RDP Into Instance Without Opening Any Inbound Port

Yes, you read that right: you can RDP into your instances through AWS Systems Manager without opening any inbound port. What is Systems Manager? AWS Systems Manager lets you manage your applications, EC2 instances, and on-prem resources in one place. It has many features, such as an inventory of your infrastructure, patching, maintenance windows, automation jobs, and more. In this article, I'll focus on Fleet Manager (one of Systems Manager's components), which lets you RDP to instances in a browser, browse the file system of nodes, manage processes, and view live metrics of your systems. Systems Manager and Fleet Manager rely on the SSM Agent installed on the instances.

Summary

This walkthrough shows how to set up your EC2 instances in Systems Manager/Fleet Manager and how to manage those nodes from the console.

Setup Steps

1. SSM agent

SSM Agent is the core component of this solution: it lets EC2 instances communicate with Systems Manager. In most cases, SSM Agent is preinstalled on Amazon-provided AMIs. If your instance doesn't have it installed, download and install it using the applicable link: Windows, or Linux (select your distribution and download).

2. Open Outbound port

SSM Agent needs outbound port 443 (HTTPS) allowed in the security group attached to your instances. The agent initiates every connection to Systems Manager itself, which is why no inbound rule is required.

In most cases, all outbound traffic is permitted. If not, follow the steps below.

  • Go to EC2 Service --> Select your instance --> Switch to the Security tab
  • Click on a security group to modify --> Click on outbound rules
  • Click Edit outbound rules --> Click Add rule
  • Select 'HTTPS' for type --> Anywhere-IPv4 for Destination --> Click Save rules

3. IAM role

This step is critical: Fleet Manager won't list the machine unless the role is attached.

  • Search for IAM, click Roles in the left pane --> click Create role
  • Select AWS service as the trusted entity type and EC2 as the use case, then click Next
  • Search for and select the AmazonSSMManagedInstanceCore AWS managed policy and click Next
  • Enter the role name ssmRole and click Create role

4. Apply tags (optional)

This step is optional. If you are going to attach the IAM role manually, skip it. I have a Python script (below) that uses these tags if you want to attach the role at scale.

  • Search for AWS Resource Groups and, in the left pane, select Tag Editor
  • Select the region and the AWS::EC2::Instance resource type --> click Search resources
  • All the EC2 instances should appear at the bottom; select the instances you want to tag --> click Manage tags of selected resources
  • Click Add tag, enter manage as the tag key and ssm as the tag value, click Review and apply tag changes --> click Apply changes to all selected

5. Attach the IAM role to instances

I. Manually

  • Go to EC2 Service --> Select your instance --> Click Actions
  • Click Security --> Click Modify IAM role
  • Search for and select ssmRole --> Click Update IAM role
  • Repeat the steps above for other instances as well.

II. Python Script

If you have many instances, try the script below. Prerequisites for the script:

  • Python and boto3 module installed on your computer
  • AWS CLI configured
  • Tags applied above

import boto3
from botocore.exceptions import ClientError

client = boto3.client('ec2')

# Collect every instance tagged manage=ssm (the tag applied in step 4).
# Paginate so accounts with many instances are fully covered.
instances = []
paginator = client.get_paginator('describe_instances')
for page in paginator.paginate(Filters=[{'Name': 'tag:manage', 'Values': ['ssm']}]):
    for reservation in page['Reservations']:
        # A reservation can contain several instances; take all of them,
        # not just the first one.
        for instance in reservation['Instances']:
            instances.append(instance['InstanceId'])

if not instances:
    print("No instance found")
else:
    for i in instances:
        try:
            # The console creates an instance profile with the same name as the
            # role, so 'ssmRole' works here as the instance profile name.
            client.associate_iam_instance_profile(
                IamInstanceProfile={'Name': 'ssmRole'},
                InstanceId=i,
            )
        except ClientError as err:
            # Typically IncorrectState: the instance already has a profile attached.
            print(i + " has role attached already: " + str(err))

III. Instance already has an IAM role attached?

Add the policy to that existing role instead:

  • Search for IAM, click Roles in the left pane --> search for the role and click it
  • In the Permissions tab, click Add permissions --> Click Attach policies
  • Search for and select the AmazonSSMManagedInstanceCore AWS managed policy --> click Attach policies

6. Session Manager preferences (somewhat optional)

We need to update some settings so we can enable live monitoring in Fleet Manager and view running processes (covered right after this). This step doesn't limit your ability to RDP or work with the file system, but it is required for monitoring.

  • Go to the Systems Manager service --> Under Node Management, click Session Manager
  • Switch to the Preferences tab --> Click Edit --> Under KMS encryption, enable KMS encryption
  • Choose 'Select a KMS key' --> Click Create new key --> Make sure you are in the correct region
  • Leave Key type and Key usage at their defaults --> Click Next
  • Enter the alias ssmKey --> Click Next
  • Select your account as the key administrator --> Click Next
  • Select ssmRole for this account --> Click Next --> Click Finish

Using Fleet Manager

Go to the Systems Manager service --> Under Node Management, click Fleet Manager. All the instances that have the IAM role attached and the SSM Agent installed should be listed here.

Let's explore the features below.

RDP

Click any instance --> Click Node actions --> Select Connect with Remote Desktop. You will need an accessible key pair or a username/password to sign in to the instance.
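Once RDP goes through Fleet Manager, any inbound 3389 rule left on a security group is exposure with no remaining purpose. The helper below is an added example, not the author's script: it scans security groups for ingress rules that still reach TCP 3389 (including "all traffic" rules). The sample groups and their IDs are constructed, and the live run at the bottom assumes the AWS CLI credentials from the prerequisites above.

```python
RDP_PORT = 3389


def rule_covers_rdp(rule):
    """True if one IpPermissions entry reaches TCP/3389 (or allows all traffic)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # all protocols and all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= RDP_PORT <= rule.get("ToPort", 65535)


def rule_sources(rule):
    """Every CIDR and security-group source listed on one permission entry."""
    sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    sources += [g["GroupId"] for g in rule.get("UserIdGroupPairs", [])]
    return sources


def open_rdp_rules(security_groups):
    """Return (group_id, source) pairs for every ingress rule that reaches 3389.
    security_groups has the shape of describe_security_groups()['SecurityGroups'].
    """
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            if rule_covers_rdp(rule):
                findings.extend((sg["GroupId"], src) for src in rule_sources(rule))
    return findings


# Constructed sample in describe_security_groups shape; the group IDs are made up.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [  # RDP open to the world
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [  # HTTPS only: clean
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [  # all traffic from sg-0bbb
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0bbb"}]}]},
]

if __name__ == "__main__":
    import boto3  # live run against the account configured for the AWS CLI
    live = boto3.client("ec2").describe_security_groups()["SecurityGroups"]
    for group_id, src in open_rdp_rules(live):
        print(f"{group_id} still allows inbound RDP from {src}")
```

A finding on a group attached to a node that already shows up in Fleet Manager is a rule you can delete.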

View/Download Files without login

Click any instance --> Click File System in the left pane.

Here you can create a directory, navigate the file system, and download the files you need.

Performance Monitor

This lets you view CPU utilization, memory usage, network traffic, and disk input/output, all in one place.

Process

This Fleet Manager function lets you view the processes running on your machine. You can also start a new process as long as you know the path to its executable.

Users And Groups

Create or view the groups and users that are part of the machine.

Windows Event logs

This is a very handy feature. You can view Windows event logs right in the portal without logging in to the machine.

Windows registry

This is where you can modify registry keys without logging in to the machine.

That's it! I wanted to share the powerful features of Fleet Manager. As a sysadmin, Systems Manager makes your life a lot easier. In the future, I'll be sharing other Systems Manager features as well, such as using Systems Manager in place of WSUS so you can get rid of your on-prem WSUS server.

Note that you can restrict which of these actions are allowed by updating the policy attached to the IAM role used by your instance.

I have also uploaded a YouTube video on this topic; check it out if you want to see things in action.