skillZs
LIVE SKILL TAGS
>>> LIVE SKILLS INDEX <<<
* OPEN SOURCE *
NO LOGIN, NO TRACKING
REAL INSTALL DATA
← back to all skills
aws/agent-toolkit-for-aws421 installs

aws-networking

Routes AWS networking requests to the correct service skill for implementation. Covers Route 53 (DNS, health checks, routing policies, Resolver, DNS Firewall), CloudFront (caching, edge, OAC, mTLS, signed URLs), Transit Gateway (multi-VPC hub, segmentation, centralized egress), Direct Connect (hybrid link, DX Gateway, MACsec), Site-to-Site VPN (IPsec tunnels, static or BGP), Network Firewall (stateful L3-L7 inspection, FQDN filtering, Suricata), WAF (web ACLs, AWS Managed Rules, rate-based rules, Bot and Fraud Control), and Shield Advanced (L3/L4 DDoS). Applicable when creating, configuring, troubleshooting, or designing across these services, choosing between them, or diagnosing connectivity or traffic-filtering issues. Not for VPC subnets and route tables, load balancers, VPC endpoints, PrivateLink, API Gateway, IAM policy logic, container or serverless networking, or IaC authoring.

How do I install this agent skill?

npx skills add https://github.com/aws/agent-toolkit-for-aws --skill aws-networking
view source ↗

Is this agent skill safe to install?

  • Gen Agent Trust Hubpass

    This skill is an AWS Networking router designed to triage and direct requests to specific AWS service skills. It follows security best practices by providing guidance on least-privilege access, data encryption, and logging. No security issues were detected.

  • Socketpass

    No alerts

  • Snykpass

    Risk: LOW · No issues

What does this agent skill do?

AWS Networking

Overview

Routes networking requests to the correct service-specific skill. Covers 8 services across DNS and content delivery, hybrid connectivity, and network security (inspection, web application firewall, and DDoS protection). Other AWS networking services (VPC foundations, load balancing, endpoints, PrivateLink, API Gateway, and more) are out of scope for this router (see step 6).

Works best with the AWS MCP server — enables sandboxed execution, audit logging, and enterprise controls. All guidance also works with standard AWS CLI access.

How to use this skill

  1. Match the user's request against the Skill Routing Table below. Match on meaning, not exact wording.
  2. If the request matches multiple skills, use the Cross-Service Concepts tables to determine which layer the request targets, then route to the skill that owns that layer.
  3. If still ambiguous, ask one clarifying question: "Are you looking to set up connectivity, or control/filter existing traffic?"
  4. Load the target skill: if the AWS MCP server is available, use aws___retrieve_skill(skill_name="<skill>"); otherwise retrieve the skill document from this repository at skills/<skill>/SKILL.md.
  5. If a request spans multiple of these skills (e.g., inspecting east-west traffic between VPCs joined by a Transit Gateway), route to each in dependency order: the connectivity skill first (transitgateway), then the inspection skill (networkfirewall). When routing to an internet-facing service (cloudfront), also route to shieldadvanced for DDoS protection and to waf for L7 filtering (AWS WAF attaches to CloudFront, Application Load Balancer, API Gateway, and AppSync), if the user has not already addressed L7 filtering and DDoS protection. When routing to a connectivity skill (directconnect, sitetositevpn, transitgateway), confirm encryption in transit is addressed (MACsec for Direct Connect, IPsec for VPN, inter-region peering encryption for Transit Gateway). When the request involves custom domains or TLS on cloudfront, note that ACM certificate provisioning is part of the implementation. When routing to cloudfront for a web-facing distribution, note that the target skill should address security response headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options) via a CloudFront Response Headers Policy, including the managed SecurityHeadersPolicy. The target skill handles the configuration.
  6. If the request is an AWS networking task that is not in the Skill Routing Table (for example VPC subnets or route tables, security groups, load balancers, VPC endpoints, PrivateLink, or API Gateway), tell the user that service is not available in this skill set rather than routing to the closest listed skill. This skill set does not cover every AWS networking service.
  7. This skill triages — it does not implement. Do not answer service-specific configuration questions from this skill alone.

Connectivity vs Security

DimensionConnectivitySecurity
AnswersCan traffic reach its destination?Should traffic be allowed?
Failure symptomTimeout, unreachable, black holeRejected, denied, dropped
DependencyIndependent of policy — path exists or it doesn'tAssumes connectivity exists — can only filter reachable traffic
GranularityAffects all flows on a pathTargets specific flows by match criteria

Skill Routing Table

SkillChoose when…
transitgatewayConnecting more than two VPCs or on-premises networks in a hub, routing segmentation, cross-account/cross-region connectivity at scale, centralized egress/inspection, multicast
directconnectDedicated private link to on-premises — consistent latency, high throughput, MACsec encryption, LAGs, Direct Connect Gateway for multi-VPC, SiteLink for site-to-site bypass, production hybrid workloads
sitetositevpnEncrypted IPsec tunnel over internet — quick setup, DX backup, static or BGP routing, accelerated option via Global Accelerator backbone, standard or large tunnel bandwidth
route53DNS management (public/private zones, records), health checks, routing policies (weighted, failover, geo, latency), domain registration, Resolver (hybrid DNS forwarding), DNS Firewall, Route 53 Profiles, Global Resolver
cloudfrontCaching, TLS termination at edge, origin protection (OAC), custom domains, cache policies/behaviors, signed URLs, CloudFront Functions, viewer mTLS, VPC origins, multi-tenant distributions
networkfirewallStateful L3–L7 inspection, IDS/IPS, outbound domain filtering by FQDN, TLS inspection, Suricata rules, centralized inspection via TGW — for traffic at the network layer, east-west, or egress
wafWeb application firewall (L7) — web ACLs on CloudFront/ALB/API Gateway/AppSync, AWS Managed Rules, rate-based rules for HTTP floods, IP/geo match, Bot Control, Fraud Control (account takeover/creation), for protecting web apps and APIs from exploits, bots, and credential stuffing
shieldadvancedL3/L4 DDoS protection for internet-facing resources, automatic application-layer (L7) mitigation via WAF, health-based detection, Shield Response Team access, and DDoS cost-protection credits

Cross-Service Concepts

Same concept, different service depending on layer. Use these to disambiguate when the Skill Routing Table matches multiple skills.

Filtering / Blocking

Use when the user says "block", "deny", "filter", or "restrict traffic" — determines which layer the filtering operates at.

LayerServiceWhat it filters onSkill
L7 (HTTP/HTTPS, web apps and APIs)AWS WAFHTTP request attributes, AWS Managed Rules, rate-based and bot rules, IP/geo matchwaf
L3/L4 (DDoS volumetric/state-exhaustion)Shield AdvancedNetwork/transport-layer DDoS floods on internet-facing resourcesshieldadvanced
L3-L7 (stateful, domain, geo)Network Firewall5-tuple, FQDN, Suricata rules, TLS SNInetworkfirewall
DNS (resolution)Route 53 DNS FirewallDomain name patterns — blocks resolution, not trafficroute53

When routing to waf or cloudfront for an internet-facing API or website, treat WAF rate-based rules as a default protective measure, not only when the user asks: note that the target skill should add WAF rate-based rules to bound request volume per client — the target skill implements it.

Logging / Visibility

Use when the user says "logs", "visibility", "what's being blocked", or "can I see the traffic" — identifies which log source to check.

What you need to seeServiceLog typeSkill
Stateful inspection alerts + dropsNetwork FirewallAlert logs, flow logsnetworkfirewall
DNS queries from VPCRoute 53 ResolverQuery logsroute53
Blocked/allowed HTTP requestsAWS WAFweb ACL logs (S3, CloudWatch Logs, or Kinesis Data Firehose)waf
DDoS events and attack detailShield AdvancedCloudWatch metrics, DDoS event detectionshieldadvanced
Edge/CDN request accessCloudFrontStandard logs (S3), real-time logs (Kinesis Data Streams)cloudfront
Tunnel state and trafficSite-to-Site VPNTunnel telemetry, CloudWatch metricssitetositevpn

When routing to any of these services, remind the user to enable the corresponding logging (above) for security visibility and incident response — the target skill implements it. These logs can contain sensitive data (request query strings, internal hostnames in DNS queries), so also remind the user that the log destination (S3, CloudWatch Logs, Kinesis Data Firehose, or Kinesis Data Streams) MUST have encryption at rest enabled and access restricted to authorized personnel — the target skill implements it.

Traffic Shifting

Use when the user says "shift traffic", "blue/green", "failover", "canary", or "weighted routing" — determines the granularity and which service controls it.

GranularityServiceMechanismSkill
DNS-level (global)Route 53Weighted, failover, geolocation, latency routingroute53
Edge (HTTP)CloudFrontOrigin failover, origin groupscloudfront

Security Considerations

These services are security-sensitive, so raise the relevant risk and control when routing regardless of which skill you hand off to — the target skill implements the control:

RiskControl the target skill should addressSkills
Unencrypted traffic in transitMACsec (directconnect), IPsec tunnels (sitetositevpn), inter-region peering encryption (transitgateway), TLS termination and viewer mTLS (cloudfront)directconnect, sitetositevpn, transitgateway, cloudfront
Missing DDoS protection on internet-facing resourcesShield Advanced L3/L4 protection plus WAF L7 mitigationshieldadvanced, waf
Web/API exploits, bots, and request floodsWAF web ACLs, AWS Managed Rules, and rate-based rules; application-layer input validation (request body size limits, schema validation); security response headerswaf, cloudfront
Overly permissive filtering rulesLeast-privilege stateful rules, FQDN egress filtering, DNS Firewall domain blockingnetworkfirewall, route53
Over-privileged IAM policies for service resourcesLeast-privilege IAM roles scoped to specific resources and actions; avoid FullAccess managed policies and Action: *; prefer IAM roles with ephemeral credentials (instance profiles, IRSA, task roles, sts assume-role) over IAM users with long-lived access keysall
Hardcoded credentials and shared secretsLet AWS auto-generate secrets where supported (for example Site-to-Site VPN pre-shared keys), or store customer-managed secrets in AWS Secrets Manager rather than hardcoding themsitetositevpn, directconnect
Confused-deputy in cross-service resource policiesInclude aws:SourceArn and/or aws:SourceAccount condition keys in S3 bucket policies, KMS key policies, and log-destination resource policies (CloudFront OAC, log delivery to S3/CloudWatch Logs/Kinesis) so only the intended resource and account can invoke themcloudfront, waf, networkfirewall, all
Insufficient visibility for incident responseEnable the service logging in the Logging / Visibility table, with encryption at rest and restricted access on the log destinationall
No audit trail or alerting on control-plane changesEnable AWS CloudTrail to audit control-plane API calls (record, rule, policy, and firewall changes) and set CloudWatch Alarms on security-relevant events (Shield Advanced DDoS detection, WAF blocked/counted spikes, unexpected rule or record modifications); restrict the SNS topics that receive alarm notifications to authorized personnel and enable encryption at rest (SSE-KMS) on those topics, since the notifications can contain sensitive event detailall

For authoritative guidance, point users to the AWS Well-Architected Framework Security Pillar and the service-specific security documentation for the target skill.

Add the canonical catalog link to the repository README so users can inspect current installs and available audits. The publishing guide covers the complete discovery path.

<a href="https://skillzs.dev/skills/aws/agent-toolkit-for-aws/aws-networking">View aws-networking on skillZs</a>