Differences

This shows you the differences between the selected revisions of the page.

guide_amazon_ec2 2014-07-16 guide_amazon_ec2 2024-08-19 (current)
Line 1: Line 1:
-====== Connecting Securely to Amazon EC2 Server ======+====== Connecting securely to Amazon EC2 server with SFTP ======
With WinSCP you can easily upload and manage files on your Amazon EC2 (Elastic Compute Cloud) instance/server over [[sftp|SFTP protocol]]. With WinSCP you can easily upload and manage files on your Amazon EC2 (Elastic Compute Cloud) instance/server over [[sftp|SFTP protocol]].
 +
 +===== Direct Connection =====
Before starting you should: Before starting you should:
  * [[guide_install|Have WinSCP installed]];   * [[guide_install|Have WinSCP installed]];
-  * [[http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/launching-instance.html|Have Amazon EC2 instance running]]; +  * [[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-instance-wizard.html|Have Amazon EC2 instance running]]; 
-  * [[http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html|Have enabled inbound SSH traffic from your IP address to your instance]]; +  * [[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-security-group.html|Have enabled inbound SSH traffic from your IP address to your instance]]; 
-  * Have your [[http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html|key pair]] ready;+  * Have your [[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html|key pair]] ready;
-First you need to [[ui_puttygen#other_formats|convert your private key]] from ''.pem'' format to ''.ppk'': +~~AD~~
-  * Use [[ui_puttygen|PuTTYgen]] tool for conversion; +
-  * PuTTYgen installs by default with WinSCP. One way to run it is using //Tools > Run PuTTYgen// command on WinSCP [[ui_login|Login dialog]]. +
-  * In PuTTYgen window, use //[[ui_puttygen#other_formats|Conversions > Import]]// command and locate your private key in ''.pem'' format. +
-  * Optionally enter passphrase for the converted key to protect it. +
-  * [[ui_puttygen#saving_private|Save private key]] to ''.ppk'' format using //Save private key// button.+
Collect information about your EC2 instance: Collect information about your EC2 instance:
-  * Host name: Check //Public DNS// column on //Instances// page of Amazon EC2 console. Note that the public DNS may change when instance is restarted.+  * Host name: Check //Public %%DNS%%// column on //Instances// page of Amazon EC2 console. Note that the public DNS may change when instance is restarted.
  * Host key fingerprint: On the first connect you will be prompted to [[ssh_verifying_the_host_key|verify server host key]].   * Host key fingerprint: On the first connect you will be prompted to [[ssh_verifying_the_host_key|verify server host key]].
-    * The only way we know how to get host key safely to verify it, is to locate its fingerprint in server's initial start log, when host keys are generated. Use //Actions > Get System Log// command on //Instances// page of Amazon EC2 console: \\ \\ &amp;screenshotpict(ec2_hostkey) \\ \\ Alternatively use ''[[http://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/ApiReference-cmd-GetConsoleOutput.html|ec2-get-console-output]]'' command-line tool. \\ Look for RSA (or DSA) key fingerprint. WinSCP does not support ECDSA keys. +    * To securely acquire a fingerprint of the host key, use EC2 web-based terminal. Go to //Actions > Connect > EC2 Instance Connect > Connect// on //Instances// page of Amazon EC2 console. In the terminal, use ''[[https://man.openbsd.org/ssh-keygen|ssh-keygen]]'' command to display a fingerprint of any number of host keys algorithms. The following example shows SHA-256 and MD5 fingerprints of Ed25519 hostkey: \\ &lt;code bash>sudo ssh-keygen -l -f /etc/<nohilite>ssh</nohilite>/ssh_host_ed25519_key 
-   * If you did not save the fingerprint on the first instance run, but you have another EC2 instance that you can connect to safely (you know its fingerprints), you can connect to the target instance using private IP from the trusted instance. Staying within private Amazon network should keep you safe from [[wp>Man-in-the-middle_attack|man-in-the-middle attacks]]. When on the trusted instance terminal, you can use following commands to collect fingerprints: \\ <code> +sudo ssh-keygen -l -f /etc/&lt;nohilite&gt;ssh&lt;/nohilite&gt;/ssh_host_ed25519_key -E md5
-$ ssh-keyscan <target_instance_private_ip> &gt; ec2key +
-$ ssh-keygen -l -f ec2key +
-2048 cc:3d:ac:a7:13:61:4c:14:25:47:80:ae:f1:f3:aa:10 172.31.30.101 (RSA) +
-256 ea:bc:4d:5f:ae:00:48:75:45:ba:97:43:fe:e1:a3:e9 172.31.30.101 (ECDSA)+
</code> </code>
-·····* Otherwise you probably have no way to connect to your instance safely. Consider disposing the instance and creating a new one (you may want to use action //Launch More Like this//).+ 
 +~~AD~~
Start WinSCP. [[ui_login|Login dialog]] will appear. On the dialog: Start WinSCP. [[ui_login|Login dialog]] will appear. On the dialog:
Line 34: Line 28:
  * //User name// differs with instance type:   * //User name// differs with instance type:
    * For an Amazon Linux AMI, the user name is ''ec2-user''.     * For an Amazon Linux AMI, the user name is ''ec2-user''.
-    * For a RHEL5 AMI, the user name is either root or ''ec2-user''.+    * For a RHEL5 AMI, the user name is either ''root'' or ''ec2-user''.
    * For an Ubuntu AMI, the user name is ''ubuntu''.     * For an Ubuntu AMI, the user name is ''ubuntu''.
 +    * For an Centos AMI, the user name is ''centos''.
    * For a Fedora AMI, the user name is either ''fedora'' or ''ec2-user''.     * For a Fedora AMI, the user name is either ''fedora'' or ''ec2-user''.
-    * For SUSE Linux, the user name is ''root''.+    * For SUSE Linux, the user name is ''root'' or ''ec2-user''.
  * Press //Advanced// button to open [[ui_login_advanced|Advanced site settings dialog]] and go to //[[ui_login_authentication|SSH > Authentication page]]//.   * Press //Advanced// button to open [[ui_login_advanced|Advanced site settings dialog]] and go to //[[ui_login_authentication|SSH > Authentication page]]//.
-  * In //Private key file// box select file you have saved your private key in ''.ppk'' format.+  * In //Private key file// box select the ''.pem'' private key file. WinSCP will need to convert the key to its ''.ppk'' format (you can then use the converted ''.ppk'' key for example with [[integration_putty|PuTTY]] SSH client).
  * Submit Advanced site settings dialog with //OK// button.   * Submit Advanced site settings dialog with //OK// button.
-  * Save your site settings using //Save// button. \\ \\ &screenshotpict(ec2_login) \\+  * Save your site settings using //Save// button. \\ \\ &screenshotpict(ec2_login) \\ \\
  * Login using //Login// button.   * Login using //Login// button.
  * [[ssh_verifying_the_host_key|Verify the host key]] by comparing fingerprints with those collected before (see above).   * [[ssh_verifying_the_host_key|Verify the host key]] by comparing fingerprints with those collected before (see above).
-===== Further reading ===== +//If you are managing a large amount of servers, and it is not feasible for you to save a site for each of them in WinSCP, consider using the user script [[guide_injecting_sftp_ftp_url_to_page|*]].//
-  * Guide to [[guide_upload|uploading files to SFTP server]]; +
-  * Guide to [[guide_automation|automating operations]] (including upload); +
-  * [[http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html|Official guide for connecting using PuTTY/WinSCP]].+
 +===== [[vpc]] Connecting to EC2 instance in VPC =====
 +
 +To connect to an EC2 instance in an Amazon VPC, you can tunnel through a [[https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html|NAT instance]].
 +
 +For details, see [[guide_tunnel|*]].
 +
 +===== [[ssm]] Connecting using AWS SSM (Session Manager) =====
 +
 +In //Host name//, specify your //Instance ID//.
 +
 +Press //Advanced// button to open [[ui_login_advanced|Advanced site settings dialog]] and go to //[[ui_login_proxy|Connection > Proxy page]]//. There:
 +
 +  * For //Proxy type//, select //Local//.
 +  * In //Local proxy command//, specify: \\ <code>aws ssm start-session --target %host --document-name AWS-StartSSHSession --parameters "portNumber=%port" --profile <aws profile> --region <region></code>
 +  * You may need to set //Do DNS name lookup at proxy end// to //Yes//.
 +
 +===== Further reading =====
 +  * [[guide_upload|*]];
 +  * [[guide_automation|*]];
 +  * [[faq_su|*]]
 +  * [[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connect-linux-inst-from-windows.html|Official AWS guide for connecting using PuTTY/WinSCP]];
 +  * [[https://docs.aws.amazon.com/transfer/latest/userguide/transfer-file.html#winscp|Official AWS guide for transfering files using a WinSCP]]
 +  * [[guide_google_compute_engine|*]];
 +  * [[guide_microsoft_azure|*]].

Last modified: by martin