This call requests a new private key from EC2. The response is then parsed using a JMESPath query, and the private key (in the KeyMaterial property) is saved to a new key file with the .pem extension. The public key is stored in the region so that it can be copied to new EC2 instances. You cannot copy keys from region to region, and you cannot retrieve the full key pair after initial creation.

Finally, we change the permissions on the key file so that it cannot be read by other users – this is required before SSH will allow you to use it.