AWS CLI – Beyond the Console: Talking Directly to Your Cloud

As a Cloud Engineer, the AWS Console is great for exploration, but the AWS Command Line Interface (CLI) is where true automation and speed live. Whether you are auditing security groups, cleaning up unused resources, or managing complex identity profiles, mastering the CLI is non-negotiable.

Before diving into how the AWS CLI lets you interact with your cloud without opening the console, it’s worth grounding this discussion in secure, scalable authentication practices. In modern AWS environments, using AWS IAM Identity Center (formerly AWS SSO) to federate access through a corporate identity provider (such as Microsoft Entra ID, Okta, or Active Directory) is a foundational best practice for production. This approach centralizes access control and eliminates long-lived static credentials, issuing temporary, least-privilege credentials to users and tools instead of permanent IAM user access keys.

In this post, I’ll walk through some essential patterns I use to interact with AWS programmatically, focusing on profile management, the crucial difference between filtering and querying, and real-world auditing scripts.

1. Identity and Access Management

Before running commands, you need to know who you are and where you are pointing. Managing multiple environments (Dev, Staging, Prod) often requires switching between credentials quickly.

Managing Profiles

Instead of relying on default credentials, it is best practice to use named profiles.

# Create a specific profile for a project or environment
aws configure --profile <ProfileName>

# List all available profiles on your machine
aws configure list-profiles

Verifying Identity

When scripting, you often need to verify which identity is currently active to prevent running production commands in a dev environment. The sts get-caller-identity command is the standard “who am I” check.

# Check default identity
aws sts get-caller-identity 

# Check identity for a specific profile
aws sts get-caller-identity --profile <ProfileName>
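A script-friendly way to act on the "who am I" check is to parse the JSON that `aws sts get-caller-identity --output json` prints and stop before any command runs against the wrong account, or with the long-lived IAM user keys the introduction recommends phasing out. The following is an added example written for this post, not code from the original; the two sample identities are constructed to mirror the command's output shape, and the account ids and role names in them are placeholders.

```python
"""Guardrail for scripts: parse the JSON that `aws sts get-caller-identity --output json`
prints and refuse to proceed unless the caller is in the expected account and is using
temporary credentials. Added example for this post, not code from the original; the
sample identities below are constructed to mirror the command's output shape."""
import json
import re
import sys

# Constructed sample: a session obtained through IAM Identity Center. The role that
# Identity Center creates for a permission set carries the AWSReservedSSO_ prefix.
SSO_SESSION = json.dumps({
    "UserId": "AROAEXAMPLEID:alice@example.com",
    "Account": "111111111111",
    "Arn": "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_AdminAccess_abcd1234/alice@example.com",
})

# Constructed sample: a long-lived IAM user access key, the credential type the post
# recommends phasing out.
IAM_USER_SESSION = json.dumps({
    "UserId": "AIDAEXAMPLEID",
    "Account": "222222222222",
    "Arn": "arn:aws:iam::222222222222:user/deploy-bot",
})

# arn:<partition>:<sts|iam>::<account>:<kind>[/<rest>]  (partition: aws, aws-cn, aws-us-gov)
ARN_RE = re.compile(r"^arn:aws[\w-]*:(?:sts|iam)::(\d{12}):([^/]+)(?:/(.*))?$")
TEMPORARY_KINDS = {"assumed-role", "federated-user"}


def classify_identity(identity_json: str) -> dict:
    """Return account, principal kind, whether the credential is temporary and whether
    it came from IAM Identity Center."""
    data = json.loads(identity_json)
    match = ARN_RE.match(data["Arn"])
    if not match:
        raise ValueError(f"unrecognised caller ARN: {data['Arn']}")
    account, kind, rest = match.group(1), match.group(2), match.group(3) or ""
    # For assumed-role ARNs the rest is "<role-name>/<session-name>".
    name = rest.split("/", 1)[0] if rest else kind
    return {
        "account": account,
        "kind": kind,
        "name": name,
        "temporary": kind in TEMPORARY_KINDS,
        "sso": kind == "assumed-role" and name.startswith("AWSReservedSSO_"),
    }


def guard(identity_json: str, expected_account: str, require_temporary: bool = True) -> dict:
    """Raise unless the active identity is the one a script is meant to run as."""
    ident = classify_identity(identity_json)
    if ident["account"] != expected_account:
        raise RuntimeError(f"wrong account: {ident['account']} (expected {expected_account})")
    if require_temporary and not ident["temporary"]:
        raise RuntimeError(f"refusing to run with long-lived {ident['kind']} credentials")
    return ident


def is_safe(identity_json: str, expected_account: str, require_temporary: bool = True) -> bool:
    """Boolean form of guard() for callers that prefer a check to an exception."""
    try:
        guard(identity_json, expected_account, require_temporary)
        return True
    except (RuntimeError, ValueError):
        return False


if __name__ == "__main__":
    # Usage: aws sts get-caller-identity --output json --profile prod | python3 guard.py 111111111111
    print(guard(sys.stdin.read(), sys.argv[1]))
```

Pipe the real command into the script at the top of any automation that targets production; the `sso` flag also gives you a cheap way to report how many of your scripts still run on static IAM user keys.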

2. The Art of Data Extraction: Filters vs. Queries

One of the most common interview questions and practical hurdles is understanding how to narrow down data. There are two distinct ways to do this in the AWS CLI, and knowing the difference shows a deep understanding of the API.

Filters (Server-Side)

Filters happen on the AWS side. You are asking AWS to only send you data that matches specific criteria. This is faster and saves bandwidth because less data travels over the network.

  • Syntax: Name=string,Values=string

# "Hey AWS, only send me instances that are currently running."
aws ec2 describe-instances \
    --filters "Name=instance-state-name,Values=running" \
    --output table

Note: in Windows PowerShell, use a backtick (`) instead of a backslash (\) to continue a command on the next line.

Queries (Client-Side)

Queries (using the --query parameter) happen on your machine. AWS sends all the data, and your CLI client filters and formats it using JMESPath syntax. This is powerful for transforming complex JSON structures into readable lists or custom objects.

  • Syntax: Key:Value inside {} for custom objects.

# Extract specific fields and rename them for clarity
aws ec2 describe-instances \
    --query "Reservations[*].Instances[*].{InstanceId:InstanceId,State:State.Name,InstanceType:InstanceType}" \
    --output table

Combining Both

For maximum efficiency, use Filters to reduce the dataset size and Queries to format the output.

aws ec2 describe-instances \
    --filters "Name=instance-state-name,Values=running" \
    --query "Reservations[*].Instances[*].{ID:InstanceId,PrivateIP:PrivateIpAddress}" \
    --output table

Note: The CLI supports multiple output formats including json, text, table, and yaml.

3. Real-World Auditing & Automation Tasks

Here are three practical scenarios where CLI scripting is superior to clicking through the console.

Scenario A: IAM Security Audit

Identifying users who might be service accounts or inactive users (indicated by a lack of password usage) is a common security task.

# List users who have not used a password, displaying name and creation date
aws iam list-users \
    --query "Users[?PasswordLastUsed==null].{User:UserName, Created:CreateDate}" \
    --output table
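A missing PasswordLastUsed only tells you the user never signed in with a password; it does not say whether the account is a service account with live access keys, a dormant user, or someone created last week. The following added example (written for this post, not code from the original) reproduces the query above client-side and then enriches it with access-key usage, the way you would after also running aws iam list-access-keys and aws iam get-access-key-last-used. The JSON samples are constructed in the shape the CLI prints, and the 90-day threshold and the pinned "now" are my own choices.

```python
"""Enrich the post's "users who never used a password" query with access-key usage
so the result separates service accounts from dormant users. Added example for this
post, not code from the original; the JSON samples are constructed in the shape the
AWS CLI prints, and the 90-day threshold and the fixed "now" are my own choices."""
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)   # pinned so the sample is reproducible
STALE_AFTER = timedelta(days=90)

# Constructed sample in the shape of `aws iam list-users --output json`.
# PasswordLastUsed is simply absent for users who never signed in with a password.
LIST_USERS = json.dumps({"Users": [
    {"UserName": "alice", "CreateDate": "2023-05-01T10:00:00+00:00",
     "PasswordLastUsed": "2024-12-30T08:15:00+00:00"},
    {"UserName": "deploy-bot", "CreateDate": "2022-01-10T00:00:00+00:00"},
    {"UserName": "old-contractor", "CreateDate": "2021-03-03T00:00:00+00:00"},
    {"UserName": "new-hire", "CreateDate": "2024-12-20T00:00:00+00:00"},
]})

# Constructed sample: per user, the keys from `aws iam list-access-keys --user-name X`
# merged with LastUsedDate from `aws iam get-access-key-last-used --access-key-id Y`.
ACCESS_KEYS = {
    "deploy-bot": [{"AccessKeyId": "AKIAEXAMPLE000001", "Status": "Active",
                    "LastUsedDate": "2024-12-31T02:00:00+00:00"}],
    "old-contractor": [{"AccessKeyId": "AKIAEXAMPLE000002", "Status": "Active",
                        "LastUsedDate": "2023-01-05T00:00:00+00:00"}],
}


def no_password_users(list_users_json: str) -> list:
    """Client-side equivalent of the post's --query
    Users[?PasswordLastUsed==null].{User:UserName, Created:CreateDate}"""
    users = json.loads(list_users_json)["Users"]
    return [{"User": u["UserName"], "Created": u["CreateDate"]}
            for u in users if u.get("PasswordLastUsed") is None]


def _age(timestamp: str, now: datetime) -> timedelta:
    return now - datetime.fromisoformat(timestamp)


def classify_users(list_users_json: str, access_keys: dict, now: datetime = NOW) -> dict:
    """Map each user name to one of: human-active, human-stale-password,
    service-account, service-account-stale-key, dormant, new-unused."""
    findings = {}
    for u in json.loads(list_users_json)["Users"]:
        name = u["UserName"]
        active_keys = [k for k in access_keys.get(name, []) if k["Status"] == "Active"]
        if "PasswordLastUsed" in u:
            fresh = _age(u["PasswordLastUsed"], now) <= STALE_AFTER
            findings[name] = "human-active" if fresh else "human-stale-password"
        elif active_keys:
            # A key that was never used, or not used recently, is the one to rotate or delete.
            stale = [k for k in active_keys
                     if k.get("LastUsedDate") is None or _age(k["LastUsedDate"], now) > STALE_AFTER]
            findings[name] = "service-account-stale-key" if stale else "service-account"
        elif _age(u["CreateDate"], now) > STALE_AFTER:
            findings[name] = "dormant"
        else:
            findings[name] = "new-unused"
    return findings


if __name__ == "__main__":
    for user, finding in classify_users(LIST_USERS, ACCESS_KEYS).items():
        print(f"{user:16} {finding}")
```

In a real run, feed the script the output of `aws iam list-users --output json` and build the access-key map from the two key commands named above; the categories map directly onto actions (rotate the stale key, remove the dormant user, leave the new hire alone).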

Scenario B: Network Security Audit

A critical vulnerability is having SSH (Port 22) open to the entire world (0.0.0.0/0). We can find these security groups instantly:

aws ec2 describe-security-groups \
    --filters "Name=ip-permission.from-port,Values=22" "Name=ip-permission.cidr,Values=0.0.0.0/0" \
    --query "SecurityGroups[*].{ID:GroupId,Name:GroupName}" \
    --output table
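One caveat worth knowing before trusting that table: each ip-permission filter is matched against a group's rules on its own, so a group with one rule "22 from 10.0.0.0/8" and another "443 from 0.0.0.0/0" is returned although no single rule exposes SSH, while a rule for 0-1024 from 0.0.0.0/0 (FromPort 0) or an all-traffic rule from ::/0 (no FromPort, IPv6 only) is not. The following added example (written for this post, not code from the original) walks the JSON from aws ec2 describe-security-groups --output json rule by rule and, for contrast, models what the filter pair above returns on the same constructed sample; the group ids and names are placeholders.

```python
"""Rule-level check for security groups that expose SSH to the world. The post's two
describe-security-groups filters are each matched against a group's rules independently,
so a group can match without any single rule being "port 22 from 0.0.0.0/0", and rules
that cover port 22 inside a wider range or via an IPv6 /0 are missed. Added example for
this post, not code from the original; the JSON sample is constructed in the shape of
`aws ec2 describe-security-groups --output json` with placeholder ids."""
import ipaddress
import json

SG_JSON = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0000000000000000a", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000000000000000b", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000000000000000c", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1",                      # all traffic: no FromPort/ToPort fields
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0000000000000000d", "GroupName": "wide", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]})


def _is_world(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0 (a prefix length of zero admits every address)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _rule_covers_port(rule: dict, port: int) -> bool:
    if rule["IpProtocol"] == "-1":                    # all protocols, all ports
        return True
    if rule["IpProtocol"] not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def world_open_rules(sg_json: str, port: int = 22) -> list:
    """Return (GroupId, GroupName, cidr) for every rule that admits `port` from anywhere."""
    hits = []
    for sg in json.loads(sg_json)["SecurityGroups"]:
        for rule in sg["IpPermissions"]:
            if not _rule_covers_port(rule, port):
                continue
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])] + \
                    [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if _is_world(cidr):
                    hits.append((sg["GroupId"], sg["GroupName"], cidr))
    return hits


def cli_filter_matches(sg_json: str, port: int = 22) -> list:
    """Model of the post's server-side filter pair: a group is returned when *some* rule
    has FromPort == port and *some* (possibly different) rule has an IPv4 range 0.0.0.0/0."""
    matched = []
    for sg in json.loads(sg_json)["SecurityGroups"]:
        rules = sg["IpPermissions"]
        has_port = any(r.get("FromPort") == port for r in rules)
        has_world = any(ip["CidrIp"] == "0.0.0.0/0"
                        for r in rules for ip in r.get("IpRanges", []))
        if has_port and has_world:
            matched.append(sg["GroupId"])
    return matched


if __name__ == "__main__":
    print("filter pair returns:", cli_filter_matches(SG_JSON))
    print("rule-level findings:", world_open_rules(SG_JSON))
```

On the sample the filter pair returns bastion and web (one false positive) and misses legacy and wide; the rule-level walk returns bastion, legacy and wide. The CLI query is still the right first pass for speed; add a second filter on ip-permission.ipv6-cidr with ::/0 for the IPv6 case, and confirm each hit rule by rule before raising a ticket.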

Scenario C: Cost Optimization (EBS Volumes)

Unattached EBS volumes (status available) still cost money even though nothing is using them. This command finds “zombie” volumes so they can be reviewed for deletion.

aws ec2 describe-volumes \
    --filters "Name=status,Values=available" \
    --query "Volumes[*].{ID:VolumeId,sizeInGB:Size}" \
    --output table

Conclusion

The AWS CLI is more than just a way to launch instances; it is a data extraction and auditing tool. You can learn about every service in your infrastructure and take full control of every setting of your resources. The official documentation is your friend.

https://docs.aws.amazon.com/cli/

Ali Alrahbe

Hi, 👋 I'm Ali Alrahbe, a cybersecurity professional passionate about building cloud infrastructures that are both secure and resilient.

I got my start in tech on the front lines of IT support. That experience didn't just teach me how to solve complex problems—it showed me that proactive security is the bedrock of any successful digital system. That realization drove me to specialize in cloud security.
I'm an AWS Certified Solutions Architect Associate; I hold a Bachelor's degree in computer systems engineering and am currently pursuing a Master's in Cybersecurity in Berlin, focusing on Cloud Security, DevSecOps, and Infrastructure as Code (IaC).

On my website, Corefortify.com, I document my journey, share hands-on projects, and break down complex security concepts in the evolving world of cloud technology.

Feel free to connect with me on LinkedIn!
