AWS CLI Cheatsheet — 80+ Commands for EC2, S3, IAM, Lambda, RDS, EKS, CloudFormation

AWS CLI cheat sheet — 80+ commands for EC2 / S3 / IAM / Lambda / RDS / EKS / CloudFormation with real examples.

144 commands
Config & STS (11)
aws configure

Interactive prompt to write AKID, secret, default region, and output format to ~/.aws/credentials and ~/.aws/config.

Common pitfall: Writes to the [default] profile. On a multi-account org use `aws configure --profile <name>` so you do not overwrite an existing key.

Examples
aws configure
aws configure --profile prod
aws configure list
aws configure sso

Set up an IAM Identity Center (SSO) profile — opens the browser to authenticate, then caches a short-lived token.

Common pitfall: Tokens expire (default 8h). When they do, every command 401s — run `aws sso login --profile <name>` again, no need to re-configure.

Examples
aws configure sso
aws sso login --profile prod-admin
aws sso logout
aws sts get-caller-identity

Print the AWS account, user/role ARN, and user ID for the current credentials. The "who am I" of AWS.

Common pitfall: Always run this BEFORE any destructive command. The two-second check has saved a thousand careers from deleting the wrong stack.

Examples
aws sts get-caller-identity
aws sts get-caller-identity --profile prod
aws sts get-caller-identity --output text --query Arn
aws sts assume-role

Assume an IAM role and return temporary credentials (access key, secret, session token) for that role.

Common pitfall: The returned creds expire (default 1h). Export all THREE — most failures are forgetting AWS_SESSION_TOKEN. Better: set source_profile + role_arn in ~/.aws/config so the CLI auto-assumes.

Examples
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/Admin --role-session-name lilei
aws sts assume-role-with-web-identity --role-arn ... --web-identity-token $TOKEN --role-session-name ci
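Added example, not code from the cheatsheet: a POSIX sh helper that turns the `--query ... --output text` form of `aws sts assume-role` (or `get-session-token`, which returns the same Credentials shape) into the three exports the SDK needs, and refuses to proceed if any one of them is missing, so a forgotten AWS_SESSION_TOKEN fails immediately rather than as a confusing error later. The function names, the session name and all sample values are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original cheatsheet. Function names, the
# session name and all sample values are assumptions / constructed.

# Turn one line of "AKID<TAB>SECRET<TAB>TOKEN" (what
#   aws sts assume-role ... --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text
# prints) into three export statements. Emits nothing and returns 1 if a field
# is missing, so a forgotten AWS_SESSION_TOKEN fails loudly up front instead of
# later as an InvalidClientTokenId / AccessDenied on a real call.
creds_to_exports() {
    old_ifs=$IFS
    IFS=$(printf '\t')
    # shellcheck disable=SC2086  # splitting on the tab is the point here
    set -- $1
    IFS=$old_ifs
    if [ "$#" -ne 3 ] || [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
        echo "creds_to_exports: expected AccessKeyId, SecretAccessKey, SessionToken; got $# field(s)" >&2
        return 1
    fi
    # single-quote the values: session tokens contain '+', '/' and '=' which
    # are safe inside quotes when the caller eval's this output
    printf "export AWS_ACCESS_KEY_ID='%s'\n" "$1"
    printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$2"
    printf "export AWS_SESSION_TOKEN='%s'\n" "$3"
}

# Real-world wrapper (needs network and sts:AssumeRole on the role; not
# exercised offline): assume the role, load its credentials into the current
# shell, then confirm who you are BEFORE running anything destructive.
# Usage: assume_role_into_shell arn:aws:iam::123456789012:role/Admin [session-name]
assume_role_into_shell() {
    role_arn=$1
    line=$(aws sts assume-role --role-arn "$role_arn" --role-session-name "${2:-cli-session}" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text) || return 1
    exports=$(creds_to_exports "$line") || return 1
    eval "$exports"
    aws sts get-caller-identity
}
```

Source the file (`. ./assume.sh`) rather than running it, since exports only survive in the calling shell.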
aws configure list-profiles

List every profile defined in ~/.aws/credentials and ~/.aws/config.

Examples
aws configure list-profiles
AWS_PROFILE=prod aws sts get-caller-identity
aws --version

Print the CLI version. Required to tell v1 from v2 — they have different defaults for pager, output, and binary payload encoding.

Common pitfall: v1 is end-of-life. Most ops issues stem from running v1 with v2 docs. Upgrade with `pip install --upgrade awscli` (v1) or the installer (v2).

Examples
aws --version
which aws
aws configure get

Read a single config value (region, output, aws_access_key_id…) for a profile without opening the file.

Examples
aws configure get region --profile prod
aws configure get output
aws configure get aws_access_key_id --profile dev
aws configure set

Write a single config value into ~/.aws/config or ~/.aws/credentials non-interactively. Handy in setup scripts.

Common pitfall: Setting a credential key (`aws_secret_access_key`) puts the plaintext secret in ~/.aws/credentials. Prefer SSO or `assume-role` over long-lived keys.

Examples
aws configure set region ap-northeast-1 --profile prod
aws configure set output json --profile prod
aws configure set cli_pager "" --profile prod
aws sts get-session-token

Get temporary credentials for your OWN identity, typically to satisfy an MFA requirement before a sensitive call.

Common pitfall: This does NOT switch roles — it just wraps your current identity (optionally with MFA). To change permissions use `assume-role` instead.

Examples
aws sts get-session-token --serial-number arn:aws:iam::123456789012:mfa/lilei --token-code 123456
aws sts get-session-token --duration-seconds 3600
aws sts get-access-key-info

Map an access key ID (AKIA…/ASIA…) back to the AWS account number that owns it — no permissions needed.

Common pitfall: Great for incident response: a leaked key with unknown owner can be traced to its account in one call before you escalate.

Examples
aws sts get-access-key-info --access-key-id AKIAIOSFODNN7EXAMPLE
aws sso login

Refresh the short-lived SSO token for a profile by re-authenticating in the browser. No re-configure needed.

Common pitfall: After the token expires every command 401s. `aws sso login` is the fix, not `aws configure sso`. Add `--no-browser` for headless boxes.

Examples
aws sso login --profile prod-admin
aws sso login --no-browser --profile ci
EC2 (22)
aws ec2 describe-instances

List EC2 instances in the current region with full state: ID, type, IP, security groups, tags, launch time.

Common pitfall: Default table output truncates wide columns. For scripting use `--output text --query` to extract specific fields. Without `--filters` you get every instance in the region, whatever its state.

Examples
aws ec2 describe-instances
aws ec2 describe-instances --filters "Name=instance-state-name,Values=running"
aws ec2 describe-instances --query "Reservations[].Instances[].[InstanceId,State.Name,Tags[?Key=='Name'].Value|[0]]" --output table
aws ec2 start-instances

Start one or more stopped EC2 instances by instance ID.

Common pitfall: Public IP changes on every stop/start unless you attach an Elastic IP. Bookmarks and DNS records break.

Examples
aws ec2 start-instances --instance-ids i-0abc1234def567890
aws ec2 start-instances --instance-ids i-aaa i-bbb i-ccc
aws ec2 stop-instances

Stop running EC2 instances. EBS volumes and Elastic IPs are preserved, and you stop paying for compute.

Common pitfall: You still pay for the EBS volume while stopped. To stop all billing terminate instead — but terminating deletes the volume by default.

Examples
aws ec2 stop-instances --instance-ids i-0abc1234def567890
aws ec2 stop-instances --instance-ids i-aaa --hibernate
aws ec2 terminate-instances

Permanently destroy EC2 instances. The instance cannot be recovered, and EBS root volumes are deleted by default.

Common pitfall: Cannot be undone. Enable termination protection (`modify-instance-attribute --disable-api-termination`) on production hosts so a typo cannot nuke them.

Examples
aws ec2 terminate-instances --instance-ids i-0abc1234def567890
aws ec2 modify-instance-attribute --instance-id i-aaa --disable-api-termination
aws ec2 run-instances

Launch a new EC2 instance from an AMI. Specify image, type, key pair, subnet, and security group.

Common pitfall: Forgetting `--security-group-ids` lands the instance in the default SG, which usually blocks all inbound. Forgetting `--key-name` means no SSH key — you cannot log in.

Examples
aws ec2 run-instances --image-id ami-0abcdef --instance-type t3.micro --key-name lilei --security-group-ids sg-aaa --subnet-id subnet-bbb
aws ec2 run-instances --image-id ami-0abcdef --instance-type t3.micro --count 3 --tag-specifications "ResourceType=instance,Tags=[{Key=Env,Value=dev}]"
aws ec2 describe-security-groups

List security groups with their ingress and egress rules.

Examples
aws ec2 describe-security-groups
aws ec2 describe-security-groups --group-ids sg-0abc1234
aws ec2 describe-security-groups --filters "Name=group-name,Values=web"
aws ec2 authorize-security-group-ingress

Add an inbound rule to a security group — open a port to a CIDR or another SG.

Common pitfall: Opening 0.0.0.0/0 to SSH (22) or RDP (3389) shows up in your security audit within hours. Scope to your office CIDR, or use SSM Session Manager and skip SSH entirely.

Examples
aws ec2 authorize-security-group-ingress --group-id sg-aaa --protocol tcp --port 443 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-id sg-aaa --protocol tcp --port 22 --cidr 203.0.113.42/32
aws ec2 authorize-security-group-ingress --group-id sg-aaa --source-group sg-bbb --protocol tcp --port 5432
aws ec2 revoke-security-group-ingress

Remove an inbound rule from a security group.

Examples
aws ec2 revoke-security-group-ingress --group-id sg-aaa --protocol tcp --port 22 --cidr 0.0.0.0/0
aws ec2 describe-key-pairs

List EC2 key pairs in the current region (just the names and fingerprints — not the private keys).

Examples
aws ec2 describe-key-pairs
aws ec2 create-key-pair --key-name lilei-dev --query KeyMaterial --output text > lilei-dev.pem
aws ec2 describe-images

Search for AMIs by owner, name pattern, or architecture. The "find an AMI ID" workhorse.

Common pitfall: Without `--owners` you scan the entire AMI marketplace and the call hangs. Use `--owners amazon` or `--owners 099720109477` (Canonical) to scope.

Examples
aws ec2 describe-images --owners amazon --filters "Name=name,Values=al2023-ami-*" --query "Images|sort_by(@,&CreationDate)[-1].ImageId" --output text
aws ec2 describe-images --owners 099720109477 --filters "Name=name,Values=ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"
aws ec2 allocate-address

Allocate a new Elastic IP. Pair with `associate-address` to attach it to an instance or ENI.

Common pitfall: Unattached EIPs cost $0.005/hour. Always `release-address` what you do not use, or your bill grows quietly.

Examples
aws ec2 allocate-address
aws ec2 associate-address --instance-id i-aaa --allocation-id eipalloc-bbb
aws ec2 reboot-instances

Reboot running EC2 instances in place. Keeps the same instance ID, private IP, and EBS volumes.

Common pitfall: A reboot is NOT a stop/start — it stays on the same host, so it will not clear an underlying-hardware problem. For that, stop then start.

Examples
aws ec2 reboot-instances --instance-ids i-0abc1234def567890
aws ec2 describe-instance-status

Check system-status and instance-status health checks, plus any scheduled events (retirement, reboot) for instances.

Common pitfall: By default it hides stopped instances. Add `--include-all-instances` to also see ones that are not running.

Examples
aws ec2 describe-instance-status --instance-ids i-aaa
aws ec2 describe-instance-status --include-all-instances --filters "Name=instance-status.status,Values=impaired"
aws ec2 describe-volumes

List EBS volumes with size, type, state, and which instance they are attached to.

Common pitfall: Filter on `status=available` to find orphaned volumes — detached EBS still bills every hour. They are pure waste.

Examples
aws ec2 describe-volumes --filters "Name=status,Values=available"
aws ec2 describe-volumes --query "Volumes[].[VolumeId,Size,State]" --output table
aws ec2 create-snapshot

Take a point-in-time snapshot of an EBS volume. Snapshots are incremental and stored in S3 under the hood.

Common pitfall: For a consistent multi-volume snapshot of a running instance use `create-snapshots` (plural) with `--instance-specification`, not one volume at a time.

Examples
aws ec2 create-snapshot --volume-id vol-0abc123 --description "before upgrade"
aws ec2 create-snapshots --instance-specification InstanceId=i-aaa --description "full-host"
aws ec2 describe-regions

List all AWS regions your account can use, including which are opt-in (disabled by default).

Examples
aws ec2 describe-regions --query "Regions[].RegionName" --output text
aws ec2 describe-regions --all-regions --query "Regions[?OptInStatus=='not-opted-in'].RegionName"
aws ec2 describe-availability-zones

List availability zones (and local/wavelength zones) in a region, with their state and zone IDs.

Common pitfall: Zone NAMES (us-east-1a) are randomized per account — `us-east-1a` in your account is not the same hardware as in another. Use zone IDs (use1-az1) to truly pin.

Examples
aws ec2 describe-availability-zones --region us-east-1 --query "AvailabilityZones[].[ZoneName,ZoneId]" --output table
aws ec2 create-tags

Add or overwrite tags on one or more EC2 resources (instances, volumes, snapshots, AMIs…).

Common pitfall: Tags drive cost allocation and IAM conditions. A typo in a `Key` silently creates a brand-new tag instead of updating — your cost report then splits.

Examples
aws ec2 create-tags --resources i-aaa vol-bbb --tags Key=Env,Value=prod Key=Owner,Value=lilei
aws ec2 delete-tags --resources i-aaa --tags Key=Temp
aws ec2 modify-instance-attribute

Change an instance attribute while stopped — instance type, EBS optimization, user-data, or termination protection.

Common pitfall: Changing `--instance-type` requires the instance be STOPPED first, and the new type must be available in the same AZ. Otherwise you get IncorrectInstanceState.

Examples
aws ec2 modify-instance-attribute --instance-id i-aaa --instance-type "{\"Value\":\"t3.large\"}"
aws ec2 modify-instance-attribute --instance-id i-aaa --no-source-dest-check
aws ec2 get-console-output

Fetch the serial console / boot log of an instance. The go-to when SSH fails and you need to see why it did not boot.

Common pitfall: Output is cached and may lag a few minutes after boot. Add `--latest` (Nitro instances) to force the freshest serial output.

Examples
aws ec2 get-console-output --instance-id i-aaa --output text
aws ec2 get-console-output --instance-id i-aaa --latest
aws ec2 describe-vpcs

List VPCs in the region with their CIDR blocks and which one is the default VPC.

Examples
aws ec2 describe-vpcs --query "Vpcs[].[VpcId,CidrBlock,IsDefault]" --output table
aws ec2 describe-vpcs --filters "Name=isDefault,Values=true"
aws ec2 describe-subnets

List subnets with their VPC, AZ, CIDR, and available IP count.

Common pitfall: Watch `AvailableIpAddressCount`. A subnet running out of IPs is a classic cause of "Lambda/ENI/Fargate failed to launch" in a VPC.

Examples
aws ec2 describe-subnets --filters "Name=vpc-id,Values=vpc-aaa" --query "Subnets[].[SubnetId,AvailabilityZone,CidrBlock,AvailableIpAddressCount]" --output table
S3 (20)
aws s3 ls

List S3 buckets, or the contents of a bucket / prefix. The s3 equivalent of `ls`.

Common pitfall: Paginates silently — first 1000 keys only by default. Use `--recursive` to walk subprefixes, and `--page-size` / `--max-items` to control.

Examples
aws s3 ls
aws s3 ls s3://my-bucket/
aws s3 ls s3://my-bucket/logs/ --recursive --human-readable --summarize
aws s3 cp

Copy a file to/from/between S3. The basic upload/download primitive.

Common pitfall: Single-object only by default. Use `--recursive` for a folder, or switch to `aws s3 sync` which is incremental and faster on re-runs.

Examples
aws s3 cp ./build.tar.gz s3://my-bucket/releases/build.tar.gz
aws s3 cp s3://my-bucket/logs/access.log ./
aws s3 cp ./dist s3://my-bucket/site/ --recursive --acl public-read
aws s3 sync

Rsync-style sync: copy only files that differ (by size and modified time). Use `--delete` to mirror deletions.

Common pitfall: Forgetting the source subfolder (`aws s3 sync . s3://b/ --delete`) silently nukes everything in the bucket on first run. Always dry-run with `--dryrun` first.

Examples
aws s3 sync ./dist s3://my-bucket/ --delete
aws s3 sync s3://prod-bucket/ s3://backup-bucket/
aws s3 sync ./photos s3://my-bucket/photos --exclude "*.tmp" --include "*.jpg"
aws s3 mv

Move an object — equivalent to cp followed by rm at the source.

Common pitfall: If the network drops mid-transfer the source is gone but the destination is empty. For irreplaceable data prefer `cp` then verify, then `rm`.

Examples
aws s3 mv s3://my-bucket/tmp/file s3://my-bucket/archive/file
aws s3 mv ./local.csv s3://my-bucket/incoming/
aws s3 rm

Delete an S3 object (or a whole prefix with `--recursive`).

Common pitfall: On versioned buckets `rm` only adds a delete marker — the data is still there and you still pay for it. Use `aws s3api delete-object` with `--version-id` to truly purge.

Examples
aws s3 rm s3://my-bucket/old.log
aws s3 rm s3://my-bucket/logs/ --recursive --exclude "*" --include "2024-*"
aws s3 mb

Make bucket — create a new S3 bucket. Name must be globally unique across all of AWS.

Common pitfall: Bucket names are global. Pick a project-prefixed name (`lilei-2026-logs`) not a generic one (`logs`) which is taken. Outside us-east-1 you must pass `--region`.

Examples
aws s3 mb s3://lilei-2026-logs
aws s3 mb s3://lilei-2026-logs --region ap-northeast-1
aws s3 rb

Remove bucket. Empty buckets only by default; add `--force` to delete contents first.

Common pitfall: `--force` does not handle versioned buckets — you must `aws s3api delete-objects` versions first, then `rb`. Easy to get stuck.

Examples
aws s3 rb s3://my-bucket
aws s3 rb s3://my-bucket --force
aws s3 presign

Generate a time-limited HTTPS URL that anyone can use to download a private object — without giving them an AWS account.

Common pitfall: Default expiry is 3600s (1h). Max is 7 days. Anyone with the URL gets the object — treat the URL itself as a secret.

Examples
aws s3 presign s3://my-bucket/report.pdf
aws s3 presign s3://my-bucket/report.pdf --expires-in 86400
aws s3 website

Configure a bucket for static website hosting (index document, error document).

Common pitfall: The website endpoint is HTTP only and uses path-style URLs. For HTTPS + custom domain put CloudFront in front, or use the newer S3 + OAC pattern.

Examples
aws s3 website s3://my-bucket/ --index-document index.html --error-document error.html
aws s3api list-objects-v2

Low-level S3 API — list objects with pagination tokens, prefixes, delimiters. The escape hatch when `aws s3 ls` is not enough.

Examples
aws s3api list-objects-v2 --bucket my-bucket --prefix logs/ --max-keys 50
aws s3api list-object-versions --bucket my-bucket --prefix old.log
aws s3api put-public-access-block

Set bucket-level Block Public Access. Belt-and-suspenders defense against accidental world-readable buckets.

Common pitfall: Account-level setting overrides bucket-level. Set both: `s3control put-public-access-block --account-id <id>` and the per-bucket one.

Examples
aws s3api put-public-access-block --bucket my-bucket --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
aws s3api put-bucket-policy

Attach a JSON bucket policy that controls who can read/write the bucket.

Common pitfall: A policy allowing `Principal: "*"` with `s3:GetObject` makes the bucket world-readable. Combine with Block Public Access settings or every audit fires.

Examples
aws s3api put-bucket-policy --bucket my-bucket --policy file://policy.json
aws s3api head-object

Fetch only an object’s metadata (size, content-type, ETag, storage class, last-modified) without downloading the body.

Common pitfall: On a missing key it returns exit code 254 with an empty error — scripts must check `$?`, not just parse stdout, to tell "missing" from "error".

Examples
aws s3api head-object --bucket my-bucket --key path/to/file.zip
aws s3api copy-object

Server-side copy within S3 — change storage class, metadata, or encryption without pulling bytes to your machine.

Common pitfall: Metadata only updates if you pass `--metadata-directive REPLACE`. With the default COPY directive your new `--content-type` is silently ignored.

Examples
aws s3api copy-object --bucket b --key file --copy-source b/file --storage-class GLACIER
aws s3api copy-object --bucket b --key f --copy-source b/f --metadata-directive REPLACE --content-type application/json
aws s3api put-bucket-versioning

Turn on (or suspend) object versioning for a bucket so overwrites and deletes keep prior versions.

Common pitfall: Versioning can be Suspended but never fully turned Off once enabled. Old versions keep billing — pair with a lifecycle rule to expire noncurrent versions.

Examples
aws s3api put-bucket-versioning --bucket my-bucket --versioning-configuration Status=Enabled
aws s3api put-bucket-versioning --bucket my-bucket --versioning-configuration Status=Suspended
aws s3api put-bucket-lifecycle-configuration

Attach lifecycle rules to a bucket — transition objects to cheaper storage classes or expire them after N days.

Common pitfall: Each call REPLACES the entire rule set, not appends. Always read the existing config first, edit the JSON, then put the whole thing back.

Examples
aws s3api put-bucket-lifecycle-configuration --bucket my-bucket --lifecycle-configuration file://lifecycle.json
aws s3api put-bucket-encryption

Set default server-side encryption (SSE-S3 / SSE-KMS) so every new object is encrypted at rest automatically.

Common pitfall: SSE-KMS adds a KMS API call per object — at high request rates you can hit the KMS throttle limit. Enable S3 Bucket Keys to cut KMS calls dramatically.

Examples
aws s3api put-bucket-encryption --bucket my-bucket --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"alias/my-key"},"BucketKeyEnabled":true}]}'
aws s3api get-bucket-location

Return the region a bucket lives in. Essential before cross-region operations or presigned-URL signing.

Common pitfall: For us-east-1 the API returns `null` (an empty LocationConstraint), a long-standing quirk. Treat null as us-east-1.

Examples
aws s3api get-bucket-location --bucket my-bucket --output text
aws s3api list-buckets

List every bucket you own across all regions, with creation dates. The account-wide bucket inventory.

Examples
aws s3api list-buckets --query "Buckets[].Name" --output text
aws s3api list-buckets --query "sort_by(Buckets,&CreationDate)[].[Name,CreationDate]" --output table
aws s3api restore-object

Kick off a restore of an object archived in Glacier / Glacier Deep Archive back to a temporarily retrievable copy.

Common pitfall: Restore is asynchronous and slow — Standard tier is minutes-to-hours, Deep Archive can take up to 12 hours. Poll `head-object` for the `Restore` header.

Examples
aws s3api restore-object --bucket my-bucket --key archive/data.bak --restore-request Days=3,GlacierJobParameters={Tier=Standard}
IAM (15)
aws iam list-users

List all IAM users in the AWS account.

Examples
aws iam list-users
aws iam list-users --query "Users[].UserName" --output text
aws iam create-user

Create a new IAM user. No login or programmatic access by default — you add those separately.

Common pitfall: Modern practice is to skip IAM users entirely and federate through Identity Center (SSO). IAM users with long-lived access keys are a recurring breach source.

Examples
aws iam create-user --user-name lilei
aws iam create-login-profile --user-name lilei --password Temp-2026! --password-reset-required
aws iam attach-user-policy

Attach a managed policy (AWS or customer) to an IAM user.

Common pitfall: Attaching AdministratorAccess is the lazy answer. Prefer specific managed policies (PowerUserAccess, ReadOnlyAccess) and least privilege.

Examples
aws iam attach-user-policy --user-name lilei --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
aws iam list-attached-user-policies --user-name lilei
aws iam create-access-key

Generate a new access key (AKID + secret) for an IAM user. Returned ONCE — save the secret now or it is gone.

Common pitfall: Never commit AKID/secret to git, even in a private repo. Rotate every 90 days, delete the old one. If leaked, `aws iam delete-access-key` immediately then investigate.

Examples
aws iam create-access-key --user-name lilei
aws iam delete-access-key --user-name lilei --access-key-id AKIA...
aws iam list-roles

List all IAM roles in the account.

Examples
aws iam list-roles --query "Roles[].RoleName" --output text
aws iam list-roles --path-prefix /aws-service-role/
aws iam create-role

Create an IAM role with a trust policy (the document that defines WHO can assume it).

Common pitfall: The trust policy is mandatory and the most common source of "AccessDenied" — wrong principal ARN, missing condition. Get the JSON exact.

Examples
aws iam create-role --role-name MyAppRole --assume-role-policy-document file://trust.json
aws iam attach-role-policy --role-name MyAppRole --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
aws iam simulate-principal-policy

Test whether a user/role would be allowed to perform an action against a resource — without actually trying. The IAM debugger.

Examples
aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::123456789012:user/lilei --action-names s3:GetObject --resource-arns arn:aws:s3:::my-bucket/key
aws iam get-account-summary

High-level account totals — number of users, roles, MFA devices, password policy status.

Examples
aws iam get-account-summary
aws iam get-account-authorization-details

Dump the entire IAM model — every user, group, role, policy, and attachment — in one JSON blob. The audit firehose.

Common pitfall: The output is huge on real accounts. Pipe to a file and analyze with jq offline rather than scrolling the terminal.

Examples
aws iam get-account-authorization-details > iam-dump.json
aws iam get-account-authorization-details --filter Role
aws iam list-access-keys

List the access keys (IDs, status, creation date) for an IAM user. Shows nothing secret, just metadata.

Common pitfall: A user can have at most TWO keys — that two-key limit exists precisely so you can rotate: create the new one, deploy, then delete the old.

Examples
aws iam list-access-keys --user-name lilei
aws iam update-access-key --user-name lilei --access-key-id AKIA... --status Inactive
aws iam get-access-key-last-used

Show when and where an access key was last used (date, region, service). The "is this key dead?" check.

Common pitfall: A key never used in 90+ days is a prime candidate to delete. Combine with a credential report to sweep the whole account.

Examples
aws iam get-access-key-last-used --access-key-id AKIAIOSFODNN7EXAMPLE
aws iam generate-credential-report

Generate (then `get-credential-report`) a CSV of every user’s key age, MFA status, and last-used data. Audit gold.

Common pitfall: Generate is async — call `generate` first, wait for COMPLETE, then `get-credential-report` to read the base64 CSV. Reports cache for 4 hours.

Examples
aws iam generate-credential-report
aws iam get-credential-report --query Content --output text | base64 --decode
aws iam create-policy

Create a customer-managed policy from a JSON document so you can attach the same permissions to many principals.

Common pitfall: Each policy is capped at 5 versions — `create-policy-version` past that fails. Delete an old version, or set `--set-as-default` consciously.

Examples
aws iam create-policy --policy-name S3ReadMyBucket --policy-document file://policy.json
aws iam create-policy-version --policy-arn arn:aws:iam::123:policy/S3ReadMyBucket --policy-document file://v2.json --set-as-default
aws iam list-attached-role-policies

List the managed policies attached to a role. Pair with `list-role-policies` for inline policies.

Common pitfall: Managed and inline policies are separate worlds. A "missing permission" you cannot find is often hiding in an inline policy, not the attached managed ones.

Examples
aws iam list-attached-role-policies --role-name MyAppRole
aws iam list-role-policies --role-name MyAppRole
aws iam create-service-linked-role

Create the special IAM role a particular AWS service needs to act on your behalf (e.g. ECS, ELB, Auto Scaling).

Common pitfall: Most services auto-create theirs on first use. You only run this manually when a CloudFormation or Terraform deploy fails with "service-linked role does not exist yet".

Examples
aws iam create-service-linked-role --aws-service-name elasticloadbalancing.amazonaws.com
Lambda (12)
aws lambda list-functions

List all Lambda functions in the region with runtime, memory, and last-modified time.

Examples
aws lambda list-functions
aws lambda list-functions --query "Functions[?Runtime=='nodejs20.x'].FunctionName" --output text
aws lambda invoke

Synchronously invoke a Lambda function with a JSON payload and write the response to a local file.

Common pitfall: On v2 CLI you MUST pass `--cli-binary-format raw-in-base64-out` or `--payload` is base64-encoded silently and your function gets garbage.

Examples
aws lambda invoke --function-name my-fn --payload '{"key":"value"}' --cli-binary-format raw-in-base64-out response.json
aws lambda invoke --function-name my-fn --invocation-type Event --payload '{}' /dev/null
aws lambda update-function-code

Upload new code to an existing Lambda — from a local zip, S3 object, or container image URI.

Common pitfall: New code is active in seconds. To deploy safely use `publish-version` + alias traffic shifting, or roll out via CodeDeploy.

Examples
aws lambda update-function-code --function-name my-fn --zip-file fileb://function.zip
aws lambda update-function-code --function-name my-fn --s3-bucket my-deploys --s3-key fn-v2.zip
aws lambda update-function-code --function-name my-fn --image-uri 123.dkr.ecr.us-east-1.amazonaws.com/my-fn:v2
aws lambda get-function-configuration

Print the function configuration: handler, runtime, memory, timeout, env vars, layers, VPC config.

Examples
aws lambda get-function-configuration --function-name my-fn
aws lambda get-function-configuration --function-name my-fn --query "Environment.Variables"
aws lambda update-function-configuration

Change Lambda configuration in place — memory, timeout, env vars, handler, layers.

Common pitfall: Setting `--environment "Variables={...}"` REPLACES all env vars, not merges. Always `get-function-configuration` first and add to the existing set.

Examples
aws lambda update-function-configuration --function-name my-fn --memory-size 1024 --timeout 30
aws lambda update-function-configuration --function-name my-fn --environment "Variables={STAGE=prod,LOG_LEVEL=info}"
aws lambda publish-version

Snapshot current $LATEST as an immutable numbered version. Pair with aliases for blue-green deploy.

Examples
aws lambda publish-version --function-name my-fn --description "v1.2.3"
aws lambda create-alias

Create a named alias that points at a specific version, with optional traffic weights for canary deploys.

Examples
aws lambda create-alias --function-name my-fn --name prod --function-version 7
aws lambda update-alias --function-name my-fn --name prod --function-version 8 --routing-config "AdditionalVersionWeights={\"7\"=0.9}"
aws lambda add-permission

Grant another AWS service or account permission to invoke your function — e.g. let API Gateway or S3 trigger it.

Common pitfall: Each statement needs a unique `--statement-id`. Re-running with the same SID throws ResourceConflictException — `remove-permission` first or use a fresh SID.

Examples
aws lambda add-permission --function-name my-fn --statement-id s3invoke --action lambda:InvokeFunction --principal s3.amazonaws.com --source-arn arn:aws:s3:::my-bucket
aws lambda add-permission --function-name my-fn --statement-id apigw --action lambda:InvokeFunction --principal apigateway.amazonaws.com
aws lambda create-event-source-mapping

Wire a stream/queue source (SQS, Kinesis, DynamoDB Streams, Kafka) to poll-trigger your function.

Common pitfall: For SQS, set `--batch-size` and `--maximum-batching-window-in-seconds` together. Too large a batch with a short function timeout silently drops throughput.

Examples
aws lambda create-event-source-mapping --function-name my-fn --event-source-arn arn:aws:sqs:us-east-1:123:my-queue --batch-size 10
aws lambda list-event-source-mappings --function-name my-fn
aws lambda get-function

Get everything about a function: configuration plus a presigned URL to download the deployed code package.

Common pitfall: The Code.Location URL is presigned and expires in ~10 minutes — download right away, do not stash it for later.

Examples
aws lambda get-function --function-name my-fn
aws lambda get-function --function-name my-fn --query Code.Location --output text
aws lambda put-function-concurrency

Reserve (or cap) concurrent executions for a function so it cannot starve — or overwhelm — the rest of the account.

Common pitfall: Reserving concurrency for one function REMOVES it from the account-wide unreserved pool. Over-reserve and other functions start throttling.

Examples
aws lambda put-function-concurrency --function-name my-fn --reserved-concurrent-executions 50
aws lambda delete-function-concurrency --function-name my-fn
aws lambda put-provisioned-concurrency-config

Pre-warm a fixed number of execution environments for an alias/version to eliminate cold starts on latency-critical paths.

Common pitfall: Provisioned concurrency bills even when idle, and only attaches to a VERSION or ALIAS, never $LATEST. Forgetting that is the usual "why is it still cold" cause.

Examples
aws lambda put-provisioned-concurrency-config --function-name my-fn --qualifier prod --provisioned-concurrent-executions 5
CloudWatch (11)
aws cloudwatch get-metric-statistics

Fetch raw metric data points for a namespace/metric/dimension over a time window with a chosen aggregation.

Common pitfall: Use UTC for `--start-time` and `--end-time`, in ISO-8601 form; a bare Unix timestamp is not accepted. Period must be a multiple of 60s.

Examples
aws cloudwatch get-metric-statistics --namespace AWS/EC2 --metric-name CPUUtilization --dimensions Name=InstanceId,Value=i-aaa --start-time 2026-05-26T00:00:00Z --end-time 2026-05-26T01:00:00Z --period 300 --statistics Average
aws cloudwatch put-metric-alarm

Create or update a metric alarm — threshold, evaluation periods, alarm action (usually an SNS topic ARN).

Common pitfall: `--alarm-actions` takes an ARN, not just a topic name. Without an action the alarm just changes state silently and nobody is paged.

Examples
aws cloudwatch put-metric-alarm --alarm-name high-cpu --metric-name CPUUtilization --namespace AWS/EC2 --statistic Average --period 300 --threshold 80 --comparison-operator GreaterThanThreshold --evaluation-periods 2 --alarm-actions arn:aws:sns:us-east-1:123:alerts --dimensions Name=InstanceId,Value=i-aaa
aws cloudwatch describe-alarms

List metric alarms — filter by state to find what is firing right now.

Examples
aws cloudwatch describe-alarms
aws cloudwatch describe-alarms --state-value ALARM
aws cloudwatch describe-alarms --alarm-name-prefix high-
aws logs tail

Tail a CloudWatch Logs group like `tail -f`, with optional regex filter and --follow for live streams.

Common pitfall: Tailing is throttled to ~10 log streams concurrently. For very busy groups use `--log-stream-name-prefix` or switch to Logs Insights.

Examples
aws logs tail /aws/lambda/my-fn --follow
aws logs tail /aws/lambda/my-fn --since 10m --filter-pattern ERROR
aws logs tail /aws/lambda/my-fn --format short --since 1h
aws logs filter-log-events

Search a log group with a CloudWatch Logs filter pattern across a time range.

Examples
aws logs filter-log-events --log-group-name /aws/lambda/my-fn --filter-pattern "ERROR" --start-time $(date -u -d "1 hour ago" +%s)000
aws logs describe-log-groups

List CloudWatch log groups in the region.

Examples
aws logs describe-log-groups --log-group-name-prefix /aws/lambda/
aws cloudwatch list-metrics

Discover which metrics actually exist for a namespace/dimension before you try to graph or alarm on them.

Common pitfall: list-metrics only shows metrics that have reported data in the last ~2 weeks. A brand-new resource may not appear yet even though it is configured.

Examples
aws cloudwatch list-metrics --namespace AWS/Lambda
aws cloudwatch list-metrics --namespace AWS/RDS --dimensions Name=DBInstanceIdentifier,Value=mydb
aws cloudwatch get-metric-data

The modern, batched metric query — pull many metrics with math expressions in one call. Replaces get-metric-statistics at scale.

Common pitfall: Uses a JSON `--metric-data-queries` structure, not flat flags. Each query needs a unique `Id` matching `^[a-z][a-zA-Z0-9_]*$` — uppercase-first Ids are rejected.

Examples
aws cloudwatch get-metric-data --metric-data-queries file://queries.json --start-time 2026-05-29T00:00:00Z --end-time 2026-05-30T00:00:00Z
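Added example (not from the cheat sheet): the `--metric-data-queries` structure that `file://queries.json` above stands in for, generated for a Lambda error-rate query, plus a check that every `Id` satisfies the `^[a-z][a-zA-Z0-9_]*$` rule and is unique before the call is made. The function name, metric choice and math expression are assumptions.

```shell
#!/usr/bin/env bash
# Added example: builds the --metric-data-queries JSON that get-metric-data
# expects, checks every Id against the rule the API enforces, and runs the
# query. Function and metric names are assumptions, not from the cheat sheet.

# Emit a query set computing the Lambda error rate for one function.
# The two raw metrics have ReturnData=false so only the expression comes back.
metric_queries_json() {
  fn=$1
  cat <<EOF
[
  {
    "Id": "errors",
    "MetricStat": {
      "Metric": {
        "Namespace": "AWS/Lambda",
        "MetricName": "Errors",
        "Dimensions": [{"Name": "FunctionName", "Value": "$fn"}]
      },
      "Period": 300,
      "Stat": "Sum"
    },
    "ReturnData": false
  },
  {
    "Id": "invocations",
    "MetricStat": {
      "Metric": {
        "Namespace": "AWS/Lambda",
        "MetricName": "Invocations",
        "Dimensions": [{"Name": "FunctionName", "Value": "$fn"}]
      },
      "Period": 300,
      "Stat": "Sum"
    },
    "ReturnData": false
  },
  {
    "Id": "error_rate_pct",
    "Expression": "IF(invocations > 0, 100 * errors / invocations, 0)",
    "Label": "Error rate (%)"
  }
]
EOF
}

# Validate Ids in a query file (or stdin): each must match
# ^[a-z][a-zA-Z0-9_]*$ and be unique, otherwise the API rejects the call.
check_query_ids() {
  ids=$(sed -n 's/.*"Id"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "${1:-/dev/stdin}")
  [ -n "$ids" ] || { echo "no Id fields found" >&2; return 1; }
  rc=0
  for id in $ids; do
    printf '%s\n' "$id" | grep -Eq '^[a-z][a-zA-Z0-9_]*$' \
      || { echo "invalid Id (must start lowercase): $id" >&2; rc=1; }
  done
  dups=$(printf '%s\n' $ids | sort | uniq -d)
  [ -z "$dups" ] || { echo "duplicate Id: $dups" >&2; rc=1; }
  return $rc
}

# Error-rate datapoints for the last N hours, newest first (text, one line).
lambda_error_rate() {
  fn=$1; hours=${2:-1}
  queries=$(metric_queries_json "$fn")
  printf '%s' "$queries" | check_query_ids || return 1
  aws cloudwatch get-metric-data \
    --metric-data-queries "$queries" \
    --start-time "$(date -u -d "$hours hours ago" +%Y-%m-%dT%H:%M:%SZ)" \
    --end-time "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
    --scan-by TimestampDescending \
    --query "MetricDataResults[?Id=='error_rate_pct'] | [0].Values" \
    --output text
}

# Usage: ./metric-queries.sh run <function-name> [hours]
case "${1:-}" in run) lambda_error_rate "$2" "${3:-1}" ;; esac
```

The JSON is passed inline rather than via `file://`, which is accepted for any structure parameter; `--scan-by TimestampDescending` makes the first value the most recent datapoint.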
aws cloudwatch set-alarm-state

Manually force an alarm into ALARM/OK/INSUFFICIENT_DATA — great for testing that your SNS/paging wiring actually fires.

Common pitfall: The forced state is temporary — the next real evaluation overwrites it. Use it to test the notification path, not as a permanent override.

Examples
aws cloudwatch set-alarm-state --alarm-name high-cpu --state-value ALARM --state-reason "testing pager"
aws logs start-query

Run a CloudWatch Logs Insights query across one or more log groups — structured, SQL-like log analytics.

Common pitfall: start-query is async and returns a queryId — you then poll `get-query-results` until Status is Complete. There is no one-shot form.

Examples
aws logs start-query --log-group-name /aws/lambda/my-fn --start-time $(date -u -d "1 hour ago" +%s) --end-time $(date -u +%s) --query-string "fields @timestamp, @message | filter @message like /ERROR/ | sort @timestamp desc | limit 20"
aws logs get-query-results --query-id <id>
aws logs put-retention-policy

Set how many days a log group keeps data. New groups default to "never expire", which quietly grows your bill forever.

Common pitfall: Retention must be one of the allowed values (1, 3, 5, 7, 14, 30, 60, 90, …). An arbitrary number like 45 is rejected.

Examples
aws logs put-retention-policy --log-group-name /aws/lambda/my-fn --retention-in-days 30
RDS (10)
aws rds describe-db-instances

List RDS DB instances with engine, version, endpoint, status, and storage.

Examples
aws rds describe-db-instances
aws rds describe-db-instances --query "DBInstances[].[DBInstanceIdentifier,Engine,DBInstanceStatus,Endpoint.Address]" --output table
aws rds create-db-snapshot

Take a manual snapshot of an RDS instance. Manual snapshots persist until you delete them.

Common pitfall: Snapshots are not portable across accounts by default — share them with `modify-db-snapshot-attribute` first. And storage cost applies forever; clean up old ones.

Examples
aws rds create-db-snapshot --db-instance-identifier mydb --db-snapshot-identifier mydb-2026-05-26
aws rds restore-db-instance-from-db-snapshot

Create a new RDS instance from a snapshot. The original is untouched.

Common pitfall: Restored instance gets a NEW endpoint hostname. Apps must update connection strings — there is no "in-place restore".

Examples
aws rds restore-db-instance-from-db-snapshot --db-instance-identifier mydb-restored --db-snapshot-identifier mydb-2026-05-26
aws rds modify-db-instance

Change an RDS instance — class, storage, master password, parameter group, backup retention.

Common pitfall: Without `--apply-immediately` changes wait for the maintenance window. Common surprise — "I changed the password and it did not take effect".

Examples
aws rds modify-db-instance --db-instance-identifier mydb --db-instance-class db.t3.medium --apply-immediately
aws rds describe-db-snapshots

List RDS snapshots — manual and automated.

Examples
aws rds describe-db-snapshots --db-instance-identifier mydb --snapshot-type manual
aws rds reboot-db-instance

Reboot an RDS instance. With --force-failover it triggers a Multi-AZ failover to the standby.

Examples
aws rds reboot-db-instance --db-instance-identifier mydb
aws rds reboot-db-instance --db-instance-identifier mydb --force-failover
aws rds describe-db-clusters

List Aurora / Multi-AZ DB clusters with their writer and reader endpoints, engine version, and status.

Common pitfall: Aurora has SEPARATE cluster and reader endpoints. Pointing all traffic at the cluster (writer) endpoint wastes your read replicas entirely.

Examples
aws rds describe-db-clusters --query "DBClusters[].[DBClusterIdentifier,Endpoint,ReaderEndpoint,Status]" --output table
aws rds failover-db-cluster

Trigger a controlled failover in an Aurora cluster, optionally promoting a specific reader to writer.

Common pitfall: Failover drops all existing DB connections — there is a brief outage. Run it in a maintenance window unless you are actively testing resilience.

Examples
aws rds failover-db-cluster --db-cluster-identifier my-aurora --target-db-instance-identifier my-aurora-reader-1
aws rds describe-db-log-files

List the database log files (error log, slow query log) available on an RDS instance, then download them.

Common pitfall: You cannot SSH into RDS, so this + `download-db-log-file-portion` is the only way to read MySQL/Postgres logs from the CLI.

Examples
aws rds describe-db-log-files --db-instance-identifier mydb
aws rds download-db-log-file-portion --db-instance-identifier mydb --log-file-name error/mysql-error.log --output text
aws rds describe-events

Show recent RDS events — failovers, backups, parameter changes, low storage warnings — for an instance or cluster.

Common pitfall: Events are retained for only 14 days. For longer history subscribe an SNS topic via `create-event-subscription`.

Examples
aws rds describe-events --source-identifier mydb --source-type db-instance --duration 1440
EKS (11)
aws eks update-kubeconfig

Generate (or update) a kubeconfig entry for an EKS cluster so kubectl can talk to it.

Common pitfall: Uses the current AWS profile to mint tokens. If you switch profiles later kubectl breaks — re-run with `--profile <name>`.

Examples
aws eks update-kubeconfig --name my-cluster --region us-east-1
aws eks update-kubeconfig --name my-cluster --profile prod --alias prod-cluster
aws eks describe-cluster

Print full EKS cluster details: endpoint, version, IAM role, VPC config, addons.

Examples
aws eks describe-cluster --name my-cluster
aws eks describe-cluster --name my-cluster --query "cluster.version" --output text
aws eks list-clusters

List EKS clusters in the region.

Examples
aws eks list-clusters
aws eks list-clusters --query "clusters[]" --output text
aws eks list-nodegroups

List managed node groups for an EKS cluster.

Examples
aws eks list-nodegroups --cluster-name my-cluster
aws eks describe-nodegroup

Get full configuration for a managed node group: instance types, scaling, AMI version, taints.

Examples
aws eks describe-nodegroup --cluster-name my-cluster --nodegroup-name workers
aws eks update-addon

Update an EKS addon version (VPC CNI, CoreDNS, kube-proxy, EBS CSI). Specify --resolve-conflicts to handle field ownership.

Common pitfall: Without `--resolve-conflicts OVERWRITE` (or PRESERVE) the update aborts if you previously kubectl-edited the addon. Pick one consciously.

Examples
aws eks update-addon --cluster-name my-cluster --addon-name vpc-cni --addon-version v1.18.0-eksbuild.1 --resolve-conflicts OVERWRITE
aws eks list-addons

List addons (VPC CNI, CoreDNS, kube-proxy, EBS CSI, etc.) installed on an EKS cluster.

Examples
aws eks list-addons --cluster-name my-cluster
aws eks describe-addon-versions

List the available versions of an EKS addon compatible with a given Kubernetes version — before you upgrade.

Common pitfall: Not every addon version supports every cluster version. Filter by `--kubernetes-version` to avoid picking one that fails the update.

Examples
aws eks describe-addon-versions --addon-name vpc-cni --kubernetes-version 1.29 --query "addons[].addonVersions[].addonVersion"
aws eks update-nodegroup-version

Roll a managed node group to a newer AMI / Kubernetes version, draining and replacing nodes gracefully.

Common pitfall: Without PodDisruptionBudgets your workloads can all evict at once mid-roll. Set PDBs before upgrading; `--force` bypasses them entirely.

Examples
aws eks update-nodegroup-version --cluster-name my-cluster --nodegroup-name workers --kubernetes-version 1.29
aws eks list-fargate-profiles

List the Fargate profiles on a cluster — the namespace/label selectors that decide which pods run serverless.

Examples
aws eks list-fargate-profiles --cluster-name my-cluster
aws eks describe-fargate-profile --cluster-name my-cluster --fargate-profile-name fp-default
aws eks describe-update

Check the status of an in-flight EKS control-plane or addon update (InProgress / Successful / Failed) and why it failed.

Examples
aws eks describe-update --name my-cluster --update-id <update-id>
CloudFormation (10)
aws cloudformation deploy

High-level deploy that creates the stack if missing or updates it if present. Computes the changeset for you.

Common pitfall: Without `--capabilities CAPABILITY_NAMED_IAM` any template that creates IAM resources fails with "Requires capabilities" — most stacks need this.

Examples
aws cloudformation deploy --template-file template.yaml --stack-name my-stack --capabilities CAPABILITY_NAMED_IAM
aws cloudformation deploy --template-file template.yaml --stack-name my-stack --parameter-overrides Env=prod Region=us-east-1
aws cloudformation describe-stacks

List or describe CloudFormation stacks — status, parameters, outputs, drift status.

Examples
aws cloudformation describe-stacks
aws cloudformation describe-stacks --stack-name my-stack --query "Stacks[0].Outputs"
aws cloudformation describe-stack-events

Stream the event log for a stack. The "why did my deploy fail" view.

Common pitfall: Events are reverse-chronological. The FIRST failure is the root cause and is buried at the bottom — scroll all the way down or pipe through `tac`.

Examples
aws cloudformation describe-stack-events --stack-name my-stack --max-items 50
aws cloudformation delete-stack

Delete a CloudFormation stack and all the resources it created.

Common pitfall: Buckets with objects, log groups with retention=Never, RDS without skip-snapshot — these can stall the delete. Check `describe-stack-events` for which resource is wedged.

Examples
aws cloudformation delete-stack --stack-name my-stack
aws cloudformation wait stack-delete-complete --stack-name my-stack
aws cloudformation package

Upload local artifacts referenced in a template to S3 and produce a template ready for `deploy`.

Examples
aws cloudformation package --template-file template.yaml --s3-bucket my-deploys --output-template-file packaged.yaml
aws cloudformation validate-template

Lint a CloudFormation template for syntax and required parameters before deploy.

Examples
aws cloudformation validate-template --template-body file://template.yaml
aws cloudformation create-change-set

Preview exactly what an update would add, modify, or delete BEFORE applying it. The safe way to update prod stacks.

Common pitfall: Use `--change-set-type CREATE` for a brand-new stack — the default UPDATE type errors if the stack does not exist yet.

Examples
aws cloudformation create-change-set --stack-name my-stack --template-body file://t.yaml --change-set-name preview1 --capabilities CAPABILITY_NAMED_IAM
aws cloudformation describe-change-set --stack-name my-stack --change-set-name preview1
aws cloudformation detect-stack-drift

Detect whether live resources have drifted from what the stack template declares — someone clicked in the console again.

Common pitfall: Drift detection is async: `detect-stack-drift` returns an id, then poll `describe-stack-drift-detection-status` and `describe-stack-resource-drifts`.

Examples
aws cloudformation detect-stack-drift --stack-name my-stack
aws cloudformation describe-stack-resource-drifts --stack-name my-stack --stack-resource-drift-status-filters MODIFIED DELETED
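Added example (not from the cheat sheet) covering the two async patterns above: the Logs Insights `start-query` / `get-query-results` loop from the CloudWatch section and the `detect-stack-drift` / `describe-stack-drift-detection-status` loop here. One generic poller serves both, stopping on the success state, the failure state, or an attempt limit. Log group name, stack name and the query string are assumptions.

```shell
#!/usr/bin/env bash
# Added example: the start-then-poll pattern shared by Logs Insights queries
# and CloudFormation drift detection. Group, stack and query strings below are
# assumptions, not values from the cheat sheet.

# poll_until OK FAIL MAX_ATTEMPTS DELAY aws-args...
# Re-runs "aws <args> --output text" until it prints OK (return 0) or FAIL
# (return 1); returns 3 after MAX_ATTEMPTS, 2 if the CLI call itself fails.
poll_until() {
  ok=$1; fail=$2; max=$3; delay=$4; shift 4
  i=0; state=""
  while [ "$i" -lt "$max" ]; do
    state=$(aws "$@" --output text) || return 2
    [ "$state" = "$ok" ] && return 0
    [ "$state" = "$fail" ] && { echo "terminal state: $state" >&2; return 1; }
    i=$((i + 1))
    sleep "$delay"
  done
  echo "gave up after $max attempts (last state: $state)" >&2
  return 3
}

# insights_query LOG_GROUP QUERY_STRING [SECONDS_BACK]
# Prints the @message column of each result row, one per line.
insights_query() {
  group=$1; query=$2; back=${3:-3600}
  end=$(date -u +%s); start=$((end - back))
  qid=$(aws logs start-query --log-group-name "$group" \
        --start-time "$start" --end-time "$end" \
        --query-string "$query" --query queryId --output text) || return 2
  poll_until Complete Failed 30 "${POLL_DELAY:-2}" \
    logs get-query-results --query-id "$qid" --query status || return 1
  aws logs get-query-results --query-id "$qid" \
    --query "results[*][?field=='@message'].value" --output text
}

# stack_drift STACK_NAME
# Prints "<LogicalId> <MODIFIED|DELETED>" (tab-separated) per drifted resource.
stack_drift() {
  stack=$1
  id=$(aws cloudformation detect-stack-drift --stack-name "$stack" \
       --query StackDriftDetectionId --output text) || return 2
  poll_until DETECTION_COMPLETE DETECTION_FAILED 30 "${POLL_DELAY:-5}" \
    cloudformation describe-stack-drift-detection-status \
    --stack-drift-detection-id "$id" --query DetectionStatus || return 1
  aws cloudformation describe-stack-resource-drifts --stack-name "$stack" \
    --stack-resource-drift-status-filters MODIFIED DELETED \
    --query "StackResourceDrifts[].[LogicalResourceId,StackResourceDriftStatus]" \
    --output text
}

# Usage: ./poll.sh errors <log-group>   |   ./poll.sh drift <stack>
case "${1:-}" in
  errors) insights_query "$2" 'fields @timestamp, @message | filter @message like /ERROR/ | sort @timestamp desc | limit 20' ;;
  drift)  stack_drift "$2" ;;
esac
```

The poller distinguishes a terminal failure (Insights `Failed`, drift `DETECTION_FAILED`) from a timeout so a wrapping script can react differently; `POLL_DELAY` exists only so the loop can be exercised quickly.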
aws cloudformation list-stacks

List stacks filtered by status — handy to find every stack stuck in ROLLBACK or DELETE_FAILED across the account.

Common pitfall: By default deleted stacks are included as ghosts. Pass `--stack-status-filter` to exclude DELETE_COMPLETE and see only live stacks.

Examples
aws cloudformation list-stacks --stack-status-filter CREATE_COMPLETE UPDATE_COMPLETE ROLLBACK_COMPLETE
aws cloudformation cancel-update-stack

Abort an in-progress stack UPDATE and roll back to the last known-good state.

Common pitfall: Only works while status is UPDATE_IN_PROGRESS. If it has already moved to UPDATE_ROLLBACK_FAILED you must `continue-update-rollback` instead.

Examples
aws cloudformation cancel-update-stack --stack-name my-stack
Route 53 (8)
aws route53 list-hosted-zones

List all Route 53 hosted zones in the account.

Examples
aws route53 list-hosted-zones
aws route53 list-hosted-zones --query "HostedZones[].[Name,Id]" --output text
aws route53 list-resource-record-sets

List all DNS records (A, AAAA, CNAME, MX, TXT, ALIAS) for a hosted zone.

Examples
aws route53 list-resource-record-sets --hosted-zone-id Z1234567890ABC
aws route53 list-resource-record-sets --hosted-zone-id Z1234567890ABC --query "ResourceRecordSets[?Type=='A']"
aws route53 change-resource-record-sets

Create, update, or delete DNS records via a JSON change batch. The only way to script DNS changes.

Common pitfall: A DELETE must match the existing record EXACTLY — same value, same TTL. Mismatch and you get InvalidChangeBatch. Always list-resource-record-sets first to copy the exact JSON.

Examples
aws route53 change-resource-record-sets --hosted-zone-id Z1234567890ABC --change-batch file://change.json
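Added example (not from the cheat sheet) of what goes into `change.json`: one helper builds the change batch for any action, and a second one builds a DELETE by reading the live record and copying its TTL and every value, which is exactly what the InvalidChangeBatch pitfall above requires. The zone id and record names are assumptions; alias records (no TTL, an AliasTarget instead) are deliberately not handled.

```shell
#!/usr/bin/env bash
# Added example: build a change batch for change-resource-record-sets, and
# build a DELETE by copying the live record exactly (TTL and every value), which
# is what InvalidChangeBatch demands. Zone id and names are assumptions.

# json_escape STRING: escape backslashes and quotes (TXT values carry quotes).
json_escape() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# build_change_batch ACTION NAME TYPE TTL VALUES
# VALUES is tab-separated so multi-value records (round-robin A, MX) work.
build_change_batch() {
  action=$1; name=$2; type=$3; ttl=$4; values=$5
  rrs=""
  old_ifs=$IFS; IFS=$(printf '\t')
  for v in $values; do
    [ -n "$rrs" ] && rrs="$rrs,"
    rrs="$rrs{\"Value\":\"$(json_escape "$v")\"}"
  done
  IFS=$old_ifs
  printf '{"Comment":"cli %s","Changes":[{"Action":"%s","ResourceRecordSet":{"Name":"%s","Type":"%s","TTL":%s,"ResourceRecords":[%s]}}]}\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$action" "$name" "$type" "$ttl" "$rrs"
}

# delete_batch_for_existing ZONE_ID NAME TYPE
# Reads the live record and emits a DELETE batch that matches it exactly.
# Alias records have no TTL and are reported as "not found" here on purpose.
delete_batch_for_existing() {
  zone=$1; name=$2; type=$3
  case $name in *.) fqdn=$name ;; *) fqdn="$name." ;; esac   # Route 53 names end in a dot
  sel="ResourceRecordSets[?Name=='$fqdn' && Type=='$type'] | [0]"
  ttl=$(aws route53 list-resource-record-sets --hosted-zone-id "$zone" \
        --query "$sel.TTL" --output text) || return 2
  if [ -z "$ttl" ] || [ "$ttl" = None ]; then
    echo "no $type record named $fqdn in $zone (or it is an alias)" >&2; return 1
  fi
  values=$(aws route53 list-resource-record-sets --hosted-zone-id "$zone" \
           --query "$sel.ResourceRecords[].Value" --output text) || return 2
  build_change_batch DELETE "$fqdn" "$type" "$ttl" "$values"
}

# apply_change_batch ZONE_ID JSON: submit and wait for INSYNC (the CLI's
# built-in waiter polls get-change for you).
apply_change_batch() {
  zone=$1; batch=$2
  change=$(aws route53 change-resource-record-sets --hosted-zone-id "$zone" \
           --change-batch "$batch" --query ChangeInfo.Id --output text) || return 2
  aws route53 wait resource-record-sets-changed --id "$change" && echo "$change INSYNC"
}

# Usage: ./r53.sh delete Z1234567890ABC old.example.com A
#        ./r53.sh upsert Z1234567890ABC www.example.com A 300 203.0.113.10
case "${1:-}" in
  delete) batch=$(delete_batch_for_existing "$2" "$3" "$4") && apply_change_batch "$2" "$batch" ;;
  upsert) apply_change_batch "$2" "$(build_change_batch UPSERT "$3" "$4" "$5" "$6")" ;;
esac
```

Review the printed batch before applying it in a real zone; `aws route53 wait resource-record-sets-changed` replaces a hand-written `get-change` loop and returns once the change is INSYNC.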
aws route53 get-change

Check whether a Route 53 change has propagated (PENDING vs INSYNC).

Examples
aws route53 get-change --id /change/C1234567890ABC
aws route53 create-hosted-zone

Create a new Route 53 hosted zone for a domain.

Common pitfall: After creation, change your registrar to use the four returned NS records — otherwise the zone exists but nothing resolves.

Examples
aws route53 create-hosted-zone --name example.com --caller-reference $(date +%s)
aws route53 list-health-checks

List Route 53 health checks — the probes that drive DNS failover and latency-based routing decisions.

Examples
aws route53 list-health-checks
aws route53 get-health-check-status --health-check-id abc-123
aws route53 test-dns-answer

Ask Route 53 what answer it WOULD return for a name/type from a given resolver IP — without changing your real DNS.

Common pitfall: This queries the authoritative zone directly, bypassing all resolver and TTL caching. It is the truth, but not what an end user with a cached record sees.

Examples
aws route53 test-dns-answer --hosted-zone-id Z1234567890ABC --record-name www.example.com --record-type A
aws route53domains list-domains

List domain names registered through Route 53 Domains, with expiry dates and auto-renew status.

Common pitfall: Route 53 Domains is a global service — the API only answers in us-east-1. Add `--region us-east-1` or it fails to connect.

Examples
aws route53domains list-domains --region us-east-1
aws route53domains get-domain-detail --domain-name example.com --region us-east-1
Common pitfalls (14)
--profile vs default profile

Without `--profile <name>` (or AWS_PROFILE env var), the CLI uses `[default]`. On multi-account orgs this is almost always the wrong account. Set AWS_PROFILE in your shell, or alias commands per project.

Common pitfall: A typo like `--profile=prod` (with =) sometimes works, sometimes does not depending on CLI version. Stick to `--profile prod` (space-separated).

Examples
export AWS_PROFILE=prod
aws s3 ls --profile dev
alias awsp="aws --profile prod"
--region default empty

If neither `--region`, AWS_REGION, AWS_DEFAULT_REGION, nor profile region is set, you get "You must specify a region" or a confusing "Could not connect" error.

Common pitfall: Different services live in different regions. Setting a default in `~/.aws/config` per profile is the most maintainable.

Examples
aws configure set region us-east-1 --profile prod
export AWS_REGION=ap-northeast-1
aws s3 ls --region eu-west-1
pagination truncates output

AWS APIs paginate. The CLI auto-paginates by default but if AWS_PAGER is set to "" or you pass --no-paginate you only see page 1. `aws s3 ls` paginates at 1000 keys.

Examples
aws ec2 describe-instances --max-items 10 --starting-token <token>
aws s3 ls s3://bucket/ --recursive | wc -l
--output table vs json vs text

json is for piping into jq. text is tab-separated and ideal for shell loops (`for i in $(aws ... --output text)`). table is for humans and truncates wide columns. Set the default in `~/.aws/config`.

Examples
aws ec2 describe-instances --output text --query "Reservations[].Instances[].InstanceId"
aws s3api list-buckets --output json | jq -r ".Buckets[].Name"
aws configure set output json --profile prod
--query is JMESPath not jq

`--query` uses JMESPath. Subtle differences from jq: `.[0]` becomes `[0]`, no pipes inside expressions, and string literals are SINGLE-quoted. For complex shape-changes prefer `--output json | jq`.

Examples
aws ec2 describe-instances --query "Reservations[*].Instances[*].[InstanceId,State.Name]" --output table
aws s3api list-buckets --query "Buckets[?starts_with(Name, 'logs-')].Name" --output text
--dry-run is EC2-only

Many people assume every AWS service supports `--dry-run`. It does NOT — only most EC2 mutate operations do. Returns DryRunOperation on success. For other services, simulate via `iam simulate-principal-policy` or `cloudformation deploy --no-execute-changeset`.

Examples
aws ec2 terminate-instances --instance-ids i-aaa --dry-run
aws cloudformation deploy --template-file t.yaml --stack-name s --no-execute-changeset
S3 eventual consistency

Since 2020 S3 reads-after-writes are strongly consistent globally. The OLD eventual-consistency trap (PUT then LIST does not see the new key) is gone. But cross-region replication, CloudFront caches, and versioning are still eventually consistent.

Examples
aws s3 cp file s3://b/key && aws s3 ls s3://b/key
aws s3api put-object --bucket b --key k --body file
AKID leaked to git

If an access key ends up in git history, GitHub bots scan and abuse it within minutes — bitcoin miners spin up across every region. Immediately `iam delete-access-key`, audit CloudTrail for the past 24h, rotate every secret in the same account.

Common pitfall: Rewriting git history does NOT help — the key is already cached and scraped. Delete the key first, history cleanup is cosmetic.

Examples
aws iam delete-access-key --user-name lilei --access-key-id AKIA...
aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=AKIA...
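Added example (not from the cheat sheet) of the response the entry above describes as a script: record where the key was last used, delete it, confirm IAM no longer lists it, then pull the key's CloudTrail activity for the past 24h and count event names so write operations stand out. The user name is an assumption and the key id is AWS's documentation placeholder; `lookup-events` answers per region, so the dispatcher at the bottom walks every region.

```shell
#!/usr/bin/env bash
# Added example: first response to an access key found in git. The user name
# and the key id (AWS's documentation placeholder) are assumptions.

# revoke_leaked_key USER KEY_ID
# Records where the key was last used, deletes it, and confirms it is gone.
revoke_leaked_key() {
  user=$1; key=$2
  echo "last use of $key (date, service, region):" >&2
  aws iam get-access-key-last-used --access-key-id "$key" \
    --query 'AccessKeyLastUsed.[LastUsedDate,ServiceName,Region]' --output text >&2 || return 2
  aws iam delete-access-key --user-name "$user" --access-key-id "$key" || return 2
  remaining=$(aws iam list-access-keys --user-name "$user" \
    --query "AccessKeyMetadata[?AccessKeyId=='$key'].AccessKeyId" --output text) || return 2
  [ -z "$remaining" ]   # success only when IAM no longer lists the key
}

# key_activity KEY_ID [HOURS] [REGION]
# CloudTrail rows (time, service, event, user) for the key. lookup-events is
# per region, so call it once per region you care about.
key_activity() {
  key=$1; hours=${2:-24}; region=${3:-}
  start=$(date -u -d "$hours hours ago" +%Y-%m-%dT%H:%M:%SZ)
  aws ${region:+--region "$region"} cloudtrail lookup-events \
    --lookup-attributes "AttributeKey=AccessKeyId,AttributeValue=$key" \
    --start-time "$start" --max-items 500 \
    --query 'Events[].[EventTime,EventSource,EventName,Username]' --output text
}

# summarize_events < rows: count per EventName, most frequent first, so
# RunInstances or CreateUser stand out against harmless Describe* noise.
summarize_events() {
  awk -F'\t' 'NF >= 3 { c[$3]++ } END { for (k in c) printf "%d\t%s\n", c[k], k }' | sort -rn
}

# Usage: ./leaked-key.sh AKIAIOSFODNN7EXAMPLE lilei
case "${1:-}" in
  AKIA*)
    revoke_leaked_key "$2" "$1" && echo "deleted $1"
    for r in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
      echo "== $r"; key_activity "$1" 24 "$r" | summarize_events
    done ;;
esac
```

Deleting the key comes first and unconditionally; the CloudTrail pass afterwards is for scoping what else needs rotating, not a precondition for revocation.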
global services live in us-east-1

IAM, Route 53, CloudFront, WAF (global), and Organizations are global but their CLI endpoint is us-east-1. Commands that "cannot connect" or return empty in another region almost always need `--region us-east-1`.

Examples
aws cloudfront list-distributions --region us-east-1
aws route53domains list-domains --region us-east-1
throttling and exponential backoff

On bulk calls AWS returns ThrottlingException / RequestLimitExceeded. The CLI retries with backoff, but loops calling it per-item will still get rate-limited. Raise `--cli-read-timeout`, set `AWS_MAX_ATTEMPTS`, or use server-side batch APIs.

Examples
AWS_MAX_ATTEMPTS=10 AWS_RETRY_MODE=adaptive aws ec2 describe-instances
aws configure set retry_mode adaptive --profile prod
fileb:// vs file:// for binaries

Use `file://` for text (JSON policies, templates) and `fileb://` for BINARY (a Lambda zip, an image). Passing a zip with `file://` corrupts it because the CLI treats it as UTF-8 text.

Examples
aws lambda update-function-code --function-name my-fn --zip-file fileb://function.zip
aws iam create-policy --policy-name P --policy-document file://policy.json
AWS_PAGER opens less and hangs

CLI v2 pipes long output through your pager (less) by default. In scripts and CI this looks like the command "hangs" waiting for a keypress. Set `AWS_PAGER=""` globally or per command.

Examples
export AWS_PAGER=""
AWS_PAGER="" aws ec2 describe-instances
aws configure set cli_pager "" --profile prod
clock skew breaks signatures

AWS rejects requests whose signature timestamp is more than ~5 minutes off server time with "Signature expired" or "InvalidSignatureException". If every command suddenly fails auth, check your system clock / NTP first.

Examples
date -u
sudo chronyc makestep
endpoint-url for LocalStack / VPC endpoints

Point the CLI at a non-default endpoint with `--endpoint-url` — for LocalStack testing, an S3-compatible store, or a private VPC endpoint. Without it you hit the real public AWS endpoint and may bill or fail.

Examples
aws --endpoint-url http://localhost:4566 s3 ls
aws --endpoint-url https://bucket.vpce-xxx.s3.us-east-1.vpce.amazonaws.com s3 cp f s3://b/f

What this tool does

Searchable AWS CLI cheat sheet covering the 80+ commands cloud engineers, SREs, and DevOps actually run on a real AWS account — not the marketing-page list. Eleven service groups: config (configure, sso login, sts get-caller-identity, sts assume-role), EC2 (describe-instances, run-instances, start/stop/terminate, describe-security-groups, authorize-security-group-ingress, key pairs), S3 (ls, cp, sync, mv, rm, mb, rb, presign, website, plus the s3api low-level escape hatch), IAM (list-users, create-user, attach-policy, list-roles, create-role, simulate-principal-policy), Lambda (list-functions, invoke, update-function-code, get-function-configuration, publish-version, create-alias), CloudWatch (get-metric-statistics, put-metric-alarm, describe-alarms, logs tail, logs filter-log-events), RDS (describe-db-instances, create-db-snapshot, restore-db-instance-from-db-snapshot, modify-db-instance), EKS (update-kubeconfig, describe-cluster, list-nodegroups, describe-nodegroup, update-addon), CloudFormation (deploy, describe-stacks, describe-stack-events, delete-stack, package), Route53 (list-hosted-zones, change-resource-record-sets, list-resource-record-sets), and a pitfall section fixing the eight things that actually waste your afternoon: --profile vs default, --region default empty, pagination cutting output to 1000, --output json/table/text, --query JMESPath vs jq, --dry-run on EC2 only, S3 eventual consistency, and AKID leaked to git. Every entry has full syntax, bilingual EN/ZH description, the real-world trap, and 1-3 copy-ready examples with realistic ARNs and instance IDs. Search across command + description + pitfall + example — type "AKID" and the leak entry surfaces. Pure client-side, no AWS account connected. Pair with our kubectl, Docker, nginx, and curl cheat sheets.


Real-world use cases

  • Deploy a static site to S3 + CloudFront without nuking the bucket

    You ship a Next.js export to s3://acme-www and need the right sync line. The sheet hands you `aws s3 sync ./out s3://acme-www --delete` plus the CloudFront invalidation `aws cloudfront create-invalidation --distribution-id E2QWXYZ --paths "/*"`. The pinned-source warning saves you from the `sync . --delete` that wipes the whole bucket on a forgotten subfolder.

  • Find which account you are actually in before a destructive run

    On a 9-account org you are about to run `terminate-instances` and the shell prompt does not say which profile is live. You grab `aws sts get-caller-identity --profile prod` from the config group, read the Account 4179... and Arn, confirm it is prod not staging, then run with the same `--profile prod`. Thirty seconds that stops a wrong-account delete.

  • Tail a Lambda's logs while reproducing a 502 in staging

    A checkout Lambda throws intermittently. You copy `aws logs tail /aws/lambda/checkout-fn --follow --since 5m --profile staging`, replay the failing cart, and watch the stack trace stream live. The sheet also gives `aws lambda invoke --function-name checkout-fn --payload file://event.json out.json` so you can fire a deterministic test event instead of clicking the UI.

  • Snapshot an RDS instance before a risky schema migration

    Before an ALTER TABLE on a 40GB Postgres prod DB, you want a rollback point. You copy `aws rds create-db-snapshot --db-instance-identifier acme-prod --db-snapshot-identifier acme-prod-pre-migrate-2026-05-30`, wait for available, then run the migration. If it goes wrong, the restore line is one search away. No console clicking under pressure.

Common pitfalls

  • Forgetting `--profile` on a multi-account org silently hits the default profile. Pin it on every write, e.g. `aws ec2 terminate-instances --instance-ids i-0abc --profile prod`.

  • Treating `--query` like jq. It is JMESPath, so `.Reservations[0]` becomes `Reservations[0]` and pipe is `|`, not `| jq`. Test on a read before scripting it.

  • Running `aws s3 sync . s3://bucket --delete` from the wrong directory wipes the bucket. Pin the source to a real subfolder and add `--dryrun` on the first run.
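Added example (not from the cheat sheet) of a wrapper that enforces the last pitfall: it refuses the current directory, the filesystem root and the home directory as a sync source, always runs `--dryrun` first, and applies `--delete` only when the caller has seen the deletion count and passed `--yes`. The bucket name and output directory are assumptions.

```shell
#!/usr/bin/env bash
# Added example: a wrapper that makes the --delete pitfall hard to hit. It
# refuses to sync from the current directory or the filesystem root, always
# runs --dryrun first, and only applies when the caller passes --yes after
# seeing how many objects would be deleted. Bucket names are assumptions.

# safe_s3_sync SRC_DIR s3://BUCKET[/PREFIX] [--yes]
# Returns 1 on a bad argument, 2 if the CLI fails, 3 when deletes are pending
# and --yes was not given, 0 after a successful sync.
safe_s3_sync() {
  src=$1; dest=$2; confirm=${3:-}
  case $src in
    ""|.|./|/|"$HOME")
      echo "refusing to sync from '$src': pin the source to the build output dir (e.g. ./out)" >&2
      return 1 ;;
  esac
  case $dest in s3://?*) ;; *) echo "destination must be an s3:// URI" >&2; return 1 ;; esac
  [ -d "$src" ] || { echo "source dir $src does not exist" >&2; return 1; }
  # Dry run first: the CLI prints one "(dryrun) delete: s3://..." line per removal.
  plan=$(aws s3 sync "$src" "$dest" --delete --dryrun) || return 2
  deletes=$(printf '%s\n' "$plan" | grep -c '^(dryrun) delete:' || true)
  uploads=$(printf '%s\n' "$plan" | grep -c '^(dryrun) upload:' || true)
  echo "plan for $dest: $uploads upload(s), $deletes delete(s)" >&2
  if [ "$deletes" -gt 0 ] && [ "$confirm" != "--yes" ]; then
    printf '%s\n' "$plan" | grep '^(dryrun) delete:' >&2
    echo "re-run with --yes to apply these deletions" >&2
    return 3
  fi
  aws s3 sync "$src" "$dest" --delete
}

# Usage: ./deploy.sh ./out s3://acme-www [--yes]
case "${1:-}" in ""|-h|--help) ;; *) safe_s3_sync "$@" ;; esac
```

Pair this with the CloudFront invalidation from the use case above once the sync returns 0; the wrapper intentionally never invalidates on a refused or dry run.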

Privacy

This cheat sheet is a single static page. Search runs entirely in your browser against an in-memory command array. It never prompts for credentials, loads no AWS SDK, and makes zero API calls. Your search terms stay local and never enter the URL, so nothing is shared when you copy the page link.


Made by Toolora · 100% client-side · Updated 2026-06-13