AWS CLI Beast Mode
Overview
Advanced AWS CLI patterns for speed, precision, and security-first automation. Covers JMESPath queries, bulk operations, waiters, cross-account access, and destructive operation safety.
When to Use
- Bulk operations across thousands of AWS resources
- Advanced JMESPath filtering and output transformation
- Automated scripts for AWS routines
- Multi-profile and multi-region management
- Security auditing and compliance checks
- CLI-driven infrastructure-as-code workflows
Instructions
Step 1: Categorize the Request
| Category | Services | Commands | |----------|----------|----------| | Compute | EC2, Lambda | describe-instances, invoke, publish-version | | Storage | S3 | sync, cp, mb, rb, presign | | Database | DynamoDB, RDS | query, scan, batch-write-item | | Networking | VPC, Route53 | describe-vpcs, describe-security-groups | | Security | IAM | simulate-principal-policy, get-policy-version | | Observability | CloudWatch | get-metric-statistics, filter-log-events |
Step 2: Apply Beast Mode Principles
- Dry-run first: Always validate with
--dryrunor--dry-run - Query server-side: Use
--querywith JMESPath to filter before transfer - Batch intelligently: Paginate with
--max-resultsand parallelize with xargs - Wait properly: Use built-in waiters or exponential backoff polling
- Switch contexts: Use
--profileand--regionfor multi-account operations
Step 3: Validate Destructive Operations
MANDATORY for any destructive operation:
# S3 sync with delete - MUST dry-run first
aws s3 sync s3://source/ s3://dest/ --delete --dryrun
# Review output, then remove --dryrun only if satisfied
# Bulk EC2 stop - validate targets first
aws ec2 describe-instances \
--filters "Name=tag:Environment,Values=development" \
--query 'Reservations[].Instances[?State.Name==`running`].InstanceId' \
--output text
# Confirm list, then pipe to stop command
# IAM policy attachment - simulate first
aws iam simulate-principal-policy \
--policy-source-arn arn:aws:iam::123456789012:user/myuser \
--action-names s3:DeleteObject \
--resource-arns arn:aws:s3:::my-bucket/*
Step 4: Reference Detailed Guides
compute-mastery.md- EC2, Lambda, Spot Fleets, ASGdata-ops-beast.md- S3 multipart, DynamoDB batch, RDS snapshotsnetworking-security-hardened.md- VPC Flow Logs, IAM policies, security groupsautomation-patterns.md- Shell aliases, JMESPath templates, CI/CD integration
Examples
Example 1: Bulk EC2 Stop
"Stop all development instances"
# 1. Dry-run: identify targets
aws ec2 describe-instances \
--filters "Name=tag:Environment,Values=development" \
"Name=instance-state-name,Values=running" \
--query 'Reservations[].Instances[].InstanceId' \
--output text
# 2. Confirm IDs, then execute
aws ec2 describe-instances \
--filters "Name=tag:Environment,Values=development" \
"Name=instance-state-name,Values=running" \
--query 'Reservations[].Instances[].InstanceId' \
--output text | xargs aws ec2 stop-instances --instance-ids
Example 2: S3 Migration with Encryption
"Migrate data between buckets with SSE"
# 1. Dry-run migration
aws s3 sync s3://source-bucket/ s3://dest-bucket/ \
--sse AES256 \
--storage-class GLACIER \
--exclude "*.tmp" \
--dryrun
# 2. Enable versioning on destination
aws s3api put-bucket-versioning \
--bucket dest-bucket \
--versioning-configuration Status=Enabled
# 3. Execute after review
aws s3 sync s3://source-bucket/ s3://dest-bucket/ \
--sse AES256 \
--storage-class GLACIER \
--exclude "*.tmp"
Example 3: IAM Security Audit
"Find overprivileged IAM users"
aws iam list-users --query 'Users[].UserName' --output text | \
while read user; do
echo "Checking $user..."
aws iam simulate-principal-policy \
--policy-source-arn "arn:aws:iam::123456789012:user/$user" \
--action-names DeleteItem,DeleteTable,DeleteFunction \
--resource-arns "*" \
--query 'EvaluationResults[?EvalDecision==`allowed`]'
done
Example 4: Multi-Region Lambda Deployment
"Deploy Lambda to all regions"
for region in us-east-1 us-west-2 eu-west-1; do
echo "Deploying to $region..."
aws lambda update-function-code \
--function-name my-function \
--zip-file fileb://function.zip \
--region $region \
--publish
aws lambda wait function-active \
--function-name my-function \
--region $region
done
Example 5: JMESPath Advanced Filtering
"Get running instances with specific tags as table"
aws ec2 describe-instances \
--query 'Reservations[].Instances[?State.Name==`running`].[InstanceId,Tags[?Key==`Name`].Value[0]|[0],PrivateIpAddress]' \
--output table
Best Practices
- Use
--output jsonfor programmatic processing - Filter with JMESPath server-side before transfer
- Implement retry logic with exponential backoff
- Use waiters instead of manual polling loops
- Tag all resources for cost allocation and automation
- Separate dev/staging/prod with AWS profiles
- Enable CloudTrail for audit compliance
- Validate IAM policies with simulate-principal-policy before attachment
- Use --dry-run on every state-modifying operation
- Enable MFA for security-sensitive operations
Constraints and Warnings
Rate Limiting
- AWS API throttling applies; use
--max-throttleand exponential backoff - Check
aws service-quotasfor current limits
Pagination
- Default page size is variable; use
--max-resultsfor consistency - Use
--no-paginatewith jq for full dataset processing
Destructive Operations
- S3 sync --delete: Irreversibly removes files not in source
- EC2 terminate-instances: Cannot be undone; validate instance IDs first
- IAM detach/policy: May break existing access; simulate before applying
- RDS delete-db-instance: Snapshots do not protect all scenarios; verify retention
Security
- Never commit AWS credentials; use
aws configureor environment variables - Rotate access keys regularly with
aws iam create-access-key - Use least-privilege: simulate before granting permissions