The AWS Command Line Interface (CLI) is an essential tool for managing Amazon Web Services from the terminal. This AWS CLI cheat sheet is a quick reference for 200+ commonly used commands across EC2, S3, Lambda, IAM, VPC, RDS, CloudWatch, and more, along with output format options and filtering syntax.
Quick Command Reference
| Task | Command |
|---|---|
| Check current user | aws sts get-caller-identity |
| List all S3 buckets | aws s3 ls |
| List running instances | aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" |
| Create S3 bucket | aws s3 mb s3://bucket-name |
| Upload to S3 | aws s3 cp file.txt s3://bucket/ |
| Download from S3 | aws s3 cp s3://bucket/file.txt . |
| List Lambda functions | aws lambda list-functions |
| View CloudWatch logs | aws logs tail /aws/lambda/function --follow |
| List IAM users | aws iam list-users |
| Dry run (commands that support it, mainly EC2) | aws ec2 [command] --dry-run |
Installation
Install AWS CLI v2
macOS:
# Using Homebrew
brew install awscli
# Or official installer
curl "https://awscli.amazonaws.com/AWSCLIV2.pkg" -o "AWSCLIV2.pkg"
sudo installer -pkg AWSCLIV2.pkg -target /
Linux:
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
Windows:
# Download and run: https://awscli.amazonaws.com/AWSCLIV2.msi
msiexec.exe /i https://awscli.amazonaws.com/AWSCLIV2.msi
Verify Installation:
aws --version
# Output: aws-cli/2.x.x Python/3.x.x
Configuration
Initial Setup
# Configure AWS CLI
aws configure
# Enter Access Key ID, Secret Key, Region, Output format
# Named profiles
aws configure --profile production
aws configure --profile dev
# Use specific profile
aws s3 ls --profile production
export AWS_PROFILE=production
# Profile files: credentials holds access keys in plaintext, config holds region/output settings
cat ~/.aws/credentials
cat ~/.aws/config
Profile Management
# List all configured profiles
aws configure list-profiles
# View current profile configuration
aws configure list
# Get current identity ("whoami")
aws sts get-caller-identity
# Use specific profile for one command
aws s3 ls --profile production
# Set default profile for session
export AWS_PROFILE=production
# Remove/delete a profile (edit files manually)
# Profiles are stored in:
# ~/.aws/credentials # Access keys
# ~/.aws/config # Configuration
Regional Configuration
# Set default region
aws configure set region us-east-1
# Override region for one command
aws ec2 describe-instances --region us-west-2
# List all regions
aws ec2 describe-regions --query 'Regions[*].RegionName' --output table
Identity & Access
# Get current identity
aws sts get-caller-identity
# Assume role (account IDs are 12 digits; 123456789012 is a placeholder)
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/RoleName --role-session-name session1
# Get temporary session credentials using an MFA code
aws sts get-session-token --serial-number arn:aws:iam::123456789012:mfa/user --token-code 123456
Output Formats
Set Output Format
# Configure default output format
aws configure set output json # JSON (default)
aws configure set output table # ASCII table
aws configure set output text # Tab-delimited text
aws configure set output yaml # YAML format
# One-time output format override
aws s3 ls --output table
aws ec2 describe-instances --output json
Output Format Examples
# JSON output (default - parseable)
aws ec2 describe-instances --output json
# Table output (human-readable)
aws ec2 describe-instances --output table
# Text output (for scripting)
aws ec2 describe-instances --output text
# YAML output
aws ec2 describe-instances --output yaml
Format & Display Options
# Suppress all output from an s3 transfer (quiet mode)
aws s3 cp file.txt s3://bucket/ --quiet
# Hide only the progress bar
aws s3 cp file.txt s3://bucket/ --no-progress
# Human-readable sizes
aws s3 ls s3://bucket/ --human-readable
# Debug output (full request/response trace, including request headers; review before sharing)
aws ec2 describe-instances --debug
# Note: the AWS CLI has no --verbose option; --debug is the only trace switch
Filtering & Queries
Query Syntax
# Basic query for specific fields
aws ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId,State.Name]'
# Filter with JMESPath
aws ec2 describe-instances --query 'Reservations[*].Instances[?State.Name==`running`]'
# Complex nested queries
aws ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId,Tags[?Key==`Name`].Value|[0]]'
Filter Syntax
# Filter by tag
aws ec2 describe-instances --filters "Name=tag:Environment,Values=production"
# Filter by state
aws ec2 describe-instances --filters "Name=instance-state-name,Values=running"
# Multiple filters (AND logic)
aws ec2 describe-instances --filters "Name=instance-type,Values=t2.micro" "Name=instance-state-name,Values=running"
# Filter EC2 by subnet
aws ec2 describe-instances --filters "Name=subnet-id,Values=subnet-12345"
Pagination
# Limit results
aws ec2 describe-instances --max-items 10
# Pagination with token
aws ec2 describe-instances --max-items 10 --starting-token <token>
# Disable automatic pagination (returns only the first page; by default the CLI fetches every page)
aws ec2 describe-instances --no-paginate
# Set page size (items per API call; the CLI still retrieves all results)
aws ec2 describe-instances --page-size 50
Common Query Patterns
# Get all running instance IDs
aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" --query 'Reservations[*].Instances[*].InstanceId' --output text
# List all VPCs with names
aws ec2 describe-vpcs --query 'Vpcs[*].[VpcId,Tags[?Key==`Name`].Value|[0]]' --output table
# Find subnets in specific VPC
aws ec2 describe-subnets --filters "Name=vpc-id,Values=vpc-12345" --query 'Subnets[*].[SubnetId,CidrBlock,AvailabilityZone]' --output table
# List S3 buckets with creation date
aws s3api list-buckets --query 'Buckets[*].[Name,CreationDate]' --output table
# Find unattached EBS volumes
aws ec2 describe-volumes --filters "Name=status,Values=available" --query 'Volumes[*].[VolumeId,Size,VolumeType]' --output table
EC2
Instances
# List instances
aws ec2 describe-instances
# List running instances
aws ec2 describe-instances --filters "Name=instance-state-name,Values=running"
# List specific instance
aws ec2 describe-instances --instance-ids i-1234567890abcdef0
# Start instance
aws ec2 start-instances --instance-ids i-1234567890abcdef0
# Stop instance
aws ec2 stop-instances --instance-ids i-1234567890abcdef0
# Terminate instance
aws ec2 terminate-instances --instance-ids i-1234567890abcdef0
# Get instance details (with --query)
aws ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId,State.Name,InstanceType,PublicIpAddress]' --output table
AMIs
# List AMIs (owned by me)
aws ec2 describe-images --owners self
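# Find Ubuntu AMIs (pin the owner to Canonical, 099720109477, so look-alike public images with a matching name are excluded)
aws ec2 describe-images --owners 099720109477 --filters "Name=name,Values=ubuntu/images/hvm-ssd/ubuntu-*" --query 'Images[*].[ImageId,Name]' --output table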
# Create AMI from instance
aws ec2 create-image --instance-id i-1234567890abcdef0 --name "MyAMI"
# Deregister AMI
aws ec2 deregister-image --image-id ami-12345678
Security Groups
# List security groups
aws ec2 describe-security-groups
# Create security group
aws ec2 create-security-group --group-name MySecurityGroup --description "My security group" --vpc-id vpc-12345678
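# Add ingress rule (SSH) limited to one source address; 203.0.113.10/32 is a placeholder, and 0.0.0.0/0 would expose port 22 to the whole internet
aws ec2 authorize-security-group-ingress --group-id sg-12345678 --protocol tcp --port 22 --cidr 203.0.113.10/32
# Remove ingress rule (here, an SSH rule that was open to 0.0.0.0/0)
aws ec2 revoke-security-group-ingress --group-id sg-12345678 --protocol tcp --port 22 --cidr 0.0.0.0/0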
Key Pairs
# List key pairs
aws ec2 describe-key-pairs
# Create key pair
aws ec2 create-key-pair --key-name MyKeyPair --query 'KeyMaterial' --output text > MyKeyPair.pem
chmod 400 MyKeyPair.pem
# Delete key pair
aws ec2 delete-key-pair --key-name MyKeyPair
Common EC2 Queries
# Delete/terminate instance (common search term)
aws ec2 terminate-instances --instance-ids i-1234567890abcdef0
# List instances with specific tag
aws ec2 describe-instances --filters "Name=tag:Name,Values=webserver*" --query 'Reservations[*].Instances[*].[InstanceId,Tags[?Key==`Name`].Value|[0],State.Name]' --output table
# Get instance public IP
aws ec2 describe-instances --instance-ids i-1234567890abcdef0 --query 'Reservations[*].Instances[*].PublicIpAddress' --output text
# List all VPCs (common search)
aws ec2 describe-vpcs --query 'Vpcs[*].[VpcId,Tags[?Key==`Name`].Value|[0],CidrBlock]' --output table
S3
Buckets
# List buckets
aws s3 ls
# List bucket contents
aws s3 ls s3://bucket-name
aws s3 ls s3://bucket-name/prefix/
# Create bucket
aws s3 mb s3://bucket-name
# Remove bucket
aws s3 rb s3://bucket-name
aws s3 rb s3://bucket-name --force # With contents
File Operations
# Upload file
aws s3 cp file.txt s3://bucket-name/
aws s3 cp file.txt s3://bucket-name/path/to/file.txt
# Download file
aws s3 cp s3://bucket-name/file.txt .
# Sync directory (upload)
aws s3 sync ./local-dir s3://bucket-name/remote-dir/
# Sync directory (download)
aws s3 sync s3://bucket-name/remote-dir/ ./local-dir
# Delete file
aws s3 rm s3://bucket-name/file.txt
# Delete directory
aws s3 rm s3://bucket-name/prefix/ --recursive
# Move file
aws s3 mv s3://bucket-name/old.txt s3://bucket-name/new.txt
Bucket Policies
# Get bucket policy
aws s3api get-bucket-policy --bucket bucket-name
# Set bucket policy
aws s3api put-bucket-policy --bucket bucket-name --policy file://policy.json
# Delete bucket policy
aws s3api delete-bucket-policy --bucket bucket-name
Versioning & Lifecycle
# Enable versioning
aws s3api put-bucket-versioning --bucket bucket-name --versioning-configuration Status=Enabled
# Get versioning status
aws s3api get-bucket-versioning --bucket bucket-name
# List object versions
aws s3api list-object-versions --bucket bucket-name
S3 Advanced Operations
# List all buckets (common search)
aws s3 ls
# Read file content (cat equivalent)
aws s3 cp s3://bucket/file.txt -
# List bucket with human-readable sizes
aws s3 ls s3://bucket/ --human-readable --summarize
# Find total bucket size
aws s3 ls s3://bucket/ --recursive --human-readable --summarize
# Copy between buckets
aws s3 cp s3://source-bucket/file.txt s3://dest-bucket/file.txt
IAM
Users
# List users
aws iam list-users
# Create user
aws iam create-user --user-name new-user
# Delete user
aws iam delete-user --user-name old-user
# Get user
aws iam get-user --user-name username
Access Keys
# Create access key
aws iam create-access-key --user-name username
# List access keys
aws iam list-access-keys --user-name username
# Delete access key
aws iam delete-access-key --user-name username --access-key-id AKIAIOSFODNN7EXAMPLE
Groups & Policies
# List groups
aws iam list-groups
# Add user to group
aws iam add-user-to-group --user-name username --group-name groupname
# Attach policy to user (prefer a scoped policy over AdministratorAccess)
aws iam attach-user-policy --user-name username --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
# List attached policies
aws iam list-attached-user-policies --user-name username
# Detach policy
aws iam detach-user-policy --user-name username --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
RDS
# List DB instances
aws rds describe-db-instances
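# Create DB instance (RDS generates the master password and stores it in Secrets Manager, so it never appears on the command line or in shell history)
aws rds create-db-instance --db-instance-identifier mydb --db-instance-class db.t3.micro --engine mysql --master-username admin --manage-master-user-password --allocated-storage 20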
# Delete DB instance
aws rds delete-db-instance --db-instance-identifier mydb --skip-final-snapshot
# Create snapshot
aws rds create-db-snapshot --db-instance-identifier mydb --db-snapshot-identifier mydb-snapshot
# Restore from snapshot
aws rds restore-db-instance-from-db-snapshot --db-instance-identifier mydb-restored --db-snapshot-identifier mydb-snapshot
Lambda
# List functions
aws lambda list-functions
# Create function (use a currently supported runtime)
aws lambda create-function --function-name my-function --runtime python3.12 --role arn:aws:iam::123456789012:role/lambda-role --handler lambda_function.lambda_handler --zip-file fileb://function.zip
# Invoke function
aws lambda invoke --function-name my-function output.txt
# Update function code
aws lambda update-function-code --function-name my-function --zip-file fileb://function.zip
# Delete function
aws lambda delete-function --function-name my-function
CloudWatch
Logs
# List log groups
aws logs describe-log-groups
# Get log events
aws logs filter-log-events --log-group-name /aws/lambda/my-function
# Tail logs
aws logs tail /aws/lambda/my-function --follow
# Create log group
aws logs create-log-group --log-group-name /my/log/group
# Delete log group
aws logs delete-log-group --log-group-name /my/log/group
Metrics
# List metrics
aws cloudwatch list-metrics
# Get metric statistics
aws cloudwatch get-metric-statistics --namespace AWS/EC2 --metric-name CPUUtilization --dimensions Name=InstanceId,Value=i-1234567890abcdef0 --start-time 2023-01-01T00:00:00Z --end-time 2023-01-02T00:00:00Z --period 3600 --statistics Average
VPC
# List VPCs
aws ec2 describe-vpcs
# Create VPC
aws ec2 create-vpc --cidr-block 10.0.0.0/16
# Create subnet
aws ec2 create-subnet --vpc-id vpc-12345678 --cidr-block 10.0.1.0/24
# List subnets
aws ec2 describe-subnets
# Create internet gateway
aws ec2 create-internet-gateway
# Attach internet gateway
aws ec2 attach-internet-gateway --internet-gateway-id igw-12345678 --vpc-id vpc-12345678
ECS / ECR
ECR (Container Registry)
# Create repository
aws ecr create-repository --repository-name my-repo
# Log Docker in to the registry (the password is piped via stdin, not passed as an argument)
aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 123456789012.dkr.ecr.us-east-1.amazonaws.com
# Push image
docker tag my-image:latest 123456789012.dkr.ecr.us-east-1.amazonaws.com/my-repo:latest
docker push 123456789012.dkr.ecr.us-east-1.amazonaws.com/my-repo:latest
# List images
aws ecr list-images --repository-name my-repo
CloudFormation
# List stacks
aws cloudformation list-stacks
# Create stack
aws cloudformation create-stack --stack-name my-stack --template-body file://template.json
# Update stack
aws cloudformation update-stack --stack-name my-stack --template-body file://template.json
# Delete stack
aws cloudformation delete-stack --stack-name my-stack
# Describe stack
aws cloudformation describe-stacks --stack-name my-stack
Route 53
# List hosted zones
aws route53 list-hosted-zones
# List record sets
aws route53 list-resource-record-sets --hosted-zone-id Z123456789
# Create record
aws route53 change-resource-record-sets --hosted-zone-id Z123456789 --change-batch file://change-batch.json
Troubleshooting & Debugging
Debug Commands
# Enable verbose debug output
aws ec2 describe-instances --debug
# Test command without executing (dry run)
aws ec2 run-instances --dry-run --image-id ami-12345 --instance-type t2.micro
# Validate CloudFormation template
aws cloudformation validate-template --template-body file://template.json
# Check current credentials
aws sts get-caller-identity
# Test IAM permissions (simulates policy evaluation without calling the service)
aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::123456789012:user/test --action-names s3:ListBucket
Common Errors
# "Unable to locate credentials"
# Fix: Run aws configure or set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
# "An error occurred (DryRunOperation)"
# This is expected with --dry-run, means command would succeed
# "An error occurred (UnauthorizedOperation)"
# Fix: Check IAM permissions for your user/role
# Connection timeout
# Fix: Check security groups, NACLs, and route tables
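The dry-run errors listed above can be turned into a permission preflight check. This is an added example, not part of the original cheat sheet; `classify_dry_run` and `can_i` are hypothetical helper names, and it assumes an EC2 subcommand that accepts `--dry-run`.

```shell
#!/bin/sh
# Added example: classify the result of an EC2 --dry-run call.
# classify_dry_run and can_i are hypothetical helper names.

# Map the CLI exit status and stderr text to one verdict:
#   allowed | denied | no-credentials | unexpected-success | error
classify_dry_run() {
  local status="$1" stderr="$2"
  if [ "$status" -eq 0 ]; then
    # A dry run is reported as an error either way; exit 0 means
    # the flag was not honoured and the call may have executed.
    echo "unexpected-success"
    return
  fi
  case "$stderr" in
    *"(DryRunOperation)"*)            echo "allowed" ;;
    *"(UnauthorizedOperation)"*)      echo "denied" ;;
    *"Unable to locate credentials"*) echo "no-credentials" ;;
    *)                                echo "error" ;;
  esac
}

# Run any EC2 subcommand with --dry-run and print the verdict.
# Usage: can_i run-instances --image-id ami-12345 --instance-type t2.micro
can_i() {
  local stderr status=0
  # Capture stderr only; stdout is discarded.
  stderr=$(aws ec2 "$@" --dry-run 2>&1 >/dev/null) || status=$?
  classify_dry_run "$status" "$stderr"
}
```

Calling `can_i terminate-instances --instance-ids i-1234567890abcdef0` prints `allowed` or `denied` without touching the instance.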
Performance Tips
# Disable automatic paging: pass --no-cli-pager per command, or clear AWS_PAGER for the session
export AWS_PAGER=""
# Suppress progress bars for faster execution
aws s3 sync . s3://bucket/ --no-progress
# Use --query to trim the output (applied client-side; use --filters to cut what the API returns)
aws ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId]'
# Use jq for advanced JSON processing
aws ec2 describe-instances | jq '.Reservations[].Instances[] | {id: .InstanceId, type: .InstanceType, state: .State.Name}'
AWS Shell / SSM
# Start session to EC2 instance
aws ssm start-session --target i-1234567890abcdef0
# Run command on instance
aws ssm send-command --instance-ids i-1234567890abcdef0 --document-name "AWS-RunShellScript" --parameters 'commands=["uptime"]'
# Get command output
aws ssm get-command-invocation --command-id <command-id> --instance-id i-1234567890abcdef0
Last Updated: March 8, 2026