AWS CLI Cheatsheet
Профили и конфигурация
# ~/.aws/config
[profile prod]
sso_session = company
sso_account_id = 123456789
sso_role_name = AdministratorAccess
region = eu-west-1
[sso-session company]
sso_start_url = https://company.awsapps.com/start
sso_region = eu-west-1
sso_registration_scopes = sso:account:access
# Использование
aws sso login --profile prod
aws --profile prod sts get-caller-identity
export AWS_PROFILE=prod # для текущего shell
# Регион
aws configure get region
aws configure set region eu-west-1
Identity
aws sts get-caller-identity # кто я
aws iam list-account-aliases
aws sts assume-role --role-arn ... --role-session-name ...
S3
aws s3 ls
aws s3 ls s3://bucket/
aws s3 ls s3://bucket/prefix/ --recursive
aws s3 cp file.txt s3://bucket/
aws s3 cp s3://bucket/file.txt .
aws s3 sync ./local s3://bucket/path
aws s3 sync s3://bucket/path ./local --delete
aws s3 mb s3://my-bucket --region eu-west-1
aws s3 rb s3://my-bucket --force
# Pre-signed URL
aws s3 presign s3://bucket/file.txt --expires-in 3600
# API-уровень (s3api)
aws s3api list-objects-v2 --bucket B --prefix "logs/" --query 'Contents[?Size>`1000`]'
aws s3api put-bucket-versioning --bucket B --versioning-configuration Status=Enabled
aws s3api put-bucket-encryption --bucket B \
--server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'
EC2
aws ec2 describe-instances \
--query 'Reservations[].Instances[].[InstanceId,State.Name,Tags[?Key==`Name`].Value|[0]]' \
--output table
aws ec2 describe-instances --filters "Name=tag:Environment,Values=prod"
aws ec2 describe-instances --instance-ids i-1234567890abcdef0
aws ec2 start-instances --instance-ids i-...
aws ec2 stop-instances --instance-ids i-...
aws ec2 reboot-instances --instance-ids i-...
aws ec2 terminate-instances --instance-ids i-...
aws ec2 describe-images --owners 099720109477 \
--filters "Name=name,Values=ubuntu/images/hvm-ssd/ubuntu-noble-*"
# Security Groups
aws ec2 describe-security-groups
aws ec2 authorize-security-group-ingress --group-id sg-... --protocol tcp --port 443 --cidr 0.0.0.0/0
VPC
aws ec2 describe-vpcs
aws ec2 describe-subnets --filters "Name=vpc-id,Values=vpc-..."
aws ec2 describe-route-tables
aws ec2 describe-nat-gateways
aws ec2 describe-vpc-endpoints
IAM
aws iam list-users
aws iam list-roles
aws iam list-attached-role-policies --role-name MyRole
aws iam list-account-aliases
aws iam create-role --role-name app-role \
--assume-role-policy-document file://trust.json
aws iam attach-role-policy --role-name app-role \
--policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
# Симуляция policy
aws iam simulate-principal-policy \
--policy-source-arn arn:aws:iam::...:role/app-role \
--action-names s3:GetObject \
--resource-arns arn:aws:s3:::bucket/*
# Last accessed
aws iam generate-service-last-accessed-details --arn arn:aws:iam::...:role/app-role
aws iam get-service-last-accessed-details --job-id ...
EKS
aws eks list-clusters
aws eks describe-cluster --name prod
aws eks update-kubeconfig --name prod --region eu-west-1
aws eks list-nodegroups --cluster-name prod
RDS
aws rds describe-db-instances
aws rds describe-db-snapshots
aws rds create-db-snapshot --db-instance-identifier prod-db --db-snapshot-identifier backup-$(date +%Y%m%d)
aws rds modify-db-instance --db-instance-identifier prod-db --apply-immediately ...
Lambda
aws lambda list-functions
aws lambda invoke --function-name my-fn --payload '{"key":"value"}' out.json
aws lambda update-function-code --function-name my-fn --zip-file fileb://function.zip
aws lambda get-function --function-name my-fn
CloudWatch Logs
aws logs describe-log-groups
aws logs tail /aws/lambda/my-fn --follow
aws logs tail /aws/lambda/my-fn --since 1h --filter-pattern "ERROR"
aws logs filter-log-events --log-group-name /aws/lambda/my-fn \
--start-time $(date -d "1 hour ago" +%s)000
Secrets Manager / SSM Parameter Store
aws secretsmanager get-secret-value --secret-id prod/db/password \
--query SecretString --output text
aws ssm get-parameter --name /prod/api/key --with-decryption
aws ssm put-parameter --name /prod/api/key --value "secret" --type SecureString
aws ssm get-parameters-by-path --path /prod/ --recursive --with-decryption
Полезные паттерны
# JMESPath query — мощно
aws ec2 describe-instances \
--query 'Reservations[].Instances[?State.Name==`running`].[InstanceId, PrivateIpAddress]' \
--output text
# Pagination — для больших списков
aws s3api list-objects-v2 --bucket B --max-items 100
aws s3api list-objects-v2 --bucket B --starting-token $NEXT_TOKEN
# JSON output для парсинга
aws ec2 describe-instances --output json | jq '.Reservations[].Instances[].InstanceId'
# Через xargs для batch
aws ec2 describe-instances --query 'Reservations[].Instances[?State.Name==`stopped`].InstanceId' --output text | \
xargs -n1 aws ec2 terminate-instances --instance-ids
SSM Session Manager — SSH без портов
# Установить plugin
# https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html
aws ssm start-session --target i-1234567890abcdef0
aws ssm start-session --target i-... \
--document-name AWS-StartPortForwardingSession \
--parameters '{"portNumber":["3306"],"localPortNumber":["3306"]}'