47 min read

What is the AWS CLI?

November 4, 2021

What is the AWS CLI

The AWS Command Line Interface (CLI) is a downloadable tool that you can use to manage your AWS services.

The CLI can be downloaded and when installed is integrated into your Windows, MacOS or Linux terminal.

A new “aws” command is then available to execute instructions to AWS to perform the functions you can from the AWS console, like provisioning EC2 instances, moving files into S3 buckets etc.

The advantage the CLI has over navigating through the AWS console, is that you can place your CLI commands into scripts, so that lots of repetitive tasks that you may need to perform frequently, like stopping all your EC2 instance at the end of the day can be automated.

To install the AWS CLI you can go to https://aws.amazon.com/cli/


On the right hand side of the screen you will find the download instructions for Windows, MacOS or Linux. If you are using Amazon Linux, the AWS CLI comes pre-installed.

Selecting the MacOS option downloads the latest PKG installer package. At the time of writing, this is called AWSCLIV2.pkg

Double click the PKG file to execute the installation:


This will step through the installation Readme, Licence Details:


You will be provided with the chance to read the licence


The next step is to review the installation type. If you already have an older version of the CLI installed, the installer will detect it and indicate the installation will be an upgrade:


From there you select “install” and the AWS CLI will be installed.


To verify your installation has been successfully installed, you can open a terminal window and enter an aws help command like:

aws help --version


Configure the AWS CLI

Now you have the CLI installed, before you can use it with your AWS account, you will need to use the aws configure command to associate an AWS account with your CLI.

To do this create or open an IAM user account and copy the Access Key ID and the AWS Secret Access Key for the user.

In this instance, I will create a new IAM user called “MyCLI”



Then you can give the new user the same permissions as an existing user, add the new user to an existing user group, or select and attach some existing permission policies to the user - in this case we’ll select a few existing policies like EC2 and S3 permissions.


Then I can review the settings and create the user.


Once the user is created, we need to grab the Access Key ID and the Secret Access Key that is displayed on the success page.

You need to do this now as once you navigate away from this page, the secret key will no longer show anywhere. There is an option to download these details as a CSV, which is the best option.


Now you have the IAM credentials, you need to establish which region your account is set up in. The easiest way is to go to the AWS console home page. The region is displayed in the top right of the header menu bar.

In this example, you can see my account is set up in us-east-1


Now we have the necessary information to configure the CLI.

From the terminal window you need to enter “aws configure”

You will then get prompted for the access key id, secret key, region and the output format you would like the CLI to return details in. In the example below, i’ve asked for JSON 


You can think of AWS Configure as the command line interface login. Once logged in, you can start interacting with your AWS resources.

A good starting point is to type “aws help” and read through the help documentation. This will give you a run through of the available options.


The format of the AWS CLI is:

aws [options]  <command>  <subcommand> [parameters]

The CLI can be used to interact with most AWS services, these include;

accessanalyzer compute-optimizer greengrass marketplace-entitlement s3api
account configservice greengrassv2 marketplacecommerceanalytics s3control
acm configure groundstation mediaconnect s3outposts
acm-pca Connect guardduty mediaconvert sagemaker
alexaforbusiness connect-contact-lens health medialive
amp connectparticipant healthlake mediapackage
amplify cur help mediapackage-vod
amplifybackend customer-profiles history mediastore
apigateway databrew honeycode mediastore-data savingsplans
apigatewaymanagementapi dataexchange iam mediatailor schemas
apigatewayv2 datapipeline identitystore memorydb sdb
appconfig datasync imagebuilder meteringmarketplace
appflow dax importexport mgh securityhub
appintegrations ddb inspector mgn serverlessrepo
application-autoscaling deploy iot migrationhub-config service-quotas
application-insights detective iot-data mobile servicecatalog
applicationcostprofiler devicefarm iot-jobs-data mq
appmesh devops-guru iot1click-devices mturk
apprunner directconnect iot1click-projects mwaa ses
appstream discovery iotanalytics neptune sesv2
appsync dlm iotdeviceadvisor network-firewall shield
athena dms iotevents networkmanager signer
auditmanager docdb iotevents-data nimble sms
autoscaling ds iotfleethub opensearch
autoscaling-plans dynamodb iotsecuretunneling opsworks snowball
backup dynamodbstreams iotsitewise opsworks-cm sns
batch ebs iotthingsgraph organizations sqs
braket ec2 iotwireless outposts ssm
budgets ec2-instance-connect ivs panorama ssm-contacts
ce ecr kafka personalize ssm-incidents
chime ecr-public kafkaconnect personalize-events sso
chime-sdk-identity ecs kendra personalize-runtime sso-admin
chime-sdk-messaging efs kinesis pi sso-oidc
cli-dev eks kinesis-video-archived-media pinpoint stepfunctions
cloud9 elastic-inference kinesis-video-media pinpoint-email
cloudcontrol elasticache kinesis-video-signaling pinpoint-sms-voice sts
clouddirectory elasticbeanstalk kinesisanalytics polly support
cloudformation elastictranscoder kinesisanalyticsv2 pricing swf
cloudfront elb kinesisvideo proton synthetics
cloudhsm elbv2 kms qldb textract
cloudhsmv2 emr lakeformation qldb-session
cloudsearch emr-containers lambda quicksight
cloudsearchdomain es lex-models ram transcribe
cloudtrail events lex-runtime rds transfer
cloudwatch finspace lexv2-models rds-data Translate
codeartifact finspace-data lexv2-runtime redshift voice-id
codebuild firehose license-manager redshift-data waf
codecommit fis lightsail rekognition waf-regional
codeguru-reviewer fms location resource-groups wafv2
codeguruprofiler forecast logs resourcegroupstaggingapi wellarchitected
codepipeline forecastquery lookoutequipment robomaker wisdom
codestar frauddetector lookoutmetrics route53 workdocs
codestar-connections fsx lookoutvision route53-recovery-cluster worklink
codestar-notifications gamelift machinelearning route53-recovery-control-config workmail
cognito-identity glacier macie route53-recovery-readiness
cognito-idp globalaccelerator macie2 route53domains workspaces
cognito-sync glue managedblockchain route53resolver xray
comprehend grafana marketplace-catalog s3  


You can use the CLI to interrogate your AWS services.

Lets see what S3 buckets I have using “aws s3 ls


We can also easily list the contents of one of the buckets ie: “aws s3 ls 425magfiles”


You can see all the available commands for each service by typing “aws [service name] help

Or you can view the CLI documentation here : 


We can for instance list out our VPCs in JSON format (my default) by using the “aws EC2 describe-vpcs” command


Or look at the subnets I have configured using “aws EC2 describe-subnets


To see all the available subcommands for a service you can type help after the service name to bring up the CLI help for that service - for instance “aws EC2 help


Here you can see the available commands like ‘allocate-address’ which is followed by pages and pages of available commands you can execute from the command line.

So let's do something more practical. 

Launch an EC2 Instance using the AWS CLI

To launch an EC2 instance using the CLI we are going to need a key pair, the AMI ID of the EC2 instance type we want to launch and the instance size to launch.

First of all we’ll take a look in the console at the existing keypairs in the EC2 service console.


Now we can use the CLI to create a new Key Pair using :

aws ec2 create-key-pair --key-name MyCLIKeyPair --query 'KeyMaterial' --output text > MyCLIKeyPair.pem

This command will create a new key pair and then save the details locally in the .pem file


Now if we check the key pairs in the EC2 console (after refreshing the page) we can see the freshly created key pair.


We could also verify this using the CLI using the “aws ec2 describe-key-pairs” command


Now we can get the machine image ID of the EC2 instance we want to create. The easiest way is to go to launch instance in the EC2 dashboard and get to the “Choose an AMI” page and find the machine image type you wish to deploy.

In this example we’ll choose an Amazon Linux 2 AMI  (AMI Id - ami-01cc34ab2709337aa)


Then if I select it, it will give me a list of the available instance types. In this case, we’ll run with t2.micro

ami_instance_typeI can now exit out of the launch instance and return to the terminal window armed with the information needed to create the EC2 instance using the CLI

The parameters we will use with the run-instances command will be:

  • --image-id         -   ami-01cc34ab2709337aa  
  • --instance-type -   t2.micro
  • --count               -  2    (you can specify 1 or more to deploy multiple instances)
  • --key-name        -   MyCLIKeyPair

We could also specify a security group, however we’ll omit this so that AWS will use the default security group for our VPC

So if we look at my EC2 instances prior to executing the CLI command:


Now we’ll execute our command:

aws ec2 run-instances --image-id ami-01cc34ab2709337aa  --instance-type t2.micro --count 2 --key-name MyCLIKeyPair


Now in we take a look at the EC2 Instances Dashboard 


We could of course use the CLI to view the running instances using “aws ec2 describe-instances” which will return a JSON file with tons of information related to the running EC2 instances.

You can manipulate existing resources from the CLI. Say for example we wanted to add some tags to an existing instance, we could do something like:


Now if we look at the console and refresh, we can see the added tag


Now Jeff has enough cash to hop on a rocket into space, so we’ll clean up the instances we just created to stop the billing.

We do this using the terminate-instances command:


Now if we look into the console, we can see the 2 instances have been terminated.


We can also clean up the key pairs using : 

aws ec2 delete-key-pair --key-name MyCLIKeyPair 

Using the AWS CLI with S3

Moving files to and from S3 from a local machine is probably one of the major uses of the CLI.

As mentioned previously, we can list all our S3 buckets using:

AWS S3 ls


To create a new bucket we can use the mb (make bucket) command. The bucket name needs to be unique on S3 (not just your account)

aws s3 mb s3://my-hava-backups


Now if we check again, we can see the new bucket has been created.


Now you can move files in and out of the bucket using the cp command like:

aws s3 cp  localfile.txt s3://my-hava-backups


Or you could request a new folder be created during the copying process/

aws s3 cp  localfile.txt s3://my-hava-backups/new-folder

You can use the sync command to move the entire contents of a folder to or from S3

Aws s3 sync Downloads s3://my-hava-backups/downloads-backup

If you delete files locally and repeat the sync process, the files on S3 will not be deleted, however if you add the delete flag, the sync process will remove any files in S3 that are no longer present in your local folder:

Aws s3 sync Downloads s3://my-hava-backups/downloads-backup  --delete

To retrieve files back from S3 to your local machine, you simply reverse the source and the target

Aws s3 sync s3://my-hava-backups/downloads-backup Downloads

Other popular S3 CLI commands are:

rm - delete a file

mv - move a file

To clean up the bucket, we’ll need to use the “rb” remove bucket command. As a default, aws will not allow you to remove a bucket that has any files in it. If we attempted to rb a bucket with contents, we would get a “The bucket you tried to delete is not empty” error.

You can utilise the --force flag to delete a bucket with files in it.


So there we have it, a quick run through of the AWS Command Line Interface and some of the typical commands you are likely to encounter.

You can get more in depth details of all the commands available in the AWS CLI user guide which you can find here : https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html

If you are building on AWS and would like to automate your network topology diagrams, security group diagrams and aws well architected compliance reporting by simply attaching a cross-account role to Hava, we invite you to take a free trial using the button below.

Try Hava For Free Today!


Team Hava

Written by Team Hava

The Hava content team