
Add Keypair to existing EC2 instance


Introduction

Amazon Web Services (AWS) provides the Amazon Elastic Compute Cloud (EC2), which is a web service that offers scalable compute capacity. When you create an EC2 instance, you can associate it with a key pair that allows secure access to the instance. Over time, the need may arise to modify or add a key pair to an existing EC2 instance for maintenance, security, or operational reasons. In this article, we will explore the technical method to add a key pair to an existing EC2 instance.

Understanding Key Pairs

At its core, a key pair consists of a public key and a private key. When you launch an EC2 instance, AWS places the public key on your instance, and you are tasked with securely storing the private key. The private key allows you to securely SSH into the instance. Without the private key or an alternative method of access, you cannot manage the instance.

Challenges with Changing Key Pairs on EC2

Once an EC2 instance is launched, AWS does not provide a direct method to change or add a key pair; the key pair selected at launch is only injected into the instance's ~/.ssh/authorized_keys file on first boot. However, you can use several techniques to add a new key pair to an instance:

  1. Manually Add a New Public Key:
    • Connect to the instance using the existing key pair.
    • Append the new public key to the ~/.ssh/authorized_keys file.
  2. Use the EC2 Instance Connect Feature:
    • If the instance supports EC2 Instance Connect, use it to push a short-lived public key (valid for 60 seconds) and open a session, then add your permanent public key from that session.
  3. Re-create via AMI:
    • Create an Amazon Machine Image (AMI) from the instance.
    • Launch a new instance from the AMI with the new key pair.
    • Ensure this approach meets your operational needs (new instance ID and addresses, downtime) and data integrity requirements.

Detailed Process to Add a Key Pair

Prerequisites

  • Access to an existing EC2 instance with the appropriate permissions.
  • An available SSH key pair or the ability to create one.
  • Ensure SSH and related ports are open in your security groups and network ACLs.

Process Overview

Step 1: Generate a New Key Pair

  1. Generate Locally Using ssh-keygen: Open your terminal and run:

```bash
ssh-keygen -t rsa -b 4096 -f ~/.ssh/my-new-key
```

This will create two files: my-new-key (private key) and my-new-key.pub (public key).

  2. Generate Using AWS CLI: Alternatively, use the AWS CLI to create a key pair:

```bash
aws ec2 create-key-pair --key-name MyNewKey --query 'KeyMaterial' --output text > MyNewKey.pem
```

Step 2: Add the New Public Key to the Existing Instance

  1. Log in to the Instance: Use your current key pair to SSH into the instance:

```bash
ssh -i ~/.ssh/old-key.pem ec2-user@<instance-ip-address>
```

  2. Update the authorized_keys File:
    • Transfer the new public key to your instance, e.g., using scp:

```bash
scp -i ~/.ssh/old-key.pem ~/.ssh/my-new-key.pub ec2-user@<instance-ip-address>:~/
```

    • On the instance, append the new public key to ~/.ssh/authorized_keys:

```bash
cat ~/my-new-key.pub >> ~/.ssh/authorized_keys
```

  3. Set Correct Permissions: Ensure permissions are correctly configured:

```bash
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
```

  4. Verify Access: Disconnect and reconnect using the new key:

```bash
ssh -i ~/.ssh/my-new-key ec2-user@<instance-ip-address>
```
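The append step above is the one that goes wrong in practice: a second run of `cat >> authorized_keys` duplicates the entry, a malformed or multi-line file silently breaks the whole authorized_keys file, and sshd refuses a file with loose permissions. The helper below is an added example (not part of the original article and not an AWS-provided tool) that makes the append idempotent and self-checking. The function names `validate_pubkey`, `add_authorized_key` and `count_authorized_keys`, and the sample key in the comments, are constructed for this illustration.

```bash
#!/bin/sh
# Added example (hypothetical helper, not from the article): safely append an
# OpenSSH public key to an authorized_keys file, then enforce the permissions
# sshd expects (700 on ~/.ssh, 600 on authorized_keys).

# validate_pubkey LINE
# Succeeds only if LINE looks like "<key-type> <base64-blob> [comment]".
validate_pubkey() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^[:space:]].*)?$'
}

# add_authorized_key PUBKEY_FILE AUTHORIZED_KEYS_FILE
# Exit status: 0 = appended, 2 = already present (nothing changed), 1 = rejected.
add_authorized_key() {
    pubkey_file=$1
    auth_file=$2

    # Only the first line is used: a .pub file must be a single line.
    key_line=$(head -n 1 "$pubkey_file")
    if ! validate_pubkey "$key_line"; then
        echo "rejected: $pubkey_file is not a single-line OpenSSH public key" >&2
        return 1
    fi

    # Compare key type and key material only, so a different trailing comment
    # does not create a duplicate entry for the same key.
    key_material=$(printf '%s\n' "$key_line" | awk '{print $1 " " $2}')

    ssh_dir=$(dirname "$auth_file")
    mkdir -p "$ssh_dir"
    touch "$auth_file"

    if awk -v km="$key_material" '$1 " " $2 == km { found = 1 } END { exit !found }' "$auth_file"; then
        echo "already present: $key_material" >&2
        return 2
    fi

    printf '%s\n' "$key_line" >> "$auth_file"
    chmod 700 "$ssh_dir"
    chmod 600 "$auth_file"
    return 0
}

# count_authorized_keys AUTHORIZED_KEYS_FILE
# Prints the number of active entries (blank lines and '#' comments ignored);
# useful as a sanity check before removing an old key during rotation.
count_authorized_keys() {
    grep -Ecv '^[[:space:]]*(#|$)' "$1" || true
}

# Usage on the instance (constructed sample path, same layout as the article):
#   add_authorized_key ~/my-new-key.pub ~/.ssh/authorized_keys
#   count_authorized_keys ~/.ssh/authorized_keys
```

Run it on the instance after copying the .pub file over with scp; re-running it is harmless because the duplicate check returns 2 without touching the file. Keep the original session open until the verification login in step 4 succeeds, since a typo in authorized_keys can lock you out otherwise.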

Table of Key Steps and Commands

| Step | Command/Action |
|------|----------------|
| Generate a New Key Pair | `ssh-keygen -t rsa -b 4096 -f ~/.ssh/my-new-key` |
| Alternative AWS CLI Key Gen | `aws ec2 create-key-pair --key-name MyNewKey --query 'KeyMaterial' --output text > MyNewKey.pem` |
| SSH to Instance | `ssh -i ~/.ssh/old-key.pem ec2-user@<instance-ip-address>` |
| Copy Public Key to Instance | `scp -i ~/.ssh/old-key.pem ~/.ssh/my-new-key.pub ec2-user@<instance-ip-address>:~/` |
| Append to authorized_keys | `cat ~/my-new-key.pub >> ~/.ssh/authorized_keys` |
| Set Directory and File Permissions | `chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys` |
| Verify New Key Access | `ssh -i ~/.ssh/my-new-key ec2-user@<instance-ip-address>` |

Additional Considerations

Security Best Practices

  • Private Key Security: Always ensure the private key remains secure, with restricted file permissions (for example, `chmod 600`) so that no other local user can read it.
  • Key Rotation: Regularly update (rotate) your key pairs, and remove the old public key from authorized_keys once the new one is verified, to minimize exposure in case a private key is leaked.
  • Documentation: Keep track of which keys are authorized on which instances, and of your rotation process, in your operational documentation.

Alternate Authentication Methods

Consider implementing additional authentication methods, such as Multi-Factor Authentication (MFA), to enhance the security of your EC2 instance access.

Automating Key Management

For environments where frequent key changes are necessary, consider integrating automated solutions using AWS Systems Manager, Lambda functions, or third-party tools.

Conclusion

Adding a key pair to an existing EC2 instance requires a few careful steps and an understanding of secure SSH practices. By following the techniques outlined in this article, you can seamlessly manage SSH access to your EC2 instances while ensuring robust security management.
