AWS Command Line Interface (AWS CLI)¶
What Is This Service?¶
AWS Command Line Interface (AWS CLI) is AWS’s command-line management tool that allows users to interact with AWS services through authenticated API calls from a terminal.
It provides:
- Service administration
- Automation
- Scripting
- Resource management
- Operational workflows
Mental model:
AWS CLI = terminal-based wrapper around AWS APIs.
CLI commands ultimately become:
AWS API Calls
CLI does not bypass IAM permissions.
Why It Matters for Security¶
CLI is one of the most common administrative and automation entry points.
Security goals:
- Eliminate long-lived credentials
- Use temporary sessions
- Enforce least privilege
- Secure automation pipelines
- Centralize authentication
Security outcomes:
- Reduced credential leakage
- Better operational security
- Automated secure access
- Strong identity propagation
Typical use cases:
- Infrastructure automation
- CI/CD
- Incident response
- Cross-account administration
- Bulk operations
- Security operations
Core Concepts¶
CLI → AWS API¶
CLI translates each command into one or more signed calls to the service's public API; nothing the CLI does lies outside what the API and the caller's IAM policy allow.
Example:
Command:
aws s3 cp file.txt s3://bucket
Actual API:
PutObject for a small file. Above the multipart threshold the high-level s3 commands switch to CreateMultipartUpload, UploadPart and CompleteMultipartUpload; the low-level aws s3api put-object maps 1:1 to PutObject.
CLI handles:
- Credential resolution
- Signing (SigV4)
- Serialization and endpoint resolution
- Retries and pagination
Run any command with --debug to see the exact API requests it sends.
CLI Profiles (MOST TESTED)¶
Profiles are named sets of settings and credentials, so one workstation can hold several identities without mixing them.
Stored in:
~/.aws/config (settings: region, output, role_arn, source_profile, sso_session and so on; sections are named [profile name], except [default])
~/.aws/credentials (static access keys only; sections are named [name])
Example:
aws s3 ls --profile prod
The same selection can be made once per shell with the AWS_PROFILE environment variable.
Supports:
- Multi-account access
- Environment separation
Credential Resolution Chain¶
CLI resolves credentials automatically, stopping at the first provider that returns a set.
Documented order:
Command-line options (--profile selects the profile; access keys themselves cannot be passed on the command line)
↓
Environment Variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN)
↓
Profile-based providers from ~/.aws/config and ~/.aws/credentials, tried in this order: assume role (role_arn + source_profile), web identity (web_identity_token_file), IAM Identity Center (sso_session), static keys in the credentials file, credential_process, static keys in the config file
↓
Container credentials (ECS task role, via AWS_CONTAINER_CREDENTIALS_RELATIVE_URI or AWS_CONTAINER_CREDENTIALS_FULL_URI)
↓
Instance Metadata (EC2 instance profile, read through IMDSv2)
Exam trap:
Explicit values override profile values. A forgotten AWS_ACCESS_KEY_ID in the shell silently wins over the profile you think you are using; aws sts get-caller-identity shows which one actually applied.
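As an added example (not part of the original notes and not botocore's code), the following Python models the chain above: given a constructed ~/.aws/config, ~/.aws/credentials, environment and --profile value, it reports which provider the CLI would stop at and which region applies. Account IDs, profile names and keys are made up. The one behavioural detail it adds to the list is botocore's rule that an explicit --profile on the command line removes the environment-key provider, while selecting a profile with AWS_PROFILE does not.

```python
"""Model of the AWS CLI credential provider chain (added teaching example).

Not botocore: it only decides WHICH provider the chain would stop at for a given
~/.aws/config, ~/.aws/credentials, environment and --profile value, and makes
no network calls. Files, account IDs, keys and profile names are constructed.
"""
import configparser

SAMPLE_CONFIG = """\
[default]
region = us-east-1

[profile dev]
region = eu-west-1

[profile prod]
# AssumeRole sourced from the static keys of "dev"; mfa_serial makes the CLI prompt for a code
role_arn = arn:aws:iam::111122223333:role/Admin
source_profile = dev
mfa_serial = arn:aws:iam::444455556666:mfa/alice
duration_seconds = 3600

[profile sso-audit]
sso_session = corp
sso_account_id = 777788889999
sso_role_name = SecurityAudit
region = us-east-1

[sso-session corp]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
"""

SAMPLE_CREDENTIALS = """\
[dev]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""


def _parse(text):
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(text)
    return parser


def _section(parser, name):
    return dict(parser[name]) if parser.has_section(name) else {}


def resolve(config_text, creds_text, env, cli_profile=None, cli_region=None):
    """Return the provider the chain stops at and the region the call would use."""
    cfg, creds = _parse(config_text), _parse(creds_text)

    # --profile on the command line beats AWS_PROFILE; with neither, "default".
    profile = cli_profile or env.get("AWS_PROFILE") or "default"
    # ~/.aws/config names sections "[profile x]" (except [default]); ~/.aws/credentials uses "[x]".
    p = _section(cfg, "default" if profile == "default" else f"profile {profile}")
    c = _section(creds, profile)
    region = cli_region or env.get("AWS_REGION") or env.get("AWS_DEFAULT_REGION") or p.get("region")

    def found(provider, **details):
        return {"provider": provider, "profile": profile, "region": region, **details}

    # Static keys in the environment beat every file-based source, unless --profile was
    # passed on the command line: botocore then removes the environment provider so the
    # named profile is honoured. Selecting the profile via AWS_PROFILE does not do this.
    if cli_profile is None and env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return {"provider": "environment", "profile": None, "region": region}

    # Profile-based providers, in the order the chain tries them.
    if p.get("role_arn") and (p.get("source_profile") or p.get("credential_source")):
        return found("assume-role", role_arn=p["role_arn"], mfa="mfa_serial" in p,
                     via=p.get("source_profile") or p.get("credential_source"))
    role_arn = p.get("role_arn") or env.get("AWS_ROLE_ARN")
    token_file = p.get("web_identity_token_file") or env.get("AWS_WEB_IDENTITY_TOKEN_FILE")
    if role_arn and token_file:
        return found("assume-role-with-web-identity", role_arn=role_arn, token_file=token_file)
    if p.get("sso_session") or p.get("sso_start_url"):
        return found("identity-center", account=p.get("sso_account_id"), role=p.get("sso_role_name"))
    if c.get("aws_access_key_id"):
        return found("shared-credentials-file", access_key=c["aws_access_key_id"])
    if p.get("credential_process"):
        return found("credential-process", command=p["credential_process"])
    if p.get("aws_access_key_id"):
        return found("config-file", access_key=p["aws_access_key_id"])
    if env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI") or env.get("AWS_CONTAINER_CREDENTIALS_FULL_URI"):
        return found("container")
    # Nothing configured: on EC2 this becomes the instance profile via IMDSv2.
    return found("instance-metadata")
```

Running resolve with an empty environment and no --profile lands on instance-metadata, which is exactly the situation in which a build host quietly borrows the EC2 instance role; pass the sample environment with stale keys plus AWS_PROFILE=dev and the stale keys win.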
Regions¶
CLI commands execute against:
Configured Region
Sources, highest precedence first:
- Command flag (--region)
- Environment (AWS_REGION, then AWS_DEFAULT_REGION)
- Profile (region = ... in ~/.aws/config)
A missing region is a common cause of "You must specify a region" failures in automation; CLI v2 also sends STS calls to the regional endpoint of the configured region rather than the global one.
Output Formats¶
Supported (--output on the command line or output = in the profile):
json
yaml
yaml-stream
text
table
Useful for automation; combine json with --query (a JMESPath expression) to select fields for scripts instead of parsing table output with grep.
Important Integrations¶
AWS IAM Identity Center (VERY HIGH VALUE)¶
Modern login method: the user authenticates in the browser, the CLI receives a short-lived access token, and it fetches temporary credentials for a permission-set role on demand.
Configure once:
aws configure sso
Re-authenticate when the session expires:
aws sso login --profile prod
Flow:
User
↓
Browser Login
↓
Identity Center
↓
CLI Session
Preferred over access keys: nothing long-lived sits in ~/.aws/credentials, and the token cache under ~/.aws/sso/cache expires on its own.
AWS STS¶
Provides:
Temporary Credentials (access key, secret key, session token, expiry)
Common operations:
aws sts assume-role --role-arn <role-arn> --role-session-name <name>
aws sts get-session-token (MFA-protected session for an IAM user)
aws sts get-caller-identity
Assumed-role credentials last from 15 minutes up to the role's maximum session duration (at most 12 hours); the CLI refreshes profile-driven ones automatically before they expire.
IAM Roles¶
Supports:
- AssumeRole
- Role chaining
- Cross-account access
Preferred security pattern: a profile with role_arn and source_profile (or credential_source) makes the CLI call AssumeRole for you, so scripts never handle the target account's credentials directly.
EC2 IMDSv2¶
On an instance with an instance profile the CLI retrieves the role's credentials from the Instance Metadata Service with no configuration; it is the last provider in the chain.
Pattern:
CLI
↓
IMDSv2 (PUT /latest/api/token, then GET /latest/meta-data/iam/security-credentials/<role>)
↓
Temporary Credentials (rotated automatically before expiry)
Hardening checks:
- Require IMDSv2 on the instance (HttpTokens=required) so the unauthenticated IMDSv1 GET path is closed.
- Keep the response hop limit at 1 unless containers on the instance legitimately need the role; a higher limit lets any process that can reach the host network read the credentials.
- AWS_EC2_METADATA_DISABLED=true stops the CLI from consulting IMDS at all, useful on hosts that must not borrow the instance role.
AWS SDK Credential Store¶
CLI and SDK commonly share:
~/.aws/
Exam nuance:
CLI and SDK often reuse profiles.
AWS CloudShell¶
Preinstalled environment (CLI v2 already installed, launched from the console).
Provides:
- Browser terminal
- Authenticated session: credentials are derived from the console sign-in and refreshed automatically
No local installation and no access keys to store.
CI/CD Systems¶
Modern authentication:
- OIDC: the CI provider is registered as an IAM identity provider and the job's identity token is exchanged for role credentials
- STS AssumeRoleWithWebIdentity performs the exchange; the CLI does it from AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN
- Temporary credentials scoped to the job's role, expiring with the run
Avoid static keys: a leaked pipeline key is valid until someone rotates it, a leaked OIDC token only until it expires, and the role's trust policy decides which repository and branch may use it.
Security Features¶
SigV4 Request Signing¶
CLI automatically signs every request.
Uses:
Signature Version 4 (SigV4): an HMAC-SHA256 over a canonical form of the request, keyed with a key derived from the secret access key, the date, the region and the service. The secret itself never travels over the wire, and the derived key is valid only for that day, region and service.
Temporary credentials additionally send the session token in the X-Amz-Security-Token header.
User does not implement signing.
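Added example, stdlib Python rather than anything from the CLI's source: the four SigV4 steps the CLI performs on every call (canonical request, string to sign, derived signing key, Authorization header). The access key AKIDEXAMPLE and the secret are the placeholder pair from the AWS SigV4 documentation, not live credentials, and list_users_example reproduces the documented GET ListUsers request so the output can be compared with AWS's published vectors.

```python
"""Minimal AWS Signature Version 4 signer, stdlib only (added example).

Shows the steps the CLI performs for every request. Credentials are the
placeholder pair used in the AWS SigV4 documentation, not live keys.
"""
import datetime as dt
import hashlib
import hmac
from urllib.parse import quote

ACCESS_KEY = "AKIDEXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"


def _hex_sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request").
    Only this derived key signs requests; the secret itself never leaves the client."""
    k_date = _hmac_sha256(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def canonical_query(params: dict) -> str:
    """Parameters sorted by name, RFC 3986 encoded (space is %20, never '+')."""
    return "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items())
    )


def sign_request(method, host, path, params, headers, body, region, service, when,
                 access_key=ACCESS_KEY, secret=SECRET_KEY, session_token=None):
    """Return the request headers with x-amz-date and Authorization added."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    # Canonical headers: lowercase names, trimmed values, internal whitespace collapsed.
    hdrs = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    hdrs["host"] = host
    hdrs["x-amz-date"] = amz_date
    if session_token:  # temporary credentials (STS, roles, Identity Center) carry a token
        hdrs["x-amz-security-token"] = session_token
    signed_headers = ";".join(sorted(hdrs))
    canonical_headers = "".join(f"{name}:{hdrs[name]}\n" for name in sorted(hdrs))
    canonical_request = "\n".join([
        method, path or "/", canonical_query(params),
        canonical_headers, signed_headers, _hex_sha256(body),
    ])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope, _hex_sha256(canonical_request.encode("utf-8")),
    ])
    signature = hmac.new(signing_key(secret, date_stamp, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    hdrs["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return hdrs


# The request from the AWS SigV4 documentation: GET iam.amazonaws.com/?Action=ListUsers&Version=2010-05-08
DOC_TIME = dt.datetime(2015, 8, 30, 12, 36, 0)


def list_users_example(session_token=None):
    return sign_request(
        "GET", "iam.amazonaws.com", "/",
        {"Action": "ListUsers", "Version": "2010-05-08"},
        {"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"},
        b"", "us-east-1", "iam", DOC_TIME, session_token=session_token,
    )
```

Because the date is part of both the derived key and the signed headers, a captured request cannot be replayed on another day or against another service, which is why clock skew of more than a few minutes shows up as a signature error rather than as a permissions error.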
Temporary Credential Support¶
Supports:
- STS
- Identity Center
- Roles
MFA Support¶
Supports MFA with:
AssumeRole (mfa_serial in the profile makes the CLI prompt for the code and pass --serial-number and --token-code to STS)
GetSessionToken (aws sts get-session-token --serial-number <mfa-arn> --token-code <code>)
MFA is only enforced if the role's trust policy requires it (a condition on aws:MultiFactorAuthPresent); otherwise the prompt is optional convenience.
Session Isolation¶
Profiles isolate:
- Accounts
- Regions
- Permissions
TLS Communication¶
CLI uses HTTPS and verifies the server certificate. --no-verify-ssl disables that check and should stay a debugging tool; for a corporate proxy or private CA, point ca_bundle (profile setting) or --ca-bundle at the trusted bundle instead.
Least Privilege¶
CLI obeys:
IAM Policies
No elevated access.
Advanced Security and Operational Concepts¶
CLI Credential Precedence (MOST TESTED)¶
Same chain as above, restated with the cases exams like:
CLI Options (--profile)
↓
Environment Variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN)
↓
Profile providers (assume role → web identity → Identity Center → credentials file → credential_process → config file)
↓
Container credentials
↓
Instance Metadata
Exam trap:
Environment variables override profiles: static keys in the shell beat a profile selected with AWS_PROFILE. Passing --profile explicitly on the command line is the exception; the CLI then ignores static keys in the environment and resolves from the named profile.
Identity Center Replaces Access Keys¶
Modern pattern:
aws configure sso
Benefits:
- Short-lived access
- Central governance
- MFA
Assume Role Workflow¶
Architecture:
CLI
↓
STS AssumeRole
↓
Temporary Credentials
↓
Target Account
Most common enterprise model.
get-caller-identity (HIGH VALUE)¶
Command:
aws sts get-caller-identity
Purpose:
Returns:
- Account: the account the credentials belong to
- Arn: the principal (an IAM user, or an assumed-role session including its session name)
- UserId: the unique ID (for role sessions, the role ID followed by the session name)
It tells you who you are, not what you may do; it lists no permissions.
No IAM permission is required and an explicit Deny does not block it, which is why it is the first check when every other call returns AccessDenied.
Classic troubleshooting command.
Role Chaining¶
Pattern:
Account A
↓
Role
↓
Account B
↓
Role
↓
Target
Using one role session's credentials to call AssumeRole again is role chaining; in profiles it is a source_profile that itself carries a role_arn. The first hop may come straight from the instance role with credential_source = Ec2InstanceMetadata.
Session duration constraints apply: chained sessions are capped at one hour regardless of the role's maximum session duration, and a duration_seconds above 3600 makes the chained AssumeRole fail.
Web Identity Federation¶
Modern workloads:
- EKS (IAM Roles for Service Accounts)
- GitHub Actions and other CI systems that issue OIDC tokens
CLI supports:
AssumeRoleWithWebIdentity
Environment:
AWS_WEB_IDENTITY_TOKEN_FILE (path to the OIDC token), AWS_ROLE_ARN and optionally AWS_ROLE_SESSION_NAME; or web_identity_token_file and role_arn in a profile.
The call itself needs no AWS credentials, so the role's trust policy is the actual access control: its Condition on the token's aud and sub claims decides which workloads may assume the role.
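Added example for this section and the CI/CD section above (not from the page, and a teaching evaluator rather than IAM): the trust policy is the real access control for AssumeRoleWithWebIdentity, so this Python compares a weak policy that checks only aud with a hardened one that also pins sub to one repository and ref, evaluating both against constructed GitHub Actions token claims. The account ID, repository names and claims are made up; only StringEquals and StringLike are modelled.

```python
"""Evaluate an IAM role trust policy against OIDC token claims (added example).

Teaching-grade evaluator for the StringEquals / StringLike conditions used in
AssumeRoleWithWebIdentity trust policies. It is not IAM; the account ID,
repository names and token claims are constructed.
"""
import fnmatch

GITHUB_ISSUER = "token.actions.githubusercontent.com"
OIDC_PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_ISSUER}"  # hypothetical account


def trust_policy(conditions):
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": OIDC_PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": conditions,
        }],
    }


# Weak: checks only the audience. Any GitHub Actions workflow in any repository can
# request a token with aud=sts.amazonaws.com, so any of them can assume this role.
WEAK_POLICY = trust_policy({
    "StringEquals": {f"{GITHUB_ISSUER}:aud": "sts.amazonaws.com"},
})

# Hardened: additionally pins the subject to one repository and its protected refs.
HARDENED_POLICY = trust_policy({
    "StringEquals": {f"{GITHUB_ISSUER}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{GITHUB_ISSUER}:sub": [
        "repo:example-org/payments:ref:refs/heads/main",
        "repo:example-org/payments:environment:production",
    ]},
})


def _condition_holds(operator, expected, actual):
    expected = expected if isinstance(expected, list) else [expected]
    if operator == "StringEquals":
        return actual in expected
    if operator == "StringLike":  # IAM wildcards: * and ?
        return any(fnmatch.fnmatchcase(actual, pattern) for pattern in expected)
    raise ValueError(f"operator not modelled: {operator}")


def allows_assume_role(policy, claims):
    """True if some Allow statement for AssumeRoleWithWebIdentity matches the token."""
    issuer_host = claims["iss"].split("://", 1)[-1]
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        if not stmt["Principal"]["Federated"].endswith("/" + issuer_host):
            continue  # token was issued by a provider this statement does not trust
        ok = True
        for operator, pairs in stmt.get("Condition", {}).items():
            for key, expected in pairs.items():
                claim = key.split(":", 1)[1]  # "issuer-host:claim" -> claim name
                actual = claims.get(claim)
                if actual is None or not _condition_holds(operator, expected, actual):
                    ok = False
        if ok:
            return True
    return False


def github_token(sub):
    """Constructed subset of the claims GitHub Actions places in its OIDC token."""
    return {"iss": f"https://{GITHUB_ISSUER}", "aud": "sts.amazonaws.com", "sub": sub}


OWN_MAIN = github_token("repo:example-org/payments:ref:refs/heads/main")
OWN_FEATURE = github_token("repo:example-org/payments:ref:refs/heads/feature/x")
OTHER_REPO = github_token("repo:someone-else/anything:ref:refs/heads/main")
```

The weak policy accepts OTHER_REPO; the hardened one accepts only OWN_MAIN. When reviewing a pipeline role, read the sub condition first: the aud check alone only proves the token was minted for AWS, not for you.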
Retry Logic¶
CLI retries throttling and transient errors automatically.
Uses:
Exponential Backoff
+
Jitter
Purpose:
Prevent:
Thundering Herd (many throttled clients retrying at the same instant)
Modes are selected with retry_mode in the profile or AWS_RETRY_MODE: legacy, standard (exponential backoff capped at 20 seconds, 3 attempts by default) and adaptive (standard plus client-side rate limiting). max_attempts in the profile or AWS_MAX_ATTEMPTS changes the budget.
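Added example, not CLI code: the full-jitter backoff of the standard retry mode applied to a simulated throttled API, showing the retry budget, the bound on each sleep, and that a non-retryable error such as AccessDenied surfaces immediately. The simulated service and its error codes are constructed.

```python
"""Exponential backoff with full jitter as the CLI's standard retry mode applies it
(added example). The throttled API is simulated; no AWS calls are made."""
import random

MAX_BACKOFF_SECONDS = 20.0   # standard mode caps every sleep here
DEFAULT_MAX_ATTEMPTS = 3     # standard mode default; max_attempts / AWS_MAX_ATTEMPTS override
RETRYABLE_CODES = {"Throttling", "ThrottlingException", "RequestLimitExceeded",
                   "TooManyRequestsException", "ProvisionedThroughputExceededException"}


class ApiError(Exception):
    def __init__(self, code):
        super().__init__(code)
        self.code = code


def backoff_delay(retry_number, rng):
    """Full jitter: rand() * 2**retry_number seconds, capped at 20 s.
    Randomising over the whole interval (instead of adding a little noise to a
    fixed schedule) is what keeps N throttled clients from retrying in lockstep."""
    return min(rng.random() * 2.0 ** retry_number, MAX_BACKOFF_SECONDS)


def call_with_retries(operation, rng, max_attempts=DEFAULT_MAX_ATTEMPTS, sleep=lambda s: None):
    """Call operation() up to max_attempts times; return (result, attempts, delays)."""
    delays = []
    for attempt in range(1, max_attempts + 1):
        try:
            return operation(), attempt, delays
        except ApiError as err:
            if err.code not in RETRYABLE_CODES or attempt == max_attempts:
                raise  # non-retryable (e.g. AccessDenied) or budget exhausted: surface it
            delay = backoff_delay(attempt, rng)
            delays.append(delay)
            sleep(delay)


def simulate(failures, max_attempts=DEFAULT_MAX_ATTEMPTS, code="Throttling", seed=7):
    """Constructed service that fails the first `failures` calls with `code`, then succeeds.
    Returns how the retry loop ended, so the behaviour can be inspected without sleeping."""
    state = {"calls": 0}

    def op():
        state["calls"] += 1
        if state["calls"] <= failures:
            raise ApiError(code)
        return {"Account": "123456789012"}  # constructed response

    try:
        result, attempts, delays = call_with_retries(op, random.Random(seed), max_attempts)
        return {"status": "ok", "attempts": attempts, "delays": delays, "result": result}
    except ApiError as err:
        return {"status": "error", "code": err.code, "attempts": state["calls"]}
```

Two throttles followed by success consume the whole default budget of three attempts; a third throttle would be reported to the caller, which is why bulk scripts against rate-limited APIs raise max_attempts or switch to adaptive mode rather than wrapping the CLI in their own retry loop.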
PrivateLink Endpoint Trap¶
Default:
Regional Endpoint (for example sts.us-east-1.amazonaws.com), resolved through public DNS.
If the interface endpoint was created with Private DNS disabled, the regional name still resolves to public addresses and the request leaves the VPC path you intended.
Use:
--endpoint-url pointing at the endpoint-specific DNS name, or set it once per profile with endpoint_url in ~/.aws/config or the AWS_ENDPOINT_URL / AWS_ENDPOINT_URL_<SERVICE> environment variables (CLI v2.13 and later).
Example:
aws s3 ls --endpoint-url https://vpce-xxxx
Confirm with --debug that the request host is the endpoint name and not the regional one.
CLI Is NOT SDK¶
CLI:
Human automation
SDK:
Application integration
CLI v2 Improvements¶
Modern default.
Features:
- Identity Center (SSO) support, including sso_session profiles
- Better auth: aws configure import for CSV key files, regional STS endpoints by default
- Improved installers (self-contained binaries, no dependency on a system Python)
- Auto-prompt, wizards and yaml output
Exam recommendation:
Prefer CLI v2.
Architecture Example¶
flowchart LR
User
CLI[AWS CLI]
STS[STS]
Role[IAM Role]
Endpoint[Regional Endpoint]
AWS[AWS Services]
User --> CLI
CLI --> STS
STS --> Role
CLI --> Endpoint
Endpoint --> AWS
Workflow(s)¶
CLI Authentication Flow¶
sequenceDiagram
participant User
participant CLI
participant STS
participant AWS
User->>CLI: Execute command
CLI->>STS: Obtain credentials
STS-->>CLI: Temporary credentials
CLI->>CLI: SigV4 sign
CLI->>AWS: API request
Cross-Account Access¶
sequenceDiagram
participant User
participant CLI
participant STS
participant Target
User->>CLI: Assume role
CLI->>STS: AssumeRole
STS-->>CLI: Temporary credentials
CLI->>Target: Authorized request
Identity Center Login¶
sequenceDiagram
participant User
participant Browser
participant IdentityCenter
participant CLI
User->>CLI: aws configure sso
CLI->>Browser: Open login
Browser->>IdentityCenter: Authenticate
IdentityCenter-->>CLI: Session
CLI-->>User: Ready
Comparisons¶
| Tool | Interface | Human Use | Programmatic | Credential Handling |
|---|---|---|---|---|
| AWS CLI | Terminal | Yes | Scripts and automation | Provider chain (profiles, environment, roles, IMDS) |
| AWS SDK | Library | No | Yes | Same provider chain; shares ~/.aws/ with the CLI |
| Console | Browser | Yes | No | Browser sign-in session |
| CloudShell | Browser terminal | Yes | Scripts inside the session | Derived from the console session |
| STS | API (credential issuer) | Indirectly, through CLI/SDK | Yes | Issues the temporary credentials the others consume |
Common Exam Traps¶
- CLI commands become API calls.
- CLI obeys IAM; it never grants more than the principal's policies allow.
- Environment variables override profiles, including one selected with AWS_PROFILE; an explicit --profile on the command line is the exception.
- CLI signs requests (SigV4) automatically.
- Identity Center preferred over long-lived access keys.
- get-caller-identity is diagnostic: it shows who you are, not what you may do.
- CLI supports AssumeRole, including MFA and role chaining (chained sessions are capped at one hour).
- CLI retries with exponential backoff and jitter.
- CLI and SDK share the ~/.aws/ credential and config files.
- PrivateLink with private DNS disabled requires an --endpoint-url override.
- CLI supports OIDC federation via AssumeRoleWithWebIdentity.
- CLI v2 preferred.
5-Second Recall¶
- CLI = terminal AWS access
- Commands → API calls
- Profiles isolate accounts
- STS issues temporary creds
- Identity Center preferred
- SigV4 automatic
- get-caller-identity verifies identity
Quick Revision Notes¶
- Terminal-based AWS access
- Commands become APIs
- Profile-based auth
- SSO preferred
- STS everywhere
- Retry uses jitter
- Supports AssumeRole
- PrivateLink endpoint override
- CLI v2 recommended
- Avoid long-lived access keys