

# Connect to your Linux instance using a public IP address and EC2 Instance Connect

Amazon EC2 Instance Connect provides a secure way to connect to your Linux instances over Secure Shell (SSH). With EC2 Instance Connect, you use AWS Identity and Access Management (IAM) [policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [principals](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) to control SSH access to your instances, removing the need to share and manage SSH keys. All connection requests using EC2 Instance Connect are [logged to AWS CloudTrail](monitor-with-cloudtrail.md#ec2-instance-connect-cloudtrail) so that you can audit connection requests.

You can use EC2 Instance Connect to connect to your instances using the Amazon EC2 console or the SSH client of your choice.

When you connect to an instance using EC2 Instance Connect, the EC2 Instance Connect API pushes an SSH public key to the [instance metadata](ec2-instance-metadata.md) where it remains for 60 seconds. An IAM policy attached to your user authorizes your user to push the public key to the instance metadata. The SSH daemon uses `AuthorizedKeysCommand` and `AuthorizedKeysCommandUser`, which are configured when EC2 Instance Connect is installed, to look up the public key from the instance metadata for authentication, and connects you to the instance.

**Tip**  
EC2 Instance Connect is one of the options to connect to your Linux instance. For other options, see [Connect to your Linux instance using SSH](connect-to-linux-instance.md). To connect to a Windows instance, see [Connect to your Windows instance using RDP](connecting_to_windows_instance.md).

**Pricing**  
EC2 Instance Connect is available at no additional cost.

**Region availability**  
EC2 Instance Connect is available in all AWS Regions. It is not supported in Local Zones.

**Topics**
+ [Tutorial](ec2-instance-connect-tutorial.md)
+ [Prerequisites](ec2-instance-connect-prerequisites.md)
+ [Permissions](ec2-instance-connect-configure-IAM-role.md)
+ [Install EC2 Instance Connect](ec2-instance-connect-set-up.md)
+ [Connect to an instance](ec2-instance-connect-methods.md)
+ [Uninstall EC2 Instance Connect](ec2-instance-connect-uninstall.md)

For a blog post that discusses how to improve the security of your bastion hosts using EC2 Instance Connect, see [Securing your bastion hosts with Amazon EC2 Instance Connect](https://aws.amazon.com/blogs/infrastructure-and-automation/securing-your-bastion-hosts-with-amazon-ec2-instance-connect/).

# Tutorial: Complete the configuration required to connect to your instance using EC2 Instance Connect

To connect to your instance using EC2 Instance Connect in the Amazon EC2 console, you first need to complete the prerequisite configuration that will allow you to successfully connect to your instance. The purpose of this tutorial is to guide you through the tasks to complete the prerequisite configuration.

**Tutorial overview**

In this tutorial, you'll complete the following four tasks:
+ [Task 1: Grant permissions required to use EC2 Instance Connect](#eic-tut1-task1)

  First you'll create an IAM policy that contains the IAM permissions that allow you to push a public key to the instance metadata. You'll attach this policy to your IAM identity (user, user group, or role) so that your IAM identity gets these permissions.
+ [Task 2: Allow inbound traffic from the EC2 Instance Connect service to your instance](#eic-tut1-task2)

  Then you'll create a security group that allows traffic from the EC2 Instance Connect service to your instance. This is required when you use EC2 Instance Connect in the Amazon EC2 console to connect to your instance.
+ [Task 3: Launch your instance](#eic-tut1-task3)

  You'll then launch an EC2 instance using an AMI that is pre-installed with EC2 Instance Connect and you'll add the security group that you created in the previous step.
+ [Task 4: Connect to your instance](#eic-tut1-task4)

  Finally, you'll use EC2 Instance Connect in the Amazon EC2 console to connect to your instance. If you can connect, then you can be sure that the prerequisite configuration you completed in Tasks 1, 2, and 3 were successful.

## Task 1: Grant permissions required to use EC2 Instance Connect


When you connect to an instance using EC2 Instance Connect, the EC2 Instance Connect API pushes an SSH public key to the [instance metadata](ec2-instance-metadata.md) where it remains for 60 seconds. You need an IAM policy attached to your IAM identity (user, user group, or role) to grant you the required permission to push the public key to the instance metadata.

**Task objective**

You'll create the IAM policy that grants the permission to push the public key to the instance. The specific action to allow is `ec2-instance-connect:SendSSHPublicKey`. You must also allow the `ec2:DescribeInstances` action so that you can view and select your instance in the Amazon EC2 console.

After you've created the policy, you'll attach the policy to your IAM identity (user, user group, or role) so that your IAM identity gets the permissions.

You'll create a policy that is configured as follows:

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [{
            "Effect": "Allow",
            "Action": "ec2-instance-connect:SendSSHPublicKey",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:DescribeInstances",
            "Resource": "*"
        }
    ]
}
```

------

**Important**  
The IAM policy created in this tutorial is a highly permissive policy; it allows you to connect to any instance using any AMI username. We're using this highly permissive policy to keep the tutorial simple and focused on the specific configurations that this tutorial is teaching. However, in a production environment, we recommend that your IAM policy is configured to provide [least-privilege permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege). For example IAM policies, see [Grant IAM permissions for EC2 Instance Connect](ec2-instance-connect-configure-IAM-role.md).

**To create and attach an IAM policy that allows you to use EC2 Instance Connect to connect to your instances**

1. **First create the IAM policy**

   1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

   1. In the navigation pane, choose **Policies**.

   1. Choose **Create policy**.

   1. On the **Specify permission** page, do the following:

      1. For **Service**, choose **EC2 Instance Connect**.

      1. Under **Actions allowed**, in the search field start typing **send** to show the relevant actions, and then select **SendSSHPublicKey**.

      1. Under **Resources**, choose **All**. For a production environment, we recommend specifying the instance by its ARN, but for this tutorial, you're allowing all instances.

      1. Choose **Add more permissions**.

      1. For **Service**, choose **EC2**.

      1. Under **Actions allowed**, in the search field start typing **describein** to show the relevant actions, and then select **DescribeInstances**.

      1. Choose **Next**.

   1. On the **Review and create** page, do the following:

      1. For **Policy name**, enter a name for the policy.

      1. Choose **Create policy**.

1. **Then attach the policy to your identity**

   1. In the IAM console, in the navigation pane, choose **Policies**.

   1. In the list of policies, select the option button next to the name of the policy you created. You can use the search box to filter the list of policies.

   1. Choose **Actions**, **Attach**.

   1. Under **IAM entities**, select the checkbox next to your identity (user, user group, or role). You can use the search box to filter the list of entities.

   1. Choose **Attach policy**.

### View an animation: Create an IAM policy


![\[This animation shows how to create an IAM policy. For the text version of this animation, see the steps in the preceding procedure.\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/images/eic-tut1-task1-create-iam-policy.gif)


### View an animation: Attach an IAM policy


![\[This animation shows how to attach an IAM policy to an IAM identity. For the text version of this animation, see the steps in the preceding procedure.\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/images/eic-tut1-task1-attach-iam-policy.gif)


## Task 2: Allow inbound traffic from the EC2 Instance Connect service to your instance


When you use EC2 Instance Connect in the Amazon EC2 console to connect to an instance, the traffic that must be allowed to reach the instance is traffic from the EC2 Instance Connect service. This is different from connecting from your local computer to an instance; in that case, you must allow traffic from your local computer to your instance. To allow traffic from the EC2 Instance Connect service, you must create a security group that allows inbound SSH traffic from the IP address range for the EC2 Instance Connect service.

AWS uses prefix lists to manage IP address ranges. The names of the EC2 Instance Connect prefix lists are as follows, with *region* replaced by the Region code:
+ IPv4 prefix list name: `com.amazonaws.region.ec2-instance-connect`
+ IPv6 prefix list name: `com.amazonaws.region.ipv6.ec2-instance-connect`

**Task objective**

You'll create a security group that allows inbound SSH traffic on port 22 from the IPv4 prefix list in the Region in which your instance is located.

**To create a security group that allows inbound traffic from the EC2 Instance Connect service to your instance**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Security Groups**.

1. Choose **Create security group**.

1. Under **Basic details**, do the following:

   1. For **Security group name**, enter a meaningful name for your security group.

   1. For **Description**, enter a meaningful description for your security group.

1. Under **Inbound rules**, do the following:

   1. Choose **Add rule**.

   1. For **Type**, choose **SSH**.

   1. For **Source**, leave **Custom**.

   1. In the field next to **Source**, select the prefix list for EC2 Instance Connect.

      For example, if your instance is located in the US East (N. Virginia) (`us-east-1`) Region and your users will connect to its public IPv4 address, choose the following prefix list: **com.amazonaws.us-east-1.ec2-instance-connect**

1. Choose **Create security group**.
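
As an added check (example code, not from the AWS documentation or the AWS CLI), the following Python audits a security group's inbound rules for the configuration this task describes: SSH on TCP/22 should be reachable only from the EC2 Instance Connect prefix list for the instance's Region. It runs offline on a dict shaped like one entry of a `describe-security-groups` response; the group, its rules and the `pl-` IDs are constructed sample values, and the mapping from prefix list ID to prefix list name is assumed to have been collected separately (for example with `describe-managed-prefix-lists`). It also shows the Region caveat from Task 3: a prefix list for a different Region is flagged rather than accepted.

```python
"""Audit a security group's inbound SSH rules for EC2 Instance Connect.

Added example (not from the AWS documentation or the AWS CLI). It runs
offline on a dict shaped like one entry of a describe-security-groups
response; the group, rules and pl- IDs below are constructed samples.
"""


def eic_prefix_list_name(region, ipv6=False):
    """Return the AWS-managed prefix list name for EC2 Instance Connect."""
    if ipv6:
        return f"com.amazonaws.{region}.ipv6.ec2-instance-connect"
    return f"com.amazonaws.{region}.ec2-instance-connect"


def _covers_ssh(perm):
    """True if an IpPermissions entry includes TCP/22 (or all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535)


def audit_ssh_ingress(security_group, region, prefix_list_names):
    """Return (severity, message) findings for the group's SSH rules.

    prefix_list_names maps prefix list IDs to names, as the caller would
    collect from describe-managed-prefix-lists; supplying it keeps the
    check free of API calls.
    """
    wanted = {eic_prefix_list_name(region), eic_prefix_list_name(region, ipv6=True)}
    findings, eic_rule_seen = [], False
    for perm in security_group.get("IpPermissions", []):
        if not _covers_ssh(perm):
            continue
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            if cidr in ("0.0.0.0/0", "::/0"):
                findings.append(("HIGH", f"SSH open to the world via {cidr}"))
            else:
                findings.append(("INFO", f"SSH allowed from {cidr} (direct SSH only; "
                                         "not used by console EC2 Instance Connect)"))
        for pl in perm.get("PrefixListIds", []):
            pl_id = pl.get("PrefixListId")
            name = prefix_list_names.get(pl_id, "unknown name")
            if name in wanted:
                eic_rule_seen = True
            else:
                findings.append(("MEDIUM", f"SSH allowed from prefix list {pl_id} ({name}), "
                                           f"which is not the EC2 Instance Connect list for {region}"))
    if not eic_rule_seen:
        findings.append(("WARN", f"no rule allows SSH from {eic_prefix_list_name(region)}; "
                                 "EC2 Instance Connect from the console will fail"))
    return findings


# Constructed sample: the pl- IDs are placeholders, not real AWS values.
SAMPLE_PREFIX_LISTS = {
    "pl-0eic00000example1": "com.amazonaws.us-east-1.ec2-instance-connect",
    "pl-0eic00000example2": "com.amazonaws.us-east-1.ipv6.ec2-instance-connect",
}

# Constructed sample group: the correct EIC rule plus a leftover world-open rule.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "left over from testing"}],
         "Ipv6Ranges": [], "PrefixListIds": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "Ipv6Ranges": [],
         "PrefixListIds": [{"PrefixListId": "pl-0eic00000example1"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "PrefixListIds": []},
    ],
}

if __name__ == "__main__":
    for sev, msg in audit_ssh_ingress(SAMPLE_SG, "us-east-1", SAMPLE_PREFIX_LISTS):
        print(f"[{sev}] {msg}")
```

On the sample group the audit reports one HIGH finding for the world-open rule and accepts the prefix list rule; running it with a different Region than the one the prefix list belongs to produces a MEDIUM and a WARN, which is exactly the mismatch the Region selection step in Task 3 warns about.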

### View an animation: Create the security group


![\[This animation shows how to configure a security group. For the text version of this animation, see the steps in the preceding procedure.\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/images/tut1-task2-eic-security-group.gif)


## Task 3: Launch your instance


When you launch an instance, you must specify an AMI that contains the information required to launch the instance. You can choose to launch an instance with or without EC2 Instance Connect pre-installed. In this task, we specify an AMI that comes pre-installed with EC2 Instance Connect.

If you launch your instance without EC2 Instance Connect pre-installed, and you want to use EC2 Instance Connect to connect to your instance, you'll need to perform additional configuration steps. These steps are outside the scope of this tutorial.

**Task objective**

You'll launch an instance with the Amazon Linux 2023 AMI, which comes pre-installed with EC2 Instance Connect. You'll also specify the security group that you created earlier so that you can use EC2 Instance Connect in the Amazon EC2 console to connect to your instance. Because you'll use EC2 Instance Connect to connect to your instance, which pushes a public key to your instance's metadata, you won't need to specify an SSH key when you launch your instance.

**To launch an instance that can use EC2 Instance Connect in the Amazon EC2 console for connection**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation bar at the top of the screen, the current AWS Region is displayed (for example, **Ireland**). Select a Region in which to launch your instance. This choice is important because you created a security group that allows traffic for a specific Region, so you must select the same Region in which to launch your instance.

1. From the Amazon EC2 console dashboard, choose **Launch instance**. 

1. (Optional) Under **Name and tags**, for **Name**, enter a descriptive name for your instance.

1. Under **Application and OS Images (Amazon Machine Image)**, choose **Quick Start**. **Amazon Linux** is selected by default. Under **Amazon Machine Image (AMI)**, **Amazon Linux 2023 AMI** is selected by default. Keep the default selection for this task.

1. Under **Instance type**, for **Instance type**, keep the default selection, or choose a different instance type.

1. Under **Key pair (login)**, for **Key pair name**, choose **Proceed without a key pair (Not recommended)**. When you use EC2 Instance Connect to connect to an instance, EC2 Instance Connect pushes a public key to the instance's metadata, and it is that key that is used for the connection.

1. Under **Network settings**, do the following:

   1. For **Auto-assign public IP**, leave **Enable**.

      **Note**  
      To use EC2 Instance Connect in the Amazon EC2 console to connect to an instance, the instance must have a public IPv4 or IPv6 address.

   1. For **Firewall (security groups)**, choose **Select existing security group**.

   1. Under **Common security groups**, choose the security group that you created earlier.

1. In the **Summary** panel, choose **Launch instance**.

### View an animation: Launch your instance


![\[This animation shows how to launch an instance. For the text version of this animation, see the steps in the preceding procedure.\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/images/tut1-task3-launch-an-instance.gif)


## Task 4: Connect to your instance


When you connect to an instance using EC2 Instance Connect, the EC2 Instance Connect API pushes an SSH public key to the [instance metadata](ec2-instance-metadata.md) where it remains for 60 seconds. The SSH daemon uses `AuthorizedKeysCommand` and `AuthorizedKeysCommandUser` to look up the public key from the instance metadata for authentication, and connects you to the instance.

**Task objective**

In this task, you'll connect to your instance using EC2 Instance Connect in the Amazon EC2 console. If you completed the prerequisite Tasks 1, 2, and 3, the connection should be successful. 

**Steps to connect to your instance**

Use the following steps to connect to your instance. To view an animation of the steps, see [View an animation: Connect to your instance](#eic-tut1-task4-animation).

**To connect an instance using EC2 Instance Connect in the Amazon EC2 console**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation bar at the top of the screen, the current AWS Region is displayed (for example, **Ireland**). Select the Region in which your instance is located.

1. In the navigation pane, choose **Instances**. 

1. Select your instance and choose **Connect**.

1. Choose the **EC2 Instance Connect** tab.

1. Choose **Connect using a Public IP**. 

1. Choose **Connect**.

   A terminal window opens in the browser, and you are connected to your instance.

### View an animation: Connect to your instance


![\[This animation shows how to connect an instance using EC2 Instance Connect. For the text version of this animation, see the steps in the preceding procedure.\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/images/eic-tut1-task4-connect.gif)


# Prerequisites for EC2 Instance Connect

**Topics**
+ [Install EC2 Instance Connect](#eic-prereqs-install-eic-on-instance)
+ [Ensure network connectivity](#eic-prereqs-network-access)
+ [Allow inbound SSH traffic](#ec2-instance-connect-setup-security-group)
+ [Grant permissions](#eic-prereqs-grant-permissions)
+ [Install an SSH client on your local computer](#eic-prereqs-install-ssh-client)
+ [Meet username requirements](#eic-prereqs-username)

## Install EC2 Instance Connect


To use EC2 Instance Connect to connect to an instance, the instance must have EC2 Instance Connect installed. You can either launch the instance using an AMI that comes pre-installed with EC2 Instance Connect, or you can install EC2 Instance Connect on instances that are launched with supported AMIs. For more information, see [Install EC2 Instance Connect on your EC2 instances](ec2-instance-connect-set-up.md).

## Ensure network connectivity


Instances can be configured to allow users to connect to your instance over the internet or through the instance's private IP address. Depending on how your users will connect to your instance using EC2 Instance Connect, you must configure the following network access:
+ If your users will connect to your instance over the internet, then your instance must have a public IPv4 or IPv6 address and be in a public subnet with a route to the internet. If you haven't modified your default public subnet, then it contains a route to the internet for IPv4 only, and not for IPv6. For more information, see [Enable VPC internet access using internet gateways](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html#vpc-igw-internet-access) in the *Amazon VPC User Guide*.
+ If your users will connect to your instance through the instance's private IPv4 address, then you must establish private network connectivity to your VPC, such as by using AWS Direct Connect, AWS Site-to-Site VPN, or VPC peering, so that your users can reach the instance's private IP address.

If your instance does not have a public IPv4 or IPv6 address and you prefer not to configure the network access as described above, you can consider EC2 Instance Connect Endpoint as an alternative to EC2 Instance Connect. With EC2 Instance Connect Endpoint, you can connect to an instance using SSH or RDP even if the instance does not have a public IPv4 or IPv6 address. For more information, see [Connect to your Linux instance using the Amazon EC2 console](connect-using-eice.md#connect-using-the-ec2-console).

## Allow inbound SSH traffic


**When using the Amazon EC2 console to connect to an instance**  
When users connect to an instance using the Amazon EC2 console, the traffic that must be allowed to reach the instance is traffic from the EC2 Instance Connect service. The service is identified by specific IP address ranges, which AWS manages through prefix lists. You must create a security group that allows inbound SSH traffic from the EC2 Instance Connect service. To configure this, for the inbound rule, in the field next to **Source**, select the EC2 Instance Connect prefix list.

AWS provides different managed prefix lists for IPv4 and IPv6 addresses for each Region. The names of the EC2 Instance Connect prefix lists are as follows, with *region* replaced by the Region code:
+ IPv4 prefix list name: `com.amazonaws.region.ec2-instance-connect`
+ IPv6 prefix list name: `com.amazonaws.region.ipv6.ec2-instance-connect`

For the instructions for creating the security group, see [Task 2: Allow inbound traffic from the EC2 Instance Connect service to your instance](ec2-instance-connect-tutorial.md#eic-tut1-task2). For more information, see [Available AWS-managed prefix lists](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-aws-managed-prefix-lists.html#available-aws-managed-prefix-lists) in the *Amazon VPC User Guide*.

**When using the CLI or SSH to connect to an instance**  
Ensure that the security group associated with your instance [allows inbound SSH traffic](security-group-rules-reference.md#sg-rules-local-access) on port 22 from your IP address or from your network. The default security group for the VPC does not allow incoming SSH traffic by default. The security group created by the launch instance wizard allows incoming SSH traffic by default. For more information, see [Rules to connect to instances from your computer](security-group-rules-reference.md#sg-rules-local-access).

## Grant permissions


You must grant the required permissions to every IAM user who will use EC2 Instance Connect to connect to an instance. For more information, see [Grant IAM permissions for EC2 Instance Connect](ec2-instance-connect-configure-IAM-role.md).

## Install an SSH client on your local computer


If your users will connect using SSH, they must ensure that their local computer has an SSH client.

A user's local computer most likely has an SSH client installed by default. They can check for an SSH client by typing **ssh** at the command line. If their local computer doesn't recognize the command, they can install an SSH client. For information about installing an SSH client on Linux or macOS, see [http://www.openssh.com](http://www.openssh.com/). For information about installing an SSH client on Windows 10, see [OpenSSH in Windows](https://learn.microsoft.com/en-us/windows-server/administration/OpenSSH/openssh-overview).

There is no need to install an SSH client on a local computer if your users use only the Amazon EC2 console to connect to an instance.

## Meet username requirements


When using EC2 Instance Connect to connect to an instance, the username must meet the following requirements:
+ First character: Must be a letter (`A-Z`, `a-z`), a digit (`0-9`), or an underscore (`_`)
+ Subsequent characters: Can be letters (`A-Z`, `a-z`), digits (`0-9`), or the following characters: `@ . _ -`
+ Minimum length: 1 character
+ Maximum length: 31 characters
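
An added example, not from the documentation, that implements these four rules as a validator and, for a rejected name, reports which rule it violates. The sample names in the `__main__` block are constructed, apart from the AMI default usernames this page names.

```python
import re

# The four rules from the list above as one pattern: first character a
# letter, digit or underscore; then up to 30 more from letters, digits,
# @ . _ - (so 1 to 31 characters in total).
EIC_USERNAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9@._-]{0,30}")


def is_valid_eic_username(name):
    """True if name meets the EC2 Instance Connect username requirements."""
    return EIC_USERNAME_RE.fullmatch(name) is not None


def explain_eic_username(name):
    """Return None for a valid name, otherwise the first rule it violates."""
    if not name:
        return "must be at least 1 character"
    if len(name) > 31:
        return f"must be at most 31 characters ({len(name)} given)"
    if not re.fullmatch(r"[A-Za-z0-9_]", name[0]):
        return f"first character {name[0]!r} must be a letter, digit, or underscore"
    for ch in name[1:]:
        if not re.fullmatch(r"[A-Za-z0-9@._-]", ch):
            return f"character {ch!r} is not allowed (letters, digits, @ . _ - only)"
    return None


if __name__ == "__main__":
    # Constructed sample names: the AMI defaults named on this page plus edge cases.
    for name in ["ec2-user", "ubuntu", "svc@corp.example", "-dash-first", "a" * 32, "bad name"]:
        print(f"{name!r}: {explain_eic_username(name) or 'ok'}")
```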

# Grant IAM permissions for EC2 Instance Connect

To connect to an instance using EC2 Instance Connect, you must create an IAM policy that grants your users permissions for the following actions and condition:
+ `ec2-instance-connect:SendSSHPublicKey` action – Grants permission to push the public key to an instance.
+ `ec2:osuser` condition – Specifies the name of the OS user that can push the public key to an instance. Use the default username for the AMI that you used to launch the instance. The default username for AL2023 and Amazon Linux 2 is `ec2-user`, and for Ubuntu it's `ubuntu`.
+ `ec2:DescribeInstances` action – Required when using the EC2 console because the wrapper calls this action. Users might already have permission to call this action from another policy.
+ `ec2:DescribeVpcs` action – Required when connecting to an IPv6 address.

Consider restricting access to specific EC2 instances. Otherwise, all IAM principals with permission for the `ec2-instance-connect:SendSSHPublicKey` action can connect to all EC2 instances. You can restrict access by specifying resource ARNs or by using resource tags as [condition keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2instanceconnect.html#amazonec2instanceconnect-policy-keys).

For more information, see [Actions, resources, and condition keys for Amazon EC2 Instance Connect](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2instanceconnect.html).

For information about creating IAM policies, see [Creating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.

## Allow users to connect to specific instances


The following IAM policy grants permission to connect to specific instances, identified by their resource ARNs. 

In the following example IAM policy, the following actions and condition are specified:
+ The `ec2-instance-connect:SendSSHPublicKey` action grants users permission to connect to two instances, specified by the resource ARNs. To grant users permission to connect to *all* EC2 instances, replace the resource ARNs with the `*` wildcard.
+ The `ec2:osuser` condition grants permission to connect to the instances only if the *ami-username* is specified when connecting.
+ The `ec2:DescribeInstances` action is specified to grant permission to users who will use the console to connect to your instances. If your users will only use an SSH client to connect to your instances, you can omit `ec2:DescribeInstances`. Note that the `ec2:Describe*` API actions do not support resource-level permissions. Therefore, the `*` wildcard is necessary in the `Resource` element.
+ The `ec2:DescribeVpcs` action is specified to grant permission to users who will use the console to connect to your instances using an IPv6 address. If your users will only use a public IPv4 address, you can omit `ec2:DescribeVpcs`. Note that the `ec2:Describe*` API actions do not support resource-level permissions. Therefore, the `*` wildcard is necessary in the `Resource` element.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [{
            "Effect": "Allow",
            "Action": "ec2-instance-connect:SendSSHPublicKey",
            "Resource": [
                "arn:aws:ec2:us-east-1:111122223333:instance/i-1234567890abcdef0",
                "arn:aws:ec2:us-east-1:111122223333:instance/i-0598c7d356eba48d7"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:osuser": "ami-username"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeVpcs"
            ],
            "Resource": "*"
        }
    ]
}
```

------

## Allow users to connect to instances with specific tags


Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on tags that can be attached to users and AWS resources. You can use resource tags to control access to an instance. For more information about using tags to control access to your AWS resources, see [Controlling access to AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html#access_tags_control-resources) in the *IAM User Guide*.

In the following example IAM policy, the `ec2-instance-connect:SendSSHPublicKey` action grants users permission to connect to any instance (indicated by the `*` wildcard in the resource ARN) on condition that the instance has a resource tag with key=`tag-key` and value=`tag-value`.

The `ec2:DescribeInstances` action is specified to grant permission to users who will use the console to connect to your instances. If your users will use only an SSH client to connect to your instances, you can omit `ec2:DescribeInstances`. Note that the `ec2:Describe*` API actions do not support resource-level permissions. Therefore, the `*` wildcard is necessary in the `Resource` element.

The `ec2:DescribeVpcs` action is specified to grant permission to users who will use the console to connect to your instances using an IPv6 address. If your users will only use a public IPv4 address, you can omit `ec2:DescribeVpcs`. Note that the `ec2:Describe*` API actions do not support resource-level permissions. Therefore, the `*` wildcard is necessary in the `Resource` element.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [{
            "Effect": "Allow",
            "Action": "ec2-instance-connect:SendSSHPublicKey", 
            "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/tag-key": "tag-value"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeVpcs"
            ],
            "Resource": "*"
        }
    ]
}
```

------
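
To reason about what the three policies on this page actually grant (the tutorial's permissive policy, the ARN-restricted one, and the tag-based one), here is an added example, not AWS code, of a deliberately small evaluator that supports only the features these policies use: `Effect` Allow/Deny, `Action`, `*` wildcards in `Resource`, and `StringEquals` conditions on `ec2:osuser` and `aws:ResourceTag/<key>`. The `ami-username`, `tag-key` and `tag-value` placeholders are filled in with constructed values (`ec2-user`, `Environment`, `bastion`), and the one instance ID not on this page is constructed. It is a reasoning aid for least privilege, not a substitute for the IAM policy simulator.

```python
"""Offline evaluator for the EC2 Instance Connect policies on this page.

Added example, not AWS code. It supports only what these policies use:
Effect Allow/Deny, Action and Resource (with IAM-style * wildcards), and
StringEquals conditions on ec2:osuser and aws:ResourceTag/<key>. Any other
condition operator raises, so the limits are explicit.
"""
import fnmatch

SEND_KEY = "ec2-instance-connect:SendSSHPublicKey"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Evaluate a Condition block; only StringEquals is implemented."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator}")
        for key, expected in pairs.items():
            # A missing context key (e.g. the instance has no such tag) is no match.
            if context.get(key) not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return 'allow', 'deny' (explicit) or 'implicit-deny' (nothing matched).

    context carries the request's condition-key values, e.g.
    {"ec2:osuser": "ec2-user", "aws:ResourceTag/Environment": "bastion"}.
    """
    decision = "implicit-deny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # an explicit deny overrides any allow
        decision = "allow"
    return decision


# The tutorial policy: any instance, any OS user.
PERMISSIVE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": SEND_KEY, "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
]}

# "Allow users to connect to specific instances", with ami-username -> ec2-user (constructed).
BY_ARN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": SEND_KEY,
     "Resource": ["arn:aws:ec2:us-east-1:111122223333:instance/i-1234567890abcdef0",
                  "arn:aws:ec2:us-east-1:111122223333:instance/i-0598c7d356eba48d7"],
     "Condition": {"StringEquals": {"ec2:osuser": "ec2-user"}}},
]}

# "Allow users to connect to instances with specific tags", with the constructed
# tag Environment=bastion in place of tag-key/tag-value.
BY_TAG = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": SEND_KEY,
     "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
     "Condition": {"StringEquals": {"aws:ResourceTag/Environment": "bastion"}}},
]}

LISTED = "arn:aws:ec2:us-east-1:111122223333:instance/i-1234567890abcdef0"
UNLISTED = "arn:aws:ec2:us-east-1:111122223333:instance/i-0abcdef1234567890"  # constructed ID


def compare(resource, context):
    """Decision of each policy for one request, as {policy_name: decision}."""
    return {name: evaluate(pol, SEND_KEY, resource, context)
            for name, pol in (("permissive", PERMISSIVE), ("by_arn", BY_ARN), ("by_tag", BY_TAG))}


if __name__ == "__main__":
    print(compare(UNLISTED, {"ec2:osuser": "root"}))
    print(compare(LISTED, {"ec2:osuser": "ec2-user"}))
    print(compare(UNLISTED, {"ec2:osuser": "ec2-user", "aws:ResourceTag/Environment": "bastion"}))
```

The first call shows the point of the **Important** note in the tutorial: the permissive policy allows `root` on an instance the other two policies never mention. The ARN policy allows only its two listed instances and only for `ec2-user`; the tag policy allows any instance in that account and Region that carries the tag, and nothing in another Region because the ARN pattern pins `us-east-1`.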

# Install EC2 Instance Connect on your EC2 instances

To connect to a Linux instance using EC2 Instance Connect, the instance must have EC2 Instance Connect installed. Installing EC2 Instance Connect configures the SSH daemon on the instance.

For more information about the EC2 Instance Connect package, see [aws/aws-ec2-instance-connect-config](https://github.com/aws/aws-ec2-instance-connect-config) on the GitHub website.

**Note**  
If you configured the `AuthorizedKeysCommand` and `AuthorizedKeysCommandUser` settings for SSH authentication, the EC2 Instance Connect installation will not update them. As a result, you can't use EC2 Instance Connect.

## Install prerequisites


Before you install EC2 Instance Connect, ensure that you meet the following prerequisites.
+ **Verify that the instance uses one of the following:**
  + Amazon Linux 2 prior to version 2.0.20190618 \*
  + AL2023 minimal AMI or Amazon ECS-optimized AMI
  + CentOS Stream 8 and 9
  + macOS Sonoma prior to 14.2.1, Ventura prior to 13.6.3, and Monterey prior to 12.7.2 \*
  + Red Hat Enterprise Linux (RHEL) 8 and 9
  + Ubuntu 16.04 and 18.04 \*

  **Tip**  
  \* For Amazon Linux 2, macOS, and Ubuntu: If you launched your instance using a later version than those listed above, EC2 Instance Connect comes preinstalled and no manual installation is required.
+ **Verify the general prerequisites for EC2 Instance Connect.**

  For more information, see [Prerequisites for EC2 Instance Connect](ec2-instance-connect-prerequisites.md).
+ **Verify the prerequisites for connecting to your instance using an SSH client on your local machine.**

  For more information, see [Connect to your Linux instance using SSH](connect-to-linux-instance.md).
+ **Get the ID of the instance.**

  You can get the ID of your instance using the Amazon EC2 console (from the **Instance ID** column). If you prefer, you can use the [describe-instances](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instances.html) (AWS CLI) or [Get-EC2Instance](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-EC2Instance.html) (AWS Tools for Windows PowerShell) command.

## Manually install EC2 Instance Connect


**Note**  
If you launched your instance using one of the following AMIs, EC2 Instance Connect is pre-installed and you can skip this procedure:  
+ AL2023 standard AMI
+ Amazon Linux 2 2.0.20190618 or later
+ macOS Sonoma 14.2.1 or later
+ macOS Ventura 13.6.3 or later
+ macOS Monterey 12.7.2 or later
+ Ubuntu 20.04 or later

Use one of the following procedures for installing EC2 Instance Connect, depending on the operating system of your instance.

------
#### [ Amazon Linux 2 ]

**To install EC2 Instance Connect on an instance launched with Amazon Linux 2**

1. Connect to your instance using SSH.

   Replace the example values in the following command with your values. Use the SSH key pair that was assigned to your instance when you launched it and the default username of the AMI that you used to launch your instance. For Amazon Linux 2, the default username is `ec2-user`.

   ```
   $ ssh -i my_ec2_private_key.pem ec2-user@ec2-a-b-c-d.us-west-2.compute.amazonaws.com
   ```

   For more information about connecting to your instance, see [Connect to your Linux instance using an SSH client](connect-linux-inst-ssh.md).

1. Install the EC2 Instance Connect package on your instance.

   ```
   [ec2-user ~]$ sudo yum install ec2-instance-connect
   ```

   You should see three new scripts in the `/opt/aws/bin/` folder:

   ```
   eic_curl_authorized_keys
   eic_parse_authorized_keys
   eic_run_authorized_keys
   ```

1. (Optional) Verify that EC2 Instance Connect was successfully installed on your instance.

   ```
   [ec2-user ~]$ sudo less /etc/ssh/sshd_config
   ```

   EC2 Instance Connect was successfully installed if the `AuthorizedKeysCommand` and `AuthorizedKeysCommandUser` lines contain the following values:

   ```
   AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys %u %f
   AuthorizedKeysCommandUser ec2-instance-connect
   ```
   + `AuthorizedKeysCommand` sets the `eic_run_authorized_keys` script to look up the keys from the instance metadata
   + `AuthorizedKeysCommandUser` sets the system user as `ec2-instance-connect`
**Note**  
If you previously configured `AuthorizedKeysCommand` and `AuthorizedKeysCommandUser`, the EC2 Instance Connect installation will not change the values and you will not be able to use EC2 Instance Connect.

------
#### [ CentOS ]

**To install EC2 Instance Connect on an instance launched with CentOS**

1. Connect to your instance using SSH.

   Replace the example values in the following command with your values. Use the SSH key pair that was assigned to your instance when you launched it and the default username of the AMI that you used to launch your instance. For CentOS, the default username is `centos` or `ec2-user`.

   ```
   $ ssh -i my_ec2_private_key.pem centos@ec2-a-b-c-d.us-west-2.compute.amazonaws.com
   ```

   For more information about connecting to your instance, see [Connect to your Linux instance using an SSH client](connect-linux-inst-ssh.md).

1. If you use an HTTP or HTTPS proxy, you must set the `http_proxy` or `https_proxy` environment variables in the current shell session.

   If you're not using a proxy, you can skip this step.
   + For an HTTP proxy server, run the following commands:

     ```
     $ export http_proxy=http://hostname:port
     $ export https_proxy=http://hostname:port
     ```
   + For an HTTPS proxy server, run the following commands:

     ```
     $ export http_proxy=https://hostname:port
     $ export https_proxy=https://hostname:port
     ```

1. Install the EC2 Instance Connect package on your instance by running the following commands.

   The EC2 Instance Connect configuration files for CentOS are provided in a Red Hat Package Manager (RPM) package, with different RPM packages for CentOS 8 and CentOS 9 and for instance types that run on Intel/AMD (x86_64) or ARM (AArch64).

   Use the command block for your operating system and CPU architecture.
   + CentOS 8

     Intel/AMD (x86_64)

     ```
     [ec2-user ~]$ mkdir /tmp/ec2-instance-connect
     [ec2-user ~]$ curl https://amazon-ec2-instance-connect-us-west-2.s3.us-west-2.amazonaws.com/latest/linux_amd64/ec2-instance-connect-2.0.0-5.rhel8.x86_64.rpm -o /tmp/ec2-instance-connect/ec2-instance-connect.rpm
     [ec2-user ~]$ curl https://amazon-ec2-instance-connect-us-west-2.s3.us-west-2.amazonaws.com/latest/linux_amd64/ec2-instance-connect-selinux-2.0.0-5.noarch.rpm -o /tmp/ec2-instance-connect/ec2-instance-connect-selinux.rpm
     [ec2-user ~]$ sudo yum install -y /tmp/ec2-instance-connect/ec2-instance-connect.rpm /tmp/ec2-instance-connect/ec2-instance-connect-selinux.rpm
     ```

     ARM (AArch64)

     ```
     [ec2-user ~]$ mkdir /tmp/ec2-instance-connect
     [ec2-user ~]$ curl https://amazon-ec2-instance-connect-us-west-2.s3.us-west-2.amazonaws.com/latest/linux_arm64/ec2-instance-connect-2.0.0-5.rhel8.aarch64.rpm -o /tmp/ec2-instance-connect/ec2-instance-connect.rpm
     [ec2-user ~]$ curl https://amazon-ec2-instance-connect-us-west-2.s3.us-west-2.amazonaws.com/latest/linux_arm64/ec2-instance-connect-selinux-2.0.0-5.noarch.rpm -o /tmp/ec2-instance-connect/ec2-instance-connect-selinux.rpm
     [ec2-user ~]$ sudo yum install -y /tmp/ec2-instance-connect/ec2-instance-connect.rpm /tmp/ec2-instance-connect/ec2-instance-connect-selinux.rpm
     ```
   + CentOS 9

     Intel/AMD (x86_64)

     ```
     [ec2-user ~]$ mkdir /tmp/ec2-instance-connect
     [ec2-user ~]$ curl https://amazon-ec2-instance-connect-us-west-2.s3.us-west-2.amazonaws.com/latest/linux_amd64/ec2-instance-connect-2.0.0-5.rhel9.x86_64.rpm -o /tmp/ec2-instance-connect/ec2-instance-connect.rpm
     [ec2-user ~]$ curl https://amazon-ec2-instance-connect-us-west-2.s3.us-west-2.amazonaws.com/latest/linux_amd64/ec2-instance-connect-selinux-2.0.0-5.noarch.rpm -o /tmp/ec2-instance-connect/ec2-instance-connect-selinux.rpm
     [ec2-user ~]$ sudo yum install -y /tmp/ec2-instance-connect/ec2-instance-connect.rpm /tmp/ec2-instance-connect/ec2-instance-connect-selinux.rpm
     ```

     ARM (AArch64)

     ```
     [ec2-user ~]$ mkdir /tmp/ec2-instance-connect
     [ec2-user ~]$ curl https://amazon-ec2-instance-connect-us-west-2.s3.us-west-2.amazonaws.com/latest/linux_arm64/ec2-instance-connect-2.0.0-5.rhel9.aarch64.rpm -o /tmp/ec2-instance-connect/ec2-instance-connect.rpm
     [ec2-user ~]$ curl https://amazon-ec2-instance-connect-us-west-2.s3.us-west-2.amazonaws.com/latest/linux_arm64/ec2-instance-connect-selinux-2.0.0-5.noarch.rpm -o /tmp/ec2-instance-connect/ec2-instance-connect-selinux.rpm
     [ec2-user ~]$ sudo yum install -y /tmp/ec2-instance-connect/ec2-instance-connect.rpm /tmp/ec2-instance-connect/ec2-instance-connect-selinux.rpm
     ```

   You should see the following new script in the `/opt/aws/bin/` folder:

   ```
   eic_run_authorized_keys
   ```

1. (Optional) Verify that EC2 Instance Connect was successfully installed on your instance.
   + For CentOS 8:

     ```
     [ec2-user ~]$ sudo less /lib/systemd/system/sshd.service.d/ec2-instance-connect.conf
     ```
   + For CentOS 9:

     ```
     [ec2-user ~]$ sudo less /etc/ssh/sshd_config.d/60-ec2-instance-connect.conf
     ```

   EC2 Instance Connect was successfully installed if the `AuthorizedKeysCommand` and `AuthorizedKeysCommandUser` lines contain the following values:

   ```
   AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys %u %f
   AuthorizedKeysCommandUser ec2-instance-connect
   ```
   + `AuthorizedKeysCommand` sets the `eic_run_authorized_keys` script to look up the keys from the instance metadata
   + `AuthorizedKeysCommandUser` sets the system user as `ec2-instance-connect`
**Note**  
If you previously configured `AuthorizedKeysCommand` and `AuthorizedKeysCommandUser`, the EC2 Instance Connect installation will not change the values and you will not be able to use EC2 Instance Connect.

------
#### [ macOS ]

**To install EC2 Instance Connect on an instance launched with macOS**

1. Connect to your instance using SSH.

   Replace the example values in the following command with your values. Use the SSH key pair that was assigned to your instance when you launched it and the default username of the AMI that you used to launch your instance. For macOS instances, the default username is `ec2-user`.

   ```
   $ ssh -i my_ec2_private_key.pem ec2-user@ec2-a-b-c-d.us-west-2.compute.amazonaws.com
   ```

   For more information about connecting to your instance, see [Connect to your Linux instance using an SSH client](connect-linux-inst-ssh.md).

1. Update Homebrew using the following command. The update will list the software that Homebrew knows about. The EC2 Instance Connect package is provided via Homebrew on macOS instances. For more information, see [Update the operating system and software on Amazon EC2 Mac instances](mac-instance-updates.md).

   ```
   [ec2-user ~]$ brew update
   ```

1. Install the EC2 Instance Connect package on your instance. This will install the software and configure sshd to use it.

   ```
   [ec2-user ~]$ brew install ec2-instance-connect
   ```

   You should see the following new script in the `/opt/aws/bin/` folder:

   ```
   eic_run_authorized_keys
   ```

1. (Optional) Verify that EC2 Instance Connect was successfully installed on your instance.

   ```
   [ec2-user ~]$ sudo less /etc/ssh/sshd_config.d/60-ec2-instance-connect.conf
   ```

   EC2 Instance Connect was successfully installed if the `AuthorizedKeysCommand` and `AuthorizedKeysCommandUser` lines contain the following values:

   ```
   AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys %u %f
   AuthorizedKeysCommandUser ec2-instance-connect
   ```
   + `AuthorizedKeysCommand` sets the `eic_run_authorized_keys` script to look up the keys from the instance metadata
   + `AuthorizedKeysCommandUser` sets the system user as `ec2-instance-connect`
**Note**  
If you previously configured `AuthorizedKeysCommand` and `AuthorizedKeysCommandUser`, the EC2 Instance Connect installation will not change the values and you will not be able to use EC2 Instance Connect.

------
#### [ RHEL ]

**To install EC2 Instance Connect on an instance launched with Red Hat Enterprise Linux (RHEL)**

1. Connect to your instance using SSH.

   Replace the example values in the following command with your values. Use the SSH key pair that was assigned to your instance when you launched it and the default username of the AMI that you used to launch your instance. For RHEL, the default username is `ec2-user` or `root`.

   ```
   $ ssh -i my_ec2_private_key.pem ec2-user@ec2-a-b-c-d.us-west-2.compute.amazonaws.com
   ```

   For more information about connecting to your instance, see [Connect to your Linux instance using an SSH client](connect-linux-inst-ssh.md).

1. If you use an HTTP or HTTPS proxy, you must set the `http_proxy` or `https_proxy` environment variables in the current shell session.

   If you're not using a proxy, you can skip this step.
   + For an HTTP proxy server, run the following commands:

     ```
     $ export http_proxy=http://hostname:port
     $ export https_proxy=http://hostname:port
     ```
   + For an HTTPS proxy server, run the following commands:

     ```
     $ export http_proxy=https://hostname:port
     $ export https_proxy=https://hostname:port
     ```

1. Install the EC2 Instance Connect package on your instance by running the following commands. 

   The EC2 Instance Connect configuration files for RHEL are provided in a Red Hat Package Manager (RPM) package, with different RPM packages for RHEL 8 and RHEL 9 and for instance types that run on Intel/AMD (x86_64) or ARM (AArch64).

   Use the command block for your operating system and CPU architecture.
   + RHEL 8

     Intel/AMD (x86_64)

     ```
     [ec2-user ~]$ mkdir /tmp/ec2-instance-connect
     [ec2-user ~]$ curl https://amazon-ec2-instance-connect-us-west-2.s3.us-west-2.amazonaws.com/latest/linux_amd64/ec2-instance-connect-2.0.0-5.rhel8.x86_64.rpm -o /tmp/ec2-instance-connect/ec2-instance-connect.rpm
     [ec2-user ~]$ curl https://amazon-ec2-instance-connect-us-west-2.s3.us-west-2.amazonaws.com/latest/linux_amd64/ec2-instance-connect-selinux-2.0.0-5.noarch.rpm -o /tmp/ec2-instance-connect/ec2-instance-connect-selinux.rpm
     [ec2-user ~]$ sudo yum install -y /tmp/ec2-instance-connect/ec2-instance-connect.rpm /tmp/ec2-instance-connect/ec2-instance-connect-selinux.rpm
     ```

     ARM (AArch64)

     ```
     [ec2-user ~]$ mkdir /tmp/ec2-instance-connect
     [ec2-user ~]$ curl https://amazon-ec2-instance-connect-us-west-2.s3.us-west-2.amazonaws.com/latest/linux_arm64/ec2-instance-connect-2.0.0-5.rhel8.aarch64.rpm -o /tmp/ec2-instance-connect/ec2-instance-connect.rpm
     [ec2-user ~]$ curl https://amazon-ec2-instance-connect-us-west-2.s3.us-west-2.amazonaws.com/latest/linux_arm64/ec2-instance-connect-selinux-2.0.0-5.noarch.rpm -o /tmp/ec2-instance-connect/ec2-instance-connect-selinux.rpm
     [ec2-user ~]$ sudo yum install -y /tmp/ec2-instance-connect/ec2-instance-connect.rpm /tmp/ec2-instance-connect/ec2-instance-connect-selinux.rpm
     ```
   + RHEL 9

     Intel/AMD (x86_64)

     ```
     [ec2-user ~]$ mkdir /tmp/ec2-instance-connect
     [ec2-user ~]$ curl https://amazon-ec2-instance-connect-us-west-2.s3.us-west-2.amazonaws.com/latest/linux_amd64/ec2-instance-connect-2.0.0-5.rhel9.x86_64.rpm -o /tmp/ec2-instance-connect/ec2-instance-connect.rpm
     [ec2-user ~]$ curl https://amazon-ec2-instance-connect-us-west-2.s3.us-west-2.amazonaws.com/latest/linux_amd64/ec2-instance-connect-selinux-2.0.0-5.noarch.rpm -o /tmp/ec2-instance-connect/ec2-instance-connect-selinux.rpm
     [ec2-user ~]$ sudo yum install -y /tmp/ec2-instance-connect/ec2-instance-connect.rpm /tmp/ec2-instance-connect/ec2-instance-connect-selinux.rpm
     ```

     ARM (AArch64)

     ```
     [ec2-user ~]$ mkdir /tmp/ec2-instance-connect
     [ec2-user ~]$ curl https://amazon-ec2-instance-connect-us-west-2.s3.us-west-2.amazonaws.com/latest/linux_arm64/ec2-instance-connect-2.0.0-5.rhel9.aarch64.rpm -o /tmp/ec2-instance-connect/ec2-instance-connect.rpm
     [ec2-user ~]$ curl https://amazon-ec2-instance-connect-us-west-2.s3.us-west-2.amazonaws.com/latest/linux_arm64/ec2-instance-connect-selinux-2.0.0-5.noarch.rpm -o /tmp/ec2-instance-connect/ec2-instance-connect-selinux.rpm
     [ec2-user ~]$ sudo yum install -y /tmp/ec2-instance-connect/ec2-instance-connect.rpm /tmp/ec2-instance-connect/ec2-instance-connect-selinux.rpm
     ```

   You should see the following new script in the `/opt/aws/bin/` folder:

   ```
   eic_run_authorized_keys
   ```

1. (Optional) Verify that EC2 Instance Connect was successfully installed on your instance.
   + For RHEL 8:

     ```
     [ec2-user ~]$ sudo less /lib/systemd/system/sshd.service.d/ec2-instance-connect.conf
     ```
   + For RHEL 9:

     ```
     [ec2-user ~]$ sudo less /etc/ssh/sshd_config.d/60-ec2-instance-connect.conf
     ```

   EC2 Instance Connect was successfully installed if the `AuthorizedKeysCommand` and `AuthorizedKeysCommandUser` lines contain the following values:

   ```
   AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys %u %f
   AuthorizedKeysCommandUser ec2-instance-connect
   ```
   + `AuthorizedKeysCommand` sets the `eic_run_authorized_keys` script to look up the keys from the instance metadata
   + `AuthorizedKeysCommandUser` sets the system user as `ec2-instance-connect`
**Note**  
If you previously configured `AuthorizedKeysCommand` and `AuthorizedKeysCommandUser`, the EC2 Instance Connect installation will not change the values and you will not be able to use EC2 Instance Connect.

------
#### [ Ubuntu ]

**To install EC2 Instance Connect on an instance launched with Ubuntu 16.04 or later**

1. Connect to your instance using SSH.

   Replace the example values in the following command with your values. Use the SSH key pair that was assigned to your instance when you launched it and use the default username of the AMI that you used to launch your instance. For an Ubuntu AMI, the username is `ubuntu`.

   ```
   $ ssh -i my_ec2_private_key.pem ubuntu@ec2-a-b-c-d.us-west-2.compute.amazonaws.com
   ```

   For more information about connecting to your instance, see [Connect to your Linux instance using an SSH client](connect-linux-inst-ssh.md).

1. (Optional) Ensure your instance has the latest Ubuntu AMI.

   Run the following commands to update all the packages on your instance.

   ```
   ubuntu:~$ sudo apt-get update
   ```

   ```
   ubuntu:~$ sudo apt-get upgrade
   ```

1. Install the EC2 Instance Connect package on your instance.

   ```
   ubuntu:~$ sudo apt-get install ec2-instance-connect
   ```

   You should see three new scripts in the `/usr/share/ec2-instance-connect/` folder:

   ```
   eic_curl_authorized_keys
   eic_parse_authorized_keys
   eic_run_authorized_keys
   ```

1. (Optional) Verify that EC2 Instance Connect was successfully installed on your instance.

   ```
   ubuntu:~$ sudo less /lib/systemd/system/ssh.service.d/ec2-instance-connect.conf
   ```

   EC2 Instance Connect was successfully installed if the `AuthorizedKeysCommand` and `AuthorizedKeysCommandUser` lines contain the following values. The doubled `%%` is systemd escaping: in a unit drop-in file a single `%` introduces a specifier, so `%%u %%f` reaches sshd as `%u %f`.

   ```
   AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys %%u %%f
   AuthorizedKeysCommandUser ec2-instance-connect
   ```
   + `AuthorizedKeysCommand` sets the `eic_run_authorized_keys` script to look up the keys from the instance metadata
   + `AuthorizedKeysCommandUser` sets the system user as `ec2-instance-connect`
**Note**  
If you previously configured `AuthorizedKeysCommand` and `AuthorizedKeysCommandUser`, the EC2 Instance Connect installation will not change the values and you will not be able to use EC2 Instance Connect.

------
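Each verification step above reads one file, but the effective setting may live in `sshd_config`, in `sshd_config.d/`, or in a systemd drop-in depending on the distribution, and a pre-existing `AuthorizedKeysCommand` (the case described in the notes above) or a later edit overrides it silently. The following script is an added example, not from this page or from the `ec2-instance-connect` package: it checks the configuration that sshd has actually merged, as printed by OpenSSH's `sshd -T`, against the values the procedures above expect. The function name `eic_check` and the `--live` flag are the example's own; the script paths and the `ec2-instance-connect` user are those shown above.

```shell
#!/bin/sh
# Added example (not part of the AWS documentation or the ec2-instance-connect
# package): verify the merged sshd configuration rather than one config file.
# `sshd -T` prints every effective option with lower-case keywords, for example
#   authorizedkeyscommand /opt/aws/bin/eic_run_authorized_keys %u %f
#   authorizedkeyscommanduser ec2-instance-connect
# Run on the instance as root:  sudo sh eic_check.sh --live

# eic_check CONFIG_TEXT
# Returns 0 when key lookup is handed to eic_run_authorized_keys running as the
# ec2-instance-connect user, 1 otherwise (including "none", i.e. not configured).
eic_check() {
  cmd=$(printf '%s\n' "$1"  | awk 'tolower($1)=="authorizedkeyscommand"     {print $2}')
  user=$(printf '%s\n' "$1" | awk 'tolower($1)=="authorizedkeyscommanduser" {print $2}')

  case "$cmd" in
    */eic_run_authorized_keys) ;;   # /opt/aws/bin or /usr/share/ec2-instance-connect
    *)
      echo "FAIL: AuthorizedKeysCommand is '${cmd:-none}', not eic_run_authorized_keys"
      return 1 ;;
  esac
  if [ "$user" != "ec2-instance-connect" ]; then
    echo "FAIL: AuthorizedKeysCommandUser is '${user:-none}', expected ec2-instance-connect"
    return 1
  fi
  echo "OK: $cmd runs as $user"
}

if [ "${1:-}" = "--live" ]; then
  live=$(sshd -T) || { echo "FAIL: sshd -T failed (run as root)"; exit 1; }
  eic_check "$live" || exit 1
  # The merged config can still name the helper after the package was removed.
  # If the helper is missing or its permissions are unsafe, or its user does not
  # exist, sshd logs an error and the key lookup fails, so check both.
  helper=$(printf '%s\n' "$live" | awk '$1=="authorizedkeyscommand" {print $2}')
  [ -x "$helper" ] || { echo "FAIL: $helper is not executable"; exit 1; }
  id ec2-instance-connect >/dev/null 2>&1 \
    || { echo "FAIL: user ec2-instance-connect does not exist"; exit 1; }
fi
```

A `FAIL` for a command other than `eic_run_authorized_keys` means exactly the situation the notes warn about: sshd is configured to consult some other key source, and the pushed key will never be looked up, even though the package installed cleanly.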

# Connect to a Linux instance using EC2 Instance Connect
Connect to an instance

The following instructions explain how to connect to your Linux instance using EC2 Instance Connect through the Amazon EC2 console, the AWS CLI, or an SSH client. 

When you connect to an instance using EC2 Instance Connect through the console or AWS CLI, the EC2 Instance Connect API automatically pushes an SSH public key to the [instance metadata](ec2-instance-metadata.md) where it remains for 60 seconds. An IAM policy attached to your user authorizes this action. If you prefer using your own SSH key, you can use an SSH client and explicitly push your SSH key to the instance using EC2 Instance Connect.

**Considerations**  
After connecting to an instance using EC2 Instance Connect, the connection persists until the SSH session is terminated. The duration of the connection is not determined by the duration of your IAM credentials. If your IAM credentials expire, the connection continues to persist. When using the EC2 Instance Connect console experience, if your IAM credentials expire, terminate the connection by closing the browser page. When using your own SSH client and EC2 Instance Connect to push your key, you can set a SSH timeout value to terminate the SSH session automatically.

**Requirements**  
Before you begin, be sure to review the [prerequisites](ec2-instance-connect-prerequisites.md).

**Topics**
+ [Connect using the Amazon EC2 console](#ec2-instance-connect-connecting-console)
+ [Connect using the AWS CLI](#connect-linux-inst-eic-cli-ssh)
+ [Connect using your own key and SSH client](#ec2-instance-connect-connecting-aws-cli)
+ [Troubleshoot](#ic-troubleshoot)

## Connect using the Amazon EC2 console


You can connect to an instance using EC2 Instance Connect through the Amazon EC2 console.

**Requirements**  
To connect using the Amazon EC2 console, the instance must have either a public IPv4 or IPv6 address. If the instance only has a private IPv4 address, you can use the [ec2-instance-connect AWS CLI](#connect-linux-inst-eic-cli-ssh) to connect.

**To connect to your instance using the Amazon EC2 console**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Instances**.

1. Select the instance and choose **Connect**.

1. Choose the **EC2 Instance Connect** tab.

1. Choose **Connect using a Public IP**.

1. If there is a choice, select the IP address to connect to. Otherwise, the IP address is selected automatically.

1. For **Username**, verify the username.

1. Choose **Connect** to establish a connection. An in-browser terminal window opens.

## Connect using the AWS CLI


You can use the [ec2-instance-connect](https://docs.aws.amazon.com/cli/latest/reference/ec2-instance-connect/index.html) AWS CLI to connect to your instance with an SSH client. EC2 Instance Connect attempts to establish a connection using an available IP address in a predefined order, based on the specified connection type. If an IP address isn't available, it automatically tries the next one in the order.

**Connection types**

`auto` (default)  
EC2 Instance Connect tries to connect using the instance's IP addresses in the following order and with the corresponding connection type:  

1. Public IPv4: `direct`

1. Private IPv4: `eice`

1. IPv6: `direct`

`direct`  
EC2 Instance Connect tries to connect using the instance's IP addresses in the following order:  

1. Public IPv4

1. IPv6

1. Private IPv4 (it does not connect over an EC2 Instance Connect Endpoint)

`eice`  
EC2 Instance Connect tries to connect using the instance's private IPv4 address and an [EC2 Instance Connect Endpoint](connect-with-ec2-instance-connect-endpoint.md).

**Note**  
In the future, we might change the behavior of the `auto` connection type. To ensure that your desired connection type is used, we recommend that you explicitly set the `--connection-type` to either `direct` or `eice`.

**Requirements**  
You must use AWS CLI version 2. For more information, see [Install or update to the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).

**To connect to an instance using the instance ID**  
If you only know the instance ID, and want to let EC2 Instance Connect determine the connection type to use when connecting to your instance, use the [ec2-instance-connect ssh](https://docs.aws.amazon.com/cli/latest/reference/ec2-instance-connect/ssh.html) CLI command with the instance ID.

```
aws ec2-instance-connect ssh --instance-id i-1234567890example
```

**To connect to an instance using the instance ID and an EC2 Instance Connect Endpoint**  
If you want to connect to your instance over an [EC2 Instance Connect Endpoint](connect-with-ec2-instance-connect-endpoint.md), use the preceding command and also specify the `--connection-type` parameter with the `eice` value.

```
aws ec2-instance-connect ssh --instance-id i-1234567890example --connection-type eice
```

**To connect to an instance using the instance ID and your own private key file**  
If you want to connect with your own private key instead of the key that EC2 Instance Connect pushes for the session, specify the instance ID and the path to the private key file. This works with any connection type; add `--connection-type eice` to go over an EC2 Instance Connect Endpoint. Do not include *file://* in the path; the following example will fail: *file:///path/to/key*.

```
aws ec2-instance-connect ssh --instance-id i-1234567890example --private-key-file /path/to/key.pem
```

**Tip**  
If you get an error when using these commands, make sure that you're using AWS CLI version 2, because the `ssh` command is only available in this major version. We also recommend regularly updating to the latest minor version of AWS CLI version 2 to access the latest features. For more information, see [About AWS CLI version 2](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html#welcome-versions-v2) in the *AWS Command Line Interface User Guide*.

## Connect using your own key and SSH client


You can use your own SSH key and connect to your instance from the SSH client of your choice while using the EC2 Instance Connect API. This enables you to benefit from the EC2 Instance Connect capability to push a public key to the instance. This connection method works for instances with public and private IP addresses.

**Requirements**
+ Requirements for key pairs
  + Supported types: RSA (OpenSSH and SSH2) and ED25519
  + Supported lengths (RSA): 2048 and 4096
  + For more information, see [Create a key pair using a third-party tool and import the public key to Amazon EC2](create-key-pairs.md#how-to-generate-your-own-key-and-import-it-to-aws).
+ When connecting to an instance that has only private IP addresses, the local computer from which you are initiating the SSH session must have connectivity to the EC2 Instance Connect service endpoint (to push your SSH public key to the instance) as well as network connectivity to the instance's private IP address to establish the SSH session. The EC2 Instance Connect service endpoint is reachable over the internet or over a Direct Connect public virtual interface. To connect to the instance's private IP address, you can use services such as [Direct Connect](https://aws.amazon.com/directconnect/), [AWS Site-to-Site VPN](https://aws.amazon.com/vpn/), or [VPC peering](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html).

**To connect to your instance using your own key and any SSH client**

1. **(Optional) Generate new SSH private and public keys**

   You can generate new SSH private and public keys, `my_key` and `my_key.pub`, using the following command (pass `-t ed25519` instead of `-t rsa` for an ED25519 key, which is also supported):

   ```
   ssh-keygen -t rsa -f my_key
   ```

1. **Push your SSH public key to the instance**

   Use the [send-ssh-public-key](https://docs.aws.amazon.com/cli/latest/reference/ec2-instance-connect/send-ssh-public-key.html) command to push your SSH public key to the instance. If you launched your instance using AL2023 or Amazon Linux 2, the default username for the AMI is `ec2-user`. If you launched your instance using Ubuntu, the default username for the AMI is `ubuntu`.

   The following example pushes the public key to the specified instance in the specified Availability Zone, to authenticate `ec2-user`.

   ```
   aws ec2-instance-connect send-ssh-public-key \
       --region us-west-2 \
       --availability-zone us-west-2b \
       --instance-id i-001234a4bf70dec41EXAMPLE \
       --instance-os-user ec2-user \
       --ssh-public-key file://my_key.pub
   ```

1. **Connect to the instance using your private key**

   Use the **ssh** command to connect to the instance using the private key before the public key is removed from the instance metadata (you have 60 seconds before it is removed). Specify the private key that corresponds to the public key, the default username for the AMI that you used to launch your instance, and the instance's public DNS name (if connecting over a private network, specify the private DNS name or IP address). Add the `IdentitiesOnly=yes` option so that only the specified key (plus any keys named in your ssh config) is offered; without it, ssh first tries every key loaded in ssh-agent, and each rejected key counts against the server's `MaxAuthTries` limit, which can fail the login before the pushed key is tried.

   ```
   ssh -o "IdentitiesOnly=yes" -i my_key ec2-user@ec2-198-51-100-1.compute-1.amazonaws.com
   ```

   The following example uses `timeout 3600` to set your SSH session to terminate after 1 hour. Processes started during the session may continue running on your instance after the session terminates.

   ```
   timeout 3600 ssh -o "IdentitiesOnly=yes" -i my_key ec2-user@ec2-198-51-100-1.compute-1.amazonaws.com
   ```
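The three steps above combined into one script, as an added example that is not from this page: a throwaway ED25519 key pair is created in a private temp directory, pushed with `send-ssh-public-key`, used for a single time-bounded session, and deleted when the session ends, so no reusable private key is left on the client. The function name `eic_session`, the Availability Zone lookup through `describe-instances`, and the default region are the example's own assumptions; the instance ID, username and host name are the placeholders used above, and the caller's IAM identity is assumed to be allowed to call `SendSSHPublicKey` for that instance.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): one-shot EC2 Instance Connect
# session with an ephemeral key. Assumes AWS CLI v2 and OpenSSH on the client.
#
# Usage: eic_session INSTANCE_ID OS_USER HOST [REGION] [MAX_SECONDS]
#   eic_session i-1234567890example ec2-user ec2-198-51-100-1.compute-1.amazonaws.com us-west-2 3600
eic_session() (
  set -eu
  instance_id=$1 os_user=$2 host=$3 region=${4:-us-west-2} max_secs=${5:-3600}

  # send-ssh-public-key requires the instance's Availability Zone (assumption:
  # look it up with describe-instances rather than hardcoding it).
  az=$(aws ec2 describe-instances --region "$region" --instance-ids "$instance_id" \
         --query 'Reservations[0].Instances[0].Placement.AvailabilityZone' --output text)

  keydir=$(mktemp -d)            # mktemp -d creates the directory with mode 0700
  trap 'rm -rf "$keydir"' EXIT   # fires when this subshell exits, whatever ssh returns
  ssh-keygen -q -t ed25519 -N '' -C "eic-$instance_id" -f "$keydir/key"

  aws ec2-instance-connect send-ssh-public-key --region "$region" \
      --availability-zone "$az" --instance-id "$instance_id" \
      --instance-os-user "$os_user" --ssh-public-key "file://$keydir/key.pub" >/dev/null

  # Connect immediately: the key is dropped from instance metadata after 60 seconds.
  # IdentitiesOnly=yes keeps ssh-agent from offering other keys first (each rejected
  # key counts against MaxAuthTries); timeout bounds the session, because expiry of
  # the IAM credentials does not end an established SSH session.
  timeout "$max_secs" ssh -o IdentitiesOnly=yes -i "$keydir/key" "$os_user@$host"
)
```

Because the key is generated with an empty passphrase and lives only in the 0700 temp directory for the length of the session, its exposure window is the session itself; the audit record of who opened it is the `SendSSHPublicKey` CloudTrail event, not the key.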

## Troubleshoot


If you receive an error while attempting to connect to your instance, see the following:
+ [Troubleshoot issues connecting to your Amazon EC2 Linux instance](TroubleshootingInstancesConnecting.md)
+ [How do I troubleshoot issues connecting to my EC2 instance using EC2 Instance Connect?](https://repost.aws/knowledge-center/ec2-instance-connect-troubleshooting)

# Uninstall EC2 Instance Connect


To disable EC2 Instance Connect, connect to your Linux instance and uninstall the `ec2-instance-connect` package that is installed on the OS. If the `sshd` configuration matches what it was set to when you installed EC2 Instance Connect, uninstalling `ec2-instance-connect` also removes the `sshd` configuration. If you modified the `sshd` configuration after installing EC2 Instance Connect, you must update it manually.

------
#### [ Amazon Linux ]

You can uninstall EC2 Instance Connect on AL2023 and Amazon Linux 2 2.0.20190618 or later, where EC2 Instance Connect is preconfigured.

**To uninstall EC2 Instance Connect on an instance launched using Amazon Linux**

1. Connect to your instance using SSH. Specify the SSH key pair you used for your instance when you launched it and the default username for the AL2023 or Amazon Linux 2 AMI, which is `ec2-user`.

   For example, the following **ssh** command connects to the instance with the public DNS name `ec2-a-b-c-d.us-west-2.compute.amazonaws.com`, using the key pair `my_ec2_private_key.pem`.

   ```
   $ ssh -i my_ec2_private_key.pem ec2-user@ec2-a-b-c-d.us-west-2.compute.amazonaws.com
   ```

1. Uninstall the `ec2-instance-connect` package using the **yum** command.

   ```
   [ec2-user ~]$ sudo yum remove ec2-instance-connect
   ```

------
#### [ Ubuntu ]

**To uninstall EC2 Instance Connect on an instance launched using an Ubuntu AMI**

1. Connect to your instance using SSH. Specify the SSH key pair you used for your instance when you launched it and the default username for the Ubuntu AMI, which is `ubuntu`.

   For example, the following **ssh** command connects to the instance with the public DNS name `ec2-a-b-c-d.us-west-2.compute.amazonaws.com`, using the key pair `my_ec2_private_key.pem`.

   ```
   $ ssh -i my_ec2_private_key.pem ubuntu@ec2-a-b-c-d.us-west-2.compute.amazonaws.com
   ```

1. Uninstall the `ec2-instance-connect` package using the **apt-get** command.

   ```
   ubuntu:~$ sudo apt-get remove ec2-instance-connect
   ```

------