4
votes

I have seen several questions and answers about changing the EC2 key pair for a running instance. However, I am a complete AWS newbie at this point and I can easily stop the running instance and restart it. That's not a problem in our situation.

Is it possible to stop a running EC2 instance and somehow change the key pair and then start it again on an EBS-backed instance? We are also using an elastic IP on this instance so I can't see any downside of stopping the instance and restarting, but most discussions of changing the key pair assume that restarting an instance is difficult.

I'm not an ops person, I'm trying to get up to speed after our recent EC2 person has left the company.

Thanks in advance!


4 Answers

9
votes

No, you can't change the key pair for an instance using the AWS Management Console. The only way to change the key is explained here: Change key pair for ec2 instance

In a nutshell, the SSH key is a file created on the EC2 instance by AWS during setup. Once the file is there, AWS does not touch it. It's only you who can work with it.

2
votes

You can create an AMI of your current instance and spin up a new instance with a different key pair using that AMI. You can then associate your elastic IP with the new instance. Is that what you're looking to do?

0
votes

You are sort of out of luck with regards to changing the key pair associated with the instance. What you can do, though, is one of the following:

  • Create a new account with equivalent privileges to the one associated with your key pair, and generate a key pair for that account. Disable the account you wish to deprecate (the one associated with the existing key pair), and delete it from your key pair list. WARNING: if you do what I just wrote in the wrong order, you are out of luck.
  • This should work. Emphasis on "should." I believe you can create an AMI image from your existing machine. Then you can just recreate it and associate it with a new key pair, then terminate your old one.

For future reference, best practice would be to have a common key file that is not accessible to everyone to create EC2 instances, then assign credentials for people to do work on them.

0
votes

I agree with @yegor256 on the best method here to change your keys. You can also visually inspect the authorized_keys file to ensure that only the correct keys are listed--especially when using someone else's AMI. Just be sure the file has the correct permissions or you could lock yourself out accidentally.
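
The in-place key swap the answers point to, sketched as an added example that is not part of any answer above: it installs the new public key before dropping the old one and sets the permissions sshd expects. The function names are hypothetical, and it assumes the default OpenSSH layout (`~/.ssh/authorized_keys`) and that it runs as the login user who owns the file.

```shell
#!/bin/sh
# Added example (not from the answers): replace one public key with another
# in an OpenSSH authorized_keys file without losing access along the way.
# Run it as the login user who owns the file, so ownership stays correct.

# Print "type base64" from a .pub file, dropping the trailing comment.
key_body() {
    awk 'NF >= 2 && $1 !~ /^#/ { print $1 " " $2; exit }' "$1"
}

# rotate_authorized_key AUTH_FILE OLD.pub NEW.pub
# Returns 0 on success, 1 if the new key failed to land, 2 on bad input.
rotate_authorized_key() {
    auth_file=$1
    [ -f "$auth_file" ] || { echo "missing $auth_file" >&2; return 2; }
    old_body=$(key_body "$2") && new_body=$(key_body "$3") || return 2
    [ -n "$old_body" ] && [ -n "$new_body" ] || {
        echo "could not read a key from $2 or $3" >&2; return 2; }

    # Build the replacement beside the original so the final mv is atomic.
    tmp=$(mktemp "${auth_file}.XXXXXX") || return 2

    # Copy every line that does not carry the old key. Matching on the
    # base64 body also catches entries that have an options prefix.
    awk -v old="$old_body" 'index($0, old) == 0' "$auth_file" > "$tmp"

    # Append the new key unless it is already listed.
    grep -qF -- "$new_body" "$tmp" || cat "$3" >> "$tmp"

    # Never install a file that would leave no way back in.
    if ! grep -qF -- "$new_body" "$tmp"; then
        rm -f "$tmp"; return 1
    fi

    # With StrictModes on (the default), sshd ignores key files that
    # group or others can write to; 700/600 is the usual safe setting.
    chmod 600 "$tmp"
    chmod 700 "$(dirname "$auth_file")"

    # Keep a backup; delete it once a login with the new key works,
    # because it still lists the old key.
    cp -p "$auth_file" "${auth_file}.bak"
    mv "$tmp" "$auth_file"
}

# Example call:
#   rotate_authorized_key "$HOME/.ssh/authorized_keys" old.pub new.pub
```

Keep the current SSH session open and confirm a second login with the new key before closing it.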