Become an AWS Guru using this nifty AWS CLI cheat-sheet!
Install AWS CLI
Table of Contents
- EC2
- List Instance ID, Type and Name
- List Instances with Public IP Address and Name
- List of VPCs and CIDR IP Block
- List of Subnets for a VPC
- List of Security Groups
- Print Security Groups for an Instance
- Edit Security Groups of an Instance
- Print Security Group Rules as FromAddress and ToPort
- Add Rule to Security Group
- Delete Rule from Security Group
- Edit Rules of Security Group
- Delete Security Group
- S3
- API Gateway
- ELB
- RDS
- ElastiCache
- Lambda
- CloudWatch
- Route53
- SNS
- DynamoDB
- SQS
- CloudFront
- Amplify
- Cognito
- IAM User
- IAM Group
Pro Tip!
If you have multiple AWS accounts, you can use bash aliases like the following, so you no longer need to pass --profile to the aws tool.
alias aws-prod="aws --profile work-prod"
alias aws-dev="aws --profile work-dev"
alias aws-self="aws --profile personal"
alias aws="aws --profile work-dev"
To format aws command output into tables, you can pipe the output to column -t.
# aws ec2 describe-instances | jq ...
i-0f112d652ecf13dac c3.x2large fisher.com
i-0b3b5128445a332db t2.nano robinson.com

# aws ec2 describe-instances | jq ... | column -t
i-0f112d652ecf13dac  c3.x2large  fisher.com
i-0b3b5128445a332db  t2.nano     robinson.com
EC2
List Instance ID, Type and Name
aws ec2 describe-instances | jq -r '.Reservations[].Instances[]|.InstanceId+" "+.InstanceType+" "+(.Tags[] | select(.Key == "Name").Value)'
i-0f112d652ecf13dac c3.xlarge fisher.com
i-0b3b5128445a332db t2.nano robinson.com
i-0d1c1cf4e980ac593 t2.micro nolan.com
i-004ee6b792c3b6914 t2.nano grimes-green.net
i-00f11e8e33c971058 t2.nano garrett.com
List Instances with Public IP Address and Name
Tip: You can directly put this to your /etc/hosts
aws ec2 describe-instances --query 'Reservations[*].Instances[?not_null(PublicIpAddress)]' | jq -r '.[][]|.PublicIpAddress+" "+(.Tags[]|select(.Key=="Name").Value)'
223.64.72.64 fisher.com
198.82.207.161 robinson.com
182.139.20.233 nolan.com
153.134.83.44 grimes-green.net
202.32.63.121 garrett.com
List of VPCs and CIDR IP Block
aws ec2 describe-vpcs | jq -r '.Vpcs[]|.VpcId+" "+(.Tags[]|select(.Key=="Name").Value)+" "+.CidrBlock'
vpc-0d1c1cf4e980ac593 frontend-vpc 10.0.0.0/16
vpc-00f11e8e33c971058 backend-vpc 172.31.0.0/16
List of Subnets for a VPC
aws ec2 describe-subnets --filter Name=vpc-id,Values=vpc-0d1c1cf4e980ac593 | jq -r '.Subnets[]|.SubnetId+" "+.CidrBlock+" "+(.Tags[]|select(.Key=="Name").Value)'
subnet-0dae5d4daa47fe4a2 10.0.128.0/20 Public Subnet 1
subnet-0641a25faccb01f0f 10.0.32.0/19 Private Subnet 2
subnet-09fb8038641f1f36f 10.0.0.0/19 Private Subnet 1
subnet-02a63c67684d8deed 10.0.144.0/20 Public Subnet 2
List of Security Groups
aws ec2 describe-security-groups | jq -r '.SecurityGroups[]|.GroupId+" "+.GroupName'
sg-02a63c67684d8deed backend-db
sg-0dae5d4daa47fe4a2 backend-redis
sg-0a56bff7b12264282 frontend-lb
sg-0641a25faccb01f0f frontend-https
sg-09fb8038641f1f36f internal-ssh
Print Security Groups for an Instance
aws ec2 describe-instances --instance-ids i-0dae5d4daa47fe4a2 | jq -r '.Reservations[].Instances[].SecurityGroups[]|.GroupId+" "+.GroupName'
sg-02a63c67684d8deed backend-db
sg-0dae5d4daa47fe4a2 backend-redis
Edit Security Groups of an Instance
You have to provide existing Security Group IDs as well
aws ec2 modify-instance-attribute --instance-id i-0dae5d4daa47fe4a2 --groups sg-02a63c67684d8deed sg-0dae5d4daa47fe4a2
Print Security Group Rules as FromAddress and ToPort
aws ec2 describe-security-groups --group-ids sg-02a63c67684d8deed | jq -r '.SecurityGroups[].IpPermissions[]|. as $parent|(.IpRanges[].CidrIp+" "+($parent.ToPort|tostring))'
223.64.72.64/32 3306
198.82.207.161/32 3306
168.244.58.160/32 3306
202.0.149.202/32 3306
212.143.80.102/32 3306
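The jq one-liner above prints only IPv4 ranges and ToPort, so rules sourced from IPv6 ranges or other security groups are skipped and all-protocol rules print "null" as the port. The following Python sketch is an added example, not part of the original cheat sheet: it walks the same describe-security-groups JSON, covers those cases, and flags sources open to the whole internet. The sample document and the function names are constructed for illustration.

```python
import json

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-02a63c67684d8deed", "GroupName": "backend-db",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
      "IpRanges": [{"CidrIp": "223.64.72.64/32"}, {"CidrIp": "0.0.0.0/0"}],
      "Ipv6Ranges": [], "UserIdGroupPairs": []}
   ]},
  {"GroupId": "sg-09fb8038641f1f36f", "GroupName": "internal-ssh",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
      "UserIdGroupPairs": []},
     {"IpProtocol": "-1",
      "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [],
      "UserIdGroupPairs": []},
     {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8100,
      "IpRanges": [], "Ipv6Ranges": [],
      "UserIdGroupPairs": [{"GroupId": "sg-0a56bff7b12264282"}]}
   ]}
]}
""")

WORLD = {"0.0.0.0/0", "::/0"}


def port_label(perm):
    """Render the port range; protocol -1 carries no FromPort/ToPort."""
    if perm.get("IpProtocol") == "-1":
        return "all"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return str(lo) if lo == hi else f"{lo}-{hi}"


def ingress_rows(doc):
    """Yield (group_id, protocol, ports, source) for every ingress source."""
    for sg in doc.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            sources += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
            for src in sources:
                yield sg["GroupId"], perm["IpProtocol"], port_label(perm), src


def world_open(doc):
    """Rows whose source is the whole IPv4 or IPv6 internet."""
    return [row for row in ingress_rows(doc) if row[3] in WORLD]


if __name__ == "__main__":
    for row in ingress_rows(SAMPLE):
        flag = "  <-- open to the internet" if row[3] in WORLD else ""
        print(" ".join(row) + flag)
```

To run it against a real account, replace SAMPLE with the parsed output of `aws ec2 describe-security-groups`.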
Add Rule to Security Group
aws ec2 authorize-security-group-ingress --group-id sg-02a63c67684d8deed --protocol tcp --port 443 --cidr 35.0.0.1/32
Delete Rule from Security Group
aws ec2 revoke-security-group-ingress --group-id sg-02a63c67684d8deed --protocol tcp --port 443 --cidr 35.0.0.1/32
Edit Rules of Security Group
This command updates only the description of an existing rule. You have to provide all IP ranges as well.
aws ec2 update-security-group-rule-descriptions-ingress --group-id sg-02a63c67684d8deed --ip-permissions 'ToPort=443,IpProtocol=tcp,IpRanges=[{CidrIp=202.171.186.133/32,Description=Home}]'
Delete Security Group
aws ec2 delete-security-group --group-id sg-02a63c67684d8deed
S3
List Buckets
aws s3 ls
2020-01-28 18:49:50 customer-data-primary
2020-01-28 18:50:22 customer-data-backup
2020-01-28 18:50:54 wordpress-cdn
2020-01-28 18:52:25 backend-artifacts-20200220-deployment
List Files in a Bucket
aws s3 ls wordpress-cdn/wp-content/uploads/2019/10/04/
2019-10-04 15:02:02 133557 amazing-content.jpg
2019-10-04 15:02:02 2986 amazing-content-103x50.jpg
2019-10-04 15:02:02 5640 amazing-content-120x120.jpg
2019-10-04 15:02:02 7924 amazing-content-150x150.jpg
Create Bucket
aws s3 mb s3://my-awesome-new-bucket
make_bucket: my-awesome-new-bucket
Delete Bucket
aws s3 rb s3://my-awesome-new-bucket --force
Download S3 Object to Local
aws s3 cp s3://my-awesome-new-bucket/backup.tar .
download: s3://my-awesome-new-bucket/backup.tar to ./backup.tar
Upload Local File as S3 Object
aws s3 cp backup.tar s3://my-awesome-new-bucket
upload: ./backup.tar to s3://my-awesome-new-bucket/backup.tar
Delete S3 Object
aws s3 rm s3://my-awesome-new-bucket/secret-file.gz
delete: s3://my-awesome-new-bucket/secret-file.gz
Download Bucket to Local
aws s3 sync s3://my-awesome-new-bucket/ /media/Passport-Ultra/Backup
Upload Local Directory to Bucket
aws s3 sync /home/minhaz/Downloads s3://my-awesome-new-bucket/
Share S3 Object without Public Access
aws s3 presign s3://my-awesome-new-bucket/business-reports.pdf --expires-in 3600
https://my-awesome-new-bucket.s3.amazonaws.com/business-reports.pdf?AWSAccessKeyId=AKISUENSAKSIEUAA&Expires=1582876994&Signature=kizOEA93kaIHw7uv25wSFIKLmAx
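A presigned URL works for anyone who holds it until it expires or the signing credentials are revoked, so when one turns up in a ticket or chat log it helps to know which access key signed it and when it stops working. The following Python sketch is an added example, not part of the original cheat sheet: it reads both the SigV2 query format shown above and the SigV4 format. The SigV4 URL, its key id and the function names are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Sample URL from the presign output above (SigV2 query parameters).
SIGV2_URL = ("https://my-awesome-new-bucket.s3.amazonaws.com/business-reports.pdf"
             "?AWSAccessKeyId=AKISUENSAKSIEUAA&Expires=1582876994"
             "&Signature=kizOEA93kaIHw7uv25wSFIKLmAx")

# Constructed SigV4 URL for the same object; key id and signature are placeholders.
SIGV4_URL = ("https://my-awesome-new-bucket.s3.ap-southeast-1.amazonaws.com"
             "/business-reports.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256"
             "&X-Amz-Credential=AKIAEXAMPLEKEYID0000%2F20200228"
             "%2Fap-southeast-1%2Fs3%2Faws4_request"
             "&X-Amz-Date=20200228T070314Z&X-Amz-Expires=3600"
             "&X-Amz-SignedHeaders=host&X-Amz-Signature=0000placeholder0000")


def inspect_presigned(url):
    """Return the signing scheme, signing key id, object and expiry (UTC)."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "X-Amz-Credential" in q:
        # SigV4: expiry is the signing time plus a lifetime in seconds.
        key_id = q["X-Amz-Credential"].partition("/")[0]
        signed_at = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
        expires = signed_at.replace(tzinfo=timezone.utc) + timedelta(
            seconds=int(q["X-Amz-Expires"]))
        scheme = "SigV4"
    elif "AWSAccessKeyId" in q:
        # SigV2: expiry is an absolute Unix timestamp.
        key_id = q["AWSAccessKeyId"]
        expires = datetime.fromtimestamp(int(q["Expires"]), tz=timezone.utc)
        scheme = "SigV2"
    else:
        raise ValueError("no presign parameters in URL")
    return {"scheme": scheme, "access_key_id": key_id,
            "object": parts.netloc + parts.path, "expires": expires}


def is_expired(info, now=None):
    """True once the URL's expiry time has been reached."""
    now = now or datetime.now(timezone.utc)
    return now >= info["expires"]


if __name__ == "__main__":
    for url in (SIGV2_URL, SIGV4_URL):
        info = inspect_presigned(url)
        print(info["scheme"], info["access_key_id"],
              info["expires"].isoformat(), "expired:", is_expired(info))
```

The access key id it returns can be looked up with the IAM commands further down to find the owning user and deactivate the key if the link was shared by mistake.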
API Gateway
List of API Gateway IDs and Names
aws apigateway get-rest-apis | jq -r '.items[] | .id+" "+.name'
5e3221cf8 backend-api
69ef7d4c8 frontend-api
bb1e3c281 partner-api
f99796943 internal-crm-api
ee86b4cde import-data-api
List of API Gateway Keys
aws apigateway get-api-keys | jq -r '.items[] | .id+" "+.name'
ee86b4cde backend-api-key
69ef7d4c8 partner-api-key
List API Gateway Domain Names
aws apigateway get-domain-names | jq -r '.items[] | .domainName+" "+.regionalDomainName'
backend-api.mdminhazulhaque.io d-ee86b4cde.execute-api.ap-southeast-1.amazonaws.com
frontend-api.mdminhazulhaque.io d-bb1e3c281.execute-api.ap-southeast-1.amazonaws.com
List of Resources for API Gateway
aws apigateway get-resources --rest-api-id ee86b4cde | jq -r '.items[] | .id+" "+.path'
ee86b4cde /{proxy+}
69ef7d4c8 /
Find Lambda for API Gateway Resource
aws apigateway get-integration --rest-api-id ee86b4cde --resource-id 69ef7d4c8 --http-method GET | jq -r '.uri'
arn:aws:lambda:ap-southeast-1:987654321:function:backend-api-function-5d4daa47fe4a2:live/invocations
ELB
List of ELB Hostnames
aws elbv2 describe-load-balancers --query 'LoadBalancers[*].DNSName' | jq -r 'to_entries[] | .value'
frontend-lb-1220186848339.ap-southeast-1.elb.amazonaws.com
backend-lb-6208709163457.ap-southeast-1.elb.amazonaws.com
List of ELB ARNs
aws elbv2 describe-load-balancers | jq -r '.LoadBalancers[] | .LoadBalancerArn'
arn:aws:elasticloadbalancing:ap-southeast-1:987654321:loadbalancer/app/frontend-lb/1220186848339
arn:aws:elasticloadbalancing:ap-southeast-1:987654321:loadbalancer/app/backend-lb/6208709163457
List of ELB Target Group ARNs
aws elbv2 describe-target-groups | jq -r '.TargetGroups[] | .TargetGroupArn'
arn:aws:elasticloadbalancing:ap-southeast-1:987654321:targetgroup/frontend/b6da07d35
arn:aws:elasticloadbalancing:ap-southeast-1:987654321:targetgroup/backend/97ad3b13c
Find Instances for a Target Group
aws elbv2 describe-target-health --target-group-arn arn:aws:elasticloadbalancing:ap-southeast-1:987654321:targetgroup/wordpress-ph/88f517d6b5326a26 | jq -r '.TargetHealthDescriptions[] | .Target.Id'
i-0b3b5128445a332db
i-0d1c1cf4e980ac593
i-00f11e8e33c971058
RDS
List of DB Clusters
aws rds describe-db-clusters | jq -r '.DBClusters[] | .DBClusterIdentifier+" "+.Endpoint'
backend-prod backend-prod.cluster-b6da07d35.ap-southeast-1.rds.amazonaws.com
internal-prod internal-dev.cluster-b6da07d35.ap-southeast-1.rds.amazonaws.com
List of DB Instances
aws rds describe-db-instances | jq -r '.DBInstances[] | .DBInstanceIdentifier+" "+.DBInstanceClass+" "+.Endpoint.Address'
backend-dev db.t3.medium backend-prod.b6da07d35.ap-southeast-1.rds.amazonaws.com
internal-dev db.t2.micro internal-dev.b6da07d35.ap-southeast-1.rds.amazonaws.com
Take DB Instance Snapshot
aws rds create-db-snapshot --db-snapshot-identifier backend-dev-snapshot-0001 --db-instance-identifier backend-dev
aws rds describe-db-snapshots --db-snapshot-identifier backend-dev-snapshot-0001 --db-instance-identifier backend-dev
Take DB Cluster Snapshot
aws rds create-db-cluster-snapshot --db-cluster-snapshot-identifier backend-prod-snapshot-0002 --db-cluster-identifier backend-prod
aws rds describe-db-cluster-snapshots --db-cluster-snapshot-identifier backend-prod-snapshot-0002 --db-cluster-identifier backend-prod
ElastiCache
List of ElastiCache Machine Type and Name
aws elasticache describe-cache-clusters | jq -r '.CacheClusters[] | .CacheNodeType+" "+.CacheClusterId'
cache.t2.micro backend-login-hk
cache.t2.micro backend-login-vn
cache.t2.micro backend-login-sg
List of ElastiCache Replication Groups
aws elasticache describe-replication-groups | jq -r '.ReplicationGroups[] | .ReplicationGroupId+" "+.NodeGroups[].PrimaryEndpoint.Address'
backend-login-hk backend-login-hk.6da35.ng.0001.apse1.cache.amazonaws.com
backend-login-vn backend-login-vn.6da35.ng.0001.apse1.cache.amazonaws.com
backend-login-sg backend-login-sg.6da35.ng.0001.apse1.cache.amazonaws.com
List of ElastiCache Snapshots
aws elasticache describe-snapshots | jq -r '.Snapshots[] | .SnapshotName'
automatic.backend-login-hk-2020-02-27-00-27
automatic.backend-login-vn-2020-02-27-00-27
automatic.backend-login-sg-2020-02-27-00-27
Create ElastiCache Snapshot
aws elasticache create-snapshot --snapshot-name backend-login-hk-snap-0001 --replication-group-id backend-login-hk --cache-cluster-id backend-login-hk
Delete ElastiCache Snapshot
aws elasticache delete-snapshot --snapshot-name backend-login-hk-snap-0001
Scale Up/Down ElastiCache Replica
aws elasticache increase-replica-count --replication-group-id backend-login-hk --apply-immediately
aws elasticache decrease-replica-count --replication-group-id backend-login-hk --apply-immediately
Lambda
List of Lambda Functions, Runtime and Memory
aws lambda list-functions | jq -r '.Functions[] | .FunctionName+" "+.Runtime+" "+(.MemorySize|tostring)'
backend-api-function nodejs8.10 512
backend-signup-email-function nodejs10.x 128
partner-api-8XJAP1VVLYA7 python3.7 128
marketing-promo-sqs-function nodejs10.x 128
List of Lambda Layers
aws lambda list-layers | jq -r '.Layers[] | .LayerName'
imagemagik-layer
django-layer
nodejs-extra-layer
List of Source Event for Lambda
aws lambda list-event-source-mappings | jq -r '.EventSourceMappings[] | .FunctionArn+" "+.EventSourceArn'
arn:aws:lambda:function:backend-api-function arn:aws:dynamodb:table/prod-user-list/stream
arn:aws:lambda:function:backend-signup-email-function arn:aws:dynamodb:table/prod-user-email/stream
arn:aws:lambda:function:partner-api-8XJAP1VVLYA7 arn:aws:sqs:partner-input-msg-queue
arn:aws:lambda:function:marketing-promo-sqs-function arn:aws:sqs:promo-input-msg-queue
Download Lambda Code
aws lambda get-function --function-name DynamoToSQS | jq -r .Code.Location
https://awslambda-ap-se-1-tasks.s3.ap-southeast-1.amazonaws.com/snapshots/987654321/backend-api-function-1fda0de7-a751-4586-bf64-5601a410c170
CloudWatch
List of CloudWatch Alarms and Status
aws cloudwatch describe-alarms | jq -r '.MetricAlarms[] | .AlarmName+" "+.Namespace+" "+.StateValue'
backend-autoscale AWS/EC2 OK
backend-lb AWS/ApplicationELB OK
partner-hk AWS/ECS ALARM
partner-vn AWS/ECS ALARM
partner-sg AWS/ECS ALARM
userdata-read AWS/DynamoDB OK
userdata-write AWS/DynamoDB OK
Create Alarm for EC2 High CPUUtilization
aws cloudwatch put-metric-alarm --alarm-name high-cpu-usage --alarm-description "Alarm when CPU exceeds 70 percent" --metric-name CPUUtilization --namespace AWS/EC2 --statistic Average --period 300 --threshold 70 --comparison-operator GreaterThanThreshold --dimensions "Name=InstanceId,Value=i-123456789" --evaluation-periods 2 --alarm-actions arn:aws:sns:ap-southeast-1:987654321:System-Alerts --unit Percent
Create Alarm for EC2 High StatusCheckFailed_Instance
aws cloudwatch put-metric-alarm --alarm-name EC2-StatusCheckFailed-AppServer --alarm-description "EC2 StatusCheckFailed for AppServer" --metric-name StatusCheckFailed_Instance --namespace AWS/EC2 --statistic Average --period 60 --threshold 0 --comparison-operator GreaterThanThreshold --dimensions "Name=InstanceId,Value=i-123456789" --evaluation-periods 3 --alarm-actions arn:aws:sns:ap-southeast-1:987654321:System-Alerts --unit Count
Route53
List Domains
aws route53 list-hosted-zones | jq -r '.HostedZones[]|.Id+" "+.Name'
/hostedzone/ZEB1PAH4U mysite.com.
/hostedzone/ZQUOHGH3G yoursite.com.
/hostedzone/ZEADEA0CO staywith.us.
List Records for a Domain (Zone)
aws route53 list-resource-record-sets --hosted-zone-id /hostedzone/ZEB1PAH4U | jq -r '.ResourceRecordSets[]| if (.AliasTarget!=null) then .Type+" "+.Name+" "+.AliasTarget.DNSName else .Type+" "+.Name+" "+.ResourceRecords[].Value end'
A mysite.com. dualstack.mysite-lb-967522168.ap-southeast-1.elb.amazonaws.com.
A mysite.com. 11.22.33.44
TXT _amazonses.mysite.com. 6c6d761371f0480bbe60de0df275b550
A test.mysite.com. 55.66.77.88
CNAME www.mysite.com. mysite.com
SNS
List of SNS Topics
aws sns list-topics | jq -r '.Topics[] | .TopicArn'
arn:aws:sns:ap-southeast-1:987654321:backend-api-monitoring
arn:aws:sns:ap-southeast-1:987654321:dynamodb-count-check
arn:aws:sns:ap-southeast-1:987654321:partner-integration-check
arn:aws:sns:ap-southeast-1:987654321:autoscale-notifications
List of SNS Topic and related Subscriptions
aws sns list-subscriptions | jq -r '.Subscriptions[] | .TopicArn+" "+.Protocol+" "+.Endpoint'
arn:aws:sns:ap-southeast-1:autoscale-notifications lambda arn:aws:lambda:function:autoscale-function
arn:aws:sns:ap-southeast-1:backend-api-monitoring email alert@mdminhazulhaque.io
arn:aws:sns:ap-southeast-1:dynamodb-count-check email alert@mdminhazulhaque.io
arn:aws:sns:ap-southeast-1:partner-integration-check lambda arn:aws:lambda:function:partner-function
arn:aws:sns:ap-southeast-1:autoscale-notifications lambda arn:aws:lambda:function:autoscale-function
Publish to SNS Topic
aws sns publish --topic-arn arn:aws:sns:ap-southeast-1:987654321:backend-api-monitoring \
    --message "Panic!!!" \
    --subject "The API is down!!!"
DynamoDB
List of DynamoDB Tables
aws dynamodb list-tables | jq -r '.TableNames[]'
userdata_hk
userdata_vn
userdata_sg
providers
events
Get All Items from a Table
Warning: This command will stream ALL items until SIGINT is sent
aws dynamodb scan --table-name events
Get Item Count from a Table
aws dynamodb scan --table-name events --select COUNT | jq .ScannedCount
726119
Get Item using Key
aws dynamodb get-item --table-name events --key '{"email": {"S": "admin@mdminhazulhaque.io"}}'
{
    "Item": {
        "email": {
            "S": "admin@mdminhazulhaque.io"
        },
        "created_at": {
            "N": "1554780667296"
        },
        "event_type": {
            "S": "DISPATCHED"
        }
    }
}
Get Specific Fields from an Item
aws dynamodb get-item --table-name events --key '{"email": {"S": "admin@mdminhazulhaque.io"}}' --attributes-to-get event_type
{
    "Item": {
        "event_type": {
            "S": "DISPATCHED"
        }
    }
}
Delete Item using Key
aws dynamodb delete-item --table-name events --key '{"email": {"S": "admin@mdminhazulhaque.io"}}'
SQS
List Queues
aws sqs list-queues | jq -r '.QueueUrls[]'
https://ap-southeast-1.queue.amazonaws.com/987654321/public-events.fifo
https://ap-southeast-1.queue.amazonaws.com/987654321/user-signup
Create Queue
A queue name ending in .fifo must be created as a FIFO queue
aws sqs create-queue --queue-name public-events.fifo --attributes FifoQueue=true,ContentBasedDeduplication=true | jq -r .QueueUrl
https://ap-southeast-1.queue.amazonaws.com/987654321/public-events.fifo
Count Messages in Queue
aws sqs get-queue-attributes --queue-url https://ap-southeast-1.queue.amazonaws.com/987654321/public-events.fifo --attribute-names All | jq -r '.Attributes | .QueueArn + " " + .ApproximateNumberOfMessages'
arn:aws:sqs:ap-southeast-1:987654321:events.fifo 42
Send Message
FIFO queues require a message group ID
aws sqs send-message --queue-url https://ap-southeast-1.queue.amazonaws.com/987654321/public-events.fifo --message-group-id events --message-body Hello
{
    "MD5OfMessageBody": "37b51d194a7513e45b56f6524f2d51f2",
    "MessageId": "4226398e-bab0-4bee-bf5a-8e7ae18c855a"
}
Receive Message
aws sqs receive-message --queue-url https://ap-southeast-1.queue.amazonaws.com/987654321/public-events.fifo | jq -r '.Messages[] | .Body'
Hello
Delete Message
aws sqs delete-message --queue-url https://ap-southeast-1.queue.amazonaws.com/987654321/public-events.fifo --receipt-handle "AQEBpqKLxNb8rIOn9ykSeCkKebNzn0BrEJ3Cg1RS6MwID2t1oYHCnMP06GnuVZGzt7kpWXZ5ieLQ=="
Purge Queue
aws sqs purge-queue --queue-url https://ap-southeast-1.queue.amazonaws.com/987654321/public-events.fifo
Delete Queue
aws sqs delete-queue --queue-url https://ap-southeast-1.queue.amazonaws.com/987654321/public-events.fifo
CloudFront
List of CloudFront Distributions and Origins
aws cloudfront list-distributions | jq -r '.DistributionList.Items[] | .DomainName+" "+.Origins.Items[0].DomainName'
d9d5bb1e3c281f.cloudfront.net frontend-prod-hk.s3.amazonaws.com
d12b09e8a0a996.cloudfront.net frontend-prod-vn.s3.amazonaws.com
db64e7e9b3cc22.cloudfront.net frontend-prod-sg.s3.amazonaws.com
d5e3221cf8b921.cloudfront.net cdn.mdminhazulhaque.io
Create Cache Invalidation
aws cloudfront create-invalidation --distribution-id D12B09E8A0A996 --path /blog/\* /blog/assets/\* | jq -r '.Invalidation.Id'
IALJ5AL93ZD79
Check Cache Invalidation Status
aws cloudfront get-invalidation --distribution-id D12B09E8A0A996 --id IALJ5AL93ZD79 | jq -r '.Invalidation.Status'
Completed
Amplify
List of Amplify Apps and Source Repository
aws amplify list-apps | jq -r '.apps[] | .name+" "+.defaultDomain+" "+.repository'
fe-vn d9d5bb1e3c281f.amplifyapp.com https://bitbucket.org/aws/frontend-vn
fe-hk db64e7e9b3cc22.amplifyapp.com https://bitbucket.org/aws/frontend-hk
fe-sg d5e3221cf8b921.amplifyapp.com https://bitbucket.org/aws/frontend-sg
Cognito
List of User Pool IDs and Names
aws cognito-idp list-user-pools --max-results 60 | jq -r '.UserPools[] | .Id+" "+.Name'
ap-southeast-1_b6da07d35 prod-users
ap-southeast-1_b6da07d34 dev-users
List of Phone and Email of All Users
aws cognito-idp list-users --user-pool-id ap-southeast-1_b6da07d35 | jq -r '.Users[].Attributes | from_entries | .sub + " " + .phone_number + " " + .email'
585fb96e-525c-4f9b-9d41-865d2dffde9b +601122334455 admin@mdminhazulhaque.io
71f2778c-8e21-4775-94dc-e363c77d1ae1 +601122334455 foo@bar.com
8fc1882e-e661-49db-88e6-45d370bc352a +601122334455 cli@aws.com
IAM User
List of UserId and UserName
aws iam list-users | jq -r '.Users[]|.UserId+" "+.UserName'
AIDAZBWIOJIQFOLNBXXCVSUQ kaiser
AIDAZCTWYVXYOKSHVWXPYPLR thornton
AIDAZUYALCGFQJENBCZFJTVX maldonado
AIDAZKQAFIGQJWOKKSKRBLGE key
AIDAZXUDGQVQCEWBFGIJOWWY nelson
Get Single User
aws iam get-user --user-name kaiser
Add User
aws iam create-user --user-name audit-temp
Delete User
aws iam delete-user --user-name audit-temp
List Access Keys for User
aws iam list-access-keys --user-name audit-temp | jq -r '.AccessKeyMetadata[].AccessKeyId'
AKIABWIOJIQFOLNBXXCVSUQ
AKIACTWYVXYOKSHVWXPYPLR
AKIAUYALCGFQJENBCZFJTVX
Delete Access Key for User
aws iam delete-access-key --user-name audit-temp --access-key-id AKIABWIOJIQFOLNBXXCVSUQ
Activate/Deactivate Access Key for User
aws iam update-access-key --status Inactive --user-name audit-temp --access-key-id AKIABWIOJIQFOLNBXXCVSUQ
aws iam update-access-key --status Active --user-name audit-temp --access-key-id AKIABWIOJIQFOLNBXXCVSUQ
Generate New Access Key for User
aws iam create-access-key --user-name audit-temp | jq -r '.AccessKey | .AccessKeyId+" "+.SecretAccessKey'
AKIABWIOJIQFOLNBXXCVSUQ p9ge02ebLX9jobdQKmfikRqCiEw3HBylwHyXq0z
IAM Group
List Groups
aws iam list-groups | jq -r '.Groups[].GroupName'
developers
administrators
testers
marketing-ro
Add/Delete Groups
aws iam create-group --group-name business-ro
aws iam delete-group --group-name business-ro
List of Policies and ARNs
aws iam list-policies | jq -r '.Policies[]|.PolicyName+" "+.Arn'
aws iam list-policies --scope AWS | jq -r '.Policies[]|.PolicyName+" "+.Arn'
aws iam list-policies --scope Local | jq -r '.Policies[]|.PolicyName+" "+.Arn'
List of User/Group/Roles for a Policy
aws iam list-entities-for-policy --policy-arn arn:aws:iam::987654321:policy/Marketing-ReadOnly
List Policies for a Group
aws iam list-attached-group-policies --group-name business-ro
Add Policy to a Group
aws iam attach-group-policy --group-name business-ro --policy-arn arn:aws:iam::aws:policy/DynamoDBReadOnlyAccess
Add User to a Group
aws iam add-user-to-group --group-name business-ro --user-name marketing-michael
Remove User from a Group
aws iam remove-user-from-group --group-name business-ro --user-name marketing-alice
List Users in a Group
aws iam get-group --group-name business-ro
List Groups for a User
aws iam list-groups-for-user --user-name qa-bob
Attach/Detach Policy to a Group
aws iam detach-group-policy --group-name business-ro --policy-arn arn:aws:iam::aws:policy/DynamoDBFullAccess
aws iam attach-group-policy --group-name business-ro --policy-arn arn:aws:iam::aws:policy/DynamoDBFullAccess