AWS CLI — Manage Amazon Web Services
Practical guide to the AWS CLI — manage services like S3, EC2, IAM and Lambda from the terminal, with profiles, regions and JSON, text or table output.
The AWS CLI is the official command-line interface for Amazon Web Services and drives nearly every service – from S3 and EC2 through IAM to Lambda and ECS – behind a single aws command. Instead of clicking through the web console, you automate infrastructure reproducibly in scripts and CI pipelines. Profiles let you switch between accounts, --region picks the data centre, and --output together with --query shape the results as JSON, text or a table. This guide walks you through the commands you reach for most often day to day.
Configure & Auth
aws configure — Set up AWS credentials and default region interactively. Access keys are stored in plaintext under ~/.aws/credentials – never commit them to Git; prefer IAM roles, temporary credentials or SSO (aws sso login).
aws configure
aws configure list — Show current configuration values and their sources.
aws configure list
aws configure --profile <name> — Configure a named profile.
aws configure --profile production
aws sts get-caller-identity — Show the current IAM user/role (verify credentials).
aws sts get-caller-identity
export AWS_PROFILE=<name> — Switch to a named profile for the current session.
export AWS_PROFILE=production
S3 — Storage
aws s3 ls — List all S3 buckets.
aws s3 ls
aws s3 ls s3://<bucket>/<prefix> — List objects in a bucket/prefix.
aws s3 ls s3://my-bucket/uploads/
aws s3 cp <file> s3://<bucket>/<key> — Upload a file to S3.
aws s3 cp backup.tar.gz s3://my-bucket/backups/
aws s3 cp s3://<bucket>/<key> <file> — Download a file from S3.
aws s3 cp s3://my-bucket/backups/backup.tar.gz ./backup.tar.gz
aws s3 sync <dir> s3://<bucket>/<prefix> — Sync a local directory to S3 (like rsync). Caution: --delete removes everything in the destination that is missing locally – test it first with --dryrun.
aws s3 sync ./dist/ s3://my-website-bucket/ --delete
aws s3 rm s3://<bucket>/<key> — Delete an object from S3 (irreversible).
aws s3 rm s3://my-bucket/old-file.txt
aws s3 rm s3://<bucket>/<prefix> --recursive — Delete all objects under a prefix. Destructive and silent – check what it matches first with --dryrun.
aws s3 rm s3://my-bucket/tmp/ --recursive
aws s3 mb s3://<bucket> — Create a new S3 bucket.
aws s3 mb s3://my-new-bucket --region eu-west-1
EC2 — Compute
aws ec2 describe-instances — List all EC2 instances.
aws ec2 describe-instances --query 'Reservations[].Instances[].{ID:InstanceId,State:State.Name,Type:InstanceType}' --output table
aws ec2 start-instances --instance-ids <id> — Start an EC2 instance.
aws ec2 start-instances --instance-ids i-1234567890abcdef0
aws ec2 stop-instances --instance-ids <id> — Stop an EC2 instance.
aws ec2 stop-instances --instance-ids i-1234567890abcdef0
aws ec2 reboot-instances --instance-ids <id> — Reboot an EC2 instance.
aws ec2 reboot-instances --instance-ids i-1234567890abcdef0
aws ec2 describe-security-groups — List all security groups.
aws ec2 describe-security-groups --output table
IAM — Identity
aws iam list-users — List all IAM users.
aws iam list-users --output table
aws iam list-roles — List all IAM roles.
aws iam list-roles --query 'Roles[].RoleName'
aws iam create-user --user-name <name> — Create a new IAM user.
aws iam create-user --user-name deploy-bot
aws iam attach-user-policy --user-name <user> --policy-arn <arn> — Attach a policy to a user. Follow the least-privilege principle instead of blanket *FullAccess policies.
aws iam attach-user-policy --user-name deploy-bot --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess
aws iam create-access-key --user-name <user> — Create access keys for a user. The secret key is shown only once – store it securely, never in Git or plaintext files; temporary credentials or IAM roles are the better choice.
aws iam create-access-key --user-name deploy-bot
Lambda & ECS
aws lambda list-functions — List all Lambda functions.
aws lambda list-functions --query 'Functions[].FunctionName'
aws lambda invoke --function-name <name> <output> — Invoke a Lambda function.
aws lambda invoke --function-name my-function response.json
aws ecs list-clusters — List all ECS clusters.
aws ecs list-clusters
aws ecs list-services --cluster <name> — List services in an ECS cluster.
aws ecs list-services --cluster production
aws ecs update-service --cluster <cluster> --service <service> --force-new-deployment — Force redeploy an ECS service.
aws ecs update-service --cluster production --service web --force-new-deployment
Output & Common Options
--output <format> — Set output format (json, table, text, yaml).
aws ec2 describe-instances --output table
--query '<jmespath>' — Filter output using JMESPath expressions.
aws s3api list-buckets --query 'Buckets[].Name'
--region <region> — Override the default region.
aws s3 ls --region eu-central-1
--profile <name> — Use a specific named profile.
aws s3 ls --profile production
--no-cli-pager — Disable the output pager (useful in scripts).
aws ec2 describe-instances --no-cli-pager
aws help — Show general help or help for a specific service.
aws s3 help
Conclusion
The AWS CLI condenses the entire AWS universe into a single command, making cloud infrastructure scriptable, reproducible and version-controllable. Treat your credentials like production passwords: rely on IAM roles, SSO or temporary credentials rather than long-lived access keys, and apply the least-privilege principle throughout. For destructive operations like s3 rm --recursive, s3 rb --force or ec2 terminate-instances, a quick --dryrun or a careful check pays off, because deleted resources are gone for good.
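As an added example (not part of the original guide), this script audits a shared credentials file such as ~/.aws/credentials for the long-lived keys the guide advises against, and checks that the file is not readable by group or others. It assumes the standard access key ID prefixes (AKIA for IAM user keys, ASIA for temporary STS keys); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# Assumption: AKIA... ids are long-lived IAM user keys, ASIA... ids are
# temporary STS keys that are stored together with aws_session_token.

# audit_credentials <file>: print one "profile<TAB>finding" line per profile
# that stores an access key.
audit_credentials() {
    awk '
        function report() {
            if (profile == "" || key == "") return
            if (key ~ /^AKIA/)               kind = "long-lived access key"
            else if (key ~ /^ASIA/ && token) kind = "temporary credentials"
            else                             kind = "unrecognised key type"
            print profile "\t" kind
        }
        # Section header such as [default] or [production]
        /^[ \t]*\[[^]]*\]/ {
            report()
            sub(/^[ \t]*\[/, ""); sub(/\].*$/, "")
            profile = $0; key = ""; token = 0; next
        }
        /^[ \t]*aws_access_key_id[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); key = $0
        }
        /^[ \t]*aws_session_token[ \t]*=/ { token = 1 }
        END { report() }
    ' "$1"
}

# loose_permissions <file>: exit 0 if group or others have any access.
loose_permissions() {
    mode=$(ls -ld "$1" | cut -c5-10)   # group and other permission bits
    [ "$mode" != "------" ]
}
```

Run `audit_credentials ~/.aws/credentials` and rotate or remove every profile reported as a long-lived access key; `loose_permissions ~/.aws/credentials` succeeding means the file needs `chmod 600`.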
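An added example (not from the original guide) of the --dryrun check recommended for aws s3 rm --recursive: the wrapper previews the delete, counts the matches and refuses to run when the prefix is empty or the count exceeds a limit. The function names and the limit argument are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page. Function names and the
# object limit are hypothetical.

# count_matches <s3-uri>: print how many objects the delete would remove.
count_matches() {
    # Capture the preview first, so an aws failure (expired credentials,
    # wrong bucket) aborts instead of being read as "0 objects".
    preview=$(aws s3 rm "$1" --recursive --dryrun) || return 2
    printf '%s\n' "$preview" | grep -c '^(dryrun) delete: ' || true
}

# guarded_s3_rm <s3-uri> <max-objects>: delete only after a clean preview.
guarded_s3_rm() {
    uri=$1
    max=$2
    case $uri in
        s3://*/?*) ;;   # bucket plus a non-empty prefix
        *) echo "refusing: expected s3://bucket/prefix, got '$uri'" >&2
           return 64 ;;
    esac
    count=$(count_matches "$uri") || { echo "dry run failed" >&2; return 2; }
    if [ "$count" -eq 0 ]; then
        echo "nothing matches $uri"
        return 0
    fi
    if [ "$count" -gt "$max" ]; then
        echo "refusing: $count objects match $uri (limit $max)" >&2
        return 1
    fi
    aws s3 rm "$uri" --recursive
}
```

Called as `guarded_s3_rm s3://my-bucket/tmp/ 500`, it deletes only when the dry run reports between 1 and 500 objects.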
Further Reading
- AWS CLI – official reference – complete documentation on installation, configuration and every service command
- AWS CLI Command Reference – searchable reference for all subcommands and options
- AWS CLI security – best practices for credentials, profiles and IAM