一键在 Manus 中运行任何 Skill

$pwd:

china-account-prevention-checks

Name: China Account Prevention Checks
Author: aws-samples

// Proactive prevention and pre-alarm health checks across the two China region accounts (aws-cn and aws-cn-2). Use this skill when the user asks about prevention, 防护, 预防, proactive, 体检, health check, risk assessment, 潜在风险, 隐患, or "what might break soon", and when the Evaluation agent runs scheduled recommendation workflows. Looks for conditions that predict future incidents — single points of failure, service quotas nearing limits, stale AMIs, aging credentials, certificates expiring within 30 days, deprecated Lambda runtimes. This skill is distinct from cross-account-security-posture-check, which reports current-state security risk. Prevention predicts future failure; security posture describes current exposure.

在 Manus 中运行

$ git log --oneline --stat

stars:1

forks:0

updated:2026年5月28日 03:56

SKILL.md

readonly

name

china-account-prevention-checks

description

Proactive prevention and pre-alarm health checks across the two China region accounts (aws-cn and aws-cn-2). Use this skill when the user asks about prevention, 防护, 预防, proactive, 体检, health check, risk assessment, 潜在风险, 隐患, or "what might break soon", and when the Evaluation agent runs scheduled recommendation workflows. Looks for conditions that predict future incidents — single points of failure, service quotas nearing limits, stale AMIs, aging credentials, certificates expiring within 30 days, deprecated Lambda runtimes. This skill is distinct from cross-account-security-posture-check, which reports current-state security risk. Prevention predicts future failure; security posture describes current exposure.

China Account Prevention Checks

Routing is governed by china-region-multi-account-routing. This skill runs predictive checks across both accounts and ranks findings by time-to-likely-incident, not by static severity.

Intended agent type

Upload with Agent Type Evaluation selected. This skill loads during scheduled prevention workflows and when a user asks for proactive review. Do not leave Agent Type as Generic — it is noisy in incident paths.

When to use

Scheduled Evaluation runs (daily/weekly)
User phrases like "体检一下两个账号", "有什么潜在风险", "哪些东西快挂", "proactive review", "preventive maintenance"
Before major events (holiday freeze, product launch, customer demo)

Do not use during an active incident — the user wants triage/RCA then, not a list of unrelated future risks.

Check catalog

Runs across both accounts in parallel. Each check has a time-to-incident estimate that ranks the finding.

#	Check	API	Time-to-incident
1	RDS `MultiAZ=false` on prod-tagged DBs	`rds describe-db-instances`	~30 days (AZ event MTBF)
2	Auto Scaling groups with `min=desired=max=1` on prod	`autoscaling describe-auto-scaling-groups`	~60 days (instance-level MTBF)
3	Service quotas above 80% used	`service-quotas get-service-quota` + CloudWatch usage metrics	Varies — if growth rate suggests hit in 30 days, escalate
4	EC2 running AMIs older than 180 days	`ec2 describe-instances` + `describe-images`	~90 days (CVE exposure compounds)
5	IAM access keys older than 60 days (predictive of expiry)	`iam list-access-keys` + age check	30 days until team's 90-day rotation deadline
6	ACM certs expiring within 30 days	`acm list-certificates` + `describe-certificate`	IMMEDIATE if < 14 days
7	Lambda runtimes marked deprecated by AWS	`lambda list-functions` + runtime vs. [deprecation schedule]	Varies — check official AWS deprecation dates
8	EKS node groups with `desiredSize=1`	`eks describe-nodegroup`	~60 days
9	Single-replica Kubernetes Deployments in critical namespaces	via kubectl MCP if available, else skip	~60 days

If the user narrows the ask ("只看证书", "RDS 有没有问题"), run only the relevant checks. Default = all checks.

Procedure

Step 1 — Parallel execution

For each (account, check) pair, issue API calls concurrently. Do not serialize across the 9 checks × 2 accounts.

Step 2 — Classify by urgency

Assign each finding one of four urgency bands based on time-to-incident:

IMMEDIATE (< 14 days until failure)
SOON (14–30 days)
WATCH (30–60 days)
TRACK (60–90 days or longer)

Step 3 — Rank and present

Two-level grouping: urgency first, then account within urgency.

## 🔴 IMMEDIATE (< 14 days)

### aws-cn (Ningxia)
- [acm-expiry] Certificate `prod.yingchu.cloud` expires in 7 days (2026-05-18)
  → Trigger renewal; DNS validation CNAME already present

## 🟠 SOON (14–30 days)

### aws-cn (Ningxia)
- [iam-key-age] User `ci-deployer` access key created 62 days ago — team
  policy is 90 days, rotation window opens in 28 days

### aws-cn-2 (Beijing)
- [rds-multiaz] Prod RDS `prod-db-nrt` has MultiAZ disabled; AZ outage
  would cause ~30 min downtime

## 🟡 WATCH (30–60 days) — N findings omitted (ask to expand)
## 🟢 TRACK (60+ days) — M findings omitted

Step 4 — Scorecard + nudge

End with a per-account scorecard:

aws-cn:    1 Immediate / 1 Soon / 3 Watch / 2 Track
aws-cn-2:  0 Immediate / 1 Soon / 2 Watch / 1 Track

And a single actionable nudge pointing at the highest-urgency item.

Things not to do

Do not execute remediation (rotate keys, renew certs, scale up). This skill is read-only.
Do not duplicate findings already reported by cross-account-security-posture-check in the same session. If the user already ran security audit, defer overlapping checks to it.
Do not raise alarms on AWS-managed auto-renewing resources (e.g., ACM certs issued via AWS have auto-renewal when DNS validation record is present — only flag when renewal is blocked).
Do not assume service quotas in China mirror global region quotas; they can differ. Always read the live quota, don't hardcode.
Do not confuse this with security-posture. If in doubt — "is this currently exploitable?" → security. "Will this fail sometime?" → prevention.

Examples

Input: "体检一下两个中国区账号"

Action: Run all 9 checks on both accounts, produce the full urgency- banded report + scorecard.

Input: "两个账号证书还有多久过期"

Action: Check #6 only, both accounts, list all certs with expiry date and days remaining.

Input: "哪些是 immediate 要处理的"

Action: Same as full run but filter to IMMEDIATE band only. If empty, confirm "No immediate-urgency findings in either account."

related-skills.json

同仓库

china-incident-mitigation.md

from "aws-samples/sample-skills-for-AWS-Devops-agent"

Draft step-by-step mitigation CLI commands for a root-caused incident in either China account (aws-cn or aws-cn-2). Use this skill after RCA has identified the root cause, when the user asks for mitigation, remediation, 缓解, 修复, 回滚, rollback, restore service, 怎么修, fix it, 怎么办. Covers common mitigation patterns such as credential rotation, Kubernetes pod rollout-restart, ALB target group reattach, security group rule revoke, IAM policy rollback, and safe CloudFormation stack rollback. Output always includes the exact CLI command, a one-line explanation of what it changes, a rollback/undo command, and an explicit human approval prompt. CRITICAL — this skill NEVER executes commands autonomously; every mitigation step requires explicit user approval before running.

2026-05-281

china-incident-rca.md

from "aws-samples/sample-skills-for-AWS-Devops-agent"

Root cause analysis for a triaged incident in either China account (aws-cn or aws-cn-2). Use this skill after triage has produced a Triage Card, or when the user directly asks RCA, 根本原因, 根因, 为什么挂, why did X fail, deep dive, deep investigation, 深入分析, dig into, 调查. Correlates the CloudTrail API log window around the incident, recent deploy events (CloudFormation stack events, CodeDeploy, ECR pushes, Lambda updates), metric anomalies against prior-week baseline, and cross-account blast radius — specifically, whether the same failure pattern also hit the other China account around the same time, which would suggest a shared upstream cause (IAM partition-wide, AWS region event, or common dependency). Produces a single root-cause hypothesis plus the evidence chain. Does NOT execute remediation.

2026-05-281

china-incident-triage.md

from "aws-samples/sample-skills-for-AWS-Devops-agent"

First-response triage for an incoming alarm, ticket, or failure report originating from either China account (aws-cn or aws-cn-2). Use this skill when the trigger is an alarm name, CloudWatch alarm payload, SIM ticket body, error log snippet, or a user phrase such as 告警, 出事了, 服务挂了, incident, triage, 分类, 初步判断, 看一下这个告警, what happened. Determines which of the two accounts is affected, classifies the incident into one of six classes (compute / network / identity-credentials / data / cost / unknown), estimates severity from the signal, and checks whether a similar incident fired recently so duplicates are marked. Output is a short triage card that hands off to RCA or mitigation depending on severity. This skill is the entry point of the incident response pipeline.

2026-05-281

china-region-multi-account-routing.md

from "aws-samples/sample-skills-for-AWS-Devops-agent"

Routing and disambiguation guidance for the two AWS China region MCP servers exposed by this Agent Space. Use this skill whenever the user's request mentions "中国区", "China", "cn-north-1", "cn-northwest-1", "Beijing", "Ningxia", or any AWS resource that must resolve to a specific China partition account. The skill explains which MCP endpoint maps to which account, how to pick when the user does not specify, and how to label cross-account results so the user can tell them apart.

2026-05-281

cn-partition-arn-routing.md

from "aws-samples/sample-skills-for-AWS-Devops-agent"

Diagnose and explain AWS partition ARN mismatches in China region accounts. Use this skill whenever an investigation in `cn-north-1` or `cn-northwest-1` involves ARNs starting with `arn:aws:` instead of `arn:aws-cn:`, or whenever symptoms include AccessDenied, AuthFailure, MalformedPolicyDocument, NoSuchEntity, or "principal cannot be assumed" errors against IAM roles, SNS topics, KMS keys, S3 buckets, or any other ARN-bearing resource. Triggers also include the user mentioning "partition", "aws-cn vs aws", "cross-partition", "中国区 ARN 不对", "global partition ARN in China account", "trust policy 写错了", or pasting any ARN that looks like `arn:aws:iam::*` while the account context is China. Importantly, use this skill BEFORE concluding that an IAM trust policy or resource policy is "missing permissions" — the more common root cause in China region accounts is a partition string mismatch that the agent and generic LLM debuggers consistently get wrong.

2026-05-281

cross-account-cost-attribution.md

from "aws-samples/sample-skills-for-AWS-Devops-agent"

Retrieve, compare, and attribute AWS spend across the two China region accounts (aws-cn in cn-northwest-1 and aws-cn-2 in cn-north-1). Use this skill when the user asks about cost, spend, billing, 花费, 成本, 账单, 多少钱, expensive, 贵, top services, cost breakdown, month-over-month, budget, or wants to know which China account spends more and on what. Covers month-to-date, last month, last 90 days, and custom time ranges. Also use when the user wants to correlate cost with specific resources or services (e.g. "哪个账号的 EC2 花费高"). Report totals per account, top services per account, and deltas vs previous period when available.

2026-05-281

package.json

"author": "aws-samples"

"repository": "aws-samples/sample-skills-for-AWS-Devops-agent"

打开 GitHub 仓库查看创作者相关仓库

$ install --global

$ download --local

在 Manus 中运行

name

china-account-prevention-checks

description

China Account Prevention Checks

Routing is governed by china-region-multi-account-routing. This skill runs predictive checks across both accounts and ranks findings by time-to-likely-incident, not by static severity.

Intended agent type

When to use

Scheduled Evaluation runs (daily/weekly)
User phrases like "体检一下两个账号", "有什么潜在风险", "哪些东西快挂", "proactive review", "preventive maintenance"
Before major events (holiday freeze, product launch, customer demo)

Do not use during an active incident — the user wants triage/RCA then, not a list of unrelated future risks.

Check catalog

Runs across both accounts in parallel. Each check has a time-to-incident estimate that ranks the finding.

#	Check	API	Time-to-incident
1	RDS `MultiAZ=false` on prod-tagged DBs	`rds describe-db-instances`	~30 days (AZ event MTBF)
2	Auto Scaling groups with `min=desired=max=1` on prod	`autoscaling describe-auto-scaling-groups`	~60 days (instance-level MTBF)
3	Service quotas above 80% used	`service-quotas get-service-quota` + CloudWatch usage metrics	Varies — if growth rate suggests hit in 30 days, escalate
4	EC2 running AMIs older than 180 days	`ec2 describe-instances` + `describe-images`	~90 days (CVE exposure compounds)
5	IAM access keys older than 60 days (predictive of expiry)	`iam list-access-keys` + age check	30 days until team's 90-day rotation deadline
6	ACM certs expiring within 30 days	`acm list-certificates` + `describe-certificate`	IMMEDIATE if < 14 days
7	Lambda runtimes marked deprecated by AWS	`lambda list-functions` + runtime vs. [deprecation schedule]	Varies — check official AWS deprecation dates
8	EKS node groups with `desiredSize=1`	`eks describe-nodegroup`	~60 days
9	Single-replica Kubernetes Deployments in critical namespaces	via kubectl MCP if available, else skip	~60 days

If the user narrows the ask ("只看证书", "RDS 有没有问题"), run only the relevant checks. Default = all checks.

Procedure

Step 1 — Parallel execution

For each (account, check) pair, issue API calls concurrently. Do not serialize across the 9 checks × 2 accounts.

Step 2 — Classify by urgency

Assign each finding one of four urgency bands based on time-to-incident:

IMMEDIATE (< 14 days until failure)
SOON (14–30 days)
WATCH (30–60 days)
TRACK (60–90 days or longer)

Step 3 — Rank and present

Two-level grouping: urgency first, then account within urgency.

## 🔴 IMMEDIATE (< 14 days)

### aws-cn (Ningxia)
- [acm-expiry] Certificate `prod.yingchu.cloud` expires in 7 days (2026-05-18)
  → Trigger renewal; DNS validation CNAME already present

## 🟠 SOON (14–30 days)

### aws-cn (Ningxia)
- [iam-key-age] User `ci-deployer` access key created 62 days ago — team
  policy is 90 days, rotation window opens in 28 days

### aws-cn-2 (Beijing)
- [rds-multiaz] Prod RDS `prod-db-nrt` has MultiAZ disabled; AZ outage
  would cause ~30 min downtime

## 🟡 WATCH (30–60 days) — N findings omitted (ask to expand)
## 🟢 TRACK (60+ days) — M findings omitted

Step 4 — Scorecard + nudge

End with a per-account scorecard:

aws-cn:    1 Immediate / 1 Soon / 3 Watch / 2 Track
aws-cn-2:  0 Immediate / 1 Soon / 2 Watch / 1 Track

And a single actionable nudge pointing at the highest-urgency item.

Things not to do

Do not execute remediation (rotate keys, renew certs, scale up). This skill is read-only.
Do not duplicate findings already reported by cross-account-security-posture-check in the same session. If the user already ran security audit, defer overlapping checks to it.
Do not raise alarms on AWS-managed auto-renewing resources (e.g., ACM certs issued via AWS have auto-renewal when DNS validation record is present — only flag when renewal is blocked).
Do not assume service quotas in China mirror global region quotas; they can differ. Always read the live quota, don't hardcode.
Do not confuse this with security-posture. If in doubt — "is this currently exploitable?" → security. "Will this fail sometime?" → prevention.

Examples

Input: "体检一下两个中国区账号"

Action: Run all 9 checks on both accounts, produce the full urgency- banded report + scorecard.

Input: "两个账号证书还有多久过期"

Action: Check #6 only, both accounts, list all certs with expiry date and days remaining.

Input: "哪些是 immediate 要处理的"

Action: Same as full run but filter to IMMEDIATE band only. If empty, confirm "No immediate-urgency findings in either account."

china-account-prevention-checks

China Account Prevention Checks

Intended agent type

When to use

Check catalog

Procedure

Step 1 — Parallel execution

Step 2 — Classify by urgency

Step 3 — Rank and present

Step 4 — Scorecard + nudge

Things not to do

Examples

同仓库更多 Skills

同仓库更多 Skills

China Account Prevention Checks

Intended agent type

When to use

Check catalog

Procedure

Step 1 — Parallel execution

Step 2 — Classify by urgency

Step 3 — Rank and present

Step 4 — Scorecard + nudge

Things not to do

Examples