Set up to use Amazon EC2 - Amazon Elastic Compute Cloud

Set up to use Amazon EC2

Complete the tasks in this section to get set up for launching an Amazon EC2 instance for the first time: sign up for an AWS account, create an administrative user, create a key pair, and create a security group.

When you are finished, you will be ready for the Amazon EC2 Getting started tutorial.

Sign up for an AWS account

If you do not have an AWS account, complete the following steps to create one.

To sign up for an AWS account
  1. Open https://portal.aws.amazon.com/billing/signup.

  2. Follow the online instructions.

    Part of the sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.

    When you sign up for an AWS account, an AWS account root user is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to an administrative user, and use only the root user to perform tasks that require root user access.

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to https://aws.amazon.com/ and choosing My Account.

Create an administrative user

After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

Secure your AWS account root user
  1. Sign in to the AWS Management Console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.

    For help signing in by using root user, see Signing in as the root user in the AWS Sign-In User Guide.

  2. Turn on multi-factor authentication (MFA) for your root user.

    For instructions, see Enable a virtual MFA device for your AWS account root user (console) in the IAM User Guide.

Create an administrative user
  1. Enable IAM Identity Center.

    For instructions, see Enabling AWS IAM Identity Center in the AWS IAM Identity Center User Guide.

  2. In IAM Identity Center, grant administrative access to an administrative user.

    For a tutorial about using the IAM Identity Center directory as your identity source, see Configure user access with the default IAM Identity Center directory in the AWS IAM Identity Center User Guide.

Sign in as the administrative user
  • To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

    For help signing in using an IAM Identity Center user, see Signing in to the AWS access portal in the AWS Sign-In User Guide.

Create a key pair

Amazon EC2 uses public-key cryptography to secure the login information for your instance: EC2 places the public key on the instance when it launches, and you keep the private key. A Linux instance has no password; you use a key pair to log in to your instance securely. You specify the name of the key pair when you launch your instance, then provide the private key when you log in using SSH. Anyone who obtains the private key can log in as the default user of every instance launched with that key pair, so protect it the way you would protect a password.

If you haven't created a key pair already, you can create one by using the Amazon EC2 console. Note that if you plan to launch instances in multiple AWS Regions, you'll need to create a key pair in each Region. For more information about Regions, see Regions and Zones.

To create your key pair
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Key Pairs.

  3. Choose Create key pair.

  4. For Name, enter a descriptive name for the key pair. Amazon EC2 associates the public key with the name that you specify as the key name. A key name can include up to 255 ASCII characters. It can’t include leading or trailing spaces.

  5. For Key pair type, choose either RSA or ED25519. Note that ED25519 keys are not supported for Windows instances.

  6. For Private key file format, choose the format in which to save the private key. To save the private key in a format that can be used with OpenSSH, choose pem. To save the private key in a format that can be used with PuTTY, choose ppk.

  7. Choose Create key pair.

  8. The private key file is automatically downloaded by your browser. The base file name is the name you specified as the name of your key pair, and the file name extension is determined by the file format you chose. Save the private key file in a safe place.

    Important

    This is the only chance for you to save the private key file. Amazon EC2 stores only the public key and cannot regenerate the private key; if you lose it, you must create a new key pair.

  9. If you plan to use an SSH client on a macOS or Linux computer to connect to your Linux instance, use the following command to set the permissions of your private key file so that only you can read it.

    chmod 400 key-pair-name.pem

    If you do not set these permissions, then you cannot connect to your instance using this key pair. For more information, see Error: Unprotected private key file.
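    The following is an added example, not code from the AWS page. It checks a downloaded private key file the way OpenSSH itself does (the file must be owned by you with no group or other permission bits, which is exactly what chmod 400 produces), then prints the public key and the fingerprint so you can compare it with the Fingerprint column on the Key Pairs page of the console. The file name key-pair-name.pem is the placeholder from the steps above, and the script assumes an OpenSSH client (and, for RSA keys, OpenSSL) is installed.

```shell
# Added example, not part of the AWS page: check a downloaded EC2 private key
# the way OpenSSH does before using it, then print its public key and
# fingerprint for comparison with the Fingerprint column in the EC2 console.
# key-pair-name.pem is the placeholder file name from the steps above.

# Return 0 if $1 exists, is owned by the caller and has no group/other
# permission bits set. This mirrors OpenSSH's own test ((st_mode & 077) != 0
# on a file you own => "Permissions ... are too open" and the key is ignored).
# ls(1) is parsed instead of stat(1) because stat's flags differ between GNU
# and BSD userlands.
key_file_ok() {
    f=$1
    [ -f "$f" ] || { echo "$f: no such file" >&2; return 1; }
    mode=$(ls -ld "$f" | cut -c1-10)          # e.g. -r-------- for chmod 400
    case "$mode" in
        ????------) ;;                        # group and other bits all clear
        *) echo "$f: mode $mode is too open; run: chmod 400 $f" >&2; return 1 ;;
    esac
    owner=$(ls -ld "$f" | awk '{print $3}')
    [ "$owner" = "$(id -un)" ] || { echo "$f: owned by $owner, not $(id -un)" >&2; return 1; }
    return 0
}

# Print the OpenSSH public key line and the fingerprint EC2 shows for the pair.
# For ED25519 key pairs EC2 displays the SHA256 fingerprint of the public key,
# which is what ssh-keygen -l prints. For RSA key pairs that EC2 generated, the
# console shows the SHA-1 of the DER-encoded private key instead.
show_fingerprint() {
    f=$1
    key_file_ok "$f" || return 1
    ssh-keygen -y -f "$f"                     # public key derived from the private key
    if grep -q 'BEGIN RSA PRIVATE KEY' "$f"; then
        openssl pkcs8 -in "$f" -inform PEM -outform DER -topk8 -nocrypt | openssl sha1 -c
    else
        ssh-keygen -l -f "$f"
    fi
}

# Usage: sh check-key.sh key-pair-name.pem
if [ "$#" -eq 1 ]; then
    show_fingerprint "$1"
fi
```

    If the fingerprint printed here does not match the one the console shows for the key pair name you intend to use, you are holding the wrong private key and the SSH connection will be refused. (RSA public keys that you imported yourself, rather than had EC2 generate, are displayed by the console as an MD5 fingerprint, which this script does not compute.)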

For more information, see Amazon EC2 key pairs and Amazon EC2 instances.

Create a security group

Security groups act as a stateful firewall for associated instances, controlling both inbound and outbound traffic at the instance level. Because they are stateful, the response traffic for a connection that a rule allows is permitted automatically; you write rules only for the direction that initiates the connection. You must add rules to a security group that enable you to connect to your instance from your IP address using SSH. You can also add rules that allow inbound and outbound HTTP and HTTPS access from anywhere.

Note that if you plan to launch instances in multiple AWS Regions, you'll need to create a security group in each Region. For more information about Regions, see Regions and Zones.

Prerequisites

You'll need the public IPv4 address of your local computer. The security group editor in the Amazon EC2 console can automatically detect the public IPv4 address for you. Alternatively, you can use the search phrase "what is my IP address" in an internet browser, or use the following service: Check IP. If you are connecting through an Internet service provider (ISP) or from behind a firewall without a static IP address, you need to find out the range of IP addresses used by client computers.

You can create a custom security group using one of the following methods.

Console
To create a security group with least privilege
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. From the top navigation bar, select an AWS Region for the security group. Security groups are specific to a Region, so you should select the same Region in which you created your key pair.

  3. In the left navigation pane, choose Security Groups.

  4. Choose Create security group.

  5. For Basic details, do the following:

    1. Enter a name for the new security group and a description. Use a name that is easy for you to remember, such as your user name, followed by _SG_, plus the Region name. For example, me_SG_uswest2.

    2. In the VPC list, select your default VPC for the Region.

  6. For Inbound rules, create rules that allow specific traffic to reach your instance. For example, use the following rules for a web server that accepts HTTP and HTTPS traffic. For more examples, see Security group rules for different use cases.

    1. Choose Add rule. For Type, choose HTTP. For Source, choose Anywhere-IPv4 to allow inbound HTTP traffic from any IPv4 address, or Anywhere-IPv6 to allow inbound HTTP traffic from any IPv6 address.

    2. Choose Add rule. For Type, choose HTTPS. For Source, choose Anywhere-IPv4 to allow inbound HTTPS traffic from any IPv4 address, or Anywhere-IPv6 to allow inbound HTTPS traffic from any IPv6 address.

    3. Choose Add rule. For Type, choose SSH. For Source, do one of the following:

      • Choose My IP to automatically add the public IPv4 address of your local computer.

      • Choose Custom and specify the public IPv4 address of your computer or network in CIDR notation. To specify an individual IP address in CIDR notation, add the routing suffix /32, for example, 203.0.113.25/32. If your company or your router allocates addresses from a range, specify the entire range, such as 203.0.113.0/24.

      Warning

      For security reasons, do not choose Anywhere-IPv4 or Anywhere-IPv6 for Source with a rule for SSH. This would allow access to your instance from all IP addresses on the internet. This is acceptable for a short time in a test environment, but it is unsafe for production environments.

  7. For Outbound rules, keep the default rule, which allows all outbound traffic.

  8. Choose Create security group.

AWS CLI

When you use the AWS CLI to create a security group, an outbound rule that allows all outbound traffic is automatically added to the security group. An inbound rule isn't automatically added; you'll need to add it.

In this procedure, you'll combine the create-security-group and authorize-security-group-ingress AWS CLI commands to create the security group and add the inbound rule that allows the specified inbound traffic. An alternative to the following procedure is to run the commands separately, first creating a security group, and then adding an inbound rule to the security group.

To create a security group and add an inbound rule to the security group

Use the create-security-group and authorize-security-group-ingress AWS CLI commands as follows:

aws ec2 authorize-security-group-ingress \
    --region us-west-2 \
    --group-id $(aws ec2 create-security-group \
        --group-name myname_SG_uswest2 \
        --description "Security group description" \
        --vpc-id vpc-12345678 \
        --query GroupId \
        --output text \
        --region us-west-2) \
    --ip-permissions \
        IpProtocol=tcp,FromPort=80,ToPort=80,IpRanges='[{CidrIp=0.0.0.0/0,Description="HTTP from anywhere"}]' \
        IpProtocol=tcp,FromPort=443,ToPort=443,IpRanges='[{CidrIp=0.0.0.0/0,Description="HTTPS from anywhere"}]' \
        IpProtocol=tcp,FromPort=22,ToPort=22,IpRanges='[{CidrIp=172.31.0.0/16,Description="SSH from private network"}]' \
        IpProtocol=tcp,FromPort=22,ToPort=22,IpRanges='[{CidrIp=203.0.113.25/32,Description="SSH from public IP"}]'

For:

  • --region – Specify the Region in which to create the inbound rules.

  • --group-id – Specify the create-security-group command and the following parameters to create the security group:

    • --group-name – Specify a name for the new security group. Use a name that is easy for you to remember, such as your user name, followed by _SG_, plus the Region name. For example, myname_SG_uswest2.

    • --description – Specify a description that will help you know what traffic the security group allows.

    • --vpc-id – Specify your default VPC for the Region.

    • --query GroupId and --output text – Return only the ID of the new security group, as plain text, so that the command substitution passes a bare security group ID to --group-id.

    • --region – Specify the Region in which to create the security group. It should be the same Region that you specified for the inbound rules.

  • --ip-permissions – Specify the inbound rules to add to the security group. The rules in this example are for a web server that accepts HTTP and HTTPS traffic from anywhere, and that accepts SSH traffic from a private network (if your company or your router allocates addresses from a range) and a specified public IP address (such as the public IPv4 address of your computer or network in CIDR notation).

    Warning

    For security reasons, do not specify 0.0.0.0/0 for CidrIp with a rule for SSH. This would allow access to your instance from all IP addresses on the internet. This is acceptable for a short time in a test environment, but it is unsafe for production environments.
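The following is an added example, not code from the AWS page. It wraps the two CLI commands above in a small script that validates every source CIDR and refuses to open SSH (port 22) or RDP (port 3389) to 0.0.0.0/0 before anything is sent to AWS, which turns the warning above into a check that cannot be skipped by accident. The Region, group name, VPC ID and the address 203.0.113.25 are the page's placeholders; the MY_IP and APPLY environment variables are assumptions of this example, and the AWS CLI is only called when APPLY=1, so the default run is an offline dry run.

```shell
# Added example, not part of the AWS page: a wrapper around the two CLI
# commands above that validates every source CIDR and refuses to open SSH (22)
# or RDP (3389) to 0.0.0.0/0 before anything reaches AWS. The Region, group
# name, VPC ID and 203.0.113.25 are the page's placeholders; MY_IP and APPLY
# are this example's own variables. Nothing is sent to AWS unless APPLY=1.

# Return 0 if $1 is a well-formed IPv4 CIDR: a.b.c.d/n, octets 0-255, n 0-32.
is_ipv4_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    prefix=${1#*/}
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- ${1%/*}; IFS=$oldifs   # split the address on dots
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Accept a bare IPv4 address as shorthand for a /32 (the "Custom" source case).
to_cidr() {
    case "$1" in */*) printf '%s\n' "$1" ;; *) printf '%s/32\n' "$1" ;; esac
}

# Emit one --ip-permissions element for a TCP port, or fail if the CIDR is
# malformed or would expose an administrative port to the whole internet.
# Arguments: port source-cidr-or-ip description
rule() {
    port=$1; cidr=$(to_cidr "$2"); desc=$3
    is_ipv4_cidr "$cidr" || { echo "rule: '$2' is not a valid IPv4 CIDR" >&2; return 1; }
    case "$port" in
        22|3389)
            if [ "${cidr#*/}" -eq 0 ]; then
                echo "rule: refusing to open port $port to $cidr" >&2
                return 1
            fi ;;
    esac
    printf 'IpProtocol=tcp,FromPort=%s,ToPort=%s,IpRanges=[{CidrIp=%s,Description="%s"}]\n' \
        "$port" "$port" "$cidr" "$desc"
}

# Build the rule set for the web server described above and apply it.
create_web_sg() {
    region=us-west-2; name=myname_SG_uswest2; vpc=vpc-12345678
    my_ip=${MY_IP:-203.0.113.25}   # real use: MY_IP=$(curl -s https://checkip.amazonaws.com)
    perms=$(
        rule 80  0.0.0.0/0 "HTTP from anywhere" &&
        rule 443 0.0.0.0/0 "HTTPS from anywhere" &&
        rule 22  "$my_ip"  "SSH from my public IP"
    ) || return 1
    # One argument per rule: split on newlines only (descriptions contain spaces)
    # and disable globbing so the [ and { in the rule text are left alone.
    oldifs=$IFS; IFS='
'; set -f; set -- $perms; set +f; IFS=$oldifs
    if [ "${APPLY:-0}" != 1 ]; then
        echo "dry run; would create $name in $vpc ($region) with rules:"
        printf '  %s\n' "$@"
        return 0
    fi
    sg_id=$(aws ec2 create-security-group --region "$region" --group-name "$name" \
        --description "Web server: HTTP/HTTPS from anywhere, SSH from $my_ip" \
        --vpc-id "$vpc" --query GroupId --output text) || return 1
    aws ec2 authorize-security-group-ingress --region "$region" --group-id "$sg_id" \
        --ip-permissions "$@"
}

create_web_sg
```

Run it once without APPLY to see the exact rules that would be created; then run MY_IP=<your public IPv4> APPLY=1 sh create-sg.sh to create the group. Changing the SSH source to 0.0.0.0/0, or mistyping the address, makes the script exit before the first AWS call.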

PowerShell

When you use the AWS Tools for Windows PowerShell to create a security group, an outbound rule that allows all outbound traffic is automatically added to the security group. An inbound rule isn't automatically added; you'll need to add it.

In this procedure, you'll combine the New-EC2SecurityGroup and Grant-EC2SecurityGroupIngress AWS Tools for Windows PowerShell commands to create the security group and add the inbound rule that allows the specified inbound traffic. An alternative to the following procedure is to run the commands separately, first creating a security group, and then adding an inbound rule to the security group.

To create a security group

Use the New-EC2SecurityGroup and Grant-EC2SecurityGroupIngress AWS Tools for Windows PowerShell commands as follows.

Import-Module AWS.Tools.EC2

$groupId = New-EC2SecurityGroup `
    -GroupName myname_SG_uswest2 `
    -Description 'Security group description' `
    -VpcId vpc-12345678 `
    -Region us-west-2

Grant-EC2SecurityGroupIngress `
    -GroupId $groupId `
    -Region us-west-2 `
    -IpPermission @(
        (New-Object -TypeName Amazon.EC2.Model.IpPermission -Property @{
            IpProtocol = 'tcp'; FromPort = 80; ToPort = 80;
            Ipv4Ranges = @(@{CidrIp = '0.0.0.0/0'; Description = 'HTTP from anywhere'})
        }),
        (New-Object -TypeName Amazon.EC2.Model.IpPermission -Property @{
            IpProtocol = 'tcp'; FromPort = 443; ToPort = 443;
            Ipv4Ranges = @(@{CidrIp = '0.0.0.0/0'; Description = 'HTTPS from anywhere'})
        }),
        (New-Object -TypeName Amazon.EC2.Model.IpPermission -Property @{
            IpProtocol = 'tcp'; FromPort = 3389; ToPort = 3389;
            Ipv4Ranges = @(
                @{CidrIp = '172.31.0.0/16'; Description = 'RDP from private network'},
                @{CidrIp = '203.0.113.25/32'; Description = 'RDP from public IP'}
            )
        })
    )

New-EC2SecurityGroup returns the ID of the new security group as a string; the example stores it in $groupId and passes it to Grant-EC2SecurityGroupIngress. (The automatic variable $_ is only populated inside pipeline script blocks such as ForEach-Object, so writing -GroupName $_ after a pipe would pass $null rather than the new group.)

For the security group:

  • -GroupName – Specify a name for the new security group. Use a name that is easy for you to remember, such as your user name, followed by _SG_, plus the Region name. For example, myname_SG_uswest2.

  • -Description – Specify a description that will help you know what traffic the security group allows.

  • -VpcId – Specify your default VPC for the Region.

  • -Region – Specify the Region in which to create the security group.

For the inbound rules:

  • -GroupId – Specify the ID that New-EC2SecurityGroup returned ($groupId in this example) to reference the security group you just created.

  • -Region – Specify the Region in which to create the inbound rules. It should be the same Region that you specified for the security group.

  • -IpPermission – Specify the inbound rules to add to the security group. The rules in this example are for a web server that accepts HTTP and HTTPS traffic from anywhere, and that accepts RDP traffic from a private network (if your company or your router allocates addresses from a range) and a specified public IP address (such as the public IPv4 address of your computer or network in CIDR notation).

    Warning

    For security reasons, do not specify 0.0.0.0/0 for CidrIp with a rule for RDP. This would allow access to your instance from all IP addresses on the internet. This is acceptable for a short time in a test environment, but it is unsafe for production environments.

For more information, see Amazon EC2 security groups for Linux instances.