gearhead

Reputation: 807

How to secure an AWS EC2 instance when the SSH key is compromised or lost

I'm essentially an AWS noob.

I had a developer set up an EC2 instance with load balancer to host a node.js-based API. He has now moved on from the company but he still has the private key to log in, if he wanted to. I want to change the keys.

From what I have read, I need to relaunch the instance to get a new key pair. However, if I do this will I lose all the node packages, and other SW that has been installed on the current instance? What will happen with the load balancer? Do I need to update my DNS info to point to the new IP?

(Once situated, this time around I will create multiple key pairs for the devs to use.)

Thanks, Steve

EDIT: Yes, I do have the private key and can do everything I need to. I just want to make sure HE no longer has access.

Upvotes: 1

Views: 1325

Answers (3)

Rodrigo Murillo

Reputation: 13638

  1. Take an AMI of the current instance for backup purposes. This will reboot the instance but it will keep the existing IP. You do not need to remove it from your ELB. You may need this AMI if you cannot connect back in after changing the key.

  2. Log in as the (root) user, with the existing key.

  3. From the shell, run the following commands:

  4. $ ssh-keygen -t rsa -b 2048 -f user - this generates a new key pair

  5. $ sudo su - - if needed, to switch to the root account & to its working directory

  6. $ cp /home/ubuntu/.ssh/authorized_keys /home/ubuntu/.ssh/authorized_keys.bak - backup the existing public key in the authorized_keys file

  7. $ mv user.pub /home/ubuntu/.ssh/authorized_keys - this overwrites the existing public key in the authorized_keys file

(alternatively you could open the authorized_keys file in a text editor, remove the old public key yourself, and append your new public key)

  8. $ chmod 600 /home/ubuntu/.ssh/authorized_keys - Change permissions on the file

  9. Copy the private key (file called user) generated from the $ ssh-keygen command to your local machine and delete it from the instance.

  10. Connect to the instance with the new private key to confirm. IMPORTANT: Keep the existing ssh session open and create a new session with the new key.

If you have any problems on step 10 you still have access to the existing session to troubleshoot.

As for cleanup make sure and remove the old key pair from the AWS console, and invalidate any credentials IF(!) they are not required for the existing services to run. If you granted the developer root access to your AWS console, you should reset those credentials.

NOTE: These steps assume an Ubuntu installation. If you are using any other Linux type, replace ubuntu with the correct AWS username:

Amazon Linux: ec2-user
Ubuntu: ubuntu
Debian: admin
RHEL 6.4: ec2-user
RHEL 6.3: root

Upvotes: 5
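As an added example (not code from the answer above), here is a POSIX sh version of the backup, overwrite and chmod steps together with the final confirmation: it backs up authorized_keys, appends the new public key before removing the old one, fixes permissions, and gives you a check to run from the still-open session before trusting the new key. The paths and key strings in the demo are constructed, not real keys.

```shell
# Rotate an authorized_keys file in place: back it up, add the new public key,
# drop every line that carries the old key's blob, and fix permissions.
# Usage: rotate_authorized_keys <authorized_keys> <new.pub> <old.pub>
rotate_authorized_keys() {
  auth="$1"; newpub="$2"; oldpub="$3"
  [ -f "$auth" ] && [ -f "$newpub" ] && [ -f "$oldpub" ] || return 1
  # The base64 blob is the key itself; the trailing comment is not, so
  # matching on the blob still catches a key whose comment was changed.
  oldblob=$(awk 'NR==1 {print $2}' "$oldpub")
  [ -n "$oldblob" ] || return 1
  cp -p "$auth" "$auth.bak" || return 1
  # Append the new key before removing the old one so the file is never empty.
  cat "$newpub" >> "$auth" || return 1
  awk -v blob="$oldblob" 'index($0, blob) == 0' "$auth" > "$auth.tmp" || return 1
  mv "$auth.tmp" "$auth" || return 1
  chmod 600 "$auth" && chmod 700 "$(dirname "$auth")"
}

# Exit 0 if the key in <pub> is still accepted by <authorized_keys>, 1 if not.
# Run this from the session that is still open: the old key must be gone and
# the new one present before you close that session.
key_present() {
  blob=$(awk 'NR==1 {print $2}' "$2")
  [ -n "$blob" ] && awk -v blob="$blob" 'index($0, blob) {f=1} END {exit !f}' "$1"
}

# Demo on a throwaway directory with constructed (not real) keys.
demo=$(mktemp -d)
mkdir -p "$demo/.ssh"
printf '%s\n' 'ssh-rsa AAAAB3OLDKEYCONSTRUCTED== former-dev@laptop' > "$demo/old.pub"
printf '%s\n' 'ssh-ed25519 AAAAC3NEWKEYCONSTRUCTED= steve@laptop' > "$demo/new.pub"
cp "$demo/old.pub" "$demo/.ssh/authorized_keys"
rotate_authorized_keys "$demo/.ssh/authorized_keys" "$demo/new.pub" "$demo/old.pub"
key_present "$demo/.ssh/authorized_keys" "$demo/old.pub" && echo "old key still present!" || echo "old key removed"
key_present "$demo/.ssh/authorized_keys" "$demo/new.pub" && echo "new key installed"
```

On the real instance, point the first argument at /home/ubuntu/.ssh/authorized_keys (or the home of the username for your distribution) and keep the backup until the new session has been confirmed.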

gearhead

Reputation: 807

So, I have resolved this issue myself, and I'm posting what I did in case it helps anyone else.

  1. On my local machine I made a new 2048 bit RSA key pair (a new pair can also be generated on AWS)
  2. Import the new public key in the Amazon console.
  3. Create an AMI of the running instance.
  4. Launch a new (Ubuntu Linux) instance of that AMI, and point it to the newly uploaded public key for login.
  5. Once the instance is up, update Load Balancer, or DNS entries to point to the new instance, as appropriate.
  6. Start whatever software the server is intended to run.

Upvotes: 0

Dr. Aaron Dishno

Reputation: 1919

You can create a new Key Pair without creating a new EC2 instance http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-key-pairs.html#having-ec2-create-your-key-pair

It still looks like you need to launch a new instance of EC2 (which creates a new key), but if you use the same volume(s) or snapshots to create duplicate volumes you shouldn't have to reload any software. https://forums.aws.amazon.com/message.jspa?messageID=245314

As for DNS, I would point it to the load balancer, that way you can add/remove servers from the pool without DNS changes. Otherwise, assign an Elastic IP to the server, that way you can move the Elastic IP to the next server without changing DNS each time. Moving an Elastic IP is instant, where DNS takes time to replicate through the network. Hope that helps.

Upvotes: 0
