AWS Command Line Interface

The AWS Command Line Interface (CLI) is very useful because, with this single tool, you can monitor multiple AWS services from the command line and automate many time-consuming tasks. In this post, I will explain how to install and configure the AWS CLI on Windows, Linux, Mac, or Unix OS.

What is AWS CLI?

You can use one of the following terminal programs for CLI:

  • Linux shells: Use common shell programs such as Bash, Zsh, and tcsh to run commands in Linux, Mac OS, or Unix.
  • Windows command line: On Microsoft Windows, run commands in either PowerShell or the Windows Command Processor.
  • Remotely: Run commands on Amazon EC2 instances through a remote terminal such as PuTTY or SSH, or with Amazon EC2 Systems Manager.

With AWS CLI you can simplify many multi-step processes using one command, and also automate repetitive tasks. For example, you can accomplish the following very easily and quickly using the AWS CLI versus using the AWS Management Console.

  • Sync all files from one s3 bucket to another s3 bucket, while also removing the ones that are deleted.
  • Get the list of all IAM users in your AWS account who access a specific bucket prefix.
  • Terminate all EC2 instances in your AWS account that are launched with a specific key pair.

Key Features of AWS CLI:

  • Manage all AWS resources using a single tool.
  • Simple Configuration.
  • Easy to use, and can combine with other scripting languages.

How to install AWS CLI?

To install on Windows, download one of the appropriate installers:

AWS CLI MSI Installer for Windows 64-bit
AWS CLI MSI Installer for Windows 32-bit

Follow the prompts on the installer to complete the installation.
As an alternative, run this installer batch script in an Administrator command prompt to download and run the installer.

How to install AWS CLI on Linux/Unix/MacOS:

  1. Install Python (skip this step if Python is already installed). Python version 2.6.5 or later is required.
  2. Install pip (skip this step if pip is already installed).

You can download and install pip using the following commands:

curl -O https://bootstrap.pypa.io/get-pip.py
python get-pip.py --user

  3. Install AWS CLI using pip.

With python and pip installed, you can install AWS CLI using the following command:

pip install awscli --upgrade --user

Once AWS CLI is installed, you need to configure it. The configuration enables the CLI to authenticate with AWS as a user with a fixed set of permissions.

If you are trying to use the CLI on your machine or AWS EC2 instance, then you can follow the below instructions:

First, you will need an Access Key ID and Secret Access Key pair. If you don’t already have one, generate it by going to IAM->Users and selecting the user you want to create the pair for (see the screenshot below).

You can only view the secret access key on the console at the time you create it; you won’t be able to view it again afterwards. So, make sure you write it down and save it somewhere safe.

Note: If you lose your secret access key, or if someone steals it (a security concern), you will have to generate a new one and then configure it on all the machines where you use the AWS CLI.

Once you have the keys, then run the command “aws configure” on the command line, and enter the keys as shown below. Region and Output format values are optional and can be left blank.

With this setup done, you can now access/query the AWS resources from your command line.
If you want to save multiple user profiles, then you can create user profiles using the command:

aws configure --profile fakeuser

Using multiple profiles allows you to test different roles or authorizations to ensure that you are granting neither more nor less access than you should. You can then easily configure the CLI to use the profile of your choice.

How to make it more secure? Use IAM Roles

Let’s say an attacker gains access to your EC2 instance and reads the Access Key ID and Secret Access Key values. That person can then use them from any machine with public internet access to change or break your environment against your will. This could become a big security concern.

To avoid situations like these, a better alternative is to create an IAM role with all the necessary permissions and attach that role to your EC2 instance. With this type of setup, if your instance gets compromised, you can terminate the instance or update the role’s permissions.
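The keys entered through ‘aws configure’ are stored in plain text in the credentials file (~/.aws/credentials by default), which is what an intruder on the instance would read. The following script is an added example, not part of the original post: it lists which profiles in such a file hold long-lived keys and checks whether the file is readable by other users. The function names are hypothetical and the sample file is constructed from AWS documentation sample values.

```bash
#!/usr/bin/env bash
# Added example: audit an AWS CLI credentials file for stored keys.

# Print "<profile> <kind> <masked key id>" for every stored access key.
# AKIA... = long-lived IAM user key, ASIA... = temporary STS key.
audit_credentials() {
  awk '
    /^[ \t]*\[/ {                       # section header, e.g. [fakeuser]
      gsub(/^[ \t]*\[|\][ \t]*$/, ""); profile = $0; next
    }
    /^[ \t]*aws_access_key_id[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
      kind = "unknown"
      if ($0 ~ /^AKIA/) kind = "long-lived"
      if ($0 ~ /^ASIA/) kind = "temporary"
      # Mask the id so the report itself is safe to log.
      print profile, kind, substr($0, 1, 4) "..." substr($0, length($0) - 3)
    }
  ' "$1"
}

# Succeed only if group and others have no permission bits on the file.
is_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Write a constructed credentials file (not real keys).
make_sample() {
  cat > "$1" <<'EOF'
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[fakeuser]
aws_access_key_id=ASIAEXAMPLEEXAMPLE00
aws_secret_access_key=constructedSecretValue
aws_session_token=constructedToken
EOF
}

sample=$(mktemp)
make_sample "$sample"
chmod 644 "$sample"                     # deliberately too permissive
audit_credentials "$sample"
is_private "$sample" || echo "WARNING: $sample is readable by other users"
chmod 600 "$sample" && is_private "$sample" && echo "OK after chmod 600"
rm -f "$sample"
```

On a real machine, call audit_credentials and is_private on ~/.aws/credentials; an instance that gets its permissions from an attached role should report no long-lived keys at all.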

For example, you want your EC2 web server instance to access your RDS instances and the S3 bucket in your AWS account. You can use the following steps to enable AWS CLI to be able to access those resources:

  1. Create the IAM role ‘CustomAccess_S3_RDS’ with the permissions ‘AmazonS3FullAccess’ and ‘AmazonRDSFullAccess’.
  2. When launching the EC2 instance, assign the IAM role ‘CustomAccess_S3_RDS’.

Now, if you have AWS CLI installed on your EC2 instance, then you do not need to run the ‘aws configure’ command to access S3 and RDS. Your EC2 instance is already attached to a role with the necessary permissions, and so you can start accessing your resources directly.
If you want to access more resources from your EC2, then you can still go and update the role’s permissions to add/remove access rights or privileges as needed.
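The same role setup can be done from the CLI itself. This is an added example, not part of the original post: the role and policy names are the ones from the steps above, while the function names, the instance profile named after the role, and the --apply switch are assumptions of this sketch.

```bash
#!/usr/bin/env bash
# Added example: create the role from the steps above with the AWS CLI.
ROLE=CustomAccess_S3_RDS

# Trust policy: only the EC2 service may assume this role.
trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

create_role() {
  aws iam create-role --role-name "$ROLE" \
      --assume-role-policy-document "$(trust_policy)"
  for p in AmazonS3FullAccess AmazonRDSFullAccess; do
    aws iam attach-role-policy --role-name "$ROLE" \
        --policy-arn "arn:aws:iam::aws:policy/$p"
  done
  # EC2 receives a role through an instance profile; name it after the role.
  aws iam create-instance-profile --instance-profile-name "$ROLE"
  aws iam add-role-to-instance-profile \
      --instance-profile-name "$ROLE" --role-name "$ROLE"
}

# Attach the profile to an already running instance; $1 is its instance id.
attach_to_instance() {
  aws ec2 associate-iam-instance-profile --instance-id "$1" \
      --iam-instance-profile "Name=$ROLE"
}

# Run on the instance: prints the ARN the CLI is acting as, which is an
# assumed-role ARN for $ROLE when no stored keys are in use.
verify_on_instance() {
  aws sts get-caller-identity --query Arn --output text
}

# Nothing is changed in the account unless the script is run with --apply.
if [ "${1:-}" = "--apply" ]; then create_role; fi
```

The two FullAccess managed policies are the ones the steps name; a role for a production web server would normally carry a narrower custom policy limited to the buckets and databases it actually uses.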

AWS CLI cheat sheet:

aws [command] [subcommand] [options and parameters*]

Command Help:

aws [service] help

Here, I will go over some examples for a few services to give you an idea.

AWS S3 (Simple Storage Service):

Print a list of all buckets in your AWS account:

aws s3 ls

Sync all the files from your s3 bucket to the local path:

aws s3 sync s3://my-test-bucket C:\Users\amolk\my_test_folder

The --delete flag will also remove a file/object from the local path if it has been deleted from the s3 bucket.

aws s3 sync --delete s3://my-test-bucket C:\Users\amolk\my_test_folder

Similarly, changing the location of the paths/URLs will change the direction of file transfer.
Sync all the files from your local path to s3 bucket:

aws s3 sync C:\Users\amolk\my_test_folder s3://my-test-bucket

The --delete flag will also remove a file/object from the s3 bucket if it has been deleted from the local path.

aws s3 sync --delete C:\Users\amolk\my_test_folder s3://my-test-bucket

AWS EC2 (Elastic Compute Cloud):

Get the description of all EC2 instances:

aws ec2 describe-instances

Get the description of a specific EC2 instance:

aws ec2 describe-instances --instance-ids i-1234567890###

AWS IAM (Identity and Access Management):

List all the IAM users in the current AWS account:

aws iam list-users

Get information about an IAM user in the AWS account:

aws iam get-user --user-name fakeuser

Conclusion

Look forward to waking up every day to an interesting challenge!