# CLI
## IAM

| Task | Command |
| --- | --- |
| create a named profile | `$ aws configure --profile <profile_name>` |
| get the current user | `$ aws iam get-user` |
| retrieve the account ID and caller ARN (`sts:GetCallerIdentity` needs no IAM permission, so it works when `iam:GetUser` is denied) | `$ aws sts get-caller-identity` |
| list managed policies attached to a user | `$ aws iam list-attached-user-policies --user-name <USERNAME_X>`<br>returns e.g. `arn:aws:iam::975426262029:policy/list_apigateways` |
| get a policy's default version | `$ aws iam get-policy --policy-arn arn:aws:iam::975426262029:policy/list_apigateways`<br>returns `DefaultVersionId` (`<VERSION_X>`) |
| retrieve the policy document for that version | `$ aws iam get-policy-version --policy-arn arn:aws:iam::975426262029:policy/list_apigateways --version-id <VERSION_X>` |
| list all IAM users | `$ aws iam list-users` |
| list users by ARN | `$ aws iam list-users --output json \| jq -r .Users[].Arn` |
| list a user's access keys | `$ aws iam list-access-keys --user-name <username>` |
| list the groups a user belongs to | `$ aws iam list-groups-for-user --user-name <username>` |
| list inline policy names on a group | `$ aws iam list-group-policies --group-name <groupname>` |
| get the document of an inline group policy | `$ aws iam get-group-policy --group-name <groupname> --policy-name <policyname>` |

Investigate a policy starting from its PolicyId, find who it is attached to, and follow an attached role back to its trust policy:

```bash
# look up a managed policy by PolicyId
$ aws iam list-policies | jq '.Policies[] | select(.PolicyId=="ANPXXXXXXXXX")'
# users, groups and roles the policy is attached to
$ aws iam list-entities-for-policy --policy-arn="arn:aws:iam::aws:policy/IAMFullAccess"
# managed policies attached to a role
$ aws iam list-attached-role-policies --role-name="Bot"
# fetch the default version of a customer-managed policy in one step
$ aws iam get-policy-version --policy-arn="arn:aws:iam::11111111111:policy/CIBot" --version-id=$(aws iam get-policy --policy-arn="arn:aws:iam::11111111111:policy/CIBot" | jq -r '.Policy.DefaultVersionId')
# the role itself; AssumeRolePolicyDocument (the trust policy) says who may assume it
$ aws iam get-role --role-name="Bot"
```
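Chaining the commands above by hand for every user, group and policy version is slow. The script below is an added example (not code from the original page): it shells out to the same `aws iam` subcommands to gather every policy document that applies to a user (attached managed, inline, and both kinds inherited via groups), then runs a pure `risky_statements()` check that flags wildcard admin, `NotAction` allows and privilege-escalation-capable actions granted on `Resource "*"`. The `PRIVESC_ACTIONS` starter list and the `CONSTRUCTED_DOC` sample are assumptions for illustration; the live path assumes a configured AWS CLI.

```python
import fnmatch
import json
import subprocess
import sys
from typing import Dict, List

# Starter list of actions that commonly enable privilege escalation when
# granted on Resource "*" (assumption for illustration; not exhaustive).
PRIVESC_ACTIONS = [
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy",
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy", "iam:PassRole",
    "sts:AssumeRole",
]


def aws(*args: str) -> dict:
    """Run an aws CLI subcommand and return its parsed JSON output."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def as_list(value) -> list:
    """IAM allows a single string or a list in Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern: str, action: str) -> bool:
    """Case-insensitive IAM action glob match, e.g. 'iam:*' or 'iam:Create*'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def risky_statements(doc: dict) -> List[dict]:
    """Pure check: return the Allow statements that look dangerous, and why."""
    findings = []
    for st in as_list(doc.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        actions = as_list(st.get("Action"))
        star_resource = "*" in as_list(st.get("Resource"))
        reasons = []
        if "NotAction" in st:
            reasons.append("NotAction allow: everything except the listed actions")
        if "*" in actions and star_resource:
            reasons.append("full admin: Action * on Resource *")
        elif star_resource:
            if any(a.endswith(":*") for a in actions):
                reasons.append("service-wide wildcard on Resource *")
            hits = [p for p in PRIVESC_ACTIONS
                    if any(action_matches(a, p) for a in actions)]
            if hits:
                reasons.append("privesc-capable on Resource *: " + ", ".join(hits))
        if reasons:
            # A Condition block can neuter a grant; surface it so the reader checks it.
            findings.append({"Sid": st.get("Sid"), "reasons": reasons,
                             "conditional": "Condition" in st})
    return findings


def policy_document(policy_arn: str) -> dict:
    """Live: get-policy -> DefaultVersionId -> get-policy-version, as in the table above."""
    version = aws("iam", "get-policy", "--policy-arn", policy_arn)["Policy"]["DefaultVersionId"]
    out = aws("iam", "get-policy-version", "--policy-arn", policy_arn, "--version-id", version)
    return out["PolicyVersion"]["Document"]


def user_policy_documents(user: str) -> Dict[str, dict]:
    """Live: every document in effect for a user, keyed by ARN or inline:<entity>/<name>."""
    docs: Dict[str, dict] = {}
    for p in aws("iam", "list-attached-user-policies", "--user-name", user)["AttachedPolicies"]:
        docs[p["PolicyArn"]] = policy_document(p["PolicyArn"])
    for name in aws("iam", "list-user-policies", "--user-name", user)["PolicyNames"]:
        docs[f"inline:{user}/{name}"] = aws("iam", "get-user-policy", "--user-name", user,
                                            "--policy-name", name)["PolicyDocument"]
    for group in aws("iam", "list-groups-for-user", "--user-name", user)["Groups"]:
        g = group["GroupName"]
        for p in aws("iam", "list-attached-group-policies", "--group-name", g)["AttachedPolicies"]:
            docs[p["PolicyArn"]] = policy_document(p["PolicyArn"])
        for name in aws("iam", "list-group-policies", "--group-name", g)["PolicyNames"]:
            docs[f"inline:{g}/{name}"] = aws("iam", "get-group-policy", "--group-name", g,
                                             "--policy-name", name)["PolicyDocument"]
    return docs


# Constructed sample document so the check can be exercised offline.
CONSTRUCTED_DOC = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListGw", "Effect": "Allow", "Action": "apigateway:GET", "Resource": "*"},
        {"Sid": "Keys", "Effect": "Allow",
         "Action": ["iam:CreateAccessKey", "iam:ListUsers"], "Resource": "*"},
        {"Sid": "NoDelete", "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}


def demo() -> List[dict]:
    return risky_statements(CONSTRUCTED_DOC)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live: python iam_check.py <user-name>
        for name, doc in user_policy_documents(sys.argv[1]).items():
            for finding in risky_statements(doc):
                print(name, finding)
    else:
        print(demo())
```

Run it with a user name to walk the live account, or with no arguments to see the check flag the `Keys` statement in the constructed sample. Deny statements and resource-scoped grants are deliberately ignored; a flagged statement with `"conditional": True` still needs its `Condition` read before it counts.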
## S3

| Task | Command |
| --- | --- |
| list the buckets visible to the profile | `$ aws s3 ls` |
| list bucket contents anonymously (no credentials) | `$ aws s3 ls s3://bucket-name --no-sign-request` |
| list bucket contents with credentials | `$ aws s3 ls s3://bucket-name` |
| copy a local folder to S3 | `$ aws s3 cp MyFolder s3://bucket-name --recursive` |
| delete a bucket together with all of its objects | `$ aws s3 rb s3://bucket-name --force` |
| download a whole bucket anonymously | `$ aws s3 sync s3://<bucket>/ . --no-sign-request` |
| copy a bucket's contents into another bucket, source in a different region (`sync` copies; it does not delete the source) | `$ aws s3 sync s3://oldbucket s3://newbucket --source-region us-west-1` |
| total size in bytes and object count of a bucket | `$ aws s3api list-objects --bucket BUCKETNAME --output json --query "[sum(Contents[].Size), length(Contents[])]"` |
| show the bucket ACL (owner and grants) | `$ aws s3api get-bucket-acl --bucket <bucketname>` |
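The ACL output is verbose and the dangerous grants are easy to miss among the owner's own. As an added example (not the page's code), the script below does the two exposure checks from the rows above: a pure `exposed_grants()` over `get-bucket-acl` output that reports grants to `AllUsers`, `AuthenticatedUsers` or any canonical user other than the owner, and a live `anonymous_listable()` that runs the unsigned `aws s3 ls`. The `CONSTRUCTED_ACL` sample, its IDs and the permission descriptions are assumptions for illustration. Two caveats: an account- or bucket-level Block Public Access setting overrides public ACL grants, and a bucket policy can grant access the ACL does not show, so the unsigned listing is the ground truth.

```python
import json
import subprocess
import sys
from typing import List

# Well-known grantee URIs that make an ACL grant public.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}
# What each bucket-level ACL permission lets the grantee do.
PERMISSION_MEANING = {
    "READ": "list objects",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the ACL",
    "WRITE_ACP": "rewrite the ACL (equivalent to full control)",
    "FULL_CONTROL": "everything",
}


def exposed_grants(acl: dict) -> List[dict]:
    """Pure check over get-bucket-acl output: grants to everyone or to a non-owner account."""
    owner_id = acl.get("Owner", {}).get("ID")
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        perm = grant.get("Permission")
        uri = grantee.get("URI")
        if uri in PUBLIC_GRANTEES:
            who = PUBLIC_GRANTEES[uri]
        elif grantee.get("Type") == "CanonicalUser" and grantee.get("ID") != owner_id:
            who = "external canonical user " + grantee.get("ID", "?")
        else:
            continue  # the owner's own grant, or a service group such as LogDelivery
        findings.append({"who": who, "permission": perm,
                         "allows": PERMISSION_MEANING.get(perm, "unknown")})
    return findings


def bucket_acl(bucket: str) -> dict:
    """Live: aws s3api get-bucket-acl, as in the table above."""
    proc = subprocess.run(["aws", "s3api", "get-bucket-acl", "--bucket", bucket,
                           "--output", "json"], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def anonymous_listable(bucket: str) -> bool:
    """Live: does an unsigned listing succeed? (aws s3 ls s3://bucket --no-sign-request)"""
    proc = subprocess.run(["aws", "s3", "ls", f"s3://{bucket}", "--no-sign-request"],
                          capture_output=True, text=True)
    return proc.returncode == 0


# Constructed ACL sample; the owner and grantee IDs are made up.
CONSTRUCTED_ACL = {
    "Owner": {"DisplayName": "owner", "ID": "1111aaaa"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "1111aaaa"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
         "Permission": "WRITE"},
        {"Grantee": {"Type": "CanonicalUser", "ID": "2222bbbb"}, "Permission": "WRITE_ACP"},
    ],
}


def demo() -> List[dict]:
    return exposed_grants(CONSTRUCTED_ACL)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live: python s3_check.py <bucket>
        bucket = sys.argv[1]
        print("anonymous listing:", anonymous_listable(bucket))
        for finding in exposed_grants(bucket_acl(bucket)):
            print(finding)
    else:
        print(demo())
```

On the constructed sample the check reports the anonymous `READ` (anyone can list) and the external `WRITE_ACP` (a stranger can rewrite the ACL and take full control) while ignoring the owner's grant and the `LogDelivery` group.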
## EC2

| Task | Command |
| --- | --- |
| list images (without `--owners` or `--filters` this returns every public AMI, so narrow the output) | `$ aws ec2 describe-images [ \| grep ubuntu]` |
| list instances in a region | `$ aws --region us-east-1 ec2 describe-instances` |
| list stopped instances and the reason they stopped | `$ aws ec2 describe-instances --filters Name=instance-state-name,Values=stopped --region eu-west-1 --output json \| jq -r .Reservations[].Instances[].StateReason.Message` |
| list volumes | `$ aws --region us-east-1 ec2 describe-volumes` |
| list snapshots owned by an account (account ID from `sts get-caller-identity`) | `$ aws ec2 describe-snapshots --owner-id <ID>` |
| list EC2 SSH key pairs (names and fingerprints only; AWS never returns private keys) | `$ aws --region us-east-1 ec2 describe-key-pairs` |
| get an instance's console output (boot log: hostnames, usernames, service banners) | `$ aws --region us-east-1 ec2 get-console-output --instance-id <id>` |
| list security groups | `$ aws --region us-east-1 ec2 describe-security-groups` |

Mount a snapshot's filesystem on an instance you control: create a volume from it, attach it, identify the partition, mount it.

```bash
# create a volume from the snapshot, in the same AZ as the target instance
$ aws ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id <snap-0b49342abd1bdcb89>
# attach the new volume to the instance
$ aws ec2 attach-volume --device /dev/sdh --instance-id <INSTANCE-ID> --volume-id <VOLUME-ID>
# from inside the instance: the guest device name differs from the requested /dev/sdh
# (xvd* on Xen, nvme* on Nitro), so confirm it with lsblk before identifying the partition
$ sudo file -s /dev/xvdb1
# Returns:
# /dev/xvdb1: Linux rev 1.0 ext4 filesystem data, UUID=5a2075d0-d095-4511-bef9-802fd8a7610e, volume name "cloudimg-rootfs" (extents) (large files) (huge files)
$ sudo mount /dev/xvdb1 /mnt
```
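`describe-security-groups` returns every rule in the region; the question that matters is which of them are open to the whole internet and on which ports. The script below is an added example (not from the original page): a pure `world_open_rules()` over the `SecurityGroups[]` array that reports ingress rules sourced from `0.0.0.0/0` or `::/0`, handling the all-traffic case (`IpProtocol` `-1`, no ports) and marking rules that cover well-known admin or database ports. The `SENSITIVE_PORTS` map and the `CONSTRUCTED_GROUPS` sample are assumptions for illustration; the live helper assumes a configured AWS CLI.

```python
import json
import subprocess
import sys
from typing import List

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
# Ports whose exposure to the world is nearly always a finding (assumption for illustration).
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
                   1433: "mssql", 6379: "redis", 27017: "mongodb", 9200: "elasticsearch"}


def world_open_rules(groups: List[dict]) -> List[dict]:
    """Pure check over describe-security-groups SecurityGroups[]: ingress open to the world."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            open_from = sorted(s for s in sources if s in WORLD_CIDRS)
            if not open_from:
                continue
            proto = rule.get("IpProtocol")  # "-1" means all protocols; no FromPort/ToPort
            lo, hi = rule.get("FromPort"), rule.get("ToPort")
            if proto == "-1":
                exposed = "all traffic"
            elif lo == hi:
                exposed = f"{proto}/{lo}"
            else:
                exposed = f"{proto}/{lo}-{hi}"
            sensitive = proto == "-1" or (
                lo is not None and any(lo <= port <= hi for port in SENSITIVE_PORTS))
            findings.append({"GroupId": sg.get("GroupId"), "GroupName": sg.get("GroupName"),
                             "exposed": exposed, "from": open_from, "sensitive": sensitive})
    return findings


def security_groups(region: str) -> List[dict]:
    """Live: aws --region <region> ec2 describe-security-groups, as in the table above."""
    proc = subprocess.run(["aws", "--region", region, "ec2", "describe-security-groups",
                           "--output", "json"], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)["SecurityGroups"]


# Constructed sample in describe-security-groups shape; IDs are made up.
CONSTRUCTED_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0bbb", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
    ]},
]


def demo() -> List[dict]:
    return world_open_rules(CONSTRUCTED_GROUPS)


if __name__ == "__main__":
    groups = security_groups(sys.argv[1]) if len(sys.argv) > 1 else CONSTRUCTED_GROUPS
    for finding in world_open_rules(groups):
        print(finding)
```

On the constructed sample, `web`'s 443 is reported but not flagged sensitive, while `db` yields two flagged findings: MySQL open over both IPv4 and IPv6, and an all-traffic rule from `::/0`. The internal SSH rule from `10.0.0.0/8` is ignored.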
## ELB

| Task | Command |
| --- | --- |
| list internet-facing classic ELBs by DNS name (ALBs and NLBs are under `aws elbv2`, not `aws elb`) | `$ aws elb describe-load-balancers \| jq '.LoadBalancerDescriptions[] \| select( .Scheme \| contains("internet-facing")) \| .DNSName'` |
## Lambda

| Task | Command |
| --- | --- |
| list functions | `$ aws lambda list-functions` |
| list functions with their runtimes, across all published versions | `$ aws lambda list-functions --function-version ALL --output json \| jq '.Functions[] \| .FunctionName + " " + .Runtime'` |
| retrieve a function's resource policy, i.e. who may invoke it (`Policy` is returned as a JSON string) | `$ aws lambda get-policy --function-name <NAME>` |
| get a short-lived presigned URL for the deployment package; download it with curl/wget before it expires | `$ aws lambda get-function --function-name FUNCTION_NAME --query Code.Location` |
| invoke a function, writing the response payload to /tmp/out | `$ aws lambda invoke --function-name FUNCTION_NAME /tmp/out` |
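`get-policy` hides the interesting part inside a JSON string, so it is worth decoding it programmatically. As an added example (not the page's code), the script below summarises each Allow statement of a function's resource policy, flagging `Principal "*"` (or `{"AWS": "*"}`) with no `Condition` as publicly invokable, and pairs that with a live helper that fetches `Code.Location` and downloads the deployment package while the presigned URL is still valid. The `CONSTRUCTED_GET_POLICY` sample and its ARNs are made up for illustration. A `"*"` principal that does carry a `Condition` is reported with the condition so you can read it; a `lambda:FunctionUrlAuthType` of `NONE` there still means public.

```python
import json
import subprocess
import sys
import urllib.request
from typing import List


def as_list(value) -> list:
    """Statement and Action may be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def invoke_principals(get_policy_output: dict) -> List[dict]:
    """Pure check over `aws lambda get-policy` output: who may invoke the function."""
    policy = json.loads(get_policy_output["Policy"])  # 'Policy' is a JSON string, not an object
    summary = []
    for st in as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if isinstance(principal, dict):
            who = "; ".join(f"{k}={v}" for k, v in principal.items())
        else:
            who = str(principal)
        condition = st.get("Condition")
        summary.append({"Sid": st.get("Sid"), "principal": who, "action": st.get("Action"),
                        "condition": condition, "public": anyone and not condition})
    return summary


def get_policy(function_name: str) -> dict:
    """Live: aws lambda get-policy, as in the table above."""
    proc = subprocess.run(["aws", "lambda", "get-policy", "--function-name", function_name,
                           "--output", "json"], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def download_code(function_name: str, dest: str) -> str:
    """Live: Code.Location from get-function is a short-lived presigned S3 URL; fetch it at once."""
    proc = subprocess.run(["aws", "lambda", "get-function", "--function-name", function_name,
                           "--query", "Code.Location", "--output", "text"],
                          check=True, capture_output=True, text=True)
    urllib.request.urlretrieve(proc.stdout.strip(), dest)
    return dest


# Constructed get-policy output; account IDs and ARNs are made up.
CONSTRUCTED_GET_POLICY = {
    "Policy": json.dumps({
        "Version": "2012-10-17", "Id": "default",
        "Statement": [
            {"Sid": "apigw", "Effect": "Allow", "Principal": {"Service": "apigateway.amazonaws.com"},
             "Action": "lambda:InvokeFunction",
             "Resource": "arn:aws:lambda:us-east-1:111122223333:function:demo",
             "Condition": {"ArnLike": {"AWS:SourceArn":
                           "arn:aws:execute-api:us-east-1:111122223333:abc123/*/GET/"}}},
            {"Sid": "partner", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
             "Action": "lambda:InvokeFunction",
             "Resource": "arn:aws:lambda:us-east-1:111122223333:function:demo"},
            {"Sid": "anyone", "Effect": "Allow", "Principal": "*",
             "Action": "lambda:InvokeFunction",
             "Resource": "arn:aws:lambda:us-east-1:111122223333:function:demo"},
        ]}),
    "RevisionId": "constructed",
}


def demo() -> List[dict]:
    return invoke_principals(CONSTRUCTED_GET_POLICY)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live: python lambda_check.py <function-name> [dest.zip]
        for entry in invoke_principals(get_policy(sys.argv[1])):
            print(entry)
        if len(sys.argv) > 2:
            print("saved", download_code(sys.argv[1], sys.argv[2]))
    else:
        print(demo())
```

On the constructed sample only the `anyone` statement is public; `apigw` is scoped by a `SourceArn` condition and `partner` is a cross-account grant to `444455556666` that you would want to account for but which is not anonymous.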
## CloudTrail

| Task | Command |
| --- | --- |
| list trails | `$ aws --region us-east-1 cloudtrail describe-trails` |
| get a trail's logging status | `$ aws --region us-east-1 cloudtrail get-trail-status --name [default]` |
| stop logging (the `StopLogging` call is itself recorded by CloudTrail and is a common alert trigger) | `$ aws --region us-east-1 cloudtrail stop-logging --name [default]` |
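The defender's view of the same three commands is coverage: which regions have no trail that is actually logging, and which trails have been stopped. The script below is an added example (not from the original page). Its pure `uncovered_regions()` takes `describe-trails` output, a map of trail ARN to `IsLogging` from `get-trail-status`, and a region list, treating a multi-region trail as covering everything and a single-region trail as covering only its `HomeRegion`; the live helper walks every region, querying each trail's status in its home region by ARN. The constructed trails, ARNs and region list are assumptions for illustration; CloudTrail Lake event data stores are not considered.

```python
import json
import subprocess
from typing import Dict, List


def aws(*args: str) -> dict:
    """Run an aws CLI subcommand and return its parsed JSON output."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def uncovered_regions(trails: List[dict], logging: Dict[str, bool], regions: List[str]) -> List[str]:
    """Pure: regions in which no actively logging trail records management events."""
    covered = set()
    for trail in trails:
        if not logging.get(trail["TrailARN"], False):
            continue  # a stopped trail covers nothing
        if trail.get("IsMultiRegionTrail"):
            return []  # one logging multi-region trail covers every region
        covered.add(trail["HomeRegion"])
    return sorted(r for r in regions if r not in covered)


def stopped_trails(trails: List[dict], logging: Dict[str, bool]) -> List[str]:
    """Pure: names of trails whose get-trail-status reports IsLogging false."""
    return sorted(t["Name"] for t in trails if not logging.get(t["TrailARN"], False))


def live_coverage() -> dict:
    """Live: describe-trails in every region (deduplicated by ARN), then get-trail-status per trail."""
    regions = [r["RegionName"] for r in aws("ec2", "describe-regions")["Regions"]]
    trails: Dict[str, dict] = {}
    for region in regions:
        for t in aws("--region", region, "cloudtrail", "describe-trails")["trailList"]:
            trails[t["TrailARN"]] = t
    # get-trail-status accepts the ARN from any region; the home region is used to be safe
    logging = {arn: aws("--region", t["HomeRegion"], "cloudtrail", "get-trail-status",
                        "--name", arn)["IsLogging"] for arn, t in trails.items()}
    return {"uncovered": uncovered_regions(list(trails.values()), logging, regions),
            "stopped": stopped_trails(list(trails.values()), logging)}


# Constructed sample in describe-trails shape; ARNs and account ID are made up.
CONSTRUCTED_TRAILS = [
    {"Name": "default", "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/default",
     "HomeRegion": "us-east-1", "IsMultiRegionTrail": False},
    {"Name": "org-trail", "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/org-trail",
     "HomeRegion": "eu-west-1", "IsMultiRegionTrail": True},
]
# Constructed get-trail-status results: the multi-region trail has been stopped.
CONSTRUCTED_STATUS = {
    "arn:aws:cloudtrail:us-east-1:111122223333:trail/default": True,
    "arn:aws:cloudtrail:eu-west-1:111122223333:trail/org-trail": False,
}
CONSTRUCTED_REGIONS = ["us-east-1", "eu-west-1", "ap-south-1"]


def demo() -> List[str]:
    return uncovered_regions(CONSTRUCTED_TRAILS, CONSTRUCTED_STATUS, CONSTRUCTED_REGIONS)


if __name__ == "__main__":
    print("uncovered:", demo())
    print("stopped:", stopped_trails(CONSTRUCTED_TRAILS, CONSTRUCTED_STATUS))
```

In the constructed sample the stopped multi-region `org-trail` leaves `eu-west-1` and `ap-south-1` with no logging trail, which is exactly the gap the `stop-logging` row above creates; re-enabling it makes the uncovered list empty. Replace the final two prints with `live_coverage()` to run against a real account.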
## CloudWatch

| Task | Command |
| --- | --- |
| follow a log group live (`aws logs tail` requires CLI v2) | `$ aws logs tail "<log_group_name>" --follow` |
| dump one log stream to a file | `$ aws logs get-log-events --log-group-name "<log_group_name>" --log-stream-name "<log_stream_name>" --output text > <output_file>` |
## CloudFormation

| Task | Command |
| --- | --- |
| list stacks | `$ aws cloudformation list-stacks` |
| describe stacks (parameters and outputs may expose hostnames, bucket names and credentials) | `$ aws cloudformation describe-stacks` |
## ECR

| Task | Command |
| --- | --- |
| list images in a repository (cross-account only if the repository policy allows it) | `$ aws ecr list-images --repository-name REPO_NAME --registry-id ACCOUNT_ID` |
| authenticate docker to a registry | `$ aws ecr get-login-password --region eu-west-1 \| docker login --username AWS --password-stdin <registry>` |
## RDS

| Task | Command |
| --- | --- |
| list publicly shared DB snapshots (from any account, not only this one) | `$ aws rds describe-db-snapshots --include-public --snapshot-type public` |
| restore a snapshot as a new instance you own, so its master password can be reset without touching the original database | `$ aws rds restore-db-instance-from-db-snapshot --db-instance-identifier <ID> --db-snapshot-identifier <ID> --availability-zone us-west-2a` |
| reset the master user password (modifies the live instance immediately; noisy) | `$ aws rds modify-db-instance --db-instance-identifier <ID> --master-user-password <NewPassword> --apply-immediately` |