AWS Native Integrations
Developer Reference
This page covers internal implementation details. It is not included in the User Guide.
AWS data sources Escher reads from. Each row is verified against the corresponding script in v2-skills/ or a dedicated repo.
Verified data sources
These have a working script or service in the org today.
| AWS service | Source repo / script | Used by |
|---|---|---|
| EC2 | v2-skills/estate-scan/aws/ec2-details-*.sh | Infra Ops, SecOps, FinOps |
| S3 | v2-skills/estate-scan/aws/s3-details-*.sh | SecOps, Compliance |
| IAM | v2-skills/estate-scan/aws/iam-details-*.sh; deeper analysis via v4-adk/iam-security-agent/ | IAM, Compliance |
| RDS | v2-skills/estate-scan/aws/rds-details-*.sh | Data Ops, Compliance |
| VPC | v2-skills/estate-scan/aws/vpc-details-*.sh | Infra Ops, SecOps |
| CloudTrail | Reachable via v2-cloudwatch-service-go query patterns; referenced in iam-security-agent capabilities | IAM, Compliance |
| CloudWatch (Metrics + Logs) | v2-cloudwatch-service-go (replaces archived Python version) | DevOps, IAM |
| Cost Explorer | v2-skills/cost/aws/aws_cost_report.sh | FinOps |
| AWS API (general) | v2-tauri-plugin-scanner-aws (Rust scanner plugin) drives in-app scans | All |
Roadmap (no shipped script today)
These services are referenced in the v4 architecture spec but have no corresponding script in v2-skills/ or a dedicated reader repo:
- AWS Config
- Security Hub
- GuardDuty
- AWS Organizations
- Lambda inventory (no lambda-details-*.sh script in v2-skills/)
When a service ships, its entry moves up to the verified table.
Read-only guarantee
Escher never calls mutating AWS APIs during scan or skill execution. The shipped scripts in v2-skills/ consist solely of Describe*, List* and Get* calls. Mutations happen only through the Playbook flow (currently v3-playbook-agent-go) with explicit human approval.
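The read-only claim above can be checked mechanically when a script is added or changed. As an added example, not code from Escher's repos, the POSIX shell functions below extract every `aws <service> <operation>` invocation from a script and flag anything that is not a describe-/list-/get- operation (the CLI spelling of Describe*/List*/Get*); the two sample scripts are constructed, and the tokenizer assumes the CLI is invoked as `aws [--global-option value]... <service> <operation> ...`.

```shell
#!/bin/sh
# Added example (not Escher's own code): audit a v2-skills style shell script
# and confirm it only invokes read-only AWS CLI operations (describe-*, list-*,
# get-*). Assumes invocations look like
# `aws [--global-option value]... <service> <operation> ...`.

# Emit every "<service> <operation>" pair the script invokes, one per line.
aws_operations() {
    awk '{
        sub(/#.*/, "")                     # drop trailing comments
        gsub(/["$()`|;&<>]/, " ")          # strip shell punctuation so "$(aws" and "$VAR" tokenise
        for (i = 1; i <= NF; i++) {
            if ($i != "aws") continue
            j = i + 1
            while (j <= NF && substr($j, 1, 2) == "--") j += 2   # skip global options such as --region X
            if (j + 1 <= NF) print $j, $(j + 1)
        }
    }' "$1" | sort -u
}

# Return 0 when every operation is describe-/list-/get-; otherwise print the
# offending pairs (any mutating call, but also high-level "s3 ls"/"s3 cp") and return 1.
check_read_only() {
    violations=$(aws_operations "$1" | grep -vE '^[a-z0-9-]+ (describe|list|get)-' || true)
    if [ -z "$violations" ]; then return 0; fi
    printf '%s\n' "$violations"
    return 1
}

# Constructed sample scripts (not the real estate-scan scripts); prints their directory.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/good.sh" <<'EOF'
#!/bin/sh
REGION=us-east-1
aws sts get-caller-identity --output json
aws --region "$REGION" ec2 describe-instances --query 'Reservations[].Instances[].InstanceId'
BUCKETS=$(aws s3api list-buckets --query 'Buckets[].Name' --output text)
aws iam get-account-summary   # read-only
EOF
    cat > "$dir/bad.sh" <<'EOF'
#!/bin/sh
aws ec2 describe-security-groups
aws ec2 terminate-instances --instance-ids i-0example
aws s3api put-bucket-policy --bucket example-bucket --policy file://policy.json
EOF
    printf '%s\n' "$dir"
}
```

Running `check_read_only` over each `*.sh` in v2-skills/ as a CI step turns the guarantee into a gate rather than a statement.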
Next steps
- AWS Connection — IAM policy for the read-only role
- Skills Overview — Designed-vs-shipped vertical mapping