This post is the second part of a 6-post series with the step-by-step procedures I use to set up a simple WordPress website on AWS. In this post, some basic security improvements are made to the AWS instance.
Note: The original version of this series was written in 2016 with EC2 servers running Ubuntu 16.04. This series has been completely updated in mid-2025. An example website, Seattle Hobbies, will be used throughout this series. The development of the Seattle Hobbies website assumes a simple, low-maintenance website with a low visitor count and no auto-scaling or redundancy. As such, implementation and configuration are easy. I will most likely seek the support of professional web-dev experts if I want to establish a sophisticated website that handles commerce or significant traffic with lots of site visitors.
Adding an Alternate User for SSH:
Note: Logged into AWS
If not logged in, then log into the AWS instance via SSH as ubuntu (the default user) from a command-line interface (e.g., Terminal on the Mac or PuTTY on Windows) as described in Part 1.
Create a second user (replace user2 with your username of choice) and set the account password for user2, which will be used with sudo commands. Just press return on all the other information requests (full name, room number, work phone, home phone, other).
Add the new user to the admin group:
Give the new user sudo rights by editing the ‘sudoers’ file:
Use the arrow keys to locate the right place in the file and add the following line in the ‘User privilege specification’ section. Then press ctrl-x, y to confirm, and return to save.
Since SSH access to an EC2 instance uses keys, a key pair needs to be created for user2. Both the public and private keys will be created on EC2 and securely copied to the local computer that is used to access this AWS instance via SSH. Switch from the ubuntu account to the new user2 account and change to the user2 home directory:
Create a .ssh directory and modify its permissions:
Change to the .ssh directory and create a default (RSA 2048) key pair:
A filename will be requested for the key file; it should be something like ‘id_user2’. Press the return key when prompted for the passphrase. Enter the following command to list the two files and their file properties:
Two files were created: id_user2 (private key) and id_user2.pub (public key). Copy the public key into an ‘authorized_keys’ file; since this is a new user, ‘authorized_keys’ shouldn’t exist yet:
Clean up the permissions on these files:
Before the files can be copied to the local computer that is used to access the AWS instance via SSH, some prep work is needed on the AWS instance so that the local computer can reach these files. Create a temporary directory, copy the key files into it (for downloading), and modify the permissions:
Set up user2 in the sshd_config file:
Either change the AllowUsers line or add it:
Then press ctrl-x, y to confirm, and return to save.
Restart the ssh service:
Exit the AWS remote terminal using the ‘exit’ command twice (once to exit from user2, a second time to exit from ubuntu and close the AWS SSH connection).
Note: Logged out of AWS
Note: Logged into Local Computer
Now the keys need to be downloaded to the local machine to access the AWS instance via SSH as user2. The process differs depending on whether your local computer is a Mac or a Windows PC.
Other keys may already be stored in the .ssh directory on the local Mac. The following command will check whether any previous key files exist:
If an ‘authorized_keys’ file already exists in the .ssh folder on the local machine, it must be renamed (to ‘authorized_keys_old’) prior to the download; otherwise, it will be overwritten. From within the .ssh directory:
Download the 3 key files from the /tmp2 folder on EC2 using the Elastic IP address (e.g., 44.247.136.248) for this AWS instance. Note: The following scp command assumes the default macOS zsh.
Add the old keys from ‘authorized_keys_old’ into the ‘authorized_keys’ file that was just downloaded:
Change the permissions on the ‘id_user2’ and ‘id_user2.pub’ files:
A ‘config’ file is used to configure ssh client access. Create this file with the following command:
Now add the following lines to the file, customizing each entry as applicable. Then press ctrl-x, y to confirm, and return to save.
Test the new connection to the AWS instance as user2 from the terminal window on the Mac (MBP) (e.g., seattlehobbies.com):
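The Mac-side steps above (fixing permissions on the downloaded key files and writing the ~/.ssh/config entry), as an added shell example that is not part of the original post: it assumes the post's names (id_user2, user2, the 44.247.136.248 Elastic IP, and seattlehobbies.com as the host alias), and the layout of the Host block is my own, using standard ssh_config keywords.

```shell
# Added example, not from the original post: after the scp download above,
# put the local key files and ~/.ssh/config into the state the Mac-side steps
# describe. The alias, IP, user and key name come from the post; the layout of
# the Host block is an assumption (the keywords are standard ssh_config ones).
set -eu

# Numeric mode of a path, on both GNU (Linux) and BSD (macOS) stat.
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# ssh ignores a private key that group or others can read, so the directory
# is 700, the private key 600 and the public key 644. Returns 1 on any miss.
fix_key_perms() {
    dir="$1"; key="$2"
    chmod 700 "$dir"
    chmod 600 "$dir/$key"
    chmod 644 "$dir/$key.pub"
    [ "$(mode_of "$dir")" = 700 ] && [ "$(mode_of "$dir/$key")" = 600 ] \
        && [ "$(mode_of "$dir/$key.pub")" = 644 ]
}

# Append a Host block to CONFIG unless that alias is already present, so a
# rerun never leaves two conflicting entries. IdentitiesOnly stops ssh from
# offering every other key in ~/.ssh before this one.
add_ssh_host() {
    config="$1"; host="$2"; ip="$3"; user="$4"; keyfile="$5"
    if grep -Eq "^Host[[:space:]]+$host\$" "$config" 2>/dev/null; then
        return 0
    fi
    cat >> "$config" <<EOF
Host $host
    HostName $ip
    User $user
    IdentityFile $keyfile
    IdentitiesOnly yes
EOF
    chmod 600 "$config"
}

# Demo in a throwaway directory with constructed placeholder key files.
demo=$(mktemp -d)
mkdir "$demo/.ssh"
echo "constructed private key" > "$demo/.ssh/id_user2"
echo "constructed public key" > "$demo/.ssh/id_user2.pub"
fix_key_perms "$demo/.ssh" id_user2
add_ssh_host "$demo/.ssh/config" seattlehobbies.com 44.247.136.248 user2 "~/.ssh/id_user2"
cat "$demo/.ssh/config"; rm -rf "$demo"
```

After the real run, `ssh seattlehobbies.com` should connect as user2 using only that key.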
Downloading the key files from AWS to a Windows PC is done with PSFTP, one of the programs installed along with PuTTY. Start PSFTP. For PSFTP to access the AWS instance as ‘ubuntu’, the same saved session from PuTTY can be used. Enter the following command, replacing the name of the saved session if it differs from the example:
Directories (folders) on both the AWS instance and the local Windows PC need to be coordinated before the two key files are transferred.
Change the directory on AWS to ‘/tmp2’:
Change the local directory on the Windows PC (replacing as appropriate):
To download the two key files, enter the following commands:
As before, the private key ‘id_user2’ needs to be converted to a ‘*.ppk’ file. Here are the steps:
Generate a compatible private key file: The private key file ‘id_user2’ needs to be converted to a ‘*.ppk’ by PuTTYgen. Start PuTTYgen. Set ‘Type of key to generate:’ to RSA and ‘Number of bits in a generated key:’ to 2048. Then click ‘Load’ to load the recently downloaded private key file. Since the file we are looking for has no file suffix, select ‘All Files (*.*)’ so that it will be visible. Then go to the ‘Downloads’ folder, select ‘id_user2’, and click ‘OK’ on the displayed notice. Click ‘Save private key’ and click ‘Yes’ to confirm saving without a passphrase. Then save ‘id_user2.ppk’ in the same folder as the ‘id_user2’ file. Close the PuTTYgen program.
Now, let’s configure PuTTY to access AWS as user2:
Configure settings: Start PuTTY. In the left pane, select ‘Connection -> SSH -> Auth’. Click ‘Browse’ and select ‘id_user2.ppk’ as shown in the following screenshot.
Then, in the left pane, select ‘Session’. In the right pane, confirm or select ‘SSH’ and port 22, and type ‘user2@’ followed by the ‘Elastic IP’ associated with this instance. At this point, type a name for ‘Saved Sessions’ (e.g., windows aws user2) and click ‘Save’ as shown in the following screenshot.
Now for the final step. To access the instance via SSH using PuTTY, load the saved session and click ‘Open’ (you may need to confirm ‘yes’ on the initial login using this IP address). A successful login to the AWS instance from PuTTY will look similar to the following snapshot. Note that the user is now user2 and not ubuntu.
Type ‘exit’ to quit the SSH connection to AWS which will also close PuTTY.
Note: Logged into AWS
If the connection to AWS as user2 is successful, then remove the files from /tmp2 and the folder itself:
Removing Ubuntu login access:
From a security perspective, it is good practice to remove SSH login access for the default ubuntu user, which has root-level access.
Log in as user2 and edit the sshd_config file:
Remove ubuntu from the AllowUsers line:
Modify, if needed, the following line:
Then press ctrl-x, type y, and return to save.
Restart the ssh service:
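The two sshd_config edits in this post (the AllowUsers line with ubuntu and user2 when adding the user, then user2 alone when removing ubuntu access), as an added shell example that is not from the original post: it runs against a constructed copy of the file, and the PasswordAuthentication and PermitRootLogin settings are assumptions beyond what the post shows.

```shell
# Added example, not from the original post: idempotent sshd_config edits for
# the two AllowUsers steps (first "ubuntu user2", later "user2" alone) and a
# check before the restart. The two options besides AllowUsers are assumptions.
set -eu

# Set KEY to VALUE in FILE. Every existing KEY line, commented or not, is
# dropped and one line is written before the first "Match" block, because
# an option placed after a Match line applies only inside that block.
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    awk -v k="$key" -v v="$value" '
        $0 ~ ("^[# \t]*" k "[ \t]") { next }
        /^Match[ \t]/ && !done { print k " " v; done = 1 }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$file.tmp"
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"   # keeps owner/mode of FILE
}

# First value of KEY in FILE: sshd keeps the first value it reads. Ubuntu's
# file starts with "Include /etc/ssh/sshd_config.d/*.conf", so a drop-in
# there beats this file; "sshd -T" prints the merged, effective config.
get_sshd_option() {
    file="$1"; key="$2"
    grep -E "^$key[[:space:]]" "$file" | head -n 1 | sed -E "s/^$key[[:space:]]+//"
}

# USERS is the space-separated AllowUsers list. The other two settings close
# the password and direct-root paths once key login as user2 is confirmed.
harden_sshd() {
    file="$1"; users="$2"
    set_sshd_option "$file" AllowUsers "$users"
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" PermitRootLogin no
}

# Run as root on the instance. A syntax error caught here is much cheaper
# than a restart that locks out every user, including the one logged in.
validate_and_restart() {
    file="${1:-/etc/ssh/sshd_config}"
    sshd -t -f "$file" && systemctl restart ssh
}

# Demo on a constructed copy, so the real config is never touched.
demo=$(mktemp)
printf '#PermitRootLogin prohibit-password\nAllowUsers ubuntu\n' > "$demo"
harden_sshd "$demo" "ubuntu user2"   # step: adding user2 alongside ubuntu
harden_sshd "$demo" "user2"          # step: removing ubuntu login access
cat "$demo"; rm -f "$demo"
```

Keep the existing session open while restarting and confirm a fresh login as user2 from a second terminal before closing it.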
Updates to Ubuntu:
With a new instance, it is time to apply any updates to Ubuntu 24.04 that may be needed. Follow the steps in A Collection of AWS EC2 Ubuntu Tips, Section: Updates to Ubuntu.
That’s it. The Ubuntu Linux instance is established and running, an alternate user is established, keys have been created, and Ubuntu updates have been applied.