# AWS CLI — Manage Amazon Web Services

> Practical guide to the AWS CLI — manage services like S3, EC2, IAM and Lambda from the terminal, with profiles, regions and JSON, text or table output.

Source: https://www.jpkc.com/db/en/cheatsheets/cloud-iac/aws/

The AWS CLI is the official command-line interface for Amazon Web Services and drives nearly every service – from S3 and EC2 through IAM to Lambda and ECS – behind a single `aws` command. Instead of clicking through the web console, you automate infrastructure reproducibly in scripts and CI pipelines. Profiles let you switch between accounts, `--region` selects the AWS Region, and `--output` together with `--query` shape the results as JSON, text or a table. This guide walks you through the commands you reach for most often day to day.

## Configure & Auth

`aws configure` — Set up AWS credentials and default region interactively. Access keys are stored in plaintext under `~/.aws/credentials` – never commit them to Git; prefer IAM roles, temporary credentials or SSO (`aws sso login`).

```bash
aws configure
```
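
One way to enforce the "never commit them" rule, as an added example that is not part of the original cheatsheet: shell helpers that flag lines shaped like AWS access key IDs and check that a credentials file is not readable by group or others. The function names are made up for this example, and the pre-commit wiring is shown only as a comment.

```bash
# Added example (not from the original page): keep AWS keys out of Git.
# Access key IDs are 20 characters: AKIA (long-lived IAM user key) or
# ASIA (temporary STS key) followed by 16 uppercase letters or digits.
KEY_ID_RE='(^|[^A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}([^A-Z0-9]|$)'

# find_key_ids FILE...
# Prints "file:line" for every line that holds a key ID (never the key
# itself). Returns 0 when something was found, 1 when all files are clean.
find_key_ids() {
  # /dev/null as an extra operand forces grep to print file names.
  hits=$(grep -En -e "$KEY_ID_RE" -- "$@" /dev/null 2>/dev/null | cut -d: -f1,2)
  [ -n "$hits" ] || return 1
  printf '%s\n' "$hits"
}

# staged_has_key_id
# For .git/hooks/pre-commit: inspects only the lines added by the staged
# change. Returns 0 when a key ID is about to be committed.
staged_has_key_id() {
  git diff --cached -U0 --no-color | grep '^+' | grep -Eq -e "$KEY_ID_RE"
}

# creds_file_private FILE
# Returns 0 when FILE grants no permissions to group or others (e.g. 0600),
# 1 when it does, 2 when FILE does not exist.
creds_file_private() {
  [ -f "$1" ] || return 2
  # Characters 5-10 of the ls mode string are the group and other bits.
  [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Hook body (place inside .git/hooks/pre-commit after sourcing this file):
#   if staged_has_key_id; then
#     echo "AWS access key ID in staged changes; commit blocked" >&2
#     exit 1
#   fi
#   creds_file_private "$HOME/.aws/credentials" ||
#     echo "warning: ~/.aws/credentials is missing or not private" >&2
```

The pattern matches key IDs only; the 40-character secret has no fixed prefix, so a hit on the ID is the signal that the secret next to it needs rotating.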

`aws configure list` — Show current configuration values and their sources.

```bash
aws configure list
```

`aws configure --profile <name>` — Configure a named profile.

```bash
aws configure --profile production
```

`aws sts get-caller-identity` — Show the current IAM user/role (verify credentials).

```bash
aws sts get-caller-identity
```

`export AWS_PROFILE=<name>` — Switch to a named profile for the current session.

```bash
export AWS_PROFILE=production
```

## S3 — Storage

`aws s3 ls` — List all S3 buckets.

```bash
aws s3 ls
```

`aws s3 ls s3://<bucket>/<prefix>` — List objects in a bucket/prefix.

```bash
aws s3 ls s3://my-bucket/uploads/
```

`aws s3 cp <file> s3://<bucket>/<key>` — Upload a file to S3.

```bash
aws s3 cp backup.tar.gz s3://my-bucket/backups/
```

`aws s3 cp s3://<bucket>/<key> <file>` — Download a file from S3.

```bash
aws s3 cp s3://my-bucket/backups/backup.tar.gz ./backup.tar.gz
```

`aws s3 sync <dir> s3://<bucket>/<prefix>` — Sync a local directory to S3 (like rsync). Caution: `--delete` removes everything in the destination that is missing locally – test it first with `--dryrun`.

```bash
aws s3 sync ./dist/ s3://my-website-bucket/ --delete
```

`aws s3 rm s3://<bucket>/<key>` — Delete an object from S3 (irreversible).

```bash
aws s3 rm s3://my-bucket/old-file.txt
```

`aws s3 rm s3://<bucket>/<prefix> --recursive` — Delete all objects under a prefix. Destructive and runs without a confirmation prompt – check what it matches first with `--dryrun`.

```bash
aws s3 rm s3://my-bucket/tmp/ --recursive
```
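
A guard for the two destructive commands above (`s3 sync --delete` and `s3 rm --recursive`), added here as an example and not part of the original cheatsheet: it runs the command with `--dryrun` first, counts the planned deletions and only proceeds when the count stays within a limit. The function names and the sample plan are constructed for illustration.

```bash
# Added example (not from the original page): dry-run guard for `aws s3`.
# With --dryrun the s3 commands print one line per planned action.

# Constructed sample of what
#   aws s3 sync ./dist/ s3://my-website-bucket/ --delete --dryrun
# could print:
SAMPLE_PLAN='(dryrun) upload: dist/index.html to s3://my-website-bucket/index.html
(dryrun) delete: s3://my-website-bucket/old/app.js
(dryrun) delete: s3://my-website-bucket/old/app.css'

# count_planned_deletes
# Reads --dryrun output on stdin and prints how many objects would be deleted.
count_planned_deletes() {
  # grep -c exits 1 when the count is 0; that is not an error here.
  grep -c '^(dryrun) delete: ' || true
}

# guarded_s3 MAX ARGS...
# Runs `aws s3 ARGS --dryrun`; only if at most MAX deletions are planned does
# it run `aws s3 ARGS` for real. Returns 3 when the limit is exceeded.
guarded_s3() {
  max=$1
  shift
  plan=$(aws s3 "$@" --dryrun) || return $?
  n=$(printf '%s\n' "$plan" | count_planned_deletes)
  if [ "$n" -gt "$max" ]; then
    echo "refusing: $n deletions planned, limit is $max" >&2
    return 3
  fi
  aws s3 "$@"
}

# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_PLAN" | count_planned_deletes   # prints 2

# Real use (needs credentials and network):
#   guarded_s3 50 sync ./dist/ s3://my-website-bucket/ --delete
#   guarded_s3 0  rm s3://my-bucket/tmp/ --recursive   # always refuses, shows the count
```

The plan and the real run are two separate calls, so the bucket can change in between if other writers are active; the limit bounds surprises, it does not remove them.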

`aws s3 mb s3://<bucket>` — Create a new S3 bucket.

```bash
aws s3 mb s3://my-new-bucket --region eu-west-1
```

## EC2 — Compute

`aws ec2 describe-instances` — List all EC2 instances in the current region.

```bash
aws ec2 describe-instances --query 'Reservations[].Instances[].{ID:InstanceId,State:State.Name,Type:InstanceType}' --output table
```

`aws ec2 start-instances --instance-ids <id>` — Start an EC2 instance.

```bash
aws ec2 start-instances --instance-ids i-1234567890abcdef0
```

`aws ec2 stop-instances --instance-ids <id>` — Stop an EC2 instance.

```bash
aws ec2 stop-instances --instance-ids i-1234567890abcdef0
```

`aws ec2 reboot-instances --instance-ids <id>` — Reboot an EC2 instance.

```bash
aws ec2 reboot-instances --instance-ids i-1234567890abcdef0
```

`aws ec2 describe-security-groups` — List all security groups in the current region.

```bash
aws ec2 describe-security-groups --output table
```

## IAM — Identity

`aws iam list-users` — List all IAM users.

```bash
aws iam list-users --output table
```

`aws iam list-roles` — List all IAM roles.

```bash
aws iam list-roles --query 'Roles[].RoleName'
```

`aws iam create-user --user-name <name>` — Create a new IAM user.

```bash
aws iam create-user --user-name deploy-bot
```

`aws iam attach-user-policy --user-name <user> --policy-arn <arn>` — Attach a policy to a user. Follow the least-privilege principle instead of blanket `*FullAccess` policies.

```bash
aws iam attach-user-policy --user-name deploy-bot --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
```

`aws iam create-access-key --user-name <user>` — Create access keys for a user. The secret key is shown only once – store it securely, never in Git or plaintext files; temporary credentials or IAM roles are the better choice.

```bash
aws iam create-access-key --user-name deploy-bot
```

## Lambda & ECS

`aws lambda list-functions` — List all Lambda functions.

```bash
aws lambda list-functions --query 'Functions[].FunctionName'
```

`aws lambda invoke --function-name <name> <output>` — Invoke a Lambda function.

```bash
aws lambda invoke --function-name my-function response.json
```

`aws ecs list-clusters` — List all ECS clusters.

```bash
aws ecs list-clusters
```

`aws ecs list-services --cluster <name>` — List services in an ECS cluster.

```bash
aws ecs list-services --cluster production
```

`aws ecs update-service --cluster <cluster> --service <service> --force-new-deployment` — Force redeploy an ECS service.

```bash
aws ecs update-service --cluster production --service web --force-new-deployment
```

## Output & Common Options

`--output <format>` — Set output format (json, table, text, yaml).

```bash
aws ec2 describe-instances --output table
```

`--query '<jmespath>'` — Filter output using JMESPath expressions.

```bash
aws s3api list-buckets --query 'Buckets[].Name'
```

`--region <region>` — Override the default region.

```bash
aws s3 ls --region eu-central-1
```

`--profile <name>` — Use a specific named profile.

```bash
aws s3 ls --profile production
```

`--no-cli-pager` — Disable the output pager (useful in scripts).

```bash
aws ec2 describe-instances --no-cli-pager
```

`aws help` — Show general help or help for a specific service.

```bash
aws s3 help
```

## Conclusion

The AWS CLI condenses the entire AWS universe into a single command, making cloud infrastructure scriptable, reproducible and version-controllable. Treat your credentials like production passwords: rely on IAM roles, SSO or temporary credentials rather than long-lived access keys, and apply the least-privilege principle throughout. For destructive operations like `s3 rm --recursive`, `s3 rb --force` or `ec2 terminate-instances`, a quick `--dryrun` (`--dry-run` for EC2 commands) or a careful check pays off, because deleted resources are gone for good.

## Further Reading

- [AWS CLI – official reference](https://docs.aws.amazon.com/cli/) – complete documentation on installation, configuration and every service command
- [AWS CLI Command Reference](https://awscli.amazonaws.com/v2/documentation/api/latest/index.html) – searchable reference for all subcommands and options
- [AWS CLI security](https://docs.aws.amazon.com/cli/latest/userguide/security.html) – best practices for credentials, profiles and IAM

## Related Commands

- [ansible](https://www.jpkc.com/db/en/cheatsheets/cloud-iac/ansible/) – agentless configuration management and provisioning
- [terraform](https://www.jpkc.com/db/en/cheatsheets/cloud-iac/terraform/) – declarative infrastructure as code for AWS and other providers

