
AWS CLI Cheat Sheet for Professionals
- S3 (Simple Storage Service)
- EC2 (Elastic Compute Cloud)
- IAM (Identity and Access Management)
- VPC (Virtual Private Cloud)
- Lambda
- DynamoDB
- CloudFormation
- RDS (Relational Database Service)
- SQS (Simple Queue Service)
- SNS (Simple Notification Service)
- CloudWatch
- EBS (Elastic Block Store)
- ECS (Elastic Container Service)
- EKS (Elastic Kubernetes Service)
- API Gateway
- Real World Examples
Top 100 AWS CLI Commands
Below is a categorized list of 100 commonly used AWS CLI commands across various services, selected for their relevance in penetration testing and security assessments.
S3 (Simple Storage Service)
Command | Description |
---|---|
aws s3 ls | List all S3 buckets |
aws s3 ls s3://bucketname | List contents of a specific bucket |
aws s3 mb s3://bucketname | Create a new bucket |
aws s3 rb s3://bucketname | Remove an empty bucket |
aws s3 cp localfile s3://bucketname/ | Upload a file to a bucket |
aws s3 cp s3://bucketname/object localfile | Download a file from a bucket |
aws s3 sync localdir s3://bucketname/ | Sync a local directory to a bucket |
aws s3 sync s3://bucketname/ localdir | Sync a bucket to a local directory |
aws s3 rm s3://bucketname/object | Delete an object from a bucket |
aws s3 presign s3://bucketname/object | Generate a pre-signed URL for an object |
EC2 (Elastic Compute Cloud)
Command | Description |
---|---|
aws ec2 describe-instances | List all EC2 instances |
aws ec2 run-instances --image-id ami-123 --count 1 --instance-type t2.micro --key-name MyKey --security-group-ids sg-123 --subnet-id subnet-123 | Launch a new instance |
aws ec2 terminate-instances --instance-ids i-123 | Terminate an instance |
aws ec2 start-instances --instance-ids i-123 | Start an instance |
aws ec2 stop-instances --instance-ids i-123 | Stop an instance |
aws ec2 describe-volumes | List all EBS volumes |
aws ec2 create-security-group --group-name MySG --description "My SG" | Create a security group |
aws ec2 authorize-security-group-ingress --group-id sg-123 --protocol tcp --port 22 --cidr 0.0.0.0/0 | Add an ingress rule to a security group (this one allows SSH, port 22, from any IPv4 address) |
aws ec2 describe-security-groups | List all security groups |
aws ec2 describe-subnets | List all subnets |
IAM (Identity and Access Management)
Command | Description |
---|---|
aws iam list-users | List all IAM users |
aws iam create-user --user-name Bob | Create a new IAM user |
aws iam delete-user --user-name Bob | Delete an IAM user |
aws iam attach-user-policy --user-name Bob --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess | Attach a policy to a user |
aws iam list-groups | List all IAM groups |
aws iam create-group --group-name MyGroup | Create a new IAM group |
aws iam add-user-to-group --user-name Bob --group-name MyGroup | Add a user to a group |
aws iam list-policies | List all IAM policies |
aws iam get-policy --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess | Get details of a policy |
aws iam create-role --role-name MyRole --assume-role-policy-document file://trust-policy.json | Create an IAM role |
VPC (Virtual Private Cloud)
Command | Description |
---|---|
aws ec2 describe-vpcs | List all VPCs |
aws ec2 create-vpc --cidr-block 10.0.0.0/16 | Create a new VPC |
aws ec2 delete-vpc --vpc-id vpc-123 | Delete a VPC |
aws ec2 describe-subnets | List all subnets |
aws ec2 create-subnet --vpc-id vpc-123 --cidr-block 10.0.1.0/24 | Create a subnet |
aws ec2 delete-subnet --subnet-id subnet-123 | Delete a subnet |
aws ec2 describe-route-tables | List all route tables |
aws ec2 create-route-table --vpc-id vpc-123 | Create a route table |
aws ec2 associate-route-table --route-table-id rtb-123 --subnet-id subnet-123 | Associate a route table with a subnet |
aws ec2 describe-internet-gateways | List all internet gateways |
aws ec2 create-internet-gateway | Create an internet gateway |
aws ec2 attach-internet-gateway --internet-gateway-id igw-123 --vpc-id vpc-123 | Attach an internet gateway to a VPC |
Lambda
Command | Description |
---|---|
aws lambda list-functions | List all Lambda functions |
aws lambda create-function --function-name MyFunction --runtime python3.8 --role arn:aws:iam::123456789012:role/lambda-role --handler lambda_function.lambda_handler --zip-file fileb://function.zip | Create a Lambda function |
aws lambda invoke --function-name MyFunction output.txt | Invoke a Lambda function |
aws lambda update-function-code --function-name MyFunction --zip-file fileb://new_function.zip | Update a Lambda function’s code |
aws lambda delete-function --function-name MyFunction | Delete a Lambda function |
DynamoDB
Command | Description |
---|---|
aws dynamodb list-tables | List all DynamoDB tables |
aws dynamodb create-table --table-name MyTable --attribute-definitions AttributeName=Id,AttributeType=S --key-schema AttributeName=Id,KeyType=HASH --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 | Create a DynamoDB table |
aws dynamodb put-item --table-name MyTable --item '{"Id": {"S": "1"}, "Name": {"S": "John"}}' | Insert an item into a table |
aws dynamodb get-item --table-name MyTable --key '{"Id": {"S": "1"}}' | Retrieve an item from a table |
aws dynamodb scan --table-name MyTable | Scan all items in a table |
aws dynamodb delete-item --table-name MyTable --key '{"Id": {"S": "1"}}' | Delete an item from a table |
aws dynamodb delete-table --table-name MyTable | Delete a DynamoDB table |
CloudFormation
Command | Description |
---|---|
aws cloudformation create-stack --stack-name MyStack --template-body file://template.yaml | Create a CloudFormation stack |
aws cloudformation describe-stacks --stack-name MyStack | Describe a stack |
aws cloudformation update-stack --stack-name MyStack --template-body file://new_template.yaml | Update a stack |
aws cloudformation delete-stack --stack-name MyStack | Delete a stack |
aws cloudformation list-stacks | List all stacks |
RDS (Relational Database Service)
Command | Description |
---|---|
aws rds describe-db-instances | List all RDS instances |
aws rds create-db-instance --db-instance-identifier MyDB --db-instance-class db.t2.micro --engine mysql --master-username admin --master-user-password password --allocated-storage 20 | Create an RDS instance |
aws rds delete-db-instance --db-instance-identifier MyDB --skip-final-snapshot | Delete an RDS instance |
aws rds start-db-instance --db-instance-identifier MyDB | Start an RDS instance |
aws rds stop-db-instance --db-instance-identifier MyDB | Stop an RDS instance |
SQS (Simple Queue Service)
Command | Description |
---|---|
aws sqs list-queues | List all SQS queues |
aws sqs create-queue --queue-name MyQueue | Create a new queue |
aws sqs send-message --queue-url https://sqs.us-east-1.amazonaws.com/123456789012/MyQueue --message-body "Hello" | Send a message to a queue |
aws sqs receive-message --queue-url https://sqs.us-east-1.amazonaws.com/123456789012/MyQueue | Receive a message from a queue |
aws sqs delete-message --queue-url https://sqs.us-east-1.amazonaws.com/123456789012/MyQueue --receipt-handle <handle> | Delete a message from a queue |
aws sqs delete-queue --queue-url https://sqs.us-east-1.amazonaws.com/123456789012/MyQueue | Delete a queue |
SNS (Simple Notification Service)
Command | Description |
---|---|
aws sns list-topics | List all SNS topics |
aws sns create-topic --name MyTopic | Create a new topic |
aws sns subscribe --topic-arn arn:aws:sns:us-east-1:123456789012:MyTopic --protocol email --notification-endpoint myemail@example.com | Subscribe to a topic |
aws sns publish --topic-arn arn:aws:sns:us-east-1:123456789012:MyTopic --message "Hello" | Publish a message to a topic |
aws sns delete-topic --topic-arn arn:aws:sns:us-east-1:123456789012:MyTopic | Delete a topic |
CloudWatch
Command | Description |
---|---|
aws cloudwatch describe-alarms | List all CloudWatch alarms |
aws cloudwatch put-metric-alarm --alarm-name MyAlarm --metric-name CPUUtilization --namespace AWS/EC2 --statistic Average --period 300 --threshold 80 --comparison-operator GreaterThanThreshold --dimensions Name=InstanceId,Value=i-1234567890abcdef0 --evaluation-periods 2 --alarm-actions arn:aws:sns:us-east-1:123456789012:MyTopic | Create a metric alarm |
aws cloudwatch delete-alarms --alarm-names MyAlarm | Delete an alarm |
aws cloudwatch get-metric-statistics --metric-name CPUUtilization --namespace AWS/EC2 --statistics Average --start-time 2023-01-01T00:00:00Z --end-time 2023-01-02T00:00:00Z --period 3600 --dimensions Name=InstanceId,Value=i-1234567890abcdef0 | Get metric statistics |
EBS (Elastic Block Store)
Command | Description |
---|---|
aws ec2 describe-volumes | List all EBS volumes |
aws ec2 create-volume --size 10 --availability-zone us-east-1a --volume-type gp2 | Create a new volume |
aws ec2 attach-volume --volume-id vol-123 --instance-id i-123 --device /dev/sdf | Attach a volume to an instance |
aws ec2 detach-volume --volume-id vol-123 | Detach a volume |
aws ec2 delete-volume --volume-id vol-123 | Delete a volume |
ECS (Elastic Container Service)
Command | Description |
---|---|
aws ecs list-clusters | List all ECS clusters |
aws ecs create-cluster --cluster-name MyCluster | Create a new cluster |
aws ecs register-task-definition --family MyTask --container-definitions file://container.json | Register a task definition |
aws ecs run-task --cluster MyCluster --task-definition MyTask | Run a task |
aws ecs list-tasks --cluster MyCluster | List tasks in a cluster |
aws ecs stop-task --cluster MyCluster --task <task-arn> | Stop a task |
EKS (Elastic Kubernetes Service)
Command | Description |
---|---|
aws eks list-clusters | List all EKS clusters |
aws eks create-cluster --name MyCluster --role-arn arn:aws:iam::123456789012:role/EKSRole --resources-vpc-config subnetIds=subnet-123,subnet-456,securityGroupIds=sg-123 | Create a new cluster |
aws eks describe-cluster --name MyCluster | Describe a cluster |
aws eks delete-cluster --name MyCluster | Delete a cluster |
API Gateway
Command | Description |
---|---|
aws apigateway get-rest-apis | List all REST APIs |
aws apigateway create-rest-api --name MyAPI | Create a new REST API |
aws apigateway get-resources --rest-api-id <api-id> | List resources for an API |
aws apigateway create-resource --rest-api-id <api-id> --parent-id <parent-id> --path-part {proxy+} | Create a resource |
aws apigateway put-method --rest-api-id <api-id> --resource-id <resource-id> --http-method ANY --authorization-type NONE | Add a method to a resource |
aws apigateway put-integration --rest-api-id <api-id> --resource-id <resource-id> --http-method ANY --type HTTP --integration-http-method ANY --uri http://example.com | Add an integration to a method |
20 Real-World Examples
These examples demonstrate practical applications of AWS CLI commands in penetration testing and security management scenarios. Each example includes commands and a brief explanation of their use.
1. Create an S3 Bucket and Upload a File
Commands:
aws s3 mb s3://mybucket
aws s3 cp localfile.txt s3://mybucket/
Explanation: Creates a new S3 bucket and uploads a file, useful for testing bucket permissions and data exposure.
2. List All S3 Buckets
Command:
aws s3 ls
Explanation: Lists all S3 buckets in the account, helping identify misconfigured or publicly accessible buckets.
3. Download a File from S3
Command:
aws s3 cp s3://mybucket/file.txt localfile.txt
Explanation: Downloads a file from an S3 bucket, useful for verifying access controls.
4. Sync a Local Directory with an S3 Bucket
Command:
aws s3 sync localdir s3://mybucket/
Explanation: Synchronizes a local directory with an S3 bucket, ideal for backing up data or testing sync permissions.
5. Launch an EC2 Instance
Command:
aws ec2 run-instances --image-id ami-123 --count 1 --instance-type t2.micro --key-name MyKey --security-group-ids sg-123 --subnet-id subnet-123
Explanation: Launches a new EC2 instance, useful for setting up test environments or simulating attacker infrastructure.
6. Terminate an EC2 Instance
Command:
aws ec2 terminate-instances --instance-ids i-123
Explanation: Terminates an EC2 instance, ensuring cleanup after testing to prevent unauthorized access.
7. Describe All EC2 Instances
Command:
aws ec2 describe-instances
Explanation: Lists all EC2 instances, helping identify running instances and their configurations.
8. Create a Security Group and Add a Rule
Commands:
aws ec2 create-security-group --group-name MySG --description "My SG"
aws ec2 authorize-security-group-ingress --group-id sg-123 --protocol tcp --port 22 --cidr 0.0.0.0/0
Explanation: Creates a security group and adds an SSH ingress rule that accepts connections from any IPv4 address (0.0.0.0/0), useful for testing network access controls.
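The rule above is the classic world-open SSH finding, and the `describe-instances` / `describe-security-groups` commands from the EC2 table are what an auditor uses to locate it. The script below is an added example (not part of this cheat sheet) that joins the two JSON outputs (`aws ec2 describe-instances --output json` and `aws ec2 describe-security-groups --output json`) and reports running, publicly addressed instances whose group exposes SSH or RDP to 0.0.0.0/0 or ::/0. The two JSON documents are constructed samples, and the function names are this example's own; the remediation for a flagged rule is simply to re-run `authorize-security-group-ingress` with a specific source CIDR (for instance `--cidr 203.0.113.0/24`) after revoking the open one.

```python
"""Audit EC2 security groups and instances for admin ports open to the world.

Assumes two documents captured with the cheat sheet's own commands:
  aws ec2 describe-security-groups --output json
  aws ec2 describe-instances --output json
Both sample documents below are constructed for this example.
"""
import json

# Constructed sample: sg-123 mirrors the page's world-open SSH rule; sg-456
# restricts SSH to one CIDR but has an all-protocol ("-1") rule open to ::/0.
SECURITY_GROUPS_JSON = """
{"SecurityGroups": [
  {"GroupId": "sg-123", "GroupName": "MySG",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-456", "GroupName": "BastionSG",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
     {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
]}
"""

# Constructed sample: i-123 has a public IP and uses sg-123; i-456 is private.
INSTANCES_JSON = """
{"Reservations": [
  {"Instances": [
    {"InstanceId": "i-123", "State": {"Name": "running"},
     "PublicIpAddress": "198.51.100.10",
     "SecurityGroups": [{"GroupId": "sg-123", "GroupName": "MySG"}]},
    {"InstanceId": "i-456", "State": {"Name": "running"},
     "SecurityGroups": [{"GroupId": "sg-456", "GroupName": "BastionSG"}]}
  ]}
]}
"""

WORLD = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22: "ssh", 3389: "rdp"}


def load_groups(sg_json):
    """Index security groups by GroupId."""
    return {g["GroupId"]: g for g in json.loads(sg_json)["SecurityGroups"]}


def world_open_ports(group):
    """Return {port: label} for admin ports reachable from any address.

    IpProtocol "-1" means every protocol and port, so all admin ports count.
    Only TCP rules are otherwise considered, since SSH and RDP are TCP.
    """
    found = {}
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if not WORLD.intersection(cidrs):
            continue
        if perm.get("IpProtocol") == "-1":
            found.update(ADMIN_PORTS)
            continue
        if perm.get("IpProtocol") not in ("tcp", "6"):
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        for port, label in ADMIN_PORTS.items():
            if lo <= port <= hi:
                found[port] = label
    return found


def audit(sg_json, inst_json):
    """Return (instance, public ip, group, port, label) for every exposed
    admin port on a running instance that actually has a public address."""
    open_by_group = {gid: world_open_ports(g) for gid, g in load_groups(sg_json).items()}
    findings = []
    for reservation in json.loads(inst_json)["Reservations"]:
        for inst in reservation["Instances"]:
            if inst["State"]["Name"] != "running" or "PublicIpAddress" not in inst:
                continue
            for ref in inst["SecurityGroups"]:
                for port, label in sorted(open_by_group.get(ref["GroupId"], {}).items()):
                    findings.append((inst["InstanceId"], inst["PublicIpAddress"],
                                     ref["GroupId"], port, label))
    return findings


if __name__ == "__main__":
    for inst_id, ip, gid, port, label in audit(SECURITY_GROUPS_JSON, INSTANCES_JSON):
        print(f"{inst_id} ({ip}) exposes {label}/{port} to the world via {gid}")
```

Note that sg-456's all-protocol IPv6 rule is reported as open even though its explicit SSH rule is restricted; a group is only as tight as its broadest rule, and i-456 escapes the report solely because it has no public address, which is a weaker guarantee than a correct group.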
9. Create an IAM User and Attach a Policy
Commands:
aws iam create-user --user-name Bob
aws iam attach-user-policy --user-name Bob --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
Explanation: Creates an IAM user and grants S3 read-only access, ideal for testing least privilege principles.
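Whether a policy really is least privilege is decided by its document, not its name, and the same document grammar governs the identity policies in the IAM table, the trust policy passed to `create-role`, and S3 bucket policies. The linter below is an added example (not from this cheat sheet) that flags the three patterns a reviewer looks for first: a wildcard action on a wildcard resource, `NotAction`/`NotResource` grants, and an anonymous principal with no `Condition`. The policy documents are constructed samples; the bucket-policy sample is wrapped the way `aws s3api get-bucket-policy` returns it (a JSON string inside a `Policy` field), and all function names are this example's own.

```python
"""Flag over-broad Allow statements in IAM, trust and S3 bucket policies.

Assumes policy documents in the standard IAM JSON grammar, e.g. the
PolicyDocument returned by `aws iam get-policy-version` or the document
inside the "Policy" field of `aws s3api get-bucket-policy`. All samples
below are constructed for this example.
"""
import json


def as_list(value):
    """Action, Resource and Principal may be a string or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_anyone(principal):
    """True for "*" or for "*" inside any principal type, e.g. {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in as_list(v) for v in principal.values())
    return False


def lint_policy(doc):
    """Return [(sid, reason)] for Allow statements that need attention."""
    findings = []
    for i, stmt in enumerate(as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        actions = as_list(stmt.get("Action"))
        resources = as_list(stmt.get("Resource"))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((sid, "NotAction/NotResource allows everything not listed"))
        if "*" in resources and any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((sid, "wildcard action on wildcard resource"))
        if principal_is_anyone(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append((sid, "anonymous principal without a Condition"))
    return findings


def lint_bucket_policy_output(text):
    """get-bucket-policy returns {"Policy": "<json string>"}; decode twice."""
    return lint_policy(json.loads(json.loads(text)["Policy"]))


# Constructed identity policy: a read-only statement shaped like the page's
# AmazonS3ReadOnlyAccess, an admin statement, and a Deny that is ignored.
SAMPLE_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnlyS3", "Effect": "Allow",
         "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
        {"Sid": "AdminEverything", "Effect": "Allow",
         "Action": "*", "Resource": "*"},
        {"Sid": "DenyDelete", "Effect": "Deny",
         "Action": "s3:DeleteObject", "Resource": "*"},
    ]}

# Constructed bucket policy as get-bucket-policy would return it: one public
# read statement and one that is scoped to a VPC endpoint by a Condition.
SAMPLE_BUCKET_POLICY_OUTPUT = json.dumps({"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mybucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mybucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
    ]})})

# Constructed trust policy (the kind passed via --assume-role-policy-document)
# that lets any AWS principal assume the role.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "sts:AssumeRole"}]}


if __name__ == "__main__":
    for name, findings in [("iam", lint_policy(SAMPLE_IAM_POLICY)),
                           ("bucket", lint_bucket_policy_output(SAMPLE_BUCKET_POLICY_OUTPUT)),
                           ("trust", lint_policy(SAMPLE_TRUST_POLICY))]:
        for sid, reason in findings:
            print(f"{name}: {sid}: {reason}")
```

A statement with a `Condition` is skipped rather than cleared: the VpcOnly statement is safe only if the condition key is one the caller cannot influence, which the linter cannot judge on its own. Treat its output as a worklist for review, not a verdict.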
10. List All IAM Users
Command:
aws iam list-users
Explanation: Lists all IAM users, helping identify unauthorized or dormant accounts.
11. Create a Lambda Function
Command:
aws lambda create-function --function-name MyFunction --runtime python3.8 --role arn:aws:iam::123456789012:role/lambda-role --handler lambda_function.lambda_handler --zip-file fileb://function.zip
Explanation: Creates a Lambda function, useful for testing serverless application security.
12. Invoke a Lambda Function
Command:
aws lambda invoke --function-name MyFunction output.txt
Explanation: Invokes a Lambda function, allowing testers to verify function behavior and outputs.
13. Create a DynamoDB Table
Command:
aws dynamodb create-table --table-name MyTable --attribute-definitions AttributeName=Id,AttributeType=S --key-schema AttributeName=Id,KeyType=HASH --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5
Explanation: Creates a DynamoDB table, useful for testing data storage security.
14. Insert an Item into DynamoDB
Command:
aws dynamodb put-item --table-name MyTable --item '{"Id": {"S": "1"}, "Name": {"S": "John"}}'
Explanation: Inserts an item into a DynamoDB table, allowing testers to verify data access controls.
15. Get an Item from DynamoDB
Command:
aws dynamodb get-item --table-name MyTable --key '{"Id": {"S": "1"}}'
Explanation: Retrieves an item from a DynamoDB table, useful for testing read permissions.
16. Create a CloudFormation Stack
Command:
aws cloudformation create-stack --stack-name MyStack --template-body file://template.yaml
Explanation: Creates a CloudFormation stack, ideal for deploying test infrastructure reproducibly.
17. Describe a CloudFormation Stack
Command:
aws cloudformation describe-stacks --stack-name MyStack
Explanation: Describes a CloudFormation stack, helping verify deployed resources.
18. Create an RDS Database Instance
Command:
aws rds create-db-instance --db-instance-identifier MyDB --db-instance-class db.t2.micro --engine mysql --master-username admin --master-user-password password --allocated-storage 20
Explanation: Creates an RDS database instance, useful for testing database security configurations.
19. List All RDS Database Instances
Command:
aws rds describe-db-instances
Explanation: Lists all RDS instances, helping identify database configurations and potential vulnerabilities.
20. Set Up a CloudWatch Alarm for an EC2 Instance
Command:
aws cloudwatch put-metric-alarm --alarm-name CPUAlarm --metric-name CPUUtilization --namespace AWS/EC2 --statistic Average --period 300 --threshold 80 --comparison-operator GreaterThanThreshold --dimensions Name=InstanceId,Value=i-123 --evaluation-periods 2 --alarm-actions arn:aws:sns:us-east-1:123456789012:MyTopic
Explanation: Sets up a CloudWatch alarm to monitor CPU utilization, critical for detecting performance issues during testing.
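The alarm above only fires after `--evaluation-periods 2` consecutive breaches of `--threshold 80`, and the `get-metric-statistics` command in the CloudWatch table returns its datapoints in no particular order, so it is easy to misjudge whether an alarm should have fired. The script below is an added example (not from this cheat sheet) that sorts the statistics output by timestamp and replays the page's alarm parameters over it, modelling CloudWatch's default where datapoints-to-alarm equals evaluation-periods. The statistics JSON is a constructed sample at the hourly period used by the page's `get-metric-statistics` command, missing-data handling is simplified to a plain INSUFFICIENT_DATA, and the function names are this example's own.

```python
"""Replay the page's CPU alarm against `get-metric-statistics` output.

Assumes JSON as returned by
  aws cloudwatch get-metric-statistics ... --statistics Average --output json
and a simplified model of CloudWatch evaluation: the alarm is ALARM when at
least `datapoints_to_alarm` of the newest `evaluation_periods` datapoints
breach (default: all of them), OK otherwise, and INSUFFICIENT_DATA when
fewer than `evaluation_periods` datapoints exist. The sample is constructed.
"""
import json
import operator

COMPARISONS = {
    "GreaterThanThreshold": operator.gt,
    "GreaterThanOrEqualToThreshold": operator.ge,
    "LessThanThreshold": operator.lt,
    "LessThanOrEqualToThreshold": operator.le,
}

# Constructed sample: four hourly datapoints, deliberately out of order,
# as the real API may return them.
SAMPLE_STATS = """
{"Label": "CPUUtilization",
 "Datapoints": [
   {"Timestamp": "2023-01-01T02:00:00Z", "Average": 91.2, "Unit": "Percent"},
   {"Timestamp": "2023-01-01T00:00:00Z", "Average": 12.5, "Unit": "Percent"},
   {"Timestamp": "2023-01-01T03:00:00Z", "Average": 88.0, "Unit": "Percent"},
   {"Timestamp": "2023-01-01T01:00:00Z", "Average": 85.4, "Unit": "Percent"}
 ]}
"""


def ordered_values(stats_json, statistic="Average"):
    """Sort datapoints by Timestamp and return the chosen statistic."""
    points = json.loads(stats_json)["Datapoints"]
    return [p[statistic] for p in sorted(points, key=lambda p: p["Timestamp"])]


def evaluate_alarm(values, threshold, comparison, evaluation_periods,
                   datapoints_to_alarm=None):
    """State of the alarm given the newest `evaluation_periods` values."""
    if comparison not in COMPARISONS:
        raise ValueError(f"unknown comparison operator: {comparison}")
    needed = datapoints_to_alarm or evaluation_periods
    window = values[-evaluation_periods:]
    if len(window) < evaluation_periods:
        return "INSUFFICIENT_DATA"
    breaching = sum(1 for v in window if COMPARISONS[comparison](v, threshold))
    return "ALARM" if breaching >= needed else "OK"


def alarm_state_timeline(values, threshold, comparison, evaluation_periods):
    """State after each datapoint arrives, showing when the alarm flipped."""
    return [evaluate_alarm(values[:i + 1], threshold, comparison, evaluation_periods)
            for i in range(len(values))]


if __name__ == "__main__":
    # The page's parameters: threshold 80, GreaterThanThreshold, 2 periods.
    values = ordered_values(SAMPLE_STATS)
    for value, state in zip(values, alarm_state_timeline(values, 80, "GreaterThanThreshold", 2)):
        print(f"{value:5.1f}% -> {state}")
```

The timeline shows the first breach (85.4) leaving the alarm in OK, which is the intended debounce: one spike does not page anyone, two consecutive ones do. Tightening `--evaluation-periods` to 1 trades that noise suppression for faster detection.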
Additional Resources
For further exploration, consult the following resources:
- Official AWS CLI Documentation for comprehensive command references.
- Blue Matador Cheat Sheet for quick command references.
- Pluralsight S3 Cheat Sheet for S3-specific commands.
- Scott Lowe’s Blog for practical command examples.
Security Best Practices
- Least Privilege: Ensure IAM policies grant only necessary permissions, as demonstrated in the IAM examples.
- Secure Configurations: Use secure settings for S3 buckets (e.g., block public access) and EC2 security groups (e.g., restrict ingress rules).
- Monitoring: Implement CloudWatch alarms and logs to detect unauthorized access or anomalies.
- Cleanup: Terminate test instances and delete unused resources to prevent exposure, as shown in the EC2 and S3 examples.
This cheat sheet equips penetration testers with the tools to manage and secure AWS environments effectively, aligning with enterprise security standards and compliance requirements.