---
title: "I have Asked This SSH Question in Every AWS Interview — And Here’s the Catch"
source: "https://aws.plainenglish.io/i-have-asked-this-ssh-question-in-every-aws-interview-and-heres-the-catch-ee2013a83e99"
author:
  - "[[Rahul Sharma]]"
published: 2024-09-16
created: 2024-10-29
description: "Learn how to troubleshoot SSH issues on AWS EC2 instances. Discover common mistakes and interview insights to ace your next AWS technical interview."
tags:
  - "clippings"
---

## I have Asked This SSH Question in Every AWS Interview — And Here’s the Catch

![SSH Question in Every AWS Interview](https://miro.medium.com/v2/resize:fit:700/1*sSIaYTyrm7UMRRMVssDw2g.png)

Feature Image Created in Canva.

When I interview people, I always ask questions about problems that people face in the real world. One of the questions I ask most often is: “**You are trying to SSH into an EC2 instance but it is failing.** How would you try to figure out what’s wrong?”

It looks like a simple question, but it can tell you a lot about how much someone knows about cloud infrastructure, how they solve problems, and how much experience they have with AWS.

Over the years, I have had the pleasure of interviewing many AWS engineers and system administrators, and the way they handle this question gives me insight into their level of expertise. In this blog, I will share the best practices for troubleshooting SSH connection issues on AWS EC2 instances, practices I look for in candidates’ answers.

## Security Groups: A Common Pitfall I Have Seen in Interviews

In almost every interview where I ask this question, the first thing I expect a candidate to mention is **Security Groups**. Unfortunately, not everyone does. Many candidates immediately dive into complex network configurations or system-level settings, forgetting that AWS security groups act as firewalls that control **inbound** and **outbound** traffic.

## What I Look For in a Candidate’s Answer:

The best candidates know that the first thing to check is whether port 22 (SSH) is allowed in the security group associated with the instance. I can usually tell right away if someone is familiar with AWS EC2 by whether they ask, “**Is the security group allowing inbound SSH traffic?**”

## How to Check Security Group Settings:

1. **AWS Console** → EC2 → **Instances** → Select your instance.
2. **Description Tab** → **Security Groups** → Click to view.
3. Ensure inbound rules allow SSH (port 22) from your IP or IP range.

![Security Group Inbound Rule Configuration](https://miro.medium.com/v2/resize:fit:700/1*4l1ZHEM5ITj_V19Op2alzA.gif)

Image Showing Security Group Inbound Rule Configuration

## Key Pair Permissions

When I ask candidates this question, the ones who have worked with EC2 know that SSH keys are another frequent stumbling block. They will mention that one of the next steps is to verify that the SSH private key file has the correct permissions, a detail that many candidates overlook.

## What I Look For in a Candidate’s Answer:

Experienced candidates will bring up the importance of the private key file’s permissions. They will know that if the key file is too permissive, the SSH connection will fail for security reasons. I always listen for them to mention the `chmod` command, which shows they have dealt with this issue in the real world.

## Step-by-Step:

1. **Command**: `chmod 400 your-key.pem`
   - This ensures the file is readable only by you, which SSH requires.
2. **Connect** using the private key:

   ```
   ssh -i /path/to/your-key.pem ec2-user@your-ec2-public-ip
   ```

**Short story:** I remember one candidate who told me a story about how they spent an hour troubleshooting a connection issue, only to realise the permissions on their key file were too broad. It’s these small, easily overlooked steps that separate AWS beginners from those with hands-on experience.

## Confirm the Instance is Running

It’s surprising to me that some candidates don’t even think to check whether the EC2 instance is running. In a few interviews I have asked follow-up questions like, **“What state is the instance in?”**, and the candidate understood that checking the instance status is an important step that is often missed.

## What I Look For in a Candidate’s Answer:

Good candidates will mention this fairly early in the process. If the instance is stopped or terminated, no amount of troubleshooting is going to make SSH work.

## How to Check Instance Status:

1. In the **AWS Console** → **EC2 Dashboard**, verify that your instance state is “running.”
   - If it’s in a **stopped** state, simply select the instance and click **Start Instance** from the **instance state** options.

## Network ACLs and Route Tables: Where True Experts Shine

When a candidate starts talking about **Network ACLs** or **Route Tables**, I know I am dealing with someone who understands AWS networking. This step is where I can separate candidates with surface-level knowledge from those with deeper expertise. Network ACLs and route tables control traffic at the subnet and VPC levels, and misconfigurations here can prevent SSH traffic from reaching your instance.

## What I Look For in a Candidate’s Answer:

I pay close attention to whether candidates ask questions about VPC-level settings. Specifically, they should mention that Network ACLs might block SSH traffic or that the route table could be incorrectly routing traffic away from the internet gateway.

## How to Troubleshoot:

1. **Network ACLs**: Ensure that both inbound and outbound rules allow traffic on port 22.
2. **Route Tables**: Verify that your instance’s subnet is correctly routed to an Internet Gateway for public instances or a NAT Gateway for private instances.

## Using EC2 Instance Connect: A Lifesaver When All Else Fails

The candidates who stand out are those who know multiple ways to solve a problem. Some of the best engineers I have interviewed will mention AWS’s **EC2 Instance Connect** as an alternative when SSH troubleshooting fails. This service allows you to connect to your instance directly through the AWS Console, bypassing issues with keys or network settings.

## What I Look For in a Candidate’s Answer:

Candidates who mention this as a last resort are typically those who have been in real troubleshooting situations. They know that EC2 Instance Connect can help them access the instance even when everything else seems to go wrong.

## How to Use EC2 Instance Connect:

1. Go to **EC2 Console** → **Instances** → Select the instance.
2. Click **Connect** and use the **EC2 Instance Connect** option.

![EC2 Connect](https://miro.medium.com/v2/resize:fit:700/1*Q6DzRcS0Ps0AhdB5jepGkw.gif)

Image Showing EC2 Connect

During one interview, a candidate told me how they once used EC2 Instance Connect to recover access to a critical server after accidentally locking themselves out by messing up the security group rules. It’s always a relief to hear when candidates know about this AWS feature and have used it in a crunch.

## Conclusion

As an interviewer, I have found that the way candidates approach SSH troubleshooting on AWS EC2 can reveal a lot about their experience and problem-solving abilities. The steps I have outlined here are not just best practices; they are the kind of methods I look for when evaluating candidates.
Whether they are checking security groups or diving deep into network settings, the ability to think methodically and work through problems is a key indicator of AWS expertise.

If you are preparing for an interview or simply brushing up on your AWS skills, keep these steps in mind. And next time someone asks, “What would you do if SSH fails on an [EC2 instance](https://aws.amazon.com/ec2/?p=pm&c=mt&pd=ec2&z=4)?”, you will have the answer ready.
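
The security group, network ACL and key-permission checks described in this post, as an added Python example that is not part of the original article: it evaluates constructed sample data shaped like the output of `aws ec2 describe-security-groups` and `aws ec2 describe-network-acls` against a client IP. The function names, the sample rules and the documentation-range addresses are assumptions made for the illustration, and only IPv4 CIDR rules are handled.

```python
import ipaddress
import os
import stat

# Constructed sample data shaped like `aws ec2 describe-security-groups` and
# `aws ec2 describe-network-acls` output; not taken from a real account.
SECURITY_GROUP = {"IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
]}
NACL_ENTRIES = [
    {"RuleNumber": 90, "Egress": False, "Protocol": "6", "RuleAction": "deny",
     "CidrBlock": "203.0.113.64/26", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 100, "Egress": False, "Protocol": "-1",
     "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
]

def _covers(cidr, ip, lo, hi, port):
    """True if ip is inside cidr and port is inside lo..hi (None = all ports)."""
    in_ports = lo is None or lo <= port <= hi
    return in_ports and ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def sg_allows_ssh(group, client_ip, port=22):
    """Security groups only hold allow rules: any match admits the traffic."""
    for perm in group["IpPermissions"]:
        if perm["IpProtocol"] not in ("tcp", "-1"):
            continue
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        if any(_covers(r["CidrIp"], client_ip, lo, hi, port)
               for r in perm.get("IpRanges", [])):
            return True
    return False

def nacl_verdict(entries, client_ip, port=22, egress=False):
    """NACL rules run in ascending rule number and the first match decides."""
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        if e["Egress"] != egress or e["Protocol"] not in ("6", "-1"):
            continue
        pr = e.get("PortRange", {})
        if _covers(e["CidrBlock"], client_ip, pr.get("From"), pr.get("To"), port):
            return e["RuleAction"]
    return "deny"  # no rule matched: the implicit final deny applies

def key_too_open(path):
    """True if group or others have any access; ssh then refuses the key."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)
```

With the sample data, 203.0.113.70 passes the security group but is denied by NACL rule 90, the situation in which checking only the security group gives a misleading answer.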