Launching an AWS instance using CLI


Read along to learn how to do the following AWS actions using the CLI:

  • Create a key pair
  • Create a security group
  • Launch an instance (using the key pair and security group created)
  • Create an EBS volume of 1 GB
  • Attach the above created volume to the instance


Prerequisites

  • An IAM role with privileges to work with EC2
  • The AWS Command Line Interface (an installer is available for Windows)

(The Windows command prompt is being used in this article, but the AWS CLI is also available for Mac and Linux.)

Let's get started


Once AWS CLI has been installed (check the version installed by the command aws --version), we can start with the initial configuration by using the aws configure command (the --profile option is not necessary).

C:\>aws configure --profile ga_r
AWS Access Key ID [****************RLUC]: EXAMPLEKEYAZ5CD32RLUC
AWS Secret Access Key [****************KdBs]: EXAMPLEKEY780SjuKdBs
Default region name [ap-south-1]: ap-south-1
Default output format [None]:

  • The Access Key ID and Secret Access Key are received while creating a user, but if forgotten, a new Access Key can be created using IAM > Access Management > Users.
  • The Default region name is entered based on your preference. The list of region names can be found in Regions and Endpoints. In my case, ap-south-1 is the region name for Asia Pacific (Mumbai).
  • The Default output format can be left unchanged by pressing Enter (by default it’s JSON).

Creating a key pair

To create a key pair, use the create-key-pair command with the --query option, and the --output text option to pipe your private key directly into a file.

C:\>aws ec2 create-key-pair --key-name CLIKeyPair --query "KeyMaterial" --output text > CLIKeyPair.pem

The created key pair will also be shown in the web UI under EC2 > Network & Security > Key Pairs.

You can match the fingerprint of the key pair generated in the CLI with the one in AWS by using the command:

C:\>aws ec2 describe-key-pairs --key-name CLIKeyPair
{
    "KeyPairs": [
        {
            "KeyPairId": "key-0500b6165650b7b62",
            "KeyFingerprint": "4b:6a:29:a4:6f:a7:55:5e:08:0d:3c:17:f9:c1:36:24:7f:a8:f7:84",
            "KeyName": "CLIKeyPair",
            "Tags": []
        }
    ]
}

To delete a key pair, use:

C:\>aws ec2 delete-key-pair --key-name CLIKeyPair

We’ll keep the key pair for now as we need it to launch our instance later on.

Creating a Security Group

The create-security-group command under EC2 is used to create a security group in the AWS Virtual Private Cloud which is logically isolated to only one AWS account.

I used the VPC of the default Security Group that already existed to make this new EC2-VPC security group. Optionally, a user can also create an EC2-Classic security group without having to specify the vpc-ID.

C:\>aws ec2 create-security-group --group-name cli-sg --description "CLI security group" --vpc-id vpc-example7c
{
    "GroupId": "sg-09f1example63b7ad"
}

To view the initial information for a security group, run the describe-security-groups command.

C:\>aws ec2 describe-security-groups --group-ids sg-09f1example63b7ad

To keep it simple, we’ll allow all traffic as an inbound rule for this security group (this is not preferred due to security risks, so I recommend adding inbound rules based on your requirements).

C:\>aws ec2 authorize-security-group-ingress --group-id sg-09f1example63b7ad --protocol all --port all --cidr

Optionally, if you want to allow SSH from your local system, set --protocol tcp, --port 22, and --cidr to your public IP.

To delete a security group, use the delete-security-group command:

C:\>aws ec2 delete-security-group --group-id sg-09f1example63b7ad

We’ll keep the security group for now as we need it to launch our instance later on.

Launch an Instance

We will be launching a free-tier t2.micro instance using the security group and key pair created in the previous steps.

To launch an instance, we need

  • image-id (id of AMI)
  • count (number of instances)
  • instance-type (t2.micro in this case)
  • key-name (of the key pair we created in the first step)
  • security-group-id (of the security group we created using vpc in step 2)
  • subnet-id (only if using vpc)

The subnet-id can either be picked from existing ones or a new one can be created by navigating through VPC > Subnets > Create subnet.

For this example, we will launch one instance of type t2.micro from the Amazon Linux 2 AMI, with key-name, security-group-id, and subnet-id as per your setup.

C:\>aws ec2 run-instances --image-id ami-0e306788ff2473ccb --count 1 --instance-type t2.micro --key-name CLIKeyPair --security-group-ids sg-09f1example63b7ad --subnet-id subnet-d57example5

If you created an EC2-Classic security group, the command would change to,

C:\>aws ec2 run-instances --image-id ami-0e306788ff2473ccb --count 1 --instance-type t2.micro --key-name CLIKeyPair --security-groups my-sg

Add tags to your instances using the create-tags command.

C:\>aws ec2 create-tags --resources i-0a6acd66b0b7ec8f4 --tags Key=Name,Value=CLIinstance

You can also list an instance with its details in the CLI using describe-instances command. Here, I used the tag as a filter.

C:\Users\w10>aws ec2 describe-instances --filters "Name=tag:Name,Values=CLIinstance"

This command can be used after any of the following steps to check if the changes have been reflected in the instance.

Creating an EBS Volume

We can directly attach an EBS volume by using the --block-device-mappings option in the run-instances command. But for this example, we will create a separate EBS volume using the create-volume command and then attach the volume to the running instance.

To create an EBS volume for our instance we need,

  • volume-type (gp2 for General Purpose SSD)
  • size (in GiBs)
  • availability-zone (should be the same as the instance)

The command and output would thus look like,

C:\>aws ec2 create-volume --volume-type gp2 --size 1 --availability-zone ap-south-1a
{
    "AvailabilityZone": "ap-south-1a",
    "CreateTime": "2020-11-01T12:01:33+00:00",
    "Encrypted": false,
    "Size": 1,
    "SnapshotId": "",
    "State": "creating",
    "VolumeId": "vol-036a30f67a42debe2",
    "Iops": 100,
    "Tags": [],
    "VolumeType": "gp2"
}

Attaching EBS Volume to instance

We use the attach-volume command to attach an EBS volume to a running or stopped instance and expose it to the instance with the specified device name.

To attach a volume to an instance we need,

  • volume-id (of the EBS volume created in the previous step)
  • instance-id (of the target instance)
  • device (name of the volume to be attached, specified by the user, e.g. /dev/sdf)

C:\>aws ec2 attach-volume --volume-id vol-036a30f67a42debe2 --instance-id i-0a6acd66b0b7ec8f4 --device /dev/sdf
{
    "AttachTime": "2020-11-01T12:14:49.066000+00:00",
    "Device": "/dev/sdf",
    "InstanceId": "i-0a6acd66b0b7ec8f4",
    "State": "attaching",
    "VolumeId": "vol-036a30f67a42debe2"
}

For the attached volume to be usable, further steps like creating partitions, formatting and mounting the drive need to be done by connecting to the instance using SSH. To follow these steps, refer to Making an EBS volume available for use.


With this we successfully launched an instance with a key pair and security group, created an EBS volume and attached it to the running instance, all using the Command Line Interface. Hope this walkthrough has been helpful :)
