aws-skills MCP — Cas d'usage, Installer & Démo en direct

Pourquoi l'utiliser

Fonctionnalités clés

Shell-first — commands visible before execution
Common services: EC2, S3, IAM, Lambda, CloudFormation, Cost Explorer
Least-privilege IAM defaults
Region and profile aware
Works with Claude Code and Codex

Démo en direct

Aperçu en pratique

aws-skill.replay ▶ prêt

0/0

Installer

Choisissez votre client

~/Library/Application Support/Claude/claude_desktop_config.json · Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "aws-skill": {
      "command": "git",
      "args": [
        "clone",
        "https://github.com/zxkane/aws-skills",
        "~/.claude/skills/aws-skills"
      ],
      "_inferred": true
    }
  }
}

Ouvrez Claude Desktop → Settings → Developer → Edit Config. Redémarrez après avoir enregistré.

~/.cursor/mcp.json · .cursor/mcp.json

{
  "mcpServers": {
    "aws-skill": {
      "command": "git",
      "args": [
        "clone",
        "https://github.com/zxkane/aws-skills",
        "~/.claude/skills/aws-skills"
      ],
      "_inferred": true
    }
  }
}

Cursor utilise le même schéma mcpServers que Claude Desktop. La config projet l'emporte sur la globale.

VS Code → Cline → MCP Servers → Edit

{
  "mcpServers": {
    "aws-skill": {
      "command": "git",
      "args": [
        "clone",
        "https://github.com/zxkane/aws-skills",
        "~/.claude/skills/aws-skills"
      ],
      "_inferred": true
    }
  }
}

Cliquez sur l'icône MCP Servers dans la barre latérale Cline, puis "Edit Configuration".

~/.codeium/windsurf/mcp_config.json

{
  "mcpServers": {
    "aws-skill": {
      "command": "git",
      "args": [
        "clone",
        "https://github.com/zxkane/aws-skills",
        "~/.claude/skills/aws-skills"
      ],
      "_inferred": true
    }
  }
}

Même format que Claude Desktop. Redémarrez Windsurf pour appliquer.

~/.continue/config.json

{
  "mcpServers": [
    {
      "name": "aws-skill",
      "command": "git",
      "args": [
        "clone",
        "https://github.com/zxkane/aws-skills",
        "~/.claude/skills/aws-skills"
      ]
    }
  ]
}

Continue utilise un tableau d'objets serveur plutôt qu'une map.

~/.config/zed/settings.json

{
  "context_servers": {
    "aws-skill": {
      "command": {
        "path": "git",
        "args": [
          "clone",
          "https://github.com/zxkane/aws-skills",
          "~/.claude/skills/aws-skills"
        ]
      }
    }
  }
}

Ajoutez dans context_servers. Zed recharge à chaud à la sauvegarde.

claude mcp add aws-skill -- git clone https://github.com/zxkane/aws-skills ~/.claude/skills/aws-skills

Une seule ligne. Vérifiez avec claude mcp list. Supprimez avec claude mcp remove.

Cas d'usage

Usages concrets : aws-skills

How to run a fleet-wide operation on EC2 safely

👤 Cloud ops engineers running one-off fleet operations ⏱ ~20 min intermediate

Quand l'utiliser : You need to patch or restart a group of instances matching a tag, without writing the whole script yourself.

Prérequis

Skill installed — git clone https://github.com/zxkane/aws-skills ~/.claude/skills/aws-skills
aws CLI configured — aws configure or SSO profile

Déroulement

Dry-run the query

Use aws-skill. List EC2 instances tagged Env=staging, App=api. Just describe, don't mutate.✓ Copié

→ Table of instance IDs with state
Plan the action

Now propose the command to restart all running ones. Show me the exact aws cli call before running it.✓ Copié

→ Command printed; no execution yet
Execute with guardrails

Execute in batches of 3 with 30s between batches. Abort if any fails.✓ Copié

→ Batched output with success/failure per batch

Résultat : A controlled fleet operation with no unpleasant surprises.

Pièges

Wrong profile/region destroys prod — Always echo the resolved profile + region as the first line of any action

Audit S3 bucket policies for public exposure

👤 Security engineers looking for public S3 risk ⏱ ~30 min intermediate

Quand l'utiliser : Before a compliance review, or after a misconfig alert.

Déroulement

List buckets

List all S3 buckets in our account with their public access block settings and any bucket policies that allow *.✓ Copié

→ Table with per-bucket status
Triage

Flag buckets that have public access and don't match our known public-bucket allowlist (list: [...]). Propose remediation for each.✓ Copié

→ Remediation plan per flagged bucket

Résultat : A prioritized remediation list for S3 public exposure.

Pièges

OAI / OAC for CloudFront looks public at the bucket level — Check CloudFront origin config before flagging

Scope an IAM policy to least privilege

👤 Engineers with an overly-broad policy to tighten ⏱ ~45 min advanced

Quand l'utiliser : A service account works with AdministratorAccess and you want to scope it down.

Déroulement

Collect usage

Pull the Access Analyzer / CloudTrail-derived actions used by this role over last 30 days.✓ Copié

→ Actions table
Generate scoped policy

Write the minimal policy matching those actions. No wildcard Resource unless necessary; comment where wildcards are justified.✓ Copié

→ Policy JSON with comments

Résultat : A least-privilege policy with documented rationale.

Pièges

30 days isn't long enough to capture all paths — Verify against known monthly or quarterly jobs before flipping the policy

Combiner avec : claude-code-owasp-skill

Answer a cost question quickly

👤 Engineers and finance owners chasing spend ⏱ ~20 min intermediate

Quand l'utiliser : Finance asks 'why did S3 spend spike in April?' — you want an answer before the meeting.

Déroulement

Query

Use Cost Explorer to compare S3 spend April vs March by usage type.✓ Copié

→ Diff table by usage type
Explain

Which usage type grew most, and which bucket is most likely responsible?✓ Copié

→ Hypothesis with specific bucket candidates

Résultat : A specific attribution you can follow up on.

Combinaisons

Associez-le à d'autres MCPs pour un effet X10

aws-skill + terrashark-skill

AWS-skill for one-off ops, TerraShark for codified infra

Investigate with aws-skill, then codify the fix as Terraform with terrashark.✓ Copié

aws-skill + claude-code-owasp-skill

Security reviews on IAM and S3 configs

After IAM scoping, run OWASP review on the resulting policy.✓ Copié

Outils

Ce que ce MCP expose

Outil	Entrées	Quand appeler	Coût
EC2 fleet ops	-	Tag-scoped fleet ops	1+ AWS API calls
S3 policy audit	-	Security review	1+ API calls
IAM scoping	role_name	Tightening access	Access Analyzer + CloudTrail calls
Cost queries	service, range	Spend investigations	Cost Explorer calls
CFN/CDK scaffolding	-	New stacks	Claude tokens

Coût et limites

Coût d'exécution

Quota d'API: AWS API limits vary per service; usually non-issue for interactive use
Tokens par appel: 5-15k for planning; execution is free of Claude tokens
Monétaire: Free skill; AWS usage billed as normal
Astuce: Cost Explorer API has per-request pricing. Cache results when iterating.

Sécurité

Permissions, secrets, portée

Stockage des identifiants : Standard AWS CLI credentials (shared config, SSO). Skill reads active profile.

Sortie de données : All AWS API calls. Command outputs may contain sensitive data (ARNs, tags).

Ne jamais accorder : AdministratorAccess for interactive use

Always verify active profile and region before destructive commands. Skill prints both before execution — don't skip the check.
Use SSO short-lived credentials rather than long-lived access keys.

Dépannage

Erreurs courantes et correctifs

AccessDenied despite correct profile

Role session may have expired. Re-authenticate (aws sso login or STS refresh)

Vérifier : aws sts get-caller-identity

Commands hit the wrong region

Skill respects AWS_REGION env; set explicitly or pass --region each call

Rate-limiting on large fleet ops

Use the skill's batch mode with delays

Alternatives

aws-skills vs autres

Alternative	Quand l'utiliser	Compromis
AWS MCP server	You want native MCP tool calls instead of shell-first	Less shell visibility; different trust model

Plus

Ressources

📖 Lire le README officiel sur GitHub

🐙 Voir les issues ouvertes

🔍 Parcourir les 400+ serveurs MCP et Skills