Ways of connecting to the server
We can use many ways to connect to the server. AWS gives us several ways, which I describe below.
EC2 Instance Connect
Important:
- You don't need to share and manage SSH keys.
- The instance must have a public IPv4 address.
- You can also connect over a private network using the EC2 Instance Connect CLI from another server.
- As a username, you can specify any user that exists in the system and has the ability to log in.
Read more:
Session Manager
Session Manager is a fully managed AWS Systems Manager capability that lets you manage your Amazon EC2 instances through an interactive one-click browser-based shell or through the AWS CLI.
Important:
- SSM Agent must be installed and running on the instance.
- Create an IAM instance profile with the required IAM role and attach it to the instance.
- The security group attached to the VPC endpoint must allow inbound HTTPS (port 443) traffic from the resources in your VPC that communicate with the service.
- Enabling private DNS requires both the enableDnsSupport and enableDnsHostnames VPC attributes to be set to true.
Example of a connection with the AWS CLI:
aws ssm start-session --target INSTANCE_ID
Read more:
- SSM Agent https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html
- Session Manager https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/session-manager.html
- Instance Profile https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-profile.html
- Attach IAM role https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#attach-iam-role
SSH client
Important:
- You need to share and manage SSH keys.
- The security group must allow inbound SSH (port 22).
Example of a connection
ssh -i /path/key-pair-name.pem instance-user-name@instance-public-dns-name
Read more:
- Putty https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html
- OpenSSH https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/openssh.html
- WSL https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/WSL.html
EC2 serial console
Important:
- You need to allow "EC2 Serial Console" in "EC2 Settings".
- We need to be able to log in to the server from the local console, i.e. with a password.
- We must use an instance type that is built on the AWS Nitro System.
When to use?
- When we want to change the password
- When we want to regain access to the server
Enable EC2 Serial Console:
aws ec2 enable-serial-console-access --region us-east-1
Read more:
- Configure access to the EC2 Serial Console https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configure-access-to-serial-console.html
- Instances built on the Nitro System https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html?icmpid=docs_ec2_console#ec2-nitro-instances
- Default users: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/managing-users.html
How to regain access to the server?
Case:
- We don't have SSH keys.
- The SSH server is not working.
- We do not have a password for the user.
- The SSM agent has not been installed.
By default, no password is set for the user "ec2-user" in the Amazon Linux 2 image. We can set this password, install an SSH public key, or fix other things.
We have a few popular ways to do this:
- Create an AMI from the failed server/EBS and create a new server with the AMI.
- Stop the instance, detach the EBS volume and attach it to a new temporary server, where we can repair the services/files on that volume.
- Set a password for the local user.
Set a password for the local user on EC2
We can use "User data" for this purpose. By default, a user data script runs only when the instance is first launched.
We can run the following command to set the password for user ec2-user:
echo "password" | passwd --stdin ec2-user
Example of a script that runs once:
#!/bin/bash
/bin/echo "Hello World" >> /tmp/helloworld.txt
echo "password" | passwd --stdin ec2-user
What should we do?
We can add the following script to "User data" so that it runs every time the server starts.
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0
--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"
#cloud-config
cloud_final_modules:
- [scripts-user, always]
--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"
#!/bin/bash
echo "password" | passwd --stdin ec2-user
--//--
This sets the password "password" for the user ec2-user.
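The same run-every-boot user data, generated and applied with a script instead of a hard-coded password. This is an added example, not code from the original post: it assumes an Amazon Linux 2 instance (passwd --stdin), a placeholder instance id, and that the AWS CLI base64-encodes the file passed to the userData attribute (show_user_data lets you verify what was actually stored).

```shell
#!/bin/bash
# Added example (not from the original post); generates, applies and inspects the user data.
set -eu
# 20 alphanumeric characters from /dev/urandom; no quotes, so it is safe inside the script.
generate_password() { head -c 32 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | cut -c1-20; }
# Multipart user data: the cloud-config part makes cloud-init run the shell part on
# every boot ([scripts-user, always]); the shell part sets the password and optional key.
build_user_data() {
  local user="$1" password="$2" pubkey="${3:-}"
  case "$password" in *\'*) echo "password must not contain a single quote" >&2; return 1;; esac
  cat <<EOF
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [scripts-user, always]

--//
Content-Type: text/x-shellscript; charset="us-ascii"
Content-Disposition: attachment; filename="userdata.txt"

#!/bin/bash
echo '${password}' | passwd --stdin ${user}
EOF
  if [ -n "$pubkey" ]; then cat <<EOF
install -d -m 700 -o ${user} -g ${user} /home/${user}/.ssh
echo '${pubkey}' >> /home/${user}/.ssh/authorized_keys
chown ${user}:${user} /home/${user}/.ssh/authorized_keys && chmod 600 /home/${user}/.ssh/authorized_keys
EOF
  fi
  printf -- '--//--\n'
}
# User data can only be changed on a stopped instance. Assumption: the CLI base64-encodes
# the file for the userData attribute; confirm with show_user_data after the instance starts.
apply_user_data() {
  local instance_id="$1" file="$2"
  aws ec2 stop-instances --instance-ids "$instance_id" >/dev/null
  aws ec2 wait instance-stopped --instance-ids "$instance_id"
  aws ec2 modify-instance-attribute --instance-id "$instance_id" --attribute userData --value "file://$file"
  aws ec2 start-instances --instance-ids "$instance_id" >/dev/null
}
# Stored user data is readable through the API and from the instance metadata endpoint,
# so once you are back in, re-run apply_user_data with a harmless file to overwrite it.
show_user_data() {
  aws ec2 describe-instance-attribute --instance-id "$1" --attribute userData --query 'UserData.Value' --output text | base64 --decode
}
```

Typical use: `build_user_data ec2-user "$(generate_password)" "$(cat ~/.ssh/id_ed25519.pub)" > userdata.mime` followed by `apply_user_data i-PLACEHOLDER userdata.mime`, keeping the generated password from the file for the serial-console login.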
Read more: