Create a key pair for your Amazon EC2 instance
You can use Amazon EC2 to create your key pairs, or you can use a third-party tool to create your key pairs, and then import them to Amazon EC2.
Amazon EC2 supports 2048-bit SSH-2 RSA keys for Linux and Windows instances. Amazon EC2 also supports ED25519 keys for Linux instances.
For instructions on how to connect to your instance after you have created a key pair, see Connect to your Linux instance using SSH and Connect to your Windows instance using RDP.
Contents
Create a key pair using Amazon EC2
When you create a key pair using Amazon EC2, the public key is stored in Amazon EC2, and you store the private key.
You can create up to 5,000 key pairs per Region. To request an increase, create a support case. For more information, see Creating a support case in the Amazon Web Services Support User Guide.
Create a key pair using Amazon CloudFormation
When you create a new key pair using Amazon CloudFormation, the private key is saved to Amazon Systems Manager Parameter Store. The parameter name has the following format:
/ec2/keypair/key_pair_id
For more information, see Amazon Systems Manager Parameter Store in the Amazon Systems Manager User Guide.
To create a key pair using Amazon CloudFormation
-
Specify the AWS::EC2::KeyPair resource in your template.
Resources: NewKeyPair: Type: 'AWS::EC2::KeyPair' Properties: KeyName: new-key-pair
-
Use the describe-key-pairs command as follows to get the ID of the key pair.
aws ec2 describe-key-pairs --filters Name=key-name,Values=
new-key-pair
--query KeyPairs[*].KeyPairId --output textThe following is example output.
key-05abb699beEXAMPLE
-
Use the get-parameter command as follows to get the parameter for your key and save the key material in a
.pem
file.aws ssm get-parameter --name /ec2/keypair/
key-05abb699beEXAMPLE
--with-decryption --query Parameter.Value --output text >new-key-pair.pem
Required IAM permissions
To enable Amazon CloudFormation to manage Parameter Store parameters on your behalf, the IAM role assumed by Amazon CloudFormation or your user must have the following permissions:
-
ssm:PutParameter
– Grants permission to create a parameter for the private key material. -
ssm:DeleteParameter
– Grants permission to delete the parameter that stored the private key material. This permission is required whether the key pair was imported or created by Amazon CloudFormation.
When Amazon CloudFormation deletes a key pair that was created or imported by a stack, it performs a
permissions check to determine whether you have permission to delete parameters, even though
Amazon CloudFormation creates a parameter only when it creates a key pair, not when it imports a key pair.
Amazon CloudFormation tests for the required permission using a fabricated parameter name that does not
match any parameter in your account. Therefore, you might see a fabricated parameter name in
the AccessDeniedException
error message.
Create a key pair using a third-party tool and import the public key to Amazon EC2
Instead of using Amazon EC2 to create a key pair, you can create an RSA or ED25519 key pair by using a third-party tool and then import the public key to Amazon EC2.
Requirements for key pairs
-
Supported types:
-
(Linux and Windows) RSA
-
(Linux only) ED25519
Note
ED25519 keys are not supported for Windows instances.
-
Amazon EC2 does not accept DSA keys.
-
-
Supported formats:
-
OpenSSH public key format (for Linux, the format in
~/.ssh/authorized_keys
) -
(Linux only) If you connect using SSH while using the EC2 Instance Connect API, the SSH2 format is also supported.
-
SSH private key file format must be PEM or PPK
-
(RSA only) Base64 encoded DER format
-
(RSA only) SSH public key file format as specified in RFC 4716
-
-
Supported lengths:
-
1024, 2048, and 4096.
-
(Linux only) If you connect using SSH while using the EC2 Instance Connect API, the supported lengths are 2048 and 4096.
-
To create a key pair using a third-party tool
-
Generate a key pair with a third-party tool of your choice. For example, you can use ssh-keygen (a tool provided with the standard OpenSSH installation). Alternatively, Java, Ruby, Python, and many other programming languages provide standard libraries that you can use to create a key pair.
Important
The private key must be in the PEM or PPK format. For example, use
ssh-keygen -m PEM
to generate the OpenSSH key in the PEM format. -
Save the public key to a local file. For example,
~/.ssh/my-key-pair.pub
(Linux, macOS) orC:\keys\my-key-pair.pub
(Windows). The file name extension for this file is not important. -
Save the private key to a local file that has the
.pem
or.ppk
extension. For example,~/.ssh/my-key-pair.pem
or~/.ssh/my-key-pair.ppk
(Linux, macOS) orC:\keys\my-key-pair.pem
orC:\keys\my-key-pair.ppk
(Windows). The file extension is important because, depending on the tool you use to connect to your instance, you'll need a specific file format. OpenSSH requires a.pem
file, while PuTTY requires a.ppk
file.Important
Save the private key file in a safe place. You'll need to provide the name of your public key when you launch an instance, and the corresponding private key each time you connect to the instance.
After you have created the key pair, use one of the following methods to import your public key to Amazon EC2.