Change Key Pair for EC2 Instance

Introduction

Amazon EC2 (Elastic Compute Cloud) instances are a popular solution for deploying applications in the cloud due to their flexibility and scalability. One critical aspect of managing EC2 instances is ensuring secure access through SSH (Secure Shell) connections. This is usually accomplished by using key pairs: a public key that you upload to the instance and a private key that you keep secure and use to authenticate to the instance.

Sometimes, there may be a need to change the key pair associated with an EC2 instance, such as when a private key is lost or compromised. In this article, we will explore the process of changing a key pair for an EC2 instance and provide step-by-step instructions.

Prerequisites

Before proceeding, ensure that you have:

  • Access to your AWS Management Console.
  • IAM permissions to modify EC2 instances.
  • The ability to connect to your EC2 instances using an existing key pair.

Step-by-Step Guide to Change Key Pair

Step 1: Generate a New Key Pair

  1. Navigate to EC2 Dashboard:
    • Log in to the AWS Management Console.
    • Open the EC2 Dashboard.
  2. Create a New Key Pair:
    • On the left navigation pane, select Key Pairs.
    • Click on Create Key Pair.
    • Provide a name for the key pair (e.g., new-key-pair).
    • Select the RSA or Ed25519 type based on preference.
    • Click Create.
    • The private key file (.pem) will be automatically downloaded to your default download location.

Step 2: Modify EC2 Instance

  1. Stop the Instance (Optional but Recommended):
    • Navigate to Instances on the EC2 Dashboard.
    • Select the desired instance, click on Actions, choose Instance State, and then Stop.
  2. Detach the Root Volume:
    • Under Actions, choose Instance Settings then Detach Volume.
    • Make a note of the volume ID for later use.
  3. Launch a Temporary Instance:
    • Launch a temporary EC2 instance in the same availability zone (AZ) with the new key pair.
    • Use an Amazon Machine Image (AMI) that matches the original instance.

Step 3: Access and Modify the Root Volume

  1. Attach the Root Volume:
    • From the left pane, select Volumes.
    • Find the detached volume using the noted volume ID, then click Attach Volume.
    • Attach it to the temporary instance.
  2. Access the Temporary Instance:
    • Connect to the temporary instance via SSH.
  3. Modify .ssh/authorized_keys:
    • Mount the attached volume if necessary (e.g., sudo mount /dev/xvdg1 /mnt).
    • Navigate to the .ssh directory: cd /mnt/home/ec2-user/.ssh.
    • Edit the authorized_keys file: sudo nano authorized_keys.
    • Add the public key from the new key pair. Save and exit the editor.
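
The hand edit in Step 3 can also be scripted. The following is an added example, not part of the original article: a shell function that checks the new public key's format, installs it into authorized_keys on the mounted volume, and restores the ownership and modes sshd expects. It goes beyond the step above by offering a replace mode that drops the old entries (for a compromised key); the function name, the .bak backup and the new-key-pair.pub file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the article. Run as root on the temporary instance
# once the original root volume is mounted.
# Usage: install_pubkey <pubkey-file> <ssh-dir> [append|replace]
#   pubkey-file  one-line public key, e.g. from:
#                ssh-keygen -y -f new-key-pair.pem > new-key-pair.pub
#   ssh-dir      e.g. /mnt/home/ec2-user/.ssh (the article's mount point)
#   replace      drop existing entries (old private key compromised)
install_pubkey() {
  local pub="$1" dir="$2" mode="${3:-append}" auth line ktype rest blob
  auth="$dir/authorized_keys"
  [ -r "$pub" ] && [ -d "$dir" ] || { echo "missing key file or .ssh dir" >&2; return 2; }

  # Exactly one non-empty line; strip CRs left by Windows editors.
  [ "$(grep -c . "$pub")" -eq 1 ] || { echo "expected a one-line public key" >&2; return 3; }
  line=$(grep . "$pub" | tr -d '\r')
  ktype=${line%% *}; rest=${line#* }; blob=${rest%% *}

  # The base64 blob begins with the encoded key type, so a truncated paste,
  # a type/blob mismatch or a private key fails this check.
  case "$ktype:$blob" in
    ssh-rsa:AAAAB3NzaC1yc2E*|ssh-ed25519:AAAAC3NzaC1lZDI1NTE5*) ;;
    *) echo "not an ssh-rsa or ssh-ed25519 public key" >&2; return 3 ;;
  esac
  printf '%s\n' "$blob" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' ||
    { echo "key blob is not base64" >&2; return 3; }

  [ -f "$auth" ] && cp -p "$auth" "$auth.bak"   # rollback copy
  if [ "$mode" = replace ]; then
    printf '%s\n' "$line" > "$auth"
  elif ! grep -qF " $blob" "$auth" 2>/dev/null; then
    # A file without a trailing newline would glue the two keys together.
    [ -s "$auth" ] && [ -n "$(tail -c1 "$auth")" ] && echo >> "$auth"
    printf '%s\n' "$line" >> "$auth"
  fi

  # sshd reads the file as the login user and, with StrictModes (the
  # default), rejects loose modes; a file written as root on the rescue
  # host therefore gets the owner of .ssh back.
  chown "$(stat -c '%u:%g' "$dir")" "$auth"
  chmod 700 "$dir" && chmod 600 "$auth"
}

# Allow direct use: sh install_pubkey.sh new-key-pair.pub /mnt/home/ec2-user/.ssh
if [ "$#" -ge 2 ]; then install_pubkey "$@"; fi
```

Remove the authorized_keys.bak copy once access with the new key pair is verified, since it still lists the old key.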

Step 4: Restore Configuration

  1. Detach and Re-Attach Volume:
    • Detach the volume from the temporary instance and re-attach it to the original instance.
  2. Start the Original Instance:
    • Navigate back to the Instances view.
    • Select the original instance, go to Actions, and choose Start.
  3. Verify Access:
    • Use SSH to connect to the original instance using the new key pair:
```bash
ssh -i /path/to/new-key-pair.pem ec2-user@{instance-public-dns}
```

Troubleshooting

If any issues arise during these steps, consider:

  • Verifying that the correct permissions are set on the .pem file (chmod 400 new-key-pair.pem).
  • Ensuring the public key is accurately placed and formatted in the authorized_keys file.

Summary Table

| Step | Action | Description |
|------|--------|-------------|
| 1 | Generate New Key Pair | Create a new key pair in the AWS console. |
| 2 | Modify EC2 Instance | Stop instance & Detach the root volume. |
| 3 | Access Root Volume | Attach volume to a temporary instance. Access & modify authorized_keys. |
| 4 | Restore Configuration | Detach and reattach the volume, restart instance, verify access. |

Conclusion

Changing the key pair for an existing EC2 instance involves several steps but is vital for maintaining the security and integrity of your system. By following these instructions, you can ensure that your EC2 instance remains accessible while safeguarding sensitive access credentials. Regularly checking and updating your key pairs is a beneficial practice in distributed system management and cloud security.
