Fast Guide to Launching an EC2 Instance w/ SSH Access

AWS, ec2, ssh, Windows

Concepts

Minimal number of concepts to understand:

  • Key pair — a public/private key pair used to authenticate the SSH session to the launched EC2 instance. AWS keeps only the public half and writes it to the instance's authorized_keys at first boot; the private half is downloaded once and never leaves your machine.
  • Security group — a set of access rules that determine what network traffic can go into (inbound rules) and out of (outbound rules) the EC2 instance.
  • IAM role — a set of permission policies that determine which AWS services the EC2 instance can call, and with what kind of access (e.g. read-only access to S3). The instance obtains short-lived credentials for the role from its metadata service, so no access keys need to be copied onto it.
  • AMI — an image that prescribes the OS and software an EC2 instance boots with.

Shared Key Pair

The only thing shared between EC2 and your SSH client that matters in this example is the key pair: AWS places the public key on the instance, and the SSH client presents the matching private key. The instructions here describe how to create a new key pair.

Creating a Key Pair

  • Log into the AWS console. The remaining steps to launch an instance will be done in the AWS Console.
  • Access Services > EC2 > Key Pairs from AWS Console.
  • Click “Create Key Pair”
  • Give it a name “KP”
  • Once it's created, a ".pem" file (the private key) will be downloaded. Remember the name and where the file is downloaded; it will be needed later. This is the only chance to get the private key: AWS does not keep a copy, so if the file is lost the key pair must be recreated.

Create a Security Group

  • Access Services > EC2 > Security Groups
  • Click “Create Security Group” to create a security group. Name it “SG.”
  • In the "Inbound" rules, add an entry for Type SSH, Protocol TCP, Port Range 22. For the Source, select "My IP" to let the console fill in your current public address as a /32. If that address changes (dynamic or mobile connections), the rule will need updating; widen it only to the range you actually come from, never to 0.0.0.0/0.
  • Add other rules to open up more ports as needed, each scoped to as small a source range as the use case allows.

Create an IAM Role

  • Access Services > Security, Identity, & Compliance > IAM > Roles
  • Click “Create Role” and select “EC2” (as opposed to Lambda)
  • Click “Next: Permissions”
  • Add permissions as needed (e.g. add “AmazonS3ReadOnlyAccess” if read-only access to S3 is needed).
  • Give the role a name and description.

Launch Instance

  • Access Services > EC2 > EC2 Dashboard
  • Click “Launch Instance”
  • Select an appropriate AMI (e.g. any of the Amazon Linux ones) to use for the EC2 instance. For the instance type, start with “t2.nano” to experiment with since it’s cheapest. Once the instance is up and running, larger instance types can be used as needed.
  • Click “Next: Configure Instance Details.”
  • For IAM role, select the role created above. Everything else can stay as-is.
  • Click “Next: Add Storage.”
  • Edit as desired, but the default is fine.
  • Click “Next: Add Tags.”
  • Add tags as needed. These are optional.
  • Click “Next: Configure Security Group.”
  • Choose “Select an existing security group” and select the security group “SG” created above.
  • Click “Review and Launch.”
  • Click “Launch” after everything looks right.
  • A modal comes up to allow selection of a key pair to use to access the instance. Select “KP” as created above.
  • Continue the launch.
  • Click on the “i-xxxxxxxxx” link to see the status of the instance.
  • Wait until Instance State is “running” and Status Checks is “2/2.”
  • Note the "Public DNS (IPv4)" value. It is the host name to SSH into. (It is only populated when the subnet assigns a public IP, which the default VPC does.)
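The same procedure (key pair, security group, IAM role, launch, wait for 2/2 checks, read the public DNS name) driven by the AWS CLI, as an added example that is not part of the original guide. It assumes AWS CLI v2 with working credentials, a default VPC in the region, and that you are happy with the names KP, SG and EC2-S3-ReadOnly, the t2.nano instance type and the public SSM parameter used to look up the latest Amazon Linux 2023 AMI; all of these are our choices, not the page's. One thing the console hides is that an instance needs an instance profile wrapping the role; the CLI makes that step explicit.

```shell
#!/bin/sh
# Added example (not from the original guide): launch an EC2 instance with
# SSH access using the AWS CLI. Assumes: AWS CLI v2, credentials in place,
# a default VPC. Names below (KP, SG, EC2-S3-ReadOnly) and the SSM AMI
# parameter are our assumptions, override them via the environment.
set -eu

KEY_NAME=${KEY_NAME:-KP}
SG_NAME=${SG_NAME:-SG}
ROLE_NAME=${ROLE_NAME:-EC2-S3-ReadOnly}
INSTANCE_TYPE=${INSTANCE_TYPE:-t2.nano}
# Public SSM parameter that resolves to the latest Amazon Linux 2023 AMI in the region
AMI_PARAM=${AMI_PARAM:-/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64}
IAM_SETTLE=${IAM_SETTLE:-10}   # seconds to let a new instance profile propagate

log() { printf '%s\n' "$*" >&2; }

# The console's "My IP": a /32 of our current public address.
my_ip_cidr() {
  printf '%s/32\n' "$(curl -fsS https://checkip.amazonaws.com)"
}

# Key pair: the private key exists only in this one API response, so write it
# under a restrictive umask and lock it to owner-read before anything else.
create_key_pair() {
  local pem="$1/$KEY_NAME.pem"
  ( umask 077
    aws ec2 create-key-pair --key-name "$KEY_NAME" --key-type ed25519 \
        --query KeyMaterial --output text > "$pem" )
  chmod 400 "$pem"
  printf '%s\n' "$pem"
}

# Security group: inbound SSH from our /32 only; egress keeps the default allow-all.
create_security_group() {
  local sg
  sg=$(aws ec2 create-security-group --group-name "$SG_NAME" \
         --description "SSH from my IP" --query GroupId --output text)
  aws ec2 authorize-security-group-ingress --group-id "$sg" \
      --protocol tcp --port 22 --cidr "$(my_ip_cidr)" >/dev/null
  printf '%s\n' "$sg"
}

# IAM role trusted by EC2, with read-only S3, wrapped in an instance profile.
create_instance_role() {
  local trust='{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
  aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "$trust" >/dev/null
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
      --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME" >/dev/null
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" \
      --role-name "$ROLE_NAME"
}

latest_ami() {
  aws ssm get-parameters --names "$AMI_PARAM" \
      --query 'Parameters[0].Value' --output text
}

# Runs every step above; progress goes to stderr, the public DNS name to stdout.
launch_ec2_ssh_instance() {
  local dir=${1:-$PWD} pem sg ami id host
  pem=$(create_key_pair "$dir");  log "private key: $pem"
  sg=$(create_security_group);    log "security group: $sg"
  create_instance_role;           log "role + instance profile: $ROLE_NAME"
  sleep "$IAM_SETTLE"             # IAM is eventually consistent
  ami=$(latest_ami)
  id=$(aws ec2 run-instances --image-id "$ami" --instance-type "$INSTANCE_TYPE" \
         --key-name "$KEY_NAME" --security-group-ids "$sg" \
         --iam-instance-profile "Name=$ROLE_NAME" \
         --query 'Instances[0].InstanceId' --output text)
  log "instance $id: waiting for 2/2 status checks"
  aws ec2 wait instance-status-ok --instance-ids "$id"
  host=$(aws ec2 describe-instances --instance-ids "$id" \
           --query 'Reservations[0].Instances[0].PublicDnsName' --output text)
  printf '%s\n' "$host"
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
if [ "${EC2_LAUNCH:-0}" = 1 ]; then
  launch_ec2_ssh_instance "${1:-$PWD}"
fi
```

Run it as `EC2_LAUNCH=1 sh launch.sh ~/keys`; it prints the host name to pass to ssh, with the private key already at mode 400 in the directory given. The sleep exists because a freshly created instance profile is sometimes not yet visible to run-instances; if you still get an invalid-profile error, wait and rerun just the run-instances call.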

Connecting to The EC2 Instance

Windows with Bitvise SSH Client

  • Download and start Bitvise SSH Client.
  • Click “New profile”
  • Go to “Login” tab
  • Click the link “Client key manager”
  • Click “Import”
  • Change file filter to (*.*)
  • Locate the .pem file downloaded above and import it. Accept default settings.
  • In the “Server” tab, enter the Public DNS host name from above. Use port 22.
  • In the "Authentication" section, enter "ec2-user" as the Username (the default login for Amazon Linux AMIs; other AMIs use a different one, e.g. "ubuntu" on Ubuntu images).
  • Use “publickey” as the Initial Method.
  • For “Client key,” select the profile created earlier when importing the .pem file.
  • Click “Log in” and confirm any dialogs.

Mac OS

Change the permission of the downloaded .pem file so that only the owner can read it. This is not optional: ssh refuses to use a private key that is readable by group or others.

chmod 400 ~/Downloads/mykey.pem

Use ssh with the .pem file:

ssh -i ~/Downloads/mykey.pem ec2-user@xx-xx-xx-xx.yyyy.amazonaws.com
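The ssh command above trusts whatever host key answers on port 22 the first time it connects. An added example, not part of the original guide: a wrapper that refuses a private key readable by anyone else (the same check ssh performs) and verifies the instance's SSH host key against the fingerprints cloud-init writes to the instance console at first boot (visible with aws ec2 get-console-output), so the first connection is not trust-on-first-use. It assumes the AWS CLI, ssh-keyscan and ssh-keygen are on PATH; the function names and the sample console text used in testing are ours.

```shell
# Added example (not from the original guide). Assumes: AWS CLI, ssh-keyscan,
# ssh-keygen. Function names are ours. Source this file, then call
#   ec2_ssh <instance-id> <public-dns> ~/Downloads/mykey.pem [user]

file_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }   # GNU stat, else BSD/macOS

# ssh rejects a private key with any group/other permission bits; fail the same way, early.
check_key_file_mode() {
  local mode
  mode=$(file_mode "$1")
  if [ $(( 0$mode & 077 )) -ne 0 ]; then
    printf 'refusing %s: mode %s is too open, run: chmod 400 %s\n' "$1" "$mode" "$1" >&2
    return 1
  fi
}

# Read a console log on stdin; print the SHA256 fingerprints found between the
# "-----BEGIN/END SSH HOST KEY FINGERPRINTS-----" markers, one per line, sorted.
console_host_key_fingerprints() {
  sed -n '/BEGIN SSH HOST KEY FINGERPRINTS/,/END SSH HOST KEY FINGERPRINTS/p' \
    | grep -o 'SHA256:[A-Za-z0-9+/=]*' | sort -u
}

# Succeeds only if every fingerprint in $2 (what the host presented) appears in
# $1 (what the console logged). An empty scan result fails closed.
fingerprints_match() {
  local fp
  [ -n "$2" ] || return 1
  for fp in $2; do
    printf '%s\n' "$1" | grep -qxF -- "$fp" || return 1
  done
}

# usage: ec2_ssh <instance-id> <public-dns> <pem> [login user]
ec2_ssh() {
  local id=$1 host=$2 pem=$3 user=${4:-ec2-user} keys expected actual rc=0
  check_key_file_mode "$pem"
  keys=$(mktemp)
  # known_hosts-format lines for whatever key(s) the host presents right now
  ssh-keyscan -T 5 -t ed25519,ecdsa,rsa "$host" > "$keys" 2>/dev/null || true
  actual=$(ssh-keygen -lf "$keys" 2>/dev/null | grep -o 'SHA256:[A-Za-z0-9+/=]*' | sort -u)
  expected=$(aws ec2 get-console-output --instance-id "$id" --query Output --output text \
               | console_host_key_fingerprints)
  if fingerprints_match "$expected" "$actual"; then
    # trust exactly the verified keys for this session and nothing else
    ssh -i "$pem" -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile="$keys" "$user@$host" || rc=$?
  else
    printf 'host key of %s does not match the console log; not connecting\n' "$host" >&2
    rc=1
  fi
  rm -f "$keys"
  return $rc
}
```

IdentitiesOnly=yes stops ssh from also offering every key in your agent, which on a busy workstation can exhaust the server's MaxAuthTries before the .pem key is ever tried. The console fingerprints only appear in the first boot's output, so run this before the instance has been up long enough for the console buffer to roll over.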

EC2: “chmod ugo+rw ~” breaks SSH

AWS, ec2, programming, ssh

“chmod go+rw ~” breaks SSH

Quick note: running

chmod go+rw /home/ec2-user

breaks all subsequent attempts to SSH into the EC2 instance as ec2-user (with StrictModes on, which is the sshd default).

When all the usual suspects regarding SSH identity files, key pairs, etc., have been ruled out, one easily overlooked cause of the dreaded

Permission denied (publickey).

error is that the default permissions on /home/ec2-user were modified. With StrictModes enabled, sshd refuses to read ~/.ssh/authorized_keys when the home directory, ~/.ssh, or the file itself is group- or world-writable or owned by someone else, and logs "Authentication refused: bad ownership or modes for directory /home/ec2-user" to /var/log/secure on the instance.

The permissions can be modified temporarily in order to perform some tasks. However, before exiting that SSH session, be sure to restore the original mode (0700, owner-only) on that home directory, lest all subsequent SSH attempts fail. The same rule applies to ~/.ssh (0700) and ~/.ssh/authorized_keys (0600); the EC2 console's serial/EC2 Instance Connect session or a rescue volume is the only way back in if you forget.
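A small diagnostic reproducing sshd's StrictModes rule, as an added example that is not part of the original note: it reports which of the home directory, ~/.ssh and authorized_keys would make sshd refuse the key, and a companion function restores the expected modes. It assumes GNU stat (as on the Amazon Linux AMIs) with a BSD/macOS fallback; the function names are ours.

```shell
# Added example (not from the original note). Run on the instance, e.g.
#   strictmodes_violations /home/ec2-user ec2-user
# before closing the session in which you loosened the permissions.

file_mode()  { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }   # GNU stat, else BSD/macOS
file_owner() { stat -c %u "$1" 2>/dev/null || stat -f %u "$1"; }    # numeric uid

# Print one line per path sshd would reject for user $2 under home $1:
# group- or world-writable (mode & 022), or owned by neither the user nor root.
# Prints nothing when everything is as sshd expects.
strictmodes_violations() {
  local home=$1 uid path mode owner
  uid=$(id -u "$2")
  for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
    [ -e "$path" ] || continue
    mode=$(file_mode "$path")
    owner=$(file_owner "$path")
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
      printf '%s: mode %s is group/world writable\n' "$path" "$mode"
    elif [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
      printf '%s: owned by uid %s, not %s\n' "$path" "$owner" "$uid"
    fi
  done
}

# Put the modes back to what the AMI ships: home 0700, ~/.ssh 0700, authorized_keys 0600.
fix_ssh_home_modes() {
  chmod 700 "$1"
  [ -d "$1/.ssh" ] && chmod 700 "$1/.ssh"
  [ -f "$1/.ssh/authorized_keys" ] && chmod 600 "$1/.ssh/authorized_keys"
  return 0
}
```

If the check prints nothing and logins still fail, look at /var/log/secure on the instance; sshd names the exact path it rejected, including parent directories above the home directory, which this check does not walk.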