How to SSH Into AWS EC2 From Windows

To SSH into an AWS EC2 instance from Windows, you need a few things ready first: the public IP or public DNS of the instance, the correct private key file, the right default username for the AMI, and a security group that allows inbound SSH on port 22.

Most connection problems are not really SSH client problems. They usually come from the wrong username, a blocked security group, the wrong key file, or trying to connect to an instance that does not have a public address.

AWS does not use the same SSH username for every image. The username depends on the operating system or image family running on the instance. If the username is wrong, SSH can fail even when the key is correct.

These are common defaults: Ubuntu usually uses ubuntu, Amazon Linux often uses ec2-user, Debian often uses admin, and CentOS may use centos. Always confirm the AMI family before assuming the username.

Modern Windows systems usually include OpenSSH already, which means you can often use the PEM file directly without converting it. This is the simplest path if you are comfortable in PowerShell or Windows Terminal.

Open a terminal, go to the folder where the PEM file is stored, and run the SSH command using the correct username and instance address.

If you prefer PuTTY, you will usually need the private key in PPK format instead of PEM. That means you first convert the PEM file with PuTTYgen and then attach the resulting PPK file inside the PuTTY SSH auth settings.

This is a common setup for Windows users who already work with PuTTY instead of the built-in OpenSSH client.

If SSH times out instead of failing immediately, check the EC2 security group. The instance must allow inbound SSH on port 22 from your current IP address or from a broader range if that is truly necessary.

For safety, AWS users often allow port 22 only from their own current IP instead of opening it to the whole internet.

When connecting from Windows over the internet, you need the public address of the EC2 instance, not the private internal address. In the AWS console, look at the instance details and copy either the public IPv4 address or the public IPv4 DNS name.

If the instance has no public address and is inside a private subnet, you will need another access method such as a bastion host, VPN, or Systems Manager Session Manager.

The most common EC2 SSH issues are predictable. Permission denied usually means the username or key is wrong. A timeout usually means the security group, route, or public address is wrong. If PuTTY rejects the key, check whether the key was converted properly from PEM to PPK.

When troubleshooting, always verify four things in order: instance running state, public address, security group port 22 rule, and correct username and key.

Below are common PowerShell or terminal commands depending on the Linux image you launched on AWS. Replace the key filename and the public IP with your own values.

If you are using PowerShell OpenSSH, you usually do not need to convert the PEM file at all. But if your workflow depends on PuTTY, then converting PEM to PPK is the normal step.

That is why the PEM to PPK guide pairs naturally with this article: OpenSSH users can stay with PEM, while PuTTY users typically need PPK.

After the first successful login, update the server, confirm your SSH configuration, and make sure you know how you will manage deployments and access later. If the server is for production, do not treat the first connection as the finish line.

It is also wise to document which key belongs to which server so you do not mix staging, development, and production access later.