Skip to content

Add CloudFront operational review skill#25

Open
derekzie wants to merge 1 commit into
aws-samples:mainfrom
derekzie:cloudfront-operational-review
Open

Add CloudFront operational review skill#25
derekzie wants to merge 1 commit into
aws-samples:mainfrom
derekzie:cloudfront-operational-review

Conversation

@derekzie

Copy link
Copy Markdown

Read-only Amazon CloudFront operational review skill modeled on rds-operation-review and eks-operation-review. Reviews distributions against the AWS Well-Architected Framework across security (WAF, TLS, OAC), reliability (origin failover), performance, cost, and operational excellence, and generates a per-distribution report. Native read-only AWS APIs only; adds a least-privilege per-skill IAM block. Passes Agent Skill Eval (audit + functional + trigger).

Description

A new read-only skill, cloudfront-operational-review, that performs a comprehensive
Amazon CloudFront operational review aligned with the AWS Well-Architected Framework.
It mirrors the structure of the existing rds-operation-review and eks-operation-review
skills: identify targets → discover distributions and dependencies → collect CloudWatch
metrics, access-log signals, and config-change notes → cost → analyze by pillar → emit a
per-distribution Markdown report (cloudfront-review-<distribution-id>-<YYYY-MM-DD>.md).

Pillars covered:

  • Security — WAF attachment, TLS minimum protocol, viewer protocol policy, OAC vs public
    S3 origin, field-level encryption, signed URLs/cookies, geo restriction, custom cert.
  • Reliability — origin failover / origin groups, custom-origin and VPC-origin health,
    5xx / origin-error trends.
  • Performance — cache hit ratio, cache policy TTLs, compression, HTTP/2 & HTTP/3, Origin
    Shield, price-class vs latency, OriginLatency.
  • Cost — price class, cache efficiency, unused/disabled distributions, cost-allocation tags.
  • Operational Excellence — CloudWatch alarms, standard logging, additional-metrics
    monitoring subscription, real-time logs, tagging.

Type of change

  • New skill
  • New custom agent
  • Update to an existing skill or agent
  • Documentation or infrastructure change

Testing

  • Agent Skill Eval (skill-eval report): root "passed": true — audit ✅ (0 critical,
    0 warning), functional ✅ (classified PARETO_BETTER), trigger ✅ (pass rate 1.0 across
    should-not-trigger near-misses). Results committed under evals/.
  • Manual DevOps Agent test (On-demand agent, live CloudFront distribution): the agent
    auto-invoked the skill from natural prompts (e.g. "review my CloudFront distribution … for
    best practices", "do a health check on our CDN") without the skill being named, ran the
    read-only review, and produced the report. Near-miss prompts (create a distribution, create
    an invalidation, pricing question, single-path 403 debugging) did not cause the skill to
    hijack the response. Notes in evals/manual-test-results.md. (Account IDs / ARNs redacted.)

License confirmation

  • By submitting this pull request, I confirm that my contribution is made under the terms of the Apache License 2.0.

Read-only Amazon CloudFront operational review skill modeled on rds-operation-review and eks-operation-review. Reviews distributions against the AWS Well-Architected Framework across security (WAF, TLS, OAC), reliability (origin failover), performance, cost, and operational excellence, and generates a per-distribution report. Native read-only AWS APIs only; adds a least-privilege per-skill IAM block. Passes Agent Skill Eval (audit + functional + trigger).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant