Using AWS Systems Manager to regain access to an EC2 machine

Using AWS Systems Manager to regain access to an EC2 machine

The other last night I received a call from a co-worker who added a Windows firewall rule to a production AWS EC2 machine running Server 2016. Soon after he couldn’t access the server via RDP nor were any of the IIS sites loading.

Of course a snapshot was not created prior to the change, because “It worked in Test”.

At first I thought we might be up a creek and restoring from an older backup. But, then I remembered AWS Systems Manager and the ability to send commands to an AWS EC2 machine via the AWS console.

Below are the quick steps I took to disable the Windows Firewall using AWS Systems Manager to regain access into the EC2 machine.

How to use AWS Systems Manager to send PowerShell commands to an EC2 machine

  1. First you need to create a new IAM Role.
    aws iam ec2 role
  2. Next attach the AmazonEC2RoleforSSM policy to the role.
    aws iam ssm role
  3. Then name your new IAM role.
    aws iam create role
  4. Now in your EC2 Dashboard, select the EC2 and go to Actions > Instance Settings > Attach/Replace IAM Role.
    aws attach role to ec2
  5. Select your new IAM role and click on Apply.
    aws add role to ec2
  6. In the left menu, scroll down to “Run Command” under Systems Manager Services and click on Run a command.
    aws run command
  7. From the Command document list select AWS-RunPowerShellScript.
    aws runpowershellscript
  8. Next select your instance you want to run the PowerShell script on.
    aws select instance
  9. Finally, enter your desired PowerShell script. In this case I want to disable the Windows Firewall so I used the following code, then click on Run.
    Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

Within just a few seconds the AWS console showed the command ran successfully and we were able to get back into the EC2 machine.

As for what caused the issue in the first place, the firewall rule was mistakenly entered to block ALL ports instead of the single port that was desired and thus why RDP and the IIS pages both stopped working.

Leave a Reply