Where should I keep this file for security? At the moment it is on my desktop - should I put it somewhere else?
The 'standard' location would be a .ssh directory in your $HOME, i.e.
/Users/$USER/.ssh/
You should protect this directory with permissions 700. You can set up a config file to automatically use the .pem, and set the username when sshing to EC2 instances.
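
The steps in the answer above as shell functions, added here as an example and not part of the original answer. The function names, the `ec2-*` host pattern and the `ec2-user` login name are assumptions; substitute the names your instances use.

```shell
#!/bin/sh
# Added example: move an EC2 .pem key into ~/.ssh with strict permissions.
# Usage: install_ec2_key <path-to-pem> <host-pattern> <login-user> [home-dir]

# Print a file's octal mode with GNU (Linux) or BSD (macOS) stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

install_ec2_key() {
    pem=$1; pattern=$2; login=$3; home=${4:-$HOME}
    ssh_dir=$home/.ssh
    dest=$ssh_dir/$(basename "$pem")
    [ -f "$pem" ] || { echo "no such key: $pem" >&2; return 1; }
    # umask 077: nothing is created group- or world-readable, even briefly.
    (
        umask 077
        mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || exit 1
        cp "$pem" "$dest" && chmod 600 "$dest" && rm -f "$pem" || exit 1
        touch "$ssh_dir/config" && chmod 600 "$ssh_dir/config" || exit 1
        # Append the Host block only if this pattern is not configured yet.
        if ! grep -qxF "Host $pattern" "$ssh_dir/config"; then
            printf 'Host %s\n    User %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' \
                "$pattern" "$login" "$dest" >> "$ssh_dir/config"
        fi
    ) || return 1
}

# Return 0 only if .ssh is 700 and config/keys grant nothing to group or other.
check_ssh_perms() {
    home=${1:-$HOME}
    [ "$(file_mode "$home/.ssh")" = 700 ] || return 1
    for f in "$home"/.ssh/config "$home"/.ssh/*.pem; do
        [ -e "$f" ] || continue
        case $(file_mode "$f") in
            [0-7]00) ;;
            *) echo "too permissive: $f" >&2; return 1 ;;
        esac
    done
}
```

After `install_ec2_key ~/Desktop/mykey.pem 'ec2-*' ec2-user`, any `ssh` to a host name matching `ec2-*` picks up the key and user name from the config file.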