How can I connect to my Amazon EC2 instance if I lost my SSH key pair after its initial launch?

Last updated: 2020-09-10

I want to connect to my Amazon Elastic Compute Cloud (Amazon EC2) instance but have lost the SSH key pair. How can I connect to the instance?

Resolution

Warning: Before starting this procedure, be aware of the following:

  • This procedure requires that you stop and start your EC2 instance. Be aware that data in instance store volumes will be lost. For more information, see Determining the root device type of your instance. Be sure that you back up any data that you want to keep on the instance store volume.
  • Stopping and restarting the instance changes the public IP address of your instance. It's a best practice to use an Elastic IP address instead of a public IP address when routing external traffic to your instance.

Method 1: Enter user-data

1.    Create a new key pair.

2.    If you create the private key in the Amazon EC2 console, retrieve the public key for the key pair.

3.    Open the Amazon EC2 console.

4.    Stop your instance.

5.    Choose Actions, Instance Settings, and then choose View/Change User Data.

6.    Copy the following script into the View/Change User Data dialog box:

Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [users-groups, once]
users:
  - name: username
    ssh-authorized-keys: 
    - PublicKeypair

Replace username with your user name, such as ec2-user. You can enter the default user name, or enter a custom user name, if one was previously set up for the instance. For a list of default user names, see General prerequisites for connecting to your instance.

Replace PublicKeypair with the public key retrieved in step 2. Be sure to enter the entire public key, starting with ssh-rsa.

7.    Choose Save.

8.    Start your instance.

9.    After the cloud-init phase is complete, validate that the public key was replaced.

Important: Because the script contains a key pair, remove the script from the User Data field.

10.    Stop your instance.

11.    Choose Actions, Instance Settings, and then choose View/Change User Data.

12.    Delete all the text in the View/Change User Data dialog box, and then choose Save.

13.    Start your instance.

Note: If your instance is Amazon Linux 2 2.0.20190618 or later, you can use EC2 Instance Connect to connect to the instance.

Method 2: Use AWS Systems Manager

If your unreachable instance is listed in AWS Systems Manager as a managed instance, you can use the AWSSupport-ResetAccess document to recover from a lost key pair scenario. This Automation document uses the EC2Rescue for Linux tool on the specified EC2 instance to automatically generate and add a new SSH (Public/Private) key pair.

The new SSH private key for your instance is encrypted and saved in the AWS Systems Manager Parameter Store. The parameter name is /ec2rl/openssh/instance_id/key. Create a new .pem file with this parameter's value as its content and use it to connect back to your unreachable instance.

Note: The Automation workflow creates a backup, password-enabled Amazon Machine Image (AMI). The new AMI is not automatically deleted and remains in your account.

To locate these AMIs:

1.    Open the Amazon EC2 console, and then choose AMIs.

2.    Enter the Automation execution ID in the search field.


Did this article help?


Do you need billing or technical support?