How do I reset the administrator password on an EC2 Windows instance?
I want to reset the administrator password on my Amazon Elastic Compute Cloud (Amazon EC2) Windows instance.
Resolution
Systems Manager Run Command AWSSupport-RunEC2RescueForWindowsTool (online method)
Prerequisites:
- You must configure AWS Systems Manager, and then install the Systems Manager agent on the instance. For more information, see Setting up AWS Systems Manager.
- The instance must have internet access and use a public IP address or NAT gateway.
-or-
The instance must use an Amazon Virtual Private Cloud (Amazon VPC) endpoint configured for Systems Manager.
For more information, see AWS PrivateLink concepts.
To use Systems Manager Run Command to reset the administrator password, complete the following steps:
- Attach the following policy to the AWS Identity and Access Management (IAM) role associated with the instance:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:PutParameter"
      ],
      "Resource": [
        "arn:aws:ssm:*:*:parameter/EC2Rescue/Passwords/i-*"
      ]
    }
  ]
}
This policy allows the instance to write the new password to Parameter Store as an encrypted (SecureString) parameter. The identity that later retrieves the password separately needs ssm:GetParameter on that parameter and kms:Decrypt on the key that encrypts it.
- Open the Systems Manager console.
- In the navigation pane, choose Run Command.
- Choose Run a Command.
- For Command document, choose AWSSupport-RunEC2RescueForWindowsTool.
- For Command parameters, verify that Command is set to ResetAccess.
- For Targets, choose Choose instances manually, and then select your instance.
- Choose Run.
- In the Targets and outputs section, select the Instance ID for your instance.
- Choose View output for instructions on how to retrieve the new password.
Note: After you regain access to your instance, it's a best practice to rotate the password and then delete the parameter from Parameter Store.
For more information, see Troubleshoot impaired Windows instance with EC2Rescue and Systems Manager.
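The same ResetAccess flow driven from the AWS CLI, including the password retrieval and the cleanup that the note above recommends. This is an added example, not code from the AWS article or from the EC2Rescue document itself. It assumes an AWS CLI profile whose caller holds ssm:SendCommand, ssm:GetCommandInvocation, ssm:GetParameter, ssm:DeleteParameter and kms:Decrypt on the key that protects the parameter, and it infers the parameter path /EC2Rescue/Passwords/<instance-id> from the policy Resource shown above; the command output states the actual parameter name, so confirm it there. Set DRY_RUN=1 to print the commands instead of running them.

```bash
#!/usr/bin/env bash
# Added example (not from the AWS article): run AWSSupport-RunEC2RescueForWindowsTool
# with Command=ResetAccess from the CLI, read the password it stores in Parameter Store,
# and delete that parameter once the password has been rotated.
# Assumptions: the caller has ssm:SendCommand, ssm:GetCommandInvocation, ssm:GetParameter,
# ssm:DeleteParameter and kms:Decrypt on the key protecting the parameter. The parameter
# path below is inferred from the IAM policy's Resource ARN; check the command output.
set -eu

# Print the command instead of executing it when DRY_RUN=1, so the run can be reviewed.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Parameter name derived from the policy resource arn:aws:ssm:*:*:parameter/EC2Rescue/Passwords/i-*
password_parameter_name() {
  printf '/EC2Rescue/Passwords/%s\n' "$1"
}

# Step 1: send ResetAccess to the instance; prints the CommandId.
reset_access() {
  run aws ssm send-command \
    --document-name AWSSupport-RunEC2RescueForWindowsTool \
    --instance-ids "$1" \
    --parameters Command=ResetAccess \
    --query 'Command.CommandId' --output text
}

# Step 2: poll the invocation until it leaves a non-terminal state (max ~10 minutes).
# A lookup that fails right after send-command (invocation not yet visible) counts as Pending.
wait_for_command() {
  command_id=$1; instance_id=$2; attempts=0
  while :; do
    status=$(run aws ssm get-command-invocation \
      --command-id "$command_id" --instance-id "$instance_id" \
      --query Status --output text 2>/dev/null || echo Pending)
    case $status in
      Pending|InProgress|Delayed)
        attempts=$((attempts + 1))
        [ "$attempts" -lt 60 ] || { printf 'TimedOut\n'; return 0; }
        sleep 10 ;;
      *) printf '%s\n' "$status"; return 0 ;;
    esac
  done
}

# Step 3: read the new password; --with-decryption needs kms:Decrypt on the parameter's key.
read_password() {
  run aws ssm get-parameter \
    --name "$(password_parameter_name "$1")" --with-decryption \
    --query 'Parameter.Value' --output text
}

# Step 4: after logging in and rotating the password, remove the recovery parameter so the
# old credential does not linger in Parameter Store.
delete_password_parameter() {
  run aws ssm delete-parameter --name "$(password_parameter_name "$1")"
}

main() {
  instance_id=${1:?usage: $0 <instance-id>}
  command_id=$(reset_access "$instance_id")
  status=$(wait_for_command "$command_id" "$instance_id")
  [ "$status" = Success ] || { echo "ResetAccess ended with status $status" >&2; exit 1; }
  echo "Administrator password (rotate it after first login, then delete the parameter):"
  read_password "$instance_id"
}

# Run only when RUN_EXAMPLE=1 so the functions can also be sourced individually.
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then main "$@"; fi
```

Run it as `RUN_EXAMPLE=1 ./reset-access.sh i-0123456789abcdef0`, log in, change the password, and then call `delete_password_parameter i-0123456789abcdef0` from the same shell.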
Systems Manager Automation with AWSSupport-ResetAccess (offline method)
Important: Before you run the automation, review the following information:
- If you don't use an Elastic IP address, then the public IP address is released when you stop the instance.
- If the instance has an instance store volume, then any data on it is lost when the instance stops.
- If the instance shutdown behavior is set to Terminate, then the instance terminates when it stops.
- If the instance is part of an Auto Scaling group, then first detach the instance from the Auto Scaling group. Then, after you stop and start the instance, attach the instance back to the Auto Scaling group.
AWSSupport-ResetAccess is a Systems Manager Automation document that uses AWS CloudFormation and AWS Lambda functions to automate EC2Rescue offline password reset. The automation document performs the following operations:
- Creates an instance to assist with recovery in your Availability Zone.
- Attaches and detaches Amazon Elastic Block Store (Amazon EBS) volumes.
- Runs the EC2Rescue tool.
- Creates an Amazon VPC for EC2Rescue that's isolated from your environment.
- Creates a backup Amazon Machine Image (AMI) of the instance.
You can use the AWSSupport-ResetAccess document in the following scenarios:
- You lost your Amazon EC2 key pair. You want to create a password-activated AMI from your EC2 instance to launch a new instance with an existing key pair.
- You lost your local administrator password. You want to generate a new password that you can decrypt with the current Amazon EC2 key pair.
Important: You can't use the AWSSupport-ResetAccess document with encrypted root Amazon EBS volumes.
To use AWSSupport-ResetAccess to reset your password, complete the following steps:
- Open the Systems Manager console.
- In the navigation pane, choose Automation.
- Choose Execute automation.
- For Automation document, choose AWSSupport-ResetAccess, and then choose Next.
- For Input parameters, enter the InstanceID of your EC2 instance.
- Choose Execute.
- Wait until the state changes to Success. This can take up to 25 minutes.
Note: On the Execution detail page, view Executed steps to monitor the progress. Expand Outputs to view the output of the automation. To return to this page, open the Systems Manager console, and then choose Automation from the navigation pane. Select the running automation, and then choose View details.
- Use your existing key pair to decode the newly generated password from the Amazon EC2 console. For more information, see How do I retrieve my Windows administrator password after I launch an EC2 instance?
Lost Amazon EC2 key pair
If you lose your Amazon EC2 key pair, then complete the following steps:
- Stop your instance.
- Open the Amazon EC2 console, and then choose AMIs.
- Search for your instance ID.
- Select the AMI named AWSSupport-EC2Rescue-Post-Script-Backup-i-#########_Date, and then choose Launch.
- Follow the launch wizard to specify the configuration of your instance, and then select a key pair that you own.
- Verify that you can connect to the new instance and that your applications work as expected before you terminate the other instance.
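Both AWSSupport-ResetAccess outcomes from the AWS CLI: start the automation and wait for it, then either decode the regenerated password with the key pair you still hold or, if the key pair is lost, locate the backup AMI the automation created and relaunch from it with a new key pair. This is an added example, not code from the AWS article or from the automation document. It assumes the document's input parameter is named InstanceId (the console labels it InstanceID), takes the backup AMI name prefix AWSSupport-EC2Rescue-Post-Script-Backup-<instance-id> from the section above, and needs a caller with ssm:StartAutomationExecution, ssm:GetAutomationExecution, ec2:GetPasswordData, ec2:DescribeImages and ec2:RunInstances. Set DRY_RUN=1 to print the commands instead of running them.

```bash
#!/usr/bin/env bash
# Added example (not from the AWS article): run AWSSupport-ResetAccess from the CLI, then
# decode the new password with the existing key pair, or find the backup AMI for a relaunch
# with a new key pair when the original key pair is lost.
# Assumptions: the automation input parameter is InstanceId; the backup AMI name prefix is
# the one the article names; the caller has ssm:StartAutomationExecution,
# ssm:GetAutomationExecution, ec2:GetPasswordData, ec2:DescribeImages, ec2:RunInstances.
set -eu

# Print the command instead of executing it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Start the automation; prints the AutomationExecutionId.
start_reset_access() {
  run aws ssm start-automation-execution \
    --document-name AWSSupport-ResetAccess \
    --parameters "InstanceId=$1" \
    --query AutomationExecutionId --output text
}

# Poll until the execution is terminal. The article says to allow up to 25 minutes.
wait_for_automation() {
  execution_id=$1; attempts=0
  while :; do
    status=$(run aws ssm get-automation-execution \
      --automation-execution-id "$execution_id" \
      --query 'AutomationExecution.AutomationExecutionStatus' --output text)
    case $status in
      Pending|InProgress|Waiting|Cancelling)
        attempts=$((attempts + 1))
        [ "$attempts" -lt 60 ] || { printf 'TimedOut\n'; return 0; }
        sleep 30 ;;
      *) printf '%s\n' "$status"; return 0 ;;
    esac
  done
}

# Scenario 1 (key pair still held): decrypt the regenerated password locally with the
# private key. The key never leaves this machine; only ciphertext comes back from EC2.
decode_password() {
  run aws ec2 get-password-data --instance-id "$1" \
    --priv-launch-key "$2" \
    --query PasswordData --output text
}

# Scenario 2 (key pair lost): find the newest backup AMI the automation created.
backup_ami_name_prefix() { printf 'AWSSupport-EC2Rescue-Post-Script-Backup-%s' "$1"; }

find_backup_ami() {
  run aws ec2 describe-images --owners self \
    --filters "Name=name,Values=$(backup_ami_name_prefix "$1")*" \
    --query 'sort_by(Images,&CreationDate)[-1].ImageId' --output text
}

# Launch from that AMI with a key pair you own. Subnet, security groups and instance type
# are not set here; copy them from the original instance before running for real.
launch_from_backup() {
  image_id=$1; key_name=$2; instance_type=${3:-t3.medium}
  run aws ec2 run-instances --image-id "$image_id" --key-name "$key_name" \
    --instance-type "$instance_type" --count 1 \
    --query 'Instances[0].InstanceId' --output text
}

main() {
  instance_id=${1:?usage: $0 <instance-id> [private-key.pem]}
  exec_id=$(start_reset_access "$instance_id")
  status=$(wait_for_automation "$exec_id")
  [ "$status" = Success ] || { echo "automation ended with status $status" >&2; exit 1; }
  if [ -n "${2:-}" ]; then
    decode_password "$instance_id" "$2"
  else
    echo "Key pair lost: relaunch from backup AMI $(find_backup_ami "$instance_id") with launch_from_backup"
  fi
}

if [ "${RUN_EXAMPLE:-0}" = 1 ]; then main "$@"; fi
```

Verify the relaunched instance works before terminating the original, as the section above says; the backup AMI is a point-in-time copy taken by the automation, not a live mirror.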
EC2Rescue (offline or online method)
To use EC2Rescue to reset the administrator password at the next instance boot, complete the following steps:
- Create a temporary helper instance that's in the same Availability Zone as the instance that you want to reset the password for. Or, you can use an instance with Remote Desktop Protocol (RDP) access that's in the same Availability Zone.
- Take a snapshot or create an AMI backup of the instance that needs the password reset.
- Stop the instance that needs the password reset.
- Detach the root volume from the instance that needs the password reset.
- Attach the root volume that you detached to the temporary helper instance as a secondary (non-root) device, for example /dev/xvdf.
- Download EC2Rescue, extract the zip file, and then run the EC2Rescue executable.
- Run the EC2Rescue tool. Choose Offline Instance, and then select the root EBS volume that you attached to the temporary helper instance.
- Choose Diagnose and Rescue. In Detect possible issues, select the Ec2SetPassword check box, and then choose Next.
- Complete the EC2Rescue launch wizard. Then, attach the root EBS volume back to the original instance to verify the new password.
For more information, see How do I use EC2Rescue to troubleshoot issues in my Amazon EC2 Windows instance?
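The volume-handling half of the offline procedure above, scripted with the AWS CLI: back up, stop, detach the root volume, attach it to the helper, and after EC2Rescue has run, return it to the original instance under its original root device name. This is an added example, not code from the AWS article or from the EC2Rescue tool; the EC2Rescue GUI steps on the helper stay manual. It assumes a caller with ec2:DescribeInstances, ec2:CreateImage, ec2:StopInstances, ec2:StartInstances, ec2:DetachVolume and ec2:AttachVolume, and that nothing is already attached to the helper at the chosen secondary device name (default /dev/xvdf). The same-Availability-Zone check and the reuse of the original root device name are the two details that most often go wrong by hand. Set DRY_RUN=1 to print the commands instead of running them.

```bash
#!/usr/bin/env bash
# Added example (not from the AWS article): move a stopped Windows instance's root volume
# to a helper in the same Availability Zone for offline EC2Rescue, then move it back.
# Assumptions: the caller has ec2:DescribeInstances, ec2:CreateImage, ec2:StopInstances,
# ec2:StartInstances, ec2:DetachVolume, ec2:AttachVolume; device /dev/xvdf is free on the helper.
set -eu

# Print the command instead of executing it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

availability_zone() {
  run aws ec2 describe-instances --instance-ids "$1" \
    --query 'Reservations[0].Instances[0].Placement.AvailabilityZone' --output text
}

# Root device name (for example /dev/sda1). It must be reused when the volume goes back,
# or the instance will not boot from it.
root_device_name() {
  run aws ec2 describe-instances --instance-ids "$1" \
    --query 'Reservations[0].Instances[0].RootDeviceName' --output text
}

# EBS volume ID behind the given device name.
root_volume_id() {
  run aws ec2 describe-instances --instance-ids "$1" \
    --query "Reservations[0].Instances[0].BlockDeviceMappings[?DeviceName=='$2'].Ebs.VolumeId | [0]" \
    --output text
}

# Backup before touching anything (the article: snapshot or AMI first). create-image reboots
# the instance for consistency unless --no-reboot is added.
backup_image() {
  run aws ec2 create-image --instance-id "$1" \
    --name "pre-password-reset-$1-$(date +%Y%m%dT%H%M%S)" \
    --query ImageId --output text
}

stop_and_wait() {
  run aws ec2 stop-instances --instance-ids "$1" \
    --query 'StoppingInstances[0].CurrentState.Name' --output text
  run aws ec2 wait instance-stopped --instance-ids "$1"
}

# Detach the root volume from the stopped target and attach it to the helper as a data disk.
move_root_to_helper() {
  volume_id=$1; helper_id=$2; device=${3:-/dev/xvdf}
  run aws ec2 detach-volume --volume-id "$volume_id" --query State --output text
  run aws ec2 wait volume-available --volume-ids "$volume_id"
  run aws ec2 attach-volume --volume-id "$volume_id" --instance-id "$helper_id" \
    --device "$device" --query State --output text
}

# After EC2Rescue has set the password: give the volume back under the original root device
# name and start the instance so the new password can be verified over RDP.
return_root_volume() {
  volume_id=$1; instance_id=$2; root_device=$3
  run aws ec2 detach-volume --volume-id "$volume_id" --query State --output text
  run aws ec2 wait volume-available --volume-ids "$volume_id"
  run aws ec2 attach-volume --volume-id "$volume_id" --instance-id "$instance_id" \
    --device "$root_device" --query State --output text
  run aws ec2 wait volume-in-use --volume-ids "$volume_id"
  run aws ec2 start-instances --instance-ids "$instance_id" \
    --query 'StartingInstances[0].CurrentState.Name' --output text
}

main() {
  target=${1:?usage: $0 <target-instance-id> <helper-instance-id>}
  helper=${2:?usage: $0 <target-instance-id> <helper-instance-id>}
  [ "$(availability_zone "$target")" = "$(availability_zone "$helper")" ] \
    || { echo "helper must be in the same Availability Zone as the target" >&2; exit 1; }
  root_dev=$(root_device_name "$target")
  vol=$(root_volume_id "$target" "$root_dev")
  echo "Backup AMI: $(backup_image "$target")"
  stop_and_wait "$target"
  move_root_to_helper "$vol" "$helper"
  echo "Run EC2Rescue (Offline Instance, Ec2SetPassword) on $helper against $vol, then:"
  echo "  return_root_volume $vol $target $root_dev"
}

if [ "${RUN_EXAMPLE:-0}" = 1 ]; then main "$@"; fi
```

Take the volume offline in the helper's OS (or stop the helper) before `return_root_volume`, and note the warnings in the offline section above: stopping releases a non-Elastic public IP, discards instance store data, and terminates an instance whose shutdown behavior is Terminate.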
Managed nodes (online method)
You can reset the password for any user on a managed node of an EC2 instance. Make sure to confirm that you meet all the prerequisites before you use this option:
- Open the Systems Manager console.
- In the navigation pane, choose Fleet Manager.
- Select the node that needs a new password.
- In the Node actions menu, select Node Settings. Then, choose Reset Node User Password.
Note: Encryption is mandatory to use the Reset Password feature. Configure the AWS Key Management Service (AWS KMS) key on the Session Manager Preferences page.
- Attach the following policy to the IAM role associated with the instance so that it can decrypt with that key:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowKMSDecrypt",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:REGION:AccountID:key/KeyId"
    }
  ]
}
Replace REGION, AccountID, and KeyId with your values. The instance profile or IAM role attached to the instance must have the kms:Decrypt permission for the key that you specified when you configured encryption for Session Manager.
- For User name, select a username from the list or enter the name of the user whose password you want to change. This can be any username that has an account on the node.
- Choose Submit.
- Follow the prompts in the Enter new password command window to specify the new password.
Related information
Identity and access management for Amazon EC2
Troubleshoot issues with Amazon EC2 Windows instances
Troubleshoot impaired Amazon EC2 Windows instance using EC2Rescue