AWS EC2 Key Pairs
Understand EC2 key pairs, how to create and use them with SSH, and what recovery options exist if a private key is lost.
EC2 key pairs are the traditional way to authenticate SSH access to Linux instances. AWS stores the public key, and you download or import the private key that proves you are allowed to sign in. When launching an instance, selecting a key pair injects the public key so the OS can trust your matching private key later.
In the console, AWS can generate a new key pair for you and prompt a one-time download of the private key file. Treat that file carefully. If someone else gets it, they may be able to log in wherever the matching public key is installed. Restrict file permissions locally and avoid sending it through chat, email, or source control.
| Item | Important detail |
|---|---|
| Public key | Stored by AWS or imported during setup |
| Private key | Kept by you and used during SSH login |
| File permissions | Should be restricted, often chmod 400 |
| Lost key | Requires a recovery approach, not a re-download |
If you lose the private key, AWS cannot re-download it for you. Recovery usually means using another access path such as AWS Systems Manager Session Manager, attaching the root volume to another instance, or rebuilding the instance from automation. That is one reason many teams prefer SSM-based access for day-to-day administration instead of relying only on SSH keys.
Key pairs are still useful for learning and for environments where SSH access is expected, but they should fit into a broader access strategy that includes least-privilege IAM, logging, and minimized exposure of port 22.
Pair this lesson with AWS EC2 Launch Instance so you understand exactly where the key pair is selected during launch.
chmod 400 demo-key.pem
ssh -i demo-key.pem ec2-user@203.0.113.10
aws ec2 describe-key-pairs --query 'KeyPairs[].KeyName' --output table
Operational note
Treat EC2 instances as managed infrastructure, not pets. Capture launch settings in infrastructure as code, keep bootstrap steps repeatable, and monitor CPU, memory, disk, and patch level from the start. That way replacing an instance is a routine operation instead of a risky manual repair exercise. Shared standards like this make future environments easier to launch, review, and support.
Key pair purpose
What is the private key in an EC2 key pair used for?
Lost key recovery
If you lose the downloaded private key for a generated EC2 key pair, what is true?