AWS CLI Aliases I Actually Use

Practical AWS CLI aliases from my aws-toolbox project that shorten repetitive CloudFormation, EC2, networking and security workflows.

0 views
--- likes

I kept catching myself re‑typing the same long AWS CLI incantations—describe a stack, pick out outputs, map an instance Name tag to a private IP, allow my current public IP in a security group, etc. Instead of letting muscle memory waste more time, I collected the patterns into a single alias file. If you’ve never seen AWS CLI aliases before, the official docs give a quick primer: AWS CLI alias documentation.

What you see below is the alias file I personally use. It lives in my public project aws-toolbox, which also contains other small scripts/utilities to automate routine AWS Cloud tasks (think: convenience wrappers, safety helpers, formatting queries). This post is just a convenient way to browse the aliases inline—go to the repo if you want the canonical version or the rest of the tooling.

Core philosophy: type intent, not ceremony. aws whoami, aws cfn-outputs mystack, aws name-ip bastion, aws allow-my-ip bastion-sg tcp 22 — instant answers without recreating verbose filters each time.

Why Aliases for the AWS CLI?

The AWS CLI is powerful but often:

  • Commands are long (lots of flags and filtering options)
  • Output defaults are noisy / unstructured
  • You repeatedly perform the same describe → filter → extract flow

This alias file solves that by:

  • Wrapping high‑signal queries with readable names
  • Providing filtered, concise table output
  • Standardizing patterns for CloudFormation introspection
  • Speeding up day‑to‑day troubleshooting (identity, instance mapping, networking)
  • Making ephemeral security access (allow-my-ip) a one‑liner

Install

Fastest path (AWS CLI v2): copy the alias file locally.

mkdir -p ~/.aws/cli
# Create/overwrite the alias file and paste the contents from this post (or curl it):
curl -fsSL https://raw.githubusercontent.com/towardsthecloud/aws-toolbox/main/cli/alias -o ~/.aws/cli/alias

That’s it. Invoke via the normal aws cli binary:

aws whoami
aws cfn-outputs myapp-prod
aws running-instances

The Alias File

Full file (kept in the repo). I keep the whole thing visible here so you can scan it or grab pieces selectively:

#  https://github.com/towardsthecloud/aws-toolbox
#  License: MIT
#
# This file allows you to run complex cli commands with easy to remember aliases.
#
# See https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-alias.html for more information about cli aliases.
#
# To install: copy this file to ~/.aws/cli/alias
# Alternatively create a symlink from this repository: ln -sf ~/aws-toolbox/cli/alias ~/.aws/cli/alias
# Usage: Use an alias in combination with the aws cli e.g. `aws whoami` to invoke the full command `aws sts get-caller-identity`

[toplevel]

whoami = sts get-caller-identity

#----------------#
# Cloudformation #
#----------------#

cfn = cloudformation

cfnls =
  !f() {
    aws cloudformation list-stacks
  }; f

cfn-list =
  !f() {
    aws cloudformation list-stacks \
      --query "StackSummaries[?StackStatus != 'DELETE_COMPLETE' && starts_with(StackName, '${1}')].{StackName: StackName, StackStatus: StackStatus, UpdateTime: LastUpdatedTime}" \
      --output table
  }; f

cfn-describe =
  !f() {
    if [ -z "$1" ]; then
      echo "usage: aws cfn-describe <stack_name>"
    else
      aws cloudformation describe-stacks --stack-name "$1" \
      --output table
    fi
  }; f

cfn-outputs =
  !f() {
    if [ -z "$1" ]; then
      echo "usage: aws cfn-outputs <stack_name>"
    else
      aws cloudformation describe-stacks \
        --stack-name "$1" \
        --query "Stacks[0].Outputs[].{OutputKey: OutputKey, OutputValue: OutputValue}" \
        --output table
    fi
  }; f

cfn-resources =
  !f() {
    if [ -z "$1" ]; then
      echo "usage: aws cfn-resources <stack_name>"
    else
      aws cloudformation describe-stack-resources \
        --stack-name "$1" \
        --query "StackResources[].{ResourceStatus: ResourceStatus, LogicalResourceId: LogicalResourceId, PhysicalResourceId: PhysicalResourceId}" \
        --output table
    fi
  }; f

cfn-events =
  !f() {
    if [ -z "$1" ]; then
      echo "usage: aws cfn-events <stack_name>"
    else
      aws cloudformation describe-stack-events \
        --stack-name "$1" \
        --query "StackEvents[].[Timestamp,ResourceStatus,LogicalResourceId,ResourceStatusReason]" \
        --output table
    fi
  }; f

cfn-errors =
  !f() {
    if [ -z "$1" ]; then
      echo "usage: aws cfn-errors <stack_name>"
    else
      aws cloudformation describe-stack-events \
        --stack-name "$1" \
        --query "StackEvents[?ResourceStatus=='CREATE_FAILED' || ResourceStatus=='UPDATE_FAILED' || ResourceStatus=='DELETE_FAILED'].[Timestamp,ResourceStatus,LogicalResourceId,ResourceStatusReason]" \
        --output table
    fi
  }; f

#-----------------------#
# Cloudformation deploy #
#-----------------------#

cfn-package =
  !f() {
    if [ -z "$1" ]; then
      echo "usage: aws cfn-package <s3bucket> [<source_template>] [<target_template>]"
      return 1
    fi

    template="${2:-template.yml}"
    packaged="${3:-packaged.yml}"

    aws cloudformation package \
      --template "$template" \
      --s3-bucket "$1" \
      --output-template-file "$packaged"
  }; f

cfn-deploy =
  !f() {
    if [ -z "$1" ]; then
      echo "usage: aws cfn-deploy <stack_name> [<template>]"
      return 1
    fi

    template="${2:-template.yml}"

    aws cloudformation deploy \
      --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM \
      --stack-name "$1" \
      --template-file "$template"
  }; f

cfn-delete =
  !f() {
    if [ -z "$1" ]; then
      echo "usage: aws cfn-delete <stack_name>"
      return 1
    fi

    aws cloudformation delete-stack --stack-name "$1"
  }; f

cfn-launch =
  !f() {
    if [ -z "$1" ] || [ -z "$2" ]; then
      echo "usage: aws cfn-launch <s3bucket> <stack_name> [<template>]"
      return 1
    fi

    template="${3:-template.yml}"

    if [ "$template" = "packaged.yml" ]; then
      echo "error: template should not be packaged.yml"
      return 1
    fi

    aws cloudformation package \
      --template "$template" \
      --s3-bucket "$1" \
      --output-template-file packaged.yml && \
    aws cloudformation deploy \
      --stack-name "$2" \
      --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM \
      --template-file packaged.yml
  }; f

#-----------------------#
# VPC                   #
#-----------------------#

# AMI Owner
ami-owner = !f() { aws ec2 describe-instances --filters Name=image-id,Values=ami-a6a7c1c6 --query 'Reservations[].Instances[].{Owner: Tags[?Key==`owner`].Value | [0],ID:InstanceId}' --output table; }; f

# Decode Authorization Message
de-auth = !f() {
    if [ -z "$1" ]; then
      echo "usage: aws de-auth <encoded_message>"
      return 1
    fi
    output_file="${2:-$HOME/Downloads/decoded-auth-message.json}"
    aws sts decode-authorization-message --encoded-message "$1" --output text > "$output_file" && \
    echo "Decoded message saved to: $output_file"
  }; f

# Instance ID from Name
name-id = !f() { aws ec2 describe-instances --query 'Reservations[].Instances[].InstanceId' --filters Name=instance-state-name,Values=running Name=tag:Name,Values="$1" --output text; }; f

# Instance DNS from ID
id-dns = !f() { aws ec2 describe-instances --instance-ids "$1" --query 'Reservations[0].Instances[0].PrivateDnsName' --output text; }; f

# Instance ENI from ID
id-eni = !f() { aws ec2 describe-instances --instance-ids "$1" --query 'Reservations[].Instances[].NetworkInterfaces[].NetworkInterfaceId' --output text; }; f

# Instance Name from Instance ID
id-name = !f() { aws ec2 describe-instances --instance-ids "$1" --query 'Reservations[0].Instances[0].Tags[?Key==`Name`].Value | [0]' --output text; }; f

# Instance KeyName from Instance ID
id-key = !f() { aws ec2 describe-instances --instance-ids "$1" --query 'Reservations[0].Instances[0].KeyName' --output text; }; f

# Instance ID from DNS Name
dns-id = !f() { aws ec2 describe-instances --filters Name=private-dns-name,Values="$1" --query 'Reservations[].Instances[].InstanceId' --output text; }; f

# Get SG ID from SG Name
sg-id = !f() { aws ec2 describe-security-groups --filters Name=group-name,Values="$1" --query 'SecurityGroups[0].GroupId' --output text; }; f

# List SG Rules from SG ID
sg-rules = !f() { aws ec2 describe-security-groups --group-ids "$1" --query 'SecurityGroups[0].IpPermissions'; }; f

# Instance DNS from Instance Name
name-dns = !f() { aws ec2 describe-instances --filters Name=tag:Name,Values="$1" Name=instance-state-name,Values=running --query 'Reservations[].Instances[].PrivateDnsName' --output text; }; f

# Instance IP from Instance Name
name-ip = !f() { aws ec2 describe-instances --filters Name=tag:Name,Values="$1" Name=instance-state-name,Values=running --query 'Reservations[].Instances[].PrivateIpAddress' --output text; }; f

# List KeyName using Instance Name
name-key = !f() { aws ec2 describe-instances --filters Name=tag:Name,Values="$1" Name=instance-state-name,Values=running --query 'Reservations[0].Instances[0].KeyName' --output text; }; f

# List of Machines Matching a Name
name-list = !f() { aws ec2 describe-instances --filters Name=tag:Name,Values="$1" Name=instance-state-name,Values=running --query 'Reservations[].Instances[].Tags[?Key==`Name`].Value | [0]' --output text; }; f

# Instance ID from Instance IP
ip-id = !f() { aws ec2 describe-instances --filters Name=network-interface.addresses.private-ip-address,Values="$1" --query 'Reservations[0].Instances[0].InstanceId' --output text; }; f

# Instance Name from Private IP
ip-name = !f() { aws ec2 describe-instances --filters Name=network-interface.addresses.private-ip-address,Values="$1" --query 'Reservations[0].Instances[0].Tags[?Key==`Name`].Value | [0]' --output text; }; f

# Instance DNS from Private IP
ip-dns = !f() { aws ec2 describe-instances --filters Name=network-interface.addresses.private-ip-address,Values="$1" --query 'Reservations[0].Instances[0].PrivateDnsName' --output text; }; f

# SecurityGroup ID from Private IP
ip-sgid = !f() { aws ec2 describe-instances --query 'Reservations[0].Instances[0].SecurityGroups[].GroupId' --filters Name=network-interface.addresses.private-ip-address,Values="$1" --output text; }; f

# Instance Key from Private IP
ip-key = !f() { aws ec2 describe-instances --filters Name=network-interface.addresses.private-ip-address,Values="$1" --query 'Reservations[0].Instances[0].KeyName' --output text; }; f

# List Image ID for an Instance ID
image-id = !f() { aws ec2 describe-instances --instance-ids "$1" --query 'Reservations[0].Instances[0].ImageId' --output text; }; f

# List or Set Your Region
region = !f() { [[ $# -eq 1 ]] && aws configure set region "$1" || aws configure get region; }; f

# List Network ACLs
net-acls = !f() { aws ec2 describe-network-acls --network-acl-ids "$1" --query 'NetworkAcls[0].Entries'; }; f

# List IAM Access Keys
iam-keys = !f() { for user in $(aws iam list-users --output text | awk '{print $NF}'); do aws iam list-access-keys --user "$user" --output text; done; }; f

# List All Availability Zones
list-azs = !f() { aws ec2 describe-availability-zones ${1:+--region "$1"} --query 'AvailabilityZones[].ZoneName' --output text; }; f

# Docker ECR Login
ecr-login =
  !f() {
    region="${1:-$(aws configure get region)}"
    endpoint=$(aws ecr get-authorization-token --region "$region" --output text --query 'authorizationData[0].proxyEndpoint')
    passwd=$(aws ecr get-authorization-token --region "$region" --output text --query 'authorizationData[0].authorizationToken' | base64 --decode | cut -d: -f2)
    echo "$passwd" | docker login -u AWS --password-stdin "$endpoint"
  }; f

# Instance Size by Name
instance-size =
  !f() {
    if [ -z "$1" ]; then
      echo "usage: aws instance-size <instance_name_pattern>"
      return 1
    fi
    aws ec2 describe-instances \
      --filters "Name=tag:Name,Values=$1" 'Name=instance-state-name,Values=running' \
      --query 'Reservations[].Instances[].{Name: Tags[?Key==`Name`].Value | [0],Size:InstanceType,ID:InstanceId}' \
      --output table
  }; f

# List VPC Peers
vpc-peers =
  !f() {
    aws ec2 describe-vpc-peering-connections \
    --query 'VpcPeeringConnections[].Tags[?Key==`Name`].Value' --output text | xargs -n1 | sort -d
  }; f

# List EC2 Instances
running-instances = ec2 describe-instances \
    --filter Name=instance-state-name,Values=running \
    --output table \
    --query 'Reservations[].Instances[].{ID: InstanceId,Hostname: PublicDnsName, PublicIp: PublicIpAddress,Name: Tags[?Key==`Name`].Value | [0],Type: InstanceType, Platform: Platform || `Linux`}'

# List EC2 Volumes
ebs-volumes = ec2 describe-volumes \
    --query 'Volumes[].{VolumeId: VolumeId,State: State,Size: Size,Name: Tags[0].Value,AZ: AvailabilityZone}' \
    --output table

# List Amazon Linux AMI's
amazon-linux-amis = ec2 describe-images \
    --filter \
      Name=owner-alias,Values=amazon \
      Name=name,Values="amzn-ami-hvm-*" \
      Name=architecture,Values=x86_64 \
      Name=virtualization-type,Values=hvm \
      Name=root-device-type,Values=ebs \
      Name=block-device-mapping.volume-type,Values=gp2 \
    --query "reverse(sort_by(Images, &CreationDate))[*].[ImageId,Name,Description]" \
    --output text

# List EC2 Security Groups
open-security-groups = ec2 describe-security-groups \
    --filters "Name=ip-permission.to-port,Values=22"  \
    --query 'SecurityGroups[?length(IpPermissions[?ToPort==`22` && contains(IpRanges[].CidrIp, `0.0.0.0/0`)]) > `0`].{GroupName: GroupName, TagName: Tags[?Key==`Name`].Value | [0]}' \
    --output table

myip =
  !f() {
    dig +short myip.opendns.com @resolver1.opendns.com 2>/dev/null || \
    curl -s https://checkip.amazonaws.com
  }; f

allow-my-ip =
  !f() {
    if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
      echo "usage: aws allow-my-ip <security_group_name> <protocol> <port>"
      return 1
    fi
    my_ip=$(aws myip)
    if [ -z "$my_ip" ]; then
      echo "error: failed to determine public IP"
      return 1
    fi
    aws ec2 authorize-security-group-ingress --group-name "$1" --protocol "$2" --port "$3" --cidr "$my_ip/32"
  }; f

revoke-my-ip =
  !f() {
    if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
      echo "usage: aws revoke-my-ip <security_group_name> <protocol> <port>"
      return 1
    fi
    my_ip=$(aws myip)
    if [ -z "$my_ip" ]; then
      echo "error: failed to determine public IP"
      return 1
    fi
    aws ec2 revoke-security-group-ingress --group-name "$1" --protocol "$2" --port "$3" --cidr "$my_ip/32"
  }; f

allow-my-ip-all =
  !f() {
    if [ -z "$1" ]; then
      echo "usage: aws allow-my-ip-all <security_group_name>"
      return 1
    fi
    aws allow-my-ip "$1" all all
  }; f

revoke-my-ip-all =
  !f() {
    if [ -z "$1" ]; then
      echo "usage: aws revoke-my-ip-all <security_group_name>"
      return 1
    fi
    aws revoke-my-ip "$1" all all
  }; f

Usage Patterns

Some quick examples you’ll likely adopt immediately:

# Who am I (identity troubleshooting)
aws whoami

# List active CloudFormation stacks with prefix
aws cfn-list myapp-

# Get stack outputs (great for piping into jq)
aws cfn-outputs platform-network

# Discover instance private IP by tag Name
aws name-ip bastion-east

# Show instances + instance types quickly
aws running-instances

# Temporarily allow your public IP for SSH (port 22)
aws allow-my-ip my-sg tcp 22

When Not to Use Aliases

Skip aliases when:

  • Writing shared/team scripts (clarity beats brevity)
  • One‑off exploration you won’t repeat
  • Anything security‑sensitive where explicit flags improve auditability
← Back to notes