How to Restrict Permissions for Your PEM Key on Windows and Connect to Your EC2 Instance Securely
When connecting to an AWS EC2 instance, you need a private key file for authentication. AWS provides this key in the PEM (Privacy Enhanced Mail) format, which is used by OpenSSH on Linux, macOS, and Windows 10/11. If you're using PuTTY on Windows, you'll need to convert the PEM file to the PPK (PuTTY Private Key) format. Working with PuTTY or already have a key in PPK format? Check out my separate blog post on SSH with PuTTY. Here’s the link.
Linux users typically secure their PEM keys using the chmod 400 command. However, Windows handles file permissions differently. This blog will guide you through securing your PEM file using the Windows icacls command, ensuring it's ready for secure use. We’ll also cover how to connect to your EC2 instance.
Why Do We Need to Secure the PEM File?
The PEM file is your private key, and anyone who can read it can log in to your server. The OpenSSH client therefore refuses to use a key file that other users can read. If the permissions are too open, SSH connections fail with an error like:
UNPROTECTED PRIVATE KEY FILE!
Permissions for 'your-key.pem' are too open.
Step 1: Use Windows 10/11 Built-in OpenSSH
Starting with Windows 10 (April 2018 update), the OpenSSH client is installed by default. This means you don’t need third-party tools like PuTTY unless you prefer them. To verify:
Open Command Prompt (CMD) or PowerShell.
Run:
ssh
If you see the SSH usage guide, you’re good to go!
Step 2: Secure the PEM File Using icacls
Windows uses icacls to manage file permissions. Here’s how you can secure your PEM file:
1. Navigate to the PEM File Location
Open Command Prompt:
- Press Win + R, type cmd, and hit Enter.
- Use the cd command to navigate to the folder containing your PEM file:
cd path\to\your\key\file
2. Remove Inherited Permissions
Run this command to remove any permissions inherited from parent directories:
icacls "your-key.pem" /inheritance:r
3. Grant Read-Only Permission to Your User
Assign yourself read-only permissions (in PowerShell, write $env:USERNAME instead of %username%, since cmd-style variables are not expanded there):
icacls "your-key.pem" /grant:r "%username%":R
4. Remove Permissions for Other Users (Optional)
For stricter security, remove access for all other users:
icacls "your-key.pem" /remove *S-1-1-0
Note: The * prefix tells icacls that the value is a SID rather than an account name; S-1-1-0 is the well-known SID for the "Everyone" group.
5. Verify Permissions
To confirm the changes, run the command below. The output should list only your own account with (R) and nothing else:
icacls "your-key.pem"
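The five steps above combined into one PowerShell script that also checks the resulting ACL with Get-Acl, so you are not relying on reading the icacls listing by eye. This is an added example and not code from the original post; the key path is an assumed placeholder that you replace with your own.

```powershell
# Added example, not from the original post: lock down a PEM key and verify the ACL.
# Assumes the key path below is a placeholder you replace with your own.
param(
    [string]$KeyPath = "$env:USERPROFILE\.ssh\your-key.pem"
)

if (-not (Test-Path -LiteralPath $KeyPath)) {
    throw "Key file not found: $KeyPath"
}

# The same three icacls steps as in the post: strip inherited ACEs, grant the
# current user read-only, and drop the Everyone group (well-known SID S-1-1-0).
icacls $KeyPath /inheritance:r | Out-Null
icacls $KeyPath /grant:r "${env:USERNAME}:R" | Out-Null
icacls $KeyPath /remove "*S-1-1-0" | Out-Null

# Verify: every remaining Allow ACE must belong to the current user's SID and
# grant nothing beyond Read (GENERIC_READ maps to Read + Synchronize on NTFS).
$mySid   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$allowed = [int]([System.Security.AccessControl.FileSystemRights]::Read -bor
                 [System.Security.AccessControl.FileSystemRights]::Synchronize)
$problems = @()
foreach ($ace in (Get-Acl -LiteralPath $KeyPath).Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny ACEs never widen access
    $aceSid = $ace.IdentityReference.Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    if ($aceSid -ne $mySid) {
        $problems += "unexpected principal $($ace.IdentityReference) ($($ace.FileSystemRights))"
    }
    elseif (([int]$ace.FileSystemRights -band -bnot $allowed) -ne 0) {
        $problems += "current user has more than read access ($($ace.FileSystemRights))"
    }
}

if ($problems.Count -gt 0) {
    Write-Warning ("ACL on $KeyPath is still too open:`n  " + ($problems -join "`n  "))
    exit 1
}
Write-Host "OK: $KeyPath is readable only by the current user; ready for:"
Write-Host "  ssh -i `"$KeyPath`" ec2-user@<your-ec2-public-ip>"
```

Run it from a PowerShell prompt as the same user who will run ssh; if it warns about an unexpected principal, that is the account you still need to remove.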
Step 3: Connect to Your EC2 Instance
Once the permissions are set, you can connect to your EC2 instance using OpenSSH.
Open Command Prompt or PowerShell.
Run the SSH command:
ssh -i "your-key.pem" ec2-user@<your-ec2-public-ip>
Replace ec2-user with the appropriate username for your instance’s OS (e.g., ubuntu for Ubuntu, ec2-user for Amazon Linux). Replace <your-ec2-public-ip> with your EC2 instance’s public IP address or DNS name.
Troubleshooting Tips
SSH Error: Ensure the .pem file is in the correct location with proper permissions.
Connection Timeout: Verify your EC2 instance’s security group allows SSH (port 22) access from your IP.
Invalid Username: Check the default username for your EC2 instance’s OS.
Conclusion
Windows users can now confidently secure their PEM keys and connect to their EC2 instances without switching to Linux or Mac. Whether you use OpenSSH or PuTTY, the process is straightforward with the right tools and steps.
Have questions or ran into issues? Drop a comment below, I’d love to help!