# Connect to your instances using a private IP address and EC2 Instance Connect Endpoint
<a name="connect-with-ec2-instance-connect-endpoint"></a>

EC2 Instance Connect Endpoint allows you to connect securely to an instance from the internet, without using a bastion host, or requiring that your virtual private cloud (VPC) has direct internet connectivity.

**Benefits**
+ You can connect to your instances without requiring the instances to have a public IPv4 or IPv6 address. AWS charges for all public IPv4 addresses, including public IPv4 addresses associated with running instances and Elastic IP addresses. For more information, see the **Public IPv4 Address** tab on the [Amazon VPC pricing page](https://aws.amazon.com/vpc/pricing/).
+ You can connect to your instances from the internet without requiring that your VPC has direct internet connectivity through an [internet gateway](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html).
+ You can control access to the creation and use of the EC2 Instance Connect Endpoints to connect to instances using [IAM policies and permissions](permissions-for-ec2-instance-connect-endpoint.md).
+ All attempts to connect to your instances, both successful and unsuccessful, are logged to [CloudTrail](log-ec2-instance-connect-endpoint-using-cloudtrail.md).

**Pricing**  
There is no additional cost for using EC2 Instance Connect Endpoints. If you use an EC2 Instance Connect Endpoint to connect to an instance in a different Availability Zone, there is an [additional charge for data transfer](https://aws.amazon.com/ec2/pricing/on-demand/#Data_Transfer_within_the_same_AWS_Region) across Availability Zones.

**Topics**
+ [How it works](#how-eice-works)
+ [Considerations](#ec2-instance-connect-endpoint-prerequisites)
+ [Permissions](permissions-for-ec2-instance-connect-endpoint.md)
+ [Security groups](eice-security-groups.md)
+ [Create an EC2 Instance Connect Endpoint](create-ec2-instance-connect-endpoints.md)
+ [Modify an EC2 Instance Connect Endpoint](modify-ec2-instance-connect-endpoint.md)
+ [Delete an EC2 Instance Connect Endpoint](delete-ec2-instance-connect-endpoint.md)
+ [Connect to an instance](connect-using-eice.md)
+ [Log connections](log-ec2-instance-connect-endpoint-using-cloudtrail.md)
+ [Service-linked role](eice-slr.md)
+ [Quotas](eice-quotas.md)

## How it works
<a name="how-eice-works"></a>

EC2 Instance Connect Endpoint is an identity-aware TCP proxy. The EC2 Instance Connect Endpoint Service establishes a private tunnel from your computer to the endpoint using the credentials for your IAM entity. Traffic is authenticated and authorized before it reaches your VPC.

You can [configure additional security group rules](eice-security-groups.md) to restrict inbound traffic to your instances. For example, you can use inbound rules to allow traffic on management ports only from the EC2 Instance Connect Endpoint.

You can configure route table rules to allow the endpoint to connect to any instance in any subnet of the VPC.

The following diagram shows how a user can connect to their instances from the internet using an EC2 Instance Connect Endpoint. First, create an **EC2 Instance Connect Endpoint** in subnet A. We create a network interface for the endpoint in the subnet, which serves as the entry point for traffic destined to your instances in the VPC. If the route table for subnet B allows traffic from subnet A, then you can use the endpoint to reach instances in subnet B.

![Overview of the EC2 Instance Connect Endpoint flow.](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/images/ec2-instance-connect-endpoint.png)


## Considerations
<a name="ec2-instance-connect-endpoint-prerequisites"></a>

Before you begin, consider the following.
+ EC2 Instance Connect Endpoint is intended specifically for management traffic use cases, not for high volume data transfers. High volume data transfers are throttled.
+ You can create an EC2 Instance Connect Endpoint to support traffic to an instance that has a private IPv4 address or IPv6 address. The IP address type of the endpoint must match the IP address of the instance. You can create an endpoint that supports all IP address types.
+ (Linux instances) If you use your own key pair, you can use any Linux AMI. Otherwise, your instance must have EC2 Instance Connect installed. For information about which AMIs include EC2 Instance Connect and how to install it on other supported AMIs, see [Install EC2 Instance Connect](ec2-instance-connect-set-up.md).
+ You can assign a security group to an EC2 Instance Connect Endpoint. Otherwise, we use the default security group for the VPC. The security group for an EC2 Instance Connect Endpoint must allow outbound traffic to the destination instances. For more information, see [Security groups for EC2 Instance Connect Endpoint](eice-security-groups.md).
+ You can configure an EC2 Instance Connect Endpoint to preserve the source IP addresses of clients when routing requests to the instances. Otherwise, the IP address of the network interface becomes the client IP address for all incoming traffic.
  + If you turn on client IP preservation, the security groups for the instances must allow traffic from the clients. Also, the instances must be in the same VPC as the EC2 Instance Connect Endpoint.
  + If you turn off client IP preservation, the security groups for the instances must allow traffic from the VPC. This is the default.
  + Client IP preservation is only supported on IPv4 EC2 Instance Connect Endpoints. To use client IP preservation, the IP address type of the EC2 Instance Connect Endpoint must be IPv4. Client IP preservation is not supported when the IP address type is dual-stack or IPv6.
  + The following instance types do not support client IP preservation: C1, CG1, CG2, G1, HI1, M1, M2, M3, and T1. If you turn on client IP preservation and attempt to connect to an instance with one of these instance types by using EC2 Instance Connect Endpoint, the connection fails.
  + Client IP preservation is not supported when traffic is routed through a transit gateway.
+ When you create an EC2 Instance Connect Endpoint, a service-linked role is automatically created for the Amazon EC2 service in AWS Identity and Access Management (IAM). Amazon EC2 uses the service-linked role to provision network interfaces in your account, which are required when creating EC2 Instance Connect Endpoints. For more information, see [Service-linked role for EC2 Instance Connect Endpoint](eice-slr.md).
+ You can create only 1 EC2 Instance Connect Endpoint per VPC and per subnet. For more information, see [Quotas for EC2 Instance Connect Endpoint](eice-quotas.md). If you need to create another EC2 Instance Connect Endpoint in a different Availability Zone within the same VPC, you must first delete the existing EC2 Instance Connect Endpoint. Otherwise, you'll receive a quota error.
+ Each EC2 Instance Connect Endpoint can support up to 20 concurrent connections.
+ The maximum duration for an established TCP connection is 1 hour (3,600 seconds). You can specify the maximum allowed duration in an IAM policy, which can be up to 3,600 seconds. For more information, see [Permissions to use EC2 Instance Connect Endpoint to connect to instances](permissions-for-ec2-instance-connect-endpoint.md#iam-OpenTunnel). 

  The duration of the connection is not determined by the duration of your IAM credentials. If your IAM credentials expire, the connection continues to persist until the specified maximum duration is reached. When you connect to an instance using the EC2 Instance Connect Endpoint console experience, set **Max tunnel duration (seconds)** to a value that is less than the duration of your IAM credentials. If your IAM credentials expire early, terminate the connection to your instance by closing the browser page.

# Grant permissions to use EC2 Instance Connect Endpoint
<a name="permissions-for-ec2-instance-connect-endpoint"></a>

By default, IAM entities don't have permission to create, describe, or modify EC2 Instance Connect Endpoints. An IAM administrator can create IAM policies that grant the permissions required to perform specific actions on the resources that they need.

For information about creating IAM policies, see [Creating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.

The following example policies show how you can control the permissions that users have to EC2 Instance Connect Endpoints.

**Topics**
+ [Permissions to create, describe, modify, and delete EC2 Instance Connect Endpoints](#iam-CreateInstanceConnectEndpoint)
+ [Permissions to use EC2 Instance Connect Endpoint to connect to instances](#iam-OpenTunnel)
+ [Permissions to connect only from a specific IP address range](#iam-sourceip)

## Permissions to create, describe, modify, and delete EC2 Instance Connect Endpoints
<a name="iam-CreateInstanceConnectEndpoint"></a>

To create and modify an EC2 Instance Connect Endpoint, users require permissions for the following actions:
+ `ec2:CreateInstanceConnectEndpoint`
+ `ec2:CreateNetworkInterface`
+ `ec2:CreateTags`
+ `ec2:ModifyInstanceConnectEndpoint`
+ `iam:CreateServiceLinkedRole`

To describe and delete EC2 Instance Connect Endpoints, users require permissions for the following actions:
+ `ec2:DescribeInstanceConnectEndpoints` 
+ `ec2:DeleteInstanceConnectEndpoint`

You can create a policy that grants permission to create, describe, modify, and delete EC2 Instance Connect Endpoints in all subnets. Alternatively, you can restrict actions for specified subnets only by specifying the subnet ARNs as the allowed `Resource` or by using the `ec2:SubnetID` condition key. You can also use the `aws:ResourceTag` condition key to explicitly allow or deny endpoint creation with certain tags. For more information, see [Policies and permissions in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.

**Example IAM policy**

In the following example IAM policy, the `Resource` section grants permission to create, modify, and delete endpoints in all subnets, specified by the asterisk (`*`). The `ec2:Describe*` API actions do not support resource-level permissions. Therefore, the `*` wildcard is necessary in the `Resource` element.

## Permissions to use EC2 Instance Connect Endpoint to connect to instances
<a name="iam-OpenTunnel"></a>

The `ec2-instance-connect:OpenTunnel` action grants permission to establish a TCP connection to an instance to connect over the EC2 Instance Connect Endpoint. You can specify the EC2 Instance Connect Endpoint to use. Alternatively, a `Resource` with an asterisk (`*`) allows users to use any available EC2 Instance Connect Endpoint. You can also restrict access to instances based on the presence or absence of resource tags as condition keys.

**Conditions**
+ `ec2-instance-connect:remotePort` – The port on the instance that can be used to establish a TCP connection. When this condition key is used, attempting to connect to an instance on any port other than the one specified in the policy results in a failure.
+ `ec2-instance-connect:privateIpAddress` – The destination private IP address associated with the instance that you want to establish a TCP connection with. You can specify a single IP address, such as `10.0.0.1/32`, or a range of IPs through CIDRs, such as `10.0.1.0/28`. When this condition key is used, attempting to connect to an instance with a different private IP address or outside the CIDR range results in a failure. 
+ `ec2-instance-connect:maxTunnelDuration` – The maximum duration for an established TCP connection. The unit is seconds and the duration ranges from a minimum of 1 second to a maximum of 3,600 seconds (1 hour). If the condition is not specified, the default duration is set to 3,600 seconds (1 hour). Attempting to connect to an instance for longer than the specified duration in the IAM policy or for longer than the default maximum results in a failure. The connection is disconnected after the specified duration.

  If `maxTunnelDuration` is specified in the IAM policy and the value specified is less than 3,600 seconds (the default), then you must specify `--max-tunnel-duration` in the command when connecting to an instance. For information about how to connect to an instance, see [Connect to an Amazon EC2 instance using EC2 Instance Connect Endpoint](connect-using-eice.md).

You can also grant a user access to establish connections to instances based on the presence of resource tags on the EC2 Instance Connect Endpoint. For more information, see [Policies and permissions in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.

For Linux instances, the `ec2-instance-connect:SendSSHPublicKey` action grants permission to push the public key to an instance. The `ec2:osuser` condition specifies the name of the OS (operating system) user that can push the public key to an instance. Use the [default username for the AMI](connection-prereqs-general.md#connection-prereqs-get-info-about-instance) that you used to launch the instance. For more information, see [Grant IAM permissions for EC2 Instance Connect](ec2-instance-connect-configure-IAM-role.md).

**Example IAM policy**

The following example IAM policies allow an IAM principal to connect to an instance using only the specified EC2 Instance Connect Endpoint, identified by the specified endpoint ID `eice-123456789abcdef`. The connection is successfully established only if all the conditions are satisfied.

**Note**  
The `ec2:Describe*` API actions do not support resource-level permissions. Therefore, the `*` wildcard is necessary in the `Resource` element.

------
#### [ Linux ]

This example evaluates if the connection to the instance is established on port 22 (SSH), if the private IP address of the instance lies within the range of `10.0.1.0/31` (between `10.0.1.0` and `10.0.1.1`), and the `maxTunnelDuration` is less than or equal to `3600` seconds. The connection is disconnected after `3600` seconds (1 hour).

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [{
            "Sid": "EC2InstanceConnect",
            "Action": "ec2-instance-connect:OpenTunnel",
            "Effect": "Allow",
            "Resource": "arn:aws:ec2:us-east-1:111122223333:instance-connect-endpoint/eice-123456789abcdef",
            "Condition": {
                "NumericEquals": {
                    "ec2-instance-connect:remotePort": "22"
                },
                "IpAddress": {
                    "ec2-instance-connect:privateIpAddress": "10.0.1.0/31"
                },
                "NumericLessThanEquals": {
                    "ec2-instance-connect:maxTunnelDuration": "3600"
                }
            }
        },
        {
            "Sid": "SSHPublicKey",
            "Effect": "Allow",
            "Action": "ec2-instance-connect:SendSSHPublicKey",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:osuser": "ami-username"
                }
            }
        },
        {
            "Sid": "Describe",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceConnectEndpoints"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

------

------
#### [ Windows ]

This example evaluates if the connection to the instance is established on port 3389 (RDP), if the private IP address of the instance lies within the range of `10.0.1.0/31` (between `10.0.1.0` and `10.0.1.1`), and the `maxTunnelDuration` is less than or equal to `3600` seconds. The connection is disconnected after `3600` seconds (1 hour).

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [{
            "Sid": "EC2InstanceConnect",
            "Action": "ec2-instance-connect:OpenTunnel",
            "Effect": "Allow",
            "Resource": "arn:aws:ec2:us-east-1:111122223333:instance-connect-endpoint/eice-123456789abcdef",
            "Condition": {
                "NumericEquals": {
                    "ec2-instance-connect:remotePort": "3389"
                },
                "IpAddress": {
                    "ec2-instance-connect:privateIpAddress": "10.0.1.0/31"
                },
                "NumericLessThanEquals": {
                    "ec2-instance-connect:maxTunnelDuration": "3600"
                }
            }
        },
        {
            "Sid": "Describe",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceConnectEndpoints"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

------

------

## Permissions to connect only from a specific IP address range
<a name="iam-sourceip"></a>

The following example IAM policy allows an IAM principal to connect to an instance only if they are connecting from an IP address within the IP address range specified in the policy. If the IAM principal calls `OpenTunnel` from an IP address not within `192.0.2.0/24` (the example IP address range in this policy), the response is `Access Denied`. For more information, see [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceip](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceip) in the *IAM User Guide*.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [{
            "Effect": "Allow",
            "Action": "ec2-instance-connect:OpenTunnel",
            "Resource": "arn:aws:ec2:us-east-1:111122223333:instance-connect-endpoint/eice-123456789abcdef",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "192.0.2.0/24"
                },
                "NumericEquals": {
                    "ec2-instance-connect:remotePort": "22"
                }
            }
        },
        {
            "Sid": "SSHPublicKey",
            "Effect": "Allow",
            "Action": "ec2-instance-connect:SendSSHPublicKey",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:osuser": "ami-username"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceConnectEndpoints"
            ],
            "Resource": "*"
        }
    ]
}
```

------
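To see how the condition keys in the Linux policy above and in the source-IP policy combine for a single request, the following added example (not AWS code or tooling) evaluates `OpenTunnel` and `SendSSHPublicKey` calls against those two policies offline. The endpoint ARN and the policies are copied from this page; the instance ARN, the security group IDs and the default caller address are constructed.

```python
"""Dry-run evaluator for the OpenTunnel condition keys used in the policies above.

Added example, not AWS code: it models only the IAM condition operators these policies
use (NumericEquals, NumericLessThanEquals, IpAddress, StringEquals) so a policy's effect
can be checked offline before it is attached to a principal.
"""
import fnmatch
import ipaddress

# Endpoint ARN and policies copied from the examples on this page.
EICE_ARN = "arn:aws:ec2:us-east-1:111122223333:instance-connect-endpoint/eice-123456789abcdef"

LINUX_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EC2InstanceConnect", "Effect": "Allow",
            "Action": "ec2-instance-connect:OpenTunnel",
            "Resource": EICE_ARN,
            "Condition": {
                "NumericEquals": {"ec2-instance-connect:remotePort": "22"},
                "IpAddress": {"ec2-instance-connect:privateIpAddress": "10.0.1.0/31"},
                "NumericLessThanEquals": {"ec2-instance-connect:maxTunnelDuration": "3600"},
            },
        },
        {
            "Sid": "SSHPublicKey", "Effect": "Allow",
            "Action": "ec2-instance-connect:SendSSHPublicKey", "Resource": "*",
            "Condition": {"StringEquals": {"ec2:osuser": "ami-username"}},
        },
    ],
}

SOURCE_IP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Action": "ec2-instance-connect:OpenTunnel", "Resource": EICE_ARN,
        "Condition": {
            "IpAddress": {"aws:SourceIp": "192.0.2.0/24"},
            "NumericEquals": {"ec2-instance-connect:remotePort": "22"},
        },
    }],
}

# Constructed instance ARN used as the resource of the SendSSHPublicKey call.
INSTANCE_ARN = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789example"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_met(operator, expected, actual):
    """Evaluate one condition pair. A key absent from the request never matches
    (IAM only tolerates that with the ...IfExists operators, which are not used here)."""
    if actual is None:
        return False
    values = _as_list(expected)  # several values under one key are OR-ed
    if operator == "StringEquals":
        return any(str(actual) == str(v) for v in values)
    if operator == "NumericEquals":
        return any(int(actual) == int(v) for v in values)
    if operator == "NumericLessThanEquals":
        return any(int(actual) <= int(v) for v in values)
    if operator == "IpAddress":
        addr = ipaddress.ip_address(actual)
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    raise ValueError(f"operator {operator} is not modelled")


def evaluate(policy, action, resource, context):
    """Return "Allow" or "Deny": explicit Deny wins, no matching statement is an implicit Deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not all(_condition_met(op, exp, context.get(key))
                   for op, pairs in stmt.get("Condition", {}).items()
                   for key, exp in pairs.items()):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


def open_tunnel_allowed(policy, private_ip, remote_port, max_tunnel_duration=3600,
                        source_ip="192.0.2.10", endpoint_arn=EICE_ARN):
    """Model one OpenTunnel call. Leaving out --max-tunnel-duration means the 3,600 s default
    is evaluated, which is why a policy limit below 3,600 forces callers to pass the flag."""
    context = {
        "ec2-instance-connect:privateIpAddress": private_ip,
        "ec2-instance-connect:remotePort": remote_port,
        "ec2-instance-connect:maxTunnelDuration": max_tunnel_duration,
        "aws:SourceIp": source_ip,  # the caller's public IP (constructed default)
    }
    return evaluate(policy, "ec2-instance-connect:OpenTunnel", endpoint_arn, context) == "Allow"


def send_ssh_public_key_allowed(policy, os_user):
    """Model the SendSSHPublicKey call that precedes an SSH session to a Linux instance."""
    return evaluate(policy, "ec2-instance-connect:SendSSHPublicKey", INSTANCE_ARN,
                    {"ec2:osuser": os_user}) == "Allow"
```

Run `open_tunnel_allowed(LINUX_POLICY, "10.0.1.2", 22)` to confirm that the `/31` range really stops at `10.0.1.1`, and `open_tunnel_allowed(LINUX_POLICY, "10.0.1.1", 22, 3601)` to see the duration cap refuse a longer tunnel.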

# Security groups for EC2 Instance Connect Endpoint
<a name="eice-security-groups"></a>

A security group controls the traffic that is allowed to reach and leave the resources that it is associated with. For example, we deny traffic to and from an Amazon EC2 instance unless it is specifically allowed by the security groups associated with the instance.

The following examples show you how to configure the security group rules for the EC2 Instance Connect Endpoint and the target instances.

**Topics**
+ [EC2 Instance Connect Endpoint security group rules](#eice-security-group-rules)
+ [Target instance security group rules](#resource-security-group-rules)

## EC2 Instance Connect Endpoint security group rules
<a name="eice-security-group-rules"></a>

The security group rules for an EC2 Instance Connect Endpoint must allow outbound traffic destined for the target instances to leave the endpoint. You can specify either the instance security group or the IPv4 or IPv6 address range of the VPC as the destination.

Traffic to the endpoint originates from the EC2 Instance Connect Endpoint Service, and it is allowed regardless of the inbound rules for the endpoint security group. To control who can use EC2 Instance Connect Endpoint to connect to an instance, use an IAM policy. For more information, see [Permissions to use EC2 Instance Connect Endpoint to connect to instances](permissions-for-ec2-instance-connect-endpoint.md#iam-OpenTunnel).

**Example outbound rule: Security group referencing**  
The following example uses security group referencing, which means that the destination is a security group associated with the target instances. This rule allows outbound traffic from the endpoint to all instances that use this security group.


| Protocol | Destination | Port range | Comment | 
| --- | --- | --- | --- | 
| TCP | ID of instance security group | 22 | Allows outbound SSH traffic to all instances associated with the instance security group | 

**Example outbound rule: IPv4 address range**  
The following example allows outbound traffic to the specified IPv4 address range. The IPv4 address of an instance is assigned from its subnet, so you can use the IPv4 address range of the VPC.


| Protocol | Destination | Port range | Comment | 
| --- | --- | --- | --- | 
| TCP | VPC IPv4 CIDR | 22 | Allows outbound SSH traffic to the VPC | 

**Example outbound rule: IPv6 address range**  
The following example allows outbound traffic to the specified IPv6 address range. The IPv6 address of an instance is assigned from its subnet, so you can use the IPv6 address range of the VPC.


| Protocol | Destination | Port range | Comment | 
| --- | --- | --- | --- | 
| TCP | VPC IPv6 CIDR | 22 | Allows outbound SSH traffic to the VPC | 

## Target instance security group rules
<a name="resource-security-group-rules"></a>

The security group rules for target instances must allow inbound traffic from the EC2 Instance Connect Endpoint. You can specify either the endpoint security group or an IPv4 or IPv6 address range as the source. If you specify an IPv4 address range, the source depends on whether client IP preservation is off or on. For more information, see [Considerations](connect-with-ec2-instance-connect-endpoint.md#ec2-instance-connect-endpoint-prerequisites).

Because security groups are stateful, the response traffic is allowed to leave the VPC regardless of the outbound rules for the instance security group.

**Example inbound rule: Security group referencing**  
The following example uses security group referencing, which means that the source is the security group associated with the endpoint. This rule allows inbound SSH traffic from the endpoint to all instances that use this security group, whether client IP preservation is on or off. If there are no other inbound security group rules for SSH, then the instances accept SSH traffic only from the endpoint.


| Protocol | Source | Port range | Comment | 
| --- | --- | --- | --- | 
| TCP | ID of endpoint security group | 22 | Allows inbound SSH traffic from the resources associated with the endpoint security group | 

**Example inbound rule: Client IP preservation off**  
The following example allows inbound SSH traffic from the specified IPv4 address range. Because client IP preservation is off, the source IPv4 address is the address of the endpoint network interface. The address of the endpoint network interface is assigned from its subnet, so you can use the IPv4 address range of the VPC to allow connections to all instances in the VPC.


| Protocol | Source | Port range | Comment | 
| --- | --- | --- | --- | 
| TCP | VPC IPv4 CIDR | 22 | Allows inbound SSH traffic from the VPC | 

**Example inbound rule: Client IP preservation on**  
The following example allows inbound SSH traffic from the specified IPv4 address range. Because client IP preservation is on, the source IPv4 address is the address of the client.


| Protocol | Source | Port range | Comment | 
| --- | --- | --- | --- | 
| TCP | Public IPv4 address range | 22 | Allows inbound traffic from the specified client IPv4 address range | 
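The following added example (not AWS code) models the endpoint outbound and instance inbound rule tables from the two sections above and checks whether a given pairing lets a session through, including how client IP preservation changes the source address the instance sees. The VPC CIDR, security group IDs and addresses are constructed sample values.

```python
"""Check whether an endpoint security group and an instance security group together
permit an EC2 Instance Connect Endpoint session on a given port.

Added example, not AWS code. It models the rule tables above: a rule's peer is either a
security group ID (security group referencing) or a CIDR, and the source the instance sees
depends on whether client IP preservation is on (client address) or off (endpoint ENI).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One security group rule; `peer` is an sg-ID or a CIDR string."""
    protocol: str
    port_from: int
    port_to: int
    peer: str


def _rule_matches(rule, port, peer_sg_id, peer_ip):
    if rule.protocol != "tcp" or not (rule.port_from <= port <= rule.port_to):
        return False
    if rule.peer.startswith("sg-"):  # security group referencing ignores the IP entirely
        return rule.peer == peer_sg_id
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.peer, strict=False)


def check_session(endpoint_egress, instance_ingress, *, endpoint_sg, instance_sg,
                  endpoint_eni_ip, instance_ip, client_ip, preserve_client_ip, port=22):
    """Return (allowed, reason). Security groups are stateful, so only the endpoint's
    outbound rules and the instance's inbound rules matter for the forward path."""
    if not any(_rule_matches(r, port, instance_sg, instance_ip) for r in endpoint_egress):
        return False, f"endpoint security group has no outbound rule to {instance_ip}:{port}"
    # With client IP preservation off, the instance sees the endpoint network interface
    # as the source; with it on, the instance sees the real client address.
    source_ip = client_ip if preserve_client_ip else endpoint_eni_ip
    if not any(_rule_matches(r, port, endpoint_sg, source_ip) for r in instance_ingress):
        return False, f"instance security group has no inbound rule from {source_ip}:{port}"
    return True, "allowed"


# Constructed sample topology: VPC 10.0.0.0/16, endpoint ENI in subnet A, instance in
# subnet B, client connecting from the documentation range 203.0.113.0/24.
VPC_CIDR = "10.0.0.0/16"
ENDPOINT_SG, INSTANCE_SG = "sg-0a1b2c3d4e5f67890", "sg-0f9e8d7c6b5a43210"
ENDPOINT_ENI_IP, INSTANCE_IP, CLIENT_IP = "10.0.0.10", "10.0.1.1", "203.0.113.5"

# The page's rule tables, expressed as Rule objects.
EGRESS_SG_REF = [Rule("tcp", 22, 22, INSTANCE_SG)]
EGRESS_VPC_CIDR = [Rule("tcp", 22, 22, VPC_CIDR)]
INGRESS_SG_REF = [Rule("tcp", 22, 22, ENDPOINT_SG)]
INGRESS_VPC_CIDR = [Rule("tcp", 22, 22, VPC_CIDR)]
INGRESS_CLIENT_RANGE = [Rule("tcp", 22, 22, "203.0.113.0/24")]


def scenario(egress, ingress, preserve_client_ip, port=22):
    """Evaluate one rule pairing against the sample topology."""
    return check_session(egress, ingress, endpoint_sg=ENDPOINT_SG, instance_sg=INSTANCE_SG,
                         endpoint_eni_ip=ENDPOINT_ENI_IP, instance_ip=INSTANCE_IP,
                         client_ip=CLIENT_IP, preserve_client_ip=preserve_client_ip, port=port)
```

`scenario(EGRESS_VPC_CIDR, INGRESS_VPC_CIDR, True)` shows the common misconfiguration: the VPC-CIDR inbound rule that works with preservation off stops matching once the instance sees the client's public address.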

# Create an EC2 Instance Connect Endpoint
<a name="create-ec2-instance-connect-endpoints"></a>

You can create an EC2 Instance Connect Endpoint to allow secure connection to your instances.

**Considerations**
+ **Shared subnets** – You can create an EC2 Instance Connect Endpoint in a subnet shared with you. However, you can't use EC2 Instance Connect Endpoints that the VPC owner created in a subnet shared with you.
+ **IP address types** – EC2 Instance Connect Endpoints support the following address types, which must be compatible with your subnet:
  + `ipv4` – Connect only to EC2 instances with private IPv4 addresses.
  + `dualstack` – Connect to EC2 instances with either private IPv4 addresses or IPv6 addresses.
  + `ipv6` – Connect only to EC2 instances with IPv6 addresses.

**Prerequisites**  
You must have the required IAM permissions to create an EC2 Instance Connect Endpoint. For more information, see [Permissions to create, describe, modify, and delete EC2 Instance Connect Endpoints](permissions-for-ec2-instance-connect-endpoint.md#iam-CreateInstanceConnectEndpoint).

------
#### [ Console ]

**To create an EC2 Instance Connect Endpoint**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the left navigation pane, choose **Endpoints**.

1. Choose **Create endpoint**, and then specify the endpoint settings as follows:

   1. (Optional) For **Name tag**, enter a name for the endpoint.

   1. For **Type**, choose **EC2 Instance Connect Endpoint**.

   1. Under **Network settings**, for **VPC**, select the VPC that has the target instances.

   1. (Optional) To preserve client IP addresses, expand **Additional settings** and select the **Preserve Client IP** check box. Otherwise, the default is to use the endpoint network interface as the client IP address.
**Note**  
This option is only available when the endpoint's IP address type is configured as IPv4.

   1. (Optional) For **Security groups**, select the security group to associate with the endpoint. Otherwise, the default is to use the default security group for the VPC. For more information, see [Security groups for EC2 Instance Connect Endpoint](eice-security-groups.md).

   1. For **Subnet**, select the subnet in which to create the endpoint.

   1. For **IP address type**, choose the IP address type for the endpoint. Choose **Dualstack** if you need to support both IPv4 and IPv6 connections to your instances. Choose **IPv4** if you need to support client IP preservation.

   1. (Optional) To add a tag, choose **Add new tag** and enter the tag key and the tag value.

1. Review your settings and then choose **Create endpoint**.

   The initial status of the endpoint is **Pending**. Before you can connect to an instance using this endpoint, you must wait until the endpoint status is **Available**. This can take a few minutes.

1. To connect to an instance using your endpoint, see [Connect to an instance](connect-using-eice.md).

------
#### [ AWS CLI ]

**To create an EC2 Instance Connect Endpoint**  
Use the [https://docs.aws.amazon.com/cli/latest/reference/ec2/create-instance-connect-endpoint.html](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-instance-connect-endpoint.html) command.

```
aws ec2 create-instance-connect-endpoint \
    --subnet-id subnet-0123456789example
```

To specify the type of traffic that the endpoint supports, include the `--ip-address-type` parameter. Valid values are `ipv4`, `dualstack`, or `ipv6`. The subnet must support the IP address type that you specify. When the `--ip-address-type` parameter is omitted, the default value is determined by the IP address type supported by the subnet.

```
aws ec2 create-instance-connect-endpoint \
    --subnet-id subnet-0123456789example \
    --ip-address-type ipv4
```

The following is example output.

```
{
        "OwnerId": "111111111111",
        "InstanceConnectEndpointId": "eice-0123456789example",
        "InstanceConnectEndpointArn": "arn:aws:ec2:us-east-1:111111111111:instance-connect-endpoint/eice-0123456789example",
        "State": "create-complete",
        "StateMessage": "",
        "DnsName": "eice-0123456789example.0123abcd.ec2-instance-connect-endpoint.us-east-1.amazonaws.com",
        "FipsDnsName": "eice-0123456789example.0123abcd.fips.ec2-instance-connect-endpoint.us-east-1.amazonaws.com",
        "NetworkInterfaceIds": [
            "eni-0123abcd"
        ],
        "VpcId": "vpc-0123abcd",
        "AvailabilityZone": "us-east-1a",
        "AvailabilityZoneId": "use1-az4",
        "CreatedAt": "2023-04-07T15:43:53.000Z",
        "SubnetId": "subnet-0123abcd",
        "PreserveClientIp": false,
        "SecurityGroupIds": [
            "sg-0123abcd"
        ],
        "Tags": [],
        "IpAddressType": "ipv4"
}
```

**To monitor the creation status**  
The initial value for the `State` field is `create-in-progress`. Before you can connect to an instance using this endpoint, wait until the state is `create-complete`. Use the [https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instance-connect-endpoints.html](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instance-connect-endpoints.html) command to monitor the status of the EC2 Instance Connect Endpoint. The `--query` parameter filters the results to the `State` field.

```
aws ec2 describe-instance-connect-endpoints --instance-connect-endpoint-ids eice-0123456789example --query InstanceConnectEndpoints[*].State --output text
```

The following is example output.

```
create-complete
```

------
#### [ PowerShell ]

**To create the EC2 Instance Connect Endpoint**  
Use the [https://docs.aws.amazon.com/powershell/latest/reference/items/New-EC2InstanceConnectEndpoint.html](https://docs.aws.amazon.com/powershell/latest/reference/items/New-EC2InstanceConnectEndpoint.html) cmdlet.

```
New-EC2InstanceConnectEndpoint -SubnetId subnet-0123456789example
```

To specify the type of traffic that the endpoint supports, include the `-IpAddressType` parameter. Valid values are `ipv4`, `dualstack`, or `ipv6`. The subnet must support the IP address type that you specify. When the `-IpAddressType` parameter is omitted, the default value is determined by the IP address type supported by the subnet.

```
New-EC2InstanceConnectEndpoint -SubnetId subnet-0123456789example -IpAddressType ipv4
```

The following is example output.

```
OwnerId                     : 111111111111
InstanceConnectEndpointId   : eice-0123456789example
InstanceConnectEndpointArn  : arn:aws:ec2:us-east-1:111111111111:instance-connect-endpoint/eice-0123456789example
State                       : create-complete
StateMessage                : 
DnsName                     : eice-0123456789example.0123abcd.ec2-instance-connect-endpoint.us-east-1.amazonaws.com
FipsDnsName                 : eice-0123456789example.0123abcd.fips.ec2-instance-connect-endpoint.us-east-1.amazonaws.com
NetworkInterfaceIds         : {eni-0123abcd}
VpcId                       : vpc-0123abcd
AvailabilityZone            : us-east-1a
AvailabilityZoneId          : use1-az4
CreatedAt                   : 4/7/2023 3:43:53 PM
SubnetId                    : subnet-0123abcd
PreserveClientIp            : False
SecurityGroupIds            : {sg-0123abcd}
Tags                        : {}
IpAddressType               : ipv4
```

**To monitor the creation status**  
The initial value for the `State` field is `create-in-progress`. Before you can connect to an instance using this endpoint, wait until the state is `create-complete`. Use the [https://docs.aws.amazon.com/powershell/latest/reference/items/Get-EC2InstanceConnectEndpoint.html](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-EC2InstanceConnectEndpoint.html) cmdlet to monitor the status of the EC2 Instance Connect Endpoint. `.State.Value` filters the results to the `State` field.

```
(Get-EC2InstanceConnectEndpoint -InstanceConnectEndpointId "eice-0123456789example").State.Value
```

The following is example output.

```
create-complete
```

------

# Modify an EC2 Instance Connect Endpoint
<a name="modify-ec2-instance-connect-endpoint"></a>

You can modify existing EC2 Instance Connect Endpoints using the AWS CLI or an SDK. The Amazon EC2 console doesn't support endpoint modification.

Before you begin, you must have the required IAM permissions. For more information, see [Permissions to create, describe, modify, and delete EC2 Instance Connect Endpoints](permissions-for-ec2-instance-connect-endpoint.md#iam-CreateInstanceConnectEndpoint).

## Parameters you can modify
<a name="eice-modify-parameters"></a>

You can modify the following EC2 Instance Connect Endpoint parameters:

**Security groups**  
You can specify new security groups for the EC2 Instance Connect Endpoint. The new security groups replace the current security groups.  
When modifying the security groups, you must specify:  
+ At least one security group, even if it's just the default security group in the VPC.
+ The IDs of the security groups, not the names.

**IP address type**  
You can specify a new IP address type for the EC2 Instance Connect Endpoint.  
Valid values: `ipv4` | `dualstack` | `ipv6`

**Preserve client IP setting**  
You can specify whether to preserve the client IP address as the source.  
Preserving the client IP is only supported on IPv4 EC2 Instance Connect Endpoints. When enabling `PreserveClientIp`, either the endpoint's existing IP address type must be `ipv4`, or if modifying the IP address type in the same request, the new value must be `ipv4`.

------
#### [ AWS CLI ]

**To modify an EC2 Instance Connect Endpoint**  
Use the [https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-instance-connect-endpoint.html](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-instance-connect-endpoint.html) command and specify the EC2 Instance Connect Endpoint and the parameters to modify. The following example modifies all the parameters in a single request.

```
aws ec2 modify-instance-connect-endpoint \
    --instance-connect-endpoint-id eice-0123456789example \
    --security-group-ids sg-0123456789example \
    --ip-address-type dualstack \
    --no-preserve-client-ip
```

The following is example output.

```
{
    "Return": true
}
```

**To monitor the update status**  
During modification, the EC2 Instance Connect Endpoint status changes to `update-in-progress`. The update process runs asynchronously and completes with either an `update-complete` or `update-failed` status. The endpoint uses its old configuration until the status changes to `update-complete`.

Use the [https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instance-connect-endpoints.html](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instance-connect-endpoints.html) command to monitor the update status. The `--query` parameter filters the results to the `State` field.

```
aws ec2 describe-instance-connect-endpoints \
    --instance-connect-endpoint-ids eice-0123456789example \
    --query InstanceConnectEndpoints[*].State --output text
```

The following is example output.

```
update-complete
```

------
#### [ PowerShell ]

**To modify an EC2 Instance Connect Endpoint**  
Use the [https://docs.aws.amazon.com/powershell/latest/reference/items/Edit-EC2InstanceConnectEndpoint.html](https://docs.aws.amazon.com/powershell/latest/reference/items/Edit-EC2InstanceConnectEndpoint.html) cmdlet and specify the EC2 Instance Connect Endpoint and the parameters to modify. The following example modifies all the parameters in a single request.

```
Edit-EC2InstanceConnectEndpoint `
    -InstanceConnectEndpointId eice-0123456789example `
    -SecurityGroupIds sg-0123456789example `
    -IpAddressType dualstack `
    -PreserveClientIp $false
```

The following is example output.

```
True
```

**To monitor the update status**  
During modification, the EC2 Instance Connect Endpoint status changes to `update-in-progress`. The update process runs asynchronously and completes with either an `update-complete` or `update-failed` status. The endpoint uses its old configuration until the status changes to `update-complete`.

Use the [https://docs.aws.amazon.com/powershell/latest/reference/items/Get-EC2InstanceConnectEndpoint.html](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-EC2InstanceConnectEndpoint.html) cmdlet to monitor the update status. `.State.Value` filters the results to the `State` field.

```
(Get-EC2InstanceConnectEndpoint -InstanceConnectEndpointId "eice-0123456789example").State.Value
```

The following is example output.

```
update-complete
```
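
The CLI and PowerShell monitoring steps above poll `State` by hand. The following added example (not from the AWS documentation) wraps that polling in a function that stops on any terminal state, surfaces `StateMessage` on `update-failed`, and reports whether the endpoint is in a state that accepts connections; the polling logic takes a `fetch` callable so it runs without AWS access, and `boto3_fetch_state` is an assumed helper that requires boto3 and configured credentials.

```python
"""Poll an EC2 Instance Connect Endpoint until it leaves a transitional state.

Added example, not from the AWS documentation. wait_for_endpoint takes a
fetch callable so it can be exercised offline; boto3_fetch_state is a thin
wrapper that assumes boto3 and AWS credentials are available.
"""
import time

# Lifecycle states follow the naming used in the documentation:
# <op>-in-progress -> <op>-complete | <op>-failed, for create/update/delete.
IN_PROGRESS_SUFFIX = "-in-progress"
FAILED_SUFFIX = "-failed"

# States in which OpenTunnel connections can succeed (a new endpoint that is
# create-complete, or an existing endpoint that is being modified).
CONNECTABLE = {"create-complete", "update-in-progress",
               "update-complete", "update-failed"}


def is_connectable(state):
    """True if a connection attempt through the endpoint can succeed."""
    return state in CONNECTABLE


def wait_for_endpoint(fetch, endpoint_id, max_attempts=60, interval=5,
                      sleep=time.sleep):
    """Call fetch(endpoint_id) -> (state, state_message) until the state is no
    longer '*-in-progress'.

    Returns (state, state_message) on a terminal state. Raises RuntimeError
    (carrying StateMessage) on a '*-failed' state and TimeoutError if the
    endpoint is still in progress after max_attempts polls.
    """
    for attempt in range(1, max_attempts + 1):
        state, message = fetch(endpoint_id)
        if not state.endswith(IN_PROGRESS_SUFFIX):
            break
        if attempt < max_attempts:
            sleep(interval)
    else:
        raise TimeoutError(f"{endpoint_id} still {state} after {max_attempts} polls")
    if state.endswith(FAILED_SUFFIX):
        raise RuntimeError(
            f"{endpoint_id} entered {state}: {message or 'no StateMessage'}")
    return state, message


def boto3_fetch_state(endpoint_id, region_name=None):
    """Fetch (State, StateMessage) with boto3 (assumes boto3 is installed)."""
    import boto3  # imported here so the polling logic has no hard dependency
    ec2 = boto3.client("ec2", region_name=region_name)
    resp = ec2.describe_instance_connect_endpoints(
        InstanceConnectEndpointIds=[endpoint_id])
    endpoints = resp.get("InstanceConnectEndpoints", [])
    if not endpoints:
        # Assumption: an empty result means the endpoint no longer exists.
        raise LookupError(f"{endpoint_id} not found")
    endpoint = endpoints[0]
    return endpoint["State"], endpoint.get("StateMessage", "")


if __name__ == "__main__":
    # Placeholder endpoint ID; replace with your own.
    final_state, _ = wait_for_endpoint(boto3_fetch_state, "eice-0123456789example")
    print(final_state, "connectable" if is_connectable(final_state) else "not connectable")
```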

------

# Delete an EC2 Instance Connect Endpoint
<a name="delete-ec2-instance-connect-endpoint"></a>

When you are finished with an EC2 Instance Connect Endpoint, you can delete it.

You must have the required IAM permissions to delete an EC2 Instance Connect Endpoint. For more information, see [Permissions to create, describe, modify, and delete EC2 Instance Connect Endpoints](permissions-for-ec2-instance-connect-endpoint.md#iam-CreateInstanceConnectEndpoint).

When you delete an EC2 Instance Connect Endpoint using the console, it enters the **Deleting** state. If deletion is successful, the deleted endpoint no longer appears. If deletion fails, the state is **delete-failed** and **Status message** provides the failure reason.

When you delete an EC2 Instance Connect Endpoint using the AWS CLI, it enters the `delete-in-progress` state. If deletion is successful, it enters the `delete-complete` state. If deletion fails, the state is `delete-failed` and `StateMessage` provides the failure reason.

------
#### [ Console ]

**To delete an EC2 Instance Connect Endpoint**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the left navigation pane, choose **Endpoints**.

1. Select the endpoint.

1. Choose **Actions**, **Delete VPC endpoints**.

1. When prompted for confirmation, enter **delete**.

1. Choose **Delete**.

------
#### [ AWS CLI ]

**To delete an EC2 Instance Connect Endpoint**  
Use the [https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-instance-connect-endpoint.html](https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-instance-connect-endpoint.html) command and specify the ID of the EC2 Instance Connect Endpoint to delete.

```
aws ec2 delete-instance-connect-endpoint --instance-connect-endpoint-id eice-03f5e49b83924bbc7
```

The following is example output.

```
{
    "InstanceConnectEndpoint": {
        "OwnerId": "111111111111",
        "InstanceConnectEndpointId": "eice-0123456789example",
        "InstanceConnectEndpointArn": "arn:aws:ec2:us-east-1:111111111111:instance-connect-endpoint/eice-0123456789example",
        "State": "delete-in-progress",
        "StateMessage": "",
        "NetworkInterfaceIds": [],
        "VpcId": "vpc-0123abcd",
        "AvailabilityZone": "us-east-1d",
        "AvailabilityZoneId": "use1-az2",
        "CreatedAt": "2023-02-07T12:05:37+00:00",
        "SubnetId": "subnet-0123abcd"
    }
}
```

------
#### [ PowerShell ]

**To delete an EC2 Instance Connect Endpoint**  
Use the [https://docs.aws.amazon.com/powershell/latest/reference/items/Remove-EC2InstanceConnectEndpoint.html](https://docs.aws.amazon.com/powershell/latest/reference/items/Remove-EC2InstanceConnectEndpoint.html) cmdlet and specify the ID of the EC2 Instance Connect Endpoint to delete.

```
Remove-EC2InstanceConnectEndpoint -InstanceConnectEndpointId eice-03f5e49b83924bbc7
```

The following is example output.

```
@{
    InstanceConnectEndpoint = @{
        OwnerId = "111111111111"
        InstanceConnectEndpointId = "eice-0123456789example"
        InstanceConnectEndpointArn = "arn:aws:ec2:us-east-1:111111111111:instance-connect-endpoint/eice-0123456789example"
        State = "delete-in-progress"
        StateMessage = ""
        NetworkInterfaceIds = @()
        VpcId = "vpc-0123abcd"
        AvailabilityZone = "us-east-1d"
        AvailabilityZoneId = "use1-az2"
        CreatedAt = "2023-02-07T12:05:37+00:00"
        SubnetId = "subnet-0123abcd"
    }
}
```

------

# Connect to an Amazon EC2 instance using EC2 Instance Connect Endpoint
<a name="connect-using-eice"></a>

You can use EC2 Instance Connect Endpoint to connect to an Amazon EC2 instance that supports SSH or RDP.

**Prerequisites**
+ You must have the required IAM permission to connect to an EC2 Instance Connect Endpoint. For more information, see [Permissions to use EC2 Instance Connect Endpoint to connect to instances](permissions-for-ec2-instance-connect-endpoint.md#iam-OpenTunnel).
+ The EC2 Instance Connect Endpoint must be in one of the following states:
  + **create-complete** for a new endpoint
  + **update-in-progress**, **update-complete**, or **update-failed** for an existing endpoint being modified. When modifying an endpoint, it continues using its original configuration until the status changes to **update-complete**. 

    If your VPC doesn't have an EC2 Instance Connect Endpoint, you can create one. For more information, see [Create an EC2 Instance Connect Endpoint](create-ec2-instance-connect-endpoints.md).
+ The EC2 Instance Connect Endpoint IP address type must be compatible with the IP address type of the instance. If your endpoint IP address type is dual-stack, then it can work for both IPv4 and IPv6 addresses.
+ (Linux instances) To use the Amazon EC2 console to connect to your instance, or to use the CLI to connect and have EC2 Instance Connect handle the ephemeral key, your instance must have EC2 Instance Connect installed. For more information, see [Install EC2 Instance Connect](ec2-instance-connect-set-up.md).
+ Ensure that the security group of the instance allows inbound SSH traffic from the EC2 Instance Connect Endpoint. For more information, see [Target instance security group rules](eice-security-groups.md#resource-security-group-rules).

**Topics**
+ [Connect to your Linux instance using the Amazon EC2 console](#connect-using-the-ec2-console)
+ [Connect to your Linux instance using SSH](#eic-connect-using-ssh)
+ [Connect to your Linux instance with its instance ID using the AWS CLI](#eic-connect-using-cli)
+ [Connect to your Windows instance using RDP](#eic-connect-using-rdp)
+ [Troubleshoot](#troubleshoot-eice)

## Connect to your Linux instance using the Amazon EC2 console
<a name="connect-using-the-ec2-console"></a>

You can connect to an instance using the Amazon EC2 console (a browser-based client) as follows.

**To connect to your instance using the Amazon EC2 console**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Instances**.

1. Select the instance, and then choose **Connect**.

1. Choose the **EC2 Instance Connect** tab.

1. For **Connection type**, choose **Connect using a Private IP**.

1. Choose either **Private IPv4 address** or **IPv6 address**. The options are available based on the IP addresses assigned to your instance. If an option is greyed out, your instance does not have an IP address of that type assigned to it.

1. For **EC2 Instance Connect Endpoint**, choose the ID of the EC2 Instance Connect Endpoint.
**Note**  
The EC2 Instance Connect Endpoint must be compatible with the IP address you chose in the previous step. If your endpoint IP address type is dual-stack, then it can work for both IPv4 and IPv6 addresses. For more information, see [Create an EC2 Instance Connect Endpoint](create-ec2-instance-connect-endpoints.md).

1. For **Username**, if the AMI that you used to launch the instance uses a username other than `ec2-user`, enter the correct username.

1. For **Max tunnel duration (seconds)**, enter the maximum allowed duration for the SSH connection.

   The duration must comply with any `maxTunnelDuration` condition specified in the IAM policy. If you don't have access to the IAM policy, contact your administrator.

1. Choose **Connect**. This opens a terminal window for your instance.

## Connect to your Linux instance using SSH
<a name="eic-connect-using-ssh"></a>

You can use SSH to connect to your Linux instance, and use the `open-tunnel` command to establish a private tunnel. You can use `open-tunnel` in single connection or multi-connection mode. You can specify your instance ID, a private IPv4 address, or an IPv6 address.

For information about using the AWS CLI to connect to your instance using SSH, see [Connect using the AWS CLI](ec2-instance-connect-methods.md#connect-linux-inst-eic-cli-ssh).

The following examples use [OpenSSH](https://www.openssh.com/). You can use any other SSH client that supports a proxy mode.

### Single connection
<a name="ssh-single-connection"></a>

**To allow only a single connection to an instance using SSH and the `open-tunnel` command**

Use `ssh` and the [https://docs.aws.amazon.com/cli/latest/reference/ec2-instance-connect/open-tunnel.html](https://docs.aws.amazon.com/cli/latest/reference/ec2-instance-connect/open-tunnel.html) AWS CLI command as follows. The `-o` proxy command encloses the `open-tunnel` command that creates the private tunnel to the instance.

```
ssh -i my-key-pair.pem ec2-user@i-1234567890abcdef0 \
    -o ProxyCommand='aws ec2-instance-connect open-tunnel --instance-id i-1234567890abcdef0'
```

For:
+ `-i` – Specify the key pair that was used to launch the instance.
+ `ec2-user@i-1234567890abcdef0` – Specify the username of the AMI that was used to launch the instance, and the instance ID. For instances with an IPv6 address, you must specify the IPv6 address instead of the instance ID.
+ `--instance-id` – Specify the ID of the instance to connect to. Alternatively, specify `%h`, which extracts the instance ID from the user. For instances with an IPv6 address, replace `--instance-id i-1234567890abcdef0` with `--private-ip-address 2001:db8::1234:5678:1.2.3.4`.

### Multi-connection
<a name="ssh-multi-connection"></a>

To allow multiple connections to an instance, first run the [https://docs.aws.amazon.com/cli/latest/reference/ec2-instance-connect/open-tunnel.html](https://docs.aws.amazon.com/cli/latest/reference/ec2-instance-connect/open-tunnel.html) AWS CLI command to start listening for new TCP connections, and then use `ssh` to create a new TCP connection and a private tunnel to your instance.

**To allow multiple connections to your instance using SSH and the `open-tunnel` command**

1. Run the following command to start listening for new TCP connections on the specified port on your local machine.

   ```
   aws ec2-instance-connect open-tunnel \
       --instance-id i-1234567890abcdef0 \
       --local-port 8888
   ```

   Expected output:

   ```
   Listening for connections on port 8888.
   ```

1. In a *new terminal window*, run the following `ssh` command to create a new TCP connection and a private tunnel to your instance.

   ```
   ssh -i my-key-pair.pem ec2-user@localhost -p 8888
   ```

   Expected output – In the *first* terminal window, you'll see the following:

   ```
   [1] Accepted new tcp connection, opening websocket tunnel.
   ```

   You might also see the following:

   ```
   [1] Closing tcp connection.
   ```

## Connect to your Linux instance with its instance ID using the AWS CLI
<a name="eic-connect-using-cli"></a>

If you only know your instance ID, you can use the [ec2-instance-connect ssh](https://docs.aws.amazon.com/cli/latest/reference/ec2-instance-connect/ssh.html) AWS CLI command to connect to your instance using an SSH client. For more information, see [Connect using the AWS CLI](ec2-instance-connect-methods.md#connect-linux-inst-eic-cli-ssh).

**Prerequisites**
+ Install AWS CLI version 2 and configure it using your credentials. For more information, see [Install or update to the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) and [Configure the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) in the *AWS Command Line Interface User Guide*.
+ Alternatively, open AWS CloudShell and run AWS CLI commands in its pre-authenticated shell.

**To connect to an instance using the instance ID and an EC2 Instance Connect Endpoint**  
If you only know the instance ID, use the [ec2-instance-connect ssh](https://docs.aws.amazon.com/cli/latest/reference/ec2-instance-connect/ssh.html) CLI command, and specify the `ssh` command, the instance ID, and the `--connection-type` parameter with the `eice` value to use an EC2 Instance Connect Endpoint. If the instance only has an IPv6 address, you must also include the `--instance-ip` parameter with the IPv6 address.
+ If the instance has a private IPv4 address (it can also have an IPv6 address) use the following command and parameters:

  ```
  aws ec2-instance-connect ssh \
      --instance-id i-1234567890example \
      --os-user ec2-user \
      --connection-type eice
  ```
+ If the instance only has an IPv6 address, include the `--instance-ip` parameter with the IPv6 address:

  ```
  aws ec2-instance-connect ssh \
      --instance-id i-1234567890example \
      --instance-ip 2001:db8::1234:5678:1.2.3.4 \
      --os-user ec2-user \
      --connection-type eice
  ```

**Tip**  
If you get an error, make sure that you're using AWS CLI version 2. The `ssh` parameter is only available in AWS CLI version 2. For more information, see [About AWS CLI version 2](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html#welcome-versions-v2) in the *AWS Command Line Interface User Guide*.

## Connect to your Windows instance using RDP
<a name="eic-connect-using-rdp"></a>

You can use Remote Desktop Protocol (RDP) over EC2 Instance Connect Endpoint to connect to a Windows instance without a public IPv4 address or public DNS name.

**To connect to your Windows instance using an RDP client**

1. Complete Steps 1 – 8 in [Connect to your Windows instance using RDP](connect-rdp.md). After downloading the RDP desktop file at Step 8, you'll get an **Unable to connect** message, which is to be expected because your instance does not have a public IP address.

1. Run the following command to establish a private tunnel to the VPC in which the instance is located. `--remote-port` must be `3389` because RDP uses port 3389 by default.

   ```
   aws ec2-instance-connect open-tunnel \
       --instance-id i-1234567890abcdef0 \
       --remote-port 3389 \
       --local-port any-port
   ```

1. In your **Downloads** folder, find the RDP desktop file that you downloaded, and drag it onto the RDP client window.

1. Right-click the RDP desktop file and choose **Edit**.

1. In the **Edit PC** window, for **PC name** (the instance to connect to), enter `localhost:local-port`, where `local-port` uses the same value as you specified in Step 2, and then choose **Save**.

   Note that the following screenshot of the **Edit PC** window is from Microsoft Remote Desktop on a Mac. If you are using a Windows client, the window might be different.  
   ![The RDP client with the example "localhost:5555" in the PC name field.](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/images/ec2-instance-connect-endpoint-rdp.png)

1. In the RDP client, right-click the PC (that you just configured) and choose **Connect** to connect to your instance.

1. At the prompt, enter the decrypted password for the administrator account.

## Troubleshoot
<a name="troubleshoot-eice"></a>

Use the following information to help diagnose and fix issues that you might encounter when using EC2 Instance Connect Endpoint to connect to an instance.

### Can't connect to your instance
<a name="troubleshoot-eice-1"></a>

The following are common reasons why you might not be able to connect to your instance.
+ Security groups – Check the security groups assigned to the EC2 Instance Connect Endpoint and your instance. For more information about the required security group rules, see [Security groups for EC2 Instance Connect Endpoint](eice-security-groups.md).
+ Instance state – Verify that your instance is in the `running` state.
+ Key pair – If the command you're using to connect requires a private key, verify that your instance has a public key and that you have the corresponding private key.
+ IAM permissions – Verify that you have the required IAM permissions. For more information, see [Grant permissions to use EC2 Instance Connect Endpoint](permissions-for-ec2-instance-connect-endpoint.md).

For more troubleshooting tips for Linux instances, see [Troubleshoot issues connecting to your Amazon EC2 Linux instance](TroubleshootingInstancesConnecting.md). For troubleshooting tips for Windows instances, see [Troubleshoot issues connecting to your Amazon EC2 Windows instance](troubleshoot-connect-windows-instance.md).

### ErrorCode: AccessDeniedException
<a name="troubleshoot-eice-2"></a>

If you receive an `AccessDeniedException` error, and the `maxTunnelDuration` condition is specified in the IAM policy, be sure to specify the `--max-tunnel-duration` parameter when connecting to an instance. For more information about this parameter, see [https://docs.aws.amazon.com/cli/latest/reference/ec2-instance-connect/open-tunnel.html](https://docs.aws.amazon.com/cli/latest/reference/ec2-instance-connect/open-tunnel.html) in the *AWS CLI Command Reference*.

# Log connections established over EC2 Instance Connect Endpoint
<a name="log-ec2-instance-connect-endpoint-using-cloudtrail"></a>

You can log resource operations and audit connections established over the EC2 Instance Connect Endpoint with AWS CloudTrail logs.

For more information about using AWS CloudTrail with Amazon EC2, see [Log Amazon EC2 API calls using AWS CloudTrail](monitor-with-cloudtrail.md).

## Log EC2 Instance Connect Endpoint API calls with AWS CloudTrail
<a name="ec2-instance-connect-endpoint-api-calls-cloudtrail"></a>

EC2 Instance Connect Endpoint resource operations are logged to CloudTrail as management events. When the following API calls are made, the activity is recorded as a CloudTrail event in **Event history**:
+ `CreateInstanceConnectEndpoint`
+ `DescribeInstanceConnectEndpoints`
+ `DeleteInstanceConnectEndpoint`

You can view, search, and download recent events in your AWS account. For more information, see [Viewing events with CloudTrail Event history](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html) in the *AWS CloudTrail User Guide*.

## Use AWS CloudTrail to audit users who connect to an instance using EC2 Instance Connect Endpoint
<a name="ec2-instance-connect-endpoint-audit-users-cloudtrail"></a>

Connection attempts to instances via EC2 Instance Connect Endpoint are logged in CloudTrail in **Event history**. When a connection to an instance is initiated through an EC2 Instance Connect Endpoint, the connection is logged as a CloudTrail management event with the `eventName` of `OpenTunnel`.

You can create Amazon EventBridge rules that route the CloudTrail event to a target. For more information, see the [Amazon EventBridge User Guide](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html).

The following is an example of an `OpenTunnel` management event that was logged in CloudTrail.

```
{
     "eventVersion": "1.08",
     "userIdentity": {
         "type": "IAMUser",
         "principalId": "ABCDEFGONGNOMOOCB6XYTQEXAMPLE",
         "arn": "arn:aws:iam::1234567890120:user/IAM-friendly-name",
         "accountId": "123456789012",
         "accessKeyId": "ABCDEFGUKZHNAW4OSN2AEXAMPLE",
         "userName": "IAM-friendly-name"
     },
     "eventTime": "2023-04-11T23:50:40Z",
     "eventSource": "ec2-instance-connect.amazonaws.com",
     "eventName": "OpenTunnel",
     "awsRegion": "us-east-1",
     "sourceIPAddress": "1.2.3.4",
     "userAgent": "aws-cli/1.15.61 Python/2.7.10 Darwin/16.7.0 botocore/1.10.60",
     "requestParameters": {
         "instanceConnectEndpointId": "eici-0123456789EXAMPLE",
         "maxTunnelDuration": "3600",
         "remotePort": "22",
         "privateIpAddress": "10.0.1.1"
     },
     "responseElements": null,
     "requestID": "98deb2c6-3b3a-437c-a680-03c4207b6650",
     "eventID": "bbba272c-8777-43ad-91f6-c4ab1c7f96fd",
     "readOnly": false,
     "resources": [{
         "accountId": "123456789012",
         "type": "AWS::EC2::InstanceConnectEndpoint",
         "ARN": "arn:aws:ec2:us-east-1:123456789012:instance-connect-endpoint/eici-0123456789EXAMPLE"
     }],
     "eventType": "AwsApiCall",
     "managementEvent": true,
     "recipientAccountId": "123456789012",
     "eventCategory": "Management"
}
```
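
Because every `OpenTunnel` attempt, allowed or denied, lands in CloudTrail with the fields shown above, the events can be checked against what your IAM policy and network design intend. The following added example (not from the AWS documentation) reads a CloudTrail log body, keeps only `OpenTunnel` events from `ec2-instance-connect.amazonaws.com`, and flags tunnels from outside an expected source network, to a remote port other than SSH or RDP, with a `maxTunnelDuration` above the policy limit, or repeated `AccessDeniedException` results for the same principal; the `POLICY` values, the `_event` builder and the sample records are constructed for illustration.

```python
"""Audit OpenTunnel events from CloudTrail for EC2 Instance Connect Endpoint.

Added example, not from the AWS documentation. The record shape follows the
OpenTunnel event shown in the documentation; POLICY, _event and SAMPLE_LOG
are constructed sample data for illustration.
"""
import ipaddress
import json
from collections import Counter

EVENT_SOURCE = "ec2-instance-connect.amazonaws.com"

# Constructed policy: networks operators connect from, remote ports a tunnel
# may target (SSH, RDP), the longest tunnel the IAM maxTunnelDuration
# condition allows, and how many denials per principal/source to report.
POLICY = {
    "allowed_networks": [ipaddress.ip_network("203.0.113.0/24")],
    "allowed_remote_ports": {"22", "3389"},
    "max_tunnel_duration": 3600,
    "failed_attempt_threshold": 3,
}


def _event(user, source_ip, port="22", duration="3600", error=None):
    """Build a minimal OpenTunnel CloudTrail record (constructed sample)."""
    record = {
        "eventTime": "2023-04-11T23:50:40Z",
        "eventSource": EVENT_SOURCE,
        "eventName": "OpenTunnel",
        "userIdentity": {"type": "IAMUser",
                         "arn": f"arn:aws:iam::123456789012:user/{user}"},
        "sourceIPAddress": source_ip,
        "requestParameters": {
            "instanceConnectEndpointId": "eice-0123456789EXAMPLE",
            "maxTunnelDuration": duration,
            "remotePort": port,
            "privateIpAddress": "10.0.1.1",
        },
    }
    if error:
        record["errorCode"] = error  # CloudTrail adds this on a denied call
    return record


# Constructed log body in CloudTrail's {"Records": [...]} layout.
SAMPLE_LOG = json.dumps({"Records": [
    _event("alice", "203.0.113.10"),                       # as expected
    _event("alice", "203.0.113.10", port="8080"),          # unusual port
    _event("bob", "198.51.100.7", duration="86400"),       # off-net, long
    _event("carol", "198.51.100.9", error="AccessDeniedException"),
    _event("carol", "198.51.100.9", error="AccessDeniedException"),
    _event("carol", "198.51.100.9", error="AccessDeniedException"),
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
]})


def open_tunnel_events(log_text):
    """Return only the OpenTunnel records from a CloudTrail log body."""
    records = json.loads(log_text).get("Records", [])
    return [r for r in records
            if r.get("eventSource") == EVENT_SOURCE
            and r.get("eventName") == "OpenTunnel"]


def _finding(event, principal, check, detail):
    params = event.get("requestParameters") or {}
    return {"time": event.get("eventTime"), "principal": principal,
            "endpoint": params.get("instanceConnectEndpointId"),
            "check": check, "detail": str(detail)}


def audit_open_tunnel(events, policy=POLICY):
    """Return a list of findings for events that deviate from policy."""
    findings = []
    denials = Counter()
    for event in events:
        principal = event.get("userIdentity", {}).get("arn", "unknown")
        params = event.get("requestParameters") or {}
        source = event.get("sourceIPAddress", "")
        if event.get("errorCode"):
            denials[(principal, source)] += 1  # count, then continue
            continue
        try:
            ip = ipaddress.ip_address(source)
            off_network = not any(ip in net for net in policy["allowed_networks"])
        except ValueError:
            off_network = True  # not an IP literal (e.g. a service name)
        if off_network:
            findings.append(_finding(event, principal,
                                     "source-ip-outside-allowed-networks", source))
        if params.get("remotePort") not in policy["allowed_remote_ports"]:
            findings.append(_finding(event, principal, "unexpected-remote-port",
                                     params.get("remotePort")))
        if int(params.get("maxTunnelDuration", 0)) > policy["max_tunnel_duration"]:
            findings.append(_finding(event, principal, "tunnel-duration-exceeds-policy",
                                     params.get("maxTunnelDuration")))
    for (principal, source), count in denials.items():
        if count >= policy["failed_attempt_threshold"]:
            findings.append({"principal": principal, "check": "repeated-denied-open-tunnel",
                             "detail": f"{count} denials from {source}"})
    return findings
```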

# Service-linked role for EC2 Instance Connect Endpoint
<a name="eice-slr"></a>

Amazon EC2 uses AWS Identity and Access Management (IAM) [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to Amazon EC2. Service-linked roles are predefined by Amazon EC2 and include all the permissions that Amazon EC2 requires to call other AWS services on your behalf. For more information, see [Service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create-service-linked-role.html) in the *IAM User Guide*.

## Service-linked role permissions for EC2 Instance Connect Endpoint
<a name="slr-permissions"></a>

Amazon EC2 uses **AWSServiceRoleForEC2InstanceConnect** to create and manage network interfaces in your account that are required by EC2 Instance Connect Endpoint.

The **AWSServiceRoleForEC2InstanceConnect** service-linked role trusts the following service to assume the role: 
+ `ec2-instance-connect.amazonaws.com`

The **AWSServiceRoleForEC2InstanceConnect** service-linked role uses the following managed policy:
+ **Ec2InstanceConnectEndpoint**

To view the permissions for the managed policy, see [Ec2InstanceConnectEndpoint](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/Ec2InstanceConnectEndpoint.html) in the *AWS Managed Policy Reference*.

## Create a service-linked role for EC2 Instance Connect Endpoint
<a name="create-slr"></a>

You don't need to manually create this service-linked role. When you create an EC2 Instance Connect Endpoint, Amazon EC2 creates the service-linked role for you.

## Edit a service-linked role for EC2 Instance Connect Endpoint
<a name="edit-slr"></a>

EC2 Instance Connect Endpoint doesn't allow you to edit the **AWSServiceRoleForEC2InstanceConnect** service-linked role.

## Delete a service-linked role for EC2 Instance Connect Endpoint
<a name="delete-slr"></a>

If you no longer need to use EC2 Instance Connect Endpoint, we recommend that you delete the **AWSServiceRoleForEC2InstanceConnect** service-linked role.

You must delete all EC2 Instance Connect Endpoint resources before you can delete the service-linked role.

To delete the service-linked role, see [Delete a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_delete.html#id_roles_manage_delete-slr) in the *IAM User Guide*.

You must configure permissions to allow an IAM entity (a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create-service-linked-role.html#service-linked-role-permissions) in the *IAM User Guide*.

# Quotas for EC2 Instance Connect Endpoint
<a name="eice-quotas"></a>

Your AWS account has default quotas, formerly referred to as limits, for each AWS service. Unless otherwise noted, each quota is Region-specific.

Your AWS account has the following quotas related to EC2 Instance Connect Endpoint.


| Name | Default | Adjustable | 
| --- | --- | --- | 
| Maximum number of EC2 Instance Connect Endpoints per AWS account per AWS Region | 5 | No | 
| Maximum number of EC2 Instance Connect Endpoints per VPC | 1 | No | 
| Maximum number of EC2 Instance Connect Endpoints per subnet | 1 | No | 
| Maximum number of concurrent connections per EC2 Instance Connect Endpoint | 20 | No | 