How to Authenticate AWS EC2 Instances Using PEM Key Pairs: A Secure SSH Guide for Developers



PEM (Privacy Enhanced Mail) files in AWS EC2 contain the private key portion of your SSH key pair. When you launch a Linux instance, AWS requires you to either:

  • Create a new key pair (generates a PEM file download)
  • Use an existing key pair you've previously created
  • Import your own public key

After downloading your PEM file from AWS Console:

# Move to standard SSH directory
mv ~/Downloads/your-key.pem ~/.ssh/

# Set correct permissions (critical for security)
chmod 400 ~/.ssh/your-key.pem

Basic SSH connection command:

ssh -i ~/.ssh/your-key.pem ec2-user@your-instance-public-dns

Common variations:

# For Ubuntu instances
ssh -i ~/.ssh/your-key.pem ubuntu@ec2-12-34-56-78.compute-1.amazonaws.com

# With verbose output for debugging
ssh -v -i ~/.ssh/your-key.pem ec2-user@your-instance-ip

Create or modify ~/.ssh/config for easier access:

Host my-ec2-instance
    HostName ec2-12-34-56-78.compute-1.amazonaws.com
    User ec2-user
    IdentityFile ~/.ssh/your-key.pem
    StrictHostKeyChecking no

Now simply use: ssh my-ec2-instance

Note that StrictHostKeyChecking no makes ssh accept an unknown or changed host key without asking, which removes its protection against a spoofed host; leave the default (ask on first connection) unless you have another way of verifying the instance's host key.

Permission denied (publickey) - Usually means:

  • Incorrect permissions on PEM file (must be 400)
  • Wrong username (ec2-user for Amazon Linux, ubuntu for Ubuntu)
  • Key pair not properly associated with instance

Solution for Windows users:

# Using PuTTY
puttygen your-key.pem -O private -o your-key.ppk
# Then use the PPK file in PuTTY

Security best practices:

  • Never share your PEM file
  • Regularly rotate key pairs (create new ones)
  • Consider using AWS Systems Manager Session Manager as alternative
  • Use SSH agent forwarding when appropriate

Example using PEM key in a deployment script:

#!/bin/bash
# Deploy script using PEM authentication
set -euo pipefail

DEPLOY_KEY="/path/to/deploy-key.pem"
REMOTE_USER="ubuntu"
TARGET_SERVER="ec2-12-34-56-78.compute-1.amazonaws.com"

# Copy the artifact, then unpack it on the instance (variables quoted so paths with spaces survive)
scp -i "$DEPLOY_KEY" ./deploy-artifact.tar.gz "$REMOTE_USER@$TARGET_SERVER:/tmp/"
ssh -i "$DEPLOY_KEY" "$REMOTE_USER@$TARGET_SERVER" "tar xzf /tmp/deploy-artifact.tar.gz -C /opt/app"

When you create or import an SSH key pair in AWS EC2, the system provides a PEM (Privacy Enhanced Mail) formatted private key file. This file serves as your cryptographic credential for secure shell access to Linux/Unix instances.

After downloading the PEM file from AWS Console (typically named like my-key-pair.pem), store it in your local ~/.ssh/ directory:

mv ~/Downloads/my-key-pair.pem ~/.ssh/
chmod 400 ~/.ssh/my-key-pair.pem

The chmod 400 command ensures only the owner can read the private key, which is a critical security requirement.

Use this command structure to connect:

ssh -i ~/.ssh/my-key-pair.pem ec2-user@ec2-12-34-56-78.compute-1.amazonaws.com

Note that the username (ec2-user) varies by AMI:

  • Amazon Linux: ec2-user
  • Ubuntu: ubuntu
  • RHEL: ec2-user or root
  • CentOS: centos

For frequent access, configure your ~/.ssh/config:

Host my-ec2-instance
  HostName ec2-12-34-56-78.compute-1.amazonaws.com
  User ec2-user
  IdentityFile ~/.ssh/my-key-pair.pem
  IdentitiesOnly yes

Then simply connect using the alias:

ssh my-ec2-instance

Permission denied (publickey) errors often stem from:

  • Incorrect file permissions (always use 400)
  • Wrong username for the AMI
  • Key pair not associated with the instance at launch

For debugging, add verbose flag:

ssh -vvv -i ~/.ssh/my-key-pair.pem ec2-user@host
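
As an added example that is not part of the original guide (and not AWS tooling), the shell functions below run the checks that this troubleshooting list and the earlier "Permission denied (publickey)" list point at before ssh is ever invoked: the key file's mode, its PEM header, and the login name for the AMI family. The function names, the image labels accepted by ssh_user_for and the placeholder paths are my own; the command preflight prints adds IdentitiesOnly=yes, as in the config above, so ssh offers only this key rather than every key the agent holds.

```shell
#!/bin/bash
# Added example: pre-flight checks for an EC2 PEM key before running ssh.
# Not from the original page; file names and image labels are placeholders.

# check_key_perms FILE -> 0 if the mode is owner-only (0400 or 0600), else 1.
# Uses ls rather than stat so it behaves the same on Linux and macOS.
check_key_perms() {
  local mode
  mode=$(ls -ld "$1" 2>/dev/null | cut -c2-10)   # e.g. "r--------"
  case "$mode" in
    r--------|rw-------) return 0 ;;
    *) return 1 ;;
  esac
}

# check_key_format FILE -> 0 if the first line is a PEM or OpenSSH private-key header.
check_key_format() {
  head -n 1 "$1" 2>/dev/null | grep -qE '^-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----$'
}

# ssh_user_for IMAGE -> prints the default login user for the named AMI family
# (the mapping the guide lists); fails for an unknown family.
ssh_user_for() {
  case "$1" in
    amazon-linux|rhel) echo ec2-user ;;
    ubuntu) echo ubuntu ;;
    centos) echo centos ;;
    *) return 1 ;;
  esac
}

# preflight KEY HOST IMAGE -> prints the ssh command to run, or explains what to fix.
preflight() {
  local key=$1 host=$2 image=$3 user
  check_key_perms "$key"  || { echo "fix: chmod 400 $key" >&2; return 1; }
  check_key_format "$key" || { echo "not a PEM/OpenSSH private key: $key" >&2; return 1; }
  user=$(ssh_user_for "$image") || { echo "unknown image family: $image" >&2; return 1; }
  # IdentitiesOnly=yes stops ssh from trying every agent key before this one,
  # which can otherwise trip a server's failed-attempt limit.
  echo "ssh -o IdentitiesOnly=yes -i $key $user@$host"
}

# Usage: preflight ~/.ssh/my-key-pair.pem ec2-12-34-56-78.compute-1.amazonaws.com ubuntu
```

The permission check deliberately accepts 0600 as well as 0400, since ssh itself only refuses keys that group or others can read; the guide's chmod 400 remains the stricter choice.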

Convert PEM to PPK format using PuTTYgen:

  1. Load the PEM file in PuTTYgen
  2. Save private key as PPK format
  3. Use Pageant or specify PPK file in PuTTY

Security best practices:

  • Never share or commit PEM files to version control
  • Rotate key pairs periodically
  • Consider using AWS Systems Manager Session Manager as alternative
  • Use passphrase-protected keys when possible