AWS CLI Cheatsheet

Essential AWS CLI Commands for Cloud Operations

Category: Cloud Computing
Level: Intermediate

AWS CLI quick reference covering configuration, EC2, S3, IAM, ECS, Lambda, and CloudWatch. Essential commands for cloud engineers, developers, and DevOps professionals.

🔧 Setup & Configuration

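# Install AWS CLI (macOS)
brew install awscli

# Install AWS CLI (Linux)
# The installer runs as root, so check the download's PGP signature before
# unpacking it. Import the AWS CLI team's public key (published in the AWS CLI
# install guide) into your keyring first; gpg --verify fails without it.
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig" -o "awscliv2.sig"
# Install only when the signature check succeeds.
gpg --verify awscliv2.sig awscliv2.zip && unzip awscliv2.zip && sudo ./aws/install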

# Configure default profile
# Prompts for an access key ID and secret key and writes them unencrypted to
# ~/.aws/credentials. Where IAM Identity Center is available, `aws configure sso`
# sets up a profile that uses short-lived credentials instead.
aws configure

# Configure named profile
# Separate profiles per account/environment make it harder to run a command
# against the wrong account.
aws configure --profile production

# View configuration
# Shows which profile, region and credential source are in effect; the key
# values are printed only partially.
aws configure list
aws configure list --profile production

# Use named profile for a command
aws s3 ls --profile production

# Set default profile for session
# Every later command in this shell runs against "production" until the
# variable is unset, so prefer --profile for one-off destructive commands.
export AWS_PROFILE=production

# Override region for one command
aws ec2 describe-instances --region eu-west-1

# Check current identity
# Returns the account ID and the ARN of the calling principal; run it before
# any change to confirm you are in the intended account and role.
aws sts get-caller-identity

# Useful global flags
# Note: --dry-run is not a global flag; it is a per-command option (mainly on
# EC2 operations). The high-level `aws s3` commands use --dryrun instead.
--region us-east-1          # Override region
--profile my-profile        # Use specific profile
--output json               # Output format: json, text, table
--query "key.path"          # JMESPath query to filter output (applied client-side)
--dry-run                   # Check permissions without making the change (supported commands only)
--no-cli-pager              # Disable pager for long output

🖥️ EC2 — Elastic Compute Cloud

# List instances
# The second form uses a JMESPath --query to print ID, state and public IP only.
aws ec2 describe-instances
aws ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId,State.Name,PublicIpAddress]' --output table

# Filter by state
aws ec2 describe-instances --filters "Name=instance-state-name,Values=running"

# Filter by tag
aws ec2 describe-instances --filters "Name=tag:Name,Values=my-server"

# Start / Stop / Reboot instances
aws ec2 start-instances --instance-ids i-1234567890abcdef0
aws ec2 stop-instances --instance-ids i-1234567890abcdef0
aws ec2 reboot-instances --instance-ids i-1234567890abcdef0

# Terminate instance
# Termination cannot be undone. Append --dry-run first to confirm the caller
# and the instance ID without terminating anything; termination protection
# (modify-instance-attribute --disable-api-termination) guards critical hosts.
aws ec2 terminate-instances --instance-ids i-1234567890abcdef0

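# Launch instance
# --metadata-options "HttpTokens=required" makes the instance accept only
# IMDSv2 (session-token) metadata requests from first boot. Drop it only if
# software on the instance still depends on token-less IMDSv1 calls.
# The IDs below (AMI, security group, subnet) are sample values; the security
# group chosen here decides what can reach the instance.
aws ec2 run-instances \
  --image-id ami-0c55b159cbfafe1f0 \
  --instance-type t3.micro \
  --key-name my-keypair \
  --security-group-ids sg-12345678 \
  --subnet-id subnet-12345678 \
  --metadata-options "HttpTokens=required" \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=my-server}]'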

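# Create key pair
# The private key is returned only once, at creation. Writing it inside a
# subshell with umask 077 means a newly created file is never readable by
# other local users, not even in the gap before chmod runs.
(umask 077 && aws ec2 create-key-pair --key-name my-keypair --query 'KeyMaterial' --output text > my-keypair.pem)
# Read-only for the owner; ssh refuses private keys with looser permissions.
chmod 400 my-keypair.pem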

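# List AMIs (your own)
aws ec2 describe-images --owners self

# Security groups
aws ec2 describe-security-groups
aws ec2 create-security-group --group-name my-sg --description "My security group" --vpc-id vpc-12345678
# Allow SSH from a known admin address only. 203.0.113.10/32 is a constructed
# sample from the documentation range; substitute your own source CIDR.
# A rule with --cidr 0.0.0.0/0 exposes port 22 to the whole internet.
aws ec2 authorize-security-group-ingress --group-id sg-12345678 --protocol tcp --port 22 --cidr 203.0.113.10/32
# Revoke must name the same protocol, port and CIDR as the rule being removed.
aws ec2 revoke-security-group-ingress --group-id sg-12345678 --protocol tcp --port 22 --cidr 203.0.113.10/32
# Audit: list groups that have an ingress rule open to any IPv4 address
aws ec2 describe-security-groups --filters "Name=ip-permission.cidr,Values=0.0.0.0/0" --query 'SecurityGroups[*].[GroupId,GroupName]' --output table
aws ec2 delete-security-group --group-id sg-12345678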

# Elastic IPs
# allocate-address reserves a public IPv4 address for the account,
# associate-address attaches it to an instance, and release-address gives it
# back. Associating one makes the instance publicly addressable, so check its
# security groups first.
aws ec2 allocate-address --domain vpc
aws ec2 associate-address --instance-id i-1234567890abcdef0 --allocation-id eipalloc-12345678
aws ec2 release-address --allocation-id eipalloc-12345678

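# Instance metadata (run from inside instance)
# IMDSv2: request a session token with PUT, then send it as a header on every
# read. Plain GETs without a token are IMDSv1, which is rejected once the
# instance is set to require tokens, and which lets a request-forwarding flaw
# in an application on the instance read the role's credentials.
TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/public-ipv4
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id

# Require IMDSv2 on an existing instance (run from a workstation, not the instance)
aws ec2 modify-instance-metadata-options --instance-id i-1234567890abcdef0 --http-tokens required --http-endpoint enabled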

🗄️ S3 — Simple Storage Service

# List buckets
aws s3 ls

# List objects in bucket
aws s3 ls s3://my-bucket
aws s3 ls s3://my-bucket/prefix/
aws s3 ls s3://my-bucket --recursive

# Create bucket (us-east-1 doesn't need LocationConstraint)
# Bucket names are globally unique and appear in URLs, so avoid putting
# sensitive names (customer, project codename) in them.
aws s3 mb s3://my-unique-bucket-name
aws s3 mb s3://my-bucket --region eu-west-1

# Copy files
aws s3 cp file.txt s3://my-bucket/
aws s3 cp file.txt s3://my-bucket/path/file.txt
aws s3 cp s3://my-bucket/file.txt ./local/

# Sync directory (efficient — only copies changed files)
# Add --dryrun to any cp/sync/mv/rm to print what would happen without doing it.
aws s3 sync ./local-dir s3://my-bucket/prefix/
aws s3 sync s3://my-bucket/prefix/ ./local-dir
aws s3 sync ./local-dir s3://my-bucket/ --delete  # Delete files not in source; a wrong or empty source dir empties the destination

# Move / Rename
# mv removes the source after copying it to the destination.
aws s3 mv file.txt s3://my-bucket/
aws s3 mv s3://my-bucket/old-name.txt s3://my-bucket/new-name.txt

# Delete
# Without versioning these deletions are permanent. Run the rm commands with
# --dryrun first to see exactly which keys would be removed.
aws s3 rm s3://my-bucket/file.txt
aws s3 rm s3://my-bucket/ --recursive
aws s3 rb s3://my-bucket                     # Remove empty bucket
aws s3 rb s3://my-bucket --force             # Remove bucket and all contents (old object versions in a versioned bucket are not removed, so the bucket delete then fails)

# Presigned URL (temporary access — default 3600 seconds)
# The URL is a bearer credential: anyone who obtains it can fetch the object
# until it expires, with no further authentication. Keep --expires-in as short
# as the use case allows. A URL signed with temporary (role/session)
# credentials stops working when those credentials expire, even if
# --expires-in is longer.
aws s3 presign s3://my-bucket/file.txt
aws s3 presign s3://my-bucket/file.txt --expires-in 86400   # 24 hours

# Set public access block
# All four settings true: public ACLs and public bucket policies are rejected
# or ignored for this bucket. The same block can be applied to the whole
# account with `aws s3control put-public-access-block`.
aws s3api put-public-access-block \
  --bucket my-bucket \
  --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

# Enable versioning
# With versioning on, overwrites and deletes keep the previous object version,
# which allows recovery from accidental or malicious deletion.
aws s3api put-bucket-versioning \
  --bucket my-bucket \
  --versioning-configuration Status=Enabled

# Get bucket size
# --summarize appends total object count and total size; tail -2 keeps only
# those two lines. This lists every object, so it is slow on large buckets.
aws s3 ls s3://my-bucket --recursive --human-readable --summarize | tail -2

👤 IAM — Identity and Access Management

# Users
# delete-user fails while the user still has access keys, attached policies or
# group memberships; remove those first.
aws iam list-users
aws iam create-user --user-name alice
aws iam delete-user --user-name alice
aws iam get-user --user-name alice

# Access keys
# create-access-key prints the secret key once, to stdout; it cannot be
# retrieved later. These are long-lived credentials, so prefer roles or SSO
# where possible and rotate keys that must exist.
# When retiring a key, set it Inactive first (last command), confirm nothing
# breaks (`aws iam get-access-key-last-used` shows recent use), then delete it.
# AKIAIOSFODNN7EXAMPLE is a sample key ID.
aws iam create-access-key --user-name alice
aws iam list-access-keys --user-name alice
aws iam delete-access-key --user-name alice --access-key-id AKIAIOSFODNN7EXAMPLE
aws iam update-access-key --user-name alice --access-key-id AKIAIOSFODNN7EXAMPLE --status Inactive

# Groups
aws iam list-groups
aws iam create-group --group-name developers
aws iam add-user-to-group --user-name alice --group-name developers
aws iam remove-user-from-group --user-name alice --group-name developers

# Policies
# The list-attached-* commands show managed policies only. Inline policies are
# listed separately (list-user-policies, list-group-policies,
# list-role-policies), so an access review needs both.
# Attaching policies to groups or roles rather than to individual users keeps
# permissions easier to audit.
aws iam list-policies --scope Local    # Custom policies
aws iam list-attached-user-policies --user-name alice
aws iam attach-user-policy --user-name alice --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
aws iam detach-user-policy --user-name alice --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
aws iam list-attached-group-policies --group-name developers

# Roles
# get-role also returns the trust policy (AssumeRolePolicyDocument), i.e. who
# is allowed to assume the role; review it together with the attached policies.
aws iam list-roles
aws iam get-role --role-name my-lambda-role
aws iam list-attached-role-policies --role-name my-lambda-role

# Password policy
# Applies to IAM user console passwords in this account.
# update-account-password-policy does not do partial updates: any option left
# out of the command reverts to its default, so always pass the full policy.
# Read the current one with get-account-password-policy before changing it.
aws iam get-account-password-policy
aws iam update-account-password-policy \
  --minimum-password-length 14 \
  --require-uppercase-characters \
  --require-lowercase-characters \
  --require-numbers \
  --require-symbols \
  --max-password-age 90

📦 ECS — Elastic Container Service

# Clusters
aws ecs list-clusters
aws ecs create-cluster --cluster-name my-cluster
aws ecs delete-cluster --cluster my-cluster
aws ecs describe-clusters --clusters my-cluster

# Task definitions
# Values under "environment" in a task definition are returned in clear text by
# describe-task-definition; reference sensitive values through the "secrets"
# field (Secrets Manager / SSM Parameter Store) instead.
aws ecs list-task-definitions
aws ecs describe-task-definition --task-definition my-task:1
aws ecs register-task-definition --cli-input-json file://task-definition.json
aws ecs deregister-task-definition --task-definition my-task:1

# Services
# my-task:1 pins a specific task definition revision.
# --force-new-deployment restarts the service's tasks without changing the
# task definition.
aws ecs list-services --cluster my-cluster
aws ecs describe-services --cluster my-cluster --services my-service
aws ecs create-service --cluster my-cluster --service-name my-service --task-definition my-task:1 --desired-count 2
aws ecs update-service --cluster my-cluster --service my-service --desired-count 3
aws ecs update-service --cluster my-cluster --service my-service --force-new-deployment
aws ecs delete-service --cluster my-cluster --service my-service

# Tasks
# run-task below omits the revision (my-task), which selects the latest ACTIVE
# revision of the family.
# assignPublicIp=ENABLED gives the task a public IP address; its exposure is
# then governed by the listed security group. Use DISABLED for tasks in private
# subnets that reach the internet through a NAT gateway or VPC endpoints.
aws ecs list-tasks --cluster my-cluster
aws ecs describe-tasks --cluster my-cluster --tasks task-id
aws ecs run-task --cluster my-cluster --task-definition my-task --launch-type FARGATE \
  --network-configuration "awsvpcConfiguration={subnets=[subnet-12345],securityGroups=[sg-12345],assignPublicIp=ENABLED}"
aws ecs stop-task --cluster my-cluster --task task-id

λ Lambda

# List functions
aws lambda list-functions
aws lambda list-functions --query 'Functions[*].[FunctionName,Runtime]' --output table

# Get function info
# get-function-configuration returns the function's environment variables in
# clear text, along with its execution role and other settings.
aws lambda get-function --function-name my-function
aws lambda get-function-configuration --function-name my-function

# Invoke function
# The function's response body is written to output.json.
# --cli-binary-format raw-in-base64-out lets AWS CLI v2 accept the payload as
# raw JSON; without it v2 expects the payload to be base64-encoded.
aws lambda invoke --function-name my-function output.json
aws lambda invoke --function-name my-function \
  --payload '{"key":"value"}' \
  --cli-binary-format raw-in-base64-out \
  output.json && cat output.json

# Deploy (update code)
# fileb:// uploads the zip as binary.
aws lambda update-function-code \
  --function-name my-function \
  --zip-file fileb://function.zip

# Update from S3
# Whoever can write s3://my-bucket/function.zip controls what gets deployed,
# so restrict write access to that bucket and key.
aws lambda update-function-code \
  --function-name my-function \
  --s3-bucket my-bucket \
  --s3-key function.zip

# Update environment variables
# --environment replaces the function's whole variable set: any existing
# variable not listed here is removed. Fetch the current set first with
# get-function-configuration and resend it in full.
# Variables are readable by anyone allowed to call GetFunctionConfiguration,
# so keep credentials (such as the password part of a DB URL) in Secrets
# Manager or SSM Parameter Store and have the function fetch them at runtime.
aws lambda update-function-configuration \
  --function-name my-function \
  --environment "Variables={KEY=value,DB_URL=postgres://...}"

# View logs
aws logs tail /aws/lambda/my-function --follow

# Delete function
aws lambda delete-function --function-name my-function

📊 CloudWatch Logs

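# List log groups
aws logs describe-log-groups
aws logs describe-log-groups --log-group-name-prefix /aws/lambda/

# List log streams
aws logs describe-log-streams --log-group-name /aws/lambda/my-function

# Get log events
# The stream name must be single-quoted: inside double quotes the shell expands
# $LATEST as a variable (normally empty), so the request would ask for the
# stream "2026/01/15/[]abc123" and fail to find it.
aws logs get-log-events \
  --log-group-name /aws/lambda/my-function \
  --log-stream-name '2026/01/15/[$LATEST]abc123'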

# Tail logs (AWS CLI v2)
# --follow streams new events until interrupted; --since 1h starts one hour back.
aws logs tail /aws/lambda/my-function
aws logs tail /aws/lambda/my-function --follow
aws logs tail /aws/lambda/my-function --since 1h

# Filter log events
# Searches every stream in the log group for events matching the pattern.
aws logs filter-log-events \
  --log-group-name /aws/lambda/my-function \
  --filter-pattern "ERROR"

# Delete log group
# Permanently deletes the group and all log events stored in it. Export or
# archive anything needed for audit or incident investigation first.
aws logs delete-log-group --log-group-name /my/log/group

🔐 Secrets Manager

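# Create a secret
# Pass the value with file:// rather than inline: a secret typed on the command
# line is saved in shell history and is visible in the process list while the
# command runs. The file's bytes become the secret verbatim (including any
# trailing newline), so write it without one, keep it mode 600, and delete it
# once the secret is stored. The file names here are sample names.
aws secretsmanager create-secret \
  --name my-app/db-password \
  --secret-string file://db-password.txt

# Create from JSON
# config.json holds the key/value document, e.g. {"username":"...","password":"..."}
aws secretsmanager create-secret \
  --name my-app/config \
  --secret-string file://config.json

# Get a secret value
# Both forms print the secret to the terminal; the second prints only the
# value. Avoid running them where output is logged or recorded (CI logs,
# shared screens, terminal capture).
aws secretsmanager get-secret-value --secret-id my-app/db-password
aws secretsmanager get-secret-value --secret-id my-app/db-password --query SecretString --output text

# Update a secret
# Stores a new version of the secret; the value again comes from a file.
aws secretsmanager put-secret-value \
  --secret-id my-app/db-password \
  --secret-string file://new-db-password.txt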

# List secrets
# Returns secret names and metadata, not the secret values.
aws secretsmanager list-secrets

# Delete secret
# The first form schedules deletion after a recovery window (30 days by
# default), during which `aws secretsmanager restore-secret` can undo it.
# --force-delete-without-recovery deletes immediately and cannot be undone.
aws secretsmanager delete-secret --secret-id my-app/db-password
aws secretsmanager delete-secret --secret-id my-app/db-password --force-delete-without-recovery

⚡ Useful Query Patterns

# Get only running instance IDs
# --filters is evaluated by the service; --query then trims the response on
# the client.
aws ec2 describe-instances \
  --filters "Name=instance-state-name,Values=running" \
  --query "Reservations[*].Instances[*].InstanceId" \
  --output text

# Get instance ID and public IP as table
# Tags[?Key=='Name'].Value|[0] picks the value of the Name tag. Instances that
# show a public IP here are directly addressable from the internet, which makes
# this a quick exposure inventory.
aws ec2 describe-instances \
  --query "Reservations[*].Instances[*].[InstanceId,PublicIpAddress,Tags[?Key=='Name'].Value|[0]]" \
  --output table

# Get S3 bucket names only
aws s3api list-buckets --query "Buckets[*].Name" --output text

# Get Lambda function names and runtimes
# Useful for spotting functions still on old runtimes.
aws lambda list-functions \
  --query "Functions[*].[FunctionName,Runtime,LastModified]" \
  --output table

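# Get ECS services and their status
# List the service ARNs first so that a cluster with no services is reported
# clearly instead of failing on an empty --services argument.
# describe-services accepts only a limited number of services per call (10 at
# the time of writing; confirm in the API reference), so batch the ARNs for
# larger clusters.
service_arns=$(aws ecs list-services --cluster my-cluster --query "serviceArns[*]" --output text)
if [ -n "$service_arns" ]; then
  # Word splitting is intended here: each ARN must be its own argument.
  # shellcheck disable=SC2086
  aws ecs describe-services \
    --cluster my-cluster \
    --services $service_arns \
    --query "services[*].[serviceName,status,runningCount,desiredCount]" \
    --output table
else
  echo "no services found in my-cluster" >&2
fi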
