This guide details the steps required for connecting to AWS instances using the PuTTY client on Windows operating systems. It also provides instructions for creating key pairs through the AWS Console which enables remote access to EC2 instances.
The following will be required:
- An AWS account (you can sign up for a free account here)
- A Linux instance running within the AWS EC2 service
- The PuTTY SSH client (available from the PuTTY download page)
A key pair consists of a public and private key which serves as the security credentials used to authenticate your identity when connecting to an instance.
Note: Key pairs are specific to a given region. You will need to ensure that each region requiring connectivity will have its own key pairs created.
- Access the AWS Console
- Log in to the AWS console and navigate to the EC2 service which can be found under Compute.
- Generate the keys
- Click on Key Pairs which can be found under Network & Security in the EC2 Dashboard on the left of the screen.
- Click on Create Key Pair, specify a name for the key pair, and click Create.
- Confirm download
- The key pair will then be saved to the Downloads folder on the Windows machine.
- Ensure that a file with the name specified above and an extension of
.pemexists in this folder.
The key that has just been downloaded will be in the .pem format, however PuTTY requires keys to be of the .ppk type. Follow the steps below to convert the downloaded key to the required file format.
- Import the key
- Open PuTTYgen from the Start Menu (All Programs > PuTTY > PuTTYgen).
- Click on the Load button next to Load an existing private key file.
- By default, PuTTYgen will only show
.ppkfiles. Click on the down facing arrow next to PuTTY Private Key Files (*.ppk) and select All Files (*.*). - Navigate to the Downloads folder and select the key that was downloaded earlier, then click Open.
- A message will appear indicating that PuTTYgen has successfully imported the foreign key, as shown below.
- Save the generated key
- Click OK to close the notification and click the Save private key button next to Save the generated key.
- A warning will be displayed asking if you want to save the key without a passphrase, as shown below.
- Select Yes.
A passphrase for a private key provides an additional layer of security, however this comes at the cost of making automation more difficult as human intervention is required when logging on to instances.
- Navigate to the location where the key should be stored, provide a name for the key, and click Save.
- Confirm success
- Ensure that the file exists in the location specified above with an extension of
.ppk. - Close PuTTYgen.
- Ensure that the file exists in the location specified above with an extension of
By default, traffic originating from the Internet is not authorised to access EC2 instances. Security groups provide the means of opening this inbound connectivity.
Note that either the default security group or a custom security group can be used. Custom security groups can be applied to only the specific instances requiring SSH connectivity. For brevity, it is assumed that a security group has already been created. For more details regarding security groups, consult the official AWS documentation detailing Amazon EC2 security groups for Linux instances.
- From the Amazon EC2 console, select Instances. Select the relevant instance and note the Description tab. The Security groups section will show the specific security groups associated with this instance. Select view inbound rules to see the inbound rules currently enabled.
- Select Security Groups from the navigation pane, and select the security group noted in the previous step.
- Select Edit under the Inbound tab, which can be found in the details pane.
- Choose Add Rule and set the Type to be SSH.
- In the Source field, select the IP protocol to allow (either IPv4 or IPv6) and specify either a specific IP address or an address range. If the address is unknown, a value of
0.0.0.0/0can be used to allow all IP addresses. - Click Save.
By default, traffic originating from the Internet is not authorised to access EC2 instances. Security groups provide the means of opening this inbound connectivity.
- Load the authentication key
- Open PuTTY from the Start Menu (All Programs > PuTTY > PuTTY).
- In the Category pane, select SSH.
- Select Auth.
- Click on the Browse button under Private key for authentication.
- Select the private key of type
.ppkthat was generated above and choose Open.
- Configure session details
- In the Category pane, select Session.
- Ensure that Connection type is set to SSH.
- Enter the following details in the Host Name (or IP address):
- If using the public DNS name, enter
my-instance-user-name@my-instance-public-dns-name. - If using the IP address, enter
my-instance-user-name@my-instance-IPv6-address.
- If using the public DNS name, enter
For details regarding getting information about your instance, refer to the official AWS documentation covering General prerequisites for connecting to your instance.
- Connect to the instance
- Provide a name for the session under Saved Sessions.
- Click on the Save button to save the session for future use.
- Click Open.
- Verify details
- If this is the first time you are connecting to the instance, PuTTY will display a security alert asking whether the host should be trusted.
For additional security, you can optionally verify that the fingerprint in the dialog box matches the fingerprint of the instance being connected to. This can be obtained by referring to the (Optional) Get the instance fingerprint documentation.
- Choose Yes.
The above process will enable access to the AWS EC2 CLI. Once you're in the CLI, you will need to have valid user-level permissions to run specific commands. For example, if a user tried to create an S3 bucket without the necessary permissions, the following message would be received.
[root@ip-<IP address> ec2-user]# aws s3 mb s3://<bucket name>
make_bucket failed: s3://<bucket name> Unable to locate credentials
There are two methods available to supply the necessary permissions required above:
- Provide credentials of a user already configured in IAM
- Use roles
The first option above can impact the security of your AWS environment, as a successful compromise of an individual instance would provide an attacker with credentials that can be used across other instances. For this reason, it is recommended to use roles, which use temporary keys as needed.
Details for configuring roles can be obtained by referring to the Use temporary security credentials (IAM roles) instead of long-term access keys documentation.
Please refer to the below documentation for additional information:
- General prerequisites for connecting to your instance
- Connecting to your Linux instance from Windows using PuTTY
- Authorizing inbound traffic for your Linux instances
- Amazon EC2 security groups for Linux instances
- Best practices for managing AWS access keys
- Troubleshooting connecting to your instance