Skip to main content

aws-ec2


title: "Aws Ec2" sidebar_label: "Aws Ec2" description: "AWS EC2 virtual machine management for instances, AMIs, and networking. Use when launching instances, configuring security groups, managing key pairs, troubleshooting connectivity, or automating instance lifecycle."​

Aws Ec2

AWS EC2 virtual machine management for instances, AMIs, and networking. Use when launching instances, configuring security groups, managing key pairs, troubleshooting connectivity, or automating instance lifecycle.

Details​

PropertyValue
Skill Directory.github/skills/aws-ec2/
PhaseGeneral
User Invocable✅ Yes
Usage/aws-ec2 Instance type, operation, or issue to look up (e.g. 't3.micro web server', 'security group SSH rule', 'IMDSv2', 'spot instance request')

Documentation​

AWS EC2

Amazon Elastic Compute Cloud (EC2) provides resizable compute capacity in the cloud. Launch virtual servers, configure networking and security, and manage storage.

Table of Contents​

Core Concepts​

Instance Types​

CategoryExampleUse Case
General Purposet3, m6iWeb servers, dev environments
Compute Optimizedc6iBatch processing, gaming
Memory Optimizedr6iDatabases, caching
Storage Optimizedi3, d3Data warehousing
Acceleratedp4d, g5ML, graphics

Purchasing Options​

OptionDescription
On-DemandPay by the hour/second
Reserved1-3 year commitment, up to 72% discount
SpotUnused capacity, up to 90% discount
Savings PlansFlexible commitment-based discount

AMI (Amazon Machine Image)​

Template containing OS, software, and configuration for launching instances.

Security Groups​

Virtual firewalls controlling inbound and outbound traffic.

Common Patterns​

Launch an Instance​

AWS CLI:

# Create key pair
aws ec2 create-key-pair \
--key-name my-key \
--query 'KeyMaterial' \
--output text > my-key.pem
chmod 400 my-key.pem

# Create security group
aws ec2 create-security-group \
--group-name web-server-sg \
--description "Web server security group" \
--vpc-id vpc-12345678

# Allow SSH from private range only
aws ec2 authorize-security-group-ingress \
--group-id sg-12345678 \
--protocol tcp \
--port 22 \
--cidr 10.0.0.0/8

aws ec2 authorize-security-group-ingress \
--group-id sg-12345678 \
--protocol tcp \
--port 80 \
--cidr 0.0.0.0/0

# Launch instance
aws ec2 run-instances \
--image-id ami-0123456789abcdef0 \
--instance-type t3.micro \
--key-name my-key \
--security-group-ids sg-12345678 \
--subnet-id subnet-12345678 \
--tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=web-server}]'

boto3:

import boto3

ec2 = boto3.resource('ec2')

instances = ec2.create_instances(
ImageId='ami-0123456789abcdef0',
InstanceType='t3.micro',
KeyName='my-key',
SecurityGroupIds=['sg-12345678'],
SubnetId='subnet-12345678',
MinCount=1,
MaxCount=1,
TagSpecifications=[{
'ResourceType': 'instance',
'Tags': [{'Key': 'Name', 'Value': 'web-server'}]
}]
)

instance = instances[0]
instance.wait_until_running()
instance.reload()
print(f"Instance ID: {instance.id}")
print(f"Public IP: {instance.public_ip_address}")

User Data Script​

aws ec2 run-instances \
--image-id ami-0123456789abcdef0 \
--instance-type t3.micro \
--key-name my-key \
--security-group-ids sg-12345678 \
--subnet-id subnet-12345678 \
--user-data '#!/bin/bash
yum update -y
yum install -y httpd
systemctl start httpd
systemctl enable httpd
echo "<h1>Hello from $(hostname)</h1>" > /var/www/html/index.html
'

Attach IAM Role​

# Create instance profile
aws iam create-instance-profile \
--instance-profile-name web-server-profile

aws iam add-role-to-instance-profile \
--instance-profile-name web-server-profile \
--role-name web-server-role

# Launch with profile
aws ec2 run-instances \
--image-id ami-0123456789abcdef0 \
--instance-type t3.micro \
--iam-instance-profile Name=web-server-profile \
--security-group-ids sg-12345678 \
--subnet-id subnet-12345678

Create AMI from Instance​

aws ec2 create-image \
--instance-id i-1234567890abcdef0 \
--name "my-custom-ami-$(date +%Y%m%d)" \
--description "Custom AMI with web server" \
--no-reboot

Spot Instance Request​

aws ec2 request-spot-instances \
--instance-count 1 \
--type "one-time" \
--launch-specification '{
"ImageId": "ami-0123456789abcdef0",
"InstanceType": "c5.large",
"KeyName": "my-key",
"SecurityGroupIds": ["sg-12345678"],
"SubnetId": "subnet-12345678"
}' \
--spot-price "0.05"

EBS Volume Management​

# Create volume
aws ec2 create-volume \
--availability-zone us-east-1a \
--size 100 \
--volume-type gp3 \
--iops 3000 \
--throughput 125 \
--encrypted

# Attach to instance
aws ec2 attach-volume \
--volume-id vol-12345678 \
--instance-id i-1234567890abcdef0 \
--device /dev/sdf

# Create snapshot
aws ec2 create-snapshot \
--volume-id vol-12345678 \
--description "Daily backup"

CLI Reference​

Instance Management​

CommandDescription
aws ec2 run-instancesLaunch instances
aws ec2 describe-instancesList instances
aws ec2 start-instancesStart stopped instances
aws ec2 stop-instancesStop running instances
aws ec2 reboot-instancesReboot instances
aws ec2 terminate-instancesTerminate instances
aws ec2 modify-instance-attributeModify instance settings

Security Groups​

CommandDescription
aws ec2 create-security-groupCreate security group
aws ec2 describe-security-groupsList security groups
aws ec2 authorize-security-group-ingressAdd inbound rule
aws ec2 revoke-security-group-ingressRemove inbound rule
aws ec2 authorize-security-group-egressAdd outbound rule

AMIs​

CommandDescription
aws ec2 describe-imagesList AMIs
aws ec2 create-imageCreate AMI from instance
aws ec2 copy-imageCopy AMI to another region
aws ec2 deregister-imageDelete AMI

EBS Volumes​

CommandDescription
aws ec2 create-volumeCreate EBS volume
aws ec2 attach-volumeAttach to instance
aws ec2 detach-volumeDetach from instance
aws ec2 create-snapshotCreate snapshot
aws ec2 modify-volumeResize/modify volume

Best Practices​

Security​

  • Use IAM roles instead of access keys on instances
  • Restrict security groups — principle of least privilege
  • Use private subnets for backend instances
  • Enable IMDSv2 to prevent SSRF attacks
  • Encrypt EBS volumes at rest
# Require IMDSv2
aws ec2 modify-instance-metadata-options \
--instance-id i-1234567890abcdef0 \
--http-tokens required \
--http-endpoint enabled

Performance​

  • Right-size instances — monitor and adjust
  • Use EBS-optimized instances
  • Choose appropriate EBS volume type
  • Use placement groups for low-latency networking

Cost Optimization​

  • Use Spot Instances for fault-tolerant workloads
  • Stop/terminate unused instances
  • Use Reserved Instances for steady-state workloads
  • Delete unused EBS volumes and snapshots

Reliability​

  • Use Auto Scaling Groups for high availability
  • Deploy across multiple AZs
  • Use Elastic Load Balancer for traffic distribution
  • Implement health checks

Troubleshooting​

Cannot SSH to Instance​

Checklist:

  1. Security group allows SSH (port 22) from your IP
  2. Instance has public IP or use bastion/SSM
  3. Key pair matches instance
  4. Instance is running
  5. Network ACL allows traffic
# Check security group
aws ec2 describe-security-groups --group-ids sg-12345678

# Check instance state
aws ec2 describe-instances \
--instance-ids i-1234567890abcdef0 \
--query "Reservations[].Instances[].{State:State.Name,PublicIP:PublicIpAddress}"

Use Session Manager instead:

aws ssm start-session --target i-1234567890abcdef0

Instance Won't Start​

Causes:

  • Reached instance limits
  • Insufficient capacity in AZ
  • EBS volume issue
  • Invalid AMI
# Check instance state reason
aws ec2 describe-instances \
--instance-ids i-1234567890abcdef0 \
--query "Reservations[].Instances[].StateReason"

Instance Unreachable​

Debug:

# Check instance status
aws ec2 describe-instance-status \
--instance-ids i-1234567890abcdef0

# Get console output
aws ec2 get-console-output \
--instance-id i-1234567890abcdef0

High CPU/Memory​

# Enable detailed monitoring
aws ec2 monitor-instances \
--instance-ids i-1234567890abcdef0

# Check CloudWatch metrics
aws cloudwatch get-metric-statistics \
--namespace AWS/EC2 \
--metric-name CPUUtilization \
--dimensions Name=InstanceId,Value=i-1234567890abcdef0 \
--start-time $(date -d '1 hour ago' -u +%Y-%m-%dT%H:%M:%SZ) \
--end-time $(date -u +%Y-%m-%dT%H:%M:%SZ) \
--period 300 \
--statistics Average

References​