A Guide to Recover Windows EC2 Instance if PEM File is Lost

Introduction

The Remote Desktop Protocol (RDP) is used by Remote Desktop to connect to and access your instance like a desktop computer in front of you (local computer). It is accessible on most of Windows’s platforms as well as Mac OS.

The private key or the key pair is used to decrypt and using the decrypted password we can RDP to an Instance.

AWS Systems Manager is a set of tools that can assist you in managing the infrastructure and services that are hosted on the AWS Cloud. A System Manager makes it easier to manage applications, and resources to speed up the process of identifying and fixing operational issues. This aids in the safe, flexible management of your AWS resources.

AWS Key Management Service (KMS) gives you centralized control over the cryptographic keys used to protect your data. As a result of the service’s integration with other AWS services, you can more easily encrypt the data you keep there and manage who has access to the keys needed to decrypt it. 

 Scalable computing power is offered by Amazon Elastic Compute Cloud (Amazon EC2) in the Amazon Web Services (AWS) Cloud. By using Amazon EC2, you can develop and deploy apps more quickly because you won’t need to make an upfront hardware investment. 

Prerequisites

• In windows server SSM is supported for Windows Server 2016, 2019, and 2022.
• An instance that has the IAM policy AmazonSSMManagedInstanceCore attached.
• All the services should be in the same region.

Step-by-Step Guide to RDP into the EC2 using AWS SSM

Step 1: Try to RDP into EC2 using the RDP client and you will receive this error.

Step 2: Create AMI of the Instance.

• Go to EC2 dashboard -> In EC2 mark the check box of the required EC2 -> Action -> Image and templates -> Create Image.

Step 3: Create IAM Role

• In the search bar type IAM and enter.
• Select roles on the left blade and in the IAM dashboard select create roles and select AWS service
• Under common use case select EC2 and click next
• In Add permission select permission policy AmazonSSMManagedInstanceCore and click next. Review and create the role.

Step 4: Create EC2 using AMI and attach the IAM role created.

• Search for AMI in the search bar.
• Launch an instance from AMI

* In Ec2 Configuration

* Advance setting

*IAM instance profile

*Select the IAM role created.

• Create a new key pair or select any existing Key pair and Launch the Instance.

Step 5: Open SSM and change the password.

• Search for session manager in the search bar.
• In session manager in the left blade under Node management

*Session manager

*Preferences.

• In General preference click on Edit

* Enable the check box for KMS encryption and create a new KMS key.

• While creating the KMS key make sure KMS will be in the same region as other services à Key type symmetric

*Key usage encrypt and decrypt

*Keep default values in step2 and step3.

• In Define key usage permission enable on the IAM role created for SSM and create Key.
• Session manager preferences

* Edit and choose the KMS and save.

• Click session manager on the left blade

*Fleet manager.

• In Fleet manager select required instance

*node actions

*reset password.

• Enter the username and reset the password

*A CLI will pop out.

• Inside CLI change the password and re-enter to confirm.

Step 6: RDP to the instance.

• In EC2 instance

*Click on the required Instance and connect

*Download the RDP file and enter the password to RDP to the server.

Conclusion

When we accidentally lose or Delete the PEM file, we can’t decrypt the password and without a password, we can’t RDP to the server. Similarly, we need to make sure to use the same PEM file for EC2 and EC2 created by AMI. If we change the PEM file, then we can’t decrypt the PEM file and we can’t RDP to the server. To overcome this, we will use the AWS session manager, using this we can reset the password and RDP to the server without Decrypting the PEM file.

About CloudThat