Adding a New SSH Key to EC2

Add a new key pair to a running EC2 instance without losing existing access: key creation in AWS, local setup, public key extraction, and authorized_keys update.

Use this when you need a new SSH key on an existing EC2 instance, for example when setting up access from a new machine or when a key has gone missing. You will need existing access to the instance (via EC2 Instance Connect or another active key) to add the new one. This workflow assumes both the local environment and the EC2 instance are running Linux.

1. Create a key pair in AWS

  • AWS Console -> EC2 -> Key Pairs -> Create key pair
  • Choose a clear name and PEM format
  • Download the .pem file (AWS only provides this once)

2. Move the .pem to ~/.ssh on your machine

mkdir -p ~/.ssh
chmod 700 ~/.ssh
mv ~/Downloads/your-new-key.pem ~/.ssh/
chmod 400 ~/.ssh/your-new-key.pem

3. Extract the public key from the .pem

ssh-keygen -y -f ~/.ssh/your-new-key.pem

This prints a single public key line starting with ssh-rsa or ssh-ed25519. Copy the entire line including the prefix.

4. Add the public key to the EC2 instance

Connect to the instance via EC2 Instance Connect or any existing key, then edit authorized_keys:

mkdir -p ~/.ssh
chmod 700 ~/.ssh
nano ~/.ssh/authorized_keys
  • Keep existing key lines
  • Paste the new public key as a new line
  • Each key must be on its own single line
chmod 600 ~/.ssh/authorized_keys
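
A scripted alternative to the manual edit in step 4, run on the instance; this is an added example, not part of the original guide. The function name `add_authorized_key` is hypothetical, and it accepts only the two key types named in step 3. It keeps existing lines, refuses anything that is not a single public key line, skips keys already present, and handles the case where the last existing line has no trailing newline.

```shell
#!/bin/sh
# Added example. add_authorized_key is a hypothetical helper, not an OpenSSH tool.
# Usage (on the instance): add_authorized_key 'ssh-ed25519 AAAA... comment' [file]
add_authorized_key() {
    key=$1
    file=${2:-"$HOME/.ssh/authorized_keys"}
    dir=$(dirname "$file")
    nl='
'
    # A key wrapped across lines by the terminal or editor is not a valid entry.
    case $key in
        *"$nl"*) echo "refusing: key spans more than one line" >&2; return 2 ;;
    esac

    # Accept only "<type> <base64> [comment]", the shape ssh-keygen -y prints.
    # This also rejects private key material (-----BEGIN ...) pasted by mistake.
    if ! printf '%s\n' "$key" |
        grep -Eq '^(ssh-rsa|ssh-ed25519) [A-Za-z0-9+/]+={0,2}( .*)?$'; then
        echo "refusing: not a public key line" >&2
        return 2
    fi

    [ -d "$dir" ] || mkdir -p -m 700 "$dir" || return 1
    [ -e "$file" ] || (umask 077 && : > "$file") || return 1

    # Compare on type + key blob so a changed comment is not a new entry.
    blob=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    if grep -qF -- "$blob" "$file"; then
        return 0
    fi

    cp -p "$file" "$file.bak" || return 1

    # If the last existing line has no newline, add one first; otherwise the
    # new key becomes part of the previous entry's comment and is never matched.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    printf '%s\n' "$key" >> "$file"
    chmod 600 "$file"
}
```

The previous file is kept as `authorized_keys.bak` next to the original, with the same permissions.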

5. Test the connection

# Ubuntu AMI
ssh -i ~/.ssh/your-new-key.pem ubuntu@YOUR_EC2_PUBLIC_IP

# Amazon Linux AMI
ssh -i ~/.ssh/your-new-key.pem ec2-user@YOUR_EC2_PUBLIC_IP