InvalidKeyPair.NotFound
AWS InvalidKeyPair.NotFound (EC2 Invalid Key Pair Not Found) means the specified key pair does not exist in the selected region.
Last reviewed: February 6, 2026|Source-backed guidance under our editorial policy
Start Here
Use the closest compare guide, playbook, or adjacent error page to narrow the decision faster before you start changing production systems.
This page is part of the Error Reference library. Learn more about the project or report a correction.
What Does Invalid Key Pair Not Found Mean?
EC2 cannot find the referenced key pair in the current account-region scope, so instance launches or template-driven operations fail until key references are corrected.
Common Causes
- -Specified key pair name does not exist in target account-region.
- -Launch template references key pair deleted or renamed after template creation.
- -Cross-account automation assumes shared key pair availability where it is not imported.
- -Region switch occurs without corresponding key pair replication/creation.
How to Fix Invalid Key Pair Not Found
- 1Resolve key pair name from current regional inventory before launch calls.
- 2Verify caller account and region context with same credentials used for RunInstances.
- 3Update launch templates/ASGs to active key pair names present in that region.
- 4Create or import required key pairs in target regions before rollout.
Step-by-Step Diagnosis for Invalid Key Pair Not Found
- 1Capture key pair name, account, region, and request ID from failing launch path.
- 2Correlate key pair create/delete events with deployment timeline in CloudTrail.
- 3Diff launch template key references against live
DescribeKeyPairsoutput. - 4Validate cross-account/region bootstrap logic for key pair prerequisites.
Key Pair Visibility and Scope Checks
- -Verify key pair exists in target region and account (example: key exists in us-east-1 but launch runs in eu-west-1).
- -Inspect ownership and import lifecycle state (example: key removed during hardening job while template still references it).
Template Drift and Prerequisite Gates
- -Audit launch templates for stale key names after rotation (example: template version pinned to retired key pair).
- -Add pre-launch key existence checks in pipeline (example: fail deployment if required key pair missing in target region).
Seen in Production
Key pair rotation deletes a name still pinned in launch template versions
Frequency: common
Example: New template is not promoted, and scale-out keeps using a removed key pair name.
Fix: Promote updated launch template versions and validate key-pair existence before scale events.
Region expansion forgets to create matching key pair
Frequency: rare
Example: Launch automation reuses key name from primary region where pair exists, but target region is missing it.
Fix: Bootstrap key pair prerequisites per region before enabling launches.
Debugging Tools
- -EC2 DescribeKeyPairs
- -CloudTrail key-pair lifecycle events
- -Launch template key-name diff
- -Regional bootstrap validation reports
How to Verify the Fix
- -Run
DescribeKeyPairsin the target account-region and confirm the referenced key pair exists. - -Retry launch with the same template path and verify InvalidKeyPair.NotFound is gone.
- -Confirm launch templates now reference active key pair names in each region.
How to Prevent Recurrence
- -Manage key pair names through region-aware manifests consumed by provisioning workflows.
- -Add pre-launch checks that fail fast when required key pairs are missing in target regions.
- -Rotate key references atomically across launch templates and autoscaling groups.
Pro Tip
- -maintain per-region key pair manifests and validate launch templates against manifest at deploy time to prevent missing-key runtime failures.
Official References
Provider Context
This guidance is specific to AWS services. Always validate implementation details against official provider documentation before deploying to production.