Aws Serverless Deployment

Best Practices

SAM

• Do: Use sam_init with an appropriate template for your use case
• Do: Set global defaults for timeout, memory, runtime, and tracing in the Globals section
• Do: Use samconfig.toml environment-specific sections for multi-environment deployments
• Do: Use sam build --use-container when native dependencies are involved
• Don't: Copy-paste templates from the internet without understanding the resource configuration
• Don't: Hardcode resource ARNs or account IDs in templates — use !Ref, !GetAtt, and !Sub

CDK

• Do: Use TypeScript — type checking catches errors at synthesis time, before any AWS API calls
• Do: Prefer L2 constructs and grant* methods over L1 and raw IAM statements
• Do: Separate stateful and stateless resources into different stacks; enable termination protection on stateful stacks
• Do: Commit cdk.context.json to version control — it caches VPC/AZ lookups for deterministic synthesis
• Do: Write unit tests with aws-cdk-lib/assertions; assert logical IDs of stateful resources to detect accidental replacements
• Do: Use cdk diff in CI before every deployment to review changes
• Don't: Hardcode account IDs or region strings — use this.account and this.region
• Don't: Use cdk deploy directly in production without a pipeline
• Don't: Skip cdk bootstrap — deployments will fail without the CDK toolkit stack

Configuration

AWS CLI Setup

This skill requires that AWS credentials are configured on the host machine:

Verify access: Run aws sts get-caller-identity to confirm credentials are valid

SAM CLI Setup

Verify: Run sam --version

Container Runtime Setup

1. Install a Docker compatible container runtime: Required for sam_local_invoke and container-based builds
2. Verify: Use an appropriate command such as docker --version or finch --version

AWS Serverless MCP Server

Write access is enabled by default. The plugin ships with --allow-write in .mcp.json, so the MCP server can create projects, generate IaC, and deploy on behalf of the user.

Access to sensitive data (like Lambda and API Gateway logs) is not enabled by default. To grant it, add --allow-sensitive-data-access to .mcp.json.

SAM Template Validation Hook

This plugin includes a PostToolUse hook that runs sam validate automatically after any edit to template.yaml or template.yml. If validation fails, the error is returned as a system message so you can fix it immediately. The hook requires SAM CLI and jq to be installed; if either is missing, validation is skipped with a system message. Users can disable it via /hooks.

Verify: Run jq --version

IaC framework selection

Default: CDK

Override syntax:

• "use CloudFormation" → Generate YAML templates
• "use SAM" → Generate YAML templates

When not specified, ALWAYS use CDK

Language selection for CDK

Default: TypeScript

Override syntax:

• "use Python" → Generate Python code
• "use JavaScript" → Generate JavaScript code

When not specified, ALWAYS use TypeScript

Error Scenarios

Serverless MCP Server Unavailable

• Inform user: "AWS Serverless MCP not responding"
• Ask: "Proceed without MCP support?"
• DO NOT continue without user confirmation

Resources

• AWS SAM Documentation
• AWS CDK Documentation
• AWS Serverless MCP Server