AgentSkillsCN

cloud-platforms

Cloud platform best practices for AWS, Azure, GCP, and Cloudflare. Covers Zero Trust architecture, IAM patterns, EKS/AKS/GKE configurations, serverless patterns, and multi-cloud strategies. Use when working with cloud infrastructure, AWS services, Azure resources, GCP projects, Cloudflare Workers, or when asking about cloud architecture and deployment.

SKILL.md
---
name: cloud-platforms
description: Cloud platform best practices for AWS, Azure, GCP, and Cloudflare. Covers Zero Trust architecture, IAM patterns, EKS/AKS/GKE configurations, serverless patterns, and multi-cloud strategies. Use when working with cloud infrastructure, AWS services, Azure resources, GCP projects, Cloudflare Workers, or when asking about cloud architecture and deployment.
---

Cloud Platforms

Core Principles

  1. Zero Trust: Never trust, always verify
  2. Least Privilege: Minimum necessary permissions
  3. Defense in Depth: Multiple layers of security
  4. Infrastructure as Code: All infrastructure defined in code
  5. Observability: Comprehensive logging, metrics, and tracing

Platform Selection

| Use Case                    | Recommended |
|-----------------------------|-------------|
| Enterprise, broad services  | AWS         |
| Microsoft ecosystem         | Azure       |
| Data/ML workloads           | GCP         |
| Edge/CDN, simple serverless | Cloudflare  |

AWS Quick Reference

IAM Best Practices

hcl
# EKS Pod Identity (Recommended over IRSA)
# Requires the eks-pod-identity-agent add-on on the cluster and an IAM role
# whose trust policy allows the pods.eks.amazonaws.com service principal.
resource "aws_eks_pod_identity_association" "app" {
  cluster_name    = aws_eks_cluster.main.name
  namespace       = "default"
  service_account = "app"
  role_arn        = aws_iam_role.app_pod_identity.arn
}

VPC Pattern

hcl
# Private subnets only - Zero Trust
resource "aws_subnet" "private" {
  count             = 3
  vpc_id            = aws_vpc.main.id
  cidr_block        = "10.16.${count.index + 1}.0/24"
  availability_zone = data.aws_availability_zones.available.names[count.index]

  tags = {
    Name = "private-subnet-${count.index + 1}"
    Type = "Private"
  }
}

Essential Services

  • EKS: Managed Kubernetes
  • Lambda: Serverless compute
  • RDS/Aurora: Managed databases
  • S3: Object storage
  • CloudFront: CDN
  • Secrets Manager: Secret storage

Azure Quick Reference

Managed Identity

hcl
resource "azurerm_user_assigned_identity" "app" {
  name                = "app-identity"
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location
}

Essential Services

  • AKS: Managed Kubernetes
  • Azure Functions: Serverless
  • Azure SQL: Managed databases
  • Blob Storage: Object storage
  • Azure CDN: Content delivery
  • Key Vault: Secret management

GCP Quick Reference

Workload Identity

hcl
# Google service account that GKE workloads impersonate through Workload Identity
resource "google_service_account" "app" {
  account_id   = "app-sa"
  display_name = "Application Service Account"
}

# Project-wide read-only access to Cloud Storage objects
resource "google_project_iam_member" "app" {
  project = var.project_id
  role    = "roles/storage.objectViewer"
  member  = "serviceAccount:${google_service_account.app.email}"
}
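The snippet above creates the Google service account and grants it a role, but not the binding that lets a Kubernetes service account use it. The following added example (not part of the original skill) completes the Workload Identity setup and narrows the storage grant to a single bucket; it assumes a cluster with Workload Identity enabled, a configured kubernetes provider, a var.bucket_name variable, and the placeholder namespace/KSA names default/app.

```hcl
# Added example, not from the original skill. Assumes: var.project_id,
# var.bucket_name, a GKE cluster with workload_identity_config enabled,
# and the kubernetes provider pointed at that cluster.

resource "google_service_account" "app" {
  account_id   = "app-sa"
  display_name = "Application Service Account"
}

# Least privilege: scope the read-only grant to one bucket, not the project.
resource "google_storage_bucket_iam_member" "app_reader" {
  bucket = var.bucket_name
  role   = "roles/storage.objectViewer"
  member = "serviceAccount:${google_service_account.app.email}"
}

# Only the Kubernetes service account "app" in namespace "default" may
# impersonate the Google service account. The member format is
# serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME].
resource "google_service_account_iam_member" "workload_identity" {
  service_account_id = google_service_account.app.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project_id}.svc.id.goog[default/app]"
}

# The KSA carries the annotation GKE uses to map it to the GSA.
resource "kubernetes_service_account" "app" {
  metadata {
    name      = "app"
    namespace = "default"
    annotations = {
      "iam.gke.io/gcp-service-account" = google_service_account.app.email
    }
  }
}
```

Pods must set serviceAccountName: app to receive the mapped credentials; any other KSA in the cluster cannot impersonate the Google service account.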

Essential Services

  • GKE: Managed Kubernetes
  • Cloud Functions: Serverless
  • Cloud SQL: Managed databases
  • Cloud Storage: Object storage
  • Cloud CDN: Content delivery
  • Secret Manager: Secrets

Cloudflare Quick Reference

Workers

javascript
export default {
  async fetch(request, env) {
    const url = new URL(request.url);

    if (url.pathname === '/api/data') {
      // env.MY_KV is a KV namespace binding declared in the Worker's wrangler config
      const data = await env.MY_KV.get('key'); // null when the key does not exist
      return new Response(JSON.stringify({ data }), {
        headers: { 'Content-Type': 'application/json' }
      });
    }

    return new Response('Hello World');
  }
};

Essential Services

  • Workers: Edge compute
  • Pages: Static site hosting
  • D1: SQLite database
  • KV: Key-value storage
  • R2: S3-compatible storage

Security Checklist

  • IAM roles with least privilege
  • Network segmentation (VPCs, security groups)
  • Encryption at rest and in transit
  • Secret management (not in code)
  • Audit logging enabled
  • Multi-factor authentication
  • Regular security assessments

Detailed References