Cheat sheet

AWS CLI

EKS, ECR, S3, IAM, EC2, SSM — common commands for platform and cloud engineers.

EKS

# Update kubeconfig for a cluster
aws eks update-kubeconfig \
  --name my-cluster --region us-east-1

# List clusters
aws eks list-clusters

# Describe cluster (auth mode, version, endpoint)
aws eks describe-cluster --name my-cluster

# List node groups
aws eks list-nodegroups --cluster-name my-cluster

# Create access entry (API auth mode)
aws eks create-access-entry \
  --cluster-name my-cluster \
  --principal-arn arn:aws:iam::123456789:role/my-role \
  --type STANDARD

# Associate access policy
aws eks associate-access-policy \
  --cluster-name my-cluster \
  --principal-arn arn:aws:iam::123456789:role/my-role \
  --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy \
  --access-scope type=cluster

ECR

# Authenticate Docker to ECR
aws ecr get-login-password --region us-east-1 \
  | docker login --username AWS \
    --password-stdin 123456789.dkr.ecr.us-east-1.amazonaws.com

# Create a repository
aws ecr create-repository --repository-name my-app

# List repositories
aws ecr describe-repositories

# List images in a repo
aws ecr list-images --repository-name my-app

# Delete an image
aws ecr batch-delete-image \
  --repository-name my-app \
  --image-ids imageTag=v1.0.0

S3

# List buckets
aws s3 ls

# List objects in a bucket
aws s3 ls s3://my-bucket/prefix/

# Copy file to S3
aws s3 cp ./file.txt s3://my-bucket/path/

# Sync directory to S3
aws s3 sync ./dist s3://my-bucket --delete

# Download from S3
aws s3 cp s3://my-bucket/file.txt ./file.txt

# Remove object
aws s3 rm s3://my-bucket/file.txt

# Presigned URL (15 min expiry)
aws s3 presign s3://my-bucket/file.txt \
  --expires-in 900

IAM

# Get current caller identity
aws sts get-caller-identity

# List roles
aws iam list-roles --query 'Roles[].RoleName'

# Get role trust policy
aws iam get-role --role-name my-role \
  --query 'Role.AssumeRolePolicyDocument'

# Attach managed policy to role
aws iam attach-role-policy \
  --role-name my-role \
  --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess

# Assume a role (get temporary credentials)
aws sts assume-role \
  --role-arn arn:aws:iam::123456789:role/my-role \
  --role-session-name my-session

EC2

# List running instances
aws ec2 describe-instances \
  --filters "Name=instance-state-name,Values=running" \
  --query 'Reservations[].Instances[].[InstanceId,InstanceType,PublicIpAddress]' \
  --output table

# Start / stop instance
aws ec2 start-instances --instance-ids i-1234567890abcdef0
aws ec2 stop-instances --instance-ids i-1234567890abcdef0

# Describe security groups
aws ec2 describe-security-groups \
  --filters "Name=group-name,Values=my-sg"

# Get latest Amazon Linux 2023 AMI
aws ec2 describe-images \
  --owners amazon \
  --filters "Name=name,Values=al2023-ami-*" \
  --query 'sort_by(Images,&CreationDate)[-1].ImageId'

SSM & Secrets

# SSM Session Manager (no SSH needed)
aws ssm start-session --target i-1234567890abcdef0

# Get SSM parameter
aws ssm get-parameter \
  --name /myapp/db-password --with-decryption \
  --query 'Parameter.Value' --output text

# Put SSM parameter (--overwrite required to update existing)
aws ssm put-parameter \
  --name /myapp/db-password \
  --value "secret" \
  --type SecureString \
  --overwrite

# Get Secrets Manager secret
aws secretsmanager get-secret-value \
  --secret-id my-secret \
  --query 'SecretString' --output text

Profiles & output

# Use a named profile
aws --profile staging s3 ls

# Set default profile
export AWS_PROFILE=staging

# Set default region
export AWS_DEFAULT_REGION=eu-west-1

# Output formats: json (default), yaml, table, text
aws ec2 describe-instances --output table
aws s3 ls --output text

# Query with JMESPath
aws ec2 describe-instances \
  --query 'Reservations[*].Instances[*].InstanceId' \
  --output text

# Update kubeconfig for a cluster aws eks update-kubeconfig \ --name my-cluster --region us-east-1 # List clusters aws eks list-clusters # Describe cluster (auth mode, version, endpoint) aws eks describe-cluster --name my-cluster # List node groups aws eks list-nodegroups --cluster-name my-cluster # Create access entry (API auth mode) aws eks create-access-entry \ --cluster-name my-cluster \ --principal-arn arn:aws:iam::123456789:role/my-role \ --type STANDARD # Associate access policy aws eks associate-access-policy \ --cluster-name my-cluster \ --principal-arn arn:aws:iam::123456789:role/my-role \ --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy \ --access-scope type=cluster

# Authenticate Docker to ECR aws ecr get-login-password --region us-east-1 \ | docker login --username AWS \ --password-stdin 123456789.dkr.ecr.us-east-1.amazonaws.com # Create a repository aws ecr create-repository --repository-name my-app # List repositories aws ecr describe-repositories # List images in a repo aws ecr list-images --repository-name my-app # Delete an image aws ecr batch-delete-image \ --repository-name my-app \ --image-ids imageTag=v1.0.0

# List buckets aws s3 ls # List objects in a bucket aws s3 ls s3://my-bucket/prefix/ # Copy file to S3 aws s3 cp ./file.txt s3://my-bucket/path/ # Sync directory to S3 aws s3 sync ./dist s3://my-bucket --delete # Download from S3 aws s3 cp s3://my-bucket/file.txt ./file.txt # Remove object aws s3 rm s3://my-bucket/file.txt # Presigned URL (15 min expiry) aws s3 presign s3://my-bucket/file.txt \ --expires-in 900

# Get current caller identity aws sts get-caller-identity # List roles aws iam list-roles --query 'Roles[].RoleName' # Get role trust policy aws iam get-role --role-name my-role \ --query 'Role.AssumeRolePolicyDocument' # Attach managed policy to role aws iam attach-role-policy \ --role-name my-role \ --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess # Assume a role (get temporary credentials) aws sts assume-role \ --role-arn arn:aws:iam::123456789:role/my-role \ --role-session-name my-session

# List running instances aws ec2 describe-instances \ --filters "Name=instance-state-name,Values=running" \ --query 'Reservations[].Instances[].[InstanceId,InstanceType,PublicIpAddress]' \ --output table # Start / stop instance aws ec2 start-instances --instance-ids i-1234567890abcdef0 aws ec2 stop-instances --instance-ids i-1234567890abcdef0 # Describe security groups aws ec2 describe-security-groups \ --filters "Name=group-name,Values=my-sg" # Get latest Amazon Linux 2023 AMI aws ec2 describe-images \ --owners amazon \ --filters "Name=name,Values=al2023-ami-*" \ --query 'sort_by(Images,&CreationDate)[-1].ImageId'

# SSM Session Manager (no SSH needed) aws ssm start-session --target i-1234567890abcdef0 # Get SSM parameter aws ssm get-parameter \ --name /myapp/db-password --with-decryption \ --query 'Parameter.Value' --output text # Put SSM parameter (--overwrite required to update existing) aws ssm put-parameter \ --name /myapp/db-password \ --value "secret" \ --type SecureString \ --overwrite # Get Secrets Manager secret aws secretsmanager get-secret-value \ --secret-id my-secret \ --query 'SecretString' --output text

# Use a named profile aws --profile staging s3 ls # Set default profile export AWS_PROFILE=staging # Set default region export AWS_DEFAULT_REGION=eu-west-1 # Output formats: json (default), yaml, table, text aws ec2 describe-instances --output table aws s3 ls --output text # Query with JMESPath aws ec2 describe-instances \ --query 'Reservations[*].Instances[*].InstanceId' \ --output text