How to Terminate EC2 Instances and Replace Key Pairs in AWS: A Developer’s Guide



When working with AWS EC2, you'll notice there's no "delete" option - only "terminate". This is because:

  • Termination permanently removes the instance and its storage (except for EBS volumes marked for preservation)
  • The action is irreversible once initiated
  • Terminated instances remain visible in your console for a short period before being completely removed

To terminate an EC2 instance through the AWS Console:

  1. Navigate to EC2 Dashboard > Instances
  2. Select the instance(s) you want to terminate
  3. Click "Instance State" > "Terminate instance"
  4. Confirm the termination when prompted

Using AWS CLI:

aws ec2 terminate-instances --instance-ids i-1234567890abcdef0

When you've lost access to your original key pair but need to configure existing instances:

Method 1: Stop Instance and Modify User Data

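  1. Stop the instance (user data can't be modified while it is running)
  2. Navigate to instance > Actions > Instance Settings > Edit User Data
  3. Add a script that appends your new public key to authorized_keys. By default cloud-init runs user data scripts only on the instance's first boot, so on an existing instance the script must be set to run on every boot before it takes effect:
#!/bin/bash
# Runs as root; make sure the login user's .ssh directory exists
mkdir -p /home/ubuntu/.ssh
# Append the new public key (the old key stays authorized until it is removed)
echo "ssh-rsa AAAAB3NzaC1yc2EA... your_new_public_key" >> /home/ubuntu/.ssh/authorized_keys
# sshd reads these as the login user, so they must be owned by that user
chown -R ubuntu:ubuntu /home/ubuntu/.ssh
chmod 700 /home/ubuntu/.ssh
chmod 600 /home/ubuntu/.ssh/authorized_keys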

Method 2: Attach New Volume with Correct Keys

  1. Create a new volume with your desired key configuration
  2. Stop the problem instance
  3. Detach its root volume and attach your new volume
  4. Start the instance and verify access

  • Always store key pairs securely (AWS doesn't keep private keys)
  • Consider using AWS Systems Manager Session Manager for keyless access
  • Implement IAM roles instead of long-term credentials when possible
  • Use AWS Secrets Manager for rotating credentials

Instance won't terminate: Check for termination protection in Instance Settings.

Connection refused after key replacement: Verify security group rules allow SSH (port 22).

Metadata service unavailable: Ensure instance has proper IAM permissions for metadata access.


When you need to permanently remove an EC2 instance, AWS uses the term "terminate" rather than "delete." This is because termination involves a complete deprovisioning process:

  • The instance is shut down
  • Attached EBS volumes are deleted (unless configured otherwise)
  • All associated resources are released

To terminate an instance via AWS CLI:

aws ec2 terminate-instances --instance-ids i-1234567890abcdef0

For the AWS Management Console:

  1. Navigate to EC2 Dashboard
  2. Select "Instances" in the left menu
  3. Check the instance you want to terminate
  4. Click "Instance State" > "Terminate instance"

Common situations requiring key pair changes:

  • Lost original key pair
  • Security rotation requirements
  • Provisioning access for new team members

The simplest approach when you can rebuild:

aws ec2 run-instances \
    --image-id ami-0abcdef1234567890 \
    --instance-type t2.micro \
    --key-name MyNewKeyPair

For instances you need to preserve:

  1. Stop the instance (cannot be running)
  2. Detach the root volume
  3. Launch temporary instance with new key pair
  4. Attach original volume to temporary instance
  5. Modify authorized_keys file
  6. Reattach volume to original instance
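
Appending with `>>`, as in Method 1, leaves the lost or retired key authorized, so for step 5 a rotation should remove the old key as well as add the new one. The following is an added example, not code from the original page; the function names and the /mnt/rescue mount point are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. Assumes plain "type blob comment"
# key lines (no leading options field such as command="...").

# count_key FILE BLOB: print how many lines of FILE carry BLOB as a whole field.
count_key() {
    awk -v blob="$2" '{ for (i = 1; i <= NF; i++) if ($i == blob) { n++; break } }
                      END { print n + 0 }' "$1"
}

# replace_authorized_key FILE OLD_BLOB NEW_LINE
#   FILE      authorized_keys path, e.g. under a hypothetical /mnt/rescue mount
#   OLD_BLOB  base64 blob of the key being retired ("" retires nothing)
#   NEW_LINE  full public key line to authorize
replace_authorized_key() {
    local file="$1" old_blob="$2" new_line="$3" dir tmp new_blob
    dir=$(dirname "$file")
    new_blob=$(printf '%s\n' "$new_line" | awk '{ print $2 }')
    [ -n "$new_blob" ] || { echo "new key line has no key blob" >&2; return 1; }

    mkdir -p "$dir" && touch "$file" || return 1
    tmp=$(mktemp "$dir/.authorized_keys.XXXXXX") || return 1

    # Drop the retired key and any earlier copy of the new key. Matching whole
    # fields means a blob that is a prefix of another key never matches it.
    awk -v old="$old_blob" -v new="$new_blob" '
        { drop = 0
          for (i = 1; i <= NF; i++)
              if ((old != "" && $i == old) || $i == new) drop = 1
          if (!drop) print }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s\n' "$new_line" >> "$tmp"

    # Overwrite in place so an existing file keeps its owner (the login user's
    # UID on the mounted volume), then set the modes sshd expects.
    cat "$tmp" > "$file" && rm -f "$tmp" || return 1
    chmod 600 "$file" && chmod 700 "$dir"
}
```

Running it a second time with the same new key leaves a single copy, so it is safe to re-run; `count_key` doubles as the check that the new public key is present.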

For production environments with many instances:

#!/bin/bash
# Sample rotation script
set -euo pipefail   # stop on the first failed AWS call

INSTANCE_ID="i-1234567890abcdef0"
NEW_KEY="MyNewKeyPair"   # name of the replacement key pair; not used by the steps shown here

aws ec2 stop-instances --instance-ids "$INSTANCE_ID"
aws ec2 wait instance-stopped --instance-ids "$INSTANCE_ID"
# Additional steps for volume attachment/modification
aws ec2 start-instances --instance-ids "$INSTANCE_ID"
aws ec2 wait instance-running --instance-ids "$INSTANCE_ID"

  • Always back up keys in a secure location
  • Use AWS Systems Manager Session Manager as a keyless alternative
  • Implement regular key rotation policies
  • Consider EC2 Instance Connect for temporary access

Instance not terminating: Check IAM permissions for ec2:TerminateInstances

Connection refused after key change: Verify the new public key was properly added to ~/.ssh/authorized_keys