# Learn how to export Lightsail snapshots to Amazon EC2 Export snapshots to EC2 You can export Lightsail snapshots to Amazon EC2, create EC2 resources from exported snapshots, choose compatible EC2 instance types, connect to EC2 instances, and secure EC2 instances created from Lightsail snapshots. Amazon Lightsail instance and block storage disk snapshots can be exported to Amazon Elastic Compute Cloud (Amazon EC2) using one of the following methods: + The Lightsail console. For more information, see [Export snapshots to Amazon EC2](amazon-lightsail-exporting-snapshots-to-amazon-ec2.md). + The Lightsail API, AWS Command Line Interface (AWS CLI), or SDKs. For more information, see the [ExportSnapshot operation](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_ExportSnapshot.html) in the Lightsail API documentation, or the [export-snapshot command](https://docs.aws.amazon.com/cli/latest/reference/lightsail/export-snapshot.html) in the AWS CLI documentation. You can export instance snapshots and block storage disk snapshots. However, snapshots of cPanel & WHM (CentOS 7) instances cannot be exported to Amazon EC2. Snapshots are exported to the same AWS Region from Lightsail to Amazon EC2. To export snapshots to a different Region, first copy the snapshot to a different Region in Lightsail, then perform the export. For more information, see [Copy snapshots from one AWS Region to another](amazon-lightsail-copying-snapshots-from-one-region-to-another.md). Exporting a Lightsail instance snapshot results in an Amazon Machine Image (AMI) and an Amazon Elastic Block Store (Amazon EBS) snapshot being created in Amazon EC2. This is because Lightsail instances consist of an image and a system disk, which are grouped together as a single instance entity in the Lightsail console for more efficient management. If the source Lightsail instance had one or more block storage disks attached to it when the snapshot was created, then additional EBS snapshots for each attached disk will be created in Amazon EC2. Exporting a Lightsail block storage disk snapshot results in a single EBS snapshot being created in Amazon EC2. All exported resources in Amazon EC2 have their own distinct unique identifiers that are different than their Lightsail counterparts. ![\[Exporting Lightsail snapshots to Amazon EC2.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-export-snapshot-diagram.png) **Note** Lightsail uses an AWS Identity and Access Management (IAM) service-linked role (SLR) to export snapshots to Amazon EC2. For more information about SLRs, see [Service-linked roles](amazon-lightsail-using-service-linked-roles.md). The export process can take a while. It depends on the size and configuration of the source instance or block storage disk. Use the **Exports** section in the Lightsail console to track the status of your export. For more information, see [Track snapshot export status in Lightsail](amazon-lightsail-task-monitor.md). ## Create Amazon EC2 resources from exported Lightsail snapshots After a Lightsail snapshot is exported and available in Amazon EC2 (as an AMI, EBS snapshot, or both), you can create Amazon EC2 resources from the snapshot using one of the following methods: + The **Create an Amazon EC2 instance** page in the Lightsail console, also known as the Upgrade to Amazon EC2 Wizard. For more information, see [Create Amazon EC2 instances from exported snapshots](amazon-lightsail-creating-ec2-instances-from-exported-snapshots.md). + The Lightsail API, AWS CLI, or SDKs. For more information, see the [CreateCloudFormationStack operation](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_CreateCloudFormationStack.html) in the Lightsail API documentation, or the [create-cloud-formation-stack command](https://docs.aws.amazon.com/cli/latest/reference/lightsail/create-cloud-formation-stack.html) in the AWS CLI documentation. **Note** Lightsail can be used to create Amazon EC2 instances from exported instance snapshots, but it cannot be used to create EBS volumes from exported block storage disk snapshots. For this, you must use the Amazon EC2 console, API, or AWS CLI. For more information, see [Create Amazon EBS volumes from exported disk snapshots](amazon-lightsail-creating-ebs-volumes-from-exported-snapshots.md). + The Amazon EC2 console, Amazon EC2 API, AWS CLI, or SDKs. For more information, see [Launching an Instance Using the Launch Instance Wizard](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/launching-instance.html) or [Restoring an Amazon EBS Volume from a Snapshot](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-restoring-volume.html) in the Amazon EC2 documentation. Creating an Amazon EC2 instance from an exported instance snapshot (AMI and EBS snapshot) results in a single EC2 instance being launched. The AMI and EBS snapshot that resulted from exporting the Lightsail instance snapshot are automatically linked together to form the EC2 instance. The exported Lightsail block storage disk snapshot (EBS snapshot) can be used to create an EBS volume in Amazon EC2. ![\[Exporting Lightsail snapshots to Amazon EC2.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-create-resources-diagram.png) **Note** Lightsail uses a CloudFormation stack to create instances and their related resources in EC2. For more information, see [CloudFormation stacks for Lightsail](amazon-lightsail-cloudformation-stacks.md). The process to create Amazon EC2 resources from an exported snapshot can take a while. It depends on the size and configuration of the source instance. Use the **Exports** section in the Lightsail console to track the status of your export. For more information, see [Track snapshot export status in Lightsail](amazon-lightsail-task-monitor.md).. ## Choosing an Amazon EC2 instance type Amazon EC2 offers a wider range of instance options than are available in Lightsail. In Amazon EC2, you can choose instance types that are optimized for compute (C5), memory (R5), or a balance of both (T3 and M5). Lightsail provides these options in the **Create an Amazon EC2 instance** page; however, more instance type options are available if you use Amazon EC2 to create new instances from an exported snapshot. For more information about EC2 instance types, see [Instance Types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) in the Amazon EC2 documentation. Before you create EC2 instances from exported snapshots, it is important to understand the instance price differences between Lightsail and Amazon EC2. For more information about instance pricing, see the [Lightsail pricing](https://aws.amazon.com/lightsail/pricing/) and [Amazon EC2 pricing](https://aws.amazon.com/ec2/pricing/on-demand/) pages. **Lightsail and Amazon EC2 instance type compatibility** Some Lightsail instances are incompatible with the current generation EC2 instance types (T3, M5, C5, or R5) because they are not enabled for enhanced networking. If your source Lightsail instance is incompatible, you will need to choose a previous generation instance type (T2, M4, C4, or R4) when creating an EC2 instance from your exported snapshot. These options are presented to you when creating an EC2 instance using the **Create an Amazon EC2 instance** page in the Lightsail console. To use the latest generation EC2 instance types when the source Lightsail instance is incompatible, you need to create the new EC2 instance using a previous generation instance type (T2, M4, C4, or R4), update the networking driver, and then upgrade the instance to the desired current generation instance type. For more information, see [Enhanced networking for Amazon EC2 instances](amazon-lightsail-updating-ec2-instances.md). ## Connect to Amazon EC2 instances You can connect to Amazon EC2 instances similar to how you connect to Lightsail instances. This means using SSH for Linux and Unix instances and RDP for Windows Server instances. However, the browser-based SSH/RDP client that you might have used in the Lightsail console might not be available in Amazon EC2 depending on the browser version that you're using, so you may need to configure your own SSH/RDP client to connect to your EC2 instances. For more information, see the following guides: + [Connect to an Amazon EC2 Linux or Unix instance that was created from a Lightsail snapshot](amazon-lightsail-connecting-to-linux-unix-amazon-ec2-instances.md) + [Connect to an Amazon EC2 Windows Server instance that was created from a Lightsail snapshot](amazon-lightsail-connecting-to-windows-server-amazon-ec2-instances.md) ## Secure an Amazon EC2 instance After you create an EC2 instance from an exported Lightsail snapshot, you may need to perform a few actions to improve the security of your new instances. The actions are different depending on the operating system of your EC2 instance. **Securing Linux and Unix instances in Amazon EC2** If you create a Linux or Unix instance in Amazon EC2 from an exported snapshot using EC2 (the EC2 console, the EC2 API, AWS CLI for EC2, or SDKs for EC2), the new EC2 instance may contain residual SSH keys from the Lightsail service. We recommend removing these keys to better secure the new instance. For more information, see [Secure an Amazon EC2 Linux or Unix instance that was created from a Lightsail snapshot](amazon-lightsail-securing-linux-unix-amazon-ec2-instances.md). **Securing Windows Server instances in Amazon EC2** After you create a Windows Server instance in Amazon EC2 from an exported snapshot, any user in your AWS account with access to Lightsail and EC2 will be able to retrieve the default administrator password first assigned to the source instance, which is also the password for the new EC2 instance. For increased security, we recommend that you change the default administrator password for your Amazon EC2 instance, if you haven’t already done so. For more information, see [Secure an Amazon EC2 Windows Server instance that was created from a Lightsail snapshot](amazon-lightsail-securing-windows-server-amazon-ec2-instances.md). # Export Lightsail snapshots to Amazon EC2 How to export snapshots You can export Amazon Lightsail instance and block storage disk snapshots to Amazon Elastic Compute Cloud (Amazon EC2). Exporting a Lightsail instance snapshot results in an Amazon Machine Image (AMI) and an Amazon Elastic Block Store (Amazon EBS) snapshot being created in Amazon EC2. This is because Lightsail instances consist of an image and a system disk, which are grouped together as a single instance entity in the Lightsail console for more efficient management. If the source Lightsail instance has one or more block storage disks attached to it when the snapshot is created, then additional EBS snapshots for each attached disk are created in Amazon EC2. Exporting a Lightsail block storage disk snapshot results in a single EBS snapshot being created in Amazon EC2. All exported resources in Amazon EC2 have their own distinct unique identifiers that are different than their Lightsail counterparts. This guide describes how to export a Lightsail snapshot, track the status of your export, and the next steps after the exported snapshot is available in Amazon EC2 (as an AMI, EBS snapshot, or both). **Important** We recommend getting familiar with the Lightsail export process before completing the steps in this guide. For more information, see [Export snapshots to Amazon EC2](amazon-lightsail-exporting-snapshots.md). **Contents** + [Service-linked role and required IAM permissions to export Lightsail snapshots](#service-linked-role-details) + [Prerequisites](#exporting-snapshots-to-amazon-ec2-prerequisites) + [Export a Lightsail snapshot to Amazon EC2](#exporting-a-lightsail-snapshot) + [Track the status of your export](#track-the-status-of-your-export) ## Service-linked role and required IAM permissions to export Lightsail snapshots Lightsail uses an AWS Identity and Access Management (IAM) service-linked role (SLR) to export snapshots to Amazon EC2. For more information about SLRs, see [Service-linked roles](amazon-lightsail-using-service-linked-roles.md). The following additional permissions may need to be configured in IAM depending on the user that will perform the snapshot export: + If the [Amazon account root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html) will perform the export, then continue to the [Prerequisites section](#exporting-snapshots-to-amazon-ec2-prerequisites) of this guide. The account root user already has the required permissions to perform the snapshot export. + If an IAM user will perform the export, then an AWS account administrator must add the following policy to the user. For more information about how to change permissions for a user, see [Changing Permissions for an IAM User](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the IAM documentation. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "arn:aws:iam::*:role/aws-service-role/lightsail.amazonaws.com/AWSServiceRoleForLightsail*", "Condition": {"StringLike": {"iam:AWSServiceName": "lightsail.amazonaws.com"}} }, { "Effect": "Allow", "Action": "iam:PutRolePolicy", "Resource": "arn:aws:iam::*:role/aws-service-role/lightsail.amazonaws.com/AWSServiceRoleForLightsail*" } ] } ``` ------ ## Prerequisites Create a snapshot of the Lightsail instance or block storage disk that you want to export to Amazon EC2. For more information, see one of the following guides: + [Create a snapshot of your Linux or Unix instance](lightsail-how-to-create-a-snapshot-of-your-instance.md) + [Create a snapshot of your Windows Server instance](prepare-windows-based-instance-and-create-snapshot.md) + [Create a block storage disk snapshot](create-block-storage-disk-snapshot.md) ## Export a Lightsail snapshot to Amazon EC2 The most efficient way to export a snapshot to Amazon EC2 is by using the Lightsail console. You can also export snapshots using the Lightsail API, AWS Command Line Interface (AWS CLI), or SDKs. For more information, see the [ExportSnapshot operation](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_ExportSnapshot.html) in the Lightsail API documentation, or the [export-snapshot command](https://docs.aws.amazon.com/cli/latest/reference/lightsail/export-snapshot.html) in the AWS CLI documentation. **Note** Snapshots are exported to the same AWS Region from Lightsail to Amazon EC2. To export snapshots to a different Region, first copy the snapshot to a different Region in Lightsail, then perform the export. For more information, see [Copy snapshots from one AWS Region to another](amazon-lightsail-copying-snapshots-from-one-region-to-another.md). **To export a Lightsail snapshot to Amazon EC2** 1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/). 1. Choose **Snapshots** in the left navigation pane. 1. Locate the instance or block storage disk that you want to export, and expand the node to view the available snapshots for that resource. 1. Choose the **Action** menu for the desired snapshot, then choose **Export to Amazon EC2**. ![\[Export snapshot in the Lightsail console.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-action-menu-export-snapshot.png) **Note** Snapshots of cPanel & WHM (CentOS 7) instances cannot be exported to Amazon EC2. 1. Review the important details displayed on the prompt. 1. If you agree to export to Amazon EC2, choose **Yes, continue** to begin the process. The export process can take a while. It depends on the size and configuration of the source instance or block storage disk. Use the **Exports** section in the Lightsail console to track the status of your export. For more information, see [Track snapshot export status in Lightsail](amazon-lightsail-task-monitor.md). ## Track the status of your export Track the status of your export in the **Exports** section of the Lightsail console. It can be accessed from the left navigation pane on all pages of the Lightsail console. For more information, see [Track snapshot export status in Lightsail](amazon-lightsail-task-monitor.md). The following information is displayed in **Exports**: + **Snapshot name** — The name of the source Lightsail snapshot. + **Status** — The status of the export. This can be `In progress`, `Successful`, or `Failed`. + **Export started** — The date and time the snapshot export was started. + **Source details** — The specifications of the source Lightsail instance, such as the memory, processing, and storage. + **Source instance name** — The name of the source instance for the snapshot. + **Snapshot type** — The type of the Lightsail snapshot. It’s either an instance snapshot or disk snapshot. + **Snapshot created** — The date and time the source Lightsail snapshot was created. The following information is displayed in the **Task history** section for the completed export: + **Create instance in EC2** — Choose this option to create a new instance in Amazon EC2 using the Lightsail console. For more information, see [Create Amazon EC2 instances from exported snapshots](amazon-lightsail-creating-ec2-instances-from-exported-snapshots.md). + **Open EC2** — Choose this option to use the Amazon EC2 console to create new EC2 resources from your exported snapshot. If you exported a Lightsail block storage disk snapshot, then you must use Amazon EC2 to create an EBS volume from the snapshot (an EBS snapshot). For more information, see [Launching an Instance Using the Launch Instance Wizard](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/launching-instance.html) or [Restoring an Amazon EBS Volume from a Snapshot](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-restoring-volume.html) in the Amazon EC2 documentation. **Note** Delete the source Lightsail snapshot if you no longer need it. Otherwise, you will be billed for storing it. # Track snapshot export status in Lightsail Monitor exports The **Exports** section on the Amazon Lightsail console, is where you can track the status of exporting Lightsail snapshots to Amazon EC2, or creating new EC2 instances from exported instance snapshots. Export tasks can take a while depending on the size and configuration of the source instance or block storage disk. **Exports** can be accessed from the left navigation pane on all pages of the Lightsail console. ![\[The exports section of the Lightsail console.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-task-monitor.png) For more information about exporting Lightsail snapshots to Amazon EC2, or creating EC2 instances from exported snapshots, see the following guides: + [Export snapshots to Amazon EC2](amazon-lightsail-exporting-snapshots-to-amazon-ec2.md) + [Create Amazon EC2 instances from exported snapshots](amazon-lightsail-creating-ec2-instances-from-exported-snapshots.md) # Create Amazon EC2 instances from exported Lightsail snapshots Create EC2 instances from exported snapshots After a Lightsail instance snapshot is exported and available in Amazon EC2 (as an AMI and an EBS snapshot), you can create an Amazon EC2 instance from the snapshot using the **Create an Amazon EC2 instance** page in the Amazon Lightsail console, also known as the Upgrade to Amazon EC2 wizard. It guides you through the EC2 instance configuration options, such as choosing an EC2 instance type that matches your requirements, configuring your security group ports, adding a launch script, and more. The wizard in the Lightsail console simplifies the process of creating new EC2 instances and their related resources. **Note** To create Amazon Elastic Block Store (Amazon EBS) volumes from exported block storage disk snapshots, see [Create Amazon EBS volumes from exported disk snapshots](amazon-lightsail-creating-ebs-volumes-from-exported-snapshots.md). You can also create new EC2 instances using the Lightsail API, AWS CLI, or SDKs. For more information, see the [CreateCloudFormationStack operation](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_CreateCloudFormationStack.html) in the Lightsail API documentation, or the [create-cloud-formation-stack command](https://docs.aws.amazon.com/cli/latest/reference/lightsail/create-cloud-formation-stack.html) in the AWS CLI documentation. Or if you're comfortable with Amazon EC2, you can use the EC2 console, Amazon EC2 API, AWS CLI, or SDKs. For more information, see [Launching an Instance Using the Launch Instance Wizard](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/launching-instance.html) or [Restoring an Amazon EBS Volume from a Snapshot](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-restoring-volume.html) in the Amazon EC2 documentation. **Important** We recommend getting familiar with the Lightsail export process before completing the steps in this guide. For more information, see [Export snapshots to Amazon EC2](amazon-lightsail-exporting-snapshots.md). **Contents** + [CloudFormation stack for Lightsail](#aws-cloud-formation-stack) + [Prerequisites](#creating-ec2-instances-from-exported-snapshots-prerequisites) + [Access the Create an Amazon EC2 instance page in the Lightsail console](#access-the-create-an-instance-page) + [Create an Amazon EC2 instance](#create-new-instances) + [Track the status of your new Amazon EC2 instance](#track-the-status) ## CloudFormation stack for Lightsail Lightsail uses an CloudFormation stack to create EC2 instances and their related resources. For more information about the CloudFormation stacks for Lightsail, see [CloudFormation stacks for Lightsail](amazon-lightsail-cloudformation-stacks.md). The following additional permissions may need to be configured in IAM depending on the user that will create the EC2 instance using the **Create an Amazon EC2 instance** page: + If the [Amazon account root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html) will create the EC2 instance, then continue to the [Prerequisites section](#creating-ec2-instances-from-exported-snapshots-prerequisites) of this guide. The root user already has the required permissions to create EC2 instances using Lightsail. + If an IAM user will create the EC2 instance, then an AWS account administrator must add the following permissions to the user. For more information about how to change permissions for a user, see [Changing Permissions for an IAM User](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the IAM documentation. + The following permissions are required for users to create Amazon EC2 instances using Lightsail: **Note** These permissions allow the CloudFormation stack to be created. However, if the creation fails, the rollback process might require more permissions. Lack of permissions may lead to remaining resources not rolled back in Amazon EC2. If this happens, you can go to the CloudFormation console and manually delete the EC2 resources. For more information, see [CloudFormation stacks for Lightsail](amazon-lightsail-cloudformation-stacks.md) + ec2:DescribeAvailabilityZones + ec2:DescribeSubnets + ec2:DescribeRouteTables + ec2:DescribeInternetGateways + ec2:DescribeVpcs + cloudformation:CreateStack + cloudformation:ValidateTemplate + iam:CreateServiceLinkedRole + iam:PutRolePolicy + The following permissions are required if the user will configure ports in the security group for the EC2 instance: + ec2:DescribeSecurityGroups + ec2:CreateSecurityGroup + ec2:AuthorizeSecurityGroupIngress + The following permissions are required if the user is creating a Windows Server instance in Amazon EC2: + ec2:DescribeKeyPairs + ec2:ImportKeyPair + The following permissions are required if the user is creating Amazon EC2 instances for the first time, or when the virtual private cloud (VPC) fails to configure completely: + ec2:AssociateRouteTable + ec2:AttachInternetGateway + ec2:CreateInternetGateway + ec2:CreateRoute + ec2:CreateRouteTable + ec2:CreateSubnet + ec2:CreateVpc + ec2:ModifySubnetAttribute + ec2:ModifyVpcAttribute ## Prerequisites Export a Lightsail instance snapshot to Amazon EC2. For more information, see [Export snapshots to Amazon EC2](amazon-lightsail-exporting-snapshots-to-amazon-ec2.md). ## Access the Create an Amazon EC2 instance page in the Lightsail console The **Create an Amazon EC2 instance** page in the Lightsail console can be accessed from the task monitor only after an instance snapshot is successfully exported to EC2. **To access the Create an Amazon EC2 instance page in the Lightsail console** 1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/). 1. From the top navigation pane, choose the **Task monitor** icon. 1. Locate the completed instance snapshot export in the **Task history** section, then choose **Create instance in EC2**. ![\[Task monitor in the Lightsail console.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-task-monitor-create-instance.png) The **Create an Amazon EC2 instance** page appears. Continue to the following [Create an Amazon EC2 instance](#create-new-instances) section of this guide to learn how to configure and create an EC2 instance using this page. ## Create an Amazon EC2 instance Use the **Create an Amazon EC2 instance** page to create an EC2 instance. To create more than one EC2 instance from an exported Lightsail snapshot, repeat the following steps multiple times but wait until each instance is created before creating the next one. **To create an Amazon EC2 instance** 1. On the **Amazon EC2 AMI details** section of the page, confirm that the Amazon Machine Image (AMI) details displayed match the specifications of the source Lightsail instance. ![\[Amazon EC2 AMI details on the Create an Amazon EC2 instance page.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-create-an-ec2-instance-ami-details.png) 1. On the **Resource location** section of the page, change the Availability Zone of your instance if necessary. The Amazon EC2 resources are created in the same AWS Region as the source Lightsail snapshot. **Note** Not all Availability Zones may be available for all users. Choosing an unavailable Availability Zone will result in an error when creating the EC2 instance. ![\[Resource location options on the Create an Amazon EC2 instance page.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-create-an-ec2-instance-resource-location.png) 1. On the **Compute resource** section of the page, choose one of the following options: ![\[Compute resource options on the Create an Amazon EC2 instance page.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-create-an-ec2-instance-compute-resource.png) 1. **Find closest match** to automatically select an Amazon EC2 instance type that closely matches the specifications of the source Lightsail instance. 1. **Help me choose** to answer a quick questionnaire about the specifications of your new Amazon EC2 instance. You can select from instance types that are compute optimized, memory optimized, or balanced between the two. 1. **Select manually** to view a list of instance types available through the **Create an Amazon EC2 instance** page. **Note** Some Lightsail instances are incompatible with the current generation EC2 instance types (T3, M5, C5, or R5) because they are not enabled for enhanced networking. If your source Lightsail instance is incompatible, you will need to choose a previous generation instance type (T2, M4, C4, or R4) when creating an EC2 instance from your exported snapshot. These instance type options are presented to you on the **Create an Amazon EC2 instance** page in the Lightsail console. To use the latest generation EC2 instance types when the source Lightsail instance is incompatible, you need to create the new EC2 instance using a previous generation instance type (T2, M4, C4, or R4), update the networking driver, and then upgrade the instance to the desired current generation instance type. For more information, see [Update Amazon EC2 instances for enhanced networking](amazon-lightsail-updating-ec2-instances.md). 1. On the **Optional** section of the page: ![\[Optional settings on the Create an Amazon EC2 instance page.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-create-an-ec2-instance-optional-settings.png) 1. Choose **Specify port configuration** to select the firewall settings for your Amazon EC2 instance, then choose one of the following options: ![\[Security group settings on the Create an Amazon EC2 instance page.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-create-an-ec2-instance-security-groups.png) 1. **Use the default firewall settings from the Lightsail image** to configure the default ports from the source Lightsail blueprint on your new EC2 instance. For more information about the default ports for Lightsail blueprints, see [Firewalls and ports](understanding-firewall-and-port-mappings-in-amazon-lightsail.md). 1. **Use the source Lightsail instance firewall settings** to configures the ports from the source Lightsail instance on your new EC2 instance. This option is only available when the source Lightsail instance is still running. 1. On the **Launch script** section of the page, choose **Add launch script** if you wish to add a script that configures your EC2 instance when it launches. 1. On the **Connection security** section of the page, determine how you connected to the source Lightsail instance. This ensures that you get the correct SSH key to connect to your new EC2 instance. You may have connected to the source Lightsail instance using one of the following methods: 1. **Using the default Lightsail key pair for the source instance’s region** — Download and use the unique default Lightsail key for that AWS Region to connect to your EC2 instance. **Note** The default Lightsail key pair is always used on Windows Server instances in Lightsail. 1. **Using your own key pair** — Locate the private key and use it to connect to your EC2 instance. **Note** Lightsail does not store your personal private keys. Therefore; the option to download your private key is not provided. If you are unable to locate your private key, then you will not be able to connect to your EC2 instance. 1. On the **Storage resources** section of the page, confirm that the EBS volumes being created match the system disk and any attached block storage disks for the source Lightsail instance. ![\[Storage resources on the Create an Amazon EC2 instance page.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-create-an-ec2-instance-storage-resources.png) 1. Review the important details about creating resources outside of Lightsail. 1. If you agree to create the instance in Amazon EC2, choose **Create resources in EC2**. Lightsail confirms that your instance is being created, and information about the CloudFormation stack is displayed. Lightsail uses a CloudFormation stack to create the EC2 instance and its related resources. For more information, see [CloudFormation stacks for Lightsail](amazon-lightsail-cloudformation-stacks.md). Continue to the [Track the status of your new Amazon EC2 instance](#track-the-status) section of this guide to track the status of your new EC2 instance. **Important** Wait until after your new EC2 instance is created to create another EC2 instance from the same exported snapshot. ## Track the status of your new Amazon EC2 instance Use the **Exports** section in the Lightsail console to track the status of your EC2 instance. For more information, see [Track snapshot export status in Lightsail](amazon-lightsail-task-monitor.md). The following information is displayed for EC2 instances being created: + **Source name** — The name of the source Lightsail snapshot. + **Started** — The date and time that the create request was started. The following information is displayed in the task monitor for EC2 instances that have been created: + **Created** is displayed if the Amazon EC2 resources were successfully created. + **Failed** is displayed if there was a problem creating EC2 instance. # Create Amazon Elastic Block Store volumes from exported Lightsail disk snapshots Create EBS volumes from exported snapshots After a Lightsail block storage disk snapshot is exported and available in Amazon EC2 (as an EBS snapshot), you can create an EBS volume from the snapshot using the Amazon EC2 console. **Note** To create EC2 instances from exported instance snapshots, see [Creating Amazon EC2 instances from exported snapshots in Lightsail](amazon-lightsail-creating-ec2-instances-from-exported-snapshots.md#amazon-lightsail-creating-ec2-instances-from-exported-snapshots.title). You can also create new EBS volumes using the Amazon EC2 API, AWS CLI, or SDKs. For more information, see [Launch an Instance Using the Launch Instance Wizard](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/launching-instance.html) or [Restoring an Amazon EBS Volume from a Snapshot](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-restoring-volume.html) in the Amazon EC2 documentation. **Important** We recommend getting familiar with the Lightsail export process before completing the steps in this guide. For more information, see [Export snapshots to Amazon EC2](amazon-lightsail-exporting-snapshots.md). ## Prerequisites Export a Lightsail block storage disk snapshot to Amazon EC2. For more information, see [Export snapshots to Amazon EC2](amazon-lightsail-exporting-snapshots-to-amazon-ec2.md). ## Create an EBS volume from an exported Lightsail block storage disk snapshot Use the Amazon EC2 console to create a new EBS volume from an exported Lightsail block storage disk snapshot. **Note** These steps are also in the Amazon EC2 documentation. To learn more, see [Restoring an Amazon EBS Volume from a Snapshot](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-restoring-volume.html) in the Amazon EC2 documentation. **To create an EBS volume from an exported Lightsail block storage disk snapshot** 1. Sign in to the [Amazon EC2 console](https://console.aws.amazon.com/ec2/). 1. From the navigation bar, select the region that your snapshot is located in. 1. In the left navigation pane, under **Elastic Block Store**, choose **Snapshots**. 1. Locate and select the exported Lightsail block storage disk snapshot. Exported disk snapshot can be identified by the *A disk snapshot exported from Amazon Lightsail* description of the EBS snapshot as shown in the following screenshot: ![\[EBS snapshots in the Amazon EC2 console.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-ec2-console-ebs-snapshots.png) 1. Choose **Actions**, then choose **Create Volume**. 1. Choose a volume type from the **Volume Type** drop-down menu. For more information, see [Amazon EBS Volume Types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html) in the Amazon EC2 documentation. 1. For **Size (GiB)**, type the size of the volume, or verify that the default size of the snapshot is adequate. 1. With a Provisioned IOPS SSD volume, for **IOPS**, type the maximum number of input/output operations per second (IOPS) that the volume should support. 1. For **Availability Zone**, choose the Availability Zone in which to create the volume. EBS volumes can only be attached to EC2 instances in the same Availability Zone. 1. (Optional) Choose **Create additional tags** to add tags to the volume. For each tag, provide a tag key and a tag value. 1. Choose **Create Volume**. After your volume is created, it is listed in the **Elastic Block Store > Volumes** section of the Amazon EC2 console. # Connect to a Linux Amazon EC2 instance created from a Lightsail snapshot Connect to Linux EC2 instances After a Linux or Unix instance is created in Amazon Elastic Compute Cloud (Amazon EC2) from an Amazon Lightsail snapshot, you can connect to the instance via SSH similar to how you connected to the source Lightsail instance. To authenticate to your instance, use either the default Lightsail key pair for the source instance’s AWS Region, or your own key pair. This guide shows you how to connect to your Linux or Unix instance in EC2 using PuTTY. **Note** For more information about connecting to a Windows Server instance, see [Connect to an Amazon EC2 Windows Server instance that was created from a Lightsail snapshot](amazon-lightsail-connecting-to-windows-server-amazon-ec2-instances.md). **Contents** + [Get the key for your instance](#get-the-key-linux-unix-instance) + [Get the public DNS address for your instance](#get-the-public-dns-address-for-your-linux-unix-instance) + [Download and install PuTTY](#download-and-install-putty) + [Configure the key with PuTTYgen](#configure-the-key-with-puttygen) + [Configure PuTTY to connect to your instance](#configure-putty-to-connect) + [Next steps](#connecting-to-linux-unix-instances-next-steps) ## Get the key for your instance Get the correct key required to connect to your new Amazon EC2 instance. The key that you need depends on how you connected to the source Lightsail instance. You may have connected to the source Lightsail instance using one of the following methods: + **Using the default Lightsail key pair for the source instance’s Region** — Download the default private key from the **SSH keys** tab on the [Lightsail account page](https://lightsail.aws.amazon.com/ls/webapp/account/keys). For more information about the default Lightsail keys, see [SSH key pairs](understanding-ssh-in-amazon-lightsail.md). **Note** After you connect to your EC2 instance, we recommend removing the default Lightsail key from the instance and replacing it with your own key pair. For more information, see [Secure your Linux or Unix instance in Amazon EC2 created from a Lightsail snapshot](amazon-lightsail-securing-linux-unix-amazon-ec2-instances.md). + **Using your own key pair** — Locate your private key and use it to connect to your Amazon EC2 instance. Lightsail does not store your private key when you use your own key pair. If you’ve lost your private key, you cannot connect to your Amazon EC2 instance. ## Get the public DNS address for your instance Get the public DNS address for your Amazon EC2 instance, so that you can use it when configuring an SSH client, such as PuTTY, to connect to your instance. **To get the public DNS address for your instance** 1. Sign in to the [Amazon EC2 console](https://console.aws.amazon.com/ec2/). 1. Choose **Instances** from the left navigation pane. 1. Choose the running Linux or Unix instance that you want to connect to. 1. In the lower pane, locate the **Public DNS** address for your instance. This is the address that you will use when configuring an SSH client to connect to your instance. Continue to the [Download and install PuTTY](#download-and-install-putty) section of this guide to learn how to download and install the PuTTY SSH client. ![\[An instance's public DNS in the Amazon EC2 console.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-ec2-public-dns.png) ## Download and install PuTTY PuTTY is a free SSH client for Windows. For more information about [PuTTY, see PuTTY: a free SSH and Telnet client](http://www.chiark.greenend.org.uk/~sgtatham/putty/). This website also describes the restrictions in countries where encryption isn't allowed. If you already have PuTTY, you can skip to the following *Configure the key with PuTTYgen* section of this guide. [Download the PuTTY installer or executable file](http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html). We recommend using the latest version. However, for information about which download to choose, see the [PuTTY documentation](http://www.chiark.greenend.org.uk/~sgtatham/putty/docs.html). Continue to the [Configure the key with PuTTYgen](#configure-the-key-with-puttygen) section of this guide to configure the key with PuTTYgen. ## Configure the key with PuTTYgen PuTTYgen generates pairs of public and private keys to be used with PuTTY. This step is required to use the key file type (.PPK) that PuTTY accepts. **To configure the key with PuTTYgen** 1. Start PuTTYgen. For example, choose the **Windows Start** menu, choose **All Programs**, choose **PuTTY**, and choose **PuTTYgen**. ![\[PuTTY Key Generator.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/puttygen-key-generator.png) 1. Choose **Load**. By default, PuTTYgen displays only files with the .PPK extension. To locate your .PEM file, select the option to display files of all types. ![\[Load the Lightsail private key to the PuTTY Key Generator.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-putty-load-private-key.png) 1. Choose the default Lightsail key file (.PEM) that you downloaded earlier in this guide, and then choose **Open**. 1. After PuTTYgen confirms that you successfully imported the key, choose **OK**. ![\[PuTTY Key Generator notice.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-putty-puttygen-notice.png) 1. Choose **Save private key**, and then confirm that you don't want to save it with a passphrase. If you create a passphrase as an extra measure of security, you must enter it every time you connect to your instance using PuTTY. ![\[Save your private key in the PuTTY Key Generator.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-putty-save-private-key.png) 1. Specify a name and a location to save your private key, and then choose **Save**. PuTTYgen saves your new key file as a .PPK file type. 1. Close PuTTYgen. Continue to the [Configure PuTTY to connect to your instance](#configure-putty-to-connect) section of this guide to use the new .PPK file that you generated to configure PuTTY and connect to your Linux or Unix instance in Amazon EC2. ## Configure PuTTY to connect to your instance Configure PuTTY, now that you have all of the requirements to connect to your Linux or Unix instance using SSH. **To configure PuTTY to connect to your Linux or Unix instance** 1. Open PuTTY. For example, choose the **Windows Start** menu, choose **All Programs**, choose **PuTTY**, and choose **PuTTY**. 1. In the **Host Name** text box, enter the public DNS address for your instance that you obtained from the Amazon EC2 console earlier in this guide. ![\[PuTTY SSH client.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-putty-host-name.png) 1. Under the **Connection** section in the left navigation pane, choose **Data**. 1. In the **Auto-login username** text box, enter a user name to use when logging in to the instance. ![\[Instance user name in PuTTY.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-putty-login-details.png) Enter one of the following default user names depending on the blueprint of the source Lightsail instance: + AlmaLinux, Amazon Linux 2, Amazon Linux 2023, CentOS Stream 9, FreeBSD, and openSUSE instances: `ec2-user` + Debian instances: `admin` + Ubuntu instances: `ubuntu` + Bitnami instances: `bitnami` + Plesk instances: `ubuntu` + cPanel & WHM instances: `centos` 1. Under the **Connection** section in the left navigation pane, expand **SSH**, and then choose **Auth**. 1. Choose **Browse** to navigate to the .PPK file that you created in the previous section of this guide, and then choose **Open**. ![\[PuTTY authentication parameters.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-putty-authentication-parameters.png) 1. Choose **Open** to connect to your instance, and then choose **Yes** to trust this connection in the future. You should see a screen similar to the following if you've successfully connected to your instance: ![\[PuTTY connected to an EC2 instance.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-putty-connected.png) ## Next steps Your new Linux or Unix instance in Amazon EC2 contains residual keys from the Lightsail service, if you use Amazon EC2 to create new instances from your exported snapshots. We recommend removing these keys to enhance security for your new Amazon EC2 instance. For more information, see [Secure your Linux or Unix instance in Amazon EC2 created from a Lightsail snapshot](amazon-lightsail-securing-linux-unix-amazon-ec2-instances.md). # Secure Amazon EC2 instances launched from Lightsail snapshots Secure Linux or Unix EC2 instances Amazon Lightsail, and Amazon Elastic Compute Cloud (Amazon EC2), use public–key cryptography to encrypt and decrypt login information. Public–key cryptography uses a public key to encrypt a piece of data, such as a password, then the recipient uses the private key to decrypt the data. The public and private keys are known as a key pair. When you export a Linux or Unix Lightsail instance to EC2, the new EC2 instance will contain residual keys from the Lightsail service. As a security best practice, you should remove unused keys from your instance. To improve the security of a Linux or Unix instance in EC2 that was created from a Lightsail snapshot, we recommend that you perform the following actions after creating the instance: + Remove and replace the Lightsail default key if you used it to connect to the source instance in Lightsail. The Lightsail default key is not present in your Amazon EC2 instance if you used your own key to connect to your instance, or you created a key for your instance in the Lightsail console. + Remove the Lightsail system key, also known as the `lightsail_instance_ca.pub` key. This key on Linux and Unix instances enables the Lightsail browser-based SSH client to connect. The `lightsail_instance_ca.pub` key is automatically removed when an EC2 instance is created using the **Create an Amazon EC2 instance** page in the Lightsail console or the Lightsail API. **Contents** + [Create a private key using Amazon EC2](#create-a-private-key-using-ec2) + [Create the public key using PuTTYgen](#create-the-public-key-using-puttygen) + [Connect to your Linux or Unix instance in Amazon EC2](#connect-to-your-linux-or-unix-instance-in-amazon-ec2) + [Add the public key to your instance and test the connection](#add-the-public-key-to-your-instance-and-test) + [Remove the Lightsail default key](#remove-the-lightsail-default-key) + [Remove the Lightsail system key](#remove-the-lightsail-system-ssh-key) ## Create a private key using Amazon EC2 Use the Amazon EC2 console to create a new key pair that you can use to replace the Lightsail default key pair. **To create a private key using Amazon EC2** 1. Sign in to the [Amazon EC2 console](https://console.aws.amazon.com/ec2/). 1. From the left navigation pane, choose **Key Pairs**. 1. Choose **Create key pair**. ![\[Key pairs in the Amazon EC2 console.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-ec2-console-key-pairs.png) 1. Enter a name for the key into the **Key pair name** text box, then choose **Create key pair**. For more information on the creating key pairs in Amazon EC2, see [Create a key pair for your Amazon EC2 instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/create-key-pairs.html) in the *Amazon Elastic Compute Cloud User Guide*. The new private key is automatically downloaded. Make note of where the private key is saved. You need it in the following *Create the public key using PuTTYgen* section of this guide to create a public key. ![\[Create key pairs in the Amazon EC2 console.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-ec2-console-create-key-pair.png) ## Create the public key using PuTTYgen PuTTYgen is a tool that is included with PuTTY. Use PuTTYgen to generate the public key text that you add to your instance later in this guide. **Note** For more information about how to configure PuTTY to connect to your Linux or Unix instance, see [Connect to an Amazon EC2 Linux or Unix instance that was created from a Lightsail snapshot](amazon-lightsail-connecting-to-linux-unix-amazon-ec2-instances.md). **To create the public key using PuTTYgen** 1. Start PuTTYgen. For example, choose the **Windows Start** menu, choose **All Programs**, choose **PuTTY**, and choose **PuTTYgen**. ![\[PuTTY Key Generator.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/puttygen-key-generator.png) 1. Choose **Load**. By default, PuTTYgen displays only files with the .PPK extension. To locate your .PEM file, select the option to display files of all types. ![\[Load the Lightsail private key to the PuTTY Key Generator.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-putty-load-ec2-private-key.png) 1. Navigate to the location of your private key that was created earlier in this guide. Choose the private key, and then choose **Open**. 1. After PuTTYgen confirms that you successfully imported the key, choose **OK**. 1. Highlight the contents of the **Public key** text box and copy it to your clipboard by pressing **Ctrl\$1C** if you’re using Windows, or **Cmd\$1C** if you’re using macOS. Open a text editor, such as Notepad or TextEdit, and paste the public key text into it by pressing **Ctrl\$1V** if you're using Windows, or **Cmd\$1V** if you're using macOS. Save the file with your public key text; you will need it later in this guide. ![\[PuTTY key generator.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-putty-key-generator.png) 1. Continue to the [Connect to your Linux or Unix instance in Amazon EC2](#connect-to-your-linux-or-unix-instance-in-amazon-ec2) section of this guide to connect to your EC2 instance and add the public key. ## Connect to your Linux or Unix instance in Amazon EC2 Connect to your Linux or Unix instance in Amazon EC2 using SSH to remove the Lightsail default key and system key. For more information, see [Connect to a Linux or Unix instance in Amazon EC2 created from an Amazon Lightsail snapshot](amazon-lightsail-connecting-to-linux-unix-amazon-ec2-instances.md). Continue to the [Add the public key to your instance and test the connection](#add-the-public-key-to-your-instance-and-test) section of this guide after you’re connected to your instance in Amazon EC2. ## Add the public key to your instance and test the connection Public key content is saved in the `~/.ssh/authorized_keys` file on Linux and Unix instances. Edit the file to remove and replace the Lightsail default key from your Linux or Unix instance in Amazon EC2. **To add the public key to your instance and test the connection** 1. After you establish an SSH connection to your instance, enter the following command to edit the `authorized_keys` file using the Vim text editor. ``` sudo vim ~/.ssh/authorized_keys ``` **Note** These steps use Vim for demonstration purposes. However, you can use any text editor for these steps. ![\[Lightsail default key.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-lightsail-default-ssh-key.png) 1. Press the `I` key to enter the insert mode in the Vim editor. 1. Enter an extra line after the Lightsail default key. 1. Copy and paste the public key text that you saved earlier in this guide. The result should look like the following: ![\[Lightsail default key.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-lightsail-default-ssh-key-and-new-key.png) 1. Press the `ESC` key, and then enter `:wq!` to save your edits, and quit Vim. 1. Enter the following command to restart the Open SSH server: ``` sudo /etc/init.d/sshd restart ``` You should see a result similar to the following: ![\[Lightsail default key.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-restarting-sshd.png) Your new public key is now added to your instance. To test the new key pair, disconnect from your instance. Configure PuTTY to use your new private key instead of the Lightsail default key. If you’re able to successfully connect to your instance using your new key pair, continue to the [Remove the Lightsail default key](#remove-the-lightsail-default-key) section of this guide to remove the Lightsail default key. ## Remove the Lightsail default key Remove the Lightsail default key after you’ve added a new public key to your instance, and successfully connected to it using the new key pair. **To remove the Lightsail default key** 1. After you establish an SSH connection to your instance, enter the following command to edit the `authorized_keys file` using the Vim text editor. ``` sudo vim ~/.ssh/authorized_keys ``` 1. Press the `I` key to enter the insert mode in the Vim editor. 1. Delete the line that ends with `LightsailDefaultKeyPair`. This is the Lightsail default key. ![\[Lightsail default key.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-lightsail-default-delete-ssh-key.png) 1. Press the `ESC` key, and then enter `:wq!` to save your edits, and quit Vim. 1. Enter the following command to restart the Open SSH server: ``` sudo /etc/init.d/sshd restart ``` You should see a result similar to the following: ![\[Lightsail default key.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-restarting-sshd.png) The Lightsail default key is now removed from your instance. Your instance will now refuse connections that use the Lightsail default key. Continue to the [Remove the Lightsail system key](#remove-the-lightsail-system-ssh-key) section of this guide to remove the Lightsail system key. ## Remove the Lightsail system key The Lightsail system key, also known as the `lightsail_instance_ca.pub` key, on Linux and Unix instances enables the Lightsail browser-based SSH client to connect. Perform the following steps to remove the `lightsail_instance_ca.pub` key from your Linux or Unix instance in Amazon EC2, and edit the `/etc/ssh/sshd_config` file. The `/etc/ssh/sshd_config` file defines parameters for SSH connections to your instance. **To remove the Lightsail system key** 1. In an SSH terminal window connected to your instance, enter the following command to remove the `lightsail_instance_ca.pub` key: ``` sudo rm –r /etc/ssh/lightsail_instance_ca.pub ``` 1. Enter the following command to edit the `sshd_config` file using the Vim text editor. ``` sudo vim /etc/ssh/sshd_config ``` 1. Press the `I` key to enter the insert mode in the Vim editor. 1. Delete the following text from the file, if it's present: ``` TrustedUserCAKeys /etc/ssh/lightsail_instance_ca.pub ``` 1. Press the `ESC` key, and then enter `:wq!` to save your edits, and quit Vim. 1. Enter the following command to restart the Open SSH server: ``` sudo /etc/init.d/sshd restart ``` You should see a result similar to the following: ![\[Lightsail default key.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-restarting-sshd.png) The `lightsail_instance_ca.pub` key is now removed from your instance. The associated `sshd_config` file is updated to exclude that key. # Connect to a Windows Server Amazon EC2 instance created from a Lightsail snapshot Connect to Windows EC2 instances After your new Windows Server instance is created in Amazon Elastic Compute Cloud (Amazon EC2), you can connect to it using Remote Desktop Protocol (RDP). This is similar to how you connected to the source Amazon Lightsail instance. Connect to your EC2 instance using the default Lightsail key pair for the source instance’s AWS Region. This guide shows you how to connect to your Windows Server instance using Microsoft Remote Desktop Connection. **Note** For more information about connecting to a Linux or Unix instance, see [Connect to a Linux or Unix instance in Amazon EC2 created from a Lightsail snapshot](amazon-lightsail-connecting-to-linux-unix-amazon-ec2-instances.md). **Contents** + [Get the key for your instance](#get-the-key-windows-instance) + [Get the public DNS address for your instance](#get-the-public-dns-address-for-your-windows-instance) + [Get the password for your Windows Server instance](#get-the-password-for-your-windows-instance) + [Configure Remote Desktop Connection to connect to your Windows Server instance](#configure-remote-desktop-connection) + [Next steps](#connecting-to-windows-server-amazon-ec2-instances-next-steps) ## Get the key for your instance Your Windows Server instance in Amazon EC2 uses the default Lightsail key pair for the source instance’s Region to retrieve the default administrator password. Download the default private key from the **SSH keys** tab on the [Lightsail account page](https://lightsail.aws.amazon.com/ls/webapp/account/keys). For more information about the default Lightsail SSH keys, see [SSH key pairs](understanding-ssh-in-amazon-lightsail.md). **Note** After you connect to your EC2 instance, we recommend changing the administrator password for your Windows Server instance in Amazon EC2. It removes the association between the default Lightsail key pair and your Windows Server instance in Amazon EC2. For more information, see [Secure an Amazon EC2 Windows Server instance that was created from a Lightsail snapshot](amazon-lightsail-securing-windows-server-amazon-ec2-instances.md). ## Get the public DNS address for your instance Get the public DNS address for your Amazon EC2 instance, so that you can use it when configuring an RDP client, such as Microsoft Remote Desktop Connection, to connect to your instance. **To get the public DNS address for your instance** 1. Sign in to the [Amazon EC2 console](https://console.aws.amazon.com/ec2/). 1. Choose **Instances** from the left navigation pane. 1. Choose the running Windows Server instance that you want to connect to. 1. In the lower pane, locate the **Public DNS** address for your instance. This is the address that you use when configuring an RDP client to connect to your instance. Continue to the [Get the password for your Windows Server instance](#get-the-password-for-your-windows-instance) section of this guide to learn how to get the default administrator password for your Windows Server instance in Amazon EC2. ![\[An instance's public DNS in the Amazon EC2 console.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-ec2-public-dns.png) ## Get the password for your Windows Server instance Get the password for your Windows Server instance from the Amazon EC2 console. You need this password to sign in to your Windows Server instance when connecting to it through RDP. **To get the password for your Windows Server instance** 1. Sign in to the [Amazon EC2 console](https://console.aws.amazon.com/ec2/). 1. From the left navigation pane, choose **Instances**. 1. Choose the Windows Server instance that you want to connect to. 1. For **Actions**, choose **Security**, **Get Windows Password**. ![\[Getting the Windows Server default administrator password in the Amazon EC2 console.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-ec2-get-windows-password.png) 1. At the prompt, choose **Browse** and open the default private key file that you downloaded from Lightsail earlier in this guide. 1. Choose **Decrypt Password**. ![\[Decrypting the Windows default administrator password in the Amazon EC2 console.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-ec2-decrypt-password.png) The password, user name, and private IP address are displayed. Copy the password to your clipboard so that you can use it in the following [Configure Remote Desktop Connection to connect to your Windows Server instance](#configure-remote-desktop-connection) section of this guide. Highlight the password, and press **Ctrl\$1C** if you’re using Windows, or **Cmd\$1C** if you’re using macOS. ![\[Decrypted Windows default administrator password in the Amazon EC2 console.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-ec2-decrypted-password.png) Continue to the [Configure Remote Desktop Connection to connect to your Windows Server instance](#configure-remote-desktop-connection) section of this guide to learn how to configure Remote Desktop Connection to connect to your Windows Server instance in Amazon EC2. ## Configure Remote Desktop Connection to connect to your Windows Server instance Remote Desktop Connection is an RDP client that comes pre-installed on most Windows operating systems. Use it to graphically connect to your Windows Server instance in Amazon EC2. **To configure Remote Desktop Connection to connect to your Windows Server instance** 1. Open Remote Desktop Connection. For example, choose the **Windows Start** menu, then search for **Remote Desktop Connection**. 1. In the **Computer** text box, enter the public DNS address for your Windows Server instance in Amazon EC2 obtained earlier in this guide. 1. Choose **Show Options** to view additional options. 1. Enter `Administrator` into the **User name** text box. ![\[Microsoft Remote Desktop Connection.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-rdc-configuration.png) 1. Choose **Connect** to connect to your Windows Server instance. 1. At the Windows Security prompt, enter the password for your Windows Server instance into the **Password** text box, then choose **OK**. ![\[Microsoft Remote Desktop Connection password prompt.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-rdc-password.png) 1. At the Remote Desktop Connection prompt, chose **Yes** to connect. ![\[Microsoft Remote Desktop Connection security prompt.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-rdc-certificate-errors.png) You should see a screen similar to the following if you've successfully connected to your instance: ![\[Microsoft Remote Desktop Connection connected to instance.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-rdc-connected.png) ## Next steps We recommend changing the administrator password for your Windows Server instance in Amazon EC2. It removes the association between the default Lightsail key pair and your Windows Server instance in Amazon EC2. For more information, see [Secure a Windows Server instance in Amazon EC2 created from a Lightsail snapshot](amazon-lightsail-securing-windows-server-amazon-ec2-instances.md). # Secure Windows Server Amazon EC2 instances launched from Lightsail snapshots Secure Windows EC2 instances To improve the security of a Windows Server instance in Amazon Elastic Compute Cloud (Amazon EC2) created from an Amazon Lightsail snapshot, we recommend that you change the default administrator password. This removes the association between your Lightsail key pairs and your new Windows Server instance in Amazon EC2. **Note** If you created Linux or Unix instances in Amazon EC2 from a Lightsail snapshot, then you should perform a few steps to secure those instances. For more information, see [Secure an Amazon EC2 Linux or Unix instance that was created from a Lightsail snapshot](amazon-lightsail-securing-linux-unix-amazon-ec2-instances.md). **Contents** + [Connect to your Windows Server instance in Amazon EC2](#connect-to-your-windows-server-instance-in-ec2) + [Change the default administrator password of your Windows Server instance in Amazon EC2](#change-the-password-of-your-windows-server-instance-in-ec2) ## Connect to your Windows Server instance in Amazon EC2 To change your Windows Server administrator password, connect to your Windows Service instance in Amazon EC2 using Remote Desktop Protocol (RDP). To learn how to connect to your instance, see [Connect to a Windows Server instance in Amazon EC2 created from a Lightsail snapshot](amazon-lightsail-connecting-to-windows-server-amazon-ec2-instances.md). Continue to the [Change the default administrator password of your Windows Server instance in Amazon EC2](#change-the-password-of-your-windows-server-instance-in-ec2) section of this guide after you’re connected to your instance in Amazon EC2. ## Change the default administrator password of your Windows Server instance in Amazon EC2 Change the default password on your Windows Server instance to remove the association between your Lightsail key pairs and your new Windows Server instance in Amazon EC2. **To change the default administrator password of your Windows Server instance in Amazon EC2** 1. After you establish an RDP connection to your instance, open a Command Prompt and enter the following command. ``` net user Administrator "Password" ``` In the command, replace *Password* with your new password. **Example:** ``` net user Administrator "EXAMPLE%4=Bwk^GEAg8$u@5" ``` You should see a result similar to the following: ![\[Password reset on Windows Server in Amazon EC2.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-ec2-window-server-password-reset.png) 1. Store the new password in a safe place. You cannot retrieve the new password using the Amazon EC2 console. The console can retrieve only the default password. If you attempt to connect to the instance using the default password after changing it, an error message appears stating that your credentials did not work. If you lose your password or it expires, you can generate a new password. For password reset procedures, see [Resetting a Lost or Expired Windows Administrator Password](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ResettingAdminPassword.html) in the Amazon EC2 documentation. # View CloudFormation stacks for Lightsail instances CloudFormation stacks Amazon Lightsail uses CloudFormation to create Amazon Elastic Compute Cloud (Amazon EC2) instances from exported snapshots. A CloudFormation stack is created when you request to create an Amazon EC2 instance using the Lightsail console or Lightsail API. The stack performs a series of actions in your Amazon Web Services (AWS) account to create all of the related resources for the instance, such as the Amazon EC2 instance from an Amazon Machine Image (AMI), the Elastic Block Store (EBS) system volume from an EBS snapshot, and the security group for the instance. To learn more about CloudFormation stacks, see [Working with Stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacks.html) in the CloudFormation documentation. You can access the CloudFormation stacks through the Lightsail console or in the CloudFormation console. This guide shows you how to access both. **Note** The CloudFormation stack used to create your Amazon EC2 resources is permanently linked to your Amazon EC2 resources. If you delete the stack, then all related resources are automatically deleted. Because of this, you should not delete any of the CloudFormation stacks created by Lightsail, and instead delete your Amazon EC2 resources using the EC2 console. ## Accessing the CloudFormation stacks through the Lightsail console After you choose to create an instance in Amazon EC2 using the Lightsail console or the Lightsail API, an CloudFormation stack is created and its status is tracked in the **Exports** section of the Lightsail console.. To learn more about **Exports**, see [Track snapshot export status in Lightsail](amazon-lightsail-task-monitor.md). **To view your CloudFormation stacks in the Lightsail console** 1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/). 1. Choose **Exports** in the left navigation pane. 1. To access a CloudFormation stack for a previously created Amazon EC2 instance, choose **View details** for a task labeled with **Created EC2 resources**. ![\[The task history in the Lightsail console.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-task-manager-cloud-formation-stack.png) 1. The confirmation page that appears lists the CloudFormation stack for the task. Choose the stack name to open the stack details in the CloudFormation console. ## Accessing the stacks in the CloudFormation console You can also access your stack details through the [CloudFormation console](https://console.aws.amazon.com/cloudformation). The stacks created by Lightsail begin with “Lightsail-stack” and have a description of “CloudFormation stack used to create Amazon EC2 resources” as shown in the following screenshot. Stacks with a **CREATE\$1IN\$1PROGRESS** status are in the process of creating Amazon EC2 resources from your exported Lightsail snapshots. Stacks with a **CREATE\$1COMPLETED** status have completed the process of creating Amazon EC2 resources. To view the resources created by a stack, choose the checkbox next to the stack name, and then choose the **Resources** tab. ![\[CloudFormation stack details.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-cloud-formation-stack-details.png)