Replacing EC2 private keys

As a standard security practice, we want to periodically recycle the private keys that we use to connect to our EC2 instances.  The problem is that Amazon Web Services doesn’t make it easy to swap out the private key that you used to start the EC2 instance, without shutting it down and starting a new one.

The documentation on the web is fairly light and scattered; I finally figured it out, so I wanted to share how I got it to work.

  1. From the AWS console, create your new key pair.  Let’s say the downloaded private key is called ‘newkey.pem’.
  2. On each server that you want to be able to connect to with this new key, ssh into it using the old key.  We do this as user jamesbond, so we connect like
    ssh -i oldkey.pem jamesbond@ec2...
  3. Once on the server, cd to the .ssh folder of the user you connected as:
    cd /home/jamesbond/.ssh
  4. Edit the authorized_keys file and add a line containing the public key that corresponds to newkey.pem.
    1. The way I got the public key was to launch a new EC2 instance with newkey.pem, then look in the authorized_keys on the newly launched server and copy it.  There must be an easier way.
  5. Save the file, then exit the ssh session so you’re back on your local terminal.
  6. Test ssh’ing into the server using newkey.pem.
  7. If it works, you can edit authorized_keys and delete the lines for any keys you no longer want to be able to use to access this server.
    1. If it does not work, make sure that the authorized_keys file you are editing belongs to the user you are connecting as: for jamesbond@ec2.. that is /home/jamesbond/.ssh/authorized_keys.  I got tripped up here for a bit because I was editing /home/root/.ssh/authorized_keys.
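The procedure above, as an added example (not from the original post or from AWS): shell helpers that derive the public key locally from newkey.pem with ssh-keygen, add it to the user’s authorized_keys only if it is not already there, and remove the old key only as a separate step, so the rollout can be tested from a second session before the old key is dropped. The function names and the sample key lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example for rotating an SSH key in ~/.ssh/authorized_keys.
# Names (newkey.pem, jamesbond) follow the post; the helper names are
# assumptions for this example, not an AWS or OpenSSH tool.

# Print the public key line for a .pem private key. Run this locally: the
# private key never leaves your machine, only this line goes to the server.
# (Needs a real key file, so it is not exercised by the test below.)
derive_pubkey() {
    ssh-keygen -y -f "$1"
}

# Append a public key line to an authorized_keys file unless that exact
# line is already present, so re-running the rotation is harmless.
# Also enforces the 600 mode sshd expects on the file.
add_authorized_key() {
    file=$1; pubkey=$2
    mkdir -p "$(dirname "$file")"
    touch "$file"
    if ! grep -qxF -- "$pubkey" "$file"; then
        printf '%s\n' "$pubkey" >> "$file"
    fi
    chmod 600 "$file"
}

# Remove every line that contains the given key material (the base64 part
# of the old public key). Call this only after a login with newkey.pem has
# succeeded from a second terminal, while the first session stays open.
remove_authorized_key() {
    file=$1; keydata=$2
    tmp=$(mktemp)
    grep -vF -- "$keydata" "$file" > "$tmp" || true
    cat "$tmp" > "$file"   # overwrite in place to keep owner and mode
    rm -f "$tmp"
}

# Number of key lines in the file (blank lines and comments ignored), a
# quick sanity check that you have not removed the last usable key.
count_keys() {
    [ -f "$1" ] || { echo 0; return; }
    grep -cvE '^[[:space:]]*(#|$)' "$1" || true
}

# Typical use on the server, as jamesbond, after copying the output of
# "derive_pubkey newkey.pem" from your workstation:
#   add_authorized_key /home/jamesbond/.ssh/authorized_keys "$NEWKEY_LINE"
#   ... test login with newkey.pem from another terminal ...
#   remove_authorized_key /home/jamesbond/.ssh/authorized_keys "$OLDKEY_B64"
```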