A Guide to Securely Access Windows Instance GUI in Private Subnet with AWS Session Manager

Introduction

Securing and streamlining remote access to instances in today’s dynamic cloud computing environment is paramount.

One tool that stands out in achieving this goal is AWS Session Manager, a powerful feature within AWS Systems Manager. This innovative solution redefines how you connect to your Windows and Linux instances in the cloud, ensuring enhanced security and unmatched convenience.

In this comprehensive guide, we will explore the world of AWS Session Manager, specifically focusing on its application to Windows instances residing in private subnets. This approach takes the concept of secure instance access to a new level.

Prerequisites

To proceed with this guide, it is assumed that you have the following prerequisites in place:

  • A Windows instance is running in the private subnet.
  • The SSM agent is already installed on your Windows instance. If it is not installed, follow this link for instructions on installing the SSM agent.
  • AWS CLI is configured on your local computer.
  • The AWS Session Manager plugin is installed on your local computer.

Step-by-Step Guide

Step 1:  Setting Up Permissions for SSM Access Role

  • Begin by creating an AWS IAM role specifically for the AWS Systems Manager.

  • In the ‘Trusted entity type’ section, choose ‘AWS service.’
  • In the ‘Service or use case’ section, select ‘EC2’ and proceed to the next step.
  • In the ‘Add permissions’ tab, select the ‘AmazonSSMManagedInstanceCore’ policy and proceed to the next step.

  • Provide a descriptive name for the role and finalize the creation by clicking on ‘Create Role.’

Step 2:  Associating the AWS IAM Role with Your Amazon EC2 Instance

  • Navigate to the Amazon EC2 instance dashboard and locate the specific instance you want to associate with the AWS IAM role.
  • Click on the ‘Actions’ button and choose ‘Security,’ followed by ‘Modify IAM Role.’

  • Select the role you previously created for AWS Systems Manager and proceed to update the AWS IAM role for the instance.

Step 3:  Creating a Custom Windows User

Note: If you want to access your Windows instance with the default Administrator user and password, skip this section.

  • Access the AWS Systems Manager Service.
  • Navigate to the Session Manager section.
  • Click on “Start Session.”
  • Verify that your instance is listed in the Session Manager interface.

  • When your instance appears in the Session Manager, you can proceed and gain shell access using Session Manager.
  • Create a custom user in Windows using PowerShell.
  • Set a password to be stored in a variable. After entering the below command, type your password.
  • Use the stored password to create a user with the username “Custom”
  • Add the user “Custom” to the Remote Desktop Users group
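
The user-creation steps above, written out as an added PowerShell example (not the original post's commands). It assumes the built-in LocalAccounts cmdlets are available on the instance; the description text and the Administrators check are additions for illustration.

```powershell
# Run inside the Session Manager PowerShell session on the Windows instance.
$UserName = "Custom"                      # username used in this guide
$RdpGroup = "Remote Desktop Users"

# Prompt for the password; it is held as a SecureString and is not echoed.
$Password = Read-Host -AsSecureString -Prompt "Password for $UserName"

# Create the local account only if it does not exist yet.
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $UserName -Password $Password `
        -Description "RDP via SSM port forwarding" | Out-Null
}

# Grant RDP logon rights through group membership, not administrator rights.
$rdpMembers = Get-LocalGroupMember -Group $RdpGroup -ErrorAction SilentlyContinue
if (-not ($rdpMembers.Name -like "*\$UserName")) {
    Add-LocalGroupMember -Group $RdpGroup -Member $UserName
}

# Verify the result: account enabled, in the RDP group, not a local admin.
$account   = Get-LocalUser -Name $UserName
$inRdp     = [bool]((Get-LocalGroupMember -Group $RdpGroup).Name -like "*\$UserName")
$inAdmins  = [bool]((Get-LocalGroupMember -Group "Administrators").Name -like "*\$UserName")

[pscustomobject]@{
    User            = $account.Name
    Enabled         = $account.Enabled
    InRdpGroup      = $inRdp
    InAdministrators = $inAdmins      # expected: False
}
```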

Step 4: Secure Windows GUI Access: No RDP Port

To establish the port forwarding session and access your Windows GUI securely, follow these steps:

  • Open the Command Prompt and follow the steps.
  • Initiate the port forwarding session with the following command. Replace <instance-id> with the remote instance’s ID in AWS and <region> with the region where the instance resides:
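
An added example of the port forwarding step (not the original post's command), written for PowerShell; the single `aws ssm start-session` command can also be typed into Command Prompt with literal values. It assumes RDP listens on its default port 3389 on the instance and uses local port 54231, the port this guide connects to; the instance ID and region are placeholders.

```powershell
# Run on your local computer (AWS CLI and Session Manager plugin installed).
$InstanceId = "<instance-id>"   # placeholder: the remote instance's ID
$Region     = "<region>"        # placeholder: region where the instance resides
$LocalPort  = 54231             # local port used later in Remote Desktop Connection
$RdpPort    = 3389              # assumption: default RDP port on the instance

# Confirm the SSM agent on the instance is reachable before opening the tunnel.
$ping = aws ssm describe-instance-information --region $Region `
    --filters "Key=InstanceIds,Values=$InstanceId" `
    --query "InstanceInformationList[0].PingStatus" --output text

if ($ping -ne "Online") {
    throw "Instance $InstanceId is not reporting to Systems Manager (PingStatus: $ping). " +
          "Check the IAM role from Step 1 and the SSM agent."
}

# Open the tunnel: localhost:$LocalPort -> instance:$RdpPort over Session Manager.
# The parameter list is quoted so PowerShell passes it as a single argument.
aws ssm start-session --region $Region --target $InstanceId `
    --document-name AWS-StartPortForwardingSession `
    --parameters "portNumber=$RdpPort,localPortNumber=$LocalPort"
```

The command keeps running while the tunnel is open; leave the window open for the duration of the RDP session.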

If the command executes successfully, a connection will be established.

  • Launch the Remote Desktop Connection application on your local computer.
  • In the RDC application, expand the options and fill in the following information:
  • Computer: localhost:54231 (as defined in the previous command).
  • User Name: Custom (the user you created using the session manager).
  • Note: Sometimes entering the plain username does not work properly, so you can try putting “.\” in front of the username, for example .\Custom
  • Click on the “Connect” button and provide the password for your user when prompted.

  • Following these steps, you can access your Windows GUI securely without needing an open RDP port. If everything works as expected, you can consider removing the RDP port from the security group for added security.
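
To check whether the RDP port is still exposed before removing it, the following added example (not from the original post) lists every inbound rule on the instance's security groups that covers TCP 3389. The instance ID and region are placeholders.

```powershell
# Run on your local computer with the AWS CLI configured.
$InstanceId = "<instance-id>"   # placeholder
$Region     = "<region>"        # placeholder

# Security groups attached to the instance.
$groupIds = (aws ec2 describe-instances --region $Region --instance-ids $InstanceId `
    --query "Reservations[0].Instances[0].SecurityGroups[].GroupId" --output text) -split "\s+" |
    Where-Object { $_ }

$groups = aws ec2 describe-security-groups --region $Region --group-ids $groupIds --output json |
    Out-String | ConvertFrom-Json

# Flag rules for all protocols ("-1") or TCP ranges that include 3389.
$findings = foreach ($sg in $groups.SecurityGroups) {
    foreach ($perm in $sg.IpPermissions) {
        $allProtocols = $perm.IpProtocol -eq "-1"
        $coversRdp    = $perm.IpProtocol -eq "tcp" -and
                        $perm.FromPort -le 3389 -and $perm.ToPort -ge 3389
        if ($allProtocols -or $coversRdp) {
            $sources = @($perm.IpRanges.CidrIp) + @($perm.Ipv6Ranges.CidrIpv6) +
                       @($perm.UserIdGroupPairs.GroupId) + @($perm.PrefixListIds.PrefixListId) |
                       Where-Object { $_ }
            [pscustomobject]@{
                GroupId  = $sg.GroupId
                Protocol = $perm.IpProtocol
                Ports    = "$($perm.FromPort)-$($perm.ToPort)"
                Sources  = $sources -join ", "
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else           { "No inbound rule on $InstanceId allows TCP 3389." }

# To remove a flagged CIDR rule once Session Manager access is confirmed:
#   aws ec2 revoke-security-group-ingress --region <region> --group-id <group-id> `
#       --protocol tcp --port 3389 --cidr <cidr>
```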

Conclusion

We have explored the power and versatility of AWS Session Manager, a tool that revolutionizes secure Windows instance access in private subnets. By eliminating the need for open RDP ports and simplifying the access process, Session Manager has become an indispensable asset for modern cloud practitioners.

Through carefully crafted steps, we’ve demonstrated how to configure Session Manager, set up custom users, and initiate secure GUI access via port forwarding. Following these steps, you can enhance security, streamline your workflow, and ensure controlled access to your Windows instances without exposing them to potential security risks.

As cloud environments evolve, embracing innovative solutions like AWS Session Manager becomes crucial. This tool aligns with best security practices and empowers you to manage your resources more efficiently.

Drop a query if you have any questions regarding AWS Session Manager and we will get back to you quickly.

FAQs

1. What is AWS Session Manager, and why should I use it for Windows instance access?

ANS: – AWS Session Manager is a component of AWS Systems Manager that offers secure, controlled, and efficient access to Windows and Linux instances without opening ports. It enhances security by eliminating the need for exposing RDP ports while simplifying access management.

2. What are the prerequisites for using AWS Session Manager?

ANS: – Prerequisites include configuring the AWS CLI and Session Manager Plugin on your local computer and installing the SSM agent on your Windows instance.

3. Do I need to install the Session Manager Plugin on my local computer?

ANS: – Yes, installing the AWS Session Manager Plugin on your local computer is a crucial step. This plugin simplifies the initiation and management of sessions, enhancing the user experience when using AWS Session Manager.

WRITTEN BY Naman Jain

Naman Jain is currently working as a Research Associate with expertise in AWS Cloud, primarily focusing on security and cloud migration. He is actively involved in designing and managing secure AWS environments, implementing best practices in AWS IAM, access control, and data protection. His work includes planning and executing end-to-end migration strategies for clients, with a strong emphasis on maintaining compliance and ensuring operational continuity.
