plugins/developer-kit-aws/skills/aws-cloudformation/aws-cloudformation-rds/SKILL.md
Provides AWS CloudFormation patterns for Amazon RDS databases. Use when creating RDS instances (MySQL, PostgreSQL, Aurora), DB clusters, multi-AZ deployments, parameter groups, subnet groups, and implementing template structure with Parameters, Outputs, Mappings, Conditions, and cross-stack references.
Create production-ready Amazon RDS infrastructure using AWS CloudFormation templates. Covers RDS instances (MySQL, PostgreSQL, Aurora), DB clusters, multi-AZ deployments, parameter groups, subnet groups, security groups, and cross-stack references.
| Component | CloudFormation Type | Use Case |
|-----------|-------------------|----------|
| DB Instance | AWS::RDS::DBInstance | Single database instance |
| DB Cluster | AWS::RDS::DBCluster | Aurora cluster |
| DB Subnet Group | AWS::RDS::DBSubnetGroup | VPC deployment |
| Parameter Group | AWS::RDS::DBParameterGroup | Database configuration |
| Security Group | AWS::EC2::SecurityGroup | Network access control |
| Secrets Manager | AWS::SecretsManager::Secret | Credential storage |
Use AWS-specific parameter types for validation where they exist; otherwise constrain `String` parameters with `AllowedValues` and `AllowedPattern`.

```yaml
Parameters:
  DBInstanceClass:
    # No AWS-specific parameter type exists for RDS instance classes,
    # so restrict the value with AllowedValues instead
    Type: String
    Default: db.t3.micro
    AllowedValues: [db.t3.micro, db.t3.small, db.t3.medium]
  Engine:
    Type: String
    Default: mysql
    AllowedValues: [mysql, postgres, aurora-mysql, aurora-postgresql]
  MasterUsername:
    Type: String
    Default: admin
    AllowedPattern: "^[a-zA-Z][a-zA-Z0-9]*$"
    MinLength: 1
    MaxLength: 16
  MasterUserPassword:
    Type: String
    # NoEcho masks the value in stack descriptions; for production prefer
    # ManageMasterUserPassword or a Secrets Manager dynamic reference
    NoEcho: true
    MinLength: 8
    MaxLength: 41
```
See template-structure.md for advanced parameter patterns, mappings, conditions, and cross-stack references.
Required for VPC deployment with subnets in different AZs.

```yaml
DBSubnetGroup:
  Type: AWS::RDS::DBSubnetGroup
  Properties:
    DBSubnetGroupDescription: Subnet group for RDS
    SubnetIds:
      - !Ref PrivateSubnet1
      - !Ref PrivateSubnet2
```
See database-components.md for parameter groups, option groups, and engine-specific configurations.
Restrict access to the application tier only.

```yaml
DBSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Security group for RDS
    VpcId: !Ref VpcId
    SecurityGroupIngress:
      # Reference the application security group rather than a CIDR range
      - IpProtocol: tcp
        FromPort: 3306
        ToPort: 3306
        SourceSecurityGroupId: !Ref AppSecurityGroup
```
See security-secrets.md for VPC security groups, encryption, Secrets Manager integration, and IAM authentication.
Configure the instance with the subnet group, security group, and storage, encryption, and backup settings.

```yaml
DBInstance:
  Type: AWS::RDS::DBInstance
  Properties:
    DBInstanceIdentifier: !Sub "${AWS::StackName}-mysql"
    DBInstanceClass: !Ref DBInstanceClass
    Engine: !Ref Engine
    MasterUsername: !Ref MasterUsername
    MasterUserPassword: !Ref MasterUserPassword
    AllocatedStorage: 20
    StorageType: gp3
    DBSubnetGroupName: !Ref DBSubnetGroup
    VPCSecurityGroups: [!Ref DBSecurityGroup]
    StorageEncrypted: true
    MultiAZ: true
    BackupRetentionPeriod: 7
    # Set to true for production; the IsProduction condition pattern handles this per environment
    DeletionProtection: false
```
See database-components.md for MySQL, PostgreSQL, Aurora cluster configurations, and parameter groups.
Configure multi-AZ deployment for production.

```yaml
Conditions:
  IsProduction: !Equals [!Ref Environment, production]
Resources:
  DBInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      MultiAZ: !If [IsProduction, true, false]
      BackupRetentionPeriod: !If [IsProduction, 35, 7]
      DeletionProtection: !If [IsProduction, true, false]
      EnablePerformanceInsights: !If [IsProduction, true, false]
```
See high-availability.md for multi-AZ deployments, read replicas, Aurora auto-scaling, enhanced monitoring, and disaster recovery.
Export connection details for application stacks.

```yaml
Outputs:
  DBInstanceEndpoint:
    Description: Database endpoint address
    Value: !GetAtt DBInstance.Endpoint.Address
    Export:
      Name: !Sub ${AWS::StackName}-DBEndpoint
  DBInstancePort:
    Description: Database port
    Value: !GetAtt DBInstance.Endpoint.Port
    Export:
      Name: !Sub ${AWS::StackName}-DBPort
  DBConnectionString:
    Description: Connection string
    # DBName is a template parameter not shown in this fragment
    Value: !Sub jdbc:mysql://${DBInstance.Endpoint.Address}:${DBInstance.Endpoint.Port}/${DBName}
```
See template-structure.md for cross-stack reference patterns and import/export strategies.
Always validate before deploying, especially to production.

```bash
# Validate the template syntax
aws cloudformation validate-template --template-body file://template.yaml

# Review the change set before applying updates (--change-set-name is required)
aws cloudformation create-change-set \
  --stack-name my-rds-stack \
  --change-set-name <change-set-name> \
  --template-body file://template.yaml \
  --change-set-type UPDATE
aws cloudformation describe-change-set --change-set-name <arn>

# Execute the change set if the preview looks correct
aws cloudformation execute-change-set --change-set-name <arn>
```
| Category | Practice | Implementation |
|----------|----------|----------------|
| Security | Encryption at rest | StorageEncrypted: true with KMS key |
| Security | Credential management | Use Secrets Manager integration |
| Security | Network isolation | Private subnets, restrictive SG rules |
| Security | IAM authentication | Enable IAMDatabaseAuthentication |
| HA | Multi-AZ deployment | MultiAZ: true for production |
| HA | Deletion protection | DeletionProtection: true for production |
| HA | Backup retention | 35 days for production, 7 for dev |
| HA | Read replicas | Use for read-heavy workloads |
| Cost | Storage type | Use gp3 for cost efficiency |
| Cost | Instance sizing | Right-size based on workload |
| Cost | Serverless | Consider Aurora Serverless for variable loads |
| Operations | Change sets | Always review before applying updates |
| Operations | Drift detection | Enable for template compliance |
| Operations | Monitoring | Configure CloudWatch alarms |
See operational-practices.md for detailed guidance on stack policies, termination protection, and backup strategies.
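As an added example (not part of this skill), the practices in the table can be checked mechanically before a change set is created. The block below walks a CloudFormation template in its parsed JSON shape (`{"Fn::If": [...]}` instead of `!If`, which is an assumption about how the template was loaded), resolves `Fn::If` against explicit condition values so the production branch of the skill's `IsProduction` pattern can be evaluated, and reports encryption, exposure, credential, and deletion-protection findings; the sample templates are constructed for the example.

```python
from typing import Any


def resolve(value: Any, conditions: dict[str, bool]) -> Any:
    """Resolve Fn::If against explicit condition values; all other values pass through unchanged."""
    if isinstance(value, dict) and "Fn::If" in value:
        name, if_true, if_false = value["Fn::If"]
        return resolve(if_true if conditions.get(name, False) else if_false, conditions)
    return value


def check_rds_template(template: dict, conditions: dict[str, bool]) -> list[str]:
    """Return one finding per violated practice; an empty list means the template passes."""
    findings: list[str] = []
    for name, res in template.get("Resources", {}).items():
        props = {k: resolve(v, conditions) for k, v in res.get("Properties", {}).items()}
        if res.get("Type") == "AWS::RDS::DBInstance":
            if props.get("StorageEncrypted") is not True:
                findings.append(f"{name}: StorageEncrypted must be true")
            if props.get("PubliclyAccessible") is True:
                findings.append(f"{name}: PubliclyAccessible must not be true")
            if isinstance(props.get("MasterUserPassword"), str):
                findings.append(f"{name}: MasterUserPassword is a literal; use Secrets Manager")
            if props.get("DeletionProtection") is not True:
                findings.append(f"{name}: DeletionProtection should be true")
            if res.get("DeletionPolicy") not in ("Snapshot", "Retain"):
                findings.append(f"{name}: DeletionPolicy should be Snapshot or Retain")
        elif res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0":
                    findings.append(f"{name}: port {rule.get('FromPort')} ingress is open to the internet")
    return findings


# Constructed samples in CloudFormation's JSON shape: the skill's conditional instance, and a weak variant.
HARDENED = {"Resources": {
    "DBSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "SourceSecurityGroupId": {"Ref": "AppSecurityGroupId"}}]}},
    "DBInstance": {"Type": "AWS::RDS::DBInstance", "DeletionPolicy": "Snapshot", "Properties": {
        "StorageEncrypted": True, "ManageMasterUserPassword": True,
        "MultiAZ": {"Fn::If": ["IsProduction", True, False]}, "DeletionProtection": {"Fn::If": ["IsProduction", True, False]}}}}}
WEAK = {"Resources": {
    "DBSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "CidrIp": "0.0.0.0/0"}]}},
    "DBInstance": {"Type": "AWS::RDS::DBInstance", "Properties": {
        "PubliclyAccessible": True, "MasterUserPassword": "changeme123"}}}}

if __name__ == "__main__":
    for label, tpl in (("hardened, production", HARDENED), ("weak", WEAK)):
        print(label, "->", check_rds_template(tpl, {"IsProduction": True}) or "no findings")
```

Running the hardened template with `IsProduction` false surfaces the non-production `DeletionProtection: false` branch, which is the kind of environment-specific gap a change-set review alone does not flag.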
Complete production-ready RDS instance with MultiAZ, encryption, and Secrets Manager integration:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Production RDS Instance
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  AppSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
  Environment:
    Type: String
    AllowedValues: [dev, staging, production]
  MasterUsername:
    Type: String
    Default: dbadmin
Conditions:
  IsProduction: !Equals [!Ref Environment, production]
Resources:
  DBSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: !Sub "${AWS::StackName} subnet group"
      SubnetIds: !Ref SubnetIds
  DBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: !Sub "${AWS::StackName} RDS security group"
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          SourceSecurityGroupId: !Ref AppSecurityGroupId
  DBInstance:
    Type: AWS::RDS::DBInstance
    DeletionPolicy: Snapshot
    UpdateReplacePolicy: Snapshot
    Properties:
      DBInstanceIdentifier: !Sub "${AWS::StackName}-mysql"
      DBInstanceClass: db.t3.medium
      Engine: mysql
      EngineVersion: '8.0'
      MasterUsername: !Ref MasterUsername
      # RDS generates the master password and stores it in Secrets Manager,
      # so no password parameter is needed in the template
      ManageMasterUserPassword: true
      AllocatedStorage: 50
      StorageType: gp3
      StorageEncrypted: true
      # The customer-managed key only exists in production; other environments
      # fall back to the AWS-managed aws/rds key
      KmsKeyId: !If [IsProduction, !Ref KmsKeyId, !Ref AWS::NoValue]
      DBSubnetGroupName: !Ref DBSubnetGroup
      VPCSecurityGroups: [!Ref DBSecurityGroup]
      MultiAZ: !If [IsProduction, true, false]
      BackupRetentionPeriod: !If [IsProduction, 35, 7]
      DeletionProtection: !If [IsProduction, true, false]
      EnablePerformanceInsights: !If [IsProduction, true, false]
      # Only meaningful when Performance Insights is enabled
      PerformanceInsightsRetentionPeriod: !If [IsProduction, 731, !Ref AWS::NoValue]
  KmsKeyId:
    Type: AWS::KMS::Key
    Condition: IsProduction
    Properties:
      Description: KMS key for RDS encryption
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: '*'
Outputs:
  DBEndpoint:
    Description: Database endpoint
    Value: !GetAtt DBInstance.Endpoint.Address
    Export:
      Name: !Sub ${AWS::StackName}-DBEndpoint
  DBPort:
    Description: Database port
    Value: !GetAtt DBInstance.Endpoint.Port
    Export:
      Name: !Sub ${AWS::StackName}-DBPort
```
See examples.md for additional examples including Aurora clusters, read replicas, and multi-region setups.
See constraints.md for complete constraints, troubleshooting guides, and performance considerations.