Monday, April 21, 2025

How to Connect (ssh) into an Instance with the PowerShell Command Prompt | Overview & Hands-On.


An Overview and Hands-On to Connect (ssh) into an Instance with the PowerShell Command Prompt.

Focus:

  • Tailored for SRE, DevOps, Cloud, and DevSecOps Engineers

Breakdown:

  • Intro,
  • Versions and Availability,
  • Core Features,
  • Getting Started,
  • Project: Hands-On (SSH from PowerShell into EC2)
  • How twtech changes the security permissions on key.pem on the local machine (Windows 11) via the UI, so that only the local user keeps (full) access,
  • How twtech troubleshoots ssh issues.
Intro:

  • PowerShell is a cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework
  • Unlike many other shells that return text, PowerShell is built on the .NET framework and processes objects.
Versions and Availability
Windows PowerShell (5.1):
  • Built on the .NET Framework and specific to Windows.
  • It is preinstalled on Windows 10 and 11 but is no longer actively developed beyond security updates.
PowerShell (7+):
  • Formerly "PowerShell Core," this is the modern, open-source version built on .NET.
  • It is cross-platform and available for Windows, macOS, and Linux.
2025 Updates:
  •  Recent developments in 2025 include the retirement of legacy MSOnline and AzureAD modules in favor of the Microsoft Graph SDK.
Core Features
Cmdlets:
  • Built-in small commands (pronounced "command-lets") that perform specific operations and typically follow a Verb-Noun structure (e.g., Get-Service).
Pipelines:
  • Allow the output of one command to be passed as the input to another.
  • Because PowerShell passes objects rather than text, data remains structured and easy to manipulate.
Modules: 
  • Packages that contain PowerShell members (cmdlets, functions, variables) to manage specific technologies like Azure, AWS, or SQL.
Desired State Configuration (DSC): 
  • A management framework that allows twtech to manage IT infrastructure as code by defining declarative configurations.
Getting Started
Opening PowerShell:
  • On Windows, type "PowerShell" in the Start menu or press Win + R and type powershell. To run as an administrator, right-click and select Run as Administrator.
Modern Editor:
  • While the legacy Integrated Scripting Environment (ISE) still exists, Microsoft recommends Visual Studio Code (https://code.visualstudio.com/) with the PowerShell extension (https://marketplace.visualstudio.com/items?itemName=ms-vscode.PowerShell) for all development.
Command Discovery:
  • Use Get-Help to read the instructions for any command, and Get-Command to list all available cmdlets.
Community Resources: 

        https://www.powershellgallery.com/ 


Project: Hands-On.
  • How twtech uses PowerShell to connect (SSH) into its EC2 instances.
Step-1:
  • From the local machine, search for: PowerShell

Or

Win + R

Then run: powershell

Then: OK


Step-2:

  • twtech verifies that the OpenSSH client is available in PowerShell; running the command with no arguments should print the ssh usage text, not "not recognized":

ssh 

Step-3:

  • From the EC2 console, note the key pair name and the public IP address (hostname) of the running instance. The key.pem is the private key that was downloaded when the key pair was created; it is never fetched from the instance. The connection command takes the form:

ssh -i .\devsecopspat.pem ubuntu@18.191.xxx.197

Step-4:

  • Navigate to the directory of the: key.pem

cd ~/Downloads

Step-5:

  • List the directory contents to verify that the key.pem (devsecopspat.pem) is present in the directory.

Step-6:

  • Go to the running instance and make sure inbound TCP port 22 (SSH) is open on the EC2 instance security group (twtech-db-server). Restrict the source to the address twtech connects from rather than 0.0.0.0/0 where possible.
  • From the instance's Connect page (SSH client tab), copy the ssh command to run in the PowerShell terminal.

Step-7:

  • Go back to PowerShell and run the copied SSH client command, or simply run:

ssh -i .\devsecopspat.pem ubuntu@18.191.xxx.197

Step-8:

  • twtech changes the security permissions on key.pem via the UI so that only the local user has access. This is required: the OpenSSH client refuses to use a private key file whose permissions are too open.
  • Go to the directory with the key.pem.
  • Right-click on the key and navigate to Properties.
  • Go to the Security tab, then Advanced.
  • Make sure the owner of the file is the local user. If it is not, change the owner: type the user name devsecopspat35, then OK to save the change.
  • Remove SYSTEM; it does not need access to the key.pem.
  • Disable inheritance, then choose "Remove all inherited permissions from this object", which drops every inherited entry.
  • Add a new permission entry: Select a principal, type the principal name devsecopspat35, use Check Names, then OK.
  • Give devsecopspat35 Full control over the key.pem (devsecopspat.pem).


  • Verify that user devsecopspat35 has Full control of the key.pem and click OK.
  • Verify that devsecopspat35 is the only principal listed with permissions on the key.




Step-9:

  • twtech tests the newly configured key.pem (devsecopspat.pem)
  • SSH into the server again from PowerShell

ssh -i .\devsecopspat.pem ubuntu@18.191.xxx.197

  • Successful
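The Step-1 to Step-9 procedure above, done from the PowerShell prompt instead of the file Properties dialog. This is an added example, not code from the original post: it assumes the key is ~\Downloads\devsecopspat.pem, that the account running the shell is the one that should own the key, and that the host string is the placeholder from the post (replace it with the instance's current public IP or DNS name). It grants the user Read rather than Full control, which is all the ssh client needs; the UI steps in the post grant Full control, which also passes the OpenSSH permission check.

```powershell
# Added example, not from the original post. Assumptions: the key is ~\Downloads\devsecopspat.pem,
# the account running this shell is the one that should own the key, and the host is the
# placeholder from the post (replace with the instance's current public IP or DNS name).
$KeyPath = Join-Path $HOME 'Downloads\devsecopspat.pem'
$Server  = 'ubuntu@18.191.xxx.197'

# Step-2: make sure the OpenSSH client is present (this install step needs an elevated shell).
if (-not (Get-Command ssh -ErrorAction SilentlyContinue)) {
    Add-WindowsCapability -Online -Name 'OpenSSH.Client~~~~0.0.1.0' | Out-Null
}

# Step-4/5: the private key has to be where we think it is.
if (-not (Test-Path $KeyPath)) { throw "Key not found: $KeyPath" }

# Step-8: the same ACL change as Properties > Security > Advanced, with icacls:
#   /inheritance:r  disable inheritance and drop the inherited entries (SYSTEM, Administrators, Users, ...)
#   /grant:r        replace this user's entry with Read only, which is all the ssh client needs
#   /remove         drop any explicit entries other principals may still have
$Me = "$env:USERDOMAIN\$env:USERNAME"
icacls $KeyPath /inheritance:r | Out-Null
icacls $KeyPath /grant:r "$($Me):(R)" | Out-Null
icacls $KeyPath /remove 'SYSTEM' 'Administrators' 'Users' 'Authenticated Users' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $KeyPath" }

# Verify the result the way the post does in the UI: the only principal left is this user.
$Others = (Get-Acl $KeyPath).Access | Where-Object { $_.IdentityReference.Value -ne $Me }
if ($Others) {
    throw "Unexpected principals still on the key: $(($Others.IdentityReference.Value | Select-Object -Unique) -join ', ')"
}

# Step-9: connect. IdentitiesOnly keeps ssh from offering unrelated keys from the agent or ~\.ssh first.
ssh -i $KeyPath -o IdentitiesOnly=yes $Server
```

If the shell is not elevated, run the Add-WindowsCapability line separately as administrator; everything else runs as the normal user, which is exactly the account that should own the key. The owner check assumes a local account whose ACL identity is COMPUTERNAME\user, as $env:USERDOMAIN\$env:USERNAME reports it.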

Step-10:

How twtech troubleshoots ssh issues.

A, Connection timeout.

  • Usually a security group issue. A timeout (for SSH or anything else) means no reply at all, which points at security groups, network ACLs or a firewall rather than at the instance itself. Make sure the security group allows inbound TCP port 22 from the address twtech connects from; opening it from anywhere (0.0.0.0/0) works for a quick test but exposes SSH to the whole internet.

B,  Still having connection timeout issue

  • If the twtech security group is properly configured as above and the connection still times out:
  • Make sure the corporate firewall or a personal firewall is not blocking the connection.

C,  SSH does not work on Windows

  • If PowerShell reports that ssh is not recognized, install the OpenSSH Client optional feature (Settings > Apps > Optional features), or use PuTTY to connect to the server.

D,  Permission denied (publickey,gssapi-keyex,gssapi-with-mic)

This means one of the following:

  • Wrong key (not the key pair the instance was launched with),
  • No key passed at all,
  • Wrong user: the default user is ec2-user on RHEL and Amazon Linux, and ubuntu on Ubuntu,
  • Wrong ssh command format; the correct form is: ssh -i  .\key.pem user@<public-ip>

Configure and pass the correct key with -i, and use the right user for the AMI.

E,  Nothing seems to work. Also try EC2 Instance Connect.

  • The session opens in the browser rather than in a terminal.

F,  twtech-user was able to connect to the server a few hours ago, but the same server won't connect now.

  • A stopped EC2 instance releases its public IP address back to AWS; on the next start it gets a new one, unless an Elastic IP was assigned to the instance.
  • Reconnect using the current public IP address (and update any saved PuTTY session, which still points at the old address), or assign an Elastic IP so the address stays fixed.

G, Sometimes the security group needs both an Anywhere-IPv4 and an Anywhere-IPv6 rule for port 22 before ssh works; the two rules work together.

H,  Connection refused

  • The instance is reachable, but nothing is listening on port 22: the SSH service (sshd) is not running on the instance.
  • If another path in exists (EC2 Instance Connect, see E), check and start the service from there first.
  • Otherwise restart the instance with a full stop and start (not a reboot): stop the server completely, wait for it to reach the stopped state,
  • then start the server again.

I,
  • Reach out to other engineers for help as well; team collaboration is always essential in any enterprise work environment.
  • Use Slack, Atlassian Jira or Microsoft Teams.

J, 
  • Post the issue on Stack Overflow, because someone may already have hit the same issue in their environment. Redact key material, account IDs and public addresses before posting.
  • https://stackoverflow.com/questions


K,
  • If nothing else works, back up the instance (snapshot or AMI), terminate it and create a new one.
  • This is the last option and should only be done in the dev environment.
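A first-pass triage for sections A to H, as an added PowerShell example that is not from the post. It assumes the same placeholder host and key path as the hands-on (replace them with the real public IP and key); Test-NetConnection ships with Windows, and the ssh options used are standard OpenSSH client options.

```powershell
# Added example, not from the original post. Placeholders: replace $Server with the instance's
# current public IP and $KeyPath with the real key location.
$Server  = '18.191.xxx.197'
$User    = 'ubuntu'                                         # ec2-user on RHEL / Amazon Linux
$KeyPath = Join-Path $HOME 'Downloads\devsecopspat.pem'

# A, B, F, H: a raw TCP probe separates "timeout" (no reply: security group, NACL, local firewall,
# or a stale public IP) from "refused" (a reply, but nothing listening: sshd is down).
$tcp = Test-NetConnection -ComputerName $Server -Port 22 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    if ($tcp.PingSucceeded) {
        Write-Output "Host answers ping but not port 22: check sshd on the instance (section H)"
    } else {
        Write-Output "No reply at all: check the security group source rule, that the public IP is current, and local firewalls (sections A, B, F)"
    }
    return
}

# C: is the OpenSSH client installed?
if (-not (Get-Command ssh -ErrorAction SilentlyContinue)) {
    Write-Output "ssh is not installed: run Add-WindowsCapability -Online -Name 'OpenSSH.Client~~~~0.0.1.0' in an elevated shell, or use PuTTY (section C)"
    return
}

# D: the key file must exist and parse as a private key; ssh-keygen -y derives the public half from it.
if (-not (Test-Path $KeyPath)) { Write-Output "Key file missing: $KeyPath (section D)"; return }
$Pub = ssh-keygen -y -f $KeyPath 2>$null
if (-not $Pub) { Write-Output "$KeyPath does not parse as a private key (section D)"; return }

# D and Step-8: one verbose, non-interactive attempt. IdentitiesOnly stops the agent offering other keys,
# BatchMode stops it hanging on a passphrase prompt. The filtered lines show which key was offered,
# whether the server rejected it (wrong key or wrong user), or whether the client refused the key file
# because its permissions are too open.
ssh -v -o IdentitiesOnly=yes -o BatchMode=yes -o ConnectTimeout=10 -i $KeyPath "${User}@${Server}" exit 2>&1 |
    Out-String -Stream |
    Select-String -Pattern 'Offering public key', 'Authentications that can continue', 'Permission denied', 'too open', 'UNPROTECTED', 'Authenticated to'
```

A line "Authenticated to ..." in the last output means the key, user and network path are all fine and the original failure was transient; "Permission denied (publickey" after "Offering public key" means the instance does not have this key's public half, so it is the wrong key pair or the wrong user for the AMI.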

twtech-Insights.

  • Never store AWS access keys on instances, or hard-code them in scripts, for several critical reasons:

1. Security Risk: Keys Can Be Stolen

  • If access keys are stored in plain text (e.g., environment variables, config files, or scripts on an EC2 instance), anyone with access to that instance can steal them — including:
    • Malicious insiders
    • Attackers exploiting a vulnerability
    • Malware injected via insecure software
  • These keys could then be used from outside the twtech environment to wreak havoc.

 2. Track & Rotate

Manually entered access keys:

  • Are difficult to audit and manage.
  • Rotation becomes a nightmare — if keys get leaked or need changing, you have to hunt down every instance manually.
  • This violates the principle of least privilege and defeats automation.

3. Better Alternatives: Use IAM Roles

  • Make sure the AWS CLI is installed and its version verified (on Ubuntu, via snap):

sudo snap install aws-cli --classic

aws --version

  • The best practice is to assign IAM roles to twtech compute instances (e.g., EC2, Lambda, ECS). 
  • Benefits:
    • Temporary credentials are issued for the role by STS and delivered to the instance through the Instance Metadata Service (IMDS).
    • No manual handling of keys.
    • Automatic rotation and fine-grained permissions.

# bash

# IMDSv1-style request: a plain GET lists the role name, and a second GET under it returns the temporary credentials.
# With IMDSv2 enforced (HttpTokens=required) the client must first obtain a session token with a PUT
# and send it in the X-aws-ec2-metadata-token header, which is what stops a plain SSRF from reading the credentials.
curl http://169.254.xxx.254/latest/meta-data/iam/security-credentials/

 4. Violates Compliance and Policy Standards

Manually placing access keys on instances often violates:

  • Company security policies,
  • Industry compliance standards & Governance (like SOC2, ISO 27001, HIPAA)
  • AWS Well-Architected Framework guidelines.

 5. Risk of Accidental Exposure

Keys entered on instances are often:

  • Committed to Git repos by mistake
  • Logged in shell history or debug logs
  • Left lying around in user profiles.

NB:

  • Once exposed — it's game over for twtech AWS account.

 What twtech-users should do instead

  • Use IAM roles with least privilege attached to your EC2/Lambda/ECS.
  • Use AWS Systems Manager Parameter Store or Secrets Manager for sensitive data.
  • For local dev, use the AWS CLI with aws configure and scoped permissions, preferably short-lived credentials from IAM Identity Center (aws configure sso) rather than long-lived access keys.
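An audit for the two anti-patterns this section warns about (instances without a role, and instances still serving IMDSv1, where a plain GET hands out the role credentials), run from the same PowerShell session. This is an added example, not from the post: it assumes AWS CLI v2 is installed and configured, and the profile name and region are placeholders.

```powershell
# Added example, not from the original post. Assumes AWS CLI v2 is installed and configured;
# the profile name and region below are placeholders.
$env:AWS_PROFILE = 'twtech-audit'
$Region = 'us-east-2'

function Get-AwsJson([string[]]$CliArgs) {
    # aws prints JSON over many lines; join them before parsing (ConvertFrom-Json in 5.1 parses line by line)
    $out = & aws @CliArgs --output json --region $Region | Out-String
    if ($LASTEXITCODE -ne 0) { throw "aws $($CliArgs -join ' ') failed" }
    $out | ConvertFrom-Json
}

$Instances = (Get-AwsJson 'ec2','describe-instances').Reservations | ForEach-Object { $_.Instances }

# 1. Instances with no IAM role attached: anything on them that talks to AWS must be using stored access keys.
$Instances | Where-Object { -not $_.IamInstanceProfile } |
    ForEach-Object { "no IAM role attached: $($_.InstanceId)" }

# 2. Instances still answering IMDSv1 (HttpTokens=optional). A plain GET to the metadata service returns
#    the role credentials, so an SSRF bug on the instance leaks them; IMDSv2 needs a PUT-obtained session
#    token first, and a hop limit of 1 keeps containers on the instance from reaching the service.
$Instances | Where-Object { $_.MetadataOptions.HttpTokens -ne 'required' } | ForEach-Object {
    "enforcing IMDSv2 on $($_.InstanceId)"
    aws ec2 modify-instance-metadata-options --region $Region --instance-id $_.InstanceId `
        --http-tokens required --http-endpoint enabled --http-put-response-hop-limit 1 | Out-Null
}

# 3. Long-lived keys that exist anyway: list each with its age so stale ones get rotated or deleted.
foreach ($u in (Get-AwsJson 'iam','list-users').Users) {
    $Keys = (Get-AwsJson 'iam','list-access-keys','--user-name',$u.UserName).AccessKeyMetadata
    foreach ($k in $Keys) {
        $Age = [int]((Get-Date) - [datetime]$k.CreateDate).TotalDays
        '{0,-20} {1,-22} {2,-8} {3,4} days old' -f $u.UserName, $k.AccessKeyId, $k.Status, $Age
    }
}
```

The profile used for the audit only needs ec2:DescribeInstances, ec2:ModifyInstanceMetadataOptions, iam:ListUsers and iam:ListAccessKeys, which is the scoped-permissions point made above applied to the audit itself.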
