A Guide to Securely Access Windows Instance GUI in Private Subnet with AWS Session Manager

Introduction

Securing and streamlining remote access to instances in today’s dynamic cloud computing environment is paramount.

One tool that stands out in achieving this goal is AWS Session Manager, a powerful feature within AWS Systems Manager. This innovative solution redefines how you connect to your Windows and Linux instances in the cloud, ensuring enhanced security and unmatched convenience.</div

In this comprehensive guide, we will explore the world of AWS Session Manager, specifically focusing on its application to Windows instances residing in private subnets. This approach takes the concept of secure instance access to a new level.

Pioneers in Cloud Consulting & Migration Services

Reduced infrastructural costs
Accelerated application deployment

Get Started

Prerequisites

To proceed with this guide, it is assumed that you have the following prerequisites in place:

A Windows instance is running in the private subnet.
The SSM agent is already installed on your Windows instance. If it is not installed, follow this link for instructions on installing the SSM agent.
AWS CLI is configured on your local computer.
AWS Session manager plugin Installed on your local computer.

Step-by-Step Guide

Step 1: Setting Up Permissions for SSM Access Role

Begin by creating an AWS IAM role specifically for the AWS Systems Manager.

step1

In the ‘Trusted entity type’ section, choose ‘AWS service.’
In the ‘Service or use case’ section, select ‘EC2’ and proceed to the next step.
In the ‘Add permissions’ tab, select the ‘AmazonSSMManagedInstanceCore’ policy and proceed to the next step.

step1b

Provide a descriptive name for the role and finalize the creation by clicking on ‘Create Role.’

Step 2: Associating the AWS IAM Role with Your Amazon EC2 Instance

Navigate to the Amazon EC2 instance dashboard and locate the specific instance you want to associate with the AWS IAM role.
Click on the ‘Actions’ button and choose ‘Security,’ followed by ‘Modify IAM Role.’

step2

Select the role you previously created for AWS Systems Manager and proceed to update the AWS IAM role for the instance.

Step 3: Creating a Custom Windows User

Note: If you want to access your Windows instance with the Default Administrator user and Password, skip this section.

Access the AWS Systems Manager Service.
Navigate to the Session Manager section.
Click on “Start Session.”
Verify that your instance is listed in the Session Manager interface.

step3

When your instance appears in the Session Manager, you can proceed and gain shell access using Session Manager.
Create a custom user in Windows using PowerShell.
Set a password to be stored in a variable. After entering the below command, type your password.

$Password = Read-Host -AsSecureString

1	$Password = Read-Host -AsSecureString

Use the stored password to create a user with the username “Custom”

New-LocalUser -Name "Custom" -Password $Password -FullName "Custom User" -Description "Custom User Account"

1	New-LocalUser -Name "Custom" -Password $Password -FullName "Custom User" -Description "Custom User Account"

Add the user “Custom” to the Remote Desktop Users group

Add-LocalGroupMember -Group "Remote Desktop Users" -Member "Custom"

1	Add-LocalGroupMember -Group "Remote Desktop Users" -Member "Custom"

step3b

Step 4: Secure Windows GUI Access: No RDP Port

To establish the port forwarding session and access your Windows GUI securely, follow these steps:

Open the Command Prompt and follow the steps.
Initiate the port forwarding session with the following command. Replace <instance-id> with the remote instance’s ID in AWS and <region> with the region where the instance resides:

aws ssm start-session --target <instance-id> --document-name AWS-StartPortForwardingSession --parameters "localPortNumber=54231,portNumber=3389" --region <region>

1	aws ssm start-session --target <instance-id> --document-name AWS-StartPortForwardingSession --parameters "localPortNumber=54231,portNumber=3389" --region <region>

If the command executes successfully, a connection will be established.

step4

Launch the Remote Desktop Connection application on your local computer.
In the RDC application, expand the options and fill in the following information:
Computer: localhost:54231 (as defined in the previous command).
User Name: Custom (the user you created using the session manager).
Note – Sometimes, giving a normally entering username does not work properly, so you can try putting “.\” in front of the username Ex – .\Custom
Click on the “Connect” button and provide the password for your user when prompted.

step4b

Following these steps, you can access your Windows GUI securely without needing an open RDP port. If everything works as expected, you can consider removing the RDP port from the security group for added security.

step4c

Conclusion

We have explored the power and versatility of AWS Session Manager, a tool that revolutionizes secure Windows instance access in private subnets. By eliminating the need for open RDP ports and simplifying the access process, Session Manager has become an indispensable asset for modern cloud practitioners.

Through carefully crafted steps, we’ve demonstrated how to configure Session Manager, set up custom users, and initiate secure GUI access via port forwarding. Following these steps, you can enhance security, streamline your workflow, and ensure controlled access to your Windows instances without exposing them to potential security risks.

As cloud environments evolve, embracing innovative solutions like AWS Session Manager becomes crucial. This tool aligns with best security practices and empowers you to manage your resources more efficiently.

Drop a query if you have any questions regarding AWS Session Manager and we will get back to you quickly.

Making IT Networks Enterprise-ready – Cloud Management Services

Accelerated cloud migration
End-to-end view of the cloud environment

Get Started

About CloudThat

CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.

FAQs

1. What is AWS Session Manager, and why should I use it for Windows instance access?

ANS: – AWS Session Manager is a component of AWS Systems Manager that offers secure, controlled, and efficient access to Windows and Linux instances without opening ports. It enhances security by eliminating the need for exposing RDP ports while simplifying access management.

2. What are the prerequisites for using AWS Session Manager?

ANS: – Prerequisites include configuring the AWS CLI and Session Manager Plugin on your local computer and installing the SSM agent on your Windows instance.

3. Do I need to install the Session Manager Plugin on my local computer?

ANS: – Yes, installing the AWS Session Manager Plugin on your local computer is a crucial step. This plugin simplifies the initiation and management of sessions, enhancing the user experience when using AWS Session Manager.

WRITTEN BY Naman Jain

Naman works as a Research Intern at CloudThat. With a deep passion for Cloud Technology, Naman is committed to staying at the forefront of advancements in the field. Throughout his time at CloudThat, Naman has demonstrated a keen understanding of cloud computing and security, leveraging his knowledge to help clients optimize their cloud infrastructure and protect their data. His expertise in AWS Cloud and security has made him an invaluable team member, and he is constantly learning and refining his skills to stay up to date with the latest trends and technologies.