Notes to Self

Alex Sokolsky's Notes on Computers and Programming

AWS Elastic Compute Cloud (EC2) CLI

Key-pair Create/Delete

Begin with:

export AWS_PROFILE=default

Create the key-pair:

aws ec2 create-key-pair --key-name _name_ --key-type ed25519 \
    --query "KeyMaterial" --output text > _name_.pem


chmod 400 _name_.pem

To create a .pub public key from .pem:

ssh-keygen -y -f _name_.pem >

Delete the key-pair:

aws ec2 delete-key-pair --key-name _name_



Describe a single instance by id:

aws ec2 describe-instances --instance-ids _id_

A more practical approach:

  1. Define a shell function:

# add this to your .zshprofile
function refresh_ec2_instances() {
    okta-aws default sts get-caller-identity > /dev/null
    # the --query string must stay on one line: inside single quotes a backslash-newline is passed to JMESPath literally
    aws ec2 describe-instances --region=us-east-1 \
        --query 'Reservations[*].Instances[*].{Id:InstanceId,Name:Tags[?Key==`Name`]|[0].Value,Image:ImageId,Type:InstanceType,VPC:VpcId,AZ:Placement.AvailabilityZone,Subnet:SubnetId,PriIP:PrivateIpAddress,PubIP:PublicIpAddress,IAM:IamInstanceProfile.Arn,Launched:LaunchTime,State:State.Name}' \
        --output table | sed -e 's/arn:.*\///' > "$HOME/.ec2instances.txt"
    echo "$HOME/.ec2instances.txt updated"
}

  2. Call this function at the shell prompt to update ~/.ec2instances.txt

  3. Search ~/.ec2instances.txt for IPs

# find IPs of instances of interest:
grep _name_ ~/.ec2instances.txt | awk -F\| '{print $8}'| sed 'H;1h;$!d;x;y/\n/,/'| sed 's/ //g'

To execute a command on multiple instances at once (e.g. sudo docker ps -a), feed the comma-separated IP list to pdsh:

pdsh -w $(grep _name_ ~/.ec2instances.txt | awk -F\| '{print $8}' | sed 'H;1h;$!d;x;y/\n/,/' | sed -e 's/ //g') 'sudo docker ps -a '
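The grep pipeline above matches _name_ anywhere in the row, so a name like "web" also picks up "webhook" instances, and stopped instances contribute stale IPs that make pdsh hang. The following is an added example, not code from the original notes: it writes a constructed sample of ~/.ec2instances.txt (the cell order AZ, IAM, Id, Image, Launched, Name, PriIP, PubIP, State, Subnet, Type, VPC is the alphabetical order the CLI's table formatter produces, which is why the notes read field 8), keeps the notes' own pipeline as ec2_ips_grep for comparison, and adds ec2_ips_for_name, which matches the Name cell exactly and filters on State. The function names and the sample data are mine.

```shell
#!/bin/sh
# Added example (not from the original notes): select private IPs from the
# table written by refresh_ec2_instances with exact Name and State matching.

# Writes a constructed sample table to the file given as $1. Every data row
# has 13 '|' separators, so awk -F'|' sees PriIP in field 8 and State in 10.
write_sample_table() {
    cat > "$1" <<'EOF'
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
|                                                                                DescribeInstances                                                               |
+------------+-------------+---------------------+------------------------+---------------------------+---------+------------+------------+---------+-------------+----------+----------+
|     AZ     |     IAM     |         Id          |         Image          |         Launched          |  Name   |   PriIP    |   PubIP    |  State  |   Subnet    |   Type   |   VPC    |
+------------+-------------+---------------------+------------------------+---------------------------+---------+------------+------------+---------+-------------+----------+----------+
|  us-east-1a|  app-profile|  i-0a1b2c3d4e5f60001|  ami-0123456789abcdef0|  2024-01-01T00:00:00.000Z|  web    |  10.0.1.10|  54.0.0.10|  running|  subnet-0aaa|  t3.micro|  vpc-0aaa|
|  us-east-1b|  app-profile|  i-0a1b2c3d4e5f60002|  ami-0123456789abcdef0|  2024-01-01T00:00:00.000Z|  web    |  10.0.1.11|  54.0.0.11|  running|  subnet-0bbb|  t3.micro|  vpc-0aaa|
|  us-east-1a|  app-profile|  i-0a1b2c3d4e5f60003|  ami-0123456789abcdef0|  2023-06-01T00:00:00.000Z|  web    |  10.0.1.12|  None     |  stopped|  subnet-0aaa|  t3.micro|  vpc-0aaa|
|  us-east-1a|  app-profile|  i-0a1b2c3d4e5f60004|  ami-0123456789abcdef0|  2024-02-01T00:00:00.000Z|  webhook|  10.0.2.5 |  None     |  running|  subnet-0ccc|  t3.small|  vpc-0aaa|
|  us-east-1b|  None       |  i-0a1b2c3d4e5f60005|  ami-0123456789abcdef0|  2024-02-01T00:00:00.000Z|  db     |  10.0.3.7 |  None     |  running|  subnet-0bbb|  r5.large|  vpc-0aaa|
+------------+-------------+---------------------+------------------------+---------------------------+---------+------------+------------+---------+-------------+----------+----------+
EOF
}

# The pipeline from the notes, unchanged: substring match on the whole row,
# field 8 joined with commas, spaces stripped. $1 = name pattern, $2 = file.
ec2_ips_grep() {
    grep "$1" "$2" | awk -F'|' '{print $8}' | sed 'H;1h;$!d;x;y/\n/,/' | sed 's/ //g'
}

# Exact match on the Name cell and on State (default "running"), so that
# "web" does not match "webhook" and stopped instances are left out.
# $1 = name, $2 = file, $3 = state (optional).
ec2_ips_for_name() {
    awk -F'|' -v want="$1" -v st="${3:-running}" '
        NF < 14 { next }                                   # borders and title rows
        { for (i = 1; i <= NF; i++) gsub(/^ +| +$/, "", $i) }  # trim each cell
        $7 == want && $10 == st && $8 != "" {
            ips = ips (ips == "" ? "" : ",") $8
        }
        END { print ips }
    ' "$2"
}

# Usage at the prompt, with the constructed sample standing in for ~/.ec2instances.txt:
#   f=$(mktemp); write_sample_table "$f"
#   pdsh -w "$(ec2_ips_for_name web "$f")" 'sudo docker ps -a'
```

The awk version reads the same file the notes already maintain, so nothing else in the workflow changes; pass a third argument such as stopped to target instances in another state.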



Find the instance by an IP:

aws ec2 describe-instances --filter Name=private-ip-address,Values=$ip

Find the instance by name:

aws ec2 describe-instances --filter Name=tag:Name,Values=$name

Auto Scaling Group

Terminating an instance that belongs to an Auto Scaling Group is a special case: use terminate-instance-in-auto-scaling-group, and state whether the group's desired capacity should be decremented as well (if it is not, the ASG launches a replacement instance).

aws autoscaling terminate-instance-in-auto-scaling-group --instance-id _id_ --should-decrement-desired-capacity

Transit Gateways


aws ec2 describe-transit-gateways

and then delete-transit-gateway

aws ec2 delete-transit-gateway --transit-gateway-id <value>

Route Tables vs Transit Gateway Route Tables

Note that describe-route-tables and describe-transit-gateway-route-tables operate on different types of objects!

aws ec2 describe-route-tables
aws ec2 describe-transit-gateway-route-tables --transit-gateway-route-table-ids _id_

Transit Gateway Attachment, VPC vs Peering


aws ec2 describe-transit-gateway-attachments

and then delete-transit-gateway-vpc-attachment:

aws ec2 delete-transit-gateway-vpc-attachment --transit-gateway-attachment-id _id_

To locate attachments to a TGW by id:

aws ec2 describe-transit-gateway-attachments --filters Name=transit-gateway-id,Values=_id_



aws ec2 describe-vpcs

then delete-vpc only after you delete all the gateways and resources associated with the VPC.

aws ec2 delete-vpc --vpc-id _id_

finding VPC dependencies see
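delete-vpc fails with DependencyViolation while anything still references the VPC, and the error does not say what. The following is an added example, not code from the original notes: a shell function, vpc_dependencies (my name), that runs the describe-* calls whose filters accept a VPC id and prints one "kind id" line per resource still attached. The subcommands and filter names are the real EC2 CLI ones (note that describe-nat-gateways spells its option --filter, singular); the JMESPath expressions and the helper _vpc_dep are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): list the resources that still
# reference a VPC, so delete-vpc is attempted only once they are gone.

# Runs one describe-* call and prints "<kind> <id>" per matching resource.
# Text output puts a list on one tab-separated line; tr splits it, sed drops
# empty lines and the "None" a null result prints.
# $1 kind label, $2 ec2 subcommand, $3 filter option, $4 filter name,
# $5 JMESPath expression, $6 VPC id
_vpc_dep() {
    aws ec2 "$2" "$3" "Name=$4,Values=$6" --query "$5" --output text \
        | tr '\t' '\n' | sed -e '/^$/d' -e '/^None$/d' -e "s/^/$1 /"
}

# Prints every resource that blocks delete-vpc for the VPC id in $1.
vpc_dependencies() {
    vpc="$1"
    _vpc_dep internet-gateway describe-internet-gateways --filters attachment.vpc-id \
        'InternetGateways[].InternetGatewayId' "$vpc"
    # describe-nat-gateways takes --filter (singular) and lists deleted NAT
    # gateways for a while, so those are excluded in the query.
    _vpc_dep nat-gateway describe-nat-gateways --filter vpc-id \
        'NatGateways[?State!=`deleted`].NatGatewayId' "$vpc"
    _vpc_dep tgw-attachment describe-transit-gateway-vpc-attachments --filters vpc-id \
        'TransitGatewayVpcAttachments[?State!=`deleted`].TransitGatewayAttachmentId' "$vpc"
    _vpc_dep vpc-endpoint describe-vpc-endpoints --filters vpc-id \
        'VpcEndpoints[].VpcEndpointId' "$vpc"
    # ENIs cover load balancers, Lambda, RDS and anything else with a NIC in the VPC
    _vpc_dep network-interface describe-network-interfaces --filters vpc-id \
        'NetworkInterfaces[].NetworkInterfaceId' "$vpc"
    # the default security group and the main route table are removed with the VPC itself
    _vpc_dep security-group describe-security-groups --filters vpc-id \
        'SecurityGroups[?GroupName!=`default`].GroupId' "$vpc"
    _vpc_dep subnet describe-subnets --filters vpc-id 'Subnets[].SubnetId' "$vpc"
}

# Usage at the prompt: vpc_dependencies _id_
# An empty result means delete-vpc --vpc-id _id_ should now succeed.
```

Run it before delete-vpc and again after each round of deletions; ENIs that belong to a load balancer or an RDS instance disappear only when the owning service removes them, which is usually the part that takes longest.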


Use describe-subnets:

aws ec2 describe-subnets

then delete-subnet:

aws ec2 delete-subnet --subnet-id _id_

Find Load Balancer IP

Use elb-find-load-balancer-ip:

aws ec2 describe-network-interfaces \
  --filters Name=description,Values="ELB elb-name" \
  --query 'NetworkInterfaces[*].PrivateIpAddresses[*].PrivateIpAddress' \
  --output text

VPN Connection and Tunnels

Use describe-vpn-connections to retrieve gateway configuration:

aws ec2 describe-vpn-connections \
    --filter 'Name=vpn-connection-id,Values=vpn-12345678' \
    --query 'VpnConnections[0].CustomerGatewayConfiguration' \
    --output text

Retrieve the pre-shared key:

aws ec2 describe-vpn-connections \
    --filter 'Name=vpn-connection-id,Values=vpn-12345678' \
    --query 'VpnConnections[0].CustomerGatewayConfiguration' \
    --output text | grep pre_shared_key

Use modify-vpn-tunnel-options to replace the pre-shared key:

aws ec2 modify-vpn-tunnel-options \
    --vpn-connection-id vpn-12345678 \
    --vpn-tunnel-outside-ip-address _tunnel_outside_ip_ \
    --tunnel-options 'PreSharedKey=secret' --dry-run
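AWS only accepts a pre-shared key of 8 to 64 characters made of letters, digits, '.' and '_', and it must not start with '0'; modify-vpn-tunnel-options rejects anything else. The following is an added example, not code from the original notes: valid_psk checks those documented rules, gen_psk draws a key from /dev/urandom and retries until it passes, and rotate_vpn_psk wires the result into the modify-vpn-tunnel-options call from above. The three function names and the DRY_RUN variable are mine.

```shell
#!/bin/sh
# Added example (not from the original notes): generate and validate a
# replacement pre-shared key before calling modify-vpn-tunnel-options.

# Documented AWS Site-to-Site VPN PSK rules: 8 to 64 characters, only
# letters, digits, '.' and '_', and the key must not start with '0'.
valid_psk() {
    psk="$1"
    [ "${#psk}" -ge 8 ] && [ "${#psk}" -le 64 ] || return 1
    case "$psk" in
        0*) return 1 ;;                  # must not start with zero
        *[!A-Za-z0-9._]*) return 1 ;;    # any other character is rejected
    esac
    return 0
}

# Takes random bytes from the kernel CSPRNG, keeps only allowed characters
# and retries until the result passes valid_psk (handles a leading zero).
# $1 = length, default 32.
gen_psk() {
    n="${1:-32}"
    while :; do
        k=$(LC_ALL=C tr -dc 'A-Za-z0-9._' < /dev/urandom | head -c "$n")
        if valid_psk "$k"; then
            printf '%s\n' "$k"
            return 0
        fi
    done
}

# Replaces the PSK of one tunnel. $1 = vpn-connection-id, $2 = tunnel outside IP.
# Set DRY_RUN=1 to keep the --dry-run from the notes and only check permissions.
rotate_vpn_psk() {
    conn="$1"; outside_ip="$2"
    psk=$(gen_psk 32)
    aws ec2 modify-vpn-tunnel-options \
        --vpn-connection-id "$conn" \
        --vpn-tunnel-outside-ip-address "$outside_ip" \
        --tunnel-options "PreSharedKey=$psk" ${DRY_RUN:+--dry-run}
}

# Usage at the prompt: DRY_RUN=1 rotate_vpn_psk vpn-12345678 _tunnel_outside_ip_
```

Because the key is passed as an argument it lands in shell history and is visible in process listings for the duration of the call; supplying the parameters from a file with the CLI's --cli-input-json option keeps it out of the history. The customer side of the tunnel has to be updated with the same key, which is why describe-vpn-connections (above) is the place to confirm what AWS has after the change.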