Connect using Remote Desktop - AWS Systems Manager

Connect using Remote Desktop

You can use Fleet Manager, a capability of AWS Systems Manager, to connect to your Windows Server 2012 R2 and later instances using the Remote Desktop Protocol (RDP). These Remote Desktop sessions powered by NICE DCV provide secure connections to your instances directly from your browser. With Fleet Manager, you can connect to a maximum of four instances per browser window.

Currently, Fleet Manager supports only English language inputs.

Though you can connect to instances with Fleet Manager using RDP without opening any inbound ports, Fleet Manager only supports operating system configurations that use the default RDP port 3389 at this time. If you've changed the value of the listening port for RDP on your instance, Fleet Manager fails to establish the connection.

When connecting to your instance, you can use Windows credentials or the Amazon EC2 key pair (.pem file) associated with the instance for authentication. For information about Amazon EC2 key pairs, see Amazon EC2 key pairs and Linux instances and Amazon EC2 key pairs and Windows instances in the Amazon EC2 User Guide for Linux Instances and Amazon EC2 User Guide for Windows Instances.

Alternatively, if you're authenticated to the AWS Management Console using AWS IAM Identity Center (successor to AWS Single Sign-On), Fleet Manager integrates with IAM Identity Center so you can connect to your instances without providing additional credentials. Fleet Manager supports IAM Identity Center authenticated RDP connections in the same AWS Region where you enabled IAM Identity Center. User names can be a maximum of 16 characters. For IAM Identity Center authenticated RDP connections, Fleet Manager creates a local user on the instance that persists after the connection ends. IAM Identity Center authenticated RDP connections are not supported for nodes that are Microsoft Active Directory domain controllers.


Note the following important details.

  • To use Fleet Manager with RDP, you must have SSM Agent version or higher running on your instances. For information about how to determine the version number running on an instance, see Checking the SSM Agent version number. For information about manually installing or automatically updating SSM Agent, see Working with SSM Agent.

  • Fleet Manager RDP connections have a maximum session duration of 60 minutes. When that duration is reached, Fleet Manager disconnects the session. You can reconnect to the same session by using your credentials. Alternatively, you can select Renew session before the session ends to restart the duration timer.

  • Fleet Manager RDP connections have an idle session timeout of 10 minutes. When that duration is reached, Fleet Manager disconnects the session. You can reconnect to the same session by using your credentials.

  • If you're connecting to a Windows Server 2022 instance, you might need to install version 2.2.2 or later of the PSReadLine module to ensure keyboard functionality while using PowerShell. The following is an example command.

    Install-Module `
        -Name PSReadLine `
        -Repository PSGallery `
        -MinimumVersion 2.2.2

Because Fleet Manager uses Session Manager to connect to Windows instances using RDP, you must complete the prerequisites for Session Manager before using this feature. Session Manager is a capability of AWS Systems Manager. Session preferences in the AWS account and AWS Region are applied when connecting to your instances using RDP. For information about setting up Session Manager, see Setting up Session Manager.

In addition to the required AWS Identity and Access Management (IAM) permissions for Systems Manager and Session Manager, the user or role you use to access the console must allow the following actions:

  • ssm-guiconnect:CancelConnection

  • ssm-guiconnect:GetConnection

  • ssm-guiconnect:StartConnection

The following are example IAM policies for connecting to instances using RDP with Fleet Manager. Replace each example resource placeholder with your own information.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EC2",
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeInstances",
                    "ec2:GetPasswordData"
                ],
                "Resource": "*"
            },
            {
                "Sid": "SSM",
                "Effect": "Allow",
                "Action": [
                    "ssm:DescribeInstanceProperties",
                    "ssm:GetCommandInvocation",
                    "ssm:GetInventorySchema"
                ],
                "Resource": "*"
            },
            {
                "Sid": "TerminateSession",
                "Effect": "Allow",
                "Action": [
                    "ssm:TerminateSession"
                ],
                "Resource": "*",
                "Condition": {
                    "StringLike": {
                        "ssm:resourceTag/aws:ssmmessages:session-id": [
                            "${aws:userid}"
                        ]
                    }
                }
            },
            {
                "Sid": "SSMStartSession",
                "Effect": "Allow",
                "Action": [
                    "ssm:StartSession"
                ],
                "Resource": [
                    "arn:aws:ec2:*:account-id:instance/*",
                    "arn:aws:ssm:*:account-id:managed-instance/*",
                    "arn:aws:ssm:*::document/AWS-StartPortForwardingSession"
                ],
                "Condition": {
                    "BoolIfExists": {
                        "ssm:SessionDocumentAccessCheck": "true"
                    }
                }
            },
            {
                "Sid": "GuiConnect",
                "Effect": "Allow",
                "Action": [
                    "ssm-guiconnect:CancelConnection",
                    "ssm-guiconnect:GetConnection",
                    "ssm-guiconnect:StartConnection"
                ],
                "Resource": "*"
            }
        ]
    }

Policy that limits connections to instances with a specific tag:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EC2",
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeInstances",
                    "ec2:GetPasswordData"
                ],
                "Resource": "*"
            },
            {
                "Sid": "SSM",
                "Effect": "Allow",
                "Action": [
                    "ssm:DescribeInstanceProperties",
                    "ssm:GetCommandInvocation",
                    "ssm:GetInventorySchema"
                ],
                "Resource": "*"
            },
            {
                "Sid": "SSMStartSession",
                "Effect": "Allow",
                "Action": [
                    "ssm:StartSession"
                ],
                "Resource": [
                    "arn:aws:ssm:*::document/AWS-StartPortForwardingSession"
                ],
                "Condition": {
                    "BoolIfExists": {
                        "ssm:SessionDocumentAccessCheck": "true"
                    }
                }
            },
            {
                "Sid": "AccessTaggedInstances",
                "Effect": "Allow",
                "Action": [
                    "ssm:StartSession"
                ],
                "Resource": [
                    "arn:aws:ec2:*:account-id:instance/*",
                    "arn:aws:ssm:*:account-id:managed-instance/*"
                ],
                "Condition": {
                    "StringLike": {
                        "ssm:resourceTag/tag key": [
                            "tag value"
                        ]
                    }
                }
            },
            {
                "Sid": "GuiConnect",
                "Effect": "Allow",
                "Action": [
                    "ssm-guiconnect:CancelConnection",
                    "ssm-guiconnect:GetConnection",
                    "ssm-guiconnect:StartConnection"
                ],
                "Resource": "*"
            }
        ]
    }

Policy for users who connect with IAM Identity Center authentication:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "SSO",
                "Effect": "Allow",
                "Action": [
                    "sso:ListDirectoryAssociations*",
                    "identitystore:DescribeUser"
                ],
                "Resource": "*"
            },
            {
                "Sid": "EC2",
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeInstances",
                    "ec2:GetPasswordData"
                ],
                "Resource": "*"
            },
            {
                "Sid": "SSM",
                "Effect": "Allow",
                "Action": [
                    "ssm:DescribeInstanceProperties",
                    "ssm:GetCommandInvocation",
                    "ssm:GetInventorySchema"
                ],
                "Resource": "*"
            },
            {
                "Sid": "TerminateSession",
                "Effect": "Allow",
                "Action": [
                    "ssm:TerminateSession"
                ],
                "Resource": "*",
                "Condition": {
                    "StringLike": {
                        "ssm:resourceTag/aws:ssmmessages:session-id": [
                            "${aws:userName}"
                        ]
                    }
                }
            },
            {
                "Sid": "SSMStartSession",
                "Effect": "Allow",
                "Action": [
                    "ssm:StartSession"
                ],
                "Resource": [
                    "arn:aws:ec2:*:*:instance/*",
                    "arn:aws:ssm:*:*:managed-instance/*",
                    "arn:aws:ssm:*:*:document/AWS-StartPortForwardingSession"
                ],
                "Condition": {
                    "BoolIfExists": {
                        "ssm:SessionDocumentAccessCheck": "true"
                    }
                }
            },
            {
                "Sid": "SSMSendCommand",
                "Effect": "Allow",
                "Action": [
                    "ssm:SendCommand"
                ],
                "Resource": [
                    "arn:aws:ec2:*:*:instance/*",
                    "arn:aws:ssm:*:*:managed-instance/*",
                    "arn:aws:ssm:*:*:document/AWSSSO-CreateSSOUser"
                ],
                "Condition": {
                    "BoolIfExists": {
                        "ssm:SessionDocumentAccessCheck": "true"
                    }
                }
            },
            {
                "Sid": "GuiConnect",
                "Effect": "Allow",
                "Action": [
                    "ssm-guiconnect:CancelConnection",
                    "ssm-guiconnect:GetConnection",
                    "ssm-guiconnect:StartConnection"
                ],
                "Resource": "*"
            }
        ]
    }
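
As an added example (not part of the AWS documentation), the following Python code reviews a policy document before you attach it: it lists which of the three required ssm-guiconnect actions are not granted, and which Allow statements grant ssm:StartSession on instance resources without an ssm:resourceTag condition like the one in the AccessTaggedInstances statement above. The function names, the sample policy, and the account ID 111122223333 are constructed for illustration; the check does simple wildcard matching on Allow statements only and does not evaluate Deny, NotAction, or permissions boundaries.

```python
import fnmatch
import json

REQUIRED_GUI_ACTIONS = ("ssm-guiconnect:CancelConnection",
                        "ssm-guiconnect:GetConnection",
                        "ssm-guiconnect:StartConnection")

def _as_list(value):
    """IAM accepts a single string or object where a list is expected."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]

def missing_gui_actions(policy):
    """Required ssm-guiconnect actions that no Allow statement grants."""
    granted = [a.lower() for s in _allow_statements(policy) for a in _as_list(s.get("Action"))]
    return [r for r in REQUIRED_GUI_ACTIONS
            if not any(fnmatch.fnmatchcase(r.lower(), g) for g in granted)]

def untagged_start_session(policy):
    """Sids of Allow statements granting ssm:StartSession on instance resources
    with no ssm:resourceTag/<key> condition."""
    findings = []
    for s in _allow_statements(policy):
        actions = [a.lower() for a in _as_list(s.get("Action"))]
        if not any(fnmatch.fnmatchcase("ssm:startsession", a) for a in actions):
            continue
        on_instances = any(r == "*" or ":instance/" in r or ":managed-instance/" in r
                           for r in _as_list(s.get("Resource")))
        tag_scoped = any(key.lower().startswith("ssm:resourcetag/")
                         for operator in s.get("Condition", {}).values()
                         for key in operator)
        if on_instances and not tag_scoped:
            findings.append(s.get("Sid", "<no Sid>"))
    return findings

# Constructed sample: GetConnection is omitted and StartSession is not tag-scoped.
SAMPLE = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "SSMStartSession", "Effect": "Allow", "Action": "ssm:StartSession",
   "Resource": ["arn:aws:ec2:*:111122223333:instance/*",
                "arn:aws:ssm:*::document/AWS-StartPortForwardingSession"]},
  {"Sid": "GuiConnect", "Effect": "Allow", "Resource": "*",
   "Action": ["ssm-guiconnect:StartConnection", "ssm-guiconnect:CancelConnection"]}]}""")

print(missing_gui_actions(SAMPLE), untagged_start_session(SAMPLE))
```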

To connect to instances using RDP with Fleet Manager

  1. Open the AWS Systems Manager console at

  2. In the navigation pane, choose Fleet Manager.


    If the AWS Systems Manager home page opens first, choose the menu icon to open the navigation pane, and then choose Fleet Manager in the navigation pane.

  3. Choose the button next to the instance that you want to connect to using RDP.

  4. In the Node actions menu, choose Connect with Remote Desktop.

  5. Choose your preferred Authentication type. If you choose User credentials, enter the user name and password for the Windows user account that you want to use when connecting to the instance. If you choose Key pair, choose the Browse local machine option to browse your local machine and choose the PEM key associated with your instance, or copy and paste the contents into the empty field after choosing the Paste key pair content option.

  6. Select Connect.