EC2

SSH Key-pairs

A key pair, consisting of a public key and a private key, is a set of security credentials that you use to prove your identity when connecting to an Amazon EC2 instance. Amazon EC2 stores the public key on your instance, and you store the private key. The public key is saved within the ~/.ssh/authorized_keys file. For Linux instances, the private key allows you to securely SSH into your instance. Anyone who possesses your private key can connect to your instances, so it's important that you store your private key in a secure place.

As an alternative to key pairs, you can use AWS Systems Manager Session Manager to connect to your instance with an interactive one-click browser-based shell or the AWS Command Line Interface (AWS CLI).

Source: AWS - Amazon EC2 key pairs and Linux instances

Also see: https://digitalcompanion.gitbook.io/home/dev-sec-ops/cloud-aws/how-to#create-ec2-keypair

Create a key pair

Source: AWS - Create key pairs

Convert PPK to PEM file using Command

Source: How to Convert PPK to PEM file using Command

Connect to EC2 instance using SSH

Refer to:

Connect to EC2 private instance via bastion

Source: Securely Connect to Linux Instances Running in a Private Amazon VPC

Connecting to an EC2 instance that has a public IP from a remote computer requires the username and the private SSH key. For example, the setup for the Termius SSH client is shown below; in this case the key file is stored locally on the remote computer and is called "gabe2022oregon.ppk".

However, if the EC2 instance has no public IP or is otherwise not reachable from the internet, a common practice is to set up a "bastion host" in the AWS VPC that provides the SSH entry point. The bastion host is an EC2 instance configured to provide secure SSH access to the rest of the VPC.

The best practice for securely connecting to EC2 instances in private Amazon VPC subnets is SSH agent forwarding. It lets you connect from the bastion host to the private EC2 instances without storing the private key on the bastion. Without it, you would SSH into the bastion from a computer holding the private key, as shown above, and then have to upload the private key to the bastion before SSHing on to the private instance. Never store your private SSH key on the bastion.

Step-by-step instructions - Linux

  • Make the SSH key .pem file available on the computer. If you only have a .ppk file, see Convert PPK to PEM file using Command.

  • ssh-agent comes pre-installed on Ubuntu; see man ssh-add.

  • Add the key to the SSH agent:

$ ssh-add -K myPrivateKey.pem
Enter passphrase for myPrivateKey.pem:
Passphrase stored in keychain: myPrivateKey.pem
Identity added: myPrivateKey.pem (myPrivateKey.pem)
$
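The steps above stop at loading the key into the agent. The script below, an added example that is not part of the original notes, carries the procedure through to the connection: it checks the .pem permissions, starts an agent if needed, loads the key with plain ssh-add (the -K flag and "stored in keychain" line in the transcript above come from the macOS ssh-add; Linux OpenSSH does not use -K that way), and then builds the two ways of reaching the private instance without the key ever being copied to the bastion. The agent-forwarding form (-A) is what these notes recommend; the ProxyJump form (-J) reaches the same goal without exposing an agent socket on the bastion at all. Key path, username, and both IP addresses are placeholders.

```shell
#!/bin/sh
# Added example (not from the original notes): reach a private EC2 instance through a
# bastion without ever copying the .pem onto the bastion.
# Placeholder values: KEY_FILE, SSH_USER, BASTION_IP, PRIVATE_IP (override via environment).
set -eu

KEY_FILE="${KEY_FILE:-${HOME:-.}/.ssh/myPrivateKey.pem}"
SSH_USER="${SSH_USER:-ec2-user}"
BASTION_IP="${BASTION_IP:-203.0.113.10}"   # placeholder public IP of the bastion
PRIVATE_IP="${PRIVATE_IP:-10.0.2.25}"      # placeholder private IP of the target instance

# Return 0 if the key file is readable only by its owner; ssh refuses keys that
# other users can read, so this is the first thing to check when ssh-add fails.
key_perms_ok() {
  f=$1
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")   # GNU stat, then BSD/macOS stat
  case "$mode" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# Option A: agent forwarding (what the notes recommend). The key lives only in the
# local agent; -A lets the bastion's sshd relay signing requests back to it, so the
# second hop (ssh from the bastion to PRIVATE_IP) authenticates with the local key.
agent_forward_cmd() {
  printf 'ssh -A %s@%s\n' "$SSH_USER" "$BASTION_IP"
}

# Option B: ProxyJump. The local client tunnels through the bastion and authenticates
# to the private instance directly, so no agent socket is exposed on the bastion.
proxyjump_cmd() {
  printf 'ssh -J %s@%s %s@%s\n' "$SSH_USER" "$BASTION_IP" "$SSH_USER" "$PRIVATE_IP"
}

main() {
  if ! key_perms_ok "$KEY_FILE"; then
    chmod 600 "$KEY_FILE"
  fi
  # Start an agent for this shell if none is running, then load the key once.
  if [ -z "${SSH_AUTH_SOCK:-}" ]; then
    eval "$(ssh-agent -s)" >/dev/null
  fi
  ssh-add "$KEY_FILE"          # plain ssh-add on Linux; -K is the macOS keychain flag
  echo "From the bastion shell, run: ssh $SSH_USER@$PRIVATE_IP"
  eval "$(agent_forward_cmd)"
}

if [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it as ./connect.sh --run after exporting BASTION_IP and PRIVATE_IP. If the organisation's policy forbids agent forwarding on the bastion (many hardened bastion images set AllowAgentForwarding no), swap the last line of main for eval "$(proxyjump_cmd)"; the private key still never leaves the local machine.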

Metadata

Source: AWS - Instance metadata and user data

Note: the following commands must be run from the EC2 instance itself; the metadata service at 169.254.169.254 is reachable only from inside the instance.

# meta-data
$ curl http://169.254.169.254/latest/meta-data/

# user-data
$ curl http://169.254.169.254/latest/user-data/

# instance attributes
$ curl http://169.254.169.254/latest/dynamic/instance-identity/document
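The curl calls above use IMDSv1, which answers any plain GET. The script below is an added example, not part of the original notes: it makes the same queries the IMDSv2 way, where every request must carry a short-lived session token obtained with a PUT. Requiring that token on the instance (aws ec2 modify-instance-metadata-options --http-tokens required) is what closes the common SSRF route to the role credentials under meta-data/iam/, because a vulnerable web app that can be coaxed into issuing a GET usually cannot be made to issue the PUT with the custom header first. The sample identity document and its values are constructed placeholders; IMDS is a variable only so the parsing helper can be exercised off the instance.

```shell
#!/bin/sh
# Added example (not from the original notes): query the EC2 instance metadata
# service using IMDSv2 session tokens, then pull fields from the identity document.
set -eu

IMDS="${IMDS:-http://169.254.169.254}"   # only override for local testing

# Fetch a session token valid for TTL seconds (AWS caps it at 21600). Must run on the
# instance: the PUT with this header is the step IMDSv1-only clients never perform.
imds_token() {
  curl -sS --max-time 2 -X PUT "$IMDS/latest/api/token" \
    -H "X-aws-ec2-metadata-token-ttl-seconds: ${1:-300}"
}

# GET a metadata path with the token attached, e.g. imds_get meta-data/instance-id
imds_get() {
  tok=$(imds_token) || return 1
  curl -sS --max-time 2 -H "X-aws-ec2-metadata-token: $tok" "$IMDS/latest/$1"
}

# Pull one string field out of the instance-identity document read on stdin.
# The document is flat JSON, so one sed over the newline-stripped text suffices.
json_field() {
  tr -d '\n' | sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Constructed sample of what dynamic/instance-identity/document returns; all values
# are placeholders, not a real account or instance.
SAMPLE_DOC='{
  "accountId" : "111122223333",
  "architecture" : "x86_64",
  "instanceId" : "i-0123456789abcdef0",
  "instanceType" : "t3.micro",
  "privateIp" : "10.0.2.25",
  "region" : "us-west-2"
}'

# Convenience wrapper: identity_field region -> "us-west-2" on a live instance.
identity_field() {
  imds_get dynamic/instance-identity/document | json_field "$1"
}

if [ "${1:-}" = "--run" ]; then
  echo "instance-id: $(imds_get meta-data/instance-id)"
  echo "region:      $(identity_field region)"
  echo "account:     $(identity_field accountId)"
fi
```

With the token requirement enforced, the bare IMDSv1 GETs shown earlier return HTTP 401; that is the expected result, not a misconfiguration. Audit an instance with aws ec2 describe-instances and check that MetadataOptions.HttpTokens reads "required".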

How-to

Connect to my Linux instance if I lost my private key (of the key pair)
