Accessing Windows instance via SSM Session Manager

TOC

Configure Windows instances to be accessed via SSM Session Manager

We will check a configuration that accesses a Windows instance via SSM Session Manager.

Session Manager is a fully managed AWS Systems Manager capability that lets you manage your Amazon EC2 instances through an interactive one-click browser-based shell or through the AWS CLI. You can use Session Manager to start a session with an instance in your account. After the session is started, you can run bash commands as you would through any other connection type.

Connect to your Linux instance using Session Manager

Accessing an instance using SSM Session Manager has various advantages over the common SSH access. One of the most notable points is that it eliminates the need to open ports for remote access, and it also eliminates the need for a stepping stone server.

Leaving inbound SSH ports and remote PowerShell ports open on your managed nodes greatly increases the risk of entities running unauthorized or malicious commands on the managed nodes. Session Manager helps you improve your security posture by letting you close these inbound ports, freeing you from managing SSH keys and certificates, bastion hosts, and jump boxes.

AWS Systems Manager Session Manager

In this article, we will compare the access to a typical remote desktop (RDP) connection.
This page is intended for Windows instances.

あわせて読みたい
Accessing Linux instance via SSM Session Manager 【Configure Linux instances to be accessed via SSM Session Manager】 We will check a configuration in which an EC2 instance is accessed via SSM Session Manag...

Environment

Diagram of accessing Windows instance via SSM Session Manager

Create one subnet in the VPC.
A public subnet with access to the Internet.

Three Windows instances will be placed on each of these subnets.
The instance we are creating is Windows Server 2022.
Each of them will be configured with a public address.

These instances correspond to (1) or (2) in the Linux version.
The reason we only provide these two patterns is that this page focuses on checking the RDP connection and SSM Session Manager behavior on Windows.

CloudFormation template files

We will build the above configuration using CloudFormation.

Place the CloudFormation template at the following URL.

https://github.com/awstut-an-r/awstut-fa/tree/main/007

Scenario

The following three patterns are identified with respect to how to access Windows instances.

  1. RDP Connection
  2. SSM Session Manager connection (PowerShell)
  3. SSM Session Manager connection (RDP with port forwarding)

Template file points

This page focuses on how to access Windows instances using SSM Session Manager.

For basic information on SSM Session Manager, please refer to the following pages.

あわせて読みたい
Accessing Linux instance via SSM Session Manager 【Configure Linux instances to be accessed via SSM Session Manager】 We will check a configuration in which an EC2 instance is accessed via SSM Session Manag...

Security Group

One major difference between RDP and SSM Session Manager is the security group.
In the case of RDP, the port for the service (generally 3389/tcp) must be open.
In the case of SSM Session Manager, on the other hand, no such action is required.

The following table summarizes the inbound communications allowed by each instance in the security group.

InstanceMethodSecurity Group
Instance 1RDPAllow 3389/tcp
Instance 2SSM Session Manager
Instance 3SSM Session Manager

Instance 1: Security Group to allow RDP

Resources:
  InstanceSecurityGroup1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: !Sub "${Prefix}-InstanceSecurityGroup1"
      GroupDescription: Allow SSH.
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: !Ref RDPPort
          ToPort: !Ref RDPPort
          CidrIp: 0.0.0.0/0
Code language: YAML (yaml)

There are two key points to consider for security groups.

The first is the port number. In this case, RDP (3389/tcp) will be used to access instance 1 to which this security group will be applied, so the same port is specified.

The second is the sender. This time, “0.0.0.0/0” is specified as the CIDR. By setting it this way, it means that access from all source addresses is allowed.

In summary, the above allows RDP connections from all addresses via the Internet.

Instances 2 and 3: No inbound communication occurs in SSM Session Manager

Resources:
  InstanceSecurityGroup2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: !Sub "${Prefix}-InstanceSecurityGroup2"
      GroupDescription: Deny All.
      VpcId: !Ref VPC
Code language: YAML (yaml)

Security group to be applied to instances 2 and 3.
As you can clearly see by comparing with instance 1, it does not allow any inbound communication.
This means that all inbound communication is not allowed.

Without going into details, there is no inbound communication that should be allowed in order to run SSM Session Manager.
So create a security group that does not allow all inbound communication.

EC2

There are four key points in setting up an EC2 instance.

The first is the security group.
This was checked in the previous section and is omitted.

The second is an IAM role.
To use SSM Session Manager, we need to allow multiple SSM actions on the instance by associating an IAM role.
The required actions are summarized in the form of an AWS management policy (AmazonSSMMManagedInstanceCore), which you attach to the IAM role you create.

The third is the key pair.
If you use RDP, you need to set the key pair.

A key pair, consisting of a public key and a private key, is a set of security credentials that you use to prove your identity when connecting to an Amazon EC2 instance.

Amazon EC2 key pairs and Linux instances

Instance 1 will be accessed directly using RDP, and instance 3 will use SSM Session Manager’s port forwarding feature for RDP connections, so key pair settings are required for both instances.

Below is a table summarizing the settings for each instance.

InstanceMethodPolicies to attach to IAM rolesKey Pair
Instance 1RDPRequired
Instance 2SSM Session Manager(PowerShell)AWS Management Policy for SSM
Instance 3SSM Session Manager(Port Fowarding)AWS Management Policy for SSMRequired

Instance 1: Allow RDP with Key Pair and Security Group

Resources:
  Instance1:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref ImageId
      InstanceType: !Ref InstanceType
      KeyName: !Ref KeyName
      NetworkInterfaces:
        - AssociatePublicIpAddress: true
          DeviceIndex: 0
          SubnetId: !Ref PublicSubnet
          GroupSet:
            - !Ref InstanceSecurityGroup1
Code language: YAML (yaml)

Set the key pair.
In this case, we are assuming that you are creating a key pair named “MyKeyPair”.
Please see the following page for more information on creating key pairs.

https://docs.aws.amazon.com/cli/latest/userguide/cli-services-ec2-keypairs.html

Use the security group for instance 1.
This allows RDP (3389/tcp) from the Internet.

Instance 2: Allow SSM Session Manager in IAM role

Resources:
  Instance2:
    Type: AWS::EC2::Instance
    Properties:
      IamInstanceProfile: !Ref InstanceProfile
      ImageId: !Ref ImageId
      InstanceType: !Ref InstanceType
      NetworkInterfaces:
        - AssociatePublicIpAddress: true
          DeviceIndex: 0
          SubnetId: !Ref PublicSubnet
          GroupSet:
            - !Ref InstanceSecurityGroup2
Code language: YAML (yaml)

The security group for instance 2 does not allow all inbound communication.

Associate an instance profile (IAM role) with the IamInstanceProfile property.
The IAM role to be associated this time is attached to the AWS management policy AmazonSSMManagedInstanceCore.
Attaching this will allow the actions required to run SSM Session Manager.

Another requirement for running SSM Session Manager is that the SSM agent must be installed on the instance.
However, Windows Server 2022 has the agent installed by default, so no special action is required.

AWS Systems Manager Agent (SSM Agent) is preinstalled, by default, on the Amazon Machine Images (AMIs) for Windows Server that are provided by AWS. Support is provided for the following operating system (OS) versions.

Windows Server 2008-2012 R2 AMIs published in November 2016 or later

Windows Server 2016, 2019, and 2022

Working with SSM Agent on EC2 instances for Windows Server

Instance 3: Key pair configuration is required for RDP using Port Forwarding in SSM Session Manager

Resources:
  Instance3:
    Type: AWS::EC2::Instance
    Properties:
      IamInstanceProfile: !Ref InstanceProfile
      ImageId: !Ref ImageId
      InstanceType: !Ref InstanceType
      KeyName: !Ref KeyName
      NetworkInterfaces:
        - AssociatePublicIpAddress: true
          DeviceIndex: 0
          SubnetId: !Ref PublicSubnet
          GroupSet:
            - !Ref InstanceSecurityGroup2
Code language: YAML (yaml)

Instance 3 also uses SSM Session Manager, so set up an instance profile and security group as for instance 2.

In addition, instance 3 will use SSM Session Manager port forwarding for RDP connections, so we will also set up the key pair.

Architecting

Using CloudFormation, we will build this environment and check its actual behavior.

This time, we will proceed with the following conditions.

  • Bucket name and folder name: awstut-bucket/fa-007
  • CloudFormation stack name: fa-007

Create a CloudFormation stack and check the resources in the stack

Create a CloudFormation stack.

For more information on how to create stacks and check each stack, please refer to the following page.

あわせて読みたい
CloudFormation’s nested stack 【How to build an environment with a nested CloudFormation stack】 Examine nested stacks in CloudFormation. CloudFormation allows you to nest stacks. Nested ...

Check each resource from the AWS Management Console.

Instance 1

Detail of EC2 01.

Indeed, a key pair is set.

Check the security groups applied to this instance.

Detail of EC2 02.

We can confirm that this is indeed what the RDP allows.

Instance 2

Detail of EC2 03.

You can see that the IAM role is set.

Check this IAM role.

Detail of EC2 04.

Indeed, the AWS management policy AmazonSSMManagedInstanceCore is attached to this IAM role.

Instance 3

Detail of EC2 05.

You can see that IAM roles and key pairs have been set up.

Operation Check

Instance 1: RDP connection

Access to instance 1 is via RDP.

Verify the password of the administrator account for RDP connections – AWS Management Console Edition

When making a remote desktop connection, the initial password set for the administrator account must be verified.

The administrator’s account name depends on the language, but is usually Administrator.

The default username for the Administrator account depends on the language of the operating system (OS) contained in the AMI. To ascertain the correct username, identify the language of your AMI’s OS, and then choose the corresponding username. For example, for an English OS, the username is Administrator, for a French OS it’s Administrateur, and for a Portuguese OS it’s Administrador.

Connect to your Windows instance

There are two ways to check the Administrator password. First, we will cover the method using the AWSManagement Console.

After logging in to the AWS Management Console, access the page for the target EC2 instance and click “Connect” at the top.

Detail of EC2 06.

Select the “RDP client” tab and click “Get password”.

Detail of EC2 07.

Paste the private key of the key pair associated with the instance into the text area and press “Decrypt Password”.

Detail of EC2 08.

The string in the “Password” field is the Administrator’s password.

Detail of EC2 09.
RDP connection to a Windows instance

Start the remote desktop client and initiate access.

Detail of EC2 10.

Specify the public IPv4 DNS name of instance 1 as the access destination. Specify Administrator as the user name and the password you have just confirmed as the password.

After a short wait, the desktop screen appears.

Detail of EC2 11.

Thus, we were able to make an RDP connection to the Windows instance.

Instance 2: SSM Session Manager – PowerShell version

SSM Session Manager is used to access instance 2.

Access the instance using the AWS CLI.

$ aws ssm start-session \
--target i-01d49aca0bee4c9f9

Starting session with SessionId: i-0548ccea730f12250-052fb1dfae9c09d3c
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

新機能と改善のために最新の PowerShell をインストールしてください!https://aka.ms/PSWindows

PS C:\Windows\system32>
Code language: PowerShell (powershell)

Thus, by using SSM Session Manager, we were able to access the instance through a PowerShell connection.

Instance 3: SSM Session Manager – Port Forwarding Edition

Finally, we will review another access method for SSM Session Manager, using port forwarding to connect to RDP.

Verify password for admin account for RDP connection – AWS CLI version

Prior confirmation of the password is also required for RDP connections using port forwarding.

Learn how to check your password using the AWS CLI.

$ aws ec2 get-password-data \
--instance-id i-003567b4fb82d02c3 \
--priv-launch-key MyKeyPair.pem
{
    "InstanceId": "i-003567b4fb82d02c3",
    "PasswordData": "W!M5-$@.TfA@-DCZx9A.AeS!-vusQUkI",
    "Timestamp": "2024-02-15T11:33:30+00:00"
}
Code language: Bash (bash)

The value of PasswordData is the password.

RDP connection to a Windows instance using port forwarding

First, port forwarding is performed on the client side.

% aws ssm start-session \
--target i-003567b4fb82d02c3 \
--document-name AWS-StartPortForwardingSession \
--parameters "portNumber=3389, localPortNumber=13389"

Starting session with SessionId: root-030641470dec64987
Port 13389 opened for sessionId root-030641470dec64987.
Waiting for connections...
Code language: Bash (bash)

The command is to listen on port 13389 of the client terminal and forward to port 3389 of SSM Session Manager.

Start the remote desktop client and initiate access.

Detail of EC2 12.

The flow is the same as before, but the “PC name” value should be “localhost:13389”.

After entering the instance’s user name and password, wait a moment and the instance’s desktop screen will appear.

Detail of EC2 13.

By configuring port forwarding in this way, we were able to access the instance even with an RDP connection using SSM Session Manager.

Summary

We have identified a way to access Windows-type EC2 instances.

In addition to a typical RDP connection, you can also use SSM Session Manager for access.
When using SSM Session Manager, you can choose between the PowerShell version and RDP connections using port forwarding.

Compared to RDP connections, using SSM Session Manager has the advantage of eliminating the need to open ports for remote access or to prepare a stepping stone server, etc. By using SSM Session Manager, the risk of unauthorized access to instances can be reduced, and it will also reduce the man-hours required to manage instances. SSM Session Manager can reduce the risk of unauthorized access to your instances, and it can also reduce the man-hours required to manage your instances.

TOC