- Configure Windows instances to be accessed via SSM Session Manager
- Environment
- CloudFormation template files
- Template file points
- Architecting
- Create a CloudFormation stack and check the resources in the stack
- Confirm the password of the administrator account for RDP connection
- Behavior check 1: Accessing the instance via remote desktop connection
- Behavior check 2: Using SSM Session Manager to access the instance via PowerShell connection
- Using SSM Session Manager for tunneled access with a remote desktop connection
- Summary
Configure Windows instances to be accessed via SSM Session Manager
In this page we check a configuration for accessing a Windows EC2 instance via SSM Session Manager.
Session Manager is a fully managed AWS Systems Manager capability that lets you manage your Amazon EC2 instances through an interactive one-click browser-based shell or through the AWS CLI. You can use Session Manager to start a session with an instance in your account. After the session is started, you can run bash commands as you would through any other connection type.
Connect to your Linux instance using Session Manager
Accessing an instance through SSM Session Manager has several advantages over conventional SSH or RDP access. The most notable one is that no inbound port has to be opened for remote access, which in turn removes the need for a bastion (stepping-stone) host.
Leaving inbound SSH ports and remote PowerShell ports open on your managed nodes greatly increases the risk of entities running unauthorized or malicious commands on the managed nodes. Session Manager helps you improve your security posture by letting you close these inbound ports, freeing you from managing SSH keys and certificates, bastion hosts, and jump boxes.
AWS Systems Manager Session Manager
This time, we will check the following two patterns of access to the EC2 instance.
- Access via RDP (pattern 1)
- Access via SSM Session Manager (pattern 2)
Access via SSM Session Manager in turn comes in two forms.
- CLI access with PowerShell
- Tunneling access with SSM Session Manager and remote desktop connection
This page is intended for Windows instances, but for information on how to access Linux instances via Session Manager, please refer to the following page.
Environment

CloudFormation template files
We will build the above configuration using CloudFormation.
The CloudFormation template is available at the following URL.
Template file points
In terms of configuration, it is almost the same as the Linux version, so please check there.
The only difference is that the inbound communication allowed by instance 1 is RDP (3389/tcp), not SSH.
The instances created this time are based on Windows Server 2019. SSM Agent is preinstalled on that AMI, so no extra installation or configuration is needed for Session Manager.
AWS Systems Manager Agent (SSM Agent) is preinstalled, by default, on the following Amazon Machine Images (AMIs):
Windows Server 2008-2012 R2 AMIs published in November 2016 or later
Windows Server 2016 and 2019
Installing and configuring SSM Agent on EC2 instances for Windows Server
Architecting
Using CloudFormation, we will build this environment and check its actual behavior.
This time, we will proceed with the following conditions.
- Bucket name and folder name: awstut-bucket/fa-007
- CloudFormation stack name: fa-007
Create a CloudFormation stack and check the resources in the stack
Create a CloudFormation stack.
For more information on how to create stacks and check each stack, please refer to the following page.
Checking the resources of the stack gives the following IDs for the main resources created this time, the two EC2 instances.
- ID of instance 1: i-02c150dd6e9b0a456
- ID of instance 2: i-06440942b19c01cc6
Check the details of instance 1 for additional information.
$ aws ec2 describe-instances \
--instance-ids i-02c150dd6e9b0a456
I checked the public DNS name of instance 1, and this time it was “ec2-54-248-20-39.ap-northeast-1.compute.amazonaws.com”.
Confirm the password of the administrator account for RDP connection
To make a remote desktop connection, you need to confirm the initial password set for the administrator account.
The administrator account name depends on your language, but it is usually “Administrator”.
The name of the administrator account depends on the language of the operating system. For example, for English, it’s Administrator, for French it’s Administrateur, and for Portuguese it’s Administrador.
Connect to your Windows instance using RDP
There are two ways to check the Administrator’s password. We will check them in order.
Confirm the RDP password from the AWS Management Console
After logging in to the AWS Management Console, access the page for the target EC2 instance.

Press “Connect” at the top.

Select the “RDP Client” tab, and then click “Get Password”.

Paste the private key of the key pair associated with the instance into the text area and press “Decrypt Password”.

The character string in the “Password” field is the password for Administrator.
Verifying the RDP password from the AWS CLI
You can get the password by specifying the instance ID and the private key file of the key pair. With --priv-launch-key the CLI decrypts the password locally; without it, the PasswordData field holds the encrypted, base64-encoded value instead.
$ aws ec2 get-password-data \
--instance-id i-02c150dd6e9b0a456 \
--priv-launch-key MyKeyPair.pem
{
"InstanceId": "i-02c150dd6e9b0a456",
"PasswordData": "XXXXXXXXXXXXXXXXXXXXXX",
"Timestamp": "2021-10-27T07:46:31+00:00"
}
The value of “PasswordData” is the password for Administrator. Note that anyone who holds the private key and has the ec2:GetPasswordData permission can obtain this password, so the .pem file should be protected like the Administrator credential itself.
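What --priv-launch-key does under the hood, as an added example that is not from the original page: EC2 encrypts the initial Administrator password with the key pair's RSA public key (PKCS#1 v1.5 padding) and returns it base64-encoded in PasswordData, so the private key alone recovers it. The decrypt_password_data function below performs that decryption with openssl on raw PasswordData; demo_round_trip generates a throwaway key and a constructed password to exercise it offline. The key file name MyKeyPair.pem is taken from the page; the function names and the sample password are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): decrypt EC2 PasswordData by hand.
set -euo pipefail

# Decrypt the base64 PasswordData returned by
#   aws ec2 get-password-data --instance-id <id> --query PasswordData --output text
# using the key pair's private key. EC2 encrypts the initial Administrator
# password with the key pair's RSA public key (PKCS#1 v1.5, the default padding
# mode of openssl pkeyutl), so only the private key can recover it.
decrypt_password_data() {
  local password_data="$1" private_key="$2"
  # The API value may contain line breaks; strip them before decoding.
  printf '%s' "$password_data" | tr -d '\r\n' | base64 -d \
    | openssl pkeyutl -decrypt -inkey "$private_key"
}

# Offline round trip with a throwaway key and a constructed password
# (assumption of this example, not a real instance's password). It mirrors
# what EC2 does at launch: encrypt with the public key, base64-encode.
demo_round_trip() {
  local tmp
  tmp="$(mktemp -d)"
  openssl genrsa -out "$tmp/MyKeyPair.pem" 2048 2>/dev/null
  openssl pkey -in "$tmp/MyKeyPair.pem" -pubout -out "$tmp/MyKeyPair.pub" 2>/dev/null

  local plaintext='Constructed-P@ssw0rd!'
  local encrypted recovered
  encrypted="$(printf '%s' "$plaintext" \
    | openssl pkeyutl -encrypt -pubin -inkey "$tmp/MyKeyPair.pub" \
    | base64 | tr -d '\n')"

  recovered="$(decrypt_password_data "$encrypted" "$tmp/MyKeyPair.pem")"
  rm -rf "$tmp"
  printf '%s' "$recovered"
}

# Run stand-alone as: ./decrypt_password_data.sh i-02c150dd6e9b0a456 MyKeyPair.pem
if [ "$#" -eq 2 ]; then
  decrypt_password_data "$(aws ec2 get-password-data --instance-id "$1" \
      --query PasswordData --output text)" "$2"
  echo
fi
```

Because the decryption happens entirely on the client, rotating the key pair on the AWS side does not help once the .pem has leaked: the encrypted password blob stays tied to the public key the instance was launched with, and the Administrator password itself has to be changed on the instance.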
Behavior check 1: Accessing the instance via remote desktop connection
Now that we are ready, let’s check the actual behavior.
First, let’s check how to access the instance via a remote desktop connection.
Start the remote desktop client and initiate the access.

The image above shows the Microsoft Remote Desktop application for macOS. Add a new PC entry, enter the public DNS name or IP address of the instance you want to access in the “PC name” field, and then click “Add”.
Enter “Administrator” in the “Username” field and the password you have just confirmed in the “Password” field, then click “Continue”.

After a short wait, the desktop screen will appear.

I was able to successfully access the instance through a remote desktop connection.
Behavior check 2: Using SSM Session Manager to access the instance via PowerShell connection
The next step is to access the instance using SSM Session Manager.
As mentioned earlier, there are two patterns of access using the SSM Session Manager, but we will check the PowerShell connection first.
Use the AWS CLI to access the instance. The Session Manager plugin for the AWS CLI must be installed on the client for start-session to work.
$ aws ssm start-session \
--target i-06440942b19c01cc6
Starting session with SessionId: root-07a25a576dc266a07
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Windows\system32>
A PowerShell prompt appears, and the instance can now be operated with PowerShell commands.
Thus, by using SSM Session Manager, we were able to reach the instance through a PowerShell session without any inbound port being open.
Using SSM Session Manager for tunneled access with a remote desktop connection
Finally, we will check another access method of SSM Session Manager, tunneling access to the instance through a remote desktop connection.
First, execute the following command on the client side to perform tunneling access to the instance.
$ aws ssm start-session \
--target i-06440942b19c01cc6 \
--document-name AWS-StartPortForwardingSession \
--parameters "portNumber=3389, localPortNumber=13389"
Starting session with SessionId: root-07afa4c0f225a1c3a
Port 13389 opened for sessionId root-07afa4c0f225a1c3a.
Waiting for connections...
This command makes the Session Manager plugin listen on port 13389 of the client machine and forward every connection it receives, through the Session Manager channel, to port 3389 (RDP) on the instance. The instance itself still needs no inbound rule for 3389; the traffic arrives through the outbound connection SSM Agent keeps to the Systems Manager endpoints.
Once the tunnel is listening, start the remote desktop client.

The flow is the same as before, but the value of “PC name” should be “localhost:13389”.
After entering the instance’s user name and password, wait for a while and the instance’s desktop screen will appear.

Thus, even with SSM Session Manager, I was able to access the instance via remote desktop connection by configuring tunneling access.
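A wrapper for the tunnel step, as an added example that is not part of the original page: it checks that the target is reporting to Systems Manager as Online, refuses a local port that is already in use, starts AWS-StartPortForwardingSession in the background, waits for the plugin's local listener to come up, and kills the tunnel when the script exits so no forwarded port is left behind. The instance ID and the ports 3389/13389 are those used on this page; the function names, the 15-second timeout, and the use of bash's /dev/tcp for the port probe are assumptions of this example. Running it for real requires the AWS CLI, the Session Manager plugin, and credentials allowing ssm:StartSession and ssm:DescribeInstanceInformation.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): manage the RDP tunnel's lifecycle.
set -euo pipefail

# JSON form of the document parameters; the shorthand form on the page works
# too, JSON just makes the list-valued parameters explicit.
build_port_forward_params() {
  local remote_port="$1" local_port="$2"
  printf '{"portNumber":["%s"],"localPortNumber":["%s"]}' "$remote_port" "$local_port"
}

# True if something already accepts TCP connections on host:port
# (bash /dev/tcp probe; assumption of this example).
port_in_use() {
  local host="$1" port="$2"
  (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null
}

# Poll until the plugin's local listener is up, or fail after timeout seconds.
wait_for_port() {
  local host="$1" port="$2" timeout="${3:-15}" waited=0
  until port_in_use "$host" "$port"; do
    if [ "$waited" -ge "$timeout" ]; then
      return 1
    fi
    sleep 1
    waited=$((waited + 1))
  done
}

# Refuse to start if SSM Agent on the target is not checking in: the session
# request would otherwise sit there until it times out.
assert_managed_online() {
  local target="$1" status
  status="$(aws ssm describe-instance-information \
      --filters "Key=InstanceIds,Values=$target" \
      --query 'InstanceInformationList[0].PingStatus' --output text)"
  if [ "$status" != "Online" ]; then
    echo "$target is not an Online managed node (got: $status)" >&2
    return 1
  fi
}

# Start the tunnel, hand localhost:<local_port> to the RDP client, and tear the
# tunnel down when this function's shell exits.
ssm_rdp() {
  local target="$1" local_port="${2:-13389}" remote_port="${3:-3389}"
  assert_managed_online "$target"
  if port_in_use 127.0.0.1 "$local_port"; then
    echo "local port $local_port is already in use; choose another" >&2
    return 1
  fi

  aws ssm start-session --target "$target" \
    --document-name AWS-StartPortForwardingSession \
    --parameters "$(build_port_forward_params "$remote_port" "$local_port")" &
  local tunnel_pid=$!
  # Killing the CLI/plugin process ends the session on the AWS side as well,
  # so the listener never outlives this script.
  trap 'kill "$tunnel_pid" 2>/dev/null || true' EXIT

  if ! wait_for_port 127.0.0.1 "$local_port" 15; then
    echo "tunnel on localhost:$local_port did not come up" >&2
    return 1
  fi
  echo "Connect your RDP client to localhost:$local_port as Administrator."
  echo "Press Enter here when you are done to close the tunnel."
  read -r _
}

# Run stand-alone as: ./ssm_rdp.sh i-06440942b19c01cc6 [local_port] [remote_port]
if [ "$#" -gt 0 ]; then
  ssm_rdp "$@"
fi
```

The plugin binds the forwarded port on the loopback interface, so the tunnel is only reachable from the client machine; the wrapper's job is to make sure it exists only while it is being used and that a stale listener from an earlier run does not silently receive the RDP connection.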
Summary
We have checked how to access a Windows EC2 instance.
There are two main access methods: a direct remote desktop connection to an instance with RDP open, or SSM Session Manager.
The latter in turn has two forms: a PowerShell session, and a remote desktop connection over a Session Manager port-forwarding tunnel, neither of which needs an inbound port on the instance.