Aws Serverless

1---2name: aws-serverless3description: Specialized skill for building production-ready serverless4  applications on AWS. Covers Lambda functions, API Gateway, DynamoDB, SQS/SNS5  event-driven patterns, SAM/CDK deployment, and cold start optimization.6risk: unknown7source: vibeship-spawner-skills (Apache 2.0)8date_added: 2026-02-279---10 11# AWS Serverless12 13Specialized skill for building production-ready serverless applications on AWS.14Covers Lambda functions, API Gateway, DynamoDB, SQS/SNS event-driven patterns,15SAM/CDK deployment, and cold start optimization.16 17## Principles18 19- Right-size memory and timeout (measure before optimizing)20- Minimize cold starts for latency-sensitive workloads21- Use SnapStart for Java/.NET functions22- Prefer HTTP API over REST API for simple use cases23- Design for failure with DLQs and retries24- Keep deployment packages small25- Use environment variables for configuration26- Implement structured logging with correlation IDs27 28## Patterns29 30### Lambda Handler Pattern31 32Proper Lambda function structure with error handling33 34**When to use**: Any Lambda function implementation,API handlers, event processors, scheduled tasks35 36```javascript37// Node.js Lambda Handler38// handler.js39 40// Initialize outside handler (reused across invocations)41const { DynamoDBClient } = require('@aws-sdk/client-dynamodb');42const { DynamoDBDocumentClient, GetCommand } = require('@aws-sdk/lib-dynamodb');43 44const client = new DynamoDBClient({});45const docClient = DynamoDBDocumentClient.from(client);46 47// Handler function48exports.handler = async (event, context) => {49  // Optional: Don't wait for event loop to clear (Node.js)50  context.callbackWaitsForEmptyEventLoop = false;51 52  try {53    // Parse input based on event source54    const body = typeof event.body === 'string'55      ? JSON.parse(event.body)56      : event.body;57 58    // Business logic59    const result = await processRequest(body);60 61    // Return API Gateway compatible response62    return {63      statusCode: 200,64      headers: {65        'Content-Type': 'application/json',66        'Access-Control-Allow-Origin': '*'67      },68      body: JSON.stringify(result)69    };70  } catch (error) {71    console.error('Error:', JSON.stringify({72      error: error.message,73      stack: error.stack,74      requestId: context.awsRequestId75    }));76 77    return {78      statusCode: error.statusCode || 500,79      headers: { 'Content-Type': 'application/json' },80      body: JSON.stringify({81        error: error.message || 'Internal server error'82      })83    };84  }85};86 87async function processRequest(data) {88  // Your business logic here89  const result = await docClient.send(new GetCommand({90    TableName: process.env.TABLE_NAME,91    Key: { id: data.id }92  }));93  return result.Item;94}95```96 97```python98# Python Lambda Handler99# handler.py100 101import json102import os103import logging104import boto3105from botocore.exceptions import ClientError106 107# Initialize outside handler (reused across invocations)108logger = logging.getLogger()109logger.setLevel(logging.INFO)110 111dynamodb = boto3.resource('dynamodb')112table = dynamodb.Table(os.environ['TABLE_NAME'])113 114def handler(event, context):115    try:116        # Parse input117        body = json.loads(event.get('body', '{}')) if isinstance(event.get('body'), str) else event.get('body', {})118 119        # Business logic120        result = process_request(body)121 122        return {123            'statusCode': 200,124            'headers': {125                'Content-Type': 'application/json',126                'Access-Control-Allow-Origin': '*'127            },128            'body': json.dumps(result)129        }130 131    except ClientError as e:132        logger.error(f"DynamoDB error: {e.response['Error']['Message']}")133        return error_response(500, 'Database error')134 135    except json.JSONDecodeError:136        return error_response(400, 'Invalid JSON')137 138    except Exception as e:139        logger.error(f"Unexpected error: {str(e)}", exc_info=True)140        return error_response(500, 'Internal server error')141 142def process_request(data):143    response = table.get_item(Key={'id': data['id']})144    return response.get('Item')145 146def error_response(status_code, message):147    return {148        'statusCode': status_code,149        'headers': {'Content-Type': 'application/json'},150        'body': json.dumps({'error': message})151    }152```153 154### Best_practices155 156- Initialize clients outside handler (reused across warm invocations)157- Always return proper API Gateway response format158- Log with structured JSON for CloudWatch Insights159- Include request ID in error logs for tracing160 161### API Gateway Integration Pattern162 163REST API and HTTP API integration with Lambda164 165**When to use**: Building REST APIs backed by Lambda,Need HTTP endpoints for functions166 167```yaml168# template.yaml (SAM)169AWSTemplateFormatVersion: '2010-09-09'170Transform: AWS::Serverless-2016-10-31171 172Globals:173  Function:174    Runtime: nodejs20.x175    Timeout: 30176    MemorySize: 256177    Environment:178      Variables:179        TABLE_NAME: !Ref ItemsTable180 181Resources:182  # HTTP API (recommended for simple use cases)183  HttpApi:184    Type: AWS::Serverless::HttpApi185    Properties:186      StageName: prod187      CorsConfiguration:188        AllowOrigins:189          - "*"190        AllowMethods:191          - GET192          - POST193          - DELETE194        AllowHeaders:195          - "*"196 197  # Lambda Functions198  GetItemFunction:199    Type: AWS::Serverless::Function200    Properties:201      Handler: src/handlers/get.handler202      Events:203        GetItem:204          Type: HttpApi205          Properties:206            ApiId: !Ref HttpApi207            Path: /items/{id}208            Method: GET209      Policies:210        - DynamoDBReadPolicy:211            TableName: !Ref ItemsTable212 213  CreateItemFunction:214    Type: AWS::Serverless::Function215    Properties:216      Handler: src/handlers/create.handler217      Events:218        CreateItem:219          Type: HttpApi220          Properties:221            ApiId: !Ref HttpApi222            Path: /items223            Method: POST224      Policies:225        - DynamoDBCrudPolicy:226            TableName: !Ref ItemsTable227 228  # DynamoDB Table229  ItemsTable:230    Type: AWS::DynamoDB::Table231    Properties:232      AttributeDefinitions:233        - AttributeName: id234          AttributeType: S235      KeySchema:236        - AttributeName: id237          KeyType: HASH238      BillingMode: PAY_PER_REQUEST239 240Outputs:241  ApiUrl:242    Value: !Sub "https://${HttpApi}.execute-api.${AWS::Region}.amazonaws.com/prod"243```244 245```javascript246// src/handlers/get.js247const { getItem } = require('../lib/dynamodb');248 249exports.handler = async (event) => {250  const id = event.pathParameters?.id;251 252  if (!id) {253    return {254      statusCode: 400,255      body: JSON.stringify({ error: 'Missing id parameter' })256    };257  }258 259  const item = await getItem(id);260 261  if (!item) {262    return {263      statusCode: 404,264      body: JSON.stringify({ error: 'Item not found' })265    };266  }267 268  return {269    statusCode: 200,270    body: JSON.stringify(item)271  };272};273```274 275### Structure276 277project/278├── template.yaml      # SAM template279├── src/280│   ├── handlers/281│   │   ├── get.js282│   │   ├── create.js283│   │   └── delete.js284│   └── lib/285│       └── dynamodb.js286└── events/287    └── event.json     # Test events288 289### Api_comparison290 291- Http_api:292  - Lower latency (~10ms)293  - Lower cost (50-70% cheaper)294  - Simpler, fewer features295  - Best for: Most REST APIs296- Rest_api:297  - More features (caching, request validation, WAF)298  - Usage plans and API keys299  - Request/response transformation300  - Best for: Complex APIs, enterprise features301 302### Event-Driven SQS Pattern303 304Lambda triggered by SQS for reliable async processing305 306**When to use**: Decoupled, asynchronous processing,Need retry logic and DLQ,Processing messages in batches307 308```yaml309# template.yaml310Resources:311  ProcessorFunction:312    Type: AWS::Serverless::Function313    Properties:314      Handler: src/handlers/processor.handler315      Events:316        SQSEvent:317          Type: SQS318          Properties:319            Queue: !GetAtt ProcessingQueue.Arn320            BatchSize: 10321            FunctionResponseTypes:322              - ReportBatchItemFailures  # Partial batch failure handling323 324  ProcessingQueue:325    Type: AWS::SQS::Queue326    Properties:327      VisibilityTimeout: 180  # 6x Lambda timeout328      RedrivePolicy:329        deadLetterTargetArn: !GetAtt DeadLetterQueue.Arn330        maxReceiveCount: 3331 332  DeadLetterQueue:333    Type: AWS::SQS::Queue334    Properties:335      MessageRetentionPeriod: 1209600  # 14 days336```337 338```javascript339// src/handlers/processor.js340exports.handler = async (event) => {341  const batchItemFailures = [];342 343  for (const record of event.Records) {344    try {345      const body = JSON.parse(record.body);346      await processMessage(body);347    } catch (error) {348      console.error(`Failed to process message ${record.messageId}:`, error);349      // Report this item as failed (will be retried)350      batchItemFailures.push({351        itemIdentifier: record.messageId352      });353    }354  }355 356  // Return failed items for retry357  return { batchItemFailures };358};359 360async function processMessage(message) {361  // Your processing logic362  console.log('Processing:', message);363 364  // Simulate work365  await saveToDatabase(message);366}367```368 369```python370# Python version371import json372import logging373 374logger = logging.getLogger()375 376def handler(event, context):377    batch_item_failures = []378 379    for record in event['Records']:380        try:381            body = json.loads(record['body'])382            process_message(body)383        except Exception as e:384            logger.error(f"Failed to process {record['messageId']}: {e}")385            batch_item_failures.append({386                'itemIdentifier': record['messageId']387            })388 389    return {'batchItemFailures': batch_item_failures}390```391 392### Best_practices393 394- Set VisibilityTimeout to 6x Lambda timeout395- Use ReportBatchItemFailures for partial batch failure396- Always configure a DLQ for poison messages397- Process messages idempotently398 399### DynamoDB Streams Pattern400 401React to DynamoDB table changes with Lambda402 403**When to use**: Real-time reactions to data changes,Cross-region replication,Audit logging, notifications404 405```yaml406# template.yaml407Resources:408  ItemsTable:409    Type: AWS::DynamoDB::Table410    Properties:411      TableName: items412      AttributeDefinitions:413        - AttributeName: id414          AttributeType: S415      KeySchema:416        - AttributeName: id417          KeyType: HASH418      BillingMode: PAY_PER_REQUEST419      StreamSpecification:420        StreamViewType: NEW_AND_OLD_IMAGES421 422  StreamProcessorFunction:423    Type: AWS::Serverless::Function424    Properties:425      Handler: src/handlers/stream.handler426      Events:427        Stream:428          Type: DynamoDB429          Properties:430            Stream: !GetAtt ItemsTable.StreamArn431            StartingPosition: TRIM_HORIZON432            BatchSize: 100433            MaximumRetryAttempts: 3434            DestinationConfig:435              OnFailure:436                Destination: !GetAtt StreamDLQ.Arn437 438  StreamDLQ:439    Type: AWS::SQS::Queue440```441 442```javascript443// src/handlers/stream.js444exports.handler = async (event) => {445  for (const record of event.Records) {446    const eventName = record.eventName;  // INSERT, MODIFY, REMOVE447 448    // Unmarshall DynamoDB format to plain JS objects449    const newImage = record.dynamodb.NewImage450      ? unmarshall(record.dynamodb.NewImage)451      : null;452    const oldImage = record.dynamodb.OldImage453      ? unmarshall(record.dynamodb.OldImage)454      : null;455 456    console.log(`${eventName}: `, { newImage, oldImage });457 458    switch (eventName) {459      case 'INSERT':460        await handleInsert(newImage);461        break;462      case 'MODIFY':463        await handleModify(oldImage, newImage);464        break;465      case 'REMOVE':466        await handleRemove(oldImage);467        break;468    }469  }470};471 472// Use AWS SDK v3 unmarshall473const { unmarshall } = require('@aws-sdk/util-dynamodb');474```475 476### Stream_view_types477 478- KEYS_ONLY: Only key attributes479- NEW_IMAGE: After modification480- OLD_IMAGE: Before modification481- NEW_AND_OLD_IMAGES: Both before and after482 483### Cold Start Optimization Pattern484 485Minimize Lambda cold start latency486 487**When to use**: Latency-sensitive applications,User-facing APIs,High-traffic functions488 489## 1. Optimize Package Size490 491```javascript492// Use modular AWS SDK v3 imports493// GOOD - only imports what you need494const { DynamoDBClient } = require('@aws-sdk/client-dynamodb');495const { DynamoDBDocumentClient, GetCommand } = require('@aws-sdk/lib-dynamodb');496 497// BAD - imports entire SDK498const AWS = require('aws-sdk');  // Don't do this!499```500 501## 2. Use SnapStart (Java/.NET)502 503```yaml504# template.yaml505Resources:506  JavaFunction:507    Type: AWS::Serverless::Function508    Properties:509      Handler: com.example.Handler::handleRequest510      Runtime: java21511      SnapStart:512        ApplyOn: PublishedVersions  # Enable SnapStart513      AutoPublishAlias: live514```515 516## 3. Right-size Memory517 518```yaml519# More memory = more CPU = faster init520Resources:521  FastFunction:522    Type: AWS::Serverless::Function523    Properties:524      MemorySize: 1024  # 1GB gets full vCPU525      Timeout: 30526```527 528## 4. Provisioned Concurrency (when needed)529 530```yaml531Resources:532  CriticalFunction:533    Type: AWS::Serverless::Function534    Properties:535      Handler: src/handlers/critical.handler536      AutoPublishAlias: live537 538  ProvisionedConcurrency:539    Type: AWS::Lambda::ProvisionedConcurrencyConfig540    Properties:541      FunctionName: !Ref CriticalFunction542      Qualifier: live543      ProvisionedConcurrentExecutions: 5544```545 546## 5. Keep Init Light547 548```python549# GOOD - Lazy initialization550_table = None551 552def get_table():553    global _table554    if _table is None:555        dynamodb = boto3.resource('dynamodb')556        _table = dynamodb.Table(os.environ['TABLE_NAME'])557    return _table558 559def handler(event, context):560    table = get_table()  # Only initializes on first use561    # ...562```563 564### Optimization_priority565 566- 1: Reduce package size (biggest impact)567- 2: Use SnapStart for Java/.NET568- 3: Increase memory for faster init569- 4: Delay heavy imports570- 5: Provisioned concurrency (last resort)571 572### SAM Local Development Pattern573 574Local testing and debugging with SAM CLI575 576**When to use**: Local development and testing,Debugging Lambda functions,Testing API Gateway locally577 578```bash579# Install SAM CLI580pip install aws-sam-cli581 582# Initialize new project583sam init --runtime nodejs20.x --name my-api584 585# Build the project586sam build587 588# Run locally589sam local start-api590 591# Invoke single function592sam local invoke GetItemFunction --event events/get.json593 594# Local debugging (Node.js with VS Code)595sam local invoke --debug-port 5858 GetItemFunction596 597# Deploy598sam deploy --guided599```600 601```json602// events/get.json (test event)603{604  "pathParameters": {605    "id": "123"606  },607  "httpMethod": "GET",608  "path": "/items/123"609}610```611 612```json613// .vscode/launch.json (for debugging)614{615  "version": "0.2.0",616  "configurations": [617    {618      "name": "Attach to SAM CLI",619      "type": "node",620      "request": "attach",621      "address": "localhost",622      "port": 5858,623      "localRoot": "${workspaceRoot}/src",624      "remoteRoot": "/var/task/src",625      "protocol": "inspector"626    }627  ]628}629```630 631### Commands632 633- Sam_build: Build Lambda deployment packages634- Sam_local_start_api: Start local API Gateway635- Sam_local_invoke: Invoke single function636- Sam_deploy: Deploy to AWS637- Sam_logs: Tail CloudWatch logs638 639### CDK Serverless Pattern640 641Infrastructure as code with AWS CDK642 643**When to use**: Complex infrastructure beyond Lambda,Prefer programming languages over YAML,Need reusable constructs644 645```typescript646// lib/api-stack.ts647import * as cdk from 'aws-cdk-lib';648import * as lambda from 'aws-cdk-lib/aws-lambda';649import * as apigateway from 'aws-cdk-lib/aws-apigateway';650import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';651import { Construct } from 'constructs';652 653export class ApiStack extends cdk.Stack {654  constructor(scope: Construct, id: string, props?: cdk.StackProps) {655    super(scope, id, props);656 657    // DynamoDB Table658    const table = new dynamodb.Table(this, 'ItemsTable', {659      partitionKey: { name: 'id', type: dynamodb.AttributeType.STRING },660      billingMode: dynamodb.BillingMode.PAY_PER_REQUEST,661      removalPolicy: cdk.RemovalPolicy.DESTROY, // For dev only662    });663 664    // Lambda Function665    const getItemFn = new lambda.Function(this, 'GetItemFunction', {666      runtime: lambda.Runtime.NODEJS_20_X,667      handler: 'get.handler',668      code: lambda.Code.fromAsset('src/handlers'),669      environment: {670        TABLE_NAME: table.tableName,671      },672      memorySize: 256,673      timeout: cdk.Duration.seconds(30),674    });675 676    // Grant permissions677    table.grantReadData(getItemFn);678 679    // API Gateway680    const api = new apigateway.RestApi(this, 'ItemsApi', {681      restApiName: 'Items Service',682      defaultCorsPreflightOptions: {683        allowOrigins: apigateway.Cors.ALL_ORIGINS,684        allowMethods: apigateway.Cors.ALL_METHODS,685      },686    });687 688    const items = api.root.addResource('items');689    const item = items.addResource('{id}');690 691    item.addMethod('GET', new apigateway.LambdaIntegration(getItemFn));692 693    // Output API URL694    new cdk.CfnOutput(this, 'ApiUrl', {695      value: api.url,696    });697  }698}699```700 701```bash702# CDK commands703npm install -g aws-cdk704cdk init app --language typescript705cdk synth    # Generate CloudFormation706cdk diff     # Show changes707cdk deploy   # Deploy to AWS708```709 710## Sharp Edges711 712### Cold Start INIT Phase Now Billed (Aug 2025)713 714Severity: HIGH715 716Situation: Running Lambda functions in production717 718Symptoms:719Unexplained increase in Lambda costs (10-50% higher).720Bill includes charges for function initialization.721Functions with heavy startup logic cost more than expected.722 723Why this breaks:724As of August 1, 2025, AWS bills the INIT phase the same way it bills725invocation duration. Previously, cold start initialization wasn't billed726for the full duration.727 728This affects functions with:729- Heavy dependency loading (large packages)730- Slow initialization code731- Frequent cold starts (low traffic or poor concurrency)732 733Cold starts now directly impact your bill, not just latency.734 735Recommended fix:736 737## Measure your INIT phase738 739```bash740# Check CloudWatch Logs for INIT_REPORT741# Look for Init Duration in milliseconds742 743# Example log line:744# INIT_REPORT Init Duration: 423.45 ms745```746 747## Reduce INIT duration748 749```javascript750// 1. Minimize package size751// Use tree shaking, exclude dev dependencies752// npm prune --production753 754// 2. Lazy load heavy dependencies755let heavyLib = null;756function getHeavyLib() {757  if (!heavyLib) {758    heavyLib = require('heavy-library');759  }760  return heavyLib;761}762 763// 3. Use AWS SDK v3 modular imports764const { S3Client } = require('@aws-sdk/client-s3');765// NOT: const AWS = require('aws-sdk');766```767 768## Use SnapStart for Java/.NET769 770```yaml771Resources:772  JavaFunction:773    Type: AWS::Serverless::Function774    Properties:775      Runtime: java21776      SnapStart:777        ApplyOn: PublishedVersions778```779 780## Monitor cold start frequency781 782```javascript783// Track cold starts with custom metric784let isColdStart = true;785 786exports.handler = async (event) => {787  if (isColdStart) {788    console.log('COLD_START');789    // CloudWatch custom metric here790    isColdStart = false;791  }792  // ...793};794```795 796### Lambda Timeout Misconfiguration797 798Severity: HIGH799 800Situation: Running Lambda functions, especially with external calls801 802Symptoms:803Function times out unexpectedly.804"Task timed out after X seconds" in logs.805Partial processing with no response.806Silent failures with no error caught.807 808Why this breaks:809Default Lambda timeout is only 3 seconds. Maximum is 15 minutes.810 811Common timeout causes:812- Default timeout too short for workload813- Downstream service taking longer than expected814- Network issues in VPC815- Infinite loops or blocking operations816- S3 downloads larger than expected817 818Lambda terminates at timeout without graceful shutdown.819 820Recommended fix:821 822## Set appropriate timeout823 824```yaml825# template.yaml826Resources:827  MyFunction:828    Type: AWS::Serverless::Function829    Properties:830      Timeout: 30  # Seconds (max 900)831      # Set to expected duration + buffer832```833 834## Implement timeout awareness835 836```javascript837exports.handler = async (event, context) => {838  // Get remaining time839  const remainingTime = context.getRemainingTimeInMillis();840 841  // If running low on time, fail gracefully842  if (remainingTime < 5000) {843    console.warn('Running low on time, aborting');844    throw new Error('Insufficient time remaining');845  }846 847  // For long operations, check periodically848  for (const item of items) {849    if (context.getRemainingTimeInMillis() < 10000) {850      // Save progress and exit gracefully851      await saveProgress(processedItems);852      throw new Error('Timeout approaching, saved progress');853    }854    await processItem(item);855  }856};857```858 859## Set downstream timeouts860 861```javascript862const axios = require('axios');863 864// Always set timeouts on HTTP calls865const response = await axios.get('https://api.example.com/data', {866  timeout: 5000  // 5 seconds867});868```869 870### Out of Memory (OOM) Crash871 872Severity: HIGH873 874Situation: Lambda function processing data875 876Symptoms:877Function stops abruptly without error.878CloudWatch logs appear truncated.879"Max Memory Used" hits configured limit.880Inconsistent behavior under load.881 882Why this breaks:883When Lambda exceeds memory allocation, AWS forcibly terminates884the runtime. This happens without raising a catchable exception.885 886Common causes:887- Processing large files in memory888- Memory leaks across invocations889- Buffering entire response bodies890- Heavy libraries consuming too much memory891 892Recommended fix:893 894## Increase memory allocation895 896```yaml897Resources:898  MyFunction:899    Type: AWS::Serverless::Function900    Properties:901      MemorySize: 1024  # MB (128-10240)902      # More memory = more CPU too903```904 905## Stream large data906 907```javascript908// BAD - loads entire file into memory909const data = await s3.getObject(params).promise();910const content = data.Body.toString();911 912// GOOD - stream processing913const { S3Client, GetObjectCommand } = require('@aws-sdk/client-s3');914const s3 = new S3Client({});915 916const response = await s3.send(new GetObjectCommand(params));917const stream = response.Body;918 919// Process stream in chunks920for await (const chunk of stream) {921  await processChunk(chunk);922}923```924 925## Monitor memory usage926 927```javascript928exports.handler = async (event, context) => {929  const used = process.memoryUsage();930  console.log('Memory:', {931    heapUsed: Math.round(used.heapUsed / 1024 / 1024) + 'MB',932    heapTotal: Math.round(used.heapTotal / 1024 / 1024) + 'MB'933  });934  // ...935};936```937 938## Use Lambda Power Tuning939 940```bash941# Find optimal memory setting942# https://github.com/alexcasalboni/aws-lambda-power-tuning943```944 945### VPC-Attached Lambda Cold Start Delay946 947Severity: MEDIUM948 949Situation: Lambda functions in VPC accessing private resources950 951Symptoms:952Extremely slow cold starts (was 10+ seconds, now ~100ms).953Timeouts on first invocation after idle period.954Functions work in VPC but slow compared to non-VPC.955 956Why this breaks:957Lambda functions in VPC need Elastic Network Interfaces (ENIs).958AWS improved this significantly with Hyperplane ENIs, but:959 960- First cold start in VPC still has overhead961- NAT Gateway issues can cause timeouts962- Security group misconfig blocks traffic963- DNS resolution can be slow964 965Recommended fix:966 967## Verify VPC configuration968 969```yaml970Resources:971  MyFunction:972    Type: AWS::Serverless::Function973    Properties:974      VpcConfig:975        SecurityGroupIds:976          - !Ref LambdaSecurityGroup977        SubnetIds:978          - !Ref PrivateSubnet1979          - !Ref PrivateSubnet2  # Multiple AZs980 981  LambdaSecurityGroup:982    Type: AWS::EC2::SecurityGroup983    Properties:984      GroupDescription: Lambda SG985      VpcId: !Ref VPC986      SecurityGroupEgress:987        - IpProtocol: tcp988          FromPort: 443989          ToPort: 443990          CidrIp: 0.0.0.0/0  # Allow HTTPS outbound991```992 993## Use VPC endpoints for AWS services994 995```yaml996# Avoid NAT Gateway for AWS service calls997DynamoDBEndpoint:998  Type: AWS::EC2::VPCEndpoint999  Properties:1000    ServiceName: !Sub com.amazonaws.${AWS::Region}.dynamodb1001    VpcId: !Ref VPC1002    RouteTableIds:1003      - !Ref PrivateRouteTable1004    VpcEndpointType: Gateway1005 1006S3Endpoint:1007  Type: AWS::EC2::VPCEndpoint1008  Properties:1009    ServiceName: !Sub com.amazonaws.${AWS::Region}.s31010    VpcId: !Ref VPC1011    VpcEndpointType: Gateway1012```1013 1014## Only use VPC when necessary1015 1016Don't attach Lambda to VPC unless you need:1017- Access to RDS/ElastiCache in VPC1018- Access to private EC2 instances1019- Compliance requirements1020 1021Most AWS services can be accessed without VPC.1022 1023### Node.js Event Loop Not Cleared1024 1025Severity: MEDIUM1026 1027Situation: Node.js Lambda function with callbacks or timers1028 1029Symptoms:1030Function takes full timeout duration to return.1031"Task timed out" even though logic completed.1032Extra billing for idle time.1033 1034Why this breaks:1035By default, Lambda waits for the Node.js event loop to be empty1036before returning. If you have:1037- Unresolved setTimeout/setInterval1038- Dangling database connections1039- Pending callbacks1040 1041Lambda waits until timeout, even if your response was ready.1042 1043Recommended fix:1044 1045## Tell Lambda not to wait for event loop1046 1047```javascript1048exports.handler = async (event, context) => {1049  // Don't wait for event loop to clear1050  context.callbackWaitsForEmptyEventLoop = false;1051 1052  // Your code here1053  const result = await processRequest(event);1054 1055  return {1056    statusCode: 200,1057    body: JSON.stringify(result)1058  };1059};1060```1061 1062## Close connections properly1063 1064```javascript1065// For database connections, use connection pooling1066// or close connections explicitly1067 1068const mysql = require('mysql2/promise');1069 1070exports.handler = async (event, context) => {1071  context.callbackWaitsForEmptyEventLoop = false;1072 1073  const connection = await mysql.createConnection({...});1074  try {1075    const [rows] = await connection.query('SELECT * FROM users');1076    return { statusCode: 200, body: JSON.stringify(rows) };1077  } finally {1078    await connection.end();  // Always close1079  }1080};1081```1082 1083### API Gateway Payload Size Limits1084 1085Severity: MEDIUM1086 1087Situation: Returning large responses or receiving large requests1088 1089Symptoms:1090"413 Request Entity Too Large" error1091"Execution failed due to configuration error: Malformed Lambda proxy response"1092Response truncated or failed1093 1094Why this breaks:1095API Gateway has hard payload limits:1096- REST API: 10 MB request/response1097- HTTP API: 10 MB request/response1098- Lambda itself: 6 MB sync response, 256 KB async1099 1100Exceeding these causes failures that may not be obvious.1101 1102Recommended fix:1103 1104## For large file uploads1105 1106```javascript1107// Use presigned S3 URLs instead of passing through API Gateway1108 1109const { S3Client, PutObjectCommand } = require('@aws-sdk/client-s3');1110const { getSignedUrl } = require('@aws-sdk/s3-request-presigner');1111 1112exports.handler = async (event) => {1113  const s3 = new S3Client({});1114 1115  const command = new PutObjectCommand({1116    Bucket: process.env.BUCKET_NAME,1117    Key: `uploads/${Date.now()}.file`1118  });1119 1120  const uploadUrl = await getSignedUrl(s3, command, { expiresIn: 300 });1121 1122  return {1123    statusCode: 200,1124    body: JSON.stringify({ uploadUrl })1125  };1126};1127```1128 1129## For large responses1130 1131```javascript1132// Store in S3, return presigned download URL1133exports.handler = async (event) => {1134  const largeData = await generateLargeReport();1135 1136  await s3.send(new PutObjectCommand({1137    Bucket: process.env.BUCKET_NAME,1138    Key: `reports/${reportId}.json`,1139    Body: JSON.stringify(largeData)1140  }));1141 1142  const downloadUrl = await getSignedUrl(s3,1143    new GetObjectCommand({1144      Bucket: process.env.BUCKET_NAME,1145      Key: `reports/${reportId}.json`1146    }),1147    { expiresIn: 3600 }1148  );1149 1150  return {1151    statusCode: 200,1152    body: JSON.stringify({ downloadUrl })1153  };1154};1155```1156 1157### Infinite Loop or Recursive Invocation1158 1159Severity: HIGH1160 1161Situation: Lambda triggered by events1162 1163Symptoms:1164Runaway costs.1165Thousands of invocations in minutes.1166CloudWatch logs show repeated invocations.1167Lambda writing to source bucket/table that triggers it.1168 1169Why this breaks:1170Lambda can accidentally trigger itself:1171- S3 trigger writes back to same bucket1172- DynamoDB trigger updates same table1173- SNS publishes to topic that triggers it1174- Step Functions with wrong error handling1175 1176Recommended fix:1177 1178## Use different buckets/prefixes1179 1180```yaml1181# S3 trigger with prefix filter1182Events:1183  S3Event:1184    Type: S31185    Properties:1186      Bucket: !Ref InputBucket1187      Events: s3:ObjectCreated:*1188      Filter:1189        S3Key:1190          Rules:1191            - Name: prefix1192              Value: uploads/  # Only trigger on uploads/1193 1194# Output to different bucket or prefix1195# OutputBucket or processed/ prefix1196```1197 1198## Add idempotency checks1199 1200```javascript1201exports.handler = async (event) => {1202  for (const record of event.Records) {1203    const key = record.s3.object.key;1204 1205    // Skip if this is a processed file1206    if (key.startsWith('processed/')) {1207      console.log('Skipping already processed file:', key);1208      continue;1209    }1210 1211    // Process and write to different location1212    await processFile(key);1213    await writeToS3(`processed/${key}`, result);1214  }1215};1216```1217 1218## Set reserved concurrency as circuit breaker1219 1220```yaml1221Resources:1222  RiskyFunction:1223    Type: AWS::Serverless::Function1224    Properties:1225      ReservedConcurrentExecutions: 10  # Max 10 parallel1226      # Limits blast radius of runaway invocations1227```1228 1229## Monitor with CloudWatch alarms1230 1231```yaml1232InvocationAlarm:1233  Type: AWS::CloudWatch::Alarm1234  Properties:1235    MetricName: Invocations1236    Namespace: AWS/Lambda1237    Statistic: Sum1238    Period: 601239    EvaluationPeriods: 11240    Threshold: 1000  # Alert if >1000 invocations/min1241    ComparisonOperator: GreaterThanThreshold1242```1243 1244## Validation Checks1245 1246### Hardcoded AWS Credentials1247 1248Severity: ERROR1249 1250AWS credentials must never be hardcoded1251 1252Message: Hardcoded AWS access key detected. Use IAM roles or environment variables.1253 1254### AWS Secret Key in Source Code1255 1256Severity: ERROR1257 1258Secret keys should use Secrets Manager or environment variables1259 1260Message: Hardcoded AWS secret key. Use IAM roles or Secrets Manager.1261 1262### Overly Permissive IAM Policy1263 1264Severity: WARNING1265 1266Avoid wildcard permissions in Lambda IAM roles1267 1268Message: Overly permissive IAM policy. Use least privilege principle.1269 1270### Lambda Handler Without Error Handling1271 1272Severity: WARNING1273 1274Lambda handlers should have try/catch for graceful errors1275 1276Message: Lambda handler without error handling. Add try/catch.1277 1278### Missing callbackWaitsForEmptyEventLoop1279 1280Severity: INFO1281 1282Node.js handlers should set callbackWaitsForEmptyEventLoop1283 1284Message: Consider setting context.callbackWaitsForEmptyEventLoop = false1285 1286### Default Memory Configuration1287 1288Severity: INFO1289 1290Default 128MB may be too low for many workloads1291 1292Message: Using default 128MB memory. Consider increasing for better performance.1293 1294### Low Timeout Configuration1295 1296Severity: WARNING1297 1298Very low timeout may cause unexpected failures1299 1300Message: Timeout of 1-3 seconds may be too low. Increase if making external calls.1301 1302### No Dead Letter Queue Configuration1303 1304Severity: WARNING1305 1306Async functions should have DLQ for failed invocations1307 1308Message: No DLQ configured. Add for async invocations.1309 1310### Importing Full AWS SDK v21311 1312Severity: WARNING1313 1314Import specific clients from AWS SDK v3 for smaller packages1315 1316Message: Importing full AWS SDK. Use modular SDK v3 imports for smaller packages.1317 1318### Hardcoded DynamoDB Table Name1319 1320Severity: WARNING1321 1322Table names should come from environment variables1323 1324Message: Hardcoded table name. Use environment variable for portability.1325 1326## Collaboration1327 1328### Delegation Triggers1329 1330- user needs GCP serverless -> gcp-cloud-run (Cloud Run for containers, Cloud Functions for events)1331- user needs Azure serverless -> azure-functions (Azure Functions, Logic Apps)1332- user needs database design -> postgres-wizard (RDS design, or use DynamoDB patterns)1333- user needs authentication -> auth-specialist (Cognito, API Gateway authorizers)1334- user needs complex workflows -> workflow-automation (Step Functions, EventBridge)1335- user needs AI integration -> llm-architect (Lambda calling Bedrock or external LLMs)1336 1337## When to Use1338Use this skill when the request clearly matches the capabilities and patterns described above.1339 1340## Limitations1341- Use this skill only when the task clearly matches the scope described above.1342- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.1343- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.