The AWS CLI is the foundation of any cloud engineer's toolkit. It lets you manage AWS resources from your terminal, automate tasks with scripts, and integrate AWS operations into CI/CD pipelines. Here's a complete setup guide.
Why Use the CLI?
The AWS Console is fine for exploration, but the CLI is where real productivity lives:
- Automation -- Script repetitive tasks instead of clicking through the console
- Reproducibility -- CLI commands can be version-controlled and shared
- Speed -- Most operations are faster from the terminal
- Integration -- Combine with shell scripts, CI/CD pipelines, and other tools
Step 1: Install AWS CLI
macOS
brew install awscli
Windows
Download the MSI installer from aws.amazon.com/cli and run it.
Linux
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
Verify
aws --version
Step 2: Configure Credentials
Run the interactive setup:
aws configure
You'll be prompted for four values:
AWS Access Key ID: YOUR_ACCESS_KEY
AWS Secret Access Key: YOUR_SECRET_KEY
Default region name: us-east-1
Default output format: json
This creates two files: ~/.aws/credentials (your keys) and ~/.aws/config (your preferences).
Tip: Use named profiles for multiple accounts:
aws configure --profile production
aws configure --profile development
Then use --profile production with any command, or set export AWS_PROFILE=production in your shell.
Step 3: Create an IAM User (Best Practice)
Never use root account credentials. Create a dedicated IAM user:
Via CLI
# Create user
aws iam create-user --user-name deploy-user
# Attach a policy (PowerUserAccess grants full access to most services apart from IAM management; use a least-privilege policy in production)
aws iam attach-user-policy \
--user-name deploy-user \
--policy-arn arn:aws:iam::aws:policy/PowerUserAccess
# Generate access keys
aws iam create-access-key --user-name deploy-user
Save the AccessKeyId and SecretAccessKey from the output -- you won't see the secret key again.
Via Console
- Go to IAM in the AWS Console
- Click Users, then Add User
- Select "Programmatic access"
- Attach policies or add to a group
- Download the credentials CSV
Step 4: Essential Commands
Once configured, here are the commands you'll use daily:
# Identity -- verify who you're authenticated as
aws sts get-caller-identity
# S3 -- list buckets
aws s3 ls
# S3 -- copy a file
aws s3 cp myfile.txt s3://my-bucket/
# S3 -- sync a directory
aws s3 sync ./build s3://my-website-bucket --delete
# EC2 -- list running instances
aws ec2 describe-instances \
--filters "Name=instance-state-name,Values=running" \
--query "Reservations[].Instances[].[InstanceId,InstanceType,Tags[?Key=='Name'].Value|[0]]" \
--output table
# CloudFormation -- list stacks
aws cloudformation list-stacks --stack-status-filter CREATE_COMPLETE
# Lambda -- invoke a function
aws lambda invoke --function-name my-function output.json
Step 5: Level Up with JMESPath Queries
The --query parameter uses JMESPath syntax to filter JSON output. This is incredibly powerful:
# Get just instance IDs of running instances
aws ec2 describe-instances \
--query "Reservations[].Instances[?State.Name=='running'].InstanceId[]" \
--output text
# Get all S3 buckets created on or after a fixed date (set the date to 30 days ago for a "last 30 days" view)
aws s3api list-buckets \
--query "Buckets[?CreationDate>='2024-04-01'].Name" \
--output table
Security Best Practices
- Never commit credentials -- Add ~/.aws/ to your global gitignore
- Use IAM roles over access keys when possible (especially for EC2 and Lambda)
- Enable MFA on your IAM user
- Rotate access keys regularly (every 90 days minimum)
- Use least-privilege policies -- Start with minimal permissions and add as needed
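One way to replace the PowerUserAccess attachment from Step 3 with a policy scoped to the `aws s3 sync ./build s3://my-website-bucket --delete` deploy from Step 4. This is an added example, not code from the original guide; the policy name deploy-website-sync is hypothetical, and it assumes deploy-user only needs to upload to that one bucket.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# Assumed/hypothetical name: policy "deploy-website-sync".

# Print a policy document granting only what `aws s3 sync --delete`
# needs when uploading to a single bucket.
deploy_policy_json() {
  bucket="$1"
  # Accept only bucket-name characters so the value cannot break the JSON.
  case "$bucket" in
    ''|*[!a-z0-9.-]*) echo "invalid bucket name: $bucket" >&2; return 1 ;;
  esac
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListSiteBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::${bucket}"
    },
    {
      "Sid": "WriteSiteObjects",
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::${bucket}/*"
    }
  ]
}
EOF
}

# Create the scoped policy, attach it, then detach the broad managed policy.
scope_deploy_user() {
  user="$1"; bucket="$2"; policy_name="$3"
  doc=$(deploy_policy_json "$bucket") || return 1
  arn=$(aws iam create-policy --policy-name "$policy_name" \
    --policy-document "$doc" --query Policy.Arn --output text) || return 1
  aws iam attach-user-policy --user-name "$user" --policy-arn "$arn" || return 1
  aws iam detach-user-policy --user-name "$user" \
    --policy-arn arn:aws:iam::aws:policy/PowerUserAccess
}

# Usage (needs credentials allowed to manage IAM):
#   scope_deploy_user deploy-user my-website-bucket deploy-website-sync
```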