
Amazon EC2 Access Methods: Why Session Manager Is the Best SSH Alternative


Amazon EC2 is the most popular service in the AWS ecosystem. Almost every course that teaches AWS emphasizes the importance of understanding the basics of an EC2 instance. In my book Techtionary, I mentioned an Amazon EC2 instance in detail, explaining how it works and how it relates to real-life examples that we can easily connect with.

According to the Amazon EC2 official page, Amazon EC2 is defined as

Secure and resizable compute capacity for virtually any workload

Meaning EC2 has the capacity for any application workload, small or large. This article does not cover everything Amazon EC2 offers in terms of capacity and usage; it focuses on one important part of Amazon EC2, which is how to connect to an instance in order to deploy workloads or applications. Without connecting to an EC2 instance, it is impossible to deploy workloads. But before you can connect to an EC2 instance, it needs to be created first.

Creating an EC2 Instance

Similar to other AWS resources, there are two primary methods for creating any resource in AWS: using the AWS Management Console or the AWS CLI. Additionally, more advanced methods for provisioning Amazon EC2 instances and other AWS resources include CloudFormation, AWS CDK, Terraform, Pulumi, and OpenTofu. The following documentation on Amazon EC2 describes how to create an EC2 instance in AWS: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html. Alternatively, a quicker option is to ask Amazon Q in the AWS Management Console; AI to the rescue.


The response of Amazon Q shows the AWS Management Console option and the AWS CLI option for creating an EC2 instance, as I mentioned earlier.

At this point, we have our EC2 instance running after a successful launch. The next thing is connecting to the EC2 instance. For Linux instances, the popular mode of connecting is via an SSH client, but there are several drawbacks to connecting to a Linux EC2 instance via SSH. Let’s explore some of the demerits.

Demerits of SSH Access Method

  • Security Risks: SSH requires managing private keys, which can be compromised if not securely stored. If keys are lost or exposed, unauthorized access becomes a risk.
  • Lack of Access Control: SSH provides limited access control and auditing compared to more advanced tools like AWS Systems Manager, making it harder to track user actions and enforce policies.
  • Dependency on SSH Clients: SSH requires additional software on client machines, which may not be readily available or configured correctly across all environments.
  • Network Dependency: SSH requires open network ports (typically port 22) and access to the instance’s public or private IP, increasing the potential attack surface.
  • Key Management Complexity: For teams, managing and distributing SSH keys for multiple users can be challenging, especially when users join or leave, requiring key updates on instances.

Despite all these demerits, SSH is still the most popular method of access to an EC2 instance. However, there are secure alternatives that do not require managing SSH keys or depending on SSH clients, and that avoid both the risk of compromised private keys and the burden of rotating keys across your EC2 instances.
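The "Network Dependency" point above is the one that is easiest to check for yourself: any security group that admits TCP/22 from the whole internet is the attack surface that Session Manager removes. The script below is an added example written for this post (it is not code from the original article or from AWS). It takes a list of security groups in the same shape that `aws ec2 describe-security-groups` returns (the `IpPermissions` / `IpRanges` / `Ipv6Ranges` keys), and flags every rule that exposes SSH to 0.0.0.0/0 or ::/0, or to a range broader than a /8. The four security groups embedded in it are constructed sample data, not real account output.

```python
"""Flag security groups that expose SSH (TCP/22) to the whole internet.

Added example for this post (not the article's or AWS's own code).
Input mirrors the shape of `aws ec2 describe-security-groups` output,
but SAMPLE_SECURITY_GROUPS below is constructed data.
"""
import ipaddress
import json

SSH_PORT = 22

# Constructed sample: one group open to the world, one restricted to an
# office range, one "allow everything" group, and one with no inbound
# rules at all (what an instance reached only via Session Manager needs).
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa111", "GroupName": "web-ssh-open",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     ]},
    {"GroupId": "sg-0bbb222", "GroupName": "bastion-restricted",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
     ]},
    {"GroupId": "sg-0ccc333", "GroupName": "allow-everything",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
     ]},
    {"GroupId": "sg-0ddd444", "GroupName": "ssm-only", "IpPermissions": []},
]


def rule_covers_port(rule: dict, port: int) -> bool:
    """True if an IpPermissions entry admits TCP `port`.

    IpProtocol "-1" means all traffic and carries no port range.
    """
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def open_ssh_findings(security_groups: list) -> list:
    """Return one finding per (group, CIDR) pair that exposes SSH broadly.

    Severity HIGH for a /0 (the entire IPv4 or IPv6 internet), MEDIUM for
    anything broader than a /8; narrower ranges are not reported.
    """
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            if not rule_covers_port(rule, SSH_PORT):
                continue
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                if net.prefixlen == 0:
                    severity = "HIGH"
                elif net.prefixlen < 8:
                    severity = "MEDIUM"
                else:
                    continue
                findings.append({
                    "GroupId": sg["GroupId"],
                    "GroupName": sg.get("GroupName"),
                    "Protocol": rule.get("IpProtocol"),
                    "Cidr": cidr,
                    "Severity": severity,
                })
    return findings


if __name__ == "__main__":
    # On a real account, replace SAMPLE_SECURITY_GROUPS with
    # json.load(...)["SecurityGroups"] from the describe call's output.
    for f in open_ssh_findings(SAMPLE_SECURITY_GROUPS):
        print(json.dumps(f))
```

Run it as-is and it reports `sg-0aaa111` (TCP/22 from 0.0.0.0/0) and `sg-0ccc333` (all traffic from ::/0); the `/24` bastion rule and the empty `ssm-only` group produce nothing. The `ssm-only` group is the posture this post argues for: an instance reached through Session Manager needs no inbound rule at all, only outbound reachability to the SSM endpoints.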

Alternatives for Connecting to an Amazon EC2 Instance

The three other major alternatives to connecting to a Linux EC2 Instance are:

  • EC2 Instance Connect
  • Session Manager (from AWS Systems Manager)
  • EC2 Serial Console

EC2 Instance Connect: This is a simple, secure way to access your EC2 instances through your web browser or command line without needing SSH keys. It lets you connect quickly by sending a temporary, short-lived SSH key to your instance, which provides easy access while keeping your instance secure. This approach is ideal for quick tasks and doesn’t require complex key management.

Session Manager is a service that enables secure connections to your EC2 instances without the need for SSH access or open ports. It can be accessed through the AWS Management Console, AWS CLI, or SDKs, offering both browser-based and command-line interfaces. Session Manager is secure because it eliminates the need for SSH keys and provides activity logs for auditing purposes. It is particularly useful for managing instances in private networks or when you need better control over access and permissions.

EC2 Serial Console: This is a tool that lets you directly access the console of your EC2 instance, even if it’s not responding to SSH or other remote connections. It offers a text-based, low-level interface that helps you diagnose and resolve issues, such as operating system or boot problems. This feature helps recover instances when other connection methods are not available.

From the descriptions of each option for connecting to EC2, they all have specific use cases where they excel. Out of all these options, my preferred choice is Session Manager. It is quite easy and seamless to use, packed with good security features like an audit trail, which can be viewed in AWS CloudTrail, and works tightly with AWS IAM for granular access control.
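The audit trail mentioned above is the concrete security win over SSH: every `ssm:StartSession` call, successful or denied, is an API call recorded by CloudTrail, whereas an SSH login leaves at most a line in the instance's own auth log. The script below is an added example for this post (not code from the article or from AWS). It reads CloudTrail records in the JSON layout CloudTrail exports, keeps only `StartSession` calls to `ssm.amazonaws.com`, and turns them into a per-principal, per-instance session report that separates successful sessions from denied attempts. The four events embedded in it are constructed to follow the CloudTrail record format (`eventSource`, `eventName`, `userIdentity.arn`, `requestParameters.target`, `responseElements.sessionId`, `errorCode`); the ARNs, instance IDs, IPs and session IDs are invented.

```python
"""Build a Session Manager audit trail from CloudTrail StartSession records.

Added example for this post (not the article's or AWS's own code). The
records in SAMPLE_CLOUDTRAIL are constructed to match the CloudTrail
record layout; all identifiers in them are invented.
"""
import json
from collections import Counter

SAMPLE_CLOUDTRAIL = """
{"Records": [
 {"eventTime": "2024-05-01T09:12:03Z", "eventSource": "ssm.amazonaws.com",
  "eventName": "StartSession", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::123456789012:assumed-role/OpsAdmin/alice"},
  "requestParameters": {"target": "i-0aaaaaaaaaaaaaaa1"},
  "responseElements": {"sessionId": "alice-0123456789abcdef0",
                       "tokenValue": "HIDDEN_DUE_TO_SECURITY_REASONS"}},
 {"eventTime": "2024-05-01T09:40:51Z", "eventSource": "ssm.amazonaws.com",
  "eventName": "StartSession", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser",
                   "arn": "arn:aws:iam::123456789012:user/bob"},
  "requestParameters": {"target": "i-0bbbbbbbbbbbbbbb2"},
  "errorCode": "AccessDeniedException",
  "errorMessage": "User is not authorized to perform: ssm:StartSession"},
 {"eventTime": "2024-05-01T10:02:17Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser",
                   "arn": "arn:aws:iam::123456789012:user/bob"},
  "requestParameters": {}},
 {"eventTime": "2024-05-01T11:15:00Z", "eventSource": "ssm.amazonaws.com",
  "eventName": "StartSession", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::123456789012:assumed-role/OpsAdmin/alice"},
  "requestParameters": {"target": "i-0bbbbbbbbbbbbbbb2"},
  "responseElements": {"sessionId": "alice-0fedcba9876543210",
                       "tokenValue": "HIDDEN_DUE_TO_SECURITY_REASONS"}}
]}
"""


def load_records(text: str) -> list:
    """Parse a CloudTrail export ({"Records": [...]}) into a list of events."""
    return json.loads(text)["Records"]


def session_attempts(records: list) -> list:
    """Normalize every Session Manager StartSession call (granted or denied).

    A denied call carries an errorCode and no responseElements, so its
    session_id is None; that is the signal for 'someone tried and failed'.
    """
    attempts = []
    for rec in records:
        if rec.get("eventSource") != "ssm.amazonaws.com":
            continue
        if rec.get("eventName") != "StartSession":
            continue
        attempts.append({
            "time": rec["eventTime"],
            "principal": rec["userIdentity"]["arn"],
            "source_ip": rec.get("sourceIPAddress"),
            "target": rec.get("requestParameters", {}).get("target"),
            "session_id": rec.get("responseElements", {}).get("sessionId"),
            "denied": "errorCode" in rec,
            "error": rec.get("errorCode"),
        })
    return attempts


def sessions_per_principal(attempts: list) -> dict:
    """Count successful sessions by caller ARN (who actually got a shell)."""
    return dict(Counter(a["principal"] for a in attempts if not a["denied"]))


def sessions_per_instance(attempts: list) -> dict:
    """Count successful sessions by target instance ID."""
    return dict(Counter(a["target"] for a in attempts if not a["denied"]))


def denied_attempts(attempts: list) -> list:
    """Denied StartSession calls: the list worth reviewing first."""
    return [a for a in attempts if a["denied"]]


if __name__ == "__main__":
    attempts = session_attempts(load_records(SAMPLE_CLOUDTRAIL))
    for a in attempts:
        status = f"DENIED ({a['error']})" if a["denied"] else a["session_id"]
        print(f"{a['time']}  {a['principal']}  ->  {a['target']}  {status}")
    print("sessions per principal:", sessions_per_principal(attempts))
    print("sessions per instance: ", sessions_per_instance(attempts))
```

Two things the output makes visible that an SSH setup cannot give you centrally: the denied attempt by `bob` is recorded even though no connection was ever made, and the session token itself is redacted in the record, so the trail names who connected to what, and when, without exposing a reusable credential. On a real account the same functions work on the `Records` array from a CloudTrail S3 export or from the `lookup-events` output after reshaping it.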

Conclusion

In summary, you can connect to an Amazon EC2 instance using various methods based on your needs and expertise. Common options include SSH for secure terminal access, EC2 Instance Connect for quick browser-based access, and AWS Systems Manager Session Manager for advanced access without SSH keys. Each method offers unique benefits, making it easy to manage EC2 instances securely and flexibly.
