Add or remove a public key on your instance - Amazon Elastic Compute Cloud

Add or remove a public key on your instance

If you lose a private key, you lose access to any instances that use the key pair. For more information about connecting to an instance using a different key pair than the one that you specified at launch, see I've lost my private key.

When you launch an instance, you can specify a key pair. If you specify a key pair at launch, when your instance boots for the first time, the public key material is placed on your Linux instance in an entry within ~/.ssh/authorized_keys.

You can change the key pair that is used to access the default system account of your instance by adding a new public key on the instance, or by replacing the public key (deleting the existing public key and adding a new one) on the instance. You can also remove all public keys from an instance. To add or replace a key pair, you must be able to connect to your instance.

You might add or replace a key pair for the following reasons:

  • If a user in your organization requires access to the system user using a separate key pair, you can add the public key to your instance.

  • If someone has a copy of the private key (.pem file) and you want to prevent them from connecting to your instance (for example, if they've left your organization), you can delete the public key on the instance and replace it with a new one.

  • If you create a Linux AMI from an instance, the public key material is copied from the instance to the AMI. If you launch an instance from the AMI, the new instance includes the public key from the original instance. To prevent someone who has the private key from connecting to the new instance, you can remove the public key from the original instance before creating the AMI.

Use the following procedures to modify the key pair for the default user, such as ec2-user. For information about adding users to your instance, see the documentation for the operating system on your instance.

To add or replace a key pair
  1. Create a new key pair using the Amazon EC2 console or a third-party tool.

  2. Retrieve the public key from your new key pair. For more information, see Retrieve the public key material.

  3. Connect to your instance using your existing private key.

  4. Using a text editor of your choice, open the .ssh/authorized_keys file on the instance. Paste the public key information from your new key pair underneath the existing public key information. Save the file.

  5. Disconnect from your instance, and test that you can connect to your instance using the new private key file.

  6. (Optional) If you're replacing an existing key pair, connect to your instance and delete the public key information for the original key pair from the .ssh/authorized_keys file.


If you're using an Auto Scaling group, ensure that the key pair you're replacing is not specified in your launch template or launch configuration. If Amazon EC2 Auto Scaling detects an unhealthy instance, it launches a replacement instance. However, the instance launch fails if the key pair cannot be found. For more information, see Launch templates in the Amazon EC2 Auto Scaling User Guide.

To remove a public key from an instance
  1. Connect to your instance.

  2. Using a text editor of your choice, open the .ssh/authorized_keys file on the instance. Delete the public key information, and then save the file.


After you remove all the public keys from an instance and disconnect from the instance, you can't connect to it again unless the AMI provides another way of logging in.