Keypairs are used to grant access to Amazon EC2 instances. They are public/private keypairs, typically randomly generated by EC2 but existing keypairs (or more specifically, the public half of the keypair) can be imported into EC2.
They are used as follows:
- Windows: When starting Windows from a standard Windows AMI, a utility called Ec2Config randomly generates an Administrator password, encrypts it using the public half of the keypair, and passes it back through the System Log. Users must decrypt it using their private key. They can then login to Windows.
- Linux: When starting Linux from a standard Linux AMI, the public half of the keypair is copied to `.ssh/authorized_keys`. Users can login via `ssh` by providing their private key.
(The reference to a 'standard' AMI is intentional -- AMIs created by other people will not necessarily have these utilities installed.)
In both situations, it is advisable that users then modify their instance to use their normal security standards. For example, Windows users should change the Administrator password or, preferably, attach the instance to an Active Directory domain. Linux users should create additional users and install their standard keypairs.
There should be no continuing need to use keypairs after the initial launch of the EC2 instance. Users should be using their own passwords/keypairs. It is not good practice to keep using the same password/keypair as initially created when the instance is launched.
To answer your question...
The keypair on an instance will not change (and in fact cannot change). The name of the keypair is listed as a property of the instance, so the keypair used can be identified.
However, Windows users can change the Administrator password and Linux users can replace the contents of the `.ssh/authorized_keys` file. Therefore, the password/keypair used to login to an instance might change, but the keypair listed against the instance (used during the first boot) does not change.
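An added example, not part of the original answer: because the keypair name recorded on the instance never changes while `.ssh/authorized_keys` can, this Python sketch compares the launch public key against the current file and reports whether it is still trusted. The function names and the sample keys (built in code, not real keys) are this example's own assumptions.

```python
import base64, hashlib, re, struct

KEY_RE = re.compile(
    r"(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(?:256|384|521))\s+([A-Za-z0-9+/]+=*)")

def parse_keys(text):
    """Yield (blob, comment) for each well-formed key line, skipping options."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for m in KEY_RE.finditer(line):
            try:
                blob = base64.b64decode(m.group(2), validate=True)
            except ValueError:
                continue
            # A real key blob starts with uint32 length + the key type name;
            # this rejects look-alike text inside options such as command="...".
            if len(blob) < 4:
                continue
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n] == m.group(1).encode():
                yield blob, line[m.end():].strip()
                break

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a public key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(launch_pub, authorized_keys):
    """Report whether the launch key is still trusted and which other keys are."""
    launch = {fingerprint(b) for b, _ in parse_keys(launch_pub)}
    found = [(fingerprint(b), c) for b, c in parse_keys(authorized_keys)]
    return {"launch_key_still_authorized": any(fp in launch for fp, _ in found),
            "other_keys": [c or fp for fp, c in found if fp not in launch]}

def sample_key(seed, comment):
    """Constructed ssh-ed25519 line for the demo (not a real key)."""
    t = b"ssh-ed25519"
    blob = struct.pack(">I", len(t)) + t + struct.pack(">I", 32) + hashlib.sha256(seed).digest()
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment

LAUNCH = sample_key(b"launch", "my-launch-keypair")           # constructed
BEFORE = LAUNCH + "\n"                                        # state at first boot
AFTER = "# hardened\n" + 'from="10.0.0.0/8",no-pty ' + sample_key(b"alice", "alice@example.com") + "\n"

if __name__ == "__main__":
    print(audit(LAUNCH, BEFORE))
    print(audit(LAUNCH, AFTER))
```

To use it on a real instance, pass the text of the launch keypair's public key and the contents of the user's `authorized_keys` file in place of the constructed samples.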