
How to Connect to Your Amazon EC2 Linux Instance securely through SSH


Remote instance management and configuration demand a reliable connection method, and Secure Shell (SSH) steps in as the trusted solution. SSH offers a secure pathway to remotely access and configure instances (EC2), ensuring data integrity and confidentiality.

With SSH, users can effortlessly establish connections to remote instances, enabling seamless management and configuration tasks. This article explores the various options available for connecting to EC2 (Elastic Compute Cloud) instances remotely, empowering users to maintain and optimize their digital infrastructure with ease.

Prerequisites

  • Have an active AWS account with billing enabled.
  • Have a running EC2 instance to connect to; if you don’t have one, check Setup EC2 instance. If you just started your EC2 instance, allow some time for it to be up and running before you connect to it.
  • Have downloaded, and be able to access, the private key file for connecting to your EC2 instance (usually a .pem file); otherwise, check out I’ve lost my private key. How can I connect to my Linux instance?

Browser-based SSH connection

You can connect to your instance from the browser, using a command line that the AWS instance management console opens for you. This option is very easy to work with because you don’t need to run commands or install tools to use it; you don’t even need to open the command line on your computer. AWS does the whole setup and authentication for you in your browser.

At the time of this writing, this method only works for Amazon Linux 2 instances.

Follow the steps below to use the browser-based SSH connection

  • Open your instance details page, where you see your instance details: type, IPv4 address and IPv4 DNS address.
  • Click on Connect from the top left side of the screen.
  • Select EC2 Instance Connect from the top options, then select Connect using EC2 Instance Connect.
  • Change the username there; the default is root, so use the username of your instance. Check the Troubleshooting section at the bottom of the article to see the username for various instance types.
  • Click on Connect; a new window opens with a browser-based command line. When connected, you should see your IPv4 address in the command line prompt.
  • Type whoami to confirm you are now connected.

You can now configure and manage your EC2 instance remotely from your local computer.

If this did not work, then you are not using an Amazon Linux 2 instance.

Connecting remotely from a Windows machine

There are several options for connecting from a Windows machine, mainly because Windows does not have a built-in SSH tool. These are four common options.

Using Git native SSH tool

Since Windows lacks native SSH support, Git installation offers a solution by including the Unix SSH tool. This option facilitates easy remote server connections for Windows users.

Check out my comprehensive guide for step-by-step instructions and troubleshooting tips, Connect your instance to EC2 server remotely through SSH.

Using OpenSSH

  • Run this command to install OpenSSH on your system:
    Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
    You should get the result below:
    Path :
    Online : True
    RestartNeeded : False
  • Run the following command in your Windows command line or PowerShell to connect to your instance:
    ssh -i /path/key-pair-name.pem instance-user-name@instance-public-dns-name
    * Replace /path/key-pair-name.pem with the actual path to your downloaded key pair file.
    * Replace instance-user-name with the username of your instance. There are many options for the username, but Bitnami worked for me because I was hosting a WordPress website on my instance.
    * Replace instance-public-dns-name with the public IPv4 DNS address of your instance; it’s usually in the form ec2-IPV4-address.region-zone.compute.amazonaws.com
  • On first connecting, you will get a warning asking you to confirm that the fingerprint of your instance key and the one shown on screen match; this is to ensure that no man-in-the-middle attack is being carried out on your connection. Enter YES.
  • After successfully connecting to your EC2 instance and making changes to it, you can uninstall OpenSSH if you won’t need it again, with this command:
    Remove-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

Check out the AWS documentation for a more detailed description of connecting to a Linux server with OpenSSH.

Using Windows Subsystem for Linux (WSL)

After you launch your instance, you can connect to it and use it to carry out all the management and configuration you need to do. 

Note that this is the most stressful of the options, mainly because installing WSL is a painful and stressful process; it will take you to places on your computer you don’t want to go unless you plan on becoming a system admin. If you don’t plan on using WSL for something else, I advise you not to use this option. I originally had WSL because I use it for practicing Linux commands.

WSL is free to download and enables you to run native Linux command line tools directly on Windows, alongside your traditional Windows desktop, without the overhead of a virtual machine. Note that in WSL you are only simulating a Linux command line on your Windows machine, so it is not a virtual machine.


By installing WSL, you can use a native Linux environment to connect to your Linux EC2 instances. The Linux environment makes it easier to connect to your Linux instances because it comes with a native SSH client that you can use to connect to your Linux instances and change the permissions of the .pem key file.  

  • Install WSL; follow the Windows Subsystem for Linux Installation Guide to do the installation.
  • Open the WSL Linux command line, like you would open your Windows command line.
  • Get the IPv4 DNS address of your EC2 instance, usually of the form ec2-IPV4-address.region-zone.compute.amazonaws.com. You can see how to get these details in the troubleshooting section at the end of the article.
  • Run the command below on your WSL command line for an IPv4 connection:
    ssh -i /path/key-pair-name.pem instance-user-name@my-instance-public-dns-name
    If you want to connect using the IPv6 address, run:
    ssh -i /path/key-pair-name.pem instance-user-name@my-instance-IPv6-address

    Replace /path/key-pair-name.pem with the actual path to your key file.
    Replace instance-user-name with the default username of your instance; check out the troubleshooting section at the bottom of the article to see the default username for each instance type.
    Replace my-instance-public-dns-name with the IPv4 DNS address of your instance, or my-instance-IPv6-address with the IPv6 address of your instance.
  • You see the response:
    The authenticity of host 'ec2-198-51-100-1.compute-1.amazonaws.com (10.254.142.33)' can't be established. RSA key fingerprint is 1f:51:ae:28:bf:89:e9:d8:1f:25:5d:37:2d:7d:b8:ca:9f:f5:f1:6f. Are you sure you want to continue connecting (yes/no)?
    If you instead get an unprotected private key file error, check out the troubleshooting section at the bottom for a detailed explanation of what to do.
  • Confirm that the fingerprint matches the one in your instance details and enter YES.
  • You get the response:
    Warning: Permanently added 'ec2-IP-address.compute-1.amazonaws.com' (RSA) to the list of known hosts.
  • Run the command whoami to confirm you are connected.
  • You have now successfully connected to your EC2 instance; you can run installation and configuration commands on your instance from your remote command line.

Run exit to leave the command line of your EC2 instance when you are done. 

You can uninstall WSL in case you won’t be needing it again, check How to uninstall WSL.

Using PuTTY, SSH App

PuTTY is a free SSH client for Windows machines; it enables you to connect to remote servers over an SSH connection.

Download and install PuTTY from the PuTTY download page. If you already have an earlier version of PuTTY installed, we recommend that you download the latest version. Be sure to install the entire suite. 

PuTTY does not support the .pem file you downloaded for the key pair. You could have optionally downloaded the .ppk version of your instance private key file, but you can also convert the .pem file to a .ppk file by following the steps below.

  • From the Start menu, choose All Programs, PuTTY, and PuTTYgen.
  • Under Type of key to generate, choose RSA. If your version of PuTTYgen does not include this option, choose SSH-2 RSA.
  • Choose Load. By default, PuTTYgen displays only files with the extension .ppk. To locate your .pem file, choose the option to display files of all types.
  • Select the .pem file for the key pair that you specified when you launched your instance and choose Open. PuTTYgen displays a notice that the .pem file was successfully imported. Choose OK.
  • To save the key in the format that PuTTY can use, choose Save private key. PuTTYgen displays a warning about saving the key without a passphrase. Choose Yes.
  • Specify the same name for the key that you used for the key pair (for example, key-pair-name) and choose Save. PuTTY automatically adds the .ppk file extension.

You can now connect to your instance through PuTTY using the .ppk file. If you had any issues, see Convert private key file connecting to your instance.

Follow the steps below to connect. 

  • Open PuTTY (press the Windows button, search for PuTTY and then choose Open).
  • In the Category pane, choose Session and fill in the following fields:
    In the Host Name box, do one of the following:
    (Public DNS) To connect using your instance’s public DNS name, enter
    instance-user-name@instance-public-dns-name
    (IPv6) Alternatively, if your instance has an IPv6 address, to connect using your instance’s IPv6 address, enter
    instance-user-name@instance-IPv6-address

    Check out the troubleshooting section at the bottom of the article to learn the default username of your instance.
    Replace the IP address or DNS name with the appropriate value; to get the IPv4 DNS address or IPv6 address of your instance, check the troubleshooting section.
    Ensure that the Port value is 22.
    Under Connection type, select SSH.
  • You can optionally configure PuTTY to automatically send ‘keepalive’ data at regular intervals to keep the session active. This is useful to avoid disconnecting from your instance due to session inactivity. In the Category pane, choose Connection, and then enter the required interval in Seconds between keepalives. For example, if your session disconnects after 10 minutes of inactivity, enter 180 to configure PuTTY to send keepalive data every 3 minutes.
  • In the Category pane, expand Connection, SSH, and Auth. Choose Credentials.
  • Next to Private key file for authentication, choose Browse. In the Select Private Key File dialog box, select the .ppk file that you generated for your key pair. You can either double-click the file or choose Open in the Select Private Key File dialog box.
  • Optionally, you can save the session if you plan to connect to this instance again. In the Category pane, choose Session. Enter a name for the session in Saved Sessions, and then choose Save.
  • Choose Open to connect to the instance.
  • If this is the first time you have connected to this instance, PuTTY displays a security alert dialog box that asks whether you trust the host to which you are connecting.
  • Verify that the fingerprint in the security alert dialog box matches the fingerprint of your instance; check out the troubleshooting section to get your instance fingerprint. This is a security check to find out if someone might be attempting a “man-in-the-middle” attack. If they match, choose Accept. A new window opens and you are now connected to your instance.

If you experienced other issues not covered here, see AWS documentation Troubleshoot Connecting to your instance using PuTTY.

Connecting remotely from a Linux or macOS machine

Connecting to your Linux instance from a Linux or macOS machine is quite straightforward. Type ssh on the command line to find out whether you have an SSH client installed on your computer. If you see a response that the command was not found, then you don’t have an SSH client installed, and you should download and install OpenSSH from the download webpage, https://www.openssh.com/

Follow the procedure below to connect to your AWS EC2 instance using SSH 

  • Launch your terminal or command line and run the command below to connect using the IPv4 DNS address:
    ssh -i /path/key-pair-name.pem instance-user-name@instance-public-dns-name
    To connect using the IPv6 address, use:
    ssh -i /path/key-pair.pem instance-user-name@instance-IPv6-address

    Replace /path/key-pair.pem with the actual path to your key file.
    Replace instance-user-name with the default username of your instance; check out the Troubleshoot section to get the default username for different instance types.
    Replace instance-public-dns-name or instance-IPv6-address with the public IPv4 DNS address or the IPv6 address of your instance respectively. The IPv4 DNS address used here is usually of the form ec2-IP-address.region-zone.compute.amazonaws.com; your IP DNS must also be public.
  • You get the response:
    The authenticity of host 'ec2-198-51-100-1.compute-1.amazonaws.com (198-51-100-1)' can't be established.
    ECDSA key fingerprint is l4UB/neBad9tvkgJf1QZWxheQmR59WgrgzEimCG6kZY.
    Are you sure you want to continue connecting (yes/no)?
  • Enter YES after confirming that the fingerprint matches that of your instance; check out the Troubleshoot section at the bottom of the article to learn how to get your instance fingerprint.
    If you get a response about an unprotected private key file, check out the troubleshooting section to learn how you can tighten the permissions of the private key file, usually a .pem file.
  • You get the response below confirming the connection:
    Warning: Permanently added 'ec2-198-51-100-1.compute-1.amazonaws.com' (ECDSA) to the list of known hosts
  • Enter whoami to confirm your connection.

You can now configure and manage your EC2 instance from your terminal. 

Troubleshooting common issues you might encounter

Getting your AWS EC2 instance details

  • Go to your EC2 management console; you can search for it in the search bar, or click Services and select it from the options.
  • Select Instances from the left navigation, and from your list of instances select the instance you want the details for.

Unprotected private key file

EC2 requires that private key files are protected and that no third party is allowed access to the file. You can change the file permission on Linux and Windows.

For Linux users, run the command below to change the file permission; make sure you are in the folder containing the file.
chmod 400 <filename>
Replace <filename> with the name of your key file.

For Windows users, run the command below to change the file permission.
icacls "filename" /inheritance:r /grant:r <username>:(R)
Replace filename with the name of your key pair file, and <username> with the username of your Windows account.

Windows users can also modify the permission from the file settings. Follow the steps below.

  • Open File Explorer and right-click on the .pem file.
  • Select Properties > Security tab and choose Advanced.
  • Choose Disable inheritance.
  • Remove access for all users except the current user.

Wrong Instance username

Using the wrong username in your connection string can lead to an error. Here are some usernames for different distributions of the Linux system.

  • Ubuntu – ubuntu
  • Debian – admin
  • Amazon Linux – ec2-user
  • Amazon Linux 2 – ec2-user
  • Bitnami – bitnami
  • Check out the AWS documentation page to get the username of your EC2 instance.

Verify your Key Fingerprint

You need to check the key fingerprint from your instance details page and verify that it is the same as the one displayed on the terminal when you request to connect remotely; this is to ensure there’s no man-in-the-middle attack.

Follow the steps below to verify your fingerprint.

  • Access the details page of your instance.
  • Click on the Actions button at the top left and select Monitor and troubleshoot.
  • Click on Get system log; a new page opens showing you the instance fingerprint, given as SSH KEY FINGERPRINT.

Get more info about confirming your key fingerprint.
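The script below is an added example, not part of the original article: it automates the comparison in the steps above by extracting the host key fingerprints from a saved copy of the system log and checking the fingerprint shown in the ssh prompt against them. It assumes the log prints SHA256 fingerprints between BEGIN/END SSH HOST KEY FINGERPRINTS markers; the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): check the fingerprint an SSH client
# presents against the fingerprints the instance wrote to its system log.

# Print each SHA256 host key fingerprint found between the BEGIN/END markers
# of a system log read from stdin.
console_fingerprints() {
    awk '/BEGIN SSH HOST KEY FINGERPRINTS/ { inside = 1; next }
         /END SSH HOST KEY FINGERPRINTS/   { inside = 0 }
         inside { for (i = 1; i <= NF; i++) if ($i ~ /^SHA256:/) print $i }'
}

# Usage: fingerprint_trusted <fingerprint shown by ssh> <system log file>
# Returns 0 on match, 1 on mismatch (do not connect), 2 when the log holds no
# fingerprint block (nothing to compare against, so not verified).
fingerprint_trusted() {
    presented=${1#SHA256:}   # accept the value with or without the prefix
    known=$(console_fingerprints < "$2" | sed 's/^SHA256://')
    [ -n "$known" ] || return 2
    printf '%s\n' "$known" | grep -Fxq -- "$presented"
}

# Constructed system log excerpt. The ECDSA value is the one in the article's
# sample prompt; the other two fingerprints are made up.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
ec2: #############################################################
ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
ec2: 256 SHA256:l4UB/neBad9tvkgJf1QZWxheQmR59WgrgzEimCG6kZY no comment (ECDSA)
ec2: 256 SHA256:AAAAconstructedSampleEd25519Fingerprint0001 no comment (ED25519)
ec2: 2048 SHA256:AAAAconstructedSampleRsaHostFingerprint0002 no comment (RSA)
ec2: -----END SSH HOST KEY FINGERPRINTS-----
ec2: #############################################################
EOF

# Against a real instance, save the system log text from the console to a
# file, then pass the fingerprint printed in the ssh prompt as argument 1.
if fingerprint_trusted "l4UB/neBad9tvkgJf1QZWxheQmR59WgrgzEimCG6kZY" "$SAMPLE_LOG"; then
    echo "match: safe to answer yes"
else
    echo "no match or no fingerprints in log: do not connect"
fi
```

A return code of 2 means the log had no fingerprint block to compare against, which is different from a mismatch: the host is unverified, not known to be wrong.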

For other troubleshooting, check out the AWS documentation guide for troubleshooting SSH connection.

Conclusion

You have successfully connected to and configured your AWS EC2 instance from your local Windows, Linux or macOS machine. You can carry out configuration and management on your instance remotely, depending on the permissions of the user.


DIGITALSPEED © All Rights Reserved.

2024
