Recovering EC2 SSH Access: Alternative Connection Methods When SSH Daemon Is Down



Accidentally killing the SSH daemon (sshd) on an EC2 instance is more common than you might think. When this happens, your primary access method vanishes, but AWS provides several recovery options. Let's explore them in detail.

For instances with EC2 Instance Connect enabled, you can use this browser-based SSH alternative, or push a temporary key from the AWS CLI:


# First, ensure you have the AWS CLI installed and configured.
# This pushes a one-time public key for ec2-user; the key is valid for 60 seconds.
aws ec2-instance-connect send-ssh-public-key \
    --instance-id i-1234567890abcdef0 \
    --availability-zone us-east-1a \
    --instance-os-user ec2-user \
    --ssh-public-key file://my_key.pub

AWS Systems Manager Session Manager provides the most reliable alternative:


# Prerequisites:
# 1. Install SSM Agent (pre-installed on Amazon Linux 2 AMIs)
# 2. Attach AmazonSSMManagedInstanceCore policy to instance IAM role

# Start session:
aws ssm start-session --target i-1234567890abcdef0

# Once connected, restart SSH:
sudo systemctl start sshd

For critical situations, the EC2 Serial Console can be a lifesaver:


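# Enable serial console access first via IAM
# Then push a temporary public key to the serial port through AWS CLI:
aws ec2-instance-connect send-serial-console-ssh-public-key \
    --instance-id i-1234567890abcdef0 \
    --serial-port 0 \
    --ssh-public-key file://my_key.pub
# Connect to the serial console endpoint (my_key is the matching private key):
ssh -i my_key i-1234567890abcdef0.port0@serial-console.ec2-instance-connect.us-east-1.aws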

If all else fails, you can stop the instance and modify user data:


#!/bin/bash
systemctl start sshd

After adding this script via instance stop/modify/start, SSH will be available on reboot.

  • Always test SSH config changes with sshd -t before applying
  • Keep a backup SSH port open in /etc/ssh/sshd_config
  • Set up Session Manager as a backup access method

When you've accidentally terminated the SSH daemon on your EC2 instance, you still have several recovery paths through AWS management interfaces:

# Example AWS CLI command to check instance status
aws ec2 describe-instances --instance-ids i-1234567890abcdef0

AWS EC2 Instance Connect provides browser-based SSH access without requiring the SSH daemon to be running:

  1. Navigate to EC2 console → Select your instance
  2. Click "Connect" → Choose "EC2 Instance Connect"
  3. Use the built-in terminal to start your SSH service:
    sudo systemctl start sshd
    sudo systemctl enable sshd

For instances with SSM Agent installed (Amazon Linux 2/Ubuntu AMIs typically include it):

# Start a session via AWS CLI
aws ssm start-session --target i-1234567890abcdef0

# Once connected:
sudo service sshd restart

For stopped instances, you can modify user data to auto-repair on next boot:

#!/bin/bash
systemctl start sshd
systemctl enable sshd

  • Always test service restarts in screen/tmux sessions
  • Configure EC2 instance recovery options in AWS console
  • Set up CloudWatch alarms for critical process monitoring
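
The user-data repair described above (the stop/modify/start step and the auto-repair script for stopped instances), as an added example that is not part of the original page. It goes one step further than the page's script: cloud-init runs user-data scripts only on an instance's first boot by default, so the script is wrapped in a MIME multi-part document whose cloud-config part makes it run on every boot. The function names and the temporary file are assumptions of this example.

```shell
# Added example: rebuild user data so the repair script runs on every boot.
# Assumption: the AMI uses cloud-init (Amazon Linux and Ubuntu AMIs do).

# Emit MIME multi-part user data: a cloud-config part that tells cloud-init
# to run user scripts on every boot, followed by the page's repair script.
build_user_data() {
  cat <<'EOF'
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"

#cloud-config
cloud_final_modules:
- [scripts-user, always]

--//
Content-Type: text/x-shellscript; charset="us-ascii"

#!/bin/bash
systemctl start sshd
systemctl enable sshd
--//--
EOF
}

# Stop the instance, swap in the new user data, then start it again.
# The body runs in a subshell so its variables and trap stay local.
apply_user_data() (
  id="$1"
  tmp="$(mktemp)" || exit 1
  trap 'rm -f "$tmp"' EXIT
  # modify-instance-attribute expects the user data base64-encoded
  build_user_data | base64 > "$tmp"
  aws ec2 stop-instances --instance-ids "$id" &&
  aws ec2 wait instance-stopped --instance-ids "$id" &&
  aws ec2 modify-instance-attribute --instance-id "$id" \
      --attribute userData --value "file://$tmp" &&
  aws ec2 start-instances --instance-ids "$id"
)

# Usage: apply_user_data i-1234567890abcdef0
```

Stopping and starting changes the public IPv4 address unless an Elastic IP is attached, and it discards instance store data. Once SSH is back, restore the original user data so the script stops running on every boot, and keep secrets out of user data since it is readable from the instance metadata service.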