Reputation: 58790
I have admin access to the AWS console and can view EC2 instances, start/stop, and so on. But I can't SSH into an EC2. I wasn't sure if the .pem key was wrong.
What option do I have to get in?
I can just reset the root password in Linode or Digital Ocean, and remote SSH in. But I don't have these options on AWS.
I've tried this and it hangs. E.g. my VM IP = 1.1.1.1
➜ ~ ssh -i ~/.ssh/app.pem [email protected] -v
OpenSSH_8.1p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/alpha/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug1: Connecting to 1.1.1.1 [1.1.1.1] port 22.
^C
➜ ~
How can I debug this further? How do I gain SSH access?
What should I do?
Upvotes: 2
Views: 6821
Reputation: 11
You brought up a good point about home routers, but don't be too quick to dismiss it. My Netgear N300 (ancient, I know) has a blocked services area.
I battled the SSH operation timeout for a long time, and finally I disabled all my router blocking services and I was able to immediately SSH into my AWS Linux instance.
Upvotes: 0
Reputation: 2326
You should step through all the connection elements you need in order to create that SSH connection to AWS.
First, ensure your local network is permitting the connection. Most home routers allow outbound to any port, but if you are using a work network, it is possible they are filtering port 22 (default for SSH). You may need to ensure that your outbound request to the machine is not being dropped by your firewall.
Next, you need to make sure that the NACLs aren't causing problems. The VPC subnet that your EC2 instance is sitting in has NACLs. By default, they don't filter anything. However, you should ensure that you aren't filtering inbound port 22 TCP, or outbound ephemeral ports (ports 1024->65535). These ephemeral ports are needed since the return port (your side) will be dynamic and random in that port range.
You need to make sure that you have a security group attached to your instance and that it allows port 22 TCP (SSH) inbound. This is important since by default, it will NOT permit any inbound ports. If you need to create a security group, you can do that on the EC2 service page. Create a new one with an inbound of SSH permitted, TCP, on at least your IP (If you have an ip that is 2.3.4.5, you should enter 2.3.4.5/32 into the address field). Then attach it to your instance. The attachment should be instantaneous (no need to reboot). Warning: Allowing all IPs (0.0.0.0/0) can be dangerous if you don't have a properly secured instance as it will permit all IPs the ability to try to connect in through that port. Unlike NACLs, security groups are stateful so there is no need to list ephemeral ports in your security group.
I assume you are using a 'sane' AMI to boot from, but if this previously worked and now it doesn't, you should consider whether you locked yourself out with a firewall at the OS level. If you somehow put a rule in at the OS level to reject port 22, or if sshd isn't running, you are going to have issues for obvious reasons. The fix here would be complicated, but possible, if this is what you did.
You are already aware that you need to make sure you have the right keypair. Verify which keypair you used by looking at the instance data on the EC2 page and use that key to log in. Make sure you are using the proper default username for your distribution (they can vary by type - typically it is 'ec2-user', but CentOS, for example, uses the user 'centos'. YMMV, so look it up!)
If you continue to have issues, you could always enable VPC flow logs on the VPC containing your instance. This will make a log entry for every packet flow into and out of your VPC so you can at least see if the traffic is making it to the VPC, and if so, if it is being denied or forwarded to the instance.
Upvotes: 5
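One way to turn the NACL and security-group steps of that checklist into something you can run against the JSON the CLI returns, as an added example that is not part of the answer above or of any AWS tooling: the functions below evaluate rules the way the answer describes (security groups are stateful allow-lists where any matching rule suffices; NACLs are stateless and evaluated in rule-number order, first match wins, with the final catch-all deny), and flag the classic mistake of allowing inbound tcp/22 but forgetting the outbound ephemeral range. The sample data is constructed to look like `aws ec2 describe-security-groups` / `describe-network-acls` output; the group IDs and the client IP 2.3.4.5 are placeholders.

```python
import ipaddress

SSH_PORT = 22

# TCP/UDP appear as "tcp"/"udp" in security groups but as IANA numbers ("6"/"17") in NACL entries.
_PROTO_NUMBERS = {"tcp": "6", "udp": "17"}


def _cidr_contains(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _proto_matches(rule_proto, proto):
    # "-1" means "all protocols" in both APIs.
    return rule_proto == "-1" or rule_proto in (proto, _PROTO_NUMBERS.get(proto))


def _port_matches(port_range, port):
    # No port range on a rule means "all ports" (e.g. protocol -1 entries).
    return port_range is None or port_range[0] <= port <= port_range[1]


def sg_allows_inbound(groups, src_ip, port=SSH_PORT, proto="tcp"):
    """Stateful allow-list: a single matching IpPermission in any attached group is enough.
    No rule at all (a freshly created group) means nothing inbound is permitted."""
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not _proto_matches(perm["IpProtocol"], proto):
                continue
            rng = None if perm["IpProtocol"] == "-1" else (perm["FromPort"], perm["ToPort"])
            if not _port_matches(rng, port):
                continue
            if any(_cidr_contains(r["CidrIp"], src_ip) for r in perm.get("IpRanges", [])):
                return True
    return False


def nacl_decision(entries, egress, remote_ip, port, proto="tcp"):
    """Stateless, ordered evaluation: lowest RuleNumber that matches decides.
    The 32767 '*' entry AWS always includes is a deny; if nothing matches, deny."""
    for entry in sorted(entries, key=lambda e: e["RuleNumber"]):
        if entry["Egress"] != egress or not _proto_matches(entry["Protocol"], proto):
            continue
        pr = entry.get("PortRange")
        rng = None if pr is None else (pr["From"], pr["To"])
        if not _port_matches(rng, port):
            continue
        if _cidr_contains(entry["CidrBlock"], remote_ip):
            return entry["RuleAction"]
    return "deny"


def diagnose_ssh_path(groups, nacl_entries, client_ip, client_port=51515):
    """Return (check, ok) pairs for the VPC-side checks in the answer's checklist.
    client_port stands in for the random ephemeral source port the client picks."""
    return [
        ("security group allows tcp/22 from client",
         sg_allows_inbound(groups, client_ip)),
        ("NACL inbound allows tcp/22 from client",
         nacl_decision(nacl_entries, False, client_ip, SSH_PORT) == "allow"),
        ("NACL outbound allows ephemeral return port to client",
         nacl_decision(nacl_entries, True, client_ip, client_port) == "allow"),
    ]


# --- Constructed sample data (placeholder IDs, not real AWS output) ---
SAMPLE_SG_OK = [{"GroupId": "sg-EXAMPLE1", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "2.3.4.5/32"}]}]}]
SAMPLE_SG_EMPTY = [{"GroupId": "sg-EXAMPLE2", "IpPermissions": []}]  # new group: no inbound at all

_CATCH_ALL = [
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"},
]
# Default NACL: allow everything in both directions.
SAMPLE_NACL_DEFAULT = [
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0"},
] + _CATCH_ALL
# Custom NACL that lets tcp/22 in but only tcp/443 out: the SSH handshake's replies never leave the subnet.
SAMPLE_NACL_NO_EPHEMERAL = [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
] + _CATCH_ALL

if __name__ == "__main__":
    for check, ok in diagnose_ssh_path(SAMPLE_SG_OK, SAMPLE_NACL_NO_EPHEMERAL, "2.3.4.5"):
        print(("OK   " if ok else "FAIL ") + check)
```

The third check is the one people forget: because NACLs are stateless, the instance's SYN-ACK goes out to whatever random port the client chose, so an outbound allow for 1024-65535 is required even though nothing in the security group needs it. To use this on a real account, load the `SecurityGroups` and `NetworkAcls[].Entries` lists from the CLI's JSON in place of the samples.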
Reputation: 548
To be able to SSH into an EC2 instance, you need to configure an EC2 key pair. If you have done that, but somehow got "locked out", e.g., you lost your key, you should be able to use Systems Manager (SSM) to regain access.
Have a look here on how to connect to an EC2 instance using SSM: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-sessions-start.html
Best, Stefan
Upvotes: 1