AWS Windows SSM Port Forwarding, too easy


👋 Hey there!

Recently, I had to configure some Windows boxes for a project and was reminded of how simple it was to access them without needing a Bastion host by using SSM port forwarding. 🙌

In this post, I will guide you through the steps to get it up and running. So, let’s get started! 🚀

Setup

IAM

As with everything in AWS, IAM is at the heart of it: the instance role must grant the SSM Agent permission to communicate with the SSM endpoint. For this there is an AWS managed IAM policy named AmazonSSMManagedInstanceCore.

NOTE: The previous policy, AmazonEC2RoleforSSM, has been deprecated in favour of this new one, as it contained far more permissions than required for basic SSM functionality. Make sure you update your instance profiles!

👍 Reviewing the permissions overview, it’s clear that the policy is well-targeted and adheres to the principle of least privilege access.
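The role and instance-profile setup above, plus the migration off the deprecated policy, as an added shell example (not code from the original post). The role name is whatever you pass in; the two policy ARNs are the real AWS managed ones, and setting `AWS=echo` lets you dry-run the script to see exactly which CLI calls it would make:

```bash
#!/bin/sh
# Added example (not from the original post): create an EC2 instance role and
# instance profile carrying only AmazonSSMManagedInstanceCore, and migrate an
# existing role off the deprecated AmazonEC2RoleforSSM policy.
# The role/profile name is supplied by the caller (assumption: one name for both).
set -eu

AWS=${AWS:-aws}   # set AWS=echo to dry-run and print the calls instead of making them

SSM_CORE_ARN=arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
LEGACY_SSM_ARN=arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM

# Trust policy: only the EC2 service may assume the role (no other principals).
ec2_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Create a role and a same-named instance profile with only the SSM core policy.
create_ssm_instance_profile() {
  role=$1
  $AWS iam create-role --role-name "$role" \
    --assume-role-policy-document "$(ec2_trust_policy)" >/dev/null
  $AWS iam attach-role-policy --role-name "$role" --policy-arn "$SSM_CORE_ARN"
  $AWS iam create-instance-profile --instance-profile-name "$role" >/dev/null
  $AWS iam add-role-to-instance-profile --instance-profile-name "$role" --role-name "$role"
}

# Migrate an existing role: attach the new policy BEFORE detaching the legacy one,
# so the agent never loses its SSM permissions mid-swap.
migrate_legacy_ssm_policy() {
  role=$1
  $AWS iam attach-role-policy --role-name "$role" --policy-arn "$SSM_CORE_ARN"
  $AWS iam detach-role-policy --role-name "$role" --policy-arn "$LEGACY_SSM_ARN"
}

# List roles that still carry the legacy policy, so you know what to migrate.
roles_with_legacy_policy() {
  $AWS iam list-entities-for-policy --policy-arn "$LEGACY_SSM_ARN" \
    --entity-filter Role --query 'PolicyRoles[].RoleName' --output text
}
```

Run `roles_with_legacy_policy` first, then `migrate_legacy_ssm_policy <role>` for each result; new instances get `create_ssm_instance_profile <role>` and are launched with that instance profile.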

SSM Endpoint

Our instance needs to be able to reach the regional SSM endpoint on port 443. This can be via a NAT gateway or a private endpoint from a private subnet, or directly out from a public subnet.

NOTE: For anything of value, 🔒 build the setup using private subnets and appropriate restrictions.

AWS CLI

The final piece is the following command; replace the target with your instance ID.

aws ssm start-session --target "i-012345a01abd123ab" --document-name AWS-StartPortForwardingSession --parameters "localPortNumber=4489,portNumber=3389"

👉 This will create a tunnel using the SSM Agent on the Windows instance via the Systems Manager Endpoint to the local laptop. This tunnel will pass traffic from port 4489 on the local laptop to port 3389 on the Windows instance.

NOTE: The command will output the SessionId and the port opened. It needs to stay running for the duration of the session.

Now, with an RDP client pointed at localhost:4489, the connection is forwarded to port 3389 on the Windows instance, giving the same experience as connecting directly to it.

Hit connect and voila!
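The whole procedure above (start the tunnel, wait for it, connect) as an added POSIX shell wrapper; this is example code, not from the original post. It assumes the session-manager-plugin output contains a "SessionId:" line and a "Port <n> opened" line (the post says it prints both), and that an RDP client such as mstsc.exe or xfreerdp is on the PATH; the instance ID and port checks keep untrusted input out of the command line:

```bash
#!/bin/sh
# Added example (not from the original post): validate inputs, start the SSM
# port-forwarding session in the background, wait for the agent to report the
# local port open, print the SessionId (useful for audit or terminate-session),
# then launch an RDP client. Assumptions: the "SessionId:" and "Port <n> opened"
# lines match what the session-manager-plugin prints.
set -eu

# An EC2 instance ID is "i-" plus 8 (legacy) or 17 hex characters.
valid_instance_id() {
  printf '%s' "$1" | grep -Eq '^i-([0-9a-f]{8}|[0-9a-f]{17})$'
}

# A TCP port: digits only, between $2 (minimum) and 65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge "$2" ] && [ "$1" -le 65535 ]
}

# Print the CLI invocation from the post for validated inputs.
# Local port must be unprivileged (>=1024); remote port defaults to RDP (3389).
build_start_session_cmd() {
  instance=$1; local_port=$2; remote_port=${3:-3389}
  valid_instance_id "$instance" || { echo "invalid instance id: $instance" >&2; return 1; }
  valid_port "$local_port" 1024 || { echo "invalid local port: $local_port" >&2; return 1; }
  valid_port "$remote_port" 1   || { echo "invalid remote port: $remote_port" >&2; return 1; }
  printf 'aws ssm start-session --target %s --document-name AWS-StartPortForwardingSession --parameters localPortNumber=%s,portNumber=%s\n' \
    "$instance" "$local_port" "$remote_port"
}

# Extract the SessionId from the captured start-session output in file $1.
session_id_from_log() {
  sed -n 's/.*SessionId: \([^ ]*\).*/\1/p' "$1" | head -n 1
}

# Poll the captured output until port $2 is reported open (success), an error
# shows up (failure), or $3 seconds elapse (failure).
wait_for_tunnel() {
  log=$1; port=$2; timeout=${3:-30}; waited=0
  while [ "$waited" -lt "$timeout" ]; do
    grep -q "Port $port opened" "$log" 2>/dev/null && return 0
    grep -qiE 'error|denied|notconnected' "$log" 2>/dev/null && return 1
    sleep 1; waited=$((waited + 1))
  done
  return 1
}

# Start the tunnel, wait for it, and hand off to an RDP client.
rdp_via_ssm() {
  instance=$1; local_port=${2:-4489}
  cmd=$(build_start_session_cmd "$instance" "$local_port")   # aborts on invalid input
  log=$(mktemp)
  # Inputs were validated above, so the command string holds no shell metacharacters.
  sh -c "$cmd" >"$log" 2>&1 &
  tunnel_pid=$!
  # Always tear the tunnel down when this script exits, however it exits.
  trap 'kill "$tunnel_pid" 2>/dev/null; rm -f "$log"' EXIT INT TERM
  if ! wait_for_tunnel "$log" "$local_port" 30; then
    echo "tunnel did not come up; session output:" >&2; cat "$log" >&2; return 1
  fi
  echo "SessionId $(session_id_from_log "$log"): localhost:$local_port -> $instance:3389"
  if command -v mstsc.exe >/dev/null 2>&1; then     # Windows / WSL
    mstsc.exe "/v:localhost:$local_port"
  elif command -v xfreerdp >/dev/null 2>&1; then    # Linux
    xfreerdp "/v:localhost:$local_port"
  else
    echo "Point your RDP client at localhost:$local_port; Ctrl-C closes the tunnel."
    wait "$tunnel_pid"
  fi
}

# Usage: ./rdp_via_ssm.sh i-012345a01abd123ab [local-port]
if [ "$#" -gt 0 ]; then rdp_via_ssm "$@"; fi
```

The `trap` is the important part: killing the backgrounded `start-session` when the script exits closes the listener on the laptop, so no forgotten tunnel is left open after the RDP client is closed.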

Summary

The above is a great way to get RDP connectivity quickly, but it is also a long-term solution that can be integrated with audit and logging to ensure all connections are tracked and properly authorised. Best of all, it removes the costly bastion hosts that need patching.

Hope someone else finds this useful.

Cheers!
