Fleet Manager is a service AWS Systems Manager provides to securely manage Amazon EC2 instances at scale. Cloud engineers can log in via remote desktop (RDP) to Amazon EC2 instances for Windows using Fleet Manager to perform troubleshooting or management tasks.
Previously, a set of configurations was required to access an Amazon EC2 instance for Windows using RDP. These were: (a) a security group with ingress on port 3389 from the source CIDR/IP address, (b) a public IP address for the Amazon EC2 instance, (c) a PEM file to decrypt the Administrator password, (d) an Internet Gateway, and (e) a route to 0.0.0.0/0 in the route table via the Internet Gateway.
Then, with Session Manager, accessing an Amazon EC2 instance for Windows became convenient. This option was more secure than the previous one because it did not require an ingress rule in the security group. However, it did not provide the GUI-based experience that Windows Administrators are familiar with.
Later, with VPC Endpoint integration for Session Manager, the option improved further because it did not require a public IP address associated with the Amazon EC2 instance, an Internet Gateway, or any route to 0.0.0.0/0. However, an ingress rule was still required on port 443, and like the previous option, it presented only a CLI-based experience.
Finally, with Fleet Manager integration, Cloud Engineers and Windows Administrators benefit from the security best practices of using Session Manager and VPC Endpoint with the familiar GUI-based experience.
In this note, I demonstrate how to configure the required AWS Cloud services to enable RDP access to an Amazon EC2 instance for Windows using Fleet Manager.
If you are interested and want to follow along, I have the code in my GitHub repository: ec2-userdata-terraform. Please ensure you are on the right git branch: enable-rdp-session-manager.
The following eight steps are required to create an Amazon EC2 instance for Windows with RDP access using Session Manager and VPC endpoint.
1. Create an Amazon VPC with DNS hostnames and DNS support enabled
2. Create a security group with ingress on only port 443 for the VPC Endpoint
3. Create VPC Endpoints for ssm, ec2messages, and ssmmessages
4. Create a security group for the Amazon EC2 instance to allow ingress from the VPC Endpoint security group
5. Create and attach an IAM policy to enable access to the Amazon EC2 instance
6. Create a Password for the Windows User
7. Create a User Data script to add a user to the Windows instance
8. Create an Amazon EC2 instance for Windows
I discussed the first four of these eight steps in detail in my previous note, create-an-amazon-ec2-instance-using-terraform-with-session-manager-access-using-vpc-endpoint. I'll discuss the remaining steps here.
5. Create and attach an IAM policy to enable access to the Amazon EC2 instance
In one of my previous notes, I demonstrated how to create and attach an IAM role to an Amazon EC2 instance using Terraform. If you are new to it, that note walks through the basics of the concept. Per the AWS docs, the IAM role requires additional permissions to allow RDP access via Session Manager. The image below contains a section of the IAM policy statement.
Please note that there are other required permissions, which you can find in the GitHub code repository → iamrole.tf.
After creating the aws_iam_policy, I attached that policy to the IAM role the Amazon EC2 instance assumes.
6. Create a Password for the Windows User
I created a random password using the random provider and stored it as an AWS Systems Manager Parameter Store parameter.
7. Create a User Data script to add a user to the Windows instance
The User Data script adds a Windows User to the Amazon EC2 instance and then adds that user to the Administrators group using the PowerShell code below.
Please note that this is not the complete code; you can find it in the GitHub code repository → user_data → user_data.tpl.
8. Create an Amazon EC2 instance for Windows
Finally, I created an Amazon EC2 instance with the configuration properties determined in the previous steps.
The iam_instance_profile property provides the Amazon EC2 instance with the IAM role and permissions that allow RDP access. The user_data property provides the PowerShell template file and passes in the user password stored in the Systems Manager Parameter Store parameter.
Please note that no public IP address is associated with the Amazon EC2 instance.
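Steps 6 to 8 in Terraform, as an added example that is not the repository's code. It assumes a private subnet (var.private_subnet_id), a Windows AMI id (var.windows_ami_id), the instance security group aws_security_group.ec2 from step 4, and the role and instance profile aws_iam_role.ec2 / aws_iam_instance_profile.ec2 from step 5 (all of these names are assumptions). Unlike the post's template, which passes the password into user data, this version has the instance fetch the parameter from Parameter Store at boot, so the secret never sits in user data, which is readable by anyone holding ec2:DescribeInstanceAttribute.

```hcl
resource "random_password" "rdp_user" {
  length  = 20
  special = true
}

# Stored encrypted in Parameter Store under the default aws/ssm key; the name is assumed.
resource "aws_ssm_parameter" "rdp_user_password" {
  name  = "/ec2/windows/User03/password"
  type  = "SecureString"
  value = random_password.rdp_user.result
}

# The instance role may read this one parameter and nothing else in Parameter Store.
# With the default aws/ssm key no separate kms:Decrypt statement is needed.
resource "aws_iam_role_policy" "read_rdp_password" {
  role = aws_iam_role.ec2.id # assumed name for the step 5 role
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["ssm:GetParameter"]
      Resource = aws_ssm_parameter.rdp_user_password.arn
    }]
  })
}

# Windows user data must be wrapped in <powershell> tags. The password is fetched over
# the ssm VPC endpoint from step 3, so no internet route is required.
locals {
  user_data = <<-EOT
    <powershell>
    $plain  = (Get-SSMParameter -Name "${aws_ssm_parameter.rdp_user_password.name}" -WithDecryption $true).Value
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    New-LocalUser -Name "User03" -Password $secure -PasswordNeverExpires
    Add-LocalGroupMember -Group "Administrators" -Member "User03"
    </powershell>
  EOT
}

resource "aws_instance" "windows" {
  ami                         = var.windows_ami_id                # assumed variable
  instance_type               = "t3.medium"
  subnet_id                   = var.private_subnet_id             # assumed variable
  vpc_security_group_ids      = [aws_security_group.ec2.id]       # assumed name, step 4
  iam_instance_profile        = aws_iam_instance_profile.ec2.name # assumed name, step 5
  associate_public_ip_address = false                             # reachable only via Fleet Manager
  user_data                   = local.user_data
}
```

The new local user only needs to be in Administrators if the RDP session must have admin rights; for plain troubleshooting, leaving it out of that group and adding it to "Remote Desktop Users" is the lower-privilege choice.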
After Terraform provisioned all the resources, I waited 5 minutes before connecting to the Amazon EC2 instance from the AWS Console. That was sufficient time for the Amazon EC2 instance user data script to create the Windows user.
As of July 2024, there are two ways to connect to the Amazon EC2 instance using RDP. From the AWS Console, search for AWS Systems Manager → Node Management → Fleet Manager. Your Amazon EC2 instance must be listed here. Select the instance, and on the right-hand side choose Node actions → Connect → Connect with Remote Desktop.
As set in the User Data script, the user name is User03. The password value was stored as a Systems Manager Parameter Store parameter. I entered both and clicked Connect.
And that is how you, too, can connect to an Amazon EC2 instance using RDP.
By leveraging AWS Fleet Manager, you can now securely RDP into your Amazon EC2 instances for Windows without needing a public IP address or complex network configurations. This approach offers the best of both worlds: the security of Session Manager and the familiar GUI-based experience that Windows Administrators are accustomed to. While the 60-minute session limit is something to consider, there are potential workarounds you can explore. Please try this setup and let me know if you have any questions or feedback. Stay tuned for more cloud-related content, and remember to subscribe to my blog for the latest updates. Happy cloud computing!