BlowStack
->
Blog
->
How to set up EC2 instance connect

How to set up EC2 instance connect
Last update 10.2022
#CONNECT-TO-EC2

TABLE OF CONTENTS

How does EC2 instance connect work
EC2 instance connect basic requirements and setup
How secure is EC2 instance connect
Summary

How does EC2 instance connect work

EC2 instance connect is a one of three dedicated AWS services enabling command line access to an EC2 instance without the required ssh key (others are: Session Manager and EC2 serial console). At least partially. It still uses internally its own short lived ssh keys to connect to an EC2 but you won't be asked for any. After connecting to EC2 you will gain control of Bash interactive console with the same functionality as available through SSH client.

Super cool feature is that you are authenticating to EC2 using IAM user and not ssh keys. That way it's a lot easier to manage who has the access as the ssh key can be provided by anyone. There is no pricing because the service is totally free.

EC2 instance connect from the AWS console

The service is available from the connect menu. You can access it in a variety of ways. One of them is to go to EC2 instances lists and follow the Connect button.

On the new page you should be able to use EC2 instance connect as the first option by default but it will be only available if you use Amazon Linux 2 or at least Ubuntu 16.04 distributions.

EC2 instance connect basic requirements and setup

If you can connect then omit subsequent paragraphs with Task subtitles. However there are chances that when you first click connect it will crash and an error related to one of four Tasks will pop up.

This is happening because in order to use EC2 instance connect you will have to fulfill four tasks (three if you drop using CLI and stick with the AWS console). This post shows the usual use case when users connect to the EC2 using public IP addresses in simplified and congested form. If you are interested in more details on how to accomplish those requirements or want to use private IP addresses then refer to the official AWS docs.

Task 1 - set up network access (public IP)

If Task 1 is not achieved then after trying to connect to your EC2 you will get such (or similar) error:

Failed to connect to your instance
We were unable to connect to your instance. Make sure that your instance network settings are configured correctly for EC2 Instance Connect. For more information, check Task 1 under the Set up EC2 Instance Connect AWS documentation.

In order to use EC2 instance connect there must be properly configured network access enabling connection between the service and the EC2. It works similarly as if you would like to connect directly using an SSH client where host, user, some sort of key (or password) and proper firewall rules settings have to be provided. With EC2 instance connect it works almost the same but keys won't be needed. Let's start with the host.

Host

First check if the public IP address is already attached to your EC2 (this can be done through EC2 list or EC2 detail). If you didn't explicitly disabled auto assign IP address during EC2 creation then you are ready to go to the next requirement.

Otherwise auto assigning a public IP address on EC2 that is already launched will be only possible if the VPC and the subnet have IPv6 CIDR assigned (it's not default). To assign an IPv6 address to an instance after its launch refer to the official docs. Another possibility is to create an EC2 image and during re-creation enabling auto-assign public IP. If none of the above suits you, the last resort is to create Elastic IP and attach it to the Network interface of EC2 using manage IP addresses context menu (network interface can be found in the Networking tab on the EC2 detail). Notice that Elastic IP will cost you additional money compared to auto-assign options.

Security group (firewall rules)

Next step is to allow EC2 instances to connect using the EC2 ssh protocol. If your security group has associated SSH type with Anywhere-IPv4 Source then it will always work but then your firewall literally won't exist for this type of connection. Way better is to get the IP addresses used by EC2 instance connect service and fill the rules accordingly. You can get such IPs range by going to ip-ranges AWS page and filter out (ctrl+f) EC2_INSTANCE_CONNECT as a service name. You can choose only those IP addresses that network_border_group is the same as your EC2 network interface. For example for eu-west-1c it will be the following entry (if it's eu-west-1c than eu-west-1 is ok):

    {
      "ip_prefix": "18.202.216.48/29",
      "region": "eu-west-1",
      "service": "EC2_INSTANCE_CONNECT",
      "network_border_group": "eu-west-1"
    }

You should end up having in your security group (inbound rules) the following record:

EC2 instance connect service allowed IPs.

Task 2 - installing EC2 instance connect agent

If task 2 is not fulfilled then the following error will popup (notice that task number is not mentioned this time):

Failed to connect to your instance
Error establishing SSH connection to your instance. Please wait and try again later

The only solution is to connect to the EC2 using a standard SSH client and install lacking packages. If you use i.e. Ubuntu Server 18.04 which doesn't have a pre-installed EC2 instance connect agent and somehow you lost the required SSH key then you won't be able to use EC2 instance connect!

After successfully login using SSH Client, update packages list, upgrade the system and finally install the package using the below codes respectively for Amazon and Ubuntu operating systems.

sudo yum install ec2-instance-connect

sudo apt-get install ec2-instance-connect

Task 3 - install CLI

There won't be an error related to Task 3 as this is not an obligatory step related to CLI usage (you can still use the AWS console instead). Anyway, the urge for using CLI will force you to use the Python package and add in the security group your IP address for SSH connections.

Task 4 - user permissions

When using an EC2 instance connect both from CLI or the console you are actually logging in using the IAM mechanism not SSH Client. In order to access several permissions have to be granted for the user. If they are not attached then expect one of the following errors to pop up.

An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation.

Failed to connect to your instance
Access denied by EC2 Instance Connect. Either your AWS credentials are not valid or you do not have access to the EC2 instance.

To fix those errors add the following permissions to the user (see json below). Remember to replace region, accountId, instanceId and ec2:osuser value with your instance region, account id, instance id and instance user name respectively (defaults for ec2:osuser are ec2-user for Amazon images and ubuntu for Ubuntu images).

{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "ec2-instance-connect:SendSSHPublicKey",
        "Resource": [
            "arn:aws:ec2:{region}:{accountId}:instance/{instanceId}"
        ],
        "Condition": {
            "StringEquals": {
                "ec2:osuser": "{"ec2-user | ubuntu | differentNotDefaultUserName}"
            }
        }
      },
      {
        "Effect": "Allow",
        "Action": "ec2:DescribeInstances",
        "Resource": "arn:aws:ec2:{region}:{accountId}:instance/{instanceId}"
      }
    ]
}

Notice that apart from the above required permissions your user has to be granted Programmatic access for CLI or AWS Management Console access for the console interactions.

How secure is EC2 instance connect

It's far more secure than using an old school ssh client from your local computer. Why? Because all authentication and authorization is handled by AWS IAM making access to the EC2 as difficult as access to the AWS itself.

There is a few things you could do to make EC2 instance connect even more secure:

always use MFA (this will be required also for CLI)
combine ec2 instance connect with CloudTrail in order to follow who when and what done in your EC2
create and use the least privileged ssh users instead of the default root users (ec2-user or ubuntu) as this can inflict real damage to your EC2
attach each AMI connecting user a separate ssh user
never use 0.0.0.0/0 for EC2 security group, specify exact EC2 instance connect IP addresses (the Task 1)
specify exact instance ARN and user name when creating user permissions (the Task 4)

Summary

EC2 instance connect is a great AWS service which definitely facilitates ssh connections but only to Amazon and Ubuntu instances. You just don't have to worry about ssh keys even so they are used under the hood. However it's worth considering at least switching on MFA and creating a new (not sudo privileged) ssh user for each IAM user with access to EC2.