How do I replace a lost key pair for my EC2 Windows instance when using EC2Config or EC2Launch to reset the administrator password?

Last updated: 2022-10-05

I'm trying to reset a lost password using EC2Config or EC2Launch, but I lost the private key file for the key pair that I use to launch my Amazon Elastic Compute Cloud (Amazon EC2) Windows instance. How can I replace or change the key pair on an EC2 Windows instance?

Short description

To replace a lost key pair, you can use the AWS Systems Manager AWSSupport-ResetAccess Automation document. Or, you can create an Amazon Machine Image (AMI) of the existing instance, launch a new instance, and then select a new key pair.


Use the AWSSupport-ResetAccess Automation document

You can use the Systems Manager AWSSupport-ResetAccess Automation document to replace a lost key pair, or to replace a lost local Administrator password. For instructions, see Reset passwords and SSH keys on EC2 instances.

Create an AMI and launch a new instance

When you use EC2Config or EC2Launch to reset a lost password, you must use the key pair that the instance was launched with to retrieve the administrator password. If you've lost that key pair, you can create an AMI of the existing instance, and then launch a new instance from it. You can then select a new key pair in the instance launch wizard. Follow these steps:

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

  1. Create a new key pair, and then save the private key file in a safe place. You can create a key pair using the console, the AWS CLI, or AWS Tools for Windows PowerShell.
    Note: To give the new key pair the same name as the lost key pair, you must first delete the lost key pair.
  2. From the Amazon EC2 console, choose Instances from the navigation pane.
  3. Select your instance. From the Description tab, note the Instance type, VPC ID, Subnet ID, Security groups, and IAM role for the instance.
  4. Stop your instance. Warning: If this instance has an instance store volume, any data on it is lost when the instance is stopped. If the instance shutdown behavior is set to Terminate, the instance terminates when it is stopped.
  5. Select your instance. For Actions, choose Image, Create Image.
    For Image name, enter a name.
    (Optional) For Image description, enter a description.
  6. Choose Create Image, and then choose Close.
  7. Choose AMIs from the navigation pane. If the Status is pending, the AMI is still being created. When the Status is available, continue to the next step.
  8. Select the AMI, and then choose Launch.
  9. Complete the wizard. Be sure to select the same Instance type, VPC ID, Subnet ID, Security groups, and IAM role as the instance that you are replacing.
    For Select a key pair, choose the new key pair.
  10. (Optional) If the original instance has an associated Elastic IP address, reassociate the Elastic IP address to the new instance.
  11. (Optional) If any Amazon Elastic Block Store (Amazon EBS) volumes aren't captured during the AMI creation, detach the volume. Then, attach the volume to the new instance.
    Note: When you detach the volume, you can skip the step to unmount the volume, because the original instance is already in the stopped state.
  12. Now that the private key file is replaced, you can reset the administrator password. Use EC2Config for Windows Server 2012 R2 and earlier. Use EC2Launch for Windows Server 2016 and later.
  13. (Optional) To clean up, you can terminate the stopped instance for which the key pair is lost. You can also delete the AMI after successfully launching the new instance.
    Note: Storing AMIs can incur costs. If you no longer need the AMI, delete the AMI.
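The procedure above, automated with AWS Tools for PowerShell, as an added example that is not part of the original article. $InstanceId, $NewKeyName and $ImageName are placeholder values supplied by the caller, and the script assumes AWS credentials and a default region are already configured for the session.

```powershell
# Added example (not from the AWS article): image a stopped instance and launch
# a copy of it with a new key pair. $InstanceId, $NewKeyName and $ImageName are
# placeholders supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $InstanceId,   # e.g. i-0123456789abcdef0 (placeholder)
    [Parameter(Mandatory)] [string] $NewKeyName,
    [string] $ImageName = "recovery-$InstanceId-$(Get-Date -Format yyyyMMddHHmm)"
)
$ErrorActionPreference = 'Stop'

# Step 1: create the new key pair and keep the private key; it is returned only once.
$keyPair = New-EC2KeyPair -KeyName $NewKeyName
$pemPath = Join-Path $HOME "$NewKeyName.pem"
Set-Content -Path $pemPath -Value $keyPair.KeyMaterial -NoNewline
Write-Host "Private key saved to $pemPath; store it in a safe place."

# Step 3: record the settings the replacement instance must keep.
$src = (Get-EC2Instance -InstanceId $InstanceId).Instances[0]
$instanceType = $src.InstanceType.Value
$subnetId     = $src.SubnetId
$sgIds        = $src.SecurityGroups | ForEach-Object { $_.GroupId }
$profileArn   = $src.IamInstanceProfile.Arn   # $null when no IAM role is attached

# Step 4: stop the instance. Instance-store data is lost here, and a Terminate
# shutdown behaviour would terminate the instance instead, so check that first.
$attr = Get-EC2InstanceAttribute -InstanceId $InstanceId -Attribute instanceInitiatedShutdownBehavior
if ($attr.InstanceInitiatedShutdownBehavior -eq 'terminate') {
    throw "Shutdown behaviour is Terminate; change it to Stop before continuing."
}
Stop-EC2Instance -InstanceId $InstanceId | Out-Null
while ((Get-EC2Instance -InstanceId $InstanceId).Instances[0].State.Name.Value -ne 'stopped') { Start-Sleep 10 }

# Steps 5-7: create the AMI and wait until its status is 'available'.
$amiId = New-EC2Image -InstanceId $InstanceId -Name $ImageName -Description "Key pair recovery image for $InstanceId"
while ((Get-EC2Image -ImageId $amiId).State.Value -ne 'available') { Start-Sleep 15 }

# Steps 8-9: launch from the AMI with the same type, subnet, security groups and role.
$launch = @{
    ImageId = $amiId; InstanceType = $instanceType; SubnetId = $subnetId
    SecurityGroupId = $sgIds; KeyName = $NewKeyName; MinCount = 1; MaxCount = 1
}
if ($profileArn) { $launch['InstanceProfile_Arn'] = $profileArn }
$newId = (New-EC2Instance @launch).Instances[0].InstanceId
Write-Host "Launched $newId from $amiId with key pair $NewKeyName."

# Step 10 (optional): move an Elastic IP that was associated with the old instance.
$eip = Get-EC2Address -Filter @{ Name = 'instance-id'; Values = $InstanceId }
if ($eip) { Register-EC2Address -InstanceId $newId -AllocationId $eip.AllocationId | Out-Null }
```

After the new instance is running, reset the administrator password with EC2Config or EC2Launch using the saved .pem file (step 12), and only then terminate the old instance and deregister the AMI (step 13).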