How to Recover lost Windows EC2 instance Key Pair

There is a concept of a key pair in AWS, and key pairs are generally used when we want to launch any type of EC2 instance. So what is a key pair?

A key pair, consisting of a public key and a private key, is a set of security credentials that you use to prove your identity when connecting to an Amazon EC2 instance. Amazon EC2 stores the public key on your instance, and you store the private key.

We store private keys (.pem or .ppk format) in a safe location and later use them to SSH into Linux instances or RDP into Windows instances. If the key pair (i.e. the private key) is lost, there is no way to recover it. However, there can still be a way to connect to instances for which you have lost the private key.

In this article, we will discuss how to connect to EC2 instances if the key pair is lost. The following steps will guide you through regaining access to a Windows EC2 instance.

Create AMI Image

1. Select your instance. From Actions, choose Image and templates, then Create image.

2. For Image name, enter a name; for Image description, enter a description; then choose Create image.

3. Choose AMIs from the navigation pane. If the Status is pending, the AMI is still being created. When the Status is available, continue to the next step.

4. Now stop the original Windows EC2 instance whose key pair is lost.

IAM Roles

As we move further, the SSM Agent on the Windows EC2 instance will need permission to register with AWS Systems Manager (SSM), so we need an IAM role that grants the EC2 instance that access. We will set up the IAM role first.

1. Go to the IAM service, choose Roles from the navigation pane, and choose AWS service as the trusted entity with EC2 as the service.

2. Now add permissions: search for SSM and select the AmazonSSMManagedInstanceCore managed policy. This is the policy for the EC2 role that enables Systems Manager core functionality. This policy grants the following permissions:

Launch Instance From AMI

Now we will launch an instance from the AMI that we previously created from our Windows EC2 instance.

1. Choose AMIs from the navigation pane, select the AMI we created earlier, and click Launch instance from AMI.

2. Complete the wizard. Be sure to select the same instance type, VPC, subnet, and security groups as the original instance.

3. Now create a new key pair and select it under Key pair name.

4. Under Advanced details, make sure you attach the IAM role (instance profile) we created earlier for SSM.

5. Review and launch the instance.

6. When you connect to the instance launched from the AMI, after waiting a few minutes you will see the following messages, even though you created a new key pair.

This is because the Windows Administrator password was generated and encrypted with the public key of the original key pair when the original instance first booted, and the AMI carries that encrypted password over to the new instance. It can only be decrypted with the old private key, which we have lost, so the new key pair cannot decrypt it and we cannot retrieve the password to connect. We need another way to connect to the new instance that we created from the AMI.

This is where SSM solves the problem. You might be wondering how SSM is useful here.

Configure the Systems Manager (SSM) with the Session manager & Fleet Manager

AWS Systems Manager is a collection of capabilities to help you manage your applications and infrastructure running in the AWS Cloud. It automates tasks across your AWS resources and centralizes operational data across your AWS resources. It can create logical groups of resources such as applications or production versus development environments.

1. Go to the Systems Manager service. In the navigation pane select Fleet Manager, and you should see the Windows instance launched from the AMI under Managed nodes, because the SSM Agent preinstalled on the Windows AMI can now register with Systems Manager through the instance profile we attached.

Before moving ahead, we will define the Session Manager.

What is a Session Manager?

Session Manager is a fully managed AWS Systems Manager capability. With Session Manager, you can manage your Windows and Linux instances, as well as on-premises servers and virtual machines (VMs), without the need to open inbound ports, maintain bastion hosts, or manage SSH keys.

2. Now in the navigation pane select Session Manager, click Preferences, then click Edit under General preferences.

3. Under General preferences, enable KMS encryption and create a new key.

AWS Key Management Service (KMS)

AWS Key Management Service (KMS) enables you to easily encrypt your data. It provides a highly available key storage management for you to encrypt data within your own applications and control the encryption of stored data across AWS services.

4. Configure the key, leaving the settings at their defaults.

5. Give the key an alias name.

6. Grant key permissions to the SSM role we created earlier.

7. Review and create the KMS key. Back in the Session Manager preferences, choose the alias of the key we just created and save.

8. In Fleet Manager select the instance, click Node actions and select Reset password.

9. Enter the user name Administrator.

10. You can see that the session is now encrypted with the KMS key. Enter the new password to complete the command successfully.

11. Now go back to EC2 and connect to the instance using RDP: copy the public DNS name, paste it into Remote Desktop Connection, and enter the user name Administrator with the password we set during the reset in SSM.

12. You are now successfully connected to the Windows EC2 instance that we created from the AMI.

13. Terminate the original Windows instance, which is in the stopped state.


In this way, by creating an AMI of the original Windows instance, we can launch a new Windows instance with a new key pair and the SSM IAM instance profile attached. Then, through Session Manager, we create a KMS key to encrypt our session and finally reset the password of the new Windows instance from Fleet Manager.
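The whole procedure above, scripted with boto3 as an added example that is not part of the original article. The role, key pair and AMI names and the SAMPLE_INSTANCE values are assumptions, and the Administrator reset is sent through Run Command's AWS-RunPowerShellScript document instead of the Fleet Manager button.

```python
# Scripted form of the recovery flow above: image the locked-out instance, launch a
# copy with a new key pair and an SSM instance profile, then reset Administrator.
import json
import time

SSM_CORE_POLICY = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"

# Constructed stand-in for one describe-instances entry (not real identifiers).
SAMPLE_INSTANCE = {"InstanceType": "t3.medium", "SubnetId": "subnet-0123456789abcdef0",
                   "SecurityGroups": [{"GroupId": "sg-0123456789abcdef0", "GroupName": "rdp"}]}

def ec2_trust_policy():
    """Trust policy letting the EC2 service assume the role (IAM Roles, step 1)."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}

def launch_params(instance, image_id, key_name, profile_name):
    """run_instances arguments that copy the original's type, subnet and security
    groups (Launch Instance From AMI, step 2) and add the new key pair and profile."""
    return {"ImageId": image_id, "InstanceType": instance["InstanceType"],
            "SubnetId": instance["SubnetId"],
            "SecurityGroupIds": [g["GroupId"] for g in instance["SecurityGroups"]],
            "KeyName": key_name, "IamInstanceProfile": {"Name": profile_name},
            "MinCount": 1, "MaxCount": 1}

def recover_access(instance_id, role_name, key_name, new_password):
    """Run the whole flow against a real account; returns (new instance id, new .pem)."""
    import boto3  # imported here so the pure helpers above work without boto3 installed
    ec2, iam, ssm = boto3.client("ec2"), boto3.client("iam"), boto3.client("ssm")
    original = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    ami = ec2.create_image(InstanceId=instance_id, Name=f"recover-{instance_id}")["ImageId"]
    ec2.get_waiter("image_available").wait(ImageIds=[ami])
    ec2.stop_instances(InstanceIds=[instance_id])  # keep it stopped until the copy is verified
    iam.create_role(RoleName=role_name, AssumeRolePolicyDocument=json.dumps(ec2_trust_policy()))
    iam.attach_role_policy(RoleName=role_name, PolicyArn=SSM_CORE_POLICY)
    iam.create_instance_profile(InstanceProfileName=role_name)
    iam.add_role_to_instance_profile(InstanceProfileName=role_name, RoleName=role_name)
    time.sleep(15)  # a fresh instance profile needs a moment to propagate before launch
    pem = ec2.create_key_pair(KeyName=key_name)["KeyMaterial"]  # store this one safely
    launched = ec2.run_instances(**launch_params(original, ami, key_name, role_name))
    new_id = launched["Instances"][0]["InstanceId"]
    ec2.get_waiter("instance_running").wait(InstanceIds=[new_id])
    # The SSM Agent preinstalled on Windows AMIs registers once the profile allows it.
    while not ssm.describe_instance_information(
            Filters=[{"Key": "InstanceIds", "Values": [new_id]}])["InstanceInformationList"]:
        time.sleep(10)
    # Swapped-in equivalent of the Fleet Manager reset: a Run Command PowerShell document.
    ssm.send_command(InstanceIds=[new_id], DocumentName="AWS-RunPowerShellScript",
                     Parameters={"commands": [f"net user Administrator '{new_password}'"]})
    return new_id, pem
```

Run Command keeps its parameters in the Systems Manager command history, so treat the password passed here as temporary and change it after the first RDP login; that exposure is one reason the article's Fleet Manager path encrypts the session with a KMS key.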

About the Author ✍🏻

Varshil Desai is a DevOps Engineer at QloudX with 4 AWS certifications & 1 Azure certification.

His main work is in DevOps technology, where he builds automated & quick solutions for clients.

With only 1 year of industry experience, Varshil has already made his mark with amazing solutions in the cloud using DevOps automation tools, while he also likes to explore AI/ML technology.

One Reply to “How to Recover lost Windows EC2 instance Key Pair”

  1. Dipak Shinde says:

    Excellent! Easy to understand and follow! Thank you.
