AWS CLI Cheat Sheet 2026: 50+ Commands for S3, EC2, IAM & More
Stop hunting through AWS documentation every time you need a command. This cheat sheet covers the 50+ AWS CLI commands every DevOps engineer and cloud developer uses daily - from S3 and EC2 to IAM, Lambda, ECS, RDS, and CloudWatch.
The Problem: AWS CLI Has Thousands of Commands
The AWS CLI has over 200 services and thousands of subcommands. In practice, you use maybe 5% of them regularly. The other 95% are buried in documentation that takes 10 minutes to navigate every time you need to check a flag. This cheat sheet is the 5% you actually need, organized by service so you can find commands instantly.
This guide covers AWS CLI v2, which is the current version. If you are still on v1, upgrade with pip3 install --upgrade awscli or download the installer from AWS.
Installation and Configuration
Before any commands work, you need the CLI installed and configured with credentials.
# Install on macOS
brew install awscli
# Install on Linux
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip && sudo ./aws/install
# Verify installation
aws --version
# Configure credentials (interactive)
aws configure
# Configure a named profile
aws configure --profile mycompany
# Use a named profile for a command
aws s3 ls --profile mycompany
# Set default region without re-running configure
export AWS_DEFAULT_REGION=us-east-1
# Check your current identity
aws sts get-caller-identity
The aws configure command prompts for your Access Key ID, Secret Access Key, default region, and output format. Credentials are stored in ~/.aws/credentials and config in ~/.aws/config.
S3 Commands
S3 is probably the most commonly used AWS service from the CLI. The high-level aws s3 commands are simpler for most tasks; use aws s3api for lower-level control.
# List all buckets
aws s3 ls
# List contents of a bucket
aws s3 ls s3://my-bucket/
aws s3 ls s3://my-bucket/prefix/ --recursive
# Copy a file up to S3
aws s3 cp local-file.txt s3://my-bucket/
# Copy a file down from S3
aws s3 cp s3://my-bucket/file.txt ./local-file.txt
# Sync a local directory to S3 (--delete removes objects in the bucket that are not in ./dist)
aws s3 sync ./dist s3://my-bucket/dist --delete
# Sync S3 to local
aws s3 sync s3://my-bucket/backups ./backups
# Remove a file
aws s3 rm s3://my-bucket/old-file.txt
# Remove all files with a prefix
aws s3 rm s3://my-bucket/logs/ --recursive
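# Make a file publicly readable to anyone on the internet (rejected if the bucket has ACLs disabled or Block Public Access enabled)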
aws s3api put-object-acl --bucket my-bucket --key file.txt --acl public-read
# Generate a pre-signed URL (valid 1 hour; anyone who has the URL can fetch the object until it expires)
aws s3 presign s3://my-bucket/private-file.zip --expires-in 3600
# Get bucket size
aws s3 ls s3://my-bucket --recursive --human-readable --summarize | tail -2
EC2 Commands
EC2 commands let you query and control instances. The --query flag uses JMESPath expressions to filter output, and --output table makes results readable in the terminal.
# List running instances (clean table format)
aws ec2 describe-instances \
--query 'Reservations[].Instances[].{ID:InstanceId,State:State.Name,IP:PublicIpAddress,Name:Tags[?Key==`Name`].Value|[0]}' \
--output table
# Filter by state
aws ec2 describe-instances \
--filters "Name=instance-state-name,Values=running" \
--query 'Reservations[].Instances[].InstanceId' \
--output text
# Start / stop / terminate instances
aws ec2 start-instances --instance-ids i-0abc123
aws ec2 stop-instances --instance-ids i-0abc123
aws ec2 terminate-instances --instance-ids i-0abc123
# Reboot an instance
aws ec2 reboot-instances --instance-ids i-0abc123
# Describe security groups
aws ec2 describe-security-groups \
--query 'SecurityGroups[].{ID:GroupId,Name:GroupName}' \
--output table
# Add an inbound rule (open port 443 to the world)
aws ec2 authorize-security-group-ingress \
--group-id sg-0abc123 \
--protocol tcp --port 443 --cidr 0.0.0.0/0
# Get available AMIs (Amazon Linux 2023)
aws ec2 describe-images \
--owners amazon \
--filters "Name=name,Values=al2023-ami-*" "Name=architecture,Values=x86_64" \
--query 'sort_by(Images,&CreationDate)[-1].ImageId' \
--output text
IAM Commands
IAM management from the CLI is essential for automation. Never create access keys for long-running services - use IAM roles instead. But for scripts and local development, these commands are invaluable.
# List all IAM users
aws iam list-users --query 'Users[].{User:UserName,Created:CreateDate}' --output table
# Create a new user
aws iam create-user --user-name deploy-bot
# Attach a managed policy to a user
aws iam attach-user-policy \
--user-name deploy-bot \
--policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
# List policies attached to a user
aws iam list-attached-user-policies --user-name deploy-bot
# Create an access key for a user (the secret key appears only in this response)
aws iam create-access-key --user-name deploy-bot
# List roles
aws iam list-roles --query 'Roles[].{Name:RoleName,ARN:Arn}' --output table
# Get the trust policy of a role
aws iam get-role --role-name my-role --query 'Role.AssumeRolePolicyDocument'
# List groups
aws iam list-groups
# Add user to group
aws iam add-user-to-group --user-name alice --group-name developers
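To back up the advice above about avoiding long-lived access keys, here is an added example (not part of the original cheat sheet) that lists active keys created before a cutoff date. The function names and sample rows are constructed for illustration; the live audit assumes permission for iam:ListUsers and iam:ListAccessKeys.

```shell
#!/bin/sh
# Added example: find active IAM access keys created before a cutoff date.
# stale_keys, audit_access_keys and sample_keys are illustrative names.

# Reads tab-separated rows (UserName, AccessKeyId, Status, CreateDate) on stdin
# and prints the Active ones whose CreateDate sorts before the cutoff.
# ISO 8601 timestamps in one timezone compare correctly as plain strings.
stale_keys() {
  awk -F '\t' -v cutoff="$1" \
    '$3 == "Active" && ($4 "") < (cutoff "") { print $1 "\t" $2 "\t" $4 }'
}

# Live audit: one list-access-keys call per user, filtered by stale_keys.
audit_access_keys() {
  for user in $(aws iam list-users --query 'Users[].UserName' --output text); do
    aws iam list-access-keys --user-name "$user" \
      --query 'AccessKeyMetadata[].[UserName,AccessKeyId,Status,CreateDate]' \
      --output text
  done | stale_keys "$1"
}

# Constructed sample rows in the shape the query above returns.
sample_keys() {
  printf 'alice\tAKIAEXAMPLE0000000001\tActive\t2022-03-01T09:00:00+00:00\n'
  printf 'alice\tAKIAEXAMPLE0000000002\tInactive\t2021-01-10T09:00:00+00:00\n'
  printf 'deploy-bot\tAKIAEXAMPLE0000000003\tActive\t2026-02-20T14:30:00+00:00\n'
}

# Offline demonstration on the sample; for a real account run:
#   audit_access_keys 2025-09-01
sample_keys | stale_keys 2025-09-01
```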
Lambda Commands
Deploying and invoking Lambda functions from the CLI is common in CI/CD pipelines. The --payload and --log-type Tail flags are especially useful for debugging.
# List all Lambda functions
aws lambda list-functions \
--query 'Functions[].{Name:FunctionName,Runtime:Runtime,Updated:LastModified}' \
--output table
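# Invoke a function synchronously
# (CLI v2 reads --payload as base64 by default; --cli-binary-format lets you pass raw JSON)
aws lambda invoke \
--function-name my-function \
--cli-binary-format raw-in-base64-out \
--payload '{"key": "value"}' \
--log-type Tail \
output.json
# Decode the base64 log output
aws lambda invoke \
--function-name my-function \
--cli-binary-format raw-in-base64-out \
--payload '{}' \
--log-type Tail \
--query 'LogResult' \
--output text \
/dev/null | base64 --decode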
# Deploy updated code (zip file)
zip -r function.zip .
aws lambda update-function-code \
--function-name my-function \
--zip-file fileb://function.zip
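# Update environment variables (replaces the full set of variables on the function;
# the quotes stop the shell from brace-expanding the value)
aws lambda update-function-configuration \
--function-name my-function \
--environment "Variables={DB_HOST=prod.db.internal,DEBUG=false}"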
# Get function configuration
aws lambda get-function-configuration --function-name my-function
ECS Commands
ECS is commonly used for containerised workloads. These commands let you inspect clusters, services, and trigger new deployments.
# List ECS clusters
aws ecs list-clusters
# List services in a cluster
aws ecs list-services --cluster my-cluster
# Describe a service
aws ecs describe-services \
--cluster my-cluster \
--services my-service \
--query 'services[0].{Status:status,Running:runningCount,Desired:desiredCount,Task:taskDefinition}'
# Force a new deployment (rolling restart)
aws ecs update-service \
--cluster my-cluster \
--service my-service \
--force-new-deployment
# List running tasks
aws ecs list-tasks --cluster my-cluster --service-name my-service
# Describe tasks (get container IPs, status)
aws ecs describe-tasks \
--cluster my-cluster \
--tasks $(aws ecs list-tasks --cluster my-cluster --service-name my-service --query 'taskArns[0]' --output text)
# Register a new task definition revision
aws ecs register-task-definition --cli-input-json file://task-def.json
RDS Commands
RDS commands are useful for inspecting database instances, managing snapshots, and checking connection endpoints without logging into the console.
# List all DB instances
aws rds describe-db-instances \
--query 'DBInstances[].{ID:DBInstanceIdentifier,Status:DBInstanceStatus,Engine:Engine,Endpoint:Endpoint.Address}' \
--output table
# Create a manual snapshot
aws rds create-db-snapshot \
--db-instance-identifier my-db \
--db-snapshot-identifier my-db-snapshot-$(date +%Y%m%d)
# List snapshots
aws rds describe-db-snapshots \
--db-instance-identifier my-db \
--query 'DBSnapshots[].{ID:DBSnapshotIdentifier,Status:Status,Created:SnapshotCreateTime}' \
--output table
# Reboot a DB instance
aws rds reboot-db-instance --db-instance-identifier my-db
# Modify instance class (requires maintenance window or apply immediately)
aws rds modify-db-instance \
--db-instance-identifier my-db \
--db-instance-class db.t3.medium \
--apply-immediately
CloudWatch Commands
CloudWatch CLI commands are essential for checking logs and metrics without opening the console. The get-log-events command in particular saves time when debugging Lambda and ECS issues.
# List log groups
aws logs describe-log-groups \
--query 'logGroups[].{Name:logGroupName,Size:storedBytes}' \
--output table
# List log streams in a group
aws logs describe-log-streams \
--log-group-name /aws/lambda/my-function \
--order-by LastEventTime \
--descending \
--max-items 5
# Get recent log events
aws logs get-log-events \
--log-group-name /aws/lambda/my-function \
--log-stream-name "2026/03/26/[\$LATEST]abc123" \
--limit 50
# Live tail logs (requires AWS CLI v2.15+)
aws logs tail /aws/lambda/my-function --follow
# Get a metric statistic (CPU utilization last hour)
# date -v-1H is the macOS/BSD form; on GNU/Linux use: date -u -d '1 hour ago' +%Y-%m-%dT%H:%M:%SZ
aws cloudwatch get-metric-statistics \
--namespace AWS/EC2 \
--metric-name CPUUtilization \
--dimensions Name=InstanceId,Value=i-0abc123 \
--start-time $(date -u -v-1H +%Y-%m-%dT%H:%M:%SZ) \
--end-time $(date -u +%Y-%m-%dT%H:%M:%SZ) \
--period 300 \
--statistics Average
Useful Global Flags
These flags work across all AWS CLI commands and dramatically improve usability:
--output json - Default. Machine-readable JSON output
--output table - Human-readable tabular output, great for terminals
--output text - Tab-separated text, useful for shell scripting
--query 'expression' - JMESPath filter applied to the JSON response before output
--region us-west-2 - Override the default region for a single command
--profile myprofile - Use a named credentials profile
--no-cli-pager - Disable the pager (useful in scripts)
--dry-run - Available on many EC2 commands; checks permissions without executing
--debug - Print full HTTP request/response for troubleshooting
Productivity Tips
Use --query to avoid grep
Instead of piping to grep or jq, the --query flag filters JSON responses natively. JMESPath expressions can filter arrays, select fields, and sort results. For example, --query 'Reservations[].Instances[?State.Name==`running`].InstanceId' returns only running instance IDs.
Set output format per session
If you prefer table output for interactive work, set it as an environment variable: export AWS_DEFAULT_OUTPUT=table. Your scripts should always explicitly specify --output json or --output text to avoid being affected by this variable.
Use AWS CLI auto-completion
Add auto-completion to bash or zsh so you can tab-complete service names and subcommands:
# Add to ~/.bashrc or ~/.zshrc
# In zsh, put this line before it: autoload -Uz bashcompinit && bashcompinit
complete -C '/usr/local/bin/aws_completer' aws
Pipe JSON output to jq for complex queries
For transformations that JMESPath cannot handle elegantly, pipe to jq:
# Get instance IDs and their Name tags as key=value pairs
aws ec2 describe-instances \
--query 'Reservations[].Instances[]' \
--output json | \
jq -r '.[] | "\(.InstanceId) \(.Tags[]? | select(.Key=="Name") | .Value)"'
Frequently Asked Questions
How do I install AWS CLI v2 on macOS?
The easiest way on macOS is brew install awscli. Alternatively, download the official .pkg installer from the AWS documentation. After installation, run aws --version to confirm it shows version 2.x. AWS CLI v1 is still installable via pip but v2 is recommended for all new setups.
How do I switch between multiple AWS accounts or regions?
Use named profiles. Run aws configure --profile staging to create a profile, then pass --profile staging to any command. You can also set the AWS_PROFILE environment variable to avoid typing --profile on every command: export AWS_PROFILE=staging. For regions, set AWS_DEFAULT_REGION or use --region per command.
What is the difference between aws s3 and aws s3api?
The aws s3 commands are high-level wrappers that handle multipart uploads, recursive operations, and sync logic automatically. The aws s3api commands map 1:1 to the S3 REST API and give you full control over every parameter. For most day-to-day tasks like copying, syncing, and listing, use aws s3. Use aws s3api when you need to set ACLs, manage bucket policies, or access features not exposed by the high-level commands.
How do I format AWS CLI output as a table?
Add --output table to any command. Combine it with --query to select only the fields you want: aws ec2 describe-instances --query 'Reservations[].Instances[].{ID:InstanceId,State:State.Name}' --output table. For permanent table output, add output = table to your ~/.aws/config file under the relevant profile.
Why does my AWS CLI command return "An error occurred (UnauthorizedOperation)"?
This means your IAM user or role does not have permission to perform the action. Check the exact action in the error message (e.g., ec2:DescribeInstances), then attach a policy granting that permission to your user or role. Use aws sts get-caller-identity to confirm which identity is being used. If you have multiple profiles configured, make sure you are using the right one with --profile.
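The identity check described in the answers above can be made automatic before destructive commands such as sync --delete or terminate-instances. This is an added example, not part of the original cheat sheet; run_in_account is an illustrative name and the account ID is a placeholder.

```shell
#!/bin/sh
# Added example: refuse to run a command unless the active credentials belong
# to the expected AWS account. run_in_account is an illustrative name.
# Usage: run_in_account EXPECTED_ACCOUNT_ID command [args...]
run_in_account() {
  expected=$1
  shift
  # Ask STS which account the current profile/credentials resolve to.
  actual=$(aws sts get-caller-identity --query Account --output text) || {
    echo "could not resolve caller identity; not running: $*" >&2
    return 2
  }
  if [ "$actual" != "$expected" ]; then
    echo "credentials are for account $actual, expected $expected; not running: $*" >&2
    return 1
  fi
  # Identity matches: run the wrapped command with its arguments untouched.
  "$@"
}

# Example (placeholder account ID; bucket name as used elsewhere on this page):
#   export AWS_PROFILE=staging
#   run_in_account 111122223333 aws s3 sync ./dist s3://my-bucket/dist --delete
```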
How do I run AWS CLI commands in a CI/CD pipeline?
In GitHub Actions, use the aws-actions/configure-aws-credentials action with OIDC (preferred) or access keys stored as secrets. In other CI systems, set AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_DEFAULT_REGION as environment variables. Never hardcode credentials in pipeline configuration files. Use IAM roles with the minimum permissions required.
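The OIDC option works because the IAM role's trust policy names GitHub's OIDC provider and pins which repository and branch may assume the role. This added example (not from the original page) generates such a trust policy; the function name, account ID, repository and role name are placeholders, and it assumes the provider token.actions.githubusercontent.com is already registered in the account.

```shell
#!/bin/sh
# Added example: emit an IAM trust policy that lets one GitHub repo branch
# assume a role through OIDC, so no access keys are stored in CI.
# Usage: github_oidc_trust_policy ACCOUNT_ID OWNER/REPO BRANCH
github_oidc_trust_policy() {
  account=$1 repo=$2 branch=$3
  # Account IDs are exactly 12 digits.
  case $account in ''|*[!0-9]*) echo "bad account id" >&2; return 1 ;; esac
  [ "${#account}" -eq 12 ] || { echo "bad account id" >&2; return 1; }
  # Require OWNER/REPO and reject wildcards or other unexpected characters,
  # which would let more repositories match than intended.
  case $repo in */*) ;; *) echo "repo must be OWNER/REPO" >&2; return 1 ;; esac
  case $repo in *[!A-Za-z0-9._/-]*) echo "bad repo name" >&2; return 1 ;; esac
  case $branch in ''|*[!A-Za-z0-9._/-]*) echo "bad branch" >&2; return 1 ;; esac
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::${account}:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
      "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
      "token.actions.githubusercontent.com:sub": "repo:${repo}:ref:refs/heads/${branch}"
    }}
  }]
}
EOF
}

# Offline demonstration with placeholder values. To create the role:
#   github_oidc_trust_policy 111122223333 example-org/example-repo main > trust.json
#   aws iam create-role --role-name ci-deploy \
#     --assume-role-policy-document file://trust.json
github_oidc_trust_policy 111122223333 example-org/example-repo main
```

Attach only the permissions the pipeline needs to the resulting role; the trust policy controls who may assume it, not what it can do.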
Summary
This cheat sheet covers the commands you will reach for every day: configuring credentials, managing S3 buckets, querying EC2 instances, administering IAM, deploying Lambda functions, managing ECS services, working with RDS snapshots, and reading CloudWatch logs. Bookmark this page and save yourself the documentation hunt.
Usman has 10+ years of experience securing enterprise infrastructure, managing high-traffic servers, and building zero-knowledge security tools.