Ref: https://learn.cantrill.io/courses/1820301/lectures/41301318
Well-known Ports for L7 Protocols
- SSH: 22
- HTTP: 80
- HTTPS: 443
SSH
- 🔧 Requires generation & storage of SSH keys
- The A4L.pem key file needs to have 400 permissions
  - 400 permissions = only the owner of the file can read it; no other user on that local machine can read it → otherwise EC2 rejects the SSH connection
- Prompt on first connection: "Are you sure you want to continue connecting (yes/no/[fingerprint])?"
  - extra step to validate the authenticity of the server
  - fingerprint → if the admin of the server shared a fingerprint with us, we can enter it here to verify we're connecting to the correct server
  - protects vs DNS exploits that might have replaced a legitimate DNS name with one which points at a non-legitimate server (can't always rely on DNS names)
- The connection originates from the IP address of the local machine (or the IP address of whichever machine runs the SSH client) → that is the source address an SG has to allow
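Two client-side checks that correspond to the SSH notes above, written as an added example (not code from the course or from AWS). The first is the rule the OpenSSH client applies to a private key file before using it: any group/other permission bit makes the key "too open" and it is ignored, while 0400 (owner read-only) passes. The second recomputes the SHA256 fingerprint that `ssh-keygen -lf` prints for a public host key, so the value shown at the "Are you sure you want to continue connecting?" prompt can be compared with one received out of band from the server's admin. The key line used by the demo is constructed with all-zero key material and is not a real host key.

```python
"""Added example: OpenSSH private-key permission rule and SHA256 host key
fingerprint comparison. The demo key line is constructed (all-zero key
material), not a real key."""
import base64
import hashlib
import os
import stat
import struct
import tempfile


def key_mode_is_private(path: str) -> bool:
    """True when no group/other permission bits are set (0400, 0600, ...).
    This mirrors the check behind OpenSSH's "Permissions ... are too open"."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


def sha256_fingerprint(key_blob: bytes) -> str:
    """OpenSSH display format: 'SHA256:' + base64 digest without '=' padding."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_of_public_key_line(line: str) -> str:
    """Fingerprint of a key in '<type> <base64 blob> [comment]' form, or the
    '<host> <type> <base64 blob>' form printed by ssh-keyscan / known_hosts.

    Every OpenSSH key blob starts with a length-prefixed type string, so its
    base64 form always begins with "AAAA"; that is how the blob field is found.
    """
    for field in line.split():
        if field.startswith("AAAA"):
            return sha256_fingerprint(base64.b64decode(field, validate=True))
    raise ValueError("no OpenSSH key blob found in line")


def host_key_matches(line: str, expected_fingerprint: str) -> bool:
    """Compare the computed fingerprint with the one shared out of band."""
    return fingerprint_of_public_key_line(line) == expected_fingerprint


def _wire_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def constructed_key_line() -> str:
    """A syntactically valid ssh-ed25519 public key line with all-zero key
    material (constructed for the demo; not a real key)."""
    blob = _wire_string(b"ssh-ed25519") + _wire_string(bytes(32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " demo"


def permission_check_results() -> dict:
    """Apply key_mode_is_private() to a temporary file under several modes."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    results = {}
    try:
        for mode in (0o400, 0o600, 0o644, 0o640):
            os.chmod(path, mode)
            results[oct(mode)] = key_mode_is_private(path)
    finally:
        os.unlink(path)
    return results


if __name__ == "__main__":
    print(permission_check_results())
    line = constructed_key_line()
    fp = fingerprint_of_public_key_line(line)
    print(fp, host_key_matches(line, fp))
```

To use this against a real instance, feed `fingerprint_of_public_key_line()` a line from `ssh-keyscan <host>` (or from the known_hosts file) and pass the fingerprint the admin gave you to `host_key_matches()`; a mismatch means the name resolved to a server whose key you have not been told to trust.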
EC2 Instance Connect
- 🔧 Uses AWS permissions to connect to an instance → the relevant identity policies must allow it
- Doesn't require generation & storage of keys
- Scales better than SSH access → less admin overhead
- ‼️ Instance must have the EC2 Instance Connect package installed!!
  - Comes by default in Amazon Linux 2+ and Ubuntu 16.04+ instances
  - Not all instances support this package (and thus, they can't use Instance Connect)
- AWS attempts to automatically determine the correct user to use
  - usually correct if using a default AMI
  - often doesn't guess correctly with custom AMIs
- ❗ Does NOT originate the connection from your local machine
  - you connect with your local machine to AWS
  - the EC2 Instance Connect service then connects to the EC2 instance
  - the IP addresses used by AWS differ by region, but they are obviously not your local machine's IP address → relevant when writing SG inbound rules (allow the AWS range for the instance's region, not your own IP)
- AWS IP ranges: https://ip-ranges.amazonaws.com/ip-ranges.json
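Since the Instance Connect service, not your laptop, is the SSH client, the security group has to admit AWS's per-region source ranges. The block below is an added example (not from the course or AWS) that picks those ranges out of the published ip-ranges.json for one region and shapes them into a port-22 inbound rule. The document in the block is constructed for an offline run and only mimics the schema of https://ip-ranges.amazonaws.com/ip-ranges.json (`prefixes` entries carry `ip_prefix`, `region`, `service`, `network_border_group`); the real file's service name for this feature is `EC2_INSTANCE_CONNECT`, while the CIDRs used here are documentation ranges, not AWS's. `load_ip_ranges()` fetches the live file when you want real data.

```python
"""Added example: filter AWS ip-ranges.json for the EC2 Instance Connect
ranges of one region and build a port-22 security group ingress entry.
SAMPLE_IP_RANGES is constructed; it mimics the real file's schema only."""
import json
import urllib.request

IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

SAMPLE_IP_RANGES = {
    "syncToken": "0",                     # constructed
    "createDate": "2000-01-01-00-00-00",  # constructed
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1",
         "service": "EC2_INSTANCE_CONNECT", "network_border_group": "eu-west-1"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1",
         "service": "EC2_INSTANCE_CONNECT", "network_border_group": "us-east-1"},
        # The real file lists the same prefix under several services; the
        # broad AMAZON entries must not end up in an SSH rule.
        {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1",
         "service": "AMAZON", "network_border_group": "eu-west-1"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1",
         "service": "AMAZON", "network_border_group": "eu-west-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "eu-west-1",
         "service": "EC2_INSTANCE_CONNECT", "network_border_group": "eu-west-1"},
    ],
}


def load_ip_ranges(url: str = IP_RANGES_URL) -> dict:
    """Fetch and parse the live file (needs network; not used by the demo)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def service_prefixes(doc: dict, service: str, region: str) -> list:
    """Sorted, de-duplicated IPv4 CIDRs for one service in one region."""
    cidrs = {
        p["ip_prefix"]
        for p in doc.get("prefixes", [])
        if p["service"] == service and p["region"] == region
    }
    return sorted(cidrs)


def service_ipv6_prefixes(doc: dict, service: str, region: str) -> list:
    """Same selection for the IPv6 list."""
    cidrs = {
        p["ipv6_prefix"]
        for p in doc.get("ipv6_prefixes", [])
        if p["service"] == service and p["region"] == region
    }
    return sorted(cidrs)


def instance_connect_ingress(doc: dict, region: str, port: int = 22) -> dict:
    """One IpPermissions entry in the shape boto3's
    authorize_security_group_ingress() accepts, allowing TCP/port only from
    the EC2 Instance Connect ranges of the given region. Raises when the
    region has no ranges so an empty rule is never produced silently."""
    v4 = service_prefixes(doc, "EC2_INSTANCE_CONNECT", region)
    v6 = service_ipv6_prefixes(doc, "EC2_INSTANCE_CONNECT", region)
    if not v4 and not v6:
        raise ValueError(f"no EC2_INSTANCE_CONNECT prefixes for region {region}")
    desc = f"EC2 Instance Connect {region}"
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": c, "Description": desc} for c in v4],
        "Ipv6Ranges": [{"CidrIpv6": c, "Description": desc} for c in v6],
    }


if __name__ == "__main__":
    rule = instance_connect_ingress(SAMPLE_IP_RANGES, "eu-west-1")
    print(json.dumps(rule, indent=2))
```

Pass the returned dict as one element of `IpPermissions` when calling boto3's `authorize_security_group_ingress()`; re-run against `load_ip_ranges()` periodically, because AWS revises the file and a stale rule would start rejecting Instance Connect sessions.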