This is an old revision of the document!


Connecting Securely to Amazon EC2 Server

With WinSCP you can easily upload and manage files on your Amazon EC2 (Elastic Compute Cloud) instance/server over the SFTP protocol.

Before starting you should:


First you need to convert your private key from .pem format to .ppk:

  • Use the PuTTYgen tool for the conversion.
  • PuTTYgen installs by default with WinSCP. One way to run it is to use the Tools > Run PuTTYgen command on the WinSCP Login dialog.
  • In the PuTTYgen window, use the Conversions > Import command and locate your private key in .pem format.
  • Optionally enter a passphrase for the converted key to protect it.
  • Save the private key in .ppk format using the Save private key button.

Collect information about your EC2 instance:

  • Host name: Check the Public DNS column on the Instances page of the Amazon EC2 console. Note that the public DNS may change when the instance is restarted.
  • Host key fingerprint: On the first connect you will be prompted to verify the server host key.
    • The only safe way we know to obtain the host key for verification is to locate its fingerprint in the server’s initial start log, written when the host keys are generated (Actions > Get System Log command on the Instances page of the Amazon EC2 console).

      Look for the RSA (or DSA) key fingerprint. WinSCP does not support ECDSA keys.
    • If you did not save the fingerprint on the first instance run, but you have another EC2 instance that you can connect to safely (you know its fingerprints), you can connect to the target instance from the trusted instance using the target's private IP address. Staying within the private Amazon network should keep you safe from man-in-the-middle attacks. On the trusted instance terminal, you can use the following commands to collect the fingerprints:
      $ ssh-keyscan <target_instance_private_ip> > ec2key
      $ ssh-keygen -l -f ec2key
      2048 cc:3d:ac:a7:13:61:4c:14:25:47:80:ae:f1:f3:aa:10 172.31.30.101 (RSA)
      256 ea:bc:4d:5f:ae:00:48:75:45:ba:97:43:fe:e1:a3:e9 172.31.30.101 (ECDSA)
      
    • Otherwise you probably have no way to connect to your instance safely. Consider disposing of the instance and creating a new one (you may want to use the action Launch More Like this).
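
The comparison described above, as an added example that is not part of the WinSCP documentation: it derives the colon-separated MD5 fingerprint from an ssh-keyscan line and accepts the key only if that fingerprint appears in the host key block of the system log. The function names are hypothetical, and the key blobs, the log excerpt and its marker layout are constructed sample data.

```python
import base64
import hashlib
import re

# One MD5 fingerprint: 16 colon-separated hex byte pairs.
FP_RE = re.compile(r"\b(?:[0-9a-f]{2}:){15}[0-9a-f]{2}\b")

def md5_fingerprint(keyscan_line):
    """Fingerprint of one 'host keytype base64-blob' line from ssh-keyscan."""
    _host, _keytype, blob = keyscan_line.split()[:3]
    raw = base64.b64decode(blob, validate=True)
    digest = hashlib.md5(raw, usedforsecurity=False).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def console_fingerprints(system_log):
    """Fingerprints listed between the BEGIN/END markers of the system log."""
    found, inside = set(), False
    for line in system_log.splitlines():
        if "BEGIN SSH HOST KEY FINGERPRINTS" in line:
            inside = True
        elif "END SSH HOST KEY FINGERPRINTS" in line:
            inside = False
        elif inside:
            found.update(FP_RE.findall(line.lower()))
    return found

def host_key_is_trusted(keyscan_line, system_log):
    """True only if the scanned key's fingerprint was printed at first boot."""
    return md5_fingerprint(keyscan_line) in console_fingerprints(system_log)

def demo_key(material):
    # Constructed blob: not a valid RSA key, only bytes to fingerprint.
    blob = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + material).decode()
    return "172.31.30.101 ssh-rsa " + blob

# Constructed sample data (assumed log layout, made-up keys).
GENUINE = demo_key(b"constructed key generated at first boot")
UNEXPECTED = demo_key(b"constructed key offered by another host")
SYSTEM_LOG = "\n".join([
    "ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----",
    "ec2: 2048 " + md5_fingerprint(GENUINE) + " root@ip-172-31-30-101 (RSA)",
    "ec2: -----END SSH HOST KEY FINGERPRINTS-----",
])

if __name__ == "__main__":
    for name, line in (("genuine", GENUINE), ("unexpected", UNEXPECTED)):
        print(name, md5_fingerprint(line), host_key_is_trusted(line, SYSTEM_LOG))
```

A fingerprint that appears in the log outside the marker block is ignored, so only the lines written when the host keys were generated count as the reference.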

Start WinSCP. The Login dialog will appear. On the dialog:

  • Make sure the New site node is selected.
  • On the New site node, make sure the SFTP protocol is selected.
  • Enter your EC2 instance public DNS name (see above) into the Host name box.
  • User name differs with instance type:
    • For an Amazon Linux AMI, the user name is ec2-user.
    • For a RHEL5 AMI, the user name is either root or ec2-user.
    • For an Ubuntu AMI, the user name is ubuntu.
    • For a Fedora AMI, the user name is either fedora or ec2-user.
    • For SUSE Linux, the user name is root.
  • Press the Advanced button to open the Advanced site settings dialog and go to the SSH > Authentication page.
  • In the Private key file box, select the .ppk file in which you saved your private key.
  • Submit the Advanced site settings dialog with the OK button.
  • Save your site settings using the Save button.


  • Log in using the Login button.
  • Verify the host key by comparing fingerprints with those collected before (see above).


Further reading

Last modified: by martin