Remotely Open/Close Firewall Ports in EC2 Managed Instance using PowerShell Scripts

Suvodeep
Published in Tensult Blogs
Sep 12, 2019
https://bit.ly/2lS0Sv5

In this blog, I am going to explain how to push a PowerShell Script to your managed EC2 instance remotely.

This blog assumes you have a basic understanding of AWS EC2 instances and AWS Systems Manager. In addition, it would be nice if you would have some prior experience with PowerShell scripting.

Before we proceed, let us go over some of the basics.

What is PowerShell Script/Scripting?

Windows PowerShell is a command-line shell and scripting language designed especially for system administration. Windows PowerShell commands, called cmdlets, let you manage the computers from the command line.

Windows PowerShell providers let you access data stores, such as the Registry and Certificate Store, as easily as you access the file system.

In addition, Windows PowerShell has a rich expression parser and a fully developed scripting language. In simple terms, every task you can complete through the GUI, and much more, can be done from a script.

For AWS EC2 managed instance and YAML scripting, I will explain as we go along.

So, let us start….

Creating the PowerShell Script

In this case, we will be working with Firewall Ports and we will learn how to create and remove a rule to open and close firewall ports in a single instance.

Here we will be dealing with ports 8090 & 8091.

Steps:

1. Press the ‘WINDOWS’ key and type ‘PowerShell’; you will see several options, including ISE and the x64/x86 variants. We will be working with Windows PowerShell 64-bit.

2. Right-click on Windows PowerShell and select RUN AS ADMINISTRATOR.

You will be greeted with this window :

Windows PowerShell (Administrator)

Next, we need to write our script which we will push to our managed instance remotely.

Scripts:

To open port 8090

netsh advfirewall firewall add rule name="Open Port 8090" dir=in action=allow protocol=TCP localport=8090

To open port 8091

netsh advfirewall firewall add rule name="Open Port 8091" dir=in action=allow protocol=TCP localport=8091

To close port 8090

netsh advfirewall firewall delete rule name="Open Port 8090" protocol=tcp localport=8090

To close port 8091

netsh advfirewall firewall delete rule name="Open Port 8091" protocol=tcp localport=8091

Now that we are done with our PowerShell Scripts, let us move on to the interesting part.

We need to go to the AWS Management Console :

https://aws.amazon.com/console/

Log in, open the Services dropdown menu and type EC2 in the search bar,

OR

select EC2 from the Compute section.

1. Proceed to the left side menu and select Instances from Instance sub-menu.

2. Click Launch Instance.

Note: In our case, we are using Microsoft Windows Server 2016 Base.

3. Proceed with the subsequent steps and when you are done click LAUNCH INSTANCE.

When your instance is up and running, select your instance and click CONNECT on top.

4. Open Remote Desktop Connection and connect to your EC2 instance using its Public DNS name, username and password.

5. Once you have successfully logged into your instance, you need to install SSM Agent onto it.

To manually download and install the latest version of SSM Agent

1. Log in to your instance by using, for example, Remote Desktop or Windows PowerShell.

2. Download the latest version of SSM Agent to your instance using the URL below:

https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/windows_amd64/AmazonSSMAgentSetup.exe

3. Run the downloaded AmazonSSMAgentSetup.exe file to install SSM Agent.

4. Start or restart SSM Agent by sending the following command in PowerShell:

Restart-Service AmazonSSMAgent

Our job here is done.

Now let us move to the final phase.

Go back to the AWS console and search for SSM in the search bar.
This should lead you to the Systems Manager page.

On the left side menu, under Shared Resources, you will find Documents.

Click on Documents and select Owned By Me from the top.

This section lists any documents you have created previously.

Note: If you are following this blog, chances are you are new to this concept; in that case, follow the rest of the blog.

Now follow the steps:

1. Click Create Document.

2. Specify a NAME to your document.

3. Under Document type — select COMMAND DOCUMENT since we are going to use it with the RUN Command.

4. Next, under Content, select YAML, since we are going to follow this format in this blog.

5. Under RUN COMMAND, you need to provide the PowerShell Script that we had previously prepared.

6. Apart from the above-mentioned changes, you can make other necessary changes to your document but they are optional.

7. Next click Create document.

You will find a confirmation message for successful document creation.

Confirmation message for successful creation.

Note: You need to follow the above steps to create 4 separate documents, since we will run each one of them separately.
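As an added example, not the post's own document (the post creates four fixed documents through the console), the following PowerShell script builds one parameterised SSM command document that covers both the firewall scripts above and the document-creation steps, then registers it and runs it with the AWS Tools for PowerShell cmdlets New-SSMDocument, Send-SSMCommand and Get-SSMCommandInvocation. Everything specific to an account is assumed or constructed: the module must be installed and credentials must allow ssm:CreateDocument and ssm:SendCommand; the document name, the instance id and the 10.0.0.0/16 default CIDR are placeholders; and the instance only appears as managed once it has an instance profile granting SSM permissions (the AmazonSSMManagedInstanceCore managed policy). The rule is scoped with -RemoteAddress because the netsh commands above admit inbound traffic from any source.

```powershell
# Added example (not from the original post). Requires AWS Tools for PowerShell
# (AWS.Tools.SimpleSystemsManagement) on the workstation you run this from.
# Document name, instance id and default CIDR are constructed placeholders.

$documentName = 'Example-ManageFirewallPort'

# Document content in YAML, as the console's Content > YAML step expects.
# schemaVersion 2.2 with aws:runPowerShellScript is the Run Command shape.
# {{ Port }}, {{ Action }} and {{ RemoteAddress }} are substituted by SSM
# before the script reaches the instance.
$documentContent = @'
schemaVersion: '2.2'
description: Open or close one inbound TCP port in Windows Defender Firewall (example document).
parameters:
  Port:
    type: String
    description: TCP port to open or close.
    allowedPattern: '^[0-9]{1,5}$'
  Action:
    type: String
    description: Whether to add (open) or remove (close) the rule.
    allowedValues:
      - open
      - close
  RemoteAddress:
    type: String
    description: Source CIDR the rule accepts traffic from; the default is a placeholder.
    default: 10.0.0.0/16
mainSteps:
  - action: aws:runPowerShellScript
    name: manageFirewallPort
    inputs:
      runCommand:
        - |
          $ErrorActionPreference = 'Stop'
          $port = [int]'{{ Port }}'
          $name = "Open Port $port"
          # Look up the rule first so repeated runs are idempotent.
          $existing = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
          if ('{{ Action }}' -eq 'open') {
            if ($existing) {
              Write-Output "Rule '$name' already exists; nothing changed"
            } else {
              New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
                -Protocol TCP -LocalPort $port -RemoteAddress '{{ RemoteAddress }}' | Out-Null
              Write-Output "Opened TCP $port for {{ RemoteAddress }}"
            }
          } else {
            if ($existing) {
              Remove-NetFirewallRule -DisplayName $name
              Write-Output "Closed TCP $port"
            } else {
              Write-Output "Rule '$name' not present; nothing changed"
            }
          }
          # Report what is now in effect so the Run Command output doubles as the check.
          Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue |
            Get-NetFirewallPortFilter | Format-List Protocol, LocalPort
'@

# Register the document once; DocumentFormat YAML matches the console choice above.
New-SSMDocument -Name $documentName -Content $documentContent `
    -DocumentType Command -DocumentFormat YAML | Out-Null

# Run it against one managed instance (placeholder id), opening port 8090.
# Use Action = 'close' with the same Port to remove the rule again.
$cmd = Send-SSMCommand -DocumentName $documentName -InstanceId 'i-0123456789abcdef0' `
    -Parameter @{ Port = '8090'; Action = 'open' }

# Poll until the invocation finishes, then print the script's output.
do {
    Start-Sleep -Seconds 5
    $inv = Get-SSMCommandInvocation -CommandId $cmd.CommandId -Detail $true
} while ($inv.Status -in 'Pending', 'InProgress')

$inv.CommandPlugins | ForEach-Object { "$($_.Status): $($_.Output)" }
```

Run this from a workstation with AWS credentials, not on the instance. Because the script ends by listing the port filter of the rule it touched, the invocation output already shows whether the inbound rule exists, so the result can be verified without an RDP session; the same two cmdlets run locally on the instance give the view that the Inbound Rules screen shows.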

Next, visit Instances & Nodes on the left side Menu and select RUN command.

Run Command

Click once in the search bar and you will see some options, as shown below:

Run command: Owner

Select Owner and then select owned by me:

Owner: Owned by me

Your document should be listed below.

Select your document and scroll down to choose your instance.

You can select your instance either by:

· Using tags that you might have mentioned while creating your instance, or

· Manually selecting your resources.

If you choose manual selection, the running instances are listed; select your instance and proceed.

Under Output Options, you can disable ‘Enable writing to an S3 bucket’.

Click RUN.

Congratulations! You just ran your first PowerShell Script remotely using SSM Document in your managed EC2 Windows Server 2016 instance.

To verify, log in to your running instance and open Windows Firewall:

Windows Firewall > Advanced Settings > Inbound Rules

Windows Defender Firewall

Voila!

Conclusion

So that’s how we can automate opening/closing ports using AWS SSM documents for Windows Instances. Hope this blog helps you with your work and if you have any doubts, feel free to post them in the comments section below and I will get back to you.
