docs.aws.amazon.com
13.35.58.67
Public Scan
URL:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/create-key-pairs.html
Submission: On September 01 via api from US — Scanned from DE
Form analysis
0 forms found in the DOM
Text Content
Create a key pair for your Amazon EC2 instance - Amazon Elastic Compute Cloud

CREATE A KEY PAIR FOR YOUR AMAZON EC2 INSTANCE

You can use Amazon EC2 to create your key pairs, or you can use a third-party tool to create your key pairs, and then import them to Amazon EC2.

Amazon EC2 supports 2048-bit SSH-2 RSA keys for Linux and Windows instances. Amazon EC2 also supports ED25519 keys for Linux instances.

For steps to connect to your Linux instance using SSH after you have created a key pair, see Connect to your Linux instance using SSH.

For steps to connect to your Windows instance using RDP after you have created a key pair, see Connect to your Windows instance using RDP.

CONTENTS

* Create a key pair using Amazon EC2
* Create a key pair using AWS CloudFormation
* Create a key pair using a third-party tool and import the public key to Amazon EC2

CREATE A KEY PAIR USING AMAZON EC2

When you create a key pair using Amazon EC2, the public key is stored in Amazon EC2, and you store the private key.

You can create up to 5,000 key pairs per Region. To request an increase, create a support case. For more information, see Creating a support case in the AWS Support User Guide.

Console

TO CREATE A KEY PAIR USING AMAZON EC2

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, under Network & Security, choose Key Pairs.
3. Choose Create key pair.
4. For Name, enter a descriptive name for the key pair. Amazon EC2 associates the public key with the name that you specify as the key name. A key name can include up to 255 ASCII characters. It can’t include leading or trailing spaces.
5. Select a key pair type appropriate for your operating system:
    (Linux instances) For Key pair type, choose either RSA or ED25519.
    (Windows instances) For Key pair type, choose RSA. ED25519 keys are not supported for Windows instances.
6. For Private key file format, choose the format in which to save the private key. To save the private key in a format that can be used with OpenSSH, choose pem. To save the private key in a format that can be used with PuTTY, choose ppk.
7. To add a tag to the public key, choose Add tag, and enter the key and value for the tag. Repeat for each tag.
8. Choose Create key pair.
9. The private key file is automatically downloaded by your browser. The base file name is the name that you specified as the name of your key pair, and the file name extension is determined by the file format that you chose. Save the private key file in a safe place.
    IMPORTANT: This is the only chance for you to save the private key file.
10. If you plan to use an SSH client on a macOS or Linux computer to connect to your Linux instance, use the following command to set the permissions of your private key file so that only you can read it.

        chmod 400 key-pair-name.pem

    If you do not set these permissions, then you cannot connect to your instance using this key pair. For more information, see Error: Unprotected private key file.

AWS CLI

TO CREATE A KEY PAIR USING AMAZON EC2

1. Use the create-key-pair command as follows to generate the key pair and to save the private key to a .pem file.

    For --key-name, specify a name for the public key. The name can be up to 255 ASCII characters.

    For --key-type, specify either rsa or ed25519. If you do not include the --key-type parameter, an rsa key is created by default. Note that ED25519 keys are not supported for Windows instances.

    For --key-format, specify either pem or ppk. If you do not include the --key-format parameter, a pem file is created by default.

    --query "KeyMaterial" prints the private key material to the output.

    --output text > my-key-pair.pem saves the private key material in a file with the specified extension. The extension can be either .pem or .ppk. The private key can have a name that's different from the public key name, but for ease of use, use the same name.

        aws ec2 create-key-pair \
            --key-name my-key-pair \
            --key-type rsa \
            --key-format pem \
            --query "KeyMaterial" \
            --output text > my-key-pair.pem

2. If you plan to use an SSH client on a macOS or Linux computer to connect to your Linux instance, use the following command to set the permissions of your private key file so that only you can read it.

        chmod 400 key-pair-name.pem

    If you do not set these permissions, then you cannot connect to your instance using this key pair. For more information, see Error: Unprotected private key file.

PowerShell

TO CREATE A KEY PAIR USING AMAZON EC2

Use the New-EC2KeyPair AWS Tools for Windows PowerShell command as follows to generate the key and save it to a .pem or .ppk file.

For -KeyName, specify a name for the public key. The name can be up to 255 ASCII characters.

For -KeyType, specify either rsa or ed25519. If you do not include the -KeyType parameter, an rsa key is created by default. Note that ED25519 keys are not supported for Windows instances.

For -KeyFormat, specify either pem or ppk. If you do not include the -KeyFormat parameter, a pem file is created by default.

KeyMaterial prints the private key material to the output.

Out-File -Encoding ascii -FilePath C:\path\my-key-pair.pem saves the private key material in a file with the specified extension. The extension can be .pem or .ppk. The private key can have a name that's different from the public key name, but for ease of use, use the same name.

    PS C:\> (New-EC2KeyPair -KeyName "my-key-pair" -KeyType "rsa" -KeyFormat "pem").KeyMaterial | Out-File -Encoding ascii -FilePath C:\path\my-key-pair.pem

CREATE A KEY PAIR USING AWS CLOUDFORMATION

When you create a new key pair using AWS CloudFormation, the private key is saved to AWS Systems Manager Parameter Store. The parameter name has the following format:

    /ec2/keypair/key_pair_id

For more information, see AWS Systems Manager Parameter Store in the AWS Systems Manager User Guide.

TO CREATE A KEY PAIR USING AWS CLOUDFORMATION

1. Specify the AWS::EC2::KeyPair resource in your template.

        Resources:
          NewKeyPair:
            Type: 'AWS::EC2::KeyPair'
            Properties:
              KeyName: new-key-pair

2. Use the describe-key-pairs command as follows to get the ID of the key pair.

        aws ec2 describe-key-pairs --filters Name=key-name,Values=new-key-pair --query "KeyPairs[*].KeyPairId" --output text

    The following is example output.

        key-05abb699beEXAMPLE

3. Use the get-parameter command as follows to get the parameter for your key and save the key material in a .pem file.

        aws ssm get-parameter --name /ec2/keypair/key-05abb699beEXAMPLE --with-decryption --query Parameter.Value --output text > new-key-pair.pem

REQUIRED IAM PERMISSIONS

To enable AWS CloudFormation to manage Parameter Store parameters on your behalf, the IAM role assumed by AWS CloudFormation or your user must have the following permissions:

* ssm:PutParameter – Grants permission to create a parameter for the private key material.
* ssm:DeleteParameter – Grants permission to delete the parameter that stored the private key material. This permission is required whether the key pair was imported or created by AWS CloudFormation.

When AWS CloudFormation deletes a key pair that was created or imported by a stack, it performs a permissions check to determine whether you have permission to delete parameters, even though AWS CloudFormation creates a parameter only when it creates a key pair, not when it imports a key pair. AWS CloudFormation tests for the required permission using a fabricated parameter name that does not match any parameter in your account. Therefore, you might see a fabricated parameter name in the AccessDeniedException error message.

CREATE A KEY PAIR USING A THIRD-PARTY TOOL AND IMPORT THE PUBLIC KEY TO AMAZON EC2

LINUX INSTANCES

Instead of using Amazon EC2 to create a key pair, you can create an RSA or ED25519 key pair by using a third-party tool, and then import the public key to Amazon EC2.

REQUIREMENTS FOR KEY PAIRS

* Supported types: RSA and ED25519. Amazon EC2 does not accept DSA keys.
* Supported formats:
    * OpenSSH public key format (the format in ~/.ssh/authorized_keys). If you connect using SSH while using the EC2 Instance Connect API, the SSH2 format is also supported.
    * SSH private key file format must be PEM or PPK
    * (RSA only) Base64 encoded DER format
    * (RSA only) SSH public key file format as specified in RFC 4716
* Supported lengths: 1024, 2048, and 4096. If you connect using SSH while using the EC2 Instance Connect API, the supported lengths are 2048 and 4096.

TO CREATE A KEY PAIR USING A THIRD-PARTY TOOL

1. Generate a key pair with a third-party tool of your choice. For example, you can use ssh-keygen (a tool provided with the standard OpenSSH installation). Alternatively, Java, Ruby, Python, and many other programming languages provide standard libraries that you can use to create an RSA or ED25519 key pair.
    IMPORTANT: The private key must be in the PEM or PPK format. For example, use ssh-keygen -m PEM to generate the OpenSSH key in the PEM format.
2. Save the public key to a local file. For example, ~/.ssh/my-key-pair.pub. The file name extension for this file is not important.
3. Save the private key to a local file that has the .pem or .ppk extension. For example, ~/.ssh/my-key-pair.pem or ~/.ssh/my-key-pair.ppk.
    IMPORTANT: Save the private key file in a safe place. You'll need to provide the name of your public key when you launch an instance, and the corresponding private key each time you connect to the instance.

WINDOWS INSTANCES

Instead of using Amazon EC2 to create your key pair, you can create an RSA key pair by using a third-party tool, and then import the public key to Amazon EC2.

REQUIREMENTS FOR KEY PAIRS

* Supported types: RSA. Amazon EC2 does not accept DSA keys.
    NOTE: ED25519 keys are not supported for Windows instances.
* Supported formats:
    * OpenSSH public key format
    * SSH private key file format must be PEM or PPK
    * (RSA only) Base64 encoded DER format
    * (RSA only) SSH public key file format as specified in RFC 4716
* Supported lengths: 1024, 2048, and 4096.

TO CREATE A KEY PAIR USING A THIRD-PARTY TOOL

1. Generate a key pair with a third-party tool of your choice. For example, you can use ssh-keygen (a tool provided with the standard OpenSSH installation). Alternatively, Java, Ruby, Python, and many other programming languages provide standard libraries that you can use to create an RSA key pair.
    IMPORTANT: The private key must be in the PEM or PPK format. For example, use ssh-keygen -m PEM to generate the OpenSSH key in the PEM format.
2. Save the public key to a local file. For example, C:\keys\my-key-pair.pub. The file name extension for this file is not important.
3. Save the private key to a local file that has the .pem or .ppk extension. For example, C:\keys\my-key-pair.pem or C:\keys\my-key-pair.ppk. The file name extension for this file is important because only .pem files can be selected when connecting to your Windows instance from the EC2 console.
    IMPORTANT: Save the private key file in a safe place. You'll need to provide the name of your public key when you launch an instance, and the corresponding private key each time you connect to the instance.
Save the private key to a local file that has the .pem or .ppk extension. For example, C:\keys\my-key-pair.pem or C:\keys\my-key-pair.ppk. The file name extension for this file is important because only .pem files can be selected when connecting to your Windows instance from the EC2 console. IMPORTANT Save the private key file in a safe place. You'll need to provide the name of your public key when you launch an instance, and the corresponding private key each time you connect to the instance. After you have created the key pair, use one of the following methods to import your public key to Amazon EC2. Console TO IMPORT THE PUBLIC KEY TO AMAZON EC2 1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/. 2. In the navigation pane, choose Key Pairs. 3. Choose Import key pair. 4. For Name, enter a descriptive name for the public key. The name can include up to 255 ASCII characters. It can’t include leading or trailing spaces. NOTE When you connect to your instance from the EC2 console, the console suggests this name for the name of your private key file. 5. Either choose Browse to navigate to and select your public key, or paste the contents of your public key into the Public key contents field. 6. Choose Import key pair. 7. Verify that the public key that you imported appears in the list of key pairs. AWS CLI TO IMPORT THE PUBLIC KEY TO AMAZON EC2 Use the import-key-pair AWS CLI command. TO VERIFY THAT THE KEY PAIR WAS IMPORTED SUCCESSFULLY Use the describe-key-pairs AWS CLI command. PowerShell TO IMPORT THE PUBLIC KEY TO AMAZON EC2 Use the Import-EC2KeyPair AWS Tools for Windows PowerShell command. TO VERIFY THAT THE KEY PAIR WAS IMPORTED SUCCESSFULLY Use the Get-EC2KeyPair AWS Tools for Windows PowerShell command. anchoranchoranchor * Console * AWS CLI * PowerShell TO IMPORT THE PUBLIC KEY TO AMAZON EC2 1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/. 2. In the navigation pane, choose Key Pairs. 3. Choose Import key pair. 4. 
For Name, enter a descriptive name for the public key. The name can include up to 255 ASCII characters. It can’t include leading or trailing spaces. NOTE When you connect to your instance from the EC2 console, the console suggests this name for the name of your private key file. 5. Either choose Browse to navigate to and select your public key, or paste the contents of your public key into the Public key contents field. 6. Choose Import key pair. 7. Verify that the public key that you imported appears in the list of key pairs. Javascript is disabled or is unavailable in your browser. To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions. Document Conventions Key pairs Tag a key pair Did this page help you? - Yes Thanks for letting us know we're doing a good job! If you've got a moment, please tell us what we did right so we can do more of it. Did this page help you? - No Thanks for letting us know this page needs work. We're sorry we let you down. If you've got a moment, please tell us how we can make the documentation better. -------------------------------------------------------------------------------- VIEW RELATED PAGES PREVIEW * * 1 * 2 * 3 * AWSCloudFormation › UserGuide AWS::EC2::KeyPair 31. August 2024 Lightsail › userguide Transfer files securely to Lightsail Linux instances with SFTP 30. August 2024 DISCOVER HIGHLY RATED PAGES PREVIEW * * 1 * 2 * 3 * 4 * 5 * 6 * AWSEC2 › UserGuide What is Amazon EC2? 30. August 2024 AWSEC2 › UserGuide Regions and Zones 30. August 2024 DID THIS PAGE HELP YOU? Yes No Provide feedback NEXT TOPIC: Tag a key pair PREVIOUS TOPIC: Key pairs NEED HELP? * Try AWS re:Post * Connect with an AWS IQ expert PrivacySite termsCookie preferences © 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved. 
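A local pre-import check of an OpenSSH public key line against the key pair requirements listed on this page (type, RSA length, the Windows restriction on ED25519), as an added example that is not part of the AWS documentation. The function names and the constructed sample keys are assumptions made for illustration; the check covers only the OpenSSH public key format.

```python
import base64

# Supported RSA lengths, taken from the requirements on this page.
RSA_LENGTHS = {1024, 2048, 4096}
RSA_LENGTHS_INSTANCE_CONNECT = {2048, 4096}

def wire(data):
    """Encode bytes as a length-prefixed SSH wire string."""
    return len(data).to_bytes(4, "big") + data

def read_string(blob, pos):
    """Read one length-prefixed string; return (bytes, next position)."""
    end = pos + 4 + int.from_bytes(blob[pos:pos + 4], "big")
    if pos + 4 > len(blob) or end > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos + 4:end], end

def check_public_key(line, platform="linux", instance_connect=False):
    """Return (type, bits) if the key meets the page's requirements, else raise ValueError."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1], validate=True)  # binascii.Error is a ValueError
    embedded, pos = read_string(blob, 0)
    if embedded != fields[0].encode():
        raise ValueError("declared type does not match key blob")
    if fields[0] == "ssh-ed25519":
        if platform == "windows":
            raise ValueError("ED25519 keys are not supported for Windows instances")
        return "ssh-ed25519", 256  # ED25519 keys have a fixed 256-bit size
    if fields[0] == "ssh-rsa":
        _exponent, pos = read_string(blob, pos)
        modulus, _ = read_string(blob, pos)
        bits = int.from_bytes(modulus, "big").bit_length()
        allowed = RSA_LENGTHS_INSTANCE_CONNECT if instance_connect else RSA_LENGTHS
        if bits not in allowed:
            raise ValueError(f"unsupported RSA length: {bits}")
        return "ssh-rsa", bits
    raise ValueError(f"unsupported key type: {fields[0]}")  # includes DSA (ssh-dss)

def constructed_key_line(key_type, bits=0):
    """Constructed sample input: correct structure and size, not a usable key."""
    body = wire(bytes(32))  # placeholder 32-byte key body
    if key_type == "ssh-rsa":
        n = (1 << (bits - 1)) | 1  # modulus with exactly `bits` bits
        body = wire(b"\x01\x00\x01") + wire(n.to_bytes(bits // 8 + 1, "big"))
    blob = wire(key_type.encode()) + body
    return f"{key_type} {base64.b64encode(blob).decode()} constructed-sample"
```
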