Amazon EC2 Instance Connect provides a simple and secure way to connect to your EC2 instances using Secure Shell (SSH). It provides a direct way to access your instances without needing to manage SSH keys for individual instances. Here's how EC2 Instance Connect works:
Temporary Key Push:
- When you connect to an instance using EC2 Instance Connect, the service pushes a temporary SSH public key to the instance's metadata.
- This temporary key expires automatically after a short time, which limits the window in which it can be used.
Browser-based or CLI connection:
- You can initiate the connection either from the EC2 console, which provides a browser-based SSH connection, or using the AWS Command Line Interface (CLI).
IAM Policies for Authorization:
- EC2 Instance Connect integrates with AWS Identity and Access Management (IAM), so you define which IAM users or roles can connect to which instances.
- Permissions can be fine-grained: for example, a particular user may be allowed to connect only to a specific instance or group of instances.
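As an added example (not code from the original article), the following Python builds such a fine-grained policy for the ec2-instance-connect:SendSSHPublicKey action, limiting it to named instances and to one OS user through the ec2:osuser condition key, and includes a simplified check of what that policy grants. The account ID, region and instance IDs are hypothetical placeholders.

```python
import json

# Hypothetical account, region and instance IDs; substitute your own.
ACCOUNT_ID = "111122223333"
REGION = "us-east-1"
ACTION = "ec2-instance-connect:SendSSHPublicKey"


def instance_arn(instance_id, region=REGION, account_id=ACCOUNT_ID):
    """ARN format IAM expects for an EC2 instance resource."""
    return f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}"


def instance_connect_policy(instance_ids, os_user):
    """Least-privilege policy: SendSSHPublicKey only for the listed instances
    and only as os_user (the ec2:osuser condition key). ec2:DescribeInstances
    is granted because the console needs it to list instances."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ACTION,
                "Resource": [instance_arn(i) for i in instance_ids],
                "Condition": {"StringEquals": {"ec2:osuser": os_user}},
            },
            {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
        ],
    }


def push_allowed(policy, instance_id, os_user):
    """Simplified evaluation of the policy shape built above (Allow statements,
    one action, optional StringEquals on ec2:osuser); not a full IAM evaluator."""
    arn = instance_arn(instance_id)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != ACTION:
            continue
        res = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if arn not in res and "*" not in res:
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("ec2:osuser")
        if wanted is None or wanted == os_user:
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(instance_connect_policy(["i-0abc123def456789a"], "ec2-user"), indent=2))
```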
Logging with AWS CloudTrail:
- All connection requests using EC2 Instance Connect are logged in AWS CloudTrail. This provides a way to audit and monitor who accessed which instances and when.
Installation:
- To use EC2 Instance Connect, the EC2 Instance Connect client must be installed on the instance. Newer Amazon Machine Images (AMIs) typically have it pre-installed.
- For some distributions, you may need to install the EC2 Instance Connect package manually.
Connection Flow:
- When you request a connection, the EC2 Instance Connect API pushes the SSH public key to the instance metadata.
- The EC2 Instance Connect client on the instance polls for this key and uses it to update the local ~/.ssh/authorized_keys of the specified OS user. You are then able to SSH into the instance using the temporary key.
- After the key's validity period expires, it is no longer usable for authentication.
It's worth noting that while EC2 Instance Connect provides a convenient and secure way to connect to instances, it's one of many ways to manage access. Depending on your organization's requirements, you might also consider traditional key management, AWS Systems Manager Session Manager, or other methods.
The validity period of short-lived SSH public keys
The default validity period for the temporary SSH key provided by Amazon EC2 Instance Connect is 60 seconds. This means that after EC2 Instance Connect pushes the SSH public key to the instance's metadata, you have 60 seconds to initiate and establish the SSH connection using that key. Once the connection is established within this period, you can maintain it as long as needed. However, if you try to initiate a new connection after the 60-second window, the key won't be accepted, and you'll need to request a new one through EC2 Instance Connect.
This short-lived nature of the key helps in ensuring that even if someone intercepts it, they won't have much time to misuse it. Furthermore, because the key is automatically expired and removed after 60 seconds, there's no need to manage or rotate old keys, making the access process both secure and convenient.
Prerequisites for EC2 Instance Connect
To access an EC2 instance via EC2 Instance Connect through a browser, certain configurations and prerequisites must be met:
Supported OS: Ensure the EC2 instance is running a supported operating system. Amazon Linux 2, Ubuntu, and some other distributions are supported. Always check the AWS documentation for the latest list of supported OSes.
IAM Permissions:
- The AWS user trying to access the EC2 instance must have the necessary IAM permissions; specifically, the ec2-instance-connect:SendSSHPublicKey permission.
- Additionally, the EC2 instance's associated IAM role must have the ec2-instance-connect:SendSSHPublicKey permission.
EC2 Instance Connect Client: The EC2 instance must have the EC2 Instance Connect client installed. While newer Amazon Linux 2 and Ubuntu AMIs come with this pre-installed, for other distributions or older AMIs, you might have to install it manually.
Security Group Settings:
- The security group associated with the EC2 instance must allow inbound SSH traffic (typically on port 22) from your IP address or the IP range you are connecting from.
- 💡 For browser-based connections, you must also allow inbound SSH traffic from the EC2 Instance Connect IP address range for the region where the instance is hosted.
EC2 Instance Metadata:
- Ensure that the EC2 instance has access to the EC2 instance metadata service, typically available at 169.254.169.254. EC2 Instance Connect uses this to push the temporary SSH key to the instance.
SSH Key Configuration:
- The OS user you are trying to connect to (e.g., ec2-user, ubuntu) must have the ~/.ssh/authorized_keys file set up so that the EC2 Instance Connect service can manage it. The EC2 Instance Connect client usually handles this.
Browser Requirements:
- Use a recent version of a popular web browser. AWS Management Console and its features like EC2 Instance Connect generally support the latest versions of Chrome, Firefox, Safari, and Edge. Ensure you don’t have extensions or plugins that might block necessary scripts or pop-ups.
Network Connectivity:
- Ensure you have a stable internet connection and can access the AWS Management Console and the instance itself.
Once everything is correctly set up, you can go to the AWS Management Console, navigate to the EC2 Dashboard, select the instance you wish to connect to, and then use the "Connect" button to launch EC2 Instance Connect via the browser.
Connection options
The connection option to use depends on whether your instance has a public IPv4 address:
Amazon EC2 console – To connect using the Amazon EC2 console, the instance must have a public IPv4 address.
SSH client – If the instance does not have a public IP address, you can connect to the instance over a private network using an SSH client. For example, you can connect from within the same VPC or through a VPN connection, transit gateway, or AWS Direct Connect.
EC2 Instance Connect does not support connecting using an IPv6 address.
Connect using the Amazon EC2 console
You can connect to an instance using the Amazon EC2 console by selecting the instance from the console and choosing to connect using EC2 Instance Connect. Instance Connect handles the permissions and provides a successful connection.
To connect using the Amazon EC2 console, the instance must have a public IPv4 address.
To connect to your instance using the browser-based client from the Amazon EC2 console
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
In the navigation pane, choose Instances.
Select the instance and choose Connect.
Choose EC2 Instance Connect.
Verify the user name and choose Connect to open a terminal window.
Troubleshoot EC2 instance connection errors
If you receive the following error when trying to connect to the instance:
This usually means that your security group was not configured correctly.
EC2 Instance Connect uses specific IP address ranges for browser-based SSH connections to your instance (when users use the Amazon EC2 console to connect to an instance). If your users will use the Amazon EC2 console to connect to an instance, ensure that the security group associated with your instance allows inbound SSH traffic from the IP address range for EC2_INSTANCE_CONNECT. To identify the address range, download the JSON file provided by AWS and filter for the subset for EC2 Instance Connect, using EC2_INSTANCE_CONNECT as the service value. These IP address ranges differ between AWS Regions. For more information about downloading the JSON file and filtering by service, see AWS IP address ranges in the Amazon VPC User Guide.
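As an added example (not code from the original article), the following Python filters a document in the shape of ip-ranges.json for the EC2_INSTANCE_CONNECT service in one region, builds the matching IpPermissions entry for the security group, and checks whether an observed source address falls inside those ranges. The embedded sample data is constructed from documentation networks and is not the real AWS list; fetch_ip_ranges downloads the published file when network access is available.

```python
import ipaddress
import json
import urllib.request

IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

# Constructed sample in the shape of ip-ranges.json. These are documentation
# networks (RFC 5737 / RFC 3849), not real AWS prefixes.
SAMPLE_RANGES = {
    "prefixes": [
        {"ip_prefix": "203.0.113.0/29", "region": "us-east-1",
         "service": "EC2_INSTANCE_CONNECT", "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.100.0/29", "region": "eu-west-1",
         "service": "EC2_INSTANCE_CONNECT", "network_border_group": "eu-west-1"},
        {"ip_prefix": "203.0.113.64/26", "region": "us-east-1",
         "service": "AMAZON", "network_border_group": "us-east-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "us-east-1",
         "service": "EC2_INSTANCE_CONNECT", "network_border_group": "us-east-1"},
    ],
}

def fetch_ip_ranges(url=IP_RANGES_URL):
    """Download the published JSON (needs network; the sample run below does not)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)

def instance_connect_prefixes(ranges, region):
    """IPv4 CIDRs the browser-based client connects from in `region`. Only
    `prefixes` is consulted: Instance Connect does not support IPv6, so the
    ipv6_prefixes entries are deliberately ignored."""
    return sorted(p["ip_prefix"] for p in ranges["prefixes"]
                  if p["service"] == "EC2_INSTANCE_CONNECT" and p["region"] == region)

def ingress_permission(cidrs, region, port=22):
    """IpPermissions entry for `aws ec2 authorize-security-group-ingress`."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c, "Description": f"EC2 Instance Connect {region}"}
                         for c in cidrs]}

def source_allowed(cidrs, source_ip):
    """Troubleshooting check: is an observed source address inside the ranges?"""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)

if __name__ == "__main__":
    cidrs = instance_connect_prefixes(SAMPLE_RANGES, "us-east-1")
    print(json.dumps(ingress_permission(cidrs, "us-east-1"), indent=2))
```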
To look for AWS IP address ranges for each service in each region, use the following JSON file available at https://ip-ranges.amazonaws.com/ip-ranges.json
For example, the IP address range for the EC2 Instance Connect service in the us-east-1 region is: