Why do we need AWS CLI?
- Suppose you run several services in AWS and want to manage them from a terminal session. Configure the AWS CLI and you can administer those services without touching the console.
- You can control them and automate them as your business requires, and the same commands can be put into scripts and CI jobs.
What is AWS CLI?
- The AWS Command Line Interface (CLI) is a unified tool to manage your AWS services. With just one tool to download and configure, you can control multiple AWS services from the command line and automate them through scripts.
- Now let's understand it practically through a lab. We will connect the AWS CLI and use services like S3 and EC2.
- Step 1: Log in to the AWS Console and navigate to the IAM service.

Step 2: Navigate to Users and create a user.
- Click the Users link in the left pane. Enter a user name, tick the checkbox for programmatic access, and click Next to set permissions.

- Step 3: Create a group: provide a group name and select AdministratorAccess. Click Create Group. (AdministratorAccess is acceptable for a throwaway lab account; for anything real, attach only the policies the CLI user actually needs.)

- Group is created.
Step 4: Click Next and the user is created.

- Here we can find the Access Key ID and Secret Access Key; download the CSV file. The secret is shown only once, so keep it in a password manager and never commit it to a repository.
Step 5: Create an EC2 instance and connect to it over SSH.
How to install AWS CLI?
Version 1 (legacy, installed through pip; it runs on the Python 3 already on the machine, the old python-dev/python-pip packages were for Python 2 and are no longer shipped):
sudo apt-get install -y python3-pip
sudo pip3 install awscli
aws --version
aws configure
Version 2 (recommended; it ships its own Python and is the version AWS maintains):
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
aws --version
aws configure
How to log in to the EC2 instance through the command line?
- After connecting over SSH we get a prompt like:
- [ec2-user@ip-172-11-1-111 ~]$
- Type the command aws s3 ls to list S3 buckets.

- It fails with "Unable to locate credentials", which means the CLI is not configured yet. So let's configure it.
- Type the command:
- aws configure

- It prompts for the following details:
- Access Key ID
- Secret Access Key
- Default region name
- Default output format
- Now type:
- aws s3 ls
- It lists all S3 buckets in the account (bucket names are global; the configured region only matters for regional operations, not for listing buckets).
- Now let's look at what aws configure wrote. Change to the .aws directory in the home directory of the user who ran the command (not root, unless you ran it with sudo):
cd ~/.aws
- List it with ls.
- It contains config and credentials.
- We can see the credential details with:
nano credentials
- Both keys sit in that file in plaintext, readable by anyone who can read your home directory or a snapshot of the disk. On EC2, attach an IAM instance role instead; the CLI picks up the role's temporary credentials automatically and nothing has to be stored on the instance.
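The lab above leaves long-lived keys in ~/.aws/credentials. The script below is an added example (not code from the original page) that audits such a file: it flags a file other users can read and lists profiles holding long-lived IAM user keys in plaintext, which is exactly what aws configure writes. The AKIA/ASIA prefixes follow IAM's documented convention (AKIA = long-term access key, ASIA = temporary STS key); the profile names in SAMPLE are constructed and the key values are AWS's documentation examples.

```python
"""Audit an AWS CLI credentials file for the mistakes the lab invites.

Added example, not code from the original page.
"""
import configparser
import stat
from pathlib import Path

# Constructed sample, shaped like ~/.aws/credentials after `aws configure`.
SAMPLE = """
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[ci-assumed-role]
aws_access_key_id = ASIAEXAMPLE1234567890
aws_secret_access_key = example
"""


def audit_credentials(text: str, mode: int) -> list[str]:
    """Pure check: `text` is the file body, `mode` its permission bits."""
    findings = []
    # Anything beyond owner read/write lets other local users lift the keys.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {oct(mode)} is group/world accessible; expected 0600")
    # interpolation=None: secrets may legitimately contain '%'.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    for profile in parser.sections():
        section = parser[profile]
        key_id = section.get("aws_access_key_id", "")
        if key_id.startswith("AKIA"):
            findings.append(f"[{profile}]: long-lived user key {key_id[:8]}... stored in plaintext")
        elif key_id.startswith("ASIA") and "aws_session_token" not in section:
            # STS keys are useless without their token; this profile is broken, not safe.
            findings.append(f"[{profile}]: temporary key {key_id[:8]}... has no aws_session_token")
    return findings


def audit_credentials_file(path: Path = Path.home() / ".aws" / "credentials") -> list[str]:
    """Disk wrapper for running against a real host."""
    if not path.exists():
        return [f"{path}: not found; nothing stored on this host (expected when using an instance role)"]
    return audit_credentials(path.read_text(), stat.S_IMODE(path.stat().st_mode))


if __name__ == "__main__":
    for finding in audit_credentials_file() or ["no findings"]:
        print(finding)
```

Run it on the EC2 instance after aws configure and it will report the default profile's AKIA key; the remedy is to delete that key from IAM and attach an instance role, not to tighten the file mode alone.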

Question: Which AWS CLI command is used to retrieve Cost Explorer data?
Ans – aws ce get-cost-and-usage
list all trails
aws cloudtrail describe-trails
list all S3 buckets
aws s3 ls
How will you create a RDS Subnet Group through AWS CLI?
create-db-subnet-group
--db-subnet-group-name <value>
--db-subnet-group-description <value>
--subnet-ids <value>
[--tags <value>]
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]
Example:
aws rds create-db-subnet-group \
--db-subnet-group-name cloudvikas \
--db-subnet-group-description "cloudvikas subnet group" \
--subnet-ids $Subnet1ID $Subnet2ID
Explain few points about AWS Availability Zones.
- In AWS, each region has many availability zones
(usually 3, min is 2, max is 6). Example:
• ap-southeast-2a
• ap-southeast-2b
• ap-southeast-2c
- Each availability zone (AZ) is one or more discrete data centers with redundant power, networking, and connectivity.
- They are physically separate from each other, far enough apart that a local disaster (fire, flood, power loss) in one does not affect the others.
- They are connected with high-bandwidth, ultra-low-latency networking.
create a new trail (create-subscription was a CLI v1-only helper and does not exist in CLI v2; use create-trail, then start logging; the bucket must already exist with a bucket policy that allows cloudtrail.amazonaws.com to write to it)
aws cloudtrail create-trail \
--name awslog \
--s3-bucket-name awslog2016 \
--is-multi-region-trail \
--enable-log-file-validation
aws cloudtrail start-logging --name awslog
list the names of all trails (a JMESPath query is safer than cutting a column from text output, whose column order is not guaranteed)
aws cloudtrail describe-trails --query 'trailList[].Name' --output text
get the status of a trail
aws cloudtrail get-trail-status \
--name awslog
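The commands above create and inspect trails one at a time. The following is an added example (not from the original page) of the check a reviewer would run across all trails in an account: is every trail multi-region, is log file validation on, and is it actually logging. The pure function trail_findings is exercised on constructed records shaped like describe-trails and get-trail-status output; main fetches the real records with boto3 (the AWS SDK for Python), which must be installed and have credentials available, for example through aws configure or an instance role. Trail and bucket names in the sample are made up.

```python
"""Check CloudTrail trails for the settings an auditor expects.

Added example, not code from the original page.
"""

# Constructed records mirroring the fields describe-trails / get-trail-status return.
SAMPLE_TRAILS = [
    {"Name": "awslog", "S3BucketName": "awslog2016",
     "IsMultiRegionTrail": True, "LogFileValidationEnabled": True},
    {"Name": "dev-only", "S3BucketName": "dev-logs",
     "IsMultiRegionTrail": False, "LogFileValidationEnabled": False},
]
SAMPLE_STATUS = {"awslog": {"IsLogging": True}, "dev-only": {"IsLogging": False}}


def trail_findings(trails, status_by_name):
    """Return {trail name: [problems]} for trails that fall short."""
    problems = {}
    for trail in trails:
        name = trail["Name"]
        issues = []
        if not trail.get("IsMultiRegionTrail"):
            issues.append("single-region: API calls made in other regions are not recorded")
        if not trail.get("LogFileValidationEnabled"):
            issues.append("log file validation off: tampering with delivered logs is undetectable")
        if not status_by_name.get(name, {}).get("IsLogging"):
            issues.append("not logging (create-trail alone does not start delivery)")
        if issues:
            problems[name] = issues
    # An account with only single-region trails has blind spots even if each trail is healthy.
    if not any(t.get("IsMultiRegionTrail") for t in trails):
        problems.setdefault("<account>", []).append("no multi-region trail in this account")
    return problems


def main():
    import boto3  # imported here so trail_findings works without the SDK installed
    ct = boto3.client("cloudtrail")
    trails = ct.describe_trails()["trailList"]
    status = {t["Name"]: ct.get_trail_status(Name=t["TrailARN"]) for t in trails}
    for name, issues in trail_findings(trails, status).items():
        print(name)
        for issue in issues:
            print("  -", issue)


if __name__ == "__main__":
    main()
```

Run from a host whose credentials allow cloudtrail:DescribeTrails and cloudtrail:GetTrailStatus; an empty result means every trail passes the three checks.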
How to create a RDS Parameter Group using AWS CLI?
aws rds create-db-cluster-parameter-group \
--db-cluster-parameter-group-name cloudvikas \
--db-parameter-group-family aurora-postgresql10 \
--description "cloudvikas DB Cluster parameter group"
How to Create a VPC security group for the database?
DBcloudSecurityGroupId=$(aws ec2 create-security-group \
--group-name AWScloudvikas \
--description "Aurora Serverless vikas Security Group" \
--vpc-id $VPCId --output text --query GroupId)
delete a trail
aws cloudtrail delete-trail \
--name awslog
delete the S3 bucket of a trail (--force deletes every object first; the audit logs go with it, so copy them elsewhere before doing this)
aws s3 rb s3://awslog2016 --force
add tags to a trail (CloudTrail allows up to 50 tags per trail; the resource ID is the trail ARN, not its name)
aws cloudtrail add-tags \
--resource-id <trail-arn> \
--tags-list "Key=log-type,Value=all"
list the tags of a trail
aws cloudtrail list-tags \
--resource-id-list <trail-arn>
delete a group (the group must have no members and no attached policies first)
aws iam delete-group \
--group-name FullAdmins
How to Create a database cluster using CLI?
aws rds create-db-cluster \
--db-cluster-identifier cloudvikasdb \
--engine aurora-postgresql \
--engine-mode serverless \
--engine-version 10.16 \
--db-cluster-parameter-group-name cloudvikasdbparamgroup \
--master-username user \
--master-user-password $MasterPassword \
--db-subnet-group-name cloudvikasdbsubnetgroup \
--vpc-security-group-ids $DBSecurityGroupId
list existing S3 buckets
aws s3 ls
create a bucket name using the current date timestamp (bucket names allow only lowercase letters, digits, hyphens and dots, so underscores would be rejected)
bucket_name=test-$(date "+%Y-%m-%d-%H-%M-%S")
echo $bucket_name
list all security groups
aws ec2 describe-security-groups
create a security group
aws ec2 create-security-group \
--vpc-id vpc-1aert3c4d \
--group-name web-access \
--description "web access"
list details about a security group (the option is --group-ids, plural)
aws ec2 describe-security-groups \
--group-ids sg-0000000
create a public-facing bucket (public-read-write lets anyone on the internet read, overwrite and delete objects; buckets are now created with ACLs disabled and Block Public Access on, so this call is rejected unless you switch both off, and outside a lab you should not)
aws s3api create-bucket --acl "public-read-write" --bucket $bucket_name
delete a security group
aws ec2 delete-security-group \
--group-id sg-000000123
How to delete the RDS database cluster?
aws rds delete-db-cluster \
--db-cluster-identifier cloudvikas01 \
--skip-final-snapshot
(--skip-final-snapshot throws the data away; in production omit it and pass --final-db-snapshot-identifier <value> instead.)
remove a tag from a trail
aws cloudtrail remove-tags \
--resource-id <trail-arn> \
--tags-list "Key=log-type,Value=all"
delete an AMI by ImageId (deregister-image does not delete the backing EBS snapshot; remove that separately or you keep paying for it)
aws ec2 deregister-image --image-id ami-00000000
list all running instances
aws ec2 describe-instances --filters Name=instance-state-name,Values=running
How to delete the RDS Subnet Group?
aws rds delete-db-subnet-group \
--db-subnet-group-name cloudvikas01
How to delete the security group for the database?
aws ec2 delete-security-group \
--group-id $DBSecurityGroupId01
terminate an instance (this deletes the instance and its root volume; to stop it and keep it, the command is stop-instances, the two are not interchangeable)
aws ec2 terminate-instances \
--instance-ids <instance-id>
create new user
aws iam create-user \
--user-name aws-adminvikas
Which AWS IAM feature allows developers to access AWS services through the AWS CLI?
Ans:- Access keys (an IAM user's access key ID and secret access key, or the temporary credentials of an assumed role)
You would like to deploy an AWS Lambda function using the AWS CLI. Before deploying what needs to be done?
Ans:- Package the local artefacts. Zip the code and either pass the archive with --zip-file to aws lambda create-function, or, when deploying through CloudFormation or SAM, run aws cloudformation package, which uploads the artefacts to S3 and rewrites the template to point at them.
list all users
aws iam list-users --no-paginate
get a specific user's info
aws iam get-user \
--user-name aws-adminvikas
You want to gradually migrate data directly from an on-prem RAID10 file server to S3 without moving it to other storage first. Which AWS service will you use?
Correct Answer: AWS CLI (aws s3 sync copies straight from the file server to the bucket and can be re-run to pick up changes)
add a tag to an instance (the --resources value is the instance ID; i-1234567890abcdef0 is the AWS documentation placeholder, the original used an AMI ID here by mistake)
aws ec2 create-tags \
--resources "i-1234567890abcdef0" \
--tags Key=Name,Value=debian
delete a tag on an instance (the key must match the tag exactly; tag keys are case sensitive)
aws ec2 delete-tags \
--resources "i-1234567890abcdef0" \
--tags Key=Name,Value=
Q) Are roles more secure?
Ans: Roles are more secure than storing your access key and secret access key on individual EC2 instances: the role's credentials are temporary, are handed out through the instance metadata service and are rotated automatically, so there is no long-lived secret on disk to leak. Roles are also easier to manage. A role can be assigned to an EC2 instance after it is created, using both the console and the command line, and it is universal: you can use it in any region.
create a log stream
aws logs create-log-stream \
--log-group-name "DefaultGroup" \
--log-stream-name "cloudaws"
Via the CLI you try to fetch the metadata of an object in an S3 bucket and get a 404 Not Found error. You then realize the object was never uploaded and upload it. Fetching the metadata again right afterwards still returns 404. What was the reason?
Correct Answer: Under S3's original eventual-consistency model, a key that had been requested before it existed could keep returning 404 for a short time after the upload, because the negative lookup had been cached; retrying a little later returned the metadata. Since December 2020 S3 provides strong read-after-write consistency for all operations, so a HEAD or GET issued after a successful PUT returns the new object and this scenario no longer occurs.
list all access keys
aws iam list-access-keys
list details on a log stream (--log-group-name is required; --log-stream-name-prefix only narrows the result within that group)
aws logs describe-log-streams \
--log-group-name "syslog"
aws logs describe-log-streams \
--log-group-name "syslog" \
--log-stream-name-prefix "syslog"
list access keys of a specific user
aws iam list-access-keys \
--user-name aws-adminvikas2
delete a log stream
aws logs delete-log-stream \
--log-group-name "DefaultGroup" \
--log-stream-name "Default Stream"
create a new access key (the secret is returned only in this response; tee writes it to a plaintext file, so protect that file or delete it once the key is stored safely)
aws iam create-access-key \
--user-name aws-adminvikas2 \
--output text | tee aws-adminvikas2.txt
list last access time of an access key
aws iam get-access-key-last-used \
--access-key-id AKIAI44XAMPLEQH8DHBE
deactivate an access key
aws iam update-access-key \
--access-key-id AKIAI44XAMPLEQH8DHBE \
--status Inactive \
--user-name aws-adminvikas
I want to test whether my EC2 machine is able to terminate EC2 instances. There is an IAM role attached to my EC2 instance. I should
Ans:- Use the IAM Policy Simulator, or the CLI's --dry-run option: a dry run returns DryRunOperation when the call would have been allowed and UnauthorizedOperation when it would not, without actually terminating anything.
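The dry-run check above is easy to script. The following is an added example (not from the original page): classify_dry_run interprets the error text the AWS CLI prints for a dry-run call, and can_terminate actually runs aws ec2 terminate-instances --dry-run through subprocess, so it needs the CLI on PATH and credentials (on EC2, the instance role). The sample stderr strings are constructed to match the CLI's error format, and i-1234567890abcdef0 is the AWS documentation placeholder.

```python
"""Test an instance's effective permission with the CLI's --dry-run flag.

Added example, not code from the original page.
"""
import subprocess

# Constructed stderr lines shaped like the CLI's own error output.
SAMPLE_ALLOWED = ("An error occurred (DryRunOperation) when calling the TerminateInstances "
                  "operation: Request would have succeeded, but DryRun flag is set.")
SAMPLE_DENIED = ("An error occurred (UnauthorizedOperation) when calling the TerminateInstances "
                 "operation: You are not authorized to perform this operation.")


def classify_dry_run(returncode, stderr):
    """Map a dry-run attempt to 'allowed', 'denied' or 'error'."""
    if returncode == 0:
        # A genuine dry run never succeeds; exit 0 means the flag was dropped
        # and the call may really have been executed.
        return "error"
    if "(DryRunOperation)" in stderr:
        return "allowed"
    if "(UnauthorizedOperation)" in stderr:
        return "denied"
    return "error"  # no credentials, bad instance ID, network failure, ...


def can_terminate(instance_id, profile=None):
    """Run the real dry-run call against the given instance ID."""
    cmd = ["aws", "ec2", "terminate-instances", "--dry-run", "--instance-ids", instance_id]
    if profile:
        cmd += ["--profile", profile]
    result = subprocess.run(cmd, capture_output=True, text=True)
    return classify_dry_run(result.returncode, result.stderr)


if __name__ == "__main__":
    print(can_terminate("i-1234567890abcdef0"))
```

When the answer is "denied", the CLI's message also carries an encoded authorization failure; aws sts decode-authorization-message turns it into the policy evaluation details if the caller has sts:DecodeAuthorizationMessage.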
delete an access key
aws iam delete-access-key \
--access-key-id AKIAI4BEXAMPLE4QH8DH \
--user-name aws-cloud
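The key commands above (list, get-access-key-last-used, update-access-key, delete-access-key) are the building blocks of key hygiene. The following is an added example (not from the original page) of the audit they are usually combined into: find active keys that are too old or have not been used recently. stale_keys is pure and runs against constructed records; main pulls real data with boto3 (the AWS SDK for Python, which must be installed, with credentials allowing iam:ListUsers, iam:ListAccessKeys and iam:GetAccessKeyLastUsed). User names follow the page's examples and key IDs are AWS documentation placeholders.

```python
"""Find IAM access keys that should be rotated or deactivated.

Added example, not code from the original page.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" for the constructed sample

# Constructed records: one dict per key, mirroring list-access-keys output
# plus the LastUsedDate from get-access-key-last-used (None if never used).
SAMPLE_KEYS = [
    {"UserName": "aws-adminvikas", "AccessKeyId": "AKIAI44QH8DHBEXAMPLE",
     "Status": "Active", "CreateDate": NOW - timedelta(days=400),
     "LastUsedDate": NOW - timedelta(days=3)},
    {"UserName": "aws-adminvikas", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
     "Status": "Active", "CreateDate": NOW - timedelta(days=60),
     "LastUsedDate": None},
    {"UserName": "aws-cloud", "AccessKeyId": "AKIAI4BEXAMPLE4QH8DH",
     "Status": "Inactive", "CreateDate": NOW - timedelta(days=700),
     "LastUsedDate": NOW - timedelta(days=120)},
]


def stale_keys(keys, now, max_age_days=90, max_idle_days=45):
    """Return (AccessKeyId, reason) for active keys older than max_age_days
    or not used within max_idle_days; a never-used key counts as idle since creation."""
    out = []
    for k in keys:
        if k["Status"] != "Active":
            continue  # already neutralised; delete-access-key cleans these up separately
        age = (now - k["CreateDate"]).days
        last = k["LastUsedDate"]
        idle = (now - last).days if last else age
        if age > max_age_days:
            out.append((k["AccessKeyId"], f"{age} days old, rotate"))
        elif idle > max_idle_days:
            out.append((k["AccessKeyId"], f"unused for {idle} days, deactivate"))
    return out


def main():
    import boto3  # imported here so stale_keys works without the SDK installed
    iam = boto3.client("iam")
    now = datetime.now(timezone.utc)
    keys = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            for k in iam.list_access_keys(UserName=user["UserName"])["AccessKeyMetadata"]:
                last = iam.get_access_key_last_used(AccessKeyId=k["AccessKeyId"])["AccessKeyLastUsed"]
                keys.append({**k, "LastUsedDate": last.get("LastUsedDate")})
    for key_id, reason in stale_keys(keys, now):
        print(key_id, reason)


if __name__ == "__main__":
    main()
```

Deactivate first (update-access-key --status Inactive) and delete only after nothing breaks; an inactive key can be re-enabled, a deleted one cannot.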
list all groups
aws iam list-groups
create a group
aws iam create-group --group-name FullAdmins
delete a group
aws iam delete-group \
--group-name FullAdmins
list all policies
aws iam list-policies
get a specific policy
aws iam get-policy \
--policy-arn <policy-arn>
The AWS CLI depends on which language?
Ans:- Python. CLI v1 runs on the Python interpreter already installed on the machine; CLI v2 bundles its own embedded Python, so no separate Python installation is required.
Can EC2 instances retrieve the IAM role policy JSON document that's attached to them using the CLI without any role attached?
Ans:- No. Without a role the instance has no credentials at all (the instance metadata service only hands out credentials for an attached role), and even with a role the policy document is readable through the IAM API only if the role itself grants the relevant iam:Get* permissions.
list all users, groups, and roles, for a given policy
aws iam list-entities-for-policy \
--policy-arn <policy-arn>
list policies, for a given group
aws iam list-attached-group-policies \
--group-name FullAdmins
add a policy to a group
aws iam attach-group-policy \
--group-name FullAdmins \
--policy-arn arn:aws:iam::aws:policy/AdministratorAccess
add a user to a group
aws iam add-user-to-group \
--group-name FullAdmins \
--user-name aws-adminvikas
list users, for a given group
aws iam get-group \
--group-name FullAdmins
list groups, for a given user
aws iam list-groups-for-user \
--user-name aws-adminvikas
remove a user from a group
aws iam remove-user-from-group \
--group-name FullAdmins \
--user-name aws-admin2vikas
remove a policy from a group
aws iam detach-group-policy \
--group-name FullAdmins \
--policy-arn arn:aws:iam::aws:policy/AdministratorAccess
Does AWS provide any API to control AWS services?
Yes. VMs are software; to start one remotely you need something on the other end that can receive and act on your request. AWS provides an application programming interface (API) that controls every part of AWS over HTTPS. Calling that HTTP API directly is low-level and repetitive (request signing, authentication, data (de)serialization), so AWS offers tools on top of it that are easier to use:
- Command-line interface (CLI): with one of the CLIs, you can make calls to the AWS API from your terminal.
- Software development kit (SDK): SDKs, available for most programming languages, make it easy to call the AWS API from your programming language of choice.
- AWS CloudFormation: templates describe the desired state of the infrastructure, and CloudFormation translates them into API calls.
Everything is available through the API. You can start a virtual machine with a single API call, create 1 TB of storage, or start a Hadoop cluster over the API.
Alex works for a bank in the United States and needs to create an S3 bucket as a repository for highly sensitive accounting information. All data at rest must be encrypted, and the key's cryptographic material must be rotated at least once a year. How can Alex achieve this?
Alex can encrypt the bucket with a customer managed KMS key (formerly called a customer managed CMK) and enable automatic rotation on it. KMS then rotates the key material on a schedule (once a year by default) while the key ID and ARN stay the same, so objects encrypted under earlier material remain decryptable. Procedure in the console:
- Log in to the AWS Management Console at https://console.aws.amazon.com/.
- Open the AWS KMS console.
- In the left navigation pane, select Customer managed keys.
- Select the key in scope.
- Navigate to the Key rotation tab.
- Select automatic key rotation (every year).
- Click Save.
CLI command
Enable automatic rotation with the CLI (rotation is a property of the key, not a change to its key policy):
aws kms enable-key-rotation --key-id <kms_key_id>
What is Resource Tagging and how to do this?
- Tagging AWS resources means adding additional metadata, such as tying it to a project, a department, or a cost center.
- A tag is a label that you assign to an AWS resource. Each tag consists of a key and an optional value, both of which you define.
- Tags enable you to categorize your AWS resources in different ways, for example, by purpose, owner, or environment.
- Tagging can facilitate billing or searching and filtering for certain types of resources in the AWS cloud.
- In the AWS Management Console, tags can be set when a new resource is created.
- For example, click the Create bucket button in the S3 console.
- A dialog box labeled Create bucket opens. It contains the following steps: Name and region, Configure options, Set permissions, and Review.
- The Name and region step is selected and the corresponding page is open. It includes a Bucket name text box and a Region drop-down list box.
- Provide a bucket name and navigate to the section labeled Tags. It includes Key and Value text boxes.
- For example, specify details for a project.
- In the Key text box, type Project. In the Value text box, type XYZ.
- Click Next and accept all of the defaults to create the bucket.
- We have now created a new bucket tagged with the project XYZ.
- We can also modify tags on an existing item, so tagging is not limited to creation time.
- Click an existing bucket and navigate to Tags.
- Add a tag and provide a new key and value.
- We can now see there are two tags for this resource.
How do I tag an existing resource in AWS?
- Find the AWS resources to tag.
- Sign in to the AWS Management Console, choose Resource Groups, and then choose Tag Editor.
- Choose at least one resource type from the Resource type drop-down list, search, select the resources and edit their tags.
Which resources cannot be tagged in AWS?
Not every resource type supports tags (the Tag Editor's Resource type list shows the ones that do). Spend on resources that cannot be tagged cannot be allocated through cost allocation tags, so it appears in the untagged bucket when you group costs by tag in Cost Explorer.
How do you automatically tag Amazon EC2 resources in response to API events?
- Clone the solution repo for that AWS resource.
- Select a CloudTrail trail so that the resource-creation API calls are recorded.
- Store your required AWS resource tags.
- Create the resource-auto-tagger Lambda function.
- Create a rule in CloudWatch Events (now Amazon EventBridge) that matches those creation events and invokes the function.
What are the parts required for a tag?
- Each tag has two parts:
- A tag key (for example, CostCenter , Environment , or Project ). Tag keys are case sensitive.
- An optional field known as a tag value (for example, 1111 or Production ). Like tag keys, tag values are case sensitive.
Why is tag used?
We use tags to aid classification, mark ownership, note boundaries, and indicate online identity.
How do you tag Lambda?
- Open the Functions page on the Lambda console.
- Choose a function.
- Choose Configuration and then choose Tags.
- Under Tags, choose Manage tags.
- Enter a key and value. To add additional tags, choose Add new tag.
- Choose Save.
Question: Which CLI command is used to import a VM disk file as an AMI?
Ans – aws ec2 import-image
Question: Which CLI command is used to get a VM disk image into S3 so that it can be imported?
Ans – aws s3 cp (import-image does not upload anything; it reads the disk image that is already in S3 and turns it into an AMI)
Suppose you want to get a list of all running EC2 instances of type t2.micro. What command will you execute?
$ aws ec2 describe-instances --filters "Name=instance-type,Values=t2.micro" "Name=instance-state-name,Values=running"
{
"Reservations": []
}
(An empty Reservations list means no instance matched both filters.)
How do you get a list of your AMIs in JSON format through a CLI command?
$ aws ec2 describe-images --owners self
{
"Images": [
{
"ImageId": "ami-147e2a7",
"State": "available"
},
[...]
{
"ImageId": "ami-b22ed3de",
"State": "available"
}
]
}
(Without --owners self the call returns every public AMI in the region, tens of thousands of entries; the real output also has many more fields per image than shown here.)