Essential AWS CLI commands for common cloud infrastructure operations.
Configuration
Initial Setup
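# Configure AWS CLI (interactive: Access Key ID, Secret Key, Region, Output format).
# Secrets are written to ~/.aws/credentials, non-secret settings to ~/.aws/config
aws configure
# Named profiles
aws configure --profile production
aws configure --profile dev
# Use specific profile (per command, or for the whole shell session)
aws s3 ls --profile production
export AWS_PROFILE=production
# List configured profiles (CLI v2) without echoing secret keys
aws configure list-profiles
# Show which profile, region and credential source the CLI actually resolves
aws configure list
# Non-secret settings; avoid `cat ~/.aws/credentials`, which dumps long-lived
# access keys into the terminal, scrollback and any session recording
cat ~/.aws/config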
Identity & Access
# Get current identity (account id, user id and ARN of the calling principal)
aws sts get-caller-identity
# Assume role: 123456789 is a placeholder, real account ids are 12 digits
aws sts assume-role \
  --role-arn arn:aws:iam::123456789:role/RoleName \
  --role-session-name session1
# Get MFA-backed session token (token-code is the current code from the device)
aws sts get-session-token \
  --serial-number arn:aws:iam::123456789:mfa/user \
  --token-code 123456
EC2
Instances
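# List instances
aws ec2 describe-instances
# List running instances
aws ec2 describe-instances --filters "Name=instance-state-name,Values=running"
# List specific instance
aws ec2 describe-instances --instance-ids i-1234567890abcdef0
# Start instance
aws ec2 start-instances --instance-ids i-1234567890abcdef0
# Stop instance
aws ec2 stop-instances --instance-ids i-1234567890abcdef0
# Terminate instance (irreversible; add --dry-run first to check permissions
# and the instance id without acting)
aws ec2 terminate-instances --instance-ids i-1234567890abcdef0
# Get instance details as a table using the built-in JMESPath --query
# (no jq needed; see the AWS CLI Tips section for the jq equivalent)
aws ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId,State.Name,InstanceType,PublicIpAddress]' --output table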
AMIs
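# List AMIs (owned by me)
aws ec2 describe-images --owners self
# Find Ubuntu AMIs. A name filter alone matches any public AMI whose name looks
# like Ubuntu, including images published by arbitrary accounts; pin the owner
# to Canonical's account (099720109477) so only official images are returned
aws ec2 describe-images --owners 099720109477 --filters "Name=name,Values=ubuntu/images/hvm-ssd/ubuntu-*" --query 'Images[*].[ImageId,Name]' --output table
# Create AMI from instance
aws ec2 create-image --instance-id i-1234567890abcdef0 --name "MyAMI"
# Deregister AMI (the backing snapshots are not deleted by this call)
aws ec2 deregister-image --image-id ami-12345678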
Security Groups
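# List security groups
aws ec2 describe-security-groups
# Create security group
aws ec2 create-security-group --group-name MySecurityGroup --description "My security group" --vpc-id vpc-12345678
# Add ingress rule (SSH) from a single trusted address. 203.0.113.10/32 is a
# documentation placeholder — replace with your own source IP. Do not use
# 0.0.0.0/0 here: it exposes port 22 to the entire internet
aws ec2 authorize-security-group-ingress --group-id sg-12345678 --protocol tcp --port 22 --cidr 203.0.113.10/32
# Remove ingress rule (protocol, port and CIDR must match the existing rule)
aws ec2 revoke-security-group-ingress --group-id sg-12345678 --protocol tcp --port 22 --cidr 203.0.113.10/32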
Key Pairs
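# List key pairs
aws ec2 describe-key-pairs
# Create key pair. The private key is returned exactly once; write it under a
# restrictive umask so the .pem is never readable by other users in the window
# between redirection creating the file and chmod tightening it
(umask 077; aws ec2 create-key-pair --key-name MyKeyPair --query 'KeyMaterial' --output text > MyKeyPair.pem)
chmod 400 MyKeyPair.pem
# Delete key pair (removes the public key from AWS only; the local .pem remains)
aws ec2 delete-key-pair --key-name MyKeyPair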
S3
Buckets
# List buckets
aws s3 ls
# List bucket contents (prefix listing needs the trailing slash)
aws s3 ls s3://bucket-name
aws s3 ls s3://bucket-name/prefix/
# Create bucket (name must be globally unique)
aws s3 mb s3://bucket-name
# Remove bucket (fails if not empty)
aws s3 rb s3://bucket-name
# --force deletes every object first; irreversible, double-check the bucket name
aws s3 rb s3://bucket-name --force # With contents
File Operations
# Upload file (cp, sync and rm all accept --dryrun to preview what would change)
aws s3 cp file.txt s3://bucket-name/
aws s3 cp file.txt s3://bucket-name/path/to/file.txt
# Download file
aws s3 cp s3://bucket-name/file.txt .
# Sync directory (upload) — only new/changed files are copied; nothing is deleted
# on the destination unless --delete is added
aws s3 sync ./local-dir s3://bucket-name/remote-dir/
# Sync directory (download)
aws s3 sync s3://bucket-name/remote-dir/ ./local-dir
# Delete file
aws s3 rm s3://bucket-name/file.txt
# Delete directory (everything under the prefix; irreversible unless versioning is on)
aws s3 rm s3://bucket-name/prefix/ --recursive
# Move file
aws s3 mv s3://bucket-name/old.txt s3://bucket-name/new.txt
Bucket Policies
# Get bucket policy (the policy is returned as a JSON string inside the response)
aws s3api get-bucket-policy --bucket bucket-name
# Set bucket policy — replaces the whole policy; review policy.json for
# Principal "*" grants before applying
aws s3api put-bucket-policy --bucket bucket-name --policy file://policy.json
# Delete bucket policy
aws s3api delete-bucket-policy --bucket bucket-name
Versioning & Lifecycle
# Enable versioning (protects against accidental overwrite/delete; versioning
# cannot be turned off once enabled, only suspended)
aws s3api put-bucket-versioning --bucket bucket-name --versioning-configuration Status=Enabled
# Get versioning status
aws s3api get-bucket-versioning --bucket bucket-name
# List object versions (includes delete markers)
aws s3api list-object-versions --bucket bucket-name
IAM
Users
# List users
aws iam list-users
# Create user
aws iam create-user --user-name new-user
# Delete user (fails with DeleteConflict until the user's access keys, MFA
# devices, group memberships and attached policies are removed first)
aws iam delete-user --user-name old-user
# Get user
aws iam get-user --user-name username
Access Keys
# Create access key — the SecretAccessKey is shown only in this response and
# goes to stdout; do not run this with output captured to shared logs.
# A user may hold at most two keys, which is what makes rotation possible
aws iam create-access-key --user-name username
# List access keys (key ids and status only, never the secret)
aws iam list-access-keys --user-name username
# Delete access key (deactivate first via update-access-key --status Inactive
# if you want a reversible step before removal)
aws iam delete-access-key --user-name username --access-key-id AKIAIOSFODNN7EXAMPLE
Groups & Policies
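# List groups
aws iam list-groups
# Add user to group
aws iam add-user-to-group --user-name username --group-name groupname
# Attach policy to group (preferred: grant permissions through groups, not per user)
aws iam attach-group-policy --group-name groupname --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
# Attach policy directly to user. ReadOnlyAccess is the example here; attaching
# AdministratorAccess to an individual user grants full account control and
# should be the deliberate exception, not a copy-paste default
aws iam attach-user-policy --user-name username --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
# List attached policies
aws iam list-attached-user-policies --user-name username
# Detach policy
aws iam detach-user-policy --user-name username --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess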
RDS
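# List DB instances
aws rds describe-db-instances
# Create DB instance. --manage-master-user-password has RDS generate the master
# password and store it in Secrets Manager instead of accepting it on the
# command line, where it would land in shell history and `ps` output.
# Encryption at rest and a private-only endpoint are set explicitly
aws rds create-db-instance \
  --db-instance-identifier mydb \
  --db-instance-class db.t3.micro \
  --engine mysql \
  --master-username admin \
  --manage-master-user-password \
  --storage-encrypted \
  --no-publicly-accessible \
  --allocated-storage 20
# Delete DB instance, keeping a final snapshot so the data can be restored
aws rds delete-db-instance --db-instance-identifier mydb --final-db-snapshot-identifier mydb-final
# Delete without a final snapshot — the data is gone for good
aws rds delete-db-instance --db-instance-identifier mydb --skip-final-snapshot
# Create snapshot
aws rds create-db-snapshot --db-instance-identifier mydb --db-snapshot-identifier mydb-snapshot
# Restore from snapshot (creates a new instance; the original is untouched)
aws rds restore-db-instance-from-db-snapshot --db-instance-identifier mydb-restored --db-snapshot-identifier mydb-snapshot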
Lambda
# List functions
aws lambda list-functions
# Create function. The role is what the function runs as — scope it to what the
# code needs. python3.9 is an example; check the currently supported runtimes
aws lambda create-function \
  --function-name my-function \
  --runtime python3.9 \
  --role arn:aws:iam::123456789:role/lambda-role \
  --handler lambda_function.lambda_handler \
  --zip-file fileb://function.zip
# Invoke function (the response payload is written to output.txt)
aws lambda invoke --function-name my-function output.txt
# Update function code
aws lambda update-function-code \
  --function-name my-function \
  --zip-file fileb://function.zip
# Delete function
aws lambda delete-function --function-name my-function
CloudWatch
Logs
# List log groups
aws logs describe-log-groups
# Get log events (no filter = every event in the group; add --filter-pattern
# and --start-time to narrow large groups)
aws logs filter-log-events --log-group-name /aws/lambda/my-function
# Tail logs (CLI v2)
aws logs tail /aws/lambda/my-function --follow
# Create log group
aws logs create-log-group --log-group-name /my/log/group
# Delete log group (all retained events are deleted with it)
aws logs delete-log-group --log-group-name /my/log/group
Metrics
# List metrics
aws cloudwatch list-metrics
# Get metric statistics: hourly average CPU for one instance over one day
aws cloudwatch get-metric-statistics \
  --namespace AWS/EC2 \
  --metric-name CPUUtilization \
  --dimensions Name=InstanceId,Value=i-1234567890abcdef0 \
  --start-time 2023-01-01T00:00:00Z \
  --end-time 2023-01-02T00:00:00Z \
  --period 3600 \
  --statistics Average
VPC
# List VPCs
aws ec2 describe-vpcs
# Create VPC (the returned VpcId is what the later commands need in place of vpc-12345678)
aws ec2 create-vpc --cidr-block 10.0.0.0/16
# Create subnet (CIDR must fall inside the VPC's block)
aws ec2 create-subnet --vpc-id vpc-12345678 --cidr-block 10.0.1.0/24
# List subnets
aws ec2 describe-subnets
# Create internet gateway
aws ec2 create-internet-gateway
# Attach internet gateway — this alone does not expose anything; a route
# table entry to the gateway is still needed for internet access
aws ec2 attach-internet-gateway --internet-gateway-id igw-12345678 --vpc-id vpc-12345678
ECS / ECR
ECR (Container Registry)
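# Create repository. Immutable tags stop an existing tag from being silently
# re-pointed at a different image (re-pushing the same tag is rejected, so use
# unique tags such as a commit hash rather than a fixed `latest`); scan-on-push
# runs the basic vulnerability scan on every upload
aws ecr create-repository --repository-name my-repo \
  --image-tag-mutability IMMUTABLE \
  --image-scanning-configuration scanOnPush=true
# Get login password — piped via --password-stdin so the token never appears
# on a command line or in `ps`. The registry host is
# <account-id>.dkr.ecr.<region>.amazonaws.com; 123456789 is a placeholder
aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 123456789.dkr.ecr.us-east-1.amazonaws.com
# Push image
docker tag my-image:latest 123456789.dkr.ecr.us-east-1.amazonaws.com/my-repo:latest
docker push 123456789.dkr.ecr.us-east-1.amazonaws.com/my-repo:latest
# List images
aws ecr list-images --repository-name my-repo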
CloudFormation
# List stacks
aws cloudformation list-stacks
# Create stack (templates that create IAM resources additionally need --capabilities)
aws cloudformation create-stack --stack-name my-stack --template-body file://template.json
# Update stack — applies immediately; use create-change-set / describe-change-set
# to preview replacements before updating production stacks
aws cloudformation update-stack --stack-name my-stack --template-body file://template.json
# Delete stack (deletes every resource the stack owns)
aws cloudformation delete-stack --stack-name my-stack
# Describe stack
aws cloudformation describe-stacks --stack-name my-stack
Route 53
# List hosted zones
aws route53 list-hosted-zones
# List record sets
aws route53 list-resource-record-sets --hosted-zone-id Z123456789
# Create record — the change batch JSON can also UPSERT or DELETE; review it
# before applying, since a wrong record redirects traffic for the whole zone
aws route53 change-resource-record-sets --hosted-zone-id Z123456789 --change-batch file://change-batch.json
Useful Queries & Filters
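# Find all running instances with tag
aws ec2 describe-instances --filters "Name=tag:Environment,Values=production" "Name=instance-state-name,Values=running" --query 'Reservations[*].Instances[*].[InstanceId,Tags[?Key==`Name`].Value|[0],PrivateIpAddress]' --output table
# List every object in one bucket with object count and total size (the two
# summary lines come last). This is per-bucket, not a list of all buckets, and
# the output cannot be size-sorted with `sort -h` because --human-readable
# prints the unit as a separate field
aws s3 ls --summarize --human-readable --recursive s3://bucket-name
# Find all unattached EBS volumes
aws ec2 describe-volumes --filters "Name=status,Values=available" --query 'Volumes[*].{ID:VolumeId,Size:Size,Type:VolumeType}' --output table
# Get total cost estimate
aws ce get-cost-and-usage --time-period Start=2023-01-01,End=2023-02-01 --granularity MONTHLY --metrics BlendedCost
# List security groups with a rule whose ToPort is exactly 22. Rules that cover
# 22 inside a wider port range, or all-traffic rules with no ToPort, are not
# matched; inspect IpRanges[].CidrIp in the full output to see exposure
aws ec2 describe-security-groups --query 'SecurityGroups[?IpPermissions[?ToPort==`22`]].[GroupId,GroupName]' --output table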
AWS CLI Tips
# Use JQ for better output (jq is an external tool; --query below is the built-in alternative)
aws ec2 describe-instances | jq '.Reservations[].Instances[] | {id: .InstanceId, type: .InstanceType, state: .State.Name}'
# Output to table
aws ec2 describe-instances --output table
# Dry run (test without executing) — checks permissions and parameters, no instance is launched
aws ec2 run-instances --dry-run --image-id ami-12345678 --instance-type t2.micro
# Use query for specific fields
aws ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId,State.Name]'
# Region override
aws ec2 describe-instances --region us-west-2
# Debug API calls — very verbose, includes request and response details;
# review before pasting the output into tickets or chat
aws ec2 describe-instances --debug
AWS Shell / SSM
# Start session to EC2 instance (needs the SSM agent and the Session Manager plugin; no inbound port 22)
aws ssm start-session --target i-1234567890abcdef0
# Run command on instance; the command runs with the SSM agent's privileges
aws ssm send-command \
  --instance-ids i-1234567890abcdef0 \
  --document-name "AWS-RunShellScript" \
  --parameters 'commands=["uptime"]'
# Get command output, using the CommandId returned by send-command
aws ssm get-command-invocation --command-id <command-id> --instance-id i-1234567890abcdef0