Connect to an Amazon EC2 instance when the SSH key pair is lost (2024)

I want to connect to my Amazon Elastic Compute Cloud (Amazon EC2) instance, but I lost the SSH key pair.

Short description

To connect to an EC2 instance when you lose your SSH key pair, use one of the following methods:

  • Enter user data to create a new key pair. This method requires you to stop and start your instance.
  • For instances that are managed nodes, use AWS Systems Manager to recover your key pair. This method requires you to stop and start your instance.
  • For instances that run Amazon Linux 2 version 2.0.20190618 or later, or Amazon Linux 2023, use Amazon EC2 Instance Connect. This method doesn't require you to stop and start your instance.
  • If your instance type supports the EC2 serial console and you have access to it, use the serial console. This method doesn't require you to stop and start your instance, but it does require an OS user with a password, because the serial console presents the operating system's login prompt instead of authenticating with SSH keys.

Important:

  • If your instance is instance store-backed or has instance store volumes that contain data, then that data is lost when you stop the instance. For more information, see Root volumes for your Amazon EC2 instances. Be sure to back up any data on instance store volumes that you want to keep before you stop the instance.
  • When you stop and start the instance, it receives a new public IPv4 address unless an Elastic IP address is associated with it. When you route external traffic to your instance, it's a best practice to use an Elastic IP address instead of the automatically assigned public IP address.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Enter user data

Complete the following steps:

  1. Create a new key pair.
  2. If you created the key pair in the Amazon EC2 console, then you have only the private key file; derive the public key from it, because the user data needs the public key. Never paste the private key into user data.
  3. Open the Amazon EC2 console.
  4. Stop your instance.
  5. Choose Actions, and then choose Instance settings.
  6. Choose Edit user data, and then enter the following script:
    Content-Type: multipart/mixed; boundary="//"
    MIME-Version: 1.0

    --//
    Content-Type: text/cloud-config; charset="us-ascii"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    Content-Disposition: attachment; filename="cloud-config.txt"

    #cloud-config
    cloud_final_modules:
    - [users-groups, once]
    users:
      - name: username
        ssh-authorized-keys:
        - PublicKeypair
    Note: Replace username with either the default username for the AMI (for example, ec2-user on Amazon Linux) or a previously created custom username. Replace PublicKeypair with the entire public key line, which starts with the key type, for example ssh-rsa or ssh-ed25519, followed by the base64 key material. The blank lines separate the MIME headers from their bodies and are required.
  7. Choose Save.
  8. Start your instance.
  9. In the instance console output, confirm that the cloud-init phase is complete. Then use SSH with the new private key to confirm that the public key is installed.
    Important: User data is readable from the instance metadata service by any process on the instance and by anyone with ec2:DescribeInstanceAttribute permission, and it stays in place until you remove it. Because the text you entered contains key material, remove it from the User Data field as follows:
  10. Stop your instance.
  11. Choose Actions, and then choose Instance settings.
  12. Choose Edit user data, and then delete the text.
  13. Choose Save.
  14. Start your instance.
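The procedure above, automated with the AWS CLI, as an added example that is not code from the AWS article. It assumes (not stated on the page) that the AWS CLI is configured with ec2:CreateKeyPair, ec2:StopInstances, ec2:ModifyInstanceAttribute, ec2:StartInstances and ec2:GetConsoleOutput permissions, that ssh-keygen is installed locally, and that the instance ID, OS user name and new key pair name are passed as arguments. build_user_data produces the same multipart cloud-config as step 6 with the placeholders filled in, and refuses anything that is not a public key line, which catches the common mistake of pasting the private key.

```shell
#!/bin/sh
# Added example (not from the AWS article): automate the "Enter user data" key reset.
# Assumptions: AWS CLI configured with the EC2 permissions named in the lead-in,
# ssh-keygen available locally, arguments: INSTANCE_ID USERNAME KEY_NAME.

# build_user_data USERNAME PUBLIC_KEY_LINE
# Prints the multipart cloud-config from the procedure with the placeholders filled in.
# Only a public key line is accepted; a pasted private key (.pem) is rejected.
build_user_data() {
  username="$1"
  pubkey="$2"
  case "$pubkey" in
    ssh-rsa\ *|ssh-ed25519\ *) ;;
    *)
      echo "build_user_data: expected a public key line starting with ssh-rsa or ssh-ed25519" >&2
      return 1
      ;;
  esac
  cat <<EOF
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [users-groups, once]
users:
  - name: ${username}
    ssh-authorized-keys:
    - ${pubkey}
EOF
}

# reset_instance_key INSTANCE_ID USERNAME KEY_NAME
# Creates a new key pair, installs its public key through user data across a
# stop/start cycle, then clears the user data again as the procedure requires.
reset_instance_key() {
  instance_id="$1"; username="$2"; key_name="$3"
  pem="${key_name}.pem"

  # 1. Create the key pair. The private key is returned exactly once, so write it
  #    to a file that only the owner can read.
  (umask 077; aws ec2 create-key-pair --key-name "$key_name" --key-type ed25519 \
      --query KeyMaterial --output text > "$pem")
  pubkey=$(ssh-keygen -y -f "$pem")

  # 2. Stop the instance and set the user data. modify-instance-attribute expects
  #    the value file to be base64-encoded.
  aws ec2 stop-instances --instance-ids "$instance_id" > /dev/null
  aws ec2 wait instance-stopped --instance-ids "$instance_id"
  ud_b64=$(mktemp)
  build_user_data "$username" "$pubkey" | base64 | tr -d '\n' > "$ud_b64"
  aws ec2 modify-instance-attribute --instance-id "$instance_id" \
      --attribute userData --value "file://$ud_b64"

  # 3. Start the instance and poll the console output for cloud-init's completion
  #    line (step 9 of the procedure does this by hand).
  aws ec2 start-instances --instance-ids "$instance_id" > /dev/null
  aws ec2 wait instance-running --instance-ids "$instance_id"
  until aws ec2 get-console-output --instance-id "$instance_id" --output text \
        | grep -q 'Cloud-init .* finished'; do
    sleep 15
  done

  # 4. Remove the key material from user data again (steps 10 to 14).
  aws ec2 stop-instances --instance-ids "$instance_id" > /dev/null
  aws ec2 wait instance-stopped --instance-ids "$instance_id"
  aws ec2 modify-instance-attribute --instance-id "$instance_id" \
      --attribute userData --value ""
  aws ec2 start-instances --instance-ids "$instance_id" > /dev/null
  rm -f "$ud_b64"
  echo "Connect with: ssh -i $pem $username@<instance-address>"
}

if [ $# -eq 3 ]; then
  reset_instance_key "$@"
fi
```

Run it as `sh reset-key.sh i-0123456789abcdef0 ec2-user recovery-key` (names are placeholders). Creating the key pair with the CLI instead of the console means the public key can be derived locally with ssh-keygen -y, so there is never a reason to upload anything but the public half.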

Use Systems Manager

To recover an instance that's a managed node in Systems Manager, use the AWSSupport-ResetAccess runbook to recover the key pair. AWSSupport-ResetAccess uses EC2Rescue to automatically generate a new SSH key pair and add it to the instance. The runbook stops and starts the instance, so the notes above about instance store data and public IP addresses apply.

The new SSH private key for your instance is encrypted and saved in Parameter Store, a capability of AWS Systems Manager, as a SecureString parameter named /ec2rl/openssh/instance_id/key.

To get the private SSH key from Parameter Store, run the get-parameters command:

$ aws ssm get-parameters --names "/ec2rl/openssh/instance_id/key" --with-decryption --output json --query "Parameters[0].Value" | sed 's:\\n:\n:g; s:^"::; s:"$::' > key-pair-name

Note: Replace instance_id with your instance ID and key-pair-name with the file name you want for the key. The sed command turns the JSON string's \n escapes into line breaks and strips the surrounding quotes. The --with-decryption option requires kms:Decrypt permission on the key that encrypts the parameter.

Then, use the saved file to reconnect to your unreachable instance. The file is already a complete private key, so after you restrict its permissions to the owner (mode 0600) you can pass it to ssh -i as is; the .pem extension is not required. If a tool requires the private key in PEM format, convert the file in place with the following command (ssh-keygen -e exports a public key, so it can't produce a usable private key file):

$ ssh-keygen -p -m PEM -N '' -f key-pair-name

Note: Replace key-pair-name with the name of the file you saved.

The automation runbook creates a backup AMI of the instance before it changes anything. The new AMI isn't automatically deleted and remains in your AWS account, where its snapshots incur storage charges and hold a copy of the instance's data, so deregister it and delete its snapshots once you've confirmed access. The Parameter Store parameter isn't deleted automatically either; after you've saved the private key locally, delete the parameter so that anyone with ssm:GetParameter and kms:Decrypt permission on it can't retrieve the key later.

To locate the AMIs, complete the following steps:

  1. Open the Amazon EC2 console.
  2. Choose AMIs.
  3. Enter the Automation ID in the search field.
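The retrieval and cleanup described above, as an added example that is not code from the AWS article or the runbook. It assumes (not stated on the page) that the AWS CLI is configured with ssm:GetParameter, ssm:DeleteParameter and kms:Decrypt permission for the parameter, that ssh-keygen is installed locally, and that the instance ID and output file name are passed as arguments. It uses --output text instead of the JSON-plus-sed form so the key arrives with real line breaks, writes it to an owner-only file, refuses to create an empty or malformed key file, and deletes the parameter once the key is on disk.

```shell
#!/bin/sh
# Added example (not from the AWS article): fetch the private key stored by
# AWSSupport-ResetAccess, keep it with 0600 permissions, verify it, and remove it
# from Parameter Store. Assumptions: AWS CLI configured with the SSM and KMS
# permissions named in the lead-in; arguments: INSTANCE_ID OUTFILE.

# key_parameter_name INSTANCE_ID -> the parameter path that the runbook uses.
key_parameter_name() {
  printf '/ec2rl/openssh/%s/key\n' "$1"
}

# looks_like_private_key FILE: true if the first line is a PEM private-key header.
looks_like_private_key() {
  head -n 1 "$1" | grep -q -- '^-----BEGIN .*PRIVATE KEY-----$'
}

# write_private_key OUTFILE < VALUE
# Reads the parameter value from stdin as `--output text` prints it (the key with
# real line breaks, or "None" when the parameter does not exist) and writes it to
# OUTFILE with mode 0600. Fails, leaving no file behind, if the value is missing
# or does not look like a private key.
write_private_key() {
  outfile="$1"
  value=$(cat)
  case "$value" in
    ""|None|null)
      echo "write_private_key: empty parameter value; was AWSSupport-ResetAccess run for this instance?" >&2
      return 1
      ;;
  esac
  rm -f -- "$outfile"
  # umask in a subshell so the 0600 mode applies only to this file.
  (umask 077; printf '%s\n' "$value" > "$outfile")
  looks_like_private_key "$outfile" || { rm -f -- "$outfile"; return 1; }
}

# fetch_and_clean INSTANCE_ID OUTFILE
fetch_and_clean() {
  instance_id="$1"; outfile="$2"
  name=$(key_parameter_name "$instance_id")
  aws ssm get-parameters --names "$name" --with-decryption --output text \
      --query "Parameters[0].Value" | write_private_key "$outfile" || return 1
  # ssh-keygen -l parses the key and prints its fingerprint; a damaged key fails here.
  ssh-keygen -l -f "$outfile"
  # The key is now on disk; remove it from Parameter Store so it can't be fetched again.
  aws ssm delete-parameter --name "$name"
  echo "Connect with: ssh -i $outfile <username>@<instance-address>"
}

if [ $# -eq 2 ]; then
  fetch_and_clean "$@"
fi
```

Run it as `sh fetch-ssm-key.sh i-0123456789abcdef0 recovered-key` (placeholder values). Deleting the parameter is the step most often forgotten: until it is gone, the private key for the instance is retrievable by any principal that can read SecureString parameters under /ec2rl/.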

Use Amazon EC2 Instance Connect

To connect to an instance that runs Amazon Linux 2 version 2.0.20190618 or later, or Amazon Linux 2023, see Connect using EC2 Instance Connect. Instance Connect pushes a one-time SSH public key to the instance through the EC2 Instance Connect API, where it's valid for 60 seconds, so it works without the lost key pair and without stopping the instance. It requires the ec2-instance-connect package on the instance (installed by default on the AMIs above) and a security group rule that allows inbound SSH from your client or from the EC2 Instance Connect service.

Use the EC2 serial console

If you have access to the EC2 serial console for Linux, then you can use the console to troubleshoot supported Nitro-based instance types without stopping them. Serial console access must be enabled at the account level, your IAM identity needs permission to use it, and the instance needs an OS user with a password set, because the console shows the operating system's login prompt rather than authenticating with SSH keys. After you sign in, you can add a new public key to the user's ~/.ssh/authorized_keys file and connect over SSH again. For more information, see Configure access to the EC2 serial console.

Related information

Run commands when you launch an EC2 instance with user data input

AWS Systems Manager Automation
