docs.aws.amazon.com
13.35.58.67  Public Scan

URL: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/create-key-pairs.html
Submission: On September 01 via api from US — Scanned from DE

Form analysis 0 forms found in the DOM

Text Content

AMAZON ELASTIC COMPUTE CLOUD


USER GUIDE

Create a key pair for your Amazon EC2 instance - Amazon Elastic Compute Cloud


CREATE A KEY PAIR FOR YOUR AMAZON EC2 INSTANCE

You can use Amazon EC2 to create your key pairs, or you can use a third-party
tool to create your key pairs, and then import them to Amazon EC2.

Amazon EC2 supports 2048-bit SSH-2 RSA keys for Linux and Windows instances.
Amazon EC2 also supports ED25519 keys for Linux instances.

For steps to connect to your Linux instance using SSH after you have created a
key pair, see Connect to your Linux instance using SSH.

For steps to connect to your Windows instance using RDP after you have created a
key pair, see Connect to your Windows instance using RDP.

CONTENTS

 * Create a key pair using Amazon EC2
 * Create a key pair using AWS CloudFormation
 * Create a key pair using a third-party tool and import the public key to
   Amazon EC2


CREATE A KEY PAIR USING AMAZON EC2


When you create a key pair using Amazon EC2, the public key is stored in Amazon
EC2, and you store the private key.

You can create up to 5,000 key pairs per Region. To request an increase, create
a support case. For more information, see Creating a support case in the AWS
Support User Guide.

Console

TO CREATE A KEY PAIR USING AMAZON EC2

 1.  Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

 2.  In the navigation pane, under Network & Security, choose Key Pairs.

 3.  Choose Create key pair.

 4.  For Name, enter a descriptive name for the key pair. Amazon EC2 associates
     the public key with the name that you specify as the key name. A key name
     can include up to 255 ASCII characters. It can’t include leading or
     trailing spaces.

 5.  Select a key pair type appropriate for your operating system:
     
     (Linux instances) For Key pair type, choose either RSA or ED25519.
     
     (Windows instances) For Key pair type, choose RSA. ED25519 keys are not
     supported for Windows instances.

 6.  For Private key file format, choose the format in which to save the private
     key. To save the private key in a format that can be used with OpenSSH,
     choose pem. To save the private key in a format that can be used with
     PuTTY, choose ppk.

 7.  To add a tag to the public key, choose Add tag, and enter the key and value
     for the tag. Repeat for each tag.

 8.  Choose Create key pair.

 9.  The private key file is automatically downloaded by your browser. The base
     file name is the name that you specified as the name of your key pair, and
     the file name extension is determined by the file format that you chose.
     Save the private key file in a safe place.
     
     IMPORTANT
     
     This is the only chance for you to save the private key file.

 10. If you plan to use an SSH client on a macOS or Linux computer to connect to
     your Linux instance, use the following command to set the permissions of
     your private key file so that only you can read it.
     
     chmod 400 key-pair-name.pem
     
     If you do not set these permissions, then you cannot connect to your
     instance using this key pair. For more information, see Error: Unprotected
     private key file.

AWS CLI

TO CREATE A KEY PAIR USING AMAZON EC2

 1. Use the create-key-pair command as follows to generate the key pair and to
    save the private key to a .pem file.
    
    For --key-name, specify a name for the public key. The name can be up to 255
    ASCII characters.
    
    For --key-type, specify either rsa or ed25519. If you do not include the
    --key-type parameter, an rsa key is created by default. Note that ED25519
    keys are not supported for Windows instances.
    
    For --key-format, specify either pem or ppk. If you do not include the
    --key-format parameter, a pem file is created by default.
    
    --query "KeyMaterial" prints the private key material to the output.
    
    --output text > my-key-pair.pem saves the private key material in a file
    with the specified extension. The extension can be either .pem or .ppk. The
    private key can have a name that's different from the public key name, but
    for ease of use, use the same name.
    
    aws ec2 create-key-pair \
        --key-name my-key-pair \
        --key-type rsa \
        --key-format pem \
        --query "KeyMaterial" \
        --output text > my-key-pair.pem

 2. If you plan to use an SSH client on a macOS or Linux computer to connect to
    your Linux instance, use the following command to set the permissions of
    your private key file so that only you can read it.
    
    chmod 400 key-pair-name.pem
    
    If you do not set these permissions, then you cannot connect to your
    instance using this key pair. For more information, see Error: Unprotected
    private key file.
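
The redirect in step 1 creates the .pem file with your default umask (with a typical umask of 022 that is mode 0644), so the private key can be readable by other local users until step 2 runs. The following is an added example, not part of the AWS documentation: the helper names `save_key_material`, `file_mode` and `fake_create_key_pair` are hypothetical, and the key text emitted by `fake_create_key_pair` is a constructed placeholder standing in for the CLI output.

```shell
#!/bin/sh
# Added example (not AWS code): save private key material so that it is
# owner-only from the moment the file exists, and never clobber an old key.

# file_mode FILE: print the octal permission bits of FILE.
# Tries GNU/busybox stat first, then BSD/macOS stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# save_key_material OUT CMD [ARGS...]
# Runs CMD, which must print the private key on stdout, and stores it in OUT
# with mode 0400. Returns non-zero and leaves nothing behind if CMD fails,
# prints something that is not a key, or OUT already exists.
save_key_material() {
    local out tmp
    out=$1
    shift

    # mktemp creates the file with mode 0600 regardless of umask, so the key
    # is never group- or world-readable, not even briefly.
    tmp=$(mktemp "${out}.XXXXXX") || return 1

    if ! "$@" > "$tmp"; then
        rm -f -- "$tmp"
        return 1
    fi

    # An empty response or an error message must not be kept as if it were a
    # key. Accept the pem formats and the PuTTY ppk header.
    if ! grep -Eq 'PRIVATE KEY-----|^PuTTY-User-Key-File-' "$tmp"; then
        echo "no private key in command output; nothing saved" >&2
        rm -f -- "$tmp"
        return 1
    fi

    chmod 400 "$tmp"

    # ln fails if OUT exists, so an existing private key (which cannot be
    # downloaded again) is never overwritten.
    if ! ln -- "$tmp" "$out" 2>/dev/null; then
        echo "refusing to overwrite existing $out" >&2
        rm -f -- "$tmp"
        return 1
    fi
    rm -f -- "$tmp"
}

# Constructed stand-in for the CLI call so the example runs offline.
# The body is placeholder text, not key material.
fake_create_key_pair() {
    printf '%s\n' \
        '-----BEGIN RSA PRIVATE KEY-----' \
        'CONSTRUCTED-PLACEHOLDER-NOT-A-KEY' \
        '-----END RSA PRIVATE KEY-----'
}

# Real use, with the command and options shown in step 1:
#
#   save_key_material my-key-pair.pem \
#       aws ec2 create-key-pair \
#           --key-name my-key-pair \
#           --key-type rsa \
#           --key-format pem \
#           --query "KeyMaterial" \
#           --output text
```

If the `aws` call succeeds but saving fails, the key pair still exists in Amazon EC2 without a retrievable private key, so delete it and create a new one.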

PowerShell

TO CREATE A KEY PAIR USING AMAZON EC2

Use the New-EC2KeyPair AWS Tools for Windows PowerShell command as follows to
generate the key and save it to a .pem or .ppk file.

For -KeyName, specify a name for the public key. The name can be up to 255 ASCII
characters.

For -KeyType, specify either rsa or ed25519. If you do not include the -KeyType
parameter, an rsa key is created by default. Note that ED25519 keys are not
supported for Windows instances.

For -KeyFormat, specify either pem or ppk. If you do not include the -KeyFormat
parameter, a pem file is created by default.

KeyMaterial prints the private key material to the output.

Out-File -Encoding ascii -FilePath C:\path\my-key-pair.pem saves the private key
material in a file with the specified extension. The extension can be .pem
or .ppk. The private key can have a name that's different from the public key
name, but for ease of use, use the same name.

PS C:\> (New-EC2KeyPair -KeyName "my-key-pair" -KeyType "rsa" -KeyFormat "pem").KeyMaterial | Out-File -Encoding ascii -FilePath C:\path\my-key-pair.pem


CREATE A KEY PAIR USING AWS CLOUDFORMATION


When you create a new key pair using AWS CloudFormation, the private key is
saved to AWS Systems Manager Parameter Store. The parameter name has the
following format:

/ec2/keypair/key_pair_id

For more information, see AWS Systems Manager Parameter Store in the AWS Systems
Manager User Guide.

TO CREATE A KEY PAIR USING AWS CLOUDFORMATION

 1. Specify the AWS::EC2::KeyPair resource in your template.
    
    Resources:
      NewKeyPair:
        Type: 'AWS::EC2::KeyPair'
        Properties: 
          KeyName: new-key-pair

 2. Use the describe-key-pairs command as follows to get the ID of the key pair.
    
    aws ec2 describe-key-pairs --filters Name=key-name,Values=new-key-pair --query "KeyPairs[*].KeyPairId" --output text
    
    The following is example output.
    
    key-05abb699beEXAMPLE

 3. Use the get-parameter command as follows to get the parameter for your key
    and save the key material in a .pem file.
    
    aws ssm get-parameter --name /ec2/keypair/key-05abb699beEXAMPLE --with-decryption --query Parameter.Value --output text > new-key-pair.pem

REQUIRED IAM PERMISSIONS

To enable AWS CloudFormation to manage Parameter Store parameters on your
behalf, the IAM role assumed by AWS CloudFormation or your user must have the
following permissions:

 * ssm:PutParameter – Grants permission to create a parameter for the private
   key material.

 * ssm:DeleteParameter – Grants permission to delete the parameter that stored
   the private key material. This permission is required whether the key pair
   was imported or created by AWS CloudFormation.

When AWS CloudFormation deletes a key pair that was created or imported by a
stack, it performs a permissions check to determine whether you have permission
to delete parameters, even though AWS CloudFormation creates a parameter only
when it creates a key pair, not when it imports a key pair. AWS CloudFormation
tests for the required permission using a fabricated parameter name that does
not match any parameter in your account. Therefore, you might see a fabricated
parameter name in the AccessDeniedException error message.


CREATE A KEY PAIR USING A THIRD-PARTY TOOL AND IMPORT THE PUBLIC KEY TO AMAZON
EC2


LINUX INSTANCES

Instead of using Amazon EC2 to create a key pair, you can create an RSA or
ED25519 key pair by using a third-party tool, and then import the public key to
Amazon EC2.

REQUIREMENTS FOR KEY PAIRS

 * Supported types: RSA and ED25519. Amazon EC2 does not accept DSA keys.

 * Supported formats:
   
    * OpenSSH public key format (the format in ~/.ssh/authorized_keys). If you
      connect using SSH while using the EC2 Instance Connect API, the SSH2
      format is also supported.
   
    * SSH private key file format must be PEM or PPK
   
    * (RSA only) Base64 encoded DER format
   
    * (RSA only) SSH public key file format as specified in RFC 4716

 * Supported lengths: 1024, 2048, and 4096. If you connect using SSH while using
   the EC2 Instance Connect API, the supported lengths are 2048 and 4096.

TO CREATE A KEY PAIR USING A THIRD-PARTY TOOL

 1. Generate a key pair with a third-party tool of your choice. For example, you
    can use ssh-keygen (a tool provided with the standard OpenSSH installation).
    Alternatively, Java, Ruby, Python, and many other programming languages
    provide standard libraries that you can use to create an RSA or ED25519 key
    pair.
    
    IMPORTANT
    
    The private key must be in the PEM or PPK format. For example, use
    ssh-keygen -m PEM to generate the OpenSSH key in the PEM format.

 2. Save the public key to a local file. For example, ~/.ssh/my-key-pair.pub.
    The file name extension for this file is not important.

 3. Save the private key to a local file that has the .pem or .ppk extension.
    For example, ~/.ssh/my-key-pair.pem or ~/.ssh/my-key-pair.ppk.
    
    IMPORTANT
    
    Save the private key file in a safe place. You'll need to provide the name
    of your public key when you launch an instance, and the corresponding
    private key each time you connect to the instance.

WINDOWS INSTANCES

Instead of using Amazon EC2 to create your key pair, you can create an RSA key
pair by using a third-party tool, and then import the public key to Amazon EC2.

REQUIREMENTS FOR KEY PAIRS

 * Supported types: RSA. Amazon EC2 does not accept DSA keys.
   
   NOTE
   
   ED25519 keys are not supported for Windows instances.

 * Supported formats:
   
    * OpenSSH public key format
   
    * SSH private key file format must be PEM or PPK
   
    * (RSA only) Base64 encoded DER format
   
    * (RSA only) SSH public key file format as specified in RFC 4716

 * Supported lengths: 1024, 2048, and 4096.

TO CREATE A KEY PAIR USING A THIRD-PARTY TOOL

 1. Generate a key pair with a third-party tool of your choice. For example, you
    can use ssh-keygen (a tool provided with the standard OpenSSH installation).
    Alternatively, Java, Ruby, Python, and many other programming languages
    provide standard libraries that you can use to create an RSA key pair.
    
    IMPORTANT
    
    The private key must be in the PEM or PPK format. For example, use
    ssh-keygen -m PEM to generate the OpenSSH key in the PEM format.

 2. Save the public key to a local file. For example, C:\keys\my-key-pair.pub.
    The file name extension for this file is not important.

 3. Save the private key to a local file that has the .pem or .ppk extension.
    For example, C:\keys\my-key-pair.pem or C:\keys\my-key-pair.ppk. The file
    name extension for this file is important because only .pem files can be
    selected when connecting to your Windows instance from the EC2 console.
    
    IMPORTANT
    
    Save the private key file in a safe place. You'll need to provide the name
    of your public key when you launch an instance, and the corresponding
    private key each time you connect to the instance.
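
The following pre-import check is an added example, not part of the original AWS page or any AWS tool. It parses an OpenSSH public key line and applies the type and length requirements listed above for Linux and Windows instances. The function names and the sample keys are assumptions made for illustration; the samples are constructed filler bytes, not usable keys.

```python
import base64
import struct

EC2_RSA_BITS = {1024, 2048, 4096}  # "Supported lengths" in the requirements list

def _read_string(blob, pos):
    """Read one length-prefixed SSH string (RFC 4251); return (value, next_pos)."""
    end = pos + 4 + struct.unpack(">I", blob[pos:pos + 4])[0]
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos + 4:end], end

def check_public_key(line, windows=False):
    """Check one OpenSSH public key line; return (ok, reason)."""
    try:
        label, b64 = line.split()[:2]  # "<type> <base64> [comment]"
        blob = base64.b64decode(b64, validate=True)
        kind, pos = _read_string(blob, 0)
        kind = kind.decode("ascii")
        if kind != label:
            return False, "type label does not match the key blob"
        if kind == "ssh-dss":
            return False, "Amazon EC2 does not accept DSA keys"
        if kind == "ssh-ed25519":
            if len(_read_string(blob, pos)[0]) != 32:
                return False, "malformed ED25519 key"
            if windows:
                return False, "ED25519 is not supported for Windows instances"
            return True, "ED25519"
        if kind == "ssh-rsa":
            _exponent, pos = _read_string(blob, pos)
            modulus, _ = _read_string(blob, pos)
            bits = int.from_bytes(modulus, "big").bit_length()
            if bits not in EC2_RSA_BITS:
                return False, f"RSA length {bits} is not 1024, 2048, or 4096"
            return True, f"RSA {bits}"
        return False, f"unsupported key type {kind}"
    except (ValueError, struct.error) as exc:
        return False, f"malformed key: {exc}"

def constructed_key(kind, *parts):
    """Build a CONSTRUCTED sample line (filler bytes, not a usable key)."""
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (kind.encode(), *parts))
    return f"{kind} {base64.b64encode(blob).decode()} constructed-sample"

E = b"\x01\x00\x01"  # public exponent 65537
SAMPLES = {
    "rsa2048": constructed_key("ssh-rsa", E, b"\x00\xc3" + b"\x01" * 255),
    "rsa3072": constructed_key("ssh-rsa", E, b"\x00\xc3" + b"\x01" * 383),
    "ed25519": constructed_key("ssh-ed25519", b"\x07" * 32),
    "dsa": constructed_key("ssh-dss", b"\x01"),
}

if __name__ == "__main__":
    print({name: check_public_key(line) for name, line in SAMPLES.items()})
```

To check a real key, pass the contents of the public key file (for example, ~/.ssh/my-key-pair.pub) to check_public_key, with windows=True for a key intended for Windows instances.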

After you have created the key pair, use one of the following methods to import
your public key to Amazon EC2.

Console

TO IMPORT THE PUBLIC KEY TO AMAZON EC2

 1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

 2. In the navigation pane, choose Key Pairs.

 3. Choose Import key pair.

 4. For Name, enter a descriptive name for the public key. The name can include
    up to 255 ASCII characters. It can’t include leading or trailing spaces.
    
    NOTE
    
    When you connect to your instance from the EC2 console, the console suggests
    this name for the name of your private key file.

 5. Either choose Browse to navigate to and select your public key, or paste the
    contents of your public key into the Public key contents field.

 6. Choose Import key pair.

 7. Verify that the public key that you imported appears in the list of key
    pairs.

AWS CLI

TO IMPORT THE PUBLIC KEY TO AMAZON EC2

Use the import-key-pair AWS CLI command.

TO VERIFY THAT THE KEY PAIR WAS IMPORTED SUCCESSFULLY

Use the describe-key-pairs AWS CLI command.

PowerShell

TO IMPORT THE PUBLIC KEY TO AMAZON EC2

Use the Import-EC2KeyPair AWS Tools for Windows PowerShell command.

TO VERIFY THAT THE KEY PAIR WAS IMPORTED SUCCESSFULLY

Use the Get-EC2KeyPair AWS Tools for Windows PowerShell command.



