How do I reset the password for my EC2 Mac instance?
I don't know the password for my Amazon Elastic Compute Cloud (Amazon EC2) Mac instance, and I need to reset the password. Or, I need to reset the password for ec2-user.
Short description
If you don't know the password for the ec2-user account on an EC2 Mac instance, and that account holds a secure token, then you can run into problems: to reset a forgotten password for a user with a secure token, you must yourself be a user with a secure token.
When you set the first user password on an EC2 Mac instance, macOS issues a secure token to that user by default. To issue a secure token for the ec2-user account, you must set the password for ec2-user first. For more information, see Use secure token, bootstrap token, and volume ownership in deployments on the Apple website. Because of this complexity, it's not a best practice to use another secure token user to update the password for ec2-user.
Instead, create a rescue instance as a non-secure token user. Then, attach the original instance's root volume as a secondary volume on the rescue instance and migrate your data.
Resolution
Complete the following steps:
- Create a snapshot of the root Amazon Elastic Block Store (Amazon EBS) volume of your EC2 Mac instance.
- Create an Amazon EBS volume from the root volume snapshot in the same Availability Zone as the new (rescue) instance.
- Attach the EBS volume as a secondary volume to the new instance.
- Use SSH to connect to the new instance so that you can work with the attached secondary volume.
- To list all the physical disks, partitions, Apple File System (APFS) containers, and volumes on the new instance, run the following command:
  diskutil list
  Example output:
  /dev/disk0 (internal, physical):
     #:                       TYPE NAME                    SIZE       IDENTIFIER
     0:      GUID_partition_scheme                        *251.0 GB   disk0
     1:             Apple_APFS_ISC Container disk1         524.3 MB   disk0s1
     2:                 Apple_APFS Container disk3         245.1 GB   disk0s2
     3:        Apple_APFS_Recovery Container disk2         5.4 GB     disk0s3

  /dev/disk3 (synthesized):
     #:                       TYPE NAME                    SIZE       IDENTIFIER
     0:      APFS Container Scheme -                      +245.1 GB   disk3
                                   Physical Store disk0s2
     1:                APFS Volume InternalDisk            10.3 GB    disk3s1
     2:                APFS Volume Preboot                 5.3 GB     disk3s2
     3:                APFS Volume Recovery                919.3 MB   disk3s3
     4:                APFS Volume Data                    779.2 MB   disk3s5
     5:                APFS Volume VM                      20.5 KB    disk3s6

  /dev/disk4 (external, physical):
     #:                       TYPE NAME                    SIZE       IDENTIFIER
     0:      GUID_partition_scheme                        *107.4 GB   disk4
     1:                        EFI EFI                     209.7 MB   disk4s1
     2:                 Apple_APFS Container disk5         107.2 GB   disk4s2

  /dev/disk5 (synthesized):
     #:                       TYPE NAME                    SIZE       IDENTIFIER
     0:      APFS Container Scheme -                      +107.2 GB   disk5
                                   Physical Store disk4s2
     1:                APFS Volume Macintosh HD - Data     4.8 GB     disk5s1
     2:                APFS Volume Macintosh HD            9.3 GB     disk5s2
     3:              APFS Snapshot com.apple.os.update-... 9.3 GB     disk5s2s1
     4:                APFS Volume Preboot                 5.4 GB     disk5s3
     5:                APFS Volume Recovery                754.6 MB   disk5s4
     6:                APFS Volume VM                      20.5 KB    disk5s5

  /dev/disk6 (external, physical):
     #:                       TYPE NAME                    SIZE       IDENTIFIER
     0:      GUID_partition_scheme                        *107.4 GB   disk6
     1:                        EFI EFI                     209.7 MB   disk6s1
     2:                 Apple_APFS Container disk7         107.2 GB   disk6s2

  /dev/disk7 (synthesized):
     #:                       TYPE NAME                    SIZE       IDENTIFIER
     0:      APFS Container Scheme -                      +107.2 GB   disk7
                                   Physical Store disk6s2
     1:                APFS Volume Macintosh HD - Data     9.4 GB     disk7s1
     2:                APFS Volume Macintosh HD            9.3 GB     disk7s2
     3:                APFS Volume Preboot                 5.4 GB     disk7s3
     4:                APFS Volume Recovery                754.6 MB   disk7s4
     5:                APFS Volume VM                      20.5 KB    disk7s5
  Note: In the following steps, replace /dev/disk7 with the identifier of your secondary volume.
- To verify that you correctly identified the secondary volume, run the following command:
  diskutil info disk7
  Note: Replace disk7 with the identifier of your secondary volume.
  For the secondary volume, the Device / Media Name value must be Amazon Elastic Block Store.
  Example output:
  $ diskutil info disk7 | grep Device
     Device Identifier:         disk7
     Device Node:               /dev/disk7
     Device / Media Name:       Amazon Elastic Block Store
     Device Block Size:         4096 Bytes
     Device Location:           External
- To mount the secondary volume's Data volume on the operating system (OS), run the following command:
  sudo diskutil mount /dev/disk7s1
  Note: Replace /dev/disk7s1 with the identifier of the Data volume on your secondary volume.
- To verify that the volume is mounted, run the df -h command:
  df -h
  Example output:
  Filesystem        Size    Used   Avail Capacity iused      ifree %iused  Mounted on
  /dev/disk5s2s1   100Gi   8.7Gi    81Gi    10%  356840  846823560    0%   /
  devfs            228Ki   228Ki     0Bi   100%     788          0  100%   /dev
  /dev/disk5s5     100Gi    20Ki    81Gi     1%       0  846823560    0%   /System/Volumes/VM
  /dev/disk5s3     100Gi   5.0Gi    81Gi     6%     941  846823560    0%   /System/Volumes/Preboot
  /dev/disk1s2     500Mi   6.0Mi   392Mi     2%       1    4010720    0%   /System/Volumes/xarts
  /dev/disk1s1     500Mi    52Mi   392Mi    12%      53    4010720    0%   /System/Volumes/iSCPreboot
  /dev/disk1s3     500Mi   636Ki   392Mi     1%      51    4010720    0%   /System/Volumes/Hardware
  /dev/disk5s1     100Gi   4.5Gi    81Gi     6%  160213  846823560    0%   /System/Volumes/Data
  /dev/disk3s4     228Gi   108Ki   212Gi     1%      17 2223298800    0%   /private/tmp/tmp-mount-K1ov0m
  map auto_home      0Bi     0Bi     0Bi   100%       0          0  100%   /System/Volumes/Data/home
  /dev/disk7s1     100Gi   8.8Gi    77Gi    11%  204661  802361480    0%   /Volumes/Macintosh HD - Data
  Note: Replace /dev/disk7s1 with the identifier of the Data volume on your secondary volume.
- To open the mount point directory and access the volume's data, run the following command:
  cd /Volumes/Macintosh\ HD\ -\ Data
  Note: Replace /Volumes/Macintosh HD - Data with the file path of your mount point directory.
- To copy the data from the secondary volume to the root volume of your new instance, use rsync. If rsync isn't already available on the instance, install it with the following command:
  brew install rsync
- Run the following commands so that a secure token isn't issued to ec2-user when its password is set, now or in the future:
  sudo dscl . -append /Users/ec2-user AuthenticationAuthority ";DisabledTags;SecureToken"
  sudo /usr/bin/dscl . -passwd /Users/ec2-user
  If you receive errors when you run the preceding dscl -passwd command, then run the following command instead:
  sudo passwd ec2-user
  Note: Replace ec2-user with your Amazon EC2 username.
- To verify that the user doesn't have a secure token, run the following command:
  sysadminctl -secureTokenStatus ec2-user
  Note: Replace ec2-user with your Amazon EC2 username.
- To show the secure token status of all users, run the following command:
  for user in $(ls /Users); do echo "$user"; sysadminctl -secureTokenStatus "$user"; done
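The riskiest moment in this procedure is the step that identifies the secondary volume: mounting and copying from the wrong disk, or disabling the secure token on the wrong instance, is easy if you read disk7 off a busy diskutil listing by eye. The following POSIX sh helpers, added here as an example and not part of the AWS article, check two facts from the text output the article shows before anything is mounted: that the chosen disk really reports Amazon Elastic Block Store as its media name, and which slice inside that container is the Macintosh HD - Data volume. The sample outputs are constructed from the article's own example output so the script runs offline on any system with sh and awk; on an actual EC2 Mac instance you would feed it "$(diskutil info disk7)" and "$(diskutil list)" instead. Function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the AWS article): parse diskutil output in text form so the
# disk-identification step can be verified before running diskutil mount.

# Constructed sample of `diskutil info disk7`, matching the article's example output.
SAMPLE_INFO='   Device Identifier:         disk7
   Device Node:               /dev/disk7
   Device / Media Name:       Amazon Elastic Block Store
   Device Block Size:         4096 Bytes
   Device Location:           External'

# Constructed excerpt of `diskutil list` for the external EBS disk and its container.
SAMPLE_LIST='/dev/disk6 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *107.4 GB   disk6
   1:                        EFI EFI                     209.7 MB   disk6s1
   2:                 Apple_APFS Container disk7         107.2 GB   disk6s2

/dev/disk7 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +107.2 GB   disk7
                                 Physical Store disk6s2
   1:                APFS Volume Macintosh HD - Data     9.4 GB     disk7s1
   2:                APFS Volume Macintosh HD            9.3 GB     disk7s2
   3:                APFS Volume Preboot                 5.4 GB     disk7s3
   4:                APFS Volume Recovery                754.6 MB   disk7s4
   5:                APFS Volume VM                      20.5 KB    disk7s5'

# ebs_identifier INFO_TEXT
# Prints the device identifier only when "Device / Media Name" is exactly
# "Amazon Elastic Block Store"; otherwise prints nothing and returns 1, so a
# caller cannot fall through and mount the instance's own boot disk.
ebs_identifier() {
  printf '%s\n' "$1" | awk '
    /Device Identifier:/    { id = $NF }
    /Device \/ Media Name:/ { sub(/.*Device \/ Media Name:[ \t]*/, ""); media = $0 }
    END {
      if (media == "Amazon Elastic Block Store" && id != "") { print id; exit 0 }
      exit 1
    }'
}

# data_volume LIST_TEXT CONTAINER
# Within the "/dev/CONTAINER (synthesized):" section of a diskutil list, prints the
# identifier of the "Macintosh HD - Data" volume (disk7s1 in the article), which is
# the volume the article mounts and copies user data from.
data_volume() {
  printf '%s\n' "$1" | awk -v want="/dev/$2 (synthesized):" '
    $0 == want { in_container = 1; next }
    /^\/dev\// { in_container = 0 }
    in_container && /APFS Volume Macintosh HD - Data/ { print $NF; exit }'
}

# Stand-alone demonstration on the constructed samples.
disk=$(ebs_identifier "$SAMPLE_INFO") || { echo "not an EBS volume, refusing" >&2; exit 1; }
echo "secondary EBS disk: $disk"
echo "data volume to mount: $(data_volume "$SAMPLE_LIST" "$disk")"
```

On a live instance, a wrapper such as `disk=$(ebs_identifier "$(diskutil info "$1")") || exit 1` followed by `sudo diskutil mount "/dev/$(data_volume "$(diskutil list)" "$disk")"` turns the article's manual eyeballing into a check that fails closed when the identifier is wrong.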
