Using AWS Session Manager to connect to Windows Instance without an RDP port
Overview
- Session Manager is part of the AWS Systems Manager service, an “interactive shell that allows us to have more controlled and secure access to Windows and Linux Instances without opening”
Goal of this Document
- Gain exposure to the SSM service and learn the steps to access an instance without the use of an open port in the security group.
Requirements
This walk-through assumes that you have the following setup already:
- A Windows instance running in a public subnet with the RDP port (TCP 3389) open in its security group (initially)
- AWS CLI configured on your local computer (Windows OS)
Summary of the walkthrough
- Install SSM Agent inside your AWS EC2 Windows instance
- Attach a role to the instance to have permissions to SSM
- Console into the Windows instance through Session Manager and add a new user to the RemoteDesktopUsers group
- Download the Session Manager plugin on your local computer and use a port forwarding session to connect to your instance in AWS
Step 1: Connect to your instance using RDP to install SSM Agent (initially)
RDP into the instance by highlighting the instance and clicking on Connect
Select RDP Client
Download the Remote Desktop File and use the Key File that you used to create the instance to get the password
Click on the Remote Desktop File and use the password to login to the remote instance
After logging in, open PowerShell and paste in the following commands, one at a time
Here, we download the AmazonSSMAgent installer to the instance, run it silently, remove the installer, and restart the agent service
Command #1 [Download the SSM Agent installer to the desktop]:
Invoke-WebRequest `
https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/windows_amd64/AmazonSSMAgentSetup.exe `
-OutFile $env:USERPROFILE\Desktop\SSMAgent_latest.exe

Command #2 [Run the installer silently; -Wait keeps PowerShell from moving on before the install has finished]:
Start-Process `
-FilePath $env:USERPROFILE\Desktop\SSMAgent_latest.exe `
-ArgumentList "/S" -Wait

Command #3 [Remove the installer]:
rm -Force $env:USERPROFILE\Desktop\SSMAgent_latest.exe

Command #4 [Restart the agent service so it picks up the new install and registers with Systems Manager]:
Restart-Service AmazonSSMAgent
Step 2: Attach a role to the instance
Click on your instance -> Actions -> Security -> Modify IAM Role
Choose the AWS managed role “AmazonSSMRoleForInstancesQuickSetup” and click on Save
To verify that you have everything set up correctly to connect using Session Manager:
Head to AWS Systems Manager Service -> Session Manager -> Click on Start Session
If your instance shows up here, you are ready to gain shell access to an instance using Session Manager
This is what it looks like when a session is started
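The same check can be made from the AWS CLI on your local computer. The following is an added example, not part of the original walkthrough: it reports which instance profile is attached and whether the SSM Agent on the instance has registered with Systems Manager, which is the condition for it to show up in the Start Session list. The <instance-id> and <region> values are placeholders, and Test-SsmManagedInstance is a helper name chosen here.

```powershell
# Added example, not from the original walkthrough. Requires the AWS CLI configured locally.
# <instance-id> and <region> are placeholders for your own values.
function Test-SsmManagedInstance {
    param(
        [Parameter(Mandatory = $true)][string]$InstanceId,
        [Parameter(Mandatory = $true)][string]$Region
    )

    # Which instance profile (role) is attached? Without a role that grants the SSM
    # permissions (AmazonSSMRoleForInstancesQuickSetup in this walkthrough), the agent cannot register.
    $profileArn = aws ec2 describe-instances --instance-ids $InstanceId --region $Region `
        --query 'Reservations[0].Instances[0].IamInstanceProfile.Arn' --output text
    Write-Host "Instance profile: $profileArn"

    # Has the agent on the instance checked in with Systems Manager?
    $json = aws ssm describe-instance-information --region $Region `
        --filters "Key=InstanceIds,Values=$InstanceId" --output json
    $info = (($json -join "`n") | ConvertFrom-Json).InstanceInformationList
    if (-not $info) {
        Write-Warning "$InstanceId is not registered with SSM: check the AmazonSSMAgent service and the attached role."
        return $false
    }

    $info | Select-Object InstanceId, PingStatus, AgentVersion, PlatformName, LastPingDateTime |
        Format-List | Out-Host
    # Session Manager only lists instances whose PingStatus is Online
    return ($info[0].PingStatus -eq 'Online')
}

Test-SsmManagedInstance -InstanceId '<instance-id>' -Region '<region>'
```

If the profile prints as None or the instance is missing from the list, the usual causes are the role not being attached, the agent service not running, or the instance having no route to the Systems Manager endpoints.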
Step 3: Add a user to RDP group inside the windows instance
In your Session Manager session on the Windows instance, add a user to the Remote Desktop Users group
Copy and paste the commands into the session, one at a time
Command #1 [Set a password to be stored in a variable]:
$Password = Read-Host -AsSecureString

Command #2 [Use the stored password to create a user with username "Sai"]:
New-LocalUser "Sai" -Password $Password

Command #3 [Add user "Sai" to the Remote Desktop Users group]:
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "Sai"
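The three commands above can also be run as one script pasted into the Session Manager shell. The following is an added example, not the walkthrough's own commands: it skips creation if the user already exists, and then verifies that the account ended up in Remote Desktop Users and not in Administrators, which is the least-privilege outcome you want for an account whose only job is to log on over RDP. "Sai" is the username the walkthrough uses.

```powershell
# Added example, not from the original walkthrough. Run inside the Session Manager PowerShell session.
# "Sai" is the username used in the walkthrough; change it to suit.
$UserName = "Sai"

# Prompt for the password so it never appears in the session transcript or command history.
$Password = Read-Host -Prompt "Password for $UserName" -AsSecureString

if (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue) {
    Write-Host "$UserName already exists, skipping creation."
} else {
    New-LocalUser -Name $UserName -Password $Password -Description "RDP-only account via Session Manager" | Out-Null
}

# Membership in Remote Desktop Users is all the account needs to log on over RDP.
if (-not (Get-LocalGroupMember -Group "Remote Desktop Users" -Member $UserName -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group "Remote Desktop Users" -Member $UserName
}

# Verify the result: in Remote Desktop Users, and not in Administrators.
$inRdp   = Get-LocalGroupMember -Group "Remote Desktop Users" | Where-Object { $_.Name -like "*\$UserName" }
$inAdmin = Get-LocalGroupMember -Group "Administrators"       | Where-Object { $_.Name -like "*\$UserName" }
if (-not $inRdp) { Write-Warning "$UserName is not in Remote Desktop Users; the RDP logon will be refused." }
if ($inAdmin)    { Write-Warning "$UserName is in Administrators; an RDP-only account should not be." }
if ($inRdp -and -not $inAdmin) { Write-Host "$UserName is ready: Remote Desktop Users only." }
```

Get-LocalGroupMember reports names as COMPUTERNAME\User, which is why the match uses a wildcard prefix.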
Step 4: Start a port forwarding session to connect using RDP without the port being open to the EC2
Open PowerShell on your local computer
- Download the Session Manager Plugin on your local computer, and run the application
https://s3.amazonaws.com/session-manager-downloads/plugin/latest/windows/SessionManagerPluginSetup.exe
- Verify in a new PowerShell window that the Session Manager plugin is installed successfully by typing in “session-manager-plugin”
- Start the port forwarding session using the following command. Replace <instance-id> with the ID of the remote instance in AWS and <region> with the region the instance resides in.
aws ssm start-session --target <instance-id> --document-name AWS-StartPortForwardingSession --parameters "localPortNumber=54231,portNumber=3389" --region <region>
If everything goes well, a connection should be open
Open Remote Desktop Connection application on your local computer
Expand the options inside the RDC application and fill in the following information:
- Computer: localhost:54231 (the local port defined in the previous command)
- User Name: Sai (the user created previously through Session Manager)
Click on Connect, and type in the password for your user
You should now be able to connect without the RDP port being open to the instance. Remove the RDP rule from the security group and try connecting again.
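Steps 4's manual clicks can be tied together in one local PowerShell script. The following is an added example, not part of the original walkthrough: it checks that the plugin is on PATH, starts the same AWS-StartPortForwardingSession tunnel as a background job, waits for the local listener before launching the Remote Desktop client, and then audits the instance's security groups to confirm that no inbound rule for TCP 3389 is left once you have removed it. The <instance-id> and <region> values are placeholders, and Get-Open3389Rules is a helper name chosen here.

```powershell
# Added example, not from the original walkthrough. Run in PowerShell on your local computer
# with the AWS CLI and session-manager-plugin installed. <instance-id> and <region> are placeholders.
$InstanceId = "<instance-id>"
$Region     = "<region>"
$LocalPort  = 54231   # the same local port the walkthrough uses

# 1. The plugin must be on PATH, or "aws ssm start-session" fails immediately.
if (-not (Get-Command session-manager-plugin -ErrorAction SilentlyContinue)) {
    throw "session-manager-plugin not found; install it and open a new PowerShell window."
}

# 2. Run the port-forwarding session as a background job so this window stays usable.
$tunnel = Start-Job -ScriptBlock {
    param($Id, $Port, $Reg)
    aws ssm start-session --target $Id --region $Reg `
        --document-name AWS-StartPortForwardingSession `
        --parameters "localPortNumber=$Port,portNumber=3389"
} -ArgumentList $InstanceId, $LocalPort, $Region

# 3. Wait (up to 30 s) for the plugin to listen on the local port, then open the RDP client against it.
$listening = $false
for ($i = 0; $i -lt 30 -and -not $listening; $i++) {
    Start-Sleep -Seconds 1
    $listening = [bool](Get-NetTCPConnection -LocalPort $LocalPort -State Listen -ErrorAction SilentlyContinue)
}
if (-not $listening) {
    Receive-Job $tunnel            # show whatever the CLI printed (permission errors, offline instance, ...)
    Stop-Job $tunnel; Remove-Job $tunnel
    throw "No listener on localhost:$LocalPort after 30 s."
}
Start-Process mstsc.exe -ArgumentList "/v:localhost:$LocalPort"
# When you are done: Stop-Job $tunnel; Remove-Job $tunnel

# 4. Audit: after removing the RDP rule, confirm no security group on the instance still allows inbound 3389.
function Get-Open3389Rules {
    param([string]$InstanceId, [string]$Region)
    $sgIds = (aws ec2 describe-instances --instance-ids $InstanceId --region $Region `
        --query 'Reservations[0].Instances[0].SecurityGroups[].GroupId' --output text) -split '\s+'
    $json = aws ec2 describe-security-groups --group-ids $sgIds --region $Region --output json
    $sgs  = (($json -join "`n") | ConvertFrom-Json).SecurityGroups
    foreach ($sg in $sgs) {
        foreach ($perm in $sg.IpPermissions) {
            # "-1" means all protocols and ports; otherwise the tcp range must span 3389.
            $covers3389 = ($perm.IpProtocol -eq '-1') -or
                          ($perm.IpProtocol -eq 'tcp' -and $perm.FromPort -le 3389 -and $perm.ToPort -ge 3389)
            if (-not $covers3389) { continue }
            foreach ($r in $perm.IpRanges)   { [pscustomobject]@{ GroupId = $sg.GroupId; Source = $r.CidrIp } }
            foreach ($r in $perm.Ipv6Ranges) { [pscustomobject]@{ GroupId = $sg.GroupId; Source = $r.CidrIpv6 } }
        }
    }
}
$open = Get-Open3389Rules -InstanceId $InstanceId -Region $Region
if ($open) { Write-Warning "TCP 3389 is still allowed inbound from:"; $open | Format-Table | Out-Host }
else       { Write-Host "No inbound rule for TCP 3389 remains on the instance's security groups; RDP now only works through the tunnel." }
```

The audit deliberately treats an all-traffic (-1) rule and any TCP range spanning 3389 as open, so a broad "all ports from 0.0.0.0/0" rule is flagged even though it never mentions 3389 by name.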
Helpful Articles
- https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-ssm-win.html
- https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-launch-managed-instance.html
- https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html
- https://www.youtube.com/watch?v=nt6NTWQ-h6o&ab_channel=AmazonWebServices