AWS EC2 Instance Connect is a service that enables you to securely connect to your EC2 instances using Secure Shell (SSH) without the need to use a bastion host or create and manage SSH keys. With EC2 Instance Connect, you can quickly establish SSH connections to your EC2 instances using the EC2 console or the AWS CLI.
EC2 Instance Connect uses AWS Identity and Access Management (IAM) policies to control access to your EC2 instances. When you connect to an instance with EC2 Instance Connect, you authenticate to AWS with your IAM user or role credentials, and AWS then generates a one-time-use SSH public key and pushes it to the instance. That public key authenticates your SSH session and is removed when the session ends.
EC2 Instance Connect is a more secure alternative to traditional SSH access because it eliminates the need to manage and distribute SSH keys, which can be a security risk if not properly managed. Additionally, because EC2 Instance Connect does not require a bastion host, it simplifies your architecture and reduces the cost of managing your EC2 instances.
In this tutorial, we’ll walk through setting up EC2 Instance Connect on your EC2 instances and test the connection from both the web console and the CLI.
Requirements
- You must have an active AWS account. The free-tier account is sufficient for this tutorial.
- An EC2 instance you can access. This example will use two EC2 instances for demonstration: Amazon Linux 2 and Ubuntu.
Installing the EC2 Instance Connect on an Instance
Note. You can skip this step if your EC2 instance is running one of the following operating systems:
- Amazon Linux 2 2.0.20190618 or later
- Ubuntu 20.04 or later
When you first launch an instance, you either create a new SSH key or use an existing one. This SSH key is needed to connect to your EC2 instance using an SSH client so you can install the EC2 instance connect package.
First, SSH into your EC2 instance using your preferred SSH client. In this example, I’m using the built-in SSH command.
ssh -i aws_private_key.pem \
    ubuntu@ec2-3-135-209-28.us-east-2.compute.amazonaws.com
Ubuntu Instance
Run the following commands to install EC2 Instance Connect on an Ubuntu instance.
# Update the local package index
sudo apt-get update
# Install the ec2-instance-connect package
sudo apt-get install -y ec2-instance-connect
The package installs four scripts in /usr/share/ec2-instance-connect/.
Confirm that EC2 Instance Connect is installed by inspecting the systemd drop-in that the package adds for the SSH service.
sudo cat /lib/systemd/system/ssh.service.d/ec2-instance-connect.conf
The presence of this line confirms that EC2 Instance Connect is correctly installed.
ExecStart=/usr/sbin/sshd -D -o "AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys %%u %%f" -o "AuthorizedKeysCommandUser ec2-instance-connect" $SSHD_OPTS
Amazon Linux 2 Instance
Run the following command to install EC2 Instance Connect on an Amazon Linux 2 instance.
sudo yum install ec2-instance-connect
The package installs three scripts in /opt/aws/bin/.
Check the /etc/ssh/sshd_config file.
sudo cat /etc/ssh/sshd_config
If the lines below appear in /etc/ssh/sshd_config, EC2 Instance Connect is installed.
AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys %u %f
AuthorizedKeysCommandUser ec2-instance-connect
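As an added check (not part of the original post), the small shell helper below verifies the sshd hook on either distro by looking for the two directives shown above in an uncommented form; the two file paths are the ones this tutorial uses.

```shell
# Added example, not from the original post: confirm that sshd is wired to
# EC2 Instance Connect by checking for the two directives the tutorial shows.

# Return 0 when FILE (sshd_config on Amazon Linux 2, or the systemd drop-in
# on Ubuntu, where the directives appear inside the ExecStart -o options)
# contains an uncommented AuthorizedKeysCommand that points at
# eic_run_authorized_keys AND AuthorizedKeysCommandUser ec2-instance-connect.
eic_check_sshd_config() {
    local file=$1
    [ -r "$file" ] || return 2
    # Strip comment lines first so a commented-out directive does not count.
    grep -v '^[[:space:]]*#' "$file" \
        | grep -Eq 'AuthorizedKeysCommand[[:space:]]+[^[:space:]]*eic_run_authorized_keys' \
        || return 1
    grep -v '^[[:space:]]*#' "$file" \
        | grep -Eq 'AuthorizedKeysCommandUser[[:space:]]+ec2-instance-connect' \
        || return 1
    return 0
}

# Probe the locations used by the two packages covered in this tutorial.
eic_check_install() {
    local f
    for f in /etc/ssh/sshd_config \
             /lib/systemd/system/ssh.service.d/ec2-instance-connect.conf; do
        if eic_check_sshd_config "$f"; then
            echo "EC2 Instance Connect hook found in $f"
            return 0
        fi
    done
    echo "no EC2 Instance Connect AuthorizedKeysCommand found" >&2
    return 1
}
```

On Amazon Linux 2, `sudo sshd -T | grep -i authorizedkeyscommand` shows the same two values as sshd actually parses them.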
Connect to EC2 Instance Connect from the EC2 Console (Web)
After installing EC2 Instance Connect on the instance, you can connect to it. One way to SSH into an EC2 instance is from the EC2 console.
Log in to your AWS EC2 console and navigate to the EC2 instances. Select the instance you want to connect to and click Connect.
On the Connect to Instance page, select the EC2 Instance Connect tab, and click Connect.
The CloudShell instance automatically connects to your EC2 instance without you entering any SSH keys or credentials.
Connect to EC2 Instance Connect from the Command Line Interface (CLI)
The web-based SSH client in the EC2 console may be enough for some admins. But for others, a local client would still be the de-facto tool for remote management. In this case, you can install the EC2 Instance Connect CLI on your computer.
EC2 Instance Connect CLI Requirements
- The target EC2 instance SSH port must be open to the internet.
- To install it, your computer must have Python and pip installed.
- To use, you must install and configure the AWS CLI first.
Install the EC2 Instance Connect CLI
Open a terminal session on your computer and run the below command to download the EC2 Instance Connect CLI archive.
aws s3api get-object \
    --bucket ec2-instance-connect \
    --key cli/ec2instanceconnectcli-latest.tar.gz \
    ec2instanceconnectcli-latest.tar.gz
Once the ec2instanceconnectcli-latest.tar.gz file is downloaded, install the package using the following command.
sudo pip install ec2instanceconnectcli-latest.tar.gz
The EC2 Instance Connect CLI is now installed, and the mssh command is available. This command connects to an EC2 instance using the profile(s) configured in the AWS CLI.
To use this command, the syntax is:
# For an Ubuntu instance
mssh ubuntu@{instance-id}

# For an Amazon Linux 2 instance
mssh ec2-user@{instance-id}
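To make the mechanism behind mssh (and behind the one-time key described at the start of this post) concrete, here is an added shell helper that does the same two steps with only the AWS CLI and ssh: push a public key with SendSSHPublicKey, then open the session before the key expires. It is not the mssh tool's own code; the instance ID, host name and key path are arguments you supply.

```shell
# Added example, not from the original post or the mssh tool: the two steps
# mssh performs, done by hand with the AWS CLI and ssh. AWS keeps the pushed
# key on the instance for only 60 seconds, so the steps must run back to back.
#
# Usage: eic_ssh <instance-id> <os-user> <public-dns-or-ip> <private-key> [cmd...]
# <private-key> must have a matching "<private-key>.pub" next to it; a
# throw-away pair can be made with: ssh-keygen -t ed25519 -N '' -f /tmp/eic_key
eic_ssh() {
    local instance_id=$1 os_user=$2 host=$3 key=$4
    shift 4
    # Basic sanity checks before calling AWS.
    case $instance_id in
        i-[0-9a-f]*) ;;
        *) echo "bad instance id: $instance_id" >&2; return 2 ;;
    esac
    [ -r "$key" ] && [ -r "$key.pub" ] \
        || { echo "key pair $key / $key.pub not found" >&2; return 2; }

    # 1. Push the public key. IAM decides whether this caller may do so for
    #    this instance and this OS user (SendSSHPublicKey, condition key ec2:osuser).
    aws ec2-instance-connect send-ssh-public-key \
        --instance-id "$instance_id" \
        --instance-os-user "$os_user" \
        --ssh-public-key "file://$key.pub" > /dev/null || return 1

    # 2. Connect inside the 60-second window, offering only this key.
    ssh -i "$key" -o IdentitiesOnly=yes "$os_user@$host" "$@"
}
```

The return value is the exit status of ssh, so a remote command's failure is visible to the caller.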
Conclusion
AWS EC2 Instance Connect provides a convenient and secure way to access your EC2 instances using SSH. By leveraging the AWS Identity and Access Management (IAM) system, you can grant granular permissions to users and groups to connect to your instances. Additionally, EC2 Instance Connect eliminates the need to manage and distribute SSH keys, making it easier to maintain access control and auditability.
With EC2 Instance Connect, you can use your existing SSH client to connect to your instances without having to set up a bastion host or expose SSH ports to the public internet. This reduces the attack surface of your instances and improves the security posture of your infrastructure.
AWS EC2 Instance Connect is a powerful tool that simplifies and streamlines SSH access management for your EC2 instances. Following the steps outlined in this blog post, you can get started with EC2 Instance Connect and take advantage of its many benefits.