AWS cli cheatsheet

Section 1: General

aws [options] [parameters]

Options:

Turn on debug logging.

--debug (boolean)

Override command's default URL with the given URL.

--endpoint-url (string)

By default, the AWS CLI uses SSL when communicating with AWS services. For each SSL connection, the AWS CLI will verify SSL certificates. This option overrides the default behavior of verifying SSL certificates.

--no-verify-ssl (boolean)

Output format

--output (json/text/table)

A JMESPath query to use in filtering the response data.

--query (string)

Use a specific profile from your credential file.

--profile (string)

The region to use. Overrides config/env settings.

--region (string)

Display the version of this tool.

--version (string)

Section 2: Configure

Configures AWS CLI with AWS access keys. aws configure

Section 3: IAM

Lists all the iam users.

aws iam list-users

Lists all the iam groups.

aws iam list-groups

Lists all the iam roles.

aws iam list-roles

Lists all the iam policies.

aws iam list-policies

Creates an IAM user in the current account.

aws iam create-user --user-name

Creates an IAM group in the current account.

aws iam create-group --group-name

Creates an IAM role in the current account.

aws iam create-role --role-name --assume-role-policy-document file://

Creates an IAM policy in the current account.

aws iam create-policy --policy-name --policy-document file://

Lists policies attached to the group.

aws iam list-attached-group-policies --group-name

Lists policies attached to the role.

aws iam list-attached-role-policies --role-name

Lists policies attached to the user.

aws iam list-attached-user-policies --user-name

Lists managed policies attached to the group.

aws iam list-group-policies --group-name

Lists managed policies attached to the user.

aws iam list-user-policies --user-name

Lists managed policies attached to the role.

aws iam list-role-policies --role-name

Lists groups attached to the user.

aws iam list-groups-for-user --user-name

Lists signing certificates for the user.

aws iam list-signing-certificates --user-name

Lists public ssh keys for the user.

aws iam list-ssh-public-keys --user-name

Lists all virtual-mfa devices present.

aws iam list-virtual-mfa-devices

Retrieves information about the specified managed policy

aws iam get-policy --policy-arn --version-id

Retrieves information about the specified version of the specified managed policy, including the policy document.

aws iam get-policy-version --policy-arn arn:aws:iam::123456789012:policy/MyPolicy --version-id v2

Retrieves information about the specified IAM user.

aws iam get-user --user-name

Retrieves information about the specified role.

aws iam get-role --role-name

Retrieves information about the specified group.

aws iam get-group --group-name

Retrieves the specified inline policy document that is embedded in the specified IAM user.

aws iam get-user-policy --user-name --policy-name

Retrieves the specified inline policy document that is embedded with the specified IAM role.

aws iam get-role-policy --role-name --policy-name

Retrieves the specified inline policy document that is embedded with the specified IAM group.

aws iam get-group-policy --group-name --policy-name

Attaches the specified managed policy to the specified IAM group.

aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess --group-name Finance

Attaches the specified managed policy to the specified IAM role.

aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess --role-name ReadOnlyRole

Attaches the specified managed policy to the specified user.

aws iam attach-user-policy --policy-arn arn:aws:iam:ACCOUNT-ID:aws:policy/AdministratorAccess --user-name Alice

Creates a password for the specified IAM user.

aws iam create-login-profile --user-name --password

Retrieves the username and password creation date for the specified IAM user.

aws iam get-login-profile --user-name

Lists the instance profiles that have the specified path prefix.

aws iam list-instance-profiles

Retrieves information about the specified instance profile, including the instance profile's path, GUID, ARN, and role.

aws iam get-instance-profile --instance-profile-name ExampleInstanceProfile

Adds or updates an inline policy document that is embedded in the specified IAM group.

aws iam put-group-policy --group-name --policy-document file:// --policy-name

Adds or updates an inline policy document that is embedded in the specified IAM role.

aws iam put-role-policy --role-name --policy-name --policy-document file://

Adds or updates an inline policy document that is embedded in the specified IAM user.

aws iam put-user-policy --user-name --policy-name --policy-document file://

Removes the specified user from the specified group.

aws iam remove-user-from-group --user-name Bob --group-name Admins

Updates the name and/or the path of the specified IAM group.

aws iam update-group --group-name Test --new-group-name Test-1

Section 4: API Gateway

Gets information about the current Account resource.

aws apigateway get-account

Lists the RestApis resources for your collection.

aws apigateway get-rest-apis

Lists the RestApi resource in the collection.

aws apigateway get-rest-api

Gets information about the current ApiKeys resource.

aws apigateway get-api-keys

Gets information about the current ApiKey resource.

aws apigateway get-api-key --api-key

Describe an existing Method resource.

aws apigateway get-method --rest-api-id --http-method --resource-id

Describes a MethodResponse resource.

aws apigateway get-method-response --rest-api-id --resource-id --http-method --status-code

Describe an existing Authorizers resource.

aws apigateway get-authorizers --rest-api-id

Describe an existing Authorizer resource.

aws apigateway get-authorizer --rest-api-id --authorizer-id

Gets a collection of ClientCertificate resources.

aws apigateway get-client-certificates

Lists information about a collection of Resource resources.

aws apigateway get-resources --rest-api-id

Lists information about a resource.

aws apigateway get-resource --rest-api-id --resource-id

Gets a collection of ClientCertificate resources.

aws apigateway get-client-certificates

Gets information about the current ClientCertificate resource.

aws apigateway get-client-certificate --client-certificate-id

Get the integration settings.

aws apigateway get-integration --rest-api-id --resource-id --http-method

Represents a get integration response.

aws apigateway get-integration-response --rest-api-id --resource-id --http-method --status-code 200

Gets all the usage plans of the caller's account.

aws apigateway get-usage-plans

Gets a usage plan of a given plan identifier.

aws apigateway get-usage-plan --usage-plan-id

Gets all the usage plan keys representing the API keys added to a specified usage plan.

aws apigateway get-usage-plan-keys --usage-plan-id

Gets a usage plan key of a given key identifier.

aws apigateway get-usage-plan-key --usage-plan-id --key-id

Add a method to an existing Resource resource.

aws apigateway put-method --rest-api-id --resource-id --http-method --authorization-type "NONE" --no-api-key-required --request-parameters "method.request.header.custom-header=false"

updates an existing API with an input of external API definitions.

aws apigateway put-rest-api --rest-api-id --mode overwrite --body 'file:///'

Create an ApiKey resource.

aws apigateway create-api-key --name '' --description '' --enabled --stage-keys restApiId='',stageName=''

Creates a new RestApi resource.

aws apigateway create-rest-api --name '' --description ''

Changes information about an ApiKey resource.

aws apigateway update-api-key --api-key

Changes information about the specified API.

aws apigateway update-rest-api --rest-api-id

Section 5: Lambda

Returns a list of aliases for a Lambda function.

aws lambda list-aliases --function-name

Returns details about a Lambda function alias.

aws lambda get-alias --function-name --name

Returns a list of Lambda functions, with the version-specific configuration of each.

aws lambda list-functions

Returns information about the function or function version.

aws lambda get-function --function-name

Returns the resource-based IAM policy for a function, version, or alias.

aws lambda get-policy --function-name

Lists AWS Lambda layers and shows information about the latest version of each.

aws lambda list-layers

Returns information about a version of an AWS Lambda layer.

aws lambda get-layer-version --layer-name --version-number

Returns information about a version of an AWS Lambda layer

aws lambda get-layer-version-by-arn --arn

Returns the permission policy for a version of an AWS Lambda layer.

aws lambda get-layer-version-policy --layer-name --version-number

Lists event source mappings.

aws lambda list-event-source-mappings

Invokes a Lambda function.

aws lambda invoke --function-name

Retrieves details about your account's limits and usage in an AWS Region.

aws lambda get-account-settings

Returns a list of code signing configurations.

aws lambda list-code-signing-configs

Returns information about the specified code signing configuration.

aws lambda get-code-signing-config --code-signing-config-arn

Returns a list of versions , with the version-specific configuration of each.

aws lambda list-versions-by-function --function-name

Creates a Lambda function.

aws lambda create-function --function-name --runtime --zip-file fileb:// --handler evil.handler --role

Creates an alias for a Lambda function version.

aws lambda --function-name --name --function-version

Creates an AWS Lambda layer from a ZIP archive.

aws lambda publish-layer-version --layer-name

Creates a version from the current code and configuration of a function.

aws lambda publish-version --function-name

Updates the configuration of a Lambda function alias.

aws lambda update-alias --function-name

Updates an event source mapping.

aws lambda update-event-source-mapping --uuid

Deletes a Lambda function alias.

aws lambda delete-alias --function-name --name

Deletes a Lambda function.

aws lambda delete-function --function-name

Deletes a version of an AWS Lambda layer.

aws lambda delete-layer-version --layer-name --version-number

Deletes an event source mapping.

aws lambda delete-event-source-mapping --uuid

Section 6: Databases

RDS:

Returns a list of the available DB engines.

aws rds describe-db-engine-versions

Lists all of the attributes for a customer account.

aws rds describe-account-attributes

Returns information about provisioned Aurora DB clusters.

aws rds describe-db-clusters

Returns a list of DBClusterParameterGroup descriptions.

aws rds describe-db-cluster-parameter-groups

Returns the detailed parameter list for a particular DB cluster parameter group.

aws rds describe-db-cluster-parameters --db-cluster-parameter-group-name

Returns information about DB cluster snapshots.

aws rds describe-db-cluster-snapshots

Returns a list of DB cluster snapshot attribute names and values for a manual DB cluster snapshot.

aws rds describe-db-cluster-snapshot-attributes --db-cluster-snapshot-identifier

Returns information about provisioned RDS instances.

aws rds describe-db-instances

Returns a list of DBSecurityGroup descriptions.

aws rds describe-db-security-groups

Returns a list of DBSubnetGroup descriptions.

aws rds describe-db-subnet-groups

Lists the set of CA certificates provided by Amazon RDS for this AWS account.

aws rds describe-certificates

Returns information about endpoints for an Amazon Aurora DB cluster.

aws rds describe-db-cluster-endpoints

Returns events related to DB instances, DB clusters, DB parameter groups, DB security groups, DB snapshots, and DB cluster snapshots

aws rds describe-events

Returns a list of the source AWS Regions where the current AWS Region can create a read replica, copy a DB snapshot from, or replicate automated backups from.

aws rds describe-source-regions

Returns a list of DB log files for the DB instance.

aws rds describe-db-log-files --db-instance-identifier

Modifies an existing option group.

aws rds add-option-to-option-group --option-group-name

Associates an Identity and Access Management (IAM) role from an Amazon Aurora DB cluster.

aws rds add-role-to-db-cluster --db-cluster-identifier

Creates a new Amazon Aurora DB cluster.

aws rds create-db-cluster --db-cluster-identifier --engine

Creates a new DB instance.

aws rds create-db-instance --db-cluster-identifier --engine --db-instance-class

Creates a snapshot of a DB instance.

aws rds create-db-snapshot --db-snapshot-identifier --db-instance-identifier

Creates a new DB subnet group.

aws rds create-db-subnet-group --db-subnet-group-name --db-subnet-group-description --subnet-ids

Override the system-default Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate for Amazon RDS for new DB instances temporarily.

aws rds modify-certificates --certificate-identifier

Modify a setting for an Amazon Aurora DB cluster.

aws rds modify-db-cluster --db-cluster-identifier

Modifies settings for a DB instance.

aws rds modify-db-instance --db-instance-identifier

Updates a manual DB snapshot with a new engine version.

aws rds modify-db-snapshot --db-snapshot-identifier --engine-version

Creates a new DB cluster from a DB snapshot or DB cluster snapshot.

aws rds restore-db-cluster-from-snapshot --db-cluster-identifier --snapshot-identifier --engine

Stops an Amazon RDS DB instance.

aws rds stop-db-instance --db-instance-identifier

Document DB:

Creates a new Amazon DocumentDB cluster.

aws docdb create-db-cluster --db-cluster-identifier --db-cluster-identifier --engine --master-username --master-user-password --preferred-maintenance-window

Creates a new DB instance.

aws docdb create-db-instance --db-cluster-identifier --engine --db-instance-class

Returns information about provisioned DocumentDB instances.

aws docdb describe-db-instances

Returns information about provisioned Amazon DocumentDB clusters.

aws rds describe-db-clusters

Returns a list of DBClusterParameterGroup descriptions.

aws docdb describe-db-cluster-parameter-groups

Returns the detailed parameter list for a particular DB cluster parameter group.

aws docdb describe-db-cluster-parameters --db-cluster-parameter-group-name

Returns information about DB cluster snapshots.

aws docdb describe-db-cluster-snapshots

Returns a list of DB cluster snapshot attribute names and values for a manual DB cluster snapshot.

aws docdb describe-db-cluster-snapshot-attributes --db-cluster-snapshot-identifier

Returns a list of the available engines.

aws docdb describe-db-engine-versions

Returns a list of DBSubnetGroup descriptions.

aws docdb describe-db-subnet-groups

Returns events related to DB instances, DB clusters, DB parameter groups, DB security groups, DB snapshots, and DB cluster snapshots.

aws docdb describe-events

DynamoDB:

To perform batch reads and writes on data stored in DynamoDB.

aws dynamodb batch-execute-statement --statements

The BatchGetItem operation returns the attributes of one or more items from one or more tables.

aws dynamodb batch-get-item --request-items

Puts or deletes multiple items in one or more tables.

aws dynamodb batch-write-item --request-items

Adds a new table to your account. In an AWS account.

aws dynamodb create-table --attribute-definitions --table-name --key-schema

Describes an existing backup of a table.

aws dynamodb describe-backup --backup-arn

Returns information about the table, including the current status of the table.

aws dynamodb describe-table --table-name

Returns the current provisioned-capacity quotas for your AWS account in a Region.

aws dynamodb describe-limits

This operation allows you to perform reads and singleton writes on data stored in DynamoDB.

aws dynamodb execute-statement --statement

This operation allows you to perform transactional reads or writes on data stored in DynamoDB.

aws dynamodb execute-transaction --transact-statements

The GetItem operation returns a set of attributes for the item with the given primary key.

aws dynamodb get-item --table-name --key

List backups associated with an AWS account.

aws dynamodb list-backups

Lists completed exports within the past 90 days.

aws dynamodb list-exports

Returns an array of table names associated with the current account and endpoint.

aws dynamodb list-tables

Creates a new item, or replaces an old item with a new item.

aws dynamodb put-item --table-name --item

Creates a new table from an existing backup.

aws dynamodb restore-table-from-backup --target-table-name --backup-arn

Returns one or more items and item attributes by accessing every item in a table

aws dynamodb scan --table-name

Edits an existing item's attributes, or adds a new item to the table if it does not already exist.

aws dynamodb update-item --table-name --key

Modifies the provisioned throughput settings, global secondary indexes, or DynamoDB Streams settings for a given table.

aws dynamodb update-table --table-name

Section 6: S3

Copies a local file or S3 object to another location locally or in S3.

aws s3 cp or or

List S3 objects and common prefixes under a prefix or all S3 buckets.

aws s3 ls

Creates an S3 bucket.

aws s3 mb

Moves a local file or S3 object to another location locally or in S3.

aws s3 mv or or

Generate a pre-signed URL for an Amazon S3 object.

aws s3 presign

Deletes an empty S3 bucket.

aws s3 rb

Deletes an S3 object.

aws s3 rm

Syncs directories and S3 prefixes.

aws s3 sync or or

Set the website configuration for a bucket.

aws s3 website

List buckets.

aws s3api list-buckets

List bucket objects.

aws s3api list-objects --bucket

Retrieves bucket location.

aws s3api get-bucket-location --bucket

Returns some or all (up to 1,000) of the objects in a bucket.

aws s3api list-objects-v2 --bucket data-extractor-repo

List object versions.

aws s3api list-object-versions --bucket

Return the ACL of the bucket.

aws s3api get-bucket-acl --bucket

Returns the cors configuration information set for the bucket.

aws s3api get-bucket-cors --bucket

Returns the logging status of a bucket and the permissions users have to view and modify that status.

aws s3api get-bucket-logging --bucket

Retrieves the policy status for an Amazon S3 bucket.

aws s3api get-bucket-policy-status --bucket

Returns the policy of a specified bucket.

aws s3api get-bucket-policy --bucket

Retrieves OwnershipControls for an Amazon S3 bucket.

aws s3api get-bucket-ownership-controls --bucket

Retrieves objects from Amazon S3.

aws s3api get-object --bucket --key

Returns the access control list (ACL) of an object.

aws s3api get-object-acl --bucket --key

Returns the tag-set of an object.

aws s3api get-object-tagging --bucket --key

Retrieves the PublicAccessBlock configuration for an Amazon S3 bucket.

aws s3api get-public-access-block --bucket

Sets the permissions on an existing bucket using access control lists (ACL).

aws s3api put-bucket-acl --bucket --access-control-policy file://

Sets the cors configuration for the bucket.

aws s3api put-bucket-cors --bucket --cors-configuration

Applies an Amazon S3 bucket policy to an Amazon S3 bucket.

aws s3api put-bucket-policy --bucket --policy file://

Use tags to organize your AWS bill to reflect your own cost structure.

aws s3api put-bucket-tagging --bucket --tagging

Adds an object to a bucket.

aws s3api put-object --bucket --key --body

Uses the acl subresource to set the access control list (ACL) permissions for a new or existing object for s3 bucket.

aws s3api put-object-acl --bucket --key --access-control-policy file://

Sets the supplied tag-set to an object that already exists in a bucket.

aws s3api put-object-tagging --bucket --key --tagging

Creates or modifies OwnershipControls for an Amazon S3 bucket.

aws s3api put-bucket-ownership-controls --bucket --ownership-controls

Creates a copy of an object that is already stored in Amazon S3.

aws s3api copy-object --bucket --copy-source --key

Creates a new S3 bucket.

aws s3api create-bucket --bucket

Deletes the S3 bucket.

aws s3api delete-bucket --bucket

Deletes the S3 bucket cors configuration information set.

aws s3api delete-bucket-cors --bucket

Delete the policy of a specified bucket.

aws s3api delete-bucket-policy --bucket

Deletes the tags from the bucket.

aws s3api delete-bucket-tagging --bucket

Removes the null version (if there is one) of an object and inserts a delete marker.

aws s3api delete-bucket-tagging --bucket --key

Delete multiple objects from a bucket using a single HTTP request.

aws s3api delete-bucket-tagging --bucket --delete file://

Removes OwnershipControls for an Amazon S3 bucket.

aws s3api delete-bucket-ownership-controls --bucket