Recovering access to AWS instance if the pem file is lost

Nakul Pant · Published in TechCret Software · 2 min read · Jun 7, 2020

Today we are going to cover the scenario of recovering access to an AWS instance when the .pem file for that instance is lost. Most of us have probably faced this issue at some point.

Suppose we have an instance whose .pem file has been lost or destroyed. If an AWS instance is secured with a .pem key pair, we cannot download or regenerate that .pem file from AWS again, because AWS does not keep the private key.

We will need a second instance to recover access to our lost instance. Let’s call this new instance the helper instance and the lost instance the recovery instance.

Let’s jump to the steps:

  1. Every instance has a volume attached to it which holds all the user data, so we first need to stop the recovery instance. This can be done either from the AWS Management Console or with the AWS CLI. Make sure you stop, and do not terminate, your recovery instance.
  2. Once the recovery instance is stopped, detach the volume attached to it. Once detached, the volume shows as available for use.
  3. Now attach this volume to our helper instance. Since the helper instance already has a root volume (/dev/sda1), the newly attached volume will be a secondary volume (/dev/xvdf1). Note that the helper instance must be in the same Availability Zone as the lost instance; otherwise the lost instance’s volume cannot be attached to the helper instance.
  4. Mount the newly attached volume on the helper instance. The mount point has to exist first, so create it and then mount:
    mkdir -p /mount
    mount /dev/xvdf1 /mount
    This mounts our volume at the /mount folder.
  5. Now copy the authorized_keys file from the helper instance’s .ssh folder to the .ssh folder of the mounted volume. This allows the .pem file of the helper instance to log in to the recovery instance.
    cp ~/.ssh/authorized_keys /mount/home/ubuntu/.ssh/
  6. Unmount the attached volume from the helper instance.
    umount /mount
  7. Detach the volume from the helper instance and reattach it to the recovery instance. Make sure you attach it as /dev/sda1: the recovery instance has no root volume attached at this point, so the volume must be attached as its root device, /dev/sda1.
  8. Start the recovery instance and use the .pem file of the helper instance to log in to it.
  9. Stop and terminate the helper instance.

This restores login access to the recovery instance.
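The whole procedure as one script, added here as a worked example; it is not code from the original post. It runs on the helper instance with AWS CLI v2 credentials that may stop/start instances and attach/detach volumes, and every instance ID, the device name, the mount point and the login user are placeholders or assumptions you set through environment variables. Step 5 is done by appending the helper’s public key rather than with the post’s cp: cp overwrites any keys the recovery instance already trusts and, when run as root on a volume that has no authorized_keys yet, leaves the file owned by root, which sshd (with the default StrictModes) silently ignores. The install_helper_key function therefore appends, skips duplicates, and restores the 700/600 modes and the owner of the mounted home directory.

```shell
#!/bin/sh
# Added example, not from the original post: the nine steps above as one script.
# Run ON THE HELPER INSTANCE (mount/umount need root, so typically via sudo).
# All IDs, device names, the mount point and the user name are placeholders.
set -eu

AWS="${AWS:-aws}"                                   # set AWS=echo to dry-run
RECOVERY_INSTANCE="${RECOVERY_INSTANCE:-}"          # lost instance, e.g. i-0123456789abcdef0 (placeholder)
HELPER_INSTANCE="${HELPER_INSTANCE:-}"              # the instance this script runs on
RECOVERY_USER="${RECOVERY_USER:-ubuntu}"            # login user on the recovery volume
RECOVERY_DEVICE="${RECOVERY_DEVICE:-/dev/xvdf1}"    # Nitro instances expose it as /dev/nvme1n1p1 instead
MOUNT_POINT="${MOUNT_POINT:-/mount}"
HELPER_KEYS="${HELPER_KEYS:-$HOME/.ssh/authorized_keys}"  # helper's own trusted keys (set it under sudo)

# Volume attached as /dev/sda1 (the root device) on the given instance.
root_volume_of() {
  $AWS ec2 describe-volumes \
    --filters "Name=attachment.instance-id,Values=$1" "Name=attachment.device,Values=/dev/sda1" \
    --query 'Volumes[0].VolumeId' --output text
}

# Steps 2 and 7: detach a volume and wait until it is "available".
detach_volume() {
  $AWS ec2 detach-volume --volume-id "$1"
  $AWS ec2 wait volume-available --volume-ids "$1"
}

# Steps 3 and 7: attach_volume VOLUME INSTANCE DEVICE, then wait until "in-use".
attach_volume() {
  $AWS ec2 attach-volume --volume-id "$1" --instance-id "$2" --device "$3"
  $AWS ec2 wait volume-in-use --volume-ids "$1"
}

# Step 5, hardened: install_helper_key SRC_AUTHORIZED_KEYS MOUNTED_HOME
# Appends the helper's public key(s) instead of overwriting authorized_keys,
# skips keys already present (idempotent), and restores the 700/600 modes sshd
# requires. Ownership is copied from the mounted home directory because the
# uid/gid of that user on the recovery volume may differ from the helper's.
install_helper_key() {
  src="$1"; home="$2"; sshdir="$home/.ssh"
  mkdir -p "$sshdir"
  touch "$sshdir/authorized_keys"
  # Accept only lines that look like OpenSSH public keys (no blanks or comments).
  grep -E '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9@.-]+) ' "$src" |
  while IFS= read -r key; do
    grep -qxF -e "$key" "$sshdir/authorized_keys" ||
      printf '%s\n' "$key" >>"$sshdir/authorized_keys"
  done
  chmod 700 "$sshdir"
  chmod 600 "$sshdir/authorized_keys"
  chown "$(stat -c '%u:%g' "$home")" "$sshdir" "$sshdir/authorized_keys"
}

main() {
  [ -n "$RECOVERY_INSTANCE" ] && [ -n "$HELPER_INSTANCE" ] ||
    { echo "set RECOVERY_INSTANCE and HELPER_INSTANCE" >&2; exit 2; }
  vol=$(root_volume_of "$RECOVERY_INSTANCE")
  $AWS ec2 stop-instances --instance-ids "$RECOVERY_INSTANCE"       # step 1: stop, never terminate
  $AWS ec2 wait instance-stopped --instance-ids "$RECOVERY_INSTANCE"
  detach_volume "$vol"                                               # step 2
  attach_volume "$vol" "$HELPER_INSTANCE" /dev/sdf                   # step 3: appears as /dev/xvdf
  mkdir -p "$MOUNT_POINT"                                            # step 4
  mount "$RECOVERY_DEVICE" "$MOUNT_POINT"
  install_helper_key "$HELPER_KEYS" "$MOUNT_POINT/home/$RECOVERY_USER"   # step 5
  umount "$MOUNT_POINT"                                              # step 6
  detach_volume "$vol"                                               # step 7: back onto the recovery
  attach_volume "$vol" "$RECOVERY_INSTANCE" /dev/sda1                #         instance as its root device
  $AWS ec2 start-instances --instance-ids "$RECOVERY_INSTANCE"      # step 8: now ssh -i helper.pem
}

# Only act when configured, so the functions can be sourced and tested on their own.
if [ -n "$RECOVERY_INSTANCE" ]; then main; fi
```

Dry-run first with AWS=echo to see the exact CLI calls, then run it for real as root on the helper, setting HELPER_KEYS to the helper user’s authorized_keys (under sudo, $HOME is root’s). Once you are back in with the helper’s .pem file, create a fresh key pair for the recovered instance and remove the helper’s key from authorized_keys when the helper is terminated, so the volume does not keep trusting a key that no longer has an owner.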
