AWS CLI Cheat Sheet — Complete Reference
Every AWS CLI command you need — EC2, S3, IAM, Lambda, ECS, RDS, CloudFormation, and more. Searchable and organized.
159 commands across 12 categories
Configuration
| Command | Description |
|---|---|
| `aws configure` | Set up default credentials and region interactively |
| `aws configure --profile <name>` | Configure a named profile |
| `aws configure list` | Show current configuration values and their sources |
| `aws configure list-profiles` | List all configured profiles |
| `aws sts get-caller-identity` | Verify who you're authenticated as |
| `aws --region us-west-2 <command>` | Override region for a single command |
| `aws --profile prod <command>` | Use a named profile for a single command |
| `aws --output json <command>` | Set output format (json, text, table, yaml) |
| `export AWS_PROFILE=prod` | Set default profile via environment variable |
| `export AWS_DEFAULT_REGION=eu-west-1` | Set default region via environment variable |
S3
| Command | Description |
|---|---|
| `aws s3 ls` | List all S3 buckets |
| `aws s3 ls s3://<bucket>` | List objects in a bucket |
| `aws s3 ls s3://<bucket>/<prefix> --recursive` | List all objects recursively under a prefix |
| `aws s3 mb s3://<bucket>` | Create a new S3 bucket |
| `aws s3 rb s3://<bucket>` | Remove an empty S3 bucket |
| `aws s3 rb s3://<bucket> --force` | Remove a bucket and all its contents |
| `aws s3 cp <file> s3://<bucket>/` | Upload a file to S3 |
| `aws s3 cp s3://<bucket>/<key> <file>` | Download a file from S3 |
| `aws s3 cp s3://<src> s3://<dst>` | Copy an object between S3 locations |
| `aws s3 mv <file> s3://<bucket>/` | Move a local file to S3 (the local copy is deleted) |
| `aws s3 rm s3://<bucket>/<key>` | Delete an object from S3 |
| `aws s3 rm s3://<bucket>/<prefix> --recursive` | Delete all objects under a prefix |
| `aws s3 sync <dir> s3://<bucket>/` | Sync a local directory to S3 |
| `aws s3 sync s3://<bucket>/ <dir>` | Sync an S3 bucket to a local directory |
| `aws s3 sync <dir> s3://<bucket>/ --delete` | Sync and delete files not in source |
| `aws s3 presign s3://<bucket>/<key> --expires-in 3600` | Generate a pre-signed URL (1 hour) |
| `aws s3api put-bucket-versioning --bucket <b> --versioning-configuration Status=Enabled` | Enable versioning on a bucket |
| `aws s3api get-bucket-policy --bucket <b>` | Get bucket policy |
EC2
| Command | Description |
|---|---|
| `aws ec2 describe-instances` | List all EC2 instances |
| `aws ec2 describe-instances --filters "Name=instance-state-name,Values=running"` | List running instances only |
| `aws ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId,State.Name,PublicIpAddress]' --output table` | Query specific fields with JMESPath |
| `aws ec2 run-instances --image-id <ami> --instance-type t3.micro --key-name <key> --count 1` | Launch a new EC2 instance |
| `aws ec2 run-instances --image-id <ami> --instance-type t3.micro --security-group-ids <sg-id> --subnet-id <subnet>` | Launch instance with security group and subnet |
| `aws ec2 start-instances --instance-ids <id>` | Start a stopped instance |
| `aws ec2 stop-instances --instance-ids <id>` | Stop a running instance |
| `aws ec2 reboot-instances --instance-ids <id>` | Reboot an instance |
| `aws ec2 terminate-instances --instance-ids <id>` | Terminate (delete) an instance |
| `aws ec2 describe-security-groups` | List all security groups |
| `aws ec2 create-security-group --group-name <name> --description <desc> --vpc-id <vpc>` | Create a security group |
| `aws ec2 authorize-security-group-ingress --group-id <sg> --protocol tcp --port 22 --cidr 0.0.0.0/0` | Add an inbound rule to a security group (this example allows SSH, TCP 22, from any IPv4 address; narrow the CIDR to known sources) |
| `aws ec2 revoke-security-group-ingress --group-id <sg> --protocol tcp --port 22 --cidr 0.0.0.0/0` | Remove an inbound rule from a security group |
| `aws ec2 describe-key-pairs` | List SSH key pairs |
| `aws ec2 create-key-pair --key-name <name> --query 'KeyMaterial' --output text > key.pem` | Create and save a new key pair |
| `aws ec2 describe-vpcs` | List all VPCs |
| `aws ec2 describe-subnets` | List all subnets |
| `aws ec2 create-tags --resources <id> --tags Key=Name,Value=MyInstance` | Add tags to a resource |
| `aws ec2 describe-images --owners amazon --filters "Name=name,Values=amzn2-ami-hvm-*"` | Search for Amazon Linux 2 AMIs |
| `aws ec2 allocate-address` | Allocate an Elastic IP |
| `aws ec2 associate-address --instance-id <id> --allocation-id <eip>` | Associate Elastic IP with an instance |
IAM
| Command | Description |
|---|---|
| `aws iam list-users` | List all IAM users |
| `aws iam create-user --user-name <name>` | Create a new IAM user |
| `aws iam delete-user --user-name <name>` | Delete an IAM user |
| `aws iam create-access-key --user-name <name>` | Create access keys for a user |
| `aws iam list-access-keys --user-name <name>` | List access keys for a user |
| `aws iam delete-access-key --user-name <name> --access-key-id <key>` | Delete an access key |
| `aws iam list-roles` | List all IAM roles |
| `aws iam create-role --role-name <name> --assume-role-policy-document file://trust.json` | Create a role with trust policy |
| `aws iam attach-user-policy --user-name <name> --policy-arn <arn>` | Attach a managed policy to a user |
| `aws iam attach-role-policy --role-name <name> --policy-arn <arn>` | Attach a managed policy to a role |
| `aws iam detach-role-policy --role-name <name> --policy-arn <arn>` | Detach a policy from a role |
| `aws iam list-attached-user-policies --user-name <name>` | List policies attached to a user |
| `aws iam list-policies --scope Local` | List customer-managed policies |
| `aws iam create-policy --policy-name <name> --policy-document file://policy.json` | Create a custom IAM policy |
| `aws iam list-groups` | List all IAM groups |
| `aws iam add-user-to-group --user-name <user> --group-name <group>` | Add user to a group |
Lambda
| Command | Description |
|---|---|
| `aws lambda list-functions` | List all Lambda functions |
| `aws lambda create-function --function-name <name> --runtime python3.12 --role <arn> --handler lambda_function.handler --zip-file fileb://function.zip` | Create a Lambda function from zip |
| `aws lambda invoke --function-name <name> --payload '{"key":"value"}' output.json` | Invoke a Lambda function synchronously (AWS CLI v2 needs `--cli-binary-format raw-in-base64-out` for a raw JSON payload) |
| `aws lambda invoke --function-name <name> --invocation-type Event --payload '{"key":"value"}' output.json` | Invoke asynchronously (fire and forget; same AWS CLI v2 payload note applies) |
| `aws lambda update-function-code --function-name <name> --zip-file fileb://function.zip` | Update function code |
| `aws lambda update-function-configuration --function-name <name> --timeout 30 --memory-size 256` | Update function config (timeout, memory) |
| `aws lambda get-function --function-name <name>` | Get function details and code location |
| `aws lambda delete-function --function-name <name>` | Delete a Lambda function |
| `aws lambda list-event-source-mappings --function-name <name>` | List event source mappings (SQS, Kinesis, etc.) |
| `aws lambda add-permission --function-name <name> --statement-id <id> --action lambda:InvokeFunction --principal s3.amazonaws.com --source-arn <arn>` | Grant another service permission to invoke |
| `aws lambda publish-version --function-name <name>` | Publish a new version |
| `aws lambda create-alias --function-name <name> --name prod --function-version 1` | Create an alias pointing to a version |
| `aws logs tail /aws/lambda/<name> --follow` | Tail CloudWatch logs for a Lambda function |
ECS
| Command | Description |
|---|---|
| `aws ecs list-clusters` | List all ECS clusters |
| `aws ecs create-cluster --cluster-name <name>` | Create an ECS cluster |
| `aws ecs delete-cluster --cluster <name>` | Delete an ECS cluster |
| `aws ecs list-task-definitions` | List task definitions |
| `aws ecs register-task-definition --cli-input-json file://task-def.json` | Register a new task definition |
| `aws ecs list-services --cluster <name>` | List services in a cluster |
| `aws ecs create-service --cluster <name> --service-name <svc> --task-definition <td> --desired-count 2` | Create a service |
| `aws ecs update-service --cluster <name> --service <svc> --desired-count 3` | Scale a service |
| `aws ecs update-service --cluster <name> --service <svc> --force-new-deployment` | Force a new deployment |
| `aws ecs delete-service --cluster <name> --service <svc> --force` | Delete a service |
| `aws ecs run-task --cluster <name> --task-definition <td>` | Run a one-off task |
| `aws ecs list-tasks --cluster <name> --service-name <svc>` | List running tasks |
| `aws ecs stop-task --cluster <name> --task <arn>` | Stop a running task |
| `aws ecs describe-tasks --cluster <name> --tasks <arn>` | Get task details |
| `aws ecs execute-command --cluster <name> --task <arn> --container <c> --command "/bin/sh" --interactive` | Exec into a running container (ECS Exec) |
RDS
| Command | Description |
|---|---|
| `aws rds describe-db-instances` | List all RDS instances |
| `aws rds create-db-instance --db-instance-identifier <id> --db-instance-class db.t3.micro --engine postgres --master-username admin --master-user-password <pwd> --allocated-storage 20` | Create a new RDS instance |
| `aws rds modify-db-instance --db-instance-identifier <id> --db-instance-class db.t3.small --apply-immediately` | Modify instance (resize, etc.) |
| `aws rds stop-db-instance --db-instance-identifier <id>` | Stop an RDS instance |
| `aws rds start-db-instance --db-instance-identifier <id>` | Start a stopped RDS instance |
| `aws rds delete-db-instance --db-instance-identifier <id> --skip-final-snapshot` | Delete an RDS instance without taking a final snapshot |
| `aws rds reboot-db-instance --db-instance-identifier <id>` | Reboot an RDS instance |
| `aws rds describe-db-snapshots --db-instance-identifier <id>` | List snapshots for an instance |
| `aws rds create-db-snapshot --db-instance-identifier <id> --db-snapshot-identifier <snap>` | Create a manual snapshot |
| `aws rds restore-db-instance-from-db-snapshot --db-instance-identifier <new-id> --db-snapshot-identifier <snap>` | Restore from snapshot |
| `aws rds describe-db-clusters` | List Aurora clusters |
CloudFormation
| Command | Description |
|---|---|
| `aws cloudformation create-stack --stack-name <name> --template-body file://template.yaml` | Create a stack from a template file |
| `aws cloudformation create-stack --stack-name <name> --template-url <s3-url> --parameters ParameterKey=Env,ParameterValue=prod` | Create stack with parameters |
| `aws cloudformation update-stack --stack-name <name> --template-body file://template.yaml` | Update an existing stack |
| `aws cloudformation delete-stack --stack-name <name>` | Delete a stack and its resources |
| `aws cloudformation describe-stacks --stack-name <name>` | Get stack details and status |
| `aws cloudformation list-stacks --stack-status-filter CREATE_COMPLETE UPDATE_COMPLETE` | List stacks by status |
| `aws cloudformation describe-stack-events --stack-name <name>` | View stack events (for debugging) |
| `aws cloudformation describe-stack-resources --stack-name <name>` | List resources in a stack |
| `aws cloudformation validate-template --template-body file://template.yaml` | Validate a template |
| `aws cloudformation create-change-set --stack-name <name> --change-set-name <cs> --template-body file://template.yaml` | Create a change set (preview changes) |
| `aws cloudformation execute-change-set --change-set-name <cs> --stack-name <name>` | Execute a change set |
| `aws cloudformation get-template --stack-name <name>` | Get the template for a stack |
CloudWatch
| Command | Description |
|---|---|
| `aws cloudwatch list-metrics --namespace AWS/EC2` | List available metrics for a namespace |
| `aws cloudwatch get-metric-statistics --namespace AWS/EC2 --metric-name CPUUtilization --dimensions Name=InstanceId,Value=<id> --start-time <t> --end-time <t> --period 300 --statistics Average` | Get metric statistics |
| `aws cloudwatch put-metric-data --namespace Custom --metric-name PageViews --value 1` | Publish a custom metric |
| `aws cloudwatch describe-alarms` | List all CloudWatch alarms |
| `aws cloudwatch put-metric-alarm --alarm-name <name> --metric-name CPUUtilization --namespace AWS/EC2 --statistic Average --period 300 --threshold 80 --comparison-operator GreaterThanThreshold --evaluation-periods 2 --alarm-actions <sns-arn>` | Create a metric alarm |
| `aws cloudwatch delete-alarms --alarm-names <name>` | Delete an alarm |
| `aws logs describe-log-groups` | List CloudWatch log groups |
| `aws logs tail <log-group> --follow` | Tail a log group in real-time |
| `aws logs filter-log-events --log-group-name <group> --filter-pattern "ERROR"` | Search logs with filter pattern |
| `aws logs create-log-group --log-group-name <name>` | Create a log group |
| `aws logs put-retention-policy --log-group-name <name> --retention-in-days 30` | Set log retention policy |
SQS & SNS
| Command | Description |
|---|---|
| `aws sqs create-queue --queue-name <name>` | Create an SQS queue |
| `aws sqs list-queues` | List all SQS queues |
| `aws sqs send-message --queue-url <url> --message-body '{"key":"value"}'` | Send a message to a queue |
| `aws sqs receive-message --queue-url <url> --max-number-of-messages 10` | Receive messages from a queue |
| `aws sqs delete-message --queue-url <url> --receipt-handle <handle>` | Delete a message after processing |
| `aws sqs purge-queue --queue-url <url>` | Purge all messages from a queue |
| `aws sqs get-queue-attributes --queue-url <url> --attribute-names All` | Get queue attributes (message count, etc.) |
| `aws sqs delete-queue --queue-url <url>` | Delete a queue |
| `aws sns list-topics` | List all SNS topics |
| `aws sns create-topic --name <name>` | Create an SNS topic |
| `aws sns publish --topic-arn <arn> --message "Hello"` | Publish a message to an SNS topic |
| `aws sns subscribe --topic-arn <arn> --protocol email --notification-endpoint user@example.com` | Subscribe to a topic |
| `aws sns list-subscriptions-by-topic --topic-arn <arn>` | List subscriptions for a topic |
Route 53
| Command | Description |
|---|---|
| `aws route53 list-hosted-zones` | List all hosted zones |
| `aws route53 create-hosted-zone --name example.com --caller-reference <unique-id>` | Create a hosted zone |
| `aws route53 list-resource-record-sets --hosted-zone-id <id>` | List DNS records in a hosted zone |
| `aws route53 change-resource-record-sets --hosted-zone-id <id> --change-batch file://changes.json` | Create/update/delete DNS records |
| `aws route53 get-hosted-zone --id <id>` | Get hosted zone details |
| `aws route53 delete-hosted-zone --id <id>` | Delete a hosted zone |
| `aws route53 test-dns-answer --hosted-zone-id <id> --record-name example.com --record-type A` | Test DNS resolution |
Common Patterns
| Command | Description |
|---|---|
| `aws <service> <command> --query '<jmespath>' --output text` | Filter output with JMESPath query |
| `aws <service> wait <waiter>` (e.g. `aws ec2 wait instance-running --instance-ids i-1234`) | Wait for a resource to reach a state |
| `aws <service> <command> --no-paginate` | Disable automatic pagination |
| `aws <service> <command> --dry-run` | Test permissions without making changes (EC2) |
| `aws <service> <command> --cli-input-json file://input.json` | Read command input from a JSON file |
| `aws <service> <command> --generate-cli-skeleton` | Generate a JSON skeleton for --cli-input-json |
| `for id in $(aws ec2 describe-instances --query 'Reservations[*].Instances[*].InstanceId' --output text); do echo "$id"; done` | Loop through resources with shell scripting |
| `aws ecr get-login-password \| docker login --username AWS --password-stdin <account>.dkr.ecr.<region>.amazonaws.com` | Authenticate Docker to ECR |
| `aws ecr create-repository --repository-name <name>` | Create an ECR container repository |
| `aws ssm start-session --target <instance-id>` | Start a Session Manager session (no SSH needed) |
| `aws ssm get-parameter --name <name> --with-decryption` | Get a parameter from Parameter Store |
| `aws ssm put-parameter --name <name> --value <val> --type SecureString` | Store a secret in Parameter Store |