How do I replace a lost key pair for my EC2 Windows instance?


I used EC2Config or EC2Launch to try to reset a lost password. However, I lost the private key file for the key pair that I use to launch my Amazon Elastic Compute Cloud (Amazon EC2) Windows instance.

Resolution

To replace a lost key pair, you can use the AWSSupport-ResetAccess Automation runbook. Or, create an Amazon Machine Image (AMI), and then launch a new instance.

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Use the AWSSupport-ResetAccess Automation runbook

To use the AWSSupport-ResetAccess Automation runbook to replace a lost key pair or local administrator password, see Reset passwords and SSH keys on EC2 instances.

Create an AMI, and launch a new instance

When you use EC2Config, EC2Launch, or EC2Launch v2 to reset a lost password, use the key pair to retrieve the administrator password. If you lost the key pair, then create an Amazon Machine Image (AMI) of your instance. Launch the new instance, and then use the instance launch wizard to select a new key pair.

Complete the following steps:

  1. Create a new key pair, and then save the private key file. You can use the Amazon EC2 console, AWS CLI, or AWS Tools for PowerShell to create the key pair.
    Note: To give the new key pair the same name as the lost key pair, you must first delete the lost key pair.
  2. Open the Amazon EC2 console.
  3. In the navigation pane, choose Instances, and then choose your instance.
  4. On the Details tab, note the Instance type, VPC ID, Subnet ID, Security groups, and IAM role for the instance.
  5. Stop your instance.
    Important: If an instance has an instance store volume, then the volume loses its data when the instance is stopped. If the instance shutdown behavior is set to Terminate, then the instance terminates when it's stopped.
  6. Select your instance.
  7. Choose Actions, choose Image and templates, and then choose Create Image. Enter the following information:
    For Image name, enter a name.
    (Optional) For Image description, enter a description.
  8. Choose Create Image, and then choose Close.
  9. In the navigation pane, choose AMIs. When the Status is Available, continue to the next step.
  10. Select the AMI, and then choose Launch instance from AMI.
  11. Use the launch instance wizard to launch the instance. Be sure to choose the same Instance type, VPC ID, Subnet ID, Security groups, and IAM role as the instance that you want to replace. Also, make sure to select a new key pair.
  12. (Optional) If the original instance has an associated Elastic IP address, then associate the Elastic IP address with the new instance.
  13. (Optional) If any Amazon Elastic Block Store (Amazon EBS) volumes aren't captured when you create your AMI, then detach the volume and attach it to the new instance.
    Note: When you detach the volume, you don't need to unmount the volume because the original instance is already in the Stopped state.
  14. Reset the administrator password. Use EC2Config for Windows Server 2012 R2 or earlier. Use EC2Launch for Windows Server 2016 or later. If you use a supported Windows AMI that includes EC2Launch v2, then use EC2Launch v2.
  15. (Optional) You can terminate the stopped instance that has the lost key pair. Also, after you launch the new instance, you can delete the AMI.
    Note: If you store AMIs, then you might incur additional costs. If you no longer need the AMI, then delete the AMI.
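
The console steps above can also be run from the AWS CLI. The following is an added example, not part of the original article and not an AWS-provided script: it covers steps 1, 4-5 and 7-11 and checks the step 5 warning before it stops anything. The file name replace-keypair.sh, the function names, and the three arguments are assumptions.

```sh
#!/bin/sh
# Added example (not AWS's script): AWS CLI form of steps 1, 4-5 and 7-11.
# Usage: sh replace-keypair.sh <instance-id> <new-key-name> <ami-name>
set -eu

# Read one field of the original instance (step 4: note its settings).
q() {
  aws ec2 describe-instances --instance-ids "$1" \
    --query "Reservations[0].Instances[0].$2" --output text
}

# Step 5 "Important": refuse to stop when the stop could terminate the
# instance or wipe instance store volumes.
preflight() {
  local id behavior has_store
  id=$1
  behavior=$(aws ec2 describe-instance-attribute --instance-id "$id" \
    --attribute instanceInitiatedShutdownBehavior \
    --query 'InstanceInitiatedShutdownBehavior.Value' --output text)
  has_store=$(aws ec2 describe-instance-types \
    --instance-types "$(q "$id" InstanceType)" \
    --query 'InstanceTypes[0].InstanceStorageSupported' --output text)
  [ "$behavior" = "stop" ] || { echo "shutdown behavior: $behavior" >&2; return 1; }
  [ "$has_store" = "False" ] || { echo "instance store present" >&2; return 1; }
}

replace_keypair() {
  local id key name ami profile
  id=$1 key=$2 name=$3
  preflight "$id" || return 1
  # Step 1: new RSA key pair; the private key file is readable by its owner only.
  ( umask 077; aws ec2 create-key-pair --key-name "$key" --key-type rsa \
      --query 'KeyMaterial' --output text > "$key.pem" )
  # Steps 5-9: stop the instance, create the AMI, wait until it is available.
  aws ec2 stop-instances --instance-ids "$id" >/dev/null
  aws ec2 wait instance-stopped --instance-ids "$id"
  ami=$(aws ec2 create-image --instance-id "$id" --name "$name" \
    --query 'ImageId' --output text)
  aws ec2 wait image-available --image-ids "$ami"
  # Steps 10-11: same type, subnet, security groups, IAM role; new key pair.
  # The security group IDs come back tab-separated and are split on purpose.
  set -- --image-id "$ami" --key-name "$key" \
    --instance-type "$(q "$id" InstanceType)" --subnet-id "$(q "$id" SubnetId)" \
    --security-group-ids $(q "$id" 'SecurityGroups[].GroupId')
  profile=$(q "$id" IamInstanceProfile.Arn)
  [ "$profile" = "None" ] || set -- "$@" --iam-instance-profile "Arn=$profile"
  aws ec2 run-instances "$@" --query 'Instances[0].InstanceId' --output text
}

# Run only when called with the three arguments, so the file can be sourced.
if [ "$#" -eq 3 ]; then replace_keypair "$@"; fi
```

The script prints the new instance ID and stops there; steps 12 to 15 (Elastic IP address, extra EBS volumes, password reset, cleanup) are still done as described above.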

Related information

Amazon EC2 key pairs and Amazon EC2 Instances

Tutorial: Get started with Amazon EC2 Windows instances

AWS OFFICIAL Updated 6 months ago