intermediate cloud AWS CLI v2 · Updated April 2026

AWS CLI Essentials Cheatsheet

Master the AWS CLI to manage AWS resources from your terminal. Covers installation, configuration, core commands, and advanced patterns.

Quick Overview

The AWS Command Line Interface (CLI) is a unified, open-source tool for managing your Amazon Web Services (AWS) resources from the terminal. It gives direct control over multiple AWS services and enables automation through scripting. You’d reach for it to quickly provision resources, inspect configurations, or integrate AWS operations into CI/CD pipelines. This guide covers AWS CLI v2, the latest major version.

To check whether it is installed and which version you have:

# bash
aws --version

Getting Started

Follow these steps to get the AWS CLI up and running on your machine.

1. Install the AWS CLI v2

The recommended way to install AWS CLI v2 varies by operating system.

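For Linux (x86_64, using curl). The zip below is a Linux build; on macOS, use the .pkg installer from the official AWS CLI documentation instead: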

# bash
# Download the installer
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"

# Unzip the installer
# You might need to install 'unzip' if it's not present: sudo apt-get install unzip
unzip awscliv2.zip

# Run the install program (creates a symlink in /usr/local/bin by default)
sudo ./aws/install

# Verify installation
aws --version

For Windows:

Download the appropriate MSI installer from the official AWS CLI documentation and follow the on-screen instructions. After installation, verify in PowerShell or Command Prompt.

# powershell
# Verify installation after running the MSI installer
aws --version

2. Configure the AWS CLI

After installation, you need to configure your AWS credentials and default settings. This creates ~/.aws/credentials and ~/.aws/config files.

# bash
# Start the configuration wizard
aws configure

You will be prompted for:

  • AWS Access Key ID: Found in your AWS Management Console under IAM (Identity and Access Management) > Users > Security Credentials. It usually starts with AKIA.
  • AWS Secret Access Key: The secret part corresponding to your Access Key ID. It’s only shown once upon creation, so store it securely.
  • Default region name: E.g., us-east-1, eu-west-2. This is the region where CLI commands will run by default if not explicitly specified.
  • Default output format: Common choices are json, text, or table. json is great for scripting, table for human readability.

# bash
# Example output during configuration
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-east-1
Default output format [None]: json

3. Hello World (Verify Configuration)

To ensure everything is correctly set up, you can use the sts get-caller-identity command, which shows information about the AWS identity used to make the call.

# bash
# Get details about the current AWS identity
aws sts get-caller-identity

Expected output:

{
    "UserId": "AIDAIOSFODNN7EXAMPLE",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/your-user-name"
}

Core Concepts

Understanding these fundamental concepts is key to effectively using the AWS CLI.

| Concept | Description |
|---|---|
| Services | AWS is composed of many services (EC2, S3, Lambda, IAM, etc.). The CLI commands are organized by service. |
| Commands | Each service has a set of commands (e.g., s3 ls, ec2 describe-instances). |
| Subcommands | Many commands have further subcommands for specific operations (e.g., s3api get-object). |
| Profiles | Named sets of credentials and configuration (region, output format). Allows managing multiple AWS accounts or roles from a single CLI installation. The default profile is used if none is specified. |
| Regions | Geographic locations where AWS hosts its services. Commands are region-specific unless a global service is accessed. You can set a default or override with --region. |
| Output Formats | Determines how the command results are displayed: json (default, for scripting), text (space-separated values), table (human-readable table), yaml, yaml-stream. Can be set globally or per-command with --output. |
| Pagination | AWS APIs often return large datasets in pages. The CLI automatically handles pagination by default (e.g., fetching all S3 objects). Use --no-paginate to disable this. |

Essential Commands / API / Syntax

This section covers the 80/20 of common AWS CLI tasks.

General Commands & Configuration

# bash
# Get help for the AWS CLI itself
aws help

# Get help for a specific service (e.g., S3)
aws s3 help

# Get help for a specific command within a service (e.g., 'ls' for S3)
aws s3 ls help

# Specify a named profile for a command
aws s3 ls --profile my-dev-account

# Override the default region for a command
aws s3 ls --region us-west-2

# Override the default output format for a command
aws s3 ls --output text

# Update configuration for the default profile
aws configure

# Configure a named profile
aws configure --profile my-dev-account

Amazon S3 (Simple Storage Service)

Common operations for managing S3 buckets and objects.

# bash
# List all buckets in your account
aws s3 ls

# List contents of a specific bucket
aws s3 ls s3://my-unique-bucket-name/

# List contents recursively (like 'ls -R')
aws s3 ls s3://my-unique-bucket-name/ --recursive

# Copy a local file to S3
aws s3 cp my-local-file.txt s3://my-unique-bucket-name/path/to/remote/

# Copy a file from S3 to local
aws s3 cp s3://my-unique-bucket-name/path/to/remote/remote-file.txt my-downloaded-file.txt

# Sync local directory to S3 bucket (like rsync)
aws s3 sync ./my-local-data s3://my-unique-bucket-name/data/

# Make a new S3 bucket
# Bucket names must be globally unique
aws s3 mb s3://my-new-globally-unique-bucket/

# Remove an empty S3 bucket
aws s3 rb s3://my-empty-bucket-to-delete/

# Remove an S3 bucket and all its contents (DANGER!)
aws s3 rb s3://my-bucket-and-all-its-contents/ --force

Amazon EC2 (Elastic Compute Cloud)

Basic instance management.

# bash
# Describe all EC2 instances
aws ec2 describe-instances

# Describe instances with a specific tag (using JMESPath query)
aws ec2 describe-instances --filters "Name=tag:Environment,Values=production" --query "Reservations[*].Instances[*].{ID:InstanceId,State:State.Name,Type:InstanceType,Name:Tags[?Key=='Name']|[0].Value}" --output table

# Launch a new EC2 instance (simplified example, requires AMI, KeyPair, SecurityGroup)
# Replace with your actual values
aws ec2 run-instances \
    --image-id ami-0abcdef1234567890 \
    --count 1 \
    --instance-type t2.micro \
    --key-name MyKeyPair \
    --security-group-ids sg-0123456789abcdef0 \
    --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=MyNewInstance}]'

# Stop an EC2 instance
aws ec2 stop-instances --instance-ids i-0abcdef1234567890

# Start an EC2 instance
aws ec2 start-instances --instance-ids i-0abcdef1234567890

# Terminate an EC2 instance (DANGER!)
aws ec2 terminate-instances --instance-ids i-0abcdef1234567890

AWS IAM (Identity and Access Management)

Managing users and permissions.

# bash
# List all IAM users
aws iam list-users

# Create a new IAM user
aws iam create-user --user-name my-new-cli-user

# Attach a managed policy to a user
aws iam attach-user-policy \
    --user-name my-new-cli-user \
    --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

# Get access key for a user (after creating login profile or access key)
# For new access keys, you'd usually create them in the console or via iam create-access-key
# This command is to list existing ones:
aws iam list-access-keys --user-name my-new-cli-user

AWS CloudWatch Logs

Viewing application logs.

# bash
# List log groups
aws logs describe-log-groups

# List log streams for a specific log group
aws logs describe-log-streams --log-group-name /aws/lambda/my-function-name --order-by LastEventTime --descending

# Get log events from a specific log stream
# (quote the stream name so the shell does not treat the brackets as a glob)
aws logs get-log-events --log-group-name /aws/lambda/my-function-name --log-stream-name '2023/10/26/[...some-id...]' --limit 10

Common Patterns

1. Scripting with jq for JSON Output Processing

The AWS CLI returns JSON by default, making it ideal for piping into jq for powerful filtering and transformation.

# bash
# Get instance IDs of all running t2.micro instances
aws ec2 describe-instances \
    --filters "Name=instance-state-name,Values=running" "Name=instance-type,Values=t2.micro" \
    --query "Reservations[*].Instances[*].InstanceId" \
    --output json | jq -r '.[] | .[]'

# List S3 buckets and their creation dates, formatted as a CSV
aws s3api list-buckets --query "Buckets[*].{Name:Name,CreationDate:CreationDate}" --output json | \
    jq -r '.[] | [.Name, .CreationDate] | @csv'

2. Using Environment Variables for Credentials and Region

For automation or temporary access, you can set environment variables instead of relying on ~/.aws/credentials or ~/.aws/config. Environment variables take precedence over config files.

# bash
# Set credentials for the current shell session
export AWS_ACCESS_KEY_ID=AKIAEXAMPLEACCESSKEY
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_SESSION_TOKEN=AQoDYXdzEXAMPLE...  # only if using temporary credentials

# Set default region
export AWS_DEFAULT_REGION=eu-west-1

# Now run your AWS CLI commands without specifying --profile or --region
aws s3 ls
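
Keys exported this way tend to end up pasted into scripts and CI files. The following added example (not part of the original cheatsheet) scans files for hardcoded access key IDs and checks that a credentials file is not readable by group or other; the function names and sample files are constructed for illustration.

```bash
# Added example, not from the original page: two local hygiene checks
# for the credentials discussed above.

# 1. Report hardcoded access key IDs as file:line:masked-id.
#    AKIA = long-term IAM user key, ASIA = temporary STS key.
#    Only the first and last 4 characters are printed, so the report
#    itself does not leak the full key ID.
scan_aws_key_ids() {
    # -H file name, -n line number, -o matched text only, -E extended regex
    grep -HnoE '(AKIA|ASIA)[A-Z0-9]{16}' "$@" 2>/dev/null |
        sed -E 's/^(.*:[0-9]+:)([A-Z0-9]{4})[A-Z0-9]{12}([A-Z0-9]{4})$/\1\2************\3/'
}

# 2. Succeed only if the credentials file grants nothing to group/other.
creds_file_private() {
    f=${1:-$HOME/.aws/credentials}
    [ -f "$f" ] || return 2                  # no such file
    # Characters 5-10 of the mode string are the group and other bits.
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ]
}

# Constructed sample files (the key ID is the placeholder used on this page).
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '#!/bin/sh' 'export AWS_DEFAULT_REGION=eu-west-1' \
        'export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE' > "$dir/deploy.sh"
    printf '%s\n' '#!/bin/sh' 'aws s3 ls --profile my-dev-account' > "$dir/clean.sh"
    printf '[default]\n' > "$dir/credentials"
    chmod 644 "$dir/credentials"             # deliberately too open
    echo "$dir"
}

d=$(make_samples)
scan_aws_key_ids "$d"/*.sh
creds_file_private "$d/credentials" || echo "$d/credentials: readable by group/other"
rm -rf "$d"
```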

3. Cross-Account Access with IAM Roles and Profiles

To access resources in another AWS account using an IAM role, configure a named profile that assumes the role.

First, ensure you have an IAM role in the target account that trusts your source account and has the necessary permissions.

Then, configure your local AWS CLI ~/.aws/config file (or ~/.aws/credentials for the base credentials) with your source credentials and the role to assume:

# ~/.aws/config
[profile source-account-profile]
region = us-east-1
output = json

[profile target-account-role]
role_arn = arn:aws:iam::123456789012:role/CrossAccountAccessRole
source_profile = source-account-profile
region = us-east-1
output = json

# bash
# Now use the target-account-role profile
aws s3 ls --profile target-account-role
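
An added example, not part of the original cheatsheet: an audit of a config file like the one above that lists each role-assuming profile with the account it reaches and flags a source_profile that is not defined anywhere in the file. The function names and the second sample role are constructed; mfa_serial and credential_source are standard AWS CLI config keys that this page does not cover.

```bash
# Added example, not from the original page. NO_MFA is informational only:
# whether MFA is actually required is decided by the role's trust policy.
audit_role_profiles() {
    # Usage: audit_role_profiles [CONFIG_FILE|-]   (default ~/.aws/config)
    # Output: profile<TAB>role account<TAB>source_profile<TAB>findings
    awk '
        /^[ \t]*\[/ {                        # section: [default] or [profile NAME]
            name = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", name)
            sub(/^profile[ \t]+/, "", name)
            defined[name] = 1; order[++n] = name
            next
        }
        /^[ \t]*[#;]/ || name == "" { next } # comment, or text before any section
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            cfg[name, key] = val
        }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                if (!((p, "role_arn") in cfg)) continue
                split(cfg[p, "role_arn"], arn, ":")   # arn:aws:iam::ACCOUNT:role/NAME
                src = ((p, "source_profile") in cfg) ? cfg[p, "source_profile"] : ""; f = ""
                if (src == "" && !((p, "credential_source") in cfg)) f = f " NO_SOURCE"
                if (src != "" && !(src in defined)) f = f " UNDEFINED_SOURCE"
                if (!((p, "mfa_serial") in cfg)) f = f " NO_MFA"
                printf "%s\t%s\t%s\t%s\n", p, arn[5], (src == "" ? "-" : src), (f == "" ? "OK" : substr(f, 2))
            }
        }
    ' "${1:-$HOME/.aws/config}"
}
sample_config() {   # constructed sample modelled on the config above
    cat <<'EOF'
[profile source-account-profile]
region = us-east-1
[profile target-account-role]
role_arn = arn:aws:iam::123456789012:role/CrossAccountAccessRole
source_profile = source-account-profile
mfa_serial = arn:aws:iam::111122223333:mfa/example-user
[profile audit-role]
role_arn = arn:aws:iam::210987654321:role/ExampleAuditRole
source_profile = source-acount-profile
EOF
}
sample_config | audit_role_profiles -
```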

Gotchas & Tips

  • Credential Precedence: Be aware of the order of precedence for credentials and configuration: Command line options (--region, --profile) > Environment variables (AWS_ACCESS_KEY_ID, AWS_DEFAULT_REGION) > AWS CLI configuration files (~/.aws/credentials, ~/.aws/config).
  • Region Specificity: Most AWS services are region-specific. If you’re having trouble finding a resource, double-check your default region or explicitly specify it with --region.
  • JSON Output & Quoting: When providing JSON as an input parameter (e.g., --tags), it often needs to be properly quoted for your shell. Use single quotes for simple JSON in bash/zsh, or escape double quotes. For complex JSON, consider reading from a file using file://.
    # bash
    # Example: single quotes around the shorthand value in bash
    aws ec2 run-instances ... --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=MyServer}]'
    
    # Example: reading from a file
    # file.json: [{"ResourceType": "instance", "Tags": [{"Key": "Name", "Value": "MyServer"}]}]
    aws ec2 run-instances ... --tag-specifications file://file.json
  • --query for Filtering: The --query parameter uses JMESPath, a powerful query language for JSON. It’s incredibly useful for extracting specific data from large responses, reducing the need for external tools like jq in simple cases.
  • Pagination: By default, the AWS CLI fetches all results when listing resources that support pagination. For very large datasets, this can be slow. Use --max-items to limit the number of items a command returns and --starting-token to continue from the token of a previous response. Or, if you only need the first page, use --no-paginate.
  • Security Best Practices: Always use IAM users with the principle of least privilege. Avoid using root account credentials for CLI access. Rotate your access keys regularly.
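
To act on the last tip, the IAM credential report gives the key state of every user, including root, in one CSV. This added example (not from the original cheatsheet) flags active root access keys and active keys not rotated since a cutoff date; the two `aws iam` commands in its comments are standard IAM commands that this page does not cover, and the sample rows are constructed.

```bash
# Added example, not from the original page. Input is the IAM credential
# report CSV, obtained with (not run here):
#   aws iam generate-credential-report
#   aws iam get-credential-report --query Content --output text | base64 -d
audit_credential_report() {
    # Usage: audit_credential_report CUTOFF < report.csv   (CUTOFF = YYYY-MM-DD)
    # ROOT_KEY  = the root user has an active access key
    # STALE_KEY = an active key was last rotated before CUTOFF
    awk -F, -v cutoff="$1" '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }   # map header names
        {
            user = $(col["user"])
            for (k = 1; k <= 2; k++) {                  # each user has two key slots
                active = $(col["access_key_" k "_active"])
                day = substr($(col["access_key_" k "_last_rotated"]), 1, 10)
                if (active != "true") continue
                if (user == "<root_account>") {
                    printf "ROOT_KEY\t%s\tkey%d\t%s\n", user, k, day
                } else if (day < cutoff) {              # ISO 8601 dates sort as strings
                    printf "STALE_KEY\t%s\tkey%d\t%s\n", user, k, day
                }
            }
        }'
}

sample_report() {   # constructed rows; a real report carries more columns
    cat <<'EOF'
user,arn,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,true,true,2021-06-01T10:00:00+00:00,false,N/A
my-new-cli-user,arn:aws:iam::123456789012:user/my-new-cli-user,false,true,2023-10-26T09:15:00+00:00,true,2026-03-01T08:30:00+00:00
ci-deployer,arn:aws:iam::123456789012:user/ci-deployer,false,false,2022-01-05T11:00:00+00:00,false,N/A
EOF
}

sample_report | audit_credential_report 2026-01-01
```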

Source: z2h.fyi/cheatsheets/aws-cli-cheatsheet — Zero to Hero cheatsheets for developers.