Why can't I connect to my EC2 Windows instance that was launched from a custom AMI?
Last updated: 2021-07-16
I'm receiving the error "Password is not available yet. Please wait at least 4 minutes after launching an instance before trying to retrieve the auto-generated password" when connecting to my newly launched Amazon Elastic Compute Cloud (Amazon EC2) Windows instance. I’ve waited longer than 4 minutes and still can’t connect. How do I fix this issue?
The default Administrator account password for EC2 Windows instances launched from a public Amazon Machine Image (AMI) is automatically generated by one of the following:
- EC2Launch service - Windows Server 2016 and later.
- EC2Config service - Windows Server 2012 R2 and earlier.
It's a best practice to change the Administrator password from its default value to your own password.
Instances launched from custom AMIs take the Administrator password from the source instance. If the default password for the Administrator account was changed in the source instance used to create the AMI, then the new instance takes the same password. Decrypting the password using a key pair file isn't possible, unless you configure EC2Launch or EC2Config to generate a new password on the next instance boot.
For information on resetting the Administrator password on instances with lost or expired passwords, see How can I reset the administrator password on an EC2 Windows instance?
Resetting the password allows you to recover access to the new instance. However, any other instance launched from that custom AMI will experience the same issue. To avoid this, configure the initialization tasks from EC2Launch or EC2Config to enable auto-generated passwords.
This procedure requires a stop and start of the instance. Be aware of the following:
- If your instance is instance store-backed or has instance store volumes containing data, then the data is lost when the instance is stopped. For more information, see Determine the root device type of your instance.
- If your instance is part of an Amazon EC2 Auto Scaling group, then stopping the instance might terminate it. Instances launched with Amazon EMR, AWS CloudFormation, or AWS Elastic Beanstalk might be part of an AWS Auto Scaling group. Instance termination in this scenario depends on the instance scale-in protection settings for your Auto Scaling group. If your instance is part of an Auto Scaling group, temporarily remove it from the Auto Scaling group before starting the resolution steps.
- Stopping and starting the instance changes the public IP address of your instance. It's a best practice to use an Elastic IP address instead of a public IP address when routing external traffic to your instance.
For more information, see Overview: Stop and start your instance.
- Open the Amazon EC2 console, and then connect to the original Windows EC2 instance using Remote Desktop Protocol (RDP).
- From the Windows Start menu, do the following:
  - For Windows Server 2008 through Windows Server 2012 R2, open EC2ConfigService Settings, and then choose the Image tab.
  - For Windows Server 2016 or later, open EC2 Launch Settings.
- For Administrator Password, choose Random.
- Select Shutdown without Sysprep *.
- Select Yes.
- Open the Amazon EC2 console and then select Instances.
- Wait until the instance state changes to Stopped, and then choose your instance.
- Select Actions, Image, Create image.
  - For Image name, enter a name.
  - (Optional) For Image description, enter a description.
- Choose Create image.
All EC2 instances launched from this new AMI can decrypt the Administrator password using a key pair.
Note: Shutting down with Sysprep standardizes your AMI by removing unique information such as instance security identifiers (SID), computer name, and drivers. This allows you to launch multiple copies of your instances. For more information, see How can I use Sysprep to create and install custom reusable Windows AMIs?
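Because every instance launched from such a custom AMI takes the source instance's Administrator password, it helps to find which AMIs are affected. The following is an added example, not part of the original article or any AWS tooling: it groups Windows instances that have no retrievable password by their source AMI. The function names, the sample IDs and the dummy PasswordData value are constructed; the 4-minute window comes from the error message quoted above.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# The console error quoted on this page asks for at least 4 minutes after launch.
GRACE = timedelta(minutes=4)

def amis_without_generated_password(instances, password_data, now, grace=GRACE):
    """Map ImageId -> Windows instance IDs that have no retrievable password.
    instances: dicts shaped like DescribeInstances entries.
    password_data: InstanceId -> PasswordData from GetPasswordData ("" = none).
    """
    flagged = defaultdict(list)
    for inst in instances:
        if inst.get("Platform", "").lower() != "windows":
            continue  # Platform is only set for Windows instances
        if now - inst["LaunchTime"] < grace:
            continue  # still inside the wait window, not conclusive yet
        if not password_data.get(inst["InstanceId"], "").strip():
            flagged[inst["ImageId"]].append(inst["InstanceId"])
    return {ami: sorted(ids) for ami, ids in flagged.items()}

def collect(region):
    """Live collection with boto3 (needs credentials; not called here)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    filters = [{"Name": "platform", "Values": ["windows"]},
               {"Name": "instance-state-name", "Values": ["running"]}]
    instances, pw = [], {}
    for page in ec2.get_paginator("describe_instances").paginate(Filters=filters):
        for res in page["Reservations"]:
            for inst in res["Instances"]:
                instances.append(inst)
                pw[inst["InstanceId"]] = ec2.get_password_data(
                    InstanceId=inst["InstanceId"])["PasswordData"]
    return instances, pw

# Constructed sample data: placeholder IDs and a dummy PasswordData value.
NOW = datetime(2021, 7, 16, 12, 0, tzinfo=timezone.utc)
def _inst(iid, ami, minutes_old, platform="windows"):
    d = {"InstanceId": iid, "ImageId": ami, "LaunchTime": NOW - timedelta(minutes=minutes_old)}
    return {**d, "Platform": platform} if platform else d
SAMPLE_INSTANCES = [
    _inst("i-EXAMPLE1", "ami-EXAMPLECUSTOM", 60), _inst("i-EXAMPLE2", "ami-EXAMPLECUSTOM", 45),
    _inst("i-EXAMPLE3", "ami-EXAMPLECUSTOM", 2),   # too new to judge
    _inst("i-EXAMPLE4", "ami-EXAMPLEPUBLIC", 60),  # password was generated
    _inst("i-EXAMPLE5", "ami-EXAMPLELINUX", 60, platform=None)]
SAMPLE_PASSWORD_DATA = {"i-EXAMPLE4": "Q09OU1RSVUNURUQ="}

if __name__ == "__main__":
    print(amis_without_generated_password(SAMPLE_INSTANCES, SAMPLE_PASSWORD_DATA, NOW))
```

An AMI that appears in the result is a candidate for the procedure above; empty password data alone does not distinguish an inherited password from a launch agent that failed to run.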