Why do we need AWS CLI?
  • Suppose you have multiple services in AWS and you want to manage them from a terminal session. You can configure the AWS CLI and manage your AWS services from that terminal session.
  • You can control them and automate them as per business requirement.
What is AWS CLI?
  • The AWS Command Line Interface (CLI) is a unified tool to manage your AWS services. With just one tool to download and configure, you can control multiple AWS services from the command line and automate them through scripts.
  • Now let's see this in practice through a lab. We will connect with the AWS CLI and use services like S3 and EC2.
  • Step 1: Login to AWS Console. Navigate to IAM service.

Step 2: Navigate to User and create user.

  • Click the Users link in the left pane. Enter the user name, mark the checkbox, and click Next to set permissions.
  • Step 3: Create Group: Provide a group name and select AdministratorAccess. Click on Create Group.
  • Group is created.

Step 4: Click on next and user is created.

  • Here we can find the Access Key ID and Secret Access Key; download the CSV file.

Step 5: Create an EC2 instance and connect to it from the command line.

How to install AWS CLI?

sudo apt-get install -y python-dev python-pip
sudo pip install awscli
aws --version
aws configure

install AWS CLIv2

curl "" -o ""
sudo ./aws/install

How to log in to the EC2 instance through the command line?
  • At the end, we will get the EC2 prompt below:
  • [ec2-user@ip-172-11-1-111 ~]$
  • Type the command aws s3 ls to see S3 buckets.
  • If it fails, it means the CLI is not configured yet. So now let's configure the AWS CLI.
  • Type the command:
    • aws configure
  • After this command, it will ask for the details above:
    • Access Key ID
    • Secret Access Key
    • Default region name
    • Default output format
  • Now type the command:
  • aws s3 ls
  • It will list all S3 buckets present in the AWS region.
  • Now let's navigate to root.
  • And move to the directory


  • Then list it out with the ls command.
  • It will list config and credentials.
  • We can see the credential details through the command below:

nano credentials
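To show what aws configure leaves on disk, and why the later answer on this page prefers roles over stored keys, here is an added Python example (not code from the original page) that parses constructed credentials and config files in the ~/.aws format and reports how each profile authenticates. The profile names, key IDs, secret and role ARN are placeholders.

```python
import configparser

# Constructed samples in the format "aws configure" writes to ~/.aws/credentials and
# ~/.aws/config; key IDs, the secret and the role ARN are placeholders, not real values.
CREDENTIALS_TEXT = """
[default]
aws_access_key_id = AKIAEXAMPLEKEY000001
aws_secret_access_key = EXAMPLE-SECRET-PLACEHOLDER

[ops]
aws_access_key_id = AKIAEXAMPLEKEY000002
aws_secret_access_key = EXAMPLE-SECRET-PLACEHOLDER
"""

CONFIG_TEXT = """
[default]
region = ap-southeast-2

[profile deploy]
region = ap-southeast-2
role_arn = arn:aws:iam::123456789012:role/DeployRole
source_profile = default

[profile sso-admin]
sso_start_url = https://example.awsapps.com/start
sso_region = ap-southeast-2
"""

def classify_profiles(credentials_text, config_text):
    """Return {profile: auth_type}: 'static-key' (long-lived key on disk),
    'assumed-role', 'sso', or 'no-credentials' (region/output only)."""
    creds = configparser.ConfigParser()
    creds.read_string(credentials_text)
    conf = configparser.ConfigParser()
    conf.read_string(config_text)
    result = {}
    for section in conf.sections():
        # the config file names profiles "[profile x]"; only default has no prefix
        name = section[len("profile "):] if section.startswith("profile ") else section
        if "role_arn" in conf[section]:
            result[name] = "assumed-role"
        elif "sso_start_url" in conf[section]:
            result[name] = "sso"
        else:
            result[name] = "no-credentials"
    for section in creds.sections():
        # a key in the credentials file wins: that profile carries a static secret
        if "aws_access_key_id" in creds[section]:
            result[section] = "static-key"
    return result
```

Profiles reported as static-key are the ones whose secrets sit on the instance in plaintext; those are the candidates to move to an instance role.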

Question: Which AWS CLI command is used to retrieve Cost Explorer data?

Ans – aws ce get-cost-and-usage

list all trails

aws cloudtrail describe-trails

list all S3 buckets

aws s3 ls

How will you create a RDS Subnet Group through AWS CLI?
--db-subnet-group-name <value>
--db-subnet-group-description <value>
--subnet-ids <value>
[--tags <value>]
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]

aws rds create-db-subnet-group \
--db-subnet-group-name cloudvikas \
--db-subnet-group-description "cloudvikas subnet group" \
--subnet-ids $Subnet1ID $Subnet2ID
Explain few points about AWS Availability Zones.
  • In AWS, each region has many availability zones
    (usually 3, min is 2, max is 6). Example:
    • ap-southeast-2a
    • ap-southeast-2b
    • ap-southeast-2c
  • Each availability zone (AZ) is one or more discrete data centers with redundant power, networking, and connectivity
  • They're separate from each other
  • They're isolated from disasters.
  • They're connected with high-bandwidth, ultra-low-latency networking.
create a new trail

aws cloudtrail create-subscription \
--name awslog \
--s3-new-bucket awslog2016

list the names of all trails

aws cloudtrail describe-trails --output text | cut -f 8

get the status of a trail

aws cloudtrail get-trail-status \
--name awslog
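An added Python example (not from the original page) that takes the describe-trails and get-trail-status output used above and flags trails that would leave gaps in the audit record; it also reads the trail name by field instead of by column position as the cut -f 8 pipeline does. The trail list, status objects, account ID and ARNs are constructed placeholders.

```python
# Constructed samples in the shape of "aws cloudtrail describe-trails" and
# "aws cloudtrail get-trail-status" output; account ID, ARNs and bucket names are placeholders.
DESCRIBE_TRAILS = {"trailList": [
    {"Name": "awslog", "S3BucketName": "awslog2016", "HomeRegion": "ap-southeast-2",
     "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
     "TrailARN": "arn:aws:cloudtrail:ap-southeast-2:123456789012:trail/awslog"},
    {"Name": "legacy", "S3BucketName": "legacy-logs", "HomeRegion": "ap-southeast-2",
     "IsMultiRegionTrail": False, "LogFileValidationEnabled": False,
     "TrailARN": "arn:aws:cloudtrail:ap-southeast-2:123456789012:trail/legacy"},
]}
# keyed by trail name -> the get-trail-status object for that trail
TRAIL_STATUS = {
    "awslog": {"IsLogging": True},
    "legacy": {"IsLogging": False},
}

def trail_findings(trails, status):
    """Return {trail_name: [findings]} for trails that are not logging, cover a
    single region only, or have log file validation disabled."""
    report = {}
    for trail in trails["trailList"]:
        name = trail["Name"]
        problems = []
        # a trail with no status entry is treated as not logging
        if not status.get(name, {}).get("IsLogging", False):
            problems.append("not logging")
        if not trail.get("IsMultiRegionTrail", False):
            problems.append("single-region only")
        if not trail.get("LogFileValidationEnabled", False):
            problems.append("log file validation disabled")
        if problems:
            report[name] = problems
    return report

def trail_names(trails):
    """Equivalent of 'describe-trails --output text | cut -f 8' that does not
    depend on the column order of the text output."""
    return [t["Name"] for t in trails["trailList"]]
```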

How to create a RDS Parameter Group using AWS CLI?
aws rds create-db-cluster-parameter-group \
--db-cluster-parameter-group-name cloudvikas \
--db-parameter-group-family aurora-postgresql10 \
--description "cloudvikas DB Cluster parameter group"
How to Create a VPC security group for the database?
DBcloudSecurityGroupId=$(aws ec2 create-security-group \
--group-name AWScloudvikas \
--description "Aurora Serverless vikas Security Group" \
--vpc-id $VPCId --output text --query GroupId)
delete a trail

aws cloudtrail delete-trail \
--name awslog

delete the S3 bucket of a trail

aws s3 rb s3://awslog2016 --force

add tags to a trail, up to 10 tags

aws cloudtrail add-tags \
--resource-id awslog \
--tags-list "Key=log-type,Value=all"

list the tags of a trail

aws cloudtrail list-tags \

delete a group

aws iam delete-group \
–group-name FullAdmins

How to Create a database cluster using CLI?
aws rds create-db-cluster \
--db-cluster-identifier cloudvikasdb \
--engine aurora-postgresql \
--engine-mode serverless \
--engine-version 10.16 \
--db-cluster-parameter-group-name cloudvikasdbparamgroup \
--master-username user \
--master-user-password $MasterPassword \
--db-subnet-group-name cloudvikasdbsubnetgroup \
--vpc-security-group-ids $DBSecurityGroupId
list existing S3 buckets

aws s3 ls

create a bucket name, using the current date timestamp

# S3 bucket names allow only lowercase letters, digits, dots and hyphens, so the timestamp uses hyphens
bucket_name=test-$(date "+%Y-%m-%d-%H-%M-%S")
echo $bucket_name

list all security groups

aws ec2 describe-security-groups

create a security group

aws ec2 create-security-group \
--vpc-id vpc-1aert3c4d \
--group-name web-access \
--description "web access"

list details about a security group

aws ec2 describe-security-groups \
--group-id sg-0000000

create a public facing bucket (the public-read-write ACL lets anyone on the internet read and write objects; new buckets have S3 Block Public Access enabled by default, which rejects this ACL)

aws s3api create-bucket --acl "public-read-write" --bucket $bucket_name

delete a security group

aws ec2 delete-security-group \
--group-id sg-000000123

How to delete the RDS database cluster?
aws rds delete-db-cluster \
--db-cluster-identifier cloudvikas01 \
remove a tag from a trail

aws cloudtrail remove-tags \
--resource-id awslog \
--tags-list "Key=log-type,Value=all"

delete an AMI, by ImageId

aws ec2 deregister-image --image-id ami-00000000

list all instances running

aws ec2 describe-instances --filters Name=instance-state-name,Values=running

How to delete the RDS Subnet Group?
aws rds delete-db-subnet-group \
--db-subnet-group-name cloudvikas01
How to delete the security group for the database?
aws ec2 delete-security-group \
--group-id $DBSecurityGroupId01
terminate an instance (terminate-instances destroys the instance; it does not merely stop it)

aws ec2 terminate-instances \

create new user

aws iam create-user \
--user-name aws-adminvikas

Which AWS IAM feature allows developers to access AWS services through the AWS CLI?

Ans:-Access keys

You would like to deploy an AWS lambda function using the AWS CLI. Before deploying what needs to be done?

Ans:-Package the local artefacts to S3 using cloudformation package CLI command

list all users

aws iam list-users --no-paginate

get a specific user’s info

aws iam get-user \
--user-name aws-adminvikas

You want to gradually migrate data directly from an on-prem RAID10 file server to S3 without moving it to other storage first. Which aws service will you use?

Correct Answer: AWS CLI

add a tag to an instance

aws ec2 create-tags \
--resources "ami-1a2b4d" \
--tags Key=name,Value=debian

delete a tag on an instance

aws ec2 delete-tags \
--resources "ami-1a2b3c4d" \
--tags Key=Name,Value=

Q) Is Roles more secure?

Ans: Roles are more secure compared to storing your access key and secret access key on individual EC2 instances. Roles are easier to manage. A role can be assigned to an EC2 instance after it is created, using both the console and the command line. And it is universal: you can use it in any region.

  •  in the volume to Amazon S3, where it is stored in multiple Availability Zones.
create a log stream

aws logs create-log-stream \
--log-group-name "DefaultGroup" \
--log-stream-name "cloudaws"

AWS CLI is an important service in AWS. Via the CLI, you try to fetch some metadata for a file from an S3 bucket but get a 404 Not Found error. You then realize the mistake and upload the file again. After the upload, you try again to fetch the metadata and this time it succeeds. What was the reason for the 404?

Correct Answer: Because the upload had not fully propagated yet, we received a 404 Not Found. Once it has propagated, we receive back the requested metadata.

list all access keys

aws iam list-access-keys

list details on a log stream

aws logs describe-log-streams \
--log-group-name "syslog"
aws logs describe-log-streams \
--log-stream-name-prefix "syslog"

list access keys of a specific user

aws iam list-access-keys \
--user-name aws-adminvikas2

delete a log stream

aws logs delete-log-stream \
--log-group-name "DefaultGroup" \
--log-stream-name "Default Stream"

create a new access key

aws iam create-access-key \
--user-name aws-adminvikas2 \
--output text | tee aws-adminvikas2.txt

list last access time of an access key

aws iam get-access-key-last-used \
--access-key-id AKIAI44XAMPLEQH8DHBE

deactivate an access key

aws iam update-access-key \
--access-key-id AKIAI44XAMPLEQH8DHBE \
--status Inactive \
--user-name aws-adminvikas

I want to test whether my EC2 machine is able to perform the termination of EC2 instances. There is an IAM role attached to my EC2 Instance. I should

ans:- Use the IAM Policy Simulator OR the dry run CLI option

delete an access key

aws iam delete-access-key \
--access-key-id AKIAI4BEXAMPLE4QH8DH \
--user-name aws-cloud
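An added Python example (not from the original page) that ties the list-access-keys, get-access-key-last-used and update-access-key commands above into a key-rotation check: given the two outputs, it reports active keys that are too old or have gone unused and produces the deactivation command. The outputs, user name, key IDs and "today" are constructed placeholders, and the 90-day age and 30-day idle thresholds are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed samples in the shape of "aws iam list-access-keys" and
# "aws iam get-access-key-last-used" output; user name and key IDs are placeholders.
LIST_ACCESS_KEYS = {"AccessKeyMetadata": [
    {"UserName": "aws-adminvikas", "AccessKeyId": "AKIAEXAMPLE000000001",
     "Status": "Active", "CreateDate": "2023-01-10T08:00:00+00:00"},
    {"UserName": "aws-adminvikas", "AccessKeyId": "AKIAEXAMPLE000000002",
     "Status": "Active", "CreateDate": "2024-05-01T08:00:00+00:00"},
    {"UserName": "aws-adminvikas", "AccessKeyId": "AKIAEXAMPLE000000003",
     "Status": "Inactive", "CreateDate": "2022-01-01T08:00:00+00:00"},
]}
LAST_USED = {  # keyed by AccessKeyId -> the "AccessKeyLastUsed" object
    "AKIAEXAMPLE000000001": {"LastUsedDate": "2024-05-20T12:00:00+00:00",
                             "ServiceName": "s3", "Region": "ap-southeast-2"},
    # a key that was never used comes back with no LastUsedDate and ServiceName "N/A"
    "AKIAEXAMPLE000000002": {"ServiceName": "N/A", "Region": "N/A"},
    "AKIAEXAMPLE000000003": {"LastUsedDate": "2022-03-01T12:00:00+00:00",
                             "ServiceName": "ec2", "Region": "ap-southeast-2"},
}
NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)  # constructed "today" for the sample

def stale_keys(listing, last_used, now, max_age_days=90, max_idle_days=30):
    """Return [(AccessKeyId, reason)] for Active keys that are older than
    max_age_days or unused for max_idle_days (a never-used key counts as idle
    since its creation). Inactive keys are skipped."""
    findings = []
    for key in listing["AccessKeyMetadata"]:
        if key["Status"] != "Active":
            continue
        created = datetime.fromisoformat(key["CreateDate"])
        used = last_used.get(key["AccessKeyId"], {}).get("LastUsedDate")
        last = datetime.fromisoformat(used) if used else created
        if now - created > timedelta(days=max_age_days):
            findings.append((key["AccessKeyId"], "older than %d days" % max_age_days))
        elif now - last > timedelta(days=max_idle_days):
            findings.append((key["AccessKeyId"], "unused for more than %d days" % max_idle_days))
    return findings

def deactivate_command(user, key_id):
    """The update-access-key call from this page that retires a key without deleting it."""
    return ("aws iam update-access-key --access-key-id %s --status Inactive --user-name %s"
            % (key_id, user))
```

Deactivating first and deleting only after nothing breaks is the safe order, since an Inactive key can be re-enabled while a deleted one cannot.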

list all groups

aws iam list-groups

create a group

aws iam create-group --group-name FullAdmins

list all policies

aws iam list-policies

get a specific policy

aws iam get-policy \

The AWS CLI depends on which language?

Ans:- Python

Can EC2 Instances retrieve the IAM Role policy JSON document that’s attached to them using the CLI without any role attached?

Ans:- No

list all users, groups, and roles, for a given policy

aws iam list-entities-for-policy \

list policies, for a given group

aws iam list-attached-group-policies \
--group-name FullAdmins

add a policy to a group

aws iam attach-group-policy \
--group-name FullAdmins \
--policy-arn arn:aws:iam::aws:policy/AdministratorAccess

add a user to a group

aws iam add-user-to-group \
--group-name FullAdmins \
--user-name aws-adminvikas

list users, for a given group

aws iam get-group \
--group-name FullAdmins

list groups, for a given user

aws iam list-groups-for-user \
--user-name aws-adminvikas

remove a user from a group

aws iam remove-user-from-group \
--group-name FullAdmins \
--user-name aws-admin2vikas

remove a policy from a group

aws iam detach-group-policy \
--group-name FullAdmins \
--policy-arn arn:aws:iam::aws:policy/AdministratorAccess

Does AWS provide any API to control AWS services?

VMs are software; if you want to start them remotely, you need hardware that can handle and fulfill your request. AWS provides an application programming interface (API) that can control every part of AWS over HTTP. Calling the HTTP API directly is very low-level and requires a lot of repetitive work, like authentication and data (de)serialization. AWS offers tools on top of the HTTP API that are easier to use. Those tools are:

  • Command-line interface (CLI)—With one of the CLIs, you can make calls to the AWS API from your terminal.
  • Software development kit (SDK)—SDKs, available for most programming languages, make it easy to call the AWS API from your programming language of choice.
  • AWS CloudFormation—Templates are used to describe the state of the infrastructure. AWS CloudFormation translates these templates into API calls.

Everything is available through the API. You can start a virtual machine with a single API call, create 1 TB of storage, or start a Hadoop cluster over the API.
Alex works at a banking company in the United States and needs to create an S3 bucket to act as a repository for highly sensitive company accounting information. All data at rest must be encrypted, and the key's cryptographic material should be rotated at least once a year. How can Alex achieve this?

Alex can use a customer managed CMK with optional yearly rotation enabled. KMS customer managed CMKs optionally allow rotation to occur automatically every year. Procedure in the console:

  1. Log in to the AWS Management Console at [].
  2. Open the Amazon KMS console.
  3. In the left navigation pane, select customer managed keys.
  4. Select the customer master key (CMK) in scope.
  5. Navigate to the Key Rotation tab.
  6. Select Rotate this key every year.
  7. Click Save.

CLI Command

Change the policy to enable key rotation using CLI command:

aws kms enable-key-rotation --key-id <kms_key_id>
What is Resource Tagging and how to do this?
  • Tagging AWS resources means adding additional metadata, such as tying it to a project, a department, or a cost center.
  • A tag is a label that you assign to an AWS resource. Each tag consists of a key and an optional value, both of which you define.
  • Tags enable you to categorize your AWS resources in different ways, for example, by purpose, owner, or environment.
  • Tagging can facilitate billing or searching and filtering for certain types of resources in the AWS cloud.
  • In the AWS Management Console, we can add tags when creating a new resource.
    • For example, click the Create bucket button in the S3 console.
    • A dialog box labeled Create bucket opens. It contains the following steps: Name and region, Configure options, Set permissions, and Review.
    • The Name and region step is selected and the corresponding page is open. It includes a Bucket name text box and a Region drop-down list box.
    • Provide any bucket name and navigate to the section labeled Tags. It includes Key and Value text boxes.
    • For example, specify details for a project.
    • In the Key text box, type Project. In the Value text box, type XYZ.
    • Click Next and accept all of the defaults to create the bucket.
  • So now we've created a new bucket that's been tagged with a specific project, XYZ.
  • We can also modify tags for an existing item, so it's not only during creation that we can tag resources.
    • Click on an existing bucket and navigate to Tags.
    • Click on Tags and provide any new key and value.
  • We can now see there are two tags for this specific resource.
How do I tag an existing resource in AWS?
  • Find AWS resources to tag
  • Sign in to the AWS Management Console, choose Resource Groups, and then choose Tag Editor.
  • Choose at least one resource type from the Resource type drop-down list.
Which resources cannot be tagged in AWS?

AWS spending that can’t be tagged

How do you automatically tag Amazon EC2 resources in response to API events?
  • Clone the solution repo for that AWS resource.
  • Select a CloudTrail trail service.
  • Store your required AWS resource tags.
  • Create the resource-auto-tagger Lambda function.
  • Create a rule in CloudWatch Events.
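As an added example (not code from the page or from the solution repo it mentions), here is the core of such a resource-auto-tagger function in Python: it takes the CloudWatch Events event for a CloudTrail RunInstances call, extracts the new instance IDs and the calling principal, and returns the parameters for ec2 create-tags. The event below is constructed; the account ID, role ARN, session name and instance IDs are placeholders, and the Owner/CreatedAt/CreatedBy tag keys are my choice.

```python
# Constructed sample event in the shape EventBridge (CloudWatch Events) delivers for
# a CloudTrail RunInstances call; account ID, role ARN and instance IDs are placeholders.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventName": "RunInstances",
        "eventTime": "2024-06-15T10:00:00Z",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/alice"},
        "responseElements": {"instancesSet": {"items": [
            {"instanceId": "i-0aaa111122223333a"},
            {"instanceId": "i-0bbb444455556666b"},
        ]}},
    },
}

def principal_name(identity):
    """Readable identity for the Owner tag: IAM user name, role session name or 'root'."""
    kind = identity.get("type")
    if kind == "IAMUser":
        return identity.get("userName", identity.get("arn", "unknown"))
    if kind == "AssumedRole":
        # arn:aws:sts::<account>:assumed-role/<role>/<session-name>
        return identity.get("arn", "unknown").rsplit("/", 1)[-1]
    if kind == "Root":
        return "root"
    return identity.get("arn", "unknown")

def build_tag_request(event):
    """Map a RunInstances event to ec2 create-tags parameters (the same call as
    'aws ec2 create-tags --resources ... --tags ...'); None if nothing was created."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "RunInstances":
        return None
    # responseElements is null for failed calls, so guard each level
    items = ((detail.get("responseElements") or {}).get("instancesSet") or {}).get("items", [])
    ids = [i["instanceId"] for i in items if "instanceId" in i]
    if not ids:
        return None
    return {
        "Resources": ids,
        "Tags": [
            {"Key": "Owner", "Value": principal_name(detail.get("userIdentity", {}))},
            {"Key": "CreatedAt", "Value": detail.get("eventTime", "")},
            {"Key": "CreatedBy", "Value": detail["eventName"]},
        ],
    }
```

In the Lambda handler the returned dict would be passed to boto3.client("ec2").create_tags(**params); boto3 is left out here so the block runs offline.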
What are the parts required for a tag?
  • Each tag has two parts:
    • A tag key (for example, CostCenter , Environment , or Project ). Tag keys are case sensitive.
    • An optional field known as a tag value (for example, 1111 or Production ). Like tag keys, tag values are case sensitive.
Why is tag used?

We use tags to aid classification, mark ownership, note boundaries, and indicate online identity.

How do you tag Lambda?
  • Open the Functions page on the Lambda console.
  • Choose a function.
  • Choose Configuration and then choose Tags.
  • Under Tags, choose Manage tags.
  • Enter a key and value. To add additional tags, choose Add new tag.
  • Choose Save.

Question: Which CLI command is used to import a VM disk file?

Ans – aws ec2 import-image

Question: Which CLI command is used to import a VM disk image to S3?

Ans- aws ec2 import-image

Suppose you want to get a list of all running EC2 instances of type t2.micro. What command will you execute?

$ aws ec2 describe-instances --filters "Name=instance-type,Values=t2.micro"
{
    "Reservations": []
}

(This filter selects by instance type only; combine it with the Name=instance-state-name,Values=running filter shown above to restrict the output to running instances.)

How do you get a list of all AMIs in JSON format through the CLI?
$ aws ec2 describe-images
{
    "Images": [
        {
            "ImageId": "ami-147e2a7",
            "State": "available"
        },
        {
            "ImageId": "ami-b22ed3de",
            "State": "available"
        }
    ]
}