22

I lost the PEM key to the EC2 Instance. I followed all the following steps:

HOW TO ACCESS EC2 INSTANCE EVEN IF PEM FILE IS LOST

Accessing the EC2 instance even if you lose the pem file is rather easy.

  1. First, create a new instance with a new key file; call it the 'helper' instance, in the same region and VPC as the instance whose pem file was lost.

  2. Now stop the instance whose pem file was lost. Remember not to terminate the instance but to stop it.

  3. Go to EBS volumes, select the root volume of that instance and detach it.

  4. Now select the detached volume again, and this time attach it to the helper instance we created before. Since the helper instance already has a root volume by default as /dev/sda1, the newly attached volume will be secondary (e.g. /dev/sdf).

  5. Log in to your helper instance with its pem file.

  6. Execute the commands below:

    # mount /dev/xvdf1 /mnt
    # cp /root/.ssh/authorized_keys /mnt/root/.ssh/
    # umount /mnt
    
  7. Detach the secondary volume from helper instance.

  8. Attach the volume back to our recovery instance. Start the instance. Terminate the helper instance.

Use the helper instance's pem file to log into the recovery instance.

kenlukas

A K
    What do you need help with? Which step did you get stuck at? EC2 instances have pem files which allow ssh, they also have a storage in Volumes which you can track by following the Instance ID and volume ID. These steps are to create a new EC2 with new pem file which you download, detach volume, attach it to new EC2 for which you have new pem and ssh into new EC2. Also if you encrypted your storage you might have tough luck. Saying please help or I followed all the steps does not help anyone identify what you need help with. I hope this helps you at least start at step 1. – devssh Sep 28 '18 at 17:47
  • I don't have the PEM file. I am not able to connect to the WP admin page of my website after I installed an https plugin. In order to edit the wp-config file I need to access the files via Filezilla or Putty, but without the PEM file the connection is not possible. The above steps are what I tried in order to get access without the PEM file. – A K Sep 29 '18 at 13:47
  • 1
    This blog should help to ssh to EC2 even without our .pem file https://aws.amazon.com/premiumsupport/knowledge-center/user-data-replace-key-pair-ec2/ – Pratheek Reddy May 31 '22 at 15:32
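The volume-swap procedure in the question has two traps that the quoted steps skip over: the attached volume is not always /dev/xvdf1 (on Nitro instance types it shows up as an NVMe namespace such as /dev/nvme1n1p1), and on Amazon Linux and Ubuntu AMIs root's authorized_keys carries a forced command that only prints a "please login as ec2-user" message, so the key has to go into the login user's file with the right ownership and mode. The script below is an added example for this thread, not code from the question or from the page it quotes. It assumes the recovered system's login user is ec2-user, that you run it as root on the helper, and that the key you pass is the helper's own public key in OpenSSH authorized_keys format. The same install function also works once you already have a shell on the box (for instance through Session Manager, as the first answer suggests) by passing / as the mount point.

```shell
#!/bin/sh
# Offline SSH key recovery on a root volume attached to a helper instance.
# Added example for this thread; the login user (ec2-user), the helper's key
# and the lsblk field set are assumptions, not facts from the question.

# Pick the attached, not-yet-mounted root partition. Xen instances name the
# second disk /dev/xvdf, Nitro instances expose /dev/nvme1n1, so the console
# name "sdf" is never what the kernel uses. Reads the output of
#   lsblk -Pno NAME,TYPE,FSTYPE,MOUNTPOINT
# from stdin and prints the first partition with a root-style filesystem and
# no mount point (the helper's own / and /boot/efi are mounted, so skipped).
pick_unmounted_root_partition() {
  awk '{
    name = ""; type = ""; fs = ""; mp = ""
    for (i = 1; i <= NF; i++) {
      split($i, kv, "="); v = kv[2]; gsub(/"/, "", v)
      if (kv[1] == "NAME") name = v
      else if (kv[1] == "TYPE") type = v
      else if (kv[1] == "FSTYPE") fs = v
      else if (kv[1] == "MOUNTPOINT") mp = v
    }
    if (type == "part" && (fs == "xfs" || fs == "ext4") && mp == "") {
      print "/dev/" name; exit
    }
  }'
}

# Only accept a bare OpenSSH public key line; a pasted .pem (private key) or a
# PuTTY export would otherwise be written into authorized_keys.
is_authorized_key() {
  case "$1" in
    "ssh-ed25519 AAAA"*|"ssh-rsa AAAA"*|"ecdsa-sha2-nistp256 AAAA"*|\
    "ecdsa-sha2-nistp384 AAAA"*|"ecdsa-sha2-nistp521 AAAA"*) return 0 ;;
    *) return 1 ;;
  esac
}

# install_authorized_key MNT USER "PUBKEY": append PUBKEY for USER on the
# filesystem rooted at MNT (use / when already logged in to the instance).
install_authorized_key() {
  mnt=${1%/}; user=$2; pubkey=$3
  is_authorized_key "$pubkey" || { echo "refusing: not an OpenSSH public key line" >&2; return 1; }
  # Resolve uid/gid/home from the recovered volume's passwd, not the helper's.
  entry=$(awk -F: -v u="$user" '$1 == u { print $3 ":" $4 ":" $6 }' "$mnt/etc/passwd")
  [ -n "$entry" ] || { echo "user $user not in $mnt/etc/passwd" >&2; return 1; }
  uid=${entry%%:*}; rest=${entry#*:}; gid=${rest%%:*}; home=${rest#*:}
  sshdir="$mnt$home/.ssh"
  mkdir -p "$sshdir" && chmod 700 "$sshdir"
  # Append, never overwrite: keys already on the instance keep working.
  grep -qxF "$pubkey" "$sshdir/authorized_keys" 2>/dev/null \
    || printf '%s\n' "$pubkey" >> "$sshdir/authorized_keys"
  chmod 600 "$sshdir/authorized_keys"
  # sshd (StrictModes) ignores the file unless the login user owns it.
  if [ "$(id -u)" -eq 0 ]; then
    chown -R "$uid:$gid" "$sshdir"
  else
    echo "warning: not root, $sshdir is owned by $(id -un); fix ownership to $uid:$gid" >&2
  fi
  # Files written through an offline mount get no SELinux label; on an
  # enforcing system schedule a relabel at next boot so sshd can read the key.
  if [ "$mnt" != "" ] && grep -qs '^SELINUX=enforcing' "$mnt/etc/selinux/config"; then
    : > "$mnt/.autorelabel"
  fi
}

# Manual flow on the helper, as root, after attaching the volume:
#   part=$(lsblk -Pno NAME,TYPE,FSTYPE,MOUNTPOINT | pick_unmounted_root_partition)
#   mount "$part" /mnt        # XFS clone of the helper's AMI: add -o nouuid (UUIDs collide)
#   install_authorized_key /mnt ec2-user "$(head -1 /home/ec2-user/.ssh/authorized_keys)"
#   umount /mnt
if [ $# -eq 3 ]; then
  install_authorized_key "$1" "$2" "$3"
fi
```

Passing the key through a function that resolves the user from the mounted volume's own /etc/passwd matters because uids on the helper and on the recovered system need not match; an authorized_keys file owned by the wrong uid is silently ignored by sshd, which looks exactly like "the key still does not work".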

4 Answers

6

A few weeks ago AWS announced SSM Session Manager. This allows you to access (login) to your EC2 instances without requiring a key pair, password, open ports, etc. Both Windows and Linux are supported.

The latest AMIs do not have the latest version of the SSM agent. You will need to update that first, which you can also do via the SSM Console or via AWS CLI.

AWS Systems Manager Session Manager

Once you connect to your system, you can then correct any problems that you have. For example, you could create a new keypair in the AWS Console and then copy the public key to `~/.ssh/authorized_keys` so that you can once again access your system via SSH.

For Windows systems, you can even change the Administrator password if it has been forgotten. This can be a lifesaver.

John Hanley
  • How do I install SSM on the AMI? How do I connect and regenerate the SEM key? – A K Sep 30 '18 at 13:05
  • Did you read the documentation link that I included? For most AMIs the agent is already installed, you just need to update it. – John Hanley Sep 30 '18 at 16:39
  • If you need to connect to an instance via ssh, you can utilize my SSH ProxyCommand script. It temporarily adds your public ssh key to the target instance during the connection. Then it will establish an ssh connection, tunneled through SSM Session Manager. AWS SSM SSH ProxyCommand -> https://gist.github.com/qoomon/fcf2c85194c55aee34b78ddcaa9e83a1 – qoomon Aug 25 '19 at 06:14
1

Here are the steps to access an EC2 instance on the fly after losing the key pair:

  1. Create a new instance in the same region with a new key pair and name it TEST
  2. Now connect to the new instance and copy the contents of authorized_keys from the .ssh directory (.ssh/authorized_keys)
  3. Go to the security group of the instance whose pem file was lost and allow SSH for EC2 Instance Connect (please check the IP range for your region with the command curl -s https://ip-ranges.amazonaws.com/ip-ranges.json| jq -r '.prefixes[] | select(.region=="us-east-1") | select(.service=="EC2_INSTANCE_CONNECT") | .ip_prefix')
  4. Once you are done with the security group changes, connect to that instance via EC2 Instance Connect
  5. Now open .ssh/authorized_keys and replace it with the TEST instance's authorized_keys
  6. You can now access the instance with the new key pair
  7. Terminate the TEST instance and revert the changes in the security group.

Take note that this solution might expose port 22 of your instance for a while.

Thank you.

  • This solution uses **EC2 Instance Connect**, which is a web-based SSH console plus the ability to 'send' a temporary SSH Key to the instance. It works very well if the instance was launched from an Amazon Linux AMI, which has the necessary software installed. The complexity of Step 3 is due to the fact that the SSH connection will actually come via the EC2 Instance Connect service rather than your own computer. That step can be replaced by opening port 22 (SSH) to `0.0.0.0/0`, but it's not a great security practice so remove such a rule once you have regained access. – John Rotenstein Apr 16 '23 at 03:00
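The comment above is the crux of step 3: the SSH session arrives from the EC2 Instance Connect service range when you use the browser client, and from your own address when you use the CLI, so the temporary rule can be scoped to exactly one of those instead of 0.0.0.0/0. The script below is an added example for this answer, not code from its author. It assumes jq and the AWS CLI v2 are installed, that SG_ID and INSTANCE_ID are set by you, and that the ip-ranges.json document keeps its published shape; the embedded sample uses documentation CIDRs, not AWS's real ranges.

```shell
#!/bin/sh
# Scope the temporary SSH ingress rule for an EC2 Instance Connect recovery.
# Added example for this answer; jq, the AWS CLI, SG_ID and INSTANCE_ID are
# assumptions of this script, not facts stated in the answer.

# Print the EC2_INSTANCE_CONNECT prefixes for one region. Reads ip-ranges.json
# on stdin so it can be fed from curl or from a saved copy.
instance_connect_prefixes() {
  jq -r --arg region "$1" '
    .prefixes[]
    | select(.region == $region and .service == "EC2_INSTANCE_CONNECT")
    | .ip_prefix'
}

# Turn a list of CIDRs (one per line on stdin) into the --ip-permissions JSON
# for authorize-/revoke-security-group-ingress: a single tcp/22 rule with one
# IpRanges entry per CIDR, each tagged so the rule is easy to find and remove.
ssh_ingress_permissions() {
  jq -Rn '[inputs | select(length > 0)] as $cidrs
    | [{ IpProtocol: "tcp", FromPort: 22, ToPort: 22,
         IpRanges: ($cidrs | map({ CidrIp: .,
                                   Description: "EC2 Instance Connect recovery (temporary)" })) }]'
}

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json;
# the CIDRs are RFC 5737 documentation ranges, not AWS's real ones.
SAMPLE_IP_RANGES='{
  "syncToken": "0",
  "createDate": "2024-01-01-00-00-00",
  "prefixes": [
    { "ip_prefix": "198.51.100.0/27",  "region": "us-east-1", "service": "EC2_INSTANCE_CONNECT", "network_border_group": "us-east-1" },
    { "ip_prefix": "198.51.100.64/27", "region": "us-east-1", "service": "AMAZON",               "network_border_group": "us-east-1" },
    { "ip_prefix": "203.0.113.0/29",   "region": "eu-west-1", "service": "EC2_INSTANCE_CONNECT", "network_border_group": "eu-west-1" }
  ]
}'

# Manual flow on the operator machine (AWS CLI v2):
#   Browser client (the answer's route): allow only the service range.
#     curl -s https://ip-ranges.amazonaws.com/ip-ranges.json \
#       | instance_connect_prefixes us-east-1 | ssh_ingress_permissions > perms.json
#   CLI route from your own machine: allow only your current address instead.
#     printf '%s/32\n' "$(curl -s https://checkip.amazonaws.com)" | ssh_ingress_permissions > perms.json
#   Then, for either route:
#     aws ec2 authorize-security-group-ingress --group-id "$SG_ID" --ip-permissions file://perms.json
#     aws ec2-instance-connect send-ssh-public-key --instance-id "$INSTANCE_ID" \
#         --instance-os-user ec2-user --ssh-public-key file://~/.ssh/id_ed25519.pub   # CLI route only
#     ssh -i ~/.ssh/id_ed25519 ec2-user@<public-dns>   # pushed key is accepted for 60 seconds
#     (append your permanent public key to ~/.ssh/authorized_keys while connected)
#     aws ec2 revoke-security-group-ingress --group-id "$SG_ID" --ip-permissions file://perms.json
if [ $# -eq 1 ]; then
  instance_connect_prefixes "$1" | ssh_ingress_permissions
fi
```

Keeping the exact permissions JSON in a file is what makes the clean-up reliable: revoke-security-group-ingress must match the rule it removes, so feeding it the same file you authorized with is the simplest way to be sure port 22 is closed again afterwards.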
0

One option you can use is the AWS CLI `ec2-instance-connect ssh` option that was added in version 2.12.0:

    aws ec2-instance-connect ssh --instance-id "$BASTION_INSTANCE_ID" --connection-type direct

Internally it will create a temporary SSH key and upload the public part to the instance.

lmiguelmh
-1

In my case an auto-scaling group was enabled, so it was easy to attach the instance to a new key pair. Here are the steps that I followed:

  1. Created a new key pair under EC2 Dashboard -> Key Pairs (download the .pem file in this step)
  2. Go to Auto Scaling -> Launch Configurations
  3. Select the required launch configuration and then copy the launch configuration
  4. Here, while reviewing the launch configuration, you can create a new key pair or select the existing key pair created in step 1
  5. Once the new launch configuration is created, go to the auto-scaling group
  6. Select the auto-scaling group, then select the new launch configuration from the dropdown
  7. Once this is done, if you stop the auto-scaling group's instance it will create a new one with the new launch configuration (with the new key pair)
Nithya