
A Guide to Securely Access Windows Instance GUI in Private Subnet with AWS Session Manager



Securing and streamlining remote access to instances in today’s dynamic cloud computing environment is paramount.

One tool that stands out in achieving this goal is AWS Session Manager, a powerful feature within AWS Systems Manager. This innovative solution redefines how you connect to your Windows and Linux instances in the cloud, ensuring enhanced security and unmatched convenience.

In this comprehensive guide, we will explore the world of AWS Session Manager, specifically focusing on its application to Windows instances residing in private subnets. This approach takes the concept of secure instance access to a new level.


To proceed with this guide, it is assumed that you have the following prerequisites in place:

  • A Windows instance is running in the private subnet.
  • The SSM agent is already installed on your Windows instance. If it is not installed, follow this link for instructions on installing the SSM agent.
  • AWS CLI is configured on your local computer.
  • The AWS Session Manager plugin is installed on your local computer.


Step-by-Step Guide

Step 1:  Setting Up Permissions for SSM Access Role

  • Begin by creating an AWS IAM role specifically for the AWS Systems Manager.


  • In the ‘Trusted entity type’ section, choose ‘AWS service.’
  • In the ‘Service or use case’ section, select ‘EC2’ and proceed to the next step.
  • In the ‘Add permissions’ tab, select the ‘AmazonSSMManagedInstanceCore’ policy and proceed to the next step.


  • Provide a descriptive name for the role and finalize the creation by clicking on ‘Create Role.’

Step 2:  Associating the AWS IAM Role with Your Amazon EC2 Instance

  • Navigate to the Amazon EC2 instance dashboard and locate the specific instance you want to associate with the AWS IAM role.
  • Click on the ‘Actions’ button and choose ‘Security,’ followed by ‘Modify IAM Role.’


  • Select the role you previously created for AWS Systems Manager and proceed to update the AWS IAM role for the instance.
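The console steps in Step 1 and Step 2 can also be done from the AWS CLI. The following is an added example, not part of the original guide; the role name, instance profile name and file name are assumptions, and `<instance-id>` and `<region>` are placeholders to replace.

```powershell
# Added example: AWS CLI equivalent of Steps 1 and 2, run from PowerShell.
$RoleName    = 'SSMAccessRole'      # hypothetical role name
$ProfileName = 'SSMAccessProfile'   # hypothetical instance profile name
$InstanceId  = '<instance-id>'      # placeholder
$Region      = '<region>'           # placeholder

# Trust policy: only the EC2 service may assume the role
# (the 'AWS service' / 'EC2' choice in the console).
$trust = @'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
'@
# ASCII avoids the byte-order mark that Windows PowerShell adds for UTF8.
Set-Content -Path .\ssm-trust.json -Value $trust -Encoding ascii

# Step 1: create the role and attach only AmazonSSMManagedInstanceCore.
aws iam create-role --role-name $RoleName --assume-role-policy-document file://ssm-trust.json
aws iam attach-role-policy --role-name $RoleName --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore

# The console creates an instance profile implicitly; the CLI needs it explicitly.
aws iam create-instance-profile --instance-profile-name $ProfileName
aws iam add-role-to-instance-profile --instance-profile-name $ProfileName --role-name $RoleName

# Step 2: attach the profile to the instance. This call fails if the instance
# already has a profile; a new profile can take a few seconds to become usable.
aws ec2 associate-iam-instance-profile --instance-id $InstanceId --iam-instance-profile "Name=$ProfileName" --region $Region

# Check: the instance should register with Systems Manager and report 'Online'.
# An empty table means the agent has not registered yet (role not attached,
# agent not running, or no network path from the subnet to Systems Manager).
aws ssm describe-instance-information --filters "Key=InstanceIds,Values=$InstanceId" --query "InstanceInformationList[].[InstanceId,PingStatus,PlatformName]" --output table --region $Region
```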

Step 3:  Creating a Custom Windows User

Note: If you want to access your Windows instance with the default Administrator user and password, skip this section.

  • Access the AWS Systems Manager Service.
  • Navigate to the Session Manager section.
  • Click on “Start Session.”
  • Verify that your instance is listed in the Session Manager interface.


  • When your instance appears in the Session Manager, you can proceed and gain shell access using Session Manager.
  • Create a custom user in Windows using PowerShell.
  • Set a password to be stored in a variable. After entering the below command, type your password.
  • Use the stored password to create a user with the username “Custom”
  • Add the user “Custom” to the Remote Desktop Users group
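The user-creation steps above, written out as an added example that is not part of the original guide. It runs in the PowerShell session opened through Session Manager on the instance and uses the built-in LocalAccounts cmdlets; the account description text is an assumption.

```powershell
# Added example: run inside the Session Manager shell on the Windows instance.
$UserName = 'Custom'

# Read the password without echoing it; it is held as a SecureString,
# so it never appears in the command line or in shell history.
$Password = Read-Host -AsSecureString -Prompt "Password for $UserName"

# Create the local account only if it does not exist yet.
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $UserName -Password $Password -Description 'RDP over Session Manager'
}

# Grant RDP logon rights through group membership, nothing more.
$rdpGroup = 'Remote Desktop Users'
$inRdp = Get-LocalGroupMember -Group $rdpGroup |
    Where-Object Name -like "*\$UserName"
if (-not $inRdp) {
    Add-LocalGroupMember -Group $rdpGroup -Member $UserName
}

# Check 1: the account is enabled and is a member of the RDP group.
Get-LocalUser -Name $UserName | Select-Object Name, Enabled, PasswordLastSet
Get-LocalGroupMember -Group $rdpGroup | Select-Object Name, ObjectClass

# Check 2: the account did not end up in the local Administrators group.
$isAdmin = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object Name -like "*\$UserName"
if ($isAdmin) {
    Write-Warning "$UserName is a local administrator; remove it unless that is intended."
}
```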


Step 4: Secure Windows GUI Access: No RDP Port

To establish the port forwarding session and access your Windows GUI securely, follow these steps:

  • Open the Command Prompt and follow the steps.
  • Initiate the port forwarding session with the following command. Replace <instance-id> with the remote instance’s ID in AWS and <region> with the region where the instance resides:

If the command executes successfully, a connection will be established.


  • Launch the Remote Desktop Connection application on your local computer.
  • In the RDC application, expand the options and fill in the following information:
  • Computer: localhost:54231 (as defined in the previous command).
  • User Name: Custom (the user you created using the session manager).
  • Note – Sometimes entering the username on its own does not work; in that case, try putting “.\” in front of the username, for example .\Custom
  • Click on the “Connect” button and provide the password for your user when prompted.


  • Following these steps, you can access your Windows GUI securely without needing an open RDP port. If everything works as expected, you can consider removing the RDP port from the security group for added security.
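Step 4 from end to end, as an added example that is not part of the original guide. It is written for PowerShell on the local computer (the `aws ssm start-session` arguments are the same in the Command Prompt); local port 54231 comes from the guide, while `<instance-id>`, `<region>` and `<security-group-id>` are placeholders to replace.

```powershell
# Added example: open the tunnel, confirm it, connect, then audit port 3389.
$InstanceId = '<instance-id>'        # placeholder
$Region     = '<region>'             # placeholder
$SgId       = '<security-group-id>'  # placeholder: the instance's security group
$LocalPort  = 54231                  # local port used in this guide

# start-session blocks while the tunnel is open, so run it in its own window.
Start-Process -FilePath aws -ArgumentList @(
    'ssm', 'start-session', '--target', $InstanceId,
    '--document-name', 'AWS-StartPortForwardingSession',
    '--parameters', "portNumber=3389,localPortNumber=$LocalPort",
    '--region', $Region)

# Wait up to 30 seconds for the Session Manager plugin to start listening.
$deadline = (Get-Date).AddSeconds(30)
do {
    Start-Sleep -Seconds 2
    $listener = Get-NetTCPConnection -LocalPort $LocalPort -State Listen -ErrorAction SilentlyContinue
} until ($listener -or (Get-Date) -gt $deadline)
if (-not $listener) { throw "No listener on port $LocalPort; check the session window for errors." }

# Show which address the tunnel is bound to and which process owns it.
$listener | Select-Object LocalAddress, LocalPort, OwningProcess

# Open Remote Desktop against the local end of the tunnel.
mstsc "/v:localhost:$LocalPort"

# Read-only audit: list inbound rules on the security group that cover TCP 3389.
# Rules for 'all traffic' have no port range and need a separate review.
aws ec2 describe-security-groups --group-ids $SgId --region $Region --query 'SecurityGroups[].IpPermissions[?FromPort<=`3389` && ToPort>=`3389`]'

# Once RDP over the tunnel is confirmed, remove each listed rule, for example:
#   aws ec2 revoke-security-group-ingress --group-id $SgId --protocol tcp --port 3389 --cidr <cidr-from-rule> --region $Region
```

Closing the session window (or pressing Ctrl+C in it) tears down the tunnel and ends the RDP connection.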



We have explored the power and versatility of AWS Session Manager, a tool that revolutionizes secure Windows instance access in private subnets. By eliminating the need for open RDP ports and simplifying the access process, Session Manager has become an indispensable asset for modern cloud practitioners.

Through carefully crafted steps, we’ve demonstrated how to configure Session Manager, set up custom users, and initiate secure GUI access via port forwarding. Following these steps, you can enhance security, streamline your workflow, and ensure controlled access to your Windows instances without exposing them to potential security risks.

As cloud environments evolve, embracing innovative solutions like AWS Session Manager becomes crucial. This tool aligns with best security practices and empowers you to manage your resources more efficiently.



1. What is AWS Session Manager, and why should I use it for Windows instance access?

ANS: – AWS Session Manager is a component of AWS Systems Manager that offers secure, controlled, and efficient access to Windows and Linux instances without opening ports. It enhances security by eliminating the need for exposing RDP ports while simplifying access management.

2. What are the prerequisites for using AWS Session Manager?

ANS: – Prerequisites include configuring the AWS CLI and Session Manager Plugin on your local computer and installing the SSM agent on your Windows instance.

3. Do I need to install the Session Manager Plugin on my local computer?

ANS: – Yes, installing the AWS Session Manager Plugin on your local computer is a crucial step. This plugin simplifies the initiation and management of sessions, enhancing the user experience when using AWS Session Manager.


Naman works as a Research Intern at CloudThat. With a deep passion for Cloud Technology, Naman is committed to staying at the forefront of advancements in the field. Throughout his time at CloudThat, Naman has demonstrated a keen understanding of cloud computing and security, leveraging his knowledge to help clients optimize their cloud infrastructure and protect their data. His expertise in AWS Cloud and security has made him an invaluable team member, and he is constantly learning and refining his skills to stay up to date with the latest trends and technologies.


