AWS CLI Command Cheat Sheet: Efficiently Working With Amazon S3 and AWS Lambda

Hemanta Sundaray

Published December 3, 2023


AWS CLI commands for efficiently working with AWS IAM, Amazon S3 and AWS Lambda.

AWS Account ID

Run the command below to find out your AWS account ID:

aws sts get-caller-identity --query Account --output text

AWS Permission Policy

Create a permission policy that allows a Lambda function to get objects from an Amazon S3 bucket and write to Amazon CloudWatch logs.

aws iam create-policy \
--policy-name <POLICY_NAME> \
--policy-document '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:PutLogEvents", "logs:CreateLogGroup", "logs:CreateLogStream" ], "Resource": "arn:aws:logs:*:*:*" }, { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": "arn:aws:s3:::*/*" } ] }'
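The policy above grants s3:GetObject on every object in every bucket (arn:aws:s3:::*/*) and log writes on every log group. The shell functions below are an added example, not code from the original post: they emit the same two statements scoped to one bucket and to the function's own log group, check that no statement falls back to a wildcard resource, and write the document to a file for --policy-document file://. The bucket name, account ID, region and function name are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original post: least-privilege variant of the
# Lambda permission policy, scoped to one bucket and one function's log group.
# Bucket, account ID, region and function name are caller-supplied assumptions.

lambda_policy_json() {
  bucket="$1"; account="$2"; region="$3"; function_name="$4"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "WriteOwnLogGroup",
      "Effect": "Allow",
      "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
      "Resource": "arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${function_name}:*"
    },
    {
      "Sid": "ReadOneBucket",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::${bucket}/*"
    }
  ]
}
EOF
}

# Exit 0 when no Resource in the document is a bare wildcard such as
# "*", "arn:aws:s3:::*/*" or "arn:aws:logs:*:*:*"; exit 1 otherwise.
policy_has_no_wildcard_resource() {
  ! printf '%s' "$1" | grep -Eq '"Resource": *"(\*|arn:aws:s3:::\*/\*|arn:aws:logs:\*:\*:\*)"'
}

# Write the policy to a file so the JSON does not have to be escaped on the
# command line: aws iam create-policy ... --policy-document file://<path>
write_policy_file() {
  lambda_policy_json "$1" "$2" "$3" "$4" > "$5"
}

# Demo on constructed values; no AWS calls are made here.
#   write_policy_file my-input-bucket 123456789012 us-east-1 my-function lambda-policy.json
#   aws iam create-policy --policy-name <POLICY_NAME> --policy-document file://lambda-policy.json
lambda_policy_json my-input-bucket 123456789012 us-east-1 my-function
```

Scoping the log statement to /aws/lambda/<function name> matches the log group Lambda creates for the function, and scoping s3:GetObject to one bucket means a bug or prompt-injected instruction in the function can only read that bucket, not every bucket in the account.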

AWS IAM

List all IAM roles

aws iam list-roles

This command outputs a JSON object containing detailed information about each IAM role.

If you are interested in retrieving just the role names, run the following command:

aws iam list-roles --query 'Roles[].RoleName' --output text | tr '\t' '\n'

In this command, --output text prints the role names as tab-separated text. Piping that through tr '\t' '\n' replaces each tab character with a newline, so each role name appears on its own line.

Attach a permission policy to an IAM role

aws iam attach-role-policy \
--role-name <ROLE_NAME> \
--policy-arn <PERMISSION_POLICY_ARN>

List all policies attached to an IAM role

aws iam list-attached-role-policies --role-name <ROLE_NAME>

Detach a policy attached to an IAM role

aws iam detach-role-policy --role-name <ROLE_NAME> --policy-arn <POLICY_ARN>

Delete an IAM role

aws iam delete-role --role-name <ROLE_NAME>

Amazon S3

Create a bucket

aws s3 mb s3://<BUCKET_NAME>

Delete a bucket

aws s3 rb s3://<BUCKET_NAME>

Note that the bucket must be empty before you can delete it.

If your bucket is not empty, and you want to delete the bucket along with all its contents, you can use the --force option:

aws s3 rb s3://<BUCKET_NAME> --force

Allow public access for a bucket

aws s3api put-public-access-block \
    --bucket <BUCKET_NAME> \
    --public-access-block-configuration "BlockPublicAcls=false,IgnorePublicAcls=false,BlockPublicPolicy=false,RestrictPublicBuckets=false"

Remember that turning off these settings alone doesn't make the bucket's content public. You still need a bucket policy that explicitly grants public read or write access.

Set the bucket to public access via bucket policy

Run the following command to apply a bucket policy that grants public read access:

aws s3api put-bucket-policy --bucket <BUCKET_NAME> --policy "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"s3:GetObject\",\"Resource\":\"arn:aws:s3:::<BUCKET_NAME>/*\"}]}"

This policy allows anyone to read the objects in your bucket. Make sure to adjust the policy according to your specific requirements.
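The two settings above (all four public access block flags off, plus a bucket policy with Principal "*") are exactly what a bucket exposure review looks for. The shell functions below are an added example, not part of the original post: they take the JSON that aws s3api get-public-access-block and aws s3api get-bucket-policy print for a bucket and report any disabled block setting or any policy statement granting access to Principal "*". The JSON in the demo is constructed; the checks are text-based (grep and sed) so they run without jq.

```shell
#!/bin/sh
# Added example, not from the original post: audit a bucket's public exposure from
# the JSON printed by `aws s3api get-public-access-block --bucket <BUCKET_NAME>`
# and `aws s3api get-bucket-policy --bucket <BUCKET_NAME>`.

# Print the name of every public access block setting that is set to false.
disabled_public_access_settings() {
  printf '%s' "$1" |
    grep -Eo '"(BlockPublicAcls|IgnorePublicAcls|BlockPublicPolicy|RestrictPublicBuckets)": *false' |
    sed -E 's/"([A-Za-z]+)".*/\1/'
}

# Exit 0 when all four settings are enabled, 1 otherwise.
public_access_block_is_complete() {
  [ -z "$(disabled_public_access_settings "$1")" ]
}

# Exit 0 when the bucket policy grants access to Principal "*" (or {"AWS": "*"}).
# get-bucket-policy returns the policy as an escaped string inside the "Policy"
# field, so the pattern tolerates an optional backslash before each quote.
bucket_policy_is_public() {
  printf '%s' "$1" | grep -Eq '\\?"(Principal|AWS)\\?": *\\?"\*\\?"'
}

# Arguments: PAB_JSON POLICY_JSON. Exit 0 when no public exposure was found.
audit_bucket_exposure() {
  rc=0
  for s in $(disabled_public_access_settings "$1"); do
    echo "WARN: public access block setting $s is disabled"; rc=1
  done
  if bucket_policy_is_public "$2"; then
    echo "WARN: bucket policy grants access to Principal \"*\""; rc=1
  fi
  return $rc
}

# Demo on constructed JSON (the state the two commands above leave a bucket in);
# no AWS calls are made here.
demo_pab='{"PublicAccessBlockConfiguration": {"BlockPublicAcls": false, "IgnorePublicAcls": false, "BlockPublicPolicy": false, "RestrictPublicBuckets": false}}'
demo_policy='{"Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"s3:GetObject\",\"Resource\":\"arn:aws:s3:::demo-bucket/*\"}]}"}'
if audit_bucket_exposure "$demo_pab" "$demo_policy"; then
  echo "no public exposure found"
else
  echo "bucket is publicly readable"
fi
```

Two caveats when running this against a real bucket: get-public-access-block fails with NoSuchPublicAccessBlockConfiguration when the bucket has never had a block configured, which for this check is equivalent to all four settings being disabled, and an account-level block (aws s3control get-public-access-block --account-id <ACCOUNT_ID>) can override the bucket-level settings, so check both before concluding a bucket is reachable.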

List buckets

To list all buckets in Amazon S3, run the following command:

aws s3 ls

This command lists all the S3 buckets available in your AWS account under the currently configured AWS CLI profile. It provides a simple list of bucket names along with the creation date of each bucket.

List objects in a bucket

aws s3 ls s3://<BUCKET_NAME>

Delete objects in a bucket

aws s3 rm s3://<BUCKET_NAME> --recursive

Check the CORS configuration of an S3 bucket

aws s3api get-bucket-cors --bucket <BUCKET_NAME>

Set the CORS configuration of an S3 bucket

aws s3api put-bucket-cors --bucket <BUCKET_NAME> --cors-configuration '{"CORSRules":[{"AllowedHeaders":["*"],"AllowedMethods":["GET","POST","PUT","DELETE"],"AllowedOrigins":["*"]}]}'

Check an S3 bucket's notification configuration

aws s3api get-bucket-notification-configuration --bucket <BUCKET_NAME>

This command returns the bucket's notification configuration, which includes configurations for events that trigger Lambda functions, SQS queues, and SNS topics.

Delete an S3 bucket notification configuration

aws s3api put-bucket-notification-configuration --bucket <BUCKET_NAME> --notification-configuration "{}"

This command sets the notification configuration of the bucket to an empty configuration, effectively removing any existing configurations.

AWS Lambda

List lambda functions

aws lambda list-functions

This command shows a JSON object with detailed information about each Lambda function.

To list just the Lambda function names, each on their own line, run the command below:

aws lambda list-functions --query 'Functions[].FunctionName' --output text | tr '\t' '\n'

In this command, the --query parameter filters the output down to the FunctionName of each function, and --output text prints those names as tab-separated text. The tr command then replaces tabs with newline characters, so each function name appears on its own line.

Retrieve configuration information of a Lambda function

aws lambda get-function-configuration --function-name <FUNCTION_NAME>

ARN of a lambda function

aws lambda get-function --function-name <FUNCTION_NAME> --query 'Configuration.FunctionArn'

Function URL of a lambda function

aws lambda get-function-url-config --function-name <FUNCTION_NAME>

Create an execution role for a lambda function

aws iam create-role \
--role-name <ROLE_NAME> \
--assume-role-policy-document '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}'

Add environment variables to an existing lambda function

aws lambda update-function-configuration \
  --function-name explainChart \
  --environment "Variables={KEY=VALUE}"

Create a function URL for an existing lambda function

aws lambda create-function-url-config \
    --function-name <FUNCTION_NAME> \
    --auth-type NONE \
    --cors '{"AllowOrigins":["*"],"AllowHeaders":["content-type"],"AllowMethods":["*"]}'
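With --auth-type NONE the URL can be invoked by anyone who learns it, and AllowOrigins "*" with AllowMethods "*" lets any website call it from a browser. The shell functions below are an added example, not part of the original post: they read the JSON that aws lambda get-function-url-config prints and report those findings, and they check the function's resource-based policy from aws lambda get-policy for a statement that lets Principal "*" call lambda:InvokeFunctionUrl (the second half of what makes a NONE-auth URL public). The JSON in the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: report public-exposure findings for a
# Lambda function URL from the JSON printed by
# `aws lambda get-function-url-config --function-name <FUNCTION_NAME>` and
# `aws lambda get-policy --function-name <FUNCTION_NAME>`.

# Print one line per finding; print nothing when the URL config looks closed.
function_url_findings() {
  cfg="$1"
  if printf '%s' "$cfg" | grep -Eq '"AuthType": *"NONE"'; then
    echo "AuthType NONE: the URL can be invoked without a signed request"
  fi
  if printf '%s' "$cfg" | grep -Eq '"AllowOrigins": *\[ *"\*" *\]'; then
    echo "CORS AllowOrigins *: any web origin may call the URL from a browser"
  fi
  if printf '%s' "$cfg" | grep -Eq '"AllowMethods": *\[ *"\*" *\]'; then
    echo "CORS AllowMethods *: every HTTP method is allowed cross-origin"
  fi
}

# Exit 0 when the URL config uses AuthType NONE.
function_url_is_public() {
  printf '%s' "$1" | grep -Eq '"AuthType": *"NONE"'
}

# Exit 0 when the resource-based policy (escaped JSON inside the "Policy" field
# of get-policy) mentions lambda:InvokeFunctionUrl and grants it to Principal "*".
resource_policy_allows_public_url() {
  printf '%s' "$1" | grep -Eq 'lambda:InvokeFunctionUrl' &&
  printf '%s' "$1" | grep -Eq '\\?"Principal\\?": *\\?"\*\\?"'
}

# Demo on constructed JSON (the state the create-function-url-config command
# above produces); no AWS calls are made here.
demo_cfg='{"FunctionUrl": "https://abc123.lambda-url.us-east-1.on.aws/", "AuthType": "NONE", "Cors": {"AllowOrigins": ["*"], "AllowHeaders": ["content-type"], "AllowMethods": ["*"]}}'
function_url_findings "$demo_cfg"
```

The hardened counterpart is the same create command with --auth-type AWS_IAM and AllowOrigins restricted to the sites that need the URL; callers then sign requests with SigV4 and need lambda:InvokeFunctionUrl in their own IAM policy, and no Principal "*" statement is required on the function.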

Delete a Lambda function

aws lambda delete-function --function-name <FUNCTION_NAME>

Amazon ECR (Elastic Container Registry)

List all repositories

aws ecr describe-repositories

This command will return a list of all the ECR repositories in your current AWS account and region. The output includes information such as the repository name, URI, and details about the repository configuration.

List images in an Amazon ECR repository

aws ecr list-images --repository-name <REPOSITORY_NAME>

Delete images in an Amazon ECR repository

aws ecr batch-delete-image \
    --repository-name explain-formula \
    --image-ids imageDigest=<IMAGE_DIGEST_VALUE> \
                imageDigest=<IMAGE_DIGEST_VALUE> \
                imageDigest=<IMAGE_DIGEST_VALUE> \
                imageDigest=<IMAGE_DIGEST_VALUE>

Replace <IMAGE_DIGEST_VALUE> with the digest of each image you want to delete. You can find these digests by running aws ecr list-images --repository-name <REPOSITORY_NAME>, which lists all images in the specified repository along with their image digests.

Note

Include one imageDigest entry for each image you want to delete.

Delete an Amazon ECR repository

aws ecr delete-repository --repository-name <REPOSITORY_NAME> --force

Note

The --force flag is optional; it deletes the repository regardless of whether it still contains images. Without --force, the command fails if the repository contains images.