Automate Security: Lock Down Microsoft Windows Remote Access with AWS Systems Manager State Manager

This blog post explores how to use AWS Systems Manager State Manager to enforce remote access security policies on Microsoft Windows EC2 instances by automatically blocking RDP and SSH. It demonstrates how to create custom SSM Documents, configure State Manager associations, and leverage AWS resource tags for continuous policy enforcement.

Greg Vinton
Amazon Employee
Published Feb 11, 2025
Last Modified Mar 3, 2025

Introduction

Maintaining a consistent security posture across compute fleets, whether they are in the cloud or on-premises, goes beyond point-in-time remediation. While Infrastructure as Code (IaC) establishes initial secure configurations, the challenge lies in maintaining that state against configuration drift and unauthorised changes in dynamic workloads.
AWS Systems Manager (SSM) State Manager addresses this through declarative configuration management. By leveraging State Manager and AWS Systems Manager Automation Documents (SSM Documents), you can implement a solution that programmatically enforces remote access security policies across Amazon EC2 and hybrid workloads.
In this blog post, I'll show you how to use State Manager to automatically disable SSH and RDP access across your Microsoft Windows EC2 fleet. We'll create custom automation documents, configure State Manager associations with targeted instance selection, and implement automated enforcement of remote access policies using resource tags and AWS Organizations.
While the purpose of this blog post is to show how you can use State Manager to implement declarative configurations, the real aim is to get you thinking about how you can leverage SSM and State Manager to automate some of the configurations you have in your environment today.
As you go through this post, make sure to write down some of your own ideas for where you could leverage this same design.

Solution Overview

This solution leverages AWS Systems Manager State Manager to enforce remote access security policies across Microsoft Windows EC2 instances. In this blog we will simply get State Manager to configure a Windows Firewall Rule to block both RDP and SSH.
  • You might ask, 'Why don't we just block RDP using AWS Security Groups?' Well, you should and can, but the idea here is that we are creating a declarative policy on the instance itself. If an administrator decided they wanted to RDP into the server, created a security group rule that allowed 0.0.0.0/0, and also removed the Windows Firewall rule blocking RDP access, they could now log in to the instance.
  • With State Manager in place, at the next scheduled association (default is every 20 minutes), a new Windows Firewall rule would be recreated to block RDP access. With this design in place, even if the security group with 0.0.0.0/0 was accidentally left open, external users or bad actors would not be able to RDP to the server.
State Manager uses custom SSM Documents to define the desired state configuration and applies State Manager associations for continuous enforcement. Targeting is managed using AWS Resource Groups and instance tags, ensuring flexibility in selecting workloads.
High Level Design
State enforcement follows this workflow:
  1. Custom SSM Document – Defines the automation logic to disable SSH/RDP via Windows
  2. Create a State Manager Association – Binds the document to targeted instances, executing on a defined schedule.
  3. Instance Targeting – Uses AWS tags or dynamic instance selection to apply policies selectively.
By using declarative configuration management, this approach eliminates configuration drift, ensuring security policies are continuously enforced across your environment.
With remote SSH/RDP access blocked, administrators can securely access their workloads using AWS Systems Manager Fleet Manager, which provides secure access through the AWS Console or CLI without requiring inbound ports. I'll also show you how to access your instances via Fleet Manager later in this post.

Prerequisites

AWS Systems Manager Agent (SSM Agent) is preinstalled, by default, on the Amazon Machine Images (AMIs) for Windows Server that are provided by AWS. Support is provided for the following operating system (OS) versions.

Walkthrough

Create an SSM Document

The first step is to create an SSM Document. Documents define the actions that AWS Systems Manager performs on your resources.
  1. Navigate to the SSM Console Page.
  2. Select Documents from the left-hand menu.
  3. Select Create Document, then Command or Session.
  4. Give the document a unique name that you can reference later (I have used DisableRDPandSSH). Document Type can be left as Command.
  5. In the Content section, enter your PowerShell script. I have used the following script; please check that it meets your requirements. Click Create new version.
Note: If you wanted to completely disable RDP/SSH, you could even stop the Remote Desktop Service via a registry change. Also, this is a great place to start brainstorming about what other use cases you could create documents for.
```json
{
  "schemaVersion": "2.2",
  "description": "Block RDP (3389) and SSH (22) via Windows Firewall using AWS Systems Manager",
  "mainSteps": [
    {
      "action": "aws:runPowerShellScript",
      "name": "BlockRDPandSSH",
      "inputs": {
        "runCommand": [
          "# Block RDP (port 3389) in Windows Firewall (Persistent)",
          "New-NetFirewallRule -DisplayName 'Block RDP' -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Block",
          "# Block SSH (port 22) in Windows Firewall (Persistent)",
          "New-NetFirewallRule -DisplayName 'Block SSH' -Direction Inbound -Protocol TCP -LocalPort 22 -Action Block"
        ]
      }
    }
  ]
}
```
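An idempotent version of the document's runCommand, added here as an example (it is not the post's own script). Calling New-NetFirewallRule unconditionally adds another rule with the same DisplayName on every association run; this version creates a rule only when it is missing, repairs a rule that has drifted (disabled, flipped to Allow, or re-pointed), removes duplicates, and exits non-zero if the desired state is not reached so that State Manager reports the instance as non-compliant. The rule names and ports are taken from the post; everything else is an assumption.

```powershell
# Added example (not the post's script): idempotent version of the document's runCommand.
# New-NetFirewallRule run unconditionally adds another same-named rule on every association
# run; this creates a rule only if missing, repairs drift, removes duplicates, and fails loudly.
$ErrorActionPreference = 'Stop'
# Desired state, constructed to match the post's rule names and ports.
$desired = @(
    @{ DisplayName = 'Block RDP'; Port = 3389 },
    @{ DisplayName = 'Block SSH'; Port = 22 }
)
$changed = $false
foreach ($rule in $desired) {
    $existing = @(Get-NetFirewallRule -DisplayName $rule.DisplayName -ErrorAction SilentlyContinue)
    if ($existing.Count -eq 0) {
        # Missing (fresh instance, or an administrator deleted it): recreate.
        New-NetFirewallRule -DisplayName $rule.DisplayName -Direction Inbound -Protocol TCP `
            -LocalPort $rule.Port -Action Block -Enabled True | Out-Null
        Write-Output "Created rule '$($rule.DisplayName)'"
        $changed = $true
        continue
    }
    if ($existing.Count -gt 1) {
        # Keep the first rule, drop duplicates left behind by earlier unconditional creates.
        $existing | Select-Object -Skip 1 | Remove-NetFirewallRule
        $changed = $true
    }
    $current = $existing[0]
    # Repair drift on the rule itself: disabled, Allow instead of Block, or wrong direction.
    if ("$($current.Enabled)" -ne 'True' -or "$($current.Action)" -ne 'Block' -or "$($current.Direction)" -ne 'Inbound') {
        $current | Set-NetFirewallRule -Enabled True -Action Block -Direction Inbound
        Write-Output "Repaired rule '$($rule.DisplayName)'"
        $changed = $true
    }
    # Repair drift on the port filter: rule re-pointed at another port or protocol.
    $filter = $current | Get-NetFirewallPortFilter
    if ("$($filter.LocalPort)" -ne "$($rule.Port)" -or $filter.Protocol -ne 'TCP') {
        $current | Set-NetFirewallRule -Protocol TCP -LocalPort $rule.Port
        $changed = $true
    }
}
# Verify; a non-zero exit makes State Manager report the instance as non-compliant
# rather than a silent success.
foreach ($rule in $desired) {
    $r = @(Get-NetFirewallRule -DisplayName $rule.DisplayName -ErrorAction SilentlyContinue)
    if ($r.Count -ne 1 -or "$($r[0].Enabled)" -ne 'True' -or "$($r[0].Action)" -ne 'Block') {
        Write-Output "Desired state not reached for '$($rule.DisplayName)'"
        exit 1
    }
}
Write-Output ("Compliant" + $(if ($changed) { ' (changes applied)' } else { ' (no changes)' }))
```

Each line of this script would go into the document's runCommand array in place of the four lines shown above.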

Create a State Manager Association

In this section we are going to create a State Manager Association. An association defines the state you want to apply to a set of targets. An association includes three components: a document that defines the state, target(s), and a schedule. You can also specify runtime parameters.
  1. Navigate to the SSM Console Page.
  2. Select State Manager.
  3. Select Create Association.
  4. Give the Association a name. I have used DisableRDPandSSH.
  5. Select the Document that you created in the previous section. If you have created multiple versions of the document, you can choose the version you would like to run, or just select the default.
  6. Select a Target Selection. I have selected an individual instance, but if you are using tags, resource groups, or want to apply this to all your instances, you can select the method that meets your requirements.
  7. Finally, set a schedule that meets your requirements. I have left the schedule as the default CRON schedule builder, which applies the association every 30 minutes. Select Create Association.
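The same document and association created from the AWS Tools for PowerShell module instead of the console, targeting by tag so that new instances are enforced automatically. This is an added example and not code from the post; it assumes the module is installed, credentials and region are configured, the JSON document from the previous section is saved as .\DisableRDPandSSH.json, and that the Windows instances to enforce carry an assumed tag EnforceRemoteAccess=true.

```powershell
# Added example (not from the post): create the document and a tag-targeted association
# with AWS Tools for PowerShell. Assumptions: module installed, credentials/region set,
# the post's JSON saved as .\DisableRDPandSSH.json, and an assumed tag EnforceRemoteAccess=true.
Import-Module AWS.Tools.SimpleSystemsManagement

$documentName = 'DisableRDPandSSH'
$content = Get-Content -Raw -Path '.\DisableRDPandSSH.json'

# Create the Command document only if it does not exist yet (document names must be unique).
$doc = Get-SSMDocument -Name $documentName -ErrorAction SilentlyContinue
if (-not $doc) {
    New-SSMDocument -Name $documentName -Content $content -DocumentType Command `
        -DocumentFormat JSON -TargetType '/AWS::EC2::Instance' | Out-Null
    Write-Output "Created document $documentName"
}

# Target by tag rather than by instance id, so instances launched later with the tag
# are picked up at the next association run without editing the association.
$target = New-Object Amazon.SimpleSystemsManagement.Model.Target
$target.Key = 'tag:EnforceRemoteAccess'
$target.Values = [System.Collections.Generic.List[string]]@('true')

# rate(30 minutes) matches the post's console default; HIGH severity makes a failed run
# (for example a script that exited non-zero) visible in State Manager compliance reports.
$assoc = New-SSMAssociation -AssociationName $documentName -Name $documentName `
    -DocumentVersion '$DEFAULT' -Target $target -ScheduleExpression 'rate(30 minutes)' `
    -ComplianceSeverity HIGH
Write-Output "Created association $($assoc.AssociationId)"

# After the first scheduled run, the overview shows how many targets succeeded or failed.
(Get-SSMAssociation -AssociationId $assoc.AssociationId).Overview
```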

Test Connectivity

In this section, we will test that the target machine no longer accepts RDP connections. Once we have tested this, we will then make sure we can connect to the machine via Fleet Manager. I have already configured the security group to allow RDP connectivity from my IP to the target machine.
  1. RDP to the Target Machine. As expected, this fails due to the State Manager configuration.
  2. Navigate back to the SSM Console Page.
  3. Select Fleet Manager from the menu.
  4. Once in Fleet Manager, find and select an instance to which you have applied the State Manager association.
  5. Select Node Actions > Connect > Connect with Remote Desktop.
  6. Input your user credentials (these can be either local or domain credentials if the instance is part of a domain).
  7. Success! You should now be connected to your selected instance.

Conclusion

In this blog post, we've demonstrated how AWS Systems Manager State Manager can be used to enforce remote access security policies on Microsoft Windows EC2 instances. By leveraging custom SSM Documents and State Manager associations, we created a declarative configuration that continuously blocks RDP and SSH access, reducing the risk of unauthorised access—even if security groups are misconfigured.
This approach ensures security policies remain in place, mitigating the impact of human error or configuration drift. By targeting instances dynamically using AWS tags and resource groups, you can scale this solution across your environment while maintaining flexibility.
Beyond this specific use case, the principles covered here apply to a variety of automation scenarios. Whether it’s enforcing compliance policies, configuring system settings, or automating operational tasks, AWS Systems Manager provides a powerful way to manage and secure your workloads at scale.
As you reflect on this post, consider what other configurations in your environment could benefit from declarative enforcement. How else might you use State Manager to enhance security, compliance, or operational efficiency? The possibilities are vast, and this is just the beginning.

Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.
