Amazon EC2 Basics: Instances, Pricing, and Security
When you need a server to run applications on AWS, EC2 is typically your first choice. EC2 has many configuration options that can be overwhelming at first, so let's walk through the basics of Amazon EC2.
What is Amazon EC2?
EC2 (Elastic Compute Cloud) is a service that lets you launch virtual servers in the cloud. In EC2, these virtual servers are called instances. You can spin up instances with the specs you need, when you need them — but you'll want to use cost-saving options and avoid accidentally exposing instances to the internet.
Pricing
EC2 pricing is pay-as-you-go — you're charged only for what you actually use. The main factors are the instance type you choose and how many hours it runs. When an instance is stopped, you're not charged for the instance itself, but storage (EBS) charges continue.
Instance Types
Instance types are organized into families based on use case. Even instances with the same specs (e.g., 2 vCPU, 8 GB) can differ significantly in price depending on the family. Picking the right family for your workload is the first step in cost optimization.
| Family | Use Case | Example | Price (US East, N. Virginia) |
|---|---|---|---|
| t4g | Burstable general-purpose / development | t4g.large (2vCPU, 8GB) | USD 0.0672/hr |
| m7i | General-purpose / production | m7i.large (2vCPU, 8GB) | USD 0.1008/hr |
| c7i | Compute-optimized / batch processing | c7i.large (2vCPU, 4GB) | USD 0.0893/hr |
| r7i | Memory-optimized / DB / cache | r7i.large (2vCPU, 16GB) | USD 0.1323/hr |
t4g is a burstable instance type that accumulates CPU credits during low-usage periods and delivers higher performance on demand. It's well-suited for development environments or applications with variable load. For production workloads requiring consistent performance, go with m7i.
Security
EC2 security risks are real: if an instance is compromised from the outside, an attacker can take over the server. Use EC2 security groups to allow only necessary traffic, and manage SSH key pairs carefully. Disable password authentication and use SSH key-based authentication only.
Use security groups to control access to your instances. Configure rules to allow only the minimum necessary network traffic — for example, only traffic from your corporate network address range, or only traffic using a specific protocol like HTTPS.
Trying EC2 with the AWS CLI
Let's try EC2 using the AWS CLI and see what happens when you run each command. Resources will be created in the region configured in your AWS CLI profile.
Creating a Key Pair
Create a key pair for SSH access to your instance. Save the private key locally and set permissions so only the owner can read it.
❯ aws ec2 create-key-pair --key-name exrecord-key --query 'KeyMaterial' --output text > ~/.ssh/exrecord-key.pem
❯ chmod 400 ~/.ssh/exrecord-key.pem
Verify the key pair was created:
❯ aws ec2 describe-key-pairs --key-names exrecord-key
{
    "KeyPairs": [
        {
            "KeyPairId": "key-123456789012",
            "KeyType": "rsa",
            "Tags": [],
            "CreateTime": "2026-04-13T10:14:14.561000+00:00",
            "KeyName": "exrecord-key",
            "KeyFingerprint": "ae:13:16:b7:01:71:11:4f:78:60:0e:75:aa:87:af:25:b1:1a:36:3b"
        }
    ]
}
Creating a Security Group
Create a security group and allow SSH access only from your home IP. You can find your public IP with curl -4 ifconfig.me. If you need to connect from other locations, add those IP addresses as well.
❯ aws ec2 create-security-group --group-name exrecord-sg --description "exrecord security group"
{
    "GroupId": "sg-0a1b2c3d4e5f67890",
    "SecurityGroupArn": "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0a1b2c3d4e5f67890"
}
❯ aws ec2 authorize-security-group-ingress \
    --group-id sg-0a1b2c3d4e5f67890 \
    --protocol tcp \
    --port 22 \
    --cidr 203.0.113.1/32
{
    "Return": true,
    "SecurityGroupRules": [
        {
            "SecurityGroupRuleId": "sgr-0a1b2c3d4e5f67890",
            "GroupId": "sg-0a1b2c3d4e5f67890",
            "GroupOwnerId": "123456789012",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 22,
            "ToPort": 22,
            "CidrIpv4": "203.0.113.1/32",
            "SecurityGroupRuleArn": "arn:aws:ec2:us-east-1:123456789012:security-group-rule/sgr-0a1b2c3d4e5f67890"
        }
    ]
}
Launching an Instance
Get the AMI ID for Amazon Linux 2023 and launch an instance. An AMI (Amazon Machine Image) is a template that defines the OS and software configuration for your instance. If you don't have a preference for a specific OS, Amazon Linux 2023 — maintained by AWS — is a great choice since security patches are applied quickly. Since t4g uses AWS Graviton (ARM-based) processors, specify arm64 as the architecture.
❯ aws ec2 describe-images \
    --owners amazon \
    --filters "Name=name,Values=al2023-ami-2023*" "Name=architecture,Values=arm64" \
    --query 'sort_by(Images, &CreationDate)[-1].ImageId' \
    --output text
ami-0ceb31eb57b9abaa8
❯ aws ec2 run-instances \
    --image-id ami-0ceb31eb57b9abaa8 \
    --instance-type t4g.micro \
    --key-name exrecord-key \
    --security-group-ids sg-0a1b2c3d4e5f67890 \
    --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=exrecord-instance}]' \
    --query 'Instances[0].InstanceId' \
    --output text
i-0a1b2c3d4e5f67890
Wait for the instance to reach the running state:
❯ aws ec2 wait instance-running --instance-ids i-0a1b2c3d4e5f67890
❯ aws ec2 describe-instances \
    --instance-ids i-0a1b2c3d4e5f67890 \
    --query 'Reservations[0].Instances[0].{State:State.Name,PublicIP:PublicIpAddress}' \
    --output table
------------------------------
|      DescribeInstances     |
+----------------+-----------+
|    PublicIP    |   State   |
+----------------+-----------+
|  203.0.113.2   |  running  |
+----------------+-----------+
Connecting via SSH
Use the public IP address to connect via SSH. The default user for Amazon Linux 2023 is ec2-user.
❯ ssh -i ~/.ssh/exrecord-key.pem ec2-user@203.0.113.2
, #_
~\_ ####_ Amazon Linux 2023
~~ \_#####\
~~ \###|
~~ \#/ ___ https://aws.amazon.com/linux/amazon-linux-2023
~~ V~' '->
~~~ /
~~._. _/
_/ _/
_/m/'
Last login: Mon Apr 13 15:53:13 2026 from 203.0.113.1
[ec2-user@ip-172-31-xx-xx ~]$
Terminating the Instance
Delete instances you no longer need. Even when an instance is stopped, EBS storage charges continue — so terminate rather than stop when you're done. Key pairs and security groups remain after termination, but they don't incur charges on their own.
❯ aws ec2 terminate-instances --instance-ids i-0a1b2c3d4e5f67890
{
    "TerminatingInstances": [
        {
            "InstanceId": "i-0a1b2c3d4e5f67890",
            "CurrentState": {
                "Code": 32,
                "Name": "shutting-down"
            },
            "PreviousState": {
                "Code": 16,
                "Name": "running"
            }
        }
    ]
}
Summary
We covered what EC2 is and how to use it. EC2 is something you'll almost certainly rely on when working with AWS, so keep these key points in mind:
- Allow only the minimum necessary traffic through security groups
- Use SSH key authentication and manage key pairs carefully
- Choose an instance type that matches your workload to optimize costs
- Stop or terminate instances you're not using
Following these practices will help you run EC2 safely and cost-effectively.