Control command output from the Amazon CLI - Amazon Command Line Interface
Sensitive outputServer-side vs client-side output options
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Control command output from the Amazon CLI

This section describes the different ways to control the output from the Amazon Command Line Interface (Amazon CLI). Customizing the Amazon CLI output in your terminal can improve readability, streamline scripting automation and provide easier navigation through larger data sets.

The Amazon CLI supports multiple output formats, including json, text, yaml, and table. Some services have server-side pagination for their data and the Amazon CLI provides it's own client-side features for additional pagination options.

Lastly, the Amazon CLI has both server-side and client-side filtering that you can use individually or together to filter your Amazon CLI output.

Topics

Sensitive output

Some operations of the Amazon CLI might return information that could be considered sensitive, including information from environment variables. The exposure of this information might represent a security risk in certain scenarios; for example, the information could be included in continuous integration and continuous deployment (CI/CD) logs. It is therefore important that you review when you are including such output as part of your logs, and suppress the output when not needed.

For additional information about protecting sensitive data, see Data protection in the Amazon CLI.

Consider the following best practices:

  • Consider programmatically retrieving your secrets from a secrets store, such as Amazon Secrets Manager.

  • Review the contents of your build logs to ensure they do not contain sensitive information. Consider approaches such as piping to /dev/null or capturing the output as a bash or PowerShell variable to suppress command outputs.

    The following is a bash example for redirecting output, but not errors, to /dev/null:

    $ aws s3 ls > /dev/null

    For specifics on suppressing output for your terminal, see the user documentation of the terminal you use.

  • Consider the access of your logs and scope the access appropriately for your use case.

Server-side vs client-side output options

The Amazon CLI has both server-side and client-side filtering that you can use individually or together to filter your Amazon CLI output. Server-side filtering is processed first and returns your output for client-side filtering. Server-side filtering is supported by the service API. Client-side filtering is supported by the Amazon CLI client using the --query parameter.

Server-side output options are features directly supported by the Amazon Web Service API. Any data that is filtered or paged out is not sent to the client, which can speed up HTTP response times and improve bandwidth for larger data sets.

Client-side output options are features created by the Amazon CLI. All data is sent to the client, then the Amazon CLI filters or pages the content displayed. Client-side operations do not save on speed or bandwidth for larger datasets.

When server-side and client-side options are used together, server-side operations are completed first and then sent to the client for client-side operations. This uses the potential speed and bandwidth savings of server-side options, while using additional Amazon CLI features to get your desired output.