Setting up with Amazon Batch - Amazon Batch

Setting up with Amazon Batch

If you've already signed up for Amazon Web Services (Amazon) and are using Amazon Elastic Compute Cloud (Amazon EC2) or Amazon Elastic Container Service (Amazon ECS), you can soon use Amazon Batch. The setup process for these services is similar because Amazon Batch uses Amazon ECS container instances in its compute environments. To use the Amazon CLI with Amazon Batch, you must use a version of the Amazon CLI that supports the latest Amazon Batch features. If you don't see support for an Amazon Batch feature in the Amazon CLI, upgrade to the latest version. For more information, see


Because Amazon Batch uses components of Amazon EC2, you use the Amazon EC2 console for many of these steps.

Complete the following tasks to get set up for Amazon Batch. If you already completed any of these steps, you can skip directly to installing the Amazon CLI.

Sign up for an Amazon Web Services account

If you do not have an Amazon Web Services account, use the following procedure to create one.

To sign up for Amazon Web Services
  1. Open and choose Sign Up.

  2. Follow the on-screen instructions.

Amazon sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to and choosing My Account.

Secure IAM users

After you sign up for an Amazon Web Services account, safeguard your administrative user by turning on multi-factor authentication (MFA). For instructions, see Enable a virtual MFA device for an IAM user (console) in the IAM User Guide.

To give other users access to your Amazon Web Services account resources, create IAM users. To secure your IAM users, turn on MFA and only give the IAM users the permissions needed to perform their tasks.

For more information about creating and securing IAM users, see the following topics in the IAM User Guide:

Create IAM roles for your compute environments and container instances

Your Amazon Batch compute environments and container instances require Amazon Web Services account credentials to make calls to other Amazon APIs on your behalf. Create an IAM role that provides these credentials to your compute environments and container instances, then associate that role with your compute environments.


The Amazon Batch compute environment and container instance roles are automatically created for you in the console first-run experience. So, if you intend to use the Amazon Batch console, you can move ahead to the next section. If you plan to use the Amazon CLI instead, complete the procedures in Using service-linked roles for Amazon Batch and Amazon ECS instance role before creating your first compute environment.

Create a key pair

Amazon uses public-key cryptography to secure the login information for your instance. A Linux instance, such as an Amazon Batch compute environment container instance, has no password to use for SSH access. You use a key pair to log in to your instance securely. You specify the name of the key pair when you create your compute environment, then provide the private key when you log in using SSH.

If you didn't create a key pair already, you can create one using the Amazon EC2 console. Note that, if you plan to launch instances in multiple Amazon Web Services Regions, create a key pair in each Region. For more information about Regions, see Regions and Availability Zones in the Amazon EC2 User Guide for Linux Instances.

To create a key pair
  1. Open the Amazon EC2 console at

  2. From the navigation bar, select an Amazon Web Services Region for the key pair. You can select any Region that's available to you, regardless of your location. However, key pairs are specific to a Region. For example, if you plan to launch an instance in the US West (Oregon) Region, create a key pair for the instance in the same Region.

  3. In the navigation pane, choose Key Pairs, Create Key Pair.

  4. In the Create Key Pair dialog box, for Key pair name, enter a name for the new key pair, and choose Create. Choose a name that you can remember, such as your user name, followed by -key-pair, plus the Region name. For example, me-key-pair-uswest2.

  5. The private key file is automatically downloaded by your browser. The base file name is the name that you specified as the name of your key pair, and the file name extension is .pem. Save the private key file in a safe place.


    This is the only chance for you to save the private key file. You need to provide the name of your key pair when you launch an instance and the corresponding private key each time that you connect to the instance.

  6. If you use an SSH client on a Mac or Linux computer to connect to your Linux instance, use the following command to set the permissions of your private key file. That way, only you can read it.

    $ chmod 400 your_user_name-key-pair-region_name.pem

For more information, see Amazon EC2 Key Pairs in the Amazon EC2 User Guide for Linux Instances.

To connect to your instance using your key pair

To connect to your Linux instance from a computer running Mac or Linux, specify the .pem file to your SSH client with the -i option and the path to your private key. To connect to your Linux instance from a computer running Windows, use either MindTerm or PuTTY. If you plan to use PuTTY, install it and use the following procedure to convert the .pem file to a .ppk file.

(Optional) To prepare to connect to a Linux instance from Windows using PuTTY
  1. Download and install PuTTY from Be sure to install the entire suite.

  2. Start PuTTYgen (for example, from the Start menu, choose All Programs, PuTTY, and PuTTYgen).

  3. Under Type of key to generate, choose RSA. If you're using an earlier version of PuTTYgen, choose SSH-2 RSA.

  4. Choose Load. By default, PuTTYgen displays only files with the extension .ppk. To locate your .pem file, choose the option to display files of all types.

  5. Select the private key file that you created in the previous procedure and choose Open. Choose OK to dismiss the confirmation dialog box.

  6. Choose Save private key. PuTTYgen displays a warning about saving the key without a passphrase. Choose Yes.

  7. Specify the same name for the key that you used for the key pair. PuTTY automatically adds the .ppk file extension.

Create a VPC

With Amazon Virtual Private Cloud (Amazon VPC), you can launch Amazon resources into a virtual network that you've defined. We strongly recommend that you launch your container instances in a VPC.

If you have a default VPC, you can also skip this section and move to the next task, Create a security group. To determine whether you have a default VPC, see Supported Platforms in the Amazon EC2 Console in the Amazon EC2 User Guide for Linux Instances.

For information about how to create an Amazon VPC, see Create a VPC only in the Amazon VPC User Guide. Refer to the following table to determine what options to select.

Option               Value
Resources to create  VPC only
                     Optionally provide a name for your VPC.
IPv4 CIDR block      IPv4 CIDR manual input. The CIDR block size must have a size between /16 and /28.
IPv6 CIDR block      No IPv6 CIDR block



For more information about Amazon VPC, see What is Amazon VPC? in the Amazon VPC User Guide.

Create a security group

Security groups act as a firewall for associated compute environment container instances, controlling both inbound and outbound traffic at the container instance level. A security group can be used only in the VPC for which it is created.

You can add rules to a security group that enable you to connect to your container instance from your IP address using SSH. You can also add rules that allow inbound and outbound HTTP and HTTPS access from anywhere. Add any rules to open ports that are required by your tasks.

Note that if you plan to launch container instances in multiple Regions, you need to create a security group in each Region. For more information, see Regions and Availability Zones in the Amazon EC2 User Guide for Linux Instances.


You need the public IP address of your local computer, which you can get using a service. For example, we provide the following service: or To locate another service that provides your IP address, use the search phrase "what is my IP address." If you're connecting through an Internet service provider (ISP) or from behind a firewall without a static IP address, find out the range of IP addresses that are used by client computers.

To create a security group using the console
  1. Open the Amazon VPC console at

  2. In the navigation pane, choose Security Groups.

  3. Choose Create security group.

  4. Enter a name and description for the security group. You cannot change the name and description of a security group after it is created.

  5. From VPC, choose the VPC.

  6. (Optional) By default, new security groups start with only an outbound rule that allows all traffic to leave the resource. You must add rules to enable any inbound traffic or to restrict the outbound traffic.

    Amazon Batch container instances don't require any inbound ports to be open. However, you might want to add an SSH rule. That way, you can log into the container instance and examine the containers in jobs with Docker commands. If you want your container instance to host a job that runs a web server, you can also add rules for HTTP. Complete the following steps to add these optional security group rules.

    On the Inbound tab, create the following rules and choose Create:

    • Choose Add Rule. For Type, choose HTTP. For Source, choose Anywhere (

    • Choose Add Rule. For Type, choose SSH. For Source, choose Custom IP, and specify the public IP address of your computer or network in Classless Inter-Domain Routing (CIDR) notation. If your company allocates addresses from a range, specify the entire range, such as To specify an individual IP address in CIDR notation, choose My IP. This adds the routing prefix /32 to the public IP address.


      For security reasons, we don't recommend that you allow SSH access from all IP addresses ( to your instance, except for testing purposes and only for a short time.

  7. You can add tags now, or you can add them later. To add a tag, choose Add new tag and enter the tag key and value.

  8. Choose Create security group.

To create a security group using the command line, see create-security-group (Amazon CLI).

For more information about security groups, see Work with security groups.

Install the Amazon CLI

To use the Amazon CLI with Amazon Batch, install the latest Amazon CLI version. For information about installing the Amazon CLI or upgrading it to the latest version, see Installing the Amazon Command Line Interface in the Amazon Command Line Interface User Guide.