Bird
Raised Fist0
AWScloud~10 mins

Key pairs for SSH access in AWS - Step-by-Step Execution

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Process Flow - Key pairs for SSH access
Create Key Pair
AWS stores Public Key
User downloads Private Key
Launch EC2 Instance with Key Pair
User connects via SSH using Private Key
EC2 verifies Public Key
SSH Access Granted or Denied
This flow shows how AWS key pairs are created, stored, and used to securely connect to EC2 instances via SSH.
Execution Sample
AWS
aws ec2 create-key-pair --key-name MyKey --query 'KeyMaterial' --output text > MyKey.pem
chmod 400 MyKey.pem
ssh -i MyKey.pem ec2-user@ec2-instance-ip
Create a key pair in AWS and use the private key to SSH into an EC2 instance.
Process Table
StepActionAWS StateUser ActionResult
1Create key pair named 'MyKey'Public key saved in AWSPrivate key file downloadedKey pair ready for use
2Launch EC2 instance with 'MyKey'Instance stores public key for SSHWait for instance to startInstance ready for SSH
3User runs SSH command with private keyInstance receives SSH requestSSH client sends private keyInstance checks public key match
4Instance verifies key pair matchPublic key matches private keyConnection establishedSSH access granted
5If keys don't matchPublic key does not matchConnection attemptSSH access denied
💡 SSH access ends when key verification succeeds or fails.
Status Tracker
VariableStartAfter Step 1After Step 2After Step 3After Step 4Final
Public Key (AWS)NoneStoredStoredStoredCheckedVerified or Rejected
Private Key (User)NoneDownloadedHeldUsed in SSHSent to InstanceUsed for Access
EC2 Instance StateStoppedStoppedRunning with KeyRunningRunningRunning
SSH ConnectionNoneNoneNoneAttemptedEstablished or DeniedEnded
Key Moments - 3 Insights
Why does AWS only store the public key and not the private key?
AWS stores only the public key for security reasons; the private key is kept only by the user to ensure only they can access the instance, as shown in execution_table step 1.
What happens if the private key used in SSH does not match the public key on the instance?
The instance denies SSH access because the keys don't match, as seen in execution_table step 5 where SSH access is denied.
Can you connect to an EC2 instance without the private key?
No, because the private key is required to prove your identity; without it, the instance will reject the connection (execution_table step 5).
Visual Quiz - 3 Questions
Test your understanding
Look at the execution_table, at which step does the user download the private key?
AStep 3
BStep 1
CStep 2
DStep 4
💡 Hint
Check the 'User Action' column in execution_table step 1.
According to variable_tracker, what is the state of the EC2 instance after step 2?
ARunning with Key
BStopped
CRunning without Key
DTerminated
💡 Hint
Look at the 'EC2 Instance State' row after 'After Step 2' column.
If the private key is lost, what will happen during SSH connection according to execution_table?
ASSH access granted
BAWS regenerates the private key
CSSH access denied
DConnection succeeds without key
💡 Hint
Refer to execution_table step 5 where keys don't match.
Concept Snapshot
Key pairs are two linked keys: public (stored by AWS) and private (kept by user).
AWS uses the public key on EC2 instances to verify SSH connections.
Users connect via SSH using the private key file.
Private key must be kept safe; losing it means losing access.
AWS never stores the private key for security.
SSH access depends on matching key pairs.
Full Transcript
This visual execution shows how AWS key pairs enable secure SSH access to EC2 instances. First, a key pair is created; AWS stores the public key, and the user downloads the private key. When launching an EC2 instance, the public key is installed on it. To connect, the user uses the private key with SSH. The instance verifies the private key matches the stored public key. If they match, SSH access is granted; otherwise, it is denied. The private key must be kept safe by the user because AWS does not store it. Losing the private key means losing SSH access to the instance.

Practice

(1/5)
1. What is the main purpose of a key pair in AWS for SSH access?
easy
A. To store server data securely
B. To securely connect to a server without using a password
C. To create a backup of the server
D. To monitor server performance

Solution

  1. Step 1: Understand SSH access

    SSH uses keys to allow secure login without passwords.

  2. Step 2: Role of key pairs in AWS

    A key pair provides a private key for the user and a public key for the server to verify identity.

  3. Final Answer:

    To securely connect to a server without using a password -> Option B

  4. Quick Check:

    Key pairs enable passwordless secure login [OK]
Hint: Key pairs replace passwords for secure server login [OK]
Common Mistakes:
  • Thinking key pairs store server data
  • Confusing key pairs with backups
  • Assuming key pairs monitor performance
2. Which AWS CLI command correctly creates a new key pair named MyKey and saves the private key to a file?
easy
A. aws ec2 create-key-pair --key-name MyKey --query 'KeyMaterial' --output text > MyKey.pem
B. aws ec2 create-key-pair MyKey > MyKey.pem
C. aws ec2 generate-key-pair --name MyKey > MyKey.pem
D. aws ec2 new-key --key-name MyKey > MyKey.pem

Solution

  1. Step 1: Identify correct AWS CLI syntax

    The correct command uses create-key-pair with --key-name and outputs the private key material.

  2. Step 2: Confirm output redirection

    The private key is saved by redirecting the output to a file with > MyKey.pem.

  3. Final Answer:

    aws ec2 create-key-pair --key-name MyKey --query 'KeyMaterial' --output text > MyKey.pem -> Option A

  4. Quick Check:

    Correct AWS CLI syntax for key pair creation [OK]
Hint: Use create-key-pair with --query 'KeyMaterial' to save private key [OK]
Common Mistakes:
  • Using wrong command like generate-key-pair
  • Omitting --query to extract key material
  • Not redirecting output to save private key
3. You launched an EC2 instance with key pair MyKey. Which command will you use to connect to it if the instance's public IP is 54.12.34.56 and your private key file is MyKey.pem?
medium
A. ssh ec2-user@54.12.34.56 -i MyKey.pem
B. ssh -key MyKey.pem ec2-user@54.12.34.56
C. ssh -p MyKey.pem ec2-user@54.12.34.56
D. ssh -i MyKey.pem ec2-user@54.12.34.56

Solution

  1. Step 1: Understand SSH command syntax for key usage

    The -i option specifies the private key file for authentication.

  2. Step 2: Confirm correct order of arguments

    The correct syntax is ssh -i private_key user@host. ssh -i MyKey.pem ec2-user@54.12.34.56 matches this exactly.

  3. Final Answer:

    ssh -i MyKey.pem ec2-user@54.12.34.56 -> Option D

  4. Quick Check:

    SSH uses -i to specify private key file [OK]
Hint: Use ssh -i private_key user@ip to connect [OK]
Common Mistakes:
  • Using -key or -p instead of -i
  • Placing -i after user@host
  • Omitting the private key option
4. You tried to connect to your EC2 instance using SSH but got a permission denied error. Which of these is the most likely cause?
medium
A. The private key file has incorrect permissions (too open)
B. The instance is stopped
C. The key pair was deleted from AWS
D. The instance has no public IP

Solution

  1. Step 1: Check SSH private key file permissions

    SSH requires private key files to have strict permissions (e.g., 400). Too open permissions cause denial.

  2. Step 2: Understand other options

    While stopped instances or no public IP prevent connection, the error message differs. Deleted key pairs do not affect existing instances.

  3. Final Answer:

    The private key file has incorrect permissions (too open) -> Option A

  4. Quick Check:

    Private key file permissions cause SSH denial [OK]
Hint: Set private key file permission to 400 or stricter [OK]
Common Mistakes:
  • Ignoring file permission errors
  • Assuming instance state causes permission denied
  • Confusing deleted key pairs with connection errors
5. You lost your private key file for an EC2 instance launched with key pair OldKey. What is the best way to regain SSH access without stopping the instance?
hard
A. Use the AWS console to download the lost private key again
B. Delete the instance and launch a new one with a new key pair
C. Create a new key pair, then update the instance's authorized keys by connecting through Systems Manager or another user
D. Generate a new private key file with the same key name in AWS

Solution

  1. Step 1: Understand private key loss impact

    Private keys cannot be recovered or downloaded again from AWS once lost.

  2. Step 2: Regain access without stopping instance

    Use AWS Systems Manager or another user with access to add a new public key from a new key pair to the instance's authorized keys.

  3. Final Answer:

    Create a new key pair, then update the instance's authorized keys by connecting through Systems Manager or another user -> Option C

  4. Quick Check:

    Lost private key requires new key and authorized keys update [OK]
Hint: Use Systems Manager to add new key without stopping instance [OK]
Common Mistakes:
  • Trying to download lost private key again
  • Assuming new key pair with same name works
  • Deleting instance unnecessarily