diff --git a/CMakeLists.txt b/CMakeLists.txt
index 451e7d87..66dc275f 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -56,8 +56,11 @@ file(WRITE scripts/systemd/credentials-fetcher.service
  "Description=credentials-fetcher systemd service unit file.\n\n"
  "[Service]\n"
  "ExecStartPre=mkdir -p ${CF_KRB_DIR} ${CF_UNIX_DOMAIN_SOCKET_DIR} ${CF_LOGGING_DIR}\n"
- "ExecStartPre=chmod 700 ${CF_KRB_DIR} ${CF_UNIX_DOMAIN_SOCKET_DIR} ${CF_LOGGING_DIR}\n"
+ "ExecStartPre=chgrp ec2-user /var/credentials-fetcher ${CF_KRB_DIR} ${CF_UNIX_DOMAIN_SOCKET_DIR} ${CF_LOGGING_DIR}\n"
+ "ExecStartPre=chmod 755 /var/credentials-fetcher ${CF_KRB_DIR} ${CF_UNIX_DOMAIN_SOCKET_DIR} ${CF_LOGGING_DIR}\n"
  "ExecStart=/usr/sbin/credentials-fetcherd\n"
+ "ExecStartPost=chgrp ec2-user /var/credentials-fetcher/socket/credentials_fetcher.sock\n"
+ "ExecStartPost=chmod 660 /var/credentials-fetcher/socket/credentials_fetcher.sock\n"
  "Environment=\"CREDENTIALS_FETCHERD_STARTED_BY_SYSTEMD=1\"\n"
  "Type=notify\n"
  "NotifyAccess=main\n"
diff --git a/scripts/systemd/credentials-fetcher.service b/scripts/systemd/credentials-fetcher.service
index 7698fae1..8bd4b14e 100644
--- a/scripts/systemd/credentials-fetcher.service
+++ b/scripts/systemd/credentials-fetcher.service
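Review bot: The added `chmod 755` line widens ${CF_KRB_DIR} (and ${CF_LOGGING_DIR}) from 700 to world-readable and world-searchable, which lets any local account enumerate the Kerberos credential-cache directory, while only the socket directory needs group traversal for ec2-user to reach the socket. Keep the credential directory private and give the group just what it needs, e.g. `"ExecStartPre=chmod 700 ${CF_KRB_DIR}\n"` followed by `"ExecStartPre=chmod 750 /var/credentials-fetcher ${CF_UNIX_DOMAIN_SOCKET_DIR} ${CF_LOGGING_DIR}\n"`. Whether the cache files themselves are created with a restrictive mode is not visible here, so the directory mode is the only guard this unit provides. The same widening appears in the scripts/systemd/credentials-fetcher.service hunk. The parent path /var/credentials-fetcher and the socket path in the ExecStartPost lines are also written literally while the sibling directories come from CF_* variables, so a configured CF_UNIX_DOMAIN_SOCKET_DIR would silently diverge from the path that is chgrp'd and chmod'd.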
@@ -3,8 +3,11 @@ Description=credentials-fetcher systemd service unit file.
 
 [Service]
 ExecStartPre=mkdir -p /var/credentials-fetcher/krbdir /var/credentials-fetcher/socket /var/credentials-fetcher/logging
-ExecStartPre=chmod 700 /var/credentials-fetcher/krbdir /var/credentials-fetcher/socket /var/credentials-fetcher/logging
+ExecStartPre=chgrp ec2-user /var/credentials-fetcher /var/credentials-fetcher/krbdir /var/credentials-fetcher/socket /var/credentials-fetcher/logging
+ExecStartPre=chmod 755 /var/credentials-fetcher /var/credentials-fetcher/krbdir /var/credentials-fetcher/socket /var/credentials-fetcher/logging
 ExecStart=/usr/sbin/credentials-fetcherd
+ExecStartPost=chgrp ec2-user /var/credentials-fetcher/socket/credentials_fetcher.sock
+ExecStartPost=chmod 660 /var/credentials-fetcher/socket/credentials_fetcher.sock
 Environment="CREDENTIALS_FETCHERD_STARTED_BY_SYSTEMD=1"
 Type=notify
 NotifyAccess=main
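Review bot: The two ExecStartPost= lines adjust the socket only after the daemon has signalled readiness (Type=notify), so between bind() and that `chmod 660` the socket carries whatever mode the daemon's umask produces; if that is world-connectable there is a short window in which any local user can reach the credentials socket. The daemon should set a restrictive mode itself before it starts accepting connections (a umask before bind, or a chmod on the path right after bind), with these ExecStartPost lines kept as a second check. `ec2-user` is hard-coded in both the ExecStartPre=chgrp and ExecStartPost=chgrp lines; on a host without that group chgrp fails and, since a failing ExecStartPre= aborts startup, the service will not come up, so a dedicated service group created at install time would avoid tying the unit to one distribution's default account. The bare `chgrp`/`chmod` command names depend on the systemd version resolving them via its search path; `/usr/bin/chgrp` and `/usr/bin/chmod` are safer if the target baseline is not pinned.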