Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).
Set up to use Amazon EC2
Complete the tasks in this section to get set up for launching an Amazon EC2 instance for the first time: sign up for an Amazon Web Services account, secure your IAM users, create a key pair, and create a security group. When you are finished, you will be ready for the Amazon EC2 Getting started tutorial.
Sign up for an Amazon Web Services account
If you do not have an Amazon Web Services account, use the following procedure to create one. Amazon sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to http://www.amazonaws.cn/ and choosing My Account.
Secure IAM users
After you sign up for an Amazon Web Services account, safeguard your administrative user by turning on multi-factor authentication (MFA). For instructions, see Enable a virtual MFA device for an IAM user (console) in the IAM User Guide. Turn on MFA for the account root user as well, and use the root user only for the few tasks that require it; do everyday work, including the rest of this setup, as an IAM user.
To give other users access to your Amazon Web Services account resources, create IAM users. To secure your IAM users, turn on MFA and grant each user only the permissions needed to perform their tasks, rather than full administrator access.
For more information about creating and securing IAM users, see the IAM User Guide.
Create a key pair
Amazon EC2 uses public-key cryptography to secure the login information for your instance. Amazon EC2 stores only the public key; the private key is returned to you once, when the key pair is created, and Amazon does not keep a copy. You specify the name of the key pair when you launch your instance, then provide the private key to decrypt and obtain the administrator password for your Windows instance so you can log in using Remote Desktop Protocol (RDP). Anyone who holds the private key can obtain that password, so treat the file as a credential.
If you haven't created a key pair already, you can create one by using the Amazon EC2 console. Key pairs are Regional: if you plan to launch instances in multiple Amazon Web Services Regions, you'll need to create a key pair in each Region. For more information about Regions, see Regions and Zones.
To create your key pair
- Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.
- In the navigation pane, choose Key Pairs.
- Choose Create key pair.
- For Name, enter a descriptive name for the key pair. Amazon EC2 associates the public key with the name that you specify as the key name. A key name can include up to 255 ASCII characters. It can't include leading or trailing spaces.
- For Key pair type, choose either RSA or ED25519. Note that ED25519 keys are not supported for Windows instances.
- For Private key file format, choose the format in which to save the private key. To save the private key in a format that can be used with OpenSSH, choose pem. To save the private key in a format that can be used with PuTTY, choose ppk.
- Choose Create key pair.
- The private key file is automatically downloaded by your browser. The base file name is the name you specified as the name of your key pair, and the file name extension is determined by the file format you chose. Save the private key file in a safe place and make it readable only by you (for example, chmod 400 on Linux or macOS). This is the only chance for you to save the private key file; it cannot be downloaded again.
For more information, see Amazon EC2 key pairs and Windows instances.
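The console procedure above is the only way this page shows to create a key pair; the same operation is available from the Amazon CLI, which is the better fit for a script or a shared workstation where a browser download is not what you want. The following is an added example, not code from the Amazon EC2 documentation: it creates the key pair with `aws ec2 create-key-pair` and hands the key material to a small shell function that writes it with mode 0600, refuses to overwrite a file that already exists (the private key is returned exactly once, so a mistaken overwrite is unrecoverable), and rejects a payload that is not a PEM private key (for example, the empty output of a failed CLI call). It assumes the Amazon CLI is installed and configured; the key name `my-key-uswest2`, the Region, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the Amazon EC2 documentation.
# Creates an EC2 key pair with the Amazon CLI and stores the private key safely.
# Assumptions: the Amazon CLI is installed and configured with credentials;
# the key name and Region passed to create_key_pair are placeholders.

# save_private_key FILE  (key material arrives on stdin)
# Writes the private key to FILE with mode 0600 and fails closed in two cases:
#  - FILE already exists: EC2 returns the private key exactly once, so a
#    previously saved key must never be overwritten by mistake;
#  - stdin is not a PEM private key (for example, empty output after a failed
#    CLI call): the partial file is removed so no unusable key lingers.
save_private_key() {
    file=$1
    if [ -e "$file" ]; then
        echo "refusing to overwrite existing key file: $file" >&2
        return 1
    fi
    # umask 077 in a subshell: the file is created 0600, never world-readable
    ( umask 077 && cat > "$file" ) || return 1
    if ! grep -q '^-----BEGIN .*PRIVATE KEY-----' "$file"; then
        echo "$file does not contain a PEM private key; discarding it" >&2
        rm -f "$file"
        return 1
    fi
    return 0
}

# file_mode FILE -> permission bits in octal (GNU stat first, then BSD/macOS stat)
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# create_key_pair NAME REGION [TYPE] -> creates the key pair in EC2 and saves
# the private key as NAME.pem. TYPE defaults to rsa because ED25519 keys are
# not supported for Windows instances (see the console procedure above).
# The pipeline's exit status is that of save_private_key, so a failed CLI
# call (empty stdin) is reported as a failure instead of a silently empty file.
create_key_pair() {
    name=$1; region=$2; type=${3:-rsa}
    aws ec2 create-key-pair \
        --region "$region" \
        --key-name "$name" \
        --key-type "$type" \
        --query KeyMaterial \
        --output text | save_private_key "$name.pem"
}

# Usage (needs credentials, so not run here):
#   create_key_pair my-key-uswest2 us-west-2 && file_mode my-key-uswest2.pem
```

The `--query KeyMaterial --output text` pair makes the CLI print only the private key, which is what `save_private_key` expects on stdin; if you also want a PuTTY file, add `--key-format ppk` to the CLI call and adjust the file extension.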
Create a security group
Security groups act as a stateful firewall for associated instances, controlling both inbound and outbound traffic at the instance level. You must add rules to a security group that enable you to connect to your instance from your IP address using RDP. You can also add rules that allow inbound and outbound HTTP and HTTPS access from anywhere. Security groups are Regional: if you plan to launch instances in multiple Amazon Web Services Regions, you'll need to create a security group in each Region. For more information about Regions, see Regions and Zones.
Prerequisites
You'll need the public IPv4 address of your local computer. The security group editor in the Amazon EC2 console can automatically detect the public IPv4 address for you. Alternatively, you can use the search phrase "what is my IP address" in an internet browser, or use the following service: Check IP. If you are connecting through an Internet service provider (ISP) or from behind a firewall without a static IP address, you need to find out the range of IP addresses used by client computers, and keep that range as narrow as you can: every address in it will be able to reach the RDP port of your instance.
You can create a custom security group using one of the following methods.
New console
To create a security group with least privilege
- Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.
- From the top navigation bar, select an Amazon Web Services Region for the security group. Security groups are specific to a Region, so you should select the same Region in which you created your key pair.
- In the left navigation pane, choose Security Groups.
- Choose Create security group.
- For Basic details, do the following:
  - Enter a name for the new security group and a description. Use a name that is easy for you to remember, such as your user name, followed by _SG_, plus the Region name. For example, me_SG_uswest2.
  - In the VPC list, select your default VPC for the Region.
- For Inbound rules, create rules that allow specific traffic to reach your instance. For example, use the following rules for a web server that accepts HTTP and HTTPS traffic. For more examples, see Security group rules for different use cases.
  - Choose Add rule. For Type, choose HTTP. For Source, choose Anywhere.
  - Choose Add rule. For Type, choose HTTPS. For Source, choose Anywhere.
  - Choose Add rule. For Type, choose RDP. For Source, do one of the following:
    - Choose My IP to automatically add the public IPv4 address of your local computer. This records your address at the moment you create the rule; if your ISP assigns you a different address later, update the rule to the new address rather than widening it.
    - Choose Custom and specify the public IPv4 address of your computer or network in CIDR notation. To specify an individual IP address in CIDR notation, add the routing suffix /32, for example, 203.0.113.25/32. If your company or your router allocates addresses from a range, specify the entire range, such as 203.0.113.0/24.
    For security reasons, do not choose Anywhere for Source with a rule for RDP. This would allow access to your instance from all IP addresses on the internet. This is acceptable for a short time in a test environment, but it is unsafe for production environments.
- For Outbound rules, keep the default rule, which allows all outbound traffic.
- Choose Create security group.
Old console
To create a security group with least privilege
- Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.
- In the left navigation pane, choose Security Groups.
- Choose Create Security Group.
- Enter a name for the new security group and a description. Use a name that is easy for you to remember, such as your user name, followed by _SG_, plus the Region name. For example, me_SG_uswest2.
- In the VPC list, select your default VPC for the Region.
- On the Inbound rules tab, create the following rules (choose Add rule for each new rule):
  - Choose HTTP from the Type list, and make sure that Source is set to Anywhere (0.0.0.0/0).
  - Choose HTTPS from the Type list, and make sure that Source is set to Anywhere (0.0.0.0/0).
  - Choose RDP from the Type list. In the Source box, choose My IP to automatically populate the field with the public IPv4 address of your local computer. Alternatively, choose Custom and specify the public IPv4 address of your computer or network in CIDR notation. To specify an individual IP address in CIDR notation, add the routing suffix /32, for example, 203.0.113.25/32. If your company allocates addresses from a range, specify the entire range, such as 203.0.113.0/24.
    For security reasons, do not allow RDP access from all IP addresses to your instance. This is acceptable for a short time in a test environment, but it is unsafe for production environments.
- On the Outbound rules tab, keep the default rule, which allows all outbound traffic.
- Choose Create security group.
Amazon CLI
When you use the Amazon CLI to create a security group, an outbound rule that allows all outbound traffic is automatically added to the security group. An inbound rule isn't automatically added; you'll need to add it.
In this procedure, you'll combine the create-security-group and authorize-security-group-ingress Amazon CLI commands to create the security group and add the inbound rules that allow the specified inbound traffic. An alternative to the following procedure is to run the commands separately, first creating a security group, and then adding the inbound rules to the security group. Running them separately also makes failures easier to see: if create-security-group fails inside the command substitution below, the substitution is empty and authorize-security-group-ingress fails with a missing value for --group-id.
To create a security group and add inbound rules to the security group
Use the create-security-group and authorize-security-group-ingress Amazon CLI commands as follows:

aws ec2 authorize-security-group-ingress \
    --region us-west-2 \
    --group-id $(aws ec2 create-security-group \
        --group-name myname_SG_uswest2 \
        --description "Security group description" \
        --vpc-id vpc-12345678 \
        --output text \
        --region us-west-2) \
    --ip-permissions \
    IpProtocol=tcp,FromPort=80,ToPort=80,IpRanges='[{CidrIp=0.0.0.0/0,Description="HTTP from anywhere"}]' \
    IpProtocol=tcp,FromPort=443,ToPort=443,IpRanges='[{CidrIp=0.0.0.0/0,Description="HTTPS from anywhere"}]' \
    IpProtocol=tcp,FromPort=3389,ToPort=3389,IpRanges='[{CidrIp=172.31.0.0/16,Description="RDP from private network"}]' \
    IpProtocol=tcp,FromPort=3389,ToPort=3389,IpRanges='[{CidrIp=203.0.113.25/32,Description="RDP from public IP"}]'

For:
- --region – Specify the Region in which to create the inbound rules.
- --group-id – Specify the create-security-group command and the following parameters to create the security group:
  - --group-name – Specify a name for the new security group. Use a name that is easy for you to remember, such as your user name, followed by _SG_, plus the Region name. For example, myname_SG_uswest2.
  - --description – Specify a description that will help you know what traffic the security group allows.
  - --vpc-id – Specify your default VPC for the Region.
  - --output – Specify text as the output format for the command, so that the command substitution yields only the new security group ID.
  - --region – Specify the Region in which to create the security group. It should be the same Region that you specified for the inbound rules.
- --ip-permissions – Specify the inbound rules to add to the security group. The rules in this example are for a web server that accepts HTTP and HTTPS traffic from anywhere, and that accepts RDP traffic from a private network (172.31.0.0/16 is the CIDR block of a default VPC, so that rule admits other hosts in the same default VPC; if your company or your router allocates addresses from a range, use that range instead) and a specified public IP address (such as the public IPv4 address of your computer or network in CIDR notation).
  For security reasons, do not specify 0.0.0.0/0 for CidrIp with a rule for RDP. This would allow access to your instance from all IP addresses on the internet. This is acceptable for a short time in a test environment, but it is unsafe for production environments.
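The warning about 0.0.0.0/0 is easy to violate in a script, where the source CIDR usually arrives in a variable rather than being typed by hand. The following is an added example, not code from the Amazon EC2 documentation: a POSIX shell pre-flight check that validates the RDP source before the CLI is called, rejecting anything that is not a well-formed IPv4 CIDR, the whole-internet range 0.0.0.0/0, and any prefix wider than a configurable limit, and only then runs `aws ec2 authorize-security-group-ingress` with the same shorthand syntax as the command above. It also includes a describe-security-groups query that lists what is currently allowed to reach port 3389, for finding a "short time in a test environment" rule that was never removed. The /16 default limit, the function names, and the placeholder group ID sg-12345678 are assumptions of this example; the CLI calls need configured credentials.

```shell
#!/bin/sh
# Added example, not code from the Amazon EC2 documentation.
# Pre-flight check for the RDP rule: refuse to call the CLI with a source
# that would expose TCP 3389 to the internet, then add the rule.
# Assumptions: the Amazon CLI is installed and configured; MIN_PREFIX (the
# widest source range accepted) is a local policy choice; sg-12345678 is a
# placeholder group ID.

# is_ipv4_cidr CIDR -> 0 if CIDR is a syntactically valid IPv4 CIDR (a.b.c.d/n).
# IPv6 ranges such as ::/0 fail this check on purpose: the rules on this page
# are IPv4 rules, and an IPv6 "anywhere" must not slip through as a string.
is_ipv4_cidr() {
    cidr=$1
    case $cidr in
        */*) ;;
        *) return 1 ;;        # no prefix length: "203.0.113.25" is not a CIDR
    esac
    ip=${cidr%/*}
    prefix=${cidr#*/}
    case $prefix in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    # walk the dotted octets without word splitting (no IFS or glob surprises)
    rest=$ip.
    n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        n=$((n + 1))
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ] || return 1
    return 0
}

# rdp_source_ok CIDR -> 0 if CIDR is an acceptable source for an RDP rule:
# a valid IPv4 CIDR, not 0.0.0.0/0, and no wider than /$MIN_PREFIX.
# With the default of 16, the page's examples (203.0.113.25/32, 203.0.113.0/24,
# 172.31.0.0/16) pass and "my whole ISP" (10.0.0.0/8) does not.
MIN_PREFIX=${MIN_PREFIX:-16}
rdp_source_ok() {
    if ! is_ipv4_cidr "$1"; then
        echo "rejected: '$1' is not an IPv4 CIDR" >&2
        return 1
    fi
    case $1 in
        0.0.0.0/*)
            echo "rejected: '$1' would allow RDP from every address on the internet" >&2
            return 1 ;;
    esac
    if [ "${1#*/}" -lt "$MIN_PREFIX" ]; then
        echo "rejected: '$1' is wider than /$MIN_PREFIX" >&2
        return 1
    fi
    return 0
}

# authorize_rdp SG_ID REGION CIDR DESCRIPTION -> adds the RDP rule only if the
# source passes rdp_source_ok; same shorthand syntax as the command above.
authorize_rdp() {
    rdp_source_ok "$3" || return 1
    aws ec2 authorize-security-group-ingress \
        --region "$2" \
        --group-id "$1" \
        --ip-permissions \
        "IpProtocol=tcp,FromPort=3389,ToPort=3389,IpRanges=[{CidrIp=$3,Description=\"$4\"}]"
}

# audit_rdp_sources SG_ID REGION -> prints every IPv4 CIDR currently allowed to
# reach TCP 3389 on the group, so a 0.0.0.0/0 left behind after "a short time
# in a test environment" is visible.
audit_rdp_sources() {
    aws ec2 describe-security-groups --region "$2" --group-ids "$1" --output text \
        --query 'SecurityGroups[0].IpPermissions[?IpProtocol==`tcp` && FromPort<=`3389` && ToPort>=`3389`].IpRanges[].CidrIp'
}

# Usage (needs credentials, so not run here):
#   authorize_rdp sg-12345678 us-west-2 203.0.113.25/32 "RDP from public IP"
#   authorize_rdp sg-12345678 us-west-2 0.0.0.0/0 "oops"   # rejected before any API call
#   audit_rdp_sources sg-12345678 us-west-2
```

The check runs entirely on the client, so it costs nothing and needs no permissions; it is a guardrail against typos and copy-paste, not a substitute for reviewing what the group actually contains, which is what `audit_rdp_sources` is for.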
PowerShell
When you use the Amazon Tools for Windows PowerShell to create a security group, an outbound rule that allows all outbound traffic is automatically added to the security group. An inbound rule isn't automatically added; you'll need to add it.
In this procedure, you'll use the New-EC2SecurityGroup and Grant-EC2SecurityGroupIngress Amazon Tools for Windows PowerShell cmdlets to create the security group and add the inbound rules that allow the specified inbound traffic. New-EC2SecurityGroup returns the ID of the new group; capturing that ID in a variable and passing it to Grant-EC2SecurityGroupIngress keeps the two steps explicit, works in both Windows PowerShell and PowerShell 7, and makes a failure of the first step visible before any rule is added.
To create a security group
Use the New-EC2SecurityGroup and Grant-EC2SecurityGroupIngress Amazon Tools for Windows PowerShell commands as follows.

Import-Module AWS.Tools.EC2

# Create the security group; the cmdlet returns the ID of the new group (sg-...)
$sgId = New-EC2SecurityGroup -GroupName myname_SG_uswest2 `
    -Description 'Security group description' `
    -VpcId vpc-12345678 `
    -Region us-west-2

# Add the inbound rules to the group that was just created
Grant-EC2SecurityGroupIngress -GroupId $sgId -Region us-west-2 -IpPermission @(
    (New-Object -TypeName Amazon.EC2.Model.IpPermission -Property @{
        IpProtocol = 'tcp';
        FromPort = 80;
        ToPort = 80;
        Ipv4Ranges = @(@{CidrIp = '0.0.0.0/0'; Description = 'HTTP from anywhere'})
    }),
    (New-Object -TypeName Amazon.EC2.Model.IpPermission -Property @{
        IpProtocol = 'tcp';
        FromPort = 443;
        ToPort = 443;
        Ipv4Ranges = @(@{CidrIp = '0.0.0.0/0'; Description = 'HTTPS from anywhere'})
    }),
    (New-Object -TypeName Amazon.EC2.Model.IpPermission -Property @{
        IpProtocol = 'tcp';
        FromPort = 3389;
        ToPort = 3389;
        Ipv4Ranges = @(
            @{CidrIp = '172.31.0.0/16'; Description = 'RDP from private network'},
            @{CidrIp = '203.0.113.25/32'; Description = 'RDP from public IP'}
        )
    })
)

For the security group:
- -GroupName – Specify a name for the new security group. Use a name that is easy for you to remember, such as your user name, followed by _SG_, plus the Region name. For example, myname_SG_uswest2.
- -Description – Specify a description that will help you know what traffic the security group allows.
- -VpcId – Specify your default VPC for the Region.
- -Region – Specify the Region in which to create the security group.
For the inbound rules:
- -GroupId – Specify $sgId, the ID that New-EC2SecurityGroup returned for the security group you just created.
- -Region – Specify the Region in which to create the inbound rules. It should be the same Region that you specified for the security group.
-
-IpPermission
– Specify the inbound rules to add to the security
group. The rules in this example are for a web server that accepts
HTTP and HTTPS traffic from anywhere, and that accepts RDP traffic
from a private network (if your company or your router allocates
addresses from a range) and a specified public IP address (such as
the public IPv4 address of your computer or network in CIDR
notation).
For security reasons, do not specify 0.0.0.0/0
for CidrIp
with a rule for RDP. This would allow access to your instance
from all IP addresses on the internet. This is acceptable for a
short time in a test environment, but it is unsafe for
production environments.
For more information, see Amazon EC2 security groups for Windows instances.