Initial Setup of Amazon Linux AMI in the EC2 Cloud

The following guide shows how in 10 easy steps you can connect to and perform a base configuration of an Amazon Linux AMI running in the EC2 cloud.  The configuration includes customization and important security settings.

Amazon’s native Linux AMIs are optimized for their cloud environment and are eligible for the free tier, which allows you to run your own Linux server free for a year.

The following tutorial assumes that you have registered for an AWS account, and have just launched a new EC2 instance based on one of the Amazon Linux AMIs. To start using your new Linux server, you’ll need to connect via SSH and manage it via the command-line interface (shell). Read on to learn how…

Step 1. Connect to the Instance

First things first, you need to connect to your shiny new Linux server. To do so, you will need access to a system with some sort of SSH client installed on it. If you have a Linux or Mac system, you can use SSH from the command line using the standard “ssh” command. If you’re using Windows, you can use the PuTTY program instead.

To connect, you need 2 things:

  1. The public hostname assigned to the instance by Amazon. While logged into your AWS account, click the EC2 tab, and go to “Instances”. Select the new instance  and note the “Public DNS” as listed in the instance “Description”. The hostname should look something like:
  2. The private key.  Typically, each Amazon AWS account has an associated keypair that’s assigned to each instance launched from that account. When you initially create the keypair, you’ll be prompted to save the private key as a “.pem” file. You need to store this file on the system where you’re using SSH to connect. If you forgot to download it, you can access it via the AWS menu by clicking on your account name at top and then selecting “Security Credentials”.

Once you have these things, you’re ready to connect via SSH. The default username is “ec2-user”. If you’re using SSH from the command-line, change into the directory where the “.pem” file is stored, and connect as follows:     ssh -i mykeypair.pem

If you’re using the Windows “PuTTY” program to connect, go to “Connection, Data” and input “ec2-user” as the username. Then go to “SSH, Auth” and browse to select the location of your “.pem” private key file.

Step 2. Add a New User Account

You’re now connected to your new Linux server. The first thing to do is add a new user account to use instead of the default user account. In this case, we’ll add a user account called “myadmin”:

  1. First, open a root shell: sudo -s
  2. Create the new user account: useradd myadmin
  3. Assign password to new user: passwd myadmin

Step 3. Configure SSH Server

Next, configure the SSH server to allow access via standard username/password logins (instead of the key). To edit the SSH config file and most other Linux config files, you’ll need to use a text editor program. The recommended one is vi, which gets invoked from the command-line as: vi FILE.

Follow these steps to configure the SSH server:

  1. Open file for editing: vi /etc/ssh/sshd_config
  2. Scroll down until you see the line that reads PasswordAuthentication no  … change the “no” to “yes”
  3. Save your changes by entering :wq

Once you are done updating the SSH config file, you must restart the SSH server to apply your changes. To do so, run the command /etc/init.d/sshd restart while logged in as root (sudo -s, see above).

Step 4. Further Lock Down SSH Server

This is optional, but usually a good idea. You can lock down SSH server security by adding an AllowUsers line to the SSH config file. You can add it anywhere. The directive is followed by a space-separated list of users who are allowed to connect, as in the following example:   AllowUsers myadmin myadmin1 myadmin2

With the above line in place, only those specific users will be allowed to log in via SSH. Remember that you have to restart the SSH  server (/etc/init.d/sshd restart) after making any changes to the config.
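
Steps 3 and 4 as a scripted edit, added here as an example and not part of the original tutorial: sshd uses the first value it reads for a keyword, and lines after a Match line apply only inside that block, so the script rewrites the first active PasswordAuthentication line and places AllowUsers above any Match block. The function names and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). sshd_effective, sshd_set and
# sample_config are hypothetical helper names; the sample config is constructed.

# Print the effective global value of KEYWORD: sshd keeps the first value it
# reads, and lines after "Match" only apply inside that block.
sshd_effective() {  # usage: sshd_effective FILE KEYWORD
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# Set KEYWORD globally: rewrite its first active line, comment out later global
# duplicates, or insert it above the first Match block (else at end of file).
sshd_set() {  # usage: sshd_set FILE KEYWORD VALUE...
    file=$1; key=$2; shift 2
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v val="$*" '
        tolower($1) == "match" && !in_match {
            if (!seen) { print key " " val; seen = 1 }
            in_match = 1
        }
        !in_match && tolower($1) == tolower(key) {
            if (!seen) { print key " " val; seen = 1 } else print "#" $0
            next
        }
        { print }
        END { if (!seen) print key " " val }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"; rc=$?
    rm -f "$tmp"; return $rc
}

# Constructed sample resembling a stock sshd_config with a trailing Match block.
sample_config() {  # usage: sample_config FILE
    printf '%s\n' '#PasswordAuthentication yes' 'PasswordAuthentication no' \
        'UsePAM yes' 'PasswordAuthentication no' \
        'Match User backup' '    PasswordAuthentication no' > "$1"
}

# Work on a scratch copy, never on /etc/ssh/sshd_config directly.
cfg=$(mktemp) && sample_config "$cfg"
sshd_set "$cfg" PasswordAuthentication yes
sshd_set "$cfg" AllowUsers myadmin myadmin1 myadmin2
cat "$cfg"
rm -f "$cfg"
```

After an edited file is copied into place on the instance, running sshd -t as root checks the configuration for errors before the restart.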

Step 5. Test New SSH Connection

Once you’ve added your new user account(s) and re-configured SSH, make absolutely sure that you can log into it again before closing your existing session!!!

In other words, keep your active SSH session open, and try initiating an additional SSH connection using the new user account you have configured. If you are able to log in, you’re good to go. Otherwise, check your SSH config file again and make sure you’ve followed the above steps.

Step 6. Set New Root Password

Next, set a new root password. For security reasons, set something different than for your main user account. To change the root password, simply run the passwd command while logged in as root. You’ll be prompted to change it.

Once you’ve set the new root password, make sure that you can open a root shell by running the su command and entering the new password.

Step 7. Get Rid of Default User

Now that you have a custom user account with SSH access and a working root password, you should get rid of the default “ec2-user” account for security reasons. To do so, use the following steps:

  1. Lock the account by running this command as root:    passwd -l ec2-user
  2. Remove the account from the “/etc/sudoers” file. To do so, run the visudo command, find the line for the “ec2-user” account, either delete it or comment it out, and then save (:wq) your changes.

Step 8. Set Hostname

You can set a new hostname, which will be displayed in the command prompt so you can make sure that you’re in the right place. To change the hostname, make sure you’re logged in as root and run the command: hostname NAME

The name you set with the above command will not be saved if the system gets rebooted. To make it permanent, edit the “/etc/sysconfig/network” file  and set the name in the line: HOSTNAME=NAME

Step 9. Set Timezone

All Amazon instances are in GMT time by default. To make sure that logs and such reflect the correct times, you should set the correct local timezone. To do so, you first point the “/etc/localtime” file at the correct timezone data file, and then edit the “/etc/sysconfig/clock” file to ensure that the correct timezone gets applied the next time the system reboots.

In the following example, we set the local timezone to US Eastern Time via the America/New_York timezone data:

  1. Update “/etc/localtime” link:  ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime
  2. Make the change permanent by adding the following line to the "/etc/sysconfig/clock" file: ZONE="America/New_York"

Step 10. Set Login Message

The last thing that you should consider doing is setting up a custom login message to display whenever a user logs in. The main file used to set this is “/etc/motd”, but on some of the new Amazon AMI versions you may need to set it in one of the files in the “/etc/update-motd.d/” directory instead.

…At this point, you’re all set! The next thing to do is start adding new software to the instance. This will be discussed in a future post.
