AWS CLI Cheat Sheet: Commands, S3, Services, Profiles, Queries, and Automation

A practical, candidate-ready AWS command line cheat sheet for students, cloud engineers, DevOps beginners, developers, and interview preparation. Use it to learn the command pattern, configure profiles, manage S3, inspect EC2, query IAM, automate deployments, troubleshoot errors, and copy safe command templates directly from the page.

Best for: AWS beginners, DevOps candidates, cloud interviews
Version focus: AWS CLI version 2 command style
Includes: Search, tabs, copy commands, printable view
Reviewed: May 11, 2026

Use this page as both an AWS CLI commands cheat sheet and an AWS command line learning guide. The command cards are intentionally short, while the guide sections explain why each pattern matters.

What Is the AWS CLI?

The AWS CLI, or Amazon Web Services Command Line Interface, is a terminal tool for managing AWS services from a shell, script, local development environment, CI/CD pipeline, jump host, or cloud workstation. Instead of clicking through the AWS Management Console, you type commands such as aws s3 ls, aws ec2 describe-instances, or aws sts get-caller-identity. This is faster for repeatable tasks, safer for documented operations, and more scalable for teams that need consistent infrastructure workflows.

For candidates preparing for AWS, DevOps, cloud support, site reliability engineering, backend engineering, or platform engineering roles, the CLI is more than a convenience. It shows whether you understand resources, regions, identities, permissions, output formats, filters, and automation. A candidate who can explain aws s3 sync, --profile, --region, --query, and aws sts get-caller-identity usually understands AWS operational fundamentals better than someone who only memorizes console screenshots.

Core command shape: aws <service> <operation> [parameters] [global-options]. Example: aws ec2 describe-instances --region us-east-1 --output table.

The Four-Part Mental Model

1. Base command

aws calls the CLI program. Everything begins with this executable.

2. Service namespace

s3, ec2, iam, lambda, cloudformation, logs, and other names map to AWS services.

3. Operation

list-buckets, describe-instances, create-function, or get-object tells AWS what action you want.

4. Parameters

Parameters such as --bucket, --profile, --query, and --region add context and constraints.

AWS CLI has two broad command styles. High-level commands are friendlier wrappers, most commonly in the aws s3 namespace. They use commands like cp, mv, rm, sync, ls, mb, and rb. Low-level service commands generally mirror AWS service APIs more closely, such as aws s3api list-objects-v2, aws ec2 describe-security-groups, or aws iam list-users. A strong user knows both: high-level commands for daily file workflows, and service API commands for precision, scripting, and advanced output filtering.

Install, Verify, and Configure AWS CLI

In modern AWS workflows, use AWS CLI version 2 unless a legacy team script explicitly requires version 1. Version 2 includes current CLI behavior, built-in improvements, IAM Identity Center support, auto-prompt, additional output formats, and a more consistent experience across operating systems. Candidates should know how to check the installed version, configure credentials, select a profile, verify the caller identity, and avoid committing secrets to source control.

Setup

Check installed CLI version

aws --version

Use this first. It confirms whether the machine has AWS CLI installed and shows the major version.

Setup

Configure basic credentials

aws configure

Prompts for access key, secret access key, default region, and default output. Prefer IAM Identity Center or temporary credentials for real teams.

SSO

Configure IAM Identity Center profile

aws configure sso

Creates an SSO-backed profile for organizations that use IAM Identity Center.

STS

Verify current identity

aws sts get-caller-identity

The safest first diagnostic command. It returns the account, ARN, and user or role identity currently being used.

Profiles

List configured profiles

aws configure list-profiles

Useful when a laptop has multiple accounts such as dev, staging, production, or client-specific profiles.

Profiles

Run a command with a profile

aws s3 ls --profile dev

Use --profile to choose a named credential profile without changing global defaults.

Files Created by Configuration

Basic configuration usually writes to two files in the user home directory. The ~/.aws/config file stores profile settings such as region and output. The ~/.aws/credentials file can store access keys for profiles when static IAM user credentials are used. In production-grade environments, avoid long-lived credentials when possible. Prefer IAM roles, IAM Identity Center, short-lived credentials, workload identity, or CI-provided temporary credentials.

[default]
region = us-east-1
output = json

[profile dev]
region = ap-south-1
output = table

Candidate note: Never paste real access keys into blog comments, GitHub repositories, screenshots, tutorials, or public code. If a key is exposed, rotate or delete it immediately and review CloudTrail for suspicious activity.
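
One way to check a workstation for the two risks this section names, static keys in ~/.aws/credentials and a file other local users can read. It is an added example, not code from the original page; the function names and sample file are constructed, and it relies on AWS's documented key ID prefixes (AKIA for long-term keys, ASIA for temporary ones).

```bash
#!/usr/bin/env bash
# Added example: audit an AWS shared credentials file without printing any key.

# Constructed sample content (AWS's documentation example key ID, not a real key).
SAMPLE_CREDENTIALS='[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = constructed-placeholder

[ci]
aws_access_key_id=ASIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-placeholder
aws_session_token = constructed-placeholder'

# Print "<profile> <static|temporary|unknown>" for every profile that holds a key.
# Reads the file named in $1, or stdin when no argument is given.
classify_profiles() {
  awk '
    /^[ \t]*\[/ {
      profile = $0
      sub(/^[ \t]*\[[ \t]*/, "", profile)
      sub(/[ \t]*\].*$/, "", profile)
      next
    }
    /^[ \t]*aws_access_key_id[ \t]*=/ {
      value = $0
      sub(/^[^=]*=[ \t]*/, "", value)
      kind = "unknown"
      if (value ~ /^AKIA/) kind = "static"          # long-term IAM user key
      else if (value ~ /^ASIA/) kind = "temporary"  # STS session key
      print profile, kind
    }
  ' "${1:--}"
}

# Succeed only when group and other have no permission bits on the file.
owner_only() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Report findings for a credentials file; return 1 if there is any finding.
audit_credentials() {
  audit_file="${1:-$HOME/.aws/credentials}"
  if [ ! -f "$audit_file" ]; then
    echo "OK: no credentials file at $audit_file"
    return 0
  fi
  audit_rc=0
  if ! owner_only "$audit_file"; then
    echo "WARN: $audit_file is accessible to group or other (chmod 600)"
    audit_rc=1
  fi
  for audit_profile in $(classify_profiles "$audit_file" |
                         awk '$2 == "static" { print $1 }'); do
    echo "WARN: profile '$audit_profile' holds a long-lived access key"
    audit_rc=1
  done
  return "$audit_rc"
}

# Usage: audit_credentials            (checks ~/.aws/credentials)
#        audit_credentials /path/to/credentials
```

A non-zero exit from audit_credentials can fail a workstation compliance check or a pre-commit hook.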

Global Options Every Candidate Should Know

Global options work across many AWS CLI commands. These are important in interviews because they reveal whether you understand repeatability. A command without --region may work on one laptop but fail on another. A command without --profile may run against the wrong account. A command without --query may return too much output. A command without --output may be hard to read or hard to parse in automation.

| Option | Use | Example | Candidate Tip |
| --- | --- | --- | --- |
| --profile | Use a named profile from local credentials/config files. | aws ec2 describe-instances --profile dev | Protects you from accidentally using the wrong account. |
| --region | Overrides the configured region for one command. | aws s3api list-buckets --region us-east-1 | Many services are regional; IAM and S3 bucket list behavior differs from regional services. |
| --output | Controls output format: JSON, YAML, text, table, YAML stream, or off. | aws iam list-users --output table | Use JSON for scripts and table for human reading. |
| --query | Filters response data using JMESPath. | aws ec2 describe-instances --query 'Reservations[*].Instances[*].InstanceId' | Powerful for interviews, audits, and dashboards. |
| --no-paginate | Return only the first page for paginated operations. | aws s3api list-objects-v2 --bucket demo --no-paginate | Useful for quick checks, not for complete inventories. |
| --page-size | Requests smaller service pages to reduce timeout risk. | aws ec2 describe-instances --page-size 100 | Changes API call behavior, not the final number of returned items. |
| --max-items | Limits the number of items printed in output. | aws iam list-users --max-items 20 | Useful for controlled review and paged scripts. |
| --no-cli-pager | Disables terminal pager for one command. | aws logs describe-log-groups --no-cli-pager | Helpful in scripts and CI logs. |
| --debug | Shows low-level diagnostic details. | aws s3 ls --debug | Use carefully; debug logs may expose sensitive context. |
| --cli-auto-prompt | Enables guided command completion. | aws dynamodb describe-table --cli-auto-prompt | Useful when learning unfamiliar services. |

Environment Variables

Environment variables let you override local settings temporarily. This is common in shell sessions, Docker containers, CI pipelines, and automated jobs. Use them carefully because they can hide the true source of credentials from beginners.

export AWS_PROFILE=dev
export AWS_REGION=us-east-1
export AWS_DEFAULT_OUTPUT=json
export AWS_PAGER=""

A useful candidate habit is to run aws configure list and aws sts get-caller-identity before making changes. These two commands answer two critical questions: which configuration is active, and which AWS principal is authorized to act?

Interactive AWS CLI Command Finder

Each card includes a safe template. Replace placeholder names such as my-bucket, my-profile, i-1234567890abcdef0, my-function, and us-east-1 before running commands.

S3

List S3 buckets

aws s3 ls

Shows buckets visible to the current identity.

S3

List objects recursively

aws s3 ls s3://my-bucket/path/ --recursive

Lists all objects under a prefix. Useful for checking uploads, static assets, and backup paths.

S3

Upload a file

aws s3 cp ./file.pdf s3://my-bucket/folder/file.pdf

Copies one local file to a bucket key.

S3

Download a file

aws s3 cp s3://my-bucket/folder/file.pdf ./file.pdf

Copies one object from S3 to the current machine.

S3

Sync build folder to S3

aws s3 sync ./dist s3://my-bucket --delete

Common for static website deployment. --delete removes destination objects that no longer exist locally.

S3

Preview S3 sync

aws s3 sync ./dist s3://my-bucket --dryrun

Use --dryrun before destructive sync operations.

S3

Create a bucket

aws s3 mb s3://my-unique-bucket-name --region us-east-1

Bucket names must be globally unique. Region behavior matters for real deployments.

S3

Remove objects safely

aws s3 rm s3://my-bucket/path/ --recursive --dryrun

Start with --dryrun. Remove it only after checking the deletion list.

EC2

List EC2 instances

aws ec2 describe-instances --output table

Raw output is large. Add --query to show IDs, states, names, and IPs only.

EC2

Show EC2 instance summary

aws ec2 describe-instances \
  --query "Reservations[*].Instances[*].{ID:InstanceId,State:State.Name,Type:InstanceType,AZ:Placement.AvailabilityZone,PublicIP:PublicIpAddress}" \
  --output table

A practical interview-ready JMESPath example.

EC2

Start an EC2 instance

aws ec2 start-instances --instance-ids i-1234567890abcdef0

Requires permission and a valid instance state.

EC2

Stop an EC2 instance

aws ec2 stop-instances --instance-ids i-1234567890abcdef0

Stopping can affect workloads. Confirm environment and ownership first.

EC2

Inspect a security group

aws ec2 describe-security-groups \
  --group-ids sg-1234567890abcdef0 \
  --output table

Use before changing inbound or outbound rules.

EC2

List EBS volumes

aws ec2 describe-volumes \
  --query "Volumes[*].{ID:VolumeId,State:State,Size:Size,Type:VolumeType}" \
  --output table

Useful for cost reviews and cleanup checks.

IAM

List IAM users

aws iam list-users --output table

Works with IAM permissions. IAM is global, but commands still use the current identity.

IAM

List IAM role names

aws iam list-roles --query "Roles[*].RoleName" --output table

Good for identifying execution roles and application roles.

IAM

List policies attached to a user

aws iam list-attached-user-policies --user-name my-user

Helps diagnose permission boundaries and access errors.

IAM

List access keys for a user

aws iam list-access-keys --user-name my-user

Used in key rotation and incident response. Do not expose secret access keys.

Lambda

List Lambda functions

aws lambda list-functions \
  --query "Functions[*].FunctionName" \
  --output table

Fast way to see available functions in a region.

Lambda

Invoke a Lambda function

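aws lambda invoke \
  --function-name my-function \
  --cli-binary-format raw-in-base64-out \
  --payload '{"ping":"test"}' \
  response.json

Writes the function response to response.json. AWS CLI version 2 treats --payload as base64 by default, so --cli-binary-format raw-in-base64-out is needed to pass raw JSON. Payload quoting differs by shell.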

Lambda

Update Lambda code from zip

aws lambda update-function-code \
  --function-name my-function \
  --zip-file fileb://function.zip

Use fileb:// for binary zip upload.

CloudFormation

Deploy a CloudFormation stack

aws cloudformation deploy \
  --template-file template.yaml \
  --stack-name my-stack \
  --capabilities CAPABILITY_NAMED_IAM

Use capabilities when templates create or modify IAM resources.

CloudFormation

Show stack outputs

aws cloudformation describe-stacks \
  --stack-name my-stack \
  --query "Stacks[0].Outputs" \
  --output table

Useful after deployments to find URLs, ARNs, bucket names, and endpoints.

CloudFormation

Validate a template

aws cloudformation validate-template \
  --template-body file://template.yaml

Checks template syntax before deployment.

Logs

Tail CloudWatch logs

aws logs tail /aws/lambda/my-function --follow

Streams logs for troubleshooting Lambda and other services that write to CloudWatch Logs.

Logs

List log groups

aws logs describe-log-groups \
  --query "logGroups[*].logGroupName" \
  --output table

Use this when you do not remember the exact log group name.

DynamoDB

List DynamoDB tables

aws dynamodb list-tables --output table

Shows tables in the selected region.

DynamoDB

Describe a DynamoDB table

aws dynamodb describe-table --table-name my-table

Returns keys, indexes, billing mode, table status, size, and item count.

RDS

List RDS instances

aws rds describe-db-instances \
  --query "DBInstances[*].{DB:DBInstanceIdentifier,Engine:Engine,Status:DBInstanceStatus,Class:DBInstanceClass}" \
  --output table

Useful for inventory and operational visibility.

ECR

Log in Docker to ECR

aws ecr get-login-password --region us-east-1 | \
docker login --username AWS --password-stdin 123456789012.dkr.ecr.us-east-1.amazonaws.com

Modern ECR authentication pattern for Docker.

ECR

List ECR repositories

aws ecr describe-repositories \
  --query "repositories[*].repositoryName" \
  --output table

Shows container repositories in the selected region.

ECS

List ECS clusters

aws ecs list-clusters --output table

Start here before inspecting services or tasks.

EKS

Update kubeconfig for EKS

aws eks update-kubeconfig \
  --name my-cluster \
  --region us-east-1

Adds cluster access information for kubectl, assuming IAM permissions are correct.

Secrets

Read a secret value

aws secretsmanager get-secret-value \
  --secret-id my-secret \
  --query SecretString \
  --output text

Use only where policy allows. Avoid printing secrets in shared terminals and CI logs.

KMS

List KMS keys

aws kms list-keys --output table

Useful when investigating encryption dependencies.

SSM

Read Parameter Store value

aws ssm get-parameter \
  --name /app/prod/db-url \
  --with-decryption

Use --with-decryption for encrypted SecureString values.

Route 53

List hosted zones

aws route53 list-hosted-zones --output table

Useful for DNS inventory and domain operations.

ELB

List application/network load balancers

aws elbv2 describe-load-balancers \
  --query "LoadBalancers[*].{Name:LoadBalancerName,DNS:DNSName,State:State.Code}" \
  --output table

Shows names, DNS endpoints, and states.

Audit

Review recent CloudTrail events

aws cloudtrail lookup-events \
  --max-results 10 \
  --output table

Good for quick investigation of recent API activity.

AWS S3 CLI Commands Cheat Sheet

Amazon S3 is one of the most searched AWS CLI topics because file operations are common in development, analytics, deployment, backups, static hosting, and data engineering. Candidates should distinguish aws s3 and aws s3api. The aws s3 commands are high-level and feel similar to local file operations. The aws s3api commands map more closely to the S3 API and expose more precise options.

Use aws s3 when...

  • You need to copy, move, sync, list, or remove files quickly.
  • You are deploying static files from a build folder.
  • You want simple commands such as cp, sync, ls, mb, and rm.

Use aws s3api when...

  • You need exact API-level control.
  • You are working with object versions, policies, encryption, lifecycle, tagging, or metadata.
  • You need strong output filtering with --query.

Common S3 Patterns

# List buckets
aws s3 ls

# List one bucket path
aws s3 ls s3://my-bucket/folder/

# Upload one file
aws s3 cp report.pdf s3://my-bucket/reports/report.pdf

# Download one file
aws s3 cp s3://my-bucket/reports/report.pdf ./report.pdf

# Upload a folder recursively
aws s3 cp ./assets s3://my-bucket/assets --recursive

# Sync local folder to S3
aws s3 sync ./dist s3://my-bucket --delete

# Preview sync first
aws s3 sync ./dist s3://my-bucket --dryrun

# Remove objects under a prefix
aws s3 rm s3://my-bucket/tmp/ --recursive --dryrun

S3 Safety Checklist

  • Use --dryrun before large copy, sync, or delete operations. This is the simplest way to prevent accidental data loss.
  • Confirm account identity. Run aws sts get-caller-identity before production operations.
  • Confirm region and bucket ownership. S3 bucket names are globally unique, and similar names can cause mistakes.
  • Understand --delete. It makes the destination match the source by removing destination files that no longer exist in the source.
  • Use versioning for critical buckets. Versioning can reduce risk from accidental overwrites and deletes.
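
The checklist's --dryrun and --delete items can be enforced rather than eyeballed. This added example (not from the original page) parses the dry-run plan and refuses to proceed when it deletes too many objects or touches a protected prefix; the bucket name, sample plan, limits and function names are constructed.

```bash
#!/usr/bin/env bash
# Added example: gate an `aws s3 sync --delete` on its own --dryrun plan.

# Constructed sample of the output of
#   aws s3 sync ./dist s3://example-site-bucket --delete --dryrun
SAMPLE_PLAN='(dryrun) upload: dist/index.html to s3://example-site-bucket/index.html
(dryrun) upload: dist/app.3f9c.js to s3://example-site-bucket/app.3f9c.js
(dryrun) delete: s3://example-site-bucket/app.17ab.js
(dryrun) delete: s3://example-site-bucket/backups/2024-db.sql.gz'

# Print "<uploads> <deletes>" for a dry-run plan read from stdin.
plan_counts() {
  awk '/^\(dryrun\) upload:/ { u++ }
       /^\(dryrun\) delete:/ { d++ }
       END { printf "%d %d\n", u, d }'
}

# Print the S3 URIs the plan would delete, one per line.
plan_deletes() {
  sed -n 's/^(dryrun) delete: //p'
}

# sync_gate <max_deletes> [protected_key_prefix]
# Reads a dry-run plan on stdin. Returns 0 when the plan is acceptable,
# 1 when it deletes more than <max_deletes> objects,
# 2 when it deletes any key under the protected prefix.
sync_gate() {
  gate_max="$1"
  gate_prefix="${2:-}"
  gate_deletes="$(plan_deletes)"
  gate_count=0
  if [ -n "$gate_deletes" ]; then
    gate_count="$(printf '%s\n' "$gate_deletes" | wc -l | tr -d ' ')"
  fi
  if [ -n "$gate_prefix" ]; then
    # Strip "s3://bucket/" so the comparison is against the object key.
    gate_hits="$(printf '%s\n' "$gate_deletes" | sed 's|^s3://[^/]*/||' |
                 awk -v p="$gate_prefix" 'index($0, p) == 1')"
    if [ -n "$gate_hits" ]; then
      echo "refusing: plan deletes keys under '$gate_prefix':" >&2
      printf '%s\n' "$gate_hits" | sed 's/^/  /' >&2
      return 2
    fi
  fi
  if [ "$gate_count" -gt "$gate_max" ]; then
    echo "refusing: $gate_count deletions exceed limit of $gate_max" >&2
    return 1
  fi
  echo "ok: $gate_count deletions within limit of $gate_max"
}

# Usage in a deploy script (bucket name and limits are placeholders):
#   aws s3 sync ./dist s3://example-site-bucket --delete --dryrun \
#     | sync_gate 50 backups/ \
#     && aws s3 sync ./dist s3://example-site-bucket --delete
```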

Simple storage estimate formula: If each object has average size \(s\) MB and there are \(n\) objects, approximate storage is \(\frac{n \times s}{1024}\) GB. This is a planning shortcut, not a replacement for AWS billing data.

AWS Services List Cheat Sheet for CLI Users

AWS CLI service names are not always identical to product names. For example, Elastic Load Balancing v2 uses elbv2, CloudWatch Logs uses logs, Systems Manager uses ssm, and Secrets Manager uses secretsmanager. Candidates should know the most common service namespaces because they make command discovery faster.

| Service Area | CLI Namespace | Common Commands | What to Remember |
| --- | --- | --- | --- |
| Storage | s3, s3api, ebs, ec2, efs | s3 sync, s3api list-objects-v2, ec2 describe-volumes | S3 has high-level and API-level command sets. |
| Compute | ec2, lambda, autoscaling | describe-instances, list-functions, describe-auto-scaling-groups | Region selection is critical. |
| Identity | iam, sts, sso | list-users, get-caller-identity, sso login | Use STS to verify who you are. |
| Networking | ec2, elbv2, route53, apigateway | describe-vpcs, describe-load-balancers, list-hosted-zones | Many networking resources are described through EC2 APIs. |
| Databases | rds, dynamodb, elasticache, redshift | describe-db-instances, list-tables, describe-cache-clusters | Inventory queries are common in operations. |
| Containers | ecr, ecs, eks | get-login-password, list-clusters, update-kubeconfig | ECR login and EKS kubeconfig are high-frequency tasks. |
| Monitoring | cloudwatch, logs, cloudtrail | describe-alarms, logs tail, lookup-events | Use logs and CloudTrail for diagnostics. |
| Security Data | secretsmanager, ssm, kms | get-secret-value, get-parameter, list-keys | Avoid exposing secret values in logs. |
| Infrastructure as Code | cloudformation, cloudcontrol | deploy, validate-template, describe-stacks | CloudFormation commands are often used in CI/CD. |
| Messaging | sqs, sns, events, scheduler | list-queues, list-topics, list-rules | Understand queues, topics, and event rules. |

Output, Query, Pagination, and Filtering

The --query option is one of the highest-value AWS CLI skills. It lets you filter a JSON response before displaying it. The query language is JMESPath. You do not need to become a JMESPath expert on day one, but you should know how to select fields, flatten arrays, create readable labels, filter by values, and change output format.

Output Formats

Use json when a script or tool will process the result. Use table when a human needs to read a summary quickly. Use text for shell pipelines. Use yaml when the structure should be readable and compatible with YAML-focused tooling. Use yaml-stream for large responses where streaming helps responsiveness. Use off in automation cases where the exit code matters and stdout should stay quiet.

Query

Select EC2 instance IDs

aws ec2 describe-instances \
  --query "Reservations[*].Instances[*].InstanceId" \
  --output text

Extracts only instance IDs.

Query

Create labeled columns

aws ec2 describe-instances \
  --query "Reservations[*].Instances[*].{ID:InstanceId,State:State.Name,Type:InstanceType}" \
  --output table

Turns raw JSON into a readable table.

Query

Filter running instances

aws ec2 describe-instances \
  --query "Reservations[*].Instances[?State.Name=='running'].InstanceId" \
  --output text

Filters response data client-side after the AWS service returns it.

Pagination

Limit output items

aws s3api list-objects-v2 \
  --bucket my-bucket \
  --max-items 100

Good for sampling or manually walking through large lists.

Server-Side Filters vs Client-Side Queries

A server-side filter is handled by the AWS service before the response is returned. It can reduce network traffic and speed up large result sets. A client-side query is handled by the AWS CLI after the response is received. It is excellent for formatting and final shaping, but it does not reduce the service-side work. A mature command often combines both.

# Server-side filter: ask EC2 for running instances
aws ec2 describe-instances \
  --filters "Name=instance-state-name,Values=running"

# Client-side query: shape the response into a readable table
aws ec2 describe-instances \
  --filters "Name=instance-state-name,Values=running" \
  --query "Reservations[*].Instances[*].{ID:InstanceId,Type:InstanceType,AZ:Placement.AvailabilityZone}" \
  --output table

Pagination Strategy

Most list-style commands can return many results. The AWS CLI may automatically call the service multiple times to retrieve all pages. Use --page-size when individual service calls time out. Use --max-items when you want fewer items printed. Use --starting-token when continuing from a previous paged response. Avoid mixing incompatible values for --page-size and --max-items unless you understand the consequences for ordering and duplicate or missing items.

Pagination planning formula: If a list contains \(N\) items and the page size is \(p\), the approximate number of service calls is \(\lceil N / p \rceil\). For example, \(3500\) objects with a page size of \(1000\) need about \(\lceil 3500/1000 \rceil = 4\) calls.

AWS CLI for Automation, GitHub Actions, and CI/CD

Automation is where AWS CLI becomes especially valuable. A single command can deploy files, trigger infrastructure updates, fetch parameters, rotate artifacts, or verify a release. However, automated commands must be stricter than manual commands. Always define the profile or role, region, output behavior, error handling, and cleanup behavior. CI/CD jobs should use short-lived credentials and least-privilege policies.

Safe Bash Script Pattern

#!/usr/bin/env bash
set -euo pipefail

export AWS_REGION="us-east-1"

echo "Checking active AWS identity..."
aws sts get-caller-identity --output table

echo "Validating template..."
aws cloudformation validate-template --template-body file://template.yaml

echo "Deploying stack..."
aws cloudformation deploy \
  --template-file template.yaml \
  --stack-name my-stack \
  --capabilities CAPABILITY_NAMED_IAM \
  --no-cli-pager

Static Website Deploy Pattern

# Build your app first, then preview
npm run build
aws s3 sync ./dist s3://my-static-site-bucket --dryrun

# Deploy after checking the dry run output
aws s3 sync ./dist s3://my-static-site-bucket --delete

# Optional CloudFront invalidation
aws cloudfront create-invalidation \
  --distribution-id E1234567890ABC \
  --paths "/*"

GitHub Actions Conceptual Pattern

In GitHub Actions, avoid storing long-lived AWS access keys where possible. Prefer OpenID Connect with an AWS IAM role that trusts the GitHub repository and workflow context. The CLI commands inside the workflow should still be explicit about region, stack names, S3 paths, and output formats. A candidate does not need to memorize every YAML line, but should understand the principle: CI assumes a temporary role, then runs deterministic CLI commands.

# Conceptual deploy steps inside CI
aws sts get-caller-identity
aws cloudformation deploy --template-file template.yaml --stack-name app-prod --capabilities CAPABILITY_NAMED_IAM
aws s3 sync ./dist s3://app-prod-assets --delete

Automation Rules

  • Use explicit regions. Do not rely on hidden defaults in production scripts.
  • Use explicit identities. Verify the caller before making infrastructure changes.
  • Use dry runs where supported. Especially for S3 copy, sync, and remove commands.
  • Fail fast. In shell scripts, use set -euo pipefail and handle expected non-zero cases clearly.
  • Do not print secrets. Mask secret output, avoid debug logs around secrets, and restrict CI log access.
  • Prefer roles over long-lived keys. Temporary credentials reduce blast radius.

AWS CLI Security Cheat Sheet

AWS CLI security is mostly about identity, permissions, logging, and safe handling of credentials. The CLI itself does what the active credentials permit. That means the same command can be harmless in a sandbox account and destructive in production. Candidates should always explain how they confirm account, principal, region, action scope, and rollback options.

Never run destructive commands from a cheat sheet without replacing placeholders and checking the active identity. Commands like delete-stack, terminate-instances, rm --recursive, and delete-bucket can cause real data loss.
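
A preflight wrapper that applies the two checks above before any mutating command: it rejects arguments that still contain this page's placeholders and confirms the caller with aws sts get-caller-identity. It is an added example, not part of the original page; the function names, account ID and role ARN pattern are assumptions to replace with your own.

```bash
#!/usr/bin/env bash
# Added example: preflight checks to run before a mutating AWS CLI command.

# require_identity <expected_account_id> <caller_arn_glob>
# Returns 0 only when the active credentials resolve to the expected account
# and the caller ARN matches the glob; 1 on mismatch, 2 when STS cannot be reached.
require_identity() {
  want_account="$1"
  want_arn_glob="$2"
  # Text output of a two-element list is one tab-separated line: <Account>\t<Arn>
  ident="$(aws sts get-caller-identity --query '[Account,Arn]' \
             --output text --no-cli-pager)" || {
    echo "preflight: cannot resolve caller identity" >&2
    return 2
  }
  have_account="$(printf '%s\n' "$ident" | cut -f1)"
  have_arn="$(printf '%s\n' "$ident" | cut -f2)"
  if [ "$have_account" != "$want_account" ]; then
    echo "preflight: active account $have_account, expected $want_account" >&2
    return 1
  fi
  case "$have_arn" in
    $want_arn_glob) return 0 ;;   # unquoted on purpose: treated as a glob
  esac
  echo "preflight: caller $have_arn does not match $want_arn_glob" >&2
  return 1
}

# reject_placeholders <args...>
# Returns 1 when any argument still contains a placeholder used on this page.
reject_placeholders() {
  for arg in "$@"; do
    case "$arg" in
      *my-bucket*|*my-profile*|*my-function*|*my-stack*|*my-user*|*my-role*)
        echo "preflight: placeholder left in argument: $arg" >&2
        return 1 ;;
      *my-secret*|*my-table*|*my-cluster*|*1234567890abcdef0*|*E1234567890ABC*)
        echo "preflight: placeholder left in argument: $arg" >&2
        return 1 ;;
    esac
  done
  return 0
}

# guarded_aws <account> <arn_glob> <region> <aws args...>
# Runs `aws <args> --region <region>` only if every preflight check passes.
guarded_aws() {
  g_account="$1"; g_arn="$2"; g_region="$3"
  shift 3
  reject_placeholders "$@" || return 1
  require_identity "$g_account" "$g_arn" || return $?
  aws "$@" --region "$g_region" --no-cli-pager
}

# Usage (account ID, role pattern and stack name are constructed):
#   guarded_aws 111122223333 'arn:aws:sts::111122223333:assumed-role/deploy-*' \
#     us-east-1 cloudformation delete-stack --stack-name app-staging
```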

High-Value Security Commands

# Confirm current principal
aws sts get-caller-identity

# List policies attached to a role
aws iam list-attached-role-policies --role-name my-role

# Get account password policy
aws iam get-account-password-policy

# List access keys for a user
aws iam list-access-keys --user-name my-user

# Get CloudTrail recent events
aws cloudtrail lookup-events --max-results 20 --output table

# Read a secure SSM parameter only when authorized
aws ssm get-parameter --name /app/prod/api-key --with-decryption

Least-Privilege Interview Answer

A strong candidate answer sounds like this: “Before I run the command, I confirm the AWS account and role with aws sts get-caller-identity, specify --region, use a named --profile or temporary role, prefer read-only commands first, preview changes with dry runs or change sets, and ensure IAM permissions are scoped to the exact resources needed.”

Secrets Handling

When commands retrieve sensitive data from Secrets Manager, SSM Parameter Store, or KMS-protected resources, avoid printing output to shared screens or logs. Use environment variables carefully. Avoid shell history leaks. In Bash, a leading space may prevent history storage in some shell configurations, but do not rely on that as a security control. The better approach is to design workflows that do not display secrets at all.
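
One way to use a secret without displaying it, as an added example that is not part of the original page: the value is fetched with shell tracing switched off and handed to a single child process through its environment. The function name run_with_secret and the secret ID in the usage comment are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: pass a Secrets Manager value to one command without echoing it.

# run_with_secret <ENV_NAME> <secret-id> <command> [args...]
# Fetches SecretString, exposes it as ENV_NAME to <command> only, and returns
# the command's exit status (or the CLI's status if the fetch fails).
run_with_secret() {
  rws_name="$1"
  rws_id="$2"
  shift 2

  # If `set -x` is active, turn it off so the trace cannot print the value,
  # and remember to restore it afterwards.
  case "$-" in
    *x*) rws_trace=1; set +x ;;
    *)   rws_trace=0 ;;
  esac

  rws_rc=0
  rws_value="$(aws secretsmanager get-secret-value \
                 --secret-id "$rws_id" \
                 --query SecretString \
                 --output text \
                 --no-cli-pager)" || rws_rc=$?

  if [ "$rws_rc" -eq 0 ]; then
    # Subshell: the export is a shell builtin, so the value never appears in
    # any process argument list, and it disappears when the subshell exits.
    ( export "$rws_name=$rws_value"; "$@" ) || rws_rc=$?
  else
    echo "run_with_secret: could not read secret '$rws_id'" >&2
  fi

  unset rws_value
  if [ "$rws_trace" -eq 1 ]; then set -x; fi
  return "$rws_rc"
}

# Usage (secret ID and migration script are hypothetical):
#   run_with_secret DB_PASSWORD app/prod/db ./migrate.sh
```

The child process can still log the variable itself, so the command being run has to follow the same rule.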

Troubleshooting AWS CLI Errors

AWS CLI errors usually come from one of seven causes: missing credentials, wrong profile, wrong region, insufficient permissions, invalid parameters, service-side resource state, or network configuration. Troubleshooting should be systematic. Do not randomly add administrator permissions. Diagnose the active identity, region, command syntax, and API error message first.

| Error / Symptom | Likely Cause | Diagnostic Command | Fix Direction |
| --- | --- | --- | --- |
| Unable to locate credentials | No active credentials found. | aws configure list | Configure a profile, login with SSO, or provide role-based credentials. |
| AccessDenied | Current identity lacks permission. | aws sts get-caller-identity | Check IAM policy, role, permission boundary, SCP, or resource policy. |
| InvalidClientTokenId | Invalid or expired credentials. | aws sts get-caller-identity --debug | Refresh SSO, rotate keys, or renew temporary credentials. |
| Resource not found | Wrong region, wrong name, or deleted resource. | aws configure get region | Specify the correct --region and verify exact resource ID. |
| Output opens in pager | CLI pager is active. | echo $AWS_PAGER | Use --no-cli-pager or set AWS_PAGER="". |
| Command returns too much JSON | No query or output format selected. | Add --query and --output table | Shape the response with JMESPath. |
| S3 sync would delete files | --delete removes destination-only objects. | Run with --dryrun | Review exactly what will be removed before executing. |
| Timeout on large list | Large response or service call timeout. | Try --page-size 100 | Use server-side filters and smaller page size. |

Diagnostic Sequence

# 1. Confirm CLI version
aws --version

# 2. Check profile and config sources
aws configure list

# 3. Confirm active identity
aws sts get-caller-identity

# 4. Confirm region
aws configure get region

# 5. Run read-only command first
aws ec2 describe-regions --output table

# 6. Add debug only when needed
aws s3 ls --debug

Candidate Study Guide: What You Need to Know

A candidate does not need to memorize every AWS CLI command. AWS has too many services for that approach. Instead, learn patterns. Know how to get help, how to identify the current caller, how to list resources, how to filter output, how to change regions, and how to apply safe automation habits. Most AWS CLI tasks are variations of the same pattern: describe, list, get, put, create, update, delete, wait, and tag.

Command Verbs to Recognize

| Verb | Typical Meaning | Examples |
| --- | --- | --- |
| list-* | Return names or IDs of resources. | list-users, list-functions, list-tables |
| describe-* | Return detailed resource metadata. | describe-instances, describe-db-instances |
| get-* | Return one resource, policy, object, or value. | get-caller-identity, get-secret-value |
| put-* | Create or replace configuration, policy, or item. | put-object, put-role-policy |
| create-* | Create a new resource. | create-bucket, create-function |
| update-* | Modify existing resource configuration. | update-function-code, update-kubeconfig |
| delete-* | Delete a resource or configuration. | delete-stack, delete-function |
| wait | Pause until a resource reaches a target state. | cloudformation wait stack-create-complete |

Interview Questions and Strong Answers

How do you check which AWS account your CLI command will use?

Run aws sts get-caller-identity. It returns the account ID and ARN for the active credentials. In production, run it before any mutating operation.

What is the difference between aws s3 and aws s3api?

aws s3 is a high-level command set for common object and bucket operations like copy, sync, move, list, and remove. aws s3api maps more closely to S3 APIs and gives finer control over policies, versioning, lifecycle, object metadata, tagging, and advanced operations.

Why should you use --query?

Because many AWS responses are large JSON structures. --query lets you extract only the fields needed for humans, scripts, reports, or audits. It improves readability and reduces manual parsing.

When should you use --region?

Use it whenever a command targets regional resources or when automation must be deterministic. Relying on hidden default regions can cause commands to fail or affect the wrong environment.

How do you safely run a delete command?

Verify identity, profile, and region. Run read-only checks first. Use dry run if supported. Confirm exact resource IDs. Prefer change sets or staged deletion workflows for infrastructure. Keep backups or versioning where appropriate.

Practice Tasks

These tasks help a candidate move from reading to real command fluency. Use a sandbox AWS account or training environment. Do not practice destructive commands in production.

  1. Install AWS CLI v2 and run aws --version.
  2. Create or select a training profile, then run aws configure list-profiles.
  3. Run aws sts get-caller-identity and write down the account ID.
  4. List S3 buckets with aws s3 ls.
  5. Create a test bucket only if your training account allows it.
  6. Upload a small file with aws s3 cp.
  7. Preview a folder sync with aws s3 sync --dryrun.
  8. List EC2 instances and use --query to show only ID, state, type, and availability zone.
  9. List CloudWatch log groups and tail a test Lambda log group.
  10. Write a small shell script that checks identity, validates a CloudFormation template, and prints stack outputs.

Focus tip: Learn one command family at a time. Start with identity and configuration, then S3, then EC2, then logs. This avoids memorization overload and builds operational confidence.

Deep Notes for Better Ranking and Better Learning

The fastest way to become fluent with AWS CLI is to treat every command as a small API request. The service namespace tells AWS where the request is going, the operation tells AWS what action is requested, and the parameters provide the resource names, identifiers, filters, or input files. This mental model makes new commands easier to learn. If you know aws ec2 describe-instances, you can understand aws rds describe-db-instances, aws elbv2 describe-load-balancers, and aws logs describe-log-groups because they follow the same read-only inventory pattern.

A good cheat sheet should not only list commands; it should teach decision-making. For example, aws s3 sync is powerful, but the decision to use --delete depends on whether the S3 destination should exactly match the local source. That is correct for many static website deployments, but risky for shared buckets or backup locations. Similarly, --output table is excellent for manual inspection, while --output json is more reliable for automation. A candidate who can explain these tradeoffs is stronger than a candidate who only memorizes command text.

In real projects, AWS CLI is often used with infrastructure-as-code tools rather than replacing them. Terraform, AWS CDK, CloudFormation, and Pulumi may own infrastructure state, while AWS CLI is used to verify outputs, inspect logs, upload assets, invalidate CloudFront distributions, or perform operational diagnostics. The safest rule is simple: if a resource is managed by infrastructure as code, avoid manual changes that create drift unless the change is part of an approved emergency procedure and is later reconciled back into code.

For production environments, logging and auditability matter. AWS CLI calls are AWS API calls, so they can appear in CloudTrail when the service records them. This makes the CLI suitable for controlled operations when identities, roles, and permissions are properly managed. However, shell history, terminal scrollback, CI logs, and screenshots can still leak information. Avoid placing secrets directly in commands. Prefer files, secure stores, masked variables, and short-lived credentials. When using --debug, remember that diagnostic output can include sensitive request details.
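As a backstop for the leak paths named above (shell history, CI logs, --debug output), the following added example, which is not part of the original page, masks AWS access key IDs and secret or session-token assignments in a text stream. The function names are assumptions. The patterns rely on access key IDs starting with AKIA (long-term) or ASIA (temporary) followed by 16 uppercase letters or digits.

```bash
#!/usr/bin/env bash
# Added example: mask AWS credential material before text reaches a log or ticket.
# Function names are assumptions made for this illustration.

# Access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 characters.
KEY_ID_RE='(AKIA|ASIA)[A-Z0-9]{16}'
# Secret key or session token assignments, environment-variable or config-file style.
SECRET_RE='(AWS_SECRET_ACCESS_KEY|aws_secret_access_key|AWS_SESSION_TOKEN|aws_session_token)[[:space:]]*[=:][[:space:]]*[^[:space:]]+'

# Filter stdin to stdout. The AKIA/ASIA prefix is kept so a finding still shows
# which kind of key leaked, while the identifying part is masked.
redact_aws_secrets() {
  sed -E -e "s/${KEY_ID_RE}/\1****************/g" \
         -e "s/${SECRET_RE}/\1=REDACTED/g"
}

# Return 0 if the given file contains credential material, 1 if it does not.
contains_aws_secrets() {
  grep -Eq -e "$KEY_ID_RE" -e "$SECRET_RE" "$1"
}
```

The filter only covers these two patterns, so it complements rather than replaces masked CI variables and short-lived credentials. A credential that contains_aws_secrets finds in a history file or log should be rotated, since masking the text does not undo the exposure.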

For learning, build a three-level progression. Level one is safe reading: list, describe, and get commands. Level two is controlled writing: upload a file to S3, deploy a small test stack, update a Lambda function in a sandbox, or create a test parameter. Level three is operational automation: combine identity checks, validation, dry runs, deployment, output capture, and log inspection in a repeatable script. This progression develops confidence without encouraging reckless production experimentation.

Finally, every AWS CLI learner should practice reading command help. Use aws help, aws s3 help, and aws ec2 describe-instances help. The help pages explain parameters, examples, pagination, output, and required values. When AWS adds or changes service features, the command reference and help output are more reliable than old blog snippets. A cheat sheet is the map; official command help is the live reference.

Official Learning Resources

For long-term accuracy, candidates should use official AWS references whenever a command changes or a service adds new parameters.

FAQ: AWS CLI Cheat Sheet

What is the best AWS CLI command for beginners?

The best beginner command is aws sts get-caller-identity. It tells you which AWS account and identity your CLI is using. After that, learn aws configure list, aws s3 ls, and aws ec2 describe-instances.

What is the most useful AWS S3 CLI command?

aws s3 sync is one of the most useful S3 commands because it synchronizes a local folder and an S3 location. Use --dryrun first and be careful with --delete.

How do I create an AWS CLI cheat sheet PDF?

Use the Print / Save as PDF button on this page, or use your browser print menu and select “Save as PDF.” The page is styled to hide filters and copy buttons in print mode.

What is the difference between --output table and --output json?

--output table is easier for humans to read. --output json is better for scripts, tools, and reliable parsing. Use JSON for automation and table for quick manual inspection.

Why does AWS CLI show the wrong account?

The command may be using a different default profile, environment variable, SSO session, or credentials file than expected. Run aws configure list and aws sts get-caller-identity to diagnose it.

Should I use AWS CLI v1 or v2?

Use AWS CLI version 2 for modern workflows unless a legacy project specifically requires version 1. Version 2 is the current major version and supports modern CLI features.

Can I use AWS CLI with GitHub Actions?

Yes. In serious environments, prefer temporary credentials through an IAM role and OpenID Connect rather than long-lived access keys. Then run explicit CLI commands with a defined region and least-privilege permissions.

How do I find help for any AWS CLI command?

Use aws help, aws <service> help, or aws <service> <operation> help. Example: aws ec2 describe-instances help.
