
Running AWS CLI in an Air-Gapped Environment


The data room had no wires, no internet, no exits for bits. An air-gapped system. And yet, the AWS CLI still had work to do.

Running AWS CLI in an air-gapped environment is not a contradiction. It’s a discipline. It means depth of planning, tight control of dependencies, and a workflow that survives without ever calling home. The core challenge is simple: isolate infrastructure while keeping automation sharp.

Start with the AWS CLI installation. In an air-gapped network, package managers won’t reach the public internet. Download the CLI binaries from an approved, connected machine. Scan them. Transfer with secure media. Verify signatures before running a single command. This is the trust boundary. Nothing crosses without checks.

Configuration comes next. IAM credentials should be provisioned through secure, offline channels. Use profiles to store them locally, and pass --profile and --region explicitly on every call (or pin them in the profile) so no command falls back to a default that points at an unintended endpoint. Make S3 commands, EC2 provisioning, and CloudFormation stacks operate without any DNS lookups to the outside.

Dependency management matters more here than anywhere. If scripts depend on Python libraries or shell tools, pull those packages from a curated offline mirror. Freeze versions so builds are repeatable and tested. Avoid runtime fetches. Every byte you need must be inside the wall before you run the first job.


For S3-like workflows, use AWS CLI with endpoint overrides pointing to a private object store service. This keeps your commands familiar but routes them internally. For EC2 AMI building, use pre-approved base images stored locally. CloudFormation templates must be hosted on internal endpoints so that aws cloudformation deploy never touches the public network.
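The installation, profile and endpoint-override steps above, written out as a POSIX shell script. This is an added example, not code from the post or from hoop.dev; the file paths, the .internal.example DNS suffix, the profile names and the AWS CLI public-key file are assumptions, and endpoint_url in the config file needs AWS CLI v2.13 or later.

```shell
# Added example, not from the post: verify a transferred AWS CLI bundle, then
# pin a profile to a region and a private endpoint. Paths and hostnames below
# are assumptions (placeholders); the .sig and public key come from AWS's docs.
set -eu

# Compare a bundle's SHA-256 against the digest recorded on the connected side.
check_sha256() {
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

# Verify the detached GPG signature using an isolated, throwaway keyring that
# holds only the AWS CLI public key, so no other key can satisfy the check.
verify_bundle() {
  bundle="$1"; sig="$2"; pubkey="$3"; expected_sha256="$4"
  gpghome=$(mktemp -d); chmod 700 "$gpghome"
  gpg --homedir "$gpghome" --batch --import "$pubkey"
  gpg --homedir "$gpghome" --batch --verify "$sig" "$bundle"
  check_sha256 "$bundle" "$expected_sha256"
  rm -rf "$gpghome"
}

# Write a profile whose region and endpoint_url are fixed, so every command
# using it resolves only the internal endpoint (endpoint_url in the config
# file needs AWS CLI v2.13 or later).
write_profile() {
  cfg="$1"; profile="$2"; region="$3"; endpoint="$4"
  mkdir -p "$(dirname "$cfg")"
  cat >>"$cfg" <<EOF
[profile $profile]
region = $region
endpoint_url = $endpoint
EOF
  chmod 600 "$cfg"
}

# Guardrail: fail if a profile's endpoint is not HTTPS or its host lies outside
# the internal DNS suffix, i.e. the request would leave the air gap.
check_profile_endpoint() {
  cfg="$1"; profile="$2"; suffix="$3"
  endpoint=$(awk -v p="[profile $profile]" \
    '$0 == p {f=1; next} /^\[/ {f=0} f && $1 == "endpoint_url" {print $3}' "$cfg")
  case "$endpoint" in https://*) ;; *) echo "$profile: not https" >&2; return 1 ;; esac
  host=${endpoint#https://}; host=${host%%/*}; host=${host%%:*}
  case "$host" in *"$suffix") return 0 ;; esac
  echo "$profile: endpoint host $host is outside $suffix" >&2
  return 1
}
```

Run check_profile_endpoint against every profile in the transferred config before the first job; a profile that fails it is the one that would have called home.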

Logging is your guardrail. In air-gapped AWS CLI operations, log everything to a local, centralized store. The air gap reduces attack surface, but not the need for auditing. Command history, output files, and logs should be immutable.

The AWS CLI in an air-gapped system works best when automation is baked in early. Scripts, Lambdas, and pipelines should all be deployable with the same offline toolchain. That means testing in a simulated air-gapped environment before production. Every failure to prepare upstream becomes an outage downstream.

You can run serious AWS CLI workflows without the internet. You can keep infrastructure sealed and still ship fast. You just need the tooling to make it effortless.

See it live in minutes at hoop.dev — build air-gapped AWS CLI workflows without friction.
