AWS, Cloud Computing

4 Mins Read

A Guide to Recover Windows EC2 Instance if PEM File is Lost

Voiced by Amazon Polly


The Remote Desktop Protocol (RDP) is used by Remote Desktop to connect to and access your instance like a desktop computer in front of you (local computer). It is accessible on most of Windows’s platforms as well as Mac OS.

The private key or the key pair is used to decrypt and using the decrypted password we can RDP to an Instance.

AWS Systems Manager is a set of tools that can assist you in managing the infrastructure and services that are hosted on the AWS Cloud. A System Manager makes it easier to manage applications, and resources to speed up the process of identifying and fixing operational issues. This aids in the safe, flexible management of your AWS resources.

AWS Key Management Service (KMS) gives you centralized control over the cryptographic keys used to protect your data. As a result of the service’s integration with other AWS services, you can more easily encrypt the data you keep there and manage who has access to the keys needed to decrypt it. 

 Scalable computing power is offered by Amazon Elastic Compute Cloud (Amazon EC2) in the Amazon Web Services (AWS) Cloud. By using Amazon EC2, you can develop and deploy apps more quickly because you won’t need to make an upfront hardware investment. 


  • In windows server SSM is supported for Windows Server 2016, 2019, and 2022.
  • An instance that has the IAM policy AmazonSSMManagedInstanceCore attached.
  • All the services should be in the same region.

Helping organizations transform their IT infrastructure with top-notch Cloud Computing services

  • Cloud Migration
  • Devops
  • AIML & IoT
Know More

Step-by-Step Guide to RDP into the EC2 using AWS SSM

Step 1: Try to RDP into EC2 using the RDP client and you will receive this error.


Step 2: Create AMI of the Instance.

  • Go to EC2 dashboard -> In EC2 mark the check box of the required EC2 -> Action -> Image and templates -> Create Image.



Step 3: Create IAM Role

  • In the search bar type IAM and enter.
  • Select roles on the left blade and in the IAM dashboard select create roles and select AWS service
  • Under common use case select EC2 and click next
  • In Add permission select permission policy AmazonSSMManagedInstanceCore and click next. Review and create the role.



Step 4: Create EC2 using AMI and attach the IAM role created.

  • Search for AMI in the search bar.
  • Launch an instance from AMI

* In Ec2 Configuration

* Advance setting

*IAM instance profile

*Select the IAM role created.

  • Create a new key pair or select any existing Key pair and Launch the Instance.



Step 5: Open SSM and change the password.

  • Search for session manager in the search bar.
  • In session manager in the left blade under Node management

*Session manager


  • In General preference click on Edit

* Enable the check box for KMS encryption and create a new KMS key.

  • While creating the KMS key make sure KMS will be in the same region as other services à Key type symmetric

*Key usage encrypt and decrypt

*Keep default values in step2 and step3.

  • In Define key usage permission enable on the IAM role created for SSM and create Key.
  • Session manager preferences

* Edit and choose the KMS and save.

  • Click session manager on the left blade

*Fleet manager.

  • In Fleet manager select required instance

*node actions

*reset password.

  • Enter the username and reset the password

*A CLI will pop out.

  • Inside CLI change the password and re-enter to confirm.







Step 6: RDP to the instance.

  • In EC2 instance

*Click on the required Instance and connect

*Download the RDP file and enter the password to RDP to the server.


When we accidentally lose or Delete the PEM file, we can’t decrypt the password and without a password, we can’t RDP to the server. Similarly, we need to make sure to use the same PEM file for EC2 and EC2 created by AMI. If we change the PEM file, then we can’t decrypt the PEM file and we can’t RDP to the server. To overcome this, we will use the AWS session manager, using this we can reset the password and RDP to the server without Decrypting the PEM file.

Get your new hires billable within 1-60 days. Experience our Capability Development Framework today.

  • Cloud Training
  • Customized Training
  • Experiential Learning
Read More

About CloudThat

CloudThat is also the official AWS (Amazon Web Services) Advanced Consulting Partner and Training partner and Microsoft gold partner, helping people develop knowledge of the cloud and help their businesses aim for higher goals using best in industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.

Drop a query if you have any questions regarding EC2 instance and I will get back to you quickly.

To get started, go through our Consultancy page and Managed Services Package that is CloudThat’s offerings.


1. Does windows server 2008 support SSM?

ANS: – Yes, but as of January 14, 2020, Windows Server 2008 is no longer supported features or security updates from Microsoft.

2. Does SSM works on both Windows and Linux server?

ANS: – Yes, SSM works on both Windows and Linux server.

3. Is KMS essential in session management?

ANS: – Yes, and KMS created should be in the same region as EC2 instances are located.

WRITTEN BY H S Yashas Gowda

Yashas Gowda works as a Research Associate at CloudThat. He has good hands-on experience working on Azure and AWS services. He is interested to learn new technologies and tries to implement them.



    Click to Comment