AWS CLI cheatsheet
Section 1: General
aws [options] <command> <subcommand> [parameters]
Options:
Turn on debug logging.
--debug (boolean)
Override command's default URL with the given URL.
--endpoint-url (string)
By default, the AWS CLI uses SSL when communicating with AWS services. For each SSL connection, the AWS CLI will verify SSL certificates. This option overrides the default behavior of verifying SSL certificates.
--no-verify-ssl (boolean)
Output format
--output (json/text/table)
A JMESPath query to use in filtering the response data.
--query (string)
Use a specific profile from your credential file.
--profile (string)
The region to use. Overrides config/env settings.
--region (string)
Display the version of this tool.
--version (string)
Section 2: Configure
Configures AWS CLI with AWS access keys.
aws configure
Section 3: IAM
Lists all the IAM users.
aws iam list-users
Lists all the IAM groups.
aws iam list-groups
Lists all the IAM roles.
aws iam list-roles
Lists all the IAM policies.
aws iam list-policies
Creates an IAM user in the current account.
aws iam create-user --user-name
Creates an IAM group in the current account.
aws iam create-group --group-name
Creates an IAM role in the current account.
aws iam create-role --role-name --assume-role-policy-document file://
Creates an IAM policy in the current account.
aws iam create-policy --policy-name --policy-document file://
Lists policies attached to the group.
aws iam list-attached-group-policies --group-name
Lists policies attached to the role.
aws iam list-attached-role-policies --role-name
Lists policies attached to the user.
aws iam list-attached-user-policies --user-name
Lists the names of the inline policies embedded in the group.
aws iam list-group-policies --group-name
Lists the names of the inline policies embedded in the user.
aws iam list-user-policies --user-name
Lists the names of the inline policies embedded in the role.
aws iam list-role-policies --role-name
Lists groups attached to the user.
aws iam list-groups-for-user --user-name
Lists signing certificates for the user.
aws iam list-signing-certificates --user-name
Lists public SSH keys for the user.
aws iam list-ssh-public-keys --user-name
Lists all virtual MFA devices present.
aws iam list-virtual-mfa-devices
Retrieves information about the specified managed policy.
aws iam get-policy --policy-arn
Retrieves information about the specified version of the specified managed policy, including the policy document.
aws iam get-policy-version --policy-arn arn:aws:iam::123456789012:policy/MyPolicy --version-id v2
Retrieves information about the specified IAM user.
aws iam get-user --user-name
Retrieves information about the specified role.
aws iam get-role --role-name
Retrieves information about the specified group.
aws iam get-group --group-name
Retrieves the specified inline policy document that is embedded in the specified IAM user.
aws iam get-user-policy --user-name --policy-name
Retrieves the specified inline policy document that is embedded with the specified IAM role.
aws iam get-role-policy --role-name --policy-name
Retrieves the specified inline policy document that is embedded with the specified IAM group.
aws iam get-group-policy --group-name --policy-name
Attaches the specified managed policy to the specified IAM group.
aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess --group-name Finance
Attaches the specified managed policy to the specified IAM role.
aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess --role-name ReadOnlyRole
Attaches the specified managed policy to the specified user.
aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --user-name Alice
Creates a password for the specified IAM user.
aws iam create-login-profile --user-name --password
Retrieves the username and password creation date for the specified IAM user.
aws iam get-login-profile --user-name
Lists the instance profiles that have the specified path prefix.
aws iam list-instance-profiles
Retrieves information about the specified instance profile, including the instance profile's path, GUID, ARN, and role.
aws iam get-instance-profile --instance-profile-name ExampleInstanceProfile
Adds or updates an inline policy document that is embedded in the specified IAM group.
aws iam put-group-policy --group-name --policy-document file:// --policy-name
Adds or updates an inline policy document that is embedded in the specified IAM role.
aws iam put-role-policy --role-name --policy-name --policy-document file://
Adds or updates an inline policy document that is embedded in the specified IAM user.
aws iam put-user-policy --user-name --policy-name --policy-document file://
Removes the specified user from the specified group.
aws iam remove-user-from-group --user-name Bob --group-name Admins
Updates the name and/or the path of the specified IAM group.
aws iam update-group --group-name Test --new-group-name Test-1
Section 4: API Gateway
Gets information about the current Account resource.
aws apigateway get-account
Lists the RestApis resources for your collection.
aws apigateway get-rest-apis
Lists the RestApi resource in the collection.
aws apigateway get-rest-api --rest-api-id
Gets information about the current ApiKeys resource.
aws apigateway get-api-keys
Gets information about the current ApiKey resource.
aws apigateway get-api-key --api-key
Describe an existing Method resource.
aws apigateway get-method --rest-api-id --http-method --resource-id
Describes a MethodResponse resource.
aws apigateway get-method-response --rest-api-id --resource-id --http-method --status-code
Describe an existing Authorizers resource.
aws apigateway get-authorizers --rest-api-id
Describe an existing Authorizer resource.
aws apigateway get-authorizer --rest-api-id --authorizer-id
Gets a collection of ClientCertificate resources.
aws apigateway get-client-certificates
Lists information about a collection of Resource resources.
aws apigateway get-resources --rest-api-id
Lists information about a resource.
aws apigateway get-resource --rest-api-id --resource-id
Gets information about the current ClientCertificate resource.
aws apigateway get-client-certificate --client-certificate-id
Get the integration settings.
aws apigateway get-integration --rest-api-id --resource-id --http-method
Represents a get integration response.
aws apigateway get-integration-response --rest-api-id --resource-id --http-method --status-code 200
Gets all the usage plans of the caller's account.
aws apigateway get-usage-plans
Gets a usage plan of a given plan identifier.
aws apigateway get-usage-plan --usage-plan-id
Gets all the usage plan keys representing the API keys added to a specified usage plan.
aws apigateway get-usage-plan-keys --usage-plan-id
Gets a usage plan key of a given key identifier.
aws apigateway get-usage-plan-key --usage-plan-id --key-id
Add a method to an existing Resource resource.
aws apigateway put-method --rest-api-id --resource-id --http-method --authorization-type "NONE" --no-api-key-required --request-parameters "method.request.header.custom-header=false"
Updates an existing API with an input of external API definitions.
aws apigateway put-rest-api --rest-api-id --mode overwrite --body 'file:///'
Create an ApiKey resource.
aws apigateway create-api-key --name '' --description '' --enabled --stage-keys restApiId='',stageName=''
Creates a new RestApi resource.
aws apigateway create-rest-api --name '' --description ''
Changes information about an ApiKey resource.
aws apigateway update-api-key --api-key
Changes information about the specified API.
aws apigateway update-rest-api --rest-api-id
Section 5: Lambda
Returns a list of aliases for a Lambda function.
aws lambda list-aliases --function-name
Returns details about a Lambda function alias.
aws lambda get-alias --function-name --name
Returns a list of Lambda functions, with the version-specific configuration of each.
aws lambda list-functions
Returns information about the function or function version.
aws lambda get-function --function-name
Returns the resource-based IAM policy for a function, version, or alias.
aws lambda get-policy --function-name
Lists AWS Lambda layers and shows information about the latest version of each.
aws lambda list-layers
Returns information about a version of an AWS Lambda layer.
aws lambda get-layer-version --layer-name --version-number
Returns information about a version of an AWS Lambda layer, identified by its ARN.
aws lambda get-layer-version-by-arn --arn
Returns the permission policy for a version of an AWS Lambda layer.
aws lambda get-layer-version-policy --layer-name --version-number
Lists event source mappings.
aws lambda list-event-source-mappings
Invokes a Lambda function.
aws lambda invoke --function-name
Retrieves details about your account's limits and usage in an AWS Region.
aws lambda get-account-settings
Returns a list of code signing configurations.
aws lambda list-code-signing-configs
Returns information about the specified code signing configuration.
aws lambda get-code-signing-config --code-signing-config-arn
Returns a list of versions, with the version-specific configuration of each.
aws lambda list-versions-by-function --function-name
Creates a Lambda function.
aws lambda create-function --function-name --runtime --zip-file fileb:// --handler evil.handler --role
Creates an alias for a Lambda function version.
aws lambda create-alias --function-name --name --function-version
Creates an AWS Lambda layer from a ZIP archive.
aws lambda publish-layer-version --layer-name
Creates a version from the current code and configuration of a function.
aws lambda publish-version --function-name
Updates the configuration of a Lambda function alias.
aws lambda update-alias --function-name
Updates an event source mapping.
aws lambda update-event-source-mapping --uuid
Deletes a Lambda function alias.
aws lambda delete-alias --function-name --name
Deletes a Lambda function.
aws lambda delete-function --function-name
Deletes a version of an AWS Lambda layer.
aws lambda delete-layer-version --layer-name --version-number
Deletes an event source mapping.
aws lambda delete-event-source-mapping --uuid
Section 6: Databases
RDS:
Returns a list of the available DB engines.
aws rds describe-db-engine-versions
Lists all of the attributes for a customer account.
aws rds describe-account-attributes
Returns information about provisioned Aurora DB clusters.
aws rds describe-db-clusters
Returns a list of DBClusterParameterGroup descriptions.
aws rds describe-db-cluster-parameter-groups
Returns the detailed parameter list for a particular DB cluster parameter group.
aws rds describe-db-cluster-parameters --db-cluster-parameter-group-name
Returns information about DB cluster snapshots.
aws rds describe-db-cluster-snapshots
Returns a list of DB cluster snapshot attribute names and values for a manual DB cluster snapshot.
aws rds describe-db-cluster-snapshot-attributes --db-cluster-snapshot-identifier
Returns information about provisioned RDS instances.
aws rds describe-db-instances
Returns a list of DBSecurityGroup descriptions.
aws rds describe-db-security-groups
Returns a list of DBSubnetGroup descriptions.
aws rds describe-db-subnet-groups
Lists the set of CA certificates provided by Amazon RDS for this AWS account.
aws rds describe-certificates
Returns information about endpoints for an Amazon Aurora DB cluster.
aws rds describe-db-cluster-endpoints
Returns events related to DB instances, DB clusters, DB parameter groups, DB security groups, DB snapshots, and DB cluster snapshots.
aws rds describe-events
Returns a list of the source AWS Regions where the current AWS Region can create a read replica, copy a DB snapshot from, or replicate automated backups from.
aws rds describe-source-regions
Returns a list of DB log files for the DB instance.
aws rds describe-db-log-files --db-instance-identifier
Modifies an existing option group.
aws rds add-option-to-option-group --option-group-name
Associates an Identity and Access Management (IAM) role with an Amazon Aurora DB cluster.
aws rds add-role-to-db-cluster --db-cluster-identifier
Creates a new Amazon Aurora DB cluster.
aws rds create-db-cluster --db-cluster-identifier --engine
Creates a new DB instance.
aws rds create-db-instance --db-instance-identifier --db-cluster-identifier --engine --db-instance-class
Creates a snapshot of a DB instance.
aws rds create-db-snapshot --db-snapshot-identifier --db-instance-identifier
Creates a new DB subnet group.
aws rds create-db-subnet-group --db-subnet-group-name --db-subnet-group-description --subnet-ids
Override the system-default Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate for Amazon RDS for new DB instances temporarily.
aws rds modify-certificates --certificate-identifier
Modify a setting for an Amazon Aurora DB cluster.
aws rds modify-db-cluster --db-cluster-identifier
Modifies settings for a DB instance.
aws rds modify-db-instance --db-instance-identifier
Updates a manual DB snapshot with a new engine version.
aws rds modify-db-snapshot --db-snapshot-identifier --engine-version
Creates a new DB cluster from a DB snapshot or DB cluster snapshot.
aws rds restore-db-cluster-from-snapshot --db-cluster-identifier --snapshot-identifier --engine
Stops an Amazon RDS DB instance.
aws rds stop-db-instance --db-instance-identifier
Document DB:
Creates a new Amazon DocumentDB cluster.
aws docdb create-db-cluster --db-cluster-identifier --engine --master-username --master-user-password --preferred-maintenance-window
Creates a new DB instance.
aws docdb create-db-instance --db-instance-identifier --db-cluster-identifier --engine --db-instance-class
Returns information about provisioned DocumentDB instances.
aws docdb describe-db-instances
Returns information about provisioned Amazon DocumentDB clusters.
aws docdb describe-db-clusters
Returns a list of DBClusterParameterGroup descriptions.
aws docdb describe-db-cluster-parameter-groups
Returns the detailed parameter list for a particular DB cluster parameter group.
aws docdb describe-db-cluster-parameters --db-cluster-parameter-group-name
Returns information about DB cluster snapshots.
aws docdb describe-db-cluster-snapshots
Returns a list of DB cluster snapshot attribute names and values for a manual DB cluster snapshot.
aws docdb describe-db-cluster-snapshot-attributes --db-cluster-snapshot-identifier
Returns a list of the available engines.
aws docdb describe-db-engine-versions
Returns a list of DBSubnetGroup descriptions.
aws docdb describe-db-subnet-groups
Returns events related to DB instances, DB clusters, DB parameter groups, DB security groups, DB snapshots, and DB cluster snapshots.
aws docdb describe-events
DynamoDB:
Performs batch reads and writes on data stored in DynamoDB.
aws dynamodb batch-execute-statement --statements
The BatchGetItem operation returns the attributes of one or more items from one or more tables.
aws dynamodb batch-get-item --request-items
Puts or deletes multiple items in one or more tables.
aws dynamodb batch-write-item --request-items
Adds a new table to your account. In an AWS account.
aws dynamodb create-table --attribute-definitions --table-name --key-schema
Describes an existing backup of a table.
aws dynamodb describe-backup --backup-arn
Returns information about the table, including the current status of the table.
aws dynamodb describe-table --table-name
Returns the current provisioned-capacity quotas for your AWS account in a Region.
aws dynamodb describe-limits
This operation allows you to perform reads and singleton writes on data stored in DynamoDB.
aws dynamodb execute-statement --statement
This operation allows you to perform transactional reads or writes on data stored in DynamoDB.
aws dynamodb execute-transaction --transact-statements
The GetItem operation returns a set of attributes for the item with the given primary key.
aws dynamodb get-item --table-name --key
List backups associated with an AWS account.
aws dynamodb list-backups
Lists completed exports within the past 90 days.
aws dynamodb list-exports
Returns an array of table names associated with the current account and endpoint.
aws dynamodb list-tables
Creates a new item, or replaces an old item with a new item.
aws dynamodb put-item --table-name --item
Creates a new table from an existing backup.
aws dynamodb restore-table-from-backup --target-table-name --backup-arn
Returns one or more items and item attributes by accessing every item in a table.
aws dynamodb scan --table-name
Edits an existing item's attributes, or adds a new item to the table if it does not already exist.
aws dynamodb update-item --table-name --key
Modifies the provisioned throughput settings, global secondary indexes, or DynamoDB Streams settings for a given table.
aws dynamodb update-table --table-name
Section 7: S3
Copies a local file or S3 object to another location locally or in S3.
aws s3 cp <LocalPath> <S3Uri> or <S3Uri> <LocalPath> or <S3Uri> <S3Uri>
List S3 objects and common prefixes under a prefix or all S3 buckets.
aws s3 ls
Creates an S3 bucket.
aws s3 mb
Moves a local file or S3 object to another location locally or in S3.
aws s3 mv <LocalPath> <S3Uri> or <S3Uri> <LocalPath> or <S3Uri> <S3Uri>
Generate a pre-signed URL for an Amazon S3 object.
aws s3 presign
Deletes an empty S3 bucket.
aws s3 rb
Deletes an S3 object.
aws s3 rm
Syncs directories and S3 prefixes.
aws s3 sync <LocalPath> <S3Uri> or <S3Uri> <LocalPath> or <S3Uri> <S3Uri>
Set the website configuration for a bucket.
aws s3 website
List buckets.
aws s3api list-buckets
List bucket objects.
aws s3api list-objects --bucket
Retrieves bucket location.
aws s3api get-bucket-location --bucket
Returns some or all (up to 1,000) of the objects in a bucket.
aws s3api list-objects-v2 --bucket data-extractor-repo
List object versions.
aws s3api list-object-versions --bucket
Return the ACL of the bucket.
aws s3api get-bucket-acl --bucket
Returns the CORS configuration information set for the bucket.
aws s3api get-bucket-cors --bucket
Returns the logging status of a bucket and the permissions users have to view and modify that status.
aws s3api get-bucket-logging --bucket
Retrieves the policy status for an Amazon S3 bucket.
aws s3api get-bucket-policy-status --bucket
Returns the policy of a specified bucket.
aws s3api get-bucket-policy --bucket
Retrieves OwnershipControls for an Amazon S3 bucket.
aws s3api get-bucket-ownership-controls --bucket
Retrieves objects from Amazon S3.
aws s3api get-object --bucket --key
Returns the access control list (ACL) of an object.
aws s3api get-object-acl --bucket --key
Returns the tag-set of an object.
aws s3api get-object-tagging --bucket --key
Retrieves the PublicAccessBlock configuration for an Amazon S3 bucket.
aws s3api get-public-access-block --bucket
Sets the permissions on an existing bucket using access control lists (ACL).
aws s3api put-bucket-acl --bucket --access-control-policy file://
Sets the CORS configuration for the bucket.
aws s3api put-bucket-cors --bucket --cors-configuration
Applies an Amazon S3 bucket policy to an Amazon S3 bucket.
aws s3api put-bucket-policy --bucket --policy file://
Sets the tags for a bucket. Use tags to organize your AWS bill to reflect your own cost structure.
aws s3api put-bucket-tagging --bucket --tagging
Adds an object to a bucket.
aws s3api put-object --bucket --key --body
Uses the acl subresource to set the access control list (ACL) permissions for a new or existing object in an S3 bucket.
aws s3api put-object-acl --bucket --key --access-control-policy file://
Sets the supplied tag-set to an object that already exists in a bucket.
aws s3api put-object-tagging --bucket --key --tagging
Creates or modifies OwnershipControls for an Amazon S3 bucket.
aws s3api put-bucket-ownership-controls --bucket --ownership-controls
Creates a copy of an object that is already stored in Amazon S3.
aws s3api copy-object --bucket --copy-source --key
Creates a new S3 bucket.
aws s3api create-bucket --bucket
Deletes the S3 bucket.
aws s3api delete-bucket --bucket
Deletes the CORS configuration information set for the S3 bucket.
aws s3api delete-bucket-cors --bucket
Delete the policy of a specified bucket.
aws s3api delete-bucket-policy --bucket
Deletes the tags from the bucket.
aws s3api delete-bucket-tagging --bucket
Removes the null version (if there is one) of an object and inserts a delete marker.
aws s3api delete-object --bucket --key
Delete multiple objects from a bucket using a single HTTP request.
aws s3api delete-objects --bucket --delete file://
Removes OwnershipControls for an Amazon S3 bucket.
aws s3api delete-bucket-ownership-controls --bucket