What are best practices for accessing my EC2 Linux instance securely using SSH while avoiding unauthorized access?

5 minute read

I want to access my Amazon Elastic Compute Cloud (Amazon EC2) instance using SSH. What are best practices for keeping my instance secure and avoiding unauthorized access when using SSH?


Use the following best practices to secure your instances when using SSH. For steps that involve commands, be sure to run commands with root privileges. Run the sudo -i command to become the root user.

Use AWS Systems Manager Session Manager for shell access to EC2 instances

Session Manager allows AWS Identity and Access Management (IAM) users to log in to your instances with encryption and logging capabilities. Systems Manager's traffic goes through the Systems Manager Endpoint, allowing easy and secure access to private instances without opening inbound ports. For more information about Session Manager, see AWS Systems Manager Session Manager for shell access to EC2 instances.

Use EC2 Instance Connect for shell access to EC2 instances

Amazon EC2 Instance Connect allows you to connect to your Linux instances using Secure Shell (SSH) using IAM roles and policies. For more information about EC2 Instance Connect, see Connect to your Linux instance using EC2 Instance Connect.

Note: EC2 Instance Connect is supported in the following distributions:

  • Amazon Linux 2 (any version)
  • Ubuntu 16.04 or later

Don't allow the root user to use an SSH terminal

By default, Amazon-provided AMIs and most vendors from the AWS Marketplace don't allow the root user to log in from an SSH terminal. If your instance allows the root user to log in, then follow the steps below to deny access.

1.    Add an * (asterisk) to the password field in the /etc/shadow file to invalidate the root user's password:

Edit the file with vipw -s.

The first line is usually the root user's line. Change the root user's line as follows:


2.    Edit the SSH daemon's config file using an editor such as the vi editor:

vi /etc/ssh/sshd_config

Make sure that the following line is present and uncommented. This line denies login permission to the root user.

PermitRootLogin no

3.    Restart the SSH daemon:

systemctl restart sshd

For information on other parameters of the PermitRootLogin option, see sshd_config on OpenBSD.

Be sure that all users log in with an SSH key pair, and then deactivate password authentication

The default configuration for Amazon provided AMIs is logging in with an SSH key pair with password authentication deactivated. This is because using a password opens your instance to security risks such as brute force attacks. Weak passwords can be cracked to gain access.

So, if you altered your instance to use a password, revert to the default configuration using the following commands:

1.    Use the vi editor, or editor of your choice, to access the sshd_config file:

vi /etc/ssh/sshd_config

2.    Verify that the following line is present and uncommented:

PasswordAuthentication no

3.    Restart the SSH daemon:

systemctl restart sshd

Note: Make sure that you have key pairs installed before you deactivate password authentication. This prevents you from losing SSH access to the EC2 instance. Each user needs their public keys inserted in the path ~/.ssh/authorized_keys. For more information on key-based logins, see Amazon EC2 key pairs and Linux instances.

Restrict access from unknown sources

For public instances, leaving the SSH port open and unrestricted might allow intrusions if misconfigurations exist or if there are unexpected software vulnerabilities. To help prevent intrusions, follow these best practices:

1.    Keep the SSH daemon updated to the latest version supplied by your Linux distribution maintainer. Often the SSH daemon receives backport updates from later releases from the upstream provider. For more information on backporting, see Backporting security fixes on the Red Hat Customer Portal website.

yum -y install openssh-server # for Amazon Linux, RHEL, Centos
apt update && apt install openssh-server # For Ubuntu, Debian

2.    Restrict your security group to allow incoming connections to port 22 from trusted IPs only, such as corporate network IPs. For more information, see Authorize inbound traffic for your Linux instances.

3.    Some intruders might try to guess user names and passwords, or might try to overflow your SSH daemon if port 22 is opened to the world. The utility fail2ban monitors your log files for constant attempts to log in to your instance and then blocks the attempts after a few unsuccessful attempts. To install fail2ban**:**


apt -y install fail2ban

Amazon Linux, CentOS, RHEL:

Install the EPEL repository.

Run the following commands:

yum -y install fail2ban
systemctl enable fail2ban
systemctl start fail2ban

For details on how to configure fail2ban, see Linux security: Protect your systems with fail2ban on the Red Hat website.

AWS OFFICIALUpdated a year ago