一键导入
aws-cli-playbook
Canonical AWS CLI patterns for discover, plan, deploy, validate, and rollback
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Canonical AWS CLI patterns for discover, plan, deploy, validate, and rollback
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
**AWS Coworker Development Guardrails** - MANDATORY when extending or modifying AWS Coworker itself. TRIGGERS (use this skill when ANY of these apply): - User asks to add new skills, agents, or commands to AWS Coworker - User asks to modify existing AWS Coworker components - User asks about AWS Coworker architecture or design - User wants to add support for new AWS services - Discussion involves directory structure or file organization - User mentions "extending", "customizing", or "adding to" AWS Coworker - Creating or modifying files in: skills/, .claude/agents/, .claude/commands/, config/ NOT for: Using AWS Coworker to interact with AWS (that's CLAUDE.md's domain)
AWS Well-Architected Framework alignment for planning and review
Organization governance policies - never do, always do, and compliance rules
Git and GitHub best practices for AWS Coworker change management
Multi-account and OU strategy, landing zone patterns, and workload placement
Cost-aware AWS interaction and optimization patterns
| name | aws-cli-playbook |
| description | Canonical AWS CLI patterns for discover, plan, deploy, validate, and rollback |
| version | 1.0.0 |
| category | aws |
| agents | ["aws-coworker-core","aws-coworker-planner","aws-coworker-executor"] |
| tools | ["Bash","Read"] |
This skill provides canonical AWS CLI patterns for safe, effective AWS interactions. It covers discovery, planning, deployment, validation, and rollback patterns across major AWS services.
# Always explicit - never rely on defaults
aws ec2 describe-instances \
--profile dev-admin \
--region us-east-1
# JSON for parsing
aws ec2 describe-instances --output json
# Table for human review
aws ec2 describe-instances --output table
# Text for scripting
aws ec2 describe-instances --output text
# JMESPath queries for specific data
aws ec2 describe-instances \
--query 'Reservations[*].Instances[*].[InstanceId,State.Name,Tags[?Key==`Name`].Value|[0]]' \
--output table
# Test before execute
aws ec2 run-instances --dry-run ...
aws ec2 terminate-instances --dry-run ...
# Capture and verify
RESULT=$(aws ec2 run-instances ... --output json)
INSTANCE_ID=$(echo $RESULT | jq -r '.Instances[0].InstanceId')
echo "Created instance: $INSTANCE_ID"
# Who am I?
aws sts get-caller-identity --profile {profile}
# What permissions do I have? (simulate)
aws iam simulate-principal-policy \
--policy-source-arn arn:aws:iam::123456789012:user/myuser \
--action-names ec2:DescribeInstances ec2:RunInstances \
--profile {profile}
# List my roles
aws iam list-roles --profile {profile}
# All instances
aws ec2 describe-instances \
--profile {profile} \
--region {region}
# Running instances only
aws ec2 describe-instances \
--filters "Name=instance-state-name,Values=running" \
--profile {profile} \
--region {region}
# Instances by tag
aws ec2 describe-instances \
--filters "Name=tag:Environment,Values=production" \
--profile {profile} \
--region {region}
# Instance summary table
aws ec2 describe-instances \
--query 'Reservations[*].Instances[*].[InstanceId,InstanceType,State.Name,Tags[?Key==`Name`].Value|[0],PrivateIpAddress]' \
--output table \
--profile {profile} \
--region {region}
# All VPCs
aws ec2 describe-vpcs \
--profile {profile} \
--region {region}
# Subnets with details
aws ec2 describe-subnets \
--query 'Subnets[*].[SubnetId,VpcId,CidrBlock,AvailabilityZone,Tags[?Key==`Name`].Value|[0]]' \
--output table \
--profile {profile} \
--region {region}
# Security groups
aws ec2 describe-security-groups \
--profile {profile} \
--region {region}
# Security groups with risky rules (0.0.0.0/0)
aws ec2 describe-security-groups \
--query 'SecurityGroups[?IpPermissions[?IpRanges[?CidrIp==`0.0.0.0/0`]]].[GroupId,GroupName,Description]' \
--output table \
--profile {profile} \
--region {region}
# All buckets
aws s3 ls --profile {profile}
# Bucket details
aws s3api get-bucket-location --bucket {bucket} --profile {profile}
aws s3api get-bucket-versioning --bucket {bucket} --profile {profile}
aws s3api get-bucket-encryption --bucket {bucket} --profile {profile}
aws s3api get-public-access-block --bucket {bucket} --profile {profile}
# Bucket size (can be slow for large buckets)
aws s3 ls s3://{bucket} --recursive --summarize --profile {profile}
# All DB instances
aws rds describe-db-instances \
--profile {profile} \
--region {region}
# DB instance summary
aws rds describe-db-instances \
--query 'DBInstances[*].[DBInstanceIdentifier,DBInstanceClass,Engine,DBInstanceStatus]' \
--output table \
--profile {profile} \
--region {region}
# DB clusters (Aurora)
aws rds describe-db-clusters \
--profile {profile} \
--region {region}
# All functions
aws lambda list-functions \
--profile {profile} \
--region {region}
# Function details
aws lambda get-function \
--function-name {function-name} \
--profile {profile} \
--region {region}
# Function summary
aws lambda list-functions \
--query 'Functions[*].[FunctionName,Runtime,MemorySize,Timeout]' \
--output table \
--profile {profile} \
--region {region}
# All users
aws iam list-users --profile {profile}
# All roles
aws iam list-roles \
--query 'Roles[*].[RoleName,Arn,CreateDate]' \
--output table \
--profile {profile}
# Role policy
aws iam list-attached-role-policies --role-name {role} --profile {profile}
aws iam list-role-policies --role-name {role} --profile {profile}
aws iam get-role-policy --role-name {role} --policy-name {policy} --profile {profile}
# All stacks
aws cloudformation list-stacks \
--stack-status-filter CREATE_COMPLETE UPDATE_COMPLETE \
--profile {profile} \
--region {region}
# Stack details
aws cloudformation describe-stacks \
--stack-name {stack} \
--profile {profile} \
--region {region}
# Stack resources
aws cloudformation list-stack-resources \
--stack-name {stack} \
--profile {profile} \
--region {region}
# Stack events (useful for debugging)
aws cloudformation describe-stack-events \
--stack-name {stack} \
--profile {profile} \
--region {region}
# Start instance
aws ec2 start-instances \
--instance-ids i-xxxxxxxxx \
--profile {profile} \
--region {region}
# Stop instance (data preserved)
aws ec2 stop-instances \
--instance-ids i-xxxxxxxxx \
--profile {profile} \
--region {region}
# Terminate instance (DESTRUCTIVE)
aws ec2 terminate-instances \
--instance-ids i-xxxxxxxxx \
--profile {profile} \
--region {region}
# WARNING: Instance and non-persistent storage deleted
# Add ingress rule
aws ec2 authorize-security-group-ingress \
--group-id sg-xxxxxxxxx \
--protocol tcp \
--port 443 \
--cidr 10.0.0.0/8 \
--profile {profile} \
--region {region}
# Remove ingress rule
aws ec2 revoke-security-group-ingress \
--group-id sg-xxxxxxxxx \
--protocol tcp \
--port 22 \
--cidr 0.0.0.0/0 \
--profile {profile} \
--region {region}
# Copy file
aws s3 cp local-file.txt s3://{bucket}/path/ --profile {profile}
# Sync directory
aws s3 sync ./local-dir s3://{bucket}/path/ --profile {profile}
# Delete object (DESTRUCTIVE)
aws s3 rm s3://{bucket}/path/file.txt --profile {profile}
# Delete bucket contents (VERY DESTRUCTIVE)
aws s3 rm s3://{bucket} --recursive --profile {profile}
# WARNING: All objects deleted, cannot be undone unless versioning enabled
# Add/update tags
aws ec2 create-tags \
--resources i-xxxxxxxxx \
--tags Key=Environment,Value=production Key=Owner,Value=platform-team \
--profile {profile} \
--region {region}
# Remove tags
aws ec2 delete-tags \
--resources i-xxxxxxxxx \
--tags Key=Temporary \
--profile {profile} \
--region {region}
# Create stack
aws cloudformation create-stack \
--stack-name {stack-name} \
--template-body file://template.yaml \
--parameters ParameterKey=Environment,ParameterValue=dev \
--capabilities CAPABILITY_IAM \
--tags Key=Environment,Value=dev \
--profile {profile} \
--region {region}
# Update stack (creates change set)
aws cloudformation create-change-set \
--stack-name {stack-name} \
--change-set-name {change-set-name} \
--template-body file://template.yaml \
--profile {profile} \
--region {region}
# Review change set
aws cloudformation describe-change-set \
--stack-name {stack-name} \
--change-set-name {change-set-name} \
--profile {profile} \
--region {region}
# Execute change set
aws cloudformation execute-change-set \
--stack-name {stack-name} \
--change-set-name {change-set-name} \
--profile {profile} \
--region {region}
# Wait for completion
aws cloudformation wait stack-update-complete \
--stack-name {stack-name} \
--profile {profile} \
--region {region}
# Synthesize (preview CloudFormation)
cdk synth --profile {profile}
# Diff (show changes)
cdk diff --profile {profile}
# Deploy (with approval)
cdk deploy --profile {profile} --require-approval broadening
# Deploy specific stack
cdk deploy MyStack --profile {profile}
# Initialize
terraform init
# Plan (preview)
terraform plan -var-file={env}.tfvars -out=plan.tfplan
# Apply plan
terraform apply plan.tfplan
# Apply with auto-approve (use with caution)
terraform apply -var-file={env}.tfvars -auto-approve
# Automatic rollback on failure (default)
# Stack returns to previous state
# Manual rollback via update
aws cloudformation update-stack \
--stack-name {stack-name} \
--use-previous-template \
--parameters ParameterKey=SomeParam,UsePreviousValue=true \
--profile {profile} \
--region {region}
# Delete failed stack
aws cloudformation delete-stack \
--stack-name {stack-name} \
--profile {profile} \
--region {region}
# Cancel update in progress
aws cloudformation cancel-update-stack \
--stack-name {stack-name} \
--profile {profile} \
--region {region}
# From snapshot (EBS)
aws ec2 create-volume \
--snapshot-id snap-xxxxxxxxx \
--availability-zone {az} \
--profile {profile} \
--region {region}
# Restore from AMI
aws ec2 run-instances \
--image-id ami-xxxxxxxxx \
--instance-type {type} \
--profile {profile} \
--region {region}
# List object versions (if versioning enabled)
aws s3api list-object-versions \
--bucket {bucket} \
--prefix {key} \
--profile {profile}
# Restore previous version
aws s3api copy-object \
--bucket {bucket} \
--copy-source {bucket}/{key}?versionId={version-id} \
--key {key} \
--profile {profile}
Detailed service-specific commands are in:
commands/bedrock.md - Bedrock patterns (model access, inference, guardrails)commands/bedrock-agentcore.md - Bedrock AgentCore patterns (agent runtimes, identity, gateway)commands/cloudformation.md - CloudFormation patternscommands/ec2.md - EC2 patternscommands/ecs.md - ECS patternscommands/eks.md - EKS patternscommands/iam.md - IAM patternscommands/lambda.md - Lambda patternscommands/organizations.md - Organizations patternscommands/rds.md - RDS patternscommands/s3.md - S3 patternscommands/vpc.md - VPC/networking patternsaws-well-architected — Architectural alignmentaws-governance-guardrails — Policy complianceaws-org-strategy — Multi-account context