One way to allow one EC2 instance to connect to another is to set an ingress rule on the target EC2 instance that lets it accept traffic from the source EC2 instance's security group. Here's a Python function that uses Boto3 to do this:

    import logging

    import boto3
    from botocore.exceptions import ClientError

    logger = logging.getLogger(__name__)
    ec2 = boto3.resource('ec2')

    def allow_security_group_ingress(target_security_group_id, source_security_group_name):
        try:
            # Only the source group is named: no protocol or port range is given,
            # so the rule grants full ICMP, UDP, and TCP access from that group.
            ec2.SecurityGroup(target_security_group_id).authorize_ingress(
                SourceSecurityGroupName=source_security_group_name)
            logger.info("Added rule to group %s to allow traffic from instances in "
                        "group %s.", target_security_group_id, source_security_group_name)
        except ClientError:
            logger.exception("Couldn't add rule to group %s to allow traffic from "
                             "instances in %s.",
                             target_security_group_id, source_security_group_name)
            raise

After you've set this, put the private key of the key pair on the source instance and use it when you SSH from the source instance:

    ssh -i {key_file_name} ec2-user@{private_ip_address_of_target_instance}

There's a full Python example that shows how to do this on GitHub in awsdocs/aws-doc-sdk-examples.
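
An added example, not part of the original text or the AWS sample: a rule created with only `SourceSecurityGroupName` grants full ICMP, UDP, and TCP access from the source group, which is more than the SSH connection above needs. The code below builds a TCP/22-only rule keyed on the source group ID and checks a group's existing rules for broader grants. The helper names, sample rules, and group IDs are constructed for illustration, and `ec2_client` is assumed to be `boto3.client('ec2')`.

```python
SSH_PORT = 22

def ssh_only_permission(source_group_id):
    """One IpPermissions entry: TCP/22 only, from members of source_group_id."""
    return {
        "IpProtocol": "tcp",
        "FromPort": SSH_PORT,
        "ToPort": SSH_PORT,
        "UserIdGroupPairs": [{"GroupId": source_group_id}],
    }

def allow_ssh_from_group(ec2_client, target_group_id, source_group_id):
    """Add the narrow rule. ec2_client is expected to be boto3.client('ec2')."""
    return ec2_client.authorize_security_group_ingress(
        GroupId=target_group_id,
        IpPermissions=[ssh_only_permission(source_group_id)],
    )

def broad_group_rules(ip_permissions, source_group_id):
    """Return the rules that let source_group_id reach more than TCP/22.

    ip_permissions is the 'IpPermissions' list of one security group, in the
    shape returned by describe_security_groups.
    """
    broad = []
    for perm in ip_permissions:
        refs = [pair.get("GroupId") for pair in perm.get("UserIdGroupPairs", [])]
        if source_group_id not in refs:
            continue
        ssh_only = (perm.get("IpProtocol") == "tcp"
                    and perm.get("FromPort") == SSH_PORT
                    and perm.get("ToPort") == SSH_PORT)
        if not ssh_only:
            broad.append(perm)
    return broad

# Constructed sample: rules of the kind a name-only grant produces, plus the
# narrow rule. The group ID is a placeholder, not a real resource.
SRC = "sg-0123456789abcdef0"
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "UserIdGroupPairs": [{"GroupId": SRC}]},
    {"IpProtocol": "udp", "FromPort": 0, "ToPort": 65535, "UserIdGroupPairs": [{"GroupId": SRC}]},
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "UserIdGroupPairs": [{"GroupId": SRC}]},
    ssh_only_permission(SRC),
]

if __name__ == "__main__":
    for rule in broad_group_rules(SAMPLE_PERMISSIONS, SRC):
        print("too broad:", rule["IpProtocol"], rule.get("FromPort"), rule.get("ToPort"))
```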