
🔑 What are Key Pairs in AWS?

Published on August 22, 2025

A Key Pair in AWS = a way to log in securely to your EC2 instance (virtual server) without using a password.

It’s basically:

  • Public key → stays in AWS (on your EC2 instance).

  • Private key → you download and keep safe (on your laptop).

👉 Together, they form a lock-and-key system using SSH (Secure Shell).


🔹 Why do we need Key Pairs?

Imagine your EC2 instance is a house:

  • AWS puts a lock (public key) on the door when you launch it.

  • You get the only key (private key .pem file) that can unlock that door.

  • Without that key, no one can enter — even AWS employees.

This avoids using weak username/password logins, making it much more secure.


🔹 How Key Pairs Work Step by Step

  1. You create/download a Key Pair in AWS (or upload your own public key).

    • File is usually my-key.pem.

    • You must keep it safe — AWS doesn’t let you download it again.

  2. You launch an EC2 instance and tell AWS:
    “Attach the public half of my-key to this machine.”

  3. AWS installs the public key inside the EC2 instance (~/.ssh/authorized_keys).

  4. To connect:

    ssh -i my-key.pem ec2-user@<EC2-IP>

    • SSH checks if your private key matches the server’s public key.

    • If yes → ✅ you get access.

    • If no → ❌ “Permission denied.”


🔹 Important Notes for You (as a backend dev)

  • Key pair = login access. If you lose the .pem, you cannot log in anymore (unless you create a new one & manually replace it).

  • .pem file must have the right permissions:

    chmod 400 my-key.pem

  • One EC2 instance can be accessed by multiple users if you add more public keys to it.

  • You can create different key pairs per environment:

    • dev-key.pem

    • staging-key.pem

    • prod-key.pem


🔹 Where Key Pairs are Used in AWS

  • EC2 → logging into your servers.

  • Lightsail → similar to EC2, uses key pairs too.

  • Cloud9 / ECS / EKS (indirectly) → when you want SSH-level access.


🔹 Analogy (to lock it in your brain 🧠)

  • Public Key = the lock on the EC2’s door (anyone can see it).

  • Private Key (.pem) = the only key that opens it (keep it secret).

  • If you lose it → you can’t enter your server again.


TL;DR:

  • AWS Key Pair = (Public Key in server + Private Key on your machine).

  • Used for SSH secure login instead of passwords.

  • .pem file is your golden ticket — don’t lose or share it.

🛠 Real-World Workflow with Key Pairs

1. Create a Key Pair in AWS

You can do this in AWS Console or AWS CLI.

👉 AWS Console:

  • Go to EC2 → Key Pairs → Create key pair.

  • Give it a name: my-key.

  • Choose file format:

    • .pem (for Linux/Mac, default).

    • .ppk (for Windows + PuTTY).

  • Download it — this is your private key file.

⚠️ AWS will not let you download it again. If lost → you must create a new one.


2. Launch an EC2 Instance with This Key Pair

  • While launching, under Key Pair (login), select my-key.

  • AWS automatically installs the public half of my-key inside your EC2.


3. Set Correct Permissions for the .pem File

On your local machine:

chmod 400 my-key.pem

This makes sure only you can read it (required for SSH).
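A small check script for this step, added here as an example (it is not from the original post). It reports whether a private key file already has the owner-only mode OpenSSH requires and tightens it to 400 if not. It assumes a POSIX sh with either GNU or BSD stat; the file name my-key.pem is just the post's example name.

```shell
#!/bin/sh
# Added example (not from the post): verify that an SSH private key file
# has the owner-only permissions OpenSSH insists on before using the key.
# Assumptions: POSIX sh, GNU coreutils stat (Linux) or BSD stat (macOS).

# Print the octal permission bits of a file, e.g. "400" or "644".
key_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"        # GNU coreutils
    else
        stat -f '%Lp' "$1"       # BSD stat
    fi
}

# Return 0 when the key is readable only by its owner (0400 or 0600),
# otherwise 1. With anything wider, ssh prints
# "WARNING: UNPROTECTED PRIVATE KEY FILE!" and refuses the key.
check_key_perms() {
    mode=$(key_mode "$1") || return 1
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Tighten to 0400 (read-only for the owner), as the post recommends.
fix_key_perms() {
    chmod 400 "$1"
}

# Stand-alone usage:  sh keyperms.sh my-key.pem
if [ -n "${1:-}" ]; then
    if check_key_perms "$1"; then
        echo "$1: permissions OK ($(key_mode "$1"))"
    else
        echo "$1: permissions too open ($(key_mode "$1")), fixing"
        fix_key_perms "$1"
        check_key_perms "$1" && echo "$1: now $(key_mode "$1")"
    fi
fi
```

Run it against the .pem before the first ssh attempt; a 644 file (the default for many downloads) is reported and fixed, while a 400 or 600 file is left alone.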


4. Connect to the EC2 Instance via SSH

AWS will give you a public IP for your EC2, e.g., 54.210.xx.xx.

Run:

ssh -i my-key.pem ec2-user@54.210.xx.xx

  • -i my-key.pem → tells SSH which private key to use.

  • ec2-user → default username for Amazon Linux. (Ubuntu = ubuntu)

✅ If all is good → you’re inside your EC2.


5. Add a Teammate’s Key (Multiple Users)

Let’s say your teammate has their public key (teammate.pub).

On the EC2 instance:

cd ~/.ssh
nano authorized_keys

  • Paste your teammate’s public key on a new line.

  • Save & exit.

Now your teammate can log in with their own private key:

ssh -i teammate-key.pem ec2-user@54.210.xx.xx
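Pasting into nano works, but it is easy to add a malformed line, add the same key twice, or leave authorized_keys with permissions sshd will reject. The script below is an added example (not from the post) that does the same append safely: it checks that the line is a single OpenSSH public key, skips it if the same key (ignoring the comment) is already present, and keeps ~/.ssh at 700 and authorized_keys at 600. It assumes a POSIX sh; the teammate key embedded in it is a constructed, syntactically valid placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from the post): append a teammate's public key to
# authorized_keys without duplicates and without loosening file modes.
# Assumptions: POSIX sh; keys are in OpenSSH one-line format
# "<type> <base64> [comment]".

# Constructed placeholder key for the demo (not a real key).
TEAMMATE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExampleX teammate@laptop'

# Return 0 when the line looks like one OpenSSH public key with a
# recognised type and a base64 blob; anything else is rejected.
valid_pubkey_line() {
    set -f                      # no pathname expansion while splitting
    set -- $1
    set +f
    [ $# -ge 2 ] || return 1
    case "$1" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    [ -n "$2" ] || return 1
    printf '%s' "$2" | grep -Eq '^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$'
}

# Identity of a key is "<type> <base64>"; the comment is ignored.
key_id() {
    set -f
    set -- $1
    set +f
    printf '%s %s\n' "$1" "$2"
}

# add_authorized_key FILE PUBKEY_LINE
# Prints "added", "duplicate" or "invalid"; returns 1 only for "invalid".
add_authorized_key() {
    file=$1
    pub=$2
    valid_pubkey_line "$pub" || { echo invalid; return 1; }
    id=$(key_id "$pub")
    dir=$(dirname "$file")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$file" && chmod 600 "$file"   # sshd (StrictModes) rejects wider modes
    while IFS= read -r existing || [ -n "$existing" ]; do
        case "$existing" in ''|'#'*) continue ;; esac
        if [ "$(key_id "$existing")" = "$id" ]; then
            echo duplicate
            return 0
        fi
    done < "$file"
    printf '%s\n' "$pub" >> "$file"
    echo added
}

# Stand-alone usage:
#   sh addkey.sh ~/.ssh/authorized_keys "$(cat teammate.pub)"
if [ $# -eq 2 ]; then
    add_authorized_key "$1" "$2"
fi
```

Run it on the instance with the path to authorized_keys and the contents of teammate.pub; a second run with the same key prints "duplicate" and leaves the file unchanged.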

6. (Optional) Generate a Key Pair Locally and Import to AWS

Instead of letting AWS generate the key, you can generate it on your machine:

ssh-keygen -t rsa -b 4096 -f my-local-key

This creates:

  • my-local-key (private key)

  • my-local-key.pub (public key)

Upload the .pub to AWS:

aws ec2 import-key-pair --key-name my-local-key --public-key-material fileb://my-local-key.pub

Now you can use my-local-key to log in.


🧠 Quick Recap

  • Key Pair = Public key (in EC2) + Private key (.pem on your machine).

  • You must have the private key to log in via SSH.

  • You can add multiple public keys to authorized_keys for team access.

  • Permissions matter → chmod 400 my-key.pem.