rsclarke/amp-plugins

Amp Plugins

Shared Amp plugins.

Each plugin is a standalone TypeScript file at the repository root. To use one, copy the plugin file you want into an Amp plugin directory and reload plugins from Amp's command palette with plugins: reload.

Plugins

Plugin | Description
aws-control-plane-readonly.ts | Checks AWS CLI commands before Amp runs them, allowing only commands classified as control-plane read-only operations.

Installation

Install a plugin user-wide:

mkdir -p ~/.config/amp/plugins
cp <plugin-file>.ts ~/.config/amp/plugins/

Or install a plugin for one project:

mkdir -p .amp/plugins
cp <plugin-file>.ts .amp/plugins/

After installing or updating a plugin file, reload plugins from Amp's command palette with plugins: reload.

AWS Control Plane Read-only

aws-control-plane-readonly.ts checks AWS CLI commands before Amp runs them.

The plugin allows AWS CLI commands only when every aws invocation in the shell command is classified as a control-plane read-only operation. It uses deterministic checks for obvious reads, rejects writes and known data-plane/data-access operations, and prompts before anything else.

What is allowed without prompting?

The plugin is intended to allow control-plane inspection commands, for example:

aws ec2 describe-instances
aws iam list-users
aws eks describe-cluster --name example
aws sts get-caller-identity

What is rejected before running?

The plugin rejects commands that deterministic rules classify as writes, mutations, or known data-plane/data-access operations.

Examples:

aws ec2 create-tags --resources i-1234567890abcdef0 --tags Key=Name,Value=test
aws rds modify-db-instance --db-instance-identifier example --apply-immediately
aws route53 change-resource-record-sets --hosted-zone-id example --change-batch file://change.json
aws s3api get-object --bucket example --key secret.txt secret.txt
aws logs get-log-events --log-group-name example --log-stream-name example
aws dynamodb get-item --table-name example --key file://key.json
aws secretsmanager get-secret-value --secret-id example

What prompts before running?

The plugin prompts before commands that deterministic rules cannot classify as either allowed control-plane reads or rejected commands. From that prompt, the user can allow, ask AI to classify, or reject with feedback.

Examples:

aws sts decode-authorization-message --encoded-message example
aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::123456789012:user/example --action-names s3:ListBucket

How it works

The plugin listens for Amp tool.call events, extracts shell commands with amp.helpers.shellCommandFromToolCall(), and checks commands that invoke the aws CLI.

For AWS commands, it first applies deterministic rules:

  • obvious control-plane reads such as list-*, describe-*, and get-* operations are allowed unless they match a known data-plane/data-access exception;
  • write-like operations such as create-*, modify-*, delete-*, put-*, start-*, stop-*, tag-*, and similar verbs are rejected immediately;
  • known data-plane/data-access operations such as s3 cp, s3api get-object, dynamodb get-item, logs filter-log-events, and secretsmanager get-secret-value are rejected immediately;
  • commands that are not covered by those rules prompt for a decision.

When the deterministic rules result in a prompt, the user can allow the command, ask AI to classify it, or reject it. If the user chooses "Ask AI", the plugin calls ctx.ai.ask() with a yes/no classification prompt. A yes result allows the command. A no or uncertain result asks the user whether to allow or reject. Rejection asks for feedback and returns "none given" if left blank.
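The deterministic pass described above, written out as an added example (not the plugin's own code). The rule tables are a constructed subset built from the verbs and operations named on this page, the function names are hypothetical, and the shell handling is a plain split on ;, |, & and newlines in which anything it cannot parse falls through to a prompt.

```typescript
type Verdict = "allow" | "reject" | "prompt";

// Constructed rule tables: a subset built from this page's examples, not the plugin's lists.
const READ_VERBS = /^(list|describe|get)-[a-z0-9-]+$/; // whole token must be a clean verb-noun
const WRITE_VERBS = /^(create|modify|delete|put|start|stop|tag|change)-/;
const DATA_ACCESS = new Set([
  "s3 cp", "s3api get-object", "dynamodb get-item", "logs get-log-events",
  "logs filter-log-events", "secretsmanager get-secret-value",
]);
// AWS CLI global options that take the next token as their value.
const VALUE_OPTS = new Set(["--profile", "--region", "--output", "--endpoint-url", "--query"]);

// Classify one invocation, given as whitespace-split tokens with tokens[0] === "aws".
function classifyInvocation(tokens: string[]): Verdict {
  const words: string[] = [];
  for (let i = 1; i < tokens.length && words.length < 2; i++) {
    if (VALUE_OPTS.has(tokens[i])) i++; // skip the option and its value
    else if (!tokens[i].startsWith("-")) words.push(tokens[i]);
  }
  if (words.length < 2) return "prompt"; // no service/operation pair found
  const [service, operation] = words;
  // Data-access exceptions are checked first so get-* reads cannot shadow them.
  if (DATA_ACCESS.has(`${service} ${operation}`)) return "reject";
  if (WRITE_VERBS.test(operation)) return "reject";
  if (READ_VERBS.test(operation)) return "allow";
  return "prompt";
}

// Classify a whole shell command: "allow" only if every aws invocation is allowed.
// Returns null when the command never mentions aws.
function classifyShellCommand(command: string): Verdict | null {
  let result: Verdict | null = null;
  for (const part of command.split(/[;|&\n]+/)) {
    if (!/\baws\b/.test(part)) continue;
    const tokens = part.trim().split(/\s+/);
    // Wrappers (env X=1 aws ...), subshells and expansions are not parsed: prompt.
    const simple = tokens[0] === "aws" && !/[`$()]/.test(part);
    const verdict: Verdict = simple ? classifyInvocation(tokens) : "prompt";
    if (verdict === "reject") return "reject";
    result = verdict === "prompt" || result === "prompt" ? "prompt" : "allow";
  }
  return result;
}
```

A single rejected invocation rejects the whole command, and one unclassified invocation downgrades an otherwise allowed command to a prompt, which matches the "every aws invocation" condition stated earlier on the page.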

Security note

This plugin uses AI classification rather than a complete AWS API allowlist. It is a guardrail for Amp-driven AWS CLI usage, not a substitute for least-privilege IAM, AWS Organizations SCPs, approval workflows, or other access controls.

About

Collection of plugins for amp
