How to get my EC2 instance password?

I have issues with default EC2 passwords for Windows Server 2016.

Don’t get me wrong, I like that they are 32-character ones. But they are not my 32-character ones. These are truly random, which makes it pointless to even try typing them.

Now, if you are like me and actually care about security, your passwords are also long, but they make sense. Like “IreallyREALLYlikeUNICORNS!BUTonlyPINKones#”.

Awesome password, am I right? *high five*

So we need a nice way to grab the default admin password. And yet again, let’s keep away from the AWS console. I did say “a nice way”, after all.


To do so, you would generally use the Get-EC2PasswordData cmdlet. Pass the instance ID and the path to the PEM key (-InstanceId and -PemFile) and it returns the decrypted Administrator password. The cmdlet decrypts locally with your private key, so the key never leaves your machine; without -PemFile you only get the encrypted blob back. Since you like manual labor, you might just as well go to the AWS console and get it from there.

To automate getting the first parameter we’ll simply cheat: we’ll list all of the instances and run through every one of them. For the second we need a folder path. Our keys are always in the same place, named after the key pair, so there’s no point moving them around. That would only add wasted time rather than any kind of security. What does add security is the ACL on that folder: anyone who can read those .pem files can decrypt every one of these passwords, so keep it to yourself.

So let’s just run through it:

Default values. Get keys from $KeyFolder, list only instances created in the last $DaysOld days and set a default region in $Region.

We’ll capture all the instances:

and go through them.

What we need now is to figure out how old they are.

As you likely already know, $Instance.Instances.LaunchTime is useless for that. It only tells you when the instance was last started (it moves forward on every stop/start), not when it was created.

So what do we do? We take the time the primary ENI was attached to the instance. AWS won’t let you detach the primary interface, so it’s exactly as old as the instance itself. Still, let’s make an effort and write an error if somebody has been messing around and it isn’t there.

If there’s more than one NIC, pick the one with DeviceIndex 0. That’s the primary one. If there’s none at all, you ruined the instance and don’t care anyway, and in all other cases just take the AttachTime from the single one.

We’re formatting the timestamp here, too. The format string lives in the variable $TimeString so you can change it in one place. The default value is:

Now that we have the creation timestamp, let’s see if the instance was created within the last $DaysOld days (one day by default).

If so, continue. Grab the password:

If not, check whether the instance is terminated but still present in the list, or whether the password simply isn’t available. That happens for a few reasons: the instance was launched only a couple of minutes ago and the password data hasn’t been generated yet, it isn’t a Windows instance, or it was built from a custom AMI that never regenerated the Administrator password. In all of those cases you get nothing back, so say so instead of printing a blank.

Now let’s get the instance name:

And form our object to display:

Then we save the object to an array and repeat for the next one. All instances newer than the number of days we set are spat out at the end in a nice little table.
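The listing itself didn’t survive on this page, so here is the whole thing as an added example, reconstructed from the steps above rather than copied from the original post. The cmdlets (Get-EC2Instance, Get-EC2PasswordData) and the instance properties are the real AWS Tools for PowerShell ones; the defaults for $KeyFolder and $Region, and the convention that each key is stored as <KeyName>.pem in that folder, are assumptions you’ll want to change for your own setup.

```powershell
# Added example: reconstruction of the script described in the post, not the original listing.
# Requires the AWS Tools for PowerShell (AWS.Tools.EC2 or the monolithic AWSPowerShell module)
# and credentials already configured (Set-AWSCredential or a default profile).
# Assumption: private keys are stored as <KeyName>.pem inside $KeyFolder.
[CmdletBinding()]
param(
    [string]$KeyFolder  = "$HOME\.ssh",             # assumed default key location
    [int]   $DaysOld    = 1,                        # only report instances created in the last N days
    [string]$Region     = 'eu-west-1',              # assumed default region
    [string]$TimeString = 'yyyy-MM-dd HH:mm:ss'     # output timestamp format, change it in one place
)

Import-Module AWS.Tools.EC2 -ErrorAction Stop

$cutoff  = (Get-Date).ToUniversalTime().AddDays(-$DaysOld)
$results = @()

# Get-EC2Instance returns reservations; each reservation carries one or more instances.
foreach ($reservation in (Get-EC2Instance -Region $Region)) {
    foreach ($instance in $reservation.Instances) {

        # LaunchTime moves forward on every stop/start, so the creation time is taken
        # from the attach time of the primary ENI (DeviceIndex 0) instead.
        $nics = @($instance.NetworkInterfaces)
        if ($nics.Count -eq 0) {
            Write-Error "Instance $($instance.InstanceId) has no network interfaces; skipping."
            continue
        }
        $primary = $nics | Where-Object { $_.Attachment.DeviceIndex -eq 0 } | Select-Object -First 1
        if (-not $primary) {
            Write-Error "Instance $($instance.InstanceId) has no DeviceIndex 0 interface; skipping."
            continue
        }
        $created = $primary.Attachment.AttachTime.ToUniversalTime()
        if ($created -lt $cutoff) { continue }      # older than $DaysOld days: not interesting

        # Fetch and decrypt the Administrator password with the key pair the instance was launched with.
        $state   = $instance.State.Name.Value
        $pemFile = Join-Path $KeyFolder "$($instance.KeyName).pem"
        if ($state -eq 'terminated') {
            $password = '<terminated>'
        } elseif (-not (Test-Path $pemFile)) {
            $password = "<no key file: $pemFile>"
        } else {
            try {
                $password = Get-EC2PasswordData -InstanceId $instance.InstanceId -PemFile $pemFile `
                                                -Region $Region -ErrorAction Stop
                # Empty result: not Windows, custom AMI without a regenerated password,
                # or the instance is only a few minutes old and the data isn't there yet.
                if ([string]::IsNullOrEmpty($password)) { $password = '<not available (yet)>' }
            } catch {
                $password = "<error: $($_.Exception.Message)>"
            }
        }

        # The Name tag, if the instance has one.
        $name = ($instance.Tags | Where-Object { $_.Key -eq 'Name' } | Select-Object -First 1).Value

        $results += [pscustomobject]@{
            Name       = $name
            InstanceId = $instance.InstanceId
            Created    = $created.ToString($TimeString)
            State      = $state
            KeyName    = $instance.KeyName
            Password   = $password
        }
    }
}

# Newest first, as a table. Swap Format-Table for Export-Csv if you want a file instead.
$results | Sort-Object Created -Descending | Format-Table -AutoSize
```

Two things worth keeping in mind when you run it: the password is printed in clear text, so don’t leave the console open, and the value Get-EC2PasswordData returns is the initial Administrator password only. Once you’ve logged in and changed it, AWS still hands out the old one, so that first login is the moment to rotate it.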

Take a moment now and stare in awe at the product of your craftsmanship.

Marvel at the wonders of automation and let your gaze slowly fade to black.



You can change the output so it’s more in line with your needs or expectations. Or even set it to dump everything to a .csv file.

That’s not really the point as, ideally, you’re running this just to quickly get the password for your newly-launched instance. But what the hell. Knock yourself out 😀

Here’s how it looks in action:

Remember the part where I said I care about security? Well… that may or may not be the truth. Just don’t let anyone peek at your screen, alright? 😀

And here’s the code. Also available on
