By using AWS re:Post, you agree to the Terms of Use

Replace root keypair for ec2 instance

0

Hello There,

my question is:

How do I replace the root (default) keypair for my ec2 instance, in my ec2 dashboard?

I know how to add (delete) public ssh keys in the .ssh/authorized_keys file on the machine (linux), but I want to completely replace my root keypair, ALSO in my ec2 dashboard.

Goal is, to make it impossible to login with the old root keypair onto the machine (neither from ssh client nore ec2 instance connect), and only with the new one.

I found it impossible to replace my ec2 root keypair in my ec2 dashboard; and even if I delete its public ssh key in the authorized_keys file, I am still able to connect ...

If not with ssh cient, so at least with ec2 instance connect, which clearly uses the old root keypair.

Seems to me, as if the default keypair is binned to the ec2 instance.

So, there must be a solution to this. Otherwise it means that you cannot replace the default root keypair for your ec2 instance.

Thanks for an answer. Andy

2 Answers
1

Hi,

It is unclear to me what you mean by "root keypair", but perhaps you'll find the information you need in the following documentation:

I hope this helps!

Kind regards, Marilyn AWS

answered 3 days ago
profile picture
EXPERT
reviewed 3 days ago
  • Thanks. I mean the default keypair, which you give your instance, when you start it for the first time. You can see the keypair name in the ec2 instance settings.

    You can use it to ssh into your machine with username root / or ec2-user.

    I don't know how to replace this one keypair.

    Although I deleted public keys for both, root user & ec2-user, I still can login to my machine from my ec2 dashboard (ec2 instance connect) - with both, root or ec2-user. How is this actually possible? It shouldn't be, right?

    I would like to be able to replace that keypair, which is binned to my ec2 instance, and delete it.

    There seems to be no solution for this.

    You guys from aws need to think about how users may replace that default (beginner) keypair with another one.

  • Hi Andy,

    The public key is stored in two different places:

    • In Amazon EC2
    • On the instance

    If you want to get rid of the key pair on your instance, you must delete it from the instance. The documentation at this link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/replacing-key-pair.html explains how to do it.

    On the page linked above, we say this:

    When you launch an instance, you are prompted for a key pair. If you specify a key pair at launch, when your instance boots for the first time, the public key material is placed on your Linux instance in an entry within ~/.ssh/authorized_keys.

    To delete the public key from the instance, you need to edit ~/.ssh/authorized_keys and delete the public key in that file. The steps for how to do this are in the page linked above.

    Kind regards, Marilyn

0

Thanks Marilyn.

As for my purpose, I found the solution. I replace public keys for root & for ec2-user on my instance; afterwards no one can login into my server using the old private key.

  1. However, although I deleted these public keys, I am still able to login to my instance via ec2 instance connect.
  • How is this possible?! (I thought ec2 uses the private key for this; as it seems it may uses a different approach and I can login to my machine without usage of any keypairs from ec2 dashboard?)
  1. The 'old' (default/beginner) keypair is still being shown as default keypair in my ec2 instance dashboard. - I don't know how to replace that here.

My wish would be, that there is a way to delete this old key, and replace it. Also in the ec2 dashboard.

[And that even via ec2 instance connect, I won't be able to login to my machine anymore, once I deleted the old public key / replaced keypair.]

It is a strange feeling, that I am still able to connect to my instance via ec2 instance connect, although I have deleted the public key (for my beginner/default instance keypair) on the machine.

Thank you, God bless, Andy

answered a day ago
  • Hi Andy,

    I'm sorry this is so confusing! Hopefully the information below will clear things up. I'll have to post multiple comments due to the restriction of number of characters allowed in a comment.

    1. However, although I deleted these public keys, I am still able to login to my instance via ec2 instance connect.

    How is this possible?! (I thought ec2 uses the private key for this; as it seems it may uses a different approach and I can login to my machine without usage of any keypairs from ec2 dashboard?)

    Answer: This is how EC2 Instance Connect works: When you connect to an instance using EC2 Instance Connect, the EC2 Instance Connect API pushes a one-time-use SSH public key to the instance metadata where it remains for 60 seconds. An IAM policy attached to your IAM user authorizes your IAM user to push the public key to the instance metadata. The SSH daemon uses AuthorizedKeysCommand and AuthorizedKeysCommandUser, which are configured when EC2 Instance Connect is installed, to look up the public key from the instance metadata for authentication, and connects you to the instance.

    You can find more information about EC2 Instance Connect at this link: https://docs.aws.amazon.com/en_us/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect.html

    EC2 Instance Connect is not using your key pairs that you created and uploaded to Amazon EC2 or which you created by using Amazon EC2. EC2 Instance Connect creates its own one-time use keys. The IAM policy will restrict who can connect to the instance with EC2 Instance Connect.

    1. The 'old' (default/beginner) keypair is still being shown as default keypair in my ec2 instance dashboard. - I don't know how to replace that here.

    Answer: The EC2 instance dashboard continues to display which key pair was specified at launch, even if you delete that key pair. We mention that here in the doc: https://docs.aws.amazon.com/en_us/AWSEC2/latest/UserGuide/describe-keys.html#identify-key-pair-specified-at-launch. Please see the note in the blue box that calls this out.

  • My wish would be, that there is a way to delete this old key, and replace it. Also in the ec2 dashboard.

    Answer: The EC2 dashboard just shows what key was specified at launch. If you've subsequently deleted the key from the instance, you won't be able to connect to the instance using that key. I'm sorry that this is confusing.

  • It is a strange feeling, that I am still able to connect to my instance via ec2 instance connect, although I have deleted the public key (for my beginner/default instance keypair) on the machine.

    Please read the documentation about EC2 Instance Connect at this link: https://docs.aws.amazon.com/en_us/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect.html

    You can allow who can access an instance by creating an IAM policy and attaching that IAM policy to any user who should connect to your instance.

    I hope this helps! It's a lot of info to take in, but hopefully by reading the documentation carefully, you'll get the information you need.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions