From argos
AWS fundamentals discipline (S3 + RDS + Lambda + IAM deep dive). A transitioning-customer guide for a DigitalOcean/Cloudflare-leaning plugin; not comprehensive AWS coverage, but the core patterns of 4 services plus an IAM deep dive. EKS is out of scope (`kubernetes-troubleshooting` + AWS-specific section). EventBridge/Aurora/Organizations/Control Tower are planned for a later release. Cloud platform pattern; no new agents (`platform-engineer` for topology, `security-reviewer` for IAM, `database-optimizer` for RDS).
```bash
npx claudepluginhub resultakak/argos --plugin argos
```
`agents/shared/severity-rubric.md` and `agents/shared/escalation-matrix.md` are default-loaded (agents/coordination.md §11). Output is in Critical / High / Medium / Low + evidence format. Findings outside this skill's ownership are delegated:
- security-reviewer — IAM, OWASP A01 (IDOR/broken access), bucket policy
- database-optimizer — RDS parameter group, slow query, IAM auth
- platform-engineer — VPC topology, Lambda networking, multi-region
- performance-profiler — Lambda cold start, p99 latency
- finops-review — Budgets, Anomaly Detection, Reserved/Savings Plans
- infrastructure-implementer — Terraform / CloudFormation IaC

`Action: "*"` is forbidden in prod.

| Topic | Tool | Notes |
|---|---|---|
| CLI | aws v2 | Profile per account (multi-account) |
| Read-only inspect | Read APIs (s3api, iam, lambda, rds, cloudtrail) | Profile with a read-only role |
| Policy lint | cfn-lint, iam-policy-json-to-terraform, parliament | Wildcard detection |
| Access analyzer | aws accessanalyzer | Unused permissions |
| Cost | aws ce (Cost Explorer), aws budgets | Tag dimension |
| Audit | aws cloudtrail, CloudTrail Lake | SQL-style query |
| IaC | Terraform aws provider, CDK | Parallel to DOAP/DOKS Terraform |
| IAM simulation | aws iam simulate-principal-policy | Pre-deployment check |
```bash
# Active region + identity
aws sts get-caller-identity
aws ec2 describe-regions --query 'Regions[].RegionName' --output table
# Account-level BPA (Block Public Access)
aws s3control get-public-access-block --account-id "$(aws sts get-caller-identity --query Account --output text)"
# CloudTrail status
aws cloudtrail describe-trails --output table
aws cloudtrail get-trail-status --name <trail-name>
# IAM password policy
aws iam get-account-password-policy
# Org status
aws organizations describe-organization 2>/dev/null || echo "Standalone account"
```
```bash
# All buckets + public access status
aws s3api list-buckets --query 'Buckets[].Name' --output text | tr '\t' '\n' | while read -r b; do
  bpa=$(aws s3api get-public-access-block --bucket "$b" 2>/dev/null \
    | jq -r '.PublicAccessBlockConfiguration | "BPA=\(.BlockPublicAcls)/\(.IgnorePublicAcls)/\(.BlockPublicPolicy)/\(.RestrictPublicBuckets)"')
  # Any grant to the AllUsers group means the ACL is public
  acl=$(aws s3api get-bucket-acl --bucket "$b" 2>/dev/null --query 'Grants[?Grantee.URI==`http://acs.amazonaws.com/groups/global/AllUsers`].Permission' --output text)
  policy=$(aws s3api get-bucket-policy-status --bucket "$b" 2>/dev/null | jq -r '.PolicyStatus.IsPublic')
  echo "$b: ${bpa:-BPA=none} acl_public=${acl:-none} policy_public=${policy:-no-policy}"
done
# Encryption + versioning
for b in $(aws s3api list-buckets --query 'Buckets[].Name' --output text); do
  sse=$(aws s3api get-bucket-encryption --bucket "$b" 2>/dev/null | jq -r '.ServerSideEncryptionConfiguration.Rules[0].ApplyServerSideEncryptionByDefault.SSEAlgorithm')
  ver=$(aws s3api get-bucket-versioning --bucket "$b" --query 'Status' --output text)
  echo "$b: sse=${sse:-NONE} versioning=${ver:-Disabled}"
done
```
```bash
# Instances + engine + multi-AZ + encryption
aws rds describe-db-instances --query \
  'DBInstances[].{ID:DBInstanceIdentifier,Engine:Engine,Class:DBInstanceClass,MultiAZ:MultiAZ,Encrypted:StorageEncrypted,IAM:IAMDatabaseAuthenticationEnabled}' \
  --output table
# Backup retention
aws rds describe-db-instances --query \
  'DBInstances[].{ID:DBInstanceIdentifier,Backup:BackupRetentionPeriod,PITR:LatestRestorableTime}' \
  --output table
# Is the parameter group custom (not default.*)?
aws rds describe-db-instances --query \
  'DBInstances[].{ID:DBInstanceIdentifier,ParameterGroup:DBParameterGroups[0].DBParameterGroupName}' \
  --output table
# Is pg_stat_statements installed (Postgres)?
psql -h <endpoint> -U <user> -c "SELECT * FROM pg_extension WHERE extname='pg_stat_statements';"
```
```bash
# All functions + memory + timeout + runtime
aws lambda list-functions --query \
  'Functions[].{Name:FunctionName,Runtime:Runtime,Memory:MemorySize,Timeout:Timeout,Concurrency:ReservedConcurrentExecutions}' \
  --output table
# Cold start observation (X-Ray traces, last hour)
aws xray get-trace-summaries --start-time "$(date -d '-1 hour' +%s)" --end-time "$(date +%s)" \
  --filter-expression 'service("<svc-name>")' --output table
# Provisioned concurrency
aws lambda list-provisioned-concurrency-configs --function-name <fn>
```
```bash
# All roles
aws iam list-roles --output json | jq -r '.Roles[].RoleName' > /tmp/roles.txt
# Wildcard policy detection (customer-managed policies, default version)
aws iam list-policies --scope Local --output json | jq -r '.Policies[].Arn' | while read -r arn; do
  doc=$(aws iam get-policy-version --policy-arn "$arn" --version-id "$(aws iam get-policy --policy-arn "$arn" --query 'Policy.DefaultVersionId' --output text)")
  if echo "$doc" | jq -e '.PolicyVersion.Document.Statement[] | select(.Action == "*" or (.Action | type == "array" and contains(["*"])))' > /dev/null; then
    echo "WILDCARD: $arn"
  fi
done
# Access Analyzer findings
aws accessanalyzer list-findings --analyzer-arn arn:aws:access-analyzer:eu-west-1:<account-id>:analyzer/zone-trust \
  --filter '{"status":{"eq":["ACTIVE"]}}'
# Unused credentials
aws iam generate-credential-report
aws iam get-credential-report --query 'Content' --output text | base64 -d
# user, access_key_1_last_used_date, password_last_used → unused for 90+ days
```
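The jq loop above only flags `Action: "*"` and assumes `Statement` is an array. The following check, added here as an example (not argos code), covers the other shapes IAM allows: an object-valued `Statement`, string-valued `Action`/`Resource`, `*:*`, service-level wildcards such as `iam:*`, `NotAction`, and `Resource: "*"`; the sample policy is constructed.

```python
import json

def _as_list(value):
    """IAM allows a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _is_full_wildcard(action):
    return action in ("*", "*:*")

def _is_service_wildcard(action):
    # "iam:*" or "s3:*": every action of one service
    return ":" in action and action.split(":", 1)[1] == "*"

def lint_policy(document):
    """Return (statement index, kind, value) findings for Allow statements."""
    findings = []
    for i, stmt in enumerate(_as_list(document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # wildcard Deny statements are guardrails, not findings
        for action in _as_list(stmt.get("Action")):
            if _is_full_wildcard(action):
                findings.append((i, "action_wildcard", action))
            elif _is_service_wildcard(action):
                findings.append((i, "service_wildcard", action))
        if "NotAction" in stmt:
            # NotAction allows everything except the listed actions
            findings.append((i, "not_action", json.dumps(stmt["NotAction"])))
        for res in _as_list(stmt.get("Resource")):
            if res == "*":
                findings.append((i, "resource_wildcard", res))
    return findings

# Constructed sample: one fully open statement, one service wildcard, one deny guardrail
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "iam:*"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Deny", "Action": ["iam:DeleteUser", "cloudtrail:StopLogging"],
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for idx, kind, value in lint_policy(SAMPLE_POLICY):
        print(f"statement[{idx}] {kind}: {value}")
```

Feed it the `.PolicyVersion.Document` object from `aws iam get-policy-version` to replace the jq `select` in the loop above.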
```bash
# Actions a role actually used in the last 30 days
ROLE="app-prod-role"
START=$(date -d '-30 days' --iso-8601=seconds)
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=Username,AttributeValue="$ROLE" \
  --start-time "$START" --max-results 1000 \
  | jq -r '.Events[].CloudTrailEvent | fromjson | "\(.eventSource):\(.eventName)"' \
  | sort -u > /tmp/${ROLE}-actions.txt
# This list → the IAM policy Allow statement (least privilege)
```
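Turning the `eventSource:eventName` list into an Allow statement, as an added example that is not argos code. It assumes the eventName equals the IAM action name, which holds for most management events but not all (two known exceptions are mapped explicitly; CloudTrail's `ListBuckets` needs `s3:ListAllMyBuckets`, and Lambda's `Invoke20150331` needs `lambda:InvokeFunction`), and it keeps `Resource: "*"` only for services you have not yet scoped, reporting them so the statement is fixed before it reaches a prod role. The sample lines are constructed.

```python
import json
import re

VERSION_SUFFIX = re.compile(r"\d{8}$")  # Invoke20150331 -> Invoke
# eventName != IAM action for some APIs; partial map, extend as you verify
KNOWN_RENAMES = {
    "s3:ListBuckets": "s3:ListAllMyBuckets",
    "lambda:Invoke": "lambda:InvokeFunction",
}

def cloudtrail_line_to_action(line):
    """'s3.amazonaws.com:ListBuckets' -> 's3:ListAllMyBuckets'; None if unusable."""
    line = line.strip().strip('"')
    if ":" not in line:
        return None
    source, event = line.split(":", 1)
    service = source.split(".", 1)[0]          # drop '.amazonaws.com'
    action = f"{service}:{VERSION_SUFFIX.sub('', event)}"
    return KNOWN_RENAMES.get(action, action)

def build_policy(lines, resources_by_service):
    """One Allow statement per service. Services with no scoping ARNs get
    Resource "*" and are returned in `unscoped` so they are fixed before use."""
    by_service = {}
    for action in {a for a in map(cloudtrail_line_to_action, lines) if a}:
        by_service.setdefault(action.split(":")[0], set()).add(action)
    statements, unscoped = [], []
    for service in sorted(by_service):
        arns = resources_by_service.get(service)
        if not arns:
            unscoped.append(service)
        statements.append({
            "Sid": f"Observed{service.capitalize()}",
            "Effect": "Allow",
            "Action": sorted(by_service[service]),
            "Resource": sorted(arns) if arns else "*",
        })
    return {"Version": "2012-10-17", "Statement": statements}, unscoped

# Constructed sample in the format of /tmp/<role>-actions.txt
SAMPLE_LINES = [
    '"s3.amazonaws.com:ListBuckets"',
    "s3.amazonaws.com:GetObject",
    "lambda.amazonaws.com:Invoke20150331",
    "sts.amazonaws.com:GetCallerIdentity",
]
SAMPLE_SCOPES = {"s3": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}

if __name__ == "__main__":
    policy, unscoped = build_policy(SAMPLE_LINES, SAMPLE_SCOPES)
    print(json.dumps(policy, indent=2), "\nstill Resource '*':", unscoped)
```

`lookup-events` returns management events only; if the role touches S3 objects, enable S3 data events on the trail first or the GetObject/PutObject actions will be missing from the list.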
```bash
# This month's total (GNU date has no 'start of month'; use the 1st explicitly)
aws ce get-cost-and-usage --time-period Start=$(date +%Y-%m-01),End=$(date +%Y-%m-%d) \
  --granularity MONTHLY --metrics UnblendedCost --output table
# Per-service breakdown
aws ce get-cost-and-usage --time-period Start=$(date -d '-30 days' +%Y-%m-%d),End=$(date +%Y-%m-%d) \
  --granularity DAILY --metrics UnblendedCost \
  --group-by Type=DIMENSION,Key=SERVICE \
  --output table
# Tag policy compliance (untagged spend shows up as an empty Environment group)
aws ce get-cost-and-usage --time-period Start=$(date -d '-30 days' +%Y-%m-%d),End=$(date +%Y-%m-%d) \
  --granularity MONTHLY --metrics UnblendedCost \
  --group-by Type=TAG,Key=Environment | jq '.GroupDefinitions, .ResultsByTime'
# Are there budget alarms?
aws budgets describe-budgets --account-id "$(aws sts get-caller-identity --query Account --output text)"
```
```markdown
# AWS Findings: <account-id> (<env>)
## Critical
- [ ] 3 buckets with BPA off (`acme-prod-uploads`, `acme-prod-static`, `legacy-bkt`) —
      data leak risk; per-bucket BPA + account-wide enforcement
- [ ] `AdminAccessRole` attached to 14 IAM users + MFA off for 8 users — breach
      blast radius
## High
- [ ] RDS `prod-pg-main` multi-AZ off — no HA, manual failover
- [ ] RDS encryption at rest disabled (3 instances) — SOC 2 CC6.4 violation
- [ ] Lambda `extractor-svc` cold start p99 4.2s — no provisioned concurrency,
      on the critical path
- [ ] CloudTrail single-region (eu-west-1); no IAM event capture for us-east-1
## Medium
- [ ] 12 IAM policies with wildcard `Action: "*"` or `Resource: "*"` — shrink
      list available from Access Analyzer (`/tmp/access-findings.json`)
- [ ] Cost: NAT GW egress $480/month; S3 VPC endpoint setup → ~$100/month
- [ ] No budget alert; Anomaly Detection off
## Low
- [ ] No tag policy — cost attribution by Environment/Owner/Project
- [ ] IAM password policy weak (8 chars, no MFA enforcement)
```
- No `Action: "*"` or `Resource: "*"` in prod roles.
- `iam:DeleteUser` and `cloudtrail:StopLogging` explicitly denied.
- Anti-patterns: `*:*` in a prod role; an AllUsers ACL grant instead of a bucket policy; AWSAdministratorAccess as a daily-use role.

- rules/aws.md — discipline rule.
- rules/security.md, rules/owasp-top10.md — A01 IAM least privilege.
- rules/postgres.md — RDS Postgres parameter group, pg_stat_statements.
- rules/compliance.md — CloudTrail, SOC 2 CC6.4/CC7.3 evidence.
- rules/finops.md — Budgets, Anomaly Detection, Reserved/Savings Plans.
- rules/terraform.md — IaC AWS provider.
- skills/owasp-top10/SKILL.md — A01 IDOR/IAM crossover.
- skills/postgres-performance/SKILL.md — RDS Postgres tuning.
- skills/finops-review/SKILL.md — AWS cost optimization.
- agents/security-reviewer.md — IAM audit lead.
- agents/database-optimizer.md — RDS ownership.
- agents/platform-engineer.md — VPC, multi-region, EKS (separate skill).
- commands/aws-review.md — slash entrypoint.