Key Pairs, Security Groups, and Instance Networking

Security and networking are fundamental to running EC2 instances. This lesson covers the three pillars you configure for every instance: key pairs for authentication, security groups for firewall rules, and VPC networking for connectivity.

---

Key Pairs

How Key Pairs Work

EC2 uses asymmetric cryptography (public/private key pairs) to control access to instances.

1. You create a key pair in the EC2 console or CLI.
2. AWS stores the public key and injects it into the instance at launch.
3. You download and securely store the private key (.pem file).
4. When connecting, you present the private key to prove your identity.

# Create a key pair
aws ec2 create-key-pair \
  --key-name my-app-key \
  --key-type ed25519 \
  --query "KeyMaterial" \
  --output text > my-app-key.pem

chmod 400 my-app-key.pem

Key Pair Types

Type	Description
RSA	Traditional; widely supported; 2048-bit or 4096-bit
ED25519	Modern; smaller keys; faster authentication; recommended for new instances

Best Practices for Key Pairs

• Never share private keys — each team member should have their own key pair, or use EC2 Instance Connect / SSM Session Manager instead.
• Use ED25519 for new key pairs — smaller, faster, and more secure than RSA.
• Rotate keys periodically — create new key pairs and update the ~/.ssh/authorized_keys file on instances.
• Consider keyless access — AWS Systems Manager Session Manager lets you connect to instances without opening SSH ports or managing key pairs.

EC2 Instance Connect

EC2 Instance Connect pushes a temporary SSH key to the instance metadata for 60 seconds. You do not need to manage long-lived key pairs:

# Push a temporary key and connect
aws ec2-instance-connect send-ssh-public-key \
  --instance-id i-0123456789abcdef0 \
  --instance-os-user ec2-user \
  --ssh-public-key file://my-temporary-key.pub

# Then SSH as usual
ssh -i my-temporary-key ec2-user@<public-ip>

SSM Session Manager

Session Manager provides a browser-based or CLI shell without any SSH key or open inbound port:

# Start a session (requires SSM Agent on the instance and appropriate IAM role)
aws ssm start-session --target i-0123456789abcdef0

Advantages: no open inbound ports, all sessions are logged to CloudTrail, supports IAM-based access control.

---

Security Groups

What Is a Security Group?

A security group is a stateful virtual firewall that controls traffic to and from one or more EC2 instances. "Stateful" means that if you allow inbound traffic, the corresponding outbound response is automatically allowed (and vice versa).

Default Behaviour

Direction	Default Rule
Inbound	All traffic denied (no rules = no access)
Outbound	All traffic allowed (default rule permits all outbound)

Anatomy of a Security Group Rule

Each rule specifies:

Field	Description	Example
Type	Protocol / service	SSH, HTTP, Custom TCP
Protocol	TCP, UDP, ICMP, or All	TCP
Port range	Single port or range	22, 443, 8080-8090
Source / Destination	IP range (CIDR), security group ID, or prefix list	10.0.0.0/16, sg-0abc123

Common Security Group Configurations

Web Server Security Group:
  Inbound:
    HTTP   (TCP 80)   from 0.0.0.0/0
    HTTPS  (TCP 443)  from 0.0.0.0/0
    SSH    (TCP 22)   from 203.0.113.0/24  (your office IP)
  Outbound:
    All traffic to 0.0.0.0/0

Database Security Group:
  Inbound:
    MySQL  (TCP 3306) from sg-web-server  (reference by SG ID)
  Outbound:
    All traffic to 0.0.0.0/0

Key insight: Referencing another security group as the source (e.g., sg-web-server) is more secure than using IP addresses. It automatically adapts when instances are added or removed.

Security Groups vs NACLs