AWS -- Cloud Infrastructure Expert

---

name: aws description: > Build S3, Lambda, DynamoDB, SQS, and IAM configurations for production. USE WHEN: User needs to implement AWS S3, Lambda, DynamoDB, SQS, or IAM infrastructure. DON'T USE WHEN: User needs general cloud architecture. Use Architect for system design. Use Cloudflare for edge computing. OUTPUTS: S3 configurations, Lambda functions, DynamoDB schemas, SQS workflows, IAM policies, deployment patterns. version: 1.0.0 author: SpookyJuice tags: [aws, s3, lambda, dynamodb, sqs, iam, cloud] price: 19 author_url: "https://www.shopclawmart.com" support: "brian@gorzelic.net" license: proprietary osps_version: "0.1" content_hash: "sha256:c59d699adcda3a69e16bebf707cabf59548214f7b290662d19f70a94bee61da2"

#‍​‌‌​‌‌‌‌​‌‌‌​​‌‌​‌‌‌​​​​​‌‌‌​​‌‌​​‌‌‌​‌​​​‌‌​​​‌​​‌‌‌​‌​​‌‌‌​​‌‌​‌‌​‌​‌​​​‌​‌‌​‌​​‌‌‌​​​​​‌‌​​​​​​‌‌​‌‌‌​‌‌​​‌‌​​​‌‌‌​​​​‌‌​​​‌‌​​‌‌​​‌‌​‌‌​​​‌‌‍ AWS

Version: 1.0.0 Price: $19 Type: Skill

Description

Production-grade AWS integration patterns for the five services that power 90% of real workloads: S3, Lambda, DynamoDB, SQS, and IAM. AWS has 200+ services and documentation that shows happy paths — but production breaks when you hit S3 lifecycle race conditions, Lambda cold starts eating your p99 latency, DynamoDB hot partitions throttling your busiest table, or IAM policies that are either wide open or so restrictive your own code can't function. This skill gives you battle-tested implementations that handle the failure modes the docs gloss over.

Prerequisites

• AWS account with billing alerts configured (seriously, set a budget alarm first)
• AWS CLI v2 installed: brew install awscli
• Credentials configured: aws configure or SSO via aws configure sso
• Service quotas reviewed for Lambda concurrent executions and DynamoDB throughput

Setup

1. Copy SKILL.md into your OpenClaw skills directory
2. Set environment variables:

   export AWS_ACCESS_KEY_ID="AKIA..."
   export AWS_SECRET_ACCESS_KEY="..."
   export AWS_REGION="us-east-1"
   export AWS_PROFILE="default"  # or your named profile
   

3. Reload OpenClaw

Commands

• "Implement S3 upload pipeline for [file type] with lifecycle rules"
• "Design DynamoDB schema for [access pattern] with GSI strategy"
• "Build Lambda function for [trigger type] with error handling"
• "Set up SQS queue with dead-letter handling for [use case]"
• "Write IAM policy for [service] with least-privilege access"
• "Configure S3 event notifications to trigger Lambda for [workflow]"
• "Design DynamoDB single-table model for [entity relationships]"
• "Implement SQS FIFO queue with deduplication for [ordering requirement]"

Workflow

S3 Storage Pipeline

1. Bucket design — one bucket per environment (dev/staging/prod), not per feature. Use prefixes (folders) for logical separation and S3 inventory for auditing. Enable versioning from day one — restoring accidentally deleted production data without it is a nightmare you only experience once.
2. Upload implementation — use presigned URLs for client-side uploads (keeps files off your servers, avoids 6MB API Gateway limit). Set URL expiration to 5-15 minutes. Include Content-Type and Content-Length conditions to prevent abuse and enforce size limits at the S3 level.
3. Lifecycle rules — configure transitions: Standard to Infrequent Access at 30 days, to Glacier at 90 days, expiration at 365 days. Apply rules per prefix so hot data and cold data follow different policies. Test lifecycle rules in a scratch bucket first because misconfigured rules silently delete production data.
4. Access control — use bucket policies for cross-account access, IAM policies for same-account access. Never use ACLs (they're legacy and confusing). Block public access at the account level, then explicitly allow only the buckets that genuinely need public read access.
5. Encryption and compliance — enable SSE-S3 (default encryption) at minimum. Use SSE-KMS when you need key rotation auditing or cross-account key sharing. Enable access logging to a separate bucket for compliance trails. S3 Object Lock for regulatory hold requirements.
6. Event-driven processing — S3 Event Notifications trigger Lambda for image processing, virus scanning, or ETL. Use SQS as an intermediary between S3 and Lambda to handle bursts — direct S3-to-Lambda invocations can hit concurrency limits and silently drop events.

Lambda Function Architecture

1. Handler structure — separate your handler function from business logic. The handler does: parse event, validate input, call business logic, format response. Business logic lives in importable modules with no Lambda dependencies so you can test it locally without mocking the Lambda runtime.
2. Cold start mitigation — keep deployment packages under 50MB unzipped. Use Lambda layers for shared dependencies. For latency-sensitive functions, use Provisioned Concurrency on the production alias (not $LATEST). ARM64 (Graviton2) gives you 20% better price-performance with no code changes for most runtimes.
3. Memory and timeout tuning — Lambda CPU scales linearly with memory. A function at 1769MB gets one full vCPU. Start at 256MB, use AWS Lambda Power Tuning to find the cost-performance sweet spot. Set timeout to 3x your p95 execution time, never to the 15-minute maximum.
4. Error handling — distinguish between retryable errors (downstream timeout) and non-retryable errors (validation failure). For async invocations, configure a dead-letter queue (SQS) to capture failures. Use structured logging with request ID, correlation ID, and error context in every log line.
5. Environment and secrets — use environment variables for non-sensitive config (feature flags, table names). Use AWS Systems Manager Parameter Store or Secrets Manager for credentials, cached at init time outside the handler. Never fetch secrets on every invocation — that's a latency and cost multiplier.
6. Deployment — use function aliases (dev/staging/prod) pointing to specific versions, never deploy to $LATEST in production. Implement gradual deployments with CodeDeploy traffic shifting (canary 10% for 5 minutes, then 100%) to catch regressions before full rollout.

DynamoDB Data Modeling

1. Access pattern first — list every query your application will make before designing the table. DynamoDB is not a relational database — you design around access patterns, not entity relationships. If you design the schema first and figure out queries later, you will end up with a table that requires full scans for common operations.
2. Partition key selection — choose a key with high cardinality that distributes traffic evenly. User ID is usually good. Timestamps are terrible (hot partition on the current time period). Composite keys (e.g., TENANT#123) enable multi-tenant isolation within a single table.
3. Single-table design — store multiple entity types in one table using prefixed sort keys (e.g., PK: USER#123, SK: ORDER#456). This lets you fetch a user and their orders in a single query. Use GSIs to support additional access patterns. Overloaded GSIs (GSI1PK/GSI1SK) keep you under the 20-GSI limit.
4. Capacity planning — start with on-demand pricing for unpredictable workloads, switch to provisioned with auto-scaling once you understand your traffic patterns. On-demand costs 6.5x more per request than provisioned at steady state. Set auto-scaling min/max and target utilization (70% is a solid default).
5. TTL and data lifecycle — enable TTL on a designated attribute to automatically expire old records at zero cost. DynamoDB deletes expired items within 48 hours (not instantly). TTL deletions emit to DynamoDB Streams, so you can archive expired data to S3 via Lambda before it disappears.
6. Transactions and consistency — use TransactWriteItems for operations that must be atomic across items (e.g., transfer balance between accounts). Transactions cost 2x a standard write. Use strongly consistent reads only when you cannot tolerate stale data — eventually consistent reads cost half and are sufficient for 90% of use cases.

SQS Message Processing

1. Queue selection — Standard queues: nearly unlimited throughput, at-least-once delivery, best-effort ordering. FIFO queues: exactly-once processing, strict ordering within message groups, 3,000 messages/second with batching. Use Standard unless your business logic breaks with duplicate or out-of-order messages.
2. Visibility timeout — set to 6x your average processing time. If your consumer takes 10 seconds, set visibility timeout to 60 seconds. Too short and messages get reprocessed (duplicates). Too long and failed messages sit invisible while retries are delayed.
3. Dead-letter queue configuration — every queue gets a DLQ. Set maxReceiveCount to 3-5 depending on your retry tolerance. Monitor DLQ depth with CloudWatch alarms. Build a redrive workflow (SQS now supports built-in redrive) to replay failed messages after fixing the underlying issue.
4. Lambda integration — use SQS as an event source for Lambda with batch size 10 and batch window 5 seconds for throughput optimization. Enable ReportBatchItemFailures so Lambda reports which specific messages failed instead of retrying the entire batch.
5. Message design — keep messages small (under 64KB). For large payloads, put the data in S3 and pass the S3 key in the message. Include a correlation ID, timestamp, and message schema version in every message for debugging and backward compatibility.

IAM Policy Design

1. Least-privilege construction — start with zero permissions and add only what's needed. Use CloudTrail logs and IAM Access Analyzer to identify actually-used permissions, then scope policies down. The * resource wildcard is the root cause of most AWS security incidents.
2. Policy structure — use customer-managed policies over inline policies (reusable, versionable, auditable). Limit each policy to one logical capability. Use conditions to restrict by source IP, time of day, MFA status, or resource tags.
3. Role design for Lambda — every Lambda function gets its own execution role. The role includes: CloudWatch Logs (required), plus exactly the permissions that function needs. Use resource-level ARNs, not *. Example: arn:aws:dynamodb:us-east-1:123456:table/MyTable not arn:aws:dynamodb:*:*:*.
4. Cross-account access — use IAM roles with trust policies for cross-account access, never shared credentials. The trusted account assumes the role via STS. Include an external ID condition to prevent confused deputy attacks.
5. Policy testing — use IAM Policy Simulator to validate policies before deploying. Use aws iam simulate-principal-policy in CI to catch permission regressions. Test both allowed and denied actions — a policy that allows too much is as broken as one that denies too much.

Output Format

CLOUD AWS -- IMPLEMENTATION GUIDE
Service: [S3/Lambda/DynamoDB/SQS/IAM]
Region: [Region]
Date: [YYYY-MM-DD]

=== ARCHITECTURE ===
[Component diagram: client -> API Gateway -> Lambda -> DynamoDB/S3/SQS]

=== IMPLEMENTATION ===
[Code and configuration with inline comments explaining each decision]

=== CONFIGURATION ===
| Setting | Value | Why |
|---------|-------|-----|
| [config] | [value] | [rationale] |

=== TESTING CHECKLIST ===
[ ] [Test scenario with expected behavior]

=== COMMON PITFALLS ===
- [Pitfall and how to avoid it]

Common Pitfalls

• S3 strong consistency misunderstandings — S3 is now strongly consistent for PUTs and DELETEs (since December 2020), but list operations can still show stale results briefly after large batch writes. Don't assume a ListObjects call immediately reflects thousands of objects you just uploaded.
• Lambda memory-CPU coupling — you cannot configure CPU independently. At 1769MB you get one full vCPU; below that you get a fraction. A CPU-bound function at 128MB will be 10x slower than at 1769MB and may actually cost more because it runs longer.
• DynamoDB hot partitions — a partition handles 3,000 RCU and 1,000 WCU. If your partition key doesn't distribute traffic evenly, provisioned capacity is wasted on cold partitions while the hot one throttles. Adaptive capacity helps but doesn't solve fundamentally bad key design.
• SQS visibility timeout vs. Lambda timeout — if your Lambda timeout exceeds the SQS visibility timeout, a slow invocation causes the message to become visible again and get processed twice. Always set visibility timeout to at least 6x the Lambda function timeout.
• IAM policy evaluation logic — an explicit Deny always wins, even over an explicit Allow. If a user has one policy that allows s3:* and another that denies s3:DeleteBucket, the deny wins. Misunderstanding this leads to hours of debugging "Access Denied" errors.
• Lambda $LATEST is not an alias — deploying to $LATEST in production means every deployment is a full cutover with no rollback path. Use versioned aliases and traffic shifting for safe deployments.

Guardrails

• Never hardcode credentials. Use IAM roles for compute services (Lambda, EC2, ECS). Use environment variables or Secrets Manager for external credentials. Access keys in source code are the number one cause of AWS account compromise.
• Always use least-privilege IAM. Every role and policy starts with zero permissions and adds only what's necessary. Resource ARNs are specific, never wildcarded. Policies are reviewed before deployment.
• Test locally first. Use LocalStack or SAM CLI for local Lambda testing before deploying to AWS. Validate DynamoDB schemas with local DynamoDB. Catch errors before they cost money.
• Encryption at rest is mandatory. S3 buckets use SSE-S3 or SSE-KMS. DynamoDB tables use AWS-managed or customer-managed KMS keys. SQS queues use SSE. No exceptions for any environment.
• Cost alerting is non-negotiable. Every account has AWS Budgets configured with alerts at 50%, 80%, and 100% of expected spend. A misconfigured Lambda or DynamoDB table can generate thousands of dollars in charges overnight.
• Tag everything. Every resource includes tags for Environment, Project, Owner, and CostCenter. Tags enable cost allocation, access control via ABAC, and automated cleanup of orphaned resources.
• CloudTrail stays on. Management events are logged in all regions. S3 data events are logged for sensitive buckets. Logs go to a separate account's S3 bucket with Object Lock for tamper resistance.

Support

Questions or issues with this skill? Contact brian@gorzelic.net Published by SpookyJuice — https://www.shopclawmart.com