Production-ready AWS CLI reference — EC2, S3, IAM, Lambda, and CloudWatch commands with JMESPath query filtering for daily cloud operations.
Configure credentials before running anything against a real account.
aws configure ## interactive setup, default profile
aws configure --profile prod-payments ## named profile
aws configure list ## show active config
aws sts get-caller-identity ## confirm which account/role is active
export AWS_PROFILE=prod-payments ## set profile for this shell session
aws --version
Parameter Breakdown:
- --profile: Targets a specific named credential set instead of default
- sts get-caller-identity: Always run this before any destructive command on prod
- AWS_PROFILE: Environment variable overrides --profile for the whole session

Inspect and manage compute instances.
aws ec2 describe-instances \
--filters Name=instance-state-name,Values=running
aws ec2 describe-instances \
--query "Reservations[].Instances[].[InstanceId,PublicIpAddress,State.Name]" \
--output table
aws ec2 start-instances --instance-ids i-0a1b2c3d4e5f67890
aws ec2 stop-instances --instance-ids i-0a1b2c3d4e5f67890
aws ec2 terminate-instances --instance-ids i-0a1b2c3d4e5f67890
aws ec2 describe-security-groups \
--filters Name=ip-permission.to-port,Values=22
Parameter Breakdown:
- --filters: Server-side filtering — cheaper and faster than filtering client-side
- --query: JMESPath expression to shape the JSON response before it's printed
- --output table: Human-readable table instead of raw JSON

Manage object storage from the command line.
aws s3 ls ## list buckets
aws s3 ls s3://razorpay-prod-backups/ ## list objects in a bucket
aws s3 cp ./report.csv s3://razorpay-prod-backups/reports/
aws s3 sync ./local-dir s3://razorpay-prod-backups/exports/
aws s3 rm s3://razorpay-prod-backups/reports/old-report.csv
aws s3api list-objects-v2 \
--bucket razorpay-prod-backups \
--query "Contents[].{Key:Key,Size:Size}" \
--output table
Parameter Breakdown:
- s3 sync: Copies only new or changed files — safe for repeated runs
- s3api: Lower-level API access for operations the high-level s3 commands don't expose
- cp vs sync: Use cp for single files, sync for whole directories

Audit and manage access control.
aws iam list-users
aws iam list-access-keys --user-name svc-orders-api
aws iam list-mfa-devices --user-name svc-orders-api
aws iam list-attached-user-policies --user-name svc-orders-api
aws iam get-role --role-name eks-node-role
aws iam simulate-principal-policy \
--policy-source-arn arn:aws:iam::123456789012:role/eks-node-role \
--action-names s3:GetObject
Parameter Breakdown:
- simulate-principal-policy: Tests whether a role can perform an action without actually running it
- list-access-keys: Audit for stale or unused access keys regularly

Deploy and inspect serverless functions.
aws lambda list-functions \
--query "Functions[].FunctionName"
aws lambda update-function-code \
--function-name process-payment-webhook \
--zip-file fileb://function.zip
aws lambda invoke \
--function-name process-payment-webhook \
--payload '{"orderId":"ord_9F3kP2"}' \
response.json
aws lambda get-function-configuration \
--function-name process-payment-webhook
Parameter Breakdown:
- update-function-code: Deploys new code without changing function configuration
- invoke: Synchronously calls the function and writes the response to a local file
- fileb://: Required prefix for binary file input like a zipped deployment package

Pull logs without opening the console.
aws logs describe-log-groups \
--query "logGroups[].logGroupName"
aws logs tail /aws/lambda/process-payment-webhook --follow
aws logs filter-log-events \
--log-group-name /aws/lambda/process-payment-webhook \
--filter-pattern "ERROR" \
--start-time $(date -d '1 hour ago' +%s000)
Parameter Breakdown:
- logs tail --follow: Streams new log entries live, similar to tail -f
- filter-pattern: Server-side text filter — avoids downloading and grepping huge log dumps
- --start-time: Epoch milliseconds — use date to compute relative windows

Container orchestration on AWS.
aws ecs list-clusters
aws ecs list-tasks --cluster prod-payments-cluster
aws ecs describe-services \
--cluster prod-payments-cluster \
--services orders-api-service
aws eks list-clusters
aws eks update-kubeconfig \
--name prod-eks --region ap-south-1
aws eks describe-cluster --name prod-eks \
--query "cluster.status"
Parameter Breakdown:
- eks update-kubeconfig: Writes EKS cluster credentials into your local kubeconfig for kubectl
- ecs describe-services: Shows desired vs running task count — first place to check a stuck deployment
- --region: Required if your default profile region doesn't match the cluster

Shape output server-side instead of piping to jq.
## Get only running instance IDs
aws ec2 describe-instances \
--query "Reservations[].Instances[?State.Name=='running'].InstanceId" \
--output text
## Get S3 objects larger than a threshold (filtered with a JMESPath expression)
aws s3api list-objects-v2 \
--bucket razorpay-prod-backups \
--query "Contents[?Size > \`1000000\`].Key"
## Format any output as a table
aws ec2 describe-instances --output table
Command Parameter Table:
| Output | Description |
|---|---|
| --output json | Default — full structured response |
| --output table | Human-readable, good for terminals |
| --output text | Tab-delimited, good for piping into other commands |

What to check first when a command fails.
## "Unable to locate credentials"
aws configure list ## confirm a profile is active
## "AccessDenied" on an otherwise valid command
aws sts get-caller-identity ## confirm you're the role you expect
aws iam simulate-principal-policy ... ## confirm the role actually has the permission
## Wrong region returned empty results
aws configure get region
aws ec2 describe-instances --region ap-south-1
## Debug the raw HTTP request/response
aws s3 ls --debug
Notes:
- --debug is verbose but the fastest way to see exactly what AWS rejected and why

Shortcuts worth adding to your dotfiles.
alias awswho='aws sts get-caller-identity'
alias aws-prod='aws --profile prod-payments'
alias aws-staging='aws --profile staging-payments'
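
A guard to sit beside these aliases, applying the earlier advice to run sts get-caller-identity before any destructive command on prod. It is an added example, not from the original page; aws_is_destructive, aws_guarded and AWS_EXPECTED_ACCOUNT are names assumed here, and it assumes the service and operation are the first two arguments.

```shell
# Added example (not from the original page); source it from your dotfiles.
# aws_is_destructive, aws_guarded and AWS_EXPECTED_ACCOUNT are assumed names.
# Assumes service and operation are the first two arguments; pick the
# profile with AWS_PROFILE rather than a leading --profile.

# Return 0 when the command can delete or stop resources.
# The pattern list is this example's choice; extend it for your services.
aws_is_destructive() {
  case "$1 $2" in
    "s3 rm"|"s3 rb"|"s3 mv") return 0 ;;
  esac
  case "$2" in
    delete-*|terminate-*|stop-*|remove-*) return 0 ;;
  esac
  # s3 sync only removes objects when --delete is passed
  if [ "$1 $2" = "s3 sync" ]; then
    for _arg in "$@"; do
      if [ "$_arg" = "--delete" ]; then return 0; fi
    done
  fi
  return 1
}

# Run "aws ARGS", but for destructive commands first require that the active
# credentials belong to the account named in AWS_EXPECTED_ACCOUNT.
aws_guarded() {
  if aws_is_destructive "$@"; then
    if [ -z "${AWS_EXPECTED_ACCOUNT:-}" ]; then
      echo "aws_guarded: set AWS_EXPECTED_ACCOUNT before destructive commands" >&2
      return 2
    fi
    _acct=$(aws sts get-caller-identity --query Account --output text 2>/dev/null) || {
      echo "aws_guarded: sts get-caller-identity failed, no usable credentials" >&2
      return 2
    }
    if [ "$_acct" != "$AWS_EXPECTED_ACCOUNT" ]; then
      echo "aws_guarded: active account is $_acct, expected $AWS_EXPECTED_ACCOUNT; refusing: aws $*" >&2
      return 1
    fi
  fi
  aws "$@"
}
```

Read-only commands pass straight through; only the destructive ones pay for the extra STS call.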
## Pipe any AWS CLI output through jq for complex transforms
aws ec2 describe-instances | jq -r \
'.Reservations[].Instances[] | "\(.InstanceId) \(.State.Name)"'
## Find all unattached EBS volumes (wasted spend)
aws ec2 describe-volumes \
--filters Name=status,Values=available \
--query "Volumes[].VolumeId"
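
The IAM section's advice to audit for stale access keys regularly, turned into a function that walks every user with list-users and list-access-keys. It is an added example, not from the original page; audit_access_keys, the action labels and the 90-day window in the comment are assumptions of this example.

```shell
# Added example (not from the original page). audit_access_keys is an assumed
# name; the cutoff is passed in, e.g. "$(date -d '90 days ago' +%F)"
# (90 days is an assumption, use your own rotation policy).
# Prints: UserName, AccessKeyId, creation date, action (tab-separated),
# where "rotate" marks an old Active key and "delete" an old Inactive one.
audit_access_keys() {
  _cutoff="$1"    # YYYY-MM-DD; keys created before this date are reported
  aws iam list-users --query "Users[].UserName" --output text |
    tr '\t' '\n' |
    while read -r _user; do
      [ -n "$_user" ] || continue
      aws iam list-access-keys --user-name "$_user" \
        --query "AccessKeyMetadata[].[UserName,AccessKeyId,Status,CreateDate]" \
        --output text
    done |
    awk -F '\t' -v cutoff="$_cutoff" '
      # CreateDate is ISO 8601, so its first 10 characters sort as a date
      NF >= 4 && substr($4, 1, 10) < cutoff {
        action = ($3 == "Active") ? "rotate" : "delete"
        print $1 "\t" $2 "\t" substr($4, 1, 10) "\t" action
      }'
}
```

Key age covers the "stale" half only; for "unused", aws iam get-access-key-last-used --access-key-id reports when a given key was last used.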