
guide_amazon_ec2 2020-05-04 guide_amazon_ec2 2024-08-19 (current)
Line 1: Line 1:
-====== Connecting Securely to Amazon EC2 Server with SFTP ======+====== Connecting securely to Amazon EC2 server with SFTP ======
With WinSCP you can easily upload and manage files on your Amazon EC2 (Elastic Compute Cloud) instance/server over [[sftp|SFTP protocol]]. With WinSCP you can easily upload and manage files on your Amazon EC2 (Elastic Compute Cloud) instance/server over [[sftp|SFTP protocol]].
Line 6: Line 6:
Before starting you should: Before starting you should:
  * [[guide_install|Have WinSCP installed]];   * [[guide_install|Have WinSCP installed]];
-  * [[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/launching-instance.html|Have Amazon EC2 instance running]]; +  * [[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-instance-wizard.html|Have Amazon EC2 instance running]]; 
-  * [[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html|Have enabled inbound SSH traffic from your IP address to your instance]];+  * [[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-security-group.html|Have enabled inbound SSH traffic from your IP address to your instance]];
  * Have your [[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html|key pair]] ready;   * Have your [[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html|key pair]] ready;
Line 16: Line 16:
  * Host name: Check //Public %%DNS%%// column on //Instances// page of Amazon EC2 console. Note that the public DNS may change when instance is restarted.   * Host name: Check //Public %%DNS%%// column on //Instances// page of Amazon EC2 console. Note that the public DNS may change when instance is restarted.
  * Host key fingerprint: On the first connect you will be prompted to [[ssh_verifying_the_host_key|verify server host key]].   * Host key fingerprint: On the first connect you will be prompted to [[ssh_verifying_the_host_key|verify server host key]].
-    * You can locate key fingerprint in server's initial start log, when host keys are generated.((Using ''cloud-init'' script.)) Use //Actions > Instance Settings > Get System Log// command on //Instances// page of Amazon EC2 console: \\ \\ &screenshotpict(ec2_hostkey) \\ \\ The format of host key display in the log may differ with distribution or its version. \\ Alternatively use ''[[https://docs.aws.amazon.com/cli/latest/reference/ec2/get-console-output.html|aws ec2 get-console-output]]'' command+    * To securely acquire a fingerprint of the host key, use EC2 web-based terminal. Go to //Actions > Connect > EC2 Instance Connect > Connect// on //Instances// page of Amazon EC2 console. In the terminal, use ''[[https://man.openbsd.org/ssh-keygen|ssh-keygen]]'' command to display a fingerprint of any number of host keys algorithms. The following example shows SHA-256 and MD5 fingerprints of Ed25519 hostkey: \\ &lt;code bash>sudo ssh-keygen -l -f /etc/<nohilite>ssh</nohilite>/ssh_host_ed25519_key 
-   * If you did not save the fingerprint on the first instance run, but you have another EC2 instance that you can connect to safely (you know its fingerprints), you can connect to the target instance using private IP from the trusted instance. Staying within private Amazon network keeps you safe from [[wp>Man-in-the-middle_attack|man-in-the-middle attacks]]. When on the trusted instance terminal, you can use following commands to collect fingerprints: \\ <code> +sudo ssh-keygen -l -f /etc/<nohilite>ssh</nohilite>/ssh_host_ed25519_key -E md5
-$ ssh-keyscan <target_instance_private_ip> &gt; ec2key +
-$ ssh-keygen -l -f ec2key +
-256 SHA256:oZHeiMEPLKetRgd3M5Itgwaqr2zJJH93EvSdx5UoHbQ <ip> (ED25519+
-2048 SHA256:8zg105EUFFrPFpVzdfTGsgXnxuSpTiQd85k0uNapUio <ip> (RSA+
-256 SHA256:L7UXLw0djE5B9W7ZhvrkYVSTZyi1MEQ2dBaRtpkkUGY <ip> (ECDSA)+
</code> </code>
-    * If you do not have another trusted instance, you can create new temporary instance, just for the purpose of collecting the keys. First find keys for the new temporary instance, using it's initial start log. Then collect keys of the target instance by connecting to it from the temporary instance. After that you can discard the temporary instance. 
~~AD~~ ~~AD~~
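Review bot: The new fingerprint instructions cover only the Ed25519 host key, while the WinSCP prompt shows whichever host key algorithm was negotiated, so a reader who is shown an RSA or ECDSA fingerprint has nothing to compare against; suggest either listing every key (`for f in /etc/ssh/ssh_host_*_key.pub; do ssh-keygen -lf "$f"; done`) or saying that the file name must match the key type named in the prompt. The `sudo` is also avoidable: `ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub` reads the world-readable public key as an unprivileged user and never touches the private key file. The opening tag is written `&lt;code bash>` while the closing `</code>` is not entity-escaped; check that the wiki source really contains `<code bash>`, otherwise the block will not render. Finally, the removed "temporary instance" paragraph has no replacement; if the Instance Connect terminal is meant to supersede it, one sentence on why that channel can be trusted for fingerprint collection (it is reached through the authenticated AWS console rather than over an as-yet-unverified SSH connection) would make the substitution clear.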
Line 46: Line 40:
  * [[ssh_verifying_the_host_key|Verify the host key]] by comparing fingerprints with those collected before (see above).   * [[ssh_verifying_the_host_key|Verify the host key]] by comparing fingerprints with those collected before (see above).
-//If you are managing a large amount of servers, and it is not feasible for you to save a site for each of them in WinSCP, consider using an user script that [[guide_injecting_sftp_ftp_url_to_page|injects "Open in WinSCP" link to an Amazon EC2 management portal]].//+//If you are managing a large amount of servers, and it is not feasible for you to save a site for each of them in WinSCP, consider using the user script [[guide_injecting_sftp_ftp_url_to_page|*]].//
===== [[vpc]] Connecting to EC2 instance in VPC ===== ===== [[vpc]] Connecting to EC2 instance in VPC =====
Line 52: Line 46:
To connect to an EC2 instance in an Amazon VPC, you can tunnel through a [[https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html|NAT instance]]. To connect to an EC2 instance in an Amazon VPC, you can tunnel through a [[https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html|NAT instance]].
-For details, see a guide to [[guide_tunnel|connecting to an SFTP server which can be accessed via another server only]].+For details, see [[guide_tunnel|*]].
===== [[ssm]] Connecting using AWS SSM (Session Manager) ===== ===== [[ssm]] Connecting using AWS SSM (Session Manager) =====
Line 58: Line 52:
In //Host name//, specify your //Instance ID//. In //Host name//, specify your //Instance ID//.
-On [[ui_login_advanced|Advanced Site Settings dialog]], go to //Proxy Page//. There:+Press //Advanced// button to open [[ui_login_advanced|Advanced site settings dialog]] and go to //[[ui_login_proxy|Connection > Proxy page]]//. There:
  * For //Proxy type//, select //Local//.   * For //Proxy type//, select //Local//.
  * In //Local proxy command//, specify: \\ <code>aws ssm start-session --target %host --document-name AWS-StartSSHSession --parameters "portNumber=%port" --profile <aws profile> --region <region></code>   * In //Local proxy command//, specify: \\ <code>aws ssm start-session --target %host --document-name AWS-StartSSHSession --parameters "portNumber=%port" --profile <aws profile> --region <region></code>
-  * For //Do DNS name lookup at proxy end//, select //No//.+  * You may need to set //Do DNS name lookup at proxy end// to //Yes//.
===== Further reading ===== ===== Further reading =====
-  * Guide to [[guide_upload|uploading files to SFTP server]]; +  * [[guide_upload|*]]; 
-  * Guide to [[guide_automation|automating operations]] (including upload)+  * [[guide_automation|*]]; 
-  * [[faq_su|How do I change user after login (e.g. su root)?]] +  * [[faq_su|*]] 
-  * [[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html|Official guide for connecting using PuTTY/WinSCP]]; +  * [[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connect-linux-inst-from-windows.html|Official AWS guide for connecting using PuTTY/WinSCP]]; 
-  * Guide to [[guide_google_compute_engine|connecting to Google Compute Engine server with SFTP]]; +  * [[https://docs.aws.amazon.com/transfer/latest/userguide/transfer-file.html#winscp|Official AWS guide for transfering files using a WinSCP]] 
-  * Guide to [[guide_microsoft_azure|connecting to Microsoft Azure Service with SFTP or FTPS]].+  * [[guide_google_compute_engine|*]]; 
 +  * [[guide_microsoft_azure|*]].
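Review bot: The change from "select No" to "You may need to set ... to Yes" reverses the previous advice without stating when or why; suggest giving the condition, presumably that an instance ID such as the one entered in Host name is not a resolvable DNS name, so the name has to be passed unresolved to the local proxy command via `%host`, so readers know which value applies to them. In the Further reading list, the new line `Official AWS guide for transfering files using a WinSCP` has two typos (`transferring`, `using WinSCP`), and the item punctuation is inconsistent: `[[guide_automation|*]];` and `[[faq_su|*]]` (no terminator) sit beside a final `.`; either end every item but the last with `;` or drop the terminators throughout.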

Last modified: by martin