
AWS EC2 Windows RDP Security

Most likely you are working with some form of cloud infrastructure these days, whether Amazon AWS, Google GCP, or Microsoft Azure. I had a question from a team I was working with not too long ago about Windows RDP security on an Amazon AWS EC2 instance. The assumption was that a security group could allow 3389 to the world because a “key pair” was used in conjunction with the Windows Server RDP connection. In this post I want to explore some of the misconceptions about how the RDP session works when you provision a Windows host as an Amazon AWS EC2 instance.

How Windows EC2 instances use the AWS key pairs

The way Windows EC2 instances use key pairs differs from Linux instances, both for security and for connectivity. How so? When you launch a Windows EC2 instance, the AWS launch agent on the instance (EC2Launch or EC2Config, depending on the AMI) generates a random password for the local Administrator account at first boot; you never set that password yourself.

The key pair is only used to retrieve that password. The launch agent encrypts the generated password with the public key of the key pair you chose at launch, and only the matching private key (the .pem file you downloaded) can decrypt it. Once decrypted, the password is just a string: you can save it in your password manager, or anywhere else, and use it to connect to the Windows instance over RDP.

This also means you do not need to be in possession of the private key to connect to the Windows instance, unlike SSH to a Linux EC2 instance, where the private key is presented on every connection. Anyone who holds the password and can reach TCP 3389 on the instance can log in.
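To make the mechanism concrete, here is a small shell script I have added for this post (it is not part of AWS's tooling or of the console steps below) that replays the flow offline. A locally generated RSA key pair stands in for the AWS key pair, one function plays the launch agent that encrypts a freshly generated Administrator password with the public key, and another does what the Get password button and aws ec2 get-password-data --priv-launch-key do: decrypt the blob with the private key. The instance ID in the comment is a placeholder, and the file names and sample password are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Replays the EC2 Windows password
# flow offline with a locally generated RSA key pair standing in for the AWS
# key pair. No AWS calls are made; everything under $WORKDIR is constructed.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
PRIV="$WORKDIR/my-key-pair.pem"   # the .pem you download when you create the key pair
PUB="$WORKDIR/my-key-pair.pub"    # the public half that AWS stores with the key pair

# The key pair: you keep the private key, AWS keeps only the public key.
gen_keypair() {
  openssl genrsa -out "$PRIV" 2048 2>/dev/null
  openssl rsa -in "$PRIV" -pubout -out "$PUB" 2>/dev/null
}

# What the launch agent on the instance does at first boot: take the generated
# Administrator password, encrypt it with the PUBLIC key (RSA PKCS#1 v1.5, the
# padding the AWS tooling expects) and publish the base64 blob as PasswordData.
# The private key is never on the instance and is not needed to log in.
simulate_launch_agent() {
  password="$1"
  printf '%s' "$password" \
    | openssl pkeyutl -encrypt -pubin -inkey "$PUB" \
    | base64 | tr -d '\n'
}

# What "Get password" in the console does, and what this real command does
# (instance ID is a placeholder, not run here):
#   aws ec2 get-password-data --instance-id i-0123456789abcdef0 \
#       --priv-launch-key my-key-pair.pem
# The blob is decrypted locally with the PRIVATE key. The result is a plain
# password that works over RDP with no further involvement of the key pair.
decrypt_password_data() {
  password_data="$1"
  printf '%s' "$password_data" | base64 -d | openssl pkeyutl -decrypt -inkey "$PRIV"
}

demo() {
  gen_keypair
  password="$(openssl rand -base64 18)"   # constructed stand-in for the generated password
  blob="$(simulate_launch_agent "$password")"
  echo "PasswordData (first 40 chars): $(printf '%s' "$blob" | cut -c1-40)..."
  echo "Decrypted with the private key: $(decrypt_password_data "$blob")"
}

demo
```

The point of the script is the last line of output: once the private key has been used once to turn PasswordData back into text, the key pair is out of the picture, and the password is all an RDP client needs.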

AWS EC2 Windows RDP Security

Let’s walk through what it looks like to configure an AWS EC2 Windows instance and establish an RDP connection. I am not posting all the screenshots related to creating a Windows instance (instance size, storage, and so on). However, starting at step 6, Configure Security Group, you can see that the default security group configuration allows connections to port 3389 from any source (0.0.0.0/0).

New aws ec2 windows instance default security group configuration

The console shows an informational warning noting that this security group rule allows connections from any IP address on the internet.

Warning about allowing all external connectivity to your windows aws ec2 instance

The next step is where confusion can set in for those creating their first Windows AWS EC2 instance. After you choose to launch the instance, you are prompted to select an existing key pair or create a new one. Many assume that the ability to connect to the Windows instance will be gated by this key.

Selecting an existing aws key pair or creating a new one during windows aws ec2 launch

After you select or create a key pair and launch the instance, wait until it is running; you can then right-click it and choose Connect to connect to your new AWS EC2 Windows instance.

Selecting to connect to the aws ec2 windows instance

When you choose Connect, you see the Connect to instance screen. Here you have a couple of options: you can download the remote desktop (.rdp) file, and you can click the Get password link to retrieve the password for the local Administrator account on the instance.

Decrypting the default administrator password with the aws ec2 key pair

Once you click the Get password link, you select the private key file (.pem) for the key pair you downloaded in step 7. Its contents are loaded into the form, and you can then click the Decrypt password button.

Decrypting and displaying the default administrator password

After you click the Decrypt Password button, the password is displayed in clear text under the Password section.

The aws ec2 windows instance default password is decrypted and displayed in clear text

Again, this is where misconceptions arise about the role the key pair plays in connecting to the AWS EC2 Windows instance. Unlike a Linux EC2 instance, where you must present the private key to open an SSH session, for Windows the key pair is used only to recover the password, not to authenticate the connection. As you can see below, I can connect directly to the IP address of my Windows AWS EC2 instance with the password that was displayed in clear text, and the key pair is never involved.

You can connect to the aws ec2 windows instance using the password without the key pair

Importance of understanding the key pair role with AWS EC2 Windows instances

Why is it important to understand how the key pair is used? Many people get a false sense of security with Windows AWS EC2 instances, believing their RDP port is safer in AWS because a key pair is required. As shown, the key pair is used only to decrypt the initial Administrator password that AWS generates. What’s more, that password can later be changed to something weaker.

Amazon details that process here: Set the password for a Windows instance – Amazon Elastic Compute Cloud. AWS EC2 Windows RDP security therefore still has to be designed in when you configure and use Windows EC2 instances. That starts with scoping down who can reach the instance by means of the AWS Security Group (for example, allowing TCP 3389 only from known source addresses rather than from 0.0.0.0/0), in addition to other controls.
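As an added example (not from the original post), the following shell script audits the text output of aws ec2 describe-security-groups for inbound rules that let the whole internet reach TCP 3389. The tab-separated layout it parses is my assumption about the CLI’s --output text format, and the security group records in sample_sg_text are constructed; the group IDs, account number, and addresses are placeholders. It catches the console default (3389/tcp from 0.0.0.0/0 and ::/0), all-traffic rules, and port ranges that happen to include 3389, and it ignores outbound rules and rules scoped to a single address.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Audits the text output of
#   aws ec2 describe-security-groups --output text
# for inbound rules that expose TCP 3389 to the internet. The tab-separated
# layout (record tag first, then the fields in alphabetical key order) is an
# assumption about the CLI's text format; the sample data below is constructed.
set -eu

# Reads describe-security-groups text output on stdin and prints one
# "<group-id> <rule> <cidr>" line per inbound rule that lets 0.0.0.0/0 or ::/0
# reach port 3389.
audit_rdp_open_to_world() {
  awk -F '\t' '
    $1 == "SECURITYGROUPS" {
      for (i = 2; i <= NF; i++) if ($i ~ /^sg-/) gid = $i    # group id, wherever the column lands
      covers = 0
    }
    $1 == "IPPERMISSIONS" { covers = 0 }                               # FromPort IpProtocol ToPort
    $1 == "IPPERMISSIONS" && $2 == "-1" { covers = 1; rule = "all" }   # all protocols, all ports
    $1 == "IPPERMISSIONS" && $3 == "tcp" && $2 + 0 <= 3389 && $4 + 0 >= 3389 {
      covers = 1; rule = $2 "-" $4 "/" $3                            # a TCP range that includes 3389
    }
    $1 == "IPPERMISSIONSEGRESS" { covers = 0 }                         # outbound rules do not expose RDP
    covers && ($1 == "IPRANGES" || $1 == "IPV6RANGES") &&
      ($2 == "0.0.0.0/0" || $2 == "::/0") { print gid, rule, $2 }
  '
}

# Constructed sample in the assumed format: the launch-wizard default (RDP from
# anywhere, IPv4 and IPv6), a group scoped to one office address, and a group
# with an all-traffic rule plus a wide TCP range that includes 3389.
sample_sg_text() {
  printf 'SECURITYGROUPS\tlaunch-wizard-1 created by the console\tsg-0aaa111\tlaunch-wizard-1\t123456789012\tvpc-0111\n'
  printf 'IPPERMISSIONS\t3389\ttcp\t3389\n'
  printf 'IPRANGES\t0.0.0.0/0\n'
  printf 'IPV6RANGES\t::/0\n'
  printf 'IPPERMISSIONSEGRESS\t-1\n'
  printf 'IPRANGES\t0.0.0.0/0\n'
  printf 'SECURITYGROUPS\tRDP from office\tsg-0bbb222\trdp-from-office\t123456789012\tvpc-0111\n'
  printf 'IPPERMISSIONS\t3389\ttcp\t3389\n'
  printf 'IPRANGES\t203.0.113.10/32\n'
  printf 'IPPERMISSIONS\t80\ttcp\t80\n'
  printf 'IPRANGES\t0.0.0.0/0\n'
  printf 'IPPERMISSIONSEGRESS\t-1\n'
  printf 'IPRANGES\t0.0.0.0/0\n'
  printf 'SECURITYGROUPS\twide open\tsg-0ccc333\twide-open\t123456789012\tvpc-0111\n'
  printf 'IPPERMISSIONS\t-1\n'
  printf 'IPRANGES\t0.0.0.0/0\n'
  printf 'IPPERMISSIONS\t3000\ttcp\t4000\n'
  printf 'IPRANGES\t0.0.0.0/0\n'
}

# Remediation for a flagged group with the real CLI (not run here; group id and
# source address are placeholders): drop the world rules and re-add 3389 only
# for the addresses that actually need it.
#   aws ec2 revoke-security-group-ingress    --group-id sg-0aaa111 --protocol tcp --port 3389 --cidr 0.0.0.0/0
#   aws ec2 revoke-security-group-ingress    --group-id sg-0aaa111 \
#       --ip-permissions 'IpProtocol=tcp,FromPort=3389,ToPort=3389,Ipv6Ranges=[{CidrIpv6=::/0}]'
#   aws ec2 authorize-security-group-ingress --group-id sg-0aaa111 --protocol tcp --port 3389 --cidr 203.0.113.10/32

sample_sg_text | audit_rdp_open_to_world
```

Run against live data with aws ec2 describe-security-groups --output text piped into audit_rdp_open_to_world; an empty result means no inbound rule in the account and region reaches 3389 from the whole internet, while sg-0bbb222 in the sample shows what a correctly scoped RDP rule looks like.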


Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com and has over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, Brandon has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family.

