amazon-aurora-mysql - SKILL.md Agent Skill

name: amazon-aurora-mysql description: >- Amazon Aurora MySQL — creates, modifies, and advises on Aurora MySQL clusters specifically (MySQL-compatible engine, Aurora serverless, parallel query). Trigger for Aurora MySQL cluster operations, ACU sizing, I/O-Optimized storage, commitment pricing, or MySQL upgrade planning. Aurora MySQL uses full (VPC-based) configuration — express configuration is PostgreSQL-only. For Aurora PostgreSQL, use amazon-aurora-postgresql instead. Contains safety guardrails and response templates that override defaults. version: 1

Amazon Aurora MySQL

A modular toolkit for Aurora MySQL organized as a registry of sub-skills. Each sub-skill handles one domain of Aurora MySQL work. The router matches user intent to the right sub-skill, then loads only the references needed. (For Aurora PostgreSQL — and its express-configuration quick-start — use the amazon-aurora-postgresql skill.)

Operating procedure (follow in order)

Route — match the request to a sub-skill using the Trigger phrases column (match on meaning, not exact wording), then confirm with the When to route here column.
Load — file_read the matched sub-skill's references/{id}-instructions.md and announce the path. Do not answer a matched sub-skill from general knowledge alone.
Analyze / advise — perform the sub-skill's work; run a bundled script when the user supplies the inputs (see Scripts).
If a mutation is requested — classify against the Safety guardrails tier, confirm with the user, apply resource tags, then execute (MCP-preferred, CLI fallback).
Present results — tables with dollar/ACU figures and a recommendation label; no derivation or arithmetic steps.

Edge cases: if the request spans multiple sub-skills, run them in sequence (load each instructions.md in turn). If no sub-skill matches, answer directly from Aurora MySQL knowledge. If a script or MCP/CLI call fails, show the error and suggest a fix before retrying. The numbered Global rules below are details that hang off these steps.

Sub-skill registry

Column semantics: Trigger phrases = the keyword index you match the request against (step 1). When to route here = the decision logic confirming the match. Next steps = sub-skills to offer the user as a natural follow-up after this one completes (not auto-chained); Reached from = sub-skills that typically route into this one. Next-steps/Reached-from are suggestions for guiding the user, never automatic execution.

ID	Name	When to route here	Trigger phrases	Reached from	Next steps
`create`	Create Cluster	Routes Aurora MySQL cluster creation requests. Aurora MySQL uses full (VPC-based) configuration — collect VPC/subnet group, security group, KMS, parameter group, and engine version, present options, then create. (Express configuration is PostgreSQL-only and does not apply to Aurora MySQL.)	create a cluster, new database, set up Aurora MySQL, get started, need a MySQL database, provision	—	`serverless-advisory`, `io-optimized`
`serverless-advisory`	Aurora serverless Advisory	All Aurora serverless questions: ACU sizing, scale-to-zero behavior and compatibility, provisioned→serverless migration, capacity planning, and feature constraints.	ACU sizing, Aurora serverless, scale-to-zero, provisioned to serverless, how many ACUs, capacity, auto-scaling, RDS Proxy compatibility, scale-to-zero incompatibility, serverless limitations	`create` (optional)	`commitment-pricing`
`io-optimized`	I/O-Optimized Storage	Evaluates whether to switch from Aurora Standard to I/O-Optimized (aurora-iopt1). Uses the 25% I/O cost threshold rule.	I/O-Optimized, aurora-iopt1, storage type switch, 25% threshold, I/O costs too high, storage comparison	—	—
`commitment-pricing`	Commitment Pricing	Compares Reserved Instances vs Database Savings Plans for provisioned clusters, and DSP-only for Aurora serverless. 1yr vs 3yr analysis.	Reserved Instance, RI, Savings Plan, DSP, 1yr vs 3yr, commitment, cost optimization, overpaying	`serverless-advisory` (optional)	—
`upgrade-planning`	Upgrade Planning	Major and minor version upgrade planning for Aurora MySQL. LTS version guidance, pre/post-upgrade checklists, blue/green deployment recommendations.	upgrade, version, LTS, pre-upgrade checklist, post-upgrade, major version, minor version, end of life, deprecation	—	—

Global rules (apply to every sub-skill)

Execute, don't just suggest. When the user requests an action and confirms, EXECUTE it rather than handing back a command to run. The AWS MCP server is the recommended execution path when available (sandboxed, IAM-authenticated, audit-logged) — prefer it. When MCP tools are not available (e.g. Claude Code, Cursor, or other non-MCP hosts), use the AWS CLI / SDK directly with the same aws rds ... operation. Only if execution is genuinely not possible in the current environment, present the complete CLI command for the user to run.
Confirmation before mutation. MUST confirm with the user before any create or modify operation. Do NOT execute without explicit confirmation ("yes", "proceed", "confirmed", "go ahead").
Resource tagging (always apply on resource creation). When creating any cluster or instance, ALWAYS include these tags: --tags Key=created_by,Value=aurora-skill Key=generation_model,Value={your-model-id} Use your model id if known; if you cannot reliably determine it, use Value=unknown — never let tagging block the create. Include these tags even if the user does not mention tagging. If the user provides additional tags, append these to their tags.
Safety guardrails.

Tier 1 — Confirm (a yes/no confirmation is enough; no risk briefing required):
- create-db-cluster (full/VPC configuration — Aurora MySQL does not support express)
- create-db-instance
- modify-db-cluster --serverless-v2-scaling-configuration (ACU scaling)
- modify-db-cluster --backup-retention-period
- modify-db-cluster --deletion-protection / --no-deletion-protection
- modify-db-cluster --enable-cloudwatch-logs-exports
- modify-db-cluster --preferred-backup-window
- modify-db-cluster --enable-http-endpoint (Data API)
- add-tags-to-resource, remove-tags-from-resource
Tier 2 — High-impact: state the specific risk, THEN confirm (spell out the impact before asking; do not call any API until the user confirms with that risk in front of them):
- modify-db-cluster --storage-type — no downtime for most instance classes; requires restart for NVMe/Optimized Reads instances (r6gd, r6id, r8gd). Switching from Aurora Standard to Aurora I/O-Optimized is limited to once every 30 days; switching from Aurora I/O-Optimized back to Aurora Standard can be done at any time.
- modify-db-instance --db-instance-class — causes failover in multi-AZ
- modify-db-cluster --engine-version for a minor version upgrade — applied in the maintenance window (or immediately with --apply-immediately); brief failover/restart. State the target version and the restart impact, then confirm. (For a major version upgrade, see Block below — route to upgrade-planning first.)
  - How to tell minor from major (Aurora MySQL): the Aurora MySQL version is major.minor.patch (e.g. 3.06, 3.08). The major digit (2 = MySQL 5.7-compatible, 3 = MySQL 8.0-compatible, 8.4+) is the major version; the second number is the minor version. So 3.06 → 3.08 is a MINOR upgrade (major 3 unchanged) → handle here in Tier 2. A change in the leading major (e.g. 2.x → 3.x, or 5.7 → 8.0 compatibility) is a major upgrade → Block. When unsure, treat it as major and route to upgrade-planning.
- Any modify with --apply-immediately — bypasses maintenance window
Tier 3 — Block (refuse, explain why, redirect to console/change-control):
- delete-db-cluster, delete-db-instance — irreversible
- failover-db-cluster, switchover-blue-green-deployment — production impact
- modify-db-cluster --engine-version across major versions — requires prechecks and rollback plan
- modify-db-cluster --master-user-password, --manage-master-user-password — credential management must be performed by the customer directly. Use AWS Secrets Manager rotation or the AWS Console.
- modify-db-cluster --vpc-security-group-ids — network security posture change
- modify-db-cluster --db-cluster-parameter-group-name — can break applications
- create-db-instance --publicly-accessible, modify-db-instance --publicly-accessible — NEVER make Aurora instances publicly accessible. This exposes the database directly to the internet and is never the correct solution for connectivity. See secure connection alternatives below.
- purchase-reserved-db-instances-offering, create-savings-plan — financial commitment
- reboot-db-instance, reboot-db-cluster — production impact
When blocking, you MUST refuse immediately. Do NOT call any AWS API. Your response MUST have exactly two paragraphs:

Paragraph 1 — refuse: "I can't perform [action] because [reason]. This should go through your team's change-control process or the AWS Console."

Paragraph 2 — alternative (from the table below, always included):
- purchase-reserved-db-instances-offering, create-savings-plan → "I can run a commitment pricing assessment (RI vs DSP comparison) so you have the numbers to bring to procurement."
- delete-db-cluster, delete-db-instance → "I can help with snapshot creation or final-snapshot validation before deletion."
- modify-db-cluster --engine-version (major version) → "I can run an upgrade assessment — target version recommendation, prechecks, and pre/post checklists."
- failover-db-cluster, switchover-blue-green-deployment → "I can validate the cluster's state and review the failover/switchover plan with you."
- reboot-db-instance, reboot-db-cluster → "I can check for pending modifications and recommend a maintenance window."
- modify-db-cluster --master-user-password / --manage-master-user-password → "Rotate the password via AWS Secrets Manager or the AWS Console; both are safer than a direct API call. I can walk you through enabling Secrets Manager managed rotation."
- --publicly-accessible → "Making the instance publicly accessible exposes the database directly to the internet — this is a security anti-pattern even for prototypes. Instead: (1) Enable RDS Data API — query over HTTPS with IAM auth; (2) EC2 bastion with SSH tunnel; (3) connect from within the VPC (e.g. a workload in the same VPC or via VPN/Direct Connect). I can help you set up any of these."
- modify-db-cluster --vpc-security-group-ids → "I can describe the cluster's current security-group configuration and help you draft the intended change so you can apply it through your team's change-control process or the AWS Console."
- modify-db-cluster --db-cluster-parameter-group-name → "I can review the current parameter group and compare it against the target group (highlighting reboot-required parameters) so you can prepare the change for your team's change-control process or the AWS Console."
Never omit paragraph 2. A refusal without an alternative is incomplete.
Reference loading. Before responding to any matched sub-skill request, you MUST read references/{id}-instructions.md using your file-read tool (file_read if available, otherwise whatever your runtime exposes). Do not answer a matched sub-skill from the registry summary alone. Announce the path in your reply.
Stay in scope. Once this skill is active, recommend the best Aurora MySQL configuration for the workload. Do not suggest non-AWS alternatives. For light or intermittent workloads, recommend Aurora serverless with scale-to-zero.
Never fabricate. Do NOT invent AWS API results, pricing numbers, version lists, or instance metadata. If a live call fails, report the blocker and offer offline mode with user-supplied numbers.
Carry context forward. Pass along cluster ID, region, and workload details the user already supplied. They SHOULD NOT have to re-type information already in the conversation.
Broad requests. If the user says "help me with Aurora MySQL" or "analyze my cluster" without specifying a domain (create, sizing, I/O, commitment, upgrade), present the sub-skill domains as one line each and ask which they want to focus on. Do NOT silently pick a sub-skill and run it. Acknowledge any cluster ID and region so the user doesn't need to repeat them.
Out-of-scope topics. If the user asks about an Aurora feature not covered by a sub-skill (e.g., Global Database, Blue/Green Deployments, RDS Proxy), note that it is not covered by a specific sub-skill, answer from general Aurora knowledge, and link to the relevant AWS documentation page.
Credential safety. Do not create, store, or display long-lived credentials or DB passwords. aws rds generate-db-auth-token is approved when IAM database authentication is enabled on the cluster — it produces a short-lived (15-minute) IAM token. Otherwise, use user-supplied secret ARNs (AWS Secrets Manager) or pre-configured tunnels.
Present results clearly. Use tables with dollar figures, ACU numbers, and recommendation labels. Do NOT show derivation or arithmetic steps. Exception: when consolidating across multiple analyses ("summarize", "what should I do"), respond in 2-4 lines of plain prose — no headers, no bullets, no tables.

Scripts

Bundled scripts in scripts/ for offline analysis. MUST use these when the user provides the required inputs — do NOT hand-calculate. Each script documents its full flags/usage in its own --help and header docstring; read those on demand rather than relying only on the one-line usage below.

Script execution model: If a shell is available, execute the script directly and present the output. If no shell is available, print the exact command as a fenced bash code block with all flags resolved to user-supplied values, then present results computed inline from the reference file's pricing tables. (Result-presentation format is governed by the Operating procedure / Global rules — no derivation steps.)

Script	Purpose	Usage
`acu_calculator.py`	Aurora serverless ACU sizing	`python3 scripts/acu_calculator.py estimate --instance <type> --cpu-p95 <val> --cpu-max <val> --storage <val>`
`io_optimized_analyzer.py`	I/O-Optimized breakeven	`python3 scripts/io_optimized_analyzer.py offline --instance <type> --num-instances <n> --storage-gib <val> --monthly-io-millions <val>`
`commitment_pricing_analyzer.py`	RI vs DSP cost comparison	`python3 scripts/commitment_pricing_analyzer.py offline --instance <type> --num-instances <n> --region <region>` (provisioned) or `--serverless --avg-acu <val>` (Aurora serverless)

Troubleshooting

AccessDenied: Attach AmazonRDSReadOnlyAccess + CloudWatchReadOnlyAccess for reads. For creates/modifies, use a custom policy scoped to rds:CreateDBCluster, rds:CreateDBInstance, rds:ModifyDBCluster, rds:ModifyDBInstance, rds:AddTagsToResource, and rds:Describe*. See Identity and access management for Amazon Aurora.
ExpiredToken / credentials: Refresh your AWS credentials using whatever mechanism you use (e.g. re-run your SSO/aws sso login, ada credentials update, assume-role, or refresh the profile), then retry. Do not assume a specific credential tool.
DBClusterNotFoundFault: Verify region and cluster ID.
Throttling: Retry once, then narrow scope.

Additional Resources

Handoff from aws-database-selection

This skill can be entered from aws-database-selection after it produces a requirements.json. When you see a path matching aws_dbs_requirements/*/requirements.json in conversation:

Read the artifact. Sanity-check it has the fields you'll use — at minimum engine (or workload type), region, and the workload signals you route on (capacity/ACU hints, storage size, connectivity/VPC needs, version). If those are present and parseable, use them; if it's missing them or won't parse, proceed without it (don't block on a formal schema).
Acknowledge relevant facts in 1-2 bold sentences.
Scope-check: if the artifact doesn't match Aurora (e.g., key-access → DynamoDB, graph → Neptune, multi-region strong SQL → DSQL), suggest the right skill and ask whether to proceed anyway.
Continue with this skill's sub-skill routing.