Conceptual Foundations
EC2 in the Context of AWS Networking
An EC2 instance does not exist in isolation. It lives inside a subnet, which lives inside a VPC. A VPC is your private, logically isolated network inside AWS. Every AWS account comes with a default VPC in each region, pre-configured with a subnet in each Availability Zone and an attached Internet Gateway. For this lab, you will use the default VPC — not because it is the production-correct choice, but because understanding it first makes the decisions involved in custom VPCs more legible later.
The key thing to understand about the default VPC is that its subnets have the auto-assign public IPv4 address attribute (MapPublicIpOnLaunch) turned on, and its main route table sends 0.0.0.0/0 to the Internet Gateway. That combination is why an instance launched into the default VPC gets a public IP and is reachable from your laptop. A subnet you create in a custom VPC has the attribute off by default and has no route to an Internet Gateway unless you add one; in a production VPC you would keep instances in private subnets and reach them through a load balancer, a bastion host, or SSM Session Manager instead.
Security Groups as Stateful Firewalls
A security group is not a network ACL. A network ACL is a stateless filter applied at the subnet boundary; a security group is a stateful firewall attached to the instance's network interface. Stateful means that if you allow inbound traffic on port 22 from your IP, the reply packets are tracked and permitted automatically, with no corresponding outbound rule needed. A newly created security group has no inbound rules, so all inbound traffic is denied, and a single outbound rule permitting all traffic to any destination.
The most common mistake beginners make is setting the source of an SSH rule to 0.0.0.0/0 (or its IPv6 twin, ::/0). That exposes port 22 to every address on the internet, and automated scanners will find your instance within minutes. In this lab, you will scope the SSH rule to your specific IP address as a /32 CIDR (a /128 if you connect over IPv6), which restricts access to exactly one address. The console's "My IP" source option computes this for you. If your address changes later the rule fails closed and you lose access; the fix is to update the rule to the new address, not to widen it.
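The two halves of that rule, as an added example that is not part of the lab: an audit that finds SSH rules open to the world in a set of security groups, and a builder for the single-address rule that should replace them. The input shape mirrors what boto3's ec2.describe_security_groups() returns, but the sample groups and their IDs are constructed inline so the script runs offline with no AWS call; the description string on the rule is an assumption.

```python
"""Audit EC2 security-group ingress for world-reachable SSH and build the
correctly scoped single-host rule instead.

Added example, not part of the lab. No AWS call is made: the sample groups
below are constructed to look like ec2.describe_security_groups() output.
"""
import ipaddress

SSH_PORT = 22
WORLD = {"0.0.0.0/0", "::/0"}   # IPv4 and IPv6 "anywhere"


def _covers_port(perm, port):
    """True if an IpPermissions entry applies to the given TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":            # "all traffic" rule: no FromPort/ToPort present
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def find_open_ssh_rules(security_groups):
    """Return (group_id, cidr) pairs for rules exposing SSH to any address.

    Checks both IpRanges (0.0.0.0/0) and Ipv6Ranges (::/0); a dual-stack
    instance is just as exposed through the IPv6 form.
    """
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not _covers_port(perm, SSH_PORT):
                continue
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            findings.extend((sg["GroupId"], c) for c in sources if c in WORLD)
    return findings


def host_cidr(ip):
    """Single-host CIDR for an address: /32 for IPv4, /128 for IPv6."""
    addr = ipaddress.ip_address(ip)
    return f"{addr}/{addr.max_prefixlen}"


def scoped_ssh_permission(ip):
    """IpPermissions entry for ec2.authorize_security_group_ingress() that
    allows SSH from exactly one address (description text is an assumption)."""
    addr = ipaddress.ip_address(ip)
    perm = {"IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT}
    if addr.version == 6:
        perm["Ipv6Ranges"] = [{"CidrIpv6": host_cidr(ip), "Description": "lab SSH from my workstation"}]
    else:
        perm["IpRanges"] = [{"CidrIp": host_cidr(ip), "Description": "lab SSH from my workstation"}]
    return perm


# Constructed sample: the beginner mistake, a correctly scoped rule, and an
# "all traffic from anywhere" rule that also exposes port 22.
SAMPLE_GROUPS = [
    {"GroupId": "sg-lab-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-lab-scoped", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.7/32"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-lab-allow-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for group_id, cidr in find_open_ssh_rules(SAMPLE_GROUPS):
        print(f"{group_id}: SSH reachable from {cidr}")
    print("replacement rule:", scoped_ssh_permission("203.0.113.7"))
```

Against real output, pass `ec2.describe_security_groups()["SecurityGroups"]` to find_open_ssh_rules; the "all traffic" case matters because a protocol -1 rule never mentions port 22 by name yet still exposes it.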
IAM Roles and Instance Profiles
An EC2 instance that needs to call AWS APIs (for example, reading from S3 or writing to CloudWatch) must have credentials. The wrong approach is to create an IAM user, generate access keys, and store them on the instance in ~/.aws/credentials. Those credentials can be extracted if the instance is compromised, and they persist long after the instance is gone.
The correct approach is an IAM role with an instance profile. The instance profile is the container that lets an IAM role be attached to an EC2 instance; the role's trust policy must allow the EC2 service (ec2.amazonaws.com) to assume it. Once the instance is running, the instance metadata service (IMDS) at 169.254.169.254 hands out temporary, automatically rotated credentials scoped to that role, and the AWS CLI and SDKs pick them up with no configuration. No static keys on disk. Two caveats a practitioner should know: launch the instance with IMDSv2 required (HttpTokens=required), so that a server-side request forgery bug in an application on the instance cannot read the credentials with a plain GET; and note that terminating the instance stops new credentials from being issued but does not revoke ones already fetched, which stay valid until they expire (up to six hours), so treat them as leaked if the instance was compromised.
For this lab, you will create a role with no attached policies, so it grants no permissions, but the architectural habit of always attaching an instance profile from the start is worth establishing: it is what every later permission grant will hang off, and it removes any temptation to drop static keys onto the instance in the meantime.
AMI Selection
An Amazon Machine Image (AMI) is the disk image from which your instance boots. You will use Amazon Linux 2023. It is AWS-maintained, receives regular security patches, ships with the AWS CLI pre-installed, and its AMIs are registered so that new launches require IMDSv2 by default. The default user for Amazon Linux 2023 is ec2-user; SSH password authentication is disabled, so the key pair you select at launch is the only way in.
Conceptual Foundations Check
Question 1 of 2
Why is setting an SSH security group rule source to 0.0.0.0/0 a production risk?