Search everything...

Stats

Actions

Available In

aws

Name: aws
Author: rcrsr

By rcrsr

Operate your AWS infrastructure from Claude Code: stack discovery, live resource resolution, and SSO-aware guardrails that block destructive commands.

npx claudepluginhub rcrsr/aws

Popularity

Stars

Med: 0·Avg: 285

Installs

Med: 0·Avg: 1

What's Inside

Agents4

cdk-engineer

/cdk-engineer

CDK code engineer for the aws plugin. Edits AWS CDK source files across all supported CDK languages (TypeScript, JavaScript, Python, Java, C#, Go). Use when a skill or task needs to add, modify, or remove CDK constructs, props, or tags in CDK source code without deploying to AWS.

cost-analyst

/cost-analyst

Investigate AWS cost spikes and attribute spend to services, tags, and time windows. Compares the affected window against the prior period to isolate deltas and quantify each driver in USD. Use when a bill jumps or the user needs a detailed cost breakdown beyond a quick summary.

diagnostician

/diagnostician

Root-cause a failed deploy, ETL run, or API incident across CloudWatch, ECS, Lambda, and CloudFormation. Use when something is broken in AWS and the cause spans multiple services or the failure source is not yet known.

security-auditor

/security-auditor

Perform a read-only security exposure audit across IAM, S3, and security groups for the discovered stack. Use when you need a thorough security review beyond the quick security-review skill, or when you want ranked findings with exact remediation steps for each exposed resource.

Skills9

cost

/cost

Summarize AWS spend by service and tag using Cost Explorer for an environment. Use when the user asks about costs, a bill increase, or wants spend attributed to services or components.

discover

/discover

Derive the project AWS architecture from the live deployment and write or refresh .claude/aws-stack.md plus the env->profile map. Use when setting up the plugin in a repo, when the user asks what AWS resources a project uses, or to check for deployment drift.

ecs

/ecs

Inspect ECS Fargate services and tasks: list services, show task status, and fetch stopped-task reasons for a discovered cluster. Use when an ECS or ETL task fails, will not start, or the user asks about service health.

logs

/logs

Tail or search CloudWatch Logs for a discovered role (Lambda or ECS) in a given environment. Use when debugging errors, tailing live logs, or searching log history for an incident.

report-anomalies

/report-anomalies

Read-only cross-dimension scan of a project's AWS environment. Surfaces issues across app health, infra health, cost, security, reliability, and hygiene, then produces one concise ranked report with recommended actions. Use for a periodic health/risk sweep, before a release, or when the user asks "is anything wrong in AWS?"

Hooks1

Event Hooks

Bash

1 hook across 1 event

Stats

Version1.0.1

LanguageJavaScript

Stars0

MaintenanceGood

LicenseMIT

Last CommitJun 17, 2026

AddedJun 17, 2026

Actions

View on GitHub View README Plugin Marketplace JSON

Own this plugin?

Verify ownership to unlock analytics, metadata editing, and a verified badge. GitHub access is read-only (username + org membership).

Safety Signals

Caution

Executes bash commands

Hook triggers when Bash tool is used

Uses power tools

Uses Bash, Write, or Edit tools

README

AWS

Portable AWS operations for Claude Code: stack discovery, SSO-aware identity, live role resolution, and a guardrail that blocks dangerous aws commands before they run.

Why this plugin?

Operate your AWS infrastructure by talking to Claude Code. Ask "what's wrong in prod?", "tail the etl logs", or "trigger the nightly job", and the plugin maps your stack, resolves live resources, and runs the right aws commands, with guardrails that stop the dangerous ones before they execute.

Guardrailed by default. A PreToolUse hook classifies every aws command and blocks destructive ones (delete, terminate, policy writes, scale-to-zero) unless you explicitly opt in. Unrecognized verbs fail safe toward "mutating".

Profile pinning. Every aws command must carry an explicit --profile from your allowed set. No ambient credentials, no accidental prod hits.

Id-free architecture map. Discovery writes a committed, deploy-portable cheat sheet (.claude/aws-stack.md) that carries services, environments, and role handles, never concrete ARNs, resource ids, or account numbers. Those resolve live, on demand.

SSO-aware. Identity and session checks tell you exactly which aws sso login to run when a session expires.

No npm dependencies. Pure ESM, node: builtins only. No npm install, no build step. The one external requirement is the AWS CLI v2 (see Requirements).

How it works

The plugin ships a single CLI dispatcher (scripts/awsx.mjs) that skills and agents shell out to. The live AWS account is authoritative for every call; the committed document is only an abstract map.

Component	Role
`awsx.mjs`	CLI dispatcher. Routes subcommands, prints the exact `aws` command before live calls, maps errors to exit codes.
`lib/awscli.mjs`	Only module that spawns the real `aws` binary. Normalizes failures into typed `AwsError` codes.
`lib/profiles.mjs`	Reads/writes the git-ignored env→{profile, region} map. Source of truth for allowed profiles.
`lib/discover.mjs`	Queries CloudFormation + Resource Groups Tagging API, mines the repo for hints, builds the id-free model.
`lib/resolve.mjs`	Resolves one role to its live ARN/id via exactly one targeted query. Nothing cached.
`lib/stackdoc.mjs`	Renders/parses `.claude/aws-stack.md` (round-trips).
`lib/guard.mjs`	The PreToolUse policy: classify, then allow or block.

Two persistent artifacts (written into your repo, never the plugin dir):

.claude/aws-stack.md — committed, id-free architecture cheat sheet. Hand-edited descriptions and the architecture narrative survive re-runs.
.claude/aws-profiles.local.json — git-ignored env→profile map.

Requirements

Requirement	Notes
AWS CLI v2	Required. The plugin shells out to the `aws` binary on your `PATH`; it does not bundle an SDK. Commands fail with exit code `1` (`CLI_MISSING`) when `aws` is absent.
Node.js 18+	Required. The CLI is ESM using only `node:` builtins.
AWS SSO profiles	Configured in `~/.aws/config`. Map each to a logical environment with `awsx profiles set`.

Install the AWS CLI v2 from the official guide, then verify:

aws --version   # expect: aws-cli/2.x.x ...

Installation

# Load locally
claude --plugin-dir /path/to/aws

# Or install from a marketplace
/plugin marketplace add <owner>/<marketplace-repo>
/plugin install aws@<marketplace>

Quick Start

# 1. Map a logical environment to an AWS profile + region
node scripts/awsx.mjs profiles set prod my-sso-profile us-west-2

# 2. Confirm the SSO session is valid
node scripts/awsx.mjs whoami --env prod

# 3. Discover the stack and write .claude/aws-stack.md
node scripts/awsx.mjs discover --env prod

Then drive it through skills in conversation, e.g. "what's wrong in AWS prod?", "tail the logs for the etl role", "summarize this month's spend".

CLI

Run the dispatcher from the consumer repo root (not the plugin directory):

Command	Description
`awsx whoami --env <e>`	Validate SSO and print account / arn / userId.
`awsx discover --env <e> [--check]`	Build `.claude/aws-stack.md`; `--check` diffs without writing.
`awsx resolve <role> --env <e> [--json]`	Resolve a role to its current live ARN/id.
`awsx profiles list`	List configured env → profile / region.
`awsx profiles set <env> <profile> <region>`	Add or overwrite an env entry.
`awsx guard`	PreToolUse hook entrypoint (stdin-driven; runs automatically).

Exit codes: 0 success, 1 drift/failure, 2 guard block, 3 expired SSO (run aws sso login), 4 usage error.

The Guard

hooks/hooks.json runs awsx guard on every Bash call. Non-aws commands always pass. Each aws command is classified into a tier:

View full README on GitHub

aws

Popularity

What's Inside

Confidence

README

AWS

Why this plugin?

How it works

Requirements

Installation

Quick Start

CLI

The Guard

Similar Plugins

caveman

llm-council-plugin

self-improving-agent

ui-design

claude-mem

More by rcrsr

snoop

checkmate

velocity

policies

rill-make

AWS

Why this plugin?

How it works

Requirements

Installation

Quick Start

CLI

The Guard

More by rcrsr

snoop

checkmate

velocity

policies

rill-make

Popularity

Health & Quality

Similar Plugins

caveman

llm-council-plugin

self-improving-agent

ui-design

claude-mem