How to Use Claude Code with AWS CLI

Table of Contents

AWS has a lot of services. And each service has its own console, its own navigation, its own way of doing things. Every time I need to check something — CloudWatch logs, an ECS task, an S3 bucket — I find myself clicking through a maze of menus, forgetting where things are, and opening five tabs just to find one error message. I can never remember what’s the right button to click.

And yes, I can ask an LLM for the right command. But that workflow is still scattered — copy the command from the LLM, switch to the terminal, paste it, read the output, switch back to ask for a different flag, copy, paste, repeat. You’re still bouncing between windows, and it still feels like a very manual process. What if the LLM could just run the command for you directly?

A couple of days ago, I shared how to use Claude Code with Snowflake CLI. There’s a trend I’ve been noticing: the best tools for AI agents are moving from MCP servers to CLI tools plus skills. That’s what prompted me to try Claude Code with Snowflake CLI — and it worked great. Now, AWS also has a great CLI tool, and Claude Code is very good at using CLI tools. So why don’t I just do the same?

So I tried it. And it works really well.

Instead of navigating the AWS console to find CloudWatch logs, I just ask Claude Code: “show me the last 30 minutes of error logs from the staging travel backend.” Claude runs the right aws logs command and gives me the answer. No tab-switching, no menu-hunting. I’m so glad I tried this — I could never remember where things are in the AWS console, and now I don’t have to.

The goal of this post is to walk you through how to set up the same workflow for your own AWS account.

📋 Prerequisites
#

Claude Code installed (claude.com/claude-code)
Homebrew installed (brew.sh)
An AWS account with SSO (IAM Identity Center) or IAM credentials

Part 1: For Those Who Already Have AWS CLI + SSO Configured
#

If you already have the AWS CLI installed and SSO configured — great, you’re basically ready. Here’s the workflow:

Step 1: Log In via SSO
#

aws sso login --profile your-profile-name

Approve the browser prompt, and you’re authenticated.

Step 2: Set Your Profile
#

export AWS_PROFILE=your-profile-name

This tells every AWS CLI command (including the ones Claude Code runs) which account and role to use.

💡 Tip: Add export AWS_PROFILE=your-profile-name to your ~/.zshrc so you don’t have to set it every time you open a new terminal.

Step 3: Start Claude Code and Ask Away
#

That’s it. Open Claude Code and start asking questions in plain English:

CloudWatch Logs:

You:    Show me the last 30 minutes of logs from /ecs/stage-travel-backend-web-task
Claude: [runs aws logs tail → returns the log output]

Search for errors:

You:    Find all ERROR or 500 logs in the staging travel backend from the last 2 hours
Claude: [runs aws logs filter-log-events with the right filter pattern → shows matching entries]

ECS service status:

You:    Are all tasks healthy in the staging travel backend cluster?
Claude: [runs aws ecs describe-services → "3/3 tasks running, all healthy"]

S3:

You:    What's the total size of the stage-travel-assets bucket?
Claude: [runs aws s3 ls with --summarize → returns file count and total size]

Follow-ups work naturally:

You:    Now show me just the ones with "timeout" in the message
Claude: [refines the previous query with an additional filter]

Because Claude Code maintains conversation context, you can drill down naturally — “filter that to just the last 10 minutes” or “now check if the same error appears in production.”

Part 2: Setting Up AWS CLI + SSO From Scratch
#

If you don’t have the AWS CLI installed yet, or haven’t configured SSO, here’s how to get there.

Step 1: Install AWS CLI
#

brew install awscli

Verify the installation:

aws --version

You should see something like aws-cli/2.x.x Python/3.x.x ....

Step 2: Configure SSO
#

If your organization uses AWS IAM Identity Center (SSO), run:

aws configure sso

It will walk you through a series of prompts:

SSO session name: pick any name (e.g., my-company)
SSO start URL: the URL of your AWS access portal (ask your admin if you don’t know it)
SSO region: the region your SSO is configured in (e.g., us-east-1)
SSO registration scopes: press Enter to accept the default

A browser window will open for you to authenticate. After that, the CLI will show your available accounts and roles. Select the ones you want, and give the profile a name you’ll remember.

⚠️ Not using SSO? If your org uses IAM access keys instead, run aws configure and enter your Access Key ID, Secret Access Key, and default region. The rest of this guide works the same way — just skip the aws sso login step.

Step 3: Test the Connection
#

aws sso login --profile your-profile-name

This opens a browser window where you authenticate. Once approved, you’re connected.

If you want to double-check, you can run:

aws sts get-caller-identity --profile your-profile-name

STS (Security Token Service) is the AWS service that handles temporary credentials — this command is basically whoami for AWS. It returns your account ID, user ARN, and role.

Step 4: Set Your Profile and Start Using Claude Code
#

export AWS_PROFILE=your-profile-name

Now open Claude Code and you’re ready. Jump back to Part 1 to see example queries.

🎯 What Else Can Claude Code Do with AWS CLI?
#

CloudWatch logs were my starting point, but the same pattern works for a lot more:

ECS — check service status, see running tasks, force a new deployment, view task definitions, or even restart a service. For example, “show me the running tasks for the stage-travel-backend service” or “force a redeployment of the staging service.”
S3 — list buckets, upload/download files, check bucket sizes, sync folders. Things like “what’s in the stage-travel S3 bucket?” or “download the latest backup file.”
RDS / Databases — check database instance status, see if there are any performance issues, check storage usage, or view recent events.
Route 53 — look up DNS records — helpful for figuring out where a domain like stage-labs.outsideapi.com is pointing.
Secrets Manager / Parameter Store — look up configuration values (useful when debugging why staging behaves differently than production).
Cost Explorer — “how much did we spend on ECS last month?” — great for keeping an eye on costs.
IAM — check what permissions a role has, which can help debug access issues.
ECR — list container images, check when the latest image was pushed, clean up old images.
ALB / Load Balancers — check target health, see if any targets are unhealthy — useful when you see 500 errors and want to know if it’s a container health issue.

The beauty of using Claude Code for this is that you don’t need to memorize the AWS CLI syntax. You just describe what you want in plain English and it builds the right command. So instead of looking up aws ecs describe-services --cluster ... --services ..., you just ask “are all the tasks healthy in the stage travel backend cluster?”

🛠 Tips
#

SSO sessions expire. Typically after 8–12 hours. When your session expires, just run aws sso login --profile your-profile-name again and you’re back.
Use AWS_PROFILE in your shell config. Add export AWS_PROFILE=your-profile-name to ~/.zshrc so it’s always set. One less thing to remember.
Claude Code remembers context. You can build on previous queries — “now filter that to just 500 errors” or “compare that with production.” This is the biggest advantage over copy-pasting CLI commands one by one.
Pair it with CLAUDE.md. Just like with the Snowflake setup, you can create a CLAUDE.md file in your project directory with your AWS account details, common log group names, cluster names, and other context. This way Claude Code doesn’t have to discover them every time.

🔧 Troubleshooting
#

“The SSO session associated with this profile has expired” Run aws sso login --profile your-profile-name to re-authenticate.

“Unable to locate credentials” Make sure you’ve set AWS_PROFILE in your current terminal session, or pass --profile your-profile-name explicitly.

Claude Code commands fail with permission errors Check which permission set you’re using. If you logged in with a restricted role, some commands may not be allowed. Try a role with broader access (like AdministratorAccess) for debugging.

“command not found: aws” The AWS CLI isn’t installed or isn’t in your PATH. Run brew install awscli and open a new terminal window.

📋 Prerequisites #

Part 1: For Those Who Already Have AWS CLI + SSO Configured #

Step 1: Log In via SSO #

Step 2: Set Your Profile #

Step 3: Start Claude Code and Ask Away #

Part 2: Setting Up AWS CLI + SSO From Scratch #

Step 1: Install AWS CLI #

Step 2: Configure SSO #

Step 3: Test the Connection #

Step 4: Set Your Profile and Start Using Claude Code #

🎯 What Else Can Claude Code Do with AWS CLI? #

🛠 Tips #

🔧 Troubleshooting #