Private EC2 with EC2 Instance Connect Endpoint

0

Assigned full EC2 permissions to a given user, so that he can perform tasks on the instances and especially connect after creating one. The problem is that I can't establish an SSH connection with the instance; I realized that there is no public IP! I searched for something related (private EC2 with EC2 Instance Connect Endpoint). Would this be the correct way to establish the connection with the instance? If so, could someone give me a step-by-step guide on how to configure it correctly?

Johnny
asked 10 months ago
1334 views
6 Answers
0

If your instance runs a supported OS (Amazon Linux 2 or Ubuntu), you can configure EC2 Instance Connect as per the blog post Secure Connectivity from Public to Private: Introducing EC2 Instance Connect Endpoint.

AWS
EXPERT
Mike_L
answered 10 months ago
0

If you have problems connecting with SSH from the command line, you can also try clicking "Connect" in the AWS console to narrow down whether the problem is on the EC2 side or on the client/network side.

EXPERT
Kallu
answered 10 months ago
0

I launched an ec2 instance of type ( t2.micro ) and made the following relationships with the instance:

  • IAM (User) with permissions: AdministratorAccess, AmazonEC2FullAccess, IAMUserChangePassword and the custom one (AccessEc2Policy); the JSON follows for analysis:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EC2InstanceConnectPermissions",
            "Effect": "Allow",
            "Action": [
                "ec2-instance-connect:SendSSHPublicKey",
                "ec2-instance-connect:OpenTunnel",
                "ec2-instance-connect:SendSerialConsoleSSHPublicKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DescribeInstancesPermissions",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceConnectEndpoints"
            ],
            "Resource": "*"
        }
    ]
}
  • VPC (attached to instance)

  • Subnet (connected to VPC - Ok)

  • Security groups, setup: ... IPv4 (SSH - TCP - 22 - sg...) ... IPv4 (HTTP - TCP - 80 - 0.0.0.0/0) ... IPv4 (HTTPS - TCP - 443 - 0.0.0.0/0) ... IPv6 (HTTP - TCP - 80 - ::/0) ... IPv6 (HTTPS - TCP - 443 - ::/0)

  • Terminal: ssh -i "mykey.pem" admin@xxx.xx.xxx

  • AWS CLI: aws ec2 run-instances --image-id $ami_id --instance-type $instance_type --key-name $key_pair_name --security-group-ids $security_group_id --subnet-id $subnet_id --region $region_id --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=$instance_name}]"

( 0v0 ) -> I tried but could not connect to the instance through ( SSH and CLI ) ?

Johnny
answered 10 months ago
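The custom policy in the answer above grants OpenTunnel, SendSSHPublicKey and SendSerialConsoleSSHPublicKey on every resource with no conditions, so a holder can tunnel to any instance reachable through any endpoint in the account. As an added example (not code from this thread or from AWS), the shell function below emits a least-privilege version scoped to one endpoint, one instance, one OS user and TCP/22, using the documented EC2 Instance Connect condition keys ec2:remotePort, ec2:privateIpAddress, ec2:maxTunnelDuration and ec2:osuser. The ARNs, IP address and user name in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example: print a least-privilege IAM policy for EC2 Instance Connect
# Endpoint use. Arguments (constructed placeholders in the usage line below):
#   $1 endpoint ARN  arn:aws:ec2:REGION:ACCOUNT:instance-connect-endpoint/eice-...
#   $2 instance ARN  arn:aws:ec2:REGION:ACCOUNT:instance/i-...
#   $3 private IPv4 address of the instance (a /32 is built from it)
#   $4 OS user that may receive a pushed key (ec2-user, ubuntu, admin, ...)
# Usage: scoped_eice_policy "$EICE_ARN" "$INSTANCE_ARN" 10.0.1.25 admin > policy.json
scoped_eice_policy() {
  endpoint_arn=$1 instance_arn=$2 private_ip=$3 os_user=$4
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OpenTunnelToOneInstanceOnly",
      "Effect": "Allow",
      "Action": "ec2-instance-connect:OpenTunnel",
      "Resource": "$endpoint_arn",
      "Condition": {
        "NumericEquals": { "ec2:remotePort": "22" },
        "IpAddress": { "ec2:privateIpAddress": "$private_ip/32" },
        "NumericLessThanEquals": { "ec2:maxTunnelDuration": "3600" }
      }
    },
    {
      "Sid": "PushKeyForOneOsUser",
      "Effect": "Allow",
      "Action": "ec2-instance-connect:SendSSHPublicKey",
      "Resource": "$instance_arn",
      "Condition": { "StringEquals": { "ec2:osuser": "$os_user" } }
    },
    {
      "Sid": "DescribeOnly",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceConnectEndpoints"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}
```

The Describe actions keep `"Resource": "*"` because those API calls do not support resource-level permissions; the tunnel and key-push actions do, so they are pinned. Feed the output to `aws iam create-policy --policy-document file://policy.json`. Note that as long as AdministratorAccess is also attached to the same user, any narrower policy adds nothing; the scoped policy only has effect on a user that holds nothing broader.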
0

You may connect via the AWS Console; please find the steps below.

AWS Console

Pre-requisites:

To create an EC2 Instance Connect Endpoint, users require permissions for the following actions:

  • ec2:CreateInstanceConnectEndpoint
  • ec2:CreateNetworkInterface
  • ec2:CreateTags
  • iam:CreateServiceLinkedRole

To describe and delete EC2 Instance Connect Endpoints, users require permissions for the following actions:

  • ec2:DescribeInstanceConnectEndpoints
  • ec2:DeleteInstanceConnectEndpoint

Then assign the policy to users (IAM/Identity Center).

  1. To create an EC2 Instance Connect Endpoint, log in to the AWS Management Console -> VPC -> Endpoints -> Create endpoint.
  2. Select the VPC, Security Groups and Subnet where your instance is located. Tags are optional; click Submit.
  3. After successful creation you will receive a confirmation message.
  4. Navigate to EC2 in the AWS console and select the EC2 instance you would like to connect to.
  5. Select Connect. A new option "Connect using EC2 Instance Connect Endpoint" will show up.
  6. Hit Connect and a new instance will be launched in CloudShell.
AWS
Jaz
answered 10 months ago
0
  1. Create the Endpoint connection for the particular VPC
  2. Configure your instance security group and your endpoint security group
  3. Attach the correct policy for the IAM users.
  4. Then update the aws-cli (above 2.13)

If you need more information, check my git repo, attached below:

https://github.com/Joy-karthik/Secure-EIC.git

KARTHIK
answered 7 months ago
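The two answers above list the same four steps (endpoint, security groups, IAM policy, recent AWS CLI) from the console side. As an added example (not code from this thread or from the linked repositories), the script below performs the endpoint, security-group and connection steps with the AWS CLI, which is where the original question's `ssh -i "mykey.pem" admin@...` was failing. It assumes AWS CLI v2.12 or newer for the `ec2-instance-connect open-tunnel` subcommand; every subnet, security-group, instance and endpoint ID used in the usage comment is a constructed placeholder, and the `AWS` variable is a hypothetical hook so a wrapper can substitute the CLI binary.

```shell
#!/bin/sh
# Added example: the CLI form of the EC2 Instance Connect Endpoint setup.
# $AWS is an assumed indirection so the CLI can be swapped; default is "aws".
: "${AWS:=aws}"

# Step 1: create the endpoint in a subnet that routes to the instance and print
# its ID (eice-...). The endpoint gets its own security group, passed as $2.
create_eice() {
  subnet_id=$1 eice_sg=$2
  "$AWS" ec2 create-instance-connect-endpoint \
    --subnet-id "$subnet_id" --security-group-ids "$eice_sg" \
    --query 'InstanceConnectEndpoint.InstanceConnectEndpointId' --output text
}

# Step 1b: poll until the endpoint reaches create-complete; non-zero on failure.
wait_eice_ready() {
  eice_id=$1
  while :; do
    state=$("$AWS" ec2 describe-instance-connect-endpoints \
      --instance-connect-endpoint-ids "$eice_id" \
      --query 'InstanceConnectEndpoints[0].State' --output text)
    case "$state" in
      create-complete) return 0 ;;
      create-failed) echo "endpoint $eice_id failed to create" >&2; return 1 ;;
    esac
    sleep 5
  done
}

# Step 2: the instance SG accepts TCP/22 only from the endpoint's SG. No
# 0.0.0.0/0 rule on port 22 is needed: the client never reaches the instance
# directly, and the instance keeps no public IP.
allow_ssh_from_eice() {
  instance_sg=$1 eice_sg=$2
  "$AWS" ec2 authorize-security-group-ingress --group-id "$instance_sg" \
    --protocol tcp --port 22 --source-group "$eice_sg" --output text
}

# Step 3 (IAM) is out of scope here: the caller's identity needs
# ec2-instance-connect:OpenTunnel on the endpoint.

# Step 4: build the ProxyCommand ssh runs to obtain the tunnel. The endpoint
# ID is optional; without it the CLI picks an endpoint in the instance's VPC.
eice_proxy_command() {
  instance_id=$1 eice_id=${2:-}
  cmd="aws ec2-instance-connect open-tunnel --instance-id $instance_id"
  [ -n "$eice_id" ] && cmd="$cmd --instance-connect-endpoint-id $eice_id"
  printf '%s\n' "$cmd"
}

# Connect with the key pair given to run-instances, addressing the instance by
# ID rather than by an IP it does not publicly have.
eice_ssh() {
  instance_id=$1 key_file=$2 os_user=$3 eice_id=${4:-}
  ssh -i "$key_file" \
    -o "ProxyCommand=$(eice_proxy_command "$instance_id" "$eice_id")" \
    "$os_user@$instance_id"
}

# Usage (placeholder IDs):
#   sh eice.sh --run subnet-0123EXAMPLE sg-eiceEXAMPLE sg-instEXAMPLE i-0123EXAMPLE mykey.pem admin
if [ "${1:-}" = "--run" ]; then
  shift
  eice_id=$(create_eice "$1" "$2")
  wait_eice_ready "$eice_id"
  allow_ssh_from_eice "$3" "$2"
  eice_ssh "$4" "$5" "$6" "$eice_id"
fi
```

The ProxyCommand approach is what the console's "Connect using EC2 Instance Connect Endpoint" option does behind the scenes: the CLI opens a WebSocket tunnel to the endpoint, authorized by the caller's IAM identity, and ssh authenticates over it with the key pair as usual. CloudTrail records the OpenTunnel call per identity, which is the audit trail a bastion host would not give you.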
0

This tool lets you easily connect to EC2 instances with EC2 Instance Connect Endpoint: https://github.com/ivoronin/ec2ssh

answered 4 months ago
