Amazon Elastic Compute Cloud
User Guide (API Version 2013-02-01)

Authorizing Network Access to Your Instances

Your AWS account comes with a default security group named default. This security group does not allow inbound traffic from the Internet on any port, so if your instance is associated only with that security group, you will not be able to connect to it. To access your instance with SSH or RDP, your instance must allow incoming TCP traffic on port 22 or 3389, respectively. To open a port for incoming traffic, add a security group rule to a security group that's associated with your instance. You can use the AWS Management Console or the command line tools. If you use the command line tools, use them on your local system, not on the instance itself.

The following instructions authorize incoming SSH or RDP traffic for your instance, but only from your local system's public IP address. If your IP address is dynamic, you must authorize access each time it changes. To allow additional IP address ranges, add a new security group rule for each range.

Important

If you used the Launch Wizard to launch your instance, and it automatically created the quicklaunch-x or quick-start-x security group for you, be aware that these security groups allow incoming SSH or RDP traffic from all IP addresses (0.0.0.0/0) by default, so anyone on the Internet can attempt to log in to your instance. For security reasons, we do not recommend allowing access from all IP addresses, so update the rules in these security groups to restrict the source as soon as possible. For more information about security groups, see Amazon EC2 Security Groups.

Before You Get Started

Decide who requires access to your instance, for example, a single host or a specific network that you trust. In this case, we will use your local system's public IP address. You can get the public IP address of your local computer from a web service that reports it; to locate such a service, use the search phrase "what is my IP address". Note that this is the address your traffic leaves your network with, which is usually not the private address of your computer. If you are connecting through an ISP or from behind your firewall without a static IP address, you need to find out the range of IP addresses that your ISP or firewall can assign, and authorize that range instead; keep the range as narrow as you can.

AWS Management Console

To add a rule to a security group for SSH access for Linux instances

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, click Instances. Select your instance and look at the Description tab; the Security Groups field lists the security groups that are associated with the instance. Click the view rules link to display a list of the rules that are in effect for the instance.

  3. In the navigation pane, click Security Groups. Select one of the EC2 security groups associated with your instance.

  4. On the Inbound tab, select SSH from the Create a new rule drop-down list.

    (Screenshot: Security group: add SSH rule)

  5. In the Source field, specify your local system's public IP address in CIDR notation. For example, if your IP address is 203.0.113.0, enter 203.0.113.0/32.

  6. Click Add Rule.

    An asterisk appears on the Inbound tab, indicating that the rule hasn't been applied.

  7. When you're finished adding rules, click Apply Rule Changes.

    The new rules are applied to all instances that are associated with the security group.

To add a rule to a security group for RDP access for Windows instances

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, click Instances. Select your instance and look at the Description tab; the Security Groups field lists the security groups that are associated with the instance. Click the view rules link to display a list of the rules that are in effect for the instance.

  3. In the navigation pane, click Security Groups. Select one of the EC2 security groups associated with your instance.

  4. On the Inbound tab, select RDP from the Create a new rule drop-down list.

    (Screenshot: Security group: add RDP rule)

  5. In the Source field, specify your local system's public IP address in CIDR notation. For example, if your IP address is 203.0.113.0, enter 203.0.113.0/32.

  6. Click Add Rule.

    An asterisk appears on the Inbound tab, indicating that the rule hasn't been applied.

  7. When you're finished adding rules, click Apply Rule Changes.

    The new rules are applied to all instances that are associated with the security group.

Command Line Interface

Use the ec2-authorize command. For information about the command, see ec2-authorize in the Amazon EC2 Command Line Reference.

To add a rule to a security group for SSH access

  • The following command adds a rule to the default security group that allows incoming TCP traffic on port 22 (the SSH port) from your IP address only. Replace your_ip_address with your local system's public IP address; the /32 suffix restricts the rule to that single host.

    PROMPT>  ec2-authorize default -p 22 -s your_ip_address/32
    GROUP default
    PERMISSION default ALLOWS tcp 22 22 FROM CIDR your_ip_address/32

To add a rule to a security group for RDP access

  • The following command adds a rule to the default security group that allows incoming TCP traffic on port 3389 (the RDP port) from your IP address only.

    PROMPT>  ec2-authorize default -p 3389 -s your_ip_address/32
    GROUP default
    PERMISSION default ALLOWS tcp 3389 3389 FROM CIDR your_ip_address/32
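The following script is an added example and is not part of the AWS guide or the EC2 command line tools. It ties together the two pieces of this page that are easy to get wrong at the keyboard: turning the public IP address found under "Before You Get Started" into a single-host /32 source (refusing anything wider, including 0.0.0.0/0), and auditing a security group's rules, in the PERMISSION line format that ec2-authorize prints above, for SSH or RDP exposed to the whole Internet as the Important note warns for the quicklaunch-x groups. The sample rule listing is constructed for the example; the group name quicklaunch-1 and the DRY_RUN variable are assumptions of this script. Only the final ec2-authorize invocation touches AWS, and only when DRY_RUN is unset.

```shell
#!/bin/sh
# Added example (not from the AWS guide): build a /32 source for a security
# group rule and audit rule listings for world-open SSH/RDP.

# to_cidr32: validate a dotted-quad IPv4 host address and print it with /32.
# Returns 1 and prints nothing for anything else (ranges such as 0.0.0.0/0,
# hostnames, missing or out-of-range octets).
to_cidr32() {
  ip=$1
  case "$ip" in
    ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # only digits and dots, no empty octet
  esac
  set -- $(printf '%s' "$ip" | tr '.' ' ')
  [ $# -eq 4 ] || return 1                 # exactly four octets
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1           # each octet 0..255
  done
  printf '%s/32\n' "$ip"
}

# world_open_rules: read PERMISSION lines (the format ec2-authorize prints,
# assumed here to also describe a group's existing rules) on stdin and print
# those that allow TCP port 22 or 3389 from 0.0.0.0/0, including port ranges
# that merely contain those ports.
world_open_rules() {
  awk '$1 == "PERMISSION" {
         from = to = ""; cidr = ""
         for (i = 1; i <= NF; i++) {
           if ($i == "tcp")  { from = $(i+1); to = $(i+2) }
           if ($i == "CIDR") { cidr = $(i+1) }
         }
         if (cidr == "0.0.0.0/0" && from != "" &&
             ((from <= 22 && 22 <= to) || (from <= 3389 && 3389 <= to)))
           print
       }'
}

# authorize_from_ip GROUP PORT IP: authorize TCP PORT on GROUP from IP/32.
# Refuses any source that is not a single host. With DRY_RUN set, prints the
# ec2-authorize command line instead of running it.
authorize_from_ip() {
  group=$1; port=$2
  cidr=$(to_cidr32 "$3") || { echo "refusing source '$3': not a single host" >&2; return 1; }
  if [ -n "$DRY_RUN" ]; then
    echo "ec2-authorize $group -p $port -s $cidr"
  else
    ec2-authorize "$group" -p "$port" -s "$cidr"
  fi
}

# Constructed sample listing (not real AWS output): a quicklaunch-style group
# with SSH open to the world, a web port open to the world, RDP restricted to
# one host, and a port range from the world that happens to contain 3389.
SAMPLE='GROUP quicklaunch-1
PERMISSION quicklaunch-1 ALLOWS tcp 22 22 FROM CIDR 0.0.0.0/0
PERMISSION quicklaunch-1 ALLOWS tcp 80 80 FROM CIDR 0.0.0.0/0
PERMISSION quicklaunch-1 ALLOWS tcp 3389 3389 FROM CIDR 203.0.113.0/32
PERMISSION quicklaunch-1 ALLOWS tcp 3300 3400 FROM CIDR 0.0.0.0/0'

# Demonstration; runs offline and makes no AWS calls.
echo "Sample rules that expose SSH or RDP to the whole Internet:"
printf '%s\n' "$SAMPLE" | world_open_rules
echo "Command for the example address from the guide:"
DRY_RUN=1 authorize_from_ip default 22 203.0.113.0
if DRY_RUN=1 authorize_from_ip default 22 0.0.0.0/0 >/dev/null 2>&1; then
  echo "unexpected: world-open source accepted"
else
  echo "0.0.0.0/0 correctly refused as a source"
fi
```

To audit a real group, feed the output of ec2-describe-group for that group to world_open_rules; it ignores the GROUP line and any extra trailing fields, and keys only on the protocol, port range, and CIDR fields. The refusal in authorize_from_ip is deliberate: if you ever do need a wider range, write the rule by hand so that opening a port to the Internet is never an accident of a bad variable.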