Amazon Elastic Compute Cloud
User Guide for Linux Instances
AMIs
• Restrict access by only allowing trusted hosts or networks to access ports on your instance. For example,
you can restrict SSH access by restricting incoming traffic on port 22. For more information, see Amazon
EC2 Security Groups for Linux Instances (p. 418).
• Review the rules in your security groups regularly, and ensure that you apply the principle of least
privilege—only open up permissions that you require. You can also create different security groups to
deal with instances that have different security requirements. Consider creating a bastion security group
that allows external logins, and keep the remainder of your instances in a group that does not allow
external logins.
• Disable password-based logins for instances launched from your AMI. Passwords can be found or
cracked, and are a security risk. For more information, see Disable Password-Based Remote Logins for
Root (p. 84). For more information about sharing AMIs safely, see Shared AMIs (p. 78).
Stopping, Starting, and Terminating Instances
Stopping an instance
When an instance is stopped, the instance performs a normal shutdown, and then transitions to a stopped
state. All of its Amazon EBS volumes remain attached, and you can start the instance again at a later time.
You are not charged for additional instance hours while the instance is in a stopped state. A full instance
hour will be charged for every transition from a stopped state to a running state, even if this happens
multiple times within a single hour. If the instance type was changed while the instance was stopped, you
will be charged the rate for the new instance type after the instance is started. All of the associated Amazon
EBS usage of your instance, including root device usage, is billed using typical Amazon EBS prices.
When an instance is in a stopped state, you can attach or detach Amazon EBS volumes. You can also
create an AMI from the instance, and you can change the kernel, RAM disk, and instance type.
Terminating an instance
When an instance is terminated, the instance performs a normal shutdown, then the attached Amazon EBS
volumes are deleted unless the volume's deleteOnTermination attribute is set to false. The instance itself
is also deleted, and you can't start the instance again at a later time.
To prevent accidental termination, you can disable instance termination. If you do so, ensure
that the disableApiTermination attribute is set to true for the instance. To control the behavior
of an instance shutdown, such as shutdown -h in Linux or shutdown in Windows, set the
instanceInitiatedShutdownBehavior instance attribute to stop or terminate as desired. Instances with
Amazon EBS volumes for the root device default to stop, and instances with instance-store root devices
are always terminated as the result of an instance shutdown.
For more information, see Instance Lifecycle (p. 285).
AMIs
Amazon Web Services (AWS) publishes many Amazon Machine Images (AMIs) that contain common
software configurations for public use. In addition, members of the AWS developer community have
published their own custom AMIs. You can also create your own custom AMI or AMIs; doing so enables
you to quickly and easily start new instances that have everything you need. For example, if your
application is a website or a web service, your AMI could include a web server, the associated static
content, and the code for the dynamic pages. As a result, after you launch an instance from this AMI, your
web server starts, and your application is ready to accept requests.
All AMIs are categorized as either backed by Amazon EBS, which means that the root device for an
instance launched from the AMI is an Amazon EBS volume, or backed by instance store, which means that
the root device for an instance launched from the AMI is an instance store volume created from a template
stored in Amazon S3.