What methods can I use to connect to my EC2 Linux instance?


I want to know what options are available for connecting to my Amazon Elastic Compute Cloud (Amazon EC2) Linux instance.

Short description

There are four methods for connecting to Amazon EC2 Linux instances:

  • Secure Shell (SSH)
  • EC2 serial console for Linux instances
  • Session Manager, a capability of AWS Systems Manager
  • Amazon EC2 Instance Connect

Resolution

SSH

Important: Make sure that you complete all prerequisites before connecting to your instance. The instance's security group must allow inbound TCP port 22 from your source IP address, and you need the private key of the key pair that the instance was launched with.

Method 1: Use a terminal window

Open a terminal window (Linux or macOS), and then run the SSH command to connect to the instance.

Use the public domain name:

ssh -i /path/key-pair-name.pem instance-user-name@instance-public-dns-name

Use the public IPv4 address:

ssh -i /path/key-pair-name.pem instance-user-name@instance-public-IPv4-address

Use the public IPv6 address:

ssh -i /path/key-pair-name.pem instance-user-name@instance-IPv6-address

For more information, see Connect to your Linux instance using an SSH client.

Method 2: Use OpenSSH from Windows

1.    Run the following command to use PowerShell to install OpenSSH for Windows.

Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

Note: To install OpenSSH, you must run PowerShell as administrator.

2.    Run the SSH command to connect to your instance:

Use the public domain name:

ssh -i /path/key-pair-name.pem instance-user-name@instance-public-dns-name

Use the public IPv4 address:

ssh -i /path/key-pair-name.pem instance-user-name@instance-public-IPv4-address

Use the public IPv6 address:

ssh -i /path/key-pair-name.pem instance-user-name@instance-IPv6-address

Method 3: Use PuTTY from Windows

1.    Use PuTTYgen to convert your .pem private key to a PuTTY .ppk file.

2.    Start PuTTY.

3.    Under Category, choose Session.

4.    For Host Name, enter the username@hostname combination:

Use the public domain name:

instance-user-name@instance-public-dns-name

Use the public IPv4 address:

instance-user-name@instance-IPv4-address

Use the public IPv6 address:

instance-user-name@instance-IPv6-address

5.    Make sure that the Port value matches the SSH service port (22 by default).

6.    For Connection type, choose SSH.

7.    Under Category, expand Connection, expand SSH, and then choose Auth. (In PuTTY 0.78 and later, the key file field is under Auth, Credentials.)

8.    Choose Browse, and then select the .ppk file that you generated for your key pair.

9.    Choose Open.

Note: The first time you connect to an instance, PuTTY (or the ssh command) shows the host key fingerprint and asks whether you trust the remote host. Before you accept it, compare the fingerprint with the SSH host key fingerprints printed in the instance's system log (in the EC2 console, choose Actions, Monitor and troubleshoot, Get system log; or run aws ec2 get-console-output). Accepting an unverified host key lets any host that intercepts the connection impersonate your instance.
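The first-connection check described in the note above, as an added example that is not part of the original article: it parses the "SSH HOST KEY FINGERPRINTS" block that cloud-init writes to the system log (the text that aws ec2 get-console-output returns), computes OpenSSH-style SHA256 fingerprints from the public keys that ssh-keyscan reports for the host, and reports a match, a mismatch, or a key type the system log never listed. The system-log text, the hostname and the key blobs below are constructed placeholders (the blobs are base64 of short strings, not real keys) so that the script runs offline; in practice you would feed it the real command outputs.

```python
import base64
import hashlib
import re

# Constructed sample of the host key block that cloud-init writes to the EC2
# system log (what `aws ec2 get-console-output --instance-id ... --output text`
# returns). The "ec2: " prefix is what Amazon Linux prints; the hostname and
# fingerprints are placeholders, not values from a real instance.
SAMPLE_CONSOLE_OUTPUT = """\
ec2: #############################################################
ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
ec2: 256 SHA256:ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0 root@ip-172-31-0-10 (ED25519)
ec2: 256 SHA256:47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU root@ip-172-31-0-10 (ECDSA)
ec2: -----END SSH HOST KEY FINGERPRINTS-----
ec2: #############################################################
"""

# Constructed sample of `ssh-keyscan -t ed25519,ecdsa <public-dns-name>` output.
# The key blobs are placeholders (base64 of "abc" and "xyz"), not real keys.
# The ED25519 blob hashes to the ED25519 fingerprint above; the ECDSA blob does
# not, which simulates a host presenting a key the system log never listed.
SAMPLE_KEYSCAN_OUTPUT = """\
ec2-12-34-56-78.us-west-2.compute.amazonaws.com ssh-ed25519 YWJj
ec2-12-34-56-78.us-west-2.compute.amazonaws.com ecdsa-sha2-nistp256 eHl6
"""

# Map the key type that ssh-keyscan prints to the label cloud-init uses.
KEY_TYPES = {
    "ssh-ed25519": "ED25519",
    "ecdsa-sha2-nistp256": "ECDSA",
    "ecdsa-sha2-nistp384": "ECDSA",
    "ecdsa-sha2-nistp521": "ECDSA",
    "ssh-rsa": "RSA",
}

FINGERPRINT_LINE = re.compile(r"SHA256:([A-Za-z0-9+/]+)\s.*\((\w+)\)\s*$")


def sha256_fingerprint(key_blob_b64):
    """OpenSSH-style fingerprint of a base64 public key blob:
    'SHA256:' + base64(sha256(blob)) with the '=' padding removed."""
    digest = hashlib.sha256(base64.b64decode(key_blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_console_fingerprints(console_output):
    """Return {key_type: fingerprint} from the BEGIN/END block in the system log."""
    expected = {}
    inside = False
    for raw in console_output.splitlines():
        line = raw.strip()
        if line.startswith("ec2: "):
            line = line[len("ec2: "):]
        if line.startswith("-----BEGIN SSH HOST KEY FINGERPRINTS"):
            inside = True
            continue
        if line.startswith("-----END SSH HOST KEY FINGERPRINTS"):
            break
        if inside:
            match = FINGERPRINT_LINE.search(line)
            if match:
                expected[match.group(2).upper()] = "SHA256:" + match.group(1)
    return expected


def parse_keyscan(keyscan_output):
    """Return {key_type: fingerprint} computed from ssh-keyscan 'host type blob' lines."""
    observed = {}
    for line in keyscan_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        key_type = KEY_TYPES.get(parts[1])
        if key_type:
            observed[key_type] = sha256_fingerprint(parts[2])
    return observed


def verify_host_keys(console_output, keyscan_output):
    """Compare what the host presents with what the system log recorded.
    Returns {key_type: True (match) / False (mismatch) / None (not in system log)}."""
    expected = parse_console_fingerprints(console_output)
    observed = parse_keyscan(keyscan_output)
    return {
        key_type: (expected[key_type] == fingerprint) if key_type in expected else None
        for key_type, fingerprint in observed.items()
    }


if __name__ == "__main__":
    for key_type, ok in verify_host_keys(SAMPLE_CONSOLE_OUTPUT, SAMPLE_KEYSCAN_OUTPUT).items():
        verdict = {True: "match", False: "MISMATCH, do not accept", None: "not in system log"}[ok]
        print(f"{key_type}: {verdict}")
```

Only accept the host key in ssh or PuTTY when every key type the host offers matches; a None result means the log predates the key or was truncated, so fetch it again rather than guessing. The same fingerprint computation applies to the EC2 serial console endpoint, except that there the reference value is the per-Region fingerprint that AWS publishes, not the instance's system log.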

EC2 serial console for Linux instances

The EC2 serial console establishes a serial connection to EC2 instances that allows you to troubleshoot boot and network connectivity issues.

Limitations:

  • Only one active serial console connection is supported per instance.
  • There must be at least a 30 second interval between sessions.
  • There is a slight drop in your instance's throughput during the EC2 serial console session.
  • Xen instances aren't supported.
  • The EC2 serial console isn't supported for Wavelength Zones and AWS Outposts.
  • The EC2 serial console is supported in only certain AWS Regions.

Important: Make sure that you complete all prerequisites before connecting using the EC2 serial console. Serial console access is turned off by default: an administrator must grant your account access (EC2 console, Settings, EC2 Serial Console), and the login prompt accepts only a password, so you must have set a password for an OS user on the instance beforehand.

Method 1: Use the browser-based client

1.    Open the EC2 console.

2.    Choose Instances.

3.    Select your instance, and then choose Actions, Monitor and troubleshoot, EC2 Serial Console, Connect. Or, choose the instance, and then select Connect, EC2 Serial Console, Connect.

4.    When the in-browser terminal window opens, press Enter. If a login prompt appears, then enter the username of the password-based user, and then press Enter.

At the Password prompt, enter the password, and then press Enter.

Method 2: Use SSH

1.    Push your SSH public key to the serial console service for the instance. The key is valid for 60 seconds, so run the ssh command in the next step immediately afterward:

aws ec2-instance-connect send-serial-console-ssh-public-key \
    --instance-id i-0123456789EXAMPLE \
    --serial-port 0 \
    --ssh-public-key file://my_key.pub \
    --region us-east-1

Note: In the preceding example command, make sure that you add the file:// prefix to the SSH public key path.

2.    Use your private key to connect to the serial console:

ssh -i my_key i-0123456789EXAMPLE.port0@serial-console.ec2-instance-connect.us-east-1.aws

3.    (Optional) Verify the fingerprint. Compare the fingerprint that appears the first time that you connect to the serial console with the unique EC2 serial console fingerprint that AWS publishes for the Region. This comparison is what prevents a host that intercepts the connection from impersonating the serial console endpoint, so don't accept a fingerprint that doesn't match.

4.    If a prompt returns, then enter the username of the password-based user, and then press Enter.

5.    At the Password prompt, enter the password, and then press Enter.

Session Manager

Session Manager allows secure access to the managed nodes without opening inbound ports, or managing an SSH key. You can use AWS CloudTrail events to audit Session Manager sessions, and control the sessions with AWS Identity and Access Management (IAM) policies.

Limitations:

  • You can't transfer files with Session Manager.
    Note: Instead, use an S3 bucket and the AWS CLI to exchange data.
  • Logging isn't available for Session Manager sessions that connect through port forwarding or SSH. This is because SSH encrypts all session data, and Session Manager serves only as a tunnel for SSH connections.
  • AWS Systems Manager isn't supported for all operating systems (OS). For more information, see Supported operating systems.
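The CloudTrail audit mentioned above, as an added example that is not part of the original article: it filters a CloudTrail export down to Session Manager StartSession calls, records who started a session against which managed node, and flags two things an analyst wants to see, namely denied attempts and sessions started with the SSH or port-forwarding documents, whose content Session Manager cannot log because it only tunnels an encrypted stream (the second limitation listed above). The records are constructed and trimmed to the fields used; the account ID, principals, instance IDs, IP addresses and session IDs are placeholders.

```python
import json

# Constructed CloudTrail records, trimmed to the fields used here. The
# account ID, role names, instance IDs, IP addresses and session IDs are
# placeholders, not data from a real account.
SAMPLE_CLOUDTRAIL_JSON = json.dumps({"Records": [
    {   # interactive shell session started from the console or `aws ssm start-session`
        "eventTime": "2024-05-01T10:00:00Z",
        "eventSource": "ssm.amazonaws.com",
        "eventName": "StartSession",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/OpsRole/alice"},
        "requestParameters": {"target": "i-0123456789EXAMPLE"},
        "responseElements": {"sessionId": "alice-0a1b2c3d4e5f67890"},
    },
    {   # SSH tunnelled through Session Manager: session content is not logged
        "eventTime": "2024-05-01T10:05:00Z",
        "eventSource": "ssm.amazonaws.com",
        "eventName": "StartSession",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": {"target": "i-0123456789EXAMPLE",
                              "documentName": "AWS-StartSSHSession",
                              "parameters": {"portNumber": ["22"]}},
        "responseElements": {"sessionId": "bob-0f1e2d3c4b5a69788"},
    },
    {   # denied attempt: the IAM policy did not allow StartSession on this target
        "eventTime": "2024-05-01T10:07:00Z",
        "eventSource": "ssm.amazonaws.com",
        "eventName": "StartSession",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": {"target": "i-0fedcba9876543210"},
        "errorCode": "AccessDeniedException",
    },
    {   # unrelated EC2 event that the filter must skip
        "eventTime": "2024-05-01T10:09:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": {},
    },
]})

# Session documents whose content Session Manager cannot log because it only
# tunnels an encrypted SSH stream or raw TCP for port forwarding.
TUNNEL_DOCUMENTS = {
    "AWS-StartSSHSession",
    "AWS-StartPortForwardingSession",
    "AWS-StartPortForwardingSessionToRemoteHost",
}
# Document used when StartSession is called without documentName.
DEFAULT_DOCUMENT = "SSM-SessionManagerRunShell"


def start_session_events(cloudtrail_json):
    """Yield the CloudTrail records that are Session Manager StartSession calls."""
    for record in json.loads(cloudtrail_json)["Records"]:
        if record.get("eventSource") == "ssm.amazonaws.com" and record.get("eventName") == "StartSession":
            yield record


def summarize_sessions(cloudtrail_json):
    """One dict per StartSession call: who, from where, which node, which document,
    whether it was denied, and whether the session content can have been logged."""
    rows = []
    for record in start_session_events(cloudtrail_json):
        params = record.get("requestParameters") or {}
        document = params.get("documentName", DEFAULT_DOCUMENT)
        rows.append({
            "time": record["eventTime"],
            "principal": record["userIdentity"]["arn"],
            "source_ip": record.get("sourceIPAddress"),
            "target": params.get("target"),
            "document": document,
            "session_id": (record.get("responseElements") or {}).get("sessionId"),
            "denied": "errorCode" in record,
            "content_loggable": document not in TUNNEL_DOCUMENTS,
        })
    return rows


def findings(cloudtrail_json):
    """Rows an analyst should review: denied attempts and sessions whose
    content Session Manager logging could not have captured."""
    return [row for row in summarize_sessions(cloudtrail_json)
            if row["denied"] or not row["content_loggable"]]


if __name__ == "__main__":
    for row in findings(SAMPLE_CLOUDTRAIL_JSON):
        reason = "ACCESS DENIED" if row["denied"] else f"unlogged tunnel ({row['document']})"
        print(f"{row['time']} {row['principal']} -> {row['target']}: {reason}")
```

The sessionId in the successful records is the key for joining these events to the session transcripts that Session Manager writes to Amazon S3 or CloudWatch Logs when logging is turned on; for the tunnel documents there is no transcript to join, which is why those rows are surfaced separately.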

Important: Make sure that you complete all prerequisites before using Session Manager to connect to your instance.

It's a best practice to create VPC endpoints for Systems Manager so that the SSM Agent reaches the service over the VPC instead of over the internet.

Use the Systems Manager console to connect

  1. Open the Systems Manager console.
  2. Choose Session Manager.
  3. Choose Start session.
  4. (Optional) Enter a session description in the Reason for session field.
  5. Select the managed node that you want to connect to, and then choose Start session to immediately launch the session.
    -or-
    (Optional) Use a custom document to configure session settings, including duration, encryption, and logging:
    For Session options, choose Next.
    For Session document, select the document that you want to run when the session starts. If your document supports runtime parameters, then you can enter one or more comma-separated values in each parameter field.
    Choose Next.
    Choose Start session.

Use the EC2 console to connect

  1. Open the EC2 console.
  2. Choose Instances.
  3. Select the instance, and then choose Connect.
  4. For Connection method, choose Session Manager.
  5. Choose Connect.

Use the AWS CLI to connect

Run the following command:

aws ssm start-session --target instance-id

Use SSH over Session Manager to connect

Requirements:

  • The target managed node must be configured to accept SSH connections (the SSH server running and your public key in the OS user's authorized_keys), and the computer that you connect from must have the Session Manager plugin for the AWS CLI installed.
  • The AWS Systems Manager Agent (SSM Agent) version that's running must be 2.3.672.0 or later.
  • You have the PEM-formatted private key file for the instance's key pair, and you connect as the OS account that it's associated with. For example, the "ubuntu" user account on Ubuntu managed nodes.

To use SSH to start a session, run the following command. The host is the instance ID, not a DNS name; a ProxyCommand in your SSH configuration routes the connection through Session Manager, so no inbound port needs to be open:

ssh -i /path/my-key-pair.pem username@instance-id
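The client-side SSH configuration that makes the preceding command work, as an added example that is not part of the original article. The Host pattern and the ProxyCommand line are the ones the Session Manager documentation prescribes; the User and IdentitiesOnly lines are additions here (the user name is an assumption for an Amazon Linux node). The aws command inside the ProxyCommand needs the Session Manager plugin installed locally and an IAM identity that's allowed ssm:StartSession on both the instance and the AWS-StartSSHSession document.

```sshconfig
# ~/.ssh/config on the computer you connect from.
# Any host that looks like an EC2 instance ID (i-*) or a hybrid node ID (mi-*)
# is reached through Session Manager instead of a direct TCP connection.
Host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
    User ec2-user
    # Offer only the key given with -i (or IdentityFile), not every key in the agent.
    IdentitiesOnly yes
```

With this in place, ssh -i /path/my-key-pair.pem i-0123456789EXAMPLE opens the tunnel and then performs a normal SSH handshake inside it. SSH still authenticates the host by its key, so verify the host key fingerprint on first use exactly as you would for a direct connection; Session Manager only replaces the network path, not the SSH trust model.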

Amazon EC2 Instance Connect

EC2 Instance Connect allows secure access to your instance through SSH. EC2 Instance Connect provides multiple options to connect to your instance without sharing your SSH keys.

Limitations:

  • EC2 Instance Connect has limited support for Linux distributions.
  • The AuthorizedKeysCommand and AuthorizedKeysCommandUser settings must not already be configured.
  • EC2 Instance Connect isn't supported in Local Zones.
  • A public IPv4 address is mandatory to connect when you use the Amazon EC2 console.
  • EC2 Instance Connect doesn't support using an IPv6 address to connect.

Important: Make sure that you complete all prerequisites before using Amazon EC2 Instance Connect.

Use the Amazon EC2 console to connect (only for instances with IPv4 Public address)

1.    Open the Amazon EC2 console.

2.    In the navigation pane, choose Instances.

3.    Select the instance, and then choose Connect.

4.    Choose EC2 Instance Connect.

5.    Verify the username, and then choose Connect to open a terminal window.

Use your own key and SSH client to connect

Note: The EC2 Instance Connect package (ec2-instance-connect) must be installed on the instance that you're connecting to. It's preinstalled on the Amazon Linux 2, Amazon Linux 2023, and Ubuntu 20.04 and later AMIs.

1.    Run the following command to generate new SSH private and public keys:

ssh-keygen -t rsa -f my_key

2.    Push your SSH public key to the instance:

Amazon Linux:

aws ec2-instance-connect send-ssh-public-key \
    --region us-west-2 \
    --instance-id i-0123456789Amzn \
    --instance-os-user ec2-user \
    --ssh-public-key file://my_key.pub

Ubuntu:

aws ec2-instance-connect send-ssh-public-key \
    --region us-west-2 \
    --instance-id i-0123456789Ubuntu \
    --instance-os-user ubuntu \
    --ssh-public-key file://my_key.pub

Note: In the preceding example command, make sure that you add the file:// prefix to the SSH public key path.

3.    Use your private key to connect to the instance:

Amazon Linux:

ssh -o "IdentitiesOnly=yes" -i my_key ec2-user@instance-public-dns-name

Ubuntu:

ssh -o "IdentitiesOnly=yes" -i my_key ubuntu@instance-public-dns-name

Note: A standard Amazon EC2 instance public DNS name looks similar to ec2-12-34-56-78.us-west-2.compute.amazonaws.com. The name consists of the AWS domain, the service (compute, in this example), the Region, and a form of the public IP address.
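A least-privilege IAM policy for the key push in step 2, as an added example that is not part of the original article. The ec2:osuser and ec2:ResourceTag condition keys are the ones the EC2 Instance Connect documentation provides for SendSSHPublicKey; the account ID, Region, tag name and tag value are placeholders. The second statement is needed by the EC2 Instance Connect CLI (mssh), which describes the instance to find its address before pushing the key.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PushKeyOnlyAsEc2UserToDevInstances",
      "Effect": "Allow",
      "Action": "ec2-instance-connect:SendSSHPublicKey",
      "Resource": "arn:aws:ec2:us-west-2:123456789012:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:osuser": "ec2-user",
          "ec2:ResourceTag/Environment": "dev"
        }
      }
    },
    {
      "Sid": "DescribeInstancesForMssh",
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    }
  ]
}
```

Without the ec2:osuser condition, anyone allowed to push a key could push it for root or any other OS account; the condition binds the IAM permission to the OS identity, and the tag condition limits which instances it applies to. Every SendSSHPublicKey call is recorded in CloudTrail, so the principal that pushed the key for a given 60-second window can always be identified.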

Use the EC2 Instance Connect CLI to connect

Note: Install the EC2 Instance Connect CLI (the ec2instanceconnectcli package, which provides the mssh command) on the computer that you connect from. It generates a one-time key pair, pushes the public key, and then runs ssh for you.

Amazon Linux:

$ mssh i-0123456789Amzn

Ubuntu:

$ mssh ubuntu@i-0123456789Ubuntu
AWS OFFICIAL. Updated a year ago.