How To Recover A Locked Out AWS EC2 Instance By Detaching The EBS Volume?
Getting locked out of your AWS EC2 instance feels stressful. You try to connect, and the terminal just hangs or throws a permission error. Maybe you lost your SSH key.
Maybe you edited a config file and broke access. Maybe a firewall rule shut the door. Whatever the cause, your server is still running, and your data is still safe. You have not lost anything yet.
This guide shows you a proven rescue method. You detach the EBS volume, fix it on a helper instance, and reattach it. Follow along, and you will be back inside your server soon.
In a Nutshell:
- Your data stays safe. Detaching an EBS volume does not delete your files. The volume keeps every byte of data until you choose to wipe it. Always create a snapshot first as a backup.
- The core method is simple. You stop the broken instance, detach its root EBS volume, attach that volume to a healthy rescue instance, fix the problem, then move the volume back. This works for most lockout cases.
- The rescue instance must match. Launch your rescue instance in the same Availability Zone as the original. EBS volumes cannot attach across zones, so this step matters a lot.
- Several causes lock you out. Common reasons include a lost SSH key, a broken
sshd_configfile, wrong file permissions, a bad firewall rule, or a full disk. The volume method fixes most of these. - Easier options may exist. Tools like EC2 Serial Console, Systems Manager, and user data scripts can sometimes recover access without detaching anything. Check these before the manual route.
- Prevention beats recovery. Set up backup keys, use Systems Manager Session Manager, and test changes carefully. These habits stop most lockouts before they happen.
What Causes An EC2 Instance Lockout
Before you fix the problem, you should understand what locked you out. A lockout means you cannot connect to your server, even though it runs fine.
The most common cause is a lost or deleted SSH private key. Without that key, SSH refuses your login. Another frequent cause is a broken sshd_config file. One wrong line, and the SSH service stops working.
Other reasons include strict firewall rules that block port 22, wrong permissions on the .ssh folder, or a full root disk that freezes the system. Sometimes a security group change blocks your IP address.
Knowing the cause helps you pick the right fix. The EBS volume method works for almost all of these, because you edit the disk directly from outside the locked server.
Why The EBS Volume Detach Method Works
The detach method works because of how AWS stores your data. Your EC2 instance keeps its operating system and files on an EBS volume. This volume acts like a portable hard drive. You can unplug it from one instance and plug it into another. The data travels with the volume.
When you are locked out, the problem usually lives inside the operating system, not in the hardware. So you move the disk to a working server, edit the broken file or add a new key, then move it back.
The locked server never needs to accept your login during the fix. This is the big advantage. You bypass the lock entirely. You work on the disk as a second drive, like opening a patient’s file rather than waking the patient.
Step One: Create A Snapshot Backup First
Never start a recovery without a backup. A snapshot is a point in time copy of your EBS volume. If something goes wrong during the fix, you can restore the volume from this snapshot. This step costs little and saves you from disaster.
Open the EC2 console. Go to the Volumes section under Elastic Block Store. Find the root volume of your locked instance. Right click it, choose Actions, then select Create snapshot. Give it a clear name like rescue backup before fix. Wait for the snapshot status to show Completed.
This may take a few minutes for large volumes. Do not skip this step, even if you feel confident. A backup turns a risky operation into a safe one. You can always roll back if the edits fail.
Step Two: Stop The Locked EC2 Instance
You must stop the broken instance before you detach its volume. You cannot detach a root volume while the instance runs. Stopping the instance shuts down the operating system cleanly and frees the disk.
Go to the Instances page in the EC2 console. Select your locked instance. Click Instance state, then choose Stop instance. Confirm the action. Wait until the state shows Stopped.
Important: Note down the volume ID and the device name now. You will find these under the Storage tab of the instance details.
The device name is usually /dev/xvda or /dev/sda1. Write these details down. You need them later when you reattach the volume. Also remember that stopping an instance changes its public IP address unless you use an Elastic IP.
Pros: Stopping is safe and keeps all data. Cons: Your service goes offline during the fix, and the public IP may change.
Step Three: Detach The Root EBS Volume
Now you remove the volume from the stopped instance. Detaching breaks the link between the disk and the locked server. Your data stays fully intact on the volume.
Go to the Volumes section. Find the root volume you noted earlier. Select it, click Actions, then choose Detach volume. Confirm the action. The volume status will change to available.
Sometimes a volume gets stuck and will not detach. In that case, wait a few minutes and try again. If it still sticks, you can use Force detach, but use this only as a last resort because it can risk data on a running system.
Since your instance is already stopped, force detach is safer here. Once the status reads available, the volume is ready to attach somewhere else.
Step Four: Launch A Rescue Instance In The Same Zone
You need a healthy server to work on the disk. This is your rescue instance, sometimes called a helper or bastion host. It must run an operating system you can log into, with a key you actually own.
The most important rule is the Availability Zone. Your rescue instance must launch in the exact same zone as your original volume. For example, if your volume sits in us-east-1a, your rescue instance must also live in us-east-1a. EBS volumes cannot cross zones.
Launch a small instance like a t2.micro or t3.micro to save money. Pick a standard Amazon Linux or Ubuntu image. Make sure you have the SSH key for this rescue instance. Confirm you can connect to it before you attach the broken volume. A rescue instance you cannot reach helps no one.
Step Five: Attach The Volume To The Rescue Instance
Now you plug the broken volume into your healthy rescue server. You attach it as a secondary volume, not as the root. This keeps the rescue instance booting from its own healthy disk.
Go to the Volumes section. Select your detached volume, which shows available. Click Actions, then choose Attach volume. Pick your rescue instance from the list. For the device name, AWS suggests something like /dev/sdf. Accept this or use the suggested value.
Click Attach. The volume status changes to in use. Linux often renames the device internally, so /dev/sdf may appear as /dev/xvdf inside the system. Do not worry about this. You will find the real name in the next step using a simple command. The volume now sits ready inside your rescue server, waiting for you to mount it.
Step Six: Mount The Volume And Inspect It
Connect to your rescue instance using SSH. Now you mount the attached volume so you can read and edit its files. First, list all block devices to find your volume.
Run this command:
sudo lsblk -f
You will see your root device and the attached volume, often as xvdf with a partition like xvdf1. Next, create a folder and mount the partition:
sudo mkdir /mnt/rescue
sudo mount /dev/xvdf1 /mnt/rescue
Replace /dev/xvdf1 with your actual partition name. Now you can browse the locked server’s file system inside /mnt/rescue. Your old root folder lives at /mnt/rescue. From here you reach the SSH config, the user home folders, and any broken files. If the mount fails, the file system may use a different label, so check the lsblk -f output again.
Step Seven: Fix A Lost Or Broken SSH Key
If a lost key locked you out, this is where you fix it. You add a new public key to the authorized_keys file on the mounted volume. First, create a new key pair in the EC2 console and copy its public key.
Navigate to the user’s SSH folder. For Ubuntu, the default user is ubuntu. For Amazon Linux, it is ec2-user. Run:
sudo nano /mnt/rescue/home/ubuntu/.ssh/authorized_keys
Paste your new public key on a fresh line. The key starts with ssh-rsa. Save and close the file. Now fix the permissions, because SSH rejects loose permissions:
sudo chown -R 1000:1000 /mnt/rescue/home/ubuntu/.ssh
sudo chmod 700 /mnt/rescue/home/ubuntu/.ssh
sudo chmod 600 /mnt/rescue/home/ubuntu/.ssh/authorized_keys
Correct ownership matters as much as the key itself. Wrong permissions are a hidden cause of many lockouts.
Step Eight: Fix A Broken SSH Config Or Firewall
Sometimes the key is fine, but a config edit broke SSH. A single wrong line in sshd_config can block every login. You can fix this file directly on the mounted volume.
Open the config file from your rescue instance:
sudo nano /mnt/rescue/etc/ssh/sshd_config
Look for lines you recently changed. Common mistakes include PasswordAuthentication no when you needed yes, or a wrong Port number, or a broken AllowUsers line. Set the values back to safe defaults. For SSH key login, make sure PubkeyAuthentication yes is present.
If a host based firewall like ufw or iptables blocked you, check those rule files too. Save your changes. Remember that AWS Security Groups are separate. A Security Group lives in the AWS console, not on the disk. If a Security Group blocks port 22, you fix that in the console after you reattach the volume.
Step Nine: Unmount, Detach, And Reattach The Volume
With your fix done, you reverse the whole process. First, unmount the volume cleanly so no data corrupts. Run this on your rescue instance:
sudo umount /mnt/rescue
If it says the device is busy, make sure you are not inside the /mnt/rescue folder. Move out with cd ~ and try again. Next, go to the EC2 console Volumes section. Detach the volume from the rescue instance. Wait for the status to show available.
Now attach the volume back to your original instance. This time you must use the original root device name. That is the name you wrote down earlier, usually /dev/xvda or /dev/sda1.
Using the wrong device name stops the instance from booting. Select the volume, choose Attach volume, pick your original instance, and type the exact root device name. Confirm the action.
Step Ten: Start Your Original Instance And Verify
Now you bring your server back to life. Start the original instance from the EC2 console. Select it, click Instance state, then choose Start instance. Wait until the state shows Running and the status checks pass.
Try to connect using your new key:
ssh -i "new-key.pem" ubuntu@your-instance-ip
Remember the public IP may have changed unless you use an Elastic IP. If the login works, you fixed the lockout. If it still fails, check the system log under Actions, then Monitor and troubleshoot, then Get system log. This log shows boot errors and cloud init messages.
Pros of this full method: It works for almost any lockout cause and keeps all data. Cons: It needs several manual steps and brief downtime, so a small mistake can mean repeating the process.
Alternative Methods That Avoid Detaching The Volume
The detach method always works, but it takes effort. Some faster options can recover access without touching the volume. These suit specific situations.
The EC2 Serial Console lets you log in through a direct console on Nitro based instances. You do not need to stop the instance for this method. You can fix config files right inside the running system.
The user data script method lets you inject a new key on the next boot, using a cloud config block in the instance settings. AWS Systems Manager offers the AWSSupport-ResetAccess runbook, which generates a new key pair for managed nodes automatically.
Pros: These methods are faster and often need no downtime. Cons: They require prerequisites, such as Serial Console access, cloud init support, or an installed SSM agent. If these tools are not set up beforehand, the volume method remains your reliable fallback.
How To Prevent Future EC2 Lockouts
Recovery teaches a lesson, so build habits that stop lockouts. The best fix is the one you never need. Start by storing your SSH keys in a safe, backed up location. Keep a second authorized key as a spare, so one lost key does not lock you out.
Install and configure AWS Systems Manager Session Manager. This lets you connect through the browser without SSH or open ports. It works even when SSH breaks. Always test config changes carefully. Before you edit sshd_config, keep an open second session so you can undo a mistake.
Use Elastic IP addresses so your IP stays the same after restarts. Set up regular EBS snapshots through a lifecycle policy. Automated backups give you a safety net every day. Finally, enable the EC2 Serial Console in advance. These small steps turn a future panic into a quick, calm fix.
Frequently Asked Questions
Will I lose my data when I detach the EBS volume?
No, you will not lose any data. Detaching simply unplugs the disk from the instance. All your files stay on the volume exactly as they were. The data only disappears if you delete the volume or format it. Always create a snapshot first for extra safety, so you can restore everything if a fix goes wrong.
Why must the rescue instance be in the same Availability Zone?
EBS volumes are tied to a single Availability Zone. A volume in us-east-1a can only attach to an instance in us-east-1a. AWS does not allow volumes to cross zones directly. If your rescue instance sits in a different zone, the attach option will not show your volume. Check the zone of your original volume first, then launch your rescue instance to match it.
What if the volume will not detach from the instance?
First, make sure the instance is fully stopped. A running instance often refuses to release its root volume. Wait a few minutes, then try again. If the volume still sticks, use the Force detach option in the console. Since your instance is already stopped, force detach is safe here. In rare cases, you may need to wait for a stuck state to clear on the AWS side.
Can I recover access without stopping my instance?
Yes, in some cases. The EC2 Serial Console and Systems Manager Session Manager work on running instances. These let you log in and fix files without a restart. The user data method, however, needs a stop and start to run. The volume detach method also needs the instance stopped. So if uptime matters most, set up Serial Console or SSM before trouble strikes.
How do I know the right device name to reattach the root volume?
Check the instance details before you detach anything. Open the Storage tab and note the root device name. It is usually /dev/xvda or /dev/sda1. Write this down clearly. When you reattach the volume to the original instance, you must type this exact name. Using the wrong root device name stops the instance from booting properly, so this small detail matters a lot.
Is the EBS volume method the same for Windows EC2 instances?
The idea is the same, but the steps differ inside the disk. You still stop the instance, detach the volume, and attach it to a Windows rescue instance. Instead of editing SSH keys, you reset the Windows admin password using a tool like EC2Rescue. Linux uses the authorized_keys file, while Windows uses a password reset process. The detach and reattach steps in the console stay identical for both systems.
Hi, I’m Minnie Cole, the creator of The Output Lab — a space where I share my passion for all things tech. I spend my days exploring the latest gadgets, devices, and electronics on Amazon, putting them through real-world testing so you don’t have to.
