Author: Dean Suzuki (Last Updated: 4/1/20)
You have used Session Manager to obtain a remote, interactive PowerShell terminal access to EC2 instances. Customers have asked for the capability to also establish Remote Desktop Protocol (RDP) remote access into EC2 instances. AWS released this feature in August 2019 (see here and here for more information). In this lab, you will get hands-on experience enabling this capability.
This feature addresses a common requirement: administrators need to RDP into Windows EC2 instances, but there is no bastion host or RDP gateway, and you do not want to expose port 3389 to the Internet. Session Manager port forwarding tunnels the RDP connection over the Session Manager channel, which the SSM Agent opens outbound from the instance, so the instance needs no inbound security group rule for RDP at all. The Session Manager documentation for this feature can be found here.
The first step is to install two components on your local machine: the AWS CLI and the Session Manager Plugin for the AWS CLI.
Download and install the AWS CLI. Instructions can be found here.
Download and install the Session Manager Plugin for the AWS CLI. Instructions can be found here.
Verify that the Session Manager Plugin was installed correctly by following the steps here.
To call AWS services from the AWS CLI, you need to configure the CLI with credentials; every request the CLI makes is signed with them and carries the permissions of the IAM user they belong to. These credentials are an access key ID and a secret access key. It is very important to protect these values, since anyone who holds them can act as that user. A common way they are compromised is by being committed to code and pushed to a public GitHub repository, where automated scanners harvest them. Don't do this. Guard your access key ID and secret access key as you would your username and password.
You will create a demo user for this lab.
For User name, enter a user name (e.g. johndoe) and check the box for Programmatic access. Press Next.
Select Attach existing policies directly. Enter Admin into the filter box and select AdministratorAccess. Note that in production you would instead create a granular policy that limits which instances a person can open sessions to and which session documents they can use. See the following documentation for how to create more granular access. Press Next.
On the Tags screen, press Next.
On the next screen, press Create user button.
On the next screen, click the Download .csv button to download a csv file containing your access key and secret access key. Press Close.
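The AdministratorAccess policy attached above is convenient for a lab but far broader than port forwarding needs. The following is an added example, not part of the original lab, of a least-privilege replacement: it lets the lab user start Session Manager sessions only to instances carrying the tag Role=WEB, only with the AWS-StartPortForwardingSession document, and only end sessions the user started. The account ID 123456789012, region us-east-1, the tag Role=WEB, the policy name SSMRdpPortForwardOnly and the instance ID i-0123456789abcdef0 are placeholders that you must replace with your own values.

```powershell
# Added example (not from the lab): scope the lab user down from
# AdministratorAccess to "start a port-forwarding session to tagged instances".
# Placeholders: account 123456789012, region us-east-1, tag Role=WEB,
# user johndoe, instance i-0123456789abcdef0.

# Single-quoted here-string: ${aws:username} is an IAM policy variable and must
# reach IAM literally, so PowerShell must not try to expand it.
$policy = @'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PortForwardOnlyToTaggedInstances",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "StringEquals": { "ssm:resourceTag/Role": "WEB" }
      }
    },
    {
      "Sid": "OnlyThePortForwardingDocument",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ssm:*:*:document/AWS-StartPortForwardingSession",
      "Condition": {
        "BoolIfExists": { "ssm:SessionDocumentAccessCheck": "true" }
      }
    },
    {
      "Sid": "ManageOwnSessionsOnly",
      "Effect": "Allow",
      "Action": [ "ssm:TerminateSession", "ssm:ResumeSession" ],
      "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"
    }
  ]
}
'@

$policyFile = Join-Path $env:TEMP "ssm-rdp-portforward.json"
Set-Content -Path $policyFile -Value $policy -Encoding ascii

# Create the customer managed policy, attach it to the lab user, and remove
# AdministratorAccess so the user is left with only the scoped permissions.
$policyArn = aws iam create-policy --policy-name SSMRdpPortForwardOnly `
    --policy-document "file://$policyFile" --query Policy.Arn --output text
aws iam attach-user-policy --user-name johndoe --policy-arn $policyArn
aws iam detach-user-policy --user-name johndoe `
    --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

# The instance must carry the tag the condition checks, otherwise StartSession
# is denied. The value is quoted because PowerShell would otherwise split the
# argument at the comma.
aws ec2 create-tags --region us-east-1 --resources i-0123456789abcdef0 `
    --tags 'Key=Role,Value=WEB'
```

The second statement matters more than it looks: with the ssm:SessionDocumentAccessCheck condition, Session Manager requires the caller to have explicit permission on the session document, so a user allowed only AWS-StartPortForwardingSession cannot open an interactive shell on the same instances. A StartSession call to an untagged instance fails with an AccessDeniedException, which is the behaviour you want.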
Now that you have an access key ID and secret access key, configure the AWS CLI to use those credentials.
Now, commands that you type using the AWS CLI will use the access key/secret access key to authenticate into AWS and use the permissions assigned to the user with these values.
In order for Session Manager to support RDP port forwarding into an EC2 instance, the instance must be a Systems Manager managed instance. This means that the SSM Agent must be installed and running on the EC2 instance, and an IAM role must be attached to the instance that grants the agent access to Systems Manager; the AWS managed policy AmazonSSMManagedInstanceCore provides the required permissions and must be attached to that role. In this lab, these steps have already been done. However, they are highlighted here in case you want to implement this in your own environment. More detailed instructions can be found here.
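The following is an added example, not part of the original lab, that checks these prerequisites from your local machine with the AWS CLI and, if the instance is not yet a managed instance, creates the instance role and attaches it. The region us-east-1, the instance ID i-0123456789abcdef0 and the role name SSMManagedInstanceRole are placeholders to replace with your own values.

```powershell
# Added example (not from the lab): verify the CLI identity and the managed
# instance status, and attach an instance role with AmazonSSMManagedInstanceCore
# if the instance is not managed yet.
# Placeholders: region us-east-1, instance i-0123456789abcdef0,
# role/instance profile SSMManagedInstanceRole.
$Region     = "us-east-1"
$InstanceId = "i-0123456789abcdef0"
$RoleName   = "SSMManagedInstanceRole"

# 1. Confirm which identity and account the CLI is actually using.
aws sts get-caller-identity

# 2. A managed instance shows up in describe-instance-information with
#    PingStatus "Online". If it does, there is nothing more to do.
$info = aws ssm describe-instance-information --region $Region `
    --filters "Key=InstanceIds,Values=$InstanceId" --output json |
    Out-String | ConvertFrom-Json
if ($info.InstanceInformationList.Count -gt 0 -and
    $info.InstanceInformationList[0].PingStatus -eq "Online") {
    Write-Host "$InstanceId is a managed instance (SSM Agent online)."
    return
}

# 3. Not managed: create a role that EC2 can assume and attach the AWS managed
#    policy. The trust policy is the only document the agent needs.
$trust = @'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "ec2.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }]
}
'@
$trustFile = Join-Path $env:TEMP "ssm-trust.json"
Set-Content -Path $trustFile -Value $trust -Encoding ascii

aws iam create-role --role-name $RoleName `
    --assume-role-policy-document "file://$trustFile"
aws iam attach-role-policy --role-name $RoleName `
    --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
aws iam create-instance-profile --instance-profile-name $RoleName
aws iam add-role-to-instance-profile --instance-profile-name $RoleName `
    --role-name $RoleName

# 4. Attach the profile to the running instance. IAM is eventually consistent,
#    so give the new profile a few seconds before referencing it. This call
#    fails if the instance already has a different profile; replace it instead.
Start-Sleep -Seconds 10
aws ec2 associate-iam-instance-profile --region $Region --instance-id $InstanceId `
    --iam-instance-profile "Name=$RoleName"

# 5. The SSM Agent picks up the new role on its next check-in. Re-run step 2
#    until PingStatus is Online before trying to start a session.
```

If the agent is installed but the instance still never appears as Online, check from inside the instance that the AmazonSSMAgent service is running and that the instance has an outbound path (Internet gateway, NAT, or VPC endpoints) to the Systems Manager endpoints.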
You will next create a local user account on WEB01 and add that user to the local Administrators group on the server. You will use this account later for the RDP login.
In the Session Manager window, run the following PowerShell commands:
a. $password = Read-Host -AsSecureString
b. Enter a password and press Enter. Read-Host returns it as a SecureString, so the password never appears on the screen or in the session log.
c. New-LocalUser "johndoe" -Password $password
d. Add-LocalGroupMember -Group "Administrators" -Member "johndoe"
In the previous steps, you used Session Manager PowerShell access to create a local user and add that user to the local administrators group.
Now you will use Session Manager to RDP into the WEB01 instance. To establish an RDP session into an EC2 instance, you will need the instance ID of the EC2 instance.
Enter the following command and replace the instance-id with your instance id.
aws ssm start-session --target instance-id --document-name AWS-StartPortForwardingSession --parameters portNumber="3389",localPortNumber="56789"
5. Now, open your RDP client and for the computer, enter localhost:56789. The previous command maps local port 56789 to port 3389 on the WEB01 instance.
6. Select More choices and then Use a different account.
   - For the user name, enter .\johndoe
   - Enter the password for the user you created.
   - Press **Ok** and then **Connect**.
7. Congratulations! You should be logged into the WEB01 server.
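The steps above are typed one at a time. The following is an added example, not part of the original lab, that runs the whole flow from one PowerShell script: it starts the port forward in the background, waits until the local port is listening, opens the RDP client, and terminates the Session Manager session when the RDP window is closed. The instance ID i-0123456789abcdef0 and region us-east-1 are placeholders; local port 56789 is the one used in the lab.

```powershell
# Added example (not from the lab): RDP over Session Manager port forwarding,
# start to finish, with cleanup. Placeholders: instance i-0123456789abcdef0,
# region us-east-1.
$InstanceId = "i-0123456789abcdef0"
$Region     = "us-east-1"
$LocalPort  = 56789

# Pass the document parameters as a JSON file. Typed inline from PowerShell,
# portNumber="3389",localPortNumber="56789" is split at the comma into two
# arguments unless the whole string is quoted; a file avoids the problem.
$paramsFile = Join-Path $env:TEMP "rdp-forward.json"
@{ portNumber = @("3389"); localPortNumber = @("$LocalPort") } |
    ConvertTo-Json -Compress | Set-Content -Path $paramsFile -Encoding ascii

# Start the session in its own process. The plugin listens on 127.0.0.1 only,
# so the forwarded port is not reachable from other hosts on your network.
$fwd = Start-Process -FilePath "aws" -PassThru -NoNewWindow -ArgumentList @(
    "ssm", "start-session",
    "--region", $Region,
    "--target", $InstanceId,
    "--document-name", "AWS-StartPortForwardingSession",
    "--parameters", "file://$paramsFile"
)

# Wait until the local port accepts connections, or give up after 30 seconds.
$deadline = (Get-Date).AddSeconds(30)
$ready = $false
while (-not $ready -and -not $fwd.HasExited -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 1
    $ready = Test-NetConnection -ComputerName 127.0.0.1 -Port $LocalPort `
                 -InformationLevel Quiet -WarningAction SilentlyContinue
}
if (-not $ready) {
    if (-not $fwd.HasExited) { Stop-Process -Id $fwd.Id -Force }
    throw "Port forward to $InstanceId did not come up. Check that the instance is a managed instance and that your IAM user may call ssm:StartSession on it."
}

# Open the RDP client against the forwarded port and block until it is closed.
# Log in as .\johndoe, the local account created earlier in the lab.
Start-Process -FilePath "mstsc.exe" -ArgumentList "/v:127.0.0.1:$LocalPort" -Wait

# Cleanup: end the Session Manager session on the AWS side so it does not stay
# Active until the idle timeout, then stop the local forwarder. With a
# least-privilege policy the terminate call only succeeds for your own sessions.
$active = aws ssm describe-sessions --region $Region --state Active `
    --filters "key=Target,value=$InstanceId" --output json |
    Out-String | ConvertFrom-Json
foreach ($s in $active.Sessions) {
    aws ssm terminate-session --region $Region --session-id $s.SessionId
}
if (-not $fwd.HasExited) { Stop-Process -Id $fwd.Id -Force }
Remove-Item $paramsFile -ErrorAction SilentlyContinue
```

When you are finished with the lab, remember that the IAM user created earlier still has active access keys; delete the user, or at least deactivate its keys, so a downloaded .csv file cannot be used later.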