菜单
[Applies to: **/*] Definitive guidelines for secure, reproducible, and efficient use of the AWS CLI, emphasizing modern DevOps practices and automation.
Add non-text files to a person's artifacts folder. Use when saving images, documents, or other files related to someone. Trigger words: artifact, save image, add photo, attach file, store document.
Token-efficient tracking for AI orchestration. CLI-first for status updates (~50 tokens), agent fallback for complex ops (~1KB). Use when: updating task status, querying blockers, creating progress files, validating phases.
AshAi extension guidelines for integrating AI capabilities with Ash Framework. Use when implementing vectorization/embeddings, exposing Ash actions as LLM tools, creating prompt-backed actions, or setting up MCP servers. Covers semantic search, LangChain integration, and structured outputs.
ASI Agent-O-Rama Skill
This skill should be used when solving hard questions, complex architectural problems, or debugging issues that benefit from GPT-5 Pro or GPT-5.1 thinking models with large file context. Use when standard Claude analysis needs deeper reasoning or extended context windows.
Personal assistant for daily routines, task management, and productivity
| name | aws-cli |
| description | [Applies to: **/*] Definitive guidelines for secure, reproducible, and efficient use of the AWS CLI, emphasizing modern DevOps practices and automation. |
| source | cursor_mdc |
The AWS CLI is your primary interface for programmatic interaction with AWS. Adhering to these best practices ensures your CLI usage is secure, reproducible, and efficient, aligning with modern DevOps principles.
Organize your AWS CLI interactions into well-defined scripts or functions. Avoid one-off commands for anything beyond simple queries.
Always define multiple named profiles for different environments (e.g., dev, test, prod) and projects. This prevents accidental operations in the wrong account.
❌ BAD: Relying on default profile or constantly switching credentials.
# Easy to accidentally target production
aws s3 rm s3://my-prod-bucket --recursive
✅ GOOD: Explicitly using named profiles.
# ~/.aws/config
# [profile dev]
# region = us-east-1
# output = json
# [profile prod]
# region = us-east-1
# output = json
# In your script or terminal
aws s3 ls --profile dev
aws s3 rm s3://my-dev-bucket --recursive --profile dev
Ensure consistent behavior by pinning the AWS CLI version in automated environments. Use awscli-v2 for modern features and stability.
❌ BAD: Relying on the latest available version in CI/CD.
# .github/workflows/deploy.yml
# ...
# - name: Install AWS CLI
# run: pip install awscli # Installs latest, potentially breaking changes
✅ GOOD: Using a specific, tested version (e.g., via Docker).
# .github/workflows/deploy.yml
# ...
- name: Deploy with AWS CLI v2
uses: docker://amazon/aws-cli:2.15.30 # Pin to a specific, validated version
with:
args: s3 sync ./app s3://my-bucket-name --delete --profile prod
Adopt patterns that promote automation, idempotency, and machine-readability.
jq for ParsingAlways output in json format and use jq for robust, idempotent parsing. Avoid parsing human-readable formats like text or table.
❌ BAD: Parsing text output is brittle and prone to breakage from CLI updates.
# Output format can change, breaking script
aws ec2 describe-instances --output text | grep "running" | awk '{print $NF}'
✅ GOOD: Using json and jq for reliable, structured parsing.
# Get running instance IDs
aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" \
--query 'Reservations[*].Instances[*].InstanceId' --output json | jq -r '.[] | .[]'
Include explicit validation steps in your scripts to catch misconfigurations or permission issues early, preventing costly failures.
❌ BAD: Assuming credentials are correct and permissions are sufficient.
# Script proceeds even if credentials are bad or lack permissions
aws s3 cp local.txt s3://my-bucket/
✅ GOOD: Validating caller identity before critical operations.
if ! aws sts get-caller-identity --profile prod > /dev/null 2>&1; then
echo "ERROR: Failed to authenticate with 'prod' profile. Check credentials and IAM role."
exit 1
fi
aws s3 cp local.txt s3://my-bucket/ --profile prod
Optimize CLI commands for speed and resource usage, especially when dealing with large datasets.
--query and --filtersReduce network traffic and processing by filtering results directly in the CLI command rather than fetching all data and post-processing with jq.
❌ BAD: Fetching all data then filtering locally.
aws ec2 describe-instances --output json | jq -r '.Reservations[].Instances[] | select(.State.Name=="running") | .InstanceId'
✅ GOOD: Filtering on the AWS side using --filters and --query.
aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" \
--query 'Reservations[*].Instances[*].InstanceId' --output json | jq -r '.[] | .[]'
For commands that return many results, use --page-size and --max-items for controlled pagination. For write operations, use batch commands when available to reduce API calls.
✅ GOOD: Efficiently listing many S3 objects.
# List 1000 objects at a time, then continue, up to 5000 total
aws s3api list-objects-v2 --bucket my-large-bucket --page-size 1000 --max-items 5000 --output json
Avoid common mistakes that lead to security vulnerabilities or operational failures.
Store credentials securely outside of scripts and version control. Hardcoding is the weakest link in cloud security.
❌ BAD: Hardcoding AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in scripts.
export AWS_ACCESS_KEY_ID="AKIA..." # NEVER DO THIS
export AWS_SECRET_ACCESS_KEY="wJalr..." # NEVER DO THIS
aws s3 ls
✅ GOOD: Using named profiles, IAM roles, or temporary credentials.
# Credentials managed in ~/.aws/credentials or assumed via IAM role
aws s3 ls --profile dev
Regularly validate your ~/.aws/config and ~/.aws/credentials files, especially after manual edits or when troubleshooting.
✅ GOOD: Using the built-in validation.
aws configure list --profile dev # Verifies profile exists and lists its configuration
Centralize and secure your AWS CLI configuration.
~/.aws/config and ~/.aws/credentialsThese are the standard, secure locations for CLI configuration and credentials. Keep them separate for clarity and security.
# ~/.aws/config (for profile-specific settings like region, output, role assumption)
[profile dev]
region = us-east-1
output = json
role_arn = arn:aws:iam::123456789012:role/DevRole
source_profile = default
# ~/.aws/credentials (for actual access keys, typically for base profile)
[default]
aws_access_key_id = AKIA...
aws_secret_access_key = wJalr...
For sensitive values (API keys, database passwords) used by CLI scripts, retrieve them dynamically at runtime. Never embed them in scripts or config files directly.
✅ GOOD: Fetching secrets at runtime.
DB_PASSWORD=$(aws secretsmanager get-secret-value --secret-id my-db-secret --query SecretString --output text --profile dev)
echo "Connecting with password: $DB_PASSWORD"
Leverage environment variables for dynamic configuration without modifying scripts, enabling portable automation.
AWS_PROFILE and AWS_REGIONControl which profile and region your commands target without requiring --profile and --region flags on every command. This is crucial for CI/CD.
❌ BAD: Forgetting --profile or --region and relying on defaults.
aws s3 ls # Might use default profile or wrong region
✅ GOOD: Setting environment variables for script context.
# In a script or shell session
export AWS_PROFILE=prod
export AWS_REGION=us-west-2
aws s3 ls # Will use 'prod' profile in 'us-west-2'
Implement robust logging for auditability, debugging, and compliance.
Capture command invocations and their responses, especially in automated scripts. This provides a clear audit trail.
✅ GOOD: Logging to a file or standard output.
LOG_FILE="aws_script_$(date +%Y%m%d_%H%M%S).log"
echo "Executing: aws s3 ls --profile dev" | tee -a "$LOG_FILE"
aws s3 ls --profile dev | tee -a "$LOG_FILE"
In automated pipelines, ensure CLI output is captured and sent to CloudWatch Logs for centralized monitoring, alerting, and long-term retention.
Ensure the reliability and correctness of your AWS CLI scripts through systematic testing.
For complex scripts, use tools like moto (for Python-based AWS interactions) to mock AWS services locally. This enables faster unit testing without incurring AWS costs or hitting actual endpoints.
Run your CLI scripts as part of your CI/CD pipeline against dedicated, isolated non-production AWS accounts. This validates end-to-end functionality and permissions.
✅ GOOD: Automated pipeline step.
# .github/workflows/test.yml
# ...
- name: Run AWS CLI integration tests
run: |
./scripts/validate_s3_bucket.sh --profile test
./scripts/check_lambda_status.sh --profile test
env:
AWS_PROFILE: test # Ensure test profile is used for integration tests
Before deployment, use tools like AWS Config conformance packs or Open Policy Agent (OPA) to validate that IAM policies and resource configurations (often managed via IaC and CLI) adhere to security and operational best practices.