AWS CLI Cheatsheet

15 September,2022 by Rambler

AWS CLI  commands and queries I use on a regular basis 


--get the aws cli help pages  

aws help

--get the command list for a service, for example Database Migration Service (DMS)

aws dms help


--list all RDS instances 

aws rds describe-db-instances 

--list details for one RDS instance

aws rds describe-db-instances --db-instance-identifier <replace_with_my_rds_instance_name>

--list all RDS instances endpoints

aws rds describe-db-instances --query "DBInstances[].Endpoint[]"

--list the RDS Amazon Resource Name (ARN)

aws rds describe-db-instances --query "DBInstances[?DBInstanceIdentifier=='<replace_with_DBInstanceIdentifier>'].DBInstanceArn"

--list all RDS DBInstanceIdentifier and DBInstance ARN

aws rds describe-db-instances --query "DBInstances[*].[DBInstanceIdentifier,DBInstanceArn]"

--list the Endpoint & Port number for a specific RDS instance

aws rds describe-db-instances --query "DBInstances[?DBInstanceIdentifier=='<replace_with_DBInstanceIdentifier>'].Endpoint[]"

--list all RDS DBInstanceIdentifier & Status 

aws rds describe-db-instances --query "DBInstances[].[DBInstanceIdentifier,DBInstanceStatus] "

--list the RDS VpcId of a single RDS Instance

aws rds describe-db-instances --query "DBInstances[*].DBSubnetGroup.VpcId" --db-instance-identifier <replace_db_instance> --output text

--add tags to an RDS instance

aws rds add-tags-to-resource --resource-name <replace_with_resource_arn> --tags "[{\"Key\": \"MyKey\",\"Value\": \"MyValue\"}]"

--create RDS DB snapshot

aws rds create-db-snapshot --db-instance-identifier myRDS --db-snapshot-identifier myRDSsnapshotIdentifier

--List DBSnapshot details for a specific RDS Instance

aws rds describe-db-snapshots --query "DBSnapshots[?DBInstanceIdentifier=='<replace_with_resource_id>']"

--List DBSnapshot for a specific RDS , returning DBSnapshotIdentifier,SnapshotCreateTime,SnapshotType

aws rds describe-db-snapshots --db-instance-identifier <REPLACE_WITH_RDS_IDENTIFIER> --query "DBSnapshots[].[DBSnapshotIdentifier,SnapshotCreateTime,SnapshotType]"

--List the latest DBSnapshot for a specific RDS - returning the DBSnapshotIdentifier 

aws rds describe-db-snapshots --db-instance-identifier <REPLACE_WITH_RDS_IDENTIFIER> --query "sort_by(DBSnapshots, &SnapshotCreateTime)[-1].{id:DBSnapshotIdentifier,time:SnapshotCreateTime}"

--List Domain Membership 

aws rds describe-db-instances --db-instance-identifier <REPLACE_WITH_RDS_IDENTIFIER> --query "DBInstances[].[DomainMemberships]"




--list all backup plans

aws backup list-backup-plans

--list all backup plans BackupPlanName only 

aws backup list-backup-plans --query "BackupPlansList[].BackupPlanName[]"

--list all backup plans BackupPlanName & BackupPlanID

aws backup list-backup-plans --query "BackupPlansList[].[BackupPlanName,BackupPlanId]"

--return metadata for a Backup Plan 

aws backup list-backup-selections --backup-plan-id <replace_with_backup_plan_id>

--return metadata of the resources associated with the backup plan. For example - Tags 

aws backup get-backup-selection --backup-plan-id <REPLACE_WITH_BACKUP_PLAN_ID> --selection-id <REPLACE_WITH_SELECTION_ID>

--Get Backup Rules for a specific  Backup Plan 

aws backup get-backup-plan --backup-plan-id "<replace_with_backup_plan_id>"

--list resources selection for a backup plan 

aws backup list-backup-selections --backup-plan-id "<replace_with_backup_plan_id>"

--get tags for a backup selection i.e resources assignment

aws backup get-backup-selection --backup-plan-id "<replace_with_backup_plan_id>"  --selection-id "<replace_with_selection_id>"

--delete a Backup Plan (first delete the resource assignment, then delete the backup plan)

# Step 1 : Delete backup selection
aws backup delete-backup-selection --backup-plan-id "989898988" --selection-id "89879879877"

# Step 2 : Delete backup plan (only succeeds once every selection of the plan has been deleted; the plan's resources then no longer get scheduled backups)
aws backup delete-backup-plan --backup-plan-id "989898988"

--Create an on-demand backup of RDS 

aws backup start-backup-job --backup-vault-name Default --resource-arn <replace_with_DBInstanceARN> --iam-role-arn xxxxxxxxxxxxxxxxxxxxxxxx 

--List protected resources

aws backup list-protected-resources 

--List protected resources , filtering for a specific resource type, - in this example I'm filtering on  RDS

aws backup list-protected-resources --query "Results[?ResourceType=='RDS']"

aws backup list-protected-resources --query "Results[?ResourceType=='DynamoDB']"


--Create a backup 

aws backup start-backup-job --backup-vault-name Default --resource-arn <replace_with_targeted_resource_arn> --iam-role-arn <replace_with_valid_iam_role>

-- Restore: Create a new DB instance from the DB snapshot , this process requires a few steps so added link to another post

How do I restore my AWS RDS? aws backup start-restore-job example

--Monitor currently RUNNING Restore Jobs 

aws backup list-restore-jobs --by-status RUNNING

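--List COMPLETED backup jobs for a specific resource (for completed restore jobs use: aws backup list-restore-jobs --by-status COMPLETED)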

aws backup list-backup-jobs --by-state COMPLETED --query "BackupJobs[?ResourceArn == '<replace_with_RDS_Resource_ARN>'].[ResourceType,CompletionDate,RecoveryPointArn]"



Database Migration Service (DMS)


--list subnet group configuration for DMS

aws dms describe-replication-subnet-groups

--list replication instances

aws dms describe-replication-instances

--list DMS replication tasks - display only the task name (identifier) & the  ReplicationTaskArn

aws dms describe-replication-tasks --query "ReplicationTasks[*].[ReplicationTaskIdentifier,ReplicationTaskArn]"

--start a DMS replication task - first time (start-replication)

aws dms start-replication-task --replication-task-arn <replace_with_replication_task_arn> --start-replication-task-type start-replication

--restart a DMS replication task - (reload-target)

aws dms start-replication-task --replication-task-arn <replace_with_replication_task_arn> --start-replication-task-type reload-target

Identity & Access Management (IAM)


---Validate user’s permission on the SecretAccessRole using the IAM get-role command.

aws iam get-role --role-name ROLE_NAME

--Validate user’s permission on the secret using the Secrets Manager describe-secret command (it returns the secret's metadata only, never the secret value)

aws secretsmanager describe-secret --secret-id SECRET_NAME_OR_SECRET_ARN --region=REGION_NAME

--List policies limited to customer-managed 

aws iam list-policies --scope Local

--Get the role details 

aws iam get-role --role-name <replace_with_role_name>

--Get attached policies to a specific Role

aws iam list-attached-role-policies --role-name <replace_with_role_name>

--Get inline policies attached to a ROLE

aws iam list-role-policies --role-name <replace_with_iam_role>

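--get the details of a policy. Note: needs the policy ARN, which list-attached-role-policies returns. get-policy shows metadata only; to read the actual permissions, pass the DefaultVersionId it reports to aws iam get-policy-version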

aws iam get-policy --policy-arn <replace_with_policy_ARN>


--create a policy. Need a prepared policy file to place in a .json file

aws iam create-policy --policy-name <replace_with_a_policy_name>  --policy-document file://location.json

--Get the ARN value of the policy created 
aws iam list-policies --query "Policies[?PolicyName=='my-policy-name'].Arn" --output text

--Create the IAM role and attach the trust relationship. The trust relationship must be saved in a .json file; it decides who may assume the role, so keep its Principal as narrow as possible
aws iam create-role --role-name MY_ROLE_NAME --assume-role-policy-document file://assume_role_policy_document.json

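--Add an inline policy to an existing Role. Note: put-role-policy embeds the policy in the role, so it shows up under list-role-policies, not list-attached-role-policies; to attach a managed policy by ARN use aws iam attach-role-policy --role-name <replace_with_role_name> --policy-arn <replace_with_policy_arn>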

aws iam put-role-policy --role-name <replace_with_role_name> --policy-name <replace_with_policy> --policy-document file://location.json

--Get the ARN of a Role

aws iam list-roles --query "Roles[?RoleName=='my-role'].Arn" --output text

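--Build an IAM Role ARN dynamically from the current account ID. Needs jq installed. The jq filter is single-quoted so the shell does not expand $prefix and $suffix before jq sees them

aws sts get-caller-identity | jq -r --arg prefix "arn:aws:iam::" --arg suffix ":role/<replace_with_role_name>" '. = $prefix + .Account + $suffix'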

--Detach a policy from an IAM role 

aws iam detach-role-policy --role-name <my_iam_role> --policy-arn <replace_with_policy_arn>

--Delete inline policy 

aws iam delete-role-policy --role-name <replace_with_role_name> --policy-name <replace_with_policy_name>

Security Token Service

--To get details about the current IAM identity

aws sts get-caller-identity

Key Management Service (KMS)


--List all the aws encryption key ARN, returns KeyID & KeyArn

aws kms list-keys

--Lists all aliases in the caller's Amazon Web Services account and region.Includes returning the TargetKeyID

aws kms list-aliases

--Return a list of identifiers within a certain Region

aws kms list-aliases --region us-east-1 --query "Aliases[*].TargetKeyId"

--Use the KMS alias name; this command returns the details of an alias, e.g. aws/secretsmanager.
aws kms list-aliases --region us-east-1 --query "Aliases[?contains(AliasName,'aws/secretsmanager')]"

--KMS describe-key ,In this example using key-id “alias/aws/secretsmanager” as an example. replace key-id with relevant key 
aws kms describe-key --key-id alias/aws/secretsmanager --query "KeyMetadata.Arn"


--List VPCId of current logged on Account

aws ec2 describe-vpcs --query "Vpcs[*].{VpcId:VpcId}" --output text

--List  VPC ID, CIDR Block and Name  of ALL the VPCs in an account

aws ec2 describe-vpcs --query "Vpcs[*].{VpcId:VpcId,Name:Tags[?Key=='Name'].Value|[0],CidrBlock:CidrBlock}" --output text

--List  VPC ID, CIDR Block and Name  of  a specific VPC in an account

aws ec2 describe-vpcs --query "Vpcs[?VpcId=='<replace_with_vpc_id>'].{VpcId:VpcId,Name:Tags[?Key=='Name'].Value|[0],CidrBlock:CidrBlock}"



--Get Table ARN for a DynamoDB table 

aws dynamodb describe-table --table-name <replace_with_table_name> --query Table.TableArn

--Adding tags to a DynamoDB table

aws dynamodb tag-resource --resource-arn <replace_with_resource_arn> --tags Key=MyKey,Value=MyValue


VPC - Security Groups 

--Describe a specific security group

aws ec2 describe-security-groups --group-ids sg-903004f9

--Create a new security group in a specific VPC

aws ec2 create-security-group --group-name <replace_with_group_name> --description "rules for SQL Server" --vpc-id  <replace_with_vpc_id>

--Add a Name tag to the Security Group 

aws ec2 create-tags --resources <replace_with_security_group> --tags Key=Name,Value=<replace_with_security_group_name_tag>

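--Create an ingress rule and associate it with a security group. Keep --cidr as narrow as possible: a 0.0.0.0/0 source opens the port (e.g. a database port) to the whole internet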

aws ec2 authorize-security-group-ingress --group-id <replace_with_security_group> --protocol <place_protocol_eg_tcp> --port <place_port_number> --cidr  <ip_range>

--Delete security group

aws ec2 delete-security-group --group-id  <security_group_id>

--Putting it all together to create a security group

How do I create a security group in AWS command line?


--Get the ARN for the Cluster 

aws rds describe-db-clusters --db-cluster-identifier <REPLACE_WITH_CLUSTER_NAME> --query "*[].{DBClusterArn:DBClusterArn}" --output text

--Add tags to a Resource 

aws rds add-tags-to-resource --resource-name <REPLACE_WITH_CLUSTER_ARN> --tags Key=mykey,Value=myvalue 

Author: Rambler

