Quick Reference · Amazon Web Services Command Line Interface v2

aws cli cheat sheet

Every AWS CLI call follows the same pattern: aws <service> <action> [options]. Master the global flags (--output, --query, --profile, --region) and you can drive any of 200+ services from the terminal.


Cross-referenced from: docs.aws.amazon.com/cli/latest · devhints.io/awscli · bluematador.com/learn/aws-cli-cheatsheet · gist.github.com/apolloclark · pluralsight.com S3 cheatsheet

Command anatomy — every service, every action, same shape
    aws   <service>           <action>               [global options]
    aws   s3 · ec2 · iam …    describe-instances     --profile prod --region us-east-1 --output json --query '…' --filters '…'
    ^     ^                   ^                      ^
    binary service            action / sub-command   global options (any order, any service)

    $ aws ec2 describe-instances --filters Name=instance-state-name,Values=running --query 'Reservations[].Instances[].[InstanceId,InstanceType]'
      BINARY SERVICE ACTION OPTIONS
01 Install & Setup (first-time)

Credentials precedence: env vars → CLI flags → ~/.aws/credentials → IAM instance role. An instance role is the recommended production approach — no local keys needed.
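A preflight guard that puts the "confirm which account/role you're in" habit into a script: it resolves the caller identity through whatever credential source wins the precedence chain and refuses to continue if the account or role is not the expected one. This is an added example, not code from the cheat sheet or the AWS docs it cites; the AWS_CLI override hook, the EXPECTED_ACCOUNT/EXPECTED_ROLE variables and the account id and role name are assumptions and placeholders.

```shell
#!/bin/sh
# Added example: preflight identity check before any mutating AWS CLI call.
# AWS_CLI is an assumed override hook so the guard can be exercised with a stub
# instead of the real binary; the account id and role name are placeholders.

# Indirection: a stub function or alternative binary can be substituted for "aws".
aws_cli() { "${AWS_CLI:-aws}" "$@"; }

# Account id the current credentials resolve to (from env vars, flags,
# ~/.aws/credentials or an instance role, whichever wins the precedence chain).
current_account() {
  aws_cli sts get-caller-identity --query Account --output text
}

# ARN of the caller, e.g. arn:aws:sts::<account>:assumed-role/<role>/<session>.
current_arn() {
  aws_cli sts get-caller-identity --query Arn --output text
}

# Exit status 0 only when the live identity is in the expected account;
# 2 when the identity call itself fails (missing or expired credentials).
assert_account() {
  expected=$1
  actual=$(current_account) || return 2
  [ "$actual" = "$expected" ]
}

# Exit status 0 only when the caller is the expected IAM role (assumed or direct).
assert_role() {
  expected_role=$1
  arn=$(current_arn) || return 2
  case "$arn" in
    *":assumed-role/$expected_role/"*|*":role/$expected_role") return 0 ;;
    *) return 1 ;;
  esac
}

# Usage (placeholder values):
#   EXPECTED_ACCOUNT=111111111111 EXPECTED_ROLE=deploy-readonly sh preflight.sh && aws s3 sync ./build s3://my-bucket/
if [ -n "${EXPECTED_ACCOUNT:-}" ]; then
  assert_account "$EXPECTED_ACCOUNT" || { echo "refusing: not in account $EXPECTED_ACCOUNT" >&2; exit 1; }
  if [ -n "${EXPECTED_ROLE:-}" ]; then
    assert_role "$EXPECTED_ROLE" || { echo "refusing: caller is not role $EXPECTED_ROLE" >&2; exit 1; }
  fi
  echo "ok: $(current_arn)"
fi
```

Chaining the guard with `&&` in front of a deploy or cleanup command means a wrong `--profile` or a stale `AWS_PROFILE` stops the run before anything is touched; the return code 2 lets a caller distinguish "wrong account" from "no usable credentials".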

02 Global Flags (work with every service)
03 Filtering Output with jq (parse JSON like a pro)

Tip: install jq with brew install jq or apt install jq. It turns verbose JSON into scriptable one-liners.
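Three jq filters over describe-instances output, as an added example (not from the cheat sheet or the guides it cites): a tab-delimited id/Name listing, an inventory of running instances that carry a public IP, and a per-tag count. The JSON is constructed sample output with made-up instance ids, addresses and tags; in real use the same filters are fed by `aws ec2 describe-instances --output json`.

```shell
#!/bin/sh
# Added example: jq filters for describe-instances JSON. SAMPLE_JSON is
# constructed sample output, not a real capture.

SAMPLE_JSON='{"Reservations":[{"Instances":[
  {"InstanceId":"i-0aaa111","InstanceType":"t3.micro","State":{"Name":"running"},
   "PublicIpAddress":"203.0.113.10","Tags":[{"Key":"Name","Value":"web-1"},{"Key":"env","Value":"prod"}]},
  {"InstanceId":"i-0bbb222","InstanceType":"m5.large","State":{"Name":"stopped"},
   "Tags":[{"Key":"Name","Value":"batch-1"},{"Key":"env","Value":"dev"}]},
  {"InstanceId":"i-0ccc333","InstanceType":"t3.small","State":{"Name":"running"},
   "PublicIpAddress":"203.0.113.11","Tags":[{"Key":"Name","Value":"web-2"},{"Key":"env","Value":"prod"}]}
]}]}'

# "InstanceId<TAB>Name" per instance; -r drops JSON quotes, @tsv emits tab-delimited rows,
# and // "-" fills in when an instance has no Name tag.
list_instances() {
  printf '%s' "$SAMPLE_JSON" | jq -r '
    .Reservations[].Instances[]
    | [ .InstanceId, (.Tags[]? | select(.Key=="Name") | .Value) // "-" ]
    | @tsv'
}

# Ids of running instances that have a public IP: a quick exposure inventory.
public_running_ids() {
  printf '%s' "$SAMPLE_JSON" | jq -r '
    .Reservations[].Instances[]
    | select(.State.Name=="running" and has("PublicIpAddress"))
    | .InstanceId'
}

# "env<TAB>count" per env tag, sorted by tag value; instances without the tag count as "untagged".
count_by_env() {
  printf '%s' "$SAMPLE_JSON" | jq -r '
    [ .Reservations[].Instances[]
      | ((.Tags[]? | select(.Key=="env") | .Value) // "untagged") ]
    | group_by(.) | map([.[0], length] | @tsv) | .[]'
}

# Live usage: aws ec2 describe-instances --output json | jq -r '<filter>'
list_instances
public_running_ids
count_by_env
```

The `?` after `.Tags[]` keeps the filter from aborting on an instance with no Tags array at all, which is the usual way a one-liner breaks on a fleet that is only partly tagged.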

04 S3 — Buckets (s3 · s3api)
05 S3 — Objects (cp · mv · rm · sync · presign)

s3 vs s3api: s3 = high-level shortcuts (cp, sync, mb). s3api = raw API access for policies, ACLs, versioning.

06 EC2 — Instances (virtual machines)
07 EC2 — Security Groups & VPC (firewall rules)
08 EC2 — Key Pairs & AMIs (SSH keys · machine images)
09 IAM — Users & Access Keys (identity)
10 IAM — Groups, Policies & Roles (permissions)
11 Lambda (serverless functions)
12 RDS — Relational Databases (MySQL · Postgres · Aurora)
13 DynamoDB (NoSQL key–value & document store)
14 ECS & EKS (containers)
15 CloudWatch (metrics · alarms · logs)
16 Route 53 (DNS management)

Change-batch: use Action CREATE, UPSERT (create or update), or DELETE in the JSON file.
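The change-batch workflow end to end, as an added example (not from the cheat sheet): a function that validates the action, fully qualifies the record name and writes the JSON file, and a second one that applies it and returns the change id for polling. The hosted zone id, record name and address are placeholders.

```shell
#!/bin/sh
# Added example: generate and apply a Route 53 change batch.
# Zone id, record name and address below are placeholders.

# Writes a one-change batch file.
#   $1 = CREATE | UPSERT | DELETE   $2 = record name   $3 = record type
#   $4 = value                      $5 = TTL           $6 = output file
write_change_batch() {
  action=$1; name=$2; type=$3; value=$4; ttl=$5; out=$6
  case "$action" in
    CREATE|UPSERT|DELETE) ;;
    *) echo "invalid action: $action (use CREATE, UPSERT or DELETE)" >&2; return 1 ;;
  esac
  # Route 53 names are fully qualified; add the trailing dot if it is missing.
  case "$name" in
    *.) ;;
    *) name="$name." ;;
  esac
  cat > "$out" <<EOF
{
  "Comment": "$action $type record for $name",
  "Changes": [
    {
      "Action": "$action",
      "ResourceRecordSet": {
        "Name": "$name",
        "Type": "$type",
        "TTL": $ttl,
        "ResourceRecords": [ { "Value": "$value" } ]
      }
    }
  ]
}
EOF
}

# Applies the batch and prints the change id so the caller can wait for INSYNC.
apply_change_batch() {
  zone_id=$1; file=$2
  aws route53 change-resource-record-sets \
    --hosted-zone-id "$zone_id" \
    --change-batch "file://$file" \
    --query 'ChangeInfo.Id' --output text
}

# Usage (placeholder zone id):
#   write_change_batch UPSERT app.example.com A 203.0.113.10 300 /tmp/app-a.json
#   id=$(apply_change_batch Z0000000PLACEHOLDER /tmp/app-a.json)
#   aws route53 wait resource-record-sets-changed --id "$id"
```

For DELETE the record set in the file has to match the existing record exactly (name, type, TTL and values), which is why the same function is used to build the delete batch rather than hand-editing one.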

17 CloudFront & ELB (CDN · load balancers)
18 SNS & SQS (pub/sub · queues)
19 CloudTrail & Secrets Manager (audit · secure secrets)

Key mental models

Three diagrams that unlock how S3, IAM, and jq filtering actually work — drawn from the official docs and community guides.

S3 object hierarchy

No real folders — just a key that looks like a path. The bucket is the top-level namespace; everything below is an object key.

AWS Account
  s3://my-bucket/              globally unique name · region-specific storage
    images/                    (prefix)
      logo.png
      hero.jpg
    backup/2026/               (prefix)
      db.tar.gz
      logs.zip

IAM: who → what → resource

Permissions flow from a principal (user/role/group) through a policy to an action on a resource, identified by its ARN.

Principal (user or role)  →  Policy (attached JSON; Effect: Allow / Effect: Deny)  →  Resource ARN (S3 / EC2 / RDS …)

ARN format examples:
  arn:aws:s3:::my-bucket
  arn:aws:ec2:us-east-1:123456789:instance/i-xxx
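Two pieces of the principal → policy → resource model in working form, as an added example (not from the cheat sheet): an ARN splitter that handles the resource part containing its own colons, and a least-privilege inline policy that lets one principal list and read a single prefix of one bucket. The bucket, prefix, user name and account id are placeholders; `put-user-policy` and `simulate-principal-policy` are real iam sub-commands.

```shell
#!/bin/sh
# Added example: parse ARNs and emit a least-privilege S3 policy.
# Bucket, prefix, user and account values are placeholders.

# Prints one field of an ARN: partition | service | region | account | resource.
# The resource part may itself contain ':' (lambda function ARNs, for instance),
# so it is "everything after the fifth colon", not a single cut field.
arn_field() {
  arn=$1; field=$2
  case "$arn" in arn:*) ;; *) echo "not an ARN: $arn" >&2; return 1 ;; esac
  case "$field" in
    partition) printf '%s\n' "$arn" | cut -d: -f2 ;;
    service)   printf '%s\n' "$arn" | cut -d: -f3 ;;
    region)    printf '%s\n' "$arn" | cut -d: -f4 ;;
    account)   printf '%s\n' "$arn" | cut -d: -f5 ;;
    resource)  printf '%s\n' "$arn" | cut -d: -f6- ;;
    *) echo "unknown field: $field" >&2; return 1 ;;
  esac
}

# Policy allowing listing of one prefix and reads of objects under it, nothing else.
#   $1 = bucket name   $2 = prefix without leading or trailing slash
read_prefix_policy() {
  bucket=$1; prefix=$2
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyThisPrefix",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::$bucket",
      "Condition": { "StringLike": { "s3:prefix": "$prefix/*" } }
    },
    {
      "Sid": "ReadObjectsUnderPrefix",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::$bucket/$prefix/*"
    }
  ]
}
EOF
}

# Usage (placeholder names):
#   read_prefix_policy my-bucket reports > /tmp/reports-ro.json
#   aws iam put-user-policy --user-name report-reader --policy-name reports-ro \
#       --policy-document file:///tmp/reports-ro.json
#   aws iam simulate-principal-policy \
#       --policy-source-arn arn:aws:iam::123456789012:user/report-reader \
#       --action-names s3:GetObject s3:DeleteObject \
#       --resource-arns arn:aws:s3:::my-bucket/reports/x.csv
#   (expect GetObject allowed, DeleteObject implicitDeny)
```

The bucket-level ListBucket statement and the object-level GetObject statement need different ARNs (the bucket vs. the bucket plus key pattern); collapsing them into one `arn:aws:s3:::my-bucket/*` is the common mistake that either breaks listing or over-grants.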

S3 storage class ladder

Choose the class based on how often data is accessed — costs drop significantly for infrequent or archival tiers.

  $$$$   S3 Standard            hot, frequent, low latency
         Intelligent-Tiering    auto-moves to cheapest tier
         Standard-IA            infrequent, fast when needed
         One Zone-IA            same but single AZ (20% cheaper)
         Glacier Instant        archives, ms retrieval
  $      Glacier Deep Archive   cheapest, hours retrieval
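Walking objects down the ladder is normally done with a lifecycle rule rather than per-upload flags. The function below, an added example that is not from the cheat sheet, validates the step ordering (Standard-IA needs at least 30 days in Standard, and each later step must come after the previous one) and emits the rule for `s3api put-bucket-lifecycle-configuration`; the bucket and prefix names are placeholders.

```shell
#!/bin/sh
# Added example: lifecycle rule that tiers objects down the storage-class
# ladder and expires them. Bucket and prefix names are placeholders.

#   $1 = prefix   $2 = days before Standard-IA   $3 = days before Deep Archive   $4 = days before expiry
lifecycle_rule() {
  prefix=$1; ia_days=$2; archive_days=$3; expire_days=$4
  # S3 rejects a Standard-IA transition under 30 days, and transitions must be in increasing order.
  [ "$ia_days" -ge 30 ] || { echo "Standard-IA transition must be >= 30 days" >&2; return 1; }
  [ "$archive_days" -gt "$ia_days" ] || { echo "archive transition must come after the IA transition" >&2; return 1; }
  [ "$expire_days" -gt "$archive_days" ] || { echo "expiration must come after the last transition" >&2; return 1; }
  cat <<EOF
{
  "Rules": [
    {
      "ID": "tier-down-$prefix",
      "Status": "Enabled",
      "Filter": { "Prefix": "$prefix/" },
      "Transitions": [
        { "Days": $ia_days,      "StorageClass": "STANDARD_IA" },
        { "Days": $archive_days, "StorageClass": "DEEP_ARCHIVE" }
      ],
      "Expiration": { "Days": $expire_days }
    }
  ]
}
EOF
}

# Usage (placeholder bucket):
#   lifecycle_rule logs 30 180 730 > /tmp/logs-lifecycle.json
#   aws s3api put-bucket-lifecycle-configuration --bucket my-bucket \
#       --lifecycle-configuration file:///tmp/logs-lifecycle.json
#   aws s3api get-bucket-lifecycle-configuration --bucket my-bucket     # confirm the rule took
# A single upload can also pick its class directly:
#   aws s3 cp db.tar.gz s3://my-bucket/backup/2026/ --storage-class DEEP_ARCHIVE
```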

Worth memorizing

aws sts get-caller-identity   always run first to confirm which account/role you're in
--dry-run                     EC2 commands accept this flag to validate without doing anything
--query (JMESPath)            built-in server-side filtering; faster than piping full JSON to jq
--output text                 tab-delimited output — easiest to pass to cut/awk in shell scripts
s3 vs s3api                   s3 = high-level; s3api = raw API; use s3api for ACLs, policies, versioning
presign                       share private S3 objects without making them public — expiry in seconds
ARN format                    arn:partition:service:region:account:resource — the universal resource ID
IAM least privilege           grant only the actions a user/role actually needs, nothing more
named profiles                keep dev/staging/prod credentials separate with --profile; never cross the streams
jq -r                         raw output (no JSON quotes) — almost always what you want in scripts
instance roles                preferred over access keys on EC2 — no credentials to rotate or leak
paginate                      add --no-paginate or loop with --starting-token for results > 1 page