Become an AWS Guru using this nifty AWS CLI cheat-sheet!

Pro Tip!

If you have multiple AWS accounts, you can use bash aliases like the following, so you no longer need to pass --profile to the aws tool.

alias aws-prod="aws --profile work-prod"
alias aws-dev="aws --profile work-dev"
alias aws-self="aws --profile personal"
alias aws="aws --profile work-dev"

To format aws command output into tables, you can pipe output to column -t.

# aws ec2 describe-instances | jq ...
i-0f112d652ecf13dac c3.x2large fisher.com
i-0b3b5128445a332db t2.nano robinson.com

# aws ec2 describe-instances | jq ... | column -t
i-0f112d652ecf13dac  c3.x2large  fisher.com
i-0b3b5128445a332db  t2.nano     robinson.com

EC2

List Instance ID, Type and Name

aws ec2 describe-instances | jq -r '.Reservations[].Instances[]|.InstanceId+" "+.InstanceType+" "+(.Tags[] | select(.Key == "Name").Value)'
i-0f112d652ecf13dac  c3.xlarge  fisher.com
i-0b3b5128445a332db  t2.nano    robinson.com
i-0d1c1cf4e980ac593  t2.micro   nolan.com
i-004ee6b792c3b6914  t2.nano    grimes-green.net
i-00f11e8e33c971058  t2.nano    garrett.com

List Instances with Public IP Address and Name

Tip: You can put this output directly into your /etc/hosts.

aws ec2 describe-instances --query 'Reservations[*].Instances[?not_null(PublicIpAddress)]' | jq -r '.[][]|.PublicIpAddress+" "+(.Tags[]|select(.Key=="Name").Value)'
223.64.72.64    fisher.com
198.82.207.161  robinson.com
182.139.20.233  nolan.com
153.134.83.44   grimes-green.net
202.32.63.121   garrett.com
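
Name tags are free text, so the listing above should be validated before it is written to /etc/hosts. The following is an added example, not part of the original cheat-sheet: it keeps only well-formed "IP NAME" lines and maintains them in a marked block so reruns do not duplicate entries. The function names, marker strings and sample lines are assumptions of this example.

```shell
#!/bin/sh
# Added example: names and marker strings are assumptions, not from the page.
BEGIN_MARK="# BEGIN aws-ec2-hosts"
END_MARK="# END aws-ec2-hosts"

# Constructed sample in the "IP NAME" shape printed above, plus lines that must
# be rejected: bad octet, extra field, metacharacter, and a newline escaped by @tsv.
# Suggested producer (not run here):
#   ... | jq -r '.[][] | [.PublicIpAddress, (.Tags[]|select(.Key=="Name").Value)] | @tsv'
sample_lines() {
    cat <<'EOF'
223.64.72.64 fisher.com
198.82.207.161 robinson.com
999.1.1.1 bad-octet.example
10.0.0.5 two words
10.0.0.6 evil;name
10.0.0.7 web\n10.9.9.9 other.example
EOF
}

# Keep only lines with exactly two fields: a dotted-quad IPv4 address with
# octets 0-255 and a hostname made of letters, digits, dots and hyphens.
filter_host_lines() {
    awk '
    NF != 2 { next }
    {
        n = split($1, o, ".")
        if (n != 4) next
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255) next
        if ($2 !~ /^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$/) next
        print $1 "\t" $2
    }'
}

# update_hosts_block FILE: replace (or append) the marked block in FILE with
# the validated lines read from stdin. Lines outside the markers are kept.
update_hosts_block() {
    hosts_file=$1
    tmp=$(mktemp) || return 1
    entries=$(mktemp) || { rm -f "$tmp"; return 1; }
    filter_host_lines > "$entries"
    # Copy everything that is not inside the previous managed block.
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip   { print }' "$hosts_file" > "$tmp"
    {
        echo "$BEGIN_MARK"
        cat "$entries"
        echo "$END_MARK"
    } >> "$tmp"
    cat "$tmp" > "$hosts_file"   # overwrite in place: owner and mode stay as they were
    rm -f "$tmp" "$entries"
}

# Demo on a scratch copy rather than the real /etc/hosts.
demo=$(mktemp)
printf '127.0.0.1 localhost\n' > "$demo"
sample_lines | update_hosts_block "$demo"
cat "$demo"
rm -f "$demo"
```
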

List of VPCs and CIDR IP Block

aws ec2 describe-vpcs | jq -r '.Vpcs[]|.VpcId+" "+(.Tags[]|select(.Key=="Name").Value)+" "+.CidrBlock'
vpc-0d1c1cf4e980ac593  frontend-vpc  10.0.0.0/16
vpc-00f11e8e33c971058  backend-vpc   172.31.0.0/16

List of Subnets for a VPC

aws ec2 describe-subnets --filter Name=vpc-id,Values=vpc-0d1c1cf4e980ac593 | jq -r '.Subnets[]|.SubnetId+" "+.CidrBlock+" "+(.Tags[]|select(.Key=="Name").Value)'
subnet-0dae5d4daa47fe4a2  10.0.128.0/20  Public Subnet 1
subnet-0641a25faccb01f0f  10.0.32.0/19   Private Subnet 2
subnet-09fb8038641f1f36f  10.0.0.0/19    Private Subnet 1
subnet-02a63c67684d8deed  10.0.144.0/20  Public Subnet 2

List of Security Groups

aws ec2 describe-security-groups | jq -r '.SecurityGroups[]|.GroupId+" "+.GroupName'
sg-02a63c67684d8deed  backend-db
sg-0dae5d4daa47fe4a2  backend-redis
sg-0a56bff7b12264282  frontend-lb
sg-0641a25faccb01f0f  frontend-https
sg-09fb8038641f1f36f  internal-ssh

List Security Groups of an Instance

aws ec2 describe-instances --instance-ids i-0dae5d4daa47fe4a2 | jq -r '.Reservations[].Instances[].SecurityGroups[]|.GroupId+" "+.GroupName'
sg-02a63c67684d8deed  backend-db
sg-0dae5d4daa47fe4a2  backend-redis

Edit Security Groups of an Instance

You have to provide the existing Security Group IDs as well.

aws ec2 modify-instance-attribute --instance-id i-0dae5d4daa47fe4a2 --groups sg-02a63c67684d8deed sg-0dae5d4daa47fe4a2

List Rules of a Security Group

aws ec2 describe-security-groups --group-ids sg-02a63c67684d8deed | jq -r '.SecurityGroups[].IpPermissions[]|. as $parent|(.IpRanges[].CidrIp+" "+($parent.ToPort|tostring))'
223.64.72.64/32    3306
198.82.207.161/32  3306
168.244.58.160/32  3306
202.0.149.202/32   3306
212.143.80.102/32  3306
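
The "CIDR PORT" listing above is a convenient input for a quick ingress review. The following is an added example, not part of the original cheat-sheet: it flags world-open sources on ports that are not meant to be public, rules with no port at all (the jq filter prints "null" when a rule has no ToPort, which is the all-traffic case), and overly wide source ranges. The function names, thresholds and sample rules are assumptions of this example.

```shell
#!/bin/sh
# Added example: function names, thresholds and sample data are assumptions.

# Constructed sample in the "CIDR PORT" shape printed by the command above.
sample_rules() {
    cat <<'EOF'
223.64.72.64/32 3306
10.0.0.0/8 3306
0.0.0.0/0 443
0.0.0.0/0 22
172.16.0.0/12 null
EOF
}

# review_rules MIN_PREFIX "PUBLIC_PORTS"
# Reads "CIDR PORT" lines on stdin and prints "SEVERITY CIDR PORT REASON" for:
#   HIGH all-traffic : port is "null" (rule without ToPort, i.e. every port)
#   HIGH world-open  : source 0.0.0.0/0 on a port not listed in PUBLIC_PORTS
#   WARN wide-range  : prefix length shorter than MIN_PREFIX
review_rules() {
    awk -v min="$1" -v pub="$2" '
    BEGIN {
        n = split(pub, p, " ")
        for (i = 1; i <= n; i++) ok[p[i]] = 1
    }
    # Only IPv4 CIDR lines are considered; anything else is skipped.
    NF == 2 && $1 ~ /^[0-9.]+\/[0-9]+$/ {
        split($1, c, "/")
        len = c[2] + 0
        if ($2 == "null")
            print "HIGH", $1, $2, "all-traffic"
        else if (len == 0 && !($2 in ok))
            print "HIGH", $1, $2, "world-open"
        else if (len > 0 && len < min)
            print "WARN", $1, $2, "wide-range"
    }'
}

# Demo: 80 and 443 are allowed to be public, sources wider than /16 are flagged.
sample_rules | review_rules 16 "80 443"
```
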

Add Rule to Security Group

aws ec2 authorize-security-group-ingress --group-id sg-02a63c67684d8deed --protocol tcp --port 443 --cidr 35.0.0.1/32

Delete Rule from Security Group

aws ec2 revoke-security-group-ingress --group-id sg-02a63c67684d8deed --protocol tcp --port 443 --cidr 35.0.0.1/32

Edit Rules of Security Group

You have to provide all IP ranges as well.

aws ec2 update-security-group-rule-descriptions-ingress --group-id sg-02a63c67684d8deed --ip-permissions 'FromPort=443,ToPort=443,IpProtocol=tcp,IpRanges=[{CidrIp=202.171.186.133/32,Description=Home}]'

Delete Security Group

aws ec2 delete-security-group --group-id sg-02a63c67684d8deed

S3

List Buckets

aws s3 ls
2020-01-28 18:49:50 customer-data-primary
2020-01-28 18:50:22 customer-data-backup
2020-01-28 18:50:54 wordpress-cdn
2020-01-28 18:52:25 backend-artifacts-20200220-deployment

List Files in a Bucket

aws s3 ls wordpress-cdn/wp-content/uploads/2019/10/04/
2019-10-04 15:02:02     133557 amazing-content.jpg
2019-10-04 15:02:02       2986 amazing-content-103x50.jpg
2019-10-04 15:02:02       5640 amazing-content-120x120.jpg
2019-10-04 15:02:02       7924 amazing-content-150x150.jpg

Create Bucket

aws s3 mb s3://my-awesome-new-bucket
make_bucket: my-awesome-new-bucket

Delete Bucket

aws s3 rb s3://my-awesome-new-bucket --force

Download S3 Object to Local

aws s3 cp s3://my-awesome-new-bucket/backup.tar .
download: ./backup.tar from s3://my-awesome-new-bucket/backup.tar

Upload Local File as S3 Object

aws s3 cp backup.tar s3://my-awesome-new-bucket
upload: ./backup.tar to s3://my-awesome-new-bucket/backup.tar

Delete S3 Object

aws s3 rm s3://my-awesome-new-bucket/secret-file.gz
delete: s3://my-awesome-new-bucket/secret-file.gz

Download Bucket to Local

aws s3 sync s3://my-awesome-new-bucket/ /media/Passport-Ultra/Backup

Upload Local Directory to Bucket

aws s3 sync /home/minhaz/Downloads s3://my-awesome-new-bucket/

Share S3 Object without Public Access

aws s3 presign s3://my-awesome-new-bucket/business-reports.pdf --expires-in 3600
https://my-awesome-new-bucket.s3.amazonaws.com/business-reports.pdf?AWSAccessKeyId=AKISUENSAKSIEUAA&Expires=1582876994&Signature=kizOEA93kaIHw7uv25wSFIKLmAx

API Gateway

List of API Gateway IDs and Names

aws apigateway get-rest-apis | jq -r '.items[] | .id+" "+.name'
5e3221cf8  backend-api
69ef7d4c8  frontend-api
bb1e3c281  partner-api
f99796943  internal-crm-api
ee86b4cde  import-data-api

List of API Gateway Keys

aws apigateway get-api-keys | jq -r '.items[] | .id+" "+.name'
ee86b4cde   backend-api-key
69ef7d4c8   partner-api-key

List API Gateway Domain Names

aws apigateway get-domain-names | jq -r '.items[] | .domainName+" "+.regionalDomainName'
backend-api.mdminhazulhaque.io   d-ee86b4cde.execute-api.ap-southeast-1.amazonaws.com
frontend-api.mdminhazulhaque.io  d-bb1e3c281.execute-api.ap-southeast-1.amazonaws.com

List of Resources for API Gateway

aws apigateway get-resources --rest-api-id ee86b4cde | jq -r '.items[] | .id+" "+.path'
ee86b4cde  /{proxy+}
69ef7d4c8  /

Find Lambda for API Gateway Resource

aws apigateway get-integration --rest-api-id ee86b4cde --resource-id 69ef7d4c8 --http-method GET | jq -r '.uri'
arn:aws:lambda:ap-southeast-1:987654321:function:backend-api-function-5d4daa47fe4a2:live/invocations

ELB

List of ELB Hostnames

aws elbv2 describe-load-balancers --query 'LoadBalancers[*].DNSName' | jq -r 'to_entries[] | .value'
frontend-lb-1220186848339.ap-southeast-1.elb.amazonaws.com
backend-lb-6208709163457.ap-southeast-1.elb.amazonaws.com

List of ELB ARNs

aws elbv2 describe-load-balancers | jq -r '.LoadBalancers[] | .LoadBalancerArn'
arn:aws:elasticloadbalancing:ap-southeast-1:987654321:loadbalancer/app/frontend-lb/1220186848339
arn:aws:elasticloadbalancing:ap-southeast-1:987654321:loadbalancer/app/backend-lb/6208709163457

List of ELB Target Group ARNs

aws elbv2 describe-target-groups | jq -r '.TargetGroups[] | .TargetGroupArn'
arn:aws:elasticloadbalancing:ap-southeast-1:987654321:targetgroup/frontend/b6da07d35
arn:aws:elasticloadbalancing:ap-southeast-1:987654321:targetgroup/backend/97ad3b13c

Find Instances for a Target Group

aws elbv2 describe-target-health --target-group-arn arn:aws:elasticloadbalancing:ap-southeast-1:987654321:targetgroup/wordpress-ph/88f517d6b5326a26 | jq -r '.TargetHealthDescriptions[] | .Target.Id'
i-0b3b5128445a332db
i-0d1c1cf4e980ac593
i-00f11e8e33c971058

RDS

List of DB Clusters

aws rds describe-db-clusters | jq -r '.DBClusters[] | .DBClusterIdentifier+" "+.Endpoint'
backend-prod   backend-prod.cluster-b6da07d35.ap-southeast-1.rds.amazonaws.com
internal-prod  internal-dev.cluster-b6da07d35.ap-southeast-1.rds.amazonaws.com

List of DB Instances

aws rds describe-db-instances | jq -r '.DBInstances[] | .DBInstanceIdentifier+" "+.DBInstanceClass+" "+.Endpoint.Address'
backend-dev   db.t3.medium  backend-prod.b6da07d35.ap-southeast-1.rds.amazonaws.com
internal-dev  db.t2.micro   internal-dev.b6da07d35.ap-southeast-1.rds.amazonaws.com

Take DB Instance Snapshot

aws rds create-db-snapshot --db-snapshot-identifier backend-dev-snapshot-0001 --db-instance-identifier backend-dev
aws rds describe-db-snapshots --db-snapshot-identifier backend-dev-snapshot-0001 --db-instance-identifier backend-dev

Take DB Cluster Snapshot

aws rds create-db-cluster-snapshot --db-cluster-snapshot-identifier backend-prod-snapshot-0002 --db-cluster-identifier backend-prod
aws rds describe-db-cluster-snapshots --db-cluster-snapshot-identifier backend-prod-snapshot-0002 --db-cluster-identifier backend-prod

ElastiCache

List of ElastiCache Machine Type and Name

aws elasticache describe-cache-clusters | jq -r '.CacheClusters[] | .CacheNodeType+" "+.CacheClusterId'
cache.t2.micro  backend-login-hk
cache.t2.micro  backend-login-vn
cache.t2.micro  backend-login-sg

List of ElastiCache Replication Groups

aws elasticache describe-replication-groups | jq -r '.ReplicationGroups[] | .ReplicationGroupId+" "+.NodeGroups[].PrimaryEndpoint.Address'
backend-login-hk backend-login-hk.6da35.ng.0001.apse1.cache.amazonaws.com
backend-login-vn backend-login-vn.6da35.ng.0001.apse1.cache.amazonaws.com
backend-login-sg backend-login-sg.6da35.ng.0001.apse1.cache.amazonaws.com

List of ElastiCache Snapshots

aws elasticache describe-snapshots | jq -r '.Snapshots[] | .SnapshotName'
automatic.backend-login-hk-2020-02-27-00-27
automatic.backend-login-vn-2020-02-27-00-27
automatic.backend-login-sg-2020-02-27-00-27

Create ElastiCache Snapshot

aws elasticache create-snapshot --snapshot-name backend-login-hk-snap-0001 --replication-group-id backend-login-hk --cache-cluster-id backend-login-hk

Delete ElastiCache Snapshot

aws elasticache delete-snapshot --snapshot-name backend-login-hk-snap-0001

Scale Up/Down ElastiCache Replica

aws elasticache increase-replica-count --replication-group-id backend-login-hk --apply-immediately
aws elasticache decrease-replica-count --replication-group-id backend-login-hk --apply-immediately

Lambda

List of Lambda Functions, Runtime and Memory

aws lambda list-functions | jq -r '.Functions[] | .FunctionName+" "+.Runtime+" "+(.MemorySize|tostring)'
backend-api-function           nodejs8.10  512
backend-signup-email-function  nodejs10.x  128
partner-api-8XJAP1VVLYA7       python3.7   128
marketing-promo-sqs-function   nodejs10.x  128

List of Lambda Layers

aws lambda list-layers | jq -r '.Layers[] | .LayerName'
imagemagik-layer
django-layer
nodejs-extra-layer

List of Source Event for Lambda

aws lambda list-event-source-mappings | jq -r '.EventSourceMappings[] | .FunctionArn+" "+.EventSourceArn'
arn:aws:lambda:function:backend-api-function           arn:aws:dynamodb:table/prod-user-list/stream
arn:aws:lambda:function:backend-signup-email-function  arn:aws:dynamodb:table/prod-user-email/stream
arn:aws:lambda:function:partner-api-8XJAP1VVLYA7       arn:aws:sqs:partner-input-msg-queue
arn:aws:lambda:function:marketing-promo-sqs-function   arn:aws:sqs:promo-input-msg-queue

Download Lambda Code

aws lambda get-function --function-name DynamoToSQS | jq -r .Code.Location
https://awslambda-ap-se-1-tasks.s3.ap-southeast-1.amazonaws.com/snapshots/987654321/backend-api-function-1fda0de7-a751-4586-bf64-5601a410c170

CloudWatch

List of CloudWatch Alarms and Status

aws cloudwatch describe-alarms | jq -r '.MetricAlarms[] | .AlarmName+" "+.Namespace+" "+.StateValue'
backend-autoscale  AWS/EC2             OK
backend-lb         AWS/ApplicationELB  OK
partner-hk         AWS/ECS             ALARM
partner-vn         AWS/ECS             ALARM
partner-sg         AWS/ECS             ALARM
userdata-read      AWS/DynamoDB        OK
userdata-write     AWS/DynamoDB        OK

Create Alarm for EC2 High CPUUtilization

aws cloudwatch put-metric-alarm --alarm-name high-cpu-usage --alarm-description "Alarm when CPU exceeds 70 percent" --metric-name CPUUtilization --namespace AWS/EC2 --statistic Average --period 300 --threshold 70 --comparison-operator GreaterThanThreshold --dimensions "Name=InstanceId,Value=i-123456789" --evaluation-periods 2 --alarm-actions arn:aws:sns:ap-southeast-1:987654321:System-Alerts --unit Percent

Create Alarm for EC2 High StatusCheckFailed_Instance

aws cloudwatch put-metric-alarm --alarm-name EC2-StatusCheckFailed-AppServer --alarm-description "EC2 StatusCheckFailed for AppServer" --metric-name StatusCheckFailed_Instance --namespace AWS/EC2 --statistic Average --period 60 --threshold 0 --comparison-operator GreaterThanThreshold --dimensions "Name=InstanceId,Value=i-123456789" --evaluation-periods 3 --alarm-actions arn:aws:sns:ap-southeast-1:987654321:System-Alerts --unit Count

Route53

List Domains

aws route53 list-hosted-zones | jq -r '.HostedZones[]|.Id+" "+.Name'
/hostedzone/ZEB1PAH4U mysite.com.
/hostedzone/ZQUOHGH3G yoursite.com.
/hostedzone/ZEADEA0CO staywith.us.

List Records for a Domain (Zone)

aws route53 list-resource-record-sets --hosted-zone-id /hostedzone/ZEB1PAH4U | jq -r '.ResourceRecordSets[]| if (.AliasTarget!=null) then .Type+" "+.Name+" "+.AliasTarget.DNSName else .Type+" "+.Name+" "+.ResourceRecords[].Value end'
A      mysite.com.              dualstack.mysite-lb-967522168.ap-southeast-1.elb.amazonaws.com.
A      mysite.com.              11.22.33.44
TXT    _amazonses.mysite.com.   6c6d761371f0480bbe60de0df275b550
A      test.mysite.com.         55.66.77.88
CNAME  www.mysite.com.          mysite.com

SNS

List of SNS Topics

aws sns list-topics | jq -r '.Topics[] | .TopicArn'
arn:aws:sns:ap-southeast-1:987654321:backend-api-monitoring
arn:aws:sns:ap-southeast-1:987654321:dynamodb-count-check
arn:aws:sns:ap-southeast-1:987654321:partner-integration-check
arn:aws:sns:ap-southeast-1:987654321:autoscale-notifications

List of SNS Subscriptions

aws sns list-subscriptions | jq -r '.Subscriptions[] | .TopicArn+" "+.Protocol+" "+.Endpoint'
arn:aws:sns:ap-southeast-1:autoscale-notifications    lambda  arn:aws:lambda:function:autoscale-function
arn:aws:sns:ap-southeast-1:backend-api-monitoring     email   alert@mdminhazulhaque.io
arn:aws:sns:ap-southeast-1:dynamodb-count-check       email   alert@mdminhazulhaque.io
arn:aws:sns:ap-southeast-1:partner-integration-check  lambda  arn:aws:lambda:function:partner-function
arn:aws:sns:ap-southeast-1:autoscale-notifications    lambda  arn:aws:lambda:function:autoscale-function

Publish to SNS Topic

aws sns publish --topic-arn arn:aws:sns:ap-southeast-1:987654321:backend-api-monitoring \
    --message "Panic!!!" \
    --subject "The API is down!!!"

DynamoDB

List of DynamoDB Tables

aws dynamodb list-tables | jq -r '.TableNames[]'
userdata_hk
userdata_vn
userdata_sg
providers
events

Get All Items from a Table

Warning: This command will stream ALL items until SIGINT is sent.

aws dynamodb scan --table-name events

Get Item Count from a Table

aws dynamodb scan --table-name events --select COUNT | jq .ScannedCount
726119

Get Item using Key

aws dynamodb get-item --table-name events --key '{"email": {"S": "admin@mdminhazulhaque.io"}}'
{
    "Item": {
        "email": {
            "S": "admin@mdminhazulhaque.io"
        },
        "created_at": {
            "N": "1554780667296"
        },
        "event_type": {
            "S": "DISPATCHED"
        }
    }
}

Get Specific Fields from an Item

aws dynamodb get-item --table-name events --key '{"email": {"S": "admin@mdminhazulhaque.io"}}' --attributes-to-get event_type
{
    "Item": {
        "event_type": {
            "S": "DISPATCHED"
        }
    }
}

Delete Item using Key

aws dynamodb delete-item --table-name events --key '{"email": {"S": "admin@mdminhazulhaque.io"}}'

SQS

List Queues

aws sqs list-queues | jq -r '.QueueUrls[]'
https://ap-southeast-1.queue.amazonaws.com/987654321/public-events.fifo
https://ap-southeast-1.queue.amazonaws.com/987654321/user-signup

Create Queue

aws sqs create-queue --queue-name public-events.fifo --attributes FifoQueue=true | jq -r .QueueUrl
https://ap-southeast-1.queue.amazonaws.com/987654321/public-events.fifo

Count Messages in Queue

aws sqs get-queue-attributes --queue-url https://ap-southeast-1.queue.amazonaws.com/987654321/public-events.fifo --attribute-names All | jq -r '.Attributes | .QueueArn + " " + .ApproximateNumberOfMessages'
arn:aws:sqs:ap-southeast-1:987654321:events.fifo 42

Send Message

aws sqs send-message --queue-url https://ap-southeast-1.queue.amazonaws.com/987654321/public-events.fifo --message-body Hello --message-group-id group-1 --message-deduplication-id msg-0001
{
    "MD5OfMessageBody": "37b51d194a7513e45b56f6524f2d51f2",
    "MessageId": "4226398e-bab0-4bee-bf5a-8e7ae18c855a"
}

Receive Message

aws sqs receive-message --queue-url https://ap-southeast-1.queue.amazonaws.com/987654321/public-events.fifo | jq -r '.Messages[] | .Body'
Hello

Delete Message

aws sqs delete-message --queue-url https://ap-southeast-1.queue.amazonaws.com/987654321/public-events.fifo --receipt-handle "AQEBpqKLxNb8rIOn9ykSeCkKebNzn0BrEJ3Cg1RS6MwID2t1oYHCnMP06GnuVZGzt7kpWXZ5ieLQ=="

Purge Queue

aws sqs purge-queue --queue-url https://ap-southeast-1.queue.amazonaws.com/987654321/public-events.fifo

Delete Queue

aws sqs delete-queue --queue-url https://ap-southeast-1.queue.amazonaws.com/987654321/public-events.fifo

CloudFront

List of CloudFront Distributions and Origins

aws cloudfront list-distributions | jq -r '.DistributionList.Items[] | .DomainName+" "+.Origins.Items[0].DomainName'
d9d5bb1e3c281f.cloudfront.net  frontend-prod-hk.s3.amazonaws.com
d12b09e8a0a996.cloudfront.net  frontend-prod-vn.s3.amazonaws.com
db64e7e9b3cc22.cloudfront.net  frontend-prod-sg.s3.amazonaws.com
d5e3221cf8b921.cloudfront.net  cdn.mdminhazulhaque.io

Create Cache Invalidation

aws cloudfront create-invalidation --distribution-id D12B09E8A0A996 --paths /blog/\* /blog/assets/\* | jq -r '.Invalidation.Id'
IALJ5AL93ZD79

Check Cache Invalidation Status

aws cloudfront get-invalidation --distribution-id D12B09E8A0A996 --id IALJ5AL93ZD79 | jq -r '.Invalidation.Status'
Completed

Amplify

List of Amplify Apps and Source Repository

aws amplify list-apps | jq -r '.apps[] | .name+" "+.defaultDomain+" "+.repository'
fe-vn  d9d5bb1e3c281f.amplifyapp.com  https://bitbucket.org/aws/frontend-vn
fe-hk  db64e7e9b3cc22.amplifyapp.com  https://bitbucket.org/aws/frontend-hk
fe-sg  d5e3221cf8b921.amplifyapp.com  https://bitbucket.org/aws/frontend-sg

Cognito

List of User Pool IDs and Names

aws cognito-idp list-user-pools --max-results 60 | jq -r '.UserPools[] | .Id+" "+.Name'
ap-southeast-1_b6da07d35 prod-users
ap-southeast-1_b6da07d34 dev-users

List of Phone and Email of All Users

aws cognito-idp list-users --user-pool-id ap-southeast-1_b6da07d35 | jq -r '.Users[].Attributes | from_entries | .sub + " " + .phone_number + " " + .email'
585fb96e-525c-4f9b-9d41-865d2dffde9b +601122334455 admin@mdminhazulhaque.io
71f2778c-8e21-4775-94dc-e363c77d1ae1 +601122334455 foo@bar.com
8fc1882e-e661-49db-88e6-45d370bc352a +601122334455 cli@aws.com

IAM User

List of UserId and UserName

aws iam list-users | jq -r '.Users[]|.UserId+" "+.UserName'
AIDAZBWIOJIQFOLNBXXCVSUQ kaiser
AIDAZCTWYVXYOKSHVWXPYPLR thornton
AIDAZUYALCGFQJENBCZFJTVX maldonado
AIDAZKQAFIGQJWOKKSKRBLGE key
AIDAZXUDGQVQCEWBFGIJOWWY nelson

Get Single User

aws iam get-user --user-name kaiser

Add User

aws iam create-user --user-name audit-temp

Delete User

aws iam delete-user --user-name audit-temp

List Access Keys for User

aws iam list-access-keys --user-name audit-temp | jq -r '.AccessKeyMetadata[].AccessKeyId'
AKIABWIOJIQFOLNBXXCVSUQ
AKIACTWYVXYOKSHVWXPYPLR
AKIAUYALCGFQJENBCZFJTVX

Delete Access Key for User

aws iam delete-access-key --user-name audit-temp --access-key-id AKIABWIOJIQFOLNBXXCVSUQ

Activate/Deactivate Access Key for User

aws iam update-access-key --status Inactive --user-name audit-temp --access-key-id AKIABWIOJIQFOLNBXXCVSUQ
aws iam update-access-key --status Active   --user-name audit-temp --access-key-id AKIABWIOJIQFOLNBXXCVSUQ

Generate New Access Key for User

aws iam create-access-key --user-name audit-temp | jq -r '.AccessKey | .AccessKeyId+" "+.SecretAccessKey'
AKIABWIOJIQFOLNBXXCVSUQ p9ge02ebLX9jobdQKmfikRqCiEw3HBylwHyXq0z

IAM Group

List Groups

aws iam list-groups | jq -r '.Groups[].GroupName'
developers
administrators
testers
marketing-ro

Add/Delete Groups

aws iam create-group --group-name business-ro
aws iam delete-group --group-name business-ro

List of Policies and ARNs

aws iam list-policies               | jq -r '.Policies[]|.PolicyName+" "+.Arn'
aws iam list-policies --scope AWS   | jq -r '.Policies[]|.PolicyName+" "+.Arn'
aws iam list-policies --scope Local | jq -r '.Policies[]|.PolicyName+" "+.Arn'

List of User/Group/Roles for a Policy

aws iam list-entities-for-policy --policy-arn arn:aws:iam::987654321:policy/Marketing-ReadOnly

List Policies for a Group

aws iam list-attached-group-policies --group-name business-ro

Add Policy to a Group

aws iam attach-group-policy --group-name business-ro --policy-arn arn:aws:iam::aws:policy/DynamoDBReadOnlyAccess

Add User to a Group

aws iam add-user-to-group --group-name business-ro --user-name marketing-michael

Remove User from a Group

aws iam remove-user-from-group --group-name business-ro --user-name marketing-alice

List Users in a Group

aws iam get-group --group-name business-ro

List Groups for a User

aws iam list-groups-for-user --user-name qa-bob

Attach/Detach Policy to a Group

aws iam detach-group-policy --group-name business-ro --policy-arn arn:aws:iam::aws:policy/DynamoDBFullAccess
aws iam attach-group-policy --group-name business-ro --policy-arn arn:aws:iam::aws:policy/DynamoDBFullAccess