AWS Windows SSM Port Forwarding, too easy


👋 Hey there!

Recently, I had to configure some Windows boxes for a project and was reminded of how simple it is to access them, without a bastion host, by using SSM port forwarding. 🙌

In this post, I will guide you through the steps to get it up and running. So, let's get started! 🚀



As with everything in AWS, IAM is at the heart of this: the instance role must grant the permissions needed to communicate with the SSM endpoint. For this, there is an AWS managed IAM policy named AmazonSSMManagedInstanceCore.

NOTE: The previous policy, AmazonEC2RoleforSSM, has been deprecated in favour of this new one, as it contained far more permissions than required for basic SSM functionality. Make sure you update your instance profiles!

SSM Components

๐Ÿ‘ Reviewing the permissions overview, it's clear that the policy is well-targeted and adheres to the principle of least privilege access.

SSM Permissions

SSM Endpoint

Our instance needs to be able to reach the regional SSM endpoint on port 443. In a private subnet this can be via a NAT gateway or a VPC interface endpoint; in a public subnet it can go out directly.

SSM Endpoint VPC

NOTE: 🔒 For anything worth securing, please build this using 🔒 private subnets with appropriate restrictions.


The final piece is the following command, replacing the target with your instance ID.

aws ssm start-session --target "i-012345a01abd123ab" --document-name AWS-StartPortForwardingSession --parameters "localPortNumber=4489,portNumber=3389"

๐Ÿ‘‰ This will create a tunnel using the SSM Agent on the Windows instance via the Systems Manager Endpoint to the local laptop. This tunnel will pass traffic from port 4489 on the local laptop to port 3389 on the Windows instance.

NOTE: The command will output the SessionId and the port opened. The command needs to stay running for the duration of the session.
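As an added example (not from the original post), here is a small shell wrapper around the command above: it validates the instance ID and ports, confirms the SSM agent reports Online, audits the instance role for the two policies discussed earlier, and only then opens the tunnel. It assumes AWS CLI v2, the Session Manager plugin, and credentials allowed to call the ssm, ec2 and iam read APIs.

```shell
# Added example, not from the original post: pre-flight checks wrapped around the
# SSM port-forwarding command. Assumes AWS CLI v2, the Session Manager plugin and
# credentials that may call ssm, ec2 and iam read APIs.
set -eu
# EC2 instance IDs are "i-" followed by 8 or 17 hex characters.
valid_instance_id() {
  printf '%s' "$1" | grep -Eq '^i-([0-9a-f]{8}|[0-9a-f]{17})$'
}

# A TCP port must be a number in 1-65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the --parameters string for AWS-StartPortForwardingSession.
build_params() { printf 'localPortNumber=%s,portNumber=%s' "$1" "$2"; }

# Managed policy names, one per line on stdin. Succeeds only if
# AmazonSSMManagedInstanceCore is attached; warns if the deprecated,
# over-permissive AmazonEC2RoleforSSM is still present.
check_policies() {
  names=$(cat)
  if printf '%s\n' "$names" | grep -qx 'AmazonEC2RoleforSSM'; then
    echo "WARN: AmazonEC2RoleforSSM is deprecated; replace it" >&2
  fi
  printf '%s\n' "$names" | grep -qx 'AmazonSSMManagedInstanceCore'
}
# Live checks, then the tunnel. Runs only when an instance ID is passed.
main() {
  id=$1; lport=${2:-4489}; rport=${3:-3389}
  valid_instance_id "$id" || { echo "bad instance id: $id" >&2; exit 2; }
  { valid_port "$lport" && valid_port "$rport"; } || { echo "bad port" >&2; exit 2; }
  # PingStatus Online means the agent is reaching the regional SSM endpoint.
  status=$(aws ssm describe-instance-information \
    --filters "Key=InstanceIds,Values=$id" \
    --query 'InstanceInformationList[0].PingStatus' --output text)
  [ "$status" = "Online" ] || { echo "agent $status: check IAM role and 443 egress" >&2; exit 3; }
  # Resolve instance profile -> role -> attached policies, then audit them.
  profile=$(aws ec2 describe-instances --instance-ids "$id" \
    --query 'Reservations[0].Instances[0].IamInstanceProfile.Arn' --output text)
  role=$(aws iam get-instance-profile --instance-profile-name "${profile##*/}" \
    --query 'InstanceProfile.Roles[0].RoleName' --output text)
  aws iam list-attached-role-policies --role-name "$role" \
    --query 'AttachedPolicies[].PolicyName' --output text | tr '\t' '\n' \
    | check_policies || echo "WARN: AmazonSSMManagedInstanceCore missing" >&2
  aws ssm start-session --target "$id" --document-name AWS-StartPortForwardingSession \
    --parameters "$(build_params "$lport" "$rport")"
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh ssm-rdp.sh i-012345a01abd123ab 4489 3389`; the warnings go to stderr so the SessionId output stays usable for your audit trail.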


SSM Tunnel

Now, using an RDP client pointing to localhost:4489, the connection is forwarded up to port 3389 on the Windows instance, giving us the same experience as connecting directly to the Windows instance.

RDP Client

Hit connect and voila!

Windows Desktop


The above is a great way to get RDP connectivity quickly, but it is also a long-term solution that can be integrated with auditing and logging to ensure that all connections are tracked and properly authorised. Best of all, it removes the costly bastion hosts that need patching.

Hope someone else finds this useful.

