AWS Instance Key Login Mechanism

When creating an EC2 instance, AWS generates a key file that is required to log in to the instance via SSH. You can use the AWSSupport-ResetAccess document to automatically re-enable local administrator password generation on Amazon EC2 Windows instances, and to generate a new SSH key on Amazon EC2 Linux instances.

How It Works

The process of troubleshooting an instance using Automation and AWSSupport-ResetAccess works as follows:

1. You specify the instance ID and run the Automation workflow.
2. The system creates a temporary VPC and then runs a series of Lambda functions to configure it.
3. The system identifies a subnet in your temporary VPC within the same Availability Zone as your original instance.
4. The system launches a temporary SSM-enabled helper instance.
5. The system stops your original instance and creates a backup, then attaches the original root volume to the helper instance.
6. The system uses Run Command to run EC2Rescue on the helper instance. On Windows, EC2Rescue enables password generation for the local administrator using EC2Config or EC2Launch on the attached original root volume. On Linux, EC2Rescue generates and injects a new SSH key and saves the private key encrypted to Parameter Store. After completion, EC2Rescue re-attaches the root volume back to the original instance.
7. The system creates a new Amazon Machine Image (AMI) from your instance with password generation now enabled. You can use this AMI to create a new EC2 instance and associate a new key pair as needed.
8. The system restarts your original instance and terminates the temporary instance, temporary VPC, and Lambda functions created at the start of the automation.
9. Windows: Your instance generates a new password, which you can decode from the EC2 console using the current key pair assigned to the instance.

Linux: You can connect to the instance via SSH using the SSH key stored in Systems Manager Parameter Store at the path /ec2rl/openssh/instance_id/key.

Resetting an EC2 (Linux) Key Using AWSSupport-ResetAccess

Step 1: Create a Role Using CloudFormation

Create the required IAM role in CloudFormation. Copy the Value from the Output — this is the ARN for the subsequent AssumeRole.

Step 2: Open AWSSupport-ResetAccess

In the AWS Systems Manager console, find the AWSSupport-ResetAccess automation document and open it.

Step 3: Enter Parameters

• InstanceID: Specify the ID of the instance you cannot access.
• EC2RescueInstanceType: Specify the instance type for the EC2Rescue instance. The default is t2.small.
• SubnetId: Specify a subnet from an existing VPC in the same Availability Zone as your specified instance.
• AssumeRole: The AssumeRole ARN copied from the CloudFormation console.

Step 4: Execute the Automation

Click Execute and wait for the automation process to complete.

Step 5: Check the Results

Once the console shows successful execution, go to Parameter Store. The key at path /ec2rl/openssh/instance_id/key is the key to connect to your server — use it to SSH into the instance.

Back to Tech Blog