Step 1. Set up the scripting environment

To start, install the CLI components. Refer to the AWS documentation for the latest commands, locations of packages and dependencies needed to install the AWS CLI in Linux, Apple macOS and Windows operating systems.

Next, users should configure appropriate permissions in the environment where they will execute CLI commands. For the AWS CLI, AWS credentials are stored in the $HOME/.aws/credentials file. Including AWS credentials in environment variables or in the command itself creates security vulnerabilities. Instead, configure those credentials in a local file. If running commands from an EC2 instance, configure an AWSIdentity and Access Management (IAM) instance profile to avoid internal credential configuration.

To follow this tutorial, the IAM user configured in the credentials file needs sufficient permissions to start EC2 instances and write permissions related to EC2. For example, the user must be able to create AWS security groups and Elastic Block Storage (EBS) volumes. Attach the AmazonEC2FullAccess IAM policy to the user to ensure they can complete the steps required.

The AWS Region is an essential parameter to configure in the CLI. Use the file $HOME/.aws/config. Specify a region by setting the AWS_REGION environment variable or passing the parameter –region in the AWS CLI.

Step 2. Establish minimum parameters for the EC2 instance

You need the following parameters to launch an EC2 instance:

• Amazon Machine Image (AMI) ID. This launches the instance.
• EC2 instance type. Ensure that the selected instance type is compatible with the AMI ID.
• VPC and subnet IDs. The instance launches from these.
• Security group ID. Users must assign one to the instance. For newly created security groups, users should assign an ID before they launch the EC2 instance.
• EC2 key pair name. Without it, users cannot useSecure Shell to connect to the EC2 instance or access it through Windows Remote Desktop.

Use the AMI Catalog screen in the EC2 Console to select an available AMI for a particular region. Filter available AMIs by parameters such as OS, architecture, AWS Marketplace publisher, pricing model and private AMIs. Note any relevant AMI IDs that will be useful to work with the AWS CLI. This can help to avoid revisiting this page each time a user launches a new EC2 instance.

This tutorial assumes certain aspects of the EC2 configuration already exist. It does not cover how to create a new VPC or subnet, security group, or EC2 key pair.

To create the EC2 instance in the AWS CLI with the minimum recommended set of parameters, use the following commands:

aws ec2 run-instances \

--image-id <ami-id> \

--instance-type <instance-type> \

--subnet-id <subnet-id> \

--security-group-ids <security-group-id> <security-group-id> … \

--key-name <ec2-key-pair-name>

Step 3. Configure the instance with additional important parameters

The CLI command that launches an EC2 instance has 40 different parameters. In addition to the bare minimum parameters, consider specifying the following to enhance security, tailor the EC2 instance to the application, increase reliability and achieve other goals:

• BlockDeviceMappings. The default root volume value for a standard Amazon Linux 2023 AMI is a gp3 8 GiB volume. For a Windows AMI it is a 30 GiB gp2. These capacities might not be enough for the intended application. Custom AMIs have a default EBS volume allocation as well. Use theBlockDeviceMappings parameter to allocate more EBS space than provided in the AMI by default.
• Monitoring. For enhanced monitoring, use the Monitoring parameter. It provides metric data in one-minute intervals, instead of the default five minutes. Shorter intervals enable faster response to health events and more efficient troubleshooting when analyzing metrics.
• UserData. If the EC2 instance should start some processes at launch, use the UserData parameter to set them up. For example, an instance can start application-specific processes for Apache or Nginx, or update application configuration files. This parameter enables flexibility and automation in the EC2 instance launch process.
• DisableApiTermination. If the EC2 instance will store critical data or perform a critical task, set this parameter to true to prevent accidental termination through the AWS Console or the CLI.
• IamInstanceProfile. Assigning an IAM instance profile is a security best practice when you create a new EC2 instance. It eliminates the need to configure AWS credentials in files or environment variables inside the instance. Configure this parameter at instance launch.
• TagSpecifications. Applying tags to AWS resources is a best practice for managing infrastructure in the long term. This parameter tags the EC2 instance appropriately. At a minimum, set the Name tag to make it easy to find the EC2 instance in the Console.
• LaunchTemplate. Launch templates standardize the launch of EC2 instances by preconfiguring the AMI, instance type, volume configuration, security groups and other parameters. If launch templates are already configured for the AWS deployment, set this parameter to simplify configuration tasks for instance launch through the CLI.
• Count. The Count parameter specifies how many EC2 instances will launch.
• associatePublicIpAddress |noAssociatePublicIpAddress. AWS users can select this flag depending on whether the new instance or instances will use a public IP address. Subnets have a default configuration to disable or enable association with a public IP. For security reasons, some EC2 instances should not have a public IP address. In other use cases, it is required.

Ernesto Marquez is the owner and project director at Concurrency Labs, where he helps startups launch and grow their applications on AWS. He enjoys building serverless architectures, building data analytics solutions, implementing automation and helping customers cut their AWS costs.

Editor's note: This article was updated to reflect changes in the best practices for using the CLI to create an EC2 instance.