Secure RDP to EC2 Private Instance Using AWS SSM

Kunal Namdev
Published in Globant
5 min read · Jan 6, 2022

Introduction

Traditionally, to reach EC2 instances in private subnets without exposing them directly, and so reduce the attack surface, AWS recommended a bastion host, also known as a jump host. A bastion is a special-purpose EC2 instance designed to be the single entry point from the Internet; it acts as a proxy to the other EC2 instances. To connect to a private Windows instance you first open a Remote Desktop Protocol (RDP) session to the bastion and, from there, a second RDP session to the destination instance. The bastion itself still needs an inbound rule in its security group, plus patching, hardening and monitoring of its own.

To remove that burden, AWS Systems Manager (SSM) provides Session Manager, which lets you connect to your EC2 instances securely without running and operating bastion hosts and without opening inbound SSH or RDP ports on the instances.

In this article, I'll introduce AWS SSM and tunnel RDP through the port forwarding feature of Session Manager to reach a private Windows instance.

The following sections are included in this article:

1- Prerequisites
2- AWS Systems Manager (SSM)
3- Create a Windows OS user
4- RDP to EC2 instance
5- Summary
6- References

1- Prerequisites

  • An EC2 instance whose SSM Agent can reach the Systems Manager endpoints over outbound HTTPS (TCP 443): either through a NAT gateway, or through interface VPC endpoints for ssm, ssmmessages and ec2messages in the instance's VPC. No inbound security group rule is required.
  • An IAM instance profile attached to the instance with the AmazonSSMManagedInstanceCore managed policy (or equivalent permissions).
  • SSM Agent installed and running on the instance (version 2.3.672.0 or later is required for port forwarding).
  • IAM permissions for the user or role you run the commands as: at least ssm:StartSession on the target instance and on the AWS-StartPortForwardingSession document, and ssm:TerminateSession on the sessions it owns.
  • AWS CLI installed and configured on your local machine.
  • The latest version of the Session Manager Plugin for the AWS CLI installed on your local machine.

2- AWS Systems Manager (SSM)

AWS Systems Manager Session Manager is a fully managed capability of Systems Manager that provides an interactive shell and CLI for secure, access-controlled and audited management of Windows and Linux EC2 instances: access is governed by IAM policies, every session start is recorded in AWS CloudTrail, and session output can be logged to Amazon CloudWatch Logs or Amazon S3. Session Manager removes the need to open inbound ports, manage SSH keys or use bastion hosts.

Session Manager relies on the Systems Manager Agent (SSM Agent) running on the instance. The agent opens outbound connections to the Systems Manager endpoints, and the session is relayed over that channel, so no inbound connection to the instance is ever made. The SSM Agent is pre-installed on the Amazon-provided Windows Server 2016 and 2019 AMIs. This article shows how to use the SSM Agent together with the Systems Manager API to forward a port through that tunnel and connect to a private Windows EC2 instance, without running bastion hosts or jump boxes and without opening any inbound ports on the instance.

SSM Port Forwarding

You can tunnel Remote Desktop Protocol (RDP) through the port forwarding feature of Session Manager to reach a remote Windows instance without opening inbound port 3389 (the default RDP port) in the instance's security group. Remote Desktop must still be enabled on the instance itself, which it is by default on the Amazon Windows AMIs, because the forwarded traffic is delivered to the instance's own 3389 listener.

With port forwarding, you forward a port on the remote instance to a port on your local machine. This lets a user forward the traditional Remote Desktop Protocol port (3389/tcp) to any free port on their local machine (for example 55678/tcp) and then point any RDP client at that local port to reach the instance in AWS. The SSM command is:

aws ssm start-session --target <instance-id> --document-name AWS-StartPortForwardingSession --parameters "localPortNumber=55678,portNumber=3389"

3- Create a Windows OS user

You can skip this step if your EC2 instance is joined to an Active Directory domain; in that case you log in with your Active Directory credentials. Otherwise, follow the steps below to create a new local Remote Desktop user on the Windows instance:

A. Under Node Management in the AWS Systems Manager navigation menu, open the Session Manager console and start a session on the Windows instance. The session opens a PowerShell prompt as a local administrator (the ssm-user account that SSM Agent creates), so no instance credentials are needed for the commands below.

B. Type the following commands to create a new user:

  • Read the password as a secure string. The command below prompts for a password without echoing it; type a strong password and press Enter:
$Password = Read-Host -AsSecureString
  • Create the local user:
New-LocalUser "User01" -Password $Password
  • Add the user to the Remote Desktop Users group (this is sufficient for RDP logon; the account does not need to be an Administrator):
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "User01"
  • Click Terminate to end the session, or type exit and select Close.
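As an added example (not code from the original article), the following PowerShell script performs the steps above inside the Session Manager shell and adds the checks a practitioner would want: it refuses to overwrite an existing account, reads the password without echoing it (session transcripts can be logged), verifies that the user ended up in Remote Desktop Users and not in Administrators, and confirms that the instance itself will accept RDP on 3389. The user name User01 is the article's placeholder; the cmdlets are standard on Windows Server 2016 and later.

```powershell
# Added example (not from the original article): run inside the Session Manager shell on the
# Windows instance. Creates a dedicated, non-administrative RDP user, verifies group
# membership, and confirms the instance will accept RDP on 3389. The user name is a placeholder.
$UserName = "User01"

# Read the password as a SecureString so it is never echoed. This matters here because
# Session Manager can stream the session transcript to CloudWatch Logs or S3.
$Password = Read-Host -Prompt "Password for $UserName" -AsSecureString

if (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue) {
    throw "Local user '$UserName' already exists; choose another name or remove it first."
}

# Create the account. PasswordNeverExpires is left unset so the normal password policy applies.
New-LocalUser -Name $UserName -Password $Password `
    -Description "RDP access via SSM port forwarding" | Out-Null

# Membership in "Remote Desktop Users" is all RDP logon needs; do not add the account to
# Administrators unless the work actually requires it (least privilege).
Add-LocalGroupMember -Group "Remote Desktop Users" -Member $UserName

# Verify group membership. Get-LocalGroupMember returns names as COMPUTER\User.
$inRdp   = Get-LocalGroupMember -Group "Remote Desktop Users" |
    Where-Object { $_.Name -like "*\$UserName" }
$inAdmin = Get-LocalGroupMember -Group "Administrators" -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like "*\$UserName" }
if (-not $inRdp) { throw "'$UserName' is not a member of Remote Desktop Users" }
if ($inAdmin)    { Write-Warning "'$UserName' is also a local Administrator; remove it unless required" }

# The security group needs no inbound rule, but the port forward still terminates at the
# instance's own 3389 listener, so Remote Desktop must be enabled and the Windows Firewall
# "Remote Desktop" rule group must be on. Both are the default on Amazon Windows AMIs.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ((Get-ItemProperty -Path $tsKey).fDenyTSConnections -ne 0) {
    Write-Warning "Remote Desktop is disabled; enable it with: Set-ItemProperty -Path '$tsKey' -Name fDenyTSConnections -Value 0"
}
$fwRules = Get-NetFirewallRule -DisplayGroup "Remote Desktop" -Direction Inbound |
    Where-Object { $_.Enabled -eq 'True' }
if (-not $fwRules) {
    Write-Warning "No enabled inbound rule in the 'Remote Desktop' firewall group; enable with: Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'"
}
$listening = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
if (-not $listening) { Write-Warning "Nothing is listening on TCP 3389; check the TermService service" }

Write-Host "User '$UserName' is ready for RDP through the SSM port forward."
```

The warnings are deliberately non-fatal: on a stock Amazon Windows AMI none of them should fire, and on a hardened image they tell you exactly which local setting, not the security group, is blocking the forwarded connection.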

4- RDP to EC2 instance

Follow the steps below to open an RDP connection to the EC2 instance through the Session Manager tunnel:

A. Browse to the EC2 Console and note the instance-id for the Windows instance.

B. Open a terminal on your local machine and run the following command to start a port-forwarding session to the Windows instance:

aws ssm start-session --target <instance-id> --document-name AWS-StartPortForwardingSession --parameters "localPortNumber=55678,portNumber=3389"

C. You should see a message indicating that port 55678 has been opened for this session and that the plugin is waiting for connections. Leave this terminal open; the tunnel lives only as long as the command runs.

D. Open Microsoft Remote Desktop client and add a new remote desktop using the information below.

  • PC Name: localhost:55678.
  • User Account: Provide username and password created in the earlier step.

E. You should now be connected and able to work on the remote instance over RDP.

Once you've completed your work on the EC2 instance, disconnect the RDP session. Then go back to the terminal window and press Ctrl+C to stop the session manager command. This terminates the session, closes the connection to the EC2 instance and releases the forwarded port on your local machine. The session, including who started it and when, remains visible in the Session Manager history and in CloudTrail.
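The port-forwarding command from section 2 and the steps in this section, as one local PowerShell script. This is an added example and not part of the original article: it assumes AWS CLI v2 and the Session Manager plugin are on PATH, that your credentials permit ssm:StartSession on the target, and that the instance ID and region placeholders are replaced with real values. Before opening the tunnel it checks that the instance is Online in SSM with an agent version that supports port forwarding, waits for the local listener without connecting to it (a probe connection would be relayed to the instance), launches mstsc, and tears the session down when the RDP window closes.

```powershell
# Added example (not from the original article): the local-machine side of the procedure as
# one script. Assumes AWS CLI v2 and the Session Manager plugin on PATH and credentials that
# may call ssm:StartSession on the target. InstanceId and Region are placeholders to replace.
param(
    [Parameter(Mandatory = $true)] [string] $InstanceId,  # e.g. i-0123456789abcdef0 (placeholder)
    [int]    $LocalPort = 55678,                           # local port used in the article
    [string] $Region    = "us-east-1"                      # assumed region; adjust as needed
)

function Test-LocalListener([int] $Port) {
    # True if some process is listening on TCP $Port. Reads the socket table rather than
    # connecting, because a probe connection would be relayed to 3389 on the instance.
    [bool] (Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
}

# 1. Is the target registered with SSM, online, and running an agent new enough for
#    port forwarding (2.3.672.0 or later)? If not, the agent/endpoint prerequisites need
#    fixing first; start-session would otherwise fail with TargetNotConnected.
$info = aws ssm describe-instance-information --region $Region `
    --filters "Key=InstanceIds,Values=$InstanceId" `
    --query "InstanceInformationList[0].[PingStatus,AgentVersion]" --output text
$ping, $agentVersion = ($info -split '\s+')
if ($ping -ne "Online") { throw "Instance $InstanceId is not reachable by SSM (PingStatus='$ping')" }
if ([version] $agentVersion -lt [version] "2.3.672.0") {
    throw "SSM Agent $agentVersion is too old for port forwarding; update to 2.3.672.0 or later"
}

# 2. Refuse to start if the local port is already taken (the plugin would fail to bind).
if (Test-LocalListener $LocalPort) { throw "localhost:$LocalPort is already in use; pick another -LocalPort" }

# 3. Start the port-forwarding session in the background. The plugin listens on localhost
#    only; traffic is relayed to 3389 on the instance over the agent's outbound channel,
#    so the instance's security group still has no inbound rule.
$session = Start-Process -FilePath "aws" -PassThru -NoNewWindow -ArgumentList @(
    "ssm", "start-session", "--region", $Region, "--target", $InstanceId,
    "--document-name", "AWS-StartPortForwardingSession",
    "--parameters", "localPortNumber=$LocalPort,portNumber=3389"
)

try {
    # 4. Wait up to 30 s for the local listener before launching the RDP client.
    $deadline = (Get-Date).AddSeconds(30)
    while (-not (Test-LocalListener $LocalPort)) {
        if ($session.HasExited)       { throw "aws ssm start-session exited early; check the error above" }
        if ((Get-Date) -gt $deadline) { throw "Port forward did not come up on localhost:$LocalPort" }
        Start-Sleep -Milliseconds 500
    }

    # 5. Open mstsc against the forwarded port and block until the RDP window is closed.
    Start-Process -FilePath "mstsc.exe" -ArgumentList "/v:localhost:$LocalPort" -Wait
}
finally {
    # 6. Tear the tunnel down. /T kills the session-manager-plugin child as well as aws.exe,
    #    which is what Ctrl+C achieves in the interactive version of this procedure.
    if (-not $session.HasExited) { taskkill.exe /PID $($session.Id) /T /F | Out-Null }
    Write-Host "Session to $InstanceId closed; localhost:$LocalPort released."
}
```

Run it as `.\Connect-RdpViaSsm.ps1 -InstanceId i-0123456789abcdef0 -Region eu-west-1` (file name and values illustrative). The readiness check in step 1 is worth keeping even when you type the commands by hand: a PingStatus other than Online points at the instance profile, the agent, or the VPC endpoints from the prerequisites, not at the RDP client.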

5- Summary

In this post we saw how to use AWS Session Manager to access a private EC2 instance without adding inbound rules to the instance's security group, managing SSH keys or running another instance as a bastion host, and how to tunnel RDP with Session Manager port forwarding.

6- References

https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html

https://aws.amazon.com/premiumsupport/knowledge-center/ec2-systems-manager-vpc-endpoints/
