Locked Out of a Windows EC2 Instance? Fix It Quick.
It happens. Thankfully, with the use of Windows PowerShell for AWS, it's easy to get back into your instance.
Last week, I was working on a project that required me to set up several Windows-based EC2 instances. This particular project had a tight deadline, so I wasn't being as careful as I might normally would have been. In my haste to get the job done, I accidentally deleted the Windows firewall rule that allowed RDP connectivity to the instance, effectively locking myself out. Fortunately, there is sometimes a way to get back in.
The trick is to use PowerShell. In order to do so however, you will need to have previously enabled PowerShell remoting and turned on the listener for the instance. Without that, the instance will reject any attempted remote PowerShell session.
With that said, go ahead and open Windows PowerShell for AWS on your local computer. If you have not yet installed Windows PowerShell for AWS, you can download it here.
Before you go any further, I recommend doing a quick test to make sure that PowerShell is able to access your AWS account. One way of doing so is to enter this command:
When you enter this command, it should return a list of your EC2 instances, as shown in Figure 1. This confirms that PowerShell has downloaded the required AWS modules and that it is authenticated into your AWS environment.
Now that you have confirmed that PowerShell can access your AWS environment, the next step in the process is to establish a PowerShell session with the instance that you have been locked out of. To do so, begin by entering this command and when prompted, provide the credentials that you would normally use to log into the EC2 instance:
Now, enter this command:
Enter-PSSession -ComputerName <the public IP address associated with the instance> -Credential $Cred
At this point, there is a really good chance that you are going to receive an error message like the one shown in Figure 2.
The most common reason why this error occurs is because the instance that you are connecting to is not a trusted host. Simply put, if a remote computer (in this case, the EC2 instance) is not domain joined then it must be designated as a trusted host. Fortunately, this is something that you can do from your own computer, rather than the instance that you have been locked out of.
To designate the system as a trusted host, open an elevated Windows PowerShell for AWS window (you will need local admin rights) and enter this command:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value <the AWS instance's IP address>
Now try once again to establish a PowerShell session with the remote instance. Hopefully the session will be established, but there is a chance that you may experience a delay of about 30 seconds, followed by the error message shown in Figure 3.
This error is most likely related to the instance's security group configuration. Try editing your instance's security group rules and add TCP ports 5985 and 5986 to the inbound rules, as shown in Figure 4.
Now try the connection again. If the session is successfully established, you should see the PowerShell prompt change to reflect the instance's IP address, as shown in Figure 5.
Now the only thing that's left to do is to add a firewall rule that will allow an RDP session to be established with the instance. The command for doing so is:
New-NetFirewallRule -DisplayName “Allow RDP” -Direction Inbound -Action Allow -LocalPort 3389 -Protocol TCP
You can see what this command looks like in Figure 6.
Now that you have added the rule, you should have no trouble establishing an RDP session with the EC2 instance, although you may have to wait for a minute or two for the rule to take effect.
Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.