👋 Hey there!
Recently, I had to configure some Windows boxes for a project and was reminded of how simple it was to access them without needing a Bastion host by using SSM port forwarding. 🙌
In this post, I will guide you through the steps to get it up and running. So, let's get started! 🚀
As with all AWS, IAM is at the heart of granting our instance access to authorise communication with the SSM Endpoint. For this, there is an AWS Managed IAM Policy named
NOTE: The previous policy named
AmazonEC2RoleforSSMhas been depreciated in favour of this new one, as it contained far more permissions than required for basic SSM functionality. Make sure you update your instance profiles!
👍 Reviewing the permissions overview, it's clear that the policy is well-targeted and adheres to the principle of least privilege access.
Our instance needs to be able to communicate on port 443 to the regional SSM endpoint. This can be via a NAT gateway or private endpoint in a private subnet or directly out in a public subnet.
NOTE: For 🔒 security of anything worthy, please create the setup using 🔒 private subnets and appropriate restrictions.
The final piece is the following command, replacing the target with your instance ID.
aws ssm start-session --target "i-012345a01abd123ab" --document-name AWS-StartPortForwardingSession --parameters "localPortNumber=4489,portNumber=3389"
👉 This will create a tunnel using the SSM Agent on the Windows instance via the Systems Manager Endpoint to the local laptop. This tunnel will pass traffic from port 4489 on the local laptop to port 3389 on the Windows instance.
NOTE The command will output the SessionId and port opened. The command will need to stay running for the duration of the session.
Now, using an RDP client pointing to localhost:4489, the connection is forwarded up to port 3389 on the Windows instance, giving us the experience you would get connecting directly to the Windows Instance.
Hit connect and voila!
The above is a great way to get RDP connectivity quickly but also a long term solution that can be integrated with audit and logging to ensure that all connections are tracked and authorised properly. Best of all the removal of costly bastion hosts that need patching.
Hope someone else finds this useful.