General connection prerequisites - Amazon Elastic Compute Cloud

General connection prerequisites

The following are general prerequisites to connect to an instance. Note that there might be additional prerequisites that are specific to the connection option that you choose.

General prerequisites

Get the required instance details

To prepare to connect to your instance, get the following information from the Amazon EC2 console or by using the command line.

The Instances pane of the Amazon EC2 console.
  • Get the public DNS name of the instance.

    You can get the public DNS for your instance from the Amazon EC2 console. Check the Public IPv4 DNS column of the Instances pane. If this column is hidden, choose the settings icon ( The gear icon. ) in the top-right corner of the screen, and select Public IPv4 DNS. You can also find the public DNS in the instance information section of the Instances pane. When you select the instance in the Instances pane of the Amazon EC2 console, information about that instance will appear on the lower half of the page. Under the Details tab, look for Public IPv4 DNS.

    If you prefer, you can use the describe-instances (AWS CLI) or Get-EC2Instance (AWS Tools for Windows PowerShell) commands.

    If no Public IPv4 DNS is displayed, verify that the Instance state is Running, and that you have not launched the instance in a private subnet. If you launched your instance using the launch instance wizard, you may have edited the Auto-assign public IP field under Network settings and changed the value to Disable. If you disable the Auto-assign public IP option, the instance is not assigned a public IP address when it is launched.

  • (IPv6 only instances) Get the IPv6 address of the instance.

    If you assigned an IPv6 address to your instance, you can optionally connect to the instance using its IPv6 address instead of a public IPv4 address or public IPv4 DNS hostname. Your local computer must have an IPv6 address and must be configured to use IPv6. You can get the IPv6 address of your instance from the Amazon EC2 console. Check the IPv6 IPs column of the Instances pane. Or, you can find the IPv6 address in the instance information section. When you select the instance in the Instances pane of the Amazon EC2 console, information about that instance will appear on the lower half of the page. Under the Details tab, look for IPv6 address.

    If you prefer, you can use the describe-instances (AWS CLI) or Get-EC2Instance (AWS Tools for Windows PowerShell) commands. For more information about IPv6, see IPv6 addresses.

  • (Linux instances) Get the username for your instance.

    You can connect to your instance using the username for your user account or the default username for the AMI that you used to launch your instance.

    • Get the username for your user account.

      For more information about how to create a user account, see Manage system users on your Amazon EC2 Linux instance.

    • Get the default username for the AMI that you used to launch your instance.

      • Amazon Linuxec2-user

      • CentOScentos or ec2-user

      • Debianadmin

      • Fedorafedora or ec2-user

      • RHELec2-user or root

      • SUSEec2-user or root

      • Ubuntuubuntu

      • Oracleec2-user

      • Bitnamibitnami

      • Rocky Linuxrocky

      • Other – Check with the AMI provider

Locate the private key and set permissions

You must know the location of your private key file to make the initial connection to a Linux instance using SSH or a Windows instances using RDP. For SSH connections, you must set file permissions so that only you can read the private key.

For information about how key pairs work when using Amazon EC2, see Amazon EC2 key pairs and Amazon EC2 instances.

  • Locate the private key.

    Get the fully-qualified path to the location on your computer of the .pem file for the key pair that you specified when you launched the instance. For more information, see Identify the public key specified at launch.

    If you can't find your private key file, see I've lost my private key. How can I connect to my instance?

    (Linux instances) If you are connecting to your instance using PuTTY and need to convert the .pem file to .ppk, see Convert your private key using PuTTYgen.

  • (Linux instances) Set the permissions of your private key so that only you can read it.

    • Connect from macOS or Linux

      If you plan to use an SSH client on a macOS or Linux computer to connect to your Linux instance, use the following command to set the permissions of your private key file so that only you can read it.

      chmod 400 key-pair-name.pem

      If you do not set these permissions, then you cannot connect to your instance using this key pair. For more information, see Error: Unprotected private key file.

    • Connect from Windows

      Open File Explorer and right-click on the .pem file. Select Properties > Security tab and choose Advanced. Choose Disable inheritance. Remove access to all users except for the current user.

(Optional) Get the instance fingerprint

To protect yourself from man-in-the-middle attacks, you can verify the authenticity of the instance you're about to connect to by verifying the fingerprint that is displayed. Verifying the fingerprint is useful if you launched your instance from a public AMI provided by a third party.

Task overview

First, get the instance fingerprint from the instance. Then, when you connect to the instance and are prompted to verify the fingerprint, compare the fingerprint you obtained in this procedure with the fingerprint that is displayed. If the fingerprints don't match, someone might be attempting a man-in-the-middle attack. If they match, you can confidently connect to your instance.

Prerequisites to get the instance fingerprint
  • The instance must not be in the pending state. The fingerprint is available only after the first boot of the instance is complete.

  • You must be the instance owner to get the console output.

  • There are various ways to get the instance fingerprint. If you want to use the AWS CLI, it must be installed on your local computer. For information about installing the AWS CLI, see Installing the AWS Command Line Interface in the AWS Command Line Interface User Guide.

To get the instance fingerprint

In Step 1, you get the console output, which includes the instance fingerprint. In Step 2, you find the instance fingerprint in the console output.

  1. Get the console output using one of the following methods.

    Console
    1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

    2. From the left navigator, choose Instances.

    3. Select your instance, and then choose Actions, Monitor and troubleshoot, Get system log.

    AWS CLI

    On your local computer (not on the instance you're connecting to), use the get-console-output (AWS CLI) command. If the output is large, you can pipe it to a text file, where it might be easier to read. Note that you must specify an AWS Region when you use the AWS CLI, either explicitly or by setting a default Region. For information about how to set or specify a Region, see Configure the AWS CLI in the AWS Command Line Interface User Guide.

    aws ec2 get-console-output --instance-id instance_id --query Output --output text > temp.txt
  2. In the console output, find the instance (host) fingerprint, which is located under BEGIN SSH HOST KEY FINGERPRINTS. There might be several instance fingerprints. When you connect to your instance, it will display only one of the fingerprints.

    The exact output can vary by operating system, AMI version, and whether AWS created the key pairs. The following is example output.

    ec2:############################################################# ec2: -----BEGIN SSH HOST KEY FINGERPRINTS----- ec2: 256 SHA256:l4UB/neBad9tvkgJf1QZWxheQmR59WgrgzEimCG6kZY no comment (ECDSA) ec2: 256 SHA256:kpEa+rw/Uq3zxaYZN8KT501iBtJOIdHG52dFi66EEfQ no comment (ED25519) ec2: 2048 SHA256:L8l6pepcA7iqW/jBecQjVZClUrKY+o2cHLI0iHerbVc no comment (RSA) ec2: -----END SSH HOST KEY FINGERPRINTS----- ec2: #############################################################
    Note

    You'll reference this fingerprint when you connect to the instance.