Setting Up with Amazon EC2

If you've already signed up for Amazon Web Services (AWS), you can start
using Amazon EC2 immediately. You can open the Amazon EC2 console,
click Launch Instance, and follow the steps in the launch wizard to launch
your first instance.
If you haven't signed up for AWS yet, or if you need assistance launching your
first instance, complete the following tasks to get set up to use Amazon EC2:
1. Sign Up for AWS
2. Create an IAM User
3. Create a Key Pair
4. Create a Virtual Private Cloud (VPC)
5. Create a Security Group

Sign Up for AWS

When you sign up for Amazon Web Services (AWS), your AWS account is
automatically signed up for all services in AWS, including Amazon EC2. You are
charged only for the services that you use.
With Amazon EC2, you pay only for what you use. If you are a new AWS
customer, you can get started with Amazon EC2 for free. For more information,
see AWS Free Tier.
If you have an AWS account already, skip to the next task. If you don't have an
AWS account, use the following procedure to create one.
To create an AWS account
1. Open http://aws.amazon.com/, and then click Sign Up.
2. Follow the on-screen instructions.
Part of the sign-up procedure involves receiving a phone call and
entering a PIN using the phone keypad.
Note your AWS account number, because you'll need it for the next task.

Create an IAM User

Services in AWS, such as Amazon EC2, require that you provide credentials
when you access them, so that the service can determine whether you have
permission to access its resources. The console requires your password. You
can create access keys for your AWS account to access the command line
interface or API. However, we don't recommend that you access AWS using the
credentials for your AWS account; we recommend that you use AWS Identity
and Access Management (IAM) instead. Create an IAM user, and then add the
user to an IAM group with administrative permissions or and grant this user
administrative permissions. You can then access AWS using a special URL and
the credentials for the IAM user.

If you signed up for AWS but have not created an IAM user for yourself, you
can create one using the IAM console. If you aren't familiar with using the
console, see Working with the AWS Management Console for an overview.
To create the Administrators group
1. Sign in to the AWS Management Console and open the IAM console
at https://console.aws.amazon.com/iam/.
2. In the navigation pane, click Groups, then click Create New Group.
3. In the Group Name box, type Administrators and then click Next
Step.
4. In the list of policies, select the check box next to
the AdministratorAccess policy. You can use the Filter menu and
the Search box to filter the list of policies.
5. Click Next Step, then click Create Group.
Your new group is listed under Group Name.
To create an IAM user for yourself, add the user to the Administrators
group, and create a password for the user
1. In the navigation pane, click Users and then click Create New Users.
2. In box 1, enter a user name. Clear the check box next to Generate an
access key for each user, then click Create.
3. In the list of users, click the name (not the check box) of the user you
just created. You can use the Search box to search for the user name.
4. In the Groups section, click Add User to Groups.
5. Select the check box next to the Administrators group, then click Add
to Groups.
6. Scroll down to the Security Credentials section. Under Sign-In
Credentials, click Manage Password.
7. Select Assign a custom password, then enter a password in
the Password and Confirm Password boxes. When you are finished,
click Apply.
To sign in as this new IAM user, sign out of the AWS console, then use the
following URL, where your_aws_account_id is your AWS account number
without the hyphens (for example, if your AWS account number is 1234-56789012, your AWS account ID is 123456789012):

https://your_aws_account_id.signin.aws.amazon.com/console/
Enter the IAM user name and password that you just created. When you're
signed in, the navigation bar displays
"your_user_name @ your_aws_account_id".
If you don't want the URL for your sign-in page to contain your AWS account
ID, you can create an account alias. From the IAM dashboard,
click Customize and enter an alias, such as your company name. To sign in

after you create an account alias, use the following URL:

https://your_account_alias.signin.aws.amazon.com/console/
To verify the sign-in link for IAM users for your account, open the IAM console
and check under IAM users sign-in link on the dashboard.
For more information about IAM, see IAM and Amazon EC2.

Create a Key Pair

AWS uses public-key cryptography to secure the login information for your
instance. A Linux instance has no password; you use a key pair to log in to
your instance securely.You specify the name of the key pair when you launch
your instance, then provide the private key when you log in using SSH.
If you haven't created a key pair already, you can create one using the Amazon
EC2 console. Note that if you plan to launch instances in multiple regions, you'll
need to create a key pair in each region. For more information about regions,
see Regions and Availability Zones.
To create a key pair
1. Sign in to AWS using the URL that you created in the previous section.
Open the Amazon EC2 console.
2. From the navigation bar, select a region for the key pair. You can select
any region that's available to you, regardless of your location. However,
key pairs are specific to a region; for example, if you plan to launch an
instance in the US West (Oregon) region, you must create a key pair for
the instance in the US West (Oregon) region.

3. Click Key Pairs in the navigation pane.

4. Click Create Key Pair.
5. Enter a name for the new key pair in the Key pair name field of
the Create Key Pair dialog box, and then click Create. Choose a name
that is easy for you to remember, such as your IAM user name, followed
by -key-pair, plus the region name. For example, me-key-pair-uswest2.
6. The private key file is automatically downloaded by your browser. The
base file name is the name you specified as the name of your key pair,
and the file name extension is .pem. Save the private key file in a safe
place.
Important
This is the only chance for you to save the private key file. You'll need to
provide the name of your key pair when you launch an instance and the
corresponding private key each time you connect to the instance.
7. If you will use an SSH client on a Mac or Linux computer to connect to
your Linux instance, use the following command to set the permissions
of your private key file so that only you can read it.

$ chmod 400 your_user_name-key-pair-region_name.pem

For more information, see Amazon EC2 Key Pairs.
To connect to your instance using your key pair

To your Linux instance from a computer running Mac or Linux, you'll specify
the .pem file to your SSH client with the -i option and the path to your private
key. To connect to your Linux instance from a computer running Windows, you
can use either MindTerm or PuTTY. If you plan to use PuTTY, you'll need to
install it and use the following procedure to convert the .pem file to a .ppk file.
(Optional) To prepare to connect to a Linux instance from Windows
using PuTTY
1. Download and install PuTTY
from http://www.chiark.greenend.org.uk/~sgtatham/putty/. Be sure to
install the entire suite.
2. Start PuTTYgen (for example, from the Start menu, click All Programs
> PuTTY > PuTTYgen).
3. Under Type of key to generate, select SSH-2 RSA.

4. Click Load. By default, PuTTYgen displays only files with the

extension .ppk. To locate your .pem file, select the option to display files
of all types.

5. Select the private key file that you created in the previous procedure and
click Open. Click OK to dismiss the confirmation dialog box.
6. Click Save private key. PuTTYgen displays a warning about saving the
key without a passphrase. Click Yes.
7. Specify the same name for the key that you used for the key pair. PuTTY
automatically adds the .ppk file extension.

Create a Virtual Private Cloud (VPC)

Amazon VPC enables you to launch AWS resources into a virtual network that
you've defined. If you have a default VPC, you can skip this section and move
to the next task,Create a Security Group. To determine whether you have a
default VPC, see Supported Platforms in the Amazon EC2 Console. Otherwise,
you can create a nondefault VPC in your account using the steps below.
Important
If your account supports EC2-Classic in a region, then you do not have a
default VPC in that region. T2 instances must be launched into a VPC.
To create a nondefault VPC
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. From the navigation bar, select a region for the VPC. VPCs are specific to

a region, so you should select the same region in which you created your
key pair.
3. On the VPC dashboard, click Start VPC Wizard.
4. On the Step 1: Select a VPC Configuration page, ensure that VPC
with a Single Public Subnet is selected, and click Select.
5. On the Step 2: VPC with a Single Public Subnet page, enter a
friendly name for your VPC in the VPC name field. Leave the other
default configuration settings, and click Create VPC. On the
confirmation page, click OK.
For more information about Amazon VPC, see What is Amazon VPC? in
the Amazon VPC User Guide.

Create a Security Group

Security groups act as a firewall for associated instances, controlling both
inbound and outbound traffic at the instance level. You must add rules to a
security group that enable you to connect to your instance from your IP
address using SSH. You can also add rules that allow inbound and outbound
HTTP and HTTPS access from anywhere.
Note that if you plan to launch instances in multiple regions, you'll need to
create a security group in each region. For more information about regions,
see Regions and Availability Zones.
Prerequisites
You'll need the public IP address of your local computer, which you can get
using a service. For example, we provide the following
service: http://checkip.amazonaws.com/. To locate another service that
provides your IP address, use the search phrase "what is my IP address." If you
are connecting through an Internet service provider (ISP) or from behind a
firewall without a static IP address, you need to find out the range of IP
addresses used by client computers.
To create a security group with least privilege
1. Open the Amazon EC2 console.
Tip
Alternatively, you can use the Amazon VPC console to create a security
group. However, the instructions in this procedure don't match the
Amazon VPC console. Therefore, if you switched to the Amazon VPC
console in the previous section, either switch back to the Amazon EC2
console and use these instructions, or use the instructions in Set Up a
Security Group for Your VPC in the Amazon VPC Getting Started Guide.
2. From the navigation bar, select a region for the security group. Security
groups are specific to a region, so you should select the same region in
which you created your key pair.

3. Click Security Groups in the navigation pane.

4. Click Create Security Group.
5. Enter a name for the new security group and a description. Choose a
name that is easy for you to remember, such as your IAM user name,
followed by _SG_, plus the region name. For example, me_SG_uswest2.
6. In the VPC list, select your VPC. If you have a default VPC, it's the one
that is marked with an asterisk (*).
Note
If your account supports EC2-Classic, select the VPC that you created in
the previous task.
7. On the Inbound tab, create the following rules (click Add Rule for each
new rule), and then click Create:
Select HTTP from the Type list, and make sure that Source is set
to Anywhere (0.0.0.0/0).
Select HTTPS from the Type list, and make sure that Source is
set to Anywhere (0.0.0.0/0).
Select SSH from the Type list. In the Source box,
ensure Custom IP is selected, and specify the public IP address
of your computer or network in CIDR notation. To specify an
individual IP address in CIDR notation, add the routing prefix /32.
For example, if your IP address is 203.0.113.25,
specify203.0.113.25/32. If your company allocates addresses
from a range, specify the entire range, such as 203.0.113.0/24.

Caution
For security reasons, we don't recommend that you
allow SSH access from all IP addresses (0.0.0.0/0) to your
instance, except for testing purposes and only for a short time.
For more information, see Amazon EC2 Security Groups for Linux Instances.