
How do I access my EC2 macOS instance through a GUI?


I have an Amazon Elastic Compute Cloud (Amazon EC2) macOS instance on a Dedicated Host. I want to access the instance through a graphical user interface (GUI).

Resolution

The following steps are tested on macOS Ventura 13.7.5, macOS Sonoma 14.7.5, and macOS Sequoia 15.4.1.

Important: Run the SSH session even when you're in a remote session.

Connect to your EC2 macOS instance

Use SSH to connect to your Amazon EC2 macOS instance.

Linux

To use SSH to connect to your EC2 macOS instance as ec2-user, run the following command:

ssh -i keypair_file ec2-user@Instance-Public-IP

Note: Replace keypair_file with your key pair, and Instance-Public-IP with the public IP address of your instance.

Windows

Windows 10 and later have an OpenSSH client installed by default. To activate the OpenSSH client, complete the following steps:

  1. Choose Settings.
  2. Choose Apps, and then choose Apps & features.
  3. Choose Manage optional features.
  4. Choose Add a feature, and then select OpenSSH Client.

If you're using an earlier version of Windows, then use Git Bash to run the following command:

ssh -i keypair_file ec2-user@Instance-Public-IP

Note: When the instance is in a public subnet, you can make it accessible through a public IP address or an Elastic IP address. To connect the instance through a private IP address, use a bastion or jump server. Or, use AWS VPN or AWS Direct Connect to establish a connection to your instance through a private IP address. It's a best practice to use SSH to tunnel traffic to the macOS screen sharing service. It's also a best practice to not open VNC ports in your security groups.

Turn on the macOS screen sharing service

To turn on and start the macOS screen sharing service, run the following commands in your SSH session on the macOS instance:

sudo launchctl enable system/com.apple.screensharing 
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.screensharing.plist

To set a password for ec2-user, run the following command:

sudo passwd ec2-user

Confirm that the operating system (OS) is listening on port 5900:

sudo lsof -i -n -P | grep TCP | grep 5900

Port 5900 is the default for VNC servers.

Expected output:

launchd 1 root 15u IPv6 0xa78dfebd53aa990a 0t0 TCP *:5900 (LISTEN)
launchd 1 root 16u IPv4 0x7a1b35dd60e49ee6 0t0 TCP *:5900 (LISTEN)
launchd 1 root 19u IPv6 0xa78dfebd53aa990a 0t0 TCP *:5900 (LISTEN)
launchd 1 root 20u IPv4 0x7a1b35dd60e49ee6 0t0 TCP *:5900 (LISTEN)

Exit from the session.

Connect to your instance through the GUI

You can connect to the GUI either through localhost or through the instance's public IP address or DNS name.

Use localhost

Note: Before you connect to the GUI, you might have to turn off screen sharing on your local Mac machine. This is because both your local machine's screen sharing and the Amazon EC2 connection try to use port 5900 and cause a conflict. To turn off screen sharing, choose System Preferences, choose General, and then choose Screen Sharing. Set screen sharing to OFF.

Complete the following steps:

  1. To create an SSH tunnel to the VNC port, run the following command:
    ssh -i keypair_file -L 5900:localhost:5900 ec2-user@Instance-Public-IP
    Note: Replace keypair_file with your SSH key path. Replace Instance-Public-IP with your instance's IP address or the DNS name. Or if you connect through a private network, then you can also use your private IP address.
  2. Use a VNC client to connect to localhost:5900.
    macOS
    macOS has a built-in VNC client. To access the VNC viewer, open Finder, choose Go, and then choose Connect to Server. Or, use the keyboard shortcut CMD + K. Then, for Server Address, enter vnc://localhost:5900.
    Windows
    You can use a third-party VNC client such as RealVNC Viewer. If you use the RealVNC Viewer client, then from the File dropdown list, select New Connection. For VNC Server, enter localhost:5900. For Encryption, select Let VNC Server Choose, and then choose OK. Other clients, such as TightVNC on Windows, don't work with this resolution.
    Note: You might experience authentication errors when you connect to RealVNC Viewer. To resolve this issue, change the Encryption setting from Prefer On to Prefer Off, or from Prefer Off to Prefer On.
    Linux
    You can use a third-party VNC client such as Remmina. To download the tool, see How to install Remmina on the Remmina website.
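
Added example (not part of the original AWS article): a POSIX shell helper that reads lsof -i -n -P output and reports which process listens on a port and on which interfaces, using an exact port match rather than grep 5900. It serves both the port 5900 listening check on the instance and the local port 5900 conflict described in the note above. The function names are hypothetical, and the workstation sample lines (users, PIDs, device fields) are constructed.

```shell
#!/bin/sh
# Added example. Function names and the workstation sample are hypothetical/constructed.
# Real use:  sudo lsof -i -n -P | classify_listeners 5900

# Print one "<command> <scope>" line per unique TCP listener on the given port.
#   all-interfaces : bound to *, 0.0.0.0 or [::]  (reachable from the network)
#   loopback       : bound to 127.0.0.1 or [::1]  (local only, e.g. an ssh -L forward)
#   specific       : bound to one other address
classify_listeners() {
    awk -v port="${1:-5900}" '
        $NF == "(LISTEN)" && $(NF-2) == "TCP" {
            name = $(NF-1)                       # e.g. *:5900 or [::1]:5900
            n = split(name, parts, ":")
            if ((parts[n] "") != (port "")) next # exact port match; 15900 is skipped
            addr = substr(name, 1, length(name) - length(parts[n]) - 1)
            if (addr == "*" || addr == "0.0.0.0" || addr == "[::]") scope = "all-interfaces"
            else if (addr == "127.0.0.1" || addr == "[::1]")        scope = "loopback"
            else                                                     scope = "specific"
            key = $1 " " scope
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# Succeeds when something already listens on the port, in which case
# ssh -L <port>:localhost:5900 cannot bind it on the workstation.
local_port_in_use() {
    [ -n "$(classify_listeners "${1:-5900}")" ]
}

# Instance-side lines, taken from the expected output shown in the article.
INSTANCE_SAMPLE='launchd 1 root 15u IPv6 0xa78dfebd53aa990a 0t0 TCP *:5900 (LISTEN)
launchd 1 root 16u IPv4 0x7a1b35dd60e49ee6 0t0 TCP *:5900 (LISTEN)'

# Constructed workstation lines: an active tunnel plus an unrelated port 15900.
WORKSTATION_SAMPLE='ssh 4242 alice 5u IPv6 0x0 0t0 TCP [::1]:5900 (LISTEN)
ssh 4242 alice 6u IPv4 0x0 0t0 TCP 127.0.0.1:5900 (LISTEN)
node 777 alice 9u IPv4 0x0 0t0 TCP *:15900 (LISTEN)'

printf '%s\n' "$INSTANCE_SAMPLE"    | classify_listeners 5900
printf '%s\n' "$WORKSTATION_SAMPLE" | classify_listeners 5900
```

On the instance, launchd on all interfaces matches the expected output, so the security group is what decides who can reach port 5900. On the workstation, a tunnel created with -L 5900:localhost:5900 shows ssh on loopback only.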

Use a public IP address or DNS

If you don't want to turn on screen sharing on your Mac, then use a public IP address or DNS to connect to the instance through the GUI.

Run the following command:

ssh -i keypair_file ec2-user@Instance-Public-IP

Then, follow step 2 in the Localhost section to access the VNC viewer and connect:

vnc://Instance-Public-IP:5900 or vnc://Instance-DNS-address:5900

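Note: To connect over a public IP address, allow port 5900 in your security group rules. This differs from the localhost method, which follows the best practice stated earlier of tunneling screen sharing traffic through SSH and not opening VNC ports in your security groups.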

After the macOS GUI launches, connect to the remote session of the macOS instance as ec2-user with the new password that you created.

Related information

How do I install a GUI on my Amazon EC2 instance that's running Amazon Linux 2?

Connect to your Mac instance using SSH or a GUI

amazon-ec2-mac-getting-started on the GitHub website

AWS OFFICIAL. Updated 4 months ago