How to Disable UFW Firewall on AWS EC2 When Locked Out via SSH



Many administrators encounter this situation after enabling UFW (Uncomplicated Firewall) on Ubuntu without proper SSH rules. The session you enable it from keeps working, because UFW lets packets of already established connections through, so nothing looks wrong until you log out and try to reconnect:


# The problematic sequence:
sudo apt install ufw
sudo ufw enable
# Forgets to add: sudo ufw allow ssh
logout

Method 1: Using EC2 Instance Connect

EC2 Instance Connect pushes a one-time SSH key to the instance and then connects over SSH (port 22 by default), so when UFW is dropping port 22 it fails exactly as your own SSH client does. It is only an option when port 22 on the instance is still reachable for some other reason. If it does connect:

  1. Navigate to EC2 Dashboard
  2. Select your instance
  3. Click "Connect" > "EC2 Instance Connect"
  4. Run these commands (the same three commands are the fix from any shell you obtain with the methods below):

sudo ufw disable
sudo ufw allow ssh
sudo ufw enable

Method 2: Using AWS Systems Manager

Session Manager does not use SSH at all: the SSM Agent on the instance opens an outbound HTTPS connection to Systems Manager, which UFW's default allow-outgoing policy does not block. It works if the agent is installed (Ubuntu AMIs ship it), the instance has an IAM instance profile with the AmazonSSMManagedInstanceCore policy attached, and the security group allows outbound 443. From a machine with the AWS CLI and the Session Manager plugin installed:

aws ssm start-session --target your-instance-id

# Inside the session:
sudo ufw disable
sudo ufw allow ssh
sudo ufw enable

Do not "fix" the lockout with sudo ufw default allow incoming: that keeps the firewall enabled but lets everything in. Restarting sshd is not needed either; sshd was never the problem, the packets were dropped before they reached it.

Method 3: Via Instance Recovery (Last Resort)

For EBS-backed instances:

  1. Stop the instance (stop, not terminate) and note the root device name shown in the console
  2. Detach the root volume
  3. Attach it to a rescue instance in the same Availability Zone as a secondary volume and mount it (for example under /mnt/rescue)
  4. Edit etc/ufw/ufw.conf on the mounted volume (not the rescue instance's own /etc/ufw/ufw.conf) and set:

ENABLED=no

  5. Unmount, detach the volume, reattach it to the original instance at the original device name, and start the instance. UFW stays off at boot; add the SSH rule and re-enable it once you are back in.

Always follow this sequence when enabling UFW:


sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw enable

Consider adding these safety measures:


# Set default policies first
sudo ufw default allow outgoing
sudo ufw default deny incoming

# Then add specific rules. Pick ONE of the two SSH rules below: the first opens
# port 22 to the world, the second only to your address. Adding both leaves the
# port world-open, and restricting to a single address is itself a lockout risk
# if that address changes.
sudo ufw allow 22/tcp
sudo ufw allow proto tcp from your.ip.address to any port 22
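A scripted version of this safe-enable procedure, added here as an example and not part of the original article: it refuses to enable UFW unless ufw show added already lists an allow rule for the port sshd actually listens on, and it arms a dead-man timer that disables UFW again unless you confirm from a fresh SSH session. The script name, the pid-file path, the DEADMAN_DELAY variable and its 300-second default are assumptions.

```shell
#!/bin/sh
# safe_ufw_enable.sh - enable UFW without locking yourself out of SSH.
# Added example for this article, not code from the article. Assumptions:
# Debian/Ubuntu host with ufw and sshd installed, run as root; the SSH port is
# read from sshd (22 if unknown) and the dead-man delay defaults to 300 seconds.
#
# Usage:  ./safe_ufw_enable.sh enable     # preflight, arm timer, enable UFW
#         ./safe_ufw_enable.sh confirm    # from a NEW ssh session: keep UFW on

PIDFILE=${PIDFILE:-/run/ufw-deadman.pid}

# Port sshd actually listens on ('sshd -T' prints the effective config); 22 if unknown.
ssh_port() {
    p=$(sshd -T 2>/dev/null | awk '$1 == "port" { print $2; exit }')
    echo "${p:-22}"
}

# has_allow_rule PORT: read 'ufw show added' output on stdin and succeed if a
# pending allow rule covers PORT. Accepts the forms ufw itself stores:
#   ufw allow 22 | ufw allow 22/tcp | ufw allow OpenSSH | ufw allow ssh
#   ufw allow proto tcp from A.B.C.D to any port 22
has_allow_rule() {
    port=$1
    grep -Eq "^ufw allow (in )?(${port}(/tcp)?|OpenSSH|ssh)( |$)|^ufw allow .* port ${port}( |$)"
}

# Start a background job that disables UFW after DELAY seconds unless killed.
# nohup keeps it alive when the current SSH session drops. Killing the shell
# orphans the sleep, which then exits without ever running 'ufw disable'.
arm_deadman() {
    delay=$1
    nohup sh -c "sleep $delay && ufw disable" >/dev/null 2>&1 &
    echo $! > "$PIDFILE"
}

# Called from the new session: kill the timer so UFW stays enabled.
confirm() {
    [ -f "$PIDFILE" ] || { echo "no dead-man timer armed" >&2; return 1; }
    kill "$(cat "$PIDFILE")" 2>/dev/null
    rm -f "$PIDFILE"
    echo "access confirmed, UFW stays enabled"
}

enable_ufw() {
    port=$(ssh_port)
    delay=${DEADMAN_DELAY:-300}
    if ! ufw show added | has_allow_rule "$port"; then
        echo "refusing to enable: no allow rule for SSH port $port" >&2
        echo "add one first, e.g.: ufw allow ${port}/tcp" >&2
        return 1
    fi
    arm_deadman "$delay"
    ufw --force enable
    echo "UFW enabled. Open a NEW ssh session within ${delay}s and run: $0 confirm"
    echo "If you cannot connect, UFW disables itself automatically after ${delay}s."
}

case "${1-}" in
    enable)  enable_ufw ;;
    confirm) confirm ;;
esac
```

The preflight reads pending rules rather than ufw status because status shows nothing while the firewall is inactive; the dead-man timer is what turns a mistake into a five-minute outage instead of a rescue-volume exercise.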

When you regain access, check your current configuration:


sudo ufw status numbered
sudo ufw show raw
sudo cat /etc/ufw/user.rules

You've just enabled UFW (Uncomplicated Firewall) on your AWS EC2 Ubuntu instance without adding any rules. In your haste, you logged out - only to realize SSH access is now blocked because UFW defaults to denying all incoming connections. Your website is down, and panic sets in. Here's how to regain control.

Since SSH is blocked, we need the alternative access paths AWS provides that do not go through port 22 on the instance:

# Method 1: AWS Systems Manager (SSM)
# The agent connects outbound over HTTPS; the instance needs an instance profile
# with AmazonSSMManagedInstanceCore and outbound 443 in its security group
aws ssm start-session --target instance-id

# Method 2: EC2 Serial Console
# Nitro-based instances only. Serial console access must be enabled for the
# account (EC2 > Account attributes), your IAM identity needs permission to use
# it, and you log in with a local OS password, which Ubuntu cloud images do not
# set by default, so set one as part of your baseline before you need it.
# Open via EC2 > Instances > Connect > EC2 serial console

If you can't use SSM or the Serial Console, modify the instance's User Data. Two details matter here: by default cloud-init runs a user-data shell script only on an instance's first boot, so on a stopped-and-started instance the script is ignored unless the user data also carries a #cloud-config part that sets cloud_final_modules to run scripts-user "always"; and the script runs as root, so sudo is unnecessary.

#!/bin/bash
# Runs as root under cloud-init, so no sudo. 'ufw disable' stops the service,
# sets ENABLED=no in /etc/ufw/ufw.conf and removes the IPv4 and IPv6 rules;
# 'iptables -F' alone leaves ip6tables and ufw's saved state untouched.
ufw disable

Apply this by:

  1. Stop the EC2 instance (not terminate!); user data can only be edited while it is stopped
  2. Actions > Instance settings > Edit user data
  3. Paste the above script (wrapped in the multipart form with the always-run cloud-config part)
  4. Start the instance
  5. After you are back in, clear the rescue user data or restore the previous one; otherwise UFW is disabled again on every boot
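The complete user-data procedure as a script, added here as an example and not code from the original article: build_userdata wraps the rescue script in the multipart document cloud-init needs so that scripts-user runs on every boot rather than only the first, and apply_userdata pushes it to a stopped instance with the AWS CLI. The boundary string, the log path under /var/log and the script name are arbitrary assumptions; the instance is assumed to run an Ubuntu AMI with cloud-init, and the CLI profile is assumed to be allowed to stop, start and modify the instance.

```shell
#!/bin/sh
# ufw_rescue_userdata.sh - build user data that cloud-init runs on EVERY boot and
# push it to a stopped instance with the AWS CLI.
# Added example for this article, not code from the article. Assumptions: Ubuntu
# AMI with cloud-init, a configured AWS CLI with permission to stop/start the
# instance and modify its attributes; BOUNDARY and the log path are arbitrary.

BOUNDARY="==UFW-RESCUE=="

# The script cloud-init will run as root (so no sudo). 'ufw disable' stops the
# service, sets ENABLED=no in /etc/ufw/ufw.conf and flushes the v4 and v6 rules.
RESCUE_SCRIPT=$(cat <<'EOF'
#!/bin/bash
ufw disable
echo "$(date -Is) ufw disabled by rescue user data" >> /var/log/ufw-rescue.log
EOF
)

# build_userdata SCRIPT: print a multipart/mixed document. The cloud-config part
# overrides cloud_final_modules so scripts-user runs 'always' instead of only on
# first boot; without it a stop/start of an existing instance ignores the script.
build_userdata() {
    script=$1
    printf 'Content-Type: multipart/mixed; boundary="%s"\nMIME-Version: 1.0\n\n' "$BOUNDARY"
    printf '%s\nContent-Type: text/cloud-config; charset="us-ascii"\nMIME-Version: 1.0\n\n' "--$BOUNDARY"
    printf '#cloud-config\ncloud_final_modules:\n- [scripts-user, always]\n\n'
    printf '%s\nContent-Type: text/x-shellscript; charset="us-ascii"\nMIME-Version: 1.0\n\n' "--$BOUNDARY"
    printf '%s\n' "$script"
    printf '%s\n' "--$BOUNDARY--"
}

# apply_userdata INSTANCE_ID FILE: user data can only be changed while the
# instance is stopped. The CLI base64-encodes the file for the userData attribute.
apply_userdata() {
    instance=$1
    file=$2
    aws ec2 stop-instances --instance-ids "$instance" >/dev/null
    aws ec2 wait instance-stopped --instance-ids "$instance"
    aws ec2 modify-instance-attribute --instance-id "$instance" \
        --attribute userData --value "file://$file"
    aws ec2 start-instances --instance-ids "$instance" >/dev/null
    echo "started $instance; once you are back in, clear this user data or UFW"
    echo "will be disabled again on every boot."
}

case "${1-}" in
    apply)
        [ -n "${2-}" ] || { echo "usage: $0 apply INSTANCE_ID" >&2; exit 1; }
        tmp=$(mktemp)
        build_userdata "$RESCUE_SCRIPT" > "$tmp"
        apply_userdata "$2" "$tmp"
        rm -f "$tmp"
        ;;
esac
```

Run it as ./ufw_rescue_userdata.sh apply INSTANCE_ID; the "always" directive is the part that makes this work on a stop/start, and it is also the reason the user data has to be removed afterwards.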

Always test firewall rules in a staging environment first. For production:

# ALWAYS add SSH rule before enabling UFW
sudo ufw allow ssh
sudo ufw enable

# Verify rules
sudo ufw status verbose

# Common web server rules
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

After regaining access, verify UFW status:

sudo ufw status
# Should show 'Status: inactive'

# To properly reconfigure:
sudo ufw reset
sudo ufw allow ssh
sudo ufw enable

A security group change cannot fix this lockout on its own: the security group filters traffic before it reaches the instance, while UFW drops it on the instance itself, so opening the group changes nothing while UFW still denies port 22. The group only matters for the recovery paths: Session Manager needs outbound 443, and EC2 Instance Connect needs inbound 22. If you do have to open something temporarily, scope it to a single port and your own address rather than all traffic:

# AWS CLI: temporarily allow SSH from one address only
aws ec2 authorize-security-group-ingress \
    --group-id sg-xxxxxxxx \
    --protocol tcp \
    --port 22 \
    --cidr your.ip.add.ress/32

Remember to revoke this rule immediately after fixing UFW, using the same arguments with aws ec2 revoke-security-group-ingress.