Recovering Access: A Guide for Lost EC2 Key Pair in Linux
In this blog post I describe 5 methods to regain access to your EC2 Linux instance if you have lost your key pair. The motivation for writing it was my interns approaching me and asking for a remediation after they lost their EC2 key pair. To learn all 5 remediations, read the entire post.
Published May 1, 2024
Last Modified May 6, 2024
Imagine this: You've just finished building the coolest project on your EC2 instance in the AWS cloud. You close your laptop for a well-deserved break, only to return to a horrifying realization – your precious key pair, serving as the virtual guardian of your cloud infrastructure, has vanished without a trace. Panic starts to rise like a server overload. But fear not, for this isn't the end.
We've all been there – the sinking feeling when you realize you've misplaced a crucial key pair for your EC2 instance. Don't panic! While a lost key pair can be a roadblock, regaining access to your Linux instance is definitely possible. This blog dives into the technical aspects of recovering from a lost EC2 key pair, exploring various methods and their considerations.
EC2 key pairs are the cornerstone of secure SSH access to your Linux instances. They function as a public-private key combination, where the public key resides on the instance and the private key is held locally by you. When you attempt an SSH connection, the keys work together for authentication. During instance launch, you must specify a key pair, especially for SSH connections. You can use the same key pair across instances or different pairs depending on security needs. Upon instance boot, the specified public key is placed in ~/.ssh/authorized_keys. To log in via SSH, you must provide the corresponding private key.
Now, we have understood what EC2 Key Pairs are. Let’s see how to regain access to your EC2 instances if you lose your Key Pair. There are many methods, and I am going to discuss a few of them in this blog.
The first method uses EC2 User Data, and you must follow a few steps:
- Create a new key pair and copy its public key. In the above diagram, the key circled in the EC2 instance is the old key, and the new public key is the one in the square.
- Stop the instance and update the EC2 User Data. If you use the cloud-config format for the user data, as shown in the above diagram, it will run at every start of your EC2 instance.
- In your user data, add a user name and an SSH authorized key, as shown in the above diagram. This means that the next time the EC2 instance starts, it will read the user data, create the new user, and add the SSH authorized key.
- Once you're done with this one-time setup, delete the user data so that the EC2 instance doesn't write a new key every time it boots.
NOTE: This method only adds authorized keys. It does not delete or override any existing public keys.
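The user-data procedure above, scripted end to end, as an added example that is not part of the original post. It renders the cloud-config document the diagram refers to (the `cloud_final_modules: [users-groups, always]` entry is what makes it run on every boot), refuses anything that is not an OpenSSH public key, pushes the document with the AWS CLI, reads it back for verification, and clears it again afterwards. The instance ID, recovery user name and key path are hypothetical placeholders.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Recovers SSH access by
# writing a cloud-config user data document that creates a recovery user
# with a fresh public key. Instance ID, user name and key path are
# hypothetical placeholders.
set -eu

# Render the cloud-config. The "always" frequency on users-groups makes
# cloud-init re-run that module on every boot (by default it runs once per
# instance), which is why the post says to remove the user data afterwards.
# The sudo group is "wheel" on Amazon Linux and "sudo" on Ubuntu.
render_cloud_config() {
  local user="$1" pubkey="$2"
  cat <<EOF
#cloud-config
cloud_final_modules:
  - [users-groups, always]
users:
  - name: ${user}
    groups: [wheel]
    sudo: ["ALL=(ALL) NOPASSWD:ALL"]
    shell: /bin/bash
    ssh_authorized_keys:
      - ${pubkey}
EOF
}

# Accept only an OpenSSH public key. User data is readable by any principal
# allowed ec2:DescribeInstanceAttribute, so a private key pasted here by
# mistake would be exposed to far more people than the lost one ever was.
is_public_key() {
  case "$1" in
    "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*) return 0 ;;
    *) return 1 ;;
  esac
}

recover_via_user_data() {
  local instance_id="$1" user="$2" pubkey="$3"
  local file="./recovery-cloud-config.yaml"
  is_public_key "$pubkey" || { echo "refusing: not an OpenSSH public key" >&2; return 1; }
  render_cloud_config "$user" "$pubkey" > "$file"

  # User data can only be changed while the instance is stopped.
  aws ec2 stop-instances --instance-ids "$instance_id" > /dev/null
  aws ec2 wait instance-stopped --instance-ids "$instance_id"
  # file:// hands the document to the userData attribute (the form used in
  # the AWS CLI reference); the CLI takes care of the base64 encoding.
  aws ec2 modify-instance-attribute --instance-id "$instance_id" \
    --attribute userData --value "file://${file}"
  # Read it back and decode, so you see exactly what cloud-init will see
  # (base64 -d is GNU coreutils; macOS uses base64 -D).
  aws ec2 describe-instance-attribute --instance-id "$instance_id" \
    --attribute userData --query UserData.Value --output text | base64 -d
  aws ec2 start-instances --instance-ids "$instance_id" > /dev/null
  aws ec2 wait instance-running --instance-ids "$instance_id"
}

# Once you are back in, clear the user data so the always-run module stops
# rewriting the key on every boot.
clear_user_data() {
  local instance_id="$1"
  aws ec2 stop-instances --instance-ids "$instance_id" > /dev/null
  aws ec2 wait instance-stopped --instance-ids "$instance_id"
  aws ec2 modify-instance-attribute --instance-id "$instance_id" --user-data Value=
  aws ec2 start-instances --instance-ids "$instance_id" > /dev/null
}

# Usage with hypothetical values:
#   ssh-keygen -t ed25519 -f ./recovery_key -N '' -C recovery-key
#   recover_via_user_data i-0123456789abcdef0 recovery "$(cat ./recovery_key.pub)"
#   ssh -i ./recovery_key recovery@<instance-public-ip>
#   clear_user_data i-0123456789abcdef0
```

The read-back step matters more than it looks: if the document does not decode to the exact YAML you rendered (for example because a second tool re-encoded it), cloud-init will silently ignore it and the instance will boot with no new user.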
The second method uses AWS Systems Manager:
- Set up Systems Manager on your EC2 instance by installing the SSM Agent and attaching an IAM role with the required permissions.
- In the Systems Manager console, run the AWSSupport-ResetAccess automation, which generates a new key pair (public and private) and automatically stores the private key in Parameter Store.
- Retrieve the private key from Parameter Store, delete the Parameter Store entry for security, and use the key to SSH into your instance. This method works for both Linux and Windows instances.
Note: Ensure the SSM Agent is properly installed and the instance has the correct IAM role, so that the automation can store the key in Parameter Store and you can retrieve it securely.
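The Systems Manager path driven from the CLI, as an added example that is not part of the original post. It first confirms the instance is actually managed by SSM (the prerequisite the note above calls out), starts the AWSSupport-ResetAccess automation, waits for it, fetches the private key from Parameter Store with owner-only file permissions, and deletes the parameter. The instance ID is hypothetical; the parameter name `/AWSSupport-ResetAccess/<instance-id>` is an assumption about how the document names the stored key, so confirm it against the automation's output if your run differs.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Resets SSH access with
# the AWSSupport-ResetAccess automation document. Instance ID is a
# hypothetical placeholder.
set -eu

# Parameter Store name under which the automation stores the new private
# key (assumption about the document's naming; check the execution output).
key_parameter_name() {
  printf '/AWSSupport-ResetAccess/%s\n' "$1"
}

# Sanity check before launching an automation: EC2 instance IDs are "i-"
# followed by 8 (legacy) or 17 hex characters.
looks_like_instance_id() {
  case "$1" in
    i-*) ;;
    *) return 1 ;;
  esac
  [ "${#1}" -eq 10 ] || [ "${#1}" -eq 19 ]
}

reset_access() {
  local instance_id="$1" exec_id status param
  looks_like_instance_id "$instance_id" || { echo "bad instance id: $instance_id" >&2; return 1; }

  # The automation needs a working SSM Agent plus an instance role; an
  # instance that is not "Online" here will fail later, so stop early.
  aws ssm describe-instance-information \
    --filters "Key=InstanceIds,Values=${instance_id}" \
    --query 'InstanceInformationList[0].PingStatus' --output text | grep -qx Online \
    || { echo "instance is not Online in SSM; fix the agent or IAM role first" >&2; return 1; }

  # Other document parameters are left at their defaults; list them with
  #   aws ssm describe-document --name AWSSupport-ResetAccess
  exec_id=$(aws ssm start-automation-execution \
    --document-name AWSSupport-ResetAccess \
    --parameters "InstanceId=${instance_id}" \
    --query AutomationExecutionId --output text)

  # Poll until the automation leaves its in-progress states.
  while :; do
    status=$(aws ssm get-automation-execution --automation-execution-id "$exec_id" \
      --query AutomationExecution.AutomationExecutionStatus --output text)
    case "$status" in
      Pending|InProgress|Waiting) sleep 15 ;;
      Success) break ;;
      *) echo "automation $exec_id ended with status $status" >&2; return 1 ;;
    esac
  done

  # Fetch the private key with owner-only permissions (umask in a subshell so
  # the caller's umask is untouched), then delete the parameter so the key no
  # longer sits in Parameter Store.
  param=$(key_parameter_name "$instance_id")
  ( umask 077
    aws ssm get-parameter --name "$param" --with-decryption \
      --query Parameter.Value --output text > "./${instance_id}.pem" )
  aws ssm delete-parameter --name "$param"
  echo "private key written to ./${instance_id}.pem; parameter $param deleted"
}

# Usage with a hypothetical ID:
#   reset_access i-0123456789abcdef0
#   ssh -i ./i-0123456789abcdef0.pem ec2-user@<instance-public-ip>
```

Deleting the parameter is the step people skip; until it is gone, anyone with ssm:GetParameter and access to the KMS key can read a working private key for the instance.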
The third method uses the EC2 Instance Connect service to establish a temporary connection to your instance:
- To use this service, the instance needs the EC2 Instance Connect agent, which comes pre-installed on Amazon Linux 2 and on Ubuntu 16 and later.
- Use EC2 Instance Connect to open an SSH session to your instance, then update the SSH authorized_keys file by adding a new SSH public key.
- With the new key in authorized_keys, you can connect to your EC2 instance directly from your own computer.
The fourth method uses the EC2 Serial Console, an alternative when a Nitro-based EC2 instance has network connectivity issues:
- Beforehand, ensure the EC2 Serial Console is enabled at the account level.
- Connect to the Serial Console and, in the terminal session, add the new public key to the SSH authorized_keys file.
- Address any network connectivity problems alongside using the Serial Console.
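Both console-free routes above (EC2 Instance Connect, and the EC2 Serial Console for an instance without a working network path), as one added example that is not part of the original post. The Instance Connect half pushes a one-time public key, which the instance accepts for 60 seconds, and uses that window to append the same key permanently to authorized_keys; the Serial Console half enables console access for the account and opens the serial session, after which the authorized_keys edit is done by hand in that session. Region, instance ID, OS user and key path are hypothetical placeholders.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Region, instance ID,
# OS user and key path are hypothetical placeholders.
set -eu

REGION="us-east-1"
INSTANCE_ID="i-0123456789abcdef0"
OS_USER="ec2-user"      # "ubuntu" on Ubuntu images
KEY="./recovery_key"    # ssh-keygen -t ed25519 -f ./recovery_key -N ''

# --- EC2 Instance Connect -------------------------------------------------

# Push the public key through the Instance Connect API. The agent on the
# instance honours it for 60 seconds, so the SSH step must follow at once.
push_temp_key() {
  aws ec2-instance-connect send-ssh-public-key \
    --region "$REGION" --instance-id "$INSTANCE_ID" \
    --instance-os-user "$OS_USER" \
    --ssh-public-key "file://${KEY}.pub" \
    --query Success --output text
}

# Script executed on the instance: add the key only if absent, and leave
# the permissions sshd requires. Public keys never contain single quotes,
# so quoting $1 this way is safe.
remote_install_script() {
  cat <<EOF
umask 077
mkdir -p ~/.ssh
touch ~/.ssh/authorized_keys
grep -qxF '$1' ~/.ssh/authorized_keys || echo '$1' >> ~/.ssh/authorized_keys
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
EOF
}

persist_key_via_instance_connect() {
  local pubkey ip
  pubkey=$(cat "${KEY}.pub")
  ip=$(aws ec2 describe-instances --region "$REGION" --instance-ids "$INSTANCE_ID" \
    --query 'Reservations[0].Instances[0].PublicIpAddress' --output text)
  push_temp_key
  remote_install_script "$pubkey" | ssh -i "$KEY" -o IdentitiesOnly=yes "${OS_USER}@${ip}" sh
}

# --- EC2 Serial Console ---------------------------------------------------

# One-time, account-level switch the post mentions.
enable_serial_console() {
  aws ec2 enable-serial-console-access --region "$REGION" \
    --query SerialConsoleAccessEnabled --output text
}

# Push a key to the serial console endpoint and open the session. The
# console login prompt needs an OS user with a password set; editing
# authorized_keys is then done interactively in that session.
serial_console_session() {
  aws ec2-instance-connect send-serial-console-ssh-public-key \
    --region "$REGION" --instance-id "$INSTANCE_ID" \
    --serial-port 0 --ssh-public-key "file://${KEY}.pub"
  ssh -i "$KEY" -o IdentitiesOnly=yes \
    "${INSTANCE_ID}.port0@serial-console.ec2-instance-connect.${REGION}.aws"
}

# Usage:
#   persist_key_via_instance_connect      # network path to the instance works
#   enable_serial_console && serial_console_session   # it does not
```

The serial console only gets you a shell; it does not touch security groups, routes or NACLs, which is why the post tells you to fix the network problem in parallel.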
The fifth method swaps the EBS root volume onto a rescue instance:
- Prepare the new key pair: create a new key pair (private and public key) to access the instance.
- Swap the EBS volume: stop the original EC2 instance, detach its EBS root volume, launch a new EC2 instance, and attach the detached volume (which contains the authorized_keys file) to the new instance.
- Modify authorized_keys: connect to the new instance using the newly created key pair and edit the authorized_keys file on the attached volume (the original instance's root volume). Add the public key of your new key pair to this file.
- Reconnect and access: detach the EBS volume from the new instance, reattach it to the original EC2 instance, and start the original instance. You should now be able to SSH into the original instance using the new key pair's private key.
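The volume-swap procedure above in two halves, as an added example that is not part of the original post: the control-plane half runs on your workstation with the AWS CLI (stop, detach, attach to the rescue instance, and later the reverse), and the rescue half runs as root on the rescue instance and edits authorized_keys on the mounted volume. Instance and volume IDs, the device names and the login user are hypothetical; the rescue instance is assumed to be in the same Availability Zone, since a volume can only attach within its own AZ.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. IDs, device names and
# the login user are hypothetical placeholders.
set -eu

# Add a public key to a home directory's authorized_keys. Idempotent, and it
# restores the ownership and modes sshd checks (a root-owned or group-
# writable file on the original root volume makes sshd ignore the key).
add_authorized_key() {
  local home_dir="$1" pubkey="$2" owner="$3"
  local keyfile="${home_dir}/.ssh/authorized_keys"
  mkdir -p "${home_dir}/.ssh"
  touch "$keyfile"
  grep -qxF "$pubkey" "$keyfile" || printf '%s\n' "$pubkey" >> "$keyfile"
  chown -R "$owner" "${home_dir}/.ssh"
  chmod 700 "${home_dir}/.ssh"
  chmod 600 "$keyfile"
}

# Run as root ON THE RESCUE INSTANCE after the volume is attached. $1 is the
# root partition as the rescue kernel sees it (e.g. /dev/xvdf1 or
# /dev/nvme1n1p1), $2 the new public key, $3 the login user on the old root.
fix_volume_on_rescue() {
  local dev="$1" pubkey="$2" user="${3:-ec2-user}" mnt="/mnt/recovery"
  mkdir -p "$mnt"
  # XFS root volumes built from the same AMI carry the same filesystem UUID
  # as the rescue instance's own root; nouuid lets the second one mount.
  mount -o nouuid "$dev" "$mnt" 2>/dev/null || mount "$dev" "$mnt"
  add_authorized_key "${mnt}/home/${user}" "$pubkey" \
    "$(stat -c %u:%g "${mnt}/home/${user}")"
  # Re-label for SELinux-enforcing images, otherwise sshd cannot read the file.
  if command -v restorecon > /dev/null; then restorecon -R "${mnt}/home/${user}/.ssh"; fi
  umount "$mnt"
}

# Run FROM YOUR WORKSTATION: move the original root volume to the rescue
# instance. Prints the command to run once the rescue-side edit is done.
swap_root_volume() {
  local orig="$1" rescue="$2" root_dev vol
  root_dev=$(aws ec2 describe-instances --instance-ids "$orig" \
    --query 'Reservations[0].Instances[0].RootDeviceName' --output text)
  vol=$(aws ec2 describe-instances --instance-ids "$orig" \
    --query "Reservations[0].Instances[0].BlockDeviceMappings[?DeviceName=='${root_dev}'].Ebs.VolumeId" \
    --output text)
  aws ec2 stop-instances --instance-ids "$orig" > /dev/null
  aws ec2 wait instance-stopped --instance-ids "$orig"
  aws ec2 detach-volume --volume-id "$vol" > /dev/null
  aws ec2 wait volume-available --volume-ids "$vol"
  aws ec2 attach-volume --volume-id "$vol" --instance-id "$rescue" --device /dev/sdf > /dev/null
  aws ec2 wait volume-in-use --volume-ids "$vol"
  echo "attached $vol to $rescue as /dev/sdf; after fix_volume_on_rescue, run:"
  echo "  restore_root_volume $orig $vol $root_dev"
}

# Run FROM YOUR WORKSTATION: put the volume back as the original root device.
restore_root_volume() {
  local orig="$1" vol="$2" root_dev="$3"
  aws ec2 detach-volume --volume-id "$vol" > /dev/null
  aws ec2 wait volume-available --volume-ids "$vol"
  aws ec2 attach-volume --volume-id "$vol" --instance-id "$orig" --device "$root_dev" > /dev/null
  aws ec2 wait volume-in-use --volume-ids "$vol"
  aws ec2 start-instances --instance-ids "$orig" > /dev/null
  aws ec2 wait instance-running --instance-ids "$orig"
}

# Usage with hypothetical IDs:
#   swap_root_volume i-0123456789abcdef0 i-0fedcba9876543210
#   (on the rescue instance, as root)
#   fix_volume_on_rescue /dev/xvdf1 "$(cat recovery_key.pub)" ec2-user
#   restore_root_volume i-0123456789abcdef0 vol-0123456789abcdef0 /dev/xvda
```

Reattaching under the exact RootDeviceName reported by describe-instances is what makes the original instance boot from it again; attaching it under any other name leaves the instance with no root volume.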
- Security first: Always prioritize security when dealing with key pairs. Never share your private key, and consider using strong passphrases for additional protection.
- Backups are key: Regularly backing up your instances, including user data scripts, ensures a smoother recovery process in case of emergencies.
Losing access to your EC2 instance due to a lost key pair can be a stressful situation, but it's not the end of the world. By following the steps outlined in this blog, you can recover access to your instance and resume normal operations swiftly. Remember to implement best practices for key pair management to minimize the risk of such incidents in the future. Don't forget: making a mistake is alright if you learn from it. Do not repeat your mistake. If you do, this blog is always there to help you 😊
Stay tuned for next blog post on “Recovering Access: A Guide for Lost EC2 Password in Windows”