303 — SSH and Key Pairs

Intermediate

Create an EC2 key pair, chmod 400 the .pem file, launch a t2.micro with an SSH-only security group, SSH in, query IMDSv2 metadata, and clean up — all from the CLI.

Learning Objectives

1
Explain how EC2 key pairs work: AWS injects the public key at launch and you hold the private key
2
Create a key pair, save the .pem file, and apply the required permissions
3
Launch a t2.micro instance with a minimal SSH-only security group
4
Connect to the running instance over SSH and confirm the remote environment
5
Run basic diagnostic commands on the remote instance
6
Understand the key-loss recovery path without demonstrating it
7
Terminate the instance and clean up the key pair and security group
Step 1

Understand how EC2 key pairs work

Before creating anything, review the key pair model that AWS uses. Understanding why the process works this way helps you debug connection problems and make correct security decisions.

Commands to Run

aws ec2 describe-key-pairs \
  --query "KeyPairs[*].{Name:KeyName,Type:KeyType,Created:CreateTime}" \
  --output table

What This Does

When you create an EC2 key pair, AWS generates a public/private RSA or ED25519 key pair and gives you the private key once — it is never stored by AWS again.

When an instance launches, cloud-init reads the public key from the AWS metadata service and writes it to /home/ec2-user/.ssh/authorized_keys before the instance becomes reachable.

SSH then uses standard public-key authentication: your private key proves your identity without sending a password over the network.

The describe-key-pairs command lists the key pairs currently registered in this region.

If devops-lab-key still exists from Lesson 301, you will see it here.

Expected Outcome

A table listing any existing key pairs in the region:
---------------------------------------------------------------------
|                     DescribeKeyPairs                              |
+--------------------+----------+-----------------------------------+
| Created            | Name     | Type                              |
+--------------------+----------+-----------------------------------+
| 2026-05-23T...     | devops-lab-key | rsa                         |
+--------------------+----------+-----------------------------------+

If no key pairs exist, the table is empty — that is fine.

Lesson 303 creates its own key pair named devops-ssh-lab.

Pro Tips

  • 1
    AWS stores only the public key fingerprint after key creation — it never stores or can retrieve your private key. If you lose the .pem file, you must create a new key pair.
  • 2
    Key pairs are region-specific. A key pair created in us-east-1 cannot be used to launch instances in eu-west-1 unless you import the public key into that region.
  • 3
    RSA (2048-bit) and ED25519 are both supported. ED25519 is faster and produces shorter keys; RSA has broader client compatibility.

Common Mistakes to Avoid

  • āš ļøAttempting to reuse devops-lab-key from Lesson 301 for this lesson — the module outline creates devops-ssh-lab here to practice the full creation workflow. Lesson 303 uses its own key pair.
  • āš ļøAssuming AWS can regenerate a lost private key — it cannot. The private key is delivered once at creation time and must be saved locally.
Was this step helpful?

All Steps (0 / 13 completed)