When you use SSH to connect to an EC2 instance, the client checks the permissions on your private key file (.pem).
On Linux/macOS, this is enforced with chmod 400 (file is only readable by the owner).
On Windows with OpenSSH, the same check is enforced via NTFS file permissions (ACLs).
If the file is also accessible to other groups such as Authenticated Users, Users, or Everyone, SSH refuses to use the key and aborts with a permissions error.
The core concept
A private key must be owned by you and only readable by you.
On Windows, this is controlled by ACLs (Access Control Lists), not chmod.
To fix the issue, you must take ownership of the file and restrict its ACLs so only your account (plus SYSTEM/Administrators) can read it.
Step 1: Take ownership
If you downloaded or copied the file from another system, ownership may not match your account.
takeown /F "D:\3-tier-web-arch\nfs-key.pem"
Step 2: Remove inheritance
Prevent the file from inheriting broad permissions from the folder.
icacls "D:\3-tier-web-arch\nfs-key.pem" /inheritance:r
Step 3: Remove broad groups
Remove the default Windows groups that make the file readable by other accounts.
icacls "D:\3-tier-web-arch\nfs-key.pem" /remove:g "Authenticated Users" "Users" "Everyone"
Step 4: Grant only necessary access
Give your account read permission, and (optionally) keep SYSTEM and Administrators with full control.
icacls "D:\3-tier-web-arch\nfs-key.pem" /grant "DESKTOP-ABCD\Amanda:(R)"
icacls "D:\3-tier-web-arch\nfs-key.pem" /grant "NT AUTHORITY\SYSTEM:(F)" "BUILTIN\Administrators:(F)"
Or, to do all of this in one clean command (PowerShell line continuation):
icacls "D:\3-tier-web-arch\nfs-key.pem" /inheritance:r /grant:r `
"DESKTOP-ABCD\Amanda:(R)" "NT AUTHORITY\SYSTEM:(F)" "BUILTIN\Administrators:(F)"
Step 5: Verify
icacls "D:\3-tier-web-arch\nfs-key.pem"
Expected output
DESKTOP-ABCD\Amanda:(R)
BUILTIN\Administrators:(F)
NT AUTHORITY\SYSTEM:(F)
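As an added example (not part of the original post), the same verification as a reusable PowerShell function: it reads the file's ACL with Get-Acl and reports inheritance, non-owner principals outside the SYSTEM/Administrators allow-list, and an owner that is not the current user. The key path and allow-list are assumptions taken from the steps above.

```powershell
# Added example: check that a private key's ACL matches the rule described above
# (owned by you, readable only by you plus SYSTEM/Administrators, no inheritance).
function Test-PrivateKeyAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Principals allowed to appear in the ACL besides the file's owner (assumption).
        [string[]] $AllowedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )

    $acl      = Get-Acl -Path $Path
    $owner    = $acl.Owner
    $problems = @()

    # Inheritance must be disabled, otherwise folder ACEs such as Users:(RX) leak in.
    if (-not $acl.AreAccessRulesProtected) {
        $problems += ('Inheritance is enabled; run: icacls "{0}" /inheritance:r' -f $Path)
    }

    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny ACEs do not widen access
        if ($ace.IsInherited) {
            $problems += "Inherited ACE for $who"
            continue
        }
        if ($who -ne $owner -and $who -notin $AllowedPrincipals) {
            $problems += "Unexpected principal $who has $($ace.FileSystemRights)"
        }
    }

    # The current user must own the file, mirroring the "owned by you" half of chmod 400.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    if ($owner -ne $me) {
        $problems += "Owner is $owner, not $me; run: takeown /F `"$Path`""
    }

    [pscustomobject]@{
        Path     = $Path
        Secure   = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage with the key path from the steps above (assumed path):
Test-PrivateKeyAcl -Path 'D:\3-tier-web-arch\nfs-key.pem' | Format-List
```

Secure is $true only when the ACL contains nothing beyond the owner and the allow-listed principals; each entry in Problems names the icacls or takeown step that fixes it.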
Step 6: Connect to EC2
Now you can connect:
ssh -i "D:\3-tier-web-arch\nfs-key.pem" ec2-user@
Best practice: store keys in ~/.ssh
For convenience, place the key in your .ssh folder (PowerShell; the original commands were missing the path separator before .ssh).
mkdir "$env:USERPROFILE\.ssh" -Force
copy "D:\3-tier-web-arch\nfs-key.pem" "$env:USERPROFILE\.ssh\nfs-key.pem"
Then create a config file (~/.ssh/config) with a Host entry for the instance so you can connect with just:
ssh my-ec2
SSH enforces strict private key security. On Windows, that means taking ownership of the PEM file and restricting its ACLs so only you (and optionally SYSTEM/Administrators) can read it. This is the Windows equivalent of chmod 400 on Linux.