Link Search Menu Expand Document

AWS Cheat Sheet

Drawing AWS Architectures

Use the AWS library for draw.io

Configuring Profiles

aws configure set help

aws configure set aws_access_key_id <key id>
aws configure set aws_secret_access_key <secret>
aws configure set default.region <region>
aws configure set region <region>

To query/configure specific profiles prefix the profile to the config key

aws configure get <profile>.region
aws configure set <profile>.region <region>

EC2 CLI Commands

aws ec2 describe-instances                           # List all
aws ec2 reboot-instances --instance-ids <ids>

EC2 Instance Lookup

Find instances by name

aws ec2 describe-tags --region us-east-1 |\
jq -r '.Tags[]|select(.Key == "Name") | select( .Value | contains("<part of name>") )| .Value'

List instances by name and selected properties

 aws ec2 describe-instances |\
 jq '.Reservations[].Instances[] | .InstanceId, .State["Name"], .InstanceType, .Placement.AvailabilityZone, .PublicIpAddress' |\
 xargs -n 5

EC2 Instance Types

IAM

aws iam list-roles
aws iam list-roles | jq -r '.Roles[].RoleName'       # Print role names
aws iam list-roles | jq -r '.Roles[].Arn'            # Print ARNs

aws iam get-role --role-name <name>
aws iam create-role --role-name <name> --asume-role-policy-document '<text>'
aws iam delete-role --role-name                      # Note: you need to detach all policies first!

To list policies you need 2 commands, as there are 2 types of policies: attached policies and inline policies

# For attached policies
aws iam list-attached-role-policies --role-name <name>

# For inline policies
aws iam list-role-policies --role-name <name>

To add/remove an inline policy

aws iam put-role-policy --role-name <role name> --policy-name <policy name> --policy-document '<text>'
aws iam delete-role-policy --role-name <role name> --policy-name <policy name>

To attach/detach an existing policy

aws iam attach-role-policy --role-name <role name> --policy-arn <policy arn>
aws iam detach-role-policy -q-role-name <role name> --policy-arn <policy arn>

IAM Roles in ~/.aws/credentials

From other credential

[marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadminrole
source_profile = user1

From within EC2 instance

[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadminrole
credential_source = Ec2InstanceMetadata

IAM via EC2

Inside an instance perform a call against the metadata API

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

to see your active role, and run

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>

to fetch credentials

Logging IAM Roles/Policies

STS

aws sts get-caller-identity | jq -r '.Account'                      # Resolve your account id
aws sts assume-role --role-arn <arn> --role-session-name <any name>

EBS

ELB

CloudFormation

  • Nesting Templates with AWS::Include

    Transform:
      Name: 'AWS::Include'
      Parameters:
      Location: 's3://MyAmazonS3BucketName/MyFileName.yaml'
    
  • CLI Stack Handling

    # Check if stack exists
    if aws cloudformation describe-stacks --stack-name "$STACK_NAME" >/dev/null 2>/dev/null; then
       echo "$STACK_NAME exists!"
    fi
      
    # Delete stack and wait for completion
    aws cloudformation delete-stack --stack-name "$STACK_NAME"
    aws cloudformation wait stack-delete-complete --stack-name "$STACK_NAME"
      
    # Create stack and wait for completion
    aws cloudformation create-stack \
       --region "$AWS_REGION" \
       --stack-name "$STACK_NAME" \
       --template-body "file://mytemplate.yaml" \
       --parameters <parameters>
       ...
    aws cloudformation wait stack-create-complete --stack-name "$STACK_NAME"
    
  • Automation with Ansible