How do I use the AWSSupport-TroubleshootRDP runbook to troubleshoot RDP-related issues on a target managed Windows instance?


I want to use the AWSSupport-TroubleshootRDP runbook in Automation, a capability of AWS Systems Manager, to view or modify common Remote Desktop Protocol (RDP) settings on my target Amazon Elastic Compute Cloud (Amazon EC2) Windows instance.

Short description

The AWSSupport-TroubleshootRDP runbook troubleshoots RDP issues and modifies common settings on the target instance, such as the RDP port, Network Layer Authentication (NLA), and Windows firewall profiles. By default, the runbook reads and outputs the values of the settings.

Note: Before you use this runbook, review the changes to the RDP settings, RDP service, and Windows firewall profiles.

Resolution

Prerequisites

Before you start the runbook, make sure that the target EC2 instance has an AWS Identity and Access Management (IAM) role with the AmazonSSMManagedInstanceCore Amazon managed policy attached. Also verify that your IAM user or role has the following permissions:

Online remediation

  • ssm:DescribeInstanceInformation
  • ssm:StartAutomationExecution
  • ssm:SendCommand
  • ssm:GetAutomationExecution

Offline remediation

  • ssm:DescribeInstanceInformation
  • ssm:StartAutomationExecution
  • ec2:DescribeInstances
  • ssm:GetAutomationExecution

Note: If you choose the AllowOffline option, then this runbook calls the AWSSupport-ExecuteEC2Rescue runbook to perform offline remediation. In addition to the preceding permissions, the user who starts the runbook must have the AmazonSSMAutomationRole IAM managed policy attached, plus an IAM policy with the following statements:

{
    "Version": "2012-10-17",
    "Statement": [{
            "Action": [
                "lambda:InvokeFunction",
                "lambda:DeleteFunction",
                "lambda:GetFunction"
            ],
            "Resource": "arn:aws:lambda:*:An-AWS-Account-ID:function:AWSSupport-EC2Rescue-*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::awssupport-ssm.*/*.template",
                "arn:aws:s3:::awssupport-ssm.*/*.zip"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:CreateRole",
                "iam:CreateInstanceProfile",
                "iam:GetRole",
                "iam:GetInstanceProfile",
                "iam:PutRolePolicy",
                "iam:DetachRolePolicy",
                "iam:AttachRolePolicy",
                "iam:PassRole",
                "iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DeleteInstanceProfile"
            ],
            "Resource": [
                "arn:aws:iam::An-AWS-Account-ID:role/AWSSupport-EC2Rescue-*",
                "arn:aws:iam::An-AWS-Account-ID:instance-profile/AWSSupport-EC2Rescue-*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "lambda:CreateFunction",
                "ec2:CreateVpc",
                "ec2:ModifyVpcAttribute",
                "ec2:DeleteVpc",
                "ec2:CreateInternetGateway",
                "ec2:AttachInternetGateway",
                "ec2:DetachInternetGateway",
                "ec2:DeleteInternetGateway",
                "ec2:CreateSubnet",
                "ec2:DeleteSubnet",
                "ec2:CreateRoute",
                "ec2:DeleteRoute",
                "ec2:CreateRouteTable",
                "ec2:AssociateRouteTable",
                "ec2:DisassociateRouteTable",
                "ec2:DeleteRouteTable",
                "ec2:CreateVpcEndpoint",
                "ec2:DeleteVpcEndpoints",
                "ec2:ModifyVpcEndpoint",
                "ec2:Describe*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

For more information, see the following documentation:

Run the Systems Manager runbook

  1. Open the AWS Systems Manager console.
  2. In the navigation pane, choose Documents.
  3. In the search bar, enter AWSSupport-TroubleshootRDP.
  4. Select the AWSSupport-TroubleshootRDP document.
  5. Choose Execute automation.
  6. For the input parameters, enter the following:
    • InstanceId (required): Enter the ID of the Windows managed instance that you want to troubleshoot RDP settings for.

    • AutomationAssumeRole (optional): Choose the IAM role for this runbook from the dropdown list. If a role isn't specified, then Automation uses the permissions of the user who runs this document.

    • Action (optional): Choose the value for this parameter from the dropdown list:
      CheckAll: Read the values of the settings without modifying them.
      FixAll: Restore the RDP default settings and turn off the Windows Firewall.
      Custom: Use values from other optional input parameters to manage the settings.

    • AllowOffline (optional): If online troubleshooting fails, or the instance isn't a managed instance, then choose True to perform an offline RDP remediation.
      Note: For offline remediation, Automation stops the instance and creates an Amazon Machine Image (AMI). Data that's stored in instance store volumes is lost when the instance is stopped. Also, the static public IPv4 address that Amazon EC2 automatically assigned to the instance on launch or start changes after the stop and start. To retain a public IPv4 address that doesn't change when the instance is stopped, use an Elastic IP address. For more information, see What happens when you stop an instance.

    • Firewall (optional): Check or turn off the Windows firewall for all profiles.

    • RDPServiceAction (optional): Perform actions, such as start, restart, and force-restart, on the RDP service.

    • RDPServiceStartupType (optional): Check or set the RDP service to automatically start when Windows boots.

    • RDPPortAction (optional): Check the current port that's used for RDP connections, or change the RDP port back to 3389 and restart the service.

    • NLASettingAction (optional): Check or turn off NLA.

    • RemoteConnections (optional): Check or allow remote connections.

    • SubnetId (optional): Offline only. Enter the subnet ID for the EC2Rescue instance that's used to perform offline troubleshooting. If a subnet ID is specified, then Automation creates a new virtual private cloud (VPC).
      Note: The subnet must be in the same Availability Zone as the InstanceId and allow access to SSM endpoints.

    • S3BucketName (optional): Offline only. Enter the Amazon Simple Storage Service (Amazon S3) bucket name in your account where you want to upload the troubleshooting logs. Make sure that the bucket policy doesn't grant unnecessary read or write permissions to parties that don't need access to the collected logs.

  7. Choose Execute.

To see detailed results after the automation completes, review the Outputs section.
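As an added example (not AWS's own code), the following Python assembles the Parameters map that StartAutomationExecution expects for this runbook, rejects combinations the page says the runbook will not act on (offline-only parameters without AllowOffline, per-setting parameters without Action set to Custom), and starts the execution with boto3 when credentials are configured. The rule that per-setting parameters need Action=Custom is inferred from the Action description above; the instance ID, role ARN and bucket name used when calling it are constructed placeholders.

```python
"""Start the AWSSupport-TroubleshootRDP runbook with validated parameters.

Added example, not AWS's own code.  build_parameters() runs offline;
start_execution() needs boto3 and configured AWS credentials.
"""
try:
    import boto3  # assumption: boto3 is installed where executions start
except ImportError:  # lets parameter validation run without boto3
    boto3 = None

RUNBOOK = "AWSSupport-TroubleshootRDP"
ACTIONS = {"CheckAll", "FixAll", "Custom"}
OFFLINE_ONLY = {"SubnetId", "S3BucketName"}  # marked "Offline only" above
CUSTOM_ONLY = {"Firewall", "RDPServiceAction", "RDPServiceStartupType",
               "RDPPortAction", "NLASettingAction", "RemoteConnections"}


def build_parameters(instance_id, action="CheckAll", allow_offline=False,
                     assume_role=None, **settings):
    """Return the Parameters map for StartAutomationExecution.

    Each value is a one-element list, the shape the SSM API requires.
    Raises ValueError for combinations the runbook would not act on.
    """
    if not instance_id.startswith("i-"):
        raise ValueError("InstanceId must be an EC2 instance ID (i-...)")
    if action not in ACTIONS:
        raise ValueError(f"Action must be one of {sorted(ACTIONS)}")
    unknown = set(settings) - OFFLINE_ONLY - CUSTOM_ONLY
    if unknown:
        raise ValueError(f"unknown parameters: {sorted(unknown)}")
    if action != "Custom" and set(settings) & CUSTOM_ONLY:
        raise ValueError("per-setting parameters require Action=Custom")
    if not allow_offline and set(settings) & OFFLINE_ONLY:
        raise ValueError("SubnetId/S3BucketName require AllowOffline=True")
    params = {"InstanceId": [instance_id], "Action": [action],
              "AllowOffline": [str(allow_offline)]}  # runbook takes "True"/"False"
    if assume_role:
        params["AutomationAssumeRole"] = [assume_role]
    for name, value in settings.items():
        params[name] = [value]
    return params


def start_execution(params, region="us-east-1"):
    """Start the runbook and return its AutomationExecutionId (needs boto3)."""
    ssm = boto3.client("ssm", region_name=region)
    resp = ssm.start_automation_execution(DocumentName=RUNBOOK, Parameters=params)
    return resp["AutomationExecutionId"]
```

Pass the returned ID to GetAutomationExecution to poll for completion, which is why ssm:GetAutomationExecution appears in both permission lists above.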

Related information

Run an automation

Setting up Automation

Systems Manager Automation runbook reference

AWS OFFICIAL, updated 8 months ago
1 Comment

The instructions for setting up prerequisites are written in an indirect way INCOMPREHENSIBLE to non-AWS staff. WHAT STEPS ARE THE AWS CUSTOMER SUPPOSED TO DO IN WHAT ORDER, OMIT NOTHING?

replied 5 months ago