AWS CLI Cheatsheet

15 September 2022, by Rambler

AWS CLI commands and queries I use on a regular basis.



--get the AWS CLI help pages

aws help

--get the command list for a service; this example uses Database Migration Service (DMS)

aws dms help


--list all RDS instances 

aws rds describe-db-instances 

--List RDS instances whose Engine starts with "aurora". Note: JMESPath literals such as true need backticks, and inside a double-quoted shell string the backticks must be escaped (\`) so the shell does not treat them as command substitution

aws rds describe-db-instances --query "DBInstances[?starts_with(Engine,'aurora')==\`true\`].DBInstanceIdentifier"

--list details for one RDS instance

aws rds describe-db-instances --db-instance-identifier <replace_with_my_rds_instance_name>

--list the endpoints of all RDS instances

aws rds describe-db-instances --query "DBInstances[].Endpoint[]"

--list the RDS Amazon Resource Name (ARN)

aws rds describe-db-instances --query "DBInstances[?DBInstanceIdentifier=='<replace_with_DBInstanceIdentifier>'].DBInstanceArn"

--list all RDS DBInstanceIdentifier and DBInstance ARN

aws rds describe-db-instances --query "DBInstances[*].[DBInstanceIdentifier,DBInstanceArn]"

--list the Endpoint address & Port number for a specific RDS instance.

aws rds describe-db-instances --query "DBInstances[?DBInstanceIdentifier=='<replace_with_DBInstanceIdentifier>'].Endpoint[]"

--list all RDS DBInstanceIdentifier & Status 

aws rds describe-db-instances --query "DBInstances[].[DBInstanceIdentifier,DBInstanceStatus] "

--start RDS instance 

aws rds start-db-instance --db-instance-identifier <replace_with_DBInstanceIdentifier>

--list the VpcId of a single RDS instance

aws rds describe-db-instances --query "DBInstances[*].DBSubnetGroup.VpcId" --db-instance-identifier <replace_rds_db_instance> --output text

--list the RDS DBSubnetGroupName 

aws rds describe-db-instances --db-instance-identifier  <replace_rds_db_instance> --query "DBInstances[].DBSubnetGroup.DBSubnetGroupName" --output text

--add tags to an RDS instance

aws rds add-tags-to-resource --resource-name <replace_with_resource_arn> --tags "[{\"Key\": \"MyKey\",\"Value\": \"MyValue\"}]"

--Enable automated backups for RDS

aws rds modify-db-instance --db-instance-identifier <replace_with_dbinstance_identifier> --backup-retention-period 3 --apply-immediately

--View RDS automated backups 

aws rds describe-db-instance-automated-backups --db-instance-identifier <replace_with_dbinstance_identifier>

--Disable RDS automated backups (setting the retention period to 0 also deletes the existing automated backups for the instance)

aws rds modify-db-instance --db-instance-identifier <replace_with_dbinstance_identifier> --backup-retention-period 0 --apply-immediately

--Check whether RDS automated backups are disabled: BackupRetentionPeriod is 0 and the instance status is available

aws rds describe-db-instances --db-instance-identifier <replace_with_dbinstance_identifier> --query "DBInstances[*].[DBInstanceIdentifier,DBInstanceStatus,BackupRetentionPeriod]"

--create RDS DB snapshot

aws rds create-db-snapshot --db-instance-identifier myRDS --db-snapshot-identifier myRDSsnapshotIdentifier

--List DBSnapshot details for a specific RDS instance

aws rds describe-db-snapshots --query "DBSnapshots[?DBInstanceIdentifier=='<replace_with_DBInstanceIdentifier>']"

--List DBSnapshot for a specific RDS , returning DBSnapshotIdentifier,SnapshotCreateTime,SnapshotType

aws rds describe-db-snapshots --db-instance-identifier <REPLACE_WITH_RDS_IDENTIFIER> --query "DBSnapshots[].[DBSnapshotIdentifier,SnapshotCreateTime,SnapshotType]"

--List the latest DBSnapshot for a specific RDS - returning the DBSnapshotIdentifier 

aws rds describe-db-snapshots --db-instance-identifier <REPLACE_WITH_RDS_IDENTIFIER> --query "sort_by(DBSnapshots, &SnapshotCreateTime)[-1].{id:DBSnapshotIdentifier,time:SnapshotCreateTime}"

--List Domain Membership 

aws rds describe-db-instances --db-instance-identifier <REPLACE_WITH_RDS_IDENTIFIER> --query "DBInstances[].[DomainMemberships]"

--check the current RDS DeletionProtection status (true or false)

aws rds describe-db-instances --query "DBInstances[?DBInstanceIdentifier=='<REPLACE_WITH_RDS_IDENTIFIER>'].DeletionProtection"

--Disable deletion protection on an RDS Instance 

aws rds modify-db-instance --db-instance-identifier <REPLACE_WITH_RDS_IDENTIFIER> --no-deletion-protection

--Delete the RDS Instance 

aws rds delete-db-instance --db-instance-identifier <REPLACE_WITH_RDS_IDENTIFIER> --final-db-snapshot-identifier <REPLACE_WITH_RDS_FINAL_SNAP_NAME> 

--Delete the RDS Instance  (with --no-delete-automated-backups ) 

aws rds delete-db-instance --db-instance-identifier test-run-instance --final-db-snapshot-identifier test-run-instance230123 --no-delete-automated-backups

--To identify the supported engine, version and instance-class combinations, run the following command. Set --engine, --engine-version and --region

aws rds describe-orderable-db-instance-options --engine <replace_with_engine> --engine-version <replace_with_engine_version> --query "OrderableDBInstanceOptions[].{DBInstanceClass:DBInstanceClass,SupportedEngineModes:SupportedEngineModes[0]}" --output table --region <replace_with_region>


--list all backup plans

aws backup list-backup-plans

--list all backup plans BackupPlanName only 

aws backup list-backup-plans --query "BackupPlansList[].BackupPlanName[]"

--list all backup plans BackupPlanName & BackupPlanID

aws backup list-backup-plans --query "BackupPlansList[].[BackupPlanName,BackupPlanId]"

--list the resource selections (assignment metadata) of a Backup Plan

aws backup list-backup-selections --backup-plan-id <replace_with_backup_plan_id>

--return metadata of the resources associated with the backup plan. For example - Tags 

aws backup get-backup-selection --backup-plan-id <REPLACE_WITH_BACKUP_PLAN_ID> --selection-id <REPLACE_WITH_SELECTION_ID>

--Get the Backup Rules of a specific Backup Plan: Rules, EnableContinuousBackup, TargetBackupVaultName, Lifecycle

aws backup get-backup-plan --backup-plan-id "<replace_with_backup_plan_id>"

--list resources selection for a backup plan 

aws backup list-backup-selections --backup-plan-id "<replace_with_backup_plan_id>"

--get the tags of a backup selection, i.e. the resource assignment

aws backup get-backup-selection --backup-plan-id "<replace_with_backup_plan_id>"  --selection-id "<replace_with_selection_id>"

--delete a Backup Plan (first delete each resource assignment, then delete the backup plan)

# Step 1 : Delete backup selection
aws backup delete-backup-selection --backup-plan-id "989898988" --selection-id "89879879877"

# Step 2 : Delete backup plan
aws backup delete-backup-plan --backup-plan-id "989898988"

--Create an on-demand backup of an RDS instance (the IAM role must be one AWS Backup is allowed to assume for this resource type)

aws backup start-backup-job --backup-vault-name Default --resource-arn <replace_with_DBInstanceARN> --iam-role-arn <replace_with_backup_iam_role_arn>

--List protected resources

aws backup list-protected-resources 

--List protected resources filtered by resource type; the examples below filter on RDS and DynamoDB

aws backup list-protected-resources --query "Results[?ResourceType=='RDS']"

aws backup list-protected-resources --query "Results[?ResourceType=='DynamoDB']"


--Create a backup 

aws backup start-backup-job --backup-vault-name Default --resource-arn <replace_with_targeted_resource_arn> --iam-role-arn <replace_with_valid_iam_role>

--Restore: create a new DB instance from the DB snapshot. This takes several steps, so see the linked post:

How do I restore my AWS RDS? aws backup start-restore-job example

--Monitor currently RUNNING Restore Jobs 

aws backup list-restore-jobs --by-status RUNNING

--List COMPLETED backup jobs for a specific resource

aws backup list-backup-jobs --by-state COMPLETED --query "BackupJobs[?ResourceArn == '<replace_with_RDS_Resource_ARN>'].[ResourceType,CompletionDate,RecoveryPointArn]"


--List backup jobs with AccountId, CompletionDate, BackupVaultName, State, ResourceType, IamRoleArn and StatusMessage; by default only the last 30 days are returned

aws backup list-backup-jobs --query "BackupJobs[*].[AccountId,CompletionDate,BackupVaultName, State , ResourceType,IamRoleArn ,StatusMessage]"

--List FAILED Backup Jobs 

aws backup list-backup-jobs --by-state FAILED

--List Backup Vaults 

aws backup list-backup-vaults


Database Migration Service (DMS)


--list subnet group configuration for DMS

aws dms describe-replication-subnet-groups

--list replication instances

aws dms describe-replication-instances

--list DMS replication tasks, showing only the task identifier and the ReplicationTaskArn

aws dms describe-replication-tasks --query "ReplicationTasks[*].[ReplicationTaskIdentifier,ReplicationTaskArn]"

--start a DMS replication task - first time (start-replication)

aws dms start-replication-task --replication-task-arn <replace_with_replication_task_arn> --start-replication-task-type start-replication

--restart a DMS replication task - (reload-target)

aws dms start-replication-task --replication-task-arn <replace_with_replication_task_arn> --start-replication-task-type reload-target

--list Endpoints - Endpoint name

aws dms describe-endpoints --query "Endpoints[].EndpointIdentifier[]"

Identity & Access Management (IAM)


--Validate the user's permission on the SecretAccessRole using the IAM get-role command.

aws iam get-role --role-name ROLE_NAME

--Validate the user's permission on the secret using Secrets Manager describe-secret. This returns only the secret's metadata, never its value, so it needs just the DescribeSecret permission
aws secretsmanager describe-secret --secret-id <SECRET_NAME_or_SECRET_ARN> --region REGION_NAME

--List policies limited to customer-managed 

aws iam list-policies --scope Local

--Get the role details 

aws iam get-role --role-name <replace_with_role_name>

--Get attached policies to a specific Role

aws iam list-attached-role-policies --role-name <replace_with_role_name>

--Get inline policies attached to a ROLE

aws iam list-role-policies --role-name <replace_with_iam_role>

--get the details of a policy. Note: this needs the policy ARN, which list-attached-role-policies returns. get-policy returns metadata only; the policy document itself comes from get-policy-version using the DefaultVersionId shown here

aws iam get-policy --policy-arn <replace_with_policy_ARN>


--create a policy. The policy document must be prepared in a .json file first

aws iam create-policy --policy-name <replace_with_a_policy_name>  --policy-document file://location.json

--Get the ARN value of the policy created 
aws iam list-policies --query "Policies[?PolicyName=='my-policy-name'].Arn" --output text

--Create the IAM role and attach its trust relationship. The trust policy must be placed in a .json file
aws iam create-role --role-name MY_ROLE_NAME --assume-role-policy-document file://assume_role_policy_document.json

--Add an inline policy to an existing Role (put-role-policy embeds the document in the role; to attach a managed policy by ARN use attach-role-policy instead)

aws iam put-role-policy --role-name <replace_with_role_name> --policy-name <replace_with_policy> --policy-document file://location.json

--Get the ARN of a Role

aws iam list-roles --query "Roles[?RoleName=='my-role'].Arn" --output text

--Build an IAM Role ARN dynamically from the current account ID. Needs jq installed. The jq program must be single-quoted so the shell does not expand $prefix and $suffix before jq sees them; note the aws partition is hard-coded here

aws sts get-caller-identity | jq -r --arg prefix "arn:aws:iam::" --arg suffix ":role/<replace_with_role_name>" '. = $prefix + .Account + $suffix'

--Detach a policy from an IAM role 

aws iam detach-role-policy --role-name <my_iam_role> --policy-arn <replace_with_policy_arn>

--Delete inline policy 

aws iam delete-role-policy --role-name <replace_with_role_name> --policy-name <replace_with_policy_name>

Security Token Service

--To get details about the current IAM identity

aws sts get-caller-identity

Key Management Service (KMS)


--List all KMS keys in the current account and region; returns KeyId & KeyArn

aws kms list-keys

--List all aliases in the caller's Amazon Web Services account and region. Includes the TargetKeyId of each alias

aws kms list-aliases

--Return the TargetKeyId of every alias within a given Region

aws kms list-aliases --region us-east-1 --query "Aliases[*].TargetKeyId"

--Filter aliases by name; this example returns the details of the alias aws/secretsmanager.
aws kms list-aliases --region us-east-1 --query "Aliases[?contains(AliasName,'aws/secretsmanager')]"

--KMS describe-key; this example uses the key-id alias/aws/secretsmanager. Replace --key-id with the relevant key ID or alias
aws kms describe-key --key-id alias/aws/secretsmanager --query "KeyMetadata.Arn"


--List the VpcId of every VPC in the current account

aws ec2 describe-vpcs --query "Vpcs[*].{VpcId:VpcId}" --output text

--List VPC ID, CIDR Block and Name of ALL the VPCs in an account

aws ec2 describe-vpcs --query "Vpcs[*].{VpcId:VpcId,Name:Tags[?Key=='Name'].Value|[0],CidrBlock:CidrBlock}" --output text

--List VPC ID, CIDR Block and Name of a specific VPC in an account

aws ec2 describe-vpcs --query "Vpcs[?VpcId=='<replace_with_vpc_id>'].{VpcId:VpcId,Name:Tags[?Key=='Name'].Value|[0],CidrBlock:CidrBlock}"


--Dynamodb list  tables 

aws dynamodb list-tables

--Get Table ARN for a DynamoDB table 

aws dynamodb describe-table --table-name <replace_with_table_name> --query Table.TableArn

--List tags of resource 

aws dynamodb list-tags-of-resource --resource-arn <replace_with_resource_arn>

--Adding tags to a DynamoDB table

aws dynamodb tag-resource --resource-arn <replace_with_resource_arn> --tags Key=MyKey,Value=MyValue

--Check Continuous backup  & PointInTimeRecoveryStatus of a DynamoDB table

aws dynamodb describe-continuous-backups --table-name <replace_with_Table_name>

--Enable Point in Time Recovery on a DynamoDB table

aws dynamodb update-continuous-backups --table-name <replace_with_Table_name> --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true

--Restore DynamoDB to the latest Point In Time 

aws dynamodb restore-table-to-point-in-time --source-table-name <replace_with_source_Table_name> --target-table-name <replace_with_target_Table_name>  --use-latest-restorable-time

--DynamoDB Backup & Restore

Amazon DynamoDB Backup & Restore

--Delete  DynamoDB table 

aws dynamodb delete-table --table-name <replace_with_dynamodb_table_name>

VPC - Security Groups 

--Describe a specific security group by ID

aws ec2 describe-security-groups --group-ids sg-903004f9

--Create a new security group in a specific VPC

aws ec2 create-security-group --group-name <replace_with_group_name> --description "rules for SQL Server" --vpc-id  <replace_with_vpc_id>

--Add a Name tag to the Security Group 

aws ec2 create-tags --resources <replace_with_security_group> --tags Key=Name,Value=<replace_with_security_group_name_tag>

--Create an ingress rule and associate it with a security group. Keep the CIDR as narrow as the clients require; 0.0.0.0/0 exposes the port to the whole internet

aws ec2 authorize-security-group-ingress --group-id <replace_with_security_group> --protocol <place_protocol_eg_tcp> --port <place_port_number> --cidr  <ip_range>

--Delete security group

aws ec2 delete-security-group --group-id  <security_group_id>

--Putting it all together to create a security group

How do I create a security group in AWS command line?


--List all the DBClusters (this query returns only the DBClusterIdentifier; add fields to the list for more details)

aws rds describe-db-clusters --query "DBClusters[*].[DBClusterIdentifier]"

--Get the ARN for the Cluster 

aws rds describe-db-clusters --db-cluster-identifier <REPLACE_WITH_CLUSTER_NAME> --query "*[].{DBClusterArn:DBClusterArn}" --output text

--Add tags to a Resource 

aws rds add-tags-to-resource --resource-name <REPLACE_WITH_CLUSTER_ARN> --tags Key=mykey,Value=myvalue 

--View the Aurora EarliestRestorableTime & LatestRestorableTime available for a point-in-time restore

aws rds describe-db-clusters --db-cluster-identifier <REPLACE_WITH_DBCLUSTER_ID> --query "DBClusters[*].[DBClusterIdentifier,EarliestRestorableTime,LatestRestorableTime]"

--Create a DB cluster snapshot 

aws rds create-db-cluster-snapshot --db-cluster-identifier <REPLACE_WITH_DB_CLUSTER> --db-cluster-snapshot-identifier <REPLACE_WITH_SNAPSHOT_IDENTIFIER>

--Add a Read replica to an existing DB Cluster

aws rds create-db-instance --db-instance-identifier <REPLACE_WITH_NEW_READ_REPLICA_NAME> --db-cluster-identifier <REPLACE_WITH_CLUSTER_NAME> --engine <REPLACE_WITH_ENGINE> --db-instance-class <REPLACE_WITH_INSTANCE_CLASS_e.g._db.r5.large> --availability-zone <REPLACE_WITH_AZ_e.g._us-east-1c>

--Disable deletion protection on an Aurora Cluster  

aws rds modify-db-cluster --db-cluster-identifier <REPLACE_WITH_CLUSTER_NAME> --no-deletion-protection

--Delete the Aurora Cluster 

aws rds delete-db-cluster --db-cluster-identifier <REPLACE_WITH_CLUSTER_NAME> --no-skip-final-snapshot --final-db-snapshot-identifier <REPLACE_WITH_CLUSTER_NAME_FINAL-SNAPSHOT_NAME>

***Note: if the cluster still has instances, the delete fails with this error message:

Be sure to delete all instances associated with the cluster before you delete the cluster.

--Delete an instance related to the Aurora Cluster 

aws rds delete-db-instance --db-instance-identifier <REPLACE_WITH_THE_IDENTIFIER>



--list all resources of type rds:db, in preparation for tagging. Another resource-type-filter value is rds:cluster

--Note: there is an issue with this call returning resources that have no tags

aws resourcegroupstaggingapi get-resources --resource-type-filters rds:db --query "ResourceTagMappingList[*].ResourceARN" --output table

--list all resources with a specific Key & Value tag combination

aws resourcegroupstaggingapi get-resources --tag-filters Key=MyKey,Values=MyValue --query "ResourceTagMappingList[*].ResourceARN"

--tag the resources listed in --resource-arn-list with the given Key/Value pair

aws resourcegroupstaggingapi tag-resources --resource-arn-list "arn:1" "arn:2" --tags MyKey=MyValue


Author: Rambler

