
AWS CLI Cheat Sheet

Quick reference for the most common AWS CLI commands across core services. Assumes AWS CLI v2 is installed and configured.



Setup & Configuration

| Command | Description |
|---|---|
| aws configure | Interactive setup (access key, secret, region, output) |
| aws configure --profile staging | Configure a named profile |
| aws configure list | Show current config values |
| aws sts get-caller-identity | Verify who you are authenticated as |
| aws configure set region us-west-2 | Set default region |
| export AWS_PROFILE=staging | Switch active profile via env var |
| export AWS_DEFAULT_REGION=eu-west-1 | Override region via env var |

TIP

Always verify your identity with aws sts get-caller-identity before running destructive commands. You might be in the wrong account.
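A guard that automates the tip above, added here as example code (not part of the original cheat sheet): safe_aws runs an AWS command only after checking that the account returned by aws sts get-caller-identity is on an allow-list you pass in. The 12-digit account ids and the user id in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example: refuse to run an AWS command unless the active account is
# on an allow-list. Account ids used here are constructed placeholders.

# Reads `aws sts get-caller-identity` JSON on stdin and prints the 12-digit
# Account field (sed only, so it works on hosts without jq).
account_from_identity() {
  sed -n 's/.*"Account"[[:space:]]*:[[:space:]]*"\([0-9]\{12\}\)".*/\1/p' | head -n 1
}

# Exit 0 when ACCOUNT appears in the space-separated ALLOWED list, 1 otherwise.
account_allowed() {
  account="$1"
  allowed="$2"
  for a in $allowed; do
    if [ "$a" = "$account" ]; then
      return 0
    fi
  done
  return 1
}

# Run `aws "$@"` only if the caller identity resolves to an allowed account.
# Usage: safe_aws "111111111111 222222222222" ec2 terminate-instances --instance-ids i-1234567890abcdef0
safe_aws() {
  allowed="$1"
  shift
  account=$(aws sts get-caller-identity --output json | account_from_identity)
  if [ -z "$account" ]; then
    echo "safe_aws: could not determine the active account (not authenticated?)" >&2
    return 1
  fi
  if ! account_allowed "$account" "$allowed"; then
    echo "safe_aws: refusing, account $account is not in: $allowed" >&2
    return 1
  fi
  aws "$@"
}
```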


EC2 (Elastic Compute Cloud)

Instance Management

| Command | Description |
|---|---|
| aws ec2 describe-instances | List all EC2 instances |
| aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" | List only running instances |
| aws ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId,State.Name,PublicIpAddress]' --output table | Clean tabular output |
| aws ec2 start-instances --instance-ids i-1234567890abcdef0 | Start an instance |
| aws ec2 stop-instances --instance-ids i-1234567890abcdef0 | Stop an instance |
| aws ec2 reboot-instances --instance-ids i-1234567890abcdef0 | Reboot an instance |
| aws ec2 terminate-instances --instance-ids i-1234567890abcdef0 | Terminate (delete) an instance |

Security Groups

| Command | Description |
|---|---|
| aws ec2 describe-security-groups | List all security groups |
| aws ec2 authorize-security-group-ingress --group-id sg-xxx --protocol tcp --port 443 --cidr 0.0.0.0/0 | Allow HTTPS from anywhere |
| aws ec2 revoke-security-group-ingress --group-id sg-xxx --protocol tcp --port 22 --cidr 0.0.0.0/0 | Remove SSH access |

Key Pairs

| Command | Description |
|---|---|
| aws ec2 create-key-pair --key-name my-key --query 'KeyMaterial' --output text > my-key.pem | Create and save key pair |
| aws ec2 describe-key-pairs | List key pairs |
| aws ec2 delete-key-pair --key-name my-key | Delete key pair |

S3 (Simple Storage Service)

Bucket Operations

| Command | Description |
|---|---|
| aws s3 ls | List all buckets |
| aws s3 ls s3://my-bucket | List top-level objects in bucket |
| aws s3 ls s3://my-bucket --recursive --human-readable | List all objects with human-readable sizes |
| aws s3 mb s3://my-new-bucket | Create a bucket |
| aws s3 rb s3://my-bucket | Remove an empty bucket |
| aws s3 rb s3://my-bucket --force | Remove bucket and all contents |

File Operations

| Command | Description |
|---|---|
| aws s3 cp file.txt s3://bucket/path/ | Upload file |
| aws s3 cp s3://bucket/path/file.txt . | Download file |
| aws s3 cp s3://bucket/a.txt s3://bucket/b.txt | Copy within S3 |
| aws s3 mv file.txt s3://bucket/path/ | Move file to S3 |
| aws s3 rm s3://bucket/path/file.txt | Delete file |
| aws s3 sync ./local-dir s3://bucket/path/ | Sync local directory to S3 |
| aws s3 sync s3://bucket/path/ ./local-dir | Sync S3 to local directory |
| aws s3 sync . s3://bucket/ --exclude "*.log" | Sync excluding patterns |
| aws s3 sync . s3://bucket/ --delete | Sync and remove deleted files |

Presigned URLs

| Command | Description |
|---|---|
| aws s3 presign s3://bucket/file.txt --expires-in 3600 | Generate presigned URL (1 hour) |

WARNING

aws s3 sync --delete will remove files in the destination that do not exist in the source. Double-check direction before running.
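A preview step for the warning above, added as example code (not part of the original sheet): it runs the sync with the real --dryrun flag, counts the deletions the CLI reports, and only runs the real sync with --delete when that count stays within a limit you choose. The bucket names in the comments and the delete limit are assumptions.

```shell
#!/bin/sh
# Added example: preview `aws s3 sync --delete` and refuse the real run when
# it would delete more objects than expected. Bucket names are constructed.

# Reads dry-run output on stdin and prints how many planned deletes it holds.
# The CLI reports a planned deletion as "(dryrun) delete: s3://bucket/key".
count_planned_deletes() {
  grep -c '^(dryrun) delete: ' || true
}

# Prints only the objects that would be deleted, one per line, for review.
list_planned_deletes() {
  grep '^(dryrun) delete: ' | sed 's/^(dryrun) delete: //' || true
}

# Usage: guarded_sync <src> <dst> <max-deletes>
# Dry-run first; run the destructive sync only if the delete count is within
# the limit. The limit itself is an operational choice (assumption).
guarded_sync() {
  src="$1"
  dst="$2"
  max="$3"
  plan=$(aws s3 sync "$src" "$dst" --delete --dryrun)
  n=$(printf '%s\n' "$plan" | count_planned_deletes)
  if [ "$n" -gt "$max" ]; then
    echo "guarded_sync: $n planned deletes exceed limit $max; refusing. Planned deletes:" >&2
    printf '%s\n' "$plan" | list_planned_deletes >&2
    return 1
  fi
  aws s3 sync "$src" "$dst" --delete
}
```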


IAM (Identity and Access Management)

Users & Groups

| Command | Description |
|---|---|
| aws iam list-users | List all IAM users |
| aws iam create-user --user-name dev-user | Create a user |
| aws iam delete-user --user-name dev-user | Delete a user |
| aws iam list-groups | List all groups |
| aws iam add-user-to-group --user-name dev-user --group-name developers | Add user to group |
| aws iam create-access-key --user-name dev-user | Create access key for user |
| aws iam list-access-keys --user-name dev-user | List user's access keys |
| aws iam delete-access-key --user-name dev-user --access-key-id AKIAXXXXXXX | Delete access key |

Roles & Policies

| Command | Description |
|---|---|
| aws iam list-roles | List all roles |
| aws iam list-policies --scope Local | List customer-managed policies |
| aws iam attach-role-policy --role-name my-role --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess | Attach policy to role |
| aws iam list-attached-role-policies --role-name my-role | List policies attached to role |
| aws iam get-policy --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess | Get policy details |
| aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::123456:user/dev --action-names s3:GetObject | Test permissions |

Lambda

| Command | Description |
|---|---|
| aws lambda list-functions | List all Lambda functions |
| aws lambda get-function --function-name my-func | Get function details |
| aws lambda invoke --function-name my-func --payload '{"key":"val"}' output.json | Invoke function synchronously |
| aws lambda invoke --function-name my-func --invocation-type Event --payload '{}' output.json | Invoke asynchronously |
| aws lambda update-function-code --function-name my-func --zip-file fileb://function.zip | Deploy new code from zip |
| aws lambda update-function-configuration --function-name my-func --memory-size 512 --timeout 30 | Update config |
| aws lambda publish-version --function-name my-func | Publish a version |
| aws lambda list-versions-by-function --function-name my-func | List versions |
| aws lambda create-alias --function-name my-func --name prod --function-version 5 | Create alias pointing to version |
| aws lambda get-function-configuration --function-name my-func | Get runtime config |

Lambda Logs

bash
# Get recent log streams
aws logs describe-log-streams \
  --log-group-name /aws/lambda/my-func \
  --order-by LastEventTime \
  --descending \
  --limit 5

# Tail live logs
aws logs tail /aws/lambda/my-func --follow

RDS (Relational Database Service)

| Command | Description |
|---|---|
| aws rds describe-db-instances | List all RDS instances |
| aws rds describe-db-instances --query 'DBInstances[*].[DBInstanceIdentifier,DBInstanceStatus,Endpoint.Address]' --output table | Clean table output |
| aws rds create-db-snapshot --db-instance-identifier mydb --db-snapshot-identifier mydb-snap | Create snapshot |
| aws rds describe-db-snapshots --db-instance-identifier mydb | List snapshots |
| aws rds restore-db-instance-from-db-snapshot --db-instance-identifier mydb-restored --db-snapshot-identifier mydb-snap | Restore from snapshot |
| aws rds stop-db-instance --db-instance-identifier mydb | Stop instance (saves cost) |
| aws rds start-db-instance --db-instance-identifier mydb | Start instance |
| aws rds modify-db-instance --db-instance-identifier mydb --db-instance-class db.r5.large --apply-immediately | Change instance type |

DANGER

--apply-immediately causes downtime for most modifications. Use --no-apply-immediately to defer to the next maintenance window.


ECS (Elastic Container Service)

Cluster & Service Management

| Command | Description |
|---|---|
| aws ecs list-clusters | List all ECS clusters |
| aws ecs describe-clusters --clusters my-cluster | Get cluster details |
| aws ecs list-services --cluster my-cluster | List services in a cluster |
| aws ecs describe-services --cluster my-cluster --services my-svc | Get service details |
| aws ecs update-service --cluster my-cluster --service my-svc --desired-count 3 | Scale service |
| aws ecs update-service --cluster my-cluster --service my-svc --force-new-deployment | Force redeploy |

Tasks

| Command | Description |
|---|---|
| aws ecs list-tasks --cluster my-cluster --service-name my-svc | List running tasks |
| aws ecs describe-tasks --cluster my-cluster --tasks arn:aws:ecs:... | Get task details |
| aws ecs stop-task --cluster my-cluster --task arn:aws:ecs:... | Stop a task |
| aws ecs run-task --cluster my-cluster --task-definition my-td:3 | Run a one-off task |
| aws ecs execute-command --cluster my-cluster --task arn --container app --interactive --command "/bin/sh" | Shell into running container |

Task Definitions

| Command | Description |
|---|---|
| aws ecs list-task-definitions | List all task definitions |
| aws ecs describe-task-definition --task-definition my-td:3 | Get task definition |
| aws ecs register-task-definition --cli-input-json file://task-def.json | Register new task definition |
| aws ecs deregister-task-definition --task-definition my-td:1 | Deregister old revision |

CloudWatch

| Command | Description |
|---|---|
| aws logs describe-log-groups | List log groups |
| aws logs tail /ecs/my-service --follow | Tail logs in real time |
| aws logs filter-log-events --log-group-name /ecs/my-svc --filter-pattern "ERROR" | Search for errors |
| aws cloudwatch list-metrics --namespace AWS/EC2 | List available metrics |
| aws cloudwatch get-metric-statistics --namespace AWS/EC2 --metric-name CPUUtilization --dimensions Name=InstanceId,Value=i-xxx --start-time 2024-01-01T00:00:00Z --end-time 2024-01-02T00:00:00Z --period 3600 --statistics Average | Get CPU stats |

Useful Patterns

Find Expensive Resources

bash
# Large S3 buckets: object count and total size per bucket
# (--summarize walks every object, so this is slow on very large buckets)
for b in $(aws s3api list-buckets --query 'Buckets[*].Name' --output text); do
  echo "== $b"
  aws s3 ls "s3://$b" --recursive --summarize 2>/dev/null | tail -n 2
done

# Running EC2 instances and their types
aws ec2 describe-instances \
  --filters "Name=instance-state-name,Values=running" \
  --query 'Reservations[*].Instances[*].[InstanceId,InstanceType,LaunchTime]' \
  --output table

Multi-Account Operations

bash
# Assume role in another account (the credentials are temporary)
# --output json guarantees jq-parsable output even if the profile defaults to table/text
CREDS=$(aws sts assume-role \
  --role-arn arn:aws:iam::TARGET_ACCOUNT:role/CrossAccountRole \
  --role-session-name my-session \
  --query 'Credentials' \
  --output json)

export AWS_ACCESS_KEY_ID=$(echo "$CREDS" | jq -r '.AccessKeyId')
export AWS_SECRET_ACCESS_KEY=$(echo "$CREDS" | jq -r '.SecretAccessKey')
export AWS_SESSION_TOKEN=$(echo "$CREDS" | jq -r '.SessionToken')

Output Formatting

bash
# Table output
aws ec2 describe-instances --output table

# JSON with jq
aws ec2 describe-instances | jq '.Reservations[].Instances[] | {id: .InstanceId, state: .State.Name}'

# Text output (great for scripting)
aws ec2 describe-instances --query 'Reservations[*].Instances[*].InstanceId' --output text

# YAML output
aws ec2 describe-instances --output yaml

TIP

Use --query (JMESPath) for server-side filtering, and jq for client-side transformation. Combine both for complex queries.


Common Flags

| Flag | Description |
|---|---|
| --profile name | Use a named profile |
| --region us-east-1 | Override region |
| --output json\|table\|text\|yaml | Output format |
| --query 'JMESPath' | Filter/transform output |
| --no-cli-pager | Disable pager for scripting |
| --dry-run | Test permissions without executing (EC2) |
| --debug | Full debug output |


Test Yourself

  1. What command verifies which AWS account and IAM identity you are using?
     Answer: aws sts get-caller-identity

  2. How do you sync a local directory to S3, deleting files in S3 that no longer exist locally?
     Answer: aws s3 sync . s3://bucket/ --delete

  3. What command generates a presigned URL valid for 1 hour?
     Answer: aws s3 presign s3://bucket/file.txt --expires-in 3600

  4. How do you invoke a Lambda function asynchronously?
     Answer: aws lambda invoke --function-name my-func --invocation-type Event --payload '{}' output.json

  5. What command tails CloudWatch logs in real time?
     Answer: aws logs tail /aws/lambda/my-func --follow

  6. How do you list only running EC2 instances?
     Answer: aws ec2 describe-instances --filters "Name=instance-state-name,Values=running"

  7. What flag switches the active AWS profile via environment variable?
     Answer: export AWS_PROFILE=staging

  8. How do you force a new deployment of an ECS service?
     Answer: aws ecs update-service --cluster my-cluster --service my-svc --force-new-deployment

  9. What flag disables the pager for scripting?
     Answer: --no-cli-pager

  10. How do you assume a role in another AWS account?
      Answer: aws sts assume-role --role-arn arn:aws:iam::TARGET:role/Role --role-session-name session

Common Gotchas

  • aws s3 sync --delete can delete production data. It removes files in the destination that are not in the source. Always double-check the sync direction (source vs destination).
  • Running destructive commands in the wrong account. Always verify with aws sts get-caller-identity before running terminate-instances, delete-bucket, or similar commands.
  • --apply-immediately on RDS causes downtime. Most RDS modifications trigger a restart. Use --no-apply-immediately to defer to the next maintenance window.
  • Forgetting --region with global services. Some resources have global names but live in a specific region: an S3 bucket name is unique across all of AWS, yet the bucket itself is created in one region. IAM is truly global, while CloudWatch metrics are regional.

One-Liner Summary

The AWS CLI is your command-line interface to every AWS service -- master sts get-caller-identity, s3 sync, --query JMESPath filters, and named profiles to operate safely across accounts.

Last updated: 2026-03-20
