanceType,AZ:Placement.AvailabilityZone}'
# Security group exists
aws ec2 describe-security-groups --group-ids <sg-id> --region <region> 2>&1
# Subnet exists and available IPs
aws ec2 describe-subnets --subnet-ids <subnet-id> --region <region> --query 'Subnets[0].{CIDR:CidrBlock,AvailableIPs:AvailableIpAddressCount,AZ:AvailabilityZone}'
# Key pair exists
aws ec2 describe-key-pairs --key-names <key-name> --region <region> 2>&1
# AMI exists and available
aws ec2 describe-images --image-ids <ami-id> --region <region> --query 'Images[0].{State:State,Name:Name}'
# Instance type available in AZ
aws ec2 describe-instance-type-offerings --location-type availability-zone --filters "Name=instance-type,Values=<type>" --region <region> --query 'InstanceTypeOfferings[*].Location'
# EBS volume exists and state
aws ec2 describe-volumes --volume-ids <vol-id> --region <region> --query 'Volumes[0].{State:State,Size:Size,AZ:AvailabilityZone}'
# Elastic IP available
aws ec2 describe-addresses --allocation-ids <alloc-id> --region <region> 2>&1
# Instance exists and status
aws rds describe-db-instances --db-instance-identifier <id> --region <region> --query 'DBInstances[0].{Status:DBInstanceStatus,Engine:Engine,Class:DBInstanceClass,AZ:AvailabilityZone}'
# Cluster exists
aws rds describe-db-clusters --db-cluster-identifier <id> --region <region> --query 'DBClusters[0].{Status:Status,Engine:Engine,Members:DBClusterMembers[*].DBInstanceIdentifier}'
# Snapshot exists
aws rds describe-db-snapshots --db-snapshot-identifier <snap-id> --region <region> --query 'DBSnapshots[0].{Status:Status,Engine:Engine,Size:AllocatedStorage}'
# Subnet group exists
aws rds describe-db-subnet-groups --db-subnet-group-name <name> --region <region> 2>&1
# Parameter group exists
aws rds describe-db-parameter-groups --db-parameter-group-name <name> --region <region> 2>&1
# Function exists
aws lambda get-function --function-name <name> --region <region> --query '{State:Configuration.State,Runtime:Configuration.Runtime,Memory:Configuration.MemorySize}'
# Layer exists
aws lambda get-layer-version --layer-name <name> --version-number <ver> --region <region> 2>&1
# Check concurrency limits
aws lambda get-account-settings --region <region> --query 'AccountLimit.{ConcurrentExecutions:ConcurrentExecutions,UnreservedConcurrent:UnreservedConcurrentExecutions}'
Customer responsibility: Configure IAM roles, policies, and permissions for AWS operations. Implement role trust policies that restrict AssumeRole to specific principals, attached policies that follow least-privilege principles, and MFA requirements for sensitive operations.
Verification: Use these checks to verify your IAM configuration before executing AWS operations.
Security controls to verify: Role trust policy restricts AssumeRole to specific principals. Attached policies follow least-privilege (no overly permissive wildcards). MFA is required for sensitive operations.
# Role exists
aws iam get-role --role-name <role> 2>&1
# Policy exists and get ARN
aws iam get-policy --policy-arn <arn> 2>&1
# Check caller identity
aws sts get-caller-identity
# Simulate permission (does caller have permission?)
aws iam simulate-principal-policy --policy-source-arn <caller-arn> --action-names <action> --resource-arns <resource-arn>
# Check if MFA is required
aws iam list-mfa-devices --user-name <user> 2>&1
# Cluster exists
aws ecs describe-clusters --clusters <cluster> --region <region> --query 'clusters[0].{Status:status,Running:runningTasksCount,Pending:pendingTasksCount}'
# Service exists
aws ecs describe-services --cluster <cluster> --services <service> --region <region> --query 'services[0].{Status:status,Desired:desiredCount,Running:runningCount}'
# Task definition exists
aws ecs describe-task-definition --task-definition <td> --region <region> --query 'taskDefinition.{Status:status,CPU:cpu,Memory:memory}'
# Table exists and status
aws dynamodb describe-table --table-name <table> --region <region> --query 'Table.{Status:TableStatus,ItemCount:ItemCount,Size:TableSizeBytes}'
# Check provisioned capacity
aws dynamodb describe-table --table-name <table> --region <region> --query 'Table.ProvisionedThroughput.{ReadCU:ReadCapacityUnits,WriteCU:WriteCapacityUnits}'
# Key exists and enabled
aws kms describe-key --key-id <key-id> --region <region> --query 'KeyMetadata.{State:KeyState,Manager:KeyManager,Spec:KeySpec}'
# Check key policy allows caller
aws kms get-key-policy --key-id <key-id> --policy-name default --region <region>
# Check specific quota
aws service-quotas get-service-quota --service-code <service> --quota-code <code> --region <region>
# List quotas for a service
aws service-quotas list-service-quotas --service-code <service> --region <region> --query 'Quotas[*].{Name:QuotaName,Value:Value}'
# Common quota codes:
# EC2 instances: L-1216C47A (Running On-Demand Standard)
# RDS instances: L-7B6409FD
# S3 buckets: L-DC2B2D3D
# Lambda concurrent: L-B99A9384
For any AWS action, follow this order:
aws sts get-caller-identity — confirm who you aredescribe-* or head-* on the target resourceiam simulate-principal-policy if uncertainservice-quotas get-service-quota if creating resources--dry-run flag to test without executing