awsinspect
ActiveTool of InsideOut (Riley)
INSPECTION: Inspect AWS infrastructure for a deployed project ⚠️ **PREREQUISITE**: This tool requires a prior deployment ATTEMPT (successful or failed). Check convostatus for hasDeployAttempt=true before calling. Works even after failed deploys to inspect orphaned resources. Inspect deployed AWS resources after a deployment attempt. Use this tool when the user asks about the status or details of their deployed infrastructure. It fetches temporary read-only credentials securely and queries the AWS API directly. RESPONSE TIERS (default is summary for token efficiency): - Summary (default): Key fields only (~500 tokens). Set detail=false, raw=false or omit both. - Detail: Full metadata for a specific resource. Set detail=true + resource filter. - Raw: Complete unprocessed API response. Set raw=true. REQUIRES: session_id from convoopen response (format: sess_v2_...). Supported services: account, acm, alb, apigateway, apprunner, backup, bedrock, cloudfront, cloudwatchlogs, cognito, cost-explorer, dynamodb, ebs, ec2, ecs, eks, elasticache, kms, lambda, msk, opensearch, rds, route53, s3, sagemaker, secretsmanager, sqs, vpc, waf For a specific service's actions, call with action="list-actions". METRICS: Use list-metrics to discover available metrics for a service (no credentials needed). Then use get-metrics to retrieve data (auto-discovers resources). Most services return CloudWatch time-series. KMS returns key health (rotation, state). SecretsManager returns secret health (rotation, last accessed/rotated). Optional filters JSON: {"hours":6,"period":300}. BILLING: Use service=cost-explorer to inspect AWS costs. Actions: get-cost-summary (last 30 days by service, filters: {"days":7,"granularity":"DAILY"}), get-cost-forecast (projected spend through end of month), get-cost-by-tag (costs grouped by tag, filters: {"tag_key":"Environment","days":30}). Requires ce:GetCostAndUsage and ce:GetCostForecast IAM permissions. EXAMPLES: - awsinspect(session_id=..., service="ec2", action="describe-instances") - awsinspect(session_id=..., service="cost-explorer", action="get-cost-summary") - awsinspect(session_id=..., service="ec2", action="get-metrics", filters="{\"hours\":6}") - awsinspect(session_id=..., service="rds", action="describe-db-instances", detail=true)
Parameters schema
{
"type": "object",
"required": [
"session_id",
"service",
"action",
"filters",
"detail",
"raw"
],
"properties": {
"raw": {
"type": "boolean",
"description": "When true, returns the unprocessed AWS API response. Escape hatch for fields the summarized response doesn't surface."
},
"action": {
"type": "string",
"description": "Operation on the service. Examples: 'describe-instances' (ec2), 'list-buckets' (s3), 'list-keys' (kms), 'get-cost-summary' (cost-explorer), 'list-actions' (discovery), 'list-metrics' / 'get-metrics' (CloudWatch)."
},
"detail": {
"type": "boolean",
"description": "When true, returns full metadata for a single resource (requires a resource ID in filters). When false (default), returns a summary."
},
"filters": {
"type": "string",
"description": "Optional JSON-encoded filter object passed through to the underlying AWS API. Examples: '{\"hours\":6}' for metric windows, '{\"days\":7,\"granularity\":\"DAILY\"}' for cost queries."
},
"service": {
"enum": [
"account",
"acm",
"alb",
"apigateway",
"apprunner",
"backup",
"bedrock",
"cloudfront",
"cloudwatchlogs",
"cognito",
"cost-explorer",
"dynamodb",
"ebs",
"ec2",
"ecs",
"eks",
"elasticache",
"kms",
"lambda",
"msk",
"opensearch",
"rds",
"route53",
"s3",
"sagemaker",
"secretsmanager",
"sqs",
"vpc",
"waf"
],
"type": "string",
"description": "AWS service to query. Examples: 'ec2', 'rds', 'vpc', 's3', 'lambda', 'eks', 'ecs', 'cost-explorer'. Use action='list-actions' to discover the supported actions for a service."
},
"session_id": {
"type": "string",
"pattern": "^sess_v2_[0-9A-Za-z]+\\?token=[0-9a-f]+$",
"description": "Session ID from convoopen — pass back EXACTLY as returned, including the ?token=... suffix (format: sess_v2_*?token=*). The suffix is part of the session credential; never strip it when summarizing. The session must have an AWS deploy attempt before inspect probes will succeed."
}
},
"additionalProperties": false
}Parent server
InsideOut (Riley)
https://github.com/luthersystems/insideout-agent-skills
2/7 registries