How to SSH into an EC2 Instance on AWS
To SSH into an EC2 instance, you need three things: a private key file (.pem), the instance’s public IP address, and port 22 open in the security group from your IP. The basic command is ssh -i your-key.pem username@public-ip. The most common failure points are wrong file permissions, wrong username, and a missing port 22 rule. If you need to access private instances or want a cleaner team workflow, Session Manager is worth reading about first. It requires no key pairs and no open ports at all.
Quick answer
- SSH into an EC2 instance with:
ssh -i your-key.pem username@public-ip - Run
chmod 400 your-key.pembefore connecting. SSH refuses to use a key file readable by other users. - The username depends on the AMI:
ec2-userfor Amazon Linux,ubuntufor Ubuntu,adminfor Debian - Port 22 must be open in the security group, restricted to your IP only. Never open it to
0.0.0.0/0.
Before you start
All of these need to be in place before the connection will work:
- A running Linux EC2 instance. Windows instances use RDP, not SSH.
- A key pair. Either one created in AWS (gives you a .pem file to download) or an imported public key from your own machine.
- The instance’s public IP or DNS. Only available on instances in public subnets. Private subnet instances have no public IP and need a different approach.
- A security group rule for SSH. TCP port 22 must allow inbound traffic from your IP address.
- The correct username. Depends on the OS/AMI (see the table further down).
- An SSH client installed locally. macOS and Linux include one built in. Windows 10 and 11 include OpenSSH, or you can use PuTTY.
If you have not yet launched your first instance, the first EC2 instance guide walks through key pair creation, security group setup, and connecting for the first time.
Simple explanation
SSH uses a pair of mathematically linked keys. You hold the private key on your machine as a .pem file. The public key lives on the EC2 instance at ~/.ssh/authorized_keys. When you connect, your SSH client proves it holds the private key without ever sending it over the network. The instance checks that proof against the public key on file. If they match, you get a shell with no password required.
The public key is like a padlock. You can give it to anyone and they can put it on their storage unit. The private key is the physical key that opens it. AWS bolts the padlock onto the instance when you launch it. Only the person holding the physical key can get in. If you lose the key, the padlock is still there — the unit is just locked with no way in unless you break the door.
The practical consequence: if you lose the private key, you lose direct SSH access. AWS never keeps a copy after the initial download. This is one reason Session Manager is often the better long-term choice. Access is controlled through IAM permissions rather than key files, so losing a .pem file is not a crisis.
How SSH access to EC2 works
Four things have to line up for a connection to succeed:
- Key pair. When you launch an instance with a key pair, AWS injects the public key into the instance’s
authorized_keysfile. You must have the matching private key (.pem) to authenticate. - Public IP and reachability. You need a network route to the instance. Instances in public subnets get a public IP. Instances in private subnets only have private IPs and are not reachable from the internet. They need a bastion host, VPN, or Session Manager.
- Security group on port 22. The security group acts as a virtual firewall. TCP port 22 must explicitly allow traffic from your source IP. If the rule is missing or points to a different IP, the connection will time out.
- Correct username. Each AMI has a default OS user. Using the wrong one produces “Permission denied” even when the key is correct.
Understanding public vs private IP addresses in AWS will save you significant troubleshooting time when an instance appears unreachable.
Step-by-step: connect to an EC2 instance
1. Create or import a key pair
Create a new RSA key pair and save the private key:
aws ec2 create-key-pair \
--key-name my-key \
--key-type rsa \
--key-format pem \
--query "KeyMaterial" \
--output text > my-key.pemOr create an ED25519 key pair (more modern than RSA):
aws ec2 create-key-pair \
--key-name my-key \
--key-type ed25519 \
--query "KeyMaterial" \
--output text > my-key.pemIf you already have an SSH key pair on your machine, import the public key instead:
aws ec2 import-key-pair \
--key-name my-key \
--public-key-material fileb://~/.ssh/id_rsa.pubAWS gives you the private key once, when you create it. Store the .pem file in a password manager or encrypted volume. If you lose it, you lose direct SSH access. See the recovery section below for your options.
2. Lock down the private key permissions
Run this immediately after saving the file. SSH refuses to use a key file that other users on your machine can read:
chmod 400 my-key.pem3. Get the instance public IP or DNS
aws ec2 describe-instances \
--instance-ids i-0abc12345def67890 \
--query "Reservations[0].Instances[0].PublicIpAddress" \
--output textYou can also find it in the EC2 console: Instances → select your instance → Public IPv4 address. If the field is empty, the instance is in a private subnet and has no public IP. You cannot SSH to it directly from the internet.
4. Confirm the security group allows SSH from your IP only
# Get your current public IP
MY_IP=$(curl -s https://checkip.amazonaws.com)
# Add an inbound SSH rule restricted to your IP
aws ec2 authorize-security-group-ingress \
--group-id sg-0abc12345def67890 \
--protocol tcp \
--port 22 \
--cidr ${MY_IP}/32Never open port 22 to 0.0.0.0/0. Within minutes of launch, automated scanners will attempt brute-force logins against any instance with port 22 open to the world. This is not theoretical — it happens to every public instance with an open port. Always restrict the rule to your own IP with /32 CIDR notation, or use Session Manager and remove port 22 entirely.
5. Use the correct SSH username
The username depends on the AMI. See the Default usernames by OS table below. Using the wrong username is one of the most common causes of “Permission denied (publickey)”, even when the key is perfectly valid.
6. Connect with SSH
# Amazon Linux 2023 / Amazon Linux 2
ssh -i my-key.pem ec2-user@<public-ip>
# Ubuntu
ssh -i my-key.pem ubuntu@<public-ip>
# Add -v for verbose output when debugging connection issues
ssh -v -i my-key.pem ec2-user@<public-ip>7. Verify you are connected
Once connected, you should see the instance hostname in the shell prompt. Confirm you are on the right instance:
# Show the instance ID from metadata
curl -s http://169.254.169.254/latest/meta-data/instance-id
# Show OS details and hostname
uname -a
hostnameDefault usernames by OS
Check this before assuming the key or security group is the problem. The wrong username produces the same “Permission denied (publickey)” error as a bad key, and it is a much faster fix.
| AMI / OS | Default username | Notes |
|---|---|---|
| Amazon Linux 2023 | ec2-user | Most common choice for AWS workloads |
| Amazon Linux 2 | ec2-user | |
| Ubuntu | ubuntu | Applies to all Ubuntu AMIs from Canonical |
| Debian | admin | Some older Debian AMIs may use debian. Check AMI documentation. |
| RHEL | ec2-user | Some older RHEL AMIs used root. Avoid logging in as root directly. |
| CentOS | centos | Community AMIs can vary. Verify with the AMI’s documentation page. |
| SUSE | ec2-user | |
| Windows | Administrator | Windows uses RDP (port 3389), not SSH |
For marketplace or custom AMIs, check the AMI’s documentation page. Vendors sometimes configure a different default user.
When to use SSH
SSH is a strong choice when you need:
- Direct shell access. Interactive debugging, running ad-hoc commands, editing configuration files on the instance.
- File transfers. Both
scpandrsyncrun over SSH and are straightforward for copying files to and from an instance. - Port forwarding and tunneling. Forward a remote port (for example, a database listening on 5432) to your local machine without exposing it to the internet.
- Remote development. VS Code Remote SSH connects to EC2 over SSH and gives you a full IDE experience running on the instance.
- Bastion host patterns. A hardened public instance acts as a jump host into private instances behind it using SSH agent forwarding.
SSH is also a useful fallback when Session Manager is not yet configured. If you are setting up a new instance and SSM Agent is not ready, SSH gets you in so you can configure everything else.
When to use Session Manager instead
Session Manager is the better operational choice when you want to:
- Eliminate port 22 entirely. No inbound SSH rule means one less attack surface to manage.
- Access private instances directly. Instances in private subnets with no public IP are fully accessible through Session Manager. No bastion host needed.
- Stop managing key pairs. Access is controlled through IAM permissions, not .pem files. You grant and revoke access by updating IAM, not by distributing or rotating keys.
- Get automatic audit logs. Every session is recorded to CloudWatch Logs or S3, giving you a full history of who ran what command and when.
- Support multiple team members. Each IAM user gets their own audited access session without anyone sharing a key pair.
The trade-off: Session Manager requires the SSM Agent to be running on the instance and an IAM instance profile with SSM permissions attached. Applying the principle of least privilege to those instance profiles is important to avoid over-granting access.
SSH vs Session Manager vs EC2 Instance Connect
Each method has different trade-offs. Here is a practical comparison to help you choose:
| Method | Best for | Requires port 22 | Requires key pair | Works on private instances | Operational overhead |
|---|---|---|---|---|---|
| SSH | File transfers, port forwarding, remote dev tools | Yes | Yes | Only via bastion or VPN | Key pair management, port 22 rules |
| Session Manager | Production access, private instances, audit requirements | No | No | Yes | SSM Agent + IAM instance profile |
| EC2 Instance Connect | Quick one-off access, recovery, no pre-setup needed | Yes (or via EC2 Instance Connect Endpoint) | No, pushes a temporary key for 60 seconds | With EC2 Instance Connect Endpoint | Low, works on Amazon Linux and Ubuntu by default |
For most production environments, Session Manager is the stronger operational choice. SSH remains useful for file transfers and port forwarding workflows that Session Manager does not natively support. EC2 Instance Connect is the best option for recovery or occasional access when you have not pre-configured either of the others.
Troubleshooting SSH failures
Permission denied (publickey)
- Likely cause: Wrong username, wrong key pair, or file permissions too open
- Fix: Run
chmod 400 my-key.pem. Confirm the username matches the AMI (see the table above). Confirm this key pair was the one selected when the instance was launched, not a different one or none at all. Add-vto the SSH command for verbose output that identifies exactly where authentication fails.
Connection timed out
- Likely cause: Port 22 is not open in the security group from your IP, or the instance is in a private subnet with no route from your machine
- Fix: Check the security group inbound rules. TCP 22 must allow your source IP. Check whether the instance has a public IP. If it is in a private subnet, it is not reachable directly from the internet. See the network troubleshooting guide for diagnosing route and subnet issues.
Connection refused
- Likely cause: The SSH daemon is not running, or the instance is still booting
- Fix: Wait a minute and retry. Check the instance system log in the EC2 console under Actions, then Monitor and troubleshoot, then Get system log. If the SSH daemon crashed, you may need to recover via EC2 Instance Connect, Session Manager, or the EBS volume method below.
Host key verification failed
- Likely cause: The instance was replaced and the new one got the same IP. Your local
~/.ssh/known_hostsfile still has the old host key stored for that address. - Fix: Remove the stale entry with
ssh-keygen -R <ip-address>. Reconnect and confirm the new host key fingerprint matches what you expect.
WARNING: UNPROTECTED PRIVATE KEY FILE
- Likely cause: The .pem file has permissions wider than 400, meaning other users on the machine can read it
- Fix: Run
chmod 400 my-key.pem. SSH requires 400 or stricter and refuses to proceed until this is done.
No route to host / private subnet reachability
- Likely cause: The instance is in a private subnet, has no public IP, or the VPC has no internet gateway attached
- Fix: Confirm the instance has a public IP. If it does not, use a bastion host, VPN, or Session Manager. For deeper diagnosis, see debugging VPC connectivity problems.
Recovering when locked out
If you lose the private key and cannot SSH in, try these options in order of effort:
Option 1: EC2 Instance Connect
EC2 Instance Connect is the fastest recovery path. It works on Amazon Linux 2023, Amazon Linux 2, and Ubuntu with no pre-configuration needed, and it does not require the original key pair.
It pushes a temporary public key to the instance for 60 seconds. Trigger it from the EC2 console Connect button, or from the CLI:
aws ec2-instance-connect send-ssh-public-key \
--instance-id i-0abc12345def67890 \
--instance-os-user ec2-user \
--ssh-public-key file://~/.ssh/id_rsa.pub \
--availability-zone us-east-1aImmediately SSH in while the temporary key is valid:
ssh -i ~/.ssh/id_rsa ec2-user@<public-ip>Option 2: Session Manager
If the instance has the SSM Agent running and an IAM instance profile with SSM permissions, Session Manager gives you a shell with no key pair or open port needed. This is the simplest recovery path when it is already configured.
Option 3: EBS volume recovery
Use this when neither of the above options are available. It takes longer but is reliable:
- Stop the locked-out instance (do not terminate it)
- Detach its root EBS volume
- Attach the volume to a working instance as a secondary disk (for example,
/dev/sdf) - Mount the volume and add your new public key to
/home/ec2-user/.ssh/authorized_keys - Unmount and detach the volume
- Reattach it to the original instance as the root volume and start the instance
This is the nuclear recovery option. It is a good reason to configure Session Manager before you need it.
Using SSH config to simplify connections
Instead of typing the full command each time, add the instance to your ~/.ssh/config file:
Host myserver
HostName 54.123.45.67
User ec2-user
IdentityFile ~/.ssh/my-key.pemNow you can connect with just ssh myserver. You can extend this to set up local port forwarding, for example to access a Postgres database on the instance from your local machine:
Host myserver
HostName 54.123.45.67
User ec2-user
IdentityFile ~/.ssh/my-key.pem
LocalForward 5432 localhost:5432Avoid adding StrictHostKeyChecking no to your SSH config. It disables host key verification, which means a different server can silently intercept your connection with no warning. The default behaviour is the right one: prompt on first connection, error on changed key. If you want to auto-accept the first connection to a new instance without a manual prompt, StrictHostKeyChecking accept-new is a safer middle ground. It accepts new hosts but still rejects changed keys.
Common mistakes
Forgetting chmod 400 on the .pem file. SSH prints a clear warning and refuses to connect if the key file has permissions wider than 400. Run
chmod 400 my-key.pemimmediately after downloading. This is the single most common first-time mistake.Using the wrong username. Amazon Linux uses
ec2-user. Ubuntu usesubuntu. Debian usesadmin. The connection fails with “Permission denied (publickey)” even when the key is perfectly valid. Check the table above before troubleshooting anything else.Opening port 22 to 0.0.0.0/0. This exposes the instance to automated SSH brute-force attempts within minutes of launch. Always restrict the rule to your specific IP with
/32CIDR notation. If your IP changes regularly, use Session Manager and remove the port 22 rule entirely.Trying to SSH directly to a private instance from the internet. Instances in private subnets have no public IP. The connection times out rather than refuses, which looks identical to a firewall block and can mislead you into checking the wrong thing first. Confirm the instance has a public IP before investigating the key or username.
Losing the private key with no recovery plan. Recovery is possible but slow. Store the .pem file securely from the start, or configure Session Manager so the key is never the only way in.
Leaving port 22 open indefinitely. Remove the inbound rule when you are done with a session if you do not need persistent SSH access. A narrower attack surface is always better. This is the core of the principle of least privilege applied to network access.
Summary
- Connect with:
ssh -i your-key.pem username@public-ip - Run
chmod 400on your .pem file first. SSH will not use a key file readable by other users. - Default usernames:
ec2-userfor Amazon Linux,ubuntufor Ubuntu,adminfor Debian - Restrict port 22 to your own IP with
/32. Never open it to0.0.0.0/0. - Private instances have no public IP. Use a bastion host, VPN, or Session Manager to reach them.
- Session Manager is the modern alternative: no key pairs, no port 22, works on private instances, with full audit logging
- EC2 Instance Connect is the fastest recovery option when locked out. No pre-configuration needed.
- Never set
StrictHostKeyChecking no. It silently disables host key verification.
Frequently asked questions
How do I SSH into an EC2 instance?
You need a .pem private key file, the instance public IP, and port 22 open in the security group from your IP. Run: ssh -i your-key.pem ec2-user@<public-ip> for Amazon Linux, or replace ec2-user with ubuntu for Ubuntu instances. Set chmod 400 on the .pem file first or SSH will refuse to use it.
What username should I use for Amazon Linux vs Ubuntu?
Use ec2-user for Amazon Linux 2023 and Amazon Linux 2. Use ubuntu for Ubuntu AMIs. Use admin for Debian. The wrong username causes a "Permission denied (publickey)" error even when everything else is correct.
Why do I get "Permission denied (publickey)"?
The most common causes are: wrong username for the OS, .pem file permissions not set to 400 (run chmod 400 your-key.pem), using the wrong key pair (not the one selected when launching the instance), or the instance was launched with no key pair at all.
Can I SSH into a private EC2 instance?
Not directly from the internet. Private instances only have private IP addresses and are not reachable from outside the VPC. To connect, use a bastion host in a public subnet, a VPN, or Session Manager, which works without any inbound ports or public IP.
What should I use instead of SSH on AWS?
AWS Systems Manager Session Manager is the modern alternative. It requires no key pairs, no open port 22, works on private instances, and logs all session activity. For occasional access or recovery, EC2 Instance Connect pushes a temporary key without any pre-configuration.