Use of "Proceed without key pair" in EC2 instance creation?
The option Proceed without key pair
is used when:
- When the
sshd
in your AMI is configured to use password based authentication and no ssh key is needed to access the machine sshd
can accept some otherusername/key
combination- If an unauthorized user gains access to AWS dashboard or metadata, he/she can get the name of the keypair and if he/she has access to the keypair, can ssh into the instance. With no keypair listed and another known key baked in the AMI, this security concern is addressed
- Windows: Admin password (for which private key is required to decrypt) is not needed because some other user is an admin
- Caution: If you launch an instance with no keypair and don't have any of the above mentined ways to access the instance, you have to relaunch the instance with a keypair.
"Proceed without key pair" could, for example, be used for instances created from an AMI where the username and password are already known by the party creating the instance.
Keypairs are commonly used to generate login credentials on AMIs where agents to generate credentials have been installed. These are on most all AMIs that AWS themselves maintain. The default behavior for AWS maintained AMIs is a bit different depending on OS:
- Linux: You supply the private part of the keypair when SSHing into the EC2 instance. The username is different depending on the flavor of linux you're using, see here for more details.
- Windows: the EC2Config agent generates a password for the default "Administrator" windows user during bootup that are available via the AWS Console or CLI if you as the end user can supply the private part of the keypair.
Further Reading:
- AWS Documentation - Keypairs
- AWS Documentation - Accessing Instances
- AWS Documentation - Troubleshooting connecting to instances