
Locked myself out of SSH with UFW in EC2 AWS


Introduction

Locking yourself out of SSH access in an Amazon Web Services (AWS) EC2 instance is a common mistake among system administrators, especially when working with firewall configurations like Uncomplicated Firewall (UFW). This can be a concerning situation given the importance of SSH in managing and configuring instances. However, there is a systematic approach to resolving this issue and regaining access without causing data loss.

Understanding UFW

Uncomplicated Firewall (UFW) is a frontend to `iptables` designed to simplify managing a host firewall. It aims at straightforward deployments where a small set of readable allow and deny rules is enough. UFW is driven from the command line and is the default firewall tool on Ubuntu systems.

How UFW Interacts with SSH

SSH runs on port 22 by default. When UFW is enabled, all incoming connections are blocked unless a rule explicitly allows them. You might inadvertently lock yourself out if you forget to allow SSH before enabling UFW.

Example of Locking Yourself Out

  1. Initial SSH Access: you are connected to the instance over SSH, enable UFW before adding a rule that allows port 22, and from that point every new SSH connection to the instance is refused.

Regaining Access

Method 1: Repair the root volume from a rescue instance

  1. Navigate to the EC2 dashboard.
  2. Select the locked-out instance.
  3. Choose Instance State > Stop.
  4. Go to Volumes under the EC2 section.
  5. Find the root volume (commonly `/dev/xvda`).
  6. Detach the volume.
  7. Launch a new temporary instance in the same Availability Zone.
  8. Attach the detached volume to this instance as a non-root volume (e.g., `/dev/xvdf`).
  9. SSH into the rescue instance.
  10. Mount the volume.
  11. Allow SSH in the mounted system's UFW configuration.
  12. Unmount the volume.
  13. Detach and reattach the volume to the original instance as the root volume.
  14. Start your original instance and ensure SSH access is restored.

Method 2: Run the fix through AWS Systems Manager (SSM)

  Prerequisites:
  • Ensure that the IAM role attached to your instance has permissions for SSM.
  • The instance must be in a VPC and security group that allows SSM access.

  Steps:
  1. Go to AWS Systems Manager > Run Command.
  2. Select `AWS-RunShellScript`.
  3. Choose target instance(s).
  4. Allow SSH through UFW from the command you run.
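The "allow SSH" step of the rescue-instance method, as an added example that is not part of the original post: a POSIX shell script that inspects the mounted root volume's UFW files offline. It assumes the volume is already mounted at the path given as the first argument (for example `/mnt/rescue`) and uses the stock Ubuntu locations `etc/ufw/user.rules` and `etc/ufw/ufw.conf`; if no rule accepting TCP/22 is present it switches `ENABLED=yes` to `ENABLED=no` so the instance boots with UFW off, leaving a backup of the original file.

```shell
#!/bin/sh
# Offline repair of a UFW lockout on a root volume mounted from a rescue
# instance. Constructed example: assumes $1 is the mount point of the
# locked-out instance's root filesystem (e.g. /mnt/rescue) and that it
# follows the stock Ubuntu layout under etc/ufw/.

# Return 0 if the mounted root already carries a UFW rule accepting TCP/22.
ufw_has_ssh_rule() {
    rules="$1/etc/ufw/user.rules"
    [ -f "$rules" ] || return 1
    grep -Eq -- '-A ufw-user-input .*--dport 22 .*-j ACCEPT' "$rules"
}

# Flip ENABLED=yes to ENABLED=no in ufw.conf so UFW stays off on next boot.
# The original file is kept as ufw.conf.bak; sed writes a fresh copy so the
# script does not rely on the non-POSIX `sed -i`.
ufw_disable_offline() {
    conf="$1/etc/ufw/ufw.conf"
    [ -f "$conf" ] || { echo "no ufw.conf under $1" >&2; return 1; }
    cp "$conf" "$conf.bak"
    sed 's/^ENABLED=yes$/ENABLED=no/' "$conf.bak" > "$conf"
    grep -q '^ENABLED=no$' "$conf"
}

# Decide what to do with the mounted root: leave UFW alone if SSH is already
# allowed (the lockout has another cause), otherwise disable UFW for the
# next boot so the owner can log in and add the rule properly.
repair_mounted_root() {
    root="$1"
    if ufw_has_ssh_rule "$root"; then
        echo "ssh already allowed in $root/etc/ufw/user.rules; UFW left unchanged"
        return 0
    fi
    ufw_disable_offline "$root" || return 1
    echo "UFW disabled for next boot; after login run: sudo ufw allow OpenSSH && sudo ufw enable"
}

# Usage from the rescue instance: repair_mounted_root /mnt/rescue
```

Once the original instance is back up, re-enable UFW only after `ufw allow OpenSSH` (or `ufw allow 22/tcp`) has been added, which is the ordering that avoids the lockout in the first place.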
