AWS CLI Cheatsheet

Профили и конфигурация

# ~/.aws/config
[profile prod]
sso_session = company
sso_account_id = 123456789
sso_role_name = AdministratorAccess
region = eu-west-1

[sso-session company]
sso_start_url = https://company.awsapps.com/start
sso_region = eu-west-1
sso_registration_scopes = sso:account:access

# Использование
aws sso login --profile prod
aws --profile prod sts get-caller-identity
export AWS_PROFILE=prod         # для текущего shell

# Регион
aws configure get region
aws configure set region eu-west-1

Identity

aws sts get-caller-identity                # кто я
aws iam list-account-aliases
aws sts assume-role --role-arn ... --role-session-name ...

S3

aws s3 ls
aws s3 ls s3://bucket/
aws s3 ls s3://bucket/prefix/ --recursive

aws s3 cp file.txt s3://bucket/
aws s3 cp s3://bucket/file.txt .
aws s3 sync ./local s3://bucket/path
aws s3 sync s3://bucket/path ./local --delete

aws s3 mb s3://my-bucket --region eu-west-1
aws s3 rb s3://my-bucket --force

# Pre-signed URL
aws s3 presign s3://bucket/file.txt --expires-in 3600

# API-уровень (s3api)
aws s3api list-objects-v2 --bucket B --prefix "logs/" --query 'Contents[?Size>`1000`]'
aws s3api put-bucket-versioning --bucket B --versioning-configuration Status=Enabled
aws s3api put-bucket-encryption --bucket B \
  --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'

EC2

aws ec2 describe-instances \
  --query 'Reservations[].Instances[].[InstanceId,State.Name,Tags[?Key==`Name`].Value|[0]]' \
  --output table

aws ec2 describe-instances --filters "Name=tag:Environment,Values=prod"
aws ec2 describe-instances --instance-ids i-1234567890abcdef0

aws ec2 start-instances --instance-ids i-...
aws ec2 stop-instances --instance-ids i-...
aws ec2 reboot-instances --instance-ids i-...
aws ec2 terminate-instances --instance-ids i-...

aws ec2 describe-images --owners 099720109477 \
  --filters "Name=name,Values=ubuntu/images/hvm-ssd/ubuntu-noble-*"

# Security Groups
aws ec2 describe-security-groups
aws ec2 authorize-security-group-ingress --group-id sg-... --protocol tcp --port 443 --cidr 0.0.0.0/0

VPC

aws ec2 describe-vpcs
aws ec2 describe-subnets --filters "Name=vpc-id,Values=vpc-..."
aws ec2 describe-route-tables
aws ec2 describe-nat-gateways
aws ec2 describe-vpc-endpoints

IAM

aws iam list-users
aws iam list-roles
aws iam list-attached-role-policies --role-name MyRole
aws iam list-account-aliases

aws iam create-role --role-name app-role \
  --assume-role-policy-document file://trust.json

aws iam attach-role-policy --role-name app-role \
  --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess

# Симуляция policy
aws iam simulate-principal-policy \
  --policy-source-arn arn:aws:iam::...:role/app-role \
  --action-names s3:GetObject \
  --resource-arns arn:aws:s3:::bucket/*

# Last accessed
aws iam generate-service-last-accessed-details --arn arn:aws:iam::...:role/app-role
aws iam get-service-last-accessed-details --job-id ...

EKS

aws eks list-clusters
aws eks describe-cluster --name prod
aws eks update-kubeconfig --name prod --region eu-west-1
aws eks list-nodegroups --cluster-name prod

RDS

aws rds describe-db-instances
aws rds describe-db-snapshots
aws rds create-db-snapshot --db-instance-identifier prod-db --db-snapshot-identifier backup-$(date +%Y%m%d)
aws rds modify-db-instance --db-instance-identifier prod-db --apply-immediately ...

Lambda

aws lambda list-functions
aws lambda invoke --function-name my-fn --payload '{"key":"value"}' out.json
aws lambda update-function-code --function-name my-fn --zip-file fileb://function.zip
aws lambda get-function --function-name my-fn

CloudWatch Logs

aws logs describe-log-groups
aws logs tail /aws/lambda/my-fn --follow
aws logs tail /aws/lambda/my-fn --since 1h --filter-pattern "ERROR"
aws logs filter-log-events --log-group-name /aws/lambda/my-fn \
  --start-time $(date -d "1 hour ago" +%s)000

Secrets Manager / SSM Parameter Store

aws secretsmanager get-secret-value --secret-id prod/db/password \
  --query SecretString --output text

aws ssm get-parameter --name /prod/api/key --with-decryption
aws ssm put-parameter --name /prod/api/key --value "secret" --type SecureString
aws ssm get-parameters-by-path --path /prod/ --recursive --with-decryption

Полезные паттерны

# JMESPath query — мощно
aws ec2 describe-instances \
  --query 'Reservations[].Instances[?State.Name==`running`].[InstanceId, PrivateIpAddress]' \
  --output text

# Pagination — для больших списков
aws s3api list-objects-v2 --bucket B --max-items 100
aws s3api list-objects-v2 --bucket B --starting-token $NEXT_TOKEN

# JSON output для парсинга
aws ec2 describe-instances --output json | jq '.Reservations[].Instances[].InstanceId'

# Через xargs для batch
aws ec2 describe-instances --query 'Reservations[].Instances[?State.Name==`stopped`].InstanceId' --output text | \
  xargs -n1 aws ec2 terminate-instances --instance-ids

SSM Session Manager — SSH без портов

# Установить plugin
# https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html

aws ssm start-session --target i-1234567890abcdef0
aws ssm start-session --target i-... \
  --document-name AWS-StartPortForwardingSession \
  --parameters '{"portNumber":["3306"],"localPortNumber":["3306"]}'