
AWS CLI Cheat Sheet

EC2, S3, IAM, VPC, RDS and ECS for cloud interviews

Key Concepts

Region vs Availability Zone

Region: geographic area (ap-south-1 = Mumbai). AZ: isolated data centre within a region (ap-south-1a, 1b, 1c). Spread resources across AZs for high availability.

IAM Users vs Roles vs Policies

User: long-term identity for a person or application (console password and/or access keys that stay valid until someone rotates them). Role: identity that a service, a user or a federated principal assumes for a session; it holds no long-term credentials and hands out temporary ones through STS. Policy: JSON document defining permissions, attached to users, groups or roles (identity-based) or to a resource such as an S3 bucket (resource-based).

Prefer roles over access keys wherever possible: a leaked session token expires on its own, a leaked access key works until someone notices and rotates it.
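What "attach a policy" looks like from the reviewer's side, as an added example that is not part of the cheat sheet: a small Python lint that walks a policy document's statements and flags the wildcards and unconditioned escalation actions that break least privilege. The two sample policies, the bucket name and the account id 123456789012 are constructed for illustration.

```python
"""Least-privilege lint for an IAM identity policy document.

Added example, not from the cheat sheet. OVERBROAD and SCOPED are constructed
sample policies; the account id 123456789012 is a placeholder.
"""
import json

# Actions that let a principal widen its own access; require a Condition on them.
ESCALATION_ACTIONS = {
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachRolePolicy", "iam:AttachUserPolicy", "iam:PutRolePolicy",
    "iam:PutUserPolicy", "iam:UpdateAssumeRolePolicy", "sts:AssumeRole",
}


def _as_list(value):
    """IAM accepts a bare string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    """Get*/List*/Describe* calls are where Resource '*' is usually unavoidable."""
    return action.split(":", 1)[-1].startswith(("Get", "List", "Describe"))


def audit_policy(document):
    """Return [(statement_index, finding), ...]; an empty list means nothing was flagged."""
    findings = []
    for i, stmt in enumerate(_as_list(document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            findings.append((i, "Allow with NotAction grants every action except those listed"))
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if action == "*":
                findings.append((i, "Action '*' grants every API call"))
            elif action.endswith(":*"):
                findings.append((i, f"service-wide wildcard {action}"))
            if action in ESCALATION_ACTIONS and "Condition" not in stmt:
                findings.append((i, f"{action} without a Condition allows privilege escalation"))
        if "*" in resources and not all(_is_read_only(a) for a in actions):
            findings.append((i, "Resource '*' on a mutating action; scope to specific ARNs"))
    return findings


def audit_cli_output(text):
    """Audit either a bare policy file or the JSON printed by
    `aws iam get-policy-version` (document nested under PolicyVersion.Document)."""
    data = json.loads(text)
    document = data.get("PolicyVersion", {}).get("Document", data)
    return audit_policy(document)


# Constructed sample: what gets attached to a CI role in a hurry.
OVERBROAD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:RunInstances", "iam:PassRole"], "Resource": "*"},
    ],
}

# Constructed sample: the same intent, scoped to the prefix and role it needs.
SCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::my-bucket/ci/*"},
        {"Effect": "Allow", "Action": "ec2:RunInstances",
         "Resource": ["arn:aws:ec2:ap-south-1:123456789012:instance/*",
                      "arn:aws:ec2:ap-south-1::image/ami-*"]},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/ci-instance-role",
         "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
    ],
}

# Constructed stand-in for what `aws iam get-policy-version` prints.
OVERBROAD_CLI_JSON = json.dumps(
    {"PolicyVersion": {"Document": OVERBROAD, "VersionId": "v1", "IsDefaultVersion": True}})

if __name__ == "__main__":
    for name, doc in (("OVERBROAD", OVERBROAD), ("SCOPED", SCOPED)):
        print(name, audit_policy(doc) or "clean")
```

Pipe the output of `aws iam get-policy-version` into `audit_cli_output` to check a policy already in the account; the SCOPED sample passes because every escalation-capable action carries a Condition and nothing mutating has Resource "*".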

VPC: Public vs Private subnet

Public subnet: its route table has a route to an Internet Gateway; instances are reachable from the internet only if they also have a public or Elastic IP (auto-assign is a per-subnet setting). Private subnet: no IGW route; outbound traffic goes through a NAT Gateway and nothing on the internet can open a connection in.

Security Group vs NACL

Security Group: stateful, instance-level firewall. Return traffic is automatically allowed. NACL: stateless, subnet-level. You must explicitly allow inbound AND outbound. SGs are the main control; NACLs add a layer for subnet-wide blocking.
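To make the stateful/stateless difference concrete, here is an added Python simulation (not from the cheat sheet) of both filters handling one HTTPS connection; the IPs, ports and rule sets are constructed. It also shows NACL rule-number ordering, which is what "subnet-wide blocking" relies on.

```python
"""Stateful security group vs stateless NACL, simulated on one HTTPS connection.

Added example, not from the cheat sheet: addresses, ports and rule sets are
constructed. The reply packet is the point: a security group lets it through
because it tracked the inbound flow; a NACL only lets it through if an
outbound rule covers the client's ephemeral port.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    proto: str              # "tcp", "udp", or "-1" for all
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"   # NACLs also have "deny"; security groups are allow-only
    number: int = 0         # NACL rule number; lowest matching number wins


def _matches(rule, ip, port, proto):
    return (rule.proto in ("-1", proto)
            and rule.port_from <= port <= rule.port_to
            and ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr))


def _remote_and_port(pkt, direction):
    """Rules are written against the remote address and the destination port:
    inbound -> (source ip, port on the instance); outbound -> (dst ip, dst port)."""
    if direction == "in":
        return pkt.src_ip, pkt.dst_port
    return pkt.dst_ip, pkt.dst_port


def _flow_key(pkt, direction):
    """Same key for both directions of one connection, so replies are recognised."""
    if direction == "in":
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
    return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)


class SecurityGroup:
    """Stateful: once a flow is admitted in either direction, its replies are
    allowed without consulting the rules for the other direction."""

    def __init__(self, inbound=(), outbound=()):
        self.rules = {"in": list(inbound), "out": list(outbound)}
        self.tracked = set()

    def allows(self, pkt, direction):
        if _flow_key(pkt, direction) in self.tracked:
            return True
        ip, port = _remote_and_port(pkt, direction)
        if any(_matches(r, ip, port, pkt.proto) for r in self.rules[direction]):
            self.tracked.add(_flow_key(pkt, direction))
            return True
        return False


class NetworkAcl:
    """Stateless: every packet, replies included, is matched against the numbered
    rules for its direction; the first match decides, otherwise implicit deny."""

    def __init__(self, inbound=(), outbound=()):
        self.rules = {"in": sorted(inbound, key=lambda r: r.number),
                      "out": sorted(outbound, key=lambda r: r.number)}

    def allows(self, pkt, direction):
        ip, port = _remote_and_port(pkt, direction)
        for rule in self.rules[direction]:
            if _matches(rule, ip, port, pkt.proto):
                return rule.action == "allow"
        return False


def https_round_trip(firewall):
    """(request_allowed, reply_allowed) for an internet client hitting port 443."""
    request = Packet("203.0.113.5", 51234, "10.0.1.10", 443)
    reply = Packet("10.0.1.10", 443, "203.0.113.5", 51234)
    return firewall.allows(request, "in"), firewall.allows(reply, "out")


ANY = "0.0.0.0/0"
# Security group with only an inbound 443 rule: the reply is still allowed.
SG_WEB = SecurityGroup(inbound=[Rule("tcp", 443, 443, ANY)])
# NACL that mirrors the SG: inbound 443 works, the reply to port 51234 is dropped.
NACL_NAIVE = NetworkAcl(inbound=[Rule("tcp", 443, 443, ANY, number=100)],
                        outbound=[Rule("tcp", 443, 443, ANY, number=100)])
# NACL with the outbound ephemeral-port rule that stateless filtering needs.
NACL_FIXED = NetworkAcl(inbound=[Rule("tcp", 443, 443, ANY, number=100)],
                        outbound=[Rule("tcp", 443, 443, ANY, number=100),
                                  Rule("tcp", 1024, 65535, ANY, number=110)])
# Subnet-wide block of one network: a deny with a lower number beats the allow.
NACL_BLOCKLIST = NetworkAcl(inbound=[Rule("tcp", 0, 65535, "203.0.113.0/24", "deny", 50),
                                     Rule("tcp", 443, 443, ANY, number=100)],
                            outbound=NACL_FIXED.rules["out"])

if __name__ == "__main__":
    for name in ("SG_WEB", "NACL_NAIVE", "NACL_FIXED", "NACL_BLOCKLIST"):
        print(name, https_round_trip(globals()[name]))
```

NACL_NAIVE is the classic outage: the subnet accepts the SYN on 443 and then silently drops every reply, so the listener looks dead even though the security group is fine.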

ALB vs NLB

ALB (Application Load Balancer): Layer 7, HTTP/HTTPS, path and host-based routing, supports WAF. NLB (Network Load Balancer): Layer 4, TCP/UDP, ultra-low latency, preserves source IP. Use ALB for web apps, NLB for non-HTTP or extreme performance.

S3 storage classes

Standard: frequently accessed. Standard-IA: infrequent access, cheaper storage, retrieval fee. Glacier Instant/Flexible/Deep Archive: archival, retrieval from ms to hours. Intelligent-Tiering: automatically moves objects between tiers.

RDS Multi-AZ vs Read Replica

Multi-AZ: synchronous standby in another AZ for automatic failover (HA, not performance). Read Replica: asynchronous copy for read scaling. Read Replicas can be promoted to standalone in a DR scenario.

EC2 instance families

t: burstable (dev/test). m: general purpose (balanced CPU/memory). c: compute optimised (CPU-heavy). r: memory optimised (databases, caches). i: storage optimised. p/g: GPU. The number is the generation (t3 is newer than t2); letters after it are variants (g: Graviton/ARM, a: AMD, d: local NVMe disks, n: faster networking). Size: nano, micro, small, medium, large, xlarge, 2xlarge...

Spot vs On-Demand vs Reserved

On-Demand: pay per second, no commitment. Reserved: 1-3 year commitment, up to 72% cheaper. Spot: spare capacity, up to 90% cheaper, can be interrupted with 2 min notice. Use Spot for stateless, fault-tolerant workloads.

CloudFront OAC

Origin Access Control makes CloudFront sign its origin requests (SigV4) so that, with a matching bucket policy, the distribution is the only principal that can read the bucket and direct S3 URLs fail. It replaces the older OAI (Origin Access Identity) and, unlike OAI, works with SSE-KMS encrypted objects and in every region. The bucket policy grants s3:GetObject to the cloudfront.amazonaws.com service principal with an AWS:SourceArn condition naming the one distribution; without that condition any distribution pointed at the bucket could read it. Keep S3 Block Public Access switched on.
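An added example (not from the cheat sheet) that generates the OAC bucket policy and checks an existing one for the ways it usually goes wrong: a public principal, the legacy OAI user still in place, a missing SourceArn, or more than GetObject granted. The bucket name, account id 123456789012 and the distribution and OAI ids are constructed placeholders.

```python
"""Build and verify the bucket policy that makes one CloudFront distribution
the only reader of a bucket (the OAC pattern).

Added example, not from the cheat sheet; bucket, account and ids are placeholders.
"""
import json


def oac_bucket_policy(bucket, distribution_arn):
    """Grant s3:GetObject to the CloudFront service principal, but only for
    requests signed on behalf of the named distribution (AWS:SourceArn)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_origin_policy(policy, distribution_arn):
    """Return a list of problems; empty means only the given distribution can read."""
    problems = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            problems.append(f"{sid}: public principal, objects are readable without CloudFront")
            continue
        if not (isinstance(principal, dict)
                and principal.get("Service") == "cloudfront.amazonaws.com"):
            problems.append(f"{sid}: principal {principal!r} is not the CloudFront service "
                            "principal (legacy OAI user or a direct grant)")
            continue
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        source_arn = condition.get("AWS:SourceArn")
        if source_arn is None:
            problems.append(f"{sid}: no AWS:SourceArn condition, any distribution that uses "
                            "this bucket as an origin could read it")
        elif source_arn != distribution_arn:
            problems.append(f"{sid}: AWS:SourceArn {source_arn} is not the expected distribution")
        extra = [a for a in _as_list(stmt.get("Action", [])) if a != "s3:GetObject"]
        if extra:
            problems.append(f"{sid}: grants more than s3:GetObject: {extra}")
    return problems


DISTRIBUTION_ARN = "arn:aws:cloudfront::123456789012:distribution/E2EXAMPLE1"  # constructed
GOOD = oac_bucket_policy("my-bucket", DISTRIBUTION_ARN)

# Constructed sample of the older OAI pattern that OAC replaces.
LEGACY_OAI = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1EXAMPLE"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::my-bucket/*",
    }],
}

# Constructed sample: right principal, but the SourceArn condition was forgotten.
UNSCOPED = oac_bucket_policy("my-bucket", DISTRIBUTION_ARN)
del UNSCOPED["Statement"][0]["Condition"]

if __name__ == "__main__":
    print(json.dumps(GOOD, indent=2))   # save as policy.json for put-bucket-policy
    for name, pol in (("GOOD", GOOD), ("LEGACY_OAI", LEGACY_OAI), ("UNSCOPED", UNSCOPED)):
        print(name, check_origin_policy(pol, DISTRIBUTION_ARN) or "ok")
```

Apply the generated document with the `aws s3api put-bucket-policy --policy file://policy.json` command from the S3 section, and run `check_origin_policy` over `aws s3api get-bucket-policy` output during reviews; the check deliberately rejects the OAI principal so that migrations finish instead of leaving both paths open.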

ECS vs EKS vs Lambda

ECS: AWS-managed container orchestration, simpler, tight AWS integration. EKS: managed Kubernetes, portable, more complex. Lambda: serverless functions, event-driven, pay per invocation, 15 min max. Choose based on control vs simplicity tradeoff.

SQS vs SNS vs EventBridge

SQS: queue, pull-based, one consumer per message, great for decoupling and buffering. SNS: pub/sub, push-based, fan-out to multiple subscribers. EventBridge: event router, rule-based routing from AWS services or custom apps to targets.

Commands

EC2

# List instances
aws ec2 describe-instances \
  --filters "Name=instance-state-name,Values=running" \
  --query "Reservations[*].Instances[*].[InstanceId,PublicIpAddress,Tags[?Key=='Name'].Value|[0]]" \
  --output table

# Start / stop / terminate
aws ec2 start-instances --instance-ids i-0abc123
aws ec2 stop-instances --instance-ids i-0abc123
aws ec2 terminate-instances --instance-ids i-0abc123

# Create instance
aws ec2 run-instances \
  --image-id ami-0abcdef \
  --instance-type t3.small \
  --key-name my-key \
  --security-group-ids sg-0abc \
  --subnet-id subnet-0abc \
  --count 1

# Get instance metadata (from inside EC2) - IMDSv2: fetch a session token
# with PUT, then send it on every GET. A bare GET (IMDSv1) is exactly what
# an SSRF payload can send, so require the token on the instance.
TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" \
  -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id

# AMIs - newest Amazon Linux 2023 image id
aws ec2 describe-images \
  --owners amazon \
  --filters "Name=name,Values=al2023-ami-*" \
  --query "Images | sort_by(@, &CreationDate) | [-1].ImageId"

aws ec2 create-image \
  --instance-id i-0abc123 \
  --name "my-golden-ami" --no-reboot   # --no-reboot: filesystem consistency is not guaranteed
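The metadata commands above are the IMDSv2 handshake; here it is as an added Python example (not from the cheat sheet) run against a constructed local stand-in for 169.254.169.254 that behaves like an instance with HttpTokens=required. The token value and instance id are fake. It shows both sides of the exchange and why it matters: the token-less GET that an SSRF can forge is refused with 401, so the instance role's credentials stay out of reach.

```python
"""IMDSv2 token handshake against a local stand-in for 169.254.169.254.

Added example, not from the cheat sheet. FakeImds is a constructed server
that mimics an instance with HttpTokens=required; token and id are fake.
"""
import http.server
import threading
import urllib.error
import urllib.request

FAKE_TOKEN = "AQAAAexampletoken"   # constructed; real tokens are opaque strings
FAKE_INSTANCE_ID = "i-0abc123"
TOKEN_PATH = "/latest/api/token"
TOKEN_HDR = "X-aws-ec2-metadata-token"

# Ignore proxy env vars so the request really goes to the address we give it.
_open = urllib.request.build_opener(urllib.request.ProxyHandler({})).open


class FakeImds(http.server.BaseHTTPRequestHandler):
    """Token-only metadata endpoint: PUT issues a token, GET demands it."""

    def do_PUT(self):
        if self.path == TOKEN_PATH and self.headers.get(TOKEN_HDR + "-ttl-seconds"):
            self._reply(200, FAKE_TOKEN)
        else:
            self._reply(400, "")

    def do_GET(self):
        if self.headers.get(TOKEN_HDR) != FAKE_TOKEN:
            self._reply(401, "")   # what a real instance returns with HttpTokens=required
        elif self.path == "/latest/meta-data/instance-id":
            self._reply(200, FAKE_INSTANCE_ID)
        else:
            self._reply(404, "")

    def _reply(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):   # keep the example quiet
        pass


def start_fake_imds():
    """Serve FakeImds on a random loopback port; returns (server, base_url)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), FakeImds)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def imds_get(path, base="http://169.254.169.254", ttl=21600):
    """IMDSv2 client: PUT for a session token, then GET with the token header."""
    req = urllib.request.Request(base + TOKEN_PATH, method="PUT",
                                 headers={TOKEN_HDR + "-ttl-seconds": str(ttl)})
    with _open(req, timeout=2) as resp:
        token = resp.read().decode()
    req = urllib.request.Request(base + path, headers={TOKEN_HDR: token})
    with _open(req, timeout=2) as resp:
        return resp.read().decode()


def imds_v1_status(path, base="http://169.254.169.254"):
    """A plain GET with no token (the request an SSRF can forge); returns the HTTP status."""
    try:
        with _open(base + path, timeout=2) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    server, base = start_fake_imds()
    print("v2:", imds_get("/latest/meta-data/instance-id", base))
    print("v1 status:", imds_v1_status("/latest/meta-data/instance-id", base))
    server.shutdown()
```

On a real instance the same client works with the default base URL; enforce the behaviour the fake server shows with `aws ec2 modify-instance-metadata-options --instance-id i-0abc123 --http-tokens required --http-put-response-hop-limit 1`, the hop limit keeping the token reply from crossing a container or NAT hop.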

S3

# Bucket operations
aws s3 ls                          # list buckets
aws s3 ls s3://my-bucket/          # list contents
aws s3 ls s3://my-bucket/ --recursive

# Copy / sync
aws s3 cp file.txt s3://my-bucket/
aws s3 cp s3://my-bucket/file.txt ./
aws s3 sync ./local/ s3://my-bucket/prefix/
aws s3 sync s3://src/ s3://dst/ --delete   # --delete removes dst objects missing from src

# Move / delete
aws s3 mv s3://my-bucket/old s3://my-bucket/new
aws s3 rm s3://my-bucket/file.txt
aws s3 rm s3://my-bucket/ --recursive

# Create / delete bucket
aws s3 mb s3://my-bucket
aws s3 rb s3://my-bucket --force   # force if not empty

# Presigned URL (temporary access)
aws s3 presign s3://my-bucket/file.txt \
  --expires-in 3600   # 1 hour; maximum 604800 (7 days)
# Anyone holding the URL can fetch the object until it expires, using the
# signer's permissions; a URL signed with temporary credentials stops
# working as soon as those credentials expire.

# Bucket policy
aws s3api get-bucket-policy --bucket my-bucket
aws s3api put-bucket-policy \
  --bucket my-bucket --policy file://policy.json

IAM

# Users
aws iam list-users
aws iam create-user --user-name alice
aws iam delete-user --user-name alice   # fails until keys, policies, MFA devices and group memberships are removed

# Access keys
aws iam create-access-key --user-name alice   # the secret is shown once; store it, never commit it
aws iam list-access-keys --user-name alice
aws iam delete-access-key \
  --user-name alice --access-key-id AKIA...

# Roles
aws iam list-roles
aws iam get-role --role-name my-role
aws iam create-role \
  --role-name my-role \
  --assume-role-policy-document file://trust.json   # trust.json states who may assume the role

# Attach policy to role (detach-role-policy reverses it)
aws iam attach-role-policy \
  --role-name my-role \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

aws iam list-attached-role-policies --role-name my-role

# Who am I?
aws sts get-caller-identity

# Assume role (get temporary credentials)
aws sts assume-role \
  --role-arn arn:aws:iam::123456:role/my-role \
  --role-session-name my-session
# Returns AccessKeyId, SecretAccessKey and SessionToken; all three must be
# exported (AWS_SESSION_TOKEN included) or the session will not authenticate.

# List policies
aws iam list-policies --scope Local   # customer managed only
aws iam get-policy-version \
  --policy-arn <arn> --version-id v1   # use the DefaultVersionId reported by get-policy; it is not always v1
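The assume-role command above prints JSON; turning that into credentials the CLI and SDKs actually use is the step most people fumble. Added example, not from the cheat sheet: SAMPLE_OUTPUT is a constructed copy of the command's output with fake key material, and `assume_role_env` is the wrapper that runs the real command (it needs working credentials and a role whose trust policy admits the caller; the role ARN, session name and account id in it are placeholders).

```python
"""Turn `aws sts assume-role` output into credentials the CLI and SDKs pick up.

Added example, not from the cheat sheet. SAMPLE_OUTPUT is constructed; the
key material in it is fake.
"""
import json
import os
import subprocess
from datetime import datetime, timezone


def credentials_to_env(assume_role_json):
    """Map the Credentials block to the three env vars the CLI and SDKs read.
    Temporary keys start with ASIA and are useless without the session token."""
    creds = json.loads(assume_role_json)["Credentials"]
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


def seconds_remaining(assume_role_json, now=None):
    """Seconds until the session expires (negative once expired). `now` may be
    an aware datetime or an ISO-8601 string; defaults to the current UTC time."""
    expiration = json.loads(assume_role_json)["Credentials"]["Expiration"]
    expires_at = datetime.fromisoformat(expiration.replace("Z", "+00:00"))
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now.replace("Z", "+00:00"))
    return (expires_at - now).total_seconds()


def assume_role_env(role_arn, session_name, duration=3600, external_id=None):
    """Run the CLI and return an environment for child processes that acts as
    the role. The caller's own credentials must be allowed by the trust policy."""
    cmd = ["aws", "sts", "assume-role", "--role-arn", role_arn,
           "--role-session-name", session_name,
           "--duration-seconds", str(duration), "--output", "json"]
    if external_id:   # cross-account roles often require this in their trust policy
        cmd += ["--external-id", external_id]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    # Drop AWS_PROFILE so nothing else competes with the exported session keys.
    env = {k: v for k, v in os.environ.items() if k != "AWS_PROFILE"}
    env.update(credentials_to_env(out))
    return env


# Constructed sample output: fake key material, same shape as the real command.
SAMPLE_OUTPUT = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "fakeSecretKey/EXAMPLE",
        "SessionToken": "FwoGZXIvYXdzEBAaExampleSessionToken",
        "Expiration": "2025-01-01T13:00:00+00:00",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLE:my-session",
        "Arn": "arn:aws:sts::123456789012:assumed-role/my-role/my-session",
    },
})

if __name__ == "__main__":
    env = assume_role_env("arn:aws:iam::123456789012:role/my-role", "my-session")
    subprocess.run(["aws", "sts", "get-caller-identity"], env=env, check=True)
```

Running `get-caller-identity` with the returned environment should print the assumed-role ARN rather than the original user; check `seconds_remaining` before long jobs, because the session silently stops working at Expiration.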

VPC & Networking

# VPC
aws ec2 describe-vpcs
aws ec2 describe-vpcs --filters \
  "Name=tag:Name,Values=my-vpc"

# Subnets
aws ec2 describe-subnets \
  --filters "Name=vpc-id,Values=vpc-0abc"

# Security groups
aws ec2 describe-security-groups
aws ec2 describe-security-groups \
  --filters "Name=group-name,Values=my-sg"

# Add inbound rule (0.0.0.0/0 is fine for a public HTTPS listener;
# never open 22/3389 to the world - use Session Manager or a /32)
aws ec2 authorize-security-group-ingress \
  --group-id sg-0abc \
  --protocol tcp --port 443 \
  --cidr 0.0.0.0/0

# Remove inbound rule (must match the existing rule exactly)
aws ec2 revoke-security-group-ingress \
  --group-id sg-0abc \
  --protocol tcp --port 443 \
  --cidr 0.0.0.0/0

RDS

# List instances
aws rds describe-db-instances
aws rds describe-db-instances \
  --db-instance-identifier my-db \
  --query "DBInstances[0].DBInstanceStatus"

# Start / stop (a stopped instance is started again automatically after
# 7 days; stop is not available for instances that have read replicas)
aws rds start-db-instance --db-instance-identifier my-db
aws rds stop-db-instance --db-instance-identifier my-db

# Reboot (with optional failover)
aws rds reboot-db-instance \
  --db-instance-identifier my-db \
  --force-failover   # Multi-AZ only: promotes the standby; use it to test failover

# Snapshots
aws rds describe-db-snapshots \
  --db-instance-identifier my-db

aws rds create-db-snapshot \
  --db-instance-identifier my-db \
  --db-snapshot-identifier my-snap-$(date +%Y%m%d)

# Restore from snapshot (creates a new instance; security group and
# parameter group are not in the snapshot, so set them afterwards)
aws rds restore-db-instance-from-db-snapshot \
  --db-instance-identifier my-db-restored \
  --db-snapshot-identifier my-snap

ECS & ECR

# ECS
aws ecs list-clusters
aws ecs list-services --cluster my-cluster
aws ecs describe-services \
  --cluster my-cluster --services my-svc

# Force new deployment (rolling restart that re-pulls the image tag)
aws ecs update-service \
  --cluster my-cluster \
  --service my-svc \
  --force-new-deployment

# ECR - push an image (the login token is valid for 12 hours)
aws ecr get-login-password --region ap-south-1 \
  | docker login --username AWS \
    --password-stdin 123456.dkr.ecr.ap-south-1.amazonaws.com

docker build -t my-app .
docker tag my-app:latest \
  123456.dkr.ecr.ap-south-1.amazonaws.com/my-app:latest
docker push \
  123456.dkr.ecr.ap-south-1.amazonaws.com/my-app:latest

# SSM - run command on EC2 (needs the SSM agent and an instance role with
# AmazonSSMManagedInstanceCore; no SSH key or inbound port required)
aws ssm send-command \
  --instance-ids i-0abc123 \
  --document-name AWS-RunShellScript \
  --parameters 'commands=["systemctl status nginx"]'

# Session Manager (interactive shell over the same channel; every session
# is recorded in CloudTrail and can be logged to S3 or CloudWatch Logs)
aws ssm start-session --target i-0abc123

CloudWatch

# Metrics
aws cloudwatch list-metrics --namespace AWS/EC2

aws cloudwatch get-metric-statistics \
  --namespace AWS/EC2 \
  --metric-name CPUUtilization \
  --dimensions Name=InstanceId,Value=i-0abc \
  --statistics Average \
  --period 300 \
  --start-time $(date -u -d '1 hour ago' +%Y-%m-%dT%H:%M:%SZ) \
  --end-time $(date -u +%Y-%m-%dT%H:%M:%SZ)
# (date -d is GNU date; on macOS use date -v-1H)

# Logs
aws logs describe-log-groups
aws logs describe-log-streams \
  --log-group-name /aws/lambda/my-fn

# Query logs (filter-log-events takes milliseconds, hence the 000)
aws logs filter-log-events \
  --log-group-name /var/log/app \
  --filter-pattern "ERROR" \
  --start-time $(date -d '1 hour ago' +%s000)

# CloudWatch Logs Insights (CLI) - start-query takes seconds and returns a
# queryId; poll get-query-results with it for the rows
aws logs start-query \
  --log-group-name /var/log/app \
  --start-time $(date -d '1 hour ago' +%s) \
  --end-time $(date +%s) \
  --query-string 'fields @message | filter @message like /ERROR/'

CLI Tips

# Output formats
--output table    # human-readable table
--output json     # default JSON
--output text     # tab-separated, scriptable
--output yaml     # YAML

# JMESPath queries
--query "Reservations[*].Instances[*].InstanceId"
--query "length(@)"      # count results
--query "sort_by(@, &LaunchTime) | [-1]"   # newest

# Useful global flags
--profile <name>          # use named profile
--region ap-south-1       # override region
--no-cli-pager            # disable pager

# Profile setup
aws configure --profile my-profile
aws configure list --profile my-profile

# Use environment variables (they take precedence over the config files)
export AWS_PROFILE=my-profile
export AWS_DEFAULT_REGION=ap-south-1
export AWS_ACCESS_KEY_ID=AKIA...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...   # needed as well when the keys are temporary (ASIA...)
# Long-term AKIA keys in the environment end up in shell history and CI logs;
# prefer an SSO profile (aws configure sso) or an assumed role.

# Verify credentials
aws sts get-caller-identity

acecloudinterviews.com - Free forever. No login required.