AdvLab2: Session Manager with Port Forwarding

Author: Dean Suzuki (Last Updated: 4/1/20)

Abstract

You have used Session Manager to obtain a remote, interactive PowerShell terminal access to EC2 instances. Customers have asked for the capability to also establish Remote Desktop Protocol (RDP) remote access into EC2 instances. AWS released this feature in August 2019 (see here and here for more information). In this lab, you will get hands-on experience enabling this capability.

This feature solves the challenge where you need to allow your administrators the ability to RDP into Windows EC2 instances, but there is no bastion host/RDP gateway. Session Manager with Port Forwarding allows you to use Session Manager to connect to the EC2 instances with RDP. The Session Manager documentation for this feature can be found here.

Prepare your machine

The first step is to load some software on your local machine. You will need the following components:

  • AWS CLI

  • Session Manager Plugin for the AWS CLI

  1. Download and install the AWS CLI. Instructions can be found here.

  2. Download and install the Session Manager Plugin for the AWS CLI. Instructions can be found here.

  3. Verify that the Session Manager Plugin was installed correctly by following the steps here.

Configure your AWS CLI

To access AWS services using the AWS CLI, you need to configure the CLI with credentials so that every call it makes carries your identity to the AWS service. The AWS CLI uses a credential pair called the access key ID and secret access key. It is very important to secure these values, since they grant access to AWS services with whatever permissions the user has. A common compromise occurs when people unknowingly commit these values in their code to GitHub. Don't do this. Guard your access key ID and secret access key as you would your username and password.

You will create a demo user for this lab.

  1. Login to the AWS Management Console and go to IAM.
  2. Click Users on the left navigation. Click “Add User” button.
  3. For User name, enter a user name (e.g. johndoe) and check the box for Programmatic access. Press Next.

  4. Select Attach existing policies directly. Enter Admin into the filter box and select AdministratorAccess. Note in actual production usage, you would create very granular policies and control which instances a person can access. See the following documentation for how to create more granular access. Press Next.

  5. On the Tags screen, press Next.

  6. On the next screen, press Create user button.

  7. On the next screen, click the Download .csv button to download a csv file containing your access key and secret access key. Press Close.

Now that you have an access key ID and secret access key, configure the AWS CLI to use those credentials.

  1. Open a command prompt window.
  2. Open the csv file that you downloaded earlier.
  3. Type aws configure and press Enter.
  4. For the access key ID and secret access key prompts, paste in the appropriate values from the csv file.
  5. For region, use us-east-1 or press enter if it is set as the default.
  6. For output format, press enter to accept the default.

Now, commands that you type using the AWS CLI will use the access key/secret access key to authenticate into AWS and use the permissions assigned to the user with these values.

Configure the EC2 instances

In order for Session Manager to support RDP port forwarding into EC2 instances, the EC2 instance must be a Systems Manager managed instance. This means that the Systems Manager agent (SSM Agent) must be installed on the EC2 instance, and an IAM role must be assigned to the instance that grants it access to Systems Manager. Systems Manager provides a managed policy called AmazonSSMManagedInstanceCore that must be attached to that IAM role. In this lab, these steps have already been done. However, I wanted to highlight them in case you want to implement this in your own environment. More detailed instructions can be found here.

You will next create a local user account on WEB01 and add that user to the local administrators group on the server. You will use this account later to do the RDP login.

  1. Open the AWS Management Console.
    • Navigate to the Systems Manager console.
    • Select Session Manager in the left navigation.
    • Select Start Session.
  2. Select the WEB01 instance and select Start session.
  3. In the Session Manager window, run the following PowerShell commands:

    a. Get-LocalUser

    b. $password = Read-Host -AsSecureString

    c. Enter a password and press Enter.

    d. New-LocalUser "johndoe" -Password $password

    e. Get-LocalUser

    f. Add-LocalGroupMember -Group "Administrators" -Member "johndoe"

In the previous steps, you used Session Manager PowerShell access to create a local user and add that user to the local administrators group.
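The same account creation as a single PowerShell script, as an added example that is not part of the original lab. It runs the lab's commands with the checks the one-liners skip: it is safe to re-run (an existing user gets the new password instead of an error), it only adds the group membership when it is missing, and it verifies the result at the end. It assumes it is pasted into the Session Manager PowerShell session on WEB01 (which runs with local administrator rights) and that the user name is the lab's johndoe; the $UserName and $GroupName variables are this script's own.

```powershell
# Added example (not part of the original lab): create the RDP login account on WEB01.
# Assumed: run inside the Session Manager PowerShell session on the instance.
$UserName  = "johndoe"
# The lab adds the account to Administrators. "Remote Desktop Users" is the least-privilege
# group that still permits an RDP logon; change this variable to use it instead.
$GroupName = "Administrators"

Import-Module Microsoft.PowerShell.LocalAccounts -ErrorAction Stop

# -AsSecureString masks the input, so the password is neither echoed to the terminal
# nor captured in a Session Manager session log.
$password = Read-Host -Prompt "Password for $UserName" -AsSecureString

$existing = Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    New-LocalUser -Name $UserName -Password $password -Description "Lab RDP account" | Out-Null
    Write-Host "Created local user $UserName"
} else {
    # Re-running the lab should not fail: keep the account, set the new password.
    Set-LocalUser -Name $UserName -Password $password
    Write-Host "User $UserName already existed; password updated"
}

# Group members are reported as COMPUTERNAME\user, so compare against that form.
$members = Get-LocalGroupMember -Group $GroupName -ErrorAction Stop
if ($members.Name -notcontains "$env:COMPUTERNAME\$UserName") {
    Add-LocalGroupMember -Group $GroupName -Member $UserName
    Write-Host "Added $UserName to $GroupName"
} else {
    Write-Host "$UserName is already a member of $GroupName"
}

# Verify: the account exists and is enabled, and the membership is in place.
Get-LocalUser -Name $UserName | Select-Object Name, Enabled, PasswordLastSet
Get-LocalGroupMember -Group $GroupName | Where-Object Name -like "*\$UserName"
```

If the final Where-Object prints nothing, the membership was not applied and the RDP logon in the next section will fail for a non-administrator account.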

Establish a Session Manager Port Forwarding session

Now you will use Session Manager to RDP into the WEB01 instance. To establish a RDP session into an EC2 instance, you will need the instance id of the EC2 instance.

  1. To get the instance id, open the AWS Management Console. Navigate to the Systems Manager console and go to Managed Instances on the left navigation.
  2. Copy the instance id of the WEB01 server to your clipboard.
  3. Go back to the command prompt window that you opened earlier or open a command prompt window.
  4. Enter the following command and replace the instance-id with your instance id.

    aws ssm start-session --target instance-id --document-name AWS-StartPortForwardingSession --parameters portNumber="3389",localPortNumber="56789"


  5. Now, open your RDP client and for the computer, enter localhost:56789. The previous command maps local port 56789 to port 3389 on the WEB01 instance.
  6. Select More choices and then Use a different account.
    • For the user name, enter: .\johndoe
    • Enter the password for the user you created.
    • Press OK and then Connect.
  7. Congratulations! You should be logged into the WEB01 server.
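The port forwarding steps above, together with the checks from the "Configure your AWS CLI" and "Configure the EC2 instances" sections, as one PowerShell script. This is an added example, not part of the original lab: it confirms the CLI credentials and the Session Manager plugin are usable, looks up the instance id from the instance's Name tag instead of copying it from the console, confirms the instance is an online Systems Manager managed instance (the usual reason port forwarding fails), starts the tunnel in the background, and opens the RDP client against the local port, stopping the session when the client closes. It assumes Windows with mstsc.exe, the AWS CLI and plugin on PATH, a configured default profile and region, and that WEB01 is the instance's Name tag; $InstanceName, $RemotePort and $LocalPort are this script's own variables.

```powershell
# Added example (not part of the original lab): end-to-end RDP over Session Manager port forwarding.
$InstanceName = "WEB01"   # assumed: the instance's Name tag
$RemotePort   = 3389      # RDP on the instance
$LocalPort    = 56789     # local end of the tunnel, as in the lab

# 1. Preflight: the credentials from "aws configure" work, and the plugin is installed.
$identity = aws sts get-caller-identity --output json | ConvertFrom-Json
if (-not $identity.Arn) { throw "AWS CLI credentials are not configured; run 'aws configure'." }
Write-Host "Running as $($identity.Arn)"
if (-not (Get-Command session-manager-plugin -ErrorAction SilentlyContinue)) {
    throw "Session Manager plugin not found on PATH; install it before starting a session."
}

# 2. Resolve the instance id from the Name tag; refuse to guess if several instances match.
$instanceId = aws ec2 describe-instances `
    --filters "Name=tag:Name,Values=$InstanceName" "Name=instance-state-name,Values=running" `
    --query "Reservations[].Instances[].InstanceId" --output text
if (-not $instanceId -or $instanceId -eq "None") { throw "No running instance named $InstanceName." }
if ($instanceId -match '\s') { throw "More than one running instance is named $InstanceName: $instanceId" }

# 3. The instance must be an online managed instance (SSM Agent running, role with
#    AmazonSSMManagedInstanceCore attached); otherwise start-session fails with TargetNotConnected.
$ping = aws ssm describe-instance-information `
    --filters "Key=InstanceIds,Values=$instanceId" `
    --query "InstanceInformationList[0].PingStatus" --output text
if ($ping -ne "Online") {
    throw "$instanceId is not an online managed instance (PingStatus=$ping). Check the agent and the instance role."
}

# 4. Start the port forwarding session in the background. The plugin listens on the
#    loopback address, so only this machine can reach the forwarded port.
$session = Start-Process -FilePath "aws" -PassThru -NoNewWindow -ArgumentList @(
    "ssm", "start-session",
    "--target", $instanceId,
    "--document-name", "AWS-StartPortForwardingSession",
    "--parameters", "portNumber=$RemotePort,localPortNumber=$LocalPort"
)

# Wait until the local port is actually listening before launching the RDP client.
$deadline = (Get-Date).AddSeconds(30)
$listening = $null
while (-not $listening -and (Get-Date) -lt $deadline) {
    if ($session.HasExited) { throw "start-session exited early; see its output above." }
    Start-Sleep -Seconds 1
    $listening = Get-NetTCPConnection -LocalPort $LocalPort -State Listen -ErrorAction SilentlyContinue
}
if (-not $listening) { Stop-Process -Id $session.Id -ErrorAction SilentlyContinue; throw "Tunnel did not open on port $LocalPort." }

# 5. Open the RDP client against the local end; log in as .\johndoe with the password set earlier.
Write-Host "Tunnel open: localhost:$LocalPort -> ${instanceId}:$RemotePort"
Start-Process -FilePath "mstsc.exe" -ArgumentList "/v:localhost:$LocalPort" -Wait

# Closing the RDP client ends the session so the forwarded port does not stay open.
Stop-Process -Id $session.Id -ErrorAction SilentlyContinue
Write-Host "Port forwarding session closed."
```

Because the tunnel is torn down when mstsc exits, the forwarded port only exists for the duration of the RDP connection, and the session start and end are both recorded in the Session Manager session history for the account shown by the preflight step.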