How do I recover the windows EC2 instance if the PEM file is lost?

Introduction —

• Key pairs are generally used when we want to launch an EC2 instance. So what is a key pair?
• A key pair, consisting of a public key and a private key, is a set of security credentials that you use to prove your identity when connecting to an Amazon EC2 instance. Amazon EC2 stores the public key on your instance, and we store our private key.

We store private keys (.PEM format) in a safe location to further RDP into windows instances. If the key pair is lost there is no way to recover it. However, there can still be a way to connect to instances where you’ve lost your private key.

In this blog, we will discuss how to connect to EC2 instances if the key pair is lost. The following steps will guide you through how to retake access to the windows EC2 instance.

Step 1: Create AMI Image of EC2 Instance-

A. Select your instance. For Actions, choose Image and templates, Create an Image.

B. For Image Name, enter a Name & For Image Descriptions, enter a Description & then choose to Create Image.

C. Choose AMIs from the left navigation pane. When the Status is available, continue to the next step.

Step2: Create an IAM Role-

Windows EC2 instances will require permission to connect to the AWS Systems Manager (SSM) agent as we move forward, so we need to create a role that will give permission to the EC2 instance to access SSM. We will create and set up the IAM role first.

A. Go to IAM service & from the navigation pane choose Roles & choose trusted entity as AWS service with service as EC2.

B. Now add permission, search for SSM, and select the below role: AmazonSSMManagedInstanceCore. This is the policy for the EC2 role to enable Systems Manager core functionality.

C. Now stop your original windows EC2 instance in which your key pair is lost.

Step3: Launch Instance From AMI-

Now we will launch the instance from AMI that we have previously created for our windows EC2 instance.

A. Choose AMI from the navigation pane, select the AMI which we have previously created & then click on Launch instance from AMI.

B. Make sure we attached the IAM Role in Advanced details of the EC2 instance which we have created previously for SSM.

C. Review it & then Launch the Instance.

We cannot decrypt the password from our new key pair, it needs to have the password of the old key pair but we have lost the old key pair so we cannot decrypt the password and connect to the instance. So we need a way to connect to the new instance that we have created from AMI.

Step4: Configure the Systems Manager (SSM)-

A. Go to System Manager service. In the navigation panel, select Fleet Manager and you should see the windows instance of AMI that we have installed the SSM agent (instance profile) into the EC2 instance.

B. Now in the navigation panel select Session Manager and Click Preferences.

C. Configure Key by leaving settings to default.

D. Give the alias name of the key.

E. Give the key permission for the SSM role which we created earlier.

F. Review it & create KMS key, now in KMS key choose the alias name which we created & save it.

G. Go to Fleet Manager select the instance, Click on Node Actions & select Reset Password and Enter the User Name as Administrator.

H. You can see that now the session is encrypted by the KMS key. Enter the new password to complete the command successfully.

I. Now go back to EC2 & connect the instance using RDP, copy the public IP & paste it into RDP, and enter the user name as Administrator & password as what you have set during reset password in SSM.

Conclusion —

In this way, by creating the AMI of the original windows instance we can create the new windows instance by attaching a new key pair & IAM instance profile of SSM. Then through the SSM session manager, we can create the KMS encryption key to encrypt our session & reset the password of the new windows instance.

By : Naman Sharma, Cloud Engineer (Cloud.in)