Amazon AWS


Can't SSH into AWS Instance

It's a common issue

From time to time I'll get a request from someone who is trying to get into their AWS server via SSH but is unable to. There are a number of reasons why this happens:

  1. Lost the Key Pair's private key (the SSH private key)
  2. A developer set up the Key Pair and has since disappeared.
  3. Locked out of SSH for some other reason (the key is no longer accepted, or sshd itself is broken)

Rule #1 - Always set a root password!

When you deploy a server, set the root password and store it somewhere secure. I suggest 1Password (affiliate link) for storing this password.

Having the root password lets you get into the server out of band (OOB), usually through the console, when SSH itself is the thing that is broken. Keep password authentication disabled in sshd so that this password is only usable from the console and never becomes an internet-facing credential.
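The check that goes with Rule #1, as an added example (not code from the original page): a local password is only safe for console recovery if sshd still refuses password logins. The snippet sets a console password for a user and verifies the sshd configuration. It assumes OpenSSH reads `/etc/ssh/sshd_config` plus, on newer images, `/etc/ssh/sshd_config.d/*.conf` through an `Include` near the top of that file; `set_console_password` must run as root on the instance.

```shell
#!/bin/sh
# Added example, not from the original page: give a local user a console
# password for out-of-band recovery while making sure sshd still refuses
# password logins, so the password never becomes an internet-facing credential.
# Assumptions: OpenSSH reads /etc/ssh/sshd_config and, on newer images,
# /etc/ssh/sshd_config.d/*.conf through an Include near the top of that file;
# set_console_password runs as root on the instance.

# Print the value of the first non-comment occurrence of KEYWORD in FILE
# (empty if absent). sshd keeps the FIRST value it sees for a keyword, so a
# "PasswordAuthentication no" placed after an earlier "yes" is silently ignored;
# that is the mistake this check is meant to catch. Keywords are case-insensitive.
first_directive() {
  awk -v key="$2" '
    /^[[:space:]]*#/ || NF < 2 { next }
    tolower($1) == tolower(key) { print $2; exit }
  ' "$1"
}

# Exit 0 when the configuration rooted at CFG leaves PasswordAuthentication off.
# Drop-in files are examined first because the Include that pulls them in sits
# at the top of the main file on Amazon Linux 2023 and Ubuntu; on an image with
# the Include elsewhere, trust "sshd -T" (see sshd_password_auth_disabled).
config_password_auth_disabled() {
  cfg="${1:-/etc/ssh/sshd_config}"
  for f in "$(dirname "$cfg")"/sshd_config.d/*.conf "$cfg"; do
    [ -f "$f" ] || continue
    case "$(first_directive "$f" PasswordAuthentication | tr 'A-Z' 'a-z')" in
      no)  return 0 ;;
      yes) return 1 ;;
    esac
  done
  return 1   # OpenSSH defaults PasswordAuthentication to yes when it is never set
}

# Authoritative check on a live system: sshd -T prints the fully resolved
# configuration (Includes and Match blocks applied). Needs root.
sshd_password_auth_disabled() {
  sshd -T 2>/dev/null | grep -qi '^passwordauthentication no'
}

# Set a console password for USER, reading it from stdin so it stays out of
# shell history and the process list; then put it in a password manager.
set_console_password() {
  IFS= read -r pw
  printf '%s:%s\n' "$1" "$pw" | chpasswd
}
```

Run `config_password_auth_disabled` (or `sudo sshd -T | grep -i passwordauthentication`) after any change to the sshd config; a "yes" that sneaks in through a cloud-init drop-in is the usual surprise.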

Rule #2 - Set up EC2 Instance Connect to Manage SSH Keys

Amazon AWS provides a tool called EC2 Instance Connect. You install an agent on your EC2 instance and set up the appropriate IAM permissions for the users in your organization.

You can then log in to your instance from the EC2 Console (web based) without dealing with SSH keys. The browser client connects from an AWS-owned address range (published as the EC2_INSTANCE_CONNECT service in AWS's ip-ranges.json), so the instance's security group must allow SSH from that range or the console session will fail.

You can also install the AWS CLI on your local computer, push your SSH public key to any instance you are allowed to, and then log in with PuTTY or another SSH client.

Optionally you can use the EC2 Instance Connect CLI and run a command called mssh, which generates a one-time SSH key, pushes it to the instance and logs in; the agent on the instance removes the key after 60 seconds.

Here's a link to the EC2 Instance Connect guide.
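The CLI flow described above, as an added example (not code from the original page or from AWS): a least-privilege IAM policy for the user, then an ephemeral key pushed with `send-ssh-public-key` and used before it expires. It assumes the `ec2-instance-connect` package is installed on the instance, the security group allows port 22 from your address, AWS CLI v2 and OpenSSH are on PATH, and the region comes from your profile or `AWS_REGION`; the instance ID, account ID and region shown are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: push a short-lived public key to
# an instance with EC2 Instance Connect and log in with it. Assumptions: the
# ec2-instance-connect agent is installed on the instance; the caller's IAM
# identity is allowed ec2-instance-connect:SendSSHPublicKey for that instance
# and OS user; the security group allows port 22 from your address; AWS CLI v2
# and OpenSSH are on PATH. IDs and the region below are placeholders.

# Least-privilege IAM policy for one instance and one OS user. The ec2:osuser
# condition stops someone allowed to push keys for "ec2-user" from pushing one
# for root or another account; DescribeInstances lets the client resolve the address.
eic_policy_json() {
  region="$1"; account="$2"; instance_id="$3"; os_user="$4"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2-instance-connect:SendSSHPublicKey",
      "Resource": "arn:aws:ec2:${region}:${account}:instance/${instance_id}",
      "Condition": { "StringEquals": { "ec2:osuser": "${os_user}" } }
    },
    { "Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*" }
  ]
}
EOF
}

# Push PUBKEY_FILE for OS_USER to INSTANCE_ID. Prints "True" on success.
# The agent accepts the key for about 60 seconds, so ssh must follow at once.
eic_push_key() {
  aws ec2-instance-connect send-ssh-public-key \
    --instance-id "$1" --instance-os-user "$2" \
    --ssh-public-key "file://$3" --query Success --output text
}

# Public IP of INSTANCE_ID ("None" if it has no public address).
eic_public_ip() {
  aws ec2 describe-instances --instance-ids "$1" \
    --query 'Reservations[0].Instances[0].PublicIpAddress' --output text
}

# Full flow: ephemeral ed25519 key pair, pushed, used once, then deleted.
# Usage: eic_ssh i-0123456789abcdef0 ec2-user
eic_ssh() {
  instance_id="$1"; os_user="${2:-ec2-user}"
  tmp="$(mktemp -d)"; trap 'rm -rf "$tmp"' EXIT
  ssh-keygen -q -t ed25519 -N '' -f "$tmp/key"
  [ "$(eic_push_key "$instance_id" "$os_user" "$tmp/key.pub")" = "True" ] \
    || { echo "SendSSHPublicKey failed; check IAM and the agent" >&2; return 1; }
  ssh -i "$tmp/key" -o IdentitiesOnly=yes "$os_user@$(eic_public_ip "$instance_id")"
}
```

`mssh ec2-user@i-0123456789abcdef0` from the `ec2instanceconnectcli` package does the same key generation and push in one step. Because the pushed key only lives for a minute and the private half is deleted afterwards, there is no long-lived key to lose, which is the point of Rule #2.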

Rule #3 - Set up Systems Manager

AWS Systems Manager includes Session Manager, which you can use to get a shell on your EC2 instances at no charge and without opening any inbound port. Just be sure to set up Session Manager only; the rest of Systems Manager is not needed for this.

Gaining SSH access to your AWS Instance

You can regain access to your AWS instance using one of the following methods.

Method #1 - Using the EC2 Serial Console + Password

Back in March 2021, Amazon AWS released the EC2 Serial Console. This lets you reach your server's console and log in as any local user, provided the instance is Nitro-based and serial console access has been enabled for the account.

You don't need the root login; you can use a regular user such as ec2-user or ubuntu and run sudo or su -. Granted, this won't work if you set up SSH key authentication only and never set a password, because the console login prompt (getty) only takes a password.

Here's the guide from the Amazon AWS blog.
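The serial console can also be reached from a terminal over SSH rather than the browser. The following is an added example, not code from the original page or from AWS; it assumes a Nitro-based instance, serial console access enabled for the account in the region, IAM permission for `ec2-instance-connect:SendSerialConsoleSSHPublicKey`, a login prompt on ttyS0 in the guest (current Amazon Linux and Ubuntu AMIs have one), and a local user with a password. The instance ID and region are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: reach the EC2 Serial Console from a
# terminal over SSH instead of the browser. Assumptions: a Nitro-based instance;
# serial console access enabled for the account in this region; the caller's IAM
# identity allows ec2-instance-connect:SendSerialConsoleSSHPublicKey; the guest
# runs a login prompt on ttyS0 (current Amazon Linux and Ubuntu AMIs do); a local
# user with a password exists. Instance ID and region values are placeholders.

# The serial console is off per account and region until enabled. Both print True/False.
serial_console_enable() {
  aws ec2 enable-serial-console-access --query SerialConsoleAccessEnabled --output text
}
serial_console_status() {
  aws ec2 get-serial-console-access-status --query SerialConsoleAccessEnabled --output text
}

# SSH target for the console: <instance-id>.port0@serial-console.ec2-instance-connect.<region>.aws
serial_console_target() {
  printf '%s.port0@serial-console.ec2-instance-connect.%s.aws\n' "$1" "$2"
}

# Push a one-time key (accepted for about 60 seconds) and open the console.
# Only one serial session per instance is allowed, so close it when done or the
# next attempt fails. Press Enter after connecting to wake the login prompt.
# Usage: serial_console_ssh i-0123456789abcdef0 us-east-1
serial_console_ssh() {
  instance_id="$1"; region="$2"
  [ "$(serial_console_status)" = "True" ] \
    || { echo "serial console access is disabled for this account/region" >&2; return 1; }
  tmp="$(mktemp -d)"; trap 'rm -rf "$tmp"' EXIT
  ssh-keygen -q -t ed25519 -N '' -f "$tmp/key"
  aws ec2-instance-connect send-serial-console-ssh-public-key \
    --instance-id "$instance_id" --serial-port 0 \
    --ssh-public-key "file://$tmp/key.pub" --region "$region" >/dev/null
  ssh -i "$tmp/key" -o IdentitiesOnly=yes "$(serial_console_target "$instance_id" "$region")"
}
```

On the first connection, compare the host key fingerprint ssh shows against the fingerprints AWS publishes for the serial console endpoint in its documentation; you are about to type a password into it.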

Method #2 - Using the EC2 Serial Console + Single User Mode

If you don't have a password for the system, you can use the EC2 Serial Console to interrupt the boot loader and boot your instance into what's called single-user mode.

Once there you can remount the root filesystem read-write and make changes, such as resetting the root or local user password. Adding an SSH key can be done using the copy-and-paste function of the EC2 Serial Console.

Here's a link to the specific section of the previously mentioned article.

Method #3 - Using cloudinit

I didn't know about this one, but if your server has cloud-init enabled, it can be used to install a new public key. Note that cloud-init only imports the EC2 Key Pair's public key on the instance's first boot, so simply swapping the Key Pair is not an option; the knowledge base method instead rewrites the instance's user data (which needs a stop/start) so that cloud-init appends your new key.

Here's the guide from the Amazon AWS knowledgebase. Look at Method #1.
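What that user-data rewrite looks like end to end, as an added example (not code from the original page or from the AWS knowledge base): the multipart user data carries a cloud-config part that makes cloud-init run user scripts on every boot, plus the script that appends the key. It assumes cloud-init is present in the image (true for AWS-provided AMIs), that you may stop/start the instance and modify its attributes, and that the root volume is EBS (the stop/start discards instance-store data). The instance ID, user and key are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: append a public key to an
# instance's authorized_keys by rewriting its user data, which is the
# mechanism behind the cloud-init method. cloud-init runs user scripts only on
# first boot by default; the cloud-config part below switches the scripts-user
# module to "always" so the script also runs after the stop/start.
# Assumptions: cloud-init is present in the image (true for AWS-provided AMIs);
# the caller may stop/start the instance and modify its attributes; the root
# volume is EBS (the stop/start discards instance-store data). IDs are placeholders.

# Build the multipart MIME user data that adds PUBKEY (one OpenSSH line) for OS_USER.
recovery_user_data() {
  os_user="$1"; pubkey="$2"
  cat <<EOF
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [scripts-user, always]

--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"

#!/bin/bash
set -eu
home=\$(getent passwd '${os_user}' | cut -d: -f6)
install -d -m 700 "\$home/.ssh"
grep -qxF '${pubkey}' "\$home/.ssh/authorized_keys" 2>/dev/null || echo '${pubkey}' >> "\$home/.ssh/authorized_keys"
chmod 600 "\$home/.ssh/authorized_keys"
chown -R '${os_user}:' "\$home/.ssh"
--//--
EOF
}

# Stop the instance, save its current user data, install the recovery user data,
# verify what EC2 stored, and start it again. The CLI base64-encodes the file for
# this attribute; the decode-and-compare step proves the round trip so you do not
# boot with mangled user data. Keep the saved file: once you are back in, restore
# the original user data, because "always" re-runs this script as root on every boot.
# Usage: apply_recovery_user_data i-0123456789abcdef0 ec2-user "ssh-ed25519 AAAA... recovery"
apply_recovery_user_data() {
  instance_id="$1"; os_user="$2"; pubkey="$3"
  new="$(mktemp)"; saved="userdata-${instance_id}.b64"
  recovery_user_data "$os_user" "$pubkey" > "$new"
  aws ec2 describe-instance-attribute --instance-id "$instance_id" \
    --attribute userData --query UserData.Value --output text > "$saved"
  aws ec2 stop-instances --instance-ids "$instance_id" >/dev/null
  aws ec2 wait instance-stopped --instance-ids "$instance_id"
  aws ec2 modify-instance-attribute --instance-id "$instance_id" \
    --attribute userData --value "file://$new"
  aws ec2 describe-instance-attribute --instance-id "$instance_id" \
    --attribute userData --query UserData.Value --output text | base64 -d | cmp -s - "$new" \
    || { echo "stored user data does not match; check base64 handling" >&2; return 1; }
  aws ec2 start-instances --instance-ids "$instance_id" >/dev/null
  rm -f "$new"
  echo "original user data saved (base64) in $saved"
}
```

Anyone with `ec2:ModifyInstanceAttribute` plus stop/start rights can do this to any instance, which is a useful reminder of why those permissions deserve the same scrutiny as SSH keys.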

Method #4 - Donor Instance

This is probably the last method you ever want to use. Launch a small temporary instance in the same Availability Zone, stop the instance you can't reach over SSH, detach its root EBS volume and attach it to the temporary instance as a secondary volume.

You can then log in to the temporary instance, mount the volume and add your SSH keys. Afterwards unmount it, detach it, reattach it to the original instance under its original device name (/dev/xvda or /dev/sda1, whatever the instance reports as its root device) and start the instance.

Here's the guide from the Amazon AWS User Guide.
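Both Method #2 and Method #4 end with the same task: writing an authorized key into a root filesystem that is not the running system. The following is an added example (not code from the original page or from AWS). Part one does the volume shuffle for the donor instance with the AWS CLI; part two installs the key under any mount point, so it works from single-user mode (`ROOT=/`) and from the donor (`ROOT=/mnt/rescue`). It assumes donor and target are in the same Availability Zone (EBS cannot attach across AZs) and that the volume is attached on the donor as `/dev/sdf`; instance IDs, device names and the key are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page. Part one moves the locked-out
# instance's root volume to a donor (rescue) instance with the AWS CLI; part
# two writes an authorized key into a root filesystem mounted at any path, so
# it serves both the single-user-mode route (ROOT=/) and the donor route
# (ROOT=/mnt/rescue). Assumptions: donor and target are in the same
# Availability Zone (EBS cannot attach across AZs); the volume is attached on
# the donor as /dev/sdf, which the kernel exposes as /dev/xvdf or /dev/nvme1n1;
# instance IDs, device names and the key below are placeholders.

# Volume ID of the root device of INSTANCE_ID.
root_volume_id() {
  dev="$(aws ec2 describe-instances --instance-ids "$1" \
          --query 'Reservations[0].Instances[0].RootDeviceName' --output text)"
  aws ec2 describe-instances --instance-ids "$1" \
    --query "Reservations[0].Instances[0].BlockDeviceMappings[?DeviceName=='$dev'].Ebs.VolumeId | [0]" \
    --output text
}

# Stop TARGET, detach its root volume, attach it to DONOR as /dev/sdf.
# Prints "<volume-id> <original-device>": you need the original device name to
# re-attach the volume later (attach-volume ... --device "$dev"), or the
# instance will not boot.
move_root_volume_to_donor() {
  target="$1"; donor="$2"
  vol="$(root_volume_id "$target")"
  dev="$(aws ec2 describe-instances --instance-ids "$target" \
          --query 'Reservations[0].Instances[0].RootDeviceName' --output text)"
  aws ec2 stop-instances --instance-ids "$target" >/dev/null
  aws ec2 wait instance-stopped --instance-ids "$target"
  aws ec2 detach-volume --volume-id "$vol" >/dev/null
  aws ec2 wait volume-available --volume-ids "$vol"
  aws ec2 attach-volume --volume-id "$vol" --instance-id "$donor" --device /dev/sdf >/dev/null
  aws ec2 wait volume-in-use --volume-ids "$vol"
  echo "$vol $dev"
}

# On the donor: mount the target's root partition. "nouuid" is needed for XFS
# when donor and target were built from the same AMI and share a filesystem UUID.
#   mount -o nouuid /dev/nvme1n1p1 /mnt/rescue     # or /dev/xvdf1 on Xen instances
#   install_authorized_key /mnt/rescue ec2-user "ssh-ed25519 AAAA... recovery"
#   umount /mnt/rescue   # then detach, re-attach under the original device name, start

# Append PUBKEY to USER's authorized_keys under the filesystem rooted at ROOT,
# with the ownership and modes sshd insists on. Resolves uid/gid/home from
# ROOT/etc/passwd rather than the running system, since the donor's users differ.
install_authorized_key() {
  root="$1"; user="$2"; pubkey="$3"
  case "$pubkey" in
    ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *|sk-*\ *) ;;
    *) echo "not an OpenSSH public key line" >&2; return 1 ;;
  esac
  entry="$(awk -F: -v u="$user" '$1 == u { print $3 ":" $4 ":" $6; exit }' "$root/etc/passwd")"
  [ -n "$entry" ] || { echo "user $user not found in $root/etc/passwd" >&2; return 1; }
  uid="${entry%%:*}"; rest="${entry#*:}"; gid="${rest%%:*}"; home="${rest#*:}"
  sshdir="$root$home/.ssh"
  mkdir -p "$sshdir" && chmod 700 "$sshdir"
  grep -qxF "$pubkey" "$sshdir/authorized_keys" 2>/dev/null \
    || printf '%s\n' "$pubkey" >> "$sshdir/authorized_keys"
  chmod 600 "$sshdir/authorized_keys"
  chown "$uid:$gid" "$sshdir" "$sshdir/authorized_keys"
  # SELinux systems (Amazon Linux, RHEL): files written from outside the booted
  # OS may carry the wrong label and sshd will ignore them; relabel on next boot.
  if [ -e "$root/etc/selinux/config" ]; then touch "$root/.autorelabel"; fi
}
```

The ownership step is the one people skip: sshd runs with `StrictModes yes` by default and rejects an `authorized_keys` file or `.ssh` directory that is writable by anyone but the user, so a key copied in as root with the wrong owner leaves you exactly where you started.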

Method #5 - Session Manager via AWS Systems Manager

You can use Session Manager to gain access to your AWS EC2 instance. However, you have to set up AWS Systems Manager first (the SSM agent running on the instance and an instance profile that lets it register), so this only helps if it was in place before you lost access.

Here's the guide
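The setup that Rule #3 and Method #5 both depend on, as an added example (not code from the original page or from AWS): the instance-side role, a readiness check, a user policy scoped to one instance, and an SSH client config that tunnels ssh through Session Manager so no inbound port 22 is needed. It assumes the SSM agent is installed (preinstalled on Amazon Linux and Ubuntu AMIs), the instance can reach the ssm, ssmmessages and ec2messages endpoints (a public route or VPC endpoints), and the Session Manager plugin is installed on your machine; role, account, region and instance values are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: the pieces Session Manager access
# depends on. Assumptions: the SSM agent is installed on the instance; the
# instance can reach the ssm, ssmmessages and ec2messages endpoints; the
# Session Manager plugin for the AWS CLI is installed locally. Role names,
# account, region and instance IDs below are placeholders.

# Instance side: the role behind the instance profile needs this managed policy
# so the agent can register with Systems Manager.
ssm_grant_instance_role() {
  aws iam attach-role-policy --role-name "$1" \
    --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
}

# "Online" means the agent has registered and a session can start; "None",
# "ConnectionLost" or "Inactive" mean fix the instance profile or network first.
ssm_ping_status() {
  aws ssm describe-instance-information \
    --filters "Key=InstanceIds,Values=$1" \
    --query 'InstanceInformationList[0].PingStatus' --output text
}
ssm_ready() { [ "$(ssm_ping_status "$1")" = "Online" ]; }

# User side: start sessions on one instance only, and only resume or end
# sessions you started (session IDs are prefixed with the caller's user name).
ssm_user_policy_json() {
  region="$1"; account="$2"; instance_id="$3"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": [
        "arn:aws:ec2:${region}:${account}:instance/${instance_id}",
        "arn:aws:ssm:${region}:${account}:document/SSM-SessionManagerRunShell"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["ssm:ResumeSession", "ssm:TerminateSession"],
      "Resource": "arn:aws:ssm:*:*:session/\${aws:username}-*"
    }
  ]
}
EOF
}

# Interactive shell as ssm-user (sudo-capable) with no SSH involved at all.
ssm_shell() { aws ssm start-session --target "$1"; }

# ~/.ssh/config stanza: "ssh i-0123456789abcdef0" rides inside a session, so the
# security group needs no inbound rule. This still needs a key in authorized_keys,
# so it is for after recovery; use ssm_shell to get in when the key is the problem.
ssm_ssh_config() {
  cat <<'EOF'
Host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
    User ec2-user
EOF
}
```

Run `ssm_ready` before you need it, not after: a "None" ping status on an instance you believed was managed is the usual way to discover that the instance profile was never attached.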

All-in-one Guide

Pretty much every method above is covered on the following page.