# AWS CLI Cheat Sheet

[AWS CLI Reference Documentation](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/index.html#available-services)

## Setup

```sh
# CLI command structure
aws <service> <action> --region <region> --profile <profileName>

# Configure the AWS CLI: default profile, a named profile, and adding a session token to a profile
aws configure
aws configure --profile <nameOfProfile>
aws configure set aws_session_token <sessionToken> --profile <nameOfProfile>

# Whoami: which account and user/role the current credentials belong to
aws sts get-caller-identity
```

## IAM Commands

### Users/Roles/Groups

```sh
# list iam users
aws iam list-users

# list iam roles
aws iam list-roles

# list iam groups
aws iam list-groups

# list all iam access keys for a user
aws iam list-access-keys --user-name <iamUserName> --profile <awsProfile>

# create iam access keys
aws iam create-access-key --user-name <iamUserName> --profile <awsProfile>

# assume an iam role (returns temporary AccessKeyId/SecretAccessKey/SessionToken;
# load them into a profile with `aws configure` / `aws configure set` as shown in Setup)
aws sts assume-role --role-arn <arnIamRole> --role-session-name <whatever> --profile <awsProfile>
```

### Policies

#### User Enumeration

```bash
# list iam Inline policies attached to user
aws iam list-user-policies --user-name <user>

# list iam Managed policies attached to user
aws iam list-attached-user-policies --user-name <user>
```

#### Role Enumeration

```bash
# view the role's trust policy (which principals are allowed to assume it)
aws iam get-role --role-name <roleName> --query 'Role.AssumeRolePolicyDocument'

# list Inline policies attached to role
aws iam list-role-policies --role-name <roleName>

# list Managed policies attached to role
aws iam list-attached-role-policies --role-name <roleName>
```

#### Policy Enumeration

```sh
# view Managed policy info (DefaultVersionId is the version that is actually enforced)
aws iam get-policy --policy-arn <policyArn>

# view available versions of a policy (a non-default version can be more permissive than the default)
aws iam list-policy-versions --policy-arn <policyArn>

# view the policy document (actions/resources) for a particular version
aws iam get-policy-version --policy-arn <policyArn> --version-id <versionId>

# view Inline policy attached to a user
aws iam get-user-policy --user-name <user> --policy-name <policyName>

# make a specific version the default (enforced) version; requires iam:SetDefaultPolicyVersion
aws iam set-default-policy-version --policy-arn <policyArn> --version-id <versionId>
```
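Added example, not part of the original cheat sheet: a small Python evaluator for the document that `aws iam get-policy-version` returns (`PolicyVersion.Document`), so every version listed by `list-policy-versions`, not only the default, can be checked for what it allows before anyone with `iam:SetDefaultPolicyVersion` makes it live. The sample policy and account id are constructed, and the evaluator is a simplified model (no Condition, NotAction/NotResource or Principal handling).

```python
import fnmatch
import json

# Constructed sample shaped like PolicyVersion.Document in `aws iam get-policy-version` output.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "arn:aws:iam::123456789012:user/app-*"},
    {"Effect": "Deny", "Action": "iam:SetDefaultPolicyVersion", "Resource": "*"}
  ]
}""")

def _as_list(value):
    # IAM accepts a single string or a list for Statement, Action and Resource
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, case_sensitive):
    # IAM wildcards: '*' is any run of characters, '?' one character.
    # Action names match case-insensitively; resource ARNs are case-sensitive.
    patterns = _as_list(patterns)
    if not case_sensitive:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def evaluate(doc, action, resource):
    """Return 'allow', 'deny' (explicit) or 'implicit-deny' for one action/resource pair.
    Simplified model: Condition, NotAction, NotResource and Principal are not handled."""
    decision = "implicit-deny"
    for stmt in _as_list(doc["Statement"]):
        # a statement without Action/Resource (e.g. the NotAction form) is skipped in this model
        if not _matches(stmt.get("Action", []), action, case_sensitive=False):
            continue
        if not _matches(stmt.get("Resource", []), resource, case_sensitive=True):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # an explicit deny always wins, so stop immediately
        decision = "allow"  # remember the allow, but keep looking for a deny
    return decision

def overbroad_statements(doc):
    """Indexes of Allow statements granting '*' or a whole service ('svc:*') on Resource '*'."""
    hits = []
    for i, stmt in enumerate(_as_list(doc["Statement"])):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action", []))):
            hits.append(i)
    return hits
```

Run `evaluate` over the document of each version returned by `list-policy-versions` and compare the results to spot a dormant version that grants more than the default.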

## Identity Center Commands

{% code overflow="wrap" %}

```bash
# list Identity Center instance, returns ARN
aws sso-admin list-instances --region <region>

# view permission sets
aws sso-admin list-permission-sets --instance-arn <instanceARN> --region <region>

# view permission set details
aws sso-admin describe-permission-set --instance-arn <instanceARN> --permission-set-arn <permissionSetARN>

# view Inline policy for permission set
aws sso-admin get-inline-policy-for-permission-set --instance-arn <instanceARN> --permission-set-arn <permissionSetARN>
```

{% endcode %}

## S3

{% code overflow="wrap" %}

```bash
# list bucket contents (--no-sign-request sends an unauthenticated request; only works if the bucket allows anonymous access)
aws s3 ls s3://<bucketName> --recursive --no-sign-request

# copy files
aws s3 cp s3://<bucketName> /local/path/download --recursive --no-sign-request
aws s3 cp s3://<bucketName>/object /local/path/download --no-sign-request

# list object versions (only present when bucket versioning is enabled; older versions of overwritten or deleted objects may still exist)
aws s3api list-object-versions --bucket <bucketName>

# download a particular version of an object to a local file
aws s3api get-object --bucket <bucketName> --key "object/object" --version-id <versionID> <localFileName>
```

{% endcode %}

## SSM

* There are several ways to select the target instances; see the [Docs](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ssm/send-command.html#options)

{% code overflow="wrap" %}

```bash
# remote code execution: run a shell command on one or more managed instances
aws ssm send-command \
    --document-name "AWS-RunShellScript" \
    --parameters 'commands=["echo HelloWorld"]' \
    --targets "Key=instanceids,Values=i-1234567890abcdef0,<instanceId2>,<instanceId3>" \
    --comment "echo HelloWorld"

# view command log, useful if command failed
aws ssm list-command-invocations \
    --instance-id "<instanceId>" \
    --command-id "<commandId>" \
    --details

# run a base64-encoded command (decoded on the instance before execution)
aws ssm send-command \
    --instance-ids "<instanceId>" \
    --document-name "<name>" \
    --comment "<comment>" \
    --parameters '{"commands":["echo <base64EncodedCommand> | base64 -d | bash"]}'
```

{% endcode %}
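Added example, not part of the original cheat sheet: when reviewing the `commands` parameter of a SendCommand call (the shape shown in the last command above), an investigator needs to see the plaintext behind the `echo <base64> | base64 -d | bash` wrapper. This Python helper, with a constructed sample parameter set, flags and decodes such entries and keeps reporting a wrapper even when its base64 is malformed.

```python
import base64
import re

# Matches the wrapper shape `echo <base64> | base64 -d | bash` (also `-n`, `--decode`, `sh`)
_WRAPPED = re.compile(
    r"""echo\s+(?:-n\s+)?['"]?([A-Za-z0-9+/=]+)['"]?\s*\|\s*base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh\b"""
)

# Constructed sample: the first entry is a plain command, the second wraps a harmless one
SAMPLE_HIDDEN = base64.b64encode(b"echo HelloWorld").decode()
SAMPLE_PARAMETERS = {"commands": ["uptime", f"echo {SAMPLE_HIDDEN} | base64 -d | bash"]}

def decode_wrapped_commands(parameters):
    """For each entry in the `commands` parameter of a SendCommand call, report
    whether it is a base64 wrapper and, if so, the decoded plaintext
    (None when the base64 payload does not decode)."""
    results = []
    for cmd in parameters.get("commands", []):
        m = _WRAPPED.search(cmd)
        if not m:
            results.append({"command": cmd, "encoded": False, "decoded": None})
            continue
        try:
            # validate=True rejects non-alphabet characters; bad padding raises too
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a subclass of ValueError
            decoded = None
        results.append({"command": cmd, "encoded": True, "decoded": decoded})
    return results
```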

## Secrets Manager

```bash
# list stored secrets
aws secretsmanager list-secrets

# read a secret
aws secretsmanager get-secret-value --secret-id <name>

# read a secret (version, when available)
aws secretsmanager get-secret-value --secret-id <name> --version-id <versionId>
```

## DynamoDB

```bash
# list tables
aws dynamodb list-tables

# read tables
aws dynamodb scan --table-name <name>
```
