Access When Lost Keypair

Access to EC2 Instance when Lost Key pair


To change the key pair, create an AMI of the existing instance, and then launch a new instance. You can then select a new key pair by following the instance launch wizard. Follow these steps:

Warning:
Before starting this procedure, be aware of the following:

  • Stopping and restarting the instance erases any data on instance store volumes. Be sure that you back up any data on the instance store volume that you want to keep.
  • Stopping and restarting the instance changes the public IP address of your instance. It’s a best practice to use an Elastic IP address instead of a public IP address when routing external traffic to your instance.
  1. Go to EC2 Management Console, then select Key Pairs under Network & Security section from navigation panel.

Keypair Dashboard

  1. Create a new key pair.

Create a new Keypair

  1. If you create the private key in the Amazon EC2 console, retrieve the public key for the key pair.

Successfully Create a new Keypair

  1. To retrieve public key from keypair, you can use PuTTYGen to load the keypair and record/copy the public key for next step usage.

Retrieve Public Key

  1. Open the Amazon EC2 console.
  2. Stop your instance.

Stop Instance

  1. Choose Actions > Instance Settings > View/Change User Data.

Change Instance User Data

  1. Copy the following script into the View/Change User Data dialog box:
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [users-groups, once]
users:
  - name: ```username```
    ssh-authorized-keys: 
    - ```PublicKeypair```
  • Replace username with your user name, such as ec2-user. You can enter the default user name, or enter a custom username, if one was previously set up for the instance.
  • Replace PublicKeypair with the public key retrieved in Step 4. Be sure to enter the entire public key, starting with ssh-rsa.
    Example in this lab:
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCk1OSmXY52TPJAgjuL8gv8ekQBqKqR6JxGJTBsdS4hKwA5GvRB8yAqftiOPObylCvAf5sZSA2ual2RgZksDDNUBmcnO2Eg9D1G2he01UhG39cEjTns2X/R/No3yIaeytYXh+qu0QciR9sJy6jvx6Mbn3BgWn44sjjw9tEE8zj9p9qYZ2MSVK5QRYOjkPzjy9eOwo3UtMODIj9+uaGw6imLjfgdMOB3OkSqPlMW0fCl2xYcq5BrPKXJTGjU3k5kXe/7zKA+Tiy4IS7BUgVYWg0zSQncbiyzgO8tgsTZI8IDUAmycYCxNlw1X6W7BaUDWw/6AYkOc0w882UIm8OrCgyR
  1. Choose Save.

Change Instance User Data

  1. Start your instance.

Start Instance

  1. After the cloud-init phase is complete, validate that the public key was replaced.

Important: Because the script contains a key pair, remove the script from the User Data field.

  1. Stop your instance.
  2. Choose Actions > Instance Settings > View/Change User Data.
  3. Delete all the text in the View/Change User Data dialog box, and then choose Save.
  4. Start your instance again.
  5. Now, we can start connecting to your instance with the new Keypair.

Connecting to Instance with new Keypair

Note: If your instance is Amazon Linux 2 2.0.20190618 or later, you can use EC2 Instance Connect to connect to the instance.