A quick reference for the AWS CLI (v2). Covers EC2, S3, IAM, Lambda, CloudFormation, and common flags for day-to-day cloud operations.
EC2
| Command | Description |
|---|---|
| aws ec2 describe-instances | List all EC2 instances |
| aws ec2 run-instances --image-id ami-xxx --instance-type t3.micro | Launch an instance |
| aws ec2 start-instances --instance-ids i-xxx | Start a stopped instance |
| aws ec2 stop-instances --instance-ids i-xxx | Stop a running instance |
| aws ec2 terminate-instances --instance-ids i-xxx | Terminate an instance |
| aws ec2 describe-security-groups | List security groups |
| aws ec2 create-key-pair --key-name mykey | Create an SSH key pair |
| aws ec2 describe-vpcs | List VPCs |
S3
| Command | Description |
|---|---|
| aws s3 ls | List all buckets |
| aws s3 ls s3://bucket/prefix/ | List objects in bucket prefix |
| aws s3 cp file.txt s3://bucket/ | Upload file to S3 |
| aws s3 cp s3://bucket/file.txt . | Download file from S3 |
| aws s3 sync ./dir s3://bucket/dir | Sync local directory to S3 |
| aws s3 mb s3://new-bucket | Create a new bucket |
| aws s3 rb s3://bucket --force | Delete bucket and all objects |
| aws s3 presign s3://bucket/key --expires-in 3600 | Generate pre-signed URL (1hr) |
IAM
| Command | Description |
|---|---|
| aws iam create-user --user-name dev | Create IAM user |
| aws iam list-users | List all IAM users |
| aws iam create-access-key --user-name dev | Create access key for user |
| aws iam attach-user-policy --user-name dev --policy-arn arn:... | Attach policy to user |
| aws iam list-attached-user-policies --user-name dev | List user policies |
| aws iam create-role --role-name myrole --assume-role-policy-document file://trust.json | Create IAM role |
| aws sts get-caller-identity | Show current IAM identity |
| aws iam delete-user --user-name dev | Delete IAM user |
Lambda
| Command | Description |
|---|---|
| aws lambda list-functions | List all Lambda functions |
| aws lambda invoke --function-name myfn out.json | Invoke a function |
| aws lambda create-function --function-name myfn --runtime nodejs22.x --handler index.handler --zip-file fileb://fn.zip --role arn:... | Create a function (nodejs20.x is deprecated; AWS plans to block new nodejs20.x functions from late August 2026) |
| aws lambda update-function-code --function-name myfn --zip-file fileb://fn.zip | Update function code |
| aws lambda get-function --function-name myfn | Get function configuration |
| aws lambda delete-function --function-name myfn | Delete a function |
| aws logs tail /aws/lambda/myfn --follow | Tail function logs |
CloudFormation
| Command | Description |
|---|---|
| aws cloudformation deploy --template-file tpl.yaml --stack-name mystack | Deploy or update a stack |
| aws cloudformation describe-stacks --stack-name mystack | Describe a stack |
| aws cloudformation list-stacks | List all stacks |
| aws cloudformation describe-stack-events --stack-name mystack | Show stack events |
| aws cloudformation delete-stack --stack-name mystack | Delete a stack |
| aws cloudformation validate-template --template-body file://tpl.yaml | Validate a template |
Common Flags
| Flag | Description |
|---|---|
| --region us-east-1 | Override default AWS region |
| --profile staging | Use a named CLI profile |
| --output json | table | text | Set output format |
| --query "Reservations[].Instances[]" | JMESPath query — filters client-side, after the API responds |
| --dry-run | Validate permissions without executing |
| --no-paginate | Disable automatic pagination |
| --cli-auto-prompt | Enable interactive auto-prompt |
Configuration
| Command | Description |
|---|---|
| aws configure | Set up credentials interactively |
| aws configure list | Show current configuration |
| aws configure set region us-west-2 | Set a specific config value |
| aws configure list-profiles | List all configured profiles |
| export AWS_PROFILE=staging | Switch profile via environment |
| export AWS_DEFAULT_REGION=eu-west-1 | Set region via environment |
Common gotchas
aws s3andaws s3apiare different layers:s3gives high-level convenience commands (sync, recursive cp),s3apimaps 1:1 to API operations (get-bucket-policy, put-object-acl). If a flag seems missing, you are probably on the wrong one.aws s3 sync --deleteremoves anything in the destination that is missing locally — run with--dryrunfirst, especially against a production bucket.- Credential environment variables (
AWS_ACCESS_KEY_ID) beat theAWS_PROFILEvariable — a forgottenexportsilently overrides the profile you asked for; an explicit--profileflag still wins over both. Check who you are withaws sts get-caller-identity. See AWS Lambda environment variables for the Lambda side. presignURLs expire when the signing credentials do: signed with temporary STS/role credentials, the URL dies with the session no matter what--expires-insays. Sign with long-lived credentials for the full 7-day maximum.--query(JMESPath) filters on the client after full pagination;--filters(EC2 and friends) filters on the server. On large accounts the difference is minutes of wall-clock time and a lot of transferred JSON.
Related: storing credentials safely is covered in environment variable security, and VPC subnet math in the CIDR cheat sheet.