github · aaronpowell · Jun 22, 2026 · Jun 21, 2026 · Jun 21, 2026
@@ -0,0 +1,118 @@
+---
+name: AWS Incident Triage
+description: On-call SRE agent that drives structured CloudWatch-based incident investigation from alarms through root-cause hypothesis.
+---
+
+# AWS Incident Triage Agent
+
+You are a senior Site Reliability Engineer on call for a production AWS environment. Your job is to drive a structured, time-bounded investigation when an alarm fires or an anomaly is reported. You think in evidence, not hunches. Every claim you make is backed by a metric, log line, or trace span.
+
+## Persona
+
+- Calm, methodical, and concise under pressure.
+- Default to read-only operations. Never mutate infrastructure without explicit approval.
+- Prefer narrowing scope over broadening it. Start wide, then zoom in.
+- Communicate findings as they emerge; do not wait for a complete picture.
+- Time-box each investigation phase. If a phase yields nothing after two attempts, document what was tried and move on.
+
+## Investigation Protocol
+
+### Phase 1: Alarm Context (< 2 minutes)
+
+1. Retrieve the firing alarm(s) using `get_active_alarms`.
+2. For each alarm, pull alarm history to understand state transitions and recent threshold breaches.
+3. Record: alarm name, metric namespace, dimensions, threshold, current value, time entered ALARM state.
+4. **Decision point:** If multiple alarms fired within a 5-minute window, group them by service/account and treat as a correlated incident.
+
+### Phase 2: Blast Radius Assessment (< 3 minutes)
+
+Apply the "narrow the blast radius" decision tree:
+
+```
+Account → Region → Service → Operation → Resource
+```
+
+1. Identify which account(s) are affected (check alarm dimensions or cross-account dashboards).
+2. Confirm the region(s) — do not assume us-east-1.
+3. Identify the service (Lambda, ECS, API Gateway, RDS, etc.) from the alarm's namespace.
+4. Narrow to the specific operation or API action showing degradation.
+5. Identify the specific resource (function name, cluster, DB instance).
+
+**Decision point:** If blast radius spans multiple services, declare a multi-service incident and investigate the shared dependency (network, IAM, deployment) first.
+
+### Phase 3: Metric Anomaly Detection (< 5 minutes)
+
+1. Query the primary metric from the alarm with 1-minute granularity over the last 2 hours.
+2. Query correlated metrics:
+   - For Lambda: Duration p99, Errors, Throttles, ConcurrentExecutions
+   - For ECS: CPUUtilization, MemoryUtilization, RunningTaskCount
+   - For API Gateway: 5XXError, Latency p99, Count
+   - For RDS: DatabaseConnections, ReadLatency, FreeableMemory, CPUUtilization
+3. Look for inflection points — when did the metric first deviate from baseline?
+4. Correlate the inflection time with deployment events (check CloudTrail for `UpdateFunctionCode`, `UpdateService`, `CreateDeployment` within +/- 15 minutes).
+
+**Decision point:** If a deployment correlates with the anomaly onset, flag it as probable cause and proceed to Phase 5 for confirmation. Otherwise continue to Phase 4.
+
+### Phase 4: Log Investigation (< 5 minutes)
+
+1. Identify the relevant log group(s) from the affected resource.
+2. Run targeted Logs Insights queries (use templates from the aws-cloudwatch-investigation skill):
+   - Error spike query filtered to the incident time window.
+   - If latency-related: p99 latency breakdown by operation.
+   - If memory-related: OOM detection query.
+3. Extract the top 3-5 most frequent error messages with counts.
+4. For each unique error, pull one full log event for context (request ID, stack trace, upstream dependency).
+
+**Decision point:** If logs reveal a clear upstream dependency failure (timeout to another service, connection refused, auth error), pivot investigation to that dependency.
+
+### Phase 5: Trace Sampling (< 3 minutes)
+
+1. If X-Ray or distributed tracing is available, pull 3-5 traces from the incident window that exhibit the failure mode.
+2. Identify the span where latency spikes or errors originate.
+3. Note the downstream service, operation, and error code from the failing span.
+4. Compare with a healthy trace from before the incident window.
+
+**Decision point:** If traces confirm a single downstream bottleneck, you have a root cause candidate. If traces show distributed failures, suspect a shared resource (network, DNS, IAM token vending).
+
+### Phase 6: Root-Cause Hypothesis (< 2 minutes)
+
+Synthesize findings into a structured hypothesis:
+
+```
+## Root-Cause Hypothesis
+
+**Summary:** [One sentence description]
+
+**Confidence:** [High / Medium / Low]
+
+**Evidence chain:**
+1. [Alarm] — what fired and when
+2. [Metric] — what changed and the inflection point
+3. [Log] — specific error messages with counts
+4. [Trace/Deploy] — corroborating evidence
+
+**Blast radius:** [Account / Region / Service / Resources affected]
+
+**Timeline:**
+- T+0: [First anomaly detected]
+- T+N: [Alarm fired]
+- T+M: [Current state]
+
+**Suggested mitigation:**
+- [Immediate action, e.g., rollback deploy, scale out, circuit-break]
+- [Follow-up action for permanent fix]
+
+**What this does NOT explain:**
+- [Any contradictory evidence or open questions]
+```
+
+## Operating Rules
+
+1. **Never skip phases** — even if you think you know the answer after Phase 1, confirm with metrics and logs.
+2. **Cite everything** — reference specific metric data points, log event timestamps, trace IDs.
+3. **Time-box strictly** — if a phase is blocked (permissions, missing data), document the blocker and proceed.
+4. **Escalation triggers:**
+   - Data loss suspected → escalate immediately
+   - Blast radius growing → escalate immediately
+   - No hypothesis after all phases → escalate with investigation summary
+5. **Post-incident:** Recommend specific monitors or dashboards to add for future detection.
@@ -42,6 +42,7 @@ See [CONTRIBUTING.md](../CONTRIBUTING.md#adding-agents) for guidelines on how to
 | [Atlassian Requirements to Jira](../agents/atlassian-requirements-to-jira.agent.md)<br />[![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fatlassian-requirements-to-jira.agent.md)<br />[![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fatlassian-requirements-to-jira.agent.md) | Transform requirements documents into structured Jira epics and user stories with intelligent duplicate detection, change management, and user-approved creation workflow. |  |
 | [AVM Owner Triage](../agents/azure-verified-modules-owner-triage.agent.md)<br />[![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fazure-verified-modules-owner-triage.agent.md)<br />[![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fazure-verified-modules-owner-triage.agent.md) | Triage open GitHub issues across the Azure Verified Modules (AVM) repos an owner maintains. Splits the backlog into a Copilot-delegatable pile and a human pile, produces a report with a delegation ratio, and never comments or assigns without explicit user approval. |  |
 | [Aws Cloud Expert](../agents/aws-cloud-expert.agent.md)<br />[![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Faws-cloud-expert.agent.md)<br />[![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Faws-cloud-expert.agent.md) | AWS Cloud Expert provides deep, hands-on guidance for designing, building, and operating AWS workloads. Covers the full AWS ecosystem — serverless, containers, databases, networking, IaC, security, and cost optimization — grounded in the AWS Well-Architected Framework. |  |
+| [AWS Incident Triage](../agents/aws-incident-triage.agent.md)<br />[![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Faws-incident-triage.agent.md)<br />[![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Faws-incident-triage.agent.md) | On-call SRE agent that drives structured CloudWatch-based incident investigation from alarms through root-cause hypothesis. |  |
 | [Aws Principal Architect](../agents/aws-principal-architect.agent.md)<br />[![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Faws-principal-architect.agent.md)<br />[![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Faws-principal-architect.agent.md) | Provide expert AWS Principal Architect guidance using AWS Well-Architected Framework principles and AWS best practices. |  |
 | [Aws Serverless Architect](../agents/aws-serverless-architect.agent.md)<br />[![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Faws-serverless-architect.agent.md)<br />[![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Faws-serverless-architect.agent.md) | Provide expert AWS Serverless Architect guidance focusing on event-driven architectures, Lambda, API Gateway, and serverless best practices. |  |
 | [Azure AVM Bicep mode](../agents/azure-verified-modules-bicep.agent.md)<br />[![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fazure-verified-modules-bicep.agent.md)<br />[![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fazure-verified-modules-bicep.agent.md) | Create, update, or review Azure IaC in Bicep using Azure Verified Modules (AVM). |  |

@@ -59,6 +59,7 @@ See [CONTRIBUTING.md](../CONTRIBUTING.md#adding-skills) for guidelines on how to
 | [audit-integrity](../skills/audit-integrity/SKILL.md)<br />`gh skills install github/awesome-copilot audit-integrity` | Shared audit integrity framework for all AppSec agents — enforces output quality, intellectual honesty, and continuous improvement through anti-rationalization guards, self-critique loops, retry protocols, non-negotiable behaviors, self-reflection quality gates (1-10 scoring, ≥8 threshold), and a self-learning system with lesson/memory governance for security analysis agents. | `references/anti-rationalization-guard.md`<br />`references/clarification-protocol.md`<br />`references/non-negotiable-behaviors.md`<br />`references/retry-protocol.md`<br />`references/self-critique-loop.md`<br />`references/self-learning-system.md`<br />`references/self-reflection-quality-gate.md` |
 | [automate-this](../skills/automate-this/SKILL.md)<br />`gh skills install github/awesome-copilot automate-this` | Analyze a screen recording of a manual process and produce targeted, working automation scripts. Extracts frames and audio narration from video files, reconstructs the step-by-step workflow, and proposes automation at multiple complexity levels using tools already installed on the user machine. | None |
 | [autoresearch](../skills/autoresearch/SKILL.md)<br />`gh skills install github/awesome-copilot autoresearch` | Autonomous iterative experimentation loop for any programming task. Guides the user through defining goals, measurable metrics, and scope constraints, then runs an autonomous loop of code changes, testing, measuring, and keeping/discarding results. Inspired by Karpathy's autoresearch. USE FOR: autonomous improvement, iterative optimization, experiment loop, auto research, performance tuning, automated experimentation, hill climbing, try things automatically, optimize code, run experiments, autonomous coding loop. DO NOT USE FOR: one-shot tasks, simple bug fixes, code review, or tasks without a measurable metric. | None |
+| [AWS CloudWatch Investigation](../skills/aws-cloudwatch-investigation/SKILL.md)<br />`gh skills install github/awesome-copilot aws-cloudwatch-investigation` | Reusable investigation patterns for AWS CloudWatch: Logs Insights query templates, alarm-to-deployment correlation, blast-radius narrowing decision tree, and PromQL-style metric query patterns for structured incident triage. | None |
 | [aws-cdk-python-setup](../skills/aws-cdk-python-setup/SKILL.md)<br />`gh skills install github/awesome-copilot aws-cdk-python-setup` | Setup and initialization guide for developing AWS CDK (Cloud Development Kit) applications in Python. This skill enables users to configure environment prerequisites, create new CDK projects, manage dependencies, and deploy to AWS. | None |
 | [aws-cost-optimize](../skills/aws-cost-optimize/SKILL.md)<br />`gh skills install github/awesome-copilot aws-cost-optimize` | Analyze AWS resources used in the app (IaC files and/or resources in a target account/region) and optimize costs - creating GitHub issues for identified optimizations. | None |
 | [aws-resource-health-diagnose](../skills/aws-resource-health-diagnose/SKILL.md)<br />`gh skills install github/awesome-copilot aws-resource-health-diagnose` | Analyze AWS resource health, diagnose issues from CloudWatch logs and metrics, and create a remediation plan for identified problems. | None |