| --- |
| schema_version: "1.0" |
| type: eem |
| project_name: aws-expert |
| domain: |
| - aws |
| - cloud-infrastructure |
| - devops |
| - security |
| license: mit |
| base_network: null |
| source_repos: [] |
| beliefs_total: 2775 |
| beliefs_in: 2775 |
| beliefs_out: 0 |
| premises: 2615 |
| derived: 160 |
| nogoods: 0 |
| generator: ftl-reasons/0.41.0 |
| --- |
| |
| # AWS Expert |
|
|
| Expert knowledge base for **AWS service behavior, defaults, and operational pitfalls**. Contains 2,775 justified beliefs covering DynamoDB, CloudTrail, IAM, CloudFormation, RDS, S3, networking, compute, and cross-service interactions. |
|
|
| ## What is this? |
|
|
| This is an **External Epistemic Memory** (EEM) — a model-agnostic knowledge base that any LLM can use via the `reasons` CLI or tool calling. Unlike a LoRA or fine-tune, this knowledge is not baked into model weights. It is external, inspectable, correctable, and works with any model. |
|
|
| ## Stats |
|
|
| | Metric | Value | |
| |--------|-------| |
| | Total beliefs | 2,775 | |
| | Status | 2,775 IN / 0 OUT | |
| | Premises (observations) | 2,615 | |
| | Derived (justified conclusions) | 160 | |
| | Nogoods (contradictions) | 0 | |
| | Retraction rate | 0% | |
| | Max derivation depth | 8 | |
|
|
| ## Top Topics |
|
|
| | Topic | Beliefs | |
| |-------|---------| |
| | dynamodb | 723 | |
| | cloudtrail | 416 | |
| | iam | 261 | |
| | account | 144 | |
| | rds | 134 | |
| | cfn | 132 | |
| | table | 128 | |
| | lake | 126 | |
| | default | 125 | |
| | max | 107 | |
| | region | 102 | |
| | backup | 98 | |
| | vpc | 95 | |
| | aws | 93 | |
| | ec2 | 89 | |
| | policy | 83 | |
| | data | 82 | |
| | cross | 80 | |
|
|
| ## Domain Coverage |
|
|
| - **DynamoDB**: capacity billing, GSI behavior, autoscaling pitfalls, TTL audit gaps, global tables consistency modes, DAX caching, item size overhead, cross-region replication (692 beliefs) |
| - **CloudTrail**: audit blind spots, Lake configuration, KMS key irrevocability, event data stores, data event logging gaps, automated operation blind spots (354 beliefs) |
| - **IAM**: policy evaluation, cross-account access, permission boundaries, default security posture, resource policies (222 beliefs) |
| - **CloudFormation**: stack lifecycle, drift detection, resource dependencies, rollback behavior, nested stacks (128 beliefs) |
| - **RDS/Aurora**: backup strategies, PITR windows, parameter groups, Multi-AZ failover, read replicas, lifecycle state transitions (139 beliefs) |
| - **S3**: bucket policies, lifecycle rules, versioning, cross-region replication, access points (119 beliefs) |
| - **EC2 & Compute**: instance lifecycle, spot interruptions, AMI management, EBS volumes, ENI limits (113 beliefs) |
| - **Networking**: VPC design, security groups, NACLs, Route 53 health checks, CloudFront distributions, EIP management (129 beliefs) |
| - **Backup & DR**: AWS Backup, PITR, cross-region backup, lifecycle transitions that degrade DR posture (65 beliefs) |
| - **DAX**: caching behavior, consistency implications, cluster management (61 beliefs) |
| - **CloudWatch**: metrics, alarms, log groups, observability investment ceilings (54 beliefs) |
| - **API Gateway**: REST vs HTTP APIs, throttling, authorization, stage management (89 beliefs) |
| - **SQS**: visibility timeout, dead letter queues, FIFO ordering, message retention (43 beliefs) |
| - **AppSync**: GraphQL resolvers, caching, authorization modes (31 beliefs) |
| - **Lambda**: cold starts, concurrency, event source mappings, resource limits (25 beliefs) |
| - **Container Services**: ECS task definitions, EKS node groups, ECR lifecycle policies (52 beliefs) |
| - **Security**: default hardening, KMS key management, ACM certificates, FIS chaos engineering (53 beliefs) |
| - **Additional topics**: ElastiCache, SES, CDK, spot instances, NoSQL Workbench patterns (remaining beliefs) |
|
|
| ## How to Use |
|
|
| ### Import into a reasons database |
|
|
| ```bash |
| reasons init |
| reasons import-json network.json |
| ``` |
|
|
| ### Query beliefs |
|
|
| ```bash |
| reasons search "DynamoDB capacity billing" |
| reasons explain lifecycle-transitions-silently-degrade-dr-posture |
| reasons show cloudtrail-eds-kms-key-irrevocable |
| ``` |
|
|
| ### Use as an MCP tool or CLI |
|
|
| Any LLM agent that can call `reasons search`, `reasons show`, and `reasons explain` can use this knowledge base. The agent does not need to be told it is an expert — the knowledge base speaks for itself. |
|
|
| ## Key Beliefs |
|
|
| | Node | Summary | |
| |------|---------| |
| | `lifecycle-transitions-silently-degrade-dr-posture` | Routine feature toggling and DR restores lose configuration state (PITR windows, audit settings) | |
| | `cloudtrail-eds-kms-key-irrevocable` | Once a KMS key is associated with a CloudTrail Lake event data store, it cannot be changed or removed | |
| | `dynamodb-ttl-deletions-not-logged-cloudtrail` | DynamoDB TTL data plane deletion actions are NOT logged by CloudTrail | |
| | `dynamodb-capacity-billing-penalizes-small-items-disproportionately` | DynamoDB capacity billing includes three hidden overhead mechanisms beyond raw item size | |
| | `aws-defaults-require-systematic-hardening-across-dimensions` | AWS default configurations systematically favor ease-of-use over security across operations | |
| | `full-observability-has-hard-ceiling-despite-investment` | Even after closing CloudTrail's configurable gaps, fundamental blind spots remain | |
| | `dynamodb-global-tables-consistency-mode-immutable` | DynamoDB Global Tables consistency mode is set at creation and cannot be changed afterward | |
| | `dynamodb-autoscaling-new-gsi-no-auto-scaling` | Creating a GSI on an existing DynamoDB table does not auto-enable scaling on the GSI | |
| | `cloudtrail-audit-blind-spots-exist-for-automated-operations` | Certain automated and system-initiated operations create audit gaps | |
| | `protocol-safety-unfalsifiable-under-current-testing` | Distributed protocol safety claims are unfalsifiable under the current testing methodology | |
|
|
| ## Sources |
|
|
| Built from exploration of AWS documentation, API behavior, and operational experience across DynamoDB, CloudTrail, IAM, CloudFormation, RDS, S3, EC2, VPC, and 25+ additional AWS services. |
|
|
| ## Files |
|
|
| | File | Description | |
| |------|-------------| |
| | `network.json` | Full belief network (machine-readable, portable) | |
| | `reasons.db` | SQLite database (gitignored, regenerate with `reasons import-json network.json`) | |
| | `CLAUDE.md` | Agent instructions for using this knowledge base | |
| | `entries/` | 655 exploration entries — raw observations behind the premises | |
|
|
| ## Quality |
|
|
| - All 2,775 beliefs are IN (none retracted) |
| - 2,615 premises grounded in direct observations of AWS service behavior |
| - 160 derived beliefs justified from premises via SL justifications |
| - 0 nogoods — no contradictions detected |
| - Max derivation depth of 8, indicating multi-step reasoning chains |
| - Built and reviewed using ftl-reasons derive and review-beliefs pipeline |
|
|
| ## Limitations |
|
|
| - Focused on AWS service behavior and defaults as of mid-2026 |
| - AWS services evolve rapidly; some beliefs may become stale as features change |
| - Heavier coverage of DynamoDB and CloudTrail than other services |
| - Does not cover pricing in detail beyond capacity billing mechanics |
| - No ATMS or assumption-based beliefs (single-context TMS only) |
|
|
| ## Authors |
|
|
| - Ben Thomasson ([@benthomasson](https://github.com/benthomasson)) |
|
|
| ## License |
|
|
| mit |
|
|