Quick Reference · AWS CLI v2 · Docker CLI · Amazon ECR

AWS CLI cheat sheet

Every AWS CLI call follows the same pattern: aws <service> <action> [options]. Also covers Docker CLI (build → run → debug → clean) and Amazon ECR (authenticate → push → scan → lifecycle). Master the global flags (--output, --query, --profile, --region) and you can drive any of 200+ services from the terminal.


Cross-referenced from: docs.aws.amazon.com/cli/latest · devhints.io/awscli · bluematador.com/learn/aws-cli-cheatsheet · gist.github.com/apolloclark · pluralsight.com S3 cheatsheet

Command anatomy — every service, every action, same shape

    aws   <service>        <action>             [global options] [action options]
    binary s3 · ec2 · iam … describe-instances   --profile prod --region us-east-1
                            (sub-command)        --output json --query '…' --filters '…'

Global options take any order and work with any service. Example:

    $ aws ec2 describe-instances --filters Name=instance-state-name,Values=running --query 'Reservations[].Instances[].[InstanceId,InstanceType]'
      BINARY  SERVICE  ACTION   OPTIONS
01 Install & Setup (first-time)

Credentials precedence: env vars → CLI flags → ~/.aws/credentials → IAM instance role. An instance role is the recommended production approach — no local keys needed.

02 Global Flags (work with every service)
03 Filtering Output with jq (parse JSON like a pro)

Tip: install jq with brew install jq or apt install jq. It turns verbose JSON into scriptable one-liners.
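The same filter done both ways, as an added example that is not part of the cheat sheet: server-side with --query plus --output text (sections 02/03), then locally with jq -r. SAMPLE_JSON is a constructed, trimmed describe-instances response and SAMPLE_TEXT is the tab-delimited text the --query below would print for it; instance ids are placeholders.

```shell
#!/bin/sh
# Added example, not from the cheat sheet. SAMPLE_JSON is a constructed,
# trimmed describe-instances response; instance ids are placeholders.
SAMPLE_JSON='{
  "Reservations": [
    { "Instances": [
        { "InstanceId": "i-0aaa111", "InstanceType": "t3.micro",
          "State": { "Name": "running" } },
        { "InstanceId": "i-0bbb222", "InstanceType": "m5.large",
          "State": { "Name": "stopped" } } ] },
    { "Instances": [
        { "InstanceId": "i-0ccc333", "InstanceType": "t3.small",
          "State": { "Name": "running" } } ] } ] }'

# JMESPath projection: three columns per instance. Applied on the server,
# so only these fields cross the wire.
QUERY='Reservations[].Instances[].[InstanceId,InstanceType,State.Name]'

# What `--query "$QUERY" --output text` prints for SAMPLE_JSON: one
# tab-separated row per instance (constructed to match the JSON above).
SAMPLE_TEXT=$(printf 'i-0aaa111\tt3.micro\trunning\ni-0bbb222\tm5.large\tstopped\ni-0ccc333\tt3.small\trunning')

# The live call (not executed by the test).
describe_text() {
  aws ec2 describe-instances --query "$QUERY" --output text
}

# Local equivalent with jq -r: raw strings, and @tsv gives the same tab layout.
running_instances_jq() {
  printf '%s\n' "$1" | jq -r '.Reservations[].Instances[]
    | select(.State.Name == "running")
    | [.InstanceId, .InstanceType] | @tsv'
}

# Text output needs no JSON parser at all: awk splits on tabs.
# running_ids TEXT -> ids whose state column is "running"
running_ids() {
  printf '%s\n' "$1" | awk -F '\t' '$3 == "running" { print $1 }'
}

# count_state TEXT STATE -> number of instances in STATE
count_state() {
  printf '%s\n' "$1" | awk -F '\t' -v s="$2" '$3 == s { n++ } END { print n + 0 }'
}

# Typical use: feed the ids to another command, e.g.
#   running_ids "$(describe_text)" | xargs aws ec2 describe-instance-status --instance-ids
```

The --query form is the one to prefer in scripts: the filtering happens before the response leaves AWS, and text output drops straight into awk or cut, which is why the "worth memorizing" list pairs `--output text` with those tools.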

04 S3 — Buckets (s3 · s3api)
05 S3 — Objects (cp · mv · rm · sync · presign)

s3 vs s3api: s3 = high-level shortcuts (cp, sync, mb). s3api = raw API access for policies, ACLs, versioning.

06 EC2 — Instances (virtual machines)
07 EC2 — Security Groups & VPC (firewall rules)
08 EC2 — Key Pairs & AMIs (SSH keys · machine images)
09 IAM — Users & Access Keys (identity)
10 IAM — Groups, Policies & Roles (permissions)
11 Lambda (serverless functions)
12 RDS — Relational Databases (MySQL · Postgres · Aurora)
13 DynamoDB (NoSQL key–value & document store)
14 ECS & EKS (containers)
15 CloudWatch (metrics · alarms · logs)
16 Route 53 (DNS management)

Change-batch: use Action CREATE, UPSERT (create or update), or DELETE in the JSON file.
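An added example, not the cheat sheet's own code, of generating that change-batch file from parameters so the Action is validated before anything is sent, then submitting it and waiting for propagation. The hosted-zone id Z0EXAMPLE and the record api.example.com are placeholders.

```shell
#!/bin/sh
# Added example (not from the cheat sheet): build a Route 53 change-batch
# file from parameters, validate the Action, and submit it.
# Z0EXAMPLE and api.example.com are placeholder values.

# build_change_batch ACTION NAME TYPE TTL VALUE
# Prints the JSON Route 53 expects for --change-batch. Only CREATE, UPSERT
# and DELETE are valid actions; anything else is rejected before a request
# is made. UPSERT is the idempotent choice for pipelines.
build_change_batch() {
  action=$1 name=$2 type=$3 ttl=$4 value=$5
  case "$action" in
    CREATE|UPSERT|DELETE) ;;
    *) echo "invalid Action '$action' (use CREATE, UPSERT or DELETE)" >&2; return 1 ;;
  esac
  case "$ttl" in
    ''|*[!0-9]*) echo "TTL must be an integer number of seconds" >&2; return 1 ;;
  esac
  printf '{\n  "Comment": "%s %s %s",\n  "Changes": [{\n    "Action": "%s",\n    "ResourceRecordSet": {\n      "Name": "%s",\n      "Type": "%s",\n      "TTL": %s,\n      "ResourceRecords": [{ "Value": "%s" }]\n    }\n  }]\n}\n' \
    "$action" "$type" "$name" "$action" "$name" "$type" "$ttl" "$value"
}

# apply_change ZONE_ID ACTION NAME TYPE TTL VALUE
# Writes the batch to a temp file, submits it, and waits for INSYNC.
apply_change() {
  zone=$1; shift
  f=$(mktemp) || return 1
  build_change_batch "$@" > "$f" || { rm -f "$f"; return 1; }
  change_id=$(aws route53 change-resource-record-sets \
      --hosted-zone-id "$zone" --change-batch "file://$f" \
      --query 'ChangeInfo.Id' --output text) || { rm -f "$f"; return 1; }
  rm -f "$f"
  # Propagation is asynchronous; the waiter polls get-change until INSYNC.
  aws route53 wait resource-record-sets-changed --id "$change_id"
}

# Only talk to AWS when explicitly asked, so the file is safe to source.
if [ "${1:-}" = "--apply" ]; then
  apply_change Z0EXAMPLE UPSERT api.example.com A 300 10.0.0.5
fi
```

Run with `sh route53-upsert.sh --apply` (any file name) after exporting the usual credentials; DELETE must name the record exactly as it exists (same TTL and value) or Route 53 rejects the batch.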

17 CloudFront & ELB (CDN · load balancers)
18 SNS & SQS (pub/sub · queues)
19 CloudTrail & Secrets Manager (audit · secure secrets)
20 Docker — Images (build · tag · inspect)
21 Docker — Containers (run · manage · lifecycle)
22 Docker — Exec & Debug (shell in · logs · copy files)
23 Docker — Volumes & Networks (persistent data · container DNS)

DNS tip: containers on a user-defined network resolve each other by container name. E.g. api can reach db at http://db:5432.

24 Compose & Cleanup (multi-container · prune)
25 ECR — Authentication (⚠ required before every push/pull)

Token lifetime: authorization tokens are valid for 12 hours. In CI/CD pipelines, run the login step fresh at the start of every job.
IAM needed: ecr:GetAuthorizationToken + repo permissions (ecr:BatchGetImage, ecr:PutImage…).
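The permission split above written out as a policy, as an added example that is not the cheat sheet's own code: ecr:GetAuthorizationToken is account-wide and has to sit on Resource "*", while every push/pull action is scoped to one repository ARN (the least-privilege shape from the "worth memorizing" list). The account id 123456789012, region us-east-1, repo "api" and role name are placeholders.

```shell
#!/bin/sh
# Added example, not the cheat sheet's own code: generate the least-privilege
# policy a CI role needs to push to (and pull from) one ECR repository.
# Account 123456789012, region us-east-1 and repo "api" are placeholders.

# ecr_repo_arn ACCOUNT REGION REPO -> arn:aws:ecr:REGION:ACCOUNT:repository/REPO
ecr_repo_arn() {
  printf 'arn:aws:ecr:%s:%s:repository/%s\n' "$2" "$1" "$3"
}

# ecr_push_policy ACCOUNT REGION REPO -> policy document on stdout
ecr_push_policy() {
  arn=$(ecr_repo_arn "$1" "$2" "$3")
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GetToken",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Sid": "PushPullOneRepo",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:PutImage"
      ],
      "Resource": "$arn"
    }
  ]
}
EOF
}

# count_wildcard_resources DOC -> how many statements grant on "*".
# For this policy the answer must be exactly 1 (the token statement); a
# second wildcard means the repo statement was widened by mistake.
count_wildcard_resources() {
  printf '%s\n' "$1" | grep -c '"Resource": "\*"'
}

# attach_push_policy ROLE ACCOUNT REGION REPO: inline policy on a CI role
attach_push_policy() {
  f=$(mktemp) || return 1
  ecr_push_policy "$2" "$3" "$4" > "$f"
  aws iam put-role-policy --role-name "$1" --policy-name "ecr-push-$4" \
    --policy-document "file://$f"
  rm -f "$f"
}
```

A role that only pulls (ECS task execution, CodeBuild) needs just the token statement plus BatchGetImage, GetDownloadUrlForLayer and BatchCheckLayerAvailability; drop the upload actions for it.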

26 ECR — Repositories (create · list · delete)
27 ECR — Push / Pull Workflow (the 4-step pattern)

Shortcut: in the ECR console, open your repo and click View push commands — it generates all 4 steps with your exact account/region filled in.

28 ECR — Images & Security (list · scan · lifecycle)

Docker & ECR mental models

The container lifecycle and the local-to-ECR deploy pipeline — the two flows you repeat dozens of times a day.

Docker container lifecycle

Every container moves through these states. Key insight: stopped ≠ gone — data and logs persist until docker rm.

[Diagram: Docker container lifecycle]
  Image (built with docker build from a Dockerfile, or pulled with docker pull from Docker Hub / ECR)
    --docker run-->    Running (process is alive)
    --stop / exit-->   Stopped (layer data retained)
    --docker start-->  back to Running
    --docker rm-->     Deleted
  docker commit on a container produces a New Image.
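The "stopped ≠ gone" point turned into a triage script, as an added example that is not part of the cheat sheet: it classifies `docker ps -a` rows, reads the logs of containers that exited non-zero while they still exist, and only then removes the stopped ones. SAMPLE_PS is constructed output of `docker ps -a --format '{{.Names}}\t{{.Status}}'` with placeholder container names.

```shell
#!/bin/sh
# Added example, not from the cheat sheet. SAMPLE_PS is constructed output of
#   docker ps -a --format '{{.Names}}\t{{.Status}}'
# Container names are placeholders.
SAMPLE_PS=$(printf 'web\tUp 3 hours\napi\tExited (1) 20 minutes ago\ndebug\tExited (0) 2 days ago\ndb\tUp 5 days (healthy)')

# Live listing (not run by the test). Without -a, docker ps hides stopped
# containers, which is exactly how they pile up unnoticed.
list_containers() { docker ps -a --format '{{.Names}}\t{{.Status}}'; }

# running_containers TEXT: status starts with "Up"
running_containers() {
  printf '%s\n' "$1" | awk -F '\t' '$2 ~ /^Up/ { print $1 }'
}

# stopped_containers TEXT: exited or never started. Their writable layer and
# logs still exist on disk until docker rm.
stopped_containers() {
  printf '%s\n' "$1" | awk -F '\t' '$2 ~ /^(Exited|Created|Dead)/ { print $1 }'
}

# failed_containers TEXT: Exited with a non-zero code, worth reading logs
# from before they are removed.
failed_containers() {
  printf '%s\n' "$1" | awk -F '\t' '$2 ~ /^Exited \([1-9][0-9]*\)/ { print $1 }'
}

# triage: show the tail of each failed container's log, then remove every
# stopped container. Logs disappear at docker rm, so the order matters.
triage() {
  ps=$(list_containers)
  for c in $(failed_containers "$ps"); do
    echo "== $c (non-zero exit) =="
    docker logs --tail 50 "$c"
  done
  stopped=$(stopped_containers "$ps")
  if [ -n "$stopped" ]; then
    # word splitting is intended: one name per argument
    docker rm $stopped
  fi
}

if [ "${1:-}" = "--triage" ]; then triage; fi
```

`docker container prune` does the removal step in one go, but it gives no chance to look at logs first; for throwaway debug containers `docker run -it --rm` avoids the leftover entirely.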

Local dev → ECR → ECS deploy pipeline

The canonical CI/CD flow. Authentication expires every 12 h — re-run the login step at the start of each pipeline job.

[Diagram: local dev → ECR → ECS deploy pipeline]
  1. Build   docker build -t <image>
  2. Tag     docker tag <image> <ECR URI>
  3. Auth    aws ecr get-login-password | docker login
  4. Push    docker push <ECR URI>
  ECR Registry (private image store) is then pulled by: ECS Task (task definition pull), Lambda (container image), EKS Pod (imagePullPolicy), CodeBuild (docker pull). Every puller needs IAM ecr:GetAuthorizationToken plus pull permissions on the repo.
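The 4-step pattern (section 27) with the authentication and repository rules from sections 25 and 26 folded in, as an added example that is not the cheat sheet's or any project's code: the login runs fresh inside the job because the token lasts 12 h, the repo is created with scan-on-push and IMMUTABLE tags before the first push, and `:latest` is refused up front. Account id 123456789012, region us-east-1 and repo name "api" are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the cheat sheet's own code): the local -> ECR push
# pipeline as a script. Account id, region and repo name are placeholders.
set -e

ACCOUNT=${ACCOUNT:-123456789012}
REGION=${REGION:-us-east-1}

# ecr_registry ACCOUNT REGION -> registry host (what docker login targets)
ecr_registry() {
  printf '%s.dkr.ecr.%s.amazonaws.com\n' "$1" "$2"
}

# ecr_uri ACCOUNT REGION REPO TAG -> <account>.dkr.ecr.<region>.amazonaws.com/<repo>:<tag>
ecr_uri() {
  printf '%s/%s:%s\n' "$(ecr_registry "$1" "$2")" "$3" "$4"
}

# check_tag TAG: refuse mutable-style tags. With IMMUTABLE tags enabled a
# second push of :latest fails anyway; rejecting it here keeps the failure
# early and the message readable. Accepts semver (optional v / pre-release)
# or a 7-to-40 character git SHA.
check_tag() {
  case "$1" in
    latest|'') echo "refusing tag '$1': use a semver or git-sha tag" >&2; return 1 ;;
  esac
  printf '%s\n' "$1" | grep -Eq '^(v?[0-9]+\.[0-9]+\.[0-9]+([-+][0-9A-Za-z.]+)?|[0-9a-f]{7,40})$' \
    || { echo "tag '$1' is not semver or a git sha" >&2; return 1; }
}

# ecr_login: the token from get-login-password lasts 12 h, so CI jobs run this
# at the start of every job instead of caching docker credentials.
ecr_login() {
  aws ecr get-login-password --region "$REGION" \
    | docker login --username AWS --password-stdin "$(ecr_registry "$ACCOUNT" "$REGION")"
}

# ensure_repo REPO: a push to a non-existent repo fails, so create it first.
# Scan-on-push and tag immutability are set at creation time.
ensure_repo() {
  aws ecr describe-repositories --repository-names "$1" --region "$REGION" >/dev/null 2>&1 \
  || aws ecr create-repository --repository-name "$1" --region "$REGION" \
       --image-scanning-configuration scanOnPush=true \
       --image-tag-mutability IMMUTABLE >/dev/null
}

# push_image REPO TAG [CONTEXT]: build -> tag -> auth -> push, prints the URI
push_image() {
  repo=$1 tag=$2 ctx=${3:-.}
  check_tag "$tag"
  uri=$(ecr_uri "$ACCOUNT" "$REGION" "$repo" "$tag")
  docker build -t "$repo:$tag" "$ctx"
  docker tag "$repo:$tag" "$uri"
  ecr_login
  ensure_repo "$repo"
  docker push "$uri"
  echo "$uri"
}

if [ "${1:-}" = "--push" ]; then
  push_image api "${2:-1.4.2}"
fi
```

Usage: `ACCOUNT=123456789012 REGION=us-east-1 sh push.sh --push "$(git rev-parse --short=12 HEAD)"`; the printed URI is what goes into the ECS task definition or the Lambda container-image config.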

Key mental models

Three diagrams that unlock how S3, IAM, and jq filtering actually work — drawn from the official docs and community guides.

S3 object hierarchy

No real folders — just a key that looks like a path. The bucket is the top-level namespace; everything below is an object key.

AWS Account
└── 🪣 s3://my-bucket/          globally unique name · region-specific storage
    ├── images/                (prefix)
    │   ├── logo.png
    │   └── hero.jpg
    └── backup/2026/           (prefix)
        ├── db.tar.gz
        └── logs.zip
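Because the key is just a string, splitting an s3:// URI into bucket and key is pure string handling, and that split is exactly the seam between the `s3` and `s3api` commands (section 04/05): `s3` takes the URI, `s3api` wants --bucket and --key. An added example, not the cheat sheet's own code; bucket and key names are placeholders.

```shell
#!/bin/sh
# Added example, not the cheat sheet's own code. s3 commands take an
# s3:// URI; s3api commands want --bucket and --key separately. These
# helpers bridge the two; bucket/key names are placeholders.

# s3_split URI -> sets S3_BUCKET and S3_KEY (key may be empty or a prefix)
s3_split() {
  case "$1" in s3://*) ;; *) echo "not an s3:// URI: $1" >&2; return 1 ;; esac
  rest=${1#s3://}
  S3_BUCKET=${rest%%/*}
  case "$rest" in */*) S3_KEY=${rest#*/} ;; *) S3_KEY= ;; esac
  [ -n "$S3_BUCKET" ] || { echo "empty bucket in $1" >&2; return 1; }
}
s3_bucket() { s3_split "$1" && printf '%s\n' "$S3_BUCKET"; }
s3_key()    { s3_split "$1" && printf '%s\n' "$S3_KEY"; }

# High-level (aws s3): copy with the URI as-is.
download() { aws s3 cp "$1" "${2:-.}"; }

# Raw API (aws s3api): the same object's metadata, which aws s3 has no verb for.
object_metadata() {
  s3_split "$1" || return 1
  aws s3api head-object --bucket "$S3_BUCKET" --key "$S3_KEY"
}

# Raw API: ACL grants to the AllUsers group on an object, i.e. "is this
# public?" (prints nothing when the object is private). Useful for auditing
# buckets that still use per-object ACLs.
public_grants() {
  s3_split "$1" || return 1
  aws s3api get-object-acl --bucket "$S3_BUCKET" --key "$S3_KEY" \
    --query "Grants[?Grantee.URI=='http://acs.amazonaws.com/groups/global/AllUsers'].Permission" \
    --output text
}

# Share a private object without touching ACLs: the presigned URL expires
# after SECONDS (default 600) and needs no change to the object itself.
share() { aws s3 presign "$1" --expires-in "${2:-600}"; }
```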

IAM: who → what → resource

Permissions flow from a principal (user/role/group) through a policy to an action on a resource, identified by its ARN.

[Diagram: IAM permission flow]
  User or Role (principal) → Policy (attached JSON; Effect: Allow or Effect: Deny) → Resource ARN (S3 / EC2 / RDS …)
  ARN format: arn:aws:s3:::my-bucket
              arn:aws:ec2:us-east-1:123456789:instance/i-xxx
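Parsing that ARN format (arn:partition:service:region:account:resource, as in the "worth memorizing" list) is the building block for checking which account a resource in a policy or a command line actually belongs to. The helper below is an added example, not the cheat sheet's own code; it handles the empty region/account of S3 ARNs and resources that contain further colons, and the account ids are placeholders.

```shell
#!/bin/sh
# Added example, not from the cheat sheet. Splits an ARN into its fields:
#   arn:partition:service:region:account:resource
# region and account may be empty (S3) and the resource may itself contain
# ':' (Lambda function ARNs), so split exactly five times from the left.
parse_arn() {
  arn=$1
  case "$arn" in arn:*:*:*:*:*) ;; *) echo "not an ARN: $arn" >&2; return 1 ;; esac
  rest=${arn#arn:}
  ARN_PARTITION=${rest%%:*}; rest=${rest#*:}
  ARN_SERVICE=${rest%%:*};   rest=${rest#*:}
  ARN_REGION=${rest%%:*};    rest=${rest#*:}
  ARN_ACCOUNT=${rest%%:*};   rest=${rest#*:}
  ARN_RESOURCE=$rest
}

# arn_field ARN FIELD -> one field (partition|service|region|account|resource)
arn_field() {
  parse_arn "$1" || return 1
  case "$2" in
    partition) printf '%s\n' "$ARN_PARTITION" ;;
    service)   printf '%s\n' "$ARN_SERVICE" ;;
    region)    printf '%s\n' "$ARN_REGION" ;;
    account)   printf '%s\n' "$ARN_ACCOUNT" ;;
    resource)  printf '%s\n' "$ARN_RESOURCE" ;;
    *) echo "unknown field $2" >&2; return 1 ;;
  esac
}

# arn_in_account ARN ACCOUNT: true when the ARN names ACCOUNT, or carries no
# account at all (S3 ARNs), which is why S3 bucket names must be checked
# separately against an allow-list.
arn_in_account() {
  parse_arn "$1" || return 1
  [ -z "$ARN_ACCOUNT" ] || [ "$ARN_ACCOUNT" = "$2" ]
}

# assert_current_account ARN (live, not run by the test): refuse to proceed
# when the ARN belongs to an account other than the one the current
# credentials resolve to. Cheap guard before destructive calls, and the
# scripted form of "run aws sts get-caller-identity first".
assert_current_account() {
  me=$(aws sts get-caller-identity --query Account --output text) || return 1
  arn_in_account "$1" "$me" || { echo "$1 is not in account $me" >&2; return 1; }
}
```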

S3 storage class ladder

Choose the class based on how often data is accessed — costs drop significantly for infrequent or archival tiers.

  $$$$  S3 Standard — hot, frequent, low latency
        Intelligent-Tiering — auto-moves to cheapest tier
        Standard-IA — infrequent, fast when needed
        One Zone-IA — same but single AZ (20% cheaper)
        Glacier Instant — archives, ms retrieval
  $     Glacier Deep Archive — cheapest, hours retrieval

Worth memorizing

aws sts get-caller-identity: always run first to confirm which account/role you're in
--dry-run: EC2 commands accept this flag to validate without doing anything
--query (JMESPath): built-in server-side filtering; faster than piping full JSON to jq
--output text: tab-delimited output — easiest to pass to cut/awk in shell scripts
s3 vs s3api: s3 = high-level; s3api = raw API; use s3api for ACLs, policies, versioning
presign: share private S3 objects without making them public — expiry in seconds
ARN format: arn:partition:service:region:account:resource — the universal resource ID
IAM least privilege: grant only the actions a user/role actually needs, nothing more
named profiles: keep dev/staging/prod credentials separate with --profile; never cross the streams
jq -r: raw output (no JSON quotes) — almost always what you want in scripts
instance roles: preferred over access keys on EC2 — no credentials to rotate or leak
paginate: add --no-paginate or loop with --starting-token for results > 1 page
ECR login: aws ecr get-login-password | docker login — token valid 12 h only
ECR URI format: <account>.dkr.ecr.<region>.amazonaws.com/<repo>:<tag>
ECR repo first: create-repository before pushing — push to a non-existent repo fails
docker run -it --rm: best combo for throwaway debug containers — shell in, auto-cleanup on exit
scanOnPush=true: enable on ECR repos in prod — free CVE scanning on every image push
IMMUTABLE tags: prevents silent overwrites of :latest in ECR — use semver tags in production