Add CloudFront operational review skill#25
Open
derekzie wants to merge 1 commit into
Open
Conversation
Read-only Amazon CloudFront operational review skill modeled on rds-operation-review and eks-operation-review. Reviews distributions against the AWS Well-Architected Framework across security (WAF, TLS, OAC), reliability (origin failover), performance, cost, and operational excellence, and generates a per-distribution report. Native read-only AWS APIs only; adds a least-privilege per-skill IAM block. Passes Agent Skill Eval (audit + functional + trigger).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Read-only Amazon CloudFront operational review skill modeled on rds-operation-review and eks-operation-review. Reviews distributions against the AWS Well-Architected Framework across security (WAF, TLS, OAC), reliability (origin failover), performance, cost, and operational excellence, and generates a per-distribution report. Native read-only AWS APIs only; adds a least-privilege per-skill IAM block. Passes Agent Skill Eval (audit + functional + trigger).
Description
A new read-only skill,
cloudfront-operational-review, that performs a comprehensiveAmazon CloudFront operational review aligned with the AWS Well-Architected Framework.
It mirrors the structure of the existing
rds-operation-reviewandeks-operation-reviewskills: identify targets → discover distributions and dependencies → collect CloudWatch
metrics, access-log signals, and config-change notes → cost → analyze by pillar → emit a
per-distribution Markdown report (
cloudfront-review-<distribution-id>-<YYYY-MM-DD>.md).Pillars covered:
S3 origin, field-level encryption, signed URLs/cookies, geo restriction, custom cert.
5xx / origin-error trends.
Shield, price-class vs latency, OriginLatency.
monitoring subscription, real-time logs, tagging.
Type of change
Testing
skill-eval report): root"passed": true— audit ✅ (0 critical,0 warning), functional ✅ (classified PARETO_BETTER), trigger ✅ (pass rate 1.0 across
should-not-trigger near-misses). Results committed under
evals/.auto-invoked the skill from natural prompts (e.g. "review my CloudFront distribution … for
best practices", "do a health check on our CDN") without the skill being named, ran the
read-only review, and produced the report. Near-miss prompts (create a distribution, create
an invalidation, pricing question, single-path 403 debugging) did not cause the skill to
hijack the response. Notes in
evals/manual-test-results.md. (Account IDs / ARNs redacted.)License confirmation