diff --git a/ansible/roles/ssl_cert/tasks/main.yaml b/ansible/roles/ssl_cert/tasks/main.yaml
index 7458957241b92e18fa39a724090dfd77a1087ba9..aa562aa448b7a62554bc8e9ae27d6eac2b916c04 100644
--- a/ansible/roles/ssl_cert/tasks/main.yaml
+++ b/ansible/roles/ssl_cert/tasks/main.yaml
@@ -15,6 +15,17 @@
     - "{{ ssl_cert_file }}"
     - "{{ ssl_cert_chain_file }}"
 
+- name: Change cert files permissions
+  ansible.builtin.file:
+    path: "{{ ssl_cert_file_location }}/{{ item }}"
+    owner: root
+    group: root
+    mode: '0600'
+  when: ssl_cert_s3_bucket | length > 0 and item | length > 0
+  loop:
+    - "{{ ssl_cert_file }}"
+    - "{{ ssl_cert_chain_file }}"
+
 - name: Download SSL key from S3
   aws_s3:
     mode: get
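Review bot: Mode `'0600'` on the certificate and chain files is tighter than these files need, since both are public material, and it will lock out any non-root reader (a monitoring check or a service that loads the chain after dropping privileges), if one exists on these hosts. If root-only access is intended, a comment above the task such as `# cert and chain are kept root-only to match the key; nothing else reads them` would record that. Otherwise `mode: '0644'` is the conventional choice. The `when` also ties this to `ssl_cert_s3_bucket`, so files placed by any other path keep their existing mode.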
@@ -28,6 +39,14 @@
     ansible_python_interpreter: /usr/bin/python3
   when: ssl_cert_s3_bucket | length > 0 and ssl_cert_key | length > 0
 
+- name: Change key file permissions
+  ansible.builtin.file:
+    path: "{{ ssl_cert_key_location }}/{{ ssl_cert_key }}"
+    owner: root
+    group: root
+    mode: '0400'
+  when: ssl_cert_s3_bucket | length > 0 and ssl_cert_key | length > 0
+
 - name: Update SSL in Apache config
   ansible.builtin.replace:
     path: "{{ ssl_apache_config }}"
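Review bot: The private key is still written by `Download SSL key from S3` before this task tightens it, so between the two tasks it sits on disk with whatever mode the download leaves, which is probably umask-dependent. The download task starts outside this hunk, so its options are not visible here. Restricting `{{ ssl_cert_key_location }}` to root before the download closes that window, assuming the directory is dedicated to keys and not shared with files other users must read. Because the `when` requires `ssl_cert_s3_bucket`, a key provisioned any other way is never corrected by this task.

```yaml
# placed before the "Download SSL key from S3" task
- name: Restrict key directory before download
  ansible.builtin.file:
    path: "{{ ssl_cert_key_location }}"
    state: directory
    owner: root
    group: root
    mode: '0700'
  when: ssl_cert_s3_bucket | length > 0 and ssl_cert_key | length > 0

# … unchanged: Download SSL key from S3, Change key file permissions …
```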