AWS CLI Cheatsheet
Common commands for daily use. Assumes AWS CLI v2.
Initial Setup
Configure with permanent credentials (IAM user)
```bash
aws configure
# AWS Access Key ID: AKIA...
# AWS Secret Access Key: ...
# Default region: us-east-1
# Output format: json
```
Configure with temporary session credentials (lab/role)
```bash
aws configure
# Enter Access Key + Secret Key as prompted
aws configure set aws_session_token <token>
```
Verify identity
Expected output of `aws sts get-caller-identity`:
```json
{
  "UserId": "AROA...",
  "Account": "123456789012",
  "Arn": "arn:aws:sts::123456789012:assumed-role/role-name/session"
}
```
Switch profiles
```bash
aws configure --profile work
aws s3 ls --profile work
export AWS_PROFILE=work # set for the whole session
```
S3
```bash
# List buckets
aws s3 ls
# List objects in bucket
aws s3 ls s3://my-bucket/
# Copy file to S3
aws s3 cp file.txt s3://my-bucket/
# Copy S3 object to local
aws s3 cp s3://my-bucket/file.txt ./
# Sync directory to S3
aws s3 sync ./local-dir s3://my-bucket/prefix/
# Delete object
aws s3 rm s3://my-bucket/file.txt
# Make bucket
aws s3 mb s3://my-bucket
```
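EC2
```bash
# List instances
aws ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId,State.Name,PublicIpAddress]' --output table
# Start / stop
aws ec2 start-instances --instance-ids i-0abc123
aws ec2 stop-instances --instance-ids i-0abc123
# Describe security groups
aws ec2 describe-security-groups
# Get instance metadata (from within EC2) with an IMDSv2 session token;
# requests without the token header are rejected when the instance requires IMDSv2
TOKEN=$(curl -s -X PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/public-ipv4
```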
IAM
```bash
# List users
aws iam list-users
# List groups
aws iam list-groups
# Who am I (role/user ARN)
aws sts get-caller-identity
# List policies attached to a role
aws iam list-attached-role-policies --role-name MyRole
# Get current account ID
aws sts get-caller-identity --query Account --output text
```
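Lambda
```bash
# List functions
aws lambda list-functions
# Invoke function (CLI v2 treats --payload as base64 unless
# --cli-binary-format raw-in-base64-out is set, so raw JSON needs the flag)
aws lambda invoke --function-name my-function --cli-binary-format raw-in-base64-out --payload '{"key": "value"}' output.json
# View logs (most recent)
aws logs tail /aws/lambda/my-function --follow
```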
CloudWatch Logs
```bash
# List log groups
aws logs describe-log-groups
# Tail a log group live
aws logs tail /aws/lambda/my-function --follow
# Query logs with Insights
# (date -d is GNU date; on macOS/BSD use: date -v-1H +%s)
aws logs start-query \
  --log-group-name /aws/lambda/my-function \
  --start-time "$(date -d '1 hour ago' +%s)" \
  --end-time "$(date +%s)" \
  --query-string 'fields @timestamp, @message | filter @message like /ERROR/'
# start-query only returns a queryId; fetch the results with:
#   aws logs get-query-results --query-id <queryId>
```
VPC / Networking
```bash
# List VPCs
aws ec2 describe-vpcs
# List subnets
aws ec2 describe-subnets
# List route tables
aws ec2 describe-route-tables
# List internet gateways
aws ec2 describe-internet-gateways
```
Useful Flags
| Flag | What It Does |
|---|---|
| `--region us-east-1` | Override default region |
| `--profile myprofile` | Use named profile |
| `--output json\|table\|text` | Change output format |
| `--query 'expression'` | JMESPath query to filter output |
| `--dry-run` | Test permissions without executing |
| `--no-cli-pager` | Skip pager, output directly |
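`--dry-run` is an option of individual operations (mainly EC2 commands) rather than a global CLI flag, and a permitted dry run still exits non-zero with a `DryRunOperation` error. The following added example (not part of the original cheatsheet; `classify_dry_run` and `check_ec2_permission` are hypothetical helper names and the sample messages are constructed) turns that output into a permission check that is safe to use in `set -e` scripts:

```bash
#!/usr/bin/env bash
# Added example, not from the original cheatsheet.

# Map the stderr of an `aws ec2 ... --dry-run` call to a verdict:
#   allowed - DryRunOperation: the request would have succeeded
#   denied  - UnauthorizedOperation: the caller lacks the permission
#   unknown - anything else (bad parameters, expired token, network error)
classify_dry_run() {
  case "$1" in
    *"(DryRunOperation)"*)       echo allowed ;;
    *"(UnauthorizedOperation)"*) echo denied ;;
    *)                           echo unknown ;;
  esac
}

# Hypothetical wrapper: append --dry-run to the given command and return 0
# only when the verdict is "allowed". The body runs in a subshell, so `err`
# does not leak into the caller.
check_ec2_permission() (
  # A permitted dry run still exits non-zero; `|| true` keeps `set -e`
  # scripts from aborting on it. Only stderr is captured.
  err=$("$@" --dry-run 2>&1 >/dev/null) || true
  [ "$(classify_dry_run "$err")" = allowed ]
)

# Constructed sample messages in the format the CLI prints for each case.
SAMPLE_ALLOWED='An error occurred (DryRunOperation) when calling the StopInstances operation: Request would have succeeded, but DryRun flag is set.'
SAMPLE_DENIED='An error occurred (UnauthorizedOperation) when calling the StopInstances operation: You are not authorized to perform this operation.'

for msg in "$SAMPLE_ALLOWED" "$SAMPLE_DENIED" 'Unable to locate credentials.'; do
  printf '%s <- %s\n' "$(classify_dry_run "$msg")" "$msg"
done

# Real use (needs credentials):
#   check_ec2_permission aws ec2 stop-instances --instance-ids i-0abc123 && echo permitted
```

Treat an `unknown` verdict as a failed check rather than as a denial, since it usually means the request never reached the authorization step.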
JMESPath Quick Reference
```bash
# Get specific field
aws ec2 describe-instances --query 'Reservations[*].Instances[*].InstanceId'
# Filter by value
aws ec2 describe-instances --query 'Reservations[*].Instances[?State.Name==`running`].InstanceId'
# Output as table
aws ec2 describe-instances \
  --query 'Reservations[*].Instances[*].[InstanceId,InstanceType,State.Name]' \
  --output table
```