Question

I have lost the private key of my EC2 instance. I looked for it in the AWS Management Console but couldn't find it, Any suggestions? 

Answer 1

I'm afraid it's not possible

When you launch an instance, you should specify the name of the key pair you plan to use to connect to the instance. If you don't specify the name of an existing key pair when you launch an instance, you won't be able to connect to the instance. When you connect to the instance, you must specify the private key that corresponds to the key pair you specified when you launched the instance. Amazon EC2 doesn't keep a copy of your private key; therefore, if you lose a private key, there is no way to recover it. If you lose the private key for an instance store-backed instance, you can't access the instance; you should terminate the instance and launch another instance using a new key pair. If you lose the private key for an EBS-backed Linux instance, you can regain access to your instance. For more information, see Connecting to Your Linux Instance if You Lose Your Private Key.

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html

Comments

How to logon to windows ec2 instance, when a private key is lost??

---

Hi.
An instance can only be associated with a key pair only at launch time (either to an existing key pair or by creating a new key pair). that means if you lose the key pair then you won't be able to generate another one for that already running instance or associate it with an already existing key pair. To urgently address your issue, you may try to do the following:-

1. From your AWS console stop the instance.
2. Create a snapshot of the instance.
3. Create a duplicate instance from the resulting snapshot and create a new Key Pair.

Once the instance is up and running, you would be able to log into the new instance using the new key pair. The new instance is identical in every aspect to the original instance and you can carry on your work from there. If you were using an elastic IP, then dissociate it from the old instance and associate it with the new instance and make sure to update DNS as well.

Answer 2

You can replace the new key using user data or systems manager.

Using User Data:

 1. Create a new key pair from the AWS EC2 Console
 2. Generate the Public Key from the downloaded key pair using below cmd:
    ssh-keygen -y -f <Key Pair name>.pem
 3. Stop the EC2 instance and edit the user data of the instance and pass the below script and start the Instance

        Content-Type: multipart/mixed; boundary="//"
        MIME-Version: 1.0

        --//
        Content-Type: text/cloud-config; charset="us-ascii"
        MIME-Version: 1.0
        Content-Transfer-Encoding: 7bit
        Content-Disposition: attachment; filename="cloud-config.txt"

        #cloud-config
        cloud_final_modules:
        - [users-groups, once]
        users:
         - name:ec2-user
           ssh-authorized-keys:
           - <**Paste the Public key here**>


    Now, You will be able to login to EC2 instance with the downloaded key pair.

Using Systems Manager:

 1. If the instance is a managed instance in AWS Systems Manager, you can use the AWSSupport-ResetAccess document to recover the lost key pair.
 2. Open the AWS Systems Manager console, select Automation in left navigation pane, click execute Automation. In automation document section select owned by Amazon. In the run book list, search for AWSSupport-ResetAccess
 3. In Execute automation document page, choose Simple execution. In document details section, verify Document version is set to Default. In the input parameter section, specify the Instance ID, Subnet ID and Instance type in parameter and execute.
 4. When Automation is finished, the new ssh private key is saved and encrypted in parameter store and the parameter store named as /ec2rl/openssh/<InstanceID>/key

You can refer the below link for more detailed steps:

https://cloudsolutionsonline.blogspot.com/2021/11/connect-to-linux-ec2-instance-if-ssh.html?m=1