Oliver Nassar

Logging into my first AWS micro instance

August 01, 2011

While I've done a descent amount of AWS/EC2 work, I setup my first micro instance today from my home computer, and wanted to make note of a couple things I ran into.

Firstly, my AWS console was completely empty except for a single S3 bucket. Other than that, it was a fresh start. I went about creating my first micro instance (ami-548c783d; Ubuntu Maverick 10.10 AMD 64-bit server), and was prompted to generate my first key. I named it and downloaded the generated pem file. Straight-forward enough so far.

I was then prompted to set up a security group for the new instance. While there is a default, I opted to create a 'production' ready one, which I aptly named 'Production'. I had started by creating only two TCP rules; port 80 and port 443 for all IP ranges. This would allow straight-forward web requests to both a secured and unsecured web server from any IP/host. Initially I'd forgotten to open up port 22 for SSH requests, so I had to do that as well.

To login, I then ran the following simple command:

ssh -i ~/path/to/pem/file.pem ubuntu@public-dns

In this case, public-dns can be found by clicking on the EC2 tab in your AWS console, choosing your newly-launched instance, and viewing the Public DNS entry record in the second-pane in the lower-half of the page.

After trying to run that command, however, I received the following:

Permissions 0644 for '/path/to/pem/file.pem' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /path/to/pem/file.pem
Permission denied (publickey).

I found the thread "Can not access through ssh to running instance" on the Amazon AWS Forum, and ran the following from my OSX terminal:

chmod 400 /path/to/pem/file.pem

After that, logging in with the above command worked properly. There ya have it.

Side note: while my SSH is currently wide-open to all IPs accessing it via port 22, I would close this off to only certain IPs that I work under (eg. work, home, etc.). This would add an additional level of security, should your pem file ever find it's way into the wrong-person's hands.