How to Connect to EC2 Instance: Step-by-Step (SSH, PuTTY, EC2 Instance Connect, Session Manager)
TL;DR
Connecting to an EC2 instance requires an active instance with network access, proper security group rules allowing inbound traffic on port 22 (for SSH), the correct private key file, and the appropriate username for your AMI type. You can connect via SSH from Linux/macOS, PuTTY from Windows, EC2 Instance Connect from your browser, or AWS Systems Manager Session Manager without opening port 22 at all.
Quick Steps
- Launch an EC2 instance and note its public IP or DNS name
- Configure security group to allow SSH (port 22) from your IP, or enable Session Manager
- Download your private key (.pem) and restrict its permissions with chmod 400
- Connect with ssh -i key.pem username@public-ip, or use your preferred method
- Verify the connection and run commands
To connect to an EC2 instance, ensure the instance has a public IP or a private link (VPN/Transit), open port 22 in the instance’s security group, use the correct username for the AMI, and either SSH with your PEM key (ssh -i key.pem user@host), use EC2 Instance Connect, or start an AWS SSM Session Manager session.
Prerequisites
Before you can connect to your EC2 instance, make sure you have:
- Active EC2 instance — Your instance must be in the “running” state in the AWS Console
- AWS IAM permissions — You need ec2:DescribeInstances at minimum; for Session Manager, you also need ssm:StartSession
- Key pair — The private key (.pem file) you selected or created when launching the instance
- Security group configured — Inbound rule allowing SSH (TCP port 22) from your IP address, or no port 22 rule if using Session Manager
- Public IP or DNS — Instance must have a public IP (or you need VPN/Direct Connect for private instances)
- Correct AMI username — Different Linux distributions use different default usernames (see table below)
Method 1 — Connect with SSH (Linux / macOS)
SSH is the native way to connect from Unix-like systems. Here’s how to do it step by step.
Step 1: Set Correct Key Permissions
OpenSSH refuses to use a private key that other users on your machine can read. Set the file to read-only for the owner:
chmod 400 ~/keys/mykey.pem
If you skip this step, SSH will reject your key with a “permissions are too open” error.
Step 2: Find Your Instance’s Public DNS or IP
Go to the EC2 Console, select your instance, and copy the Public IPv4 DNS or Public IPv4 address from the instance details pane. It will look like:
ec2-3-123-45-67.compute-1.amazonaws.com
or simply:
3.123.45.67
Step 3: Connect Using SSH
Run the SSH command with the -i flag to specify your key file:
ssh -i ~/keys/mykey.pem ec2-user@ec2-3-123-45-67.compute-1.amazonaws.com
Replace ec2-user with the correct username for your AMI (see the table below) and replace the hostname with your actual instance address.
Step 4: Accept the Host Key
The first time you connect, SSH will display a fingerprint and ask:
The authenticity of host 'ec2-3-123-45-67.compute-1.amazonaws.com (3.123.45.67)' can't be established.
ECDSA key fingerprint is SHA256:abcd1234...
Are you sure you want to continue connecting (yes/no)?
Before you type yes, compare the fingerprint with the one the instance printed at first boot: in the EC2 Console choose Get system log for the instance, or run aws ec2 get-console-output --instance-id <your-instance-id> --output text, and look for the block between BEGIN SSH HOST KEY FINGERPRINTS and END SSH HOST KEY FINGERPRINTS. If it matches, type yes and press Enter; this adds the host to your ~/.ssh/known_hosts file. If it does not match, stop: you may be talking to the wrong instance or to something sitting between you and it.
Step 5: You’re In
Once connected, you’ll see a welcome message and a command prompt. You can now run commands on your remote EC2 instance.
[ec2-user@ip-172-31-16-20 ~]$
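The fingerprint check in Step 4 can be automated. The following is an added example, not code from the original guide: it computes the SHA256 fingerprint of the key ssh-keyscan receives from the instance, compares it with the fingerprints cloud-init printed in the console log (fetched through the AWS API, an independent path), and emits a known_hosts line only on a match. The sample key and console log are constructed; the log format (BEGIN/END SSH HOST KEY FINGERPRINTS markers with SHA256: values) is the one cloud-init writes, so confirm it on your AMI.

```python
"""Added example, not code from the original guide: verify an EC2 host key
against the fingerprints cloud-init printed to the instance's console log,
then pin it, instead of answering "yes" to the first-connection prompt blindly.
Assumed inputs: text from `aws ec2 get-console-output --output text` and a
line from `ssh-keyscan`; the key and log below are constructed samples."""
import base64
import hashlib
import re
import subprocess

FP_BLOCK = re.compile(
    r"BEGIN SSH HOST KEY FINGERPRINTS-----(.*?)-----END SSH HOST KEY FINGERPRINTS", re.S
)
FP_RE = re.compile(r"SHA256:[A-Za-z0-9+/]{43}")  # 32-byte digest, base64 without padding


def fingerprint_of_pubkey(pubkey_line: str) -> str:
    """SHA256 fingerprint of an OpenSSH public key line, as `ssh-keygen -l` prints it.
    Accepts ssh-keyscan output ("host type base64") or "type base64 [comment]"."""
    fields = pubkey_line.split()
    idx = next(i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-", "sk-")))
    blob = base64.b64decode(fields[idx + 1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def console_fingerprints(console_text: str) -> set:
    """All fingerprints between the BEGIN/END markers cloud-init writes at first boot."""
    found = set()
    for block in FP_BLOCK.findall(console_text):
        found.update(FP_RE.findall(block))
    return found


def host_key_is_trusted(keyscan_line: str, console_text: str) -> bool:
    """True when the key offered on the wire matches one the instance printed at boot."""
    return fingerprint_of_pubkey(keyscan_line) in console_fingerprints(console_text)


def known_hosts_entry(host: str, keyscan_line: str) -> str:
    """Pin a verified key: a line suitable for ~/.ssh/known_hosts."""
    _host, key_type, key_b64 = keyscan_line.split()[:3]
    return f"{host} {key_type} {key_b64}"


def verify_live(instance_id: str, host: str, key_type: str = "ed25519") -> str:
    """Fetch the console log (AWS API) and the live key (network) over two independent
    paths, compare them, and return the known_hosts line to append; raise on mismatch."""
    console = subprocess.run(
        ["aws", "ec2", "get-console-output", "--instance-id", instance_id, "--output", "text"],
        check=True, capture_output=True, text=True,
    ).stdout
    scan = subprocess.run(
        ["ssh-keyscan", "-t", key_type, host], check=True, capture_output=True, text=True
    ).stdout
    line = next(l for l in scan.splitlines() if l and not l.startswith("#"))
    if not host_key_is_trusted(line, console):
        raise RuntimeError("host key not in console log: wrong instance or an interposed host")
    return known_hosts_entry(host, line)


def build_pubkey_line(key_type: str, raw_key: bytes, host: str) -> str:
    """Build a syntactically valid public key line around constructed key bytes
    (wire format: length-prefixed type string, then length-prefixed key)."""
    blob = (len(key_type).to_bytes(4, "big") + key_type.encode()
            + len(raw_key).to_bytes(4, "big") + raw_key)
    return f"{host} {key_type} {base64.b64encode(blob).decode()}"


SAMPLE_HOST = "ec2-3-123-45-67.compute-1.amazonaws.com"
SAMPLE_KEYSCAN = build_pubkey_line("ssh-ed25519", bytes(range(32)), SAMPLE_HOST)  # constructed, not a real key
SAMPLE_CONSOLE_LOG = (  # constructed in the layout cloud-init prints
    "[   12.3] cloud-init[1234]: -----BEGIN SSH HOST KEY FINGERPRINTS-----\n"
    f"[   12.3] cloud-init[1234]: 256 {fingerprint_of_pubkey(SAMPLE_KEYSCAN)} root@ip-172-31-16-20 (ED25519)\n"
    "[   12.3] cloud-init[1234]: -----END SSH HOST KEY FINGERPRINTS-----\n"
)

if __name__ == "__main__":
    import sys
    # usage: python3 verify_hostkey.py i-0123456789abcdef0 ec2-3-123-45-67.compute-1.amazonaws.com >> ~/.ssh/known_hosts
    print(verify_live(sys.argv[1], sys.argv[2]))
```

The comparison is only meaningful because the two inputs arrive over different paths: the console log comes from the EC2 API with your IAM credentials, the key from the network path an attacker could sit on. Append the returned line to known_hosts and later ssh sessions will refuse a changed key instead of asking.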
Method 2 — Connect with PuTTY (Windows)
PuTTY is the most popular SSH client for Windows. It requires converting your .pem key to PuTTY’s .ppk format first.
Step 1: Download and Install PuTTY
Download PuTTY and PuTTYgen from the official website. Install both tools.
Step 2: Convert PEM Key to PPK Format
- Open PuTTYgen
- Click Load and select your .pem file (you may need to change the file filter to “All Files”)
- Click Save private key (you can skip the passphrase for testing, though it’s not recommended for production)
- Save the file as
mykey.ppk
Step 3: Configure PuTTY Session
- Open PuTTY
- In the Host Name field, enter ec2-user@ec2-3-123-45-67.compute-1.amazonaws.com (replace with your instance’s public DNS and correct username)
- Ensure Port is set to 22 and Connection type is SSH
Step 4: Load Your Private Key
- In the left sidebar, navigate to Connection → SSH → Auth → Credentials
- Click Browse next to “Private key file for authentication”
- Select your mykey.ppk file
Step 5: Set Auto-login Username (Optional)
To avoid typing the username every time:
- Navigate to Connection → Data
- Enter your username (e.g., ec2-user) in the Auto-login username field
Step 6: Save Session and Connect
- Go back to Session in the left sidebar
- Enter a name under Saved Sessions (e.g., “My EC2 Instance”)
- Click Save
- Click Open to connect
You’ll see the same host key prompt as with SSH. Verify the fingerprint against the instance’s system log the same way, accept it, and you’re connected.
Method 3 — EC2 Instance Connect (Browser)
EC2 Instance Connect lets you connect directly from the AWS Console using your browser. No local key management required.
Step 1: Verify AMI Support
EC2 Instance Connect works with Amazon Linux 2, Ubuntu 16.04+, and some other AMIs that have ec2-instance-connect pre-installed. Check the AWS documentation for supported AMIs.
Step 2: Enable Instance Connect
If your AMI doesn’t have it pre-installed, SSH in and run:
sudo yum install ec2-instance-connect # Amazon Linux
sudo apt install ec2-instance-connect # Ubuntu
Step 3: Configure Security Group
Add an inbound rule allowing SSH (port 22) from the EC2 Instance Connect IP ranges for your region. AWS publishes them in ip-ranges.json under the service name EC2_INSTANCE_CONNECT, and also as a managed prefix list you can reference directly in the rule (pl-xxxxx); either way you avoid opening port 22 to 0.0.0.0/0.
Step 4: Connect from Console
- Go to the EC2 Console and select your instance
- Click Connect at the top
- Choose the EC2 Instance Connect tab
- Verify the username is correct
- Click Connect
A new browser tab opens with a terminal session. This method pushes a temporary SSH key to the instance for 60 seconds, so you don’t need to manage keys locally.
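To generate the Step 3 rule from the published ranges rather than copying CIDRs by hand, here is an added example, not code from the original guide. It assumes the JSON layout AWS publishes at https://ip-ranges.amazonaws.com/ip-ranges.json (a prefixes list with ip_prefix, region and service keys, plus an ipv6_prefixes list) and the service name EC2_INSTANCE_CONNECT; the embedded sample is constructed with documentation prefixes, and fetch_ip_ranges is the only part that touches the network.

```python
"""Added example, not code from the original guide: build the security group
rule for EC2 Instance Connect from AWS's published ip-ranges.json. Assumes the
published layout (a "prefixes" list with ip_prefix/region/service keys and an
"ipv6_prefixes" list with ipv6_prefix); SAMPLE_IP_RANGES is a constructed
sample using documentation prefixes, not real AWS addresses."""
import json
import urllib.request

IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"
SERVICE = "EC2_INSTANCE_CONNECT"

SAMPLE_IP_RANGES = json.loads("""{
  "syncToken": "0", "createDate": "2024-01-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "198.51.100.0/27", "region": "us-east-1", "service": "EC2_INSTANCE_CONNECT", "network_border_group": "us-east-1"},
    {"ip_prefix": "203.0.113.0/29", "region": "eu-west-1", "service": "EC2_INSTANCE_CONNECT", "network_border_group": "eu-west-1"},
    {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8::/32", "region": "us-east-1", "service": "EC2_INSTANCE_CONNECT", "network_border_group": "us-east-1"}
  ]
}""")


def instance_connect_cidrs(ip_ranges: dict, region: str) -> tuple:
    """(IPv4 CIDRs, IPv6 CIDRs) the Instance Connect service uses in `region`."""
    v4 = sorted(p["ip_prefix"] for p in ip_ranges.get("prefixes", [])
                if p["service"] == SERVICE and p["region"] == region)
    v6 = sorted(p["ipv6_prefix"] for p in ip_ranges.get("ipv6_prefixes", [])
                if p["service"] == SERVICE and p["region"] == region)
    return v4, v6


def ssh_ingress_permission(v4: list, v6: list, description: str = "EC2 Instance Connect") -> dict:
    """One IpPermissions entry for `aws ec2 authorize-security-group-ingress --ip-permissions`.
    Empty range lists are left out so the permission carries only what it needs."""
    perm = {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22}
    if v4:
        perm["IpRanges"] = [{"CidrIp": c, "Description": description} for c in v4]
    if v6:
        perm["Ipv6Ranges"] = [{"CidrIpv6": c, "Description": description} for c in v6]
    return perm


def fetch_ip_ranges() -> dict:
    """Download the live file; the only network call in this script."""
    with urllib.request.urlopen(IP_RANGES_URL, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    import sys
    region = sys.argv[1] if len(sys.argv) > 1 else "us-east-1"
    v4, v6 = instance_connect_cidrs(fetch_ip_ranges(), region)
    if not v4 and not v6:
        sys.exit(f"no {SERVICE} prefixes published for {region}")
    # Feed into: aws ec2 authorize-security-group-ingress --group-id sg-... --ip-permissions "$(python3 this_script.py us-east-1)"
    print(json.dumps([ssh_ingress_permission(v4, v6)]))
```

The ranges change over time, so rerun this (or switch the rule to the managed prefix list, which AWS keeps current) rather than treating the CIDRs as permanent.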
Method 4 — AWS Systems Manager Session Manager
Session Manager is the most secure of these methods: it doesn’t require opening port 22, doesn’t need a public IP, every StartSession call is recorded in CloudTrail, and full session transcripts can be logged once you configure it.
Step 1: Attach IAM Instance Profile
Your EC2 instance needs an IAM role with the AmazonSSMManagedInstanceCore policy attached.
- Create or select an IAM role with this policy
- Go to EC2 Console → Actions → Security → Modify IAM role
- Attach the role to your instance
Step 2: Verify SSM Agent
SSM Agent is pre-installed on Amazon Linux 2, Amazon Linux 2023, Ubuntu 16.04+ and most modern AMIs. Ubuntu 18.04 and later install it as a snap, so the systemd unit there is snap.amazon-ssm-agent.amazon-ssm-agent.service rather than amazon-ssm-agent. If it’s not running:
sudo systemctl status amazon-ssm-agent
sudo systemctl start amazon-ssm-agent
Step 3: Start Session from Console
- Go to AWS Systems Manager → Session Manager
- Click Start session
- Select your instance from the list
- Click Start session
Step 4: Start Session from CLI
If you have the AWS CLI and the Session Manager plugin installed and configured:
aws ssm start-session --target i-0123456789abcdef0
Replace the target with your actual instance ID. You’ll get a shell prompt without ever touching port 22.
Why Use Session Manager?
- No need to open SSH ports to the internet
- Works with private instances (no public IP required)
- Every StartSession call is recorded in CloudTrail, and session transcripts can be sent to S3 and CloudWatch Logs
- Supports port forwarding and tunneling
- Fine-grained IAM permissions per instance or tag
Common Connection Examples (Usernames & AMI Types)
Different Linux distributions use different default usernames. Here’s a quick reference:
| AMI / Operating System | Default Username |
|---|---|
| Amazon Linux 2 / 2023 | ec2-user |
| Ubuntu | ubuntu |
| Red Hat Enterprise Linux (RHEL) | ec2-user |
| CentOS | centos |
| Debian | admin |
| Fedora | fedora |
| SUSE Linux | ec2-user |
| Bitnami AMIs | bitnami |
Example commands:
# Amazon Linux
ssh -i ~/keys/mykey.pem ec2-user@54.123.45.67
# Ubuntu
ssh -i ~/keys/mykey.pem ubuntu@ec2-3-123-45-67.compute-1.amazonaws.com
# Debian
ssh -i ~/keys/mykey.pem admin@10.0.1.25
If you’re not sure which username to use, check the AMI description in the AWS Marketplace or launch template.
Troubleshooting
Here are the most common connection problems and how to fix them.
1. Permission Denied (publickey)
Symptoms:
Permission denied (publickey).
Causes and Fixes:
- Wrong key file: You’re using a different key than the one assigned to the instance. Check the instance details and make sure you’re using the correct .pem file.
- Incorrect permissions: Run chmod 400 yourkey.pem to fix file permissions.
- Wrong username: You’re using the wrong default username. Check the table above and try the correct username for your AMI.
- Key not loaded: If you rely on ssh-agent, run ssh-add ~/keys/mykey.pem to load the key.
Debug command:
ssh -vvv -i ~/keys/mykey.pem ec2-user@HOST
The verbose output will show which keys SSH is trying and where it’s failing.
2. Connection Timed Out
Symptoms:
ssh: connect to host ec2-3-123-45-67.compute-1.amazonaws.com port 22: Connection timed out
Causes and Fixes:
- Security group not configured: Add an inbound rule allowing TCP port 22 from your IP address.
- Network ACLs blocking traffic: Check your subnet’s NACL to ensure it allows inbound port 22 and ephemeral outbound ports.
- No public IP: Instance must have a public IP or Elastic IP, or you must connect via VPN/Direct Connect.
- No Internet Gateway: Verify your VPC has an IGW attached and the subnet’s route table has a route to 0.0.0.0/0 via the IGW.
Debug command:
# Test if port 22 is reachable
telnet ec2-3-123-45-67.compute-1.amazonaws.com 22
# Or use netcat
nc -zv ec2-3-123-45-67.compute-1.amazonaws.com 22
If you get “Connection refused,” the port is reachable but SSH isn’t running. If you get “Connection timed out,” it’s a network issue.
3. Host Key Verification Failed
Symptoms:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Cause: You’ve connected to this hostname before, but the host key has changed. Usually the instance was replaced (same IP or DNS name, different instance); it can also mean someone is intercepting the connection, so confirm the new fingerprint against the instance’s system log before removing the old entry.
Fix:
ssh-keygen -R ec2-3-123-45-67.compute-1.amazonaws.com
This removes the old host key from your ~/.ssh/known_hosts file.
4. “Unprotected Private Key File” Error
Symptoms:
Permissions 0644 for 'mykey.pem' are too open.
It is required that your private key files are NOT accessible by others.
Fix:
chmod 400 mykey.pem
On Windows with WSL, you may need to move the key to a Linux filesystem path (not /mnt/c/) for permissions to work correctly.
5. SSM Start-Session Fails
Symptoms:
An error occurred (TargetNotConnected) when calling the StartSession operation
Causes and Fixes:
- SSM Agent not running: Connect to the instance another way and run sudo systemctl start amazon-ssm-agent
- No IAM instance profile: Attach an IAM role with the AmazonSSMManagedInstanceCore policy
- Outbound HTTPS blocked: SSM Agent needs outbound HTTPS (443) to the ssm, ssmmessages and ec2messages endpoints for its region (or VPC endpoints for them). Check security groups, NACLs and route tables.
- Wrong region: Make sure your CLI is configured for the correct region where the instance lives
Check agent status:
# From inside the instance
sudo systemctl status amazon-ssm-agent
# Check if instance appears in SSM
aws ssm describe-instance-information --filters "Key=InstanceIds,Values=i-0123456789abcdef0"
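The checks above can be run in one pass over those two API responses. This is an added example, not code from the original guide: it assumes the response shapes of aws ec2 describe-instances and aws ssm describe-instance-information, the embedded samples are constructed, and the 2.3.68.0 agent floor is taken from AWS’s Session Manager prerequisites and should be re-checked against current documentation.

```python
"""Added example, not code from the original guide: one check for the
TargetNotConnected causes listed above. ssm_findings() takes the instance object
from `aws ec2 describe-instances` and the InstanceInformationList from
`aws ssm describe-instance-information`; fetch_live() obtains both with the CLI.
Samples are constructed. SESSION_MANAGER_MIN_AGENT is the version AWS documents
as the Session Manager minimum; treat it as an assumption and re-check."""
import json
import subprocess

SESSION_MANAGER_MIN_AGENT = (2, 3, 68, 0)


def version_tuple(version: str) -> tuple:
    """'3.2.1705.0' -> (3, 2, 1705, 0); non-numeric parts are ignored."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def ssm_findings(instance: dict, ssm_info: list) -> list:
    """Human-readable reasons StartSession would fail, in the order to fix them."""
    findings = []
    state = instance.get("State", {}).get("Name")
    if state != "running":
        findings.append(f"instance state is {state}; Session Manager needs a running instance")
    if not instance.get("IamInstanceProfile"):
        findings.append("no IAM instance profile attached; attach a role with AmazonSSMManagedInstanceCore")
    if not ssm_info:
        findings.append("instance has never registered with SSM: agent not running, no instance "
                        "profile, or no outbound 443 to the ssm, ssmmessages and ec2messages endpoints")
        return findings  # nothing more to learn until it registers
    info = ssm_info[0]
    if info.get("PingStatus") != "Online":
        findings.append(f"SSM PingStatus is {info.get('PingStatus')} (last ping "
                        f"{info.get('LastPingDateTime')}); agent stopped or lost connectivity")
    agent = info.get("AgentVersion", "0")
    if version_tuple(agent) < SESSION_MANAGER_MIN_AGENT:
        floor = ".".join(map(str, SESSION_MANAGER_MIN_AGENT))
        findings.append(f"SSM Agent {agent} is older than {floor}; update the agent")
    return findings


def fetch_live(instance_id: str) -> tuple:
    """Pull both responses with the AWS CLI (uses your configured region and credentials)."""
    ec2 = json.loads(subprocess.run(
        ["aws", "ec2", "describe-instances", "--instance-ids", instance_id, "--output", "json"],
        check=True, capture_output=True, text=True).stdout)
    ssm = json.loads(subprocess.run(
        ["aws", "ssm", "describe-instance-information",
         "--filters", f"Key=InstanceIds,Values={instance_id}", "--output", "json"],
        check=True, capture_output=True, text=True).stdout)
    return ec2["Reservations"][0]["Instances"][0], ssm["InstanceInformationList"]


# Constructed samples in the shape the two APIs return.
SAMPLE_INSTANCE_BROKEN = {"InstanceId": "i-0123456789abcdef0", "State": {"Name": "running"}}
SAMPLE_INSTANCE_OK = {
    "InstanceId": "i-0123456789abcdef0", "State": {"Name": "running"},
    "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/ssm-core"},
}
SAMPLE_SSM_OK = [{"InstanceId": "i-0123456789abcdef0", "PingStatus": "Online",
                  "LastPingDateTime": "2024-01-01T00:00:00Z", "AgentVersion": "3.2.1705.0"}]
SAMPLE_SSM_LOST = [dict(SAMPLE_SSM_OK[0], PingStatus="ConnectionLost")]

if __name__ == "__main__":
    import sys
    instance, info = fetch_live(sys.argv[1])
    for line in ssm_findings(instance, info) or ["no problems found; try start-session again"]:
        print(line)
```

An empty InstanceInformationList is the most common case and the least specific: the agent has never managed to call home, so the fix is on the instance side (profile, agent, egress), and describe-instance-information will stay empty until that is resolved. A wrong CLI region produces the same empty list, which is why the list above mentions it.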
6. EC2 Instance Connect Not Available
Symptoms: The “EC2 Instance Connect” tab is grayed out or returns errors.
Causes and Fixes:
- AMI not supported: Use Amazon Linux 2, Ubuntu 16.04+, or manually install ec2-instance-connect
- Instance metadata disabled: The ec2-instance-connect package fetches the pushed key from the instance metadata service, so IMDS (v1 or v2) must be enabled
- No public IP: Browser-based Instance Connect requires a public IP address unless you go through an EC2 Instance Connect Endpoint in the instance’s VPC
Check metadata service:
# From inside the instance. When IMDSv2 is required (the default on new launches), a plain GET returns 401, so fetch a token first
TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/
Best Practices & Security
Key Management
- Rotate key pairs regularly: Generate a new key pair periodically (for example every 90 days). AWS does not change the key pair assigned at launch, so rotation means adding the new public key to ~/.ssh/authorized_keys on each instance and removing the old one.
- Use a key management system: Consider AWS Secrets Manager or Parameter Store for centralized key storage, but remember that a private key stored centrally is a shared credential; per-user keys or Session Manager give better attribution.
- Never commit keys to version control: Add *.pem and *.ppk to your .gitignore file.
- Encrypt keys at rest: Use full-disk encryption on your laptop to protect stored keys.
Access Control
- Least privilege IAM: Grant only the permissions users need. Use IAM conditions to restrict by IP, time, or MFA status.
- Disable password authentication: Edit /etc/ssh/sshd_config and set PasswordAuthentication no to prevent brute-force attacks. sshd uses the first value it reads for a directive, and Ubuntu includes /etc/ssh/sshd_config.d/*.conf at the top of the file, so put the setting in a drop-in there rather than appending it to the end, and confirm the result with sshd -T.
- Avoid root login: Set PermitRootLogin no in sshd_config and use sudo for administrative tasks.
- Use MFA for IAM users: Require MFA for any IAM user who can launch instances or start SSM sessions.
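The first-value-wins behaviour is worth checking mechanically. The following is an added example, not code from the original guide: it computes the effective global sshd settings the way sshd reads them, expanding Include in place and stopping at the first Match block, then flags weak values. The configuration files embedded in it are constructed; on a real host, sshd -T prints the authoritative effective configuration and this script’s output should agree with it.

```python
"""Added example, not code from the original guide: compute the settings sshd
will actually use and flag the weak ones. sshd keeps the FIRST value it reads
for a directive, and Ubuntu ships `Include /etc/ssh/sshd_config.d/*.conf` at the
top of sshd_config, so a `PasswordAuthentication no` appended to sshd_config is
silently overridden by an earlier drop-in. The sample files below are
constructed; `sshd -T` is the authoritative check on a host."""
import fnmatch
import glob

# directive -> (sshd default, acceptable values, why it matters)
CHECKS = {
    "passwordauthentication": ("yes", {"no"}, "password logins are brute-forceable; use keys or Session Manager"),
    "permitrootlogin": ("prohibit-password", {"no", "prohibit-password", "without-password"},
                        "root should not log in over SSH; use sudo"),
    "permitemptypasswords": ("no", {"no"}, "accounts with empty passwords must not log in"),
    "pubkeyauthentication": ("yes", {"yes"}, "key authentication must stay enabled or .pem logins stop working"),
}


def filesystem_includes(pattern: str) -> list:
    """Default Include reader: expand the glob on the local filesystem -> [(path, text)]."""
    out = []
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8", errors="replace") as fh:
            out.append((path, fh.read()))
    return out


def directives(text: str, read_include):
    """Yield (directive, value) in the order sshd reads them, expanding Include in place.
    Stops at the first Match block: values inside it are conditional, not global.
    Handles the 'Key value' form; the rarer 'Key=value' form is not parsed."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            return
        if key == "include":
            for pattern in value.split():
                for _path, inc_text in read_include(pattern):
                    yield from directives(inc_text, read_include)
            continue
        yield key, value


def effective_config(text: str, read_include=filesystem_includes) -> dict:
    """Lower-cased directive -> first value seen, mirroring sshd's first-wins rule."""
    effective = {}
    for key, value in directives(text, read_include):
        effective.setdefault(key, value)
    return effective


def audit_sshd(effective: dict) -> list:
    """Findings for directives whose effective value (or sshd default) is weak."""
    findings = []
    for key, (default, ok_values, why) in CHECKS.items():
        value = effective.get(key, default).lower()
        if value not in ok_values:
            findings.append(f"{key}={value}: {why}")
    return findings


# Constructed samples: an Ubuntu-style layout where cloud-init's drop-in wins
# over what the admin later wrote in the main file.
SAMPLE_INCLUDE_FILES = {
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication no\n",
}
SAMPLE_MAIN_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
# the include above already set PasswordAuthentication, so the next line is dead
PasswordAuthentication yes
PermitRootLogin yes
Match User deploy
    PasswordAuthentication no
"""


def sample_reader(pattern: str) -> list:
    """Include reader over the constructed files instead of the filesystem."""
    return [(p, t) for p, t in sorted(SAMPLE_INCLUDE_FILES.items()) if fnmatch.fnmatch(p, pattern)]


if __name__ == "__main__":
    with open("/etc/ssh/sshd_config", encoding="utf-8", errors="replace") as fh:
        for finding in audit_sshd(effective_config(fh.read())):
            print(finding)
```

Run it as root so the drop-ins are readable, and compare with sudo sshd -T | grep -i passwordauthentication; if the two disagree, the parser has hit a construct it does not model (Match-scoped overrides, for instance) and sshd -T wins.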
Network Security
- Restrict security group rules: Allow SSH only from your specific IP addresses or VPN CIDR blocks, not 0.0.0.0/0.
- Use Session Manager when possible: Eliminates exposure of SSH ports entirely and provides centralized logging.
- Implement VPC endpoints for SSM: Keep SSM traffic private within your VPC without traversing the internet.
- Enable VPC Flow Logs: Monitor all network traffic for anomaly detection.
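To find the rules the first item warns about, here is an added example, not code from the original guide. It scans the SecurityGroups list from aws ec2 describe-security-groups for rules that reach port 22 from 0.0.0.0/0 or ::/0, including all-traffic (-1) rules and port ranges that happen to cover 22, and builds the exact IpPermissions entry a revoke call needs. The sample groups are constructed.

```python
"""Added example, not code from the original guide: find security group rules
that expose SSH to the whole internet and build the exact IpPermissions needed
to revoke them. Input is the "SecurityGroups" list from
`aws ec2 describe-security-groups`; SAMPLE_SECURITY_GROUPS is constructed."""
import json
import subprocess

SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "temporary"},
                      {"CidrIp": "203.0.113.10/32", "Description": "office"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # all traffic: no port keys at all
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ]},
]


def reaches_port(perm: dict, port: int) -> bool:
    """True if this permission admits TCP traffic to `port` (all-traffic rules count)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def world_open_rules(security_groups: list, port: int = 22) -> list:
    """(group id, offending cidr, permission) for every rule reaching `port` from anywhere."""
    hits = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not reaches_port(perm, port):
                continue
            for r in perm.get("IpRanges", []):
                if r.get("CidrIp") == "0.0.0.0/0":
                    hits.append((sg["GroupId"], "0.0.0.0/0", perm))
            for r in perm.get("Ipv6Ranges", []):
                if r.get("CidrIpv6") == "::/0":
                    hits.append((sg["GroupId"], "::/0", perm))
    return hits


def revoke_permission(perm: dict, cidr: str) -> dict:
    """IpPermissions entry naming only the offending range. Revoke must match the stored
    rule exactly (protocol and port range), so copy those fields rather than guessing."""
    out = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
    if ":" in cidr:
        out["Ipv6Ranges"] = [{"CidrIpv6": cidr}]
    else:
        out["IpRanges"] = [{"CidrIp": cidr}]
    return out


def revoke_commands(hits: list) -> list:
    """One `aws ec2 revoke-security-group-ingress` command per finding, ready to review."""
    return [
        "aws ec2 revoke-security-group-ingress --group-id "
        f"{gid} --ip-permissions '{json.dumps([revoke_permission(perm, cidr)])}'"
        for gid, cidr, perm in hits
    ]


if __name__ == "__main__":
    raw = subprocess.run(["aws", "ec2", "describe-security-groups", "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    for cmd in revoke_commands(world_open_rules(json.loads(raw)["SecurityGroups"])):
        print(cmd)
```

The script prints commands instead of running them so you can add the replacement rule (your office or VPN CIDR, or the Instance Connect ranges) before revoking the open one and locking yourself out.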
Audit and Compliance
- Enable CloudTrail: Log all API calls, including ssm:StartSession and ec2-instance-connect:SendSSHPublicKey.
- Enable Session Manager logging: Configure an S3 bucket and CloudWatch Logs to store session transcripts.
- Review access regularly: Use AWS Access Analyzer to identify overly permissive policies.
- Implement session timeout: Configure automatic session termination in Session Manager preferences.
Instance Hardening
- Keep SSH up to date: Regularly run sudo yum update or sudo apt update && sudo apt upgrade.
- Use fail2ban: Install fail2ban to automatically block IPs after repeated failed login attempts.
- Change default SSH port (optional): Edit sshd_config to use a non-standard port to reduce automated scanning; this is not a substitute for restricting the security group.
- Enable SELinux or AppArmor: Use mandatory access controls to limit what compromised processes can do.
Frequently Asked Questions
How do I find the public IP of my EC2 instance?
Go to the EC2 Console, select your instance, and look for “Public IPv4 address” or “Public IPv4 DNS” in the instance details pane at the bottom of the screen.
Which username should I use to SSH into EC2?
It depends on your AMI. Amazon Linux uses ec2-user, Ubuntu uses ubuntu, Debian uses admin, and CentOS uses centos. Check the AMI documentation if you’re unsure.
Why do I get “Permission denied (publickey)”?
This usually means you’re using the wrong key file, wrong username, or your key file has incorrect permissions. Run chmod 400 keyfile.pem and verify you’re using the correct username and key.
Can I connect without a key pair?
Yes, if you use AWS Systems Manager Session Manager. It doesn’t require a key pair at all, just proper IAM permissions and an instance profile with SSM access.
Is it safe to keep my PEM file on my laptop?
It’s safe if you protect it with proper permissions (chmod 400), full-disk encryption, and store it in a secure location. For higher security, use a hardware security key or Secrets Manager.
How to connect to EC2 in a private subnet?
Use AWS Systems Manager Session Manager (no public IP needed), set up a bastion host, or connect via VPN or AWS Direct Connect to route traffic into your VPC.
Can I use Session Manager for SFTP or port forwarding?
Yes. Session Manager supports port forwarding: run aws ssm start-session with --document-name AWS-StartPortForwardingSession and portNumber=22 to forward a local port to the instance’s SSH port, then point sftp or scp at localhost on that local port. The tunnel still carries SSH, so the instance needs sshd running and your key in authorized_keys, but its security group does not need an inbound port 22 rule.
What to do if port 22 is blocked by ISP?
Use AWS Systems Manager Session Manager, which works over HTTPS (port 443), or change your EC2 SSH port to something like 2222 and update your security group accordingly.
Can I connect to a stopped instance?
No, the instance must be in the “running” state. You can start it from the EC2 Console and wait for status checks to pass before connecting.
How do I enable password authentication on EC2?
While possible, it’s not recommended. Edit /etc/ssh/sshd_config, set PasswordAuthentication yes, create user passwords with passwd, and restart sshd with sudo systemctl restart sshd (the unit is named ssh on Ubuntu and Debian). Use MFA if you do this.
What is the difference between Instance Connect and Session Manager?
Instance Connect temporarily pushes an SSH public key for 60 seconds and still uses port 22. Session Manager uses the SSM Agent over HTTPS (port 443) and doesn’t require SSH at all.
Can multiple users share the same key pair?
Technically yes, but it’s not recommended: a shared key gives you no way to tell who logged in or to revoke one person’s access. Add a separate key pair per person to authorized_keys, or use Session Manager with per-identity IAM permissions for better audit trails and access control.
Printable Cheat Sheet
# Set key permissions (must do first)
chmod 400 ~/keys/mykey.pem
# Connect via SSH (Linux/macOS)
ssh -i ~/keys/mykey.pem ec2-user@ec2-3-123-45-67.compute-1.amazonaws.com
# Connect via SSH with verbose debugging
ssh -vvv -i ~/keys/mykey.pem ec2-user@HOST
# Start Session Manager session (AWS CLI)
aws ssm start-session --target i-0123456789abcdef0
# Test if port 22 is reachable
nc -zv ec2-3-123-45-67.compute-1.amazonaws.com 22
# Remove old host key
ssh-keygen -R ec2-3-123-45-67.compute-1.amazonaws.com
# Check SSM agent status (from inside instance)
sudo systemctl status amazon-ssm-agent
# View instance metadata (from inside the instance; fetch an IMDSv2 token first, a plain GET returns 401 when IMDSv2 is required)
TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/
# Check which instances are registered with SSM
aws ssm describe-instance-information
# Forward local port 8080 to remote port 80 via Session Manager
aws ssm start-session --target i-0123456789abcdef0 \
--document-name AWS-StartPortForwardingSession \
--parameters "portNumber=80,localPortNumber=8080"
This guide covers every practical method to connect to EC2 instances, from traditional SSH to modern cloud-native tools like Session Manager. Bookmark this page, share it with your team, and reference the cheat sheet whenever you need a quick command. Happy connecting!
