Overview

The AWS CLI (aws) is the standard tool for scripting AWS from the terminal or CI. This card groups commands by service. All examples assume AWS CLI v2 and a configured profile (aws configure or environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_DEFAULT_REGION). Add --profile <name> to any command to use a non-default profile. For secrets storage in CI, see github-secrets.

S3 commands

| Command | What it does |
| --- | --- |
| aws s3 ls | List all buckets. |
| aws s3 ls s3://my-bucket/prefix/ | List objects under a prefix. |
| aws s3 cp file.txt s3://my-bucket/file.txt | Upload a single file. |
| aws s3 cp s3://my-bucket/file.txt ./file.txt | Download a single file. |
| aws s3 sync ./dist s3://my-bucket/ | Sync a directory; skips unchanged files. |
| aws s3 sync s3://my-bucket/ ./backup | Download bucket to local directory. |
| aws s3 rm s3://my-bucket/file.txt | Delete a single object. |
| aws s3 rm s3://my-bucket/prefix/ --recursive | Delete all objects under a prefix. |
| aws s3 mb s3://new-bucket --region us-east-1 | Create a bucket. |
| aws s3 rb s3://empty-bucket | Delete an empty bucket. |
| aws s3 presign s3://my-bucket/file.txt --expires-in 3600 | Generate a pre-signed URL valid for 1 hour. |

# Sync with cache headers for static site deployment
aws s3 sync ./dist s3://my-bucket/ \
  --delete \
  --cache-control "max-age=31536000,public" \
  --exclude "index.html" \
  --exclude "*.json"
 
# Upload index.html with no-cache
aws s3 cp ./dist/index.html s3://my-bucket/index.html \
  --cache-control "no-cache,no-store"

EC2 commands

| Command | What it does |
| --- | --- |
| aws ec2 describe-instances | List all instances with full detail. |
| aws ec2 describe-instances --query "Reservations[*].Instances[*].[InstanceId,State.Name,PublicIpAddress]" --output table | Terse table of ID, state, IP. |
| aws ec2 start-instances --instance-ids i-0abc123 | Start a stopped instance. |
| aws ec2 stop-instances --instance-ids i-0abc123 | Stop a running instance. |
| aws ec2 terminate-instances --instance-ids i-0abc123 | Terminate (delete) an instance. |
| aws ec2 describe-security-groups --group-ids sg-0abc | Inspect a security group's rules. |
| aws ec2 describe-key-pairs | List SSH key pairs registered in EC2. |
| aws ec2 describe-images --owners self | List your custom AMIs. |

# Terse instance summary across all states
aws ec2 describe-instances \
  --query "Reservations[*].Instances[*].{ID:InstanceId,State:State.Name,IP:PublicIpAddress,Name:Tags[?Key=='Name']|[0].Value}" \
  --output table

Lambda commands

| Command | What it does |
| --- | --- |
| aws lambda list-functions | List all Lambda functions in the region. |
| aws lambda get-function --function-name my-fn | Function config and download URL. |
| aws lambda invoke --function-name my-fn --payload '{}' out.json | Invoke synchronously; response body goes to out.json. |
| aws lambda invoke --function-name my-fn --invocation-type Event --payload '{}' /dev/null | Async invoke; no response body. |
| aws lambda update-function-code --function-name my-fn --zip-file fileb://fn.zip | Deploy new code from a zip. |
| aws lambda update-function-configuration --function-name my-fn --timeout 30 | Change a configuration parameter. |
| aws lambda get-function-configuration --function-name my-fn | Read current memory, timeout, env vars. |
| aws logs tail /aws/lambda/my-fn --follow | Stream live Lambda logs (CloudWatch). |

# Invoke with a JSON payload from a file and print the decoded log tail.
# CLI v2 treats blob parameters as base64 by default; --cli-binary-format
# raw-in-base64-out makes it read event.json as raw JSON.
aws lambda invoke \
  --function-name my-fn \
  --cli-binary-format raw-in-base64-out \
  --payload file://event.json \
  --log-type Tail \
  --query 'LogResult' \
  --output text \
  out.json | base64 --decode

STS commands

Use STS to check your identity and assume roles.

| Command | What it does |
| --- | --- |
| aws sts get-caller-identity | Show the current account ID, user/role ARN, and user ID. |
| aws sts assume-role --role-arn arn:aws:iam::123:role/MyRole --role-session-name session1 | Assume a cross-account or privileged role; returns temporary credentials. |
| aws sts get-session-token --duration-seconds 3600 | Get temporary credentials for an IAM user; used with MFA. |

# Assume a role and export the temporary credentials to the shell.
# The command substitution is quoted so eval receives the output as one string.
eval "$(aws sts assume-role \
  --role-arn arn:aws:iam::123456789:role/DeployRole \
  --role-session-name deploy \
  --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
  --output text \
  | awk '{print "export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3}')"
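
The eval one-liner above runs whatever the pipeline prints as shell code. The following is an added example, not part of the original card: it loads the same three fields with read, so the output is only ever treated as data, and it rejects output that does not look like temporary credentials. The function name load_assumed_creds and the sample values are constructed for illustration.

```bash
# Added example: export assume-role output without eval.
# $1 is the single line printed by
#   aws sts assume-role ... \
#     --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
#     --output text
# that is, three whitespace-separated fields.
load_assumed_creds() {
  local akid secret token extra
  # read splits the line into fields as plain data; nothing is executed.
  read -r akid secret token extra <<EOF
$1
EOF
  # Exactly three fields; a failed call or a null query result ("None") has fewer.
  if [ -z "$token" ] || [ -n "$extra" ]; then
    echo "assume-role: expected 3 fields" >&2
    return 1
  fi
  # Temporary STS access key IDs start with ASIA (long-term keys start with AKIA).
  case $akid in
    ASIA*) ;;
    *) echo "assume-role: not a temporary access key ID" >&2; return 1 ;;
  esac
  # Assumption: all three values use only the base64 alphabet.
  case $akid$secret$token in
    *[!A-Za-z0-9/+=]*)
      echo "assume-role: unexpected characters in credentials" >&2
      return 1 ;;
  esac
  export AWS_ACCESS_KEY_ID="$akid"
  export AWS_SECRET_ACCESS_KEY="$secret"
  export AWS_SESSION_TOKEN="$token"
}

# Constructed sample line, not real credentials. In practice pass
# "$(aws sts assume-role ... --output text)" as the argument.
sample=$(printf 'ASIAEXAMPLE0001\tsecretEXAMPLE/abc+1\ttokenEXAMPLE/xyz==')
load_assumed_creds "$sample" && echo "loaded key $AWS_ACCESS_KEY_ID"
```

Call the function with the command substitution as its argument rather than piping into it; a pipe would run it in a subshell and the exports would be lost.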

IAM commands

| Command | What it does |
| --- | --- |
| aws iam list-users | List all IAM users. |
| aws iam get-user --user-name alice | User details and ARN. |
| aws iam list-attached-user-policies --user-name alice | Policies directly attached to a user. |
| aws iam list-roles | List all IAM roles. |
| aws iam get-role --role-name MyRole | Role trust policy and ARN. |
| aws iam simulate-principal-policy --policy-source-arn arn --action-names s3:PutObject --resource-arns arn:aws:s3:::bucket/* | Simulate whether an ARN can perform an action. |
| aws iam create-policy --policy-name MyPolicy --policy-document file://policy.json | Create a managed policy from a file. |

Common gotchas

  • aws s3 sync does not delete by default. Add --delete to remove objects in the destination that are absent from the source. Without it, old files accumulate.
  • --output table is for humans; --output json is for scripts. Use --query with JMESPath to filter before assigning to variables.
  • Lambda --payload in CLI v2 requires JSON as a string or file://path. Plain '{}' works in bash; quote carefully in CI environments.
  • aws sts get-caller-identity is the fastest way to confirm which credentials are active. Run it first when commands fail with access denied.
  • aws lambda invoke with --invocation-type Event always returns HTTP 202, even if the function fails. Check CloudWatch logs to diagnose async failures.
  • Region is required for most services. Set AWS_DEFAULT_REGION or --region on each command; the config file default can be wrong in CI.
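
Three of the gotchas above (check the identity first, use --query with machine-readable output in scripts, set the region explicitly) combine into a CI preflight step. This is an added example, not part of the original card; the function name aws_preflight and its exit codes are hypothetical.

```bash
# Added example: fail a CI job early unless the active credentials belong
# to the expected account and a region is set in the environment.
# Usage: aws_preflight <expected-12-digit-account-id>
aws_preflight() {
  local expected=$1 ident account arn

  # Do not rely on the config-file default region in CI.
  if [ -z "${AWS_DEFAULT_REGION:-}" ]; then
    echo "preflight: AWS_DEFAULT_REGION is not set" >&2
    return 2
  fi

  # One call, filtered with JMESPath; text output is "ACCOUNT<TAB>ARN".
  ident=$(aws sts get-caller-identity \
    --query '[Account,Arn]' --output text) || {
    echo "preflight: no valid credentials" >&2
    return 3
  }

  # Split the two fields as data.
  read -r account arn <<EOF
$ident
EOF

  if [ "$account" != "$expected" ]; then
    echo "preflight: active account is $account ($arn), expected $expected" >&2
    return 4
  fi

  echo "preflight ok: $arn in $AWS_DEFAULT_REGION"
}
```

Run it as the first step of a deploy job, for example `aws_preflight 111122223333 || exit 1`, where the account ID shown is a constructed placeholder.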