This is a collection of AWS CLI commands I put together while I was learning and that I still use as a reference. I hope they’re as useful to you as they have been to me. The first thing you need to do is install and configure the AWS CLI.
Remember to use CTRL+F to search with and without accents, since I sometimes wrote this using an English keyboard and it wasn’t easy to type accented characters.
For example, if you want to see how to create a new policy, search for "politica" (without the accent) and jump through the results until you find what you’re looking for.
– configure the keys
aws configure
– Get the current account ID
aws sts get-caller-identity --query 'Account' --output text
– See the account alias or the friendly name given to the account
aws iam list-account-aliases --query 'AccountAliases[0]' --output text
– Identify which account you are working in (similar to whoami in Linux)
aws sts get-caller-identity
The result will be a JSON with information similar to the following:
{
"UserId": "AIDA52SZJW52SZM5KLUIS",
"Account": "888888999999",
"Arn": "arn:aws:iam::888888999999:user/hackvolution"
}
– Describe the account’s trails
aws cloudtrail describe-trails
– Get the status of a trail
aws cloudtrail get-trail-status --name arn:aws:cloudtrail:us-east-1:888888999999:trail/kolibers-cloudtrail-org-prod-security
– List the accounts that are part of the organization
aws organizations list-accounts
– List all users in an account and filter by users whose name contains “luis”. Please note that the quotes around the name are backticks, not single quotes.
aws iam list-users --query 'Users[?contains(UserName, `luis`)].UserName' --output text
– Use grep on AWS CLI output
aws iam list-users |grep luis
– List all access keys in an account
for user in $(aws iam list-users --query 'Users[].UserName' --output text); do
  aws iam list-access-keys --user-name "$user" --output text
done
– List all access keys in an account; if you have more than one profile, add the --profile option
for user in $(aws iam list-users --query 'Users[].UserName' --output text --profile miperfil2aws); do
  aws iam list-access-keys --user-name "$user" --output text --profile miperfil2aws
done
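The loop above lists every key but leaves the judgement to you. The following Python script is an added example (not part of the original cheat sheet) that parses the JSON the CLI returns and flags active keys older than a rotation threshold, plus keys already marked Inactive. The sample `list-access-keys` output is constructed for illustration; the key IDs and dates are made up. Running it as a script calls the AWS CLI through `subprocess`, which assumes the CLI is installed and configured as described at the top of the page.

```python
import json
import subprocess
from datetime import datetime, timezone

# Constructed sample: the JSON that `aws iam list-access-keys --user-name luismoreno`
# returns. Key IDs and dates are made up for this example.
SAMPLE_KEYS_JSON = """
{
  "AccessKeyMetadata": [
    {"UserName": "luismoreno", "AccessKeyId": "AKIAEXAMPLE000000001",
     "Status": "Active", "CreateDate": "2022-01-10T15:20:00+00:00"},
    {"UserName": "luismoreno", "AccessKeyId": "AKIAEXAMPLE000000002",
     "Status": "Inactive", "CreateDate": "2023-04-01T09:00:00+00:00"}
  ]
}
"""


def parse_keys(keys_json):
    """Return the AccessKeyMetadata list from `aws iam list-access-keys` JSON output."""
    return json.loads(keys_json)["AccessKeyMetadata"]


def key_age_days(key, now):
    """Whole days between the key's CreateDate and `now` (both timezone-aware)."""
    created = datetime.fromisoformat(key["CreateDate"])
    return (now - created).days


def find_stale_keys(keys, now, max_age_days=90):
    """Active keys older than max_age_days: candidates for rotation."""
    return [
        (k["UserName"], k["AccessKeyId"], key_age_days(k, now))
        for k in keys
        if k["Status"] == "Active" and key_age_days(k, now) > max_age_days
    ]


def find_inactive_keys(keys):
    """Keys already marked Inactive: safe to delete once you confirm nothing uses them."""
    return [(k["UserName"], k["AccessKeyId"]) for k in keys if k["Status"] == "Inactive"]


def aws_json(*args):
    """Run an AWS CLI command and parse its JSON output (needs configured credentials)."""
    out = subprocess.run(["aws", *args, "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def audit_account(max_age_days=90):
    """Walk every IAM user in the account and collect keys that should be rotated."""
    now = datetime.now(timezone.utc)
    report = []
    for user in aws_json("iam", "list-users")["Users"]:
        keys = aws_json("iam", "list-access-keys",
                        "--user-name", user["UserName"])["AccessKeyMetadata"]
        report.extend(find_stale_keys(keys, now, max_age_days))
    return report


if __name__ == "__main__":
    for user, key_id, age in audit_account():
        print(f"{user}\t{key_id}\tactive for {age} days")
```

The threshold of 90 days is only a common starting point; adjust `max_age_days` to your own rotation policy.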
– List the S3 buckets in the account (or those you have access to)
aws s3 ls
– List the files in a bucket
aws s3 ls s3://el-nombre-de-tu-bucket/
– Calculate the size of a bucket. Be careful: if you have many buckets, this can take a long time, so you may prefer to do it in parts.
aws s3 ls s3://el-nombre-de-tu-bucket --recursive --human-readable --summarize
It will give you output like the following:
2022-02-22 11:04:13 121Kib Bytes archivos_importantes/0054321.csv
2022-02-22 11:04:21 57.9 MiB Bytes archivos_importantes/hackvolution_ai-x000.csv
2022-02-22 11:04:40 0 Bytes archivos_importantes_kolibers/*EXITO
2022-02-22 11:04:40 0 Bytes media_kolibers/registros_27000.csv
2022-02-22 11:04:40 147 Bytes archivos_importantes*/hvt_20230404.csv
Total Objects: 2486
Total Size: 3.4 GiB
– List all Kinesis delivery streams:
aws firehose list-delivery-streams
– Describe specific delivery streams
aws firehose describe-delivery-stream --delivery-stream-name nombre-del-delivery-stream
– List all WAFs in an account
aws wafv2 list-web-acls --scope REGIONAL
– List all CloudWatch log groups
aws logs describe-log-groups
– List the log streams inside a log group:
aws logs describe-log-streams --log-group-name tu-log-group-del-waf
– View the logs of a specific stream using the following command:
aws logs get-log-events --log-group-name mis-logs-waf --log-stream-name "us-east-1_prod-APIWAFy_9"
– Get the domain names associated with an API Gateway
aws apigatewayv2 get-domain-names
– To filter only the DomainName element from the JSON returned by the previous command, you can use jq as follows:
aws apigatewayv2 get-domain-names | jq '.Items[].DomainName'
– View the contents of a policy
aws iam get-policy-version --policy-arn arn:aws:iam::123456789012:policy/AllowCreateEnableMFA --version-id v2 --query 'PolicyVersion.Document' --output json
– View the default version of a policy
aws iam get-policy --policy-arn arn:aws:iam::123456789012:policy/AllowCreateEnableMFA --query 'Policy.DefaultVersionId' --output text
– See which inline policies a user has (list-user-policies returns only inline policy names)
aws iam list-user-policies --user-name mi-usuario-aws
– See which managed policies are attached to a user
aws iam list-attached-user-policies --user-name mi-usuario-aws
– Create a new version of a policy, update the policy, and set it as the default
aws iam create-policy-version --policy-arn arn:aws:iam::123456789012:policy/AllowCreateEnableMFA --policy-document file://habilitar-mfa.json --set-as-default
– Retrieve a specific version of a policy
aws iam get-policy-version --policy-arn arn:aws:iam::123456789012:policy/AllowCreateEnableMFA --version-id v1 --query 'PolicyVersion.Document' --output json
– List the roles in an account and output only their names
aws iam list-roles --query 'Roles[].RoleName'
– List the roles in an account and output only their names, then filter matches using grep, for example with “toys”
aws iam list-roles --query 'Roles[].RoleName'|grep -i toys
– List existing SCPs
aws organizations list-policies --filter SERVICE_CONTROL_POLICY --max-items 25
You can change the number of items; in this example we used 25.
– Find which SCP policies apply to a specific account. The first step is to list all accounts in the organization:
aws organizations list-accounts
– Look for the account whose details you want and note its ID. With that ID we will now find which OU (organizational unit) it belongs to. For example, the ID in this case is: 123456789012
aws organizations list-parents --child-id 123456789012
– Again, note the OU ID (for example, in this case ou-klbr-srebil0k) and run the following command
aws organizations list-policies-for-target --target-id ou-klbr-srebil0k --filter SERVICE_CONTROL_POLICY
If there are policies applied to this OU, they will be shown.
It’s also possible that a policy is applied directly to a specific account. In that case, run the following command:
aws organizations list-policies-for-target --target-id 123456789012 --filter SERVICE_CONTROL_POLICY
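The procedure above checks the account itself and its immediate OU. SCPs are inherited from every level above an account, so the effective set is what is attached to the account, to each OU in the chain, and to the root. The following Python script is an added example (not from the original page) that generalizes the steps: it walks `list-parents` upward until it reaches the root and collects the SCPs attached at each level. The `FAKE_PARENTS` and `FAKE_SCPS` tables are a constructed organization used to exercise the logic offline (the root id `r-exm1` and the policy names are made up); the `cli_*` functions call the real CLI and assume it is configured with management-account credentials.

```python
import json
import subprocess


def aws_json(*args):
    """Run an AWS CLI command and parse its JSON output (needs configured credentials)."""
    out = subprocess.run(["aws", *args, "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def cli_list_parents(child_id):
    """Wrapper around `aws organizations list-parents --child-id ...`."""
    return aws_json("organizations", "list-parents", "--child-id", child_id)["Parents"]


def cli_list_scps(target_id):
    """Wrapper around `aws organizations list-policies-for-target ... --filter SERVICE_CONTROL_POLICY`."""
    return aws_json("organizations", "list-policies-for-target",
                    "--target-id", target_id, "--filter", "SERVICE_CONTROL_POLICY")["Policies"]


def ancestors(account_id, list_parents):
    """Return [account, ou, ..., root] by following list-parents until a ROOT is reached.
    An account or OU has exactly one parent, so Parents[0] is the only entry."""
    chain = [account_id]
    current = account_id
    while True:
        parents = list_parents(current)
        if not parents:
            break
        parent = parents[0]
        chain.append(parent["Id"])
        if parent["Type"] == "ROOT":
            break  # the root has no parent; list-parents on it would fail
        current = parent["Id"]
    return chain


def effective_scps(account_id, list_parents, list_scps):
    """Map every target in the inheritance chain to the SCP names attached to it."""
    return {target: [p["Name"] for p in list_scps(target)]
            for target in ancestors(account_id, list_parents)}


# Constructed sample organization: the account and OU ids are the ones used on this
# page; the root id and policy names are made up for the example.
FAKE_PARENTS = {
    "123456789012": [{"Id": "ou-klbr-srebil0k", "Type": "ORGANIZATIONAL_UNIT"}],
    "ou-klbr-srebil0k": [{"Id": "r-exm1", "Type": "ROOT"}],
}
FAKE_SCPS = {
    "123456789012": [],
    "ou-klbr-srebil0k": [{"Id": "p-exampleou", "Name": "DenyLeaveOrganization"}],
    "r-exm1": [{"Id": "p-FullAWSAccess", "Name": "FullAWSAccess"}],
}


def fake_list_parents(child_id):
    return FAKE_PARENTS.get(child_id, [])


def fake_list_scps(target_id):
    return FAKE_SCPS.get(target_id, [])


if __name__ == "__main__":
    # Live run against your organization; swap in fake_* to try it offline.
    for target, names in effective_scps("123456789012", cli_list_parents, cli_list_scps).items():
        print(f"{target}: {', '.join(names) or '(none)'}")
```

Remember that SCPs only ever restrict: a permission has to be allowed at every level of the chain to be usable in the account, so a deny on the OU applies even when the account itself has no policy attached.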
– List all account names in the organization and show only the ID and the name on the same line
aws organizations list-accounts | jq -r '.Accounts[] | "\(.Id) - \(.Name)"'
You can add the --profile parameter; the profile name cuenta-master used later on this page indicates that you’re using the credentials of the master or management account.
– Create a virtual MFA device
aws iam create-virtual-mfa-device --virtual-mfa-device-name mi-dispositivo-MFA --bootstrap-method QRCodePNG --outfile CodigoQR.png
{
"VirtualMFADevice": {
"SerialNumber": "arn:aws:iam::123456789012:mfa/mi-dispositivo-MFA"
}
}
– Enable an MFA device
aws iam enable-mfa-device --user-name mi-dispositivo-MFA --serial-number arn:aws:iam::123456789012:mfa/mi-dispositivo-MFA --authentication-code-1 866541 --authentication-code-2 987645
– Attach the policy to the user
aws iam attach-user-policy --user-name mi-usuario-AWS --policy-arn arn:aws:iam::123456789012:policy/AllowCreateEnableMFA
– Create the policy file with your favorite editor
vi habilitar-mfa.json
– Create the policy using the file you just created
aws iam create-policy --policy-name AllowCreateEnableMFA --policy-document file://habilitar-mfa.json
The output will look something like this (it is the response from create-policy, not the contents of habilitar-mfa.json):
{
"Policy": {
"PolicyName": "AllowCreateEnableMFA",
"PolicyId": "ABCDEFGHI5LUISN74EMXX",
"Arn": "arn:aws:iam::123456789012:policy/AllowCreateEnableMFA",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 0,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2023-04-21T23:40:35+00:00",
"UpdateDate": "2023-04-21T23:40:35+00:00"
}
}
– List all AWS accounts in the organization
aws organizations list-accounts
The output will look something like this:
{
"Accounts": [
{
"Id": "111111111111",
"Arn": "arn:aws:organizations::999999999999:account/o-4x69pob97t/111111111111",
"Email": "aws-toys@kolibers.com",
"Name": "toys",
"Status": "ACTIVE",
"JoinedMethod": "CREATED",
"JoinedTimestamp": "2020-05-27T13:36:19.045000-06:00"
},
{
"Id": "222222222222",
"Arn": "arn:aws:organizations::999999999999:account/o-4x69pob97t/222222222222",
"Email": "aws-kolibers-nonprod@kolibers.com",
"Name": "kolibers-nonprod",
"Status": "ACTIVE",
"JoinedMethod": "CREATED",
"JoinedTimestamp": "2023-01-28T15:40:25.079000-06:00"
},
{
"Id": "333333333333",
"Arn": "arn:aws:organizations::999999999999:account/o-4x69pob97t/333333333333",
"Email": "aws-apps-prod@kolibers.com",
"Name": "apps-prod",
"Status": "ACTIVE",
"JoinedMethod": "CREATED",
"JoinedTimestamp": "2022-01-25T10:38:07.487000-06:00"
},
{
"Id": "444444444444",
"Arn": "arn:aws:organizations::999999999999:account/o-3x69pob97t/444444444444",
"Email": "aws-security@kolibers.com",
"Name": "security",
"Status": "ACTIVE",
"JoinedMethod": "CREATED",
"JoinedTimestamp": "2022-04-27T13:40:07.647000-06:00"
}
]
}
– To list only the account numbers, in this example we use jq, a utility for working with JSON files.
aws organizations list-accounts | jq -r '.Accounts[] | .Id'
– List all accounts in the organization and their friendly names on the same line. In this example we use jq, a utility for working with JSON files. The --profile cuenta-master parameter is optional and will depend on your own configuration file.
aws organizations list-accounts --profile cuenta-master | jq -r '.Accounts[] | "\(.Id) - \(.Name)"'
Now the output looks like this:
111111111111 - toys
222222222222 - kolibers-nonprod
333333333333 - apps-prod
444444444444 - security
The result can be pasted into a text file for future reference, or it can be saved directly from the command line as shown below (again, the --profile cuenta-master parameter is optional and depends on your configuration file):
aws organizations list-accounts --profile cuenta-master | jq -r '.Accounts[] | "\(.Id) - \(.Name)"' > cuentas.txt
– How to get the alternate contacts for an account in the organization
aws account get-alternate-contact --alternate-contact-type=SECURITY --account-id 123456789012
You’ll get output similar to the following:
{
"AlternateContact": {
"AlternateContactType": "SECURITY",
"EmailAddress": "lmoreno@kolibers.com",
"Name": "Luis Moreno",
"PhoneNumber": "+525558765432",
"Title": "Cloud Security Architect"
}
}
– How to change AWS alternate contacts from the command line. If the command works correctly, it won’t produce any output.
aws account put-alternate-contact \
  --account-id 123456789012 \
  --alternate-contact-type=SECURITY \
  --email-address=lmoreno@kolibers.com \
  --name="Luis Moreno" \
  --phone-number="+525566778899" \
  --title="Cloud Security Architect"
– How to change the security contacts for the whole organization. First save the list of account IDs (one per line) to a file with one of the commands above, and then use a bit of Linux command-fu as shown below. To confirm the changes, run the previous command on any of the accounts.
for cuentas in $(cat accounts-numbers.txt); do
  aws account put-alternate-contact \
    --account-id "$cuentas" \
    --alternate-contact-type=SECURITY \
    --email-address=lmoreno@kolibers.com \
    --name="Luis Moreno" \
    --phone-number="+525566778899" \
    --title="Cloud Security Architect"
done
– List a user’s access keys (the --profile mi-perfil option is optional)
aws iam list-access-keys --user-name luismoreno --profile mi-perfil
– Delete an access key (the --profile mi-perfil option is optional)
aws iam delete-access-key --user-name luismoreno --access-key-id AKIA36UO4MZQN5ZZZZZZ --profile mi-perfil
– List a user’s attached policies (the --profile miperfil option is optional)
aws iam list-attached-user-policies --user-name luismoreno --profile miperfil
– Detach a policy (the --profile mi-perfil option is optional)
aws iam detach-user-policy --user-name luismoreno --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess --profile mi-perfil
– List the groups a user belongs to (the --profile miperfil option is optional)
aws iam list-groups-for-user --user-name luismoreno --profile miperfil
– List inline policies for a user (the --profile miperfil option is optional)
aws iam list-user-policies --user-name luismoreno --profile miperfil
– Remove an inline policy (the --profile miperfil option is optional)
aws iam delete-user-policy --user-name luismoreno --policy-name mi-política --profile miperfil
– Delete a user. Before you can delete the user, you must remove their access keys, attached policies, and inline policies, as shown in the previous commands.
aws iam delete-user --user-name lmorenodiagrams --profile kolibers-prod
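The commands above are the manual steps of user offboarding. The following Python script is an added example (not from the original page) that gathers everything still attached to a user and builds the ordered list of CLI commands that must run before `delete-user` succeeds. It goes slightly beyond the page's list: besides access keys, attached policies and inline policies, IAM also refuses to delete a user who is still in a group, has an MFA device or has a console password (login profile), so those are included. `SAMPLE_STATE` is a constructed state used to exercise the planner offline (key id, group and MFA serial are made up); the `gather_user_state` function calls the real CLI and assumes it is configured. By default the script only prints the plan; it executes it only with `--apply`.

```python
import json
import shlex
import subprocess


def plan_user_deletion(user, keys, attached_policies, inline_policy_names,
                       groups, mfa_devices, has_login_profile):
    """Build the ordered list of CLI commands (as argv lists) that remove every
    dependency blocking delete-user, ending with the deletion itself."""
    iam = ["aws", "iam"]
    plan = []
    for k in keys:
        plan.append(iam + ["delete-access-key", "--user-name", user,
                           "--access-key-id", k["AccessKeyId"]])
    for p in attached_policies:
        plan.append(iam + ["detach-user-policy", "--user-name", user,
                           "--policy-arn", p["PolicyArn"]])
    for name in inline_policy_names:
        plan.append(iam + ["delete-user-policy", "--user-name", user, "--policy-name", name])
    for g in groups:
        plan.append(iam + ["remove-user-from-group", "--user-name", user,
                           "--group-name", g["GroupName"]])
    for m in mfa_devices:
        plan.append(iam + ["deactivate-mfa-device", "--user-name", user,
                           "--serial-number", m["SerialNumber"]])
    if has_login_profile:
        plan.append(iam + ["delete-login-profile", "--user-name", user])
    plan.append(iam + ["delete-user", "--user-name", user])
    return plan


def aws_json(*args):
    """Run an AWS CLI command and parse its JSON output (needs configured credentials)."""
    out = subprocess.run(["aws", *args, "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def gather_user_state(user):
    """Query IAM for everything attached to the user, using the list commands from this page."""
    try:
        aws_json("iam", "get-login-profile", "--user-name", user)
        has_login = True
    except subprocess.CalledProcessError:
        has_login = False  # get-login-profile fails when the user has no console password
    return dict(
        keys=aws_json("iam", "list-access-keys", "--user-name", user)["AccessKeyMetadata"],
        attached_policies=aws_json("iam", "list-attached-user-policies",
                                   "--user-name", user)["AttachedPolicies"],
        inline_policy_names=aws_json("iam", "list-user-policies", "--user-name", user)["PolicyNames"],
        groups=aws_json("iam", "list-groups-for-user", "--user-name", user)["Groups"],
        mfa_devices=aws_json("iam", "list-mfa-devices", "--user-name", user)["MFADevices"],
        has_login_profile=has_login,
    )


# Constructed sample state for one user (all values made up for the example).
SAMPLE_STATE = dict(
    keys=[{"AccessKeyId": "AKIAEXAMPLE000000001"}],
    attached_policies=[{"PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}],
    inline_policy_names=["mi-politica"],
    groups=[{"GroupName": "developers"}],
    mfa_devices=[{"SerialNumber": "arn:aws:iam::123456789012:mfa/luismoreno"}],
    has_login_profile=True,
)


if __name__ == "__main__":
    import sys
    user = sys.argv[1]
    apply = "--apply" in sys.argv
    for cmd in plan_user_deletion(user, **gather_user_state(user)):
        print(shlex.join(cmd))  # dry run: show every step before doing anything
        if apply:
            subprocess.run(cmd, check=True)
```

Review the printed plan before re-running with `--apply`; deactivating the MFA device and deleting the login profile are the steps that lock the person out, so they come last, right before the user record itself is removed.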