awslabs/aws-serverless-deployment
plugins/aws-serverless/skills/aws-serverless-deployment/SKILL.md
AWS SAM and AWS CDK deployment for serverless applications. Triggers on phrases like: use SAM, SAM template, SAM init, SAM deploy, CDK serverless, CDK Lambda construct, NodejsFunction, PythonFunction, SAM and CDK together, serverless CI/CD pipeline. For general app deployment with service selection, use deploy-on-aws plugin instead.
$ install --global
skillsauthnpx skillsauth add awslabs/agent-plugins aws-serverless-deploymentInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 3, 2026, 12:08 PM27.8s6 files scanned
SKILL.md
- name:
- aws-serverless-deployment
- description:
- AWS SAM and AWS CDK deployment for serverless applications. Triggers on phrases like: use SAM, SAM template, SAM init, SAM deploy, CDK serverless, CDK Lambda construct, NodejsFunction, PythonFunction, SAM and CDK together, serverless CI/CD pipeline. For general app deployment with service selection, use deploy-on-aws plugin instead.
- argument-hint:
- [what are you deploying?]
AWS Serverless Deployment
Deploy serverless applications to AWS using SAM or CDK. This skill covers project scaffolding, IaC templates, CDK constructs and patterns, deployment workflows, CI/CD pipelines, and SAM/CDK coexistence.
For Lambda runtime behavior, event sources, orchestration, observability, and optimization, see the aws-lambda skill.
When to Load Reference Files
Load the appropriate reference file based on what the user is working on:
- SAM project setup, templates, deployment workflow, local testing, or container images -> see references/sam-project-setup.md
- CDK project setup, constructs, CDK testing, or CDK pipelines -> see references/cdk-project-setup.md
- CDK Lambda constructs, NodejsFunction, PythonFunction, or CDK Function -> see references/cdk-lambda-constructs.md
- CDK serverless patterns, API Gateway CDK, Function URL CDK, EventBridge CDK, DynamoDB CDK, or SQS CDK -> see references/cdk-serverless-patterns.md
- SAM and CDK coexistence, migrating from SAM to CDK, or using sam build with CDK -> see references/sam-cdk-coexistence.md
Best Practices
SAM
- Do: Use
sam_initwith an appropriate template for your use case - Do: Set global defaults for timeout, memory, runtime, and tracing in the
Globalssection - Do: Use
samconfig.tomlenvironment-specific sections for multi-environment deployments - Do: Use
sam build --use-containerwhen native dependencies are involved - Don't: Copy-paste templates from the internet without understanding the resource configuration
- Don't: Hardcode resource ARNs or account IDs in templates — use
!Ref,!GetAtt, and!Sub
CDK
- Do: Use TypeScript — type checking catches errors at synthesis time, before any AWS API calls
- Do: Prefer L2 constructs and
grant*methods over L1 and raw IAM statements - Do: Separate stateful and stateless resources into different stacks; enable termination protection on stateful stacks
- Do: Commit
cdk.context.jsonto version control — it caches VPC/AZ lookups for deterministic synthesis - Do: Write unit tests with
aws-cdk-lib/assertions; assert logical IDs of stateful resources to detect accidental replacements - Do: Use
cdk diffin CI before every deployment to review changes - Don't: Hardcode account IDs or region strings — use
this.accountandthis.region - Don't: Use
cdk deploydirectly in production without a pipeline - Don't: Skip
cdk bootstrap— deployments will fail without the CDK toolkit stack
Configuration
AWS CLI Setup
This skill requires that AWS credentials are configured on the host machine:
Verify access: Run aws sts get-caller-identity to confirm credentials are valid
SAM CLI Setup
Verify: Run sam --version
Container Runtime Setup
- Install a Docker compatible container runtime: Required for
sam_local_invokeand container-based builds - Verify: Use an appropriate command such as
docker --versionorfinch --version
AWS Serverless MCP Server
Write access is enabled by default. The plugin ships with --allow-write in .mcp.json, so the MCP server can create projects, generate IaC, and deploy on behalf of the user.
Access to sensitive data (like Lambda and API Gateway logs) is not enabled by default. To grant it, add --allow-sensitive-data-access to .mcp.json.
SAM Template Validation Hook
This plugin includes a PostToolUse hook that runs sam validate automatically after any edit to template.yaml or template.yml. If validation fails, the error is returned as a system message so you can fix it immediately. The hook requires SAM CLI and jq to be installed; if either is missing, validation is skipped with a system message. Users can disable it via /hooks.
Verify: Run jq --version
IaC framework selection
Default: CDK
Override syntax:
- "use CloudFormation" → Generate YAML templates
- "use SAM" → Generate YAML templates
When not specified, ALWAYS use CDK
Language selection for CDK
Default: TypeScript
Override syntax:
- "use Python" → Generate Python code
- "use JavaScript" → Generate JavaScript code
When not specified, ALWAYS use TypeScript
Error Scenarios
Serverless MCP Server Unavailable
- Inform user: "AWS Serverless MCP not responding"
- Ask: "Proceed without MCP support?"
- DO NOT continue without user confirmation
Resources
- AWS SAM Documentation
- AWS CDK Documentation
- AWS Serverless MCP Server
Related Skills
awslabs/elastic-beanstalk
development
VerifiedTrustedCommunity
Deploy to AWS Elastic Beanstalk. Triggers on: elastic beanstalk, EB, managed EC2 platform, web app with managed patching, worker on EC2, Heroku alternative, don't want to manage servers or containers, migrate from Heroku, managed operational lifecycle. Covers Elastic Beanstalk on EC2 for web and worker applications.
772SKILL.mdUpdated Jun 4, 2026
awslabs/aws-lambda-managed-instances
testing
VerifiedTrustedCommunity
Evaluate, configure, and migrate workloads to AWS Lambda Managed Instances (LMI). Triggers on: Lambda Managed Instances, LMI, capacity provider, multi-concurrency Lambda, dedicated instance Lambda, EC2-backed Lambda, cold start elimination, Graviton Lambda, instance type for Lambda, Lambda cost optimization with Reserved Instances or Savings Plans. Also trigger when users describe high-volume predictable workloads seeking cost savings, or compare Lambda vs EC2 for steady-state traffic. For standard Lambda without LMI, use the aws-lambda skill instead.
772SKILL.mdUpdated Jun 4, 2026
awslabs/deploy
development
VerifiedTrustedCommunity
Deploy applications to AWS. Triggers on phrases like: deploy to AWS, host on AWS, run this on AWS, AWS architecture, estimate AWS cost, generate infrastructure. Analyzes any codebase and deploys to optimal AWS services.
772SKILL.mdUpdated Apr 3, 2026
awslabs/dsql
development
VerifiedTrustedCommunity
Build with Aurora DSQL — manage schemas, execute queries, handle migrations, diagnose query plans, load data, and develop applications with a serverless, distributed SQL database. Covers IAM auth, multi-tenant patterns, MySQL-to-DSQL migration, DDL operations, query plan explainability, SQL compatibility validation, and bulk data loading. Triggers on phrases like: DSQL, Aurora DSQL, create DSQL table, DSQL schema, migrate to DSQL, distributed SQL database, serverless PostgreSQL-compatible database, DSQL query plan, DSQL EXPLAIN ANALYZE, why is my DSQL query slow, aurora-dsql-loader, load CSV into DSQL.
772SKILL.mdUpdated Apr 3, 2026