
How to Set Up Windows EC2 for RDP Access via SSM?

Introduction

In this guide, we will set up a Windows EC2 instance on AWS for Remote Desktop Protocol (RDP) access via AWS Systems Manager (SSM) using Pulumi in TypeScript. This solution leverages several key AWS services, including Amazon EC2, AWS Systems Manager, and IAM roles. By the end of this guide, you will have a Windows EC2 instance that you can access securely using RDP through SSM, eliminating the need to open RDP ports to the internet.

Step-by-Step Explanation

Step 1: Create an IAM Role for SSM

We will create an IAM role that the EC2 instance assumes, attach the AWS-managed AmazonSSMManagedInstanceCore policy to it, and wrap the role in an instance profile (an EC2 instance takes an instance profile, not a role directly). This is the only permission the instance needs: it lets the SSM Agent register the instance as a managed node and open Session Manager channels.

Step 2: Create a Security Group

Next, we will create a security group with no inbound rules at all. The RDP connection is tunnelled through Session Manager, and that tunnel is opened outbound by the SSM Agent over HTTPS, so port 3389 never needs to be reachable from the internet or even from your own IP address. Egress is limited to TCP 443 so the agent can reach the ssm, ssmmessages and ec2messages endpoints, either through an internet route or through VPC interface endpoints.

Step 3: Launch a Windows EC2 Instance

We will launch a Windows EC2 instance with the instance profile and security group created in the previous steps. AWS-provided Windows Server AMIs ship with the SSM Agent preinstalled, so as soon as the instance can reach the Systems Manager endpoints it registers as a managed node and Session Manager can open channels to it. A key pair is still attached, not for SSH but because it is needed to decrypt the Administrator password (aws ec2 get-password-data) that you will type into the RDP client.

Step 4: Configure SSM Session Manager

Finally, we will set up Session Manager port forwarding. A Session document of type Port tells the agent which port on the instance to forward; AWS ships a general-purpose one, AWS-StartPortForwardingSession, which takes the port as a parameter, and we also define a custom document pinned to port 3389 so that operators can be granted ssm:StartSession on that document alone rather than on "forward any port". On the operator's machine, with the AWS CLI and the Session Manager plugin installed, `aws ssm start-session --target <instance-id> --document-name AWS-StartPortForwardingSession --parameters '{"portNumber":["3389"],"localPortNumber":["13389"]}'` opens the tunnel, and the RDP client then connects to localhost:13389. The operator's own IAM identity needs ssm:StartSession scoped to the instance and the document; no inbound network path is involved.

Key Points

  • IAM Role: The IAM role (via an instance profile) lets the SSM Agent on the instance register with Systems Manager and open session channels; AmazonSSMManagedInstanceCore is sufficient.
  • Security Group: The security group has no inbound rules; only TCP 443 egress is needed for the agent to reach the Systems Manager endpoints.
  • SSM Agent: The agent is preinstalled on AWS Windows AMIs and only ever connects outbound, which is why RDP can be reached without opening port 3389.
  • Session Manager: A Port-type Session document forwards the instance's port 3389 to a local port on the operator's machine; which operators may open that tunnel, and to which instances, is controlled by their IAM permissions on ssm:StartSession.

Conclusion

By following this guide, you have successfully set up a Windows EC2 instance for RDP access via SSM using Pulumi in TypeScript. This solution enhances security by eliminating the need to expose RDP ports to the internet and leverages AWS Systems Manager for secure and managed access.

Full Code Example

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create an IAM Role that the EC2 instance assumes; the SSM Agent uses it to
// register with Systems Manager and to open Session Manager channels.
const ssmRole = new aws.iam.Role("ssmRole", {
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [
            {
                Action: "sts:AssumeRole",
                Principal: {
                    Service: "ec2.amazonaws.com",
                },
                Effect: "Allow",
            }
        ]
    })
});

// Attach the AmazonSSMManagedInstanceCore policy to the role
const ssmRolePolicyAttachment = new aws.iam.RolePolicyAttachment("ssmRolePolicyAttachment", {
    role: ssmRole.name,
    policyArn: "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
});

// An EC2 instance is given an instance profile, not a role directly
const ssmInstanceProfile = new aws.iam.InstanceProfile("ssmInstanceProfile", {
    role: ssmRole.name,
});

// Security Group: no ingress block, so nothing inbound. RDP arrives through the
// Session Manager tunnel, which the SSM Agent opens outbound over HTTPS, so
// port 3389 is never exposed. Egress is limited to TCP 443 (Systems Manager
// endpoints, Windows Update); add further outbound rules only as needed.
const rdpSecurityGroup = new aws.ec2.SecurityGroup("rdpSecurityGroup", {
    description: "No inbound; HTTPS egress for the SSM Agent",
    egress: [
        {
            protocol: "tcp",
            fromPort: 443,
            toPort: 443,
            cidrBlocks: ["0.0.0.0/0"],
        }
    ]
});

// Resolve the current Windows Server AMI from the public SSM parameter instead
// of hard-coding an AMI id (which is region-specific and easy to get wrong)
const windowsAmi = aws.ssm.getParameter({
    name: "/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base",
});

// Launch a Windows EC2 Instance. The SSM Agent is preinstalled on AWS Windows
// AMIs; the instance only needs a route to the Systems Manager endpoints
// (internet route from its subnet, or VPC interface endpoints for ssm,
// ssmmessages and ec2messages).
const ec2Instance = new aws.ec2.Instance("windowsInstance", {
    ami: windowsAmi.then(p => p.value),
    instanceType: "t3.medium", // Windows Server needs more memory than t2.micro offers
    vpcSecurityGroupIds: [rdpSecurityGroup.id],
    iamInstanceProfile: ssmInstanceProfile.name,
    keyName: "your-key-pair-name", // Replace with your key pair name; used to decrypt the Administrator password
    tags: {
        Name: "WindowsInstance",
    },
}, { dependsOn: [ssmRolePolicyAttachment] }); // role must be usable when the agent first starts

// Custom Session document that forwards ONLY TCP 3389 on the instance. Operators
// can be granted ssm:StartSession on this document rather than on the
// general-purpose AWS-StartPortForwardingSession document (any port).
const ssmDocument = new aws.ssm.Document("rdpSessionDocument", {
    documentType: "Session",
    documentFormat: "JSON",
    content: JSON.stringify({
        schemaVersion: "1.0",
        description: "Session Manager port forwarding for RDP (3389)",
        sessionType: "Port",
        parameters: {
            localPortNumber: {
                type: "String",
                description: "Local port on the operator's machine",
                default: "13389",
            },
        },
        properties: {
            portNumber: "3389",
            type: "LocalPortForwarding",
            localPortNumber: "{{ localPortNumber }}",
        },
    })
});

export const instanceId = ec2Instance.id;
export const instancePublicIp = ec2Instance.publicIp; // not needed for the tunnel; present only if the subnet assigns one
export const instancePrivateIp = ec2Instance.privateIp;
// Operator-side command: open the tunnel, then point the RDP client at localhost:13389
export const startRdpTunnel = pulumi.interpolate`aws ssm start-session --target ${ec2Instance.id} --document-name ${ssmDocument.name} --parameters '{"localPortNumber":["13389"]}'`;
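The program above covers the instance side. What it does not show is the operator side: who is allowed to call ssm:StartSession, against which instance and with which Session document. The following is an added example, not part of the original Pulumi program, that builds that policy as a plain object (the output of JSON.stringify is what you would pass to aws.iam.Policy) and includes a small review helper that flags statements granting ssm:StartSession more broadly than "this instance, this document". The region, account id, instance id and document name are placeholders.

```typescript
// Added example (not from the original program): operator-side IAM policy for
// the RDP tunnel, plus a check for over-broad ssm:StartSession grants.
// All identifiers below are placeholders for illustration.

interface Statement {
    Sid?: string;
    Effect: "Allow" | "Deny";
    Action: string | string[];
    Resource: string | string[];
    Condition?: Record<string, Record<string, string | string[]>>;
}

interface PolicyDocument {
    Version: "2012-10-17";
    Statement: Statement[];
}

interface SessionPolicyInput {
    region: string;
    accountId: string;
    instanceId: string;    // the i-... id exported by the stack
    documentName: string;  // custom document name, or an AWS-* managed one
}

// AWS-owned documents carry no account id in their ARN
// (arn:aws:ssm:REGION::document/NAME); customer-owned documents do.
function sessionDocumentArn(region: string, accountId: string, name: string): string {
    const owner = name.startsWith("AWS-") ? "" : accountId;
    return `arn:aws:ssm:${region}:${owner}:document/${name}`;
}

function operatorSessionPolicy(i: SessionPolicyInput): PolicyDocument {
    const instanceArn = `arn:aws:ec2:${i.region}:${i.accountId}:instance/${i.instanceId}`;
    return {
        Version: "2012-10-17",
        Statement: [
            {
                // Both the instance AND the document are named as resources. Without
                // the SessionDocumentAccessCheck condition, ssm:StartSession is
                // evaluated against the instance only, and any document (including
                // an interactive shell) would be allowed.
                Sid: "StartRdpTunnelToOneInstance",
                Effect: "Allow",
                Action: "ssm:StartSession",
                Resource: [instanceArn, sessionDocumentArn(i.region, i.accountId, i.documentName)],
                Condition: { BoolIfExists: { "ssm:SessionDocumentAccessCheck": "true" } },
            },
            {
                // Operators may end or resume only sessions they started themselves
                Sid: "ManageOwnSessions",
                Effect: "Allow",
                Action: ["ssm:TerminateSession", "ssm:ResumeSession"],
                Resource: "arn:aws:ssm:*:*:session/${aws:username}-*",
            },
            {
                // Read-only calls the CLI and console make while connecting
                Sid: "DescribeSessions",
                Effect: "Allow",
                Action: ["ssm:DescribeSessions", "ssm:GetConnectionStatus",
                         "ssm:DescribeInstanceProperties", "ec2:DescribeInstances"],
                Resource: "*",
            },
        ],
    };
}

// Review helper: flags Allow statements whose ssm:StartSession grant is not
// pinned to a document (and therefore permits any session type).
function findOverbroadStartSession(policy: PolicyDocument): string[] {
    const findings: string[] = [];
    for (const s of policy.Statement) {
        if (s.Effect !== "Allow") continue;
        const actions = (Array.isArray(s.Action) ? s.Action : [s.Action]).map(a => a.toLowerCase());
        if (!actions.some(a => a === "*" || a === "ssm:*" || a === "ssm:startsession")) continue;
        const resources = Array.isArray(s.Resource) ? s.Resource : [s.Resource];
        const label = s.Sid ?? "<no Sid>";
        if (resources.includes("*")) {
            findings.push(`${label}: ssm:StartSession on every instance with every document`);
            continue;
        }
        const namesDocument = resources.some(r => r.includes(":document/"));
        const docCheck = s.Condition?.BoolIfExists?.["ssm:SessionDocumentAccessCheck"] === "true";
        if (!namesDocument || !docCheck) {
            findings.push(`${label}: document not enforced (needs a document ARN plus ssm:SessionDocumentAccessCheck)`);
        }
    }
    return findings;
}

// Illustration with placeholder identifiers; in the stack, use the real
// instance id and the document name Pulumi assigned to rdpSessionDocument.
const policy = operatorSessionPolicy({
    region: "us-east-1",
    accountId: "123456789012",
    instanceId: "i-0123456789abcdef0",
    documentName: "rdpSessionDocument",
});
console.log(JSON.stringify(policy, null, 2));
console.log("findings:", findOverbroadStartSession(policy));
```

The point of the condition key is easy to miss: a statement that allows ssm:StartSession on an instance ARN alone already lets the operator open an interactive PowerShell session on that instance through the default session document. Naming the document as a second resource and adding ssm:SessionDocumentAccessCheck is what turns "can reach this instance" into "can open this particular tunnel".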
