Thursday, July 28, 2011

Replace a lost Key Pair an existing AWS EC2 Instance uses

By Semir H.

This tutorial will show you how to use a new Key Pair with an existing Linux instance.



You have an existing EBS (root device) based Instance with data on it that needs to be saved. The original Key Pair has been lost so you can’t log into the Linux Instance. You need to get to the data on the virtual machine.


We’ll clone the running Instance and re-deploy it but with a new Key Pair. We can either use a pre-made Pair or create a Pair while we’re re-deploying. My example uses Ubuntu but should apply to other flavours as well.

Creating an Image:

Log into your Amazon Web Services (AWS) Management Console, go to Amazon EC2, pick the Region where the Instance in question is running and click on the Instances link. Right click on the Instance in question and select “Create Image (EBS AMI)” from the resulting menu.

Give it an Image Name and a Description and click on the “Create This Image” button.

The process will now begin.  Close the notification window.

Once the AMI is created (won’t take long) you should see it in the "Images" - "AMIs" part of your Amazon EC2 AWS Management Console. Please make sure you are still in the correct Region.

Creating new Instance out of the new AMI:

Go to Images - AMIs, locate your recently created AMI, right-click on it and select “Launch Instance” from the resulting menu.

Follow the prompts to finish creating the Instance (see my previous post) but make sure you select the correct Key Pair (one you created earlier, not the lost one) in the “Create Key Pair” section.

All other settings should be the same as for the original Instance.
After a little bit of time your new Instance should be up and running.
In the Instances list, please note that the old and the new Instance show different Key Pairs.

You can now connect to it, using your new private key, and confirm that all your data is still there.
Once you confirm no data is missing you can stop the old Instance and eventually terminate it (after making absolutely sure you will never need anything from it).

Cleaning Up:

You can now de-register the AMI (unless you want to use it again later).

You should also go to EBS - Snapshots and delete the Snapshot of the disk that was created when the AMI was made (unless you intend to use it for something in the future).
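
The three console stages above (create an AMI, launch it with a new Key Pair, clean up) can also be run from the AWS CLI. This is an added example, not part of the original post; it assumes a configured AWS CLI, an instance in a VPC subnet and a Key Pair that already exists under the name you pass in, and the function names and the `AWS` override variable are introduced here for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): the same flow with the AWS CLI.
# Assumes a configured CLI and an instance that lives in a VPC subnet.
set -eu
AWS=${AWS:-aws}   # overridable so the flow can be rehearsed against a stub

# Read one attribute of an instance ($1 = instance id, $2 = JMESPath suffix).
attr() {
  $AWS ec2 describe-instances --instance-ids "$1" --output text \
    --query "Reservations[0].Instances[0].$2"
}

# "Creating an Image": image the locked-out instance, wait for the AMI.
# create-image reboots the instance by default for a consistent disk copy.
create_ami() (   # $1 = instance id, $2 = AMI name
  ami=$($AWS ec2 create-image --instance-id "$1" --name "$2" \
        --description "Clone of $1 to replace lost key pair" \
        --query ImageId --output text)
  $AWS ec2 wait image-available --image-ids "$ami"
  echo "$ami"
)

# "Creating new Instance": launch the AMI with the NEW key pair, copying
# instance type, subnet and security groups from the original instance.
launch_clone() (   # $1 = original instance id, $2 = AMI id, $3 = new key name
  itype=$(attr "$1" InstanceType)
  subnet=$(attr "$1" SubnetId)
  groups=$(attr "$1" 'SecurityGroups[].GroupId')
  # $groups is left unquoted on purpose: it is a whitespace-separated ID list.
  $AWS ec2 run-instances --image-id "$2" --key-name "$3" \
    --instance-type "$itype" --subnet-id "$subnet" \
    --security-group-ids $groups \
    --query 'Instances[0].InstanceId' --output text
)

# "Cleaning Up": record the AMI's snapshots, de-register it, delete them.
cleanup_ami() (   # $1 = AMI id
  snaps=$($AWS ec2 describe-images --image-ids "$1" --output text \
    --query 'Images[0].BlockDeviceMappings[].Ebs.SnapshotId')
  $AWS ec2 deregister-image --image-id "$1"
  for s in $snaps; do $AWS ec2 delete-snapshot --snapshot-id "$s"; done
)

# Usage: rekey.sh <instance-id> <new-key-name>   (script name is hypothetical)
if [ "$#" -eq 2 ]; then
  ami=$(create_ami "$1" "rekey-$1")
  new=$(launch_clone "$1" "$ami" "$2")
  echo "AMI $ami launched as $new with key pair $2"
  echo "After checking your data on $new, clean up with: cleanup_ami $ami"
fi
```

The clone's disk is a copy of the original, so the lost key's public half is still listed in the login user's `~/.ssh/authorized_keys` next to the new one; delete that line after logging in if the lost private key could be in anyone else's hands.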


  1. Thanks! Was locked out of my instance due to a lost key pair until I came across your guide. Simple and easy to understand, was back up and running in 10 minutes!

  2. Thank you!!!! You saved me hours of research. However, when you create the new Instance, the username for SSH login is: ec2-user.

    I spent some time looking for it.

  3. ec2-user is for Amazon's own Linux instances.
    I think all Ubuntu ones, by Canonical, still use ubuntu as the username.

  4. This tutorial saved me hours of googling! Thanks!!!

  5. Cheers mate! Definitely the easiest way to recover of all the alternatives I've found on Google

  6. Hi,
    How about in Windows?
    I stopped my 10 instances to prevent additional charges, but when I start my instances again the IP changes and I think the data inside is also gone.

  7. Thank you this was very useful for me. Saved my day :)

  8. BIG THANK YOU! That really really really helped! :)