What does aws-discover output?

An aws_infrastructure.json containing metadata and categorized resource lists (account_id, region, environment, project, discovered_at, and resource sections for networking, compute, databases, storage, security, messaging, and API/CDN).

Do I need permissions?

Yes—read permissions on the AWS services you plan to discover (e.g., sts, ec2, s3, rds, elbv2, secretsmanager, etc.).

Can I target a different region or profile?

Yes. Pass --profile and --region to all AWS CLI commands in the discovery flow, or set them globally for your session.

aws-discover

npx machina-cli add skill mpuig/claude-cloud-diagrams/aws-discover --openclaw

Files (1)

SKILL.md

4.9 KB

AWS Infrastructure Discovery

Explore an AWS account and collect comprehensive information about its infrastructure.

Before Starting

Ask the user for:

AWS Profile - Which AWS profile to use (or use default)
AWS Region - Which region to scan (or use default)

AWS CLI Configuration

Use the profile and region flags with all AWS CLI commands:

aws <command> --profile <profile> --region <region>

Discovery Process

Explore systematically. Start with basics, then dig deeper based on what you find.

1. Account Identity

aws sts get-caller-identity --profile <profile> --region <region>

2. Networking

VPCs: aws ec2 describe-vpcs
Subnets: aws ec2 describe-subnets
Internet Gateways: aws ec2 describe-internet-gateways
NAT Gateways: aws ec2 describe-nat-gateways
Transit Gateways: aws ec2 describe-transit-gateways
VPC Endpoints: aws ec2 describe-vpc-endpoints
Route Tables: aws ec2 describe-route-tables

3. Compute

ECS Clusters: aws ecs list-clusters then aws ecs describe-clusters
ECS Services: aws ecs list-services --cluster <name> then aws ecs describe-services
Lambda: aws lambda list-functions
EC2: aws ec2 describe-instances
EKS: aws eks list-clusters

4. Load Balancing

ALB/NLB: aws elbv2 describe-load-balancers
Listeners: aws elbv2 describe-listeners --load-balancer-arn <arn>
Target Groups: aws elbv2 describe-target-groups
Rules: aws elbv2 describe-rules --listener-arn <arn>

5. Databases

RDS: aws rds describe-db-instances
Aurora: aws rds describe-db-clusters
DynamoDB: aws dynamodb list-tables
ElastiCache: aws elasticache describe-cache-clusters

6. Storage

S3: aws s3api list-buckets
EFS: aws efs describe-file-systems
ECR: aws ecr describe-repositories

7. Security

Security Groups: aws ec2 describe-security-groups
WAF: aws wafv2 list-web-acls --scope REGIONAL
Cognito: aws cognito-idp list-user-pools --max-results 20
ACM: aws acm list-certificates
Secrets Manager: aws secretsmanager list-secrets
KMS: aws kms list-keys

8. Messaging

SQS: aws sqs list-queues
SNS: aws sns list-topics
EventBridge: aws events list-rules

9. API & CDN

API Gateway: aws apigateway get-rest-apis
CloudFront: aws cloudfront list-distributions

Output Format

Create aws_infrastructure.json with this structure:

{
  "metadata": {
    "account_id": "...",
    "region": "...",
    "environment": "...",
    "project": "...",
    "discovered_at": "..."
  },
  "networking": {
    "vpc": {"id": "...", "name": "...", "cidr": "..."},
    "subnets": {
      "public": [{"id": "...", "name": "...", "cidr": "...", "az": "..."}],
      "private": [{"id": "...", "name": "...", "cidr": "...", "az": "..."}]
    },
    "internet_gateway": {"id": "..."},
    "nat_gateways": [...],
    "transit_gateway": {"id": "...", "routes": [...]},
    "vpc_endpoints": [{"id": "...", "type": "...", "service": "..."}]
  },
  "load_balancers": {
    "public": {"name": "...", "scheme": "internet-facing", "dns_name": "..."},
    "private": {"name": "...", "scheme": "internal"}
  },
  "compute": {
    "ecs_cluster": {"name": "..."},
    "ecs_services": [{"name": "...", "launch_type": "FARGATE"}],
    "lambda_functions": [{"name": "...", "runtime": "..."}],
    "ec2_instances": [...]
  },
  "databases": {
    "aurora_clusters": [{"database_name": "...", "engine": "..."}],
    "dynamodb_tables": [{"name": "..."}],
    "elasticache": {"engine": "redis", "num_cache_clusters": 2}
  },
  "storage": {
    "s3_buckets": [{"name": "..."}],
    "ecr_repositories": [...]
  },
  "security": {
    "waf": {"web_acl": {"name": "..."}},
    "acm_certificates": [{"domain": "..."}],
    "cognito_pools": [{"name": "..."}]
  },
  "messaging": {
    "sqs_queues": [...],
    "sns_topics": [...],
    "eventbridge_rules": [...]
  },
  "traffic_rules": {
    "allowed_sources": {
      "public_internet": {"cidrs": ["0.0.0.0/0"], "ports": [443]},
      "corporate": {"cidrs": ["10.0.0.0/8"], "ports": [80, 443]}
    },
    "domains": {
      "public": ["api.example.com"],
      "private": ["internal.example.com"]
    }
  }
}

Guidelines

Only include sections that have resources (omit empty sections)
Infer environment and project from resource names/tags
Infer traffic rules from security group ingress rules and load balancer configurations
For subnets, use "az" field (not "availability_zone")
Skip empty services quickly - if list-* returns empty, move on
Add new sections for services not listed (e.g., "step_functions", "glue", "opensearch")

After Discovery

Tell the user:

What was discovered (summary of resources)
That they can now generate diagrams with: "generate AWS diagram"

Source

git clone https://github.com/mpuig/claude-cloud-diagrams/blob/main/skills/aws-discover/SKILL.mdView on GitHub

Overview

aws-discover inventories an AWS account and emits a structured json file named aws_infrastructure.json. It starts by identifying the account identity, then enumerates networking, compute, storage, databases, security, messaging, and API/CDN resources, giving you a complete snapshot for auditing, migration planning, or documentation. The tool relies on AWS CLI commands assembled with a chosen profile and region.

How This Skill Works

It prompts you for the AWS Profile and Region, then runs a sequence of AWS CLI commands (VPCs, subnets, EC2, RDS, S3, etc.) using --profile and --region. The results are aggregated into a single aws_infrastructure.json matching the output schema described in the skill. The process proceeds from account identity through networking, compute, storage, security, and API/CDN resources.

When to Use It

discover AWS infrastructure for an account
explore an AWS account to build a JSON inventory
scan AWS infrastructure and generate aws_infrastructure.json
document AWS setup for audits or onboarding
plan migrations or changes with a complete inventory

Quick Start

Step 1: Configure AWS CLI with your profile and region (set AWS_PROFILE and AWS_REGION or use aws configure)
Step 2: Run the discovery process across identity, networking, compute, storage, security, and API/CDN resources (as shown in the SKILL)
Step 3: Save the results to aws_infrastructure.json and review the metadata and resource inventories

Best Practices

Ask for AWS Profile and Region up front and keep them consistent
Use read-only permissions to minimize risk during discovery
Validate aws_infrastructure.json against the defined Output Format
Run discovery in representative environments (prod/staging) to capture variability
Document timestamps and account ID in the metadata for traceability

Example Use Cases

Inventory a new AWS account before a migration or restructure
Produce a comprehensive infra document for a security/compliance audit
Create an onboarding map showing networking and compute layers for new engineers
Generate a baseline inventory for cost optimization and right-sizing
Prepare evidence of existing S3, EC2, RDS assets before consolidation or consolidation planning

Frequently Asked Questions

Add this skill to your agents