Using AWS Session Manager to connect to Windows Instance without an RDP port

Sai Dilip
Published in Sai Ops
4 min read · Jan 1, 2022

Overview

  • Session Manager is a capability of AWS Systems Manager: an interactive shell that gives more controlled and secure access to Windows and Linux instances without opening inbound ports (RDP or SSH) in the security group. Sessions are started from the console or the AWS CLI and authorized by IAM; the agent on the instance holds an outbound connection to Systems Manager, so the instance needs no reachable listener.

Goal of this Document

  • Gain exposure to Systems Manager (SSM) and learn the steps to access an instance without an open inbound port in its security group.

Requirements

This walk-through assumes that you have the following setup already:

  • A Windows instance running in a public subnet with the RDP port (TCP 3389) open in its security group (initially, only to install the agent)
  • AWS CLI configured on your local computer (Windows OS)

Summary of the walkthrough

  • Install (or update) SSM Agent inside your EC2 Windows instance
  • Attach an IAM role to the instance that grants the agent permission to register with Systems Manager
  • Open a Session Manager shell on the Windows instance and add a new local user to the Remote Desktop Users group
  • Install the Session Manager plugin on your local computer and use a port-forwarding session to connect to the instance over RDP

Step 1: Connect to your instance using RDP to install SSM Agent (initially)

RDP into the instance by selecting it in the EC2 console and clicking Connect

Select RDP Client

Download the Remote Desktop File and use the private key of the key pair you launched the instance with to decrypt the administrator password

Click on the Remote Desktop File and use the password to login to the remote instance

After logging in, open PowerShell as Administrator and paste the following commands

Here, we download the latest AmazonSSMAgent installer, run it silently, remove the installer, and restart the agent service so it registers with Systems Manager. AWS-provided Windows Server AMIs ship with SSM Agent preinstalled, so on those the commands simply update it to the latest version

```powershell
# Command #1: download the latest SSM Agent installer to the desktop
Invoke-WebRequest `
  https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/windows_amd64/AmazonSSMAgentSetup.exe `
  -OutFile $env:USERPROFILE\Desktop\SSMAgent_latest.exe
# Command #2: run the installer silently; -Wait so the next command does not
# delete the installer while it is still running
Start-Process `
  -FilePath $env:USERPROFILE\Desktop\SSMAgent_latest.exe `
  -ArgumentList "/S" -Wait
# Command #3: remove the installer
rm -Force $env:USERPROFILE\Desktop\SSMAgent_latest.exe
# Command #4: restart the agent service so it picks up the new version
Restart-Service AmazonSSMAgent
```

Step 2: Attach a role to the instance

Click on your instance -> Actions -> Security -> Modify IAM Role

Choose a role that trusts ec2.amazonaws.com and carries the AmazonSSMManagedInstanceCore managed policy, such as “AmazonSSMRoleForInstancesQuickSetup” (present if Systems Manager Quick Setup has been run in the account), and click Save. That policy grants only what the agent needs to register and accept sessions and commands; avoid attaching broader policies such as AmazonSSMFullAccess to the instance

To verify that you have everything set up correctly to connect using Session Manager:

Head to AWS Systems Manager Service -> Session Manager -> Click on Start Session

If your instance appears in the list of target instances, you are ready to open a shell on it through Session Manager. Registration can take a minute or two after the role is attached; if the instance does not appear, restart the AmazonSSMAgent service on the instance and confirm it can reach the Systems Manager endpoints over HTTPS (443), for example through an internet gateway, NAT gateway or VPC endpoints

This is what it looks like when a session is started
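The readiness checks in this step can be scripted from the local computer rather than eyeballed in the console. The following PowerShell is an added example, not code from the original post; it assumes the AWS CLI is configured with permission for ec2:DescribeInstances and ssm:DescribeInstanceInformation, and the instance ID and region are placeholders to replace.

```powershell
# Added example, not from the original post. Placeholders: replace before use.
$InstanceId = "i-0123456789abcdef0"   # placeholder instance ID
$Region     = "us-east-1"             # placeholder region

# 1. Is an IAM instance profile attached? Without one the agent has no credentials
#    to register with Systems Manager and the instance never appears in Session Manager.
$profileArn = aws ec2 describe-instances --region $Region --instance-ids $InstanceId `
    --query "Reservations[0].Instances[0].IamInstanceProfile.Arn" --output text
if (-not $profileArn -or $profileArn -eq "None") {
    throw "No instance profile on $InstanceId; attach a role that has AmazonSSMManagedInstanceCore."
}
Write-Host "Instance profile: $profileArn"

# 2. Has the agent registered, and is it reachable? PingStatus must be Online.
$info = aws ssm describe-instance-information --region $Region `
    --filters "Key=InstanceIds,Values=$InstanceId" --output json | Out-String | ConvertFrom-Json
$node = @($info.InstanceInformationList) | Select-Object -First 1
if (-not $node) {
    throw "$InstanceId is not registered with Systems Manager: agent not running, role missing, or no outbound HTTPS path to the ssm, ssmmessages and ec2messages endpoints."
}
Write-Host ("Agent {0} on {1}: PingStatus={2}, last ping {3}" -f $node.AgentVersion, $node.PlatformName, $node.PingStatus, $node.LastPingDateTime)
if ($node.PingStatus -ne "Online") {
    throw "Instance is registered but $($node.PingStatus); restart the AmazonSSMAgent service on the instance and retry."
}

# 3. Local prerequisite for the port-forwarding step: the plugin must be on PATH.
if (-not (Get-Command session-manager-plugin -ErrorAction SilentlyContinue)) {
    Write-Warning "session-manager-plugin not found on PATH; port forwarding will fail until it is installed."
}
```

The three checks fail in the order a practitioner would debug them: no role means the agent cannot obtain credentials, a missing registration means the agent or the network path is broken, and a registered but not Online node usually means the agent service has stopped since it last checked in.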

Step 3: Add a user to the Remote Desktop Users group inside the Windows instance

In your Session Manager session (a PowerShell prompt on the instance), create a local user and add it to the Remote Desktop Users group

Copy and paste the commands into the session

```powershell
# Command #1: read a password interactively and store it as a SecureString
$Password = Read-Host -AsSecureString
# Command #2: use the stored password to create a local user named "Sai"
New-LocalUser "Sai" -Password $Password
# Command #3: add user "Sai" to the Remote Desktop Users group
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "Sai"
```

Step 4: Start a port forwarding session to connect using RDP without the port being open to the EC2

Open PowerShell on your local computer

  • Download the Session Manager plugin on your local computer and run the installer:
https://s3.amazonaws.com/session-manager-downloads/plugin/latest/windows/SessionManagerPluginSetup.exe
  • Verify in a new PowerShell window that the plugin is installed by running session-manager-plugin; it should report that the plugin was installed successfully
  • Start the port-forwarding session with the following command. Replace <instance-id> with the ID of the remote instance and <region> with the region it runs in. The plugin listens on the local port (54231 here) and forwards it to port 3389 on the instance over the SSM channel, so no inbound rule is needed.

```powershell
aws ssm start-session --target <instance-id> --document-name AWS-StartPortForwardingSession --parameters "localPortNumber=54231,portNumber=3389" --region <region>
```

If everything goes well, a connection should be open

Open Remote Desktop Connection application on your local computer

Expand the options inside the RDC application and fill in the following information:

  • Computer: localhost:54231 (the local port defined in the previous command)
  • User Name: Sai (the user created previously through Session Manager)

Click on Connect, and type in the password for your user

You should now be able to connect without the RDP port being open. Remove the inbound 3389 rule from the security group and connect again through the tunnel: the plugin listens only on loopback, and the session itself is authorized by IAM and carried over the agent's outbound connection to Systems Manager, so the instance has no inbound exposure.
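Putting Step 4 together with the security-group cleanup, here is an added PowerShell script (not from the original post) that revokes any inbound rule exposing TCP/3389 on the instance's security groups, opens the port-forwarding tunnel in the background, waits for the loopback listener, launches the Remote Desktop client against it, and tears the tunnel down when the RDP window closes. It assumes AWS CLI v2 and the Session Manager plugin are installed, that the caller is allowed ec2:DescribeInstances, ec2:DescribeSecurityGroupRules, ec2:RevokeSecurityGroupIngress and ssm:StartSession, and the instance ID, region and local port are placeholders.

```powershell
# Added example, not from the original post. Placeholders: replace before use.
$InstanceId = "i-0123456789abcdef0"   # placeholder instance ID
$Region     = "us-east-1"             # placeholder region
$LocalPort  = 54231                   # loopback port the plugin will listen on

# 1. Revoke every inbound rule that exposes TCP/3389 (or all traffic) on the
#    instance's security groups, by rule ID so no CIDR has to be guessed.
$sgIds = aws ec2 describe-instances --region $Region --instance-ids $InstanceId `
    --query "Reservations[0].Instances[0].SecurityGroups[].GroupId" --output json | Out-String | ConvertFrom-Json
foreach ($sg in $sgIds) {
    $rules = aws ec2 describe-security-group-rules --region $Region `
        --filters "Name=group-id,Values=$sg" --output json | Out-String | ConvertFrom-Json
    $rdpRules = $rules.SecurityGroupRules | Where-Object {
        -not $_.IsEgress -and (
            $_.IpProtocol -eq "-1" -or
            ($_.IpProtocol -eq "tcp" -and $_.FromPort -le 3389 -and $_.ToPort -ge 3389)
        )
    }
    foreach ($r in $rdpRules) {
        Write-Host "Revoking $($r.SecurityGroupRuleId) ($($r.IpProtocol) $($r.FromPort)-$($r.ToPort)) from $sg"
        aws ec2 revoke-security-group-ingress --region $Region --group-id $sg `
            --security-group-rule-ids $r.SecurityGroupRuleId | Out-Null
    }
}

# 2. Start the port-forwarding session in its own (minimized) console window.
#    The plugin listens on 127.0.0.1:$LocalPort only; the security group stays closed.
$session = Start-Process -FilePath "aws" -PassThru -WindowStyle Minimized -ArgumentList @(
    "ssm", "start-session", "--region", $Region, "--target", $InstanceId,
    "--document-name", "AWS-StartPortForwardingSession",
    "--parameters", "localPortNumber=$LocalPort,portNumber=3389"
)

# 3. Wait (up to 30 s) for the local listener before launching RDP.
$deadline = (Get-Date).AddSeconds(30)
do {
    Start-Sleep -Seconds 1
    $up = Test-NetConnection -ComputerName 127.0.0.1 -Port $LocalPort `
        -InformationLevel Quiet -WarningAction SilentlyContinue
} until ($up -or $session.HasExited -or (Get-Date) -gt $deadline)
if (-not $up) { throw "Tunnel to $InstanceId did not come up; re-check the Step 2 prerequisites." }

# 4. Connect with the Remote Desktop client through the tunnel; -Wait keeps the
#    tunnel alive until the RDP window is closed.
Start-Process -FilePath "mstsc.exe" -ArgumentList "/v:127.0.0.1:$LocalPort" -Wait

# 5. Tear down: stop the plugin child process and then the CLI. The SSM session
#    ends when the plugin exits, and the loopback port closes with it.
Get-CimInstance Win32_Process -Filter "ParentProcessId = $($session.Id)" |
    ForEach-Object { Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue }
if (-not $session.HasExited) { Stop-Process -Id $session.Id -Force }
```

The rule filter treats an all-traffic rule (IpProtocol -1) as exposing 3389 too, since it does. The teardown stops the plugin child explicitly because stopping aws.exe alone can leave session-manager-plugin.exe running with the local port still open.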
