Step-by-Step Guide: Connect to Windows EC2 Instances with Maximum Security & Minimal Hassle

Introduction

If you work with Windows in AWS, you must already have a preferred way of connecting to your instances. Whether you launch all your instances in public subnets & RDP to their public IPs, or simply prefer PowerShell over RDP, this article will show you how to use AWS Systems Manager to securely connect to your Windows EC2 instances, without making them public on the internet or even opening up the RDP port in your firewalls.

If you’re already using Systems Manager, stay tuned until the end to see how to use a Systems Manager capability to use any desktop RDP client of your choice with your Windows EC2 instances, instead of always relying on the in-browser RDP/PowerShell experience!

AWS Systems Manager for Windows

AWS Systems Manager for Windows is a tool that lets IT administrators manage and automate Windows Server instances both in the AWS cloud and in on-premises environments. It provides a unified interface for tasks such as patching, configuration, and maintenance of Windows instances, so administrators can manage large-scale Windows deployments and maintain compliance with security policies while reducing operational overhead and cost. Because it supports hybrid environments, both AWS resources and on-premises infrastructure can be managed from a single console, which makes it a core service for any enterprise IT team running Windows.

Why Use SSM?

Security is one of the biggest reasons to use SSM with Windows. With SSM, your Windows EC2 instances can stay in private subnets & don’t need RDP ports open in their firewalls.

This article focuses on SSM-based ways to connect to Windows. Without SSM, you would:

  • Either launch all your Windows EC2 instances in public subnets & RDP to their public IPs directly.
  • Or launch instances in private subnets & use a bastion host to connect to them.

With SSM, all you need is the latest SSM agent installed on your machines & a few other prerequisites satisfied like an instance profile (IAM role) with SSM permissions. You can then use any of the following techniques to connect to your instances.

Connect to PowerShell

If all you need is a PowerShell prompt on the target instance, follow this procedure.

Open the instance in the AWS console & click Connect:

This opens up a PowerShell session running as the “ssm-user” account.

RDP Connection via Browser

To open an RDP connection to the instance in your browser, follow this procedure.

Open the instance in the AWS console & click Connect:

Switch to the “RDP client” tab & use Fleet Manager:

Use either user credentials or key pair to connect:

After connecting, use the Fullscreen button to go fullscreen:

Use Actions menu > Renew session when you’re close to the session timeout.

RDP from Desktop RDP Client

To connect to an RDP session using a desktop RDP client, follow this procedure on your laptop. Replace INSTANCE-ID with the ID of the target instance; the command forwards the instance's RDP port (3389) to port 33389 on your laptop:

aws ssm start-session --target INSTANCE-ID \
    --document-name AWS-StartPortForwardingSession \
    --parameters "portNumber=3389,localPortNumber=33389"
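As an added example (not from the original post), a small shell wrapper around the command above: it validates the instance ID and local port, uses describe-instance-information to confirm that SSM reports the instance as Online (i.e. the agent is running and the IAM role works) before trying to connect, and only then starts the forwarding session. The function names are my own; it assumes the AWS CLI and the Session Manager plugin are installed and credentials are configured.

```shell
#!/bin/sh
# Added example: wrapper around AWS-StartPortForwardingSession for RDP.
# Assumes: aws CLI + Session Manager plugin installed, credentials configured.

# EC2 instance IDs are "i-" followed by 8 or 17 lowercase hex characters.
valid_instance_id() {
  printf '%s' "$1" | grep -Eq '^i-[0-9a-f]{8}([0-9a-f]{9})?$'
}

# The local port must be an unprivileged TCP port (1024-65535).
valid_local_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Print the exact argument list handed to "aws", so it can be logged or
# inspected before anything is run. Remote port is always RDP (3389).
forward_args() {
  printf 'ssm start-session --target %s --document-name AWS-StartPortForwardingSession --parameters portNumber=3389,localPortNumber=%s' "$1" "$2"
}

# Ask SSM whether the instance is registered and reachable; prints the
# PingStatus ("Online", "ConnectionLost", "Inactive") or "None" if unknown.
ssm_ping_status() {
  aws ssm describe-instance-information \
    --filters "Key=InstanceIds,Values=$1" \
    --query 'InstanceInformationList[0].PingStatus' --output text
}

# Usage: ssm_rdp_forward i-0123456789abcdef0 33389
# then point your RDP client at localhost:33389.
ssm_rdp_forward() {
  valid_instance_id "$1" || { echo "bad instance id: $1" >&2; return 2; }
  valid_local_port "$2"  || { echo "bad local port: $2" >&2; return 2; }
  status=$(ssm_ping_status "$1")
  if [ "$status" != "Online" ]; then
    echo "$1 is not Online in SSM (status: $status); check agent + IAM role" >&2
    return 3
  fi
  # Split the prepared argument line into positional parameters (no spaces
  # inside any single argument, so default IFS splitting is safe).
  set -- $(forward_args "$1" "$2")
  aws "$@"
}
```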

Connect to the forwarded port using the RDP client:

Conclusion

And there you have it! I hope you learned something new today: new ways to manage Windows instances while still maintaining secure connectivity. By the way, the Fleet Manager & Port Forwarding techniques described above also work with any Active Directory (domain) user that has RDP permissions on the target instances, so you’re not limited to local (Administrator) users.

Resources

AWS Systems Manager Fleet Manager

Enable RDP Through Session Manager

About the Author ✍🏻

Harish KM is a Principal DevOps Engineer at QloudX & a top-ranked AWS Ambassador since 2020. 👨🏻‍💻

With over a decade of industry experience as everything from a full-stack engineer to a cloud architect, Harish has built many world-class solutions for clients around the world! 👷🏻‍♂️

With over 20 certifications in cloud (AWS, Azure, GCP), containers (Kubernetes, Docker) & DevOps (Terraform, Ansible, Jenkins), Harish is an expert in a multitude of technologies. 📚

These days, his focus is on the fascinating world of DevOps & how it can transform the way we do things! 🚀
