AWS CLI Explained for Beginners: Commands, Profiles, Output, and Examples
The AWS CLI is a terminal tool that lets you manage AWS services by typing commands instead of clicking through the console. Once you learn the basic command pattern, you can list resources, upload files, manage permissions, and automate tasks from a single terminal window.
What the AWS CLI is in simple terms
If you have used the AWS Management Console, you already understand what AWS services do. You click buttons, fill in forms, and things happen in your account. The AWS CLI does the same things, but through typed commands in a terminal.
For example, instead of opening the S3 console, navigating to your bucket, and clicking “Upload,” you type:
aws s3 cp report.csv s3://my-bucket/That single command uploads the file. Behind the scenes, both the console and the CLI talk to the same AWS APIs. The CLI is just a different way to send those API requests.
Think of the AWS Console as a restaurant where you order from a menu by pointing at pictures. The AWS CLI is like calling the same restaurant on the phone and placing your order by name. The kitchen (AWS API) is the same either way. The phone is just faster when you already know what you want.
You can install the AWS CLI on macOS, Linux, or Windows. Once installed and configured with credentials, every AWS service is accessible from your terminal.
Why people use the AWS CLI
The console works well for exploring services and learning how things fit together. But for day-to-day work, the CLI has clear advantages:
- Repeatability. A CLI command can be run identically every time. A sequence of console clicks cannot be reliably repeated.
- Scripting. You can put CLI commands in a shell script and run ten operations with one command.
- Automation. CLI commands work in CI/CD pipelines, cron jobs, and deployment scripts where a browser is not available.
- Version control. A script with CLI commands can be committed to Git, reviewed in a pull request, and tracked over time.
- Speed for bulk tasks. Tagging 50 instances, listing resources across regions, or cleaning up old snapshots is much faster from the terminal.
None of this means you should stop using the console. The best approach is to use both: the console for exploration and visual confirmation, the CLI for repeatable work and automation.
AWS CLI vs Console vs CloudShell
AWS gives you three main ways to interact with services. Each is best in different situations:
| AWS CLI (local) | Management Console | CloudShell | |
|---|---|---|---|
| Interface | Terminal on your machine | Web browser | Terminal in the browser |
| Setup required | Install CLI + configure credentials | None (sign in to AWS) | None (opens from console) |
| Scriptable | Yes | No | Limited (session-based) |
| Best for | Automation, scripting, daily workflows | Exploring, learning, visual dashboards | Quick ad-hoc commands |
| Persistent storage | Full local filesystem | N/A | 1 GB per region |
AWS CloudShell is a good middle ground when you need to run a quick command but do not have the CLI installed locally. For anything beyond one-off tasks, a local CLI installation gives you full control.
If you are unsure which tool to use, start in the console to understand what you are doing, then convert your workflow to CLI commands once you want to repeat it. This is how most engineers naturally adopt the CLI.
How the AWS CLI works
Every CLI command translates into an API call to an AWS service. The mental model is straightforward:
- You type a command that names a service and an operation.
- The CLI signs the request using your access key credentials and sends it to the correct AWS API endpoint.
- AWS processes the request and returns structured data (usually JSON).
- The CLI displays the response in your chosen output format.
The CLI is like a translator standing between you and the AWS API. You speak in short, readable commands (aws s3 ls). The translator converts that into a signed HTTPS request, sends it to the right AWS endpoint, and reads the response back to you in the format you prefer. The console does the same translation, but hides it behind buttons and forms.
Basic AWS CLI command structure
Every AWS CLI command follows the same pattern:
aws <service> <operation> [options]The service is the AWS product (like s3, ec2, or iam).
The operation is the action (like ls, describe-instances,
or list-users). Options are extra parameters like filters, output format, or the
target resource.
# List your S3 buckets
aws s3 ls
# Describe all EC2 instances in the current region
aws ec2 describe-instances
# List all IAM users in your account
aws iam list-users
# Check who you are authenticated as
aws sts get-caller-identityYou can get help for any level of the hierarchy. Run aws help to list all services.
Run aws s3 help to see S3 operations. Run aws s3 cp help to see options
for a specific command.
The pattern aws <service> <operation> maps directly to the underlying
AWS API action. Once you learn the pattern for
one service, you can apply it to any of the 200+ services available in AWS. The structure is
always the same.
Output formats and the —query flag
CLI commands return structured data. You control the format with the —output flag:
json(default): full JSON, good for piping to tools likejqtext: tab-separated values, useful inside shell scriptstable: human-readable ASCII table, useful for quick visual checksyaml: YAML output, handy when comparing with CloudFormation templates
# Default JSON output
aws sts get-caller-identity
# Same command, but only the Account ID as plain text
aws sts get-caller-identity --query Account --output text
# EC2 instances displayed as a table
aws ec2 describe-instances \
--query 'Reservations[*].Instances[*].{ID:InstanceId,State:State.Name,Type:InstanceType}' \
--output tableFiltering output with JMESPath
AWS commands often return large JSON payloads. The —query flag filters the response
using a language called JMESPath, so you only see what matters.
Think of JMESPath as a path into the JSON structure. If the response has a top-level key called
Buckets containing an array, —query ‘Buckets[*].Name’ pulls out just
the bucket names.
# List only bucket names
aws s3api list-buckets --query 'Buckets[*].Name'
# Get instance IDs of running instances
aws ec2 describe-instances \
--filters "Name=instance-state-name,Values=running" \
--query 'Reservations[*].Instances[*].InstanceId' \
--output text
# Get the ARN of a specific IAM role
aws iam get-role \
--role-name MyAppRole \
--query 'Role.Arn' \
--output textStart simple. Use —query to pull a single field, then build up to more complex
filters as you get comfortable. Combining —query with —output text
is especially useful when you need a clean value to assign to a script variable.
Profiles, credentials, and authentication
Before the CLI can make API calls, it needs credentials that prove who you are. When you run
aws configure, the CLI stores your
access key and secret key in files under
~/.aws/.
Named profiles
If you work with more than one AWS account (dev, staging, production), named profiles let you switch between them without editing your credentials each time:
# Create a named profile
aws configure --profile mycompany-dev
# Use a specific profile for one command
aws s3 ls --profile mycompany-dev
# Set a profile for the entire terminal session
export AWS_PROFILE=mycompany-devEach profile can have its own region, output format, and credential type. Profile credentials
live in ~/.aws/credentials and configuration in ~/.aws/config.
Named profiles work like saved logins in a web browser. Each profile remembers a different set of credentials and settings. When you pass —profile production, it is like switching to a different browser profile. You do not need to sign out and sign back in.
Verifying your identity before sensitive actions
Before running any command that changes resources, confirm which account and identity you are using:
aws sts get-caller-identityThis returns your account ID, user or role ARN, and the identity you are authenticated as. It costs nothing and takes a second. Making this a habit prevents the most common CLI mistake: running a destructive command against the wrong account.
Long-lived access keys are the most common source of AWS security incidents. If a key leaks in a Git commit or a log file, anyone can use it until you manually revoke it. Prefer temporary credentials from AWS STS, which expire automatically and limit the blast radius of a leak.
When to use the AWS CLI
The CLI is not always the right tool. Here are the scenarios where it shines:
Checking your identity or account quickly.
aws sts get-caller-identityconfirms who you are in one command, faster than navigating the console.Listing or inspecting resources. Commands like
aws ec2 describe-instancesoraws s3 lsgive you a fast summary without loading a web page.Uploading files to S3.
aws s3 cpandaws s3 synchandle single files or entire directories. See the S3 overview for more on how S3 works.Scripting and CI/CD. CLI commands in shell scripts or pipeline steps can deploy code, run database migrations, or clean up old resources automatically.
Switching between accounts. With named profiles, you can target any account without signing out and back in to the console.
Managing IAM from the command line. Creating users, attaching policies, and listing roles are faster from the CLI when you already know what you need.
For visual exploration, dashboards, and tasks you have never done before, the Management Console is usually the better starting point.
Common beginner mistakes
Running commands in the wrong region. Many commands return empty results or fail quietly when the region is not set. Fix this by running
aws configureto set a default region, or pass—region us-east-1explicitly. See Regions and Availability Zones to understand how regions work.Using the wrong profile or account. Running a destructive command against production when you meant to target dev is a serious risk. Always run
aws sts get-caller-identitybefore making changes.Hardcoding credentials in scripts. Never paste access keys directly into scripts or files that get committed to version control. Use named profiles, IAM roles, or a secrets manager instead. Read Access Keys Explained for safer alternatives.
Not checking identity before sensitive operations. It takes one second to run
aws sts get-caller-identity. Skipping this step is how people accidentally delete production resources.Skipping —dry-run when it is available. Many EC2 commands support
—dry-run, which checks your permissions without actually executing the operation. Use it before running anything destructive. It tells you whether the command would succeed without making any changes.
Real examples beginners actually need
These are the commands you will reach for most often when getting started:
# Confirm your identity and account
aws sts get-caller-identity
# List your S3 buckets
aws s3 ls
# List objects inside a specific bucket
aws s3 ls s3://my-bucket/
# Upload a file to S3
aws s3 cp report.csv s3://my-bucket/reports/
# Sync a local directory to S3
aws s3 sync ./build s3://my-bucket/static/
# List EC2 instances with useful columns
aws ec2 describe-instances \
--query 'Reservations[*].Instances[*].{ID:InstanceId,State:State.Name,Type:InstanceType}' \
--output table
# List IAM users
aws iam list-users --output table
# Get your account ID as a plain string (useful in scripts)
aws sts get-caller-identity --query Account --output text
# Use a named profile for a single command
aws s3 ls --profile production
# Check permissions before stopping an instance (dry run)
aws ec2 stop-instances --instance-ids i-0abc123 --dry-runEach of these commands follows the same aws <service> <operation> pattern.
Once you are comfortable with these, you can extend to any AWS service. The structure stays the same.
Frequently asked questions
What is the AWS CLI?
The AWS CLI (Command Line Interface) is a free, open-source tool that lets you manage AWS services from a terminal. Instead of clicking through the AWS Management Console, you type commands like aws s3 ls or aws ec2 describe-instances. Every action available in the console can also be performed through the CLI, and commands can be saved, scripted, and run repeatedly.
Is AWS CLI different from the AWS Management Console?
Yes. The AWS Management Console is a graphical web interface where you click buttons and fill forms. The AWS CLI is a text-based tool you run in a terminal. Both talk to the same AWS APIs and can perform the same actions, but the CLI is faster for repetitive tasks and can be automated in scripts and CI/CD pipelines.
Do I need to install AWS CLI to use AWS from the terminal?
You need the CLI installed on your own machine, but AWS also provides CloudShell, a browser-based terminal with the CLI pre-installed and pre-authenticated. CloudShell is useful for quick tasks. For regular use, installing the CLI locally gives you more control over configuration, profiles, and scripting.
How does the AWS CLI authenticate?
The CLI looks for credentials in a specific order: environment variables first, then the credentials and config files in ~/.aws/, and finally instance metadata if you are running on EC2. You set up credentials with aws configure, which stores an access key and secret key. For stronger security, you can use temporary credentials from AWS STS or SSO sessions through IAM Identity Center.
Should I use AWS CLI v1 or v2?
Use AWS CLI v2. It is the current, actively developed version with better output formatting, built-in paging, auto-complete, and native support for AWS SSO. CLI v1 still works but is in maintenance mode and does not receive new features. Run aws --version to check which version you have installed.