Solving the Issue of Lost Access Key Pair

The key pair is what encrypts and decrypts the administrator credentials of the EC2 virtual server; without the private key, the Windows password cannot be retrieved.

In the event of losing the key pair, follow these steps to reset the key pair using the AWS Systems Manager service.

Requirements:

  • The EC2 instance must be able to reach the AWS Systems Manager endpoints over the Internet, either through a public IP address or through a NAT gateway.
  • Alternatively, the EC2 instance can connect to AWS Systems Manager privately through a VPC Endpoint.
  1. To enable AWS Systems Manager to manage tasks on the EC2 instance, verify the status of the SSM agent within the EC2 interface:

    • Go to Instances.
    • Select the recently created EC2 Windows-instance using the Microsoft Windows Server 2022 AMI.
    • Click Connect.

    Connect

    1.1. If the SSM agent is running and authorized, the Session Manager tab shows an enabled (bold) Connect button (proceed to step 2). If not, attach a suitable IAM role (with SSM permissions) to the EC2 instance.

    SSM agent

    For the list of operating systems and AMIs that ship with the SSM agent preinstalled, refer to this link.

    1.2. To assign roles with SSM permissions to EC2, navigate to the IAM interface:

    • Go to Roles.
    • Click Create role.

    Create role

    1.3. In the Select trusted entity interface:

    • Choose AWS service.
    • Select EC2.
    • Click Next.

    Select trusted entity

    1.4. In the Permissions policies section:

    • Type: AmazonSSMFullAccess, then press Enter.
    • Check the box for AmazonSSMFullAccess.
    • Click Next.

    Permissions policies

    1.5. Proceed to:

    • In the Role name field, enter: Windows-instance.
    • Scroll to the bottom of the page and click Create role.

    Create role

    1.6. In the EC2 interface:

    • Go to Instances.
    • Select the EC2 Windows-instance.
    • Choose Actions -> Security -> Modify IAM role.

    Modify IAM role

    1.7. In the Modify IAM role interface:

    • In the IAM role section, select the role you created: Windows-instance.
    • Click Update IAM role.

    Update IAM role

  2. In the AWS Systems Manager interface:

    • Choose Run Command.
    • Select Run a Command.

    Run Command

  3. In the AWS Systems Manager interface:

    • Type: AWSSupport-RunEC2RescueForWindowsTool.
    • Select AWSSupport-RunEC2RescueForWindowsTool.
    • Scroll down, in the Target selection section, choose Choose instances manually.
    • Select the EC2 Windows-instance (if the instance is not listed, wait for the SSM agent to register with AWS Systems Manager and refresh the list).
    • Uncheck Enable an S3 bucket.
    • Click Run.

    Run Command

  4. Wait for about 1 minute until the Status changes from In Progress to Success.

    Status

  5. In the AWS Systems Manager interface:

    • Select Parameter Store.
    • Under the My parameters section, select /EC2Rescue/Passwords/i-0d411e2b0f028181a, corresponding to the recently reset key pair EC2 instance.

    Parameter Store

  6. Under Value, click Show to reveal the new password for the EC2 instance.

    Show password

  7. Copy this password for the next step of logging into the EC2 instance.

    Copy password

  8. In the EC2 interface:

    • Go to Instances.
    • Select the EC2 - Windows-instance.
    • Click Connect.

    Connect

  9. In the Connect to instance interface:

    • Choose RDP client.
    • Select Connect using RDP client.
    • Click Download remote desktop file.

    RDP client

  10. Once downloaded, open the remote desktop file.

    Open RDP

  11. In the Remote Desktop Connection screen, paste the password you copied in step 7, then click OK and Yes to proceed.

    Remote Desktop Connection

  12. Verify the connection; the public IP shown on the Desktop screen should match the EC2 instance's Public IP in the console.

    Public IP

  13. Congratulations! You have successfully logged into the Windows EC2 instance by resetting the password.
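The console procedure above (steps 1.2 through 7) can also be driven from the AWS CLI, which is handy when the reset has to be scripted or audited. The script below is an added example and is not part of the original page or of the AWS tooling it describes. It assumes AWS CLI v2 is configured with permissions for IAM, EC2 and SSM; the role name `Windows-instance` comes from the page, while the instance ID argument and the `RUN_EC2RESCUE` guard variable are placeholders of this example. It keeps the page's AmazonSSMFullAccess policy as the default, and after reading the new password it deletes the Parameter Store entry so the credential does not linger there.

```shell
#!/bin/sh
# Added example (not from the original page): AWS CLI equivalent of the
# console steps for resetting a lost Windows EC2 password with EC2Rescue.
set -eu

ROLE_NAME="${ROLE_NAME:-Windows-instance}"
# The page attaches AmazonSSMFullAccess, which is broad. A narrower policy
# (AmazonSSMManagedInstanceCore plus only what EC2Rescue needs to write the
# password parameter) is preferable but must be verified against the
# document's permission requirements; that is an assumption, not tested here.
POLICY_ARN="${POLICY_ARN:-arn:aws:iam::aws:policy/AmazonSSMFullAccess}"

# Trust policy letting the EC2 service assume the role (step 1.3).
trust_policy_json() {
  printf '%s' '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
}

# Parameter Store name EC2Rescue uses for the new password (step 5).
password_param_name() {
  printf '/EC2Rescue/Passwords/%s' "$1"
}

# Steps 1.2 to 1.7: create the role, wrap it in an instance profile (the
# console does this implicitly) and attach it to the instance.
create_ssm_role_and_attach() {
  instance_id="$1"
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy_json)"
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$POLICY_ARN"
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" \
    --role-name "$ROLE_NAME"
  aws ec2 associate-iam-instance-profile --instance-id "$instance_id" \
    --iam-instance-profile Name="$ROLE_NAME"
}

# Step 1.1: the instance is manageable once SSM reports its agent as Online.
wait_for_ssm_online() {
  instance_id="$1"
  for _ in $(seq 1 30); do
    status=$(aws ssm describe-instance-information \
      --filters "Key=InstanceIds,Values=$instance_id" \
      --query 'InstanceInformationList[0].PingStatus' --output text)
    [ "$status" = "Online" ] && return 0
    sleep 10
  done
  echo "SSM agent for $instance_id never came online" >&2
  return 1
}

# Steps 2 to 4: run the ResetAccess command of the rescue document and wait
# until the invocation reaches Success. Other document parameters are left
# at their defaults (assumption of this example).
reset_access() {
  instance_id="$1"
  command_id=$(aws ssm send-command \
    --document-name AWSSupport-RunEC2RescueForWindowsTool \
    --instance-ids "$instance_id" \
    --parameters Command=ResetAccess \
    --query 'Command.CommandId' --output text)
  for _ in $(seq 1 30); do
    status=$(aws ssm list-command-invocations --command-id "$command_id" \
      --details --query 'CommandInvocations[0].Status' --output text)
    case "$status" in
      Success) return 0 ;;
      Failed|Cancelled|TimedOut) echo "ResetAccess ended with $status" >&2; return 1 ;;
    esac
    sleep 10
  done
  echo "ResetAccess did not finish in time" >&2
  return 1
}

# Steps 5 to 7: print the decrypted SecureString password, then delete the
# parameter so the credential is not left behind in Parameter Store.
fetch_and_delete_password() {
  name=$(password_param_name "$1")
  aws ssm get-parameter --name "$name" --with-decryption \
    --query 'Parameter.Value' --output text
  aws ssm delete-parameter --name "$name"
}

main() {
  instance_id="${1:?usage: $0 <instance-id>}"
  create_ssm_role_and_attach "$instance_id"
  wait_for_ssm_online "$instance_id"
  reset_access "$instance_id"
  fetch_and_delete_password "$instance_id"
}

# Only act when explicitly asked, so the file can be sourced for its helpers.
if [ "${RUN_EC2RESCUE:-0}" = 1 ]; then
  main "$@"
fi
```

Run it as `RUN_EC2RESCUE=1 sh reset-access.sh i-0123456789abcdef0` (placeholder instance ID); the printed password is then used in step 11 over RDP. Deleting the parameter afterwards matters because anyone with `ssm:GetParameter` on that path could otherwise read the new administrator password.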