Accessing Windows instance via SSM Session Manager


Configure Windows instances to be accessed via SSM Session Manager

In this post we check a configuration for accessing a Windows instance via SSM Session Manager.

Session Manager is a fully managed AWS Systems Manager capability that lets you manage your Amazon EC2 instances through an interactive one-click browser-based shell or through the AWS CLI. You can use Session Manager to start a session with an instance in your account. After the session is started, you can run bash commands as you would through any other connection type.

Connect to your Linux instance using Session Manager

Accessing an instance using SSM Session Manager has various advantages over the common SSH access. One of the most notable points is that it eliminates the need to open ports for remote access, and it also eliminates the need for a stepping stone server.

Leaving inbound SSH ports and remote PowerShell ports open on your managed nodes greatly increases the risk of entities running unauthorized or malicious commands on the managed nodes. Session Manager helps you improve your security posture by letting you close these inbound ports, freeing you from managing SSH keys and certificates, bastion hosts, and jump boxes.

AWS Systems Manager Session Manager

This time, we will check the following two patterns of access to the EC2 instance.

  1. Direct access via RDP (Pattern 1)
  2. Access via SSM Session Manager (Pattern 2)

For access with SSM Session Manager, there are two further variants.

  1. CLI access to a PowerShell prompt
  2. Port-forwarding (tunneled) access with SSM Session Manager, followed by a remote desktop connection through the tunnel

This page is intended for Windows instances, but for information on how to access Linux instances via Session Manager, please refer to the following page.

Environment

Diagram of accessing Windows instance via SSM Session Manager

CloudFormation template files

We will build the above configuration using CloudFormation.

The CloudFormation template is available at the following URL.

awstut-fa/007 at main · awstut-an-r/awstut-fa

Template file points

In terms of configuration, it is almost the same as the Linux version, so please check there.

The only difference is that the inbound traffic allowed to instance 1 is RDP (3389/tcp) rather than SSH (22/tcp). Instance 2, which is reached only through Session Manager, needs no inbound rule at all.
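A quick way to verify that a stack really follows the Session Manager pattern is to audit its security groups for remote-admin ports open to the internet. The following is an added example, not part of the original post or the awstut-fa template; the security-group JSON is constructed in the shape of `aws ec2 describe-security-groups` output, with one group mirroring instance 1 (RDP inbound), one mirroring instance 2 (no inbound rules) and one deliberately over-permissive group.

```python
"""Audit EC2 security groups for SSH/RDP inbound rules open to the internet."""
import json

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group IDs and names are made up for this example.
SAMPLE_OUTPUT = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "fa-007-instance1",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "fa-007-instance2",
     "IpPermissions": []},               # Session Manager pattern: no inbound
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "wide-open",
     "IpPermissions": [
         {"IpProtocol": "-1",              # -1 means all protocols and ports
          "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]})


def _rule_covers(rule, port):
    """True if an inbound rule includes `port`/tcp (IpProtocol -1 covers all)."""
    if rule["IpProtocol"] == "-1":
        return True
    if rule["IpProtocol"] != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def _open_to_world(rule):
    """Return the CIDRs of this rule that mean 'any source', IPv4 or IPv6."""
    cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
    cidrs |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
    return sorted(cidrs & ANYWHERE)


def find_exposed_admin_ports(describe_sg_json):
    """Return [(group_id, port, service, cidr)] for every rule that lets the
    whole internet reach SSH or RDP. An empty list for a group means it
    matches the Session Manager pattern: no inbound remote-admin ports."""
    findings = []
    for sg in json.loads(describe_sg_json)["SecurityGroups"]:
        for rule in sg["IpPermissions"]:
            for port, service in ADMIN_PORTS.items():
                if _rule_covers(rule, port):
                    for cidr in _open_to_world(rule):
                        findings.append((sg["GroupId"], port, service, cidr))
    return findings


if __name__ == "__main__":
    for gid, port, svc, cidr in find_exposed_admin_ports(SAMPLE_OUTPUT):
        print(f"{gid}: {svc} ({port}/tcp) reachable from {cidr}")
```

Feed it real output with `aws ec2 describe-security-groups --output json`; only the instance 1 group and the all-traffic group are reported, while the instance 2 group passes cleanly.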

The instances created this time are based on Windows Server 2019. Since SSM Agent is preinstalled on that AMI, no additional setup is required.

AWS Systems Manager Agent (SSM Agent) is preinstalled, by default, on the following Amazon Machine Images (AMIs):
Windows Server 2008-2012 R2 AMIs published in November 2016 or later
Windows Server 2016 and 2019

Installing and configuring SSM Agent on EC2 instances for Windows Server

Architecting

Using CloudFormation, we will build this environment and check its actual behavior.

This time, we will proceed with the following conditions.

  • Bucket name and folder name: awstut-bucket/fa-007
  • CloudFormation stack name: fa-007

Create a CloudFormation stack and check the resources in the stack

Create a CloudFormation stack.

For more information on how to create stacks and check each stack, please refer to the following page.

After checking the resources for each stack, the following information is available for the main resources created this time.

  • ID of Instance 1: i-02c150dd6e9b0a456
  • ID of instance 2: i-06440942b19c01cc6

Check the details of instance 1 for additional information.

$ aws ec2 describe-instances \
--instance-ids i-02c150dd6e9b0a456

I checked the public DNS name of instance 1, and this time it was “ec2-54-248-20-39.ap-northeast-1.compute.amazonaws.com”.

Confirm the password of the administrator account for RDP connection

To make a remote desktop connection, you need to confirm the initial password set for the administrator account.

The administrator account name depends on your language, but it is usually “Administrator”.

The name of the administrator account depends on the language of the operating system. For example, for English, it’s Administrator, for French it’s Administrateur, and for Portuguese it’s Administrador.

Connect to your Windows instance using RDP

There are two ways to check the Administrator’s password. We will check them in order.

Confirm the RDP password from the AWS Management Console

After logging in to the AWS Management Console, access the page for the target EC2 instance.

Get the password for RDP from the AWS Management Console 1.

Press “Connect” at the top.

Get the password for RDP from the AWS Management Console 2.

Select the “RDP Client” tab, and then click “Get Password”.

Get the password for RDP from the AWS Management Console 3.

Paste the private key of the key pair associated with the instance into the text area and press “Decrypt Password”.

Get the password for RDP from the AWS Management Console 4.

The character string in the “Password” field is the password for Administrator.

Verifying the RDP password from the AWS CLI

You can get the password by specifying the instance ID and the private key of the key pair.

$ aws ec2 get-password-data \
--instance-id i-02c150dd6e9b0a456 \
--priv-launch-key MyKeyPair.pem
{
    "InstanceId": "i-02c150dd6e9b0a456",
    "PasswordData": "XXXXXXXXXXXXXXXXXXXXXX",
    "Timestamp": "2021-10-27T07:46:31+00:00"
}

The value of “PasswordData” is the password for Administrator.

Behavior check 1: Accessing the instance via remote desktop connection

Now that we are ready, let’s check the actual behavior.

First, let’s check how to access the instance via a remote desktop connection.

Start the remote desktop client and initiate the access.

Accessing a Windows instance via RDP 1.

The image above shows the Microsoft Remote Desktop application for macOS. Add a new PC, enter the public DNS name or IP address of the instance you want to access in the “PC name” field, and then click “Add”.

Enter “Administrator” in the “Username” field and the password you have just confirmed in the “Password” field, then click “Continue”.

Accessing a Windows instance via RDP 2.

After a short wait, the desktop screen will appear.

Accessing a Windows instance via RDP 3.

I was able to successfully access the instance through a remote desktop connection.

Behavior check 2: Using SSM Session Manager to access the instance via PowerShell connection

The next step is to access the instance using SSM Session Manager.

As mentioned earlier, there are two patterns of access using the SSM Session Manager, but we will check the PowerShell connection first.

Use the AWS CLI to access the instance.

$ aws ssm start-session \
--target i-06440942b19c01cc6
Starting session with SessionId: root-07a25a576dc266a07
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>

An interactive PowerShell prompt is now displayed, and you can operate the instance with PowerShell commands.

Thus, by using SSM Session Manager, we were able to reach the instance through a PowerShell session without any inbound port open.

Using SSM Session Manager for tunneled access with a remote desktop connection

Finally, we will check another access method of SSM Session Manager, tunneling access to the instance through a remote desktop connection.

First, execute the following command on the client side to perform tunneling access to the instance.

% aws ssm start-session \
--target i-06440942b19c01cc6 \
--document-name AWS-StartPortForwardingSession \
--parameters "portNumber=3389, localPortNumber=13389"

Starting session with SessionId: root-07afa4c0f225a1c3a
Port 13389 opened for sessionId root-07afa4c0f225a1c3a.
Waiting for connections...
This command listens on port 13389 on the client machine and forwards any connection to it, through Session Manager, to port 3389 (RDP) on the instance.

When the “Waiting for connections...” line appears, start the remote desktop client.

Tunneling with SSM to access Windows instance via RDP 1.

The flow is the same as before, but the value of “PC name” should be “localhost:13389”.

After entering the instance’s user name and password, wait for a while and the instance’s desktop screen will appear.

Tunneling with SSM to access Windows instance via RDP 2.

Thus, even with SSM Session Manager, I was able to access the instance via remote desktop connection by configuring tunneling access.

Summary

We have checked how to access a Windows EC2 instance.

There are two main types of access methods: remote desktop connection or using SSM Session Manager.

There are also two more types of the latter: PowerShell connection and remote desktop connection with tunneled access.
