In this blog post , We will learn how to Securely Access Windows EC2 Instances using Session manager.

What is Session Manager?

Session Manager is a fully managed AWS Systems manager capability which will help us to manage EC2 instances through an interactive one-click browser-based shell.

Using Session Manager we can start a session with an instance in the AWS account.

Once the session is started , We can run powershell commands as usual.

It provides secure and auditable instance management without the need to open inbound ports , maintain bastion hosts or SSH keys.

Note: No need to allow port 3389 in the Security group

Supported Operating Systems

Session Manager supports most of the Linux operating systems.

Session manager supports Windows Server 2008 R2 – Windows Server 2019.

Prerequisites

Before connecting to Windows EC2 instances using Session Manager we need to complete the below steps.

  • Amazon SSM agent should be installed on the Windows EC2 Instances.
  • Create an IAM Role with the required permissions
  • Attach IAM Role with the Instance
  • Connect to Instance using Session Manager

Creating IAM Role

The EC2 instances should have necessary permission in order to connect to Windows instances using Systems Manager Session manager.

Lets go ahead and create an IAM Role.

Login to IAM console. In the navigation pane , Choose Roles

Session Manager

Click Create role ,

For Select type of trusted entity , Choose AWS service

Session Manager

For Choose a use case , Select EC2 and click Next: Permissions

Session Manager

Search for core and then choose AmazonSSMManagedInstanceCore

Session Manager

Click Next: Tags , You can tag the role.

Click Next: Review , Provide a name for the IAM role and then click Create role

Session Manager

Attaching IAM Role with EC2 Instance

Once the IAM role with the required permission are created , We need to attach the IAM role with the EC2 Instances.

Login to EC2 management console.

In the navigation pane , Choose Instances

Select the instance , Under Actions , Hover to Instance Settings and then select Attach/Replace IAM Role

Session Manager

For IAM role* , From the drop down , Choose the IAM role which you have created.

Session Manager

and then click Apply

Verification

We have successfully completed 2 minimum requirements such as Installing SSM agent and Attaching IAM role with EC2 Instance.

To verify this , Login to Systems Manager console.

In the navigation pane , Under Instance & Nodes , Select Session Manager

Session Manager

You will see this page , Click Start Session

Session Manager

Under Target instances , You should see the EC2 Instances listed here.

Connecting Windows Instances using Session Manager

METHOD 1:

To connect Windows EC2 Instances , Select the instance and then click Start Session

It will open a browser bases shell in the new tab.

You will be logged in as ssm-user.

Securely Access Windows EC2 Instances

If you go back to Systems manager console , You can find all the sessions created for an EC2 instance by an IAM user.

METHOD 2:

We can also connect with EC2 instance using Session Manager from EC2 management console.

Go to EC2 console , From the list of instances Select the instance.

Click Connect , For Connection method , Select Session Manager

Securely Access Windows EC2 Instances

You should not see any errors below , If the instance didnt pass 2 minimum requirements (ssm agent and IAM role) ,It shows an error.

After selecting Session Manager , You should get a response as shown below.

Securely Access Windows EC2 Instances

and click Connect.

It should open a browser based shell where you can powershell commands as usual.

This image has an empty alt attribute; its file name is Screenshot-from-2020-07-02-17-21-44.png

As the Powershell terminal wont be very comfortable working all the time , Lets go ahead and see how we can securely RDP into windows EC2 instance without allowing inbound for port 3389.

RDP into Windows Instance – Securely

Here is the typical way of creating and connecting with Windows EC2 instances using RDP. Check this article

In order to achieve secure connection with the Windows instances through RDP , We will remove inbound rules for port 3389 from the Security group of the EC2 instance.

As you can see here the security group of the Windows EC2 instance doesn’t have any ports allowed.

Securely Access Windows EC2 Instances

Now If you select the instance and click Connect , You can see that we can no longer RDP into the EC2 instance.

Securely Access Windows EC2 Instances

In this case , We will use the Session Manager’s Port forwarding features to securely connect to the Instance.

Here We have two requirements , You should install AWS CLI on the Local system you’re using and also we should install session manager plugin.

  • Also We should install Session Manager Plugin on the local system

Installing Session Manager Plugin on Ubuntu

Download the session manager plugin .deb package from he below link.

curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb" -o "session-manager-plugin.deb"

Once the package is downloaded , Run the below command to install the plugin.

sudo dpkg -i session-manager-plugin.deb

To verify whether is package is installed , run the below command.

session-manager-plugin

We should get the below response.

Securely Access Windows EC2 Instances

Installing Session Manager Plugin on Windows

Session manager plugin for windows operating systems can be downloaded from the below link.

https://s3.amazonaws.com/session-manager-downloads/plugin/latest/windows/SessionManagerPluginSetup.exe

Once the package is downloaded , Execute the .exe installer and following the installation instructions to let the plugin to be installed in the default directory.

Now We have met all the minimum requirements.

Run the below command to create tunneling.

On Ubuntu & Windows:

aws ssm start-session --target instanceid --document-name AWS-StartPortForwardingSession --parameters '{"portNumber":["3389"],"localPortNumber":["9999"]}' --region regionname

Dont forget to replace instanceid and regionname with the actual values.

You should get a response as shown below.

Securely Access Windows EC2 Instances

We have successfully established tunneling using the session maager plugin.

Lets RDP into Windows EC2 instance , Note: We havn’t allowed any ports for RDP in the security group of the instance.

For testing , I am using Remmina RDP client to connect with windows EC2 instance.

For server , You should use localhost and the localportnumber which you have used while creating tunnel.

Securely Access Windows EC2 Instances

Save and Connect , You should be successfully RDP into the Windows EC2 Instance as an Administrator.

Note: If you fail to install session manager plugin in the Local system , Then while creating tunnel , You will face the below error.

An error occurred (TargetNotConnected) when calling the StartSession operation: i-08d82319d4987773c is not connected.
Securely Access Windows EC2 Instances

Conclusion

We have successfully implemented a strategy to RDP into Windows EC2 instance in a more secure way without the need of allowing ports , SSH keys.

Hope you find it helpful.

Please do check out my other articles.