Why are two keypairs both allowing access to my EC2 instance based on a custom AMI?

Question

I created an EBS-backed AMI from an Canonical Ubuntu Mavrick instance that was running with a keypair called us-west-01.pem

Then I started another instance using that AMI and at startup, assigned a new keypair to it called us-west-01.pem. However, when I tried to scp some data to the instance, I was able to get authenticated using us-west-01.pem:

scp -i /.ec2/us-west-01.pem -r /somepath/* ubuntu@myDnsValue:/somepath/

It also works with the correct us-west-02 key. I tried with another key, and it failed. The only explanation would be that the key used at the time of preparing the AMI is still accepted. How can I remove this so as to secure each instance with its own key?

Thanks in advance.

Answer 1

Depending on how you create the AMI (bundle or using rsync), you can remove or omit $HOME/.ssh/authorized_keys for the user ubuntu and root.