The Systems Manager (SSM) streamlines managing Windows instances in AWS. If you’ve ever forgotten the password for your Windows EC2 instance, SSM offers a secure and efficient way to reset it without additional tools or manual intervention.
Objective & Business Requirement
In a production environment, losing access to a Windows EC2 instance due to an unknown or non-working password can cause significant downtime. Instead of taking a backup, creating a new instance, and reconfiguring the environment—which is time-consuming and impacts business operations—we leverage AWS Systems Manager (SSM) to efficiently recover access without disruption.
- Recovery Process
- Prerequisites
- Configuration Overview
- Best Practices
- Conclusion
Prerequisites
Before you start, ensure the following prerequisites are met:
- SSM Agent Installed: The SSM agent must be installed and running on the Windows instance. AWS provides pre-configured AMIs with the agent installed.
- IAM Role Attached: Attach an IAM role to your instance with the necessary permissions. The policy should include:
- AmazonSSMManagedInstanceCore
- AmazonSSMFullAccess (or custom permissions to allow session management and run commands).
- Instance Managed by SSM: The instance must be registered as a managed instance in Systems Manager.
Configuration Overview
Follow this procedure if all you need is a PowerShell prompt on the target instance.
1. Log in to the AWS Management Console
- Navigate to the EC2 service in the AWS Management Console.
- Open the instance in the AWS console & click Connect.
- This opens a PowerShell session running as the “ssm-user” account.
2. Verify the Active Users and Run Commands to Reset the Password
With the session active, follow these steps to reset the password:
- Run the following PowerShell command to list the local users: Get-LocalUser
- Identify the username for which you need to reset the password.
- Reset the password using the following command:
net user <username> <password>
Replace <username> with the actual username and <password> with your new password.
3. Validate the New Password
- Use Remote Desktop Protocol (RDP) to log into the Windows instance using the updated credentials.
- To open an RDP connection to the instance in your browser, follow this procedure.
- Open the instance in the AWS console & click Connect:
- Switch to the “RDP client” tab & use Fleet Manager:
- You should now be able to access the server through the “RDP client” tab.
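The reset step above can be scripted so that the new password is never typed in clear text into the session transcript and the account state is verified afterwards. The following script is an added example, not part of the original post; it assumes it is run inside the Session Manager PowerShell session as ssm-user (a local administrator) on Windows PowerShell 5.1 or later, and the minimum length of 14 is a placeholder for your own password policy.

```powershell
# Added example (not from the original post): reset a local Windows account
# password from inside an SSM Session Manager PowerShell session.
# Assumes: the session runs as ssm-user (member of local Administrators) and
# the Microsoft.PowerShell.LocalAccounts module is available (Windows PS 5.1+).
param(
    [Parameter(Mandatory = $true)][string]$UserName,
    [int]$MinimumLength = 14   # assumed value; replace with your policy's minimum
)

# 1. List local accounts so the right one is chosen (the Get-LocalUser step).
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet | Format-Table -AutoSize

$user = Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue
if (-not $user) { throw "Local user '$UserName' does not exist on this instance." }

# 2. Read the new password as a SecureString so it is not echoed into the
#    session log (unlike "net user <username> <password>").
$secure = Read-Host -Prompt "New password for $UserName" -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try   { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# 3. Minimal policy check before touching the account: length plus at least
#    three of four character classes.
$classes = @('[A-Z]', '[a-z]', '\d', '[^A-Za-z0-9]') | Where-Object { $plain -match $_ }
if ($plain.Length -lt $MinimumLength -or $classes.Count -lt 3) {
    throw "Password does not meet policy (length >= $MinimumLength, 3 character classes)."
}
Remove-Variable plain

# 4. Reset the password and make sure the account is usable for RDP.
Set-LocalUser -Name $UserName -Password $secure
if (-not $user.Enabled) { Enable-LocalUser -Name $UserName }

# 5. Verify: PasswordLastSet should now be within the last minute.
$after = Get-LocalUser -Name $UserName
if ($after.PasswordLastSet -lt (Get-Date).AddMinutes(-1)) {
    throw "PasswordLastSet was not updated; the reset did not take effect."
}
Write-Output "Password for '$UserName' reset at $($after.PasswordLastSet) (Enabled=$($after.Enabled))."

# 6. Leave a local audit record alongside the CloudTrail entry for the SSM session.
$msg = "SSM-assisted local password reset for '$UserName' by $env:USERNAME on $env:COMPUTERNAME"
if (-not [System.Diagnostics.EventLog]::SourceExists('SSMPasswordReset')) {
    New-EventLog -LogName Application -Source 'SSMPasswordReset'
}
Write-EventLog -LogName Application -Source 'SSMPasswordReset' -EventId 1000 -EntryType Information -Message $msg
```

Save it on the instance (for example as Reset-LocalPassword.ps1) and run it as .\Reset-LocalPassword.ps1 -UserName <username>; the Application event log entry and the CloudTrail StartSession record together show who reset which account and when.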
Best Practices
- Strong Password Policy: Ensure the new password adheres to your organization’s password policy for security.
- Audit Logs: Use AWS CloudTrail to monitor who initiated the SSM session and track changes made.
- Restrict Access: Limit who can access SSM and manage your instances by defining strict IAM policies.
Troubleshooting Tips for Password Recovery
- SSM Agent Issues: If the instance isn’t listed in SSM, verify that the SSM agent is installed and running.
- IAM Role Misconfigurations: Ensure the IAM role attached to the instance has the correct permissions.
- Session Manager Setup: If using the CLI, confirm that the Session Manager plugin is installed and correctly configured on your local machine.
Conclusion
AWS Systems Manager is a powerful tool that simplifies Windows password recovery and enhances the overall management and security of your instances. By leveraging SSM, you can avoid downtime, maintain access to critical instances, and adhere to AWS best practices for operational efficiency.