From aws-dev-toolkit
Runs a 5-minute AWS account scan across security posture, cost waste, reliability gaps, and operational readiness. Lighter than a full Well-Architected review.
Slash command
/aws-dev-toolkit:aws-health-check
This skill is limited to the following tools:
You are running a quick AWS account health assessment. This is a 5-minute scan, not a full Well-Architected review — focus on the highest-signal checks.
```bash
# Region for regional calls: use REGION if set, else the CLI's configured default
REGION=${REGION:-$(aws configure get region)}

aws sts get-caller-identity

# GuardDuty enabled?
aws guardduty list-detectors --region "$REGION"
# CloudTrail multi-region?
aws cloudtrail describe-trails --query 'trailList[].{Name:Name,Multi:IsMultiRegionTrail}'
# Public S3 buckets?
for bucket in $(aws s3api list-buckets --query 'Buckets[].Name' --output text); do
  # Count the Block Public Access flags set to true (0 if the bucket has no configuration).
  # grep -c already prints 0 when nothing matches, so no fallback echo is needed.
  status=$(aws s3api get-public-access-block --bucket "$bucket" 2>/dev/null | grep -c "true")
  [ "$status" -lt 4 ] && echo "WARNING: $bucket may have public access"
done
# Security groups with 0.0.0.0/0 on non-HTTP ports
# The port test is applied to the same rule that carries 0.0.0.0/0, and each group is printed once.
# Rules with no FromPort (IpProtocol -1, all traffic) are skipped by this filter.
aws ec2 describe-security-groups --query 'SecurityGroups[?IpPermissions[?IpRanges[?CidrIp==`0.0.0.0/0`]]]' \
  --output json | jq -r '.[] | select(any(.IpPermissions[]; (.IpRanges | any(.CidrIp == "0.0.0.0/0")) and .FromPort != 80 and .FromPort != 443 and .FromPort != null)) | .GroupId + " " + .GroupName'
# Public RDS instances
aws rds describe-db-instances --query 'DBInstances[?PubliclyAccessible==`true`].{ID:DBInstanceIdentifier,Engine:Engine}'
# IMDSv2 enforcement
aws ec2 describe-instances --query 'Reservations[].Instances[?MetadataOptions.HttpTokens!=`required`].{ID:InstanceId,Name:Tags[?Key==`Name`].Value|[0],IMDS:MetadataOptions.HttpTokens}'

# Unattached EBS volumes
aws ec2 describe-volumes --filters "Name=status,Values=available" --query 'Volumes[].{ID:VolumeId,Size:Size,Type:VolumeType}'
# Unassociated Elastic IPs (charged when idle)
aws ec2 describe-addresses --query 'Addresses[?AssociationId==null].{IP:PublicIp}'
# Stopped instances still incurring EBS charges
aws ec2 describe-instances --filters "Name=instance-state-name,Values=stopped" --query 'Reservations[].Instances[].{ID:InstanceId,Name:Tags[?Key==`Name`].Value|[0],Type:InstanceType}'

# Single-AZ RDS (risky for production)
aws rds describe-db-instances --query 'DBInstances[?MultiAZ==`false`].{ID:DBInstanceIdentifier,Engine:Engine}'
# Auto Scaling groups pinned to a fixed size (MinSize == MaxSize, static capacity)
aws autoscaling describe-auto-scaling-groups --query 'AutoScalingGroups[?MinSize==MaxSize].{Name:AutoScalingGroupName,Size:MinSize}'
```
# AWS Account Health Check
**Account**: [ID] | **Region**: [region] | **Date**: [today]
## Score: [X/10]
## Findings
### Critical (fix now)
- ...
### Warning (fix soon)
- ...
### Good (keep doing this)
- ...
## Quick Wins
1. [Easiest high-impact fix]
2. [Next easiest]
3. [...]
## SCP Gaps
[If no SCPs detected, recommend baseline guardrails per CLAUDE.md]
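
The security-group check above ("0.0.0.0/0 on non-HTTP ports") can also be evaluated rule by rule. The following is an added example, not part of the skill or the aws-dev-toolkit code: it goes slightly beyond the skill's check by also covering IPv6 `::/0`, all-traffic rules (`IpProtocol` `-1`) and port ranges. The function name, the sample group IDs and the output format are assumptions made for illustration.

```python
import json
import sys

WORLD = {"0.0.0.0/0", "::/0"}   # IPv4 and IPv6 "anywhere"
WEB_PORTS = {80, 443}

def world_open_rules(groups):
    """Return (group id, protocol, ports, cidr) for every ingress rule that is
    open to the internet on anything other than exactly TCP 80 or TCP 443."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            proto = perm.get("IpProtocol")
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if proto == "tcp" and lo == hi and lo in WEB_PORTS:
                continue  # a single web port is the expected public exposure
            # IpProtocol "-1" means all traffic and carries no port fields;
            # for ICMP the two fields hold type and code rather than ports.
            ports = "all" if proto == "-1" else (str(lo) if lo == hi else f"{lo}-{hi}")
            findings += [(sg["GroupId"], proto, ports, c) for c in cidrs if c in WORLD]
    return findings

# Constructed sample shaped like `aws ec2 describe-security-groups --output json`
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0aaa", "IpPermissions": [       # public 443, private SSH
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [       # SSH from anywhere
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [       # all traffic from anywhere
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0ddd", "IpPermissions": [       # every TCP port over IPv6
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]}

if __name__ == "__main__":
    # Pass a file holding saved CLI output, or run with no argument to use the sample
    data = SAMPLE
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    for gid, proto, ports, cidr in world_open_rules(data["SecurityGroups"]):
        print(f"WARNING: {gid} allows {proto}/{ports} from {cidr}")
```

In the sample, `sg-0aaa` is not reported: its only internet-facing rule is TCP 443, and its SSH rule is limited to a private range.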
npx claudepluginhub aws-samples/sample-claude-code-plugins-for-startups --plugin aws-dev-toolkit