I created and customized a Windows EC2 instance. I gave the Administrator account for this instance a custom password. Before creating an EMI from it, I used the EC2Config service to generate a new random password for the Administrator account. The AMI was created successfully. I was able to launch a new instance, decrypt the password, RDP into it. The new instance works fine.
My issue is I am unable to login to the original custom EC2 instance from which I created the AMI. I have tried the decrypted password, as well as the custom password I had originally set. This doesn't seem to be an RDP issue, as neither Powershell Remoting is working (PS Remoting was working before creating the AMI).
Can't the original instance be used again after creating an AMI from it?
ps: I don't have another user account on the original instance. Next time I will remember to create a second Admin account.
This seems to be the expected behaviour. This has more to do with Sysprep than with AWS. The EC2ConfigService even warns us about it - "Sysprep doesn't support retaining the Admin account password for Win Server 2008 onwards". Running Sysprep wipes out the password from the original instance. The recommended way is to create a separate user account with admin privileges and use that to login and manage the system.
RDP is disabled after sysprep.
You have to mount the ebs boot volume on a different server and use ec2Savior program to renable the RDP service in the registry, reattach to your server, and boot.
Related
This might be a rather simple question, but is it possible to log into an EC2 Windows Server instance over RDP, using an IAM user's credentials, or am I stuck using the password from the KeyPair?
The only way to do that would be to have IAM identity center setup with SSM Fleet manager.
From the documentation:
Fleet Manager integrates with IAM Identity Center so you can connect to your instances without providing additional credentials.
Otherwise, you have to specify either username/password or a the .pem file:
When connecting to your instance, you can use Windows credentials or the Amazon EC2 key pair (.pem file) associated with the instance for authentication.
EC2 instance access over RDP steps as below:
In aws ec2 service site with your IAM login.
screenshot reference
Select your windows server in EC2 instance list. let respective EC2 instance in running state. note then only "Connect" button will be active.
Select connect button. In the new window select 'RDP client' > select the 'Get Password'.
In 'Get password Window', import the pem which was associated with respective windows served in EC2 service. select 'Decrypt password'.
Copy the password, keep pasted in txt file for your future use.
Run 'mstsc' for remote desktop and type the public DNS address (which you can get it from above step 3 window) and login as .\Administrator and use the copied password for login.
Pre requisite steps to edited in EC2 windows instance:
Start the Windows Registry editor (type regedit in the "Start > Run" dialog)
Navigate to: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] "LimitBlankPasswordUse"=dword:00000001 3. Change LimitBlankPasswordUse to 0 (zero) to enable the use of blank passwords, 1 to prevent blank passwords over the network.
this solution considered as alternate.
we have a Windows EC2 instance created. We have a need to remote desktop into the instance occasionally to execute a PowerShell script that updates Microsoft's Power BI Gateway. This is all implemented in a sandbox environment. We're looking at steps/actions to implement in a production environment. From research, I have found that we need to have a different key pair for each user. I think this makes sense. But, the logistics of implementing this is beyond my knowledge. I have some basic questions that perhaps can help steer me in the right direction:
How do I generate a key pair for each user? Where would these be maintained? How do I assign the key pair by user? Do I need to create a new user in the IAM console?
Is there a way to rotate the key pairs?
An instance can only have a single key pair associated with it at a time. Does this mean that after each use, I should detach my key pair and the next user needs to attach their key pair? This all seems very manual.
This is the first I've had to deal with virtual servers and security management of said server. But, it seems that AWS would offer a service that automates this process?
Thank you.
Use AWS Systems Manager Run Command to automate common admin tasks across your EC2 instances.
When a Windows Amazon EC2 instance is launched, a random Administrator password is generated.
This password is then encrypted using the keypair selected when the instance is launched. You can access it via "Get Windows Password", and supplying the keypair.
Once you login, you are welcome to change the Administrator password or connect the instance to Active Directory.
You can also create additional Windows logins for your other users.
So, your choice is to either "share" a login for whoever needs to run the script, or give them each their own Windows login and their own password.
I also like #jarmod's idea of using the Systems Manager Run Command to execute a script without logging in!
When I am trying to retrieve password for one EC2 instance from key pair, I am getting the below error, please help me how to retrieve the password.
Password is not available.
This instance was launched from a custom AMI, or the default password has changed. A password cannot be retrieved for this instance. If you have forgotten your password, you can reset it using the Amazon EC2 configuration service.
You have several options to change the password so that you can regain access to your Windows instance. This third method is now the recommended method - using AWS Systems Manager. Note: AWS Systems Manager can take a bit of time to understand. Once you do, you will have many new powerful commands.
Run a command to change the Windows password. This document will show you how to use Instance User Data. You will want to run a Windows command net user Administrator newpassword. Setup the script and then reboot the instance. The command runs on reboot.
Resetting the Windows Administrator Password Using EC2Launch
Reset Passwords and SSH Keys on Amazon EC2 Instances
I'm very new to AWS. I've just started a new job where I've been passed on all the credentials from the guy I've taken over from. So I have root access to the AWS console account, but with the former employees user name and password. He's also set me up with ssh credentials for the EC2 instance.
My problem however is he didn't give me admin privileges for the EC2 instance. So when I SSH in and try to upload code changes I get permission denied. Is there some way I can change my privileges through the AWS console? Coming from Digital Ocean so I'm completely at a loss here on what way to go about it.
AWS credentials control the management of AWS resources, such as the launching of EC2 instances. They aren't relevant at the OS level on a Linux (or Windows) instance. You may need to use sudo to elevate your privileges on a Linux instance.
Just a few things could work here :
Since you have all the credentials passed from the guy, it should include the key-pair for the instances. So if you have that, you could ssh using it like,
ssh -i "my-key-pair" ec2-user#ec2xxxxx.xxxx.compute.amazonaws.com
The default user, either 'ec2-user' or 'ubuntu', it has sudo privileges by default. Run following after logging in,
sudo -i
You could then edit sudoers file to make necessary permissions.
You could take an ami of the current running instance and launch a copy. While launching, create a new key-pair. Rest action can be same as in Plan 1.
I have launched a linux server on AWS, there is another developer and i want him to work on the server, but i don't want to give .pem file to him, what should i do?
he should be able to connect to server via a console and deploy files and configure on http server. when the jobs done i want to take his priviliges back.
Thanks for your interest.
You should add his public ssh key to /home/ubuntu/.ssh/authorized_keys and that's basically it.
He will be able to login via SSH using corresponding private key.
This have nothing to do with AMI though.
There is a solution here, new user and a new key/pair for that user can be created on server machine. new user can access to server with the new key.
Another anwers about same topic is here