| name | aws-scan-apps |
| description | Map application-layer AWS resources (ECS, Lambda, ALB, API Gateway) and write a topology to AWS_STATE_DIR. |
| model | sonnet |
| effort | medium |
| context | fork |
Procedure
ASA-1. Verify prerequisites.
ASA-2. Enumerate (pass --profile $AWS_PROFILE --region $AWS_DEFAULT_REGION):
- ECS: list-clusters, list-services, describe-task-definition
- Lambda:
aws lambda list-functions
- ALB/NLB:
aws elbv2 describe-load-balancers
- API GW REST:
aws apigateway get-rest-apis
- API GW HTTP:
aws apigatewayv2 get-apis
- CloudFront:
aws cloudfront list-distributions
ASA-3. Build topology: entry points (ALB/API GW/CloudFront) → compute (ECS/Lambda).
ASA-4. Write raw data to $AWS_STATE_DIR/apps-<YYYYMMDD>.json.
ASA-5. Write human-readable summary to $AWS_STATE_DIR/apps-<YYYYMMDD>.md:
- Topology table: entry point type | backend type | count
- No ARNs, domain names, or IDs
ASA-6. Print: counts by type (no ARNs, domain names, IDs).
Rules
- Read-only. Domain names, ARNs, IDs must NOT appear in conversation.
- AccessDeniedException → log to state file, continue.
- Include region in each state file entry.
Skip Conditions
Skip if $AWS_STATE_DIR/apps-<YYYYMMDD>.json exists and is less than 4 hours old.