What methods can I use to connect to my EC2 Linux instance?
I want to know what options are available for connecting to my Amazon Elastic Compute Cloud (Amazon EC2) Linux instance.
Short description
There are four methods for connecting to Amazon EC2 Linux instances:
- Secure Shell (SSH)
- EC2 serial console for Linux instances
- Session Manager, a capability of AWS Systems Manager
- Amazon EC2 Instance Connect
Resolution
SSH
Limitations:
- SSH doesn't have built-in connection logging and audit.
- AWS deploys a single key pair for authenticating through SSH to each EC2 instance.
- If you lose the key pair, then you can't regenerate it. For more information, see How can I connect to my Amazon EC2 instance if I lost my SSH key pair after its initial launch?
Important: Make sure that you complete all prerequisites before connecting to your instance.
Method 1: Use a terminal window
Open a terminal window (Linux or macOS), and then run the SSH command to connect to the instance.
Use the public domain name:
ssh -i /path/key-pair-name.pem instance-user-name@instance-public-dns-name
Use the public IPv4 address:
ssh -i /path/key-pair-name.pem instance-user-name@instance-public-IPv4-address
Use the public IPv6 address:
ssh -i /path/key-pair-name.pem instance-user-name@instance-IPv6-address
For more information, see Connect to your Linux instance using an SSH client.
Method 2: Use OpenSSH from Windows
1. Run the following command to use PowerShell to install OpenSSH for Windows.
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
Note: To install OpenSSH, you must run PowerShell as administrator.
2. Run the SSH command to connect to your instance:
Use the public domain name:
ssh -i /path/key-pair-name.pem instance-user-name@instance-public-dns-name
Use the public IPv4 address:
ssh -i /path/key-pair-name.pem instance-user-name@instance-public-IPv4-address
Use the public IPv6 address:
ssh -i /path/key-pair-name.pem instance-user-name@instance-IPv6-address
Method 3: Use PuTTY from Windows
1. Use PuTTYgen to convert your private key.
2. Use PuTTY to connect to your instance.
3. Start PuTTY.
4. Under Category, choose Session.
5. For Host Name, enter the username/hostname combination:
Use the public domain name:
instance-user-name@instance-public-dns-name
Use the public IPv4 address:
instance-user-name@instance-IPv4-address
Use the public IPv6 address:
instance-user-name@instance-IPv6-address
6. Make sure that the Port value matches the SSH service port (22 default).
7. For Connection type, choose SSH.
8. Under Category, expand Connection, expand SSH, and then choose Auth.
9. Choose Browse, and then select the .ppk file that you generated for your key pair.
10. Choose Open.
Note: The first time you connect to an instance, you must confirm that you trust the remote host.
EC2 serial console for Linux instances
The EC2 serial console establishes a serial connection to EC2 instances that allows you to troubleshoot boot and network connectivity issues.
Limitations:
- Only one active serial console connection is supported per instance.
- There must be at least a 30 second interval between sessions.
- There is a slight drop in your instance's throughput during the EC2 serial console session.
- Xen instances aren't supported.
- The EC2 serial console isn't supported for Wavelength Zones and AWS Outposts.
- The EC2 serial console is supported in only certain AWS Regions.
Important: Make sure that you complete all prerequisites before connecting using the EC2 serial console.
Method 1: Use the browser-based client
1. Open the EC2 console.
2. Choose Instances.
3. Select your instance, and then choose Actions, Monitor and troubleshoot, EC2 Serial Console, Connect. Or, choose the instance, and then select Connect, EC2 Serial Console, Connect.
4. When the in-browser terminal window opens, press Enter. If a login prompt appears, then enter the username of the password-based user, and then press Enter.
At the Password prompt, enter the password, and then press Enter.
Method 2: Use SSH
1. Push your SSH public key to the instance to start a serial console session:
aws ec2-instance-connect send-serial-console-ssh-public-key \
    --instance-id i-0123456789EXAMPLE \
    --serial-port 0 \
    --ssh-public-key file://my_key.pub \
    --region us-east-1
Note: In the preceding example command, make sure that you add the file:// prefix to the SSH public key path.
2. Use your private key to connect to the serial console:
ssh -i my_key i-0123456789EXAMPLE.port0@serial-console.ec2-instance-connect.us-east-1.aws
3. (Optional) Verify the fingerprint. Compare the fingerprint that appears the first time that you connect to the serial console with the unique EC2 serial console fingerprint for the Region.
4. If a prompt returns, then enter the username of the password-based user, and then press Enter.
5. At the Password prompt, enter the password, and then press Enter.
Session Manager
Session Manager allows secure access to the managed nodes without opening inbound ports, or managing an SSH key. You can use AWS CloudTrail events to audit Session Manager sessions, and control the sessions with AWS Identity and Access Management (IAM) policies.
Limitations:
- You can't transfer files with Session Manager.
Note: Instead, use an S3 bucket and the AWS CLI to exchange data.
- Logging isn't available for Session Manager sessions that connect through port forwarding or SSH. This is because SSH encrypts all session data, and Session Manager serves only as a tunnel for SSH connections.
- AWS Systems Manager isn't supported for all operating systems (OS). For more information, see Supported operating systems.
Important: Make sure that you complete all prerequisites before using Session Manager to connect to your instance.
It's a best practice to create VPC endpoints to use with Systems Manager.
Use the Systems Manager console to connect
- Open the Systems Manager console.
- Choose Session Manager.
- Choose Start session.
- (Optional) Enter a session description in the Reason for session field.
- Select the managed node that you want to connect to, and then choose Start session to immediately launch the session.
-or-
- (Optional) Use a custom document to configure session settings, including duration, encryption, and logging:
  - For Session options, choose Next.
  - For Session document, select the document that you want to run when the session starts. If your document supports runtime parameters, then you can enter one or more comma-separated values in each parameter field.
  - Choose Next.
  - Choose Start session.
Use the EC2 console to connect
- Open the EC2 console.
- Choose Instances.
- Select the instance, and then choose Connect.
- For Connection method, choose Session Manager.
- Choose Connect.
Use the AWS CLI to connect
Note:
- If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.
- To use the AWS CLI to run session commands, you must install the Session Manager plugin on your local machine.
Run the following command:
aws ssm start-session --target instance-id
Use SSH over Session Manager to connect
Requirements:
- You must configure your target-managed instances to support SSH connections.
- The AWS Systems Manager Agent (AWS SSM Agent) version that's running must be 2.3.672.0 or later.
- You have access to the Privacy Enhanced Mail (PEM) private key file for the instance's key pair, and can use the OS account that's associated with it to connect. For example, user account "ubuntu" for Ubuntu managed nodes.
To use SSH to start a session, run the following command:
ssh -i /path/my-key-pair.pem username@instance-id
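The ssh command above only resolves an instance ID as a host if OpenSSH is told to tunnel through Session Manager. The following added example (not part of the AWS article) writes the ProxyCommand stanza that does this into an ssh config file; it assumes the AWS CLI and the Session Manager plugin are installed locally and that the instance meets the requirements listed above.

```shell
#!/bin/sh
# Added example: route `ssh user@i-...` through Session Manager instead of
# an inbound port 22. Assumes the AWS CLI and Session Manager plugin exist.
set -eu

# The stanza OpenSSH needs. %h is the host given on the command line (the
# instance ID) and %p the port; both go to the AWS-StartSSHSession document.
ssm_ssh_stanza() {
  cat <<'EOF'
# SSH over AWS Systems Manager Session Manager (no inbound port 22 needed)
Host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
    IdentitiesOnly yes
EOF
}

# Append the stanza to an ssh config file exactly once. $1 = config path.
# Safe to run repeatedly: a file that already has the stanza is left alone.
write_ssm_ssh_config() {
  f="$1"
  if [ -f "$f" ] && grep -q 'AWS-StartSSHSession' "$f"; then
    return 0
  fi
  ssm_ssh_stanza >> "$f"
  chmod 600 "$f"   # ssh refuses config files that other users can write
}

# Usage:
#   write_ssm_ssh_config "$HOME/.ssh/config"
#   ssh -i /path/my-key-pair.pem ubuntu@i-0123456789EXAMPLE
```

Because the traffic is an SSH stream inside the Session Manager tunnel, these sessions are not logged by Session Manager, as noted in the limitations above; CloudTrail still records the StartSession call.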
Amazon EC2 Instance Connect
EC2 Instance Connect allows secure access to your instance through SSH. EC2 Instance Connect provides multiple options to connect to your instance without sharing your SSH keys.
Limitations:
- EC2 Instance Connect has limited support for Linux distributions.
- The AuthorizedKeysCommand and AuthorizedKeysCommandUser settings must not already be configured.
- EC2 Instance Connect isn't supported in Local Zones.
- A public IPv4 address is mandatory to connect when you use the Amazon EC2 console.
- EC2 Instance Connect doesn't support using an IPv6 address to connect.
Important: Make sure that you complete all prerequisites before using Amazon EC2 Instance Connect.
Use the Amazon EC2 console to connect (only for instances with IPv4 Public address)
1. Open the Amazon EC2 console.
2. In the navigation pane, choose Instances.
3. Select the instance, and then choose Connect.
4. Choose EC2 Instance Connect.
5. Verify the username, and then choose Connect to open a terminal window.
Use your own key and SSH client to connect
Note: You must install the EC2 Instance Connect CLI on the instance that you're connecting to.
1. Run the following command to generate new SSH private and public keys:
ssh-keygen -t rsa -f my_key
2. Push your SSH public key to the instance:
Amazon Linux:
aws ec2-instance-connect send-ssh-public-key \
    --region us-west-2 \
    --instance-id i-0123456789Amzn \
    --instance-os-user ec2-user \
    --ssh-public-key file://my_key.pub
Ubuntu:
aws ec2-instance-connect send-ssh-public-key \
    --region us-west-2 \
    --instance-id i-0123456789Ubuntu \
    --instance-os-user ubuntu \
    --ssh-public-key file://my_key.pub
Note: In the preceding example command, make sure that you add the file:// prefix to the SSH public key path.
3. Use your private key to connect to the instance:
Amazon Linux:
ssh -o "IdentitiesOnly=yes" -i my_key ec2-user@instance-public-dns-name
Ubuntu:
ssh -o "IdentitiesOnly=yes" -i my_key ubuntu@instance-public-dns-name
Note: A standard Amazon EC2 instance public DNS name looks similar to ec2-12-34-56-78.us-west-2.compute.amazonaws.com. The name consists of the AWS domain, the service (compute, in this example), the Region, and a form of the public IP address.
Use the EC2 Instance Connect CLI to connect
Amazon Linux:
$ mssh i-0123456789Amzn
Ubuntu:
$ mssh ubuntu@i-0123456789Ubuntu
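The "Use your own key and SSH client" steps above push a key that EC2 Instance Connect accepts for only 60 seconds, so there is no reason to keep that key around. This added script (not part of the AWS article) wraps those steps with a throwaway key that is generated per session and deleted when the session ends; the distro names, function names, and the us-west-2 default are assumptions for illustration.

```shell
#!/bin/sh
# Added example: EC2 Instance Connect with a per-session key. Assumes the AWS
# CLI, ssh-keygen and ssh are installed and credentials are configured.
set -eu

# OS login user for the distributions covered by the article above.
eic_os_user() {
  case "$1" in
    amazon) echo ec2-user ;;
    ubuntu) echo ubuntu ;;
    *) echo "unknown distro: $1" >&2; return 1 ;;
  esac
}

# Build the send-ssh-public-key command as a string so it can be inspected
# without calling AWS. $1=region $2=instance-id $3=os-user $4=public key path
eic_push_cmd() {
  printf 'aws ec2-instance-connect send-ssh-public-key --region %s' "$1"
  printf ' --instance-id %s --instance-os-user %s' "$2" "$3"
  printf ' --ssh-public-key file://%s' "$4"
}

# $1=distro (amazon|ubuntu) $2=instance-id $3=instance public DNS name
# $4=region (optional, defaults to us-west-2 as in the article's examples)
eic_connect() {
  user=$(eic_os_user "$1")
  region="${4:-us-west-2}"
  dir=$(mktemp -d)
  trap 'rm -rf "$dir"' EXIT            # the private key never outlives the session
  ssh-keygen -q -t ed25519 -N '' -f "$dir/key"
  eval "$(eic_push_cmd "$region" "$2" "$user" "$dir/key.pub")"   # valid for 60 s
  # IdentitiesOnly keeps ssh from offering every key in your agent first.
  ssh -o IdentitiesOnly=yes -i "$dir/key" "$user@$3"
}

# Usage: eic_connect ubuntu i-0123456789Ubuntu ec2-12-34-56-78.us-west-2.compute.amazonaws.com
```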