How can I connect to my Amazon EC2 instance if I lost my SSH key pair after its initial launch?


I want to connect to my Amazon Elastic Compute Cloud (Amazon EC2) instance but have lost the SSH key pair.

Resolution

Important:

Methods 1, 2, and 3 require a stop and start of the instance. Be aware of the following:

  • If your instance is instance store-backed or has instance store volumes containing data, then the data is lost when you stop the instance. For more information, see Determine the root device type of your instance. Be sure that you back up any data that you want to keep on the instance store volume.
  • Stopping and restarting the instance changes the public IP address of your instance. It's a best practice to use an Elastic IP address instead of a public IP address when routing external traffic to your instance.

Method 1: Enter user-data

1.    Create a new key pair.

2.    If you create the private key in the Amazon EC2 console, then retrieve the public key for the key pair.

3.    Open the Amazon EC2 console.

4.    Stop your instance.

5.    Choose Actions, Instance settings, Edit user data.

6.    Copy the following script into the Edit user data dialog box:

Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [users-groups, once]
users:
  - name: username
    ssh-authorized-keys: 
    - PublicKeypair

Replace username with your user name, such as ec2-user. You can enter the default user name, or enter a custom user name, if one was previously set up for the instance. For a list of default user names, see Get information about your instance.

Replace PublicKeypair with the public key retrieved in step 2. Be sure to enter the entire public key, starting with ssh-rsa.

7.    Choose Save.

8.    Start your instance.

9.    After the cloud-init phase is complete, validate that the new public key is in place by connecting to the instance with the new private key.

Important: Because the script contains the public key, remove the script from the User Data field.

10.    Stop your instance.

11.    Choose Actions, Instance Settings, Edit user data.

12.    Delete all the text in the Edit user data dialog box, and then choose Save.

13.    Start your instance.
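As an added example that is not part of the AWS article, the POSIX shell script below builds the Method 1 user-data from a public key line and performs the step 9 check by looking for that key in an authorized_keys file (for example one read over EC2 Instance Connect or the serial console). The helper names valid_pubkey, make_userdata and key_installed are hypothetical, and the user name and key material used when running it are constructed.

```shell
#!/bin/sh
# Added example, not part of the AWS article: build the Method 1 user-data
# from a public key line and check afterwards that the key landed in
# authorized_keys. Helper names are hypothetical; sample values are constructed.

# Syntactic check for an OpenSSH public key line: key type, base64 blob,
# optional comment. EC2 key pairs are RSA (ssh-rsa) or ED25519 (ssh-ed25519).
valid_pubkey() {
  printf '%s\n' "$1" |
    grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^ ].*)?$'
}

# Print the multipart user-data for login user $1 and public key line $2.
# Only the type and blob are kept, so a local comment never ends up in user data.
make_userdata() {
  user=$1
  key=$(printf '%s\n' "$2" | awk '{ print $1 " " $2 }')
  valid_pubkey "$key" || { echo "not an OpenSSH public key: $2" >&2; return 1; }
  cat <<EOF
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [users-groups, once]
users:
  - name: $user
    ssh-authorized-keys:
    - $key
EOF
}

# Step 9 check: does the authorized_keys file $1 (read on the instance, or
# fetched over EC2 Instance Connect or the serial console) hold key $2?
# Compare type and blob only; the comment field is not part of the key.
key_installed() {
  want=$(printf '%s\n' "$2" | awk '{ print $1 " " $2 }')
  awk -v want="$want" '($1 " " $2) == want { found = 1 } END { exit found ? 0 : 1 }' "$1"
}
```

Paste the output of make_userdata into the Edit user data dialog in step 6; key_installed exits 0 only when the exact key type and blob are present, so a differing comment field does not cause a false negative.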

Method 2: Use AWS Systems Manager

If your instance is a managed instance in AWS Systems Manager, then use the AWSSupport-ResetAccess document to recover your lost key pair. AWSSupport-ResetAccess automatically generates and adds a new SSH (public/private) key pair using the EC2 Rescue for Linux tool on the specified EC2 instance.

The new SSH private key for your instance is encrypted and saved in Parameter Store, a capability of AWS Systems Manager. The parameter name is /ec2rl/openssh/instance_id/key.

Use the following command to retrieve the private SSH key from Parameter Store:

$ aws ssm get-parameters --names "/ec2rl/openssh/instance_id/key" --with-decryption --output json --query "Parameters[0].Value" | sed 's:\\n:\n:g; s:^"::; s:"$::' > key-pair-name

Note: Be sure to replace instance_id with your instance ID, and replace key-pair-name with your key pair's name.

Then, create a new .pem file with this parameter's value as its content, and use it to connect back to your unreachable instance. The retrieved value is already the private key; restrict the file's permissions (ssh ignores a private key that other users can read) and rewrite it in PEM format with the following commands:

$ cp key-pair-name key-pair-name.pem && chmod 600 key-pair-name.pem
$ ssh-keygen -p -m PEM -N "" -f key-pair-name.pem

Note: Be sure to replace key-pair-name with your key pair's name.
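As an added example that is not part of the AWS article, the shell function below takes the JSON string that the aws ssm get-parameters command above prints and turns it into a private key file that ssh will accept, handling the two ways that step goes wrong in practice: the parameter name was mistyped (the CLI then prints null) and the file is left world-readable. The helper name ssm_key_to_file is hypothetical, and the CLI output used when running it is constructed.

```shell
#!/bin/sh
# Added example, not part of the AWS article. Input $1 is the value printed by
#   aws ssm get-parameters ... --output json --query "Parameters[0].Value"
# (a quoted JSON string with \n escapes); $2 is the destination file.
# Fails when the parameter was not found (the CLI prints null) or when the
# value is not a private key, and never leaves a key readable by other users.
ssm_key_to_file() {
  json=$1
  out=$2
  case $json in
    null|'')
      echo "parameter not found: check instance_id in the parameter name" >&2
      return 1 ;;
  esac
  # Same unescaping as the article's pipeline, but created under umask 077 so
  # the key is private from the moment it touches disk; chmod covers the case
  # where $out already existed.
  rm -f "$out"
  ( umask 077; printf '%s' "$json" | sed 's:\\n:\n:g; s:^"::; s:"$::' > "$out" )
  chmod 600 "$out"
  # A usable value starts with a private-key header; anything else is not a key.
  if ! head -n 1 "$out" | grep -Eq '^-----BEGIN (RSA |OPENSSH |EC )?PRIVATE KEY-----$'; then
    echo "value written to $out is not a private key" >&2
    rm -f "$out"
    return 1
  fi
  printf '%s\n' "$out"
}
```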

The Automation workflow creates a backup, password-enabled Amazon Machine Image (AMI). The new AMI isn't automatically deleted and remains in your account.

To locate these AMIs:

1.    Open the Amazon EC2 console, and then choose AMIs.

2.    Enter the Automation execution ID in the search field.

Method 3: Use Amazon EC2 Instance Connect

If your instance is Amazon Linux 2 2.0.20190618 or later, including Amazon Linux 2023, then you can use EC2 Instance Connect to connect to the instance.

Method 4: Use the EC2 Serial Console

If you turned on EC2 Serial Console for Linux, then you can use it to troubleshoot supported Nitro-based instance types. The serial console helps you troubleshoot boot issues, network configuration, and SSH configuration issues. The serial console connects to your instance without the need for a working network connection. You can access the serial console using the Amazon EC2 console or the AWS Command Line Interface (AWS CLI).

Before using the serial console, grant access to it at the account level. Then create AWS Identity and Access Management (IAM) policies granting access to your IAM users. Also, every instance using the serial console must include at least one password-based user. If your instance is unreachable and you haven’t configured access to the serial console, follow the instructions in Method 1, Method 2, or Method 3. For information on configuring the EC2 Serial Console for Linux, see Configure access to the EC2 Serial Console.

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

Related information

Run commands on your Linux instance at launch

AWS Systems Manager Automation

AWS OFFICIAL. Updated a year ago.
2 Comments

For method 1, how do I do this? "9. After the cloud-init phase is complete, validate that the public key was replaced."

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied a year ago