Three Different Ways To SSH to an AWS Instance

There are several ways to get an SSH shell on an instance hosted on AWS. The right one depends on how the instance is networked: whether it has a public IP address, whether you reach its VPC over a VPN, or whether you go through AWS Systems Manager (SSM) Session Manager and avoid opening inbound SSH at all.

We will discuss all the popular methods of connecting and explain in detail how each method works.


Option 1: Connect with an SSH Key Pair over a Public IPv4 Address

Here’s a detailed step-by-step guide on how to SSH into an AWS EC2 instance:

Prerequisites

  • An active AWS account:
    You’ll need an AWS account with an EC2 instance running.
  • A key pair:
    This is a pair of cryptographic keys (public and private) used for authentication. You’ll have created one when launching your instance or you can create a new one.
  • SSH client:
    macOS and Linux ship OpenSSH. Windows 10 and later also include the OpenSSH client (ssh.exe), so the same command line works there; PuTTY or the Windows Subsystem for Linux (WSL) are alternatives.

Step 1 – Locate Your Instance Details:

Important: To reach an instance over SSH you need a network path to it: either a public IPv4 address attached to the instance (this option), or connectivity into the VPC over AWS Client VPN, Site-to-Site VPN or Direct Connect so that you can use the private address. Session Manager (Option 2) needs neither. VPN access is covered in Option 3.

  • Open the AWS Management Console: 
    Go to https://console.aws.amazon.com/ and sign in with your AWS credentials.
  • Access EC2:
    • Click on “Services” in the top left corner.
    • Search for “EC2” and click on it.
  • View Instances:
    In the left navigation pane, click on “Instances.”
  • Select Your Instance: 
    Find the instance you want to connect to in the list and click on it.
  • Note the Address: 
    In the instance details pane, locate and copy either the:
    • Public IPv4 address: 
      If the instance has one, you will use it for direct connections.
    • Public IPv4 DNS name: 
      This resolves to the same public address, so it only exists when the instance has a public IP. Instances you reach over a VPN (Option 3) are addressed by their private IPv4 address or private DNS name instead.

Important Note: If your instance only has a private IP address, it is not reachable from the internet and the steps in this option will not work. Use Session Manager (Option 2) or a VPN (Option 3) instead.

Step 2 – Configure Inbound SSH Access

Before connecting, you must ensure your EC2 instance allows incoming SSH connections. This is crucial for security and controlling who can access your instance.

  • Navigate to Security Groups:
    In the EC2 dashboard (where you viewed instances), click on “Security Groups” in the left navigation pane.
  • Select Your Instance’s Security Group: 
    Find the security group associated with your EC2 instance and click on it.
  • Edit Inbound Rules:
    • Click on the “Inbound rules” tab.
    • Click the “Edit inbound rules” button.
  • Add SSH Rule (if not present):
    • Click “Add rule.”
    • For “Type,” select “SSH.”
    • For “Source,” choose either:
      • “My IP”: This fills in your current public IP address as a /32. It stops matching as soon as your address changes (home connections, mobile hotspots, office NAT pools), which is the most common cause of a sudden connection timeout.
      • “Custom”: Specify a CIDR range, such as your office network or your VPN egress range.
      • Do not choose “Anywhere” (0.0.0.0/0 or ::/0) for SSH; it exposes the daemon to every scanner on the internet.
    • Leave other fields as default.
    • Click “Save rules.”

Why This Matters:

  • Port 22: SSH listens on TCP port 22 by default. The rule must allow that port (or whichever port you have moved sshd to).
  • Source IP: A security group is stateful and denies all inbound traffic by default, so the source you list is the complete set of addresses that can even reach the daemon. Keep it to your own address or a trusted range.
  • Existing Rules: If an SSH rule already exists, verify the source range is still correct and remove stale entries left over from old locations.
  • Security: Key-based authentication still applies, but a rule open to 0.0.0.0/0 exposes sshd to constant brute-force and version scanning, and to any future sshd vulnerability.
  • Connectivity: If the security group does not allow SSH from your address, the connection simply times out, even with the correct key, IP address or DNS name.
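A quick way to check the same thing without clicking through the console, as an added example for this article (not code from the original post or from AWS): the function below walks the JSON shape returned by aws ec2 describe-security-groups and reports every inbound rule that admits TCP/22, distinguishing world-open ranges from narrow CIDRs and from security-group references (the pattern Option 3 uses for a Client VPN endpoint). The group IDs, names and CIDRs in the sample are constructed, and the function names are mine.

```python
"""Audit EC2 security group rules for SSH exposure.

Added example for this article, not part of the original post or any AWS
tooling. It works on the "SecurityGroups" list returned by
`aws ec2 describe-security-groups`; the sample below is constructed to match
that shape so the check runs offline with no credentials.
"""
import ipaddress

SSH_PORT = 22

# Constructed sample: one group limited to an office range, one open to the
# world on every port, one that references another group (the shape used to
# admit traffic from a Client VPN endpoint's security group).
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0aaa", "GroupName": "ssh-from-office",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "office"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": [], "PrefixListIds": []},
        ],
    },
    {
        "GroupId": "sg-0bbb", "GroupName": "wide-open",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
             "UserIdGroupPairs": [], "PrefixListIds": []},
        ],
    },
    {
        "GroupId": "sg-0ccc", "GroupName": "ssh-from-vpn",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0vpn", "UserId": "123456789012"}],
             "PrefixListIds": []},
        ],
    },
]


def _covers_ssh(perm):
    """True if an inbound permission includes TCP/22 ("-1" means all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)


def _is_world(cidr):
    """0.0.0.0/0 and ::/0 are the only prefix-length-0 networks."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def ssh_exposure(groups):
    """Return {group_id: [(source, severity), ...]} for every rule admitting SSH.

    severity is "world" for 0.0.0.0/0 or ::/0, "cidr" for a narrower range,
    "sg" for a security-group reference and "prefix-list" for a managed list.
    """
    findings = {}
    for sg in groups:
        hits = []
        for perm in sg.get("IpPermissions", []):
            if not _covers_ssh(perm):
                continue
            for r in perm.get("IpRanges", []):
                hits.append((r["CidrIp"], "world" if _is_world(r["CidrIp"]) else "cidr"))
            for r in perm.get("Ipv6Ranges", []):
                hits.append((r["CidrIpv6"], "world" if _is_world(r["CidrIpv6"]) else "cidr"))
            for p in perm.get("UserIdGroupPairs", []):
                hits.append((p["GroupId"], "sg"))
            for p in perm.get("PrefixListIds", []):
                hits.append((p["PrefixListId"], "prefix-list"))
        if hits:
            findings[sg["GroupId"]] = hits
    return findings


def world_exposed(groups):
    """Sorted IDs of groups that let anyone on the internet reach port 22."""
    return sorted(gid for gid, hits in ssh_exposure(groups).items()
                  if any(sev == "world" for _, sev in hits))


if __name__ == "__main__":
    for gid, hits in ssh_exposure(SAMPLE_GROUPS).items():
        for src, sev in hits:
            print(f"{gid}: SSH allowed from {src} [{sev}]")
    print("world-exposed:", world_exposed(SAMPLE_GROUPS))
```

Feed it the output of aws ec2 describe-security-groups (the list under the SecurityGroups key) and anything reported as "world" is a rule to fix before you go further; a "-1" all-traffic rule counts, since it covers port 22 as well.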

Step 3 – Locate Your Private Key:

  • In the EC2 dashboard, go to Network & Security -> Key Pairs. This page lists key pair names and fingerprints only; AWS keeps the public half and never stores the private key.
  • The private key file (.pem, or .ppk if you chose the PuTTY format) was offered for download exactly once, when the key pair was created. If you no longer have it you cannot download it again: create a new key pair and install its public key on the instance by another route (for example through Session Manager, Option 2), or replace the instance.

Step 4 – Secure Your Private Key:

It’s crucial to protect your private key: anyone who holds it can log in as the instance user, and that user typically has passwordless sudo.

  • Change permissions: On macOS/Linux, run chmod 400 your-key.pem. OpenSSH refuses to use a key file that is readable by other users (the “UNPROTECTED PRIVATE KEY FILE” error), so this is required, not just good hygiene.
  • Store securely: Keep it out of source control, shared drives and chat. A password manager or an encrypted local disk is fine; loading it into ssh-agent avoids leaving extra copies around.

Step 5 – Connect using SSH (macOS/Linux):

Open your terminal.

Use the following command, replacing the placeholders:

Bash
ssh -i /path/to/your-key.pem ec2-user@your-instance-public-dns-name

Further information:

  • /path/to/your-key.pem: The path to your private key file.
  • ec2-user: The default username for Amazon Linux 2 and Amazon Linux 2023 AMIs (also RHEL and SUSE). Ubuntu AMIs use ubuntu and Debian AMIs use admin; replace the name if your AMI differs or you created your own user.
  • your-instance-public-dns-name: Replace with the public IPv4 DNS name or public IPv4 address you noted in Step 1.

On the first connection ssh prints the host key fingerprint and asks you to confirm it. Don’t just type yes: compare it with the fingerprints the instance printed at boot (EC2 console: select the instance, Actions -> Monitor and troubleshoot -> Get system log). That is the only channel an attacker on the path cannot tamper with.
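As an added example for this article (not code from the original post or from AWS), the following does that comparison programmatically: it reads the SSH HOST KEY FINGERPRINTS block that cloud-init writes to the system log, computes the SHA256 fingerprint of a public key line (from ssh-keyscan, known_hosts or a .pub file) the way ssh-keygen -l does, and reports whether they match. The key bytes and the log text are constructed, and the function names are mine.

```python
"""Check an EC2 host key against the fingerprints in the instance's system log.

Added example for this article, not part of the original post. On first
connection ssh only asks you to trust a fingerprint; the trustworthy place to
compare it against is the instance's system log (EC2 console: Actions ->
Monitor and troubleshoot -> Get system log), where cloud-init prints an
"SSH HOST KEY FINGERPRINTS" block at boot. Fingerprints are computed as
`ssh-keygen -l` does: "SHA256:" + unpadded base64 of SHA-256 over the
wire-format public key blob. Key material and log text below are constructed.
"""
import base64
import hashlib
import re
import struct

# One cloud-init fingerprint line: "<bits> SHA256:<b64> <comment> (<TYPE>)"
FP_LINE = re.compile(r"^\d+\s+(SHA256:\S+)\s+\S+\s+\((\w+)\)\s*$", re.M)
KEY_TYPES = {"ssh-ed25519": "ED25519", "ssh-rsa": "RSA",
             "ecdsa-sha2-nistp256": "ECDSA"}


def _ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def fingerprint_of(pubkey_line):
    """Return (KEYTYPE, 'SHA256:...') for a known_hosts / ssh-keyscan / .pub line."""
    tokens = pubkey_line.split()
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES:
            blob = base64.b64decode(tokens[i + 1])
            digest = hashlib.sha256(blob).digest()
            return KEY_TYPES[tok], "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no supported key type in line")


def parse_console_fingerprints(log_text):
    """Map key type -> fingerprint from the cloud-init block in the system log."""
    start = log_text.find("-----BEGIN SSH HOST KEY FINGERPRINTS-----")
    end = log_text.find("-----END SSH HOST KEY FINGERPRINTS-----")
    if start < 0 or end < 0:
        return {}
    return {ktype: fp for fp, ktype in FP_LINE.findall(log_text[start:end])}


def host_key_matches(log_text, pubkey_line):
    """True only if the console log lists exactly this key for its key type."""
    ktype, fp = fingerprint_of(pubkey_line)
    return parse_console_fingerprints(log_text).get(ktype) == fp


# --- constructed sample data -------------------------------------------------
# A fake ed25519 public key: 32 arbitrary bytes wrapped in ssh wire format.
_blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_PUBKEY = "ssh-ed25519 " + base64.b64encode(_blob).decode()
_type, _fp = fingerprint_of(SAMPLE_PUBKEY)

# What the instance's system log would show at boot for that key; the ECDSA
# line is filler with a made-up fingerprint.
SAMPLE_LOG = f"""[    6.12] cloud-init: ...
-----BEGIN SSH HOST KEY FINGERPRINTS-----
256 SHA256:ConstructedEcdsaFingerprintNotRealXXXXXXXXXXXX root@ip-10-0-1-5 (ECDSA)
256 {_fp} root@ip-10-0-1-5 (ED25519)
-----END SSH HOST KEY FINGERPRINTS-----
[    6.40] cloud-init: ..."""

# A key differing in one byte, as a man-in-the-middle or a recycled IP would present.
_tampered = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([1] + list(range(1, 32))))
TAMPERED_PUBKEY = "ssh-ed25519 " + base64.b64encode(_tampered).decode()

if __name__ == "__main__":
    print("genuine key matches log:", host_key_matches(SAMPLE_LOG, SAMPLE_PUBKEY))
    print("tampered key matches log:", host_key_matches(SAMPLE_LOG, TAMPERED_PUBKEY))
```

In practice you would paste the system log into log_text and the output of ssh-keyscan <public-ip> into pubkey_line; only accept the key in ssh if host_key_matches returns True.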

Step 6 – Connect using SSH (Windows – PuTTY):

If you have the built-in OpenSSH client (Windows 10 and later), the command from Step 5 works unchanged in PowerShell or cmd with the .pem file. For PuTTY:

Open PuTTYgen.

  • Load your .pem private key.
  • Save the private key in PuTTY’s .ppk format.

Open PuTTY.

  • In the “Host Name” field, enter your instance’s public DNS name or IP address (you can include the user, e.g. ec2-user@host).
  • Go to Connection -> SSH -> Auth, and browse to select the .ppk file you saved.
  • Click “Open” to initiate the connection, and check the host key fingerprint PuTTY displays against the instance’s system log in the EC2 console before accepting it.

Troubleshooting

  • Connection Timeout:
    A timeout means your packets never reached sshd; it is almost always network configuration, not the SSH service.
    • Check Security Group: Ensure an inbound rule for SSH (port 22) exists and its source still covers your current public IP.
    • Verify Network Connectivity: The instance must be in a subnet whose route table has a route to an internet gateway, and must have a public IPv4 address or an Elastic IP. Check the subnet’s network ACL too: it is stateless, so it has to permit inbound 22 and the outbound ephemeral ports.
    • Instance State: Confirm the instance has passed both status checks and is not still booting.
  • Permission Denied (Public Key):
    • Key Pair Match: Double-check you’re using the private key for the key pair named in the instance details; the fingerprint on the Key Pairs page lets you compare.
    • Username: The key is installed only for the AMI’s default user, so the wrong username produces the same error.
    • Key Permissions: Ensure your private key file is not group- or world-readable (chmod 400 on Linux/macOS); ssh skips a key with loose permissions.
  • Connection Refused:
    The packet reached the instance but nothing is listening on the port.
    • SSH Server: Confirm sshd is running on the instance. If you have no other way in, use Session Manager (Option 2) or the EC2 Serial Console to get a shell and restart it.
    • Firewall: Check for a host firewall on the instance (iptables, nftables, firewalld, ufw) that might be blocking SSH connections.
  • Remote Host Identification Has Changed:
    This warning means the host key no longer matches your known_hosts entry, which is expected after an instance is rebuilt or a public IP is reused by a different instance. Confirm the new fingerprint against the instance’s system log before removing the old entry, rather than deleting it blindly.

Option 2: Connect via SSM

AWS Systems Manager (SSM) Session Manager gives you a shell on the instance without an inbound rule, a public IP or an SSH key. The SSM Agent on the instance opens an outbound HTTPS connection to the Systems Manager service and your session is relayed over it; access is controlled by IAM, and every session can be logged to CloudWatch Logs or S3.

Here’s how:

Prerequisites

AWS Systems Manager Agent (SSM Agent):
Ensure the SSM Agent is installed and running on your EC2 instance. Amazon Linux, Ubuntu and the other AWS-provided AMIs ship it pre-installed; for other AMIs you may need to install it manually.

Outbound connectivity: The agent must reach the Systems Manager endpoints on TCP 443, either through a NAT gateway or internet gateway, or through VPC endpoints (Step 1). The instance security group must allow that outbound traffic; the default allow-all outbound rule is enough.

IAM Permissions: Two separate principals need permissions, and it is easy to confuse them.

  • The instance profile (IAM role) attached to the EC2 instance needs the permissions the agent uses to register and exchange messages. The AWS managed policy AmazonSSMManagedInstanceCore covers them.
  • The IAM user or role that starts the session needs ssm:StartSession on the target instances, plus ssm:ResumeSession and ssm:TerminateSession scoped to that caller’s own sessions.

Example caller policy —–>

JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": [
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:ResumeSession",
                "ssm:TerminateSession"
            ],
            "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeSessions",
                "ssm:GetConnectionStatus",
                "ssm:DescribeInstanceInformation",
                "ec2:DescribeInstances"
            ],
            "Resource": "*"
        }
    ]
}

Resume and terminate are authorised against session ARNs, not instance ARNs, so pointing them at arn:aws:ec2:*:*:instance/* grants nothing; the ${aws:username} variable limits them to sessions the caller opened. To restrict which instances a user may open, replace the instance wildcard with specific instance ARNs or add a condition on ssm:resourceTag/<tag-key>. The Describe actions are what the console needs to list instances; without them the Start session page appears empty.
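To catch the common scoping mistakes in a Session Manager caller policy during review, here is a small policy lint, added for this article and not part of the original post or of any AWS tool. It flags ssm:StartSession granted on Resource "*" and ssm:ResumeSession/ssm:TerminateSession whose Resource is not a session ARN carrying ${aws:username}. Both sample policies are constructed; the first repeats the instance-ARN-for-everything mistake, and the function names are mine.

```python
"""Lint a Session Manager caller policy for two common scoping mistakes.

Added example for this article; not part of the original post or of any AWS
tool. It inspects an IAM policy document (the JSON attached to the user or
role that starts sessions) and reports:
  1. ssm:StartSession allowed on Resource "*", i.e. a shell on any instance;
  2. ssm:ResumeSession / ssm:TerminateSession whose Resource is not a session
     ARN carrying ${aws:username}, the pattern AWS's own examples use to limit
     a caller to the sessions they opened. Pointing these at an EC2 instance
     ARN is a frequent error: a session ARN never matches it, so the grant is
     inert and the caller cannot resume or terminate anything.
Both sample policies are constructed.
"""
import fnmatch

OWN_SESSIONS = "arn:aws:ssm:*:*:session/${aws:username}-*"


def _listify(value):
    """IAM lets Statement/Action/Resource be a string or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants(action_patterns, action):
    """True if any pattern (e.g. 'ssm:*', 'ssm:StartSession') covers the action."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in action_patterns)


def _own_session_arn(resource):
    """A session ARN restricted to the calling user's own sessions."""
    return (resource.startswith("arn:aws:ssm:") and ":session/" in resource
            and "${aws:username}" in resource)


def session_policy_findings(policy):
    """Return a list of human-readable findings; an empty list means both checks passed."""
    findings = []
    for n, stmt in enumerate(_listify(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _listify(stmt.get("Action"))
        resources = _listify(stmt.get("Resource"))
        if _grants(actions, "ssm:StartSession") and "*" in resources:
            findings.append(f"statement {n}: ssm:StartSession on '*' allows a shell on "
                            "every instance; scope it to instance ARNs or a tag condition")
        for act in ("ssm:ResumeSession", "ssm:TerminateSession"):
            if not _grants(actions, act):
                continue
            bad = [r for r in resources if not _own_session_arn(r)]
            if bad:
                findings.append(f"statement {n}: {act} should use {OWN_SESSIONS}, got {bad}")
    return findings


# Constructed sample 1: every Resource is an EC2 instance ARN.
INSTANCE_ARN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ssm:StartSession", "ssm:ResumeSession", "ssm:TerminateSession"],
         "Resource": "arn:aws:ec2:*:*:instance/*"},
        {"Effect": "Allow", "Action": ["ssm:DescribeSessions"], "Resource": "*"},
    ],
}

# Constructed sample 2: the scoped form (account ID is a placeholder).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ssm:StartSession",
         "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"},
        {"Effect": "Allow", "Action": ["ssm:ResumeSession", "ssm:TerminateSession"],
         "Resource": OWN_SESSIONS},
        {"Effect": "Allow", "Action": ["ssm:DescribeSessions"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, pol in (("instance-arn", INSTANCE_ARN_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, session_policy_findings(pol) or "OK")
```

Run it over the JSON you are about to attach (json.load of the policy file); it deliberately treats wildcard actions such as ssm:* as granting the session actions, so an over-broad admin statement is reported too.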

Step 1 – Create VPC Endpoints (Optional but Recommended):

For instances in private subnets with no NAT or internet gateway, create interface VPC endpoints so the agent can reach Systems Manager without leaving the VPC. Session Manager needs three services, not just ssm:

  • com.amazonaws.[region].ssm
  • com.amazonaws.[region].ssmmessages (the channel the interactive session runs over)
  • com.amazonaws.[region].ec2messages

Steps to Create a VPC Endpoint (repeat for each of the three services):

  • Navigate to VPC: 
    In the AWS Management Console, go to the “VPC” service.
  • Endpoints: 
    In the left navigation pane, click “Endpoints.”
  • Create Endpoint:
    • Click “Create endpoint.”
    • For “Service Category,” select “AWS services.”
    • In the search bar, type the service name (for example “ssmmessages”) and select the com.amazonaws.[region].<service> interface endpoint.
    • Choose the VPC where your EC2 instance resides.
    • Select one subnet in each Availability Zone your instances use.
    • Keep private DNS enabled (“Enable DNS name”), so the agent’s normal endpoint hostnames resolve to the endpoint inside the VPC.
    • For “Security groups,” choose or create a group that allows inbound TCP 443 from the instances’ security group or the VPC CIDR. The source here is the instance, not your workstation: the agent connects outbound to the endpoint, and nothing connects from your IP.
    • Click “Create endpoint.”

Step 2 – Navigate to SSM Console

  • Open the AWS Management Console.
  • Search for and select “Systems Manager”.

Step 3 – Start a Session:

  • In the navigation pane, choose Session Manager.
  • Click on Start session.
  • Select your instance from the list.
  • Click Start session.

Step 4 – Interact with Your Instance:

A browser-based shell session will open. On Linux it runs as the ssm-user account, which the agent creates with passwordless sudo, so treat Session Manager access as root-equivalent when you write the caller policy. The same session can be started from the AWS CLI (aws ssm start-session --target <instance-id>) once the Session Manager plugin is installed, and the Session Manager preferences let you send a transcript of every session to CloudWatch Logs or S3.

Troubleshooting

  • Instance Not Listed or Session Fails to Start:
    • SSM Agent: Verify that the SSM Agent is installed and running on the instance. Systems Manager -> Fleet Manager shows each managed instance with its ping status; an instance that never appears there has not registered.
    • IAM Permissions: The instance profile must allow the agent to register (AmazonSSMManagedInstanceCore), and your own user or role must be allowed ssm:StartSession on that instance. A missing instance profile is the most common reason an instance never shows up.
    • Outbound Path: The instance, not your workstation, must reach the ssm, ssmmessages and ec2messages endpoints on TCP 443, via NAT, internet gateway or VPC endpoints. Check the instance security group’s outbound rules and the endpoint security group’s inbound rule.
  • Connection Issues:
    • Region: Make sure you’re using Session Manager in the same AWS region as your EC2 instance.
    • Stale Agent: An old agent version may not support Session Manager; update it with the AWS-UpdateSSMAgent Run Command document or by reinstalling the package.

Option 3: Connect over a VPN

If you’re using AWS VPN, there are a few scenarios depending on how you’ve set up your VPN and EC2 instances:

Scenario 1: AWS Client VPN

  • Client VPN Endpoint:
    An AWS Client VPN endpoint terminates OpenVPN-based connections from individual devices (laptop, desktop, etc.) and places them inside your VPC. It is associated with one or more target subnets and has its own security groups.
  • Authorization and Routes:
    Add an authorization rule that permits the client CIDR (or a specific group) to reach the VPC CIDR, and make sure a route to that CIDR exists on the endpoint; without both, the tunnel comes up but nothing in the VPC is reachable.
  • Connecting to Private EC2 Instances:
    Once connected to your Client VPN, SSH to your EC2 instances using their private IP addresses or private DNS names, exactly as in Option 1 but with the private address.
  • Security Groups:
    Ensure the instance security group allows SSH (port 22) from the security group associated with your Client VPN endpoint. Client VPN source-NATs traffic to the endpoint’s network interface in the target subnet, so a rule written for the client CIDR will not match.

Scenario 2: AWS Site-to-Site VPN

  • On-Premises Network to VPC:
    AWS Site-to-Site VPN creates IPsec tunnels between your customer gateway device and a virtual private gateway or transit gateway attached to your VPC.
  • Connecting from On-Premises:
    Once the tunnels are up, you can SSH to your EC2 instances from your on-premises network using their private IP addresses. The instance security group must allow port 22 from your on-premises CIDR; a security-group reference does not apply here.
  • Route Tables:
    Both sides need routes: the VPC subnet route tables must send your on-premises CIDR to the virtual private gateway or transit gateway (route propagation does this automatically when enabled), and your on-premises routers must send the VPC CIDR into the tunnel.

Troubleshooting

  • Cannot Reach Private IPs:
    • Client VPN: Ensure you’re connected to the endpoint, that an authorization rule and a route cover the target subnet’s CIDR, and that the instance security group allows SSH from the endpoint’s security group.
    • Site-to-Site VPN: Confirm at least one tunnel is UP and that the route tables on both sides direct traffic through the VPN.
  • Authentication Issues:
    • Key Pair: Use the correct key pair associated with the instance.
    • Username: Verify you’re using the correct username for the instance (e.g., ec2-user for Amazon Linux).

General Tips:

  • Verbose Output: Use the -v flag with the SSH command (ssh -v ...) for detailed debugging information.
  • AWS Documentation: Refer to the AWS documentation for specific troubleshooting steps for your chosen connection method.

Richard Bailey

Richard Bailey, a seasoned tech enthusiast, combines a passion for innovation with a knack for simplifying complex concepts. With over a decade in the industry, he's pioneered transformative solutions, blending creativity with technical prowess. An avid writer, Richard's articles resonate with readers, offering insightful perspectives that bridge the gap between technology and everyday life. His commitment to excellence and tireless pursuit of knowledge continues to inspire and shape the tech landscape.
