Whether you're setting up a web server or deploying applications, seamless access to your instances is essential. This topic will walk you through the necessary steps to connect to your Linux and Windows instances. You'll gain insights into the prerequisites, various connection methods, and how to use AWS Systems Manager Session Manager to connect to your instances securely. Additionally, you'll learn how to troubleshoot common connectivity issues to ensure you can always access your instances when needed.
Prerequisites for connecting
Before you can connect to an EC2 instance, you need to meet several prerequisites. First, your instance needs to be running and have an associated key pair. Next, ensure you have the necessary IAM permissions. Your IAM user or role must have permissions like ec2:DescribeInstances, ec2:SendSSHPublicKey, and ssm:StartSession. These permissions are crucial for various connection methods.
Next, make sure your network configurations are accurate. Your instance should be in a VPC with a public IP address for direct connections, or establish a VPN Gateway or AWS Direct Connect setup for instances in private subnets. If you're using AWS Systems Manager, the Systems Manager Agent (SSM Agent) must be installed and active on your instances.
Finally, check that your security groups are set up correctly. Security groups act as virtual firewalls that control traffic to and from your instance. For SSH connections, make sure port 22 is open. For RDP connections to Windows instances, ensure port 3389 is open. Additionally, restrict these inbound rules to the IP addresses and ranges from which your instance should accept connections.
Connecting to a Linux instance
Connecting to a Linux instance can be done using various methods, such as SSH and EC2 Instance Connect. SSH (Secure Shell) is the most common method. To connect using SSH, you need an SSH client and the private key of the key pair associated with the instance. If you're on Linux or macOS, you must first ensure that your private key pair file has the correct permissions. Use the following command to set the appropriate permissions:
chmod 400 /path/to/your-key.pem
Then use the following command to connect to your instance:
ssh -i /path/to/your-key.pem ec2-user@your-instance-public-dns
For example, if you're connecting to an Amazon Linux 3 instance, it will look like the image below:
The first time you connect, you will be prompted to add the host to the list of known hosts. Once connected to your instance, you can run commands to install software and configure the system.
Alternatively, you can use EC2 Instance Connect. This method simplifies the connection process by allowing you to use temporary SSH keys and eliminating the need to manage long-term SSH keys for better security. To use EC2 Instance Connect, go to the EC2 Management Console, select your instance, and click on "Connect." Choose the "EC2 Instance Connect" tab and click "Connect." This will open an SSH session in your browser:
Additionally, you can use the AWS CLI to send your SSH public key to the instance. If you don't already have an SSH key pair, generate one with the following command:
ssh-keygen -t rsa -b 2048 -f my-key
This will create my-key (the private key) and my-key.pub (the public key). Next, send your SSH public key to the instance. Replace the placeholders with your actual instance ID, availability zone, and the path to your public key file:
aws ec2-instance-connect send-ssh-public-key \
--instance-id i-1234567890abcdef0 \
--availability-zone us-west-2a \
--instance-os-user ec2-user \
--ssh-public-key file://my-key.pub
This command sends the public key to the instance, where it is temporarily authorized for SSH access. After sending the public key, you can connect to the instance using SSH with the private key:
ssh -i my-key ec2-user@your-instance-public-dns
Alternatively, you can upload your key-pair file to AWS CloudShell. Then, connect to your instance using SSH as you normally would on a locally installed shell:
When connecting to an EC2 instance via SSH, it is paramount to adhere to best practices to ensure security and efficiency. Here are some things to do:
Use a unique SSH key pair and never share your private key;
Configure security group rules to allow SSH traffic only from trusted IP addresses;
Disable password-based authentication; use key-based authentication exclusively;
Regularly rotate your SSH keys to minimize the risk associated with compromised credentials.
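To check the second point above in practice (inbound rules that open SSH or RDP to anything beyond your trusted addresses), here is an added Python example; it is not part of the original topic. It consumes data in the shape returned by `aws ec2 describe-security-groups` and ships with a constructed sample so it runs offline; the group ids and CIDRs are made up.

```python
from ipaddress import ip_network

# Ports this topic cares about: SSH to Linux, RDP to Windows instances.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

def _covers_port(rule, port):
    """True if an IpPermissions entry admits TCP traffic to `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                      # "-1" = all protocols, all ports
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def _sources(rule):
    """Yield every IPv4 and IPv6 CIDR a rule accepts traffic from."""
    for r in rule.get("IpRanges", []):
        yield r["CidrIp"]
    for r in rule.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]

def find_exposed_admin_ports(security_groups, trusted_cidrs):
    """(group id, port, service, source) for each SSH/RDP rule whose source is not inside a trusted CIDR."""
    trusted = [ip_network(c) for c in trusted_cidrs]
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            for port, service in ADMIN_PORTS.items():
                if not _covers_port(rule, port):
                    continue
                for cidr in _sources(rule):
                    src = ip_network(cidr)
                    if not any(src.version == t.version and src.subnet_of(t)
                               for t in trusted):
                        findings.append((sg["GroupId"], port, service, cidr))
    return findings

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},     # one office address
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},          # public HTTP is intended
    {"GroupId": "sg-win", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},            # RDP open to the world
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},  # everything, IPv6
]
```

With `["203.0.113.0/24"]` as the trusted range, `find_exposed_admin_ports(SAMPLE_GROUPS, ...)` leaves `sg-web` alone and reports three findings for `sg-win`: RDP from 0.0.0.0/0, and both SSH and RDP from ::/0 via the all-traffic rule.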
Connecting to a Windows instance
Connecting to a Windows instance typically involves using Remote Desktop Protocol (RDP). First, ensure your security group allows inbound traffic on port 3389. Then, retrieve the administrator password for your instance. In the EC2 Management Console, select your instance, click "Connect," and then "Get Windows Password." Decrypt the password using your key pair file:
Next, open your Remote Desktop Client. On Windows, you can use the built-in Remote Desktop Connection tool. On macOS or Linux, you might need to install an RDP client like Microsoft Remote Desktop. You can download the provided RDP file, which contains all the necessary information, or enter the public DNS or public IP address of your instance. When prompted, enter the administrator username and the decrypted password:
Once successful, you will be connected to your Windows instance:
Now, you can perform the tasks you need just as if you were physically connected to the instance.
EC2 Instance Connect is not available for Windows instances.
Using AWS Systems Manager Session Manager
Sometimes, you might need to securely access your AWS instances in environments with stringent security requirements. Traditionally, a Bastion host was used in such scenarios. A Bastion host, also known as a jump server, acts as an intermediary for accessing your instances, providing an additional layer of security. Using a bastion host typically involves the following:
Launching an EC2 instance that will serve as the Bastion host. It is placed in a public subnet with a security group that allows inbound connections from your IP address;
Configuring the security groups for private instances to allow inbound SSH or RDP connections only from the Bastion host's security group;
Using SSH to connect to the Bastion host;
Connecting to your instance via the Bastion host.
However, Bastion hosts present a single point of failure. If compromised, everything they connect to could also be compromised. For this reason, alternative methods for secure connection are used, such as VPN Gateways, Direct Connect, and Session Manager. Here, we will look at Session Manager and discuss VPN Gateways and Direct Connect in future topics.
Session Manager allows you to connect to your instances without needing SSH or RDP clients. It is part of AWS Systems Manager, a service that provides a suite of capabilities for managing EC2 instances at scale. Session Manager provides a secure way to connect to your instances, particularly those in private subnets.
To use Session Manager, you need to ensure that the SSM Agent is installed and running on your instances first. By default, the agent is already installed on Amazon Linux, Ubuntu, Windows Server, and other AMIs. Additionally, you need the necessary permissions for Session Manager to perform actions on your instance. These include the AmazonSSMManagedInstanceCore policy attached to your instances and ssm:StartSession, ssm:DescribeInstanceInformation, and ssm:DescribeSessions permissions for the logged-in user.
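These permissions are easy to get slightly wrong, so here is an added Python example that is not part of the original topic. It is a deliberately simplified model of IAM evaluation (identity policies with Allow and Deny plus wildcards; no conditions, resource policies or SCPs) and shows why a policy that grants ssm:StartSession on the instance alone still fails: a session started with the default document also needs ssm:StartSession on the SSM-SessionManagerRunShell document. The ARNs are constructed; the region and instance id are the ones used later in this topic, the account id is made up.

```python
import fnmatch

# Constructed ARNs: region and instance id from the topic, account id made up.
INSTANCE_ARN = "arn:aws:ec2:af-south-1:123456789012:instance/i-05b498855a500f7fb"
SHELL_DOC_ARN = ("arn:aws:ssm:af-south-1:123456789012:document/"
                 "SSM-SessionManagerRunShell")

def _match(patterns, value, fold_case):
    """IAM-style wildcard match ('*' and '?'); actions compare case-insensitively."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(policy, action, resource):
    """Identity-policy decision only: an explicit Deny wins, then any Allow,
    otherwise the request is implicitly denied (conditions are not modelled)."""
    allowed = False
    for stmt in policy["Statement"]:
        if (_match(stmt["Action"], action, True)
                and _match(stmt["Resource"], resource, False)):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def start_session_blocker(policy, instance_arn):
    """A default StartSession needs the instance *and* the default shell
    document; return the first resource the policy denies, or None."""
    for res in (instance_arn, SHELL_DOC_ARN):
        if not is_allowed(policy, "ssm:StartSession", res):
            return res
    return None

# Allows the instance only: reproduces the AccessDeniedException on the
# SSM-SessionManagerRunShell document shown in the troubleshooting section.
INSTANCE_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ssm:StartSession", "Resource": INSTANCE_ARN}]}

# Adds the document plus the read-only calls the topic lists.
LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ssm:StartSession",
     "Resource": [INSTANCE_ARN, SHELL_DOC_ARN]},
    {"Effect": "Allow", "Action": ["ssm:DescribeSessions",
                                   "ssm:DescribeInstanceInformation"],
     "Resource": "*"}]}
```

`start_session_blocker(INSTANCE_ONLY, INSTANCE_ARN)` returns the document ARN, while the same call with `LEAST_PRIVILEGE` returns None.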
To start a session from the AWS Management Console, navigate to Systems Manager, choose "Session Manager," and click on "Start session." Select the instance you want to connect to and click "Start session." This will open a terminal window in your browser, allowing you to run commands on your instance:
For Windows, you can access a PowerShell shell to perform administrative tasks:
You can also start a session using the AWS CLI. Open your terminal and use the following command:
aws ssm start-session --target instance-id
Session Manager also supports port forwarding, allowing you to access applications running on your instances securely. To start a session with port forwarding, you'd use a command like the one shown below:
aws ssm start-session \
--target instance-id \
--document-name AWS-StartPortForwardingSession \
--parameters "portNumber1=80,localPortNumber1=8080"
AWS Systems Manager provides a treasure trove of capabilities for managing EC2 instances. You can read more about it in the AWS documentation.
Troubleshooting connection issues
When connecting to an EC2 instance, you may encounter various issues. Network misconfiguration is a common culprit. Ensure that your security groups allow inbound traffic from the necessary IP addresses on the required ports (22 for SSH, 3389 for RDP). Also, verify that your instance has a public IP address if you're connecting directly over the internet. Remember that the public IP address may have changed if the instance was stopped.
IAM permissions can also cause issues. Ensure that your IAM user or role has the necessary permissions for the connection method you're using. For example, you need ssm:StartSession and related permissions for Session Manager:
$ aws ssm start-session --target i-05b498855a500f7fb
An error occurred (AccessDeniedException) when calling the StartSession operation:
User: arn:aws:iam::0123456789012:user/James is not authorized to perform: ssm:StartSession
on resource: arn:aws:ssm:af-south-1:0123456789012:document/SSM-SessionManagerRunShell
because no identity-based policy allows the ssm:StartSession action
Instance state is another factor. Ensure that your instance is in a running state. If your instance is stopped or terminated, you won't be able to connect. Also, check the instance's status checks in the EC2 Management Console to ensure there are no underlying issues. These checks include:
System Status Checks, which ensure the underlying AWS infrastructure is functioning correctly, and
Instance Status Checks, which verify that the operating system and network configuration of the instance are correct.
SSM Agent issues can prevent connections through Session Manager. Ensure that the SSM Agent is installed and running on your instance. For Linux instances, you can check the agent's status with the following command:
sudo systemctl status amazon-ssm-agent
For Windows instances, check the agent's status in the Services application:
Hopefully, now you are able to address these common issues to ensure a successful connection to your EC2 instances.
Conclusion
By understanding the different methods available for connecting to Linux and Windows instances, you can choose the most appropriate and secure option for your needs. Whether you use SSH, RDP, EC2 Instance Connect, or Session Manager, each method offers unique benefits and considerations, from the simplicity of EC2 Instance Connect to the keyless access provided by Session Manager. By meeting the prerequisites and adhering to security best practices, you can ensure a seamless and secure connection experience.