Connect via SSM without opening the RDP port directly.
AWSTemplateFormatVersion: "2010-09-09"
Description: "Deploy Windows Server 2025 on EC2 with AWS Systems Manager (SSM) for remote access"
Resources:
  # IAM Role for SSM
  SSMRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "SSMRole-${AWS::StackName}"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  # Instance Profile for SSM
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
        - !Ref SSMRole
  # Create the key pair
  KeyPair:
    Type: AWS::EC2::KeyPair
    Properties:
      KeyName: !Sub "${AWS::StackName}-key"
  # Security group (fully closed: no SSH or RDP needed)
  EC2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "No inbound access, managed by SSM"
      VpcId: !Ref VPC
  # Windows Server 2025 EC2 instance
  WindowsInstance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t3.large
      IamInstanceProfile: !Ref InstanceProfile
      KeyName: !Ref KeyPair # key pair added
      ImageId: !Sub "{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2025-Japanese-Full-Base:1}}"
      NetworkInterfaces:
        - AssociatePublicIpAddress: true
          DeviceIndex: 0
          SubnetId: !Ref PublicSubnet
          GroupSet:
            - !Ref EC2SecurityGroup
      BlockDeviceMappings:
        - DeviceName: "/dev/sda1" # root volume
          Ebs:
            VolumeType: gp3
            VolumeSize: 128
            Iops: 3000
            DeleteOnTermination: true
      Tags:
        - Key: Name
          Value: "Windows2025-Instance"
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: "10.0.0.0/16"
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: "Windows2025-VPC"
  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: "10.0.1.0/24"
      MapPublicIpOnLaunch: true
      AvailabilityZone: "us-west-2a"
      Tags:
        - Key: Name
          Value: "PublicSubnet"
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: "Windows2025-IGW"
  # Attach the IGW to the VPC
  InternetGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
  # Route table
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: "PublicRouteTable"
  # Route (created only after the IGW is attached, so the association is valid)
  Route:
    Type: AWS::EC2::Route
    DependsOn: InternetGatewayAttachment # dependency added
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: "0.0.0.0/0"
      GatewayId: !Ref InternetGateway
  # Associate the route table with the subnet
  RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet
      RouteTableId: !Ref RouteTable
Outputs:
  InstanceID:
    Description: "EC2 instance ID for Session Manager"
    Value: !Ref WindowsInstance
  KeyPairName:
    Description: "The name of the created Key Pair"
    Value: !Ref KeyPair
How to connect
- Connecting with Fleet Manager (the key pair it requires)
aws ec2 describe-key-pairs --filters Name=key-name,Values=win2025-key --query KeyPairs[*].KeyPairId --output text
aws ssm get-parameter --name /ec2/keypair/<KEY_PAIR_ID_FROM_ABOVE> --with-decryption --query Parameter.Value --output text > Windows2025-Key.pem
- Port forwarding via SSM
aws ssm start-session --target <EC2_INSTANCE_ID> --document-name AWS-StartPortForwardingSession --parameters "portNumber=3389,localPortNumber=13389"
Connect with an RDP client to localhost:13389.
How to obtain the EC2 Administrator password
On a Windows Server EC2 instance, the default Administrator password must be decrypted with the EC2 key pair.
- Using the AWS Management Console
1. Log in to the AWS Management Console
2. Open the EC2 Instances page
3. Select the target Windows Server 2025 instance
4. "Actions" → "Get Windows password"
5. Upload the key pair you created (Windows2025-Key-xxxx.pem)
6. The password is displayed
- Using the AWS CLI
aws ec2 get-password-data --instance-id <INSTANCE_ID> --priv-launch-key Windows2025-Key.pem
NoSSM
AWSTemplateFormatVersion: "2010-09-09"
Description: "Deploy Windows Server 2025 on EC2 with RDP access (no SSM)"
Resources:
  # ----------------------------------------------------
  # VPC and internet access resources
  # ----------------------------------------------------
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: "10.0.0.0/16"
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: "Windows2025-VPC"
  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: "10.0.1.0/24"
      MapPublicIpOnLaunch: true
      AvailabilityZone: "us-west-2a"
      Tags:
        - Key: Name
          Value: "PublicSubnet"
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: "Windows2025-IGW"
  InternetGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: "PublicRouteTable"
  Route:
    Type: AWS::EC2::Route
    DependsOn: InternetGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: "0.0.0.0/0"
      GatewayId: !Ref InternetGateway
  RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet
      RouteTableId: !Ref RouteTable
  # ----------------------------------------------------
  # Key pair
  # ----------------------------------------------------
  KeyPair:
    Type: AWS::EC2::KeyPair
    Properties:
      KeyName: !Sub "${AWS::StackName}-key"
  # ----------------------------------------------------
  # Security group (allow RDP)
  # ----------------------------------------------------
  EC2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Allow RDP from anywhere"
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3389
          ToPort: 3389
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0
  # ----------------------------------------------------
  # Windows Server 2025 EC2 instance (RDP access)
  # ----------------------------------------------------
  WindowsInstance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t3.large
      # IAM instance profile removed (SSM is not used)
      KeyName: !Ref KeyPair
      ImageId: !Sub "{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2025-Japanese-Full-Base:1}}"
      NetworkInterfaces:
        - AssociatePublicIpAddress: true
          DeviceIndex: 0
          SubnetId: !Ref PublicSubnet
          GroupSet:
            - !Ref EC2SecurityGroup
      BlockDeviceMappings:
        - DeviceName: "/dev/sda1"
          Ebs:
            VolumeType: gp3
            VolumeSize: 128
            Iops: 3000
            DeleteOnTermination: true
      Tags:
        - Key: Name
          Value: "Windows2025-Instance-RDP"
Outputs:
  InstanceID:
    Description: "EC2 instance ID for RDP"
    Value: !Ref WindowsInstance
  KeyPairName:
    Description: "The name of the created Key Pair"
    Value: !Ref KeyPair
NoSSM&S3
AWSTemplateFormatVersion: "2010-09-09"
Description: "Deploy Windows Server 2025 on EC2 with RDP access (no SSM) + S3FullAccess"
Resources:
  # ----------------------------------------------------
  # VPC and internet access resources
  # ----------------------------------------------------
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: "10.0.0.0/16"
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: "Windows2025-VPC"
  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: "10.0.1.0/24"
      MapPublicIpOnLaunch: true
      AvailabilityZone: "us-west-2a"
      Tags:
        - Key: Name
          Value: "PublicSubnet"
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: "Windows2025-IGW"
  InternetGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: "PublicRouteTable"
  Route:
    Type: AWS::EC2::Route
    DependsOn: InternetGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: "0.0.0.0/0"
      GatewayId: !Ref InternetGateway
  RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet
      RouteTableId: !Ref RouteTable
  # ----------------------------------------------------
  # Key pair
  # ----------------------------------------------------
  KeyPair:
    Type: AWS::EC2::KeyPair
    Properties:
      KeyName: !Sub "${AWS::StackName}-key"
  # ----------------------------------------------------
  # Security group (allow RDP)
  # ----------------------------------------------------
  EC2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Allow RDP from my IP"
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3389
          ToPort: 3389
          # Replace with your own public IP as needed (e.g. 203.0.113.25/32)
          CidrIp: "0.0.0.0/0"
      SecurityGroupEgress:
        - IpProtocol: -1
          CidrIp: "0.0.0.0/0"
  # ----------------------------------------------------
  # IAM Role (for EC2) + S3FullAccess
  # ----------------------------------------------------
  EC2Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonS3FullAccess
  EC2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
        - !Ref EC2Role
  # ----------------------------------------------------
  # Windows Server 2025 EC2 instance (RDP access)
  # ----------------------------------------------------
  WindowsInstance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t3.large
      KeyName: !Ref KeyPair
      ImageId: !Sub "{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2025-Japanese-Full-Base:1}}"
      IamInstanceProfile: !Ref EC2InstanceProfile
      NetworkInterfaces:
        - AssociatePublicIpAddress: true
          DeviceIndex: 0
          SubnetId: !Ref PublicSubnet
          GroupSet:
            - !Ref EC2SecurityGroup
      BlockDeviceMappings:
        - DeviceName: "/dev/sda1"
          Ebs:
            VolumeType: gp3
            VolumeSize: 128
            Iops: 3000
            DeleteOnTermination: true
      Tags:
        - Key: Name
          Value: "Windows2025-Instance-RDP"
Outputs:
  InstanceID:
    Description: "EC2 instance ID for RDP"
    Value: !Ref WindowsInstance
  KeyPairName:
    Description: "The name of the created Key Pair"
    Value: !Ref KeyPair
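A pre-deploy check for the two RDP templates above: an added Python example (not part of the original notes) that flags security-group ingress rules exposing RDP (3389) or SSH (22) to 0.0.0.0/0 or ::/0, which is exactly the placeholder the "Allow RDP from my IP" group still carries. The embedded templates are constructed, trimmed dict forms of this page's SSM and no-SSM security groups (what PyYAML would load, tags removed); the function names are my own.

```python
"""Flag CloudFormation security groups that open admin ports to the internet.

The dicts below are constructed, trimmed-down versions of the page's SSM and
no-SSM templates. To scan the real files, load them with PyYAML using a
loader that accepts the !Ref/!Sub tags and pass the result to
find_public_admin_ports().
"""

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANY_CIDR = {"0.0.0.0/0", "::/0"}


def rule_covers_port(rule: dict, port: int) -> bool:
    """True if an ingress rule admits TCP traffic to `port`."""
    proto = str(rule.get("IpProtocol", ""))
    if proto == "-1":  # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    lo = int(rule.get("FromPort", 0))
    hi = int(rule.get("ToPort", lo))
    return lo <= port <= hi


def find_public_admin_ports(template: dict) -> list[tuple[str, str, str]]:
    """Return (resource name, service, cidr) for each world-open admin rule."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if cidr not in ANY_CIDR:
                continue  # scoped to a specific range: fine
            for port, service in ADMIN_PORTS.items():
                if rule_covers_port(rule, port):
                    findings.append((name, service, cidr))
    return findings


# Constructed: the SSM template's closed group (no ingress at all) ...
SSM_TEMPLATE = {"Resources": {"EC2SecurityGroup": {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {"GroupDescription": "No inbound access, managed by SSM"}}}}

# ... and the no-SSM template's RDP group with the 0.0.0.0/0 placeholder.
RDP_TEMPLATE = {"Resources": {"EC2SecurityGroup": {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {"GroupDescription": "Allow RDP from my IP",
                   "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 3389,
                                             "ToPort": 3389, "CidrIp": "0.0.0.0/0"}]}}}}

if __name__ == "__main__":
    for label, tpl in (("SSM", SSM_TEMPLATE), ("NoSSM", RDP_TEMPLATE)):
        print(label, find_public_admin_ports(tpl) or "no public admin ports")
```

Replacing the placeholder with a /32 (as the template's own comment suggests) makes the finding disappear, so the check can gate a deploy.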