How do I replace a lost key pair for my EC2 Windows instance when using EC2Config or EC2Launch to reset the administrator password?

Last updated: 2020-06-29

I'm trying to reset a lost password using EC2Config or EC2Launch, but I lost the private key file for the key pair that I use to launch my Amazon Elastic Compute Cloud (Amazon EC2) Windows instance. How can I replace or change the key pair on an EC2 Windows instance?

Short description

To replace a lost key pair, you can use the AWS Systems Manager AWSSupport-ResetAccess Automation document. Or, you can create an Amazon Machine Image (AMI) of the existing instance, launch a new instance, and then select a new key pair.


Use the AWSSupport-ResetAccess Automation document

You can use the Systems Manager AWSSupport-ResetAccess Automation document to replace a lost key pair, or to replace a lost local Administrator password. For instructions, see Walkthrough: Reset passwords and SSH keys on EC2 instances.

Create an AMI and launch a new instance

When you use EC2Config or EC2Launch to reset a lost password, you must use its key pair to retrieve the administrator password. If you've lost the key pair, you can create an AMI of the existing instance, and then launch a new instance. You can then select a new key pair by following the instance launch wizard. Follow these steps:

  1. Create a new key pair and save the private key file. You can create a key pair using the console, AWS Command Line Interface (AWS CLI), or AWS Tools for Windows PowerShell. For more information, see Create a key pair using Amazon EC2.
    Note: To give the new key pair the same name as the lost key pair, you must first delete the lost key pair.
  2. From the Amazon EC2 console, choose Instances from the navigation pane.
  3. Select your instance. From the Description tab, take note of the Instance type, VPC ID, Subnet ID, Security groups, and IAM role for the instance.
  4. Stop your instance.
    Warning: If this instance has an instance store volume, any data on it is lost when the instance is stopped. If the instance shutdown behavior is set to Terminate, the instance terminates when it is stopped.
  5. Select your instance. For Actions, choose Image, Create Image. For Image name, enter a name.
    (Optional) For Image description, enter a description.
  6. Choose Create Image, and then choose Close.
  7. Choose AMIs from the navigation pane. If the Status is pending, the AMI is still being created. When the Status is available, continue to the next step.
  8. Select the AMI, and then choose Launch.
  9. Complete the wizard. Be sure to select the same Instance type, VPC ID, Subnet ID, Security groups, and IAM role as the instance that you are replacing.
    For Select a key pair, choose the new key pair.
  10. (Optional) If the original instance has an associated Elastic IP address, reassociate the Elastic IP address to the new instance.
  11. (Optional) If any EBS volumes aren't captured during the AMI creation, detach the volume, and then attach the volume to the new instance.
    Note: When you detach the volume, you can skip the step to unmount the volume, because the original instance is already in stopped state.
  12. Now that the private key file is replaced, you can reset the administrator password. Use EC2Config for Windows Server 2012 R2 and earlier. Use EC2Launch for Windows Server 2016 and later.
  13. (Optional) To clean up, you can terminate the stopped instance for which the key pair is lost.