Managing Amazon EC2 Key Pairs From the Command Line

Brien Posey shows how to access EC2 virtual machine instances through the use of key pairs via the AWS CLI or PowerShell.

Amazon controls access to EC2 virtual machine (VM) instances through the use of key pairs. When you create a new VM instance, you are required to associate a key pair with it, as shown in Figure 1. You must be in direct possession of an instance's private key in order to acquire the instance's password and log into the instance.

Figure 1: You must associate a key pair with EC2 instances at the time of creation.

While you could conceivably create a single key pair and use it indefinitely for all of your EC2 instances, doing so poses a security risk. After all, anyone who is in possession of the private key could conceivably gain administrative access to all of your VM instances. That being the case, organizations often leverage a key management policy that is designed to make their VM instances more secure. For example, some organizations tie the key creation and management process to the VM instance type. An organization might, for instance, have one key for web servers, another key for database servers and so on.

A wide variety of key management strategies can be used to enhance the security of an organization's VM instances. However, these strategies may require a large number of keys to be created.

As you can see in Figure 2, the EC2 dashboard includes an interface that you can use to create key pairs. Even so, using the dashboard might not be the best option if you need to create numerous keys. In that type of situation, it is probably going to be more efficient to create the key pairs through the Amazon Command Line Interface (AWS CLI).

Figure 2: You can create key pairs through the EC2 Dashboard.

Before you will be able to use Windows PowerShell from the command line, you will need to download and install the AWS Command Line Interface. Amazon makes versions of the AWS CLI for Windows, Linux and Mac. You can download AWS CLI from:

Generating a key pair from the command line is a relatively straightforward process. Even so, there are several pieces of information that you will need to provide. Here is an example command supplied by Amazon:

aws ec2 create-key-pair --key-name MyKeyPair --query 'KeyMaterial' --output text > MyKeyPair.pem

The first portion of this command (aws ec2 create-key-pair) simply tells the AWS CLI to run the create-key-pair operation that is associated with AWS EC2. As you can see, there are three parameters that are used in conjunction with this command: --key-name, --query and --output. Thankfully, these parameters are really simple to use.

The first of the parameters is the key name. The key name is exactly what it sounds like -- a friendly name used to identify the key. Generally speaking, you can use any key name that you want, so long as the name is not already in use. Key names can be up to 255 characters in length and are made up of ASCII characters. Key names cannot include leading or trailing spaces, but if you are creating keys from the command line, the process will likely be less problematic if you simply avoid the use of spaces altogether.

The second parameter that you will need to supply is the Query parameter (--query). The Query parameter is required because you can only retrieve a private key at the time that the corresponding key pair is created. The Query parameter selects, from the command's response, the data that is needed in order to generate the private key file. Incidentally, the Query should always be set to "KeyMaterial."

The third required parameter is the output text (--output text). As you can see in the sample command, the output text is redirected (via the greater than sign) to a PEM file. You will simply need to choose a path and filename for this file.

In case you are wondering, you can create a key pair from PowerShell as well, assuming that you have installed the AWS Tools for PowerShell. The syntax used when creating a key pair from PowerShell is nearly identical to what I just showed you. The difference is that the greater than sign (after output text) is replaced by a pipe symbol. PowerShell's Out-File cmdlet is then used to write the data to a PEM file. It is worth noting, however, that if you choose to create a key pair through PowerShell, then you will need to use the Encoding switch in conjunction with the Out-File cmdlet to set the encoding to ASCII. Otherwise, the PEM file that you create will be unusable. You can see what the PowerShell key pair creation process looks like in Figure 3.
Figure 3: This is how you create a key pair in PowerShell.

One last bit of advice that I want to pass along is that the key files that you create are specific to a particular region. As such, you will need to make sure that the command line environment is pointed to the correct region before you create a key file. If you need help changing the region, then be sure to check out my recent post on "Working With AWS Regions in Windows PowerShell."
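
The per-role key strategy and the create-key-pair command described above, combined into an added example (this is not code from the article or from Amazon). The function names, the ec2-ROLE-REGION naming scheme and the name allowlist, which is deliberately stricter than EC2's own rule, are assumptions made for illustration.

```shell
# Added example: create one EC2 key pair per server role in an explicit region.
# Function names and the ec2-ROLE-REGION naming scheme are assumptions.

# Accept only 1-255 characters from a conservative ASCII allowlist (no spaces).
valid_key_name() (
  LC_ALL=C                              # byte-wise matching, so ranges mean ASCII
  name=$1
  [ -n "$name" ] && [ "${#name}" -le 255 ] || exit 1
  case $name in
    [!A-Za-z0-9]*|*[!A-Za-z0-9._-]*) exit 1 ;;   # stricter than EC2's own rule
  esac
  exit 0
)

# create_key_pair REGION NAME DIR -> writes DIR/NAME.pem and prints its path
create_key_pair() (
  region=$1 name=$2 dir=$3
  pem="$dir/$name.pem"
  valid_key_name "$name" || { echo "invalid key name: $name" >&2; exit 2; }
  # The private key is returned only once, at creation: never clobber a saved one.
  [ ! -e "$pem" ] || { echo "refusing to overwrite $pem" >&2; exit 3; }
  umask 077                             # new file is never group/world readable
  material=$(aws ec2 create-key-pair --region "$region" --key-name "$name" \
               --query 'KeyMaterial' --output text) || exit 4
  case $material in
    '-----BEGIN '*) ;;                  # response looks like PEM key material
    *) echo "no key material returned for $name" >&2; exit 5 ;;
  esac
  printf '%s\n' "$material" > "$pem"
  chmod 400 "$pem"                      # read-only for the owner
  printf '%s\n' "$pem"
)

# create_role_keys REGION DIR ROLE... -> one key pair per role
create_role_keys() (
  region=$1 dir=$2; shift 2
  for role in "$@"; do
    create_key_pair "$region" "ec2-$role-$region" "$dir" || exit $?
  done
)

# Usage (role names and directory are placeholders):
#   create_role_keys us-east-1 "$HOME/.ssh" web db
```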

About the Author

Brien Posey is a 19-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.