Ejecuta cualquier Skill en Manus
con un clic

Ejecuta cualquier Skill en Manus con un clic

$pwd:

cross-account-inventory-compare

Name: Cross Account Inventory Compare
Author: aws-samples

// Query the same AWS resource type (EC2, RDS, VPC, subnets, security groups, S3 buckets, Lambda functions, IAM roles, CloudFormation stacks, etc.) across both China region MCPs (aws-cn and aws-cn-2) and present a side-by-side comparison. Use this skill when the user asks to compare, diff, list across both, find differences, find matching resources by name or tag, or detect drift/inconsistency between the two China accounts. Triggers on phrases like "对比两个账号", "两边", "两个中国区", "aws-cn vs aws-cn-2", "宁夏和北京", "compare the two China accounts", "diff", "drift", "同名资源", "一致吗". Also use when the user wants an inventory that must cover both accounts regardless of which.

Ejecutar en Manus

$ git log --oneline --stat

stars:1

forks:0

updated:28 de mayo de 2026, 03:56

SKILL.md

readonly

name

cross-account-inventory-compare

description

Query the same AWS resource type (EC2, RDS, VPC, subnets, security groups, S3 buckets, Lambda functions, IAM roles, CloudFormation stacks, etc.) across both China region MCPs (aws-cn and aws-cn-2) and present a side-by-side comparison. Use this skill when the user asks to compare, diff, list across both, find differences, find matching resources by name or tag, or detect drift/inconsistency between the two China accounts. Triggers on phrases like "对比两个账号", "两边", "两个中国区", "aws-cn vs aws-cn-2", "宁夏和北京", "compare the two China accounts", "diff", "drift", "同名资源", "一致吗". Also use when the user wants an inventory that must cover both accounts regardless of which.

Cross-Account Resource Inventory & Comparison

Routing behavior (endpoint ↔ region mapping, disambiguation rules, output labeling) is governed by the china-region-multi-account-routing skill; this skill assumes that routing is already in effect and focuses on how to query, correlate, and diff resources across both accounts.

When to use

Use this skill whenever the user's intent requires data from both China region accounts and a comparative or unified view of that data. Examples:

"对比两个账号的 VPC CIDR"
"两个中国区账号各自有几个 EC2 在跑"
"北京账号有没有和宁夏同名的 security group"
"哪些 S3 bucket 只在一个账号里存在"
"两边的 IAM role 一致吗"

Do not use this skill when the user asks about a single explicitly-named account ("查宁夏的 EC2") — that is single-account inventory, not comparison.

Procedure

Step 1 — Identify the resource type and scope

Parse the user's request to extract:

Resource type (EC2 instance, RDS DB, VPC, S3 bucket, IAM role, …)
Scope (全部 / 运行中 / 某 tag / 某 name prefix / 某 region)
Comparison key (name, tag Name, ID, ARN, configuration field)

If any of these is ambiguous, ask one clarifying question before proceeding.

Step 2 — Run the equivalent describe/list on both endpoints in parallel

Call the same AWS API on both aws-cn and aws-cn-2 MCP endpoints concurrently (not sequentially). Use the narrowest filter the user's request allows — avoid listing all resources of a type if a tag or name filter works.

Examples:

EC2: aws ec2 describe-instances --filters Name=instance-state-name,Values=running
RDS: aws rds describe-db-instances
VPC: aws ec2 describe-vpcs
S3: aws s3api list-buckets (plus get-bucket-location per bucket since S3 is regional in China)
IAM: aws iam list-roles (partition-wide, same per account)

Step 3 — Correlate across accounts

Match resources across the two accounts using the comparison key from Step 1. Partition the results into three buckets:

Only in aws-cn — present in Ningxia, absent in Beijing
Only in aws-cn-2 — present in Beijing, absent in Ningxia
In both — present in both accounts (matched by key)

For bucket 3, surface any configuration differences the user asked about (e.g., different CIDRs, different instance types, different tags).

Step 4 — Present the diff

Use a table when comparing configuration:

Resource (by name)	aws-cn (Ningxia)	aws-cn-2 (Beijing)
`prod-web-sg`	`0.0.0.0/0:443` allowed	`0.0.0.0/0:443` allowed
`prod-db-sg`	exists	missing

Use grouped sections when listing disjoint sets:

### Only in aws-cn (Ningxia)
- i-0aaa... (t3.medium)
- i-0bbb... (t3.small)

### Only in aws-cn-2 (Beijing)
- i-0xxx... (t3.large)

### In both
(none, or list matched pairs)

Step 5 — Summarize findings

End the response with 1–3 sentences of interpretation: is the drift expected (e.g. DR-style asymmetry) or unexpected (e.g. missing resource)? Do not remediate — this skill is read-only analysis.

Things not to do

Do not assume two resources with the same name are "the same" — they are different AWS resources in different accounts. Say "matched by name" or "matched by tag X", never "the same resource".
Do not silently drop resources from one side if the API fails on that side. If aws-cn-2 returned an error, report "aws-cn-2: failed with " and still show aws-cn's data — do not pretend aws-cn-2 has no resources.
Do not iterate sequentially on the two accounts when parallel is possible. Users expect one round-trip latency, not two.
Do not reformat IDs or ARNs when presenting — they need to be copy-pasteable back into AWS CLI.

Examples

Input: "对比两个账号的 VPC CIDR"

Action: Parallel aws ec2 describe-vpcs on both. Extract CidrBlock and Tags[Name] per VPC. Match by tag Name. Output:

VPC Name	aws-cn (Ningxia)	aws-cn-2 (Beijing)
`default`	`172.31.0.0/16`	`172.31.0.0/16`
`prod`	`10.0.0.0/16`	`10.1.0.0/16`
`dev`	`10.10.0.0/16`	— (absent)

Summary: "aws-cn-2 is missing the dev VPC; default overlaps (expected, both accounts use AWS's default). prod CIDRs are distinct (no overlap, safe to peer later if needed)."

Input: "两个账号各自多少个 running EC2"

Action: Parallel describe-instances --filters state=running. Output just counts plus instance IDs:

aws-cn (Ningxia):   3 running — i-0a, i-0b, i-0c
aws-cn-2 (Beijing): 1 running — i-0x

Input: "哪些 IAM role 只存在于宁夏账号，北京账号没有"

Action: Parallel aws iam list-roles on both. Compute set difference. Output:

### Only in aws-cn (Ningxia) — 2 roles
- mcp-pod-reader
- eks-node-group-extra

### Only in aws-cn-2 (Beijing) — 0 roles

### In both — 14 roles
(not listed unless requested)

related-skills.json

mismo repositorio

china-account-prevention-checks.md

from "aws-samples/sample-skills-for-AWS-Devops-agent"

Proactive prevention and pre-alarm health checks across the two China region accounts (aws-cn and aws-cn-2). Use this skill when the user asks about prevention, 防护, 预防, proactive, 体检, health check, risk assessment, 潜在风险, 隐患, or "what might break soon", and when the Evaluation agent runs scheduled recommendation workflows. Looks for conditions that predict future incidents — single points of failure, service quotas nearing limits, stale AMIs, aging credentials, certificates expiring within 30 days, deprecated Lambda runtimes. This skill is distinct from cross-account-security-posture-check, which reports current-state security risk. Prevention predicts future failure; security posture describes current exposure.

2026-05-281

china-incident-mitigation.md

from "aws-samples/sample-skills-for-AWS-Devops-agent"

Draft step-by-step mitigation CLI commands for a root-caused incident in either China account (aws-cn or aws-cn-2). Use this skill after RCA has identified the root cause, when the user asks for mitigation, remediation, 缓解, 修复, 回滚, rollback, restore service, 怎么修, fix it, 怎么办. Covers common mitigation patterns such as credential rotation, Kubernetes pod rollout-restart, ALB target group reattach, security group rule revoke, IAM policy rollback, and safe CloudFormation stack rollback. Output always includes the exact CLI command, a one-line explanation of what it changes, a rollback/undo command, and an explicit human approval prompt. CRITICAL — this skill NEVER executes commands autonomously; every mitigation step requires explicit user approval before running.

2026-05-281

china-incident-rca.md

from "aws-samples/sample-skills-for-AWS-Devops-agent"

Root cause analysis for a triaged incident in either China account (aws-cn or aws-cn-2). Use this skill after triage has produced a Triage Card, or when the user directly asks RCA, 根本原因, 根因, 为什么挂, why did X fail, deep dive, deep investigation, 深入分析, dig into, 调查. Correlates the CloudTrail API log window around the incident, recent deploy events (CloudFormation stack events, CodeDeploy, ECR pushes, Lambda updates), metric anomalies against prior-week baseline, and cross-account blast radius — specifically, whether the same failure pattern also hit the other China account around the same time, which would suggest a shared upstream cause (IAM partition-wide, AWS region event, or common dependency). Produces a single root-cause hypothesis plus the evidence chain. Does NOT execute remediation.

2026-05-281

china-incident-triage.md

from "aws-samples/sample-skills-for-AWS-Devops-agent"

First-response triage for an incoming alarm, ticket, or failure report originating from either China account (aws-cn or aws-cn-2). Use this skill when the trigger is an alarm name, CloudWatch alarm payload, SIM ticket body, error log snippet, or a user phrase such as 告警, 出事了, 服务挂了, incident, triage, 分类, 初步判断, 看一下这个告警, what happened. Determines which of the two accounts is affected, classifies the incident into one of six classes (compute / network / identity-credentials / data / cost / unknown), estimates severity from the signal, and checks whether a similar incident fired recently so duplicates are marked. Output is a short triage card that hands off to RCA or mitigation depending on severity. This skill is the entry point of the incident response pipeline.

2026-05-281

china-region-multi-account-routing.md

from "aws-samples/sample-skills-for-AWS-Devops-agent"

Routing and disambiguation guidance for the two AWS China region MCP servers exposed by this Agent Space. Use this skill whenever the user's request mentions "中国区", "China", "cn-north-1", "cn-northwest-1", "Beijing", "Ningxia", or any AWS resource that must resolve to a specific China partition account. The skill explains which MCP endpoint maps to which account, how to pick when the user does not specify, and how to label cross-account results so the user can tell them apart.

2026-05-281

cn-partition-arn-routing.md

from "aws-samples/sample-skills-for-AWS-Devops-agent"

Diagnose and explain AWS partition ARN mismatches in China region accounts. Use this skill whenever an investigation in `cn-north-1` or `cn-northwest-1` involves ARNs starting with `arn:aws:` instead of `arn:aws-cn:`, or whenever symptoms include AccessDenied, AuthFailure, MalformedPolicyDocument, NoSuchEntity, or "principal cannot be assumed" errors against IAM roles, SNS topics, KMS keys, S3 buckets, or any other ARN-bearing resource. Triggers also include the user mentioning "partition", "aws-cn vs aws", "cross-partition", "中国区 ARN 不对", "global partition ARN in China account", "trust policy 写错了", or pasting any ARN that looks like `arn:aws:iam::*` while the account context is China. Importantly, use this skill BEFORE concluding that an IAM trust policy or resource policy is "missing permissions" — the more common root cause in China region accounts is a partition string mismatch that the agent and generic LLM debuggers consistently get wrong.

2026-05-281

package.json

"author": "aws-samples"

"repository": "aws-samples/sample-skills-for-AWS-Devops-agent"

Abrir repositorio de GitHub Ver repositorios del creador

$ install --global

$ download --local

Ejecutar en Manus

name

cross-account-inventory-compare

description

Cross-Account Resource Inventory & Comparison

When to use

Use this skill whenever the user's intent requires data from both China region accounts and a comparative or unified view of that data. Examples:

"对比两个账号的 VPC CIDR"
"两个中国区账号各自有几个 EC2 在跑"
"北京账号有没有和宁夏同名的 security group"
"哪些 S3 bucket 只在一个账号里存在"
"两边的 IAM role 一致吗"

Do not use this skill when the user asks about a single explicitly-named account ("查宁夏的 EC2") — that is single-account inventory, not comparison.

Procedure

Step 1 — Identify the resource type and scope

Parse the user's request to extract:

Resource type (EC2 instance, RDS DB, VPC, S3 bucket, IAM role, …)
Scope (全部 / 运行中 / 某 tag / 某 name prefix / 某 region)
Comparison key (name, tag Name, ID, ARN, configuration field)

If any of these is ambiguous, ask one clarifying question before proceeding.

Step 2 — Run the equivalent describe/list on both endpoints in parallel

Examples:

EC2: aws ec2 describe-instances --filters Name=instance-state-name,Values=running
RDS: aws rds describe-db-instances
VPC: aws ec2 describe-vpcs
S3: aws s3api list-buckets (plus get-bucket-location per bucket since S3 is regional in China)
IAM: aws iam list-roles (partition-wide, same per account)

Step 3 — Correlate across accounts

Match resources across the two accounts using the comparison key from Step 1. Partition the results into three buckets:

Only in aws-cn — present in Ningxia, absent in Beijing
Only in aws-cn-2 — present in Beijing, absent in Ningxia
In both — present in both accounts (matched by key)

For bucket 3, surface any configuration differences the user asked about (e.g., different CIDRs, different instance types, different tags).

Step 4 — Present the diff

Use a table when comparing configuration:

Resource (by name)	aws-cn (Ningxia)	aws-cn-2 (Beijing)
`prod-web-sg`	`0.0.0.0/0:443` allowed	`0.0.0.0/0:443` allowed
`prod-db-sg`	exists	missing

Use grouped sections when listing disjoint sets:

### Only in aws-cn (Ningxia)
- i-0aaa... (t3.medium)
- i-0bbb... (t3.small)

### Only in aws-cn-2 (Beijing)
- i-0xxx... (t3.large)

### In both
(none, or list matched pairs)

Step 5 — Summarize findings

End the response with 1–3 sentences of interpretation: is the drift expected (e.g. DR-style asymmetry) or unexpected (e.g. missing resource)? Do not remediate — this skill is read-only analysis.

Things not to do

Do not assume two resources with the same name are "the same" — they are different AWS resources in different accounts. Say "matched by name" or "matched by tag X", never "the same resource".
Do not silently drop resources from one side if the API fails on that side. If aws-cn-2 returned an error, report "aws-cn-2: failed with " and still show aws-cn's data — do not pretend aws-cn-2 has no resources.
Do not iterate sequentially on the two accounts when parallel is possible. Users expect one round-trip latency, not two.
Do not reformat IDs or ARNs when presenting — they need to be copy-pasteable back into AWS CLI.

Examples

Input: "对比两个账号的 VPC CIDR"

Action: Parallel aws ec2 describe-vpcs on both. Extract CidrBlock and Tags[Name] per VPC. Match by tag Name. Output:

VPC Name	aws-cn (Ningxia)	aws-cn-2 (Beijing)
`default`	`172.31.0.0/16`	`172.31.0.0/16`
`prod`	`10.0.0.0/16`	`10.1.0.0/16`
`dev`	`10.10.0.0/16`	— (absent)

Summary: "aws-cn-2 is missing the dev VPC; default overlaps (expected, both accounts use AWS's default). prod CIDRs are distinct (no overlap, safe to peer later if needed)."

Input: "两个账号各自多少个 running EC2"

Action: Parallel describe-instances --filters state=running. Output just counts plus instance IDs:

aws-cn (Ningxia):   3 running — i-0a, i-0b, i-0c
aws-cn-2 (Beijing): 1 running — i-0x

Input: "哪些 IAM role 只存在于宁夏账号，北京账号没有"

Action: Parallel aws iam list-roles on both. Compute set difference. Output:

### Only in aws-cn (Ningxia) — 2 roles
- mcp-pod-reader
- eks-node-group-extra

### Only in aws-cn-2 (Beijing) — 0 roles

### In both — 14 roles
(not listed unless requested)

cross-account-inventory-compare

Cross-Account Resource Inventory & Comparison

When to use

Procedure

Step 1 — Identify the resource type and scope

Step 2 — Run the equivalent describe/list on both endpoints in parallel

Step 3 — Correlate across accounts

Step 4 — Present the diff

Step 5 — Summarize findings

Things not to do

Examples

Más de este repositorio

Más de este repositorio

Cross-Account Resource Inventory & Comparison

When to use

Procedure

Step 1 — Identify the resource type and scope

Step 2 — Run the equivalent describe/list on both endpoints in parallel

Step 3 — Correlate across accounts

Step 4 — Present the diff

Step 5 — Summarize findings

Things not to do

Examples