Amazon Elastic Compute Cloud
User Guide for Linux Instances

Connecting to Your Linux Instance Using EC2 Instance Connect

Amazon EC2 Instance Connect provides a simple and secure way to connect to your instances using Secure Shell (SSH). With EC2 Instance Connect, you use AWS Identity and Access Management (IAM) policies and principals to control SSH access to your instances, removing the need to share and manage SSH keys. All connection requests using EC2 Instance Connect are logged to AWS CloudTrail so that you can audit connection requests.

You can use the Instance Connect feature to connect to your Linux instances from the Amazon EC2 console, the Amazon EC2 Instance Connect CLI, or the Amazon EC2 API.


If you are connecting to a Linux instance from a local computer running Windows, see the following documentation instead: Connecting to Your Linux Instance from Windows Using PuTTY and Connecting to Your Linux Instance from Windows Using Windows Subsystem for Linux.

How EC2 Instance Connect Works

When you connect to an instance using EC2 Instance Connect, the Instance Connect API pushes a one-time-use SSH public key to the instance metadata where it remains for 60 seconds. The IAM policy attached to your IAM user authorizes your IAM user to push the public key to the instance metadata. The AuthorizedKeysCommand and AuthorizedKeysCommandUser, configured when Instance Connect is installed, tells the SSH daemon to look up the public key from the instance metadata for authentication, and connects you to the instance.

You can use Instance Connect to connect to your instances using any SSH client of your choice or the Instance Connect CLI, or you can connect to your instances by using the new browser-based SSH client in the Amazon EC2 console.