AWS cloud infrastructure patterns and best practices. Use when designing AWS architectures, creating Lambda functions, configuring S3 buckets, setting up EC2 instances, designing VPCs, or implementing any AWS services.
Install
npx skillscat add mindmorass/reflex/aws-patterns
Install via the SkillsCat registry.
SKILL.md
AWS Patterns
Best practices for AWS cloud infrastructure design and implementation.
Core Services Patterns
Lambda Functions
```python
# Best practice Lambda handler structure
import json
import logging
from typing import Any

logger = logging.getLogger()
logger.setLevel(logging.INFO)


def process_event(event: dict) -> dict:
    """Application logic placeholder (not on the original page): validate input, raise ValueError when it is bad."""
    if "id" not in event:
        raise ValueError("missing required field 'id'")
    return {"id": event["id"], "processed": True}


def handler(event: dict, context: Any) -> dict:
    """Lambda handler with proper error handling and logging."""
    try:
        # Caution: the raw event may carry credentials or PII; redact before logging in production
        logger.info(f"Event: {json.dumps(event)}")
        # Process event
        result = process_event(event)
        return {
            "statusCode": 200,
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps(result),
        }
    except ValueError as e:
        # Client error: the validation message is safe to return
        logger.warning(f"Validation error: {e}")
        return {"statusCode": 400, "body": json.dumps({"error": str(e)})}
    except Exception as e:
        # Unexpected error: log the stack trace, but never echo internals to the caller
        logger.error(f"Unexpected error: {e}", exc_info=True)
        return {"statusCode": 500, "body": json.dumps({"error": "Internal server error"})}
```

S3 Bucket Configuration
```yaml
# Secure S3 bucket with versioning and encryption
Resources:
  SecureBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "${AWS::StackName}-data"
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      LoggingConfiguration:
        # LoggingBucket is a separate bucket declared elsewhere in the template
        DestinationBucketName: !Ref LoggingBucket
        LogFilePrefix: s3-access-logs/
```
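A static check for the controls this template enables, added here as an example (it is not part of the original skill): it takes a CloudFormation template in JSON form (intrinsics appear as `{"Ref": ...}` / `{"Fn::Sub": ...}`) and reports, per `AWS::S3::Bucket`, which of versioning, default encryption, the four public access block flags and access logging are missing. The template in the block is constructed: the SecureBucket above plus a LegacyBucket left near defaults.

```python
from __future__ import annotations

# The four PublicAccessBlockConfiguration flags the template sets to true
PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy",
                       "IgnorePublicAcls", "RestrictPublicBuckets")


def bucket_findings(props: dict) -> list[str]:
    """Return the controls missing from one AWS::S3::Bucket Properties block."""
    findings = []
    if props.get("VersioningConfiguration", {}).get("Status") != "Enabled":
        findings.append("versioning not enabled")
    rules = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
    algos = {r.get("ServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if not algos & {"AES256", "aws:kms"}:
        findings.append("no default server-side encryption")
    pab = props.get("PublicAccessBlockConfiguration", {})
    missing = [f for f in PUBLIC_ACCESS_FLAGS if pab.get(f) not in (True, "true")]
    if missing:
        findings.append("public access block incomplete: " + ", ".join(missing))
    if not props.get("LoggingConfiguration", {}).get("DestinationBucketName"):
        findings.append("server access logging not configured")
    return findings


def template_findings(template: dict) -> dict[str, list[str]]:
    """Map each bucket's logical id to its findings; an empty list means all controls are present."""
    return {name: bucket_findings(res.get("Properties", {}))
            for name, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::S3::Bucket"}


# Constructed input: the page's SecureBucket in JSON form, plus a bucket left near defaults
TEMPLATE = {"Resources": {
    "SecureBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "BucketName": {"Fn::Sub": "${AWS::StackName}-data"},
        "VersioningConfiguration": {"Status": "Enabled"},
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "BlockPublicPolicy": True,
                                           "IgnorePublicAcls": True, "RestrictPublicBuckets": True},
        "LoggingConfiguration": {"DestinationBucketName": {"Ref": "LoggingBucket"},
                                 "LogFilePrefix": "s3-access-logs/"}}},
    "LegacyBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "VersioningConfiguration": {"Status": "Suspended"},
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": True}}},
}}
```

Run it over `json.load(open("template.json"))` in CI to fail a build before a bucket without these controls is deployed.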
VPC Design
```yaml
# Three-tier VPC architecture
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true

  # Public subnets (load balancers, NAT gateways)
  PublicSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.1.0/24
      AvailabilityZone: !Select [0, !GetAZs ""]
      MapPublicIpOnLaunch: true

  # Private subnets (application tier)
  PrivateSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.10.0/24
      AvailabilityZone: !Select [0, !GetAZs ""]

  # Data subnets (databases, caches)
  DataSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.20.0/24
      AvailabilityZone: !Select [0, !GetAZs ""]
```

IAM Best Practices
Least Privilege Policy
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSpecificS3Reads",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/prefix/*"
    },
    {
      "Sid": "AllowSpecificS3Writes",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/prefix/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "private"
        }
      }
    }
  ]
}
```

The read and write permissions are kept in separate statements because the `s3:x-amz-acl` condition key only exists on requests that set an ACL; `StringEquals` on a key that is absent from the request evaluates to false, so a statement that carries this condition and also lists `s3:GetObject` would never match a read.
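A pitfall worth testing for with this policy: `StringEquals` on `s3:x-amz-acl` in the same statement as `s3:GetObject` silently denies every read, because the key is absent from a GetObject request. The block below is an added example, a deliberately small model of IAM evaluation (wildcard Action/Resource matching plus `StringEquals` and `StringEqualsIfExists`, not AWS's evaluator and not code from the skill), that compares a single-statement variant carrying the condition on both actions with the two-statement form; the policies and ARNs are constructed.

```python
import fnmatch


def _matches(patterns, value):
    """Wildcard match for Action/Resource; a policy may use a string or a list.
    Case-sensitive, which is stricter than IAM for actions (simplification)."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_ok(condition, context):
    """Only StringEquals / StringEqualsIfExists are modelled (assumption).
    A key missing from the request context makes StringEquals false;
    the ...IfExists variant treats a missing key as satisfied."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = [expected] if isinstance(expected, str) else expected
            if key not in context:
                if operator.endswith("IfExists"):
                    continue
                return False
            if context[key] not in expected:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'Deny' or 'ImplicitDeny'; an explicit Deny always wins."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if not _condition_ok(stmt.get("Condition", {}), context or {}):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


PREFIX = "arn:aws:s3:::my-bucket/prefix/*"
# Constructed policies: one statement carrying the condition for both actions, and the split form
SINGLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": PREFIX,
     "Condition": {"StringEquals": {"s3:x-amz-acl": "private"}}}]}
SPLIT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": PREFIX},
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": PREFIX,
     "Condition": {"StringEquals": {"s3:x-amz-acl": "private"}}}]}
OBJ = "arn:aws:s3:::my-bucket/prefix/report.csv"  # constructed request target
```

Note that even the split form does not match a PutObject that sends no ACL header at all; if that is not intended, `StringEqualsIfExists` is the operator to use on the write statement.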
Service Role Pattern
```yaml
LambdaExecutionRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
          Action: sts:AssumeRole
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
    Policies:
      - PolicyName: CustomPolicy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - dynamodb:GetItem
                - dynamodb:PutItem
              Resource: !GetAtt Table.Arn
```

Cost Optimization
Resource Tagging Strategy
```yaml
Tags:
  - Key: Environment
    Value: !Ref Environment
  - Key: Project
    Value: !Ref ProjectName
  - Key: CostCenter
    Value: !Ref CostCenter
  - Key: Owner
    Value: !Ref OwnerEmail
  - Key: AutoShutdown
    Value: "true"  # For non-prod resources
```

Spot Instances for Non-Critical Workloads
```yaml
SpotFleet:
  Type: AWS::EC2::SpotFleet
  Properties:
    SpotFleetRequestConfigData:
      IamFleetRole: !GetAtt SpotFleetRole.Arn
      TargetCapacity: 10
      AllocationStrategy: lowestPrice
      LaunchSpecifications:
        - InstanceType: m5.large
          # ImageId is required in a launch specification; AmiId is a template parameter declared elsewhere
          ImageId: !Ref AmiId
          SpotPrice: "0.05"
          SubnetId: !Ref PrivateSubnet1
```

High Availability Patterns
Multi-AZ Deployment
- Deploy across a minimum of 2 AZs, preferably 3
- Use Auto Scaling Groups with AZ-aware placement
- Configure cross-AZ load balancing
- Enable Multi-AZ for RDS and ElastiCache
Circuit Breaker with Step Functions
```yaml
StateMachine:
  Type: AWS::StepFunctions::StateMachine
  Properties:
    RoleArn: !GetAtt StateMachineRole.Arn  # required; execution role declared elsewhere in the template
    # !Sub resolves ${LambdaArn}; declare LambdaArn as a template parameter, or use the
    # two-element !Sub form to map it to !GetAtt <Function>.Arn
    DefinitionString: !Sub |
      {
        "StartAt": "CallService",
        "States": {
          "CallService": {
            "Type": "Task",
            "Resource": "${LambdaArn}",
            "Retry": [
              {
                "ErrorEquals": ["States.TaskFailed"],
                "IntervalSeconds": 2,
                "MaxAttempts": 3,
                "BackoffRate": 2
              }
            ],
            "Catch": [
              {
                "ErrorEquals": ["States.ALL"],
                "Next": "Fallback"
              }
            ],
            "End": true
          },
          "Fallback": {
            "Type": "Pass",
            "Result": {"status": "degraded"},
            "End": true
          }
        }
      }
```

Security Patterns
Secrets Manager Integration
```python
import json

import boto3
from botocore.exceptions import ClientError


def get_secret(secret_name: str, region: str = "us-east-1") -> dict:
    """Retrieve a JSON secret from AWS Secrets Manager.

    In Lambda, call this once at module scope and reuse the value across invocations
    to avoid a Secrets Manager request on every call."""
    client = boto3.client("secretsmanager", region_name=region)
    try:
        response = client.get_secret_value(SecretId=secret_name)
    except ClientError as e:
        # The error carries only the request failure, never the secret value
        raise RuntimeError(f"Failed to retrieve secret {secret_name!r}: {e}") from e
    if "SecretString" not in response:
        # Binary secrets arrive as SecretBinary; this helper only handles JSON string secrets
        raise RuntimeError(f"Secret {secret_name!r} is not a string secret")
    return json.loads(response["SecretString"])
```

KMS Encryption
```yaml
KMSKey:
  Type: AWS::KMS::Key
  Properties:
    Description: Customer managed key for data encryption
    EnableKeyRotation: true
    KeyPolicy:
      Version: "2012-10-17"
      Statement:
        # Standard statement that lets IAM policies in this account govern the key;
        # without it the key can become unmanageable
        - Sid: Enable IAM User Permissions
          Effect: Allow
          Principal:
            AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
          Action: kms:*
          Resource: "*"
```