How can I reset the administrator password on an EC2 Windows instance?
I want to reset the administrator password on my Amazon Elastic Compute Cloud (Amazon EC2) Windows instance.
Resolution
You can use AWS Systems Manager or EC2Rescue for Windows Server to reset the administrator password on your EC2 Windows instance.
Systems Manager Run Command AWSSupport-RunEC2RescueForWindowsTool (online method)
Prerequisites:
- You must configure Systems Manager for your AWS account, and then install the Systems Manager agent on the instance. For more information, see Setting up AWS Systems Manager.
- The instance must have internet access (for Systems Manager) using a public IP address or NAT.
-or-
The instance must use an Amazon Virtual Private Cloud (Amazon VPC) endpoint configured for Systems Manager.
For more information, see AWS PrivateLink concepts.
To reset the administrator password with Systems Manager using the Run Command, use the following steps:
1. Attach the following policy to the AWS Identity and Access Management (IAM) role associated with the instance to write the encrypted password to Parameter Store:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:PutParameter" ], "Resource": [ "arn:aws:ssm:*:*:parameter/EC2Rescue/Passwords/i-*" ] } ] }
2. Open the AWS Systems Manager console, and then choose Run Command from the navigation pane.
3. Choose Run a Command.
4. For Command document, choose AWSSupport-RunEC2RescueForWindowsTool.
5. For Command parameters, verify that Command is set to ResetAccess.
6. For Targets, choose Choose instances manually, and then select your instance.
7. Choose Run.
8. In the Targets and outputs section, select the Instance ID for your instance.
9. Choose View output for instructions on how to retrieve the new password.
10. After you regain access to your instance, it's a best practice to rotate the password and then delete the parameter from Parameter Store.
For more information, see Use EC2Rescue for Windows Server with Systems Manager Run Command.
Reset passwords on managed nodes (online method)
You can reset the password for any user on a managed node of an Amazon EC2 instance.
For detailed instructions, see Reset a password on a managed node. Be sure to confirm you meet all the prerequisites before using this method.
1. Open the Systems Manager console.
2. In the left hand navigation pane, choose Fleet Manager.
3. Select the node that needs a new password.
4. In the Instance actions menu, choose Reset password.
5. For User name, enter the name of the user for which you're changing the password. This can be any user name that has an account on the node.
6. Choose Submit.
7. Follow the prompts in the Enter new password command window to specify the new password.
Systems Manager Automation AWSSupport-ResetAccess (offline method)
Warning: Before you run the automation, be aware of the following:
- If you're not using an Elastic IP address, then the public IP address is released when you stop the instance.
- If this instance has an instance store volume, then any data on it is lost when the instance stops.
- If the instance shutdown behavior is set to Terminate, then the instance terminates when it stops.
- If the instance is part of an Auto Scaling group, first detach the instance from the Auto Scaling Group. Then, after you stop and start the instance, attach the instance back to the Auto Scaling group.
For more information, see Stop and start your instance.
AWSSupport-ResetAccess is a Systems Manager Automation document that automates EC2Rescue offline password reset using AWS CloudFormation and AWS Lambda functions. The automation document performs the following operations:
- Creates an instance to assist with recovery in your Availability Zone.
- Attaches and detaches Amazon Elastic Block Store (Amazon EBS) volumes.
- Runs the EC2Rescue utility.
- Creates an Amazon VPC for EC2Rescue that's isolated from your environment.
- Creates a backup AMI of the instance.
You can use the AWSSupport-ResetAccess document in the following scenarios:
- You lost your EC2 key pair. Now, you want to create a password-enabled AMI from your EC2 instance to launch a new instance with an existing key pair.
- You lost your local administrator password. Now you want to generate a new password that you can decrypt with the current EC2 key pair.
Important: You can't use the AWSSupport-ResetAccess document with encrypted root EBS volumes.
1. Open the Systems Manager console, and then choose Automation from the navigation pane.
2. Choose Execute automation.
3. For Automation document, choose AWSSupport-ResetAccess, and then choose Next.
4. For Input parameters, enter the InstanceID of your EC2 instance.
5. Choose Execute.
6. Wait until the state changes to Success. This can take up to 25 minutes.
Note: On the Execution detail page, view Executed steps to monitor the progress. Expand Outputs to view the output of the automation. To return to this page, open the Systems Manager console, and then choose Automation from the navigation pane. Select the running automation, and then choose View details.
7. Use your existing key pair to decode the newly generated password from the EC2 console. For more information, see How do I retrieve my Windows administrator password after launching an instance?
If you lost your EC2 key pair
1. Stop your instance.
Warning: Before you stop an instance, be aware of the following:
- If you're not using an Elastic IP address, then the public IP address releases when you stop the instance.
- If this instance has an instance store volume, then any data on it is lost when the instance stops.
- If the instance shutdown behavior is set to Terminate, then the instance terminates when it stops.
- If the instance is part of an Auto Scaling group, then first detach the instance from the Auto Scaling Group. Then, after you stop and start the instance, attach the instance back to the Auto Scaling group.
For more information, see Stop and start your instance.
2. Open the Amazon EC2 console, and then choose AMIs.
3. Search for your instance ID.
4. Select the AMI named AWSSupport-EC2Rescue-Post-Script-Backup-i-xxxxxxxxx_Date, and then choose Launch.
5. Follow the Launch Wizard to specify the configuration of your instance, and then select a key pair that you own.
6. Verify that you can connect to the new instance and that your applications are working as expected before terminating the other instance.
EC2Rescue (offline or online method)
To reset the administrator password at the next instance boot using EC2Rescue, do the following:
1. Create a temporary helper instance that's in the same Availability Zone as the instance that you want to reset the password for. Or, you can use an instance with RDP access that's in the same Availability Zone.
2. Take a snapshot or create an AMI backup of the instance that needs the password reset.
3. Stop the instance that needs the password reset.
4. Detach the root volume from the instance that needs the password reset.
5. Attach the root volume that was detached in step 4 onto the temporary helper instance from step 1.
6. Download EC2Rescue and extract the zip file by running the EC2Rescue executable.
7. Run the EC2Rescue utility. Choose Offline Instance and select the root EBS volume that you attached to the temporary helper instance.
8. Choose Diagnose and Rescue. In Detect possible issues, select the Ec2SetPassword check box, and then choose Next.
9. Complete the EC2Rescue launch wizard and then attach the root EBS volume back to the original instance to verify the new password.
For more information, see How can I use EC2Rescue to troubleshoot issues with my Amazon EC2 Windows instance?
Related information
Identity and access management for Amazon EC2
Troubleshoot EC2 Windows instances
Use EC2Rescue for Windows Server
Related videos
Relevant content
- asked a year agolg...
- asked a year agolg...
- Accepted Answerasked 2 years agolg...
- asked a year agolg...
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 10 months ago
- AWS OFFICIALUpdated 3 months ago