A practical starter kit for Cloud Platform & SRE teams to get productive with Kiro — AWS's AI-powered IDE. Encode your org's standards once, accelerate every engineer forever.
Kiro is a VS Code-based AI IDE. When you open an infrastructure repo it reads three things from .kiro/ and combines them with the current file context before every AI response.
Steering: Markdown docs that encode your org's standards, loaded automatically from .kiro/steering/ when Kiro opens the repo.
Skills: Reusable workflows invoked with /skill-name, pre-built for CFN review, security scan, cost estimate and runbooks.
MCP servers: Kiro calls live AWS APIs mid-conversation (describe stacks, check costs, look up docs) without leaving the editor.
Guardrails: Central steering plus SCPs and permission boundaries that stop insecure patterns, whether Kiro generated them or not.
Steering files are markdown documents in .kiro/steering/ that tell Kiro how your org does things. Toggle the steering files below and see how the generated CloudFormation output changes.
````markdown
---
includeBy: # Only activate for YAML/CFN files
  - "**/*.yaml"
  - "**/cloudformation/**"
---
# CloudFormation Security Standards

## Encryption: always on by default

All storage resources must be encrypted. No exceptions.

### S3

```yaml
MyBucket:
  Type: AWS::S3::Bucket
  Properties:
    BucketEncryption:
      ServerSideEncryptionConfiguration:
        - ServerSideEncryptionByDefault:
            SSEAlgorithm: aws:kms
    PublicAccessBlockConfiguration:   # all four flags: a partial block is still bypassable
      BlockPublicAcls: true
      BlockPublicPolicy: true
      IgnorePublicAcls: true
      RestrictPublicBuckets: true
```
````
Use includeBy frontmatter to scope steering to specific file patterns. Irrelevant files are not loaded, keeping Kiro's context focused.
| Steering file | includeBy pattern | When active |
|---|---|---|
| cfn-structure.md | `**/*.yaml` | Any YAML file |
| pipeline-standards.md | `**/.github/workflows/**` | GitHub Actions files only |
| sre-standards.md | `**/runbooks/**` | Runbook directories only |
| security-guardrails.md | (none — always active) | Always loaded |
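To see how includeBy scoping resolves in practice, here is an added example (not Kiro's own loader) that parses the frontmatter shown above and reports which steering files apply to a given path; the glob semantics, the constructed sample files and the function names are assumptions.

```python
"""Which steering files would Kiro load for a given path? Added example, not Kiro's
own loader: it parses the includeBy frontmatter shown above with assumed glob
semantics (** crosses directories, * and ? do not; no includeBy = always active)."""
import re
from typing import Dict, List

# Constructed steering corpus mirroring the includeBy table above.
STEERING_FILES: Dict[str, str] = {
    "cfn-structure.md": '---\nincludeBy: # CFN only\n  - "**/*.yaml"\n---\n# CFN\n',
    "pipeline-standards.md": '---\nincludeBy:\n  - "**/.github/workflows/**"\n---\n# CI\n',
    "sre-standards.md": '---\nincludeBy:\n  - "**/runbooks/**"\n---\n# SRE\n',
    "security-guardrails.md": "# Security guardrails\nNo frontmatter: always loaded.\n",
}
FRONTMATTER_RE = re.compile(r"\A---\n(.*?)\n---\n", re.S)

def parse_include_by(text: str) -> List[str]:
    """Return the includeBy globs, or [] when the file has no such list."""
    m = FRONTMATTER_RE.match(text)
    patterns, in_list = [], False
    for line in (m.group(1).splitlines() if m else []):
        stripped = line.split("#", 1)[0].strip()      # drop YAML comments
        if stripped.startswith("includeBy:"):
            in_list = True
        elif in_list and stripped.startswith("-"):
            patterns.append(stripped[1:].strip().strip("\"'"))
        elif stripped:
            in_list = False                            # another top-level key
    return patterns

def glob_to_regex(pattern: str):
    """Anchored regex for a steering glob: ** may span '/', * and ? may not."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out, i = out + "(?:.*/)?", i + 3           # zero or more directories
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] in "*?":
            out, i = out + ("[^/]*" if pattern[i] == "*" else "[^/]"), i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile(r"\A" + out + r"\Z")

def active_steering(path: str, files: Dict[str, str] = STEERING_FILES) -> List[str]:
    """Sorted names of steering files loaded for a repo-relative path."""
    path = path[2:] if path.startswith("./") else path
    return sorted(name for name, text in files.items()
                  if not (globs := parse_include_by(text))
                  or any(glob_to_regex(g).match(path) for g in globs))
```

Run it against a path from your own repo to confirm that an always-on guardrail file really is loaded everywhere and that scoped files do not leak into unrelated contexts.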
Steering files in this repo, ready to copy into your .kiro/steering/:
Skills are reusable AI workflows invoked with a /slash-command. Click any skill below to see what prompt it sends to Kiro and what output format it produces.
MCP (Model Context Protocol) servers give Kiro tools it can call mid-conversation — live AWS API access, documentation lookups, cost data. Configure them in .kiro/settings.json.
```json
{
  "mcpServers": {
    "aws-docs": {
      "command": "uvx",
      "args": ["awslabs.aws-documentation-mcp-server@latest"],
      "env": { "FASTMCP_LOG_LEVEL": "ERROR" }
    },
    "cloudformation": {
      "command": "uvx",
      "args": ["awslabs.aws-cloudformation-mcp-server@latest"],
      "env": {
        "AWS_PROFILE": "${env:AWS_PROFILE}",
        "AWS_REGION": "eu-west-1"
      }
    },
    "cost-analysis": {
      "command": "uvx",
      "args": ["awslabs.aws-cost-analysis-mcp-server@latest"],
      "env": { "AWS_PROFILE": "${env:AWS_PROFILE}" }
    }
  }
}
```
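Because settings.json is committed, a pre-commit check can reject literal credentials under mcpServers.*.env before they ever reach git. This is an added example, not part of Kiro or this repo; the allow-list of non-secret variables and the constructed sample documents are assumptions.

```python
"""Pre-commit check for .kiro/settings.json: no literal credentials.

Added example, not part of Kiro or this repo. Because settings.json is
committed to git, every value under mcpServers.<server>.env must be a
${env:VAR} reference or an allow-listed non-secret literal (assumed list).
"""
import json
import re
from typing import List

ENV_REF_RE = re.compile(r"^\$\{env:[A-Za-z_][A-Za-z0-9_]*\}$")
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")     # AWS key id shape
SECRET_NAME_RE = re.compile(r"SECRET|TOKEN|PASSWORD|API_KEY", re.I)
LITERAL_OK = {"AWS_REGION", "AWS_DEFAULT_REGION", "FASTMCP_LOG_LEVEL"}  # assumption


def check_settings(raw: str) -> List[str]:
    """Return findings for a settings.json document; [] means clean."""
    findings: List[str] = []
    if ACCESS_KEY_ID_RE.search(raw):                  # catches keys hidden in args too
        findings.append("file contains an AWS access key id")
    for name, cfg in json.loads(raw).get("mcpServers", {}).items():
        for var, value in cfg.get("env", {}).items():
            where = f"mcpServers.{name}.env.{var}"
            if isinstance(value, str) and ENV_REF_RE.match(value):
                continue                              # resolved from the shell at runtime
            if SECRET_NAME_RE.search(var):
                findings.append(f"{where}: secret-looking variable holds a literal")
            elif var not in LITERAL_OK:
                findings.append(f"{where}: literal value; use ${{env:{var}}} instead")
    return findings


# Constructed inputs: the template above, and a copy with pasted credentials
# (the key pair below is the example pair from AWS documentation, not a live key).
GOOD = json.dumps({"mcpServers": {"cloudformation": {"command": "uvx",
        "env": {"AWS_PROFILE": "${env:AWS_PROFILE}", "AWS_REGION": "eu-west-1"}}}})
BAD = json.dumps({"mcpServers": {"cloudformation": {"command": "uvx",
        "env": {"AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
                "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                "AWS_REGION": "eu-west-1"}}}})

if __name__ == "__main__":
    for label, doc in (("template", GOOD), ("leaked", BAD)):
        print(label, check_settings(doc) or "clean")
```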
Use ${env:AWS_PROFILE} references; never paste credentials directly into settings.json, because this file is checked into git.

Guardrails work at two levels. Steering guardrails shape what Kiro generates (AI-level). AWS guardrails enforce at runtime regardless of how resources were created.
AI-level: Tell Kiro what patterns to never generate. Lives in security-guardrails.md and iam-guardrails.md.
AWS-level: SCPs, IAM Permission Boundaries, Config Rules — actual enforcement that applies regardless of how resources were created.
Permission boundary on every role, scoped policies, no IAM users for workloads.
Private subnets by default, no SSH to internet, security group references over CIDRs.
OIDC federation only, staging-before-prod, cfn-lint + checkov required.
Org-level: deny disable CloudTrail/GuardDuty, region restriction, prod account controls.
OrgPermissionBoundary CFN template — prevents privilege escalation and region drift.
GitHub Actions OIDC provider + scoped deployment roles. No long-lived access keys.
Follow these steps to go from a fresh Kiro install to your first AI-assisted infrastructure deployment with your org's standards baked in.
Download from kiro.dev. Sign in with AWS Builder ID. Open your infrastructure repository.
```shell
kiro /path/to/your/infra-repo
```
Clone this repo and copy the .kiro/ directory into your infra repo. Replace placeholder values with your org's actual account IDs, regions, and cost centre codes.
```shell
git clone https://github.com/nirmal84/kiro-for-cloud-engineering
# the target directories must exist before cp -r can copy into them
mkdir -p your-infra-repo/.kiro/steering your-infra-repo/.kiro/skills
cp -r kiro-for-cloud-engineering/steering/* your-infra-repo/.kiro/steering/
cp -r kiro-for-cloud-engineering/skills/* your-infra-repo/.kiro/skills/
cp kiro-for-cloud-engineering/mcp-servers/settings-template.json \
   your-infra-repo/.kiro/settings.json
```
Search and replace these across all steering files:
| Find | Replace with |
|---|---|
| `OrgPermissionBoundary` | Your IAM boundary policy name |
| `eu-west-1` | Your primary AWS region |
| `your-org` | Your GitHub org name |
| `CC-[0-9]+` | Your cost centre code format |
| `log-archive-${AWS::AccountId}` | Your centralised log bucket name |
Install the MCP server prerequisites and authenticate to AWS:

```shell
# Install uv (Python package runner for AWS MCP servers)
curl -LsSf https://astral.sh/uv/install.sh | sh

# Set your AWS profile
export AWS_PROFILE=my-sandbox-profile
aws sso login --profile my-sandbox-profile
```
Open the project. Kiro auto-loads steering from .kiro/steering/. Try these prompts to verify everything is working:
```text
# Verify steering is loaded
What steering files are active for this project?

# Test CFN generation with your standards
Create a CloudFormation template for an S3 bucket that stores access logs.

# Test skills
/cfn-review

# Test MCP (needs AWS credentials)
Use the cloudformation MCP tool to list all stacks in eu-west-1
```
The .kiro/ directory is a team artifact: commit steering files, settings, and skills to git so every engineer gets the same AI context when they open the project.
All templates, steering files, skills, and guardrails are open source under MIT-0 — use without attribution.