AWS CLI Cheat Sheet
Published on April 14, 2021
Table of Contents
- Volumes
- AMIs
- Lambda
- IAM
- S3 API
- VPC
- Subnets
- Internet Gateway
- NAT
- Route Tables
- CloudFront
- RDS
- List Databases
- List Public Databases
- List Non Protected Databases (DeletionProtection)
- Describe the Automated Backups for a DB Instance
- Create a DB Cluster
- Create a DB Instance
- Create a DB Security Group
- Create a Read Replica
- Create a Custom DB Cluster Endpoint
- Apply Tag to a DB
- Create a Cluster Snapshot
- Create a CloudWatch Alarm for a DB Instance
Volumes
Describing volumes
aws ec2 describe-volumes
Describing filtered volumes:
aws ec2 describe-volumes --filters Name=status,Values=<status>
where <status> is one of: creating, available, in-use, deleting, deleted, error.
e.g., describing all deleted volumes:
aws ec2 describe-volumes --filters Name=status,Values=deleted
Filters can be applied to the attachment status:
aws ec2 describe-volumes --filters Name=attachment.status,Values=<attachment_status>
where <attachment_status> is one of: attaching, attached, detaching, detached.
e.g: describing all volumes with the status "attaching":
aws ec2 describe-volumes --filters Name=attachment.status,Values=attaching
Filtering volumes by tag. Add --profile <your_profile_name> if you have multiple AWS profiles or accounts.
aws ec2 describe-volumes --filters "Name=tag:Name,Values=<some_value>" --profile <your_profile_name>
Describing volumes using a different aws user profile
aws ec2 describe-volumes --filters Name=status,Values=in-use --profile <your_profile_name>
Listing Available Volume IDs
aws ec2 describe-volumes --filters Name=status,Values=available |grep VolumeId|awk '{print $2}' | tr '\n|,|"' ' '
With "profile":
aws ec2 describe-volumes --filters Name=status,Values=available --profile <your_profile_name>|grep VolumeId|awk '{print $2}' | tr '\n|,|"' ' '
Deleting a Volume
aws ec2 delete-volume --region <region> --volume-id <volume_id>
Deleting Unused Volumes.. Think Before You Type :-)
This loop deletes every volume in the "available" (unattached) state in <region>. Take a snapshot of anything you may still need first (see "Creating a Snapshot" below).
for x in $(aws ec2 describe-volumes --filters Name=status,Values=available |grep VolumeId|awk '{print $2}' | tr ',|"' ' '); do aws ec2 delete-volume --region <region> --volume-id $x; done
With "profile":
for x in $(aws ec2 describe-volumes --filters Name=status,Values=available --profile <your_profile_name>|grep VolumeId|awk '{print $2}' | tr ',|"' ' '); do aws ec2 delete-volume --region <region> --volume-id $x --profile <your_profile_name>; done
Creating a Snapshot
aws ec2 create-snapshot --volume-id <vol-id>
aws ec2 create-snapshot --volume-id <vol-id> --description "snapshot-$(date +'%Y-%m-%d_%H-%M-%S')"
Creating an Image (AMI)
aws ec2 create-image --instance-id <instance_id> --name "image-$(date +'%Y-%m-%d_%H-%M-%S')" --description "image-$(date +'%Y-%m-%d_%H-%M-%S')"
Creating AMI Without Rebooting the Machine
aws ec2 create-image --instance-id <instance_id> --name "image-$(date +'%Y-%m-%d_%H-%M-%S')" --description "image-$(date +'%Y-%m-%d_%H-%M-%S')" --no-reboot
You are free to change the AMI name image-$(date +'%Y-%m-%d_%H-%M-%S') to a name of your choice.
AMIs
Listing AMI(s)
aws ec2 describe-images
Describing AMI(s)
aws ec2 describe-images --image-ids <image_id> --profile <profile> --region <region>
e.g:
aws ec2 describe-images --image-ids ami-e24dfa9f --profile terraform --region eu-west-3
Listing Amazon AMIs
aws ec2 describe-images --owners amazon
Using Filters
e.g: Describing Windows AMIs that are backed by Amazon EBS.
aws ec2 describe-images --filters "Name=platform,Values=windows" "Name=root-device-type,Values=ebs"
e.g: Describing Ubuntu AMIs
aws ec2 describe-images --filters "Name=name,Values=ubuntu*"
Lambda
List Functions
aws lambda list-functions
Describe a Function
aws lambda get-function --function-name my-function
Invoke a Function
aws lambda invoke --function-name my-function --payload '{ "name": "Bob" }' response.json
Update a Function Code
aws lambda update-function-code --function-name my-function --zip-file fileb://my-function.zip
Publish a Version
aws lambda publish-version --function-name my-function
List Layers
For example, to list the layers that are compatible with the Python 3.7 runtime:
aws lambda list-layers --compatible-runtime python3.7
Possible values for --compatible-runtime:
nodejs
nodejs4.3
nodejs6.10
nodejs8.10
nodejs10.x
nodejs12.x
java8
java8.al2
java11
python2.7
python3.6
python3.7
python3.8
dotnetcore1.0
dotnetcore2.0
dotnetcore2.1
dotnetcore3.1
nodejs4.3-edge
go1.x
ruby2.5
ruby2.7
provided
provided.al2
List Aliases of a Function
aws lambda list-aliases --function-name my-function
Describe an Alias
aws lambda get-alias --function-name my-function --name LIVE
Create an Alias
aws lambda create-alias --function-name my-function --description "alias description goes here" --function-version 1 --name LIVE
Delete an Alias
aws lambda delete-alias --function-name my-function --name LIVE
List Function Tags
aws lambda list-tags --resource arn:aws:lambda:eu-west-1:xxxxxxxxxxx:function:my-function
Delete a Function
aws lambda delete-function --function-name my-function
Using AWS Lambda with Scheduled Events
Grant the CloudWatch Events (EventBridge) rule permission to invoke the function:
sid=Sid$(date +%Y%m%d%H%M%S); aws lambda add-permission --statement-id $sid --action 'lambda:InvokeFunction' --principal events.amazonaws.com --source-arn arn:aws:events:<region>:<account_id>:rule/<rule_name> --function-name <function_name> --region <region>
IAM
List Users
aws iam list-users
List Policies
aws iam list-policies
List Groups
aws iam list-groups
Get Users in a Group
aws iam get-group --group-name <group_name>
Describing a Policy
aws iam get-policy --policy-arn arn:aws:iam::aws:policy/<policy_name>
List Access Keys
aws iam list-access-keys
List the Access Key IDs for an IAM User
aws iam list-access-keys --user-name <user_name>
List the SSH Public Keys for a User
aws iam list-ssh-public-keys --user-name <user_name>
S3 API
Listing Buckets
aws s3api list-buckets
Or
aws s3 ls
e.g
aws s3 ls --profile eon01
Listing Only Bucket Names
aws s3api list-buckets --query 'Buckets[].Name'
Getting a Bucket Region
aws s3api get-bucket-location --bucket <bucket_name>
e.g
aws s3api get-bucket-location --bucket practicalaws.com
Listing the Content of a Bucket
aws s3 ls s3://<bucket_name> --region <region>
e.g
aws s3 ls s3://practicalaws.com
aws s3 ls s3://practicalaws.com --region eu-west-1
aws s3 ls s3://practicalaws.com --region eu-west-1 --profile eon01
Syncing a Local Folder with a Bucket
aws s3 sync <local_path> s3://<bucket_name>
e.g
aws s3 sync . s3://practicalaws.com --region eu-west-1
Copying Files
aws s3 cp <file_name> s3://<bucket_name>
Or:
aws s3 cp <file_name> s3://<bucket_name>/<folder_name>/
To copy all files from a folder, see "Copying Folders" below, or use the following example, which copies the content of the local folder "images" into the remote folder "images":
cd images
aws s3 cp . s3://saltstackfordevops.com/images --recursive --region us-east-2
Copying Folders
aws s3 cp <folder_name>/ s3://<bucket_name>/ --recursive
To exclude files:
aws s3 cp <folder_name>/ s3://<bucket_name>/ --recursive --exclude "<file_name_or_a_wildcard>"
e.g.: to exclude JPG files while still copying PNG files. Filters are applied in order, so to copy only PNG files you would exclude everything first with --exclude "*" and then --include "*.png".
aws s3 cp practicalaws.com/ s3://practicalaws-backup/ --recursive --exclude "*.jpg" --include "*.png"
e.g.: to exclude a folder:
aws s3 cp practicalaws.com/ s3://practicalaws-backup/ --recursive --exclude ".git/*"
Removing a File from a Bucket
aws s3 rm s3://<bucket_name>/<object_name>
e.g
aws s3 rm s3://practicalaws.com/temp.txt
Deleting a Bucket
aws s3 rb s3://<bucket_name> --force
The --force flag deletes all objects first; without it, rb fails if the bucket is not empty.
e.g
aws s3 rb s3://practicalaws.com --force
Emptying a Bucket
aws s3 rm s3://<bucket_name>/<key_name> --recursive
e.g
In order to remove tempfiles/file1.txt and tempfiles/file2.txt (everything under the tempfiles/ prefix) from the practicalaws.com bucket, use:
aws s3 rm s3://practicalaws.com/tempfiles --recursive
Remove all objects in the bucket using:
aws s3 rm s3://practicalaws.com --recursive
Making a Public File Private
aws s3api put-object-acl --acl private --bucket <bucket-name> --key <file_name or file_path>
e.g:
aws s3api put-object-acl --acl private --bucket practicalaws.com --key image/logo.png
Making a Public bucket Private
List every object key with the s3api (the CLI paginates for you; keys containing spaces are preserved) and reset each object's ACL:
aws s3api list-objects-v2 --bucket <bucket-name> --query 'Contents[].[Key]' --output text | while IFS= read -r key; do
echo "$key"
aws s3api put-object-acl --acl private --bucket <bucket-name> --key "$key"
done
Resetting object ACLs does not undo a bucket policy that grants public access; check the bucket policy and the bucket's Block Public Access settings as well.
VPC
Creating A VPC
aws ec2 create-vpc --cidr-block <cidr_block> --region <region>
e.g
aws ec2 create-vpc --cidr-block 10.0.0.0/16 --region eu-west-1
Allowing DNS hostnames
aws ec2 modify-vpc-attribute --vpc-id <vpc_id> --enable-dns-hostnames "{\"Value\":true}" --region <region>
Subnets
Creating A Subnet
aws ec2 create-subnet --vpc-id <vpc_id> --cidr-block <cidr_block> --availability-zone <availability_zone> --region <region>
Auto Assigning Public IPs To Instances In A Public Subnet
aws ec2 modify-subnet-attribute --subnet-id <subnet_id> --map-public-ip-on-launch --region <region>
Internet Gateway
Creating An IGW
aws ec2 create-internet-gateway --region <region>
Attaching An IGW to A VPC
aws ec2 attach-internet-gateway --internet-gateway-id <igw_id> --vpc-id <vpc_id> --region <region>
NAT
Setting Up A NAT Gateway
Allocate Elastic IP
aws ec2 allocate-address --domain vpc --region <region>
then use the returned AllocationId to create the NAT Gateway in a public subnet of <region>:
aws ec2 create-nat-gateway --subnet-id <subnet_id> --allocation-id <allocation_id> --region <region>
Route Tables
Creating A Public Route Table
Create the Route Table:
aws ec2 create-route-table --vpc-id <vpc_id> --region <region>
then, using the Route Table ID returned by the previous command, create a default route (0.0.0.0/0) through the Internet Gateway:
aws ec2 create-route --route-table-id <route_table_id> --destination-cidr-block 0.0.0.0/0 --gateway-id <igw_id> --region <region>
Finally, associate the public subnet with the Route Table
aws ec2 associate-route-table --route-table-id <route_table_id> --subnet-id <subnet_id> --region <region>
Creating A Private Route Table
Create the Route Table
aws ec2 create-route-table --vpc-id <vpc_id> --region <region>
then create a default route that points to the NAT Gateway:
aws ec2 create-route --route-table-id <route_table_id> --destination-cidr-block 0.0.0.0/0 --nat-gateway-id <nat_gateway_id> --region <region>
Finally, associate the subnet
aws ec2 associate-route-table --route-table-id <route_table_id> --subnet-id <subnet_id> --region <region>
CloudFront
Listing Distributions
With older versions of the AWS CLI you may need to enable the CloudFront preview first:
aws configure set preview.cloudfront true
Then:
aws cloudfront list-distributions
Invalidating Files From a Distribution
To invalidate index and error HTML files from the distribution with the ID Z2W2LX9VBMAPRX:
aws cloudfront create-invalidation --distribution-id Z2W2LX9VBMAPRX --paths /index.html /error.html
To invalidate everything in the distribution:
aws cloudfront create-invalidation --distribution-id Z2W2LX9VBMAPRX --paths '/*'
Sync a Local Folder with a CloudFront Distribution
CloudFront is "attached" to a bucket, so you upload your files to that bucket.
e.g.:
aws s3 sync . s3://my-bucket.com
If the files must stay publicly readable (not needed when the distribution reaches the bucket through an origin access identity; the objects can then stay private):
aws s3 sync . s3://my-bucket.com --acl public-read
To copy a single file:
aws s3 cp file1 s3://my-bucket.com/sub-folder/ --acl <ACL>
Sync and Invalidate at the Same Time:
aws s3 sync . s3://my-bucket.com --acl public-read && aws cloudfront create-invalidation --distribution-id Z2W2LX9VBMAPRX --paths '/*'
or in case you want to update a single file:
aws s3 cp file1 s3://my-bucket.com/sub-folder/ --acl public-read && aws cloudfront create-invalidation --distribution-id Z2W2LX9VBMAPRX --paths '/sub-folder/file1'
RDS
List Databases
aws rds describe-db-instances
or:
aws rds describe-db-instances --query 'DBInstances[].DBInstanceIdentifier'
List Public Databases
aws rds describe-db-instances --query 'DBInstances[?PubliclyAccessible==`true`].[DBInstanceIdentifier,Endpoint.Address]'
PubliclyAccessible is a JSON boolean, so the JMESPath filter must compare against the literal `true` (backticks), not the string "true", which never matches.
List Non Protected Databases (DeletionProtection)
aws rds describe-db-instances --query 'DBInstances[?DeletionProtection==`false`].DBInstanceIdentifier' --output text
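The same two checks as a small script over the JSON that aws rds describe-db-instances prints, as an added example that is not part of the original cheat sheet. It assumes only the documented field names (DBInstanceIdentifier, PubliclyAccessible, DeletionProtection, Endpoint.Address) and tolerates instances that are still being created; the sample data is constructed.

```python
"""Audit `aws rds describe-db-instances` output for publicly accessible and
non deletion-protected instances. Usage:
    aws rds describe-db-instances | python3 rds_audit.py
"""
import json
import sys


def audit_db_instances(describe_output):
    """Return {"public": [(id, endpoint)], "unprotected": [id]}.

    PubliclyAccessible and DeletionProtection are JSON booleans, which is why
    the equivalent JMESPath filter compares against `true`, not the string "true".
    """
    findings = {"public": [], "unprotected": []}
    for db in describe_output.get("DBInstances", []):
        ident = db.get("DBInstanceIdentifier", "<unknown>")
        # An instance in the "creating" state has no Endpoint yet.
        endpoint = (db.get("Endpoint") or {}).get("Address", "<no endpoint>")
        if db.get("PubliclyAccessible") is True:
            findings["public"].append((ident, endpoint))
        # A missing DeletionProtection field is treated as unprotected.
        if db.get("DeletionProtection") is not True:
            findings["unprotected"].append(ident)
    return findings


# Constructed sample in the shape the CLI returns (identifiers are made up).
SAMPLE = {
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-prod", "PubliclyAccessible": False,
         "DeletionProtection": True,
         "Endpoint": {"Address": "orders-prod.example.rds.amazonaws.com"}},
        {"DBInstanceIdentifier": "analytics-dev", "PubliclyAccessible": True,
         "DeletionProtection": False,
         "Endpoint": {"Address": "analytics-dev.example.rds.amazonaws.com"}},
        {"DBInstanceIdentifier": "scratch", "PubliclyAccessible": False},
    ]
}

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for category, items in audit_db_instances(data).items():
        for item in items:
            print(f"{category}: {item}")
```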
Describe the Automated Backups for a DB Instance
aws rds describe-db-instance-automated-backups --db-instance-identifier database-mysql
Create a DB Cluster
aws rds create-db-cluster \
--db-cluster-identifier mysql-cluster \
--engine aurora-mysql \
--engine-version 5.7.12 \
--master-username master \
--master-user-password xxxxxx \
--db-subnet-group-name default \
--vpc-security-group-ids sg-0130572b9daf3dc16
Create a DB Instance
aws rds create-db-instance \
--db-instance-identifier mysql-instance \
--db-instance-class db.t3.micro \
--engine mysql \
--master-username admin \
--master-user-password xxxxx \
--allocated-storage 40
Create a DB Security Group
aws rds create-db-security-group --db-security-group-name my-security-group --db-security-group-description "My Security Group"
Create a Read Replica
aws rds create-db-instance-read-replica \
--db-instance-identifier test-instance-repl \
--source-db-instance-identifier test-instance
Create a Custom DB Cluster Endpoint
aws rds create-db-cluster-endpoint \
--db-cluster-endpoint-identifier mycustomendpoint \
--endpoint-type reader \
--db-cluster-identifier mydbcluster \
--static-members dbinstance1 dbinstance2
Apply Tag to a DB
aws rds add-tags-to-resource \
--resource-name arn:aws:rds:us-east-1:123456789012:db:database-mysql \
--tags "[{\"Key\": \"Name\",\"Value\": \"MyDatabase\"},{\"Key\": \"Environment\",\"Value\": \"test\"}]"
Create a Cluster Snapshot
aws rds create-db-cluster-snapshot --db-cluster-identifier my-db-cluster --db-cluster-snapshot-identifier my-db-cluster-snapshot
Create a CloudWatch Alarm for a DB Instance
e.g.: alarm when the average CPU over the last 15 minutes is at or above 90%:
aws cloudwatch put-metric-alarm \
--alarm-name "my-alarm" \
--metric-name "CPUUtilization" \
--namespace "AWS/RDS" \
--statistic "Average" \
--period 300 \
--evaluation-periods 3 \
--threshold 90.0 \
--comparison-operator "GreaterThanOrEqualToThreshold" \
--dimensions "Name=DBInstanceIdentifier,Value=my-db-instance" \
--alarm-actions "<arn of sns resource>"
This evaluates the average CPUUtilization of the DB instance over periods of 300 seconds (5 minutes) across 3 evaluation periods: 5*3 = 15 minutes.
If the average in all three periods is equal to or above 90%, the alarm enters the ALARM state and notifies the SNS topic given in --alarm-actions.
Subscribe an email address or an SMS number to that SNS topic, otherwise nobody is notified.
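To make the period / statistic / evaluation-periods interplay concrete, here is an added example (not from the original cheat sheet) that simulates the alarm above in a simplified way: one-minute CPU samples are averaged into 300-second periods and the alarm fires only when all 3 evaluated periods are >= 90.0, i.e. CloudWatch's default of "datapoints to alarm" equal to the number of evaluation periods. The samples are constructed.

```python
"""Simplified simulation of the CloudWatch alarm defined with
--period 300 --evaluation-periods 3 --threshold 90.0 --statistic Average
--comparison-operator GreaterThanOrEqualToThreshold."""
PERIOD = 300            # --period 300 (seconds)
EVALUATION_PERIODS = 3  # --evaluation-periods 3
THRESHOLD = 90.0        # --threshold 90.0


def period_averages(samples, period=PERIOD):
    """Bucket (timestamp_seconds, value) samples into consecutive periods and
    return the per-period averages, oldest first (the Average statistic)."""
    buckets = {}
    for ts, value in samples:
        buckets.setdefault(ts // period, []).append(value)
    return [sum(v) / len(v) for _, v in sorted(buckets.items())]


def alarm_state(samples, threshold=THRESHOLD, evaluation_periods=EVALUATION_PERIODS):
    """Return ALARM, OK or INSUFFICIENT_DATA for GreaterThanOrEqualToThreshold,
    with datapoints-to-alarm defaulting to the number of evaluation periods."""
    averages = period_averages(samples)
    if len(averages) < evaluation_periods:
        return "INSUFFICIENT_DATA"       # fewer than 15 minutes of data
    window = averages[-evaluation_periods:]  # the last 3 periods = 15 minutes
    return "ALARM" if all(a >= threshold for a in window) else "OK"


# Constructed samples: one value per minute over 15 minutes starting at t=0.
SUSTAINED = [(60 * i, 91.0) for i in range(15)]                   # every period >= 90
SPIKE = [(60 * i, 99.0 if i < 10 else 80.0) for i in range(15)]   # last period averages 80
EXACT = [(60 * i, 90.0) for i in range(15)]                       # exactly 90 still breaches (>=)

if __name__ == "__main__":
    for name, s in [("sustained", SUSTAINED), ("spike", SPIKE), ("exact", EXACT)]:
        print(name, period_averages(s), alarm_state(s))
```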