Environment and Base Setup

Creating the Key Pair

Before launching an instance, you need an SSH key pair. AWS stores the public key; you retain the private key locally. There is no way to retrieve the private key from AWS after creation — if you lose it, you cannot SSH into your instance and must replace it.

Navigate to EC2 > Key Pairs > Create key pair. Name it lab-ec2-key. Select RSA, PEM format (required for OpenSSH-based clients on macOS and Linux; PPK is for PuTTY on Windows). Download the file and move it to a known location.

Immediately restrict the private key permissions. SSH clients refuse to use key files with open permissions:

chmod 400 ./lab-ec2-key.pem

This is not optional. Without it, ssh will reject the key with a permissions warning.

Identifying Your Public IP

You need your current public IP address to scope the SSH security group rule correctly. You can find it by visiting https://checkip.amazonaws.com or running:

curl https://checkip.amazonaws.com

Note the returned IP. You will use it as <your-ip>/32 when creating the security group rule. If you are behind a NAT or VPN, use the IP that this service returns — that is what AWS sees as your source address.

Creating the Security Group

Navigate to EC2 > Security Groups > Create security group. Name it lab-ec2-sg. Assign it to your default VPC.

Add one inbound rule:

  • Type: SSH
  • Protocol: TCP
  • Port: 22
  • Source: Custom — enter <your-ip>/32

Do not add any other inbound rules. The default outbound rule (all traffic to 0.0.0.0/0) is intentional — instances need to reach the internet for package updates and AWS API calls.

The description field on the inbound rule is not cosmetic. In production, every security group rule should have a description explaining its purpose: SSH access from ops engineer workstation — review quarterly. This is the discipline that prevents security groups from accumulating unexplained rules over time.


Creating the IAM Role and Instance Profile

Navigate to IAM > Roles > Create role. Select AWS service as the trusted entity type, then EC2 as the use case. This creates the trust policy that allows EC2 to assume the role — which is what makes the instance profile mechanism work.

Do not attach any permission policies. Name the role lab-ec2-role. On the final screen, AWS automatically creates an instance profile with the same name. This is the object EC2 will attach to your instance.

After creation, confirm the role exists at IAM > Roles > lab-ec2-role and that the Trust relationships tab shows ec2.amazonaws.com as a trusted service.
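The two checks above (an SSH rule scoped to exactly one /32 with a description, and a trust policy that only lets ec2.amazonaws.com assume the role) can be automated. The following is an added example, not part of the original lab; it runs against constructed samples shaped like the `aws ec2 describe-security-groups` output and the role's trust policy document, and the IP address, dictionary names and function names are assumptions.

```python
import ipaddress

# Constructed sample: one security group in the shape the EC2 API returns it
# (values invented for this example, IP from the 203.0.113.0/24 doc range).
SAMPLE_SG = {
    "GroupName": "lab-ec2-sg",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32",
                       "Description": "SSH access from ops engineer workstation"}]}
    ],
}

# Constructed sample trust policy, as shown on the Trust relationships tab.
SAMPLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}


def sg_findings(sg):
    """Return problems with the inbound rules; an empty list means 'as designed'."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
        if not (proto == "tcp" and lo == 22 and hi == 22):
            findings.append(f"unexpected inbound rule: {proto} {lo}-{hi}")
        for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = r.get("CidrIp") or r.get("CidrIpv6")
            # A single-host source (/32 or /128) has exactly one address.
            if ipaddress.ip_network(cidr, strict=False).num_addresses != 1:
                findings.append(f"SSH source {cidr} is wider than a single host")
            if not r.get("Description"):
                findings.append(f"rule for {cidr} has no description")
    return findings


def trust_findings(policy):
    """Return problems with a trust policy that should only let EC2 assume the role."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        # Anything other than a pure Service principal (e.g. "AWS": "*") is a finding.
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            findings.append(f"non-service principal in trust policy: {principal}")
            continue
        services = principal["Service"]
        for svc in [services] if isinstance(services, str) else services:
            if svc != "ec2.amazonaws.com":
                findings.append(f"unexpected trusted service: {svc}")
    return findings
```

Feed the real `describe-security-groups` and `get-role` output into these functions to get the same verdict the console walk-through asks you to confirm by eye.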
