A Guide to Securely Access Windows Instance GUI in Private Subnet with AWS Session Manager

Introduction

Securing and streamlining remote access to instances in today’s dynamic cloud computing environment is paramount.

Prerequisites

To proceed with this guide, it is assumed that you have the following prerequisites in place:

• A Windows instance is running in the private subnet.
• The SSM agent is already installed on your Windows instance. If it is not installed, follow this link for instructions on installing the SSM agent.
• AWS CLI is configured on your local computer.
• AWS Session manager plugin Installed on your local computer.

Step-by-Step Guide

Step 1:  Setting Up Permissions for SSM Access Role

• Begin by creating an AWS IAM role specifically for the AWS Systems Manager.

• In the ‘Trusted entity type’ section, choose ‘AWS service.’
• In the ‘Service or use case’ section, select ‘EC2’ and proceed to the next step.
• In the ‘Add permissions’ tab, select the ‘AmazonSSMManagedInstanceCore’ policy and proceed to the next step.

• Provide a descriptive name for the role and finalize the creation by clicking on ‘Create Role.’

Step 2:  Associating the AWS IAM Role with Your Amazon EC2 Instance

• Navigate to the Amazon EC2 instance dashboard and locate the specific instance you want to associate with the AWS IAM role.
• Click on the ‘Actions’ button and choose ‘Security,’ followed by ‘Modify IAM Role.’

• Select the role you previously created for AWS Systems Manager and proceed to update the AWS IAM role for the instance.

Step 3:  Creating a Custom Windows User

Note: If you want to access your Windows instance with the Default Administrator user and Password, skip this section.

• Access the AWS Systems Manager Service.
• Navigate to the Session Manager section.
• Click on “Start Session.”
• Verify that your instance is listed in the Session Manager interface.

• When your instance appears in the Session Manager, you can proceed and gain shell access using Session Manager.
• Create a custom user in Windows using PowerShell.
• Set a password to be stored in a variable. After entering the below command, type your password.

• Use the stored password to create a user with the username “Custom”

• Add the user “Custom” to the Remote Desktop Users group

Step 4: Secure Windows GUI Access: No RDP Port

To establish the port forwarding session and access your Windows GUI securely, follow these steps:

• Open the Command Prompt and follow the steps.
• Initiate the port forwarding session with the following command. Replace <instance-id> with the remote instance’s ID in AWS and <region> with the region where the instance resides:

If the command executes successfully, a connection will be established.

• Launch the Remote Desktop Connection application on your local computer.
• In the RDC application, expand the options and fill in the following information:
• Computer: localhost:54231 (as defined in the previous command).
• User Name: Custom (the user you created using the session manager).
• Note – Sometimes, giving a normally entering username does not work properly, so you can try putting “.\” in front of the username Ex – .\Custom
• Click on the “Connect” button and provide the password for your user when prompted.

• Following these steps, you can access your Windows GUI securely without needing an open RDP port. If everything works as expected, you can consider removing the RDP port from the security group for added security.

Conclusion

We have explored the power and versatility of AWS Session Manager, a tool that revolutionizes secure Windows instance access in private subnets. By eliminating the need for open RDP ports and simplifying the access process, Session Manager has become an indispensable asset for modern cloud practitioners.

Through carefully crafted steps, we’ve demonstrated how to configure Session Manager, set up custom users, and initiate secure GUI access via port forwarding. Following these steps, you can enhance security, streamline your workflow, and ensure controlled access to your Windows instances without exposing them to potential security risks.

As cloud environments evolve, embracing innovative solutions like AWS Session Manager becomes crucial. This tool aligns with best security practices and empowers you to manage your resources more efficiently.

Drop a query if you have any questions regarding AWS Session Manager and we will get back to you quickly.

About CloudThat

CloudThat is an official AWS (Amazon Web Services) Advanced Consulting Partner and Training partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, Amazon QuickSight Service Delivery Partner, AWS EKS Service Delivery Partner, and Microsoft Gold Partner, helping people develop knowledge of the cloud and help their businesses aim for higher goals using best-in-industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.

To get started, go through our Consultancy page and Managed Services Package, CloudThat’s offerings.