Introduction
Securing and streamlining remote access to instances in today’s dynamic cloud computing environment is paramount.
One tool that stands out in achieving this goal is AWS Session Manager, a powerful feature within AWS Systems Manager. This innovative solution redefines how you connect to your Windows and Linux instances in the cloud, ensuring enhanced security and unmatched convenience.
In this comprehensive guide, we will explore the world of AWS Session Manager, specifically focusing on its application to Windows instances residing in private subnets. This approach takes the concept of secure instance access to a new level.
Prerequisites
To proceed with this guide, it is assumed that you have the following prerequisites in place:
- A Windows instance is running in the private subnet.
- The SSM agent is already installed on your Windows instance. If it is not installed, follow the AWS documentation on installing the SSM agent.
- AWS CLI is configured on your local computer.
- The AWS Session Manager plugin is installed on your local computer.
Step-by-Step Guide
Step 1: Setting Up Permissions for SSM Access Role
- Begin by creating an AWS IAM role specifically for the AWS Systems Manager.
- In the ‘Trusted entity type’ section, choose ‘AWS service.’
- In the ‘Service or use case’ section, select ‘EC2’ and proceed to the next step.
- In the ‘Add permissions’ tab, select the ‘AmazonSSMManagedInstanceCore’ policy and proceed to the next step.
- Provide a descriptive name for the role and finalize the creation by clicking on ‘Create Role.’
Step 2: Associating the AWS IAM Role with Your Amazon EC2 Instance
- Navigate to the Amazon EC2 instance dashboard and locate the specific instance you want to associate with the AWS IAM role.
- Click on the ‘Actions’ button and choose ‘Security,’ followed by ‘Modify IAM Role.’
- Select the role you previously created for AWS Systems Manager and proceed to update the AWS IAM role for the instance.
Step 3: Creating a Custom Windows User
Note: If you want to access your Windows instance with the Default Administrator user and Password, skip this section.
- Access the AWS Systems Manager Service.
- Navigate to the Session Manager section.
- Click on “Start Session.”
- Verify that your instance is listed in the Session Manager interface.
- When your instance appears in the Session Manager, you can proceed and gain shell access using Session Manager.
- Create a custom user in Windows using PowerShell.
- Read the password into a variable. After entering the command below, type your password when prompted (it is not echoed):
$Password = Read-Host -AsSecureString
- Use the stored password to create a user with the username “Custom”:
New-LocalUser -Name "Custom" -Password $Password -FullName "Custom User" -Description "Custom User Account"
- Add the user “Custom” to the Remote Desktop Users group:
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "Custom"
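The three commands above, combined into one script that can be re-run safely and verifies the result. This is an added example, not code from the original post; it assumes the same username (“Custom”) and the built-in Remote Desktop Users group, and is meant to be run inside the Session Manager shell on the instance.

```powershell
# Added example (not from the original post). Run in the Session Manager shell
# on the Windows instance. Assumes the username "Custom" used in the guide.
$UserName = "Custom"
$RdpGroup = "Remote Desktop Users"

# Read the password without echoing it; it never lands in the command history.
$Password = Read-Host -Prompt "Password for $UserName" -AsSecureString

# Create the account only if it does not already exist, so re-runs are harmless.
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $UserName -Password $Password `
        -FullName "Custom User" -Description "Custom User Account" | Out-Null
} else {
    # Account already exists: rotate its password to the one just entered.
    Set-LocalUser -Name $UserName -Password $Password
}

# Let the password expire according to local policy instead of living forever.
Set-LocalUser -Name $UserName -PasswordNeverExpires $false

# Grant RDP logon only; the account is deliberately not added to Administrators.
$members = Get-LocalGroupMember -Group $RdpGroup -ErrorAction SilentlyContinue
if (-not ($members.Name -contains "$env:COMPUTERNAME\$UserName")) {
    Add-LocalGroupMember -Group $RdpGroup -Member $UserName
}

# Verify: the account is enabled and appears in the RDP group.
Get-LocalUser -Name $UserName | Select-Object Name, Enabled, PasswordExpires
Get-LocalGroupMember -Group $RdpGroup | Where-Object Name -like "*\$UserName"
```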
Step 4: Secure Windows GUI Access: No RDP Port
To establish the port forwarding session and access your Windows GUI securely, follow these steps:
- Open the Command Prompt and follow the steps.
- Initiate the port forwarding session with the following command. Replace <instance-id> with the remote instance’s ID in AWS and <region> with the region where the instance resides:
aws ssm start-session --target <instance-id> --document-name AWS-StartPortForwardingSession --parameters "localPortNumber=54231,portNumber=3389" --region <region>
If the command executes successfully, a connection will be established.
- Launch the Remote Desktop Connection application on your local computer.
- In the RDC application, expand the options and fill in the following information:
- Computer: localhost:54231 (as defined in the previous command).
- User Name: Custom (the user you created using the session manager).
- Note: sometimes the username entered on its own is not accepted; in that case prefix it with “.\”, for example:
.\Custom
- Click on the “Connect” button and provide the password for your user when prompted.
- Following these steps, you can access your Windows GUI securely without needing an open RDP port. If everything works as expected, you can consider removing the RDP port from the security group for added security.
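Step 4 as a single local script: it starts the port forwarding session in the background, waits for the local listener before launching the RDP client, and then checks whether any security group on the instance still allows inbound 3389. This is an added example, not code from the original post; the instance ID and region are placeholders, and it assumes the AWS CLI and the Session Manager plugin are installed on the local Windows machine.

```powershell
# Added example (not from the original post). Runs in PowerShell on the local
# computer; assumes the AWS CLI and Session Manager plugin are installed.
$InstanceId = "i-0123456789abcdef0"   # placeholder, replace with your instance ID
$Region     = "us-east-1"             # placeholder, replace with your region
$LocalPort  = 54231                   # local end of the tunnel, as in the guide

# Run the port-forwarding session as a background job so this shell stays usable.
$job = Start-Job -ScriptBlock {
    param($Target, $Port, $Reg)
    aws ssm start-session --target $Target `
        --document-name AWS-StartPortForwardingSession `
        --parameters "localPortNumber=$Port,portNumber=3389" `
        --region $Reg
} -ArgumentList $InstanceId, $LocalPort, $Region

# Wait up to 30 s for the plugin to open the local listener before launching RDP.
$deadline = (Get-Date).AddSeconds(30)
do {
    Start-Sleep -Seconds 1
    $listening = Get-NetTCPConnection -LocalPort $LocalPort -State Listen -ErrorAction SilentlyContinue
} until ($listening -or (Get-Date) -gt $deadline)

if (-not $listening) {
    Receive-Job $job   # surface whatever the CLI/plugin printed
    throw "Port $LocalPort is not listening; check the instance's SSM registration, its IAM role and the network path to the SSM endpoints."
}

# The tunnel listens on localhost only, so the instance needs no inbound RDP rule.
Start-Process mstsc.exe -ArgumentList "/v:localhost:$LocalPort"

# Audit: no security group attached to the instance should still allow inbound 3389.
$sgIds = (aws ec2 describe-instances --instance-ids $InstanceId --region $Region `
    --query 'Reservations[].Instances[].SecurityGroups[].GroupId' --output text) -split '\s+'
$exposed = aws ec2 describe-security-groups --group-ids $sgIds --region $Region `
    --query 'SecurityGroups[?IpPermissions[?FromPort<=`3389` && ToPort>=`3389`]].GroupId' --output text
if ($exposed) { Write-Warning "Inbound 3389 still allowed by security group(s): $exposed" }
```

Any group ID the final warning lists is a candidate for removing the RDP rule, since RDP now arrives through the tunnel rather than the network.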
Conclusion
We have explored the power and versatility of AWS Session Manager, a tool that revolutionizes secure Windows instance access in private subnets. By eliminating the need for open RDP ports and simplifying the access process, Session Manager has become an indispensable asset for modern cloud practitioners.
Through carefully crafted steps, we’ve demonstrated how to configure Session Manager, set up custom users, and initiate secure GUI access via port forwarding. Following these steps, you can enhance security, streamline your workflow, and ensure controlled access to your Windows instances without exposing them to potential security risks.
As cloud environments evolve, embracing innovative solutions like AWS Session Manager becomes crucial. This tool aligns with best security practices and empowers you to manage your resources more efficiently.
Drop a query if you have any questions regarding AWS Session Manager and we will get back to you quickly.
About CloudThat
CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.
CloudThat is the first Indian Company to win the prestigious Microsoft Partner 2024 Award and is recognized as a top-tier partner with AWS and Microsoft, including the prestigious ‘Think Big’ partner award from AWS and the Microsoft Superstars FY 2023 award in Asia & India. Having trained 850k+ professionals in 600+ cloud certifications and completed 500+ consulting projects globally, CloudThat is an official AWS Advanced Consulting Partner, Microsoft Gold Partner, AWS Training Partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, AWS GenAI Competency Partner, Amazon QuickSight Service Delivery Partner, Amazon EKS Service Delivery Partner, AWS Microsoft Workload Partners, Amazon EC2 Service Delivery Partner, Amazon ECS Service Delivery Partner, AWS Glue Service Delivery Partner, Amazon Redshift Service Delivery Partner, AWS Control Tower Service Delivery Partner, AWS WAF Service Delivery Partner, Amazon CloudFront Service Delivery Partner, Amazon OpenSearch Service Delivery Partner, AWS DMS Service Delivery Partner, AWS Systems Manager Service Delivery Partner, Amazon RDS Service Delivery Partner, AWS CloudFormation Service Delivery Partner, AWS Config, Amazon EMR and many more.
FAQs
1. What is AWS Session Manager, and why should I use it for Windows instance access?
ANS: – AWS Session Manager is a component of AWS Systems Manager that offers secure, controlled, and efficient access to Windows and Linux instances without opening ports. It enhances security by eliminating the need for exposing RDP ports while simplifying access management.
2. What are the prerequisites for using AWS Session Manager?
ANS: – Prerequisites include configuring the AWS CLI and Session Manager Plugin on your local computer and installing the SSM agent on your Windows instance.
3. Do I need to install the Session Manager Plugin on my local computer?
ANS: – Yes, installing the AWS Session Manager Plugin on your local computer is a crucial step. This plugin simplifies the initiation and management of sessions, enhancing the user experience when using AWS Session Manager.
WRITTEN BY Naman Jain
Naman works as a Research Intern at CloudThat. With a deep passion for Cloud Technology, Naman is committed to staying at the forefront of advancements in the field. Throughout his time at CloudThat, Naman has demonstrated a keen understanding of cloud computing and security, leveraging his knowledge to help clients optimize their cloud infrastructure and protect their data. His expertise in AWS Cloud and security has made him an invaluable team member, and he is constantly learning and refining his skills to stay up to date with the latest trends and technologies.