AWS CLI Cheat Sheet
Table of Contents
- Volumes
- AMIs
- Lambda
- IAM
- S3 API
- VPC
- Subnets
- Internet Gateway
- NAT
- Route Tables
- CloudFront
- RDS
- List Databases
- List Public Databases
- List Non Protected Databases (DeletionProtection)
- Describe the Automated Backups for a DB Instance
- Create a DB Cluster
- Create a DB Instance
- Create a DB Security Group
- Create a Read Replica
- Create a Custom DB Cluster Endpoint
- Apply Tag to a DB
- Create a Cluster Snapshot
- Create a CloudWatch Alarm for a DB Instance
- Connect Deeper
Volumes
Describing volumes
aws ec2 describe-volumes
Describing filtered volumes:
aws ec2 describe-volumes --filters Name=status,Values=creating | available | in-use | deleting | deleted | error
e.g, describing all deleted volumes:
aws ec2 describe-volumes --filters Name=status,Values=deleted
Filters can be applied to the attachment status:
aws ec2 describe-volumes --filters Name=attachment.status,Values=attaching | attached | detaching | detached
e.g: describing all volumes with the status "attaching":
aws ec2 describe-volumes --filters Name=attachment.status,Values=attaching
This is the generic form. Use --profile <your_profile_name>
, if you have multiple AWS profiles or accounts.
aws ec2 describe-volumes --filters Name:'tag:Name',Values: ['some_values'] --profile <your_profile_name>
Describing volumes using a different aws user profile
aws ec2 describe-volumes --filters Name=status,Values=in-use --profile <your_profile_name>
Listing Available Volumes IDs
aws ec2 describe-volumes --filters Name=status,Values=available |grep VolumeId|awk '{print $2}' | tr '\n|,|"' ' '
With "profile":
aws ec2 describe-volumes --filters Name=status,Values=available --profile <your_profile_name>|grep VolumeId|awk '{print $2}' | tr '\n|,|"' ' '
Deleting a Volume
aws ec2 delete-volume --region <region> --volume-id <volume_id>
Deleting Unused Volumes.. Think Before You Type :-)
for x in $(aws ec2 describe-volumes --filters Name=status,Values=available --profile <your_profile_name>|grep VolumeId|awk '{print $2}' | tr ',|"' ' '); do aws ec2 delete-volume --region <region> --volume-id $x; done
With "profile":
for x in $(aws ec2 describe-volumes --filters Name=status,Values=available --profile <your_profile_name>|grep VolumeId|awk '{print $2}' | tr ',|"' ' '); do aws ec2 delete-volume --region <region> --volume-id $x --profile <your_profile_name>; done
Creating a Snapshot
aws ec2 create-snapshot --volume-id <vol-id>
aws ec2 create-snapshot --volume-id <vol-id> --description "snapshot-$(date +'%Y-%m-%d_%H-%M-%S')"
Creating an Image (AMI)
aws ec2 create-image --instance-id <instance_id> --name "image-$(date +'%Y-%m-%d_%H-%M-%S')" --description "image-$(date +'%Y-%m-%d_%H-%M-%S')"
Creating AMI Without Rebooting the Machine
aws ec2 create-image --instance-id <instance_id> --name "image-$(date +'%Y-%m-%d_%H-%M-%S')" --description "image-$(date +'%Y-%m-%d_%H-%M-%S')" --no-reboot
You are free to change the AMI name image-$(date +'%Y-%m-%d_%H-%M-%S')
to a name of your choice.
AMIs
Listing AMI(s)
aws ec2 describe-images
Describing AMI(s)
aws ec2 describe-images --image-ids <image_id> --profile <profile> --region <region>
e.g:
aws ec2 describe-images --image-ids ami-e24dfa9f --profile terraform --region eu-west-3
Listing Amazon AMIs
aws ec2 describe-images --owners amazon
Using Filters
e.g: Describing Windows AMIs that are backed by Amazon EBS.
aws ec2 describe-images --filters "Name=platform,Values=windows" "Name=root-device-type,Values=ebs"
e.g: Describing Ubuntu AMIs
aws ec2 describe-images --filters "Name=name,Values=ubuntu*"
Lambda
List Functions
aws lambda list-functions
Describe a Function
aws lambda get-function --function-name my-function
Invoke a Function
aws lambda invoke --function-name my-function --payload '{ "name": "Bob" }' response.json
Update a Function Code
aws lambda update-function-code --function-name my-function --zip-file fileb://my-function.zip
Publish a Version
aws lambda publish-version --function-name my-function
List Layers
Let's take this example in which we want to list information of layers that are compatible with Python 3.7 runtime.
aws lambda list-layers --compatible-runtime python3.7
Possible layers runtime:
nodejs
nodejs4.3
nodejs6.10
nodejs8.10
nodejs10.x
nodejs12.x
java8
java8.al2
java11
python2.7
python3.6
python3.7
python3.8
dotnetcore1.0
dotnetcore2.0
dotnetcore2.1
dotnetcore3.1
nodejs4.3-edge
go1.x
ruby2.5
ruby2.7
provided
provided.al2
List Aliases of a Function
aws lambda list-aliases --function-name my-function
Describe an Alias
aws lambda get-alias --function-name my-function --name LIVE
Create an Alias
aws lambda create-alias --function-name my-function --description "alias description goes here" --function-version 1 --name LIVE
Delete an Alias
aws lambda delete-alias --function-name my-function --name LIVE
List Function Tags
aws lambda list-tags --resource arn:aws:lambda:eu-west-1:xxxxxxxxxxx:function:my-function
Delete a Function
aws lambda delete-function --function-name my-function
Using AWS Lambda with Scheduled Events
sid=Sid$(date +%Y%m%d%H%M%S); aws lambda add-permission --statement-id $sid --action 'lambda:InvokeFunction' --principal events.amazonaws.com --source-arn arn:aws:events:<region>:<arn>:rule/AWSLambdaBasicExecutionRole --function-name function:<awsents> --region <region>
IAM
List Users
aws iam list-users
List Policies
aws iam list-policies
List Groups
aws iam list-groups
Get Users in a Group
aws iam get-group --group-name <group_name>
Describing a Policy
aws iam get-policy --policy-arn arn:aws:iam::aws:policy/<policy_name>
List Access Keys
aws iam list-access-keys
List Keys
aws iam list-access-keys
List the Access Key IDs for an IAM User
aws iam list-access-keys --user-name <user_name>
List the SSH Public Keys for a User
aws iam list-ssh-public-keys --user-name <user_name>
S3 API
Listing Buckets
aws s3api list-buckets
Or
aws s3 ls
e.g
aws s3 ls --profile eon01
Listing Only Bucket Names
aws s3api list-buckets --query 'Buckets[].Name'
Getting a Bucket Region
aws s3api get-bucket-location --bucket <bucket_name>
e.g
aws s3api get-bucket-location --bucket practicalaws.com
Listing the Content of a Bucket
aws s3 ls s3://<bucket_name> --region <region>
e.g
aws s3 ls s3://practicalaws.com
aws s3 ls s3://practicalaws.com --region eu-west-1
aws s3 ls s3://practicalaws.com --region eu-west-1 --profile eon01
Syncing a Local Folder with a Bucket
aws s3 sync <local_path> s3://<bucket_name>
e.g
aws s3 sync . s3://practicalaws.com --region eu-west-1
Copying Files
aws s3 cp <file_name> s3://<bucket_name>
Or:
aws s3 cp <file_name> s3://<bucket_name>/<folder_name>/
To copy all files from a filder, look at "Copying Folders". Or use the following example, where I copy the content of the folder "images (contains images) in the remote folder "images".
cd images
aws s3 cp . s3://saltstackfordevops.com/images --recursive --region us-east-2
Copying Folders
aws s3 cp <folder_name>/ s3://<bucket_name>/ --recursive
To exclude files:
aws s3 cp <folder_name>/ s3://<bucket_name>/ --recursive --exclude "<file_name_or_a_wildcard>"
e.g: To only include a certain type of files (PNG) and exclude others (JPG)
aws s3 cp practicalaws.com/ s3://practicalaws-backup/ --recursive --exclude "*.jpg" --include "*.png"
e.g: To exclude a folder
aws s3 cp practicalaws.com/ s3://practicalaws-backup/ --recursive --exclude ".git/*"
Removing a File from a Bucket
aws s3 rm s3://<bucket_name>/<object_name>
e.g
aws s3 rm s3://practicalaws.com/temp.txt
Deleting a Bucket
aws s3 rb s3://<bucket_name> --force
If the bucket is not empty, use --force.
e.g
aws s3 rb s3://practicalaws.com --force
Emptying a Bucket
aws s3 rm s3://<bucket_name>/<key_name> --recursive
e.g
In order to remove tempfiles/file1.txt and tempfiles/file2.txt from practicalaws.com bucket, use:
aws s3 rm s3://practicalaws.com/tempfiles --recursive
Remove all objects using:
aws s3 rm s3://practicalaws.com/tempfiles
Making a Public File Private
aws s3api put-object-acl --acl private --bucket <bucket-name> --key <file_name or file_path>
e.g:
aws s3api put-object-acl --acl private --bucket practicalaws.com --key image/logo.png
Making a Public bucket Private
aws s3 ls --recursive s3://<bucket-name> | cut -d' ' -f5- | awk '{print $NF}' | while read line; do
echo "$line"
aws s3api put-object-acl --acl private --bucket <bucket-name> --key "$line"
done
VPC
Creating A VPC
aws ec2 create-vpc --cidr-block <cidr_block> --regiosn <region>
e.g
aws ec2 create-vpc --cidr-block 10.0.0.0/16 --region eu-west-1
Allowing DNS hostnames
aws ec2 modify-vpc-attribute --vpc-id <vpc_id> --enable-dns-hostnames "{\"Value\":true}" --region <region>
Subnets
Creating A Subnet
aws ec2 create-subnet --vpc-id <vpc_id> --cidr-block <cidr_block> --availability-zone <availability_zone> --region <region>
Auto Assigning Public IPs To Instances In A Public Subnet
aws ec2 modify-subnet-attribute --subnet-id <subnet_id> --map-public-ip-on-launch --region <region>
Internet Gateway
Creating An IGW
aws ec2 create-internet-gateway --region <region>
Attaching An IGW to A VPC
aws ec2 attach-internet-gateway --internet-gateway-id <igw_id> --vpc-id <vpc_id> --region <region>
NAT
Setting Up A NAT Gateway
Allocate Elastic IP
aws ec2 allocate-address --domain vpc --region <region>
then use the AllocationId to create the NAT Gateway for the public zone in
aws ec2 create-nat-gateway --subnet-id <subnet_id> --allocation-id <allocation_id> --region <region>
Route Tables
Creating A Public Route Table
Create the Route Table:
aws ec2 create-route-table --vpc-id <vpc_id> --region <region>
then create a route for an Internet Gateway.
Now, use the outputted Route Table ID:
aws ec2 create-route --route-table-id <route_table_id> --destination-cidr-block 0.0.0.0/0 --gateway-id <igw_id> --region <region>
Finally, associate the public subnet with the Route Table
aws ec2 associate-route-table --route-table-id <route_table_id> --subnet-id <subnet_id> --region <region>
Creating A Private Route Tables
Create the Route Table
aws ec2 create-route-table --vpc-id <vpc_id> --region <region>
then create a route that points to a NAT Gateway
aws ec2 create-route --route-table-id <route_table_id> --destination-cidr-block 0.0.0.0/0 --nat-gateway-id <net_gateway_id> --region <region>
Finally, associate the subnet
aws ec2 associate-route-table --route-table-id <route_table_id> --subnet-id <subnet_id> --region <region>
CloudFront
Listing Distributions
In some cases, you need to setup this first:
aws configure set preview.cloudfront true
Then:
aws cloudfront list-distributions
Invalidating Files From a Distribution
To invalidate index and error HTML files from the distribution with the ID Z2W2LX9VBMAPRX:
aws cloudfront create-invalidation --distribution-id Z2W2LX9VBMAPRX --paths /index.html /error.html
To invalidate everything in the distribution:
aws cloudfront create-invalidation --distribution-id Z2W2LX9VBMAPRX --paths '/*'
Sync a Local Folder with a CLoudFront Distribution
CloudFront is "attached" to a bucket, you need to upload your files to the bucket.
e.g.:
aws s3 sync . s3://my-bucket.com
If you should keep the files public:
aws s3 sync . s3://my-bucket.com --acl public-read
To copy a single file, you need to:
aws s3 cp file1 s3://my-bucket.com/sub-folder/ --acl <ACL>
Sync and Invalidate at the Same Time:
aws s3 sync . s3://my-bucket.com --acl public-read && aws cloudfront create-invalidation --distribution-id Z2W2LX9VBMAPRX --paths '/*'
or in case you want to update a single file:
aws s3 cp file1 s3://my-bucket.com/sub-folder/ --acl public-read && aws cloudfront create-invalidation --distribution-id Z2W2LX9VBMAPRX --paths '/sub-folder/file1'
RDS
List Databases
aws rds describe-db-instances
or:
aws rds describe-db-instances --query 'DBInstances[].DBInstanceIdentifier'
List Public Databases
aws rds describe-db-instances --query 'DBInstances[?PubliclyAccessible=="true"].[DBInstanceIdentifier,Endpoint.Address]'
List Non Protected Databases (DeletionProtection)
aws rds describe-db-instances \
--query 'DBInstances[*].[DBInstanceIdentifier]' \
--output text \
| xargs -I {} bash -c 'if [[ $(aws rds describe-db-instances --db-instance-identifier {} --query '"'"'DBInstances[*].DeletionProtection'"'"' --output text) == False ]]; then echo {} ; fi'
Describe the Automated Backups for a DB Instance
aws rds describe-db-instance-automated-backups --db-instance-identifier database-mysql
Create a DB Cluster
aws rds create-db-cluster \
--db-cluster-identifier mysql-cluster \
--engine aurora-mysql \
--engine-version 5.7.12 \
--master-username master \
--master-user-password xxxxxx \
--db-subnet-group-name default \
--vpc-security-group-ids sg-0130572b9daf3dc16
Create a DB Instance
aws rds create-db-instance \
--db-instance-identifier mysql-instance \
--db-instance-class db.t3.micro \
--engine mysql \
--master-username admin \
--master-user-password xxxxx \
--allocated-storage 40
Create a DB Security Group
aws rds create-db-security-group --db-security-group-name my-security-group --db-security-group-description "My Security Group"
Create a Read Replica
aws rds create-db-instance-read-replica \
--db-instance-identifier test-instance-repl \
--source-db-instance-identifier test-instance
Create a Custom DB Cluster Endpoint
aws rds create-db-cluster-endpoint \
--db-cluster-endpoint-identifier mycustomendpoint \
--endpoint-type reader \
--db-cluster-identifier mydbcluster \
--static-members dbinstance1 dbinstance2
Apply Tag to a DB
aws rds add-tags-to-resource \
--resource-name arn:aws:rds:us-east-1:123456789012:db:database-mysql \
--tags "[{\"Key\": \"Name\",\"Value\": \"MyDatabase\"},{\"Key\": \"Environment\",\"Value\": \"test\"}]"
Create a Cluster Snapshot
aws rds create-db-cluster-snapshot --db-cluster-identifier my-db-cluster --db-cluster-snapshot-identifier my-db-cluster-snapshot
Create a CloudWatch Alarm for a DB Instance
e.g.: When average CPU for latest 15 minutes is above 90%
aws cloudwatch put-metric-alarm \
--alarm-name "my-alarm" \
--metric-name "CPUUtilization" \
--namespace "AWS/RDS" \
--statistic "Average" \
--period 300 \
--evaluation-periods 3 \
--threshold 90.0 \
--comparison-operator "GreaterThanOrEqualToThreshold" \
--dimensions "Name=DBInstanceIdentifier,Value=my-db-instance" \
--alarm-actions "<arn of sns resource>"
This will monitor the DB instance during a period of 300 seconds (5 minutes) during 3 evaluation periods: 5*3 = 15 minutes.
If in the three periods, the average is equal or more than 90%, then the alarm will trigger the SNS resource.
You should subscribe to the SNS resource you create by email or SMS.
Connect Deeper
This work was first published in Practical AWS course.
Join our online community FAUN and subscribe to our podcast The DevOps Fauncast.
Visit our publication The Chief I/O, subscribe to the newsletter and get cloud native insights from our contributors.