Using an EC2 Instance Safely
Once launched, instances can be managed over the Internet. AWS has a number of services and resources to ensure that this management can be done simply and safely.
Addressing an instance
There are several ways in which an instance can be reached over the Internet after it is created:
Public Domain Name System (DNS) name: When you start an instance, AWS creates a DNS name that can be used to reach the instance. This DNS name is generated automatically and cannot be chosen by the client. The name can be found on the Description tab of the AWS Management Console, or through the Command Line Interface (CLI) or the Application Programming Interface (API). This DNS name persists only while the instance is running and cannot be transferred to another instance.
Public IP address: The instance can also have a public IP address assigned. This IP address is assigned from the address ranges reserved by AWS and cannot be chosen. It is unique on the Internet, persists only while the instance is running and cannot be transferred to another instance.
Elastic IP: An Elastic IP address is a unique Internet address that you reserve independently and associate with an Amazon EC2 instance. Although similar to a public IP, there are some important differences. This IP address persists until the client releases it and is not tied to the lifetime or state of an individual instance.
Amazon EC2 uses public-key encryption to encrypt and decrypt login information.
Public-key encryption uses a public key to encrypt a piece of data and the associated private key to decrypt it. Together these two keys are called a key pair. Key pairs can be created through the AWS Management Console, CLI, or API, or clients can upload their own key pairs.
AWS stores the public key and the private key is held by the client. The private key is essential to gaining secure access to an instance for the first time.
Store your private keys safely. When Amazon EC2 launches a Linux instance, the public key is stored in the /.ssh/authorized_keys file on the instance and the initial user is created. The initial user varies with the OS; for example, the initial user of the Amazon Linux distribution is ec2-user. Initial access to the instance is obtained by logging in via SSH as ec2-user with the private key. At this point, you can configure other users and join a directory, such as LDAP.
When you start a Windows instance, Amazon EC2 generates a random password for the local administrator account and encrypts it using the public key. Initial access to the instance is obtained by decrypting the password with the private key, either in the console or via the API. The decrypted password can be used to log in to the instance with the local administrator account via RDP. At this point, you can create other local users and/or join an Active Directory domain.
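The Windows password retrieval described above, modelled as an added example (not AWS code or code from this page) with the Python `cryptography` library: EC2's side, which encrypts the generated password with the key pair's public key (RSA PKCS#1 v1.5) and returns it base64-encoded as PasswordData, is simulated locally with a throw-away key pair, and the client side decrypts it with the private key, which is what `aws ec2 get-password-data --priv-launch-key` does for you.

```python
import base64

from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def decrypt_password_data(password_data_b64: str, private_key_pem: bytes) -> str:
    """Client side: recover the initial administrator password from the
    base64 PasswordData blob using the launch key pair's private key.

    EC2 encrypts the password with RSA PKCS#1 v1.5 padding, so only the
    holder of the private key can read it; AWS never sees the private key.
    """
    private_key = serialization.load_pem_private_key(private_key_pem, password=None)
    ciphertext = base64.b64decode(password_data_b64)
    return private_key.decrypt(ciphertext, padding.PKCS1v15()).decode("utf-8")


def simulate_ec2_password_data(plaintext_password: str, public_key) -> str:
    """Constructed stand-in for what EC2 does at launch: encrypt the generated
    password with the key pair's public key and return it base64-encoded."""
    ciphertext = public_key.encrypt(plaintext_password.encode("utf-8"), padding.PKCS1v15())
    return base64.b64encode(ciphertext).decode("ascii")


def demo_round_trip():
    """Generate a throw-away key pair (normally created via console/CLI/API),
    run both halves of the exchange and return (generated, recovered)."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    private_pem = private_key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.TraditionalOpenSSL,
        serialization.NoEncryption(),
    )
    # Constructed value standing in for the random password EC2 generates.
    generated = "Constructed-Example-Pa55w0rd!"
    blob = simulate_ec2_password_data(generated, private_key.public_key())
    return generated, decrypt_password_data(blob, private_pem)


if __name__ == "__main__":
    generated, recovered = demo_round_trip()
    print("round trip ok:", generated == recovered)
```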
It is a best practice to change the initial local administrator password