Deleting a Key Pair for AWS EC2 Instance with EBS


EC2 key pairs, which appear on AWS console panel, are only used to initialize EC2 instances, granting you initial access to them with the provided key pair. Thus, deleting them on AWS console panel won't make a difference on existing instances. See AWS Doc.

To prevent the use of the old private key, you need to edit the .ssh/authorized_keys file on your remote EC2 instance, removing the corresponding entry, which is the public key of your EC2 key pair.

Remember to add your new public key to the authorized_keys file, and test it before removing the old one, or you may be locked out of your EC2 instance.

To issue a new key pair, use the ssh-keygen command on your local Linux machine; it is an interactive program when called without arguments.

And use ssh-copy-id to automatically apply your new key to your instance.
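The rotation described in this answer, as an added example that is not part of the original post: a small POSIX shell script that edits an authorized_keys file in the safe order (install the new key, confirm it is present, then retire the old one). The key material and file paths are constructed placeholders, and the script assumes entries carry no leading options such as `command="..."`.

```shell
#!/bin/sh
# Rotate an SSH key by editing authorized_keys in the order the answer gives:
# install the new public key, confirm it is present, and only then remove the
# old entry. Keys are matched on type + key material (fields 1 and 2), so a
# changed comment does not defeat the match. Assumes no options prefix.

# Print "type material" for the single public key in file $1.
key_id() { awk 'NR == 1 { print $1, $2; exit }' "$1"; }

# Exit 0 if authorized_keys ($1) already holds the key in $2.
has_key() { grep -qF -- "$(key_id "$2")" "$1"; }

# Append the key in $2 to authorized_keys ($1) unless already present
# (what ssh-copy-id does on the remote side).
install_key() {
    has_key "$1" "$2" && return 0
    cat "$2" >> "$1" && chmod 600 "$1"
}

# Remove the key in $2 from authorized_keys ($1), refusing (exit 2) when the
# replacement key in $3 is not yet installed, since that would lock you out.
retire_key() {
    has_key "$1" "$3" || return 2
    tmp="$1.tmp.$$"
    grep -vF -- "$(key_id "$2")" "$1" > "$tmp" || [ $? -eq 1 ] || return 1
    chmod 600 "$tmp" && mv "$tmp" "$1"
}

# Walk the rotation on a constructed authorized_keys file (placeholder key
# material, not real keys). Returns 0 when every step behaves as expected.
rotate_demo() {
    d=$(mktemp -d) || return 1
    printf 'ssh-ed25519 AAAAC3Nz_CONSTRUCTED_OLD_KEY_MATERIAL old-laptop\n' > "$d/old.pub"
    printf 'ssh-ed25519 AAAAC3Nz_CONSTRUCTED_NEW_KEY_MATERIAL new-laptop\n' > "$d/new.pub"
    cp "$d/old.pub" "$d/authorized_keys"
    # 1. Retiring before the new key is installed must be refused.
    retire_key "$d/authorized_keys" "$d/old.pub" "$d/new.pub" && return 1
    # 2. Install the new key (idempotent), then retire the old one.
    install_key "$d/authorized_keys" "$d/new.pub" || return 1
    install_key "$d/authorized_keys" "$d/new.pub" || return 1
    retire_key "$d/authorized_keys" "$d/old.pub" "$d/new.pub" || return 1
    # 3. Exactly the new key remains.
    has_key "$d/authorized_keys" "$d/new.pub" || return 1
    has_key "$d/authorized_keys" "$d/old.pub" && return 1
    n=$(grep -c '' "$d/authorized_keys"); rm -rf "$d"
    [ "$n" -eq 1 ]
}

rotate_demo && echo "rotation demo: all checks passed"
```

On a real instance you would run `install_key` and `retire_key` against `~/.ssh/authorized_keys` and, between the two, confirm a fresh `ssh -i new-key` login works.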

Author by nhuff717
Updated on September 18, 2022

Comments

  • nhuff717
    nhuff717 almost 2 years

    I have an AWS EC2 Instance using EBS and I want to stop the use of the current private key, and use a new one. As I understand it, merely deleting the key pair on the AWS Console just deletes the public key and does not prevent access to the instance using the (old) private key via SSH.

    I attempted a workaround (detailed here) but I realized this doesn't prevent the use of the old private key.

    Is there any way to keep using this instance and prevent the use of the old private key and issue a new one, without having to create a new instance and re-install everything? Can you go into Linux and SSH and manually delete support for specific keys?

    I can provide details about the instance configuration as needed.

  • nhuff717
    nhuff717 almost 10 years
    I will check in again once I look at that file and folder, but first do I need to do anything in /etc/ssh as well?
  • pallxk
    pallxk almost 10 years
    If you cannot use ssh-copy-id, you may also add your public key manually in the .ssh/authorized_keys file on your server. Just copy the content of your .pub key file into a separate line of that file.
  • nhuff717
    nhuff717 almost 10 years
    Great, so just to verify the steps (I am not a sys admin): 1. Generate the new key locally using ssh-keygen. 2. Add the contents of the .pub file to a new line of the .ssh/authorized_keys file on the EC2 Instance. 3. Verify that the newly added key works by using ssh -i new-key-file.pem user@ip. Does this sound right?
  • pallxk
    pallxk almost 10 years
    Exactly. And delete your old public key entry, if you do not want it, in .ssh/authorized_keys file after all the operations you mentioned succeed.
  • Utsav Gupta
    Utsav Gupta over 4 years
    "As far as I know, EC2 key pairs, which appear on AWS console panel, are only used to initialize EC2 instances, granting you initial access to them with the provided key pair. Thus, deleting them on AWS console panel won't make a difference on existing instances." This information is not correct, please check the link: aws.amazon.com/premiumsupport/knowledge-center/…
  • pallxk
    pallxk over 4 years
    @UtsavGupta EC2 key pairs and AWS access key are two different things. One for EC2 and the other for AWS Account. See docs.aws.amazon.com/AWSEC2/latest/UserGuide/…
  • Utsav Gupta
    Utsav Gupta over 4 years
    @pallxk thanks for clarifying, I am still confused. What is meant by AWS access keys for the AWS account here?