Bobcares

How to connect to Amazon EC2 instance if you lost SSH key pair

by | Aug 14, 2021

Wondering how to connect to Amazon EC2 instance if you lost SSH key pair? We can help you!

Here, at Bobcares, we often receive similar AWS queries from our customers as a part of our AWS Support Services.

Today, let’s see the methods and steps followed by our Support Engineers to connect the EC2 instance if we lost the SSH key pair.

 

Connect to Amazon EC2 instance if you lost SSH key pair

 
An SSH key pair consists of a public key and a private key. Amazon EC2 uses the key pair to authenticate us when we connect to an instance: EC2 stores the public key on the instance, and we keep the private key. On Linux instances, the private key is what lets us open an SSH session to the instance.

Now let’s see the methods followed by our Support Techs to connect the EC2 instance if we lost the SSH key pair:

  1. By using the EC2 Serial Console.
  2. Using AWS Systems Manager.
  3. By entering user-data.
  4. Using Amazon EC2 Instance Connect.

 

1. Using the EC2 Serial Console

 
We can use EC2 Serial Console to troubleshoot boot issues, network configuration, and SSH configuration issues. It can connect to our instance without a working network connection. We can connect to the serial console using the EC2 console or the AWS CLI.

We need to grant access to the Serial Console at the account level before using it. By default, IAM users have no access to the serial console, so we must configure IAM policies that grant our IAM users the required permissions. In addition, every instance that uses the serial console must have at least one password-based user, because the serial console presents a login prompt rather than using the SSH key.

If serial console access was not configured before the key pair was lost, we can use one of the following methods instead.

2. Using AWS Systems Manager

 
If our instance is a managed instance in AWS Systems Manager, we can recover access with the AWSSupport-ResetAccess automation document. AWSSupport-ResetAccess runs the EC2Rescue for Linux tool on the specified EC2 instance, which automatically creates a new key pair and installs its public key on the instance.

The new private key is encrypted and saved in the AWS Systems Manager Parameter Store under the parameter name /ec2rl/openssh/instance_id/key. We then create a new .pem file whose content is this parameter's value and use it to connect to the previously inaccessible instance.

Also note that the Automation workflow creates a backup, password-enabled Amazon Machine Image (AMI). This AMI is not deleted automatically and remains in our account.

We can locate this Amazon Machine Image by:

  1. Log in to the AWS Management Console and then open the Amazon EC2 console.
  2. Select AMIs.
  3. In the search option, enter the Automation ID.
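The steps above can also be driven from the AWS CLI. The script below is an added example and is not from the Bobcares post or from AWS: it starts the AWSSupport-ResetAccess automation, waits for it to finish, fetches the decrypted parameter value and writes it to a .pem file that is readable only by its owner, then lists the backup AMI. It assumes AWS CLI v2 with credentials allowed to start the automation and to read (and KMS-decrypt) the parameter; that the backup AMI's name contains the automation execution ID is an assumption, and ec2-user is only a placeholder login name.

```shell
#!/bin/sh
# Added example (not Bobcares' or AWS' code): run AWSSupport-ResetAccess,
# then turn the Parameter Store value into a usable private key file.
set -eu

# Parameter Store name used for the new private key
# (pattern from the post: /ec2rl/openssh/<instance-id>/key).
param_name() {
    printf '/ec2rl/openssh/%s/key\n' "$1"
}

# Write key material from stdin to a file that only the owner can read.
# umask is lowered before the file exists so it is never world-readable,
# not even briefly; chmod 400 afterwards is what ssh expects for a key.
write_private_key() {
    out="$1"
    umask 077
    cat > "$out"
    chmod 400 "$out"
    # Keep only something that looks like a PEM private key; anything
    # else (an error message, an empty value) is removed again.
    head -n1 "$out" | grep -q '^-----BEGIN .*PRIVATE KEY-----$' || {
        rm -f "$out"
        echo "refusing to keep $out: not a PEM private key" >&2
        return 1
    }
    printf '%s\n' "$out"
}

# Start the runbook; the instance must be an SSM managed instance.
# Prints the automation execution ID.
start_reset_access() {
    aws ssm start-automation-execution \
        --document-name AWSSupport-ResetAccess \
        --parameters "InstanceId=$1" \
        --query AutomationExecutionId --output text
}

# Poll until the automation ends, then fetch the decrypted key.
fetch_key() {
    instance_id="$1"; exec_id="$2"; out="$3"
    while :; do
        status=$(aws ssm get-automation-execution \
            --automation-execution-id "$exec_id" \
            --query AutomationExecution.AutomationExecutionStatus --output text)
        case "$status" in
            Success) break ;;
            Failed|Cancelled|TimedOut) echo "automation $status" >&2; return 1 ;;
            *) sleep 15 ;;
        esac
    done
    aws ssm get-parameter --name "$(param_name "$instance_id")" \
        --with-decryption --query Parameter.Value --output text \
        | write_private_key "$out"
}

# The backup AMI stays in the account; list it so it can be reviewed and
# deleted later (assumption: its name contains the execution ID).
find_backup_ami() {
    aws ec2 describe-images --owners self \
        --filters "Name=name,Values=*$1*" \
        --query 'Images[].[ImageId,Name,CreationDate]' --output table
}

# Usage: ./reset-access.sh i-0123456789abcdef0 ./recovered.pem
if [ "${1:-}" ] && [ "${2:-}" ]; then
    exec_id=$(start_reset_access "$1")
    fetch_key "$1" "$exec_id" "$2"
    find_backup_ami "$exec_id"
    echo "connect with: ssh -i $2 ec2-user@<instance-address>"
fi
```

Once the session works, the parameter in Parameter Store and the password-enabled backup AMI are both copies of credentials for the instance and should be deleted as part of cleanup.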

3. Entering user-data

 

  1. First, create a new SSH key pair. If we create the key pair in the Amazon EC2 console, then recover the public key for the key pair.
  2. Then open the EC2 console and stop the instance.
  3. Select Actions, Instance Settings, Edit user data.
  4. Then copy the following data and add it to the Edit user data field.

Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [users-groups, once]
users:
  - name: USERNAME
    ssh-authorized-keys:
    - PUBLICKEYPAIR
--//--

Here replace USERNAME with the login user on the instance (for example the default user of the AMI) and replace PUBLICKEYPAIR with the full public key line recovered in step 1. The indentation of the users block matters: ssh-authorized-keys must be nested under the name entry, otherwise cloud-init does not apply the key.

5. Click Save to save all the changes and start the instance.

6. After the cloud-init phase is complete, validate that the public key was replaced.

7. Then stop the instance.

8. Select Actions, Instance Settings, Edit user data.

9. Remove the script from the User Data field as the script contains a key pair and click Save.

10. Finally start the instance.
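The following script is an added example, not code from the Bobcares post or from AWS. It generates the user-data document from the steps above with the YAML nesting correct, refuses input that is not an OpenSSH public key line (a pasted private key would end up readable by anyone who can call ec2:DescribeInstanceAttribute), and wraps steps 2 to 10 in AWS CLI calls. Assumptions: AWS CLI v2 (whose blob parameters such as user data are given base64-encoded), that setting an empty Value clears the user data for step 9, and that ssh and the instance's address are available for the step 6 check.

```shell
#!/bin/sh
# Added example (not Bobcares' or AWS' code): build and apply the
# cloud-config user data that replaces a lost SSH key.
set -eu

# Accept only a public key line. cloud-init would silently ignore
# garbage, and a private key pasted here would be exposed as user data.
is_public_key() {
    case "$1" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|\
        "ecdsa-sha2-nistp521 "*|"sk-ssh-ed25519@openssh.com "*|"sk-ecdsa-sha2-nistp256@openssh.com "*)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# Print the multipart user-data document for USER and PUBKEY.
# The users block is indented so that the key belongs to that user.
build_user_data() {
    user="$1"; pubkey="$2"
    is_public_key "$pubkey" || { echo "not an OpenSSH public key line" >&2; return 1; }
    cat <<EOF
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [users-groups, once]
users:
  - name: $user
    ssh-authorized-keys:
    - $pubkey
--//--
EOF
}

# Steps 2 to 5: stop, set the user data, start. The document is
# base64-encoded because AWS CLI v2 expects blobs that way (assumption).
apply_user_data() {
    instance_id="$1"; doc_file="$2"
    aws ec2 stop-instances --instance-ids "$instance_id" >/dev/null
    aws ec2 wait instance-stopped --instance-ids "$instance_id"
    aws ec2 modify-instance-attribute --instance-id "$instance_id" \
        --user-data "Value=$(base64 < "$doc_file" | tr -d '\n')"
    aws ec2 start-instances --instance-ids "$instance_id" >/dev/null
    aws ec2 wait instance-running --instance-ids "$instance_id"
}

# Step 6: confirm the new key is really in authorized_keys, using the
# new private key only (IdentitiesOnly avoids agent keys being offered).
verify_key_installed() {
    pem="$1"; user="$2"; host="$3"; pubkey="$4"
    ssh -i "$pem" -o BatchMode=yes -o IdentitiesOnly=yes "$user@$host" \
        'cat ~/.ssh/authorized_keys' | grep -qF "$pubkey"
}

# Steps 7 to 10: remove the key from user data again (assumption: an
# empty Value clears the attribute), then start the instance.
clear_user_data() {
    instance_id="$1"
    aws ec2 stop-instances --instance-ids "$instance_id" >/dev/null
    aws ec2 wait instance-stopped --instance-ids "$instance_id"
    aws ec2 modify-instance-attribute --instance-id "$instance_id" --user-data Value=
    aws ec2 start-instances --instance-ids "$instance_id" >/dev/null
}

# Usage: ./lost-key.sh i-0123456789abcdef0 ec2-user ./new-key.pub
if [ "${3:-}" ]; then
    doc=$(mktemp)
    build_user_data "$2" "$(cat "$3")" > "$doc"
    apply_user_data "$1" "$doc"
    rm -f "$doc"
    echo "after cloud-init finishes: verify_key_installed <pem> $2 <address> \"\$(cat $3)\", then clear_user_data $1"
fi
```

User data is not secret storage: it is visible to every principal that can describe the instance attribute and to any process on the instance via the metadata service, which is why step 9 removes the document after the key has been installed.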
 

4. Using Amazon EC2 Instance Connect

 
We can use EC2 Instance Connect to connect to the instance if it runs Amazon Linux 2 2.0.20190618 or later. Instance Connect pushes a short-lived SSH public key to the instance through the EC2 API, so the lost key pair is not needed for the session.

  1. Log in to the AWS Management Console and open the Amazon EC2 console.
  2. Select Instances.
  3. Then select the instance and click Connect.
  4. Select EC2 Instance Connect.
  5. Verify the user name and click Connect to open a terminal window.

Important points to be noted:

Methods 2, 3, and 4 require a stop and start of the instance, so keep the following points in mind:

  • If the instance is instance store-backed or has instance store volumes containing data, that data is lost when the instance is stopped. So make sure to back up any data that we want to keep from the instance store volumes first.
  • Also note that stopping and starting the instance changes its public IP address. So it is always better to route external traffic to the instance through an Elastic IP address rather than the public IP address.


Conclusion

 
To conclude, today we discussed the methods and steps followed by our Support Engineers to help our customers connect to an EC2 instance after losing the SSH key pair.
