sample-apex-skills
Health: Passed
- License — License: MIT-0
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Community trust — 16 GitHub stars
Code: Passed
- Code scan — Scanned 12 files during light audit, no dangerous patterns found
Permissions: Passed
- Permissions — No dangerous permissions requested
Curated platform-engineering skills for AI coding agents (Claude Code, Kiro CLI, agentskills.io)
APEX Skills — Agentic Platform Engineering eXperience
Curated platform-engineering skills that compress onboarding from months to weeks. Domain knowledge authored by senior AWS SSAs, TAMs, and ProServe, delivered through agentic AI tools (Claude Code, Kiro CLI, etc.).
APEX uses agentic AI (frontier models and an agent harness such as Claude Code) combined with curated "skills" to give engineers SSA-grade platform engineering output.
Agent Skills are organized folders of instructions, scripts, and resources that frontier LLMs can discover and load dynamically to perform specialized tasks. By codifying expert platform engineering knowledge as Agent Skills, we amplify best practices and scale them across teams while reducing toil. They follow the Agent Skills open standard and are compatible with any supported agent harness.
What's in This Repo
```
sample-apex-skills/
├── skills/       → 📚 Domain knowledge (platform-engineering best practices, Terraform, skill creation)
├── steering/     → 🎯 Guided workflows (optional — structured engagement playbooks)
├── examples/     → 🏗️ Hands-on exercises (deployable labs with planted issues)
└── misc/         → 🔧 Maintenance and tooling
    ├── evals/    → 🧪 Per-skill evaluation inputs (triggering + task prompts)
    └── (scripts) → Sync skills from sources, update cross-references
```
| Directory | Purpose | Think of it as... |
|---|---|---|
| skills/ | What the agent knows — reusable domain knowledge | An expert's brain |
| steering/ | How the agent runs an engagement — slash commands, questionnaires, checkpoints, routing | A senior SA's playbook |
| examples/ | How to try it — deploy, run APEX against it, see results | A workshop lab |
| misc/ | Maintenance tooling and per-skill evaluation inputs | The toolbox |
Key principle: Skills provide the knowledge. Steering provides the structure.
Quick Start
Option A: Just the Skills
Use the skills with any agent that supports the Agent Skills standard. Skills are self-contained — clone and point your tool at them.
```bash
git clone https://github.com/aws-samples/sample-apex-skills.git
cd sample-apex-skills
```
Each skill lives in skills/{skill-name}/ with a SKILL.md (frontmatter + instructions) and optional references/, scripts/, and assets/ directories. See skills/README.md for details.
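A pre-link inventory of the skills tree, as an added example that is not part of the repository: it checks the skills/{skill-name}/ layout described above, flags symlinks inside a skill, and lists every file under scripts/ for review before the tree is linked into an agent's configuration. The function names, the FAIL/REVIEW output format, the constructed sample tree, and the policy of treating any symlink as a failure are assumptions.

```sh
#!/bin/sh
# Added example, not part of the repository. Layout assumed from the README:
# skills/<name>/SKILL.md plus optional references/, scripts/, assets/.
# audit_skills, make_sample and the FAIL/REVIEW format are hypothetical.

audit_skills() (  # parentheses: body runs in a subshell, variables stay local
  root=$1; rc=0
  for dir in "$root"/*/; do
    [ -d "$dir" ] || continue
    name=$(basename "$dir")
    md="${dir}SKILL.md"
    if [ ! -f "$md" ]; then
      echo "FAIL $name: no SKILL.md"; rc=1; continue
    fi
    # Frontmatter: line 1 is '---' and a closing '---' line follows
    if [ "$(head -n 1 "$md")" != "---" ] || [ "$(grep -c '^---$' "$md")" -lt 2 ]; then
      echo "FAIL $name: SKILL.md has no frontmatter block"; rc=1
    fi
    # A symlink inside a skill can lead the agent outside the reviewed tree
    links=$(find "$dir" -type l)
    if [ -n "$links" ]; then
      rc=1
      printf '%s\n' "$links" | while IFS= read -r f; do
        echo "FAIL $name: symlink $f -> $(readlink "$f")"
      done
    fi
    # Files under scripts/ are code the agent may run: list them for review
    if [ -d "${dir}scripts" ]; then
      find "${dir}scripts" -type f | sort | while IFS= read -r f; do
        echo "REVIEW $name: $f"
      done
    fi
  done
  exit "$rc"
)

# Constructed sample tree (not the real repo) so the example runs offline
make_sample() {
  t=$(mktemp -d)
  mkdir -p "$t/good/scripts" "$t/linked" "$t/nomd"
  printf '%s\n' '---' 'name: good' '---' 'body' > "$t/good/SKILL.md"
  echo 'echo hi' > "$t/good/scripts/run.sh"
  printf '%s\n' '---' 'name: linked' '---' > "$t/linked/SKILL.md"
  ln -s /etc/hosts "$t/linked/assets"
  echo "$t"
}

sample=$(make_sample)
audit_skills "$sample" || echo "audit found problems in $sample"
rm -rf "$sample"
```

To check a real clone, call `audit_skills skills` from the repository root before running the symlink steps.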
Option B: Skills + Steering (Guided Experience)
For a structured engagement experience — where the agent follows a questionnaire, enforces checkpoints, and validates output quality — add the steering files.
Claude Code
```bash
git clone https://github.com/aws-samples/sample-apex-skills.git
cd sample-apex-skills
# One-time setup — symlink skills, steering + commands into .claude/
mkdir -p .claude/skills .claude/commands
for skill in skills/*/; do ln -sfn "../../$skill" ".claude/skills/$(basename "$skill")"; done
ln -sfn ../../steering/commands/apex .claude/commands/apex
ln -sfn ../steering .claude/steering
# Make steering available at a fixed absolute path for slash commands
ln -sfn "$(pwd)/steering" ~/.claude/apex-steering
```
Claude Code walks up to the git root to find .claude/, so commands work from any subdirectory in the repo. The ~/.claude/apex-steering symlink gives slash commands an absolute path to load steering files instantly.
Usage:
- Start a Claude Code session from anywhere in the repo
- Use slash commands:
  - /apex:eks — hub that auto-routes based on your request
  - /apex:eks-design — "Help me design an EKS cluster"
  - /apex:eks-upgrade-check — "Is my cluster ready to upgrade to 1.32?"
Kiro CLI
```bash
git clone https://github.com/aws-samples/sample-apex-skills.git
cd sample-apex-skills
# Skills — symlink into .kiro/skills/
mkdir -p .kiro/skills
for skill in skills/*/; do
  name=$(basename "$skill")
  ln -sfn "../../skills/$name" ".kiro/skills/$name"
done
# Steering — copy for Kiro IDE slash commands
mkdir -p .kiro/steering
cp steering/eks.md .kiro/steering/eks.md
```
Usage:
```
kiro-cli chat
# Then in the session:
/model claude-opus-4.5
/context add steering/eks.md
# Ask: "Help me design an EKS cluster"
```
Skills Reference
This table is auto-generated by misc/update-skills-references.sh. Do not edit manually.
| Skill | What It Covers |
|---|---|
| eks-best-practices | Use this skill whenever someone is making an Amazon EKS design, architecture, or configuration decision — even phrased casually as "how should we set up...", "what's the right way to...", "should we use X or Y", "we're about to redesign/consolidate/migrate...", or "is this reasonable?". Covers compute strategy (Karpenter, MNG, Fargate, Auto Mode, self-managed), multi-tenant platform design and tenant isolation (namespaces, node pools, RBAC, network policies, quotas), VPC/IP planning, ingress, IAM/Pod Identity/IRSA, pod security, PDBs and reliability, upgrade strategy (in-place vs blue-green), cost (Spot, Graviton, consolidation), autoscaling, and observability. Also triggers for Terraform with terraform-aws-modules/terraform-aws-eks (access entries, addons, node groups, IRSA). Trigger even if "best practice" is never said — any EKS planning or architectural judgment call qualifies. Skip for pure Kubernetes questions unrelated to EKS. |
| eks-build | Use when building EKS clusters. Generates complete, production-ready Terraform projects with optional ArgoCD GitOps integration. Handles environment-specific constraints: air-gapped/VPC-endpoint-only networks, enterprise proxies, private container registries, compliance requirements. Supports 3 patterns: full Terraform, ArgoCD+Terraform, ArgoCD+ACK/KRO. Includes validated modules, two-phase webhook ordering, IRSA/Pod Identity, and 29+ addon configurations. Ask interactive questions or accept requirements YAML. Also use when (1) generating EKS Terraform code from scratch, (2) creating GitOps-managed EKS addons with ArgoCD, (3) scaffolding EKS projects with compliance constraints, (4) implementing two-phase webhook ordering for EKS addons, (5) configuring IRSA or Pod Identity for EKS workloads, or (6) generating ArgoCD ApplicationSets for EKS addon management. |
| eks-design | Use when designing EKS architecture. Generates architecture design documents including system architecture with Mermaid diagrams, Architecture Decision Records (ADRs), security architecture, and architecture validation reports. Translates requirements into tailored EKS architecture designs guided by AWS Well-Architected best practices. Output populates the project design folder and feeds into eks-build for code generation. Covers cluster architecture, compute strategy, networking model, security posture, addon selection, observability, cost optimization, and upgrade strategy. Also use when (1) reviewing EKS architecture decisions, (2) choosing between EKS compute options, (3) planning EKS networking or security, (4) evaluating EKS deployment models, (5) optimizing EKS cost and scalability, or (6) generating architecture documentation for an EKS project. |
| eks-mcp-server | Setup and configure the EKS MCP Server for live cluster operations. Use this skill when the user wants to interact with real EKS clusters (list clusters, read K8s resources, troubleshoot pods, deploy workloads, check upgrade insights) but MCP tools are not available or not working. Also activate if user mentions "eks mcp", "mcp server", or asks how to connect their AI assistant to EKS. |
| eks-operation-review | Run a structured EKS operational excellence assessment against a live cluster. Covers 10 areas — networking, autoscaling, observability, access & identity, add-ons, workload config, deployments, cluster lifecycle, IaC, operational processes — and produces a GREEN/AMBER/RED rated report with prioritized recommendations. Activate for any request to audit, review, health-check, or score an EKS cluster's operational posture, including section-scoped reviews of individual areas. Not for upgrade readiness, cluster discovery, or architectural design advice. |
| eks-platform-engineering | Use whenever someone is designing or building an Internal Developer Platform (IDP) or doing platform engineering on Amazon EKS — phrased as "build a developer platform", "self-service for developers", "golden paths", "IDP", or "set up Backstage / ArgoCD / Kargo". Covers the opinionated platform stack — developer portal (Backstage), GitOps delivery (ArgoCD, Argo Workflows), progressive delivery (Argo Rollouts canary with quality gates) and multi-stage promotion (Kargo), infrastructure abstraction (ACK, kro), application modeling (KubeVela/OAM), self-service provisioning, hub-and-spoke topology with the GitOps Bridge, identity/SSO (Keycloak, Pod Identity), measuring platform success (DORA, Apache DevLake), GenAI with Amazon Q Developer, and golden paths for AI/ML and data engineering. Trigger even if "platform engineering" is never said. Skip for single-cluster EKS architecture or cost/ops tuning with no platform angle (use eks-best-practices); for standalone Terraform use terraform-skill. |
| eks-recon | EKS cluster reconnaissance and environment discovery. Detects compute strategy (Karpenter, MNG, Auto Mode, Fargate), IaC tooling (Terraform, CloudFormation, CDK, eksctl), CI/CD pipelines (GitHub Actions, GitLab, ArgoCD, Flux), add-on inventory, networking, security posture, and observability. Use this skill whenever someone asks about their EKS cluster, wants to understand their setup, is planning an upgrade or migration, needs cluster context for any reason, asks "what version am I running", mentions wanting to review or document their cluster, or is about to make any EKS-related decision - even if they don't explicitly say "reconnaissance" or "discovery". When in doubt about cluster state, run recon first. |
| eks-upgrade-check | Assess EKS cluster upgrade readiness — run automated checks across 8 areas (version, breaking changes, deprecated APIs, add-on compatibility, node readiness, workload risks, AWS Insights, upgrade plan), calculate a 0-100 readiness score with a hard-blocker override, and generate a markdown/HTML report with prioritized remediation. Use this skill whenever someone asks "can I upgrade my cluster?", "is my cluster ready for 1.32?", "are we good to go to 1.33?", "what is blocking my upgrade?", or "should we move to the next version?" — even if they do not say "readiness" or "score". Falls back to AWS CLI and kubectl when the EKS MCP server is unavailable. |
| skill-creator | Create new skills, modify and improve existing skills, and measure skill performance. Use when users want to create a skill from scratch, edit, or optimize an existing skill, run evals to test a skill, benchmark skill performance with variance analysis, or optimize a skill's description for better triggering accuracy. |
| steering-workflow-creator | Author a new steering workflow for any AWS service and pair it with a matching slash-command shim. Use when the user asks to create a steering workflow, add a workflow to apex, standardize steering, write a new workflow for EKS / RDS / Lambda / IAM / any AWS service, or build a phased playbook that plugs into a service hub. Covers the convention (frontmatter, header block, required sections), tool routing (knowledge vs. live MCP vs. setup-bridge), and the lint pass before handoff. |
| terraform-skill | Use when working with Terraform or OpenTofu - creating modules, writing tests (native test framework, Terratest), setting up CI/CD pipelines, reviewing configurations, choosing between testing approaches, debugging state issues, implementing security scanning (trivy, checkov), or making infrastructure-as-code architecture decisions |
| update-docs | Audit and update every documentation surface in the APEX repo against the current state of skills, steering workflows, README marker tables, and the Docusaurus site under misc/website/. After any change to a skill (rename, retire, add, edit description), walk the repo, re-run script-managed surfaces if their --check fails, and reason through every tracked prose *.md to catch references that need updating. Use after adding/removing/renaming a skill, after editing SKILL.md frontmatter, after editing README marker blocks, or before publishing a docs change. Also use when the user says "update docs", "sync docs", "check docs", "run update-docs", or mentions that documentation might be stale. |
Steering (Optional)
This table is auto-generated by misc/update-steering-references.sh. Do not edit manually.
| Steering File | Description |
|---|---|
| apex | APEX meta hub. Routes contributor requests about the repo itself — adding a new skill, authoring a new steering workflow, and other maintenance actions that are not tied to a specific AWS service. |
| eks | EKS platform engineering hub. Routes to design, build, upgrade-readiness, and operational-review workflows. Use as the entry point for any EKS-related request. |
| design | Day 0 architecture design workflow. 8-phase questionnaire for EKS cluster design, architecture reviews, and option comparisons. |
| eks-build | Day 1 infrastructure build workflow. Multi-phase questionnaire gathering requirements then generating production-ready Terraform code for EKS clusters. |
| eks-operation-review | Day 2 operational-review workflow. Runs the eks-operation-review skill end-to-end — 10-section structured assessment of a live cluster's operational excellence, with GREEN/AMBER/RED ratings and a markdown/HTML report including prioritized actions and AWS reference links. |
| eks-platform-engineering | Day 1 platform-engineering workflow. Guides building an Internal Developer Platform on EKS — golden paths, developer portal (Backstage), GitOps and progressive delivery, self-service infrastructure (ACK/KRO), tenancy, AI/ML golden paths, and measuring success with DORA. |
| eks-upgrade-check | Day 2 upgrade-readiness assessment workflow. Runs the eks-upgrade-check skill end-to-end — 8 automated checks, 0-100 readiness score, markdown/HTML report with remediation steps. |
| new-skill | Meta contributor workflow. Onboards a new skill end-to-end — scope intake, optional skill-creator drafting, sibling-graph survey, repo fan-out diff, eval scaffold and finalization, and baseline PR prep. Bimodal — greenfield authoring or retrofit on an existing skill that skipped the process. |
Slash Commands (Claude Code)
| Command | Description |
|---|---|
| /apex:eks | EKS platform engineering hub. Routes to design or upgrade workflows based on your request. Use for any EKS-related task -- architecture design, cluster upgrades, reviews, comparisons, or general EKS questions. |
| /apex:eks-build | Build a production-ready EKS cluster. Multi-phase questionnaire gathering requirements then generating Terraform code via the eks-build skill. |
| /apex:eks-design | Design a new EKS cluster architecture. 8-phase questionnaire covering compute, networking, security, observability, cost, reliability, and multi-tenancy. Also handles architecture reviews and option comparisons. |
| /apex:eks-operation-review | Run a structured EKS operational excellence assessment — 10-section review (cluster lifecycle, IaC/GitOps, access/identity, observability, workload config, networking, autoscaling, deployment practices, ops processes, add-on management) producing a rated report with GREEN/AMBER/RED findings and prioritized actions. Use when someone asks "run an EKS operational review", "audit my cluster", "EKS health check", "review my EKS posture", or asks for a section-scoped review (networking, RBAC, observability, etc.). |
| /apex:eks-platform-engineering | Build an Internal Developer Platform on EKS — golden paths, developer portal (Backstage), GitOps and progressive delivery, self-service infrastructure (ACK/KRO), tenancy, AI/ML golden paths, and DORA-based measurement. Use to design or stand up developer self-service on EKS. |
| /apex:eks-upgrade-check | Assess EKS cluster upgrade readiness — automated checks across 8 areas (version, breaking changes, deprecated APIs, add-on compatibility, node readiness, workload risks, AWS Insights, upgrade plan), a 0-100 readiness score, and a markdown/HTML report with prioritized remediation. Use for upgrade-readiness assessments before running an actual upgrade. |
| /apex:new-skill | Onboard a new skill end-to-end — draft it, survey siblings, fan out the repo edits, scaffold and finalize the eval set, and baseline the scorecard. Bimodal — greenfield authoring or retrofit on an existing skill. |
Steering files control how the agent runs an engagement — they don't contain domain knowledge (that's in skills), but define the interaction pattern. The hub (eks.md) is the entry point — it detects what the user wants and routes to the appropriate workflow. Each workflow follows a structured sequence with checkpoints and STOP gates. The commands/ directory provides agent-harness-specific entry points (e.g., Claude Code slash commands) that map to the hub and workflows.
The key test: If you removed all steering files, would the agent still know the right answers? Yes — skills provide the knowledge. But the agent wouldn't know how to run the engagement.
Examples
This table is auto-generated by misc/update-examples-references.sh. Do not edit manually.
| Example | Description | Workflow |
|---|---|---|
| EKS Upgrade Readiness Check | Deploy an EKS 1.32 cluster with Karpenter v1.0.2 and planted upgrade issues, then run the APEX EKS upgrade-check skill to produce a scored readiness report showing NOT READY status. | eks-upgrade-check |
Contributing
See CONTRIBUTING.md for guidelines on:
- Where new content goes (skills vs steering vs examples)
- How to create a new skill
- How to create a new steering workflow
- How to create a new example
- How to add evals for a new skill
Sources
All best practices content is sourced from public AWS documentation:
- AWS EKS Best Practices Guide
- AWS Prescriptive Guidance — HA and Resiliency for EKS
- AWS Well-Architected Framework
- terraform-aws-modules/terraform-aws-eks
- ArgoCD Documentation
- EKS Workshop
- AWS EKS Capabilities
License
This project is licensed under the MIT-0 License. See the LICENSE file.