Why are two keypairs both allowing access to my EC2 instance based on a custom AMI?

I created an EBS-backed AMI from an Canonical Ubuntu Mavrick instance that was running with a keypair called us-west-01.pem

Then 开发者_JAVA百科I started another instance using that AMI and at startup, assigned a new keypair to it called us-west-01.pem. However, when I tried to scp some data to the instance, I was able to get authenticated using us-west-01.pem:

scp -i /.ec2/us-west-01.pem -r /somepath/* ubuntu@myDnsValue:/somepath/

It also works with the correct us-west-02 key. I tried with another key, and it failed. The only explanation would be that the key used at the time of preparing the AMI is still accepted. How can I remove this so as to secure each instance with its own key?

Thanks in advance.

Depending on how you create the AMI (bundle or using rsync), you can remove or omit $HOME/.ssh/authorized_keys for the user ubuntu and root.