How to Restrict Permissions for Your PEM Key on Windows and Connect to Your EC2 Instance Securely

When connecting to an AWS EC2 instance, you need a private key file for authentication. AWS provides this key in PEM (Privacy Enhanced Mail) format, which is used directly by OpenSSH on Linux, macOS, and Windows 10/11. If you're using PuTTY on Windows, you'll need to convert the PEM file to PPK (PuTTY Private Key) format. Working with PuTTY, or already have a key in PPK format? Check out my separate post on connecting with PuTTY. Here’s the link.

Linux users typically secure their PEM keys using the chmod 400 command. However, Windows handles file permissions differently. This blog will guide you through securing your PEM file using Windows tools like the icacls command, ensuring it's ready for secure use. We’ll also cover how to connect to your EC2 instance.

Why Do We Need to Secure the PEM File?

The PEM file is your private key, and anyone who can read it can log in to your server. AWS requires it to have strict permissions, and the OpenSSH client refuses to use a private key that other users on the machine can read. If the permissions are too open, SSH connections will fail with an error like:

UNPROTECTED PRIVATE KEY FILE!  
Permissions for 'your-key.pem' are too open.

Step 1: Use Windows 10/11 Built-in OpenSSH

Starting with Windows 10 (April 2018 update), the OpenSSH client is installed by default. This means you don’t need third-party tools like PuTTY unless you prefer them. To verify:

  1. Open Command Prompt (CMD) or PowerShell.

  2. Run:

     ssh

     If you see the SSH usage guide, you’re good to go!

Step 2: Secure the PEM File Using icacls

Windows uses icacls to manage file permissions. Here’s how you can secure your PEM file:

1. Navigate to the PEM File Location

  • Open Command Prompt: press Win + R, type cmd, and hit Enter.

  • Use the cd command to navigate to the folder containing your PEM file:

      cd path\to\your\key\file

2. Remove Inherited Permissions

Run this command to remove any permissions inherited from parent directories:

icacls "your-key.pem" /inheritance:r

3. Grant Read-Only Permission to Your User

Assign yourself read-only permissions (/grant:r replaces any existing explicit entry for your account rather than adding to it):

icacls "your-key.pem" /grant:r "%username%":R

Note: %username% is expanded by Command Prompt only. If you are running this in PowerShell, use "$($env:USERNAME):R" instead.

4. Remove Permissions for Other Users (Optional)

For stricter security, remove access for all other users:

icacls "your-key.pem" /remove *S-1-1-0

Note: S-1-1-0 is the well-known SID for "Everyone"; the leading * tells icacls that the value is a SID rather than an account name.

5. Verify Permissions

To confirm the changes, run:

icacls "your-key.pem"

The output should list only your own account, marked (R). There should be no other principals and no entries marked (I), which would indicate permissions still inherited from the folder.
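The same hardening steps as a single PowerShell script, with the verification done through Get-Acl instead of by eye. This is an added example, not code from the original post; the key path is an assumption, and the helper function and variable names are mine.

```powershell
# Added example, not from the original post. Runs the post's icacls steps
# against one key file, then verifies the resulting ACL with Get-Acl.
# $KeyPath is an assumed location; point it at your own .pem file.
param(
    [string]$KeyPath = "$HOME\.ssh\your-key.pem"
)

if (-not (Test-Path -LiteralPath $KeyPath)) { throw "Key file not found: $KeyPath" }

function Invoke-Icacls {
    # Run icacls on $KeyPath with the given arguments; fail loudly on a non-zero exit code.
    param([string[]]$IcaclsArgs)
    $out = & icacls.exe $KeyPath @IcaclsArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "icacls $IcaclsArgs failed: $out" }
}

# Current account in DOMAIN\name form, the same form Get-Acl reports.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# Step 2: drop ACEs inherited from the parent folder.
Invoke-Icacls @('/inheritance:r')
# Step 3: replace any explicit ACE for this user with read-only (R) access.
# %username% is a cmd.exe expansion; in PowerShell use $env:USERNAME.
Invoke-Icacls @('/grant:r', "$($env:USERNAME):R")
# Step 4: belt and braces, remove the well-known Everyone SID (S-1-1-0).
Invoke-Icacls @('/remove', '*S-1-1-0')

# Step 5: verify. Expect protected (non-inherited) rules and exactly one
# Allow entry, for the current user, carrying no write-class rights.
$acl = Get-Acl -LiteralPath $KeyPath
if (-not $acl.AreAccessRulesProtected) { throw "Inheritance still enabled on $KeyPath" }

$foreign = @($acl.Access | Where-Object { $_.IdentityReference.Value -ne $me })
if ($foreign.Count -gt 0) {
    $names = ($foreign | ForEach-Object { $_.IdentityReference.Value }) -join ', '
    throw "Other principals still have access: $names"
}

$mine = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $me })
$writeBits = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
if ($mine.Count -ne 1 -or $mine[0].AccessControlType -ne 'Allow' -or
    (($mine[0].FileSystemRights -band $writeBits) -ne 0)) {
    throw "Expected a single read-only Allow entry for $me, found: $($mine | Out-String)"
}
Write-Host "OK: $KeyPath is readable only by $me ($($mine[0].FileSystemRights))"
```

Run it as `.\harden-pem.ps1 -KeyPath C:\path\to\your-key.pem`; any leftover access for other accounts, or any write right on your own entry, stops the script with an error rather than leaving a key that looks secured but is not.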

Step 3: Connect to Your EC2 Instance

Once the permissions are set, you can connect to your EC2 instance using OpenSSH.

  1. Open Command Prompt or PowerShell.

  2. Run the SSH command:

     ssh -i "your-key.pem" ec2-user@<your-ec2-public-ip>

     • Replace ec2-user with the appropriate username (e.g., ubuntu for Ubuntu, ec2-user for Amazon Linux).

     • Replace <your-ec2-public-ip> with your EC2 instance’s public IP address or DNS name.

Troubleshooting Tips

  • "UNPROTECTED PRIVATE KEY FILE" or "Permission denied (publickey)": Ensure the .pem file is at the path you passed to -i, has the permissions set above, and is the key pair assigned to that instance.

  • Connection Timeout: Verify your EC2 instance’s security group allows SSH (port 22) access from your IP.

  • Invalid Username: Check the default username for your EC2 instance’s OS.

Conclusion

Windows users can now confidently secure their PEM keys and connect to their EC2 instances without switching to Linux or macOS. Whether you use OpenSSH or PuTTY, the process is straightforward with the right tools and steps.

Have questions or ran into issues? Drop a comment below; I’d love to help!