Infrastructure Design

Eliminate SSH Key Management with EC2 Instance Connect - Secure Connections from Browser and CLI

Learn about keyless SSH connections with EC2 Instance Connect, IAM-based access control, and Endpoint usage.

約 4 分で読めます

Overview of EC2 Instance Connect

EC2 Instance Connect is a service that enables secure connections to EC2 instances without pre-distributing SSH keys. Traditional SSH connections required creating, distributing, rotating, and handling lost key pairs, all of which added operational overhead. Instance Connect uses ephemeral public keys, eliminating the need for key management.

Endpoint and Private Connectivity

EC2 Instance Connect Endpoint is an endpoint created within a VPC that allows connections to instances in private subnets without public IPs or bastion servers. IAM policies control the ec2-instance-connect:OpenTunnel action to restrict connections to specific instances or subnets. During connection, a temporary SSH public key is placed in the instance metadata for 60 seconds and automatically removed after the connection is established, leaving no persistent keys behind.

EC2 Instance Connect Endpoint

EC2 Instance Connect Endpoint (EIC Endpoint) enables SSH/RDP connections to instances in private subnets without public IP addresses or bastion servers. Create an EIC Endpoint within a VPC and use IAM policies to control which users can connect to which target instances. Connections are tunneled via AWS PrivateLink, so there is no need to open inbound SSH ports in the instance's security group. CloudTrail records who connected to which instance and when for auditing purposes. SSH key management is also unnecessary. A single EIC Endpoint can connect to instances across multiple subnets within the VPC at no additional cost. For a systematic understanding of SSH connections, related books (Amazon) are also a helpful reference.

Comparing and Choosing Connection Methods

There are three connection methods for EC2: EC2 Instance Connect, Systems Manager Session Manager, and traditional SSH key pairs. Instance Connect injects ephemeral public keys via the metadata service, eliminating the need for persistent SSH key management. Session Manager is agent-based and does not use the SSH protocol, requiring no port openings at all, making it ideal for the strictest security requirements. Traditional SSH key pairs offer high compatibility with existing workflows but carry the operational burden of key rotation and distribution. Instance Connect's simplicity suits development environments, while Session Manager's auditability and security are better suited for production environments.

EC2 Instance Connect Pricing

EC2 Instance Connect is free to use. There are no additional charges for browser-based SSH connections, CLI connections, or Instance Connect Endpoint usage. Session Manager (Systems Manager) is also free, so the connection itself costs nothing regardless of which option you choose. Using Instance Connect Endpoint allows connections to instances in private subnets without public IP addresses, reducing costs for NAT Gateways and bastion servers.

Summary

EC2 Instance Connect eliminates SSH key management and provides IAM-based access control. EIC Endpoint enables connections to instances in private subnets without public IPs or bastion servers, and CloudTrail records connection audit logs. By choosing between Instance Connect and Session Manager, you can select the appropriate connection method for development and production environments.

Related Services

Amazon EC2 Instance ConnectA service for securely connecting to EC2 instances without pre-distributing SSH keysAmazon EC2A compute service that provides virtual servers in the cloudAWS IAMAn authentication and authorization service for securely managing access to AWS resources

Related Articles

Fleet Management with AWS Systems Manager - Automating Patch Management, Inventory, and Run CommandAutomate patch management with Patch Manager, streamline remote operations with Run Command, and enable SSH-free shell access with Session Manager.Detecting Excessive Permissions with IAM Access Analyzer - External Access and Unused Permission AnalysisDetect unused permissions on IAM roles using CloudTrail-based analysis and auto-generate least-privilege policies. This guide covers external access detection and integrating custom policy checks into your CI/CD pipeline.Demand-Driven Infrastructure with AWS Auto Scaling - Designing and Optimizing Scaling PoliciesLearn how to use target tracking, predictive, and scheduled scaling policies effectively, and optimize costs with mixed instances policies that leverage Spot Instances.

More on This Topic

Why Auto Scaling Scales Out Fast but Scales In Cautiously - The Design Intent Behind Asymmetric Decision LogicThis article explains why EC2 Auto Scaling executes scale-out immediately while applying a cooldown period for scale-in, the flapping prevention mechanism, and the internal logic of target tracking scaling.Demand-Driven Infrastructure with AWS Auto Scaling - Designing and Optimizing Scaling PoliciesLearn how to use target tracking, predictive, and scheduled scaling policies effectively, and optimize costs with mixed instances policies that leverage Spot Instances.AWS Fault Domain Design - How the Three-Layer Structure of AZs, Regions, and Partitions Protects AvailabilityLearn why AWS infrastructure is designed with three layers of fault domains - AZs (fault isolation), Regions (geographic separation), and Partitions (political separation) - and how far failures propagate at each layer, with real-world examples.Distributed Systems Principles Learned from AWS Outages - How Past Major Incidents Reshaped ArchitectureUsing AWS's published incident reports as case studies - including the S3 outage (2017), Kinesis outage (2020), and the unique nature of us-east-1 - this article explains design principles such as Shuffle Sharding, Static Stability, and Cell-based Architecture.Why AWS Builds Regions Where It Does - The Hidden Criteria Behind Data Center Site SelectionWe explain the criteria AWS considers when deciding region locations, including power supply, geopolitical risk, data sovereignty legislation, network connectivity, and natural disaster risk, with concrete examples from specific regions.Why AWS Availability Zone IDs Differ Per Account - The Design Intent Behind AZ MappingExplains how us-east-1a maps to different physical AZs per account, why AZ IDs (use1-az1) were introduced, the design intent of even capacity distribution, and considerations for cross-account AZ specification.Batch Computing Infrastructure - Large-Scale Parallel Processing with AWS BatchLearn how to build large-scale batch processing with AWS Batch. Covers job queue design, auto-scaling compute environments, cost optimization with Spot Instances, and building batch infrastructure ideal for scientific computing and large-scale data processing.Automating Batch Computing with AWS Batch - Designing Job Queues and Compute EnvironmentsLearn about job scheduling with AWS Batch, choosing between Fargate and EC2 compute environments, and leveraging Spot Instances for cost optimization.

Similar Articles and Services

AWS Systems ManagerA service that centralizes operational management of EC2 instances and on-premises servers, enabling patch application, command execution, parameter management, and session connections securely without SSHAWS Direct ConnectA service that provides a dedicated network connection between on-premises environments and AWS, delivering stable, low-latency connectivity that bypasses the public internetAWS Systems Manager Operational Automation - A Unified Operations Platform from Patch Management to Session ManagementExplain the advantages of AWS Systems Manager as a unified operational automation platform, focusing on Patch Manager, Inventory, Run Command, and Session Manager, compared with Azure Automation.Dedicated Connection Design - Achieving Stable Private Network Connectivity with Direct ConnectLearn about dedicated connection design with AWS Direct Connect, including choosing between dedicated and hosted connections, redundancy configurations, and achieving stable private network connectivity through VPC integration.