Category: EC2

AWS Nitro Enclaves create isolated compute environments within EC2 instances that process highly sensitive data with hardware-enforced isolation. Even root users and AWS administrators cannot access data inside a running enclave—only cryptographically verified code can decrypt and process your secrets.

Key Takeaways

AWS Nitro Enclaves partition CPU and memory from your EC2 instance to create an isolated execution environment with no persistent storage, no interactive access, and no external networking. Enclaves communicate with the parent instance exclusively through virtual sockets (vsock). Cryptographic attestation proves which exact code is running before AWS KMS releases encryption keys. This enables you to process PII, financial data, healthcare records, and private keys while meeting compliance requirements like HIPAA, PCI-DSS, and GDPR. You pay only standard EC2 costs with no additional charges for the enclave capability.

What AWS Nitro Enclaves Actually Are

Think of a Nitro Enclave as a hardened virtual machine carved from your EC2 instance. When you create an enclave, AWS allocates dedicated CPU cores and memory from your parent instance to run completely isolated workloads.

The isolation happens at the hardware level through the Nitro Hypervisor. Your enclave has:

• Its own dedicated CPU cores (not shared)
• Its own memory partition (completely separate)
• No persistent storage (everything lives in RAM)
• No network access (except to AWS KMS)
• No SSH, console, or interactive access

The only way to communicate with an enclave is through a local socket connection called vsock. This creates a secure channel between your parent EC2 instance and the enclave using standard POSIX socket APIs.

How Cryptographic Attestation Works

Attestation is where enclaves get interesting. Before processing sensitive data, you need proof that the correct code is running—not compromised code or a different version.

When your enclave starts, it generates an attestation document cryptographically signed by the AWS Nitro Attestation PKI. This document contains cryptographic hashes of your enclave image and the exact container version running inside.

Here’s what makes this powerful: You configure AWS KMS key policies to verify these attestation measurements before decrypting data. This means encrypted data only decrypts when running inside the exact Docker image you specified—not just when the right IAM user requests it.

Gotcha: Attestation only proves the specified container is running. It doesn’t guarantee your code is secure or bug-free. You still need rigorous security reviews.

Communication Through Virtual Sockets

Vsock is the lifeline between your enclave and the outside world. You build a client-server architecture where the parent EC2 instance and enclave exchange data through socket connections using Context IDs (CID) and port numbers.

The parent instance gets CID 3. Each enclave receives a unique CID starting from 4. You write code on both sides using familiar socket APIs: connect, listen, accept.

Warning: Socket programming in enclaves requires careful error handling. If you don’t retry on EINTR errors, you’ll drop valid connections. If you don’t handle zero-length returns from recv(), you’ll create infinite loops when peers disconnect.

I’ve seen production enclaves go down because developers forgot to implement connection timeouts. Without timeouts, a single user can occupy a socket indefinitely and block everyone else.

Which EC2 Instances Support Enclaves

Nitro Enclaves work on most Graviton, Intel, and AMD Nitro System instances including M5, C5, R5 families and newer. Your parent instance needs at least 2 vCPUs.

But here’s the catch: Many small instance sizes don’t work. All .metal instances are excluded. T3 instances don’t work. Most .large sizes in Intel/AMD families won’t work either.

Generally, use at least .xlarge instances for Intel/AMD and .large for Graviton. Verify compatibility before enabling enclaves—the exception list is extensive.

Real-World Use Cases

Nitro Enclaves shine when you need to process sensitive data without exposing it to privileged users or administrators.

Financial services use enclaves to tokenize credit card numbers. The plaintext card data enters the enclave, gets tokenized using keys only the enclave can access, and the token exits—the parent instance never sees the actual card number.

Healthcare platforms process HIPAA-protected patient data inside enclaves where even their own DevOps teams can’t access the information.

Web3 applications run hosted wallet services where private keys never leave the enclave. ACINQ runs Lightning Network nodes with “nearly no code modifications” to protect payment channel keys.

Multi-party computation becomes practical when all parties encrypt data with AWS KMS and trust the attested enclave code to process combined inputs. But remember: all parties must use AWS KMS—there’s no cross-cloud compatibility with Google or Azure key management services.

Critical Security Limitations

Enclaves are vulnerable to timing side-channel attacks. The parent EC2 instance can make nearly system-clock-precise time measurements. If your code takes 1.2 seconds to encrypt dog images but 1.0 seconds for cat images, attackers can deduce content without breaking encryption.

You must implement all cryptographic operations in constant time. Network jitter provides no protection in this threat model.

L3 cache side-channels are another concern. Enclaves may share L3 cache with the parent instance when they don’t occupy a full NUMA node. Recent research shows these attacks work in public clouds. For highly sensitive workloads, allocate a full NUMA node or experiment with Intel’s Cache Allocation Technology.

Treat your parent instance as adversary-controlled. Implement socket timeouts and async connection handling to prevent denial-of-service through vsock blocking. Keep error messages generic to prevent information leakage and oracle attacks.

Memory and Resource Constraints

Everything your enclave needs must fit in RAM. There’s no persistent storage. The enclave’s init process doesn’t mount a new root filesystem—it keeps the initial initramfs, limiting filesystem size to about 40-50% of total RAM.

This makes memory expensive and constraining. For large-scale data processing, you’ll pass data in chunks with encryption/decryption overhead at each boundary.

You also can’t access PCI devices like GPUs. This is a hard limitation with no workaround. Compute-intensive workloads requiring GPU acceleration can’t leverage Nitro Enclaves.

You can run up to four enclaves per parent instance. Each enclave is isolated from the others—they can’t communicate directly. When the parent instance stops or terminates, all enclaves automatically terminate and lose any processing state.

AWS KMS Integration

Enclaves communicate directly with AWS KMS over TLS without going through the parent instance. This enables attestation-based key policies that validate enclave measurements before allowing cryptographic operations.

Traditional KMS policies control *who* can decrypt data. Attestation-based policies control *which exact code* can decrypt data. This distinction matters when protecting against privileged user threats.

AWS Certificate Manager for Nitro Enclaves provisions SSL/TLS certificates with private keys isolated in the enclave. The parent instance can’t access the private keys. ACM handles automatic certificate renewal within the enclave and integrates with NGINX 1.18+.

Debugging Challenges

Debugging enclave applications is painful. You lose access except through the vsock connection—no console messages, no logs, no visibility except socket input and output.

Design your application architecture with comprehensive logging and monitoring through the socket interface before deployment. You won’t have traditional troubleshooting access afterward.

Verify your clock source is set to kvm-clock, not TSC. I’ve seen enclaves boot with dates like November 30, 1999 when using TSC in virtualized environments, breaking TLS certificate validation.

Check at runtime that rng_current is set to nsm-hwrng to ensure the AWS Nitro RNG is active. Use getrandom() for randomness—don’t call nsm_get_random() directly as it bypasses the kernel’s entropy mixing.

Getting Started

Install the Nitro Enclaves CLI and SDK on a supported EC2 instance. Both Linux and Windows parent instances work, though enclaves themselves must run Linux.

Build your enclave image file (.eif) using the CLI tools. This packages your application container with the necessary enclave runtime.

Key commands include build-enclave, run-enclave, describe-enclaves, and terminate-enclave. Your application needs code both inside the enclave and on the parent instance that communicate via vsock.

For production deployments, use Infrastructure as Code tools like CloudFormation or CDK. The configuration complexity typically requires engaging an AWS DevOps engineer for large-scale implementations.

Regional Availability and Pricing

Nitro Enclaves is supported in all standard AWS Regions and GovCloud. It’s not available in Local Zones, Wavelength Zones, or on AWS Outposts.

There are no additional charges for Nitro Enclaves beyond standard EC2 instance costs. You pay for the instance size you need to allocate sufficient CPU and memory to both the parent and enclave.

You cannot enable both hibernation and enclaves on the same instance. Choose based on your use case requirements.

Conclusion

AWS Nitro Enclaves provide hardware-enforced isolation for processing sensitive data within EC2 instances. The combination of cryptographic attestation and KMS integration enables you to prove which exact code is accessing your encrypted data—not just which user requested it. You trade convenience (no persistent storage, limited debugging, memory constraints) for strong isolation guarantees that even AWS administrators cannot bypass. This makes enclaves suitable for regulatory compliance scenarios, multi-party computation, and protecting cryptographic keys, but requires careful architecture around constant-time programming, side-channel protection, and vsock communication patterns.

EC2 Reserved Instances let you commit to using specific instance types for 1 or 3 years in exchange for significant discounts (up to 72% off), while Spot Instances let you bid on unused EC2 capacity at up to 90% off, but AWS can terminate them with just a 2-minute warning when they need the capacity back.

Key Takeaways

Reserved Instances require a 1 or 3-year commitment and guarantee capacity, making them ideal for steady-state workloads like databases and web servers. Spot Instances offer deeper discounts but can be interrupted anytime, making them suitable for fault-tolerant workloads like batch processing, data analysis, and CI/CD jobs. Reserved Instances provide cost predictability, while Spot Instances require architectural resilience to handle sudden terminations.

Reserved Instances: Commit and Save

When you purchase a Reserved Instance, you’re making a capacity reservation with AWS. You commit to a specific instance type, operating system, and region for either one or three years. In return, AWS gives you a discount compared to On-Demand pricing.

You have three payment options: All Upfront (pay everything now for maximum discount), Partial Upfront (pay some now, the rest monthly), or No Upfront (pay monthly with a smaller discount). The All Upfront option gives you the best rates, but ties up your capital.

Gotcha: Reserved Instances aren’t actual instances. They’re billing discounts that apply to matching On-Demand instances you launch. I’ve seen teams buy Reserved Instances thinking they’re pre-provisioned servers sitting ready to use. They’re not. You still launch instances normally, and the discount applies automatically.

Standard Reserved Instances lock you into a specific instance family and size. Convertible Reserved Instances cost slightly more but let you change instance families, operating systems, or tenancy during the term. This flexibility matters when your workload requirements evolve.

Use Reserved Instances for workloads that run continuously: production databases, domain controllers, monitoring systems, or always-on application servers. If you know you’ll need specific capacity for the next year or three, Reserved Instances make financial sense.

Spot Instances: High Risk, High Reward

Spot Instances use AWS’s unused capacity. You specify the maximum price you’re willing to pay, and as long as the Spot price stays below your maximum, your instances run. When demand increases and the Spot price exceeds your maximum (or AWS needs the capacity), you get a 2-minute warning before termination.

That 2-minute warning is critical. Your application needs to handle it gracefully. AWS sends a termination notice through instance metadata and CloudWatch Events. You should checkpoint your work, save state, or gracefully shut down within those 120 seconds.

Warning: Spot Instances can terminate in the middle of processing. I learned this the hard way running a video encoding job that lost 6 hours of progress because I didn’t implement checkpointing. Always design for interruption.

Spot pricing varies by instance type and availability zone. You can see historical pricing in the EC2 console. Some instance types in certain zones almost never get interrupted, while others fluctuate wildly. Check the interruption frequency rating AWS provides for each instance type.

Spot Instances work brilliantly for stateless, fault-tolerant workloads: batch processing, big data analytics, containerized applications with auto-scaling, CI/CD pipelines, web crawlers, and rendering farms. Anything that can checkpoint progress or restart without data loss is a good candidate.

You can also use Spot Fleets, which request multiple instance types across multiple availability zones. This diversification reduces your interruption risk. If one instance type becomes expensive or unavailable, the fleet automatically launches different types to maintain your target capacity.

Gotcha: Spot Instances don’t work with all AWS services. You can’t use them with RDS, for example. But you can use them with ECS, EKS, EMR, and Batch. Always check service compatibility before planning your architecture.

When to Use Each

Choose Reserved Instances when you need guaranteed capacity and can forecast demand. Your production database that runs 24/7? Reserved Instance. Your application servers that need to be available for customers? Reserved Instances for the baseline capacity.

Choose Spot Instances when you can tolerate interruptions and your workload is flexible. Your nightly ETL job? Spot Instances. Your Jenkins build agents? Spot Instances. Your Kubernetes worker nodes that can drain gracefully? Spot Instances.

Many teams use both. They run baseline capacity on Reserved Instances and handle burst traffic or batch processing with Spot Instances. This hybrid approach balances cost savings with reliability.

One more consideration: commitment level. Reserved Instances require planning and lock you in. If your business is unpredictable or you’re in a growth phase where requirements change rapidly, that commitment becomes risky. Spot Instances give you massive savings without long-term obligations, but require engineering effort to handle interruptions properly.

Conclusion

Reserved Instances trade commitment for cost savings and capacity guarantees, making them perfect for predictable, always-on workloads. Spot Instances offer deeper discounts by using spare capacity, but can be interrupted with minimal notice, requiring your applications to be fault-tolerant. The best cost optimization strategy often combines both: use Reserved Instances for your baseline capacity and Spot Instances for flexible, interruptible workloads. Choose based on your workload characteristics, risk tolerance, and ability to engineer for interruption handling.

AWS Secrets Manager and Systems Manager Parameter Store are both AWS services for storing configuration data and secrets, but they serve different purposes: Secrets Manager is purpose-built for managing sensitive credentials with automatic rotation, encryption, and fine-grained access control, while Parameter Store is a general-purpose configuration store that can handle both secrets and non-sensitive parameters at a lower cost with simpler features.

Key Takeaways

Secrets Manager costs $0.40 per secret per month plus API call charges, while Parameter Store standard parameters are free and advanced parameters cost $0.05 per month. Secrets Manager provides automatic secret rotation, cross-region replication, and generates random secrets, features that Parameter Store lacks. Parameter Store offers higher throughput (10,000 TPS vs 5,000 TPS) and stores configuration data alongside secrets in a hierarchical structure. Secrets Manager encrypts all secrets by default using KMS, while Parameter Store supports both encrypted (SecureString) and plaintext parameters. Choose Secrets Manager for database credentials and API keys requiring rotation, Parameter Store for application configuration, feature flags, and cost-sensitive deployments with simple secrets.

What They Are

AWS Secrets Manager

Secrets Manager is a dedicated secrets management service designed specifically for storing and rotating sensitive information like database credentials, API keys, and OAuth tokens. It focuses on the complete lifecycle of secrets—creation, rotation, access control, and auditing.

The service includes built-in rotation capabilities for common databases like RDS, DocumentDB, and Redshift. You can also implement custom rotation logic using Lambda functions. Secrets Manager handles the complexity of updating credentials without causing application downtime.

All secrets are encrypted at rest using AWS KMS keys. The service integrates tightly with AWS services like RDS, which can create and rotate database credentials automatically without manual intervention.

Systems Manager Parameter Store

Parameter Store is part of AWS Systems Manager and serves as a general-purpose configuration store. It holds both secrets and non-sensitive data like configuration values, AMI IDs, license codes, and feature flags.

The service organizes parameters in a hierarchical structure using paths like /production/database/endpoint or /dev/api/timeout. This structure makes it easy to retrieve related parameters and manage permissions at different levels.

Parameter Store supports three parameter types: String for plaintext data, StringList for comma-separated values, and SecureString for encrypted secrets using KMS. You choose encryption based on sensitivity rather than having all values encrypted by default.

Pricing Comparison

Secrets Manager Costs

Secrets Manager charges $0.40 per secret per month, prorated hourly. A secret stored for 15 days costs approximately $0.20. If you store 100 database credentials, the monthly cost is $40 just for storage.

API calls cost $0.05 per 10,000 calls. Applications frequently retrieving secrets can accumulate significant API charges. A service making 1 million requests per month pays $5 in API fees.

There’s no free tier. Even a single secret costs $0.40 monthly. For small deployments with few secrets, this adds up quickly compared to free alternatives.

Parameter Store Costs

Standard parameters are completely free. You can store up to 10,000 parameters at no charge. Standard parameters support up to 4 KB of data, standard throughput (40 TPS per region), and don’t support parameter policies.

Advanced parameters cost $0.05 per parameter per month. These support up to 8 KB of data, higher throughput (1,000 TPS initially, 10,000 with limits increase), and parameter policies for expiration and notifications. Storing 100 advanced parameters costs $5 monthly.

API calls to Parameter Store are free regardless of volume. Applications can retrieve parameters millions of times without incurring API charges, making it cost-effective for high-traffic scenarios.

Cost Comparison Example

For 10 database credentials retrieved 100,000 times monthly: Secrets Manager costs $4.50 ($4 storage + $0.50 API calls). Parameter Store with advanced parameters costs $0.50 (storage only, free API calls). Parameter Store with standard parameters costs nothing.

The cost difference becomes substantial at scale. One hundred secrets cost $40/month in Secrets Manager versus $5/month for Parameter Store advanced parameters or free for standard parameters.

Secret Rotation

Secrets Manager Rotation

Secrets Manager provides automatic rotation out of the box. For supported databases like RDS MySQL, PostgreSQL, Oracle, and SQL Server, you enable rotation with a few clicks. Secrets Manager creates a Lambda function that handles the entire rotation process.

The rotation process follows AWS best practices: create new credentials, update the secret, verify the new credentials work, then mark them as current. Applications automatically get new credentials on the next retrieval without code changes.

You can configure rotation schedules from every few days to once a year. Secrets Manager sends CloudWatch Events when rotation succeeds or fails, enabling monitoring and alerting.

For custom secrets like third-party API keys, you write Lambda functions implementing rotation logic. Secrets Manager provides a rotation template and handles scheduling, but you implement the actual credential update with the external service.

Parameter Store Rotation

Parameter Store has no built-in rotation capability. If you need to rotate secrets stored in Parameter Store, you must build the entire system yourself.

You’d create Lambda functions triggered by CloudWatch Events, implement rotation logic, update parameters, and handle failures. This requires significant development and maintenance effort.

Parameter policies provide expiration notifications. You can configure a parameter to send CloudWatch Events before it expires, triggering manual or automated rotation workflows. However, this is just notification—the actual rotation logic is entirely your responsibility.

Features and Capabilities

Secrets Manager Features

Secrets Manager can generate random passwords and secrets. When creating a database credential, it generates complex passwords meeting your requirements without you having to create them manually.

Cross-region replication automatically copies secrets to multiple regions. This ensures availability during regional failures and simplifies multi-region deployments. Replicated secrets stay synchronized—rotating in one region updates all replicas.

Secret versioning maintains previous versions automatically. You can retrieve older versions by version ID or staging labels. Applications can test new credentials before promoting them to production.

Resource-based policies attach directly to secrets, allowing cross-account access without modifying IAM roles in other accounts. This simplifies secrets sharing across organizational boundaries.

Parameter Store Features

Hierarchical organization lets you structure parameters logically. You can retrieve all parameters under a path with a single API call, useful for loading application configuration at startup.

Parameter Store integrates with AWS services like EC2, ECS, Lambda, and CloudFormation. You can reference parameters directly in CloudFormation templates or pass them to containers as environment variables.

Parameter policies (advanced parameters only) enable expiration dates and change notifications. You can set parameters to expire after a certain time, triggering alerts to rotate or update them.

Parameter Store supports parameter labels for versioning. You can create labels pointing to specific versions, though this is less sophisticated than Secrets Manager’s staging label system.

Public parameters provide access to AWS-published data like AMI IDs and service endpoints. You can query the latest Amazon Linux AMI without hardcoding IDs.

Encryption

Secrets Manager Encryption

All secrets are encrypted at rest using AWS KMS. You cannot store unencrypted secrets in Secrets Manager. This enforces security best practices but means you must use KMS encryption for everything.

You choose between AWS managed keys (free) or customer managed keys (KMS charges apply). Customer managed keys provide more control over key policies, rotation, and auditing.

Secrets are encrypted in transit using TLS. The service never exposes secrets in plaintext outside secure API calls.

Parameter Store Encryption

Parameter Store offers three parameter types. String and StringList types store data in plaintext without encryption. Use these for non-sensitive configuration like region names or feature flags.

SecureString parameters encrypt data using KMS. You specify the KMS key when creating the parameter. This gives you flexibility—encrypt secrets while keeping non-sensitive data unencrypted to avoid unnecessary KMS costs.

You can use AWS managed keys or customer managed keys for SecureString encryption. Each SecureString retrieval incurs a KMS API call, contributing to KMS costs and potential throttling at high volumes.

Performance and Limits

Secrets Manager Limits

Secrets Manager supports up to 5,000 API requests per second per account per region. For most applications, this is sufficient, but high-traffic services might hit throttling limits.

Each secret can store up to 65,536 bytes (64 KB) of data. You can store complex JSON structures containing multiple credentials in a single secret.

You can store up to 500,000 secrets per region per account. This limit is rarely a concern for typical workloads.

Parameter Store Limits

Standard parameters support 40 requests per second per region. This is much lower than Secrets Manager and can cause throttling for high-traffic applications.

Advanced parameters support higher throughput: 1,000 TPS initially, increasable to 10,000 TPS through service limit requests. This makes Parameter Store suitable for high-volume scenarios when using advanced parameters.

Standard parameters hold up to 4 KB of data, advanced parameters up to 8 KB. For larger configuration data, you might need to split across multiple parameters or use alternative storage like S3.

You can store up to 10,000 parameters per account per region. This includes all parameter types. Organizations with extensive configuration needs might hit this limit and need to request increases.

Integration with AWS Services

Secrets Manager Integration

RDS and Aurora integrate directly with Secrets Manager. You can create a database with credentials stored and rotated by Secrets Manager automatically. The database and secret are linked, simplifying credential management.

ECS and EKS can inject secrets as environment variables or mount them as files. Applications retrieve secrets without calling AWS APIs directly, reducing code complexity.

CloudFormation supports dynamic references to Secrets Manager, letting you use secrets in templates without exposing them in plaintext.

Parameter Store Integration

Parameter Store integrates with more AWS services due to its broader purpose. EC2 instances can reference parameters in user data scripts. Lambda functions read parameters at startup or runtime.

CloudFormation supports dynamic references and AWS::SSM::Parameter resources. You can reference parameters without including actual values in templates.

Systems Manager automation documents and Run Command can retrieve parameters for executing tasks across fleets of instances.

AppConfig integrates with Parameter Store for feature flag and configuration management with deployment strategies like gradual rollouts and validation.

Access Control

Secrets Manager Access Control

Secrets Manager supports both IAM policies and resource-based policies. IAM policies control what users and roles can do with secrets. Resource-based policies attach to individual secrets, defining who can access them.

Resource-based policies simplify cross-account access. You attach a policy to a secret granting another account permission without modifying IAM roles in that account.

You can restrict access to specific secret versions or rotation operations. Fine-grained permissions let you limit who can rotate secrets versus who can only read them.

Parameter Store Access Control

Parameter Store uses IAM policies exclusively. You grant permissions using IAM roles and policies based on parameter names or paths.

The hierarchical structure enables path-based permissions. You can grant access to all parameters under /production/* while denying access to /production/database/*, creating flexible security boundaries.

Tags on parameters enable attribute-based access control. You can create IAM policies that grant access based on parameter tags rather than explicit parameter names.

Monitoring and Auditing

Both services integrate with CloudTrail for auditing API calls. You can see who accessed which secrets or parameters and when.

Secrets Manager provides CloudWatch Events for rotation success, rotation failure, and secret deletion. You can build alerting and automation around secret lifecycle events.

Parameter Store generates CloudWatch Events for parameter changes and expiration (advanced parameters). You can trigger Lambda functions or notifications when parameters are updated.

Both services publish CloudWatch metrics. Secrets Manager tracks API call counts and errors. Parameter Store tracks similar metrics and supports custom dashboards for monitoring parameter access patterns.

When to Use Secrets Manager

Use Secrets Manager for database credentials that require automatic rotation. The built-in RDS integration and rotation capabilities save significant development effort and reduce security risk from stale credentials.

Choose Secrets Manager for API keys and OAuth tokens from third-party services when you need rotation. While you’ll implement custom rotation logic, the framework and scheduling are handled for you.

Secrets Manager makes sense when you need cross-region replication for disaster recovery or multi-region deployments. The automatic synchronization simplifies architecture.

<

Amazon EC2 (Elastic Compute Cloud) is a cornerstone AWS service that provides resizable virtual servers, known as “instances,” in the cloud. It allows you to run applications on the AWS infrastructure, giving you complete control over your computing resources, including the operating system, networking, and storage, much like a physical server but with the elastic scalability and pay-as-you-go flexibility of the cloud.

Key Takeaways

• EC2 provides virtual servers called “Instances.” This is the fundamental compute service in AWS.
• Instances are launched from an Amazon Machine Image (AMI), which is a template containing the operating system and software.
• Instance Types define the hardware profile of your instance, including CPU, memory, storage, and networking capacity (e.g., t2.micro, c5.large).
• Security Groups act as a virtual, stateful firewall for an instance, controlling inbound and outbound traffic. By default, all inbound traffic is denied.
• Key Pairs are used for securely connecting to Linux instances via SSH. You download the private key, and AWS stores the public key.
• Instances get a Private IP Address from their VPC subnet and can optionally have a Public IP Address for internet access.

AWS EC2 Explained

Now that we understand the basics of AWS, let’s look at the most fundamental compute service: Amazon Elastic Compute Cloud, or EC2. If you need to run a web server, an application server, or even a virtual router in the cloud, EC2 is where you will start. We’re going to dive into the core components you need to know to launch and connect to your first virtual server.

Core Components of an EC2 Instance

When we launch an EC2 instance, we are essentially building a virtual server from a set of components. Let’s look at the most important ones.

• Amazon Machine Image (AMI): An AMI is a pre-configured template for your instance. It includes the operating system (e.g., Amazon Linux, Ubuntu, Windows Server) and can also include pre-installed application software. You can choose from AMIs provided by AWS, the AWS Marketplace, or even create your own.
• Instance Type: This determines the hardware resources for your instance. AWS offers a wide variety of instance types optimized for different tasks. For example, “t” series (like t2.micro) are general-purpose and burstable, while “c” series are compute-optimized. Your choice affects both performance and cost.
• Amazon EBS (Elastic Block Store): EBS provides persistent block-level storage volumes for use with EC2 instances. Think of an EBS volume as a virtual hard drive. It persists independently from the life of an instance, so if you terminate the instance, the data on the EBS volume can be preserved.
• Networking: When you launch an instance, it must be placed in a VPC (Virtual Private Cloud) and a specific Subnet within that VPC. It automatically receives a private IP address from the subnet’s range and can optionally be assigned a public IP address for internet connectivity.
• Security Group: This is a virtual firewall for your EC2 instance that controls inbound and outbound traffic. Security groups are stateful, meaning if you allow an inbound connection, the return traffic is automatically allowed. By default, security groups block all incoming traffic.
• Key Pair: For Linux instances, a key pair is used to securely authenticate when you connect via SSH. It consists of a public key that AWS stores on the instance and a private key that you download and store securely. You cannot download the private key after you create it, so you must save it in a safe place.

Let’s Launch an EC2 Instance

Let’s walk through the high-level steps to launch a basic EC2 instance in the AWS Console. This process beautifully illustrates how all the components come together.

1. In the AWS Console, navigate to the EC2 service and click Launch instances.
2. Choose an AMI: We’ll start by selecting an AMI. A good choice for beginners is the “Amazon Linux” AMI, which is maintained by AWS and is eligible for the Free Tier.
3. Choose an Instance Type: Next, we select the hardware. The t2.micro instance type is also Free Tier eligible and is perfect for learning and small tests.
4. Configure a Key Pair: This is a critical step for access. We’ll be prompted to create a new key pair. Give it a name (e.g., aws-key) and download the .pem file. Store this file securely!
5. Network Settings: Here we can select the VPC and subnet. For now, the default VPC is fine. We will also configure the Security Group. Click “Edit” and create a new security group that allows inbound SSH traffic (port 22) from your current IP address for security. Without this rule, you won’t be able to connect.
6. Launch: Review the summary and click Launch instance. In a minute or two, your virtual server will be running in the cloud!

Connecting to Our Instance

Once the instance state is “running,” we can connect to it. Select the instance in the console, and in the details pane, find its Public IPv4 address.

Using a terminal on your local machine (macOS, Linux, or Windows with WSL/PuTTY), you can connect using SSH. The command will look like this. Make sure you are in the same directory where you saved your .pem key file.

# First, ensure your key file has the correct permissions
chmod 400 aws-key.pem

# Connect to the instance using SSH
ssh -i "aws-key.pem" ec2-user@YOUR_PUBLIC_IP_ADDRESS

Replace YOUR_PUBLIC_IP_ADDRESS with the IP of your instance. The default username for Amazon Linux is `ec2-user`. If you successfully connect, you’ll have a command prompt on your new cloud server!

Conclusion

We’ve now seen how Amazon EC2 acts as the foundational compute service within AWS. We learned that an instance is a virtual server built from components like an AMI, an instance type, and EBS storage. We also covered the critical role of networking, Security Groups, and key pairs in launching and securing our instance. Having hands-on experience launching and connecting to an EC2 instance is a fundamental skill for anyone working with AWS and is a core topic in certifications like the AWS Certified Solutions Architect.