AwsEC2WindowsRdpOverSSM

nicolaw 3rd December 2020 at 10:11am
AWS EC2 SSM Windows

First initiate a tunnel using the AWS SSM command:

$ aws ssm start-session \
      --target <i-ec2instanceid> \
      --document-name AWS-StartPortForwardingSession \
      --parameters "localPortNumber=55678,portNumber=3389"

Microsoft Remote Desktop Client can then be used to open a connection to localhost:55678. The username is Administrator, and the password can be decrypted using the private key that the instance was deployed with.

$ aws ec2 get-password-data \
      --instance-id <i-ec2instanceid> \
      --priv-launch-key yourprivatekey.pem | jq -r .PasswordData
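
The decryption that `--priv-launch-key` performs happens locally and can be reproduced with openssl, shown here as an added example that is not part of the original note. Without that flag, `PasswordData` is a base64 blob encrypted to the launch key pair with RSA PKCS#1 v1.5. The function names, the throwaway key pair and the password below are constructed for the demonstration.

```bash
#!/bin/sh
# Added example: all key material and the password below are constructed.
set -eu

# decrypt_password_data <base64-PasswordData> <private-key.pem>
# Strips any surrounding whitespace, base64-decodes the blob, then
# RSA-decrypts it with PKCS#1 v1.5 (the openssl pkeyutl default for RSA).
decrypt_password_data() {
    printf '%s' "$1" | tr -d '[:space:]' \
        | openssl base64 -d -A \
        | openssl pkeyutl -decrypt -inkey "$2"
}

# demo_roundtrip: build a throwaway key pair, encrypt a constructed password
# to its public key and base64-encode it, then recover the password with
# decrypt_password_data. Runs in a subshell so the temp dir is always removed.
demo_roundtrip() (
    dir=$(mktemp -d)
    trap 'rm -rf "$dir"' EXIT
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/key.pem" 2>/dev/null
    openssl pkey -in "$dir/key.pem" -pubout -out "$dir/pub.pem"
    blob=$(printf '%s' 'Constructed-Passw0rd!' \
        | openssl pkeyutl -encrypt -pubin -inkey "$dir/pub.pem" \
        | openssl base64 -A)
    # Wrap the blob in CR/LF to show that surrounding whitespace is tolerated.
    decrypt_password_data "$(printf '\r\n%s\r\n' "$blob")" "$dir/key.pem"
)

demo_roundtrip; echo
```

For a real instance, pass the `PasswordData` value returned by `aws ec2 get-password-data` without `--priv-launch-key`, together with the launch key file, to `decrypt_password_data`.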

See AwsSSM for information about the AWS IAM instance profile policy requirements to support initiation of an SSM forwarding session.