How to SSH into an EC2 Instance on AWS

To SSH into an EC2 instance, you need three things: a private key file (.pem), the instance’s public IP address, and port 22 open in the security group from your IP. The basic command is ssh -i your-key.pem username@public-ip. The most common failure points are wrong file permissions, wrong username, and a missing port 22 rule. If you need to access private instances or want a cleaner team workflow, Session Manager is worth reading about first. It requires no key pairs and no open ports at all.

Quick answer

  • SSH into an EC2 instance with: ssh -i your-key.pem username@public-ip
  • Run chmod 400 your-key.pem before connecting. SSH refuses to use a key file readable by other users.
  • The username depends on the AMI: ec2-user for Amazon Linux, ubuntu for Ubuntu, admin for Debian
  • Port 22 must be open in the security group, restricted to your IP only. Never open it to 0.0.0.0/0.

Before you start

All of these need to be in place before the connection will work:

  • A running Linux EC2 instance. Windows instances use RDP, not SSH.
  • A key pair. Either one created in AWS (gives you a .pem file to download) or an imported public key from your own machine.
  • The instance’s public IP or DNS. Only available on instances in public subnets. Private subnet instances have no public IP and need a different approach.
  • A security group rule for SSH. TCP port 22 must allow inbound traffic from your IP address.
  • The correct username. Depends on the OS/AMI (see the table further down).
  • An SSH client installed locally. macOS and Linux include one built in. Windows 10 and 11 include OpenSSH, or you can use PuTTY.

If you have not yet launched your first instance, the first EC2 instance guide walks through key pair creation, security group setup, and connecting for the first time.

Simple explanation

SSH uses a pair of mathematically linked keys. You hold the private key on your machine as a .pem file. The public key lives on the EC2 instance at ~/.ssh/authorized_keys. When you connect, your SSH client proves it holds the private key without ever sending it over the network. The instance checks that proof against the public key on file. If they match, you get a shell with no password required.

Think of it this way

The public key is like a padlock. You can give it to anyone and they can put it on their storage unit. The private key is the physical key that opens it. AWS bolts the padlock onto the instance when you launch it. Only the person holding the physical key can get in. If you lose the key, the padlock is still there — the unit is just locked with no way in unless you break the door.

The practical consequence: if you lose the private key, you lose direct SSH access. AWS never keeps a copy after the initial download. This is one reason Session Manager is often the better long-term choice. Access is controlled through IAM permissions rather than key files, so losing a .pem file is not a crisis.

How SSH access to EC2 works

Four things have to line up for a connection to succeed:

  • Key pair. When you launch an instance with a key pair, AWS injects the public key into the instance’s authorized_keys file. You must have the matching private key (.pem) to authenticate.
  • Public IP and reachability. You need a network route to the instance. Instances in public subnets get a public IP. Instances in private subnets only have private IPs and are not reachable from the internet. They need a bastion host, VPN, or Session Manager.
  • Security group on port 22. The security group acts as a virtual firewall. TCP port 22 must explicitly allow traffic from your source IP. If the rule is missing or points to a different IP, the connection will time out.
  • Correct username. Each AMI has a default OS user. Using the wrong one produces “Permission denied” even when the key is correct.

Understanding public vs private IP addresses in AWS will save you significant troubleshooting time when an instance appears unreachable.

Step-by-step: connect to an EC2 instance

1. Create or import a key pair

Create a new RSA key pair and save the private key:

aws ec2 create-key-pair \
  --key-name my-key \
  --key-type rsa \
  --key-format pem \
  --query "KeyMaterial" \
  --output text > my-key.pem

Or create an ED25519 key pair (more modern than RSA):

aws ec2 create-key-pair \
  --key-name my-key \
  --key-type ed25519 \
  --query "KeyMaterial" \
  --output text > my-key.pem

If you already have an SSH key pair on your machine, import the public key instead:

aws ec2 import-key-pair \
  --key-name my-key \
  --public-key-material fileb://~/.ssh/id_rsa.pub
Warning

AWS gives you the private key once, when you create it. Store the .pem file in a password manager or encrypted volume. If you lose it, you lose direct SSH access. See the recovery section below for your options.

2. Lock down the private key permissions

Run this immediately after saving the file. SSH refuses to use a key file that other users on your machine can read:

chmod 400 my-key.pem

3. Get the instance public IP or DNS

aws ec2 describe-instances \
  --instance-ids i-0abc12345def67890 \
  --query "Reservations[0].Instances[0].PublicIpAddress" \
  --output text

You can also find it in the EC2 console: Instances → select your instance → Public IPv4 address. If the field is empty, the instance is in a private subnet and has no public IP. You cannot SSH to it directly from the internet.

4. Confirm the security group allows SSH from your IP only

# Get your current public IP
MY_IP=$(curl -s https://checkip.amazonaws.com)

# Add an inbound SSH rule restricted to your IP
aws ec2 authorize-security-group-ingress \
  --group-id sg-0abc12345def67890 \
  --protocol tcp \
  --port 22 \
  --cidr ${MY_IP}/32
Security risk

Never open port 22 to 0.0.0.0/0. Within minutes of launch, automated scanners will attempt brute-force logins against any instance with port 22 open to the world. This is not theoretical — it happens to every public instance with an open port. Always restrict the rule to your own IP with /32 CIDR notation, or use Session Manager and remove port 22 entirely.

5. Use the correct SSH username

The username depends on the AMI. See the Default usernames by OS table below. Using the wrong username is one of the most common causes of “Permission denied (publickey)”, even when the key is perfectly valid.

6. Connect with SSH

# Amazon Linux 2023 / Amazon Linux 2
ssh -i my-key.pem ec2-user@<public-ip>

# Ubuntu
ssh -i my-key.pem ubuntu@<public-ip>

# Add -v for verbose output when debugging connection issues
ssh -v -i my-key.pem ec2-user@<public-ip>

7. Verify you are connected

Once connected, you should see the instance hostname in the shell prompt. Confirm you are on the right instance:

# Show the instance ID from metadata
curl -s http://169.254.169.254/latest/meta-data/instance-id

# Show OS details and hostname
uname -a
hostname

Default usernames by OS

Check this before assuming the key or security group is the problem. The wrong username produces the same “Permission denied (publickey)” error as a bad key, and it is a much faster fix.

AMI / OSDefault usernameNotes
Amazon Linux 2023ec2-userMost common choice for AWS workloads
Amazon Linux 2ec2-user
UbuntuubuntuApplies to all Ubuntu AMIs from Canonical
DebianadminSome older Debian AMIs may use debian. Check AMI documentation.
RHELec2-userSome older RHEL AMIs used root. Avoid logging in as root directly.
CentOScentosCommunity AMIs can vary. Verify with the AMI’s documentation page.
SUSEec2-user
WindowsAdministratorWindows uses RDP (port 3389), not SSH

For marketplace or custom AMIs, check the AMI’s documentation page. Vendors sometimes configure a different default user.

When to use SSH

SSH is a strong choice when you need:

  • Direct shell access. Interactive debugging, running ad-hoc commands, editing configuration files on the instance.
  • File transfers. Both scp and rsync run over SSH and are straightforward for copying files to and from an instance.
  • Port forwarding and tunneling. Forward a remote port (for example, a database listening on 5432) to your local machine without exposing it to the internet.
  • Remote development. VS Code Remote SSH connects to EC2 over SSH and gives you a full IDE experience running on the instance.
  • Bastion host patterns. A hardened public instance acts as a jump host into private instances behind it using SSH agent forwarding.
Good to know

SSH is also a useful fallback when Session Manager is not yet configured. If you are setting up a new instance and SSM Agent is not ready, SSH gets you in so you can configure everything else.

When to use Session Manager instead

Session Manager is the better operational choice when you want to:

  • Eliminate port 22 entirely. No inbound SSH rule means one less attack surface to manage.
  • Access private instances directly. Instances in private subnets with no public IP are fully accessible through Session Manager. No bastion host needed.
  • Stop managing key pairs. Access is controlled through IAM permissions, not .pem files. You grant and revoke access by updating IAM, not by distributing or rotating keys.
  • Get automatic audit logs. Every session is recorded to CloudWatch Logs or S3, giving you a full history of who ran what command and when.
  • Support multiple team members. Each IAM user gets their own audited access session without anyone sharing a key pair.

The trade-off: Session Manager requires the SSM Agent to be running on the instance and an IAM instance profile with SSM permissions attached. Applying the principle of least privilege to those instance profiles is important to avoid over-granting access.

SSH vs Session Manager vs EC2 Instance Connect

Each method has different trade-offs. Here is a practical comparison to help you choose:

MethodBest forRequires port 22Requires key pairWorks on private instancesOperational overhead
SSHFile transfers, port forwarding, remote dev toolsYesYesOnly via bastion or VPNKey pair management, port 22 rules
Session ManagerProduction access, private instances, audit requirementsNoNoYesSSM Agent + IAM instance profile
EC2 Instance ConnectQuick one-off access, recovery, no pre-setup neededYes (or via EC2 Instance Connect Endpoint)No, pushes a temporary key for 60 secondsWith EC2 Instance Connect EndpointLow, works on Amazon Linux and Ubuntu by default

For most production environments, Session Manager is the stronger operational choice. SSH remains useful for file transfers and port forwarding workflows that Session Manager does not natively support. EC2 Instance Connect is the best option for recovery or occasional access when you have not pre-configured either of the others.

Troubleshooting SSH failures

Permission denied (publickey)

  • Likely cause: Wrong username, wrong key pair, or file permissions too open
  • Fix: Run chmod 400 my-key.pem. Confirm the username matches the AMI (see the table above). Confirm this key pair was the one selected when the instance was launched, not a different one or none at all. Add -v to the SSH command for verbose output that identifies exactly where authentication fails.

Connection timed out

  • Likely cause: Port 22 is not open in the security group from your IP, or the instance is in a private subnet with no route from your machine
  • Fix: Check the security group inbound rules. TCP 22 must allow your source IP. Check whether the instance has a public IP. If it is in a private subnet, it is not reachable directly from the internet. See the network troubleshooting guide for diagnosing route and subnet issues.

Connection refused

  • Likely cause: The SSH daemon is not running, or the instance is still booting
  • Fix: Wait a minute and retry. Check the instance system log in the EC2 console under Actions, then Monitor and troubleshoot, then Get system log. If the SSH daemon crashed, you may need to recover via EC2 Instance Connect, Session Manager, or the EBS volume method below.

Host key verification failed

  • Likely cause: The instance was replaced and the new one got the same IP. Your local ~/.ssh/known_hosts file still has the old host key stored for that address.
  • Fix: Remove the stale entry with ssh-keygen -R <ip-address>. Reconnect and confirm the new host key fingerprint matches what you expect.

WARNING: UNPROTECTED PRIVATE KEY FILE

  • Likely cause: The .pem file has permissions wider than 400, meaning other users on the machine can read it
  • Fix: Run chmod 400 my-key.pem. SSH requires 400 or stricter and refuses to proceed until this is done.

No route to host / private subnet reachability

  • Likely cause: The instance is in a private subnet, has no public IP, or the VPC has no internet gateway attached
  • Fix: Confirm the instance has a public IP. If it does not, use a bastion host, VPN, or Session Manager. For deeper diagnosis, see debugging VPC connectivity problems.

Recovering when locked out

If you lose the private key and cannot SSH in, try these options in order of effort:

Option 1: EC2 Instance Connect

Try this first

EC2 Instance Connect is the fastest recovery path. It works on Amazon Linux 2023, Amazon Linux 2, and Ubuntu with no pre-configuration needed, and it does not require the original key pair.

It pushes a temporary public key to the instance for 60 seconds. Trigger it from the EC2 console Connect button, or from the CLI:

aws ec2-instance-connect send-ssh-public-key \
  --instance-id i-0abc12345def67890 \
  --instance-os-user ec2-user \
  --ssh-public-key file://~/.ssh/id_rsa.pub \
  --availability-zone us-east-1a

Immediately SSH in while the temporary key is valid:

ssh -i ~/.ssh/id_rsa ec2-user@<public-ip>

Option 2: Session Manager

If the instance has the SSM Agent running and an IAM instance profile with SSM permissions, Session Manager gives you a shell with no key pair or open port needed. This is the simplest recovery path when it is already configured.

Option 3: EBS volume recovery

Use this when neither of the above options are available. It takes longer but is reliable:

  1. Stop the locked-out instance (do not terminate it)
  2. Detach its root EBS volume
  3. Attach the volume to a working instance as a secondary disk (for example, /dev/sdf)
  4. Mount the volume and add your new public key to /home/ec2-user/.ssh/authorized_keys
  5. Unmount and detach the volume
  6. Reattach it to the original instance as the root volume and start the instance

This is the nuclear recovery option. It is a good reason to configure Session Manager before you need it.

Using SSH config to simplify connections

Instead of typing the full command each time, add the instance to your ~/.ssh/config file:

Host myserver
  HostName 54.123.45.67
  User ec2-user
  IdentityFile ~/.ssh/my-key.pem

Now you can connect with just ssh myserver. You can extend this to set up local port forwarding, for example to access a Postgres database on the instance from your local machine:

Host myserver
  HostName 54.123.45.67
  User ec2-user
  IdentityFile ~/.ssh/my-key.pem
  LocalForward 5432 localhost:5432
Do not disable host key checking

Avoid adding StrictHostKeyChecking no to your SSH config. It disables host key verification, which means a different server can silently intercept your connection with no warning. The default behaviour is the right one: prompt on first connection, error on changed key. If you want to auto-accept the first connection to a new instance without a manual prompt, StrictHostKeyChecking accept-new is a safer middle ground. It accepts new hosts but still rejects changed keys.

Common mistakes

  1. Forgetting chmod 400 on the .pem file. SSH prints a clear warning and refuses to connect if the key file has permissions wider than 400. Run chmod 400 my-key.pem immediately after downloading. This is the single most common first-time mistake.

  2. Using the wrong username. Amazon Linux uses ec2-user. Ubuntu uses ubuntu. Debian uses admin. The connection fails with “Permission denied (publickey)” even when the key is perfectly valid. Check the table above before troubleshooting anything else.

  3. Opening port 22 to 0.0.0.0/0. This exposes the instance to automated SSH brute-force attempts within minutes of launch. Always restrict the rule to your specific IP with /32 CIDR notation. If your IP changes regularly, use Session Manager and remove the port 22 rule entirely.

  4. Trying to SSH directly to a private instance from the internet. Instances in private subnets have no public IP. The connection times out rather than refuses, which looks identical to a firewall block and can mislead you into checking the wrong thing first. Confirm the instance has a public IP before investigating the key or username.

  5. Losing the private key with no recovery plan. Recovery is possible but slow. Store the .pem file securely from the start, or configure Session Manager so the key is never the only way in.

  6. Leaving port 22 open indefinitely. Remove the inbound rule when you are done with a session if you do not need persistent SSH access. A narrower attack surface is always better. This is the core of the principle of least privilege applied to network access.

Frequently asked questions

How do I SSH into an EC2 instance?

You need a .pem private key file, the instance public IP, and port 22 open in the security group from your IP. Run: ssh -i your-key.pem ec2-user@<public-ip> for Amazon Linux, or replace ec2-user with ubuntu for Ubuntu instances. Set chmod 400 on the .pem file first or SSH will refuse to use it.

What username should I use for Amazon Linux vs Ubuntu?

Use ec2-user for Amazon Linux 2023 and Amazon Linux 2. Use ubuntu for Ubuntu AMIs. Use admin for Debian. The wrong username causes a "Permission denied (publickey)" error even when everything else is correct.

Why do I get "Permission denied (publickey)"?

The most common causes are: wrong username for the OS, .pem file permissions not set to 400 (run chmod 400 your-key.pem), using the wrong key pair (not the one selected when launching the instance), or the instance was launched with no key pair at all.

Can I SSH into a private EC2 instance?

Not directly from the internet. Private instances only have private IP addresses and are not reachable from outside the VPC. To connect, use a bastion host in a public subnet, a VPN, or Session Manager, which works without any inbound ports or public IP.

What should I use instead of SSH on AWS?

AWS Systems Manager Session Manager is the modern alternative. It requires no key pairs, no open port 22, works on private instances, and logs all session activity. For occasional access or recovery, EC2 Instance Connect pushes a temporary key without any pre-configuration.

Last verified: 1 April 2026 Cloud services change frequently. Verify details against official documentation before making infrastructure decisions.