aws sts get-caller-identity
    Always run first to confirm which account and role you are operating as; check the Account and Arn fields before doing anything destructive.

--dry-run
    Many ec2 commands accept it: the request is authorized and validated but nothing is changed. Success comes back as a DryRunOperation error, a missing permission as UnauthorizedOperation. Not every service supports the flag.

--query (JMESPath)
    Client-side filtering done by the CLI itself before output. The full response still comes over the wire, so the win is dropping the jq dependency, not speed. Server-side filtering is the command's own parameters (ec2 --filters, s3api --prefix and similar).

--output text
    Tab-delimited output; easiest to feed to cut/awk in shell scripts. Pair it with --query so the column order is fixed and predictable.

s3 vs s3api
    s3 is the high-level layer (cp, sync, rm, recursive operations); s3api maps one-to-one onto the raw API. Use s3api for bucket policies, ACLs, versioning and public access block settings.

presign
    aws s3 presign s3://bucket/key --expires-in 600 shares a private object without making it public; --expires-in is in seconds (default 3600). The URL carries the signer's permissions, so keep the expiry short. A URL signed with temporary role credentials stops working when that session expires, whatever --expires-in says.

ARN format
    arn:partition:service:region:account:resource is the universal resource ID. region and account are empty for global or account-less resources (IAM, S3), and the resource part can itself contain colons and slashes, so split on the first five colons only.

IAM least privilege
    Grant only the actions a user or role actually needs, scoped to the resources it needs them on; avoid "Action": "*" and "Resource": "*" outside of experiments.

named profiles
    Keep dev/staging/prod credentials in separate profiles and select one with --profile (or AWS_PROFILE); never cross the streams in a single shell. Confirm the switch with get-caller-identity.

jq -r
    Raw output, no JSON quoting around strings; almost always what you want when the value is fed into another command.

instance roles
    Preferred over access keys on EC2: the CLI and SDKs fetch short-lived credentials from the instance metadata service, so there is nothing long-lived to rotate or accidentally commit. Those temporary credentials can still be stolen through SSRF against 169.254.169.254, so require IMDSv2 (run-instances --metadata-options HttpTokens=required, or modify-instance-metadata-options --http-tokens required) and keep the role narrow.

paginate
    list/describe commands auto-paginate by default, so you normally get every result. --no-paginate returns a single raw page with its NextToken; for manual paging use --max-items together with --starting-token from the previous call.

ECR login
    aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <account>.dkr.ecr.<region>.amazonaws.com. The token is valid for 12 h only; re-run it on long-lived build hosts.

ECR URI format
    <account>.dkr.ecr.<region>.amazonaws.com/<repo>:<tag>, or /<repo>@sha256:<digest> to pin one exact image. The account in the URI is the registry owner, which is not necessarily your own account.

ECR repo first
    aws ecr create-repository --repository-name <repo> before the first push; a push to a repository that does not exist fails with "name unknown".

docker run -it --rm
    Best combination for throwaway debug containers: interactive shell in, container removed automatically on exit.

scanOnPush=true
    Enable on production repos (per repo: aws ecr put-image-scanning-configuration --repository-name <repo> --image-scanning-configuration scanOnPush=true; registry-wide: put-registry-scanning-configuration). Basic scanning is free and runs on every push, but it only reports: gate the deploy on describe-image-scan-findings yourself.

IMMUTABLE tags
    --image-tag-mutability IMMUTABLE (on create-repository or via put-image-tag-mutability) makes ECR reject any push to a tag that already exists, so a tag always maps to exactly one digest. That rules out a moving :latest, which is the point: use semver or commit-sha tags in production and pin by digest where you can.
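The identifier formats on this sheet (ARN, ECR image URI) and the "check the account first" rule are the parts that most often go wrong in deploy scripts. The helpers below are an added example, not part of the original cheat sheet and not an AWS tool. They are pure POSIX sh, make no AWS calls, and the get-caller-identity JSON is constructed sample data with a fictitious account id; the function names (parse_arn, parse_ecr_uri, assert_account) are my own.

```shell
#!/bin/sh
# Added example for this cheat sheet; not part of the original page and not an
# AWS-provided tool. Pure POSIX sh, no AWS calls: everything below runs offline.

# parse_arn ARN
# Prints the five ARN fields one per line: partition, service, region, account,
# resource. region/account may be empty (IAM, S3) and the resource part may
# itself contain colons, so only the first five colons are used as separators.
parse_arn() {
    arn=$1
    case $arn in
        arn:*:*:*:*:*) ;;
        *) echo "parse_arn: not an ARN: $arn" >&2; return 1 ;;
    esac
    # read assigns the remainder of the line (colons included) to the last var.
    IFS=: read -r _prefix partition service region account resource <<EOF
$arn
EOF
    printf '%s\n' "$partition" "$service" "$region" "$account" "$resource"
}

# arn_field ARN N   -> field N of the ARN (1=partition ... 5=resource)
arn_field() {
    parse_arn "$1" | sed -n "${2}p"
}

# parse_ecr_uri URI
# Validates <account>.dkr.ecr.<region>.amazonaws.com/<repo>[:<tag>|@sha256:<digest>]
# (the commercial-partition format shown on the sheet) and prints account,
# region, repo, tag one per line. No tag means Docker pulls :latest, so that
# is what is reported. Anything else fails closed.
parse_ecr_uri() {
    uri=$1
    case $uri in
        *.dkr.ecr.*.amazonaws.com/*) ;;
        *) echo "parse_ecr_uri: not an ECR image URI: $uri" >&2; return 1 ;;
    esac
    host=${uri%%/*}
    path=${uri#*/}
    account=${host%%.*}
    region=${host#*.dkr.ecr.}
    region=${region%.amazonaws.com}
    # The registry owner must be a 12-digit account id; anything else is a
    # typo or a look-alike host such as evil.example/<real-registry>/app.
    case $account in
        *[!0-9]*|'') echo "parse_ecr_uri: bad account id in $uri" >&2; return 1 ;;
    esac
    [ ${#account} -eq 12 ] || { echo "parse_ecr_uri: bad account id in $uri" >&2; return 1; }
    case $path in
        *@sha256:*) tag=${path#*@};  repo=${path%@*} ;;
        *:*)        tag=${path##*:}; repo=${path%:*} ;;
        *)          tag=latest;      repo=$path ;;
    esac
    printf '%s\n' "$account" "$region" "$repo" "$tag"
}

# ecr_field URI N   -> field N (1=account 2=region 3=repo 4=tag)
ecr_field() {
    parse_ecr_uri "$1" | sed -n "${2}p"
}

# caller_account JSON
# Pulls "Account" out of `aws sts get-caller-identity` output without jq.
caller_account() {
    printf '%s\n' "$1" |
        sed -n 's/.*"Account"[[:space:]]*:[[:space:]]*"\([0-9]*\)".*/\1/p'
}

# assert_account EXPECTED JSON
# The "run get-caller-identity first" rule as a guard: fail closed unless the
# caller is in the expected account. In a real script:
#   assert_account 123456789012 "$(aws sts get-caller-identity --profile prod)" || exit 1
assert_account() {
    expected=$1
    actual=$(caller_account "$2")
    if [ "$actual" != "$expected" ]; then
        echo "refusing: caller is in account '${actual:-unknown}', expected $expected" >&2
        return 1
    fi
    echo "ok: account $actual"
}

# Constructed sample of get-caller-identity output (fictitious account id).
SAMPLE_IDENTITY='{
    "UserId": "AROAEXAMPLEROLEID:deploy",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/deploy/deploy"
}'

# Demo run against the constructed data.
assert_account 123456789012 "$SAMPLE_IDENTITY"
parse_arn "$(printf '%s\n' "$SAMPLE_IDENTITY" | sed -n 's/.*"Arn": "\(.*\)".*/\1/p')"
parse_ecr_uri 123456789012.dkr.ecr.eu-west-1.amazonaws.com/team/app:1.4.2
```

Splitting on exactly five colons is what makes parse_arn safe for CloudWatch Logs and similar ARNs whose resource part contains further colons; a naive `cut -d: -f6` would truncate them. parse_ecr_uri deliberately rejects anything that is not a 12-digit registry owner, so a typo or a look-alike host makes the script stop rather than push the image somewhere unintended.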