AWS CLI Cheatsheet - RDS, AWS Backup , DMS, IAM, Security Token Service,KMS,EC2, DynamoDB,VPC,Aurora, Aurora Global,RESOURCEGROUPSTAGGINGAPI,DocumentDB,CloudTrail

15 September,2022 by Rambler

AWS CLI  commands and queries I use on a regular basis 

RDS CLI commands
AWS Backup CLI commands
AWS Database Management Service (DMS) CLI commands
Identity & Access Management (IAM) CLI commands
Security Token Service CLI commands
Key Management Service (KMS) CLI commands
EC2 CLI commands
DynamoDB CLI commands
VPC - Security Groups CLI commands
Aurora CLI commands
Aurora Global CLI commands
RESOURCEGROUPSTAGGINGAPI CLI commands
DocumentDB CLI commands
Cloudtrail CLI Commands
Route 53

 

 

--get the aws cli help pages  

aws help

--get the service command list , example for Database Management Service (DMS)

aws dms help

--get the current region

aws configure get region

RDS

--list all RDS instances 

aws rds describe-db-instances 

--List RDS instances whose engine starts with "aurora". Note: for pattern matching, backticks are required. These instances will be part of a DBCluster

aws rds describe-db-instances --query "DBInstances[?starts_with(Engine,'aurora')==`true`].DBInstanceIdentifier"

--List rds Instance with the postgres. Return DB InstanceIdentifier

aws rds describe-db-instances --query "DBInstances[?starts_with(Engine,'postgres')==`true`].DBInstanceIdentifier"

--List rds Instance with the mysql. Return DB InstanceIdentifier

aws rds describe-db-instances --query "DBInstances[?starts_with(Engine,'mysql')==`true`].DBInstanceIdentifier"

--List rds based  on the  DBInstanceIdentifier starting with a certain string

aws rds describe-db-instances --query "DBInstances[?starts_with(DBInstanceIdentifier,'MyValue')==`true`].DBInstanceIdentifier"

--list details for one RDS instance

aws rds describe-db-instances --db-instance-identifier <replace_with_my_rds_instance_name>

--list all RDS instances endpoints

aws rds describe-db-instances --query "DBInstances[].Endpoint[]"

--list the RDS DB Parameter Group Name for a specific RDS

aws rds describe-db-instances --db-instance-identifier <REPLACE_WITH_RDS_INSTANCE> --query "DBInstances[].{Name:DBParameterGroups[0].DBParameterGroupName}"

--Grab the rds.force_ssl value from the ParameterGroup associated with the RDS

aws rds describe-db-parameters --db-parameter-group-name <REPLACE_WITH_PARAMETER_GROUP> --query "Parameters[?ParameterName=='rds.force_ssl'].[ParameterName,ParameterValue]"

--Grab the ssl value from the ParameterGroup associated with the RDS

aws rds describe-db-parameters --db-parameter-group-name <REPLACE_WITH_PARAMETER_GROUP> --query "Parameters[?ParameterName=='ssl'].[ParameterName,ParameterValue]"

--list the RDS instance DBSubnet Group

aws rds describe-db-instances --db-instance-identifier <replace_rds_db_instance> --query "DBInstances[].DBSubnetGroup.DBSubnetGroupName" 

--list the VPC Security GroupId

aws rds describe-db-instances --db-instance-identifier <replace_rds_instance> --query "DBInstances[*].{ID:VpcSecurityGroups[0].VpcSecurityGroupId}" 

--list the DB Instance Class

aws rds describe-db-instances --db-instance-identifier <replace_rds_instance> --query "DBInstances[*].DBInstanceClass" 

--list the RDS MultiAZ status for a specific instance 

aws rds describe-db-instances --db-instance-identifier <replace_rds_instance> --query "DBInstances[*].MultiAZ" 

Convert Single-AZ AWS RDS to Multi-AZ

--list the RDS Secondary Availability Zone for a specific instance - if MultiAZ is used 

aws rds describe-db-instances --db-instance-identifier <replace_rds_instance> --query "DBInstances[*].SecondaryAvailabilityZone" 

--list the DB Instance Engine

aws rds describe-db-instances --db-instance-identifier <replace_rds_instance> --query "DBInstances[*].Engine" 

--list the DB KMS KeyId

aws rds describe-db-instances --db-instance-identifier <replace_with_rds_instance> --query "DBInstances[].KmsKeyId" 

--list the RDS Amazon Resource Name (ARN)

aws rds describe-db-instances --query "DBInstances[?DBInstanceIdentifier=='<replace_with_DBInstanceIdentifier>'].DBInstanceArn"

--list all RDS DBInstanceIdentifier and DBInstance ARN

aws rds describe-db-instances --query "DBInstances[*].[DBInstanceIdentifier,DBInstanceArn]"

--list RDS instance Endpoint & Port number for a specific RDS

aws rds describe-db-instances --query "DBInstances[?DBInstanceIdentifier=='<replace_with_DBInstanceIdentifier>'].Endpoint[]"

--list all RDS DBInstanceIdentifier & Status 

aws rds describe-db-instances --query "DBInstances[].[DBInstanceIdentifier,DBInstanceStatus] "

--list a single RDS DBInstanceIdentifier & Status 

aws rds describe-db-instances --db-instance-identifier <replace_with_rds_instance> --query "DBInstances[].[DBInstanceIdentifier,DBInstanceStatus] "

--start RDS instance 

aws rds start-db-instance --db-instance-identifier <replace_with_DBInstanceIdentifier>

--list the RDS VpcId of a single RDS Instance

aws rds describe-db-instances --db-instance-identifier <replace_rds_db_instance> --query "DBInstances[*].DBSubnetGroup.VpcId" --output text

--list all the DBParameterGroupName

aws rds describe-db-parameter-groups --query "DBParameterGroups[].DBParameterGroupName" 

--list all the DBSubnet group names

aws rds describe-db-subnet-groups  --query "DBSubnetGroups[].DBSubnetGroupName" 

--list the RDS DBSubnetGroupName 

aws rds describe-db-instances --db-instance-identifier  <replace_rds_db_instance> --query "DBInstances[].DBSubnetGroup.DBSubnetGroupName" --output text

--list the RDS tags 

aws rds list-tags-for-resource --resource-name <replace_with_resource_arn>

--add tags to an RDS instance

aws rds add-tags-to-resource --resource-name <replace_with_resource_arn> --tags "[{\"Key\": \"MyKey\",\"Value\": \"MyValue\"}]"

--modify RDS multi-AZ to true

 RDS modify Multi AZ to true

--List the AwsBackupRecoveryPointArn for an RDS Instance 

aws rds describe-db-instances --db-instance-identifier <replace_with_DBIdentifier> --query "DBInstances[].AwsBackupRecoveryPointArn"

--Enable automated backups for RDS

aws rds modify-db-instance --db-instance-identifier <replace_with_dbinstance identifier>   --backup-retention-period 3 --apply-immediately

--RDS Backup-LatestRestorableTime

aws rds describe-db-instances --db-instance-identifier <replace_with_DBIdentifier> --query "DBInstances[].LatestRestorableTime"

--View RDS automated backups 

aws rds describe-db-instance-automated-backups --db-instance-identifier  <replace_with_dbinstance identifier>

--Disable RDS automated backups 

aws rds modify-db-instance --db-instance-identifier <replace_with_dbinstance identifier>  --backup-retention-period 0 --apply-immediately

--Check if RDS automated backups are disabled.  backup retention = 0 and mydbinstance status is available

aws rds describe-db-instances --db-instance-identifier <replace_with_dbinstance identifier> --query "DBInstances[*].[DBInstanceIdentifier,DBInstanceStatus,BackupRetentionPeriod]"

--create RDS DB snapshot

aws rds create-db-snapshot --db-instance-identifier myRDS --db-snapshot-identifier myRDSsnapshotIdentifier

--List DBSnapshot details for a specific RDS Instance

aws rds describe-db-snapshots --query "DBSnapshots[?DBInstanceIdentifier=='<replace_with_resource_id>']"

--List DBSnapshot for a specific RDS , returning DBSnapshotIdentifier,SnapshotCreateTime,SnapshotType

aws rds describe-db-snapshots --db-instance-identifier <REPLACE_WITH_RDS_IDENTIFIER> --query "DBSnapshots[].[DBSnapshotIdentifier,SnapshotCreateTime,SnapshotType]"

--List the latest DBSnapshot for a specific RDS - returning the DBSnapshotIdentifier 

aws rds describe-db-snapshots --db-instance-identifier <REPLACE_WITH_RDS_IDENTIFIER> --query "sort_by(DBSnapshots, &SnapshotCreateTime)[-1].{id:DBSnapshotIdentifier,time:SnapshotCreateTime}"

--List Domain Membership 

aws rds describe-db-instances --db-instance-identifier <REPLACE_WITH_RDS_IDENTIFIER> --query "DBInstances[].[DomainMemberships]"

--check the current RDS Deletion Protection status , true or false

aws rds describe-db-instances --query "DBInstances[?DBInstanceIdentifier=='<REPLACE_WITH_RDS_IDENTIFIER>'].DeletionProtection"

--Disable deletion protection on an RDS Instance 

aws rds modify-db-instance --db-instance-identifier <REPLACE_WITH_RDS_IDENTIFIER> --no-deletion-protection

--Delete the RDS Instance 

aws rds delete-db-instance --db-instance-identifier <REPLACE_WITH_RDS_IDENTIFIER> --final-db-snapshot-identifier <REPLACE_WITH_RDS_FINAL_SNAP_NAME> 

--Delete the RDS Instance  (with --no-delete-automated-backups ) 

aws rds delete-db-instance --db-instance-identifier test-run-instance --final-db-snapshot-identifier test-run-instance230123 --no-delete-automated-backups

--To identify the supported engine & version combinations, execute the following command. Check --engine, --engine-version, --region

aws rds describe-orderable-db-instance-options --engine <replace_with_engine> --engine-version <replace_with_engine_version> --query "OrderableDBInstanceOptions[].{DBInstanceClass:DBInstanceClass,SupportedEngineModes:SupportedEngineModes[0]}" --output table --region <replace_with_region>

--Create RDS Read Replica  & Promote to a standalone RDS Instance

Manage Cross Region RDS Read Replicas with AWS CLI
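
--Added example (not part of the original post): the backup, deletion-protection, Multi-AZ and KMS lookups above combined into one pass that flags every instance with a weak setting. The finding labels, function names and sample rows are constructed for illustration; True/False/None is how --output text renders booleans and missing values.

```bash
#!/usr/bin/env bash
# Added example, not from the original cheatsheet.
# Flags RDS instances with automated backups disabled, deletion protection
# off, a single-AZ deployment, or no KMS key on the storage.

# One projection that collects fields the cheatsheet queries one at a time.
RDS_AUDIT_QUERY='DBInstances[].[DBInstanceIdentifier,BackupRetentionPeriod,DeletionProtection,MultiAZ,KmsKeyId]'

# audit_rds_rows: read tab-separated rows (the shape `--output text` emits
# for the projection above) on stdin and print "<instance>\t<FINDING>" for
# each problem. Finding names are labels made up for this example.
audit_rds_rows() {
  awk -F '\t' '
    NF == 0 { next }                                # skip blank lines
    NF != 5 { print $1 "\tMALFORMED_ROW"; next }    # never guess at short rows
    {
      id = $1
      if ($2 == "0" || $2 == "None") print id "\tAUTOMATED_BACKUPS_DISABLED"
      if ($3 != "True")              print id "\tDELETION_PROTECTION_OFF"
      if ($4 != "True")              print id "\tSINGLE_AZ"
      if ($5 == "None" || $5 == "")  print id "\tSTORAGE_NOT_KMS_ENCRYPTED"
    }'
}

# audit_rds_live: run the check against the current account and region.
audit_rds_live() {
  aws rds describe-db-instances --query "$RDS_AUDIT_QUERY" --output text \
    | audit_rds_rows
}

# sample_rows: constructed rows (not real resources) for an offline run.
# printf repeats the five-field format once per instance.
sample_rows() {
  printf '%s\t%s\t%s\t%s\t%s\n' \
    orders-prod 7 True  True  arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID \
    reports-dev 0 False False None \
    legacy-db   3 False True  None
}

# Nothing runs unless a mode is requested explicitly.
case "${1:-}" in
  --live)   audit_rds_live ;;
  --sample) sample_rows | audit_rds_rows ;;
esac
```

Run with --sample to see the findings for the constructed rows, or with --live once the CLI has read access to rds:DescribeDBInstances.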

AWS BACKUP SERVICE

--list all backup plans

aws backup list-backup-plans

--list all backup plans BackupPlanName only 

aws backup list-backup-plans --query "BackupPlansList[].BackupPlanName[]"

--list all backup plans BackupPlanName & BackupPlanID

aws backup list-backup-plans --query "BackupPlansList[].[BackupPlanName,BackupPlanId]"

--return metadata for a Backup Plan 

aws backup list-backup-selections --backup-plan-id <replace_with_backup_plan_id>

--return metadata of the resources associated with the backup plan. For example - Tags 

aws backup get-backup-selection --backup-plan-id <REPLACE_WITH_BACKUP_PLAN_ID> --selection-id <REPLACE_WITH_SELECTION_ID>

--Get Backup Rules for a specific  Backup Plan - Rules, EnableContinuousBackup,TargetBackupvaultName,Lifecycle

aws backup get-backup-plan --backup-plan-id "<replace_with_backup_plan_id>"

--list resources selection for a backup plan 

aws backup list-backup-selections --backup-plan-id "<replace_with_backup_plan_id>"

--get tags for a backup selection i.e resources assignment

aws backup get-backup-selection --backup-plan-id "<replace_with_backup_plan_id>"  --selection-id "<replace_with_selection_id>"

--delete a Backup Plan (delete resource assignment , delete backup plan)

# Step 1 : Delete backup selection
aws backup delete-backup-selection --backup-plan-id "989898988" --selection-id "89879879877"

# Step 2 : Delete backup plan
aws backup delete-backup-plan --backup-plan-id "989898988"

--Create an on-demand backup of RDS 

aws backup start-backup-job --backup-vault-name Default --resource-arn <replace_with_DBInstanceARN> --iam-role-arn xxxxxxxxxxxxxxxxxxxxxxxx 

--List protected resources

aws backup list-protected-resources 

--List protected resources , filtering for a specific resource type, - in this example I'm filtering on  RDS

aws backup list-protected-resources --query "Results[?ResourceType=='RDS']"

aws backup list-protected-resources --query "Results[?ResourceType=='DynamoDB']"

--List protected resources , filtering for a wildcard search on ResourceArn 

aws backup list-protected-resources --query "Results[?contains(ResourceArn,'<REPLACE_WITH_RESOURCE_NAME>')]"

--List Recovery Points based on Backup Vault, for a specific Resource and "continuous" in the RecoveryPointArn

aws backup list-recovery-points-by-backup-vault --backup-vault-name <REPLACE_WITH_BACKUP_VAULT> --query "RecoveryPoints[?ResourceArn=='<REPLACE_WITH_RDS_INSTANCE_NAME>' && Status=='AVAILABLE' && contains(RecoveryPointArn,'continuous')]"

--List all Recovery Points based on Backup Vault

aws backup list-recovery-points-by-backup-vault --backup-vault-name <REPLACE_WITH_BACKUP_VAULT> --query "RecoveryPoints[].[RecoveryPointArn,ResourceArn,CreationDate,CompletionDate,ResourceType,StatusMessage,Status]"

--List all Recovery Points based on Backup Vault for DynamoDB for a specific date range

aws backup list-recovery-points-by-backup-vault --backup-vault-name <REPLACE_WITH_BACKUP_VAULT> --query "RecoveryPoints[?ResourceType=='DynamoDB' && SourceBackupVaultArn==null ].[ResourceName,CreationDate]" --by-created-after "2024-04-19T00:00:01+01:00" --by-created-before "2024-04-19T23:59:59+01:00" 

 

--Create a backup 

aws backup start-backup-job --backup-vault-name Default --resource-arn <replace_with_targeted_resource_arn> --iam-role-arn <replace_with_valid_iam_role>

-- Restore: Create a new DB instance from the DB snapshot , this process requires a few steps so added link to another post

How do I restore my AWS RDS? aws backup start-restore-job example

--Monitor currently RUNNING Restore Jobs 

aws backup list-restore-jobs --by-status RUNNING

--List COMPLETED backup jobs for a specific RESOURCE based on ResourceArn

aws backup list-backup-jobs --by-state COMPLETED --query "BackupJobs[?ResourceArn == '<replace_with_RDS_Resource_ARN>'].[ResourceType,CompletionDate,RecoveryPointArn]"

--List COMPLETED backup jobs for a specific RESOURCE based on ResourceName

aws backup list-backup-jobs --by-state COMPLETED --query "BackupJobs[?ResourceName == '<replace_with_resource_name>'].[CompletionDate,RecoveryPointArn]"

--List Backup  Jobs including AccountId,BackupVaultName, State , ResourceType,IamRoleArn ,StatusMessage, by default will be the last 30 days 

aws backup list-backup-jobs --query "BackupJobs[*].[AccountId,CompletionDate,BackupVaultName, State , ResourceType,IamRoleArn ,StatusMessage]"

--List Backup  Jobs including by resource type ,  by backup-vault-name after a certain date 

aws backup list-backup-jobs --query "BackupJobs[].[ResourceArn,CompletionDate]" --by-backup-vault-name MyBackupVault --by-resource-type DynamoDB --by-complete-after 2024-09-23T18:58:58.035000+01:00

--List FAILED Backup Jobs 

aws backup list-backup-jobs --by-state FAILED

--List Backup Vaults 

aws backup list-backup-vaults

--View resource tags for resources in AWS Backup 

 How to view resource tags in AWS Backup using list-tags

Database Management Service (DMS)

 

--list subnet group configuration for DMS

aws dms describe-replication-subnet-groups

--list replication instances

aws dms describe-replication-instances

--Check status and version 

aws dms describe-replication-instances --query "ReplicationInstances[?ReplicationInstanceIdentifier=='ReplicationInstance'].[ReplicationInstanceIdentifier,ReplicationInstanceStatus,EngineVersion]"

--List all Replication Instances, ReplicationInstanceArn and associated EngineVersion

aws dms describe-replication-instances --query "ReplicationInstances[].[ReplicationInstanceIdentifier,ReplicationInstanceArn,EngineVersion]"

--Modify the Replication Instance Engine Version. This will cause an outage, via apply-immediately. Check there are no jobs running on the Replication Instance

aws dms modify-replication-instance --replication-instance-arn <REPLACE_WITH_REPLICATION_INSTANCE_ARN> --engine-version <REPLACE_WITH_ENGINE_VERSION> --allow-major-version-upgrade --apply-immediately

--list DMS replication tasks - display only the task name (identifier) & the  ReplicationTaskArn

aws dms describe-replication-tasks --query "ReplicationTasks[*].[ReplicationTaskIdentifier,ReplicationTaskArn]"

 

--start a DMS replication task - first time (start-replication)

aws dms start-replication-task --replication-task-arn <replace_with_replication_task_arn> --start-replication-task-type start-replication

--restart a DMS replication task - (reload-target)

aws dms start-replication-task --replication-task-arn <replace_with_replication_task_arn> --start-replication-task-type reload-target

--list Endpoints - Endpoint name

aws dms describe-endpoints --query "Endpoints[].EndpointIdentifier[]"

--get Replication Instance Class
aws dms describe-replication-instances --query "ReplicationInstances[?ReplicationInstanceIdentifier=='<myReplicationInstance>'].ReplicationInstanceClass" --output table

--get Replication Storage
aws dms describe-replication-instances --query "ReplicationInstances[?ReplicationInstanceIdentifier=='<myReplicationInstance>'].AllocatedStorage" --output table

--get MultiAZ status
aws dms describe-replication-instances --query "ReplicationInstances[?ReplicationInstanceIdentifier=='<myReplicationInstance>'].MultiAZ" --output table

Identity & Access Management (IAM)

 

--Validate the user's permission on the SecretAccessRole using the IAM get-role command.

aws iam get-role --role-name ROLE_NAME

--Validate the user's permission on the secret using the Secrets Manager describe-secret command.

aws secretsmanager describe-secret --secret-id <SECRET_NAME_OR_SECRET_ARN> --region=REGION_NAME

--Get the secret value 

 Get secret value from AWS Secrets Manager

--List policies limited to customer-managed 

aws iam list-policies --scope Local

--Get the role details 

aws iam get-role --role-name <replace_with_role_name>

--Get attached policies to a specific Role

aws iam list-attached-role-policies --role-name <replace_with_role_name>

--Get inline policies attached to a ROLE

aws iam list-role-policies --role-name <replace_with_iam_role>

--get the details of the policy  . Note: will need the policy ARN, get from list-attached-role-policies

aws iam get-policy --policy-arn <replace_with_policy_ARN>

 

--create a policy. Need a prepared policy file to place in a .json file

aws iam create-policy --policy-name <replace_with_a_policy_name>  --policy-document file://location.json

--delete a policy . Need the policy arn - use Get the ARN value of the policy created 

aws iam delete-policy --policy-arn arn:aws:iam::123456789012:policy/MySamplePolicy

--Get the ARN value of the policy created 
aws iam list-policies --query "Policies[?PolicyName=='my-policy-name'].Arn" --output text

--Create the IAM role and attach the trust relationship. The trust relationship needs to be placed in a .json file

aws iam create-role --role-name MY_ROLE_NAME --assume-role-policy-document file://assume_role_policy_document.json

--Add an inline policy to an existing Role (put-role-policy embeds the policy document in the role; managed policies are attached with attach-role-policy)

aws iam put-role-policy --role-name <replace_with_role_name> --policy-name <replace_with_policy> --policy-document file://location.json

--Get the ARN of a Role

aws iam list-roles --query "Roles[?RoleName=='my-role'].Arn" --output text

--Create an IAM Role ARN dynamically. Need jq installed

aws sts get-caller-identity | jq -r --arg prefix "arn:aws:iam::" --arg suffix ":role/<replace_with_role_name>" ". = $prefix + .Account + $suffix"

--Detach a policy from an IAM role 

aws iam detach-role-policy --role-name <my_iam_role> --policy-arn <replace_with_policy_arn>

--Delete inline policy 

aws iam delete-role-policy --role-name <replace_with_role_name> --policy-name <replace_with_policy_name>

Security Token Service

--To get details about the current IAM identity

aws sts get-caller-identity

--To switch role access with aws cli 

Switch role access with aws-cli

Key Management Service (KMS)

 

--List all the aws encryption key ARN, returns KeyID & KeyArn

aws kms list-keys

--Lists all aliases in the caller's Amazon Web Services account and region.Includes returning the TargetKeyID

aws kms list-aliases

--Return a list of identifiers within a certain Region

aws kms list-aliases --region us-east-1 --query "Aliases[*].TargetKeyId"

--Use the KMS alias name , this command will return details of an alias e.g aws/secretsmanager .
aws kms list-aliases --region us-east-1 --query "Aliases[?contains(AliasName,'aws/secretsmanager')]"

--KMS describe-key ,In this example using key-id “alias/aws/secretsmanager” as an example. replace key-id with relevant key 
aws kms describe-key --key-id alias/aws/secretsmanager --query "KeyMetadata.Arn"

--KMS disable-key 

aws kms disable-key --key-id <REPLACE_WITH_VALID_KEY_ARN>

--KMS enable-key 

aws kms enable-key --key-id <REPLACE_WITH_VALID_KEY_ARN>

EC2

--List VPCId of current logged on Account

aws ec2 describe-vpcs --query "Vpcs[*].{VpcId:VpcId}" --output text

--List  VPC ID, CIDR Block and Name  of ALL the VPCs in an account

aws ec2 describe-vpcs --query "Vpcs[*].{VpcId:VpcId,Name:Tags[?Key=='Name'].Value|[0],CidrBlock:CidrBlock}" --output text

--List  VPC ID, CIDR Block and Name  of  a specific VPC in an account

aws ec2 describe-vpcs --query "Vpcs[?VpcId=='<replace_with_vpc_id>'].{VpcId:VpcId,Name:Tags[?Key=='Name'].Value|[0],CidrBlock:CidrBlock}"

--List all availability zone names only

aws ec2 describe-availability-zones --query "AvailabilityZones[*].ZoneName" 

DynamoDB

--Dynamodb list  tables 

aws dynamodb list-tables

--Get Table ARN for a DynamoDB table 

aws dynamodb describe-table --table-name <replace_with_table_name> --query Table.TableArn

--List tags of resource 

aws dynamodb list-tags-of-resource --resource-arn <replace_with_resource_arn>

--Adding tags to a DynamoDB table

aws dynamodb tag-resource --resource-arn <replace_with_resource_arn> --tags Key=MyKey,Value=MyValue

--Get the Time-to-Live settings

aws dynamodb describe-time-to-live --table-name myTblName --query TimeToLiveDescription.[TimeToLiveStatus,AttributeName]

--Get the DynamoDB table KMS Key status 

aws dynamodb describe-table --table-name <replace_with_dynamodb_table> --query Table.SSEDescription

--Get the DynamoDB GlobalTableVersion 

-- Version 2019.11.21 (Current) & --2017.11.29 (Legacy)

aws dynamodb describe-table --table-name <replace_with_dynamodb_table> --query Table.GlobalTableVersion 

 

--Get the DynamoDB table Status 

aws dynamodb describe-table --table-name <replace_with_dynamodb_table> --query Table.TableStatus

--Adding to Time to Live   

aws dynamodb update-time-to-live --table-name <REPLACE_WITH_TABLE_NAME> --time-to-live-specification "Enabled=true, AttributeName=<replace_with_attribute_name>"

--Check Continuous backup  & PointInTimeRecoveryStatus of a DynamoDB table

aws dynamodb describe-continuous-backups --table-name <replace_with_Table_name>

--Get the  backup-arn from the List of backups . As the backup is a local snapshot , so the backup Type is USER. Make a note of the BackupArn

aws dynamodb list-backups --table-name <REPLACE_WITH_TABLE_NAME> --backup-type USER --region <replace_with_region>

--Get the  backup-arn from the List of backups . Backup Type = System. Make a note of the BackupArn

aws dynamodb list-backups --table-name <REPLACE_WITH_TABLE_NAME> --backup-type SYSTEM --region <replace_with_region>

--Get the DynamoDB Point-in-time recovery settings

aws dynamodb describe-continuous-backups --table-name myTblName --query ContinuousBackupsDescription.PointInTimeRecoveryDescription.PointInTimeRecoveryStatus

--Enable Point in Time Recovery on a DynamoDB table

aws dynamodb update-continuous-backups --table-name <replace_with_Table_name> --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true

--Restore DynamoDB to the latest Point In Time 

aws dynamodb restore-table-to-point-in-time --source-table-name <replace_with_source_Table_name> --target-table-name <replace_with_target_Table_name>  --use-latest-restorable-time

--DynamoDB Backup & Restore

Amazon DynamoDB Backup & Restore

--Delete  DynamoDB table . Note: If this is a Global Table and version 2019.11.21 the replica won't be deleted 

aws dynamodb delete-table --table-name <replace_with_dynamodb_table_name>

--Delete a Global DynamoDB table version 2019.11.21 

How to delete a Global DynamoDB table

VPC - Security Groups 

--get the vpcid for the target

 

--Describe security Groups for a specific security group

aws ec2 describe-security-groups --group-ids sg-903004f9

--Create a new security group in a specific VPC

aws ec2 create-security-group --group-name <replace_with_group_name> --description "rules for SQL Server" --vpc-id  <replace_with_vpc_id>

--Add a Name tag to the Security Group 

aws ec2 create-tags --resources <replace_with_security_group> --tags Key=Name,Value=<replace_with_security_group_name_tag>

--Create an ingress rule and associate with a security group

aws ec2 authorize-security-group-ingress --group-id <replace_with_security_group> --protocol <place_protocol_eg_tcp> --port <place_port_number> --cidr  <ip_range>

--Delete security group

aws ec2 delete-security-group --group-id  <security_group_id>

--Putting it all together to create a security group

How do I create a security group in AWS command line?

 

 

AURORA

--List all the Aurora DBClusters - with some extra details 

aws rds describe-db-clusters --query "DBClusters[?contains(Engine,'aurora')].[DBClusterIdentifier]"

--Get the ARN for the Cluster 

aws rds describe-db-clusters --db-cluster-identifier <REPLACE_WITH_CLUSTER_NAME> --query "*[].{DBClusterArn:DBClusterArn}" --output text

--Get the status of the Aurora Cluster

aws rds describe-db-clusters --db-cluster-identifier <REPLACE_WITH_CLUSTER_NAME>  --query "*[].Status" --output text

--Get the Backtracking window of the Aurora Cluster 

aws rds describe-db-clusters --db-cluster-identifier <REPLACE_WITH_CLUSTER_NAME>  --query "*[].BacktrackWindow" --output text

--List the endpoints of a specific  Aurora Cluster 

aws rds describe-db-clusters --db-cluster-identifier  <REPLACE_WITH_CLUSTER_NAME> --query "*[].{Endpoint:Endpoint,ReaderEndpoint:ReaderEndpoint,CustomEndpoints:CustomEndpoints}"

--List the endpoints of a all  Aurora Clusters

aws rds describe-db-clusters  --query "*[].{Endpoint:Endpoint,ReaderEndpoint:ReaderEndpoint,CustomEndpoints:CustomEndpoints}"

--List the AwsBackupRecoveryPointArn of an Aurora Cluster if it has an AWS Backup Continuous Backup 

aws rds describe-db-clusters --db-cluster-identifier <REPLACE_WITH_CLUSTER_NAME> --query "DBClusters[].AwsBackupRecoveryPointArn"

--List the tags for all Aurora DBClusters 

aws rds describe-db-clusters --query "DBClusters[?contains(Engine,'aurora')].[DBClusterIdentifier,TagList]"

--list the Aurora Cluster DBSubnetGroupName

aws rds describe-db-clusters --db-cluster-identifier <REPLACE_WITH_CLUSTER_NAME> --query "DBClusters[].DBSubnetGroup" --output text

--list the VPC Security GroupId

aws rds describe-db-clusters --db-cluster-identifier <REPLACE_WITH_CLUSTER_NAME> --query "DBClusters[*].{ID:VpcSecurityGroups[0].VpcSecurityGroupId}" --output text

--list the DBClusterParameterGroup

aws rds describe-db-clusters --db-cluster-identifier  <REPLACE_WITH_CLUSTER_NAME> --query "DBClusters[*].DBClusterParameterGroup" --output text

--Get the Writer and Reader Instances of the Cluster

aws rds describe-db-clusters --db-cluster-identifier babelfish-poc --query "DBClusters[*].{ID:DBClusterMembers[*].[DBInstanceIdentifier,IsClusterWriter]}"

--Get the Aurora KMS Primary Cluster Key Id 

aws rds describe-db-clusters --db-cluster-identifier my-cluster-prim --query "DBClusters[*].KmsKeyId" --output text

--Add tags to a Resource 

aws rds add-tags-to-resource --resource-name <REPLACE_WITH_CLUSTER_ARN> --tags Key=mykey,Value=myvalue 

--View Aurora Earliest Restorable time & Latest restore time for Restore

aws rds describe-db-clusters --db-cluster-identifier <REPLACE_WITH_DBCLUSTER_ID> --query "DBClusters[*].[DBClusterIdentifier,EarliestRestorableTime,LatestRestorableTime]"

--Get the Aurora Cluster Port 

aws rds describe-db-clusters --db-cluster-identifier my-cluster-prim --query "DBClusters[*].Port"

--Get the AWS Backup Recovery Point ARN - i.e when AWS Backup is managing the Point in Time Recovery Backup 

aws rds describe-db-cluster-automated-backups --db-cluster-identifier  <replace_with_dbcluster_id> --query "DBClusterAutomatedBackups[*].AwsBackupRecoveryPointArn"

--Create a DB cluster snapshot 

aws rds create-db-cluster-snapshot --db-cluster-identifier <REPLACE_WITH_DB_CLUSTER> --db-cluster-snapshot-identifier <REPLACE_WITH_SNAPSHOT_IDENTIFIER>

--Add a Read replica to an existing DB Cluster

aws rds create-db-instance --db-instance-identifier <REPLACE_WITH_NEW_READ_REPLICA_NAME> --db-cluster-identifier <REPLACE_WITH_CLUSTER_NAME> --engine <REPLACE_WITH_ENGINE> --db-instance-class <REPLACE_WITH_INSTANCE_CLASS e.g  db.r5.large> --availability-zone <EXAMPLE_us-east-1c>

--Failover the  database in a Cluster . This will failover the existing Writer Cluster to  an RDS Read Replica 

aws rds failover-db-cluster --db-cluster-identifier  <REPLACE_WITH_CLUSTER_NAME> 

--Disable deletion protection on an Aurora Cluster  

aws rds modify-db-cluster --db-cluster-identifier <REPLACE_WITH_CLUSTER_NAME> --no-deletion-protection

--Delete the Aurora Cluster 

aws rds delete-db-cluster --db-cluster-identifier <REPLACE_WITH_CLUSTER_NAME> --no-skip-final-snapshot --final-db-snapshot-identifier <REPLACE_WITH_CLUSTER_NAME_FINAL-SNAPSHOT_NAME>

***Note : You may get this error message : Be sure to delete all instances associated with the cluster before you delete the cluster.

--Delete an instance related to the Aurora Cluster 

aws rds delete-db-instance --db-instance-identifier <REPLACE_WITH_THE_IDENTIFIER>

AURORA GLOBAL

--list all Aurora Global Cluster  returning  GlobalClusterIdentifier,Engine,EngineVersion,DatabaseName,StorageEncrypted,Status,DeletionProtection

aws rds describe-global-clusters --query "GlobalClusters[*].[GlobalClusterIdentifier,Engine,EngineVersion,DatabaseName,StorageEncrypted,Status,DeletionProtection]"

--Get details for a single Aurora Global Cluster 

aws rds describe-global-clusters --global-cluster-identifier <replace_with_global_cluster_identifier> 

--Get the Aurora Global Cluster members

aws rds describe-global-clusters --global-cluster-identifier <replace_with_global_cluster_identifier> --query "GlobalClusters[*].{ID:GlobalClusterMembers[*].[DBClusterArn,IsWriter]}"

--Remove Primary Cluster from a Global Cluster 

aws rds --region primary_region remove-from-global-cluster --db-cluster-identifier primary_cluster_ARN --global-cluster-identifier global_database_id

--Create a new Global Cluster with an existing Primary Cluster 

aws rds create-global-cluster --global-cluster-identifier  <NEW_GLOBAL_IDENTIFIER> --source-db-cluster-identifier <replace_with_source_db_cluster_ARN>

--SwitchOver Global Cluster - used for planned failovers 

aws rds --region <replace_with_primary_region> switchover-global-cluster --global-cluster-identifier  <REPLACE_WITH_GLOBAL_IDENTIFIER> --target-db-cluster-identifier  <REPLACE_WITH_arn_of_secondary_to_promote>

 

--Failover Global Cluster - used for unplanned failovers 

aws rds --region <replace_region_of_selected_secondary> failover-global-cluster --global-cluster-identifier <replace_global_database_id> --target-db-cluster-identifier <replace_arn_of_secondary_to_promote> --allow-data-loss

RESOURCEGROUPSTAGGINGAPI

--list out all resources defined as RDS db, in preparation for tagging. Other resource-type-filter: rds:cluster

-- there is an issue with returning resources that have no tags

aws resourcegroupstaggingapi get-resources --resource-type-filters rds:db --query "ResourceTagMappingList[*].ResourceARN" --output table

 

--list out all resources with a specific : Key & Value   combination.

aws resourcegroupstaggingapi get-resources --tag-filters Key=MyKey,Values=MyValue --query "ResourceTagMappingList[*].ResourceARN"

aws resourcegroupstaggingapi get-resources --tag-filters Key=MyBackupTag,Values=MyBackupValue --query "ResourceTagMappingList[*].ResourceARN" --resource-type-filters dynamodb:table

--tag the resources listed in --resource-arn-list with the defined Key\Value pairing

aws resourcegroupstaggingapi tag-resources --resource-arn-list "arn:1" "arn:2" --tags MyKey=MyValue

 

DocumentDB

--List DocumentDB Clusters with full description

aws docdb describe-db-clusters --query "DBClusters[?Engine=='docdb']"

--List DocumentDB Clusters with DBCluster Name 

aws docdb describe-db-clusters --query "DBClusters[?Engine=='docdb'].[DBClusterIdentifier]"

--Get ResourceArn of a DocumentDB Cluster 

aws docdb describe-db-clusters --db-cluster-identifier <replace_with_cluster_id> --query "DBClusters[].DBClusterArn"

--List tags for the DocumentDB DBCluster 

aws docdb list-tags-for-resource --resource-name <replace_with_resource_arn>

--Add tags to DocumentDB resource 

aws docdb add-tags-to-resource --resource-name <replace_with_resource_arn>  --tags Key="MyKey",Value="MyValue"

--Cluster Members (Readers & Writers) 

aws docdb describe-db-clusters --db-cluster-identifier   <replace_with_DBCluster_name> --query "DBClusters[].DBClusterMembers[].[DBInstanceIdentifier,IsClusterWriter]"

--List DocDB DBSubnetGroup 

aws docdb describe-db-clusters --db-cluster-identifier <replace_with_DBCluster_name> --query "DBClusters[].DBSubnetGroup" --output text

--Get the Docdb cluster : EarliestRestorableTime  & LatestRestorableTime - Useful for Point-In-Time-Recovery restore 

 aws docdb describe-db-clusters --db-cluster-identifier <replace_with_dbcluster_id>  --query "DBClusters[*].[EarliestRestorableTime,LatestRestorableTime]"

Cloudtrail

 How do I search logs in CloudTrail for a KMS key?

--Look for Aurora DB Deleted DB Clusters in Cloudtrail 

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=DeleteDBCluster

Route 53

How to create a CNAME record for a Route 53 Domain


Author: Rambler (http://www.dba-ninja.com)

