
RDP connection to Windows Server 2025 on EC2

Posted at 2025-03-06

Connect over RDP through SSM (Session Manager) without opening the RDP port to the internet.

AWSTemplateFormatVersion: "2010-09-09"
Description: "Deploy Windows Server 2025 on EC2 with AWS Systems Manager (SSM) for remote access"

Resources:
  # IAM Role for SSM
  SSMRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "SSMRole-${AWS::StackName}"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore

  # Instance Profile for SSM
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
        - !Ref SSMRole

  # Create the key pair
  KeyPair:
    Type: AWS::EC2::KeyPair
    Properties:
      KeyName: !Sub "${AWS::StackName}-key"

  # Security group (fully closed: no inbound SSH or RDP is needed)
  EC2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "No inbound access, managed by SSM"
      VpcId: !Ref VPC

  # Windows Server 2025 EC2 instance
  WindowsInstance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t3.large
      IamInstanceProfile: !Ref InstanceProfile
      KeyName: !Ref KeyPair # attach the key pair
      ImageId: !Sub "{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2025-Japanese-Full-Base:1}}"
      NetworkInterfaces:
        - AssociatePublicIpAddress: true
          DeviceIndex: 0
          SubnetId: !Ref PublicSubnet
          GroupSet:
            - !Ref EC2SecurityGroup
      BlockDeviceMappings:
        - DeviceName: "/dev/sda1" # root volume
          Ebs:
            VolumeType: gp3
            VolumeSize: 128
            Iops: 3000
            DeleteOnTermination: true
      Tags:
        - Key: Name
          Value: "Windows2025-Instance"

  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: "10.0.0.0/16"
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: "Windows2025-VPC"

  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: "10.0.1.0/24"
      MapPublicIpOnLaunch: true
      AvailabilityZone: "us-west-2a"
      Tags:
        - Key: Name
          Value: "PublicSubnet"

  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: "Windows2025-IGW"

  # Attach the IGW to the VPC
  InternetGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway

  # Route table
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: "PublicRouteTable"

  # Route (created only after the IGW has been attached)
  Route:
    Type: AWS::EC2::Route
    DependsOn: InternetGatewayAttachment # explicit dependency on the attachment
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: "0.0.0.0/0"
      GatewayId: !Ref InternetGateway

  # Associate the route table with the subnet
  RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet
      RouteTableId: !Ref RouteTable

Outputs:
  InstanceID:
    Description: "EC2 instance ID for Session Manager"
    Value: !Ref WindowsInstance

  KeyPairName:
    Description: "The name of the created Key Pair"
    Value: !Ref KeyPair

How to connect

  • Key pair needed when connecting via Fleet Manager
aws ec2 describe-key-pairs --filters Name=key-name,Values=win2025-key --query KeyPairs[*].KeyPairId --output text

aws ssm get-parameter --name /ec2/keypair/<key pair ID printed above> --with-decryption --query Parameter.Value --output text > Windows2025-Key.pem

  • Port forwarding through SSM
aws ssm start-session --target <EC2_INSTANCE_ID> --document-name AWS-StartPortForwardingSession --parameters "portNumber=3389,localPortNumber=13389"

Connect with an RDP client to localhost:13389.

How to obtain the EC2 Administrator password

On a Windows Server EC2 instance, the default Administrator password must be decrypted with the instance's EC2 key pair.

  • From the AWS Management Console
    Sign in to the AWS Management Console
    Open the EC2 instances page
    Select the target Windows Server 2025 instance
    "Actions" → "Get Windows password"
    Upload the key pair you created (Windows2025-Key-xxxx.pem)
    The password is displayed

  • From the AWS CLI
aws ec2 get-password-data --instance-id <INSTANCE_ID> --priv-launch-key Windows2025-Key.pem

NoSSM

AWSTemplateFormatVersion: "2010-09-09"
Description: "Deploy Windows Server 2025 on EC2 with RDP access (no SSM)"

Resources:
  # ----------------------------------------------------
  # VPC and internet access resources
  # ----------------------------------------------------
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: "10.0.0.0/16"
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: "Windows2025-VPC"

  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: "10.0.1.0/24"
      MapPublicIpOnLaunch: true
      AvailabilityZone: "us-west-2a"
      Tags:
        - Key: Name
          Value: "PublicSubnet"

  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: "Windows2025-IGW"

  InternetGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway

  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: "PublicRouteTable"

  Route:
    Type: AWS::EC2::Route
    DependsOn: InternetGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: "0.0.0.0/0"
      GatewayId: !Ref InternetGateway

  RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet
      RouteTableId: !Ref RouteTable

  # ----------------------------------------------------
  # Key pair
  # ----------------------------------------------------
  KeyPair:
    Type: AWS::EC2::KeyPair
    Properties:
      KeyName: !Sub "${AWS::StackName}-key"

  # ----------------------------------------------------
  # Security group (allow RDP)
  # ----------------------------------------------------
  EC2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Allow RDP from anywhere"
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3389
          ToPort: 3389
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0

  # ----------------------------------------------------
  # Windows Server 2025 EC2 instance (RDP access)
  # ----------------------------------------------------
  WindowsInstance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t3.large
      # IAM instance profile removed (SSM is not used)
      KeyName: !Ref KeyPair
      ImageId: !Sub "{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2025-Japanese-Full-Base:1}}"
      NetworkInterfaces:
        - AssociatePublicIpAddress: true
          DeviceIndex: 0
          SubnetId: !Ref PublicSubnet
          GroupSet:
            - !Ref EC2SecurityGroup
      BlockDeviceMappings:
        - DeviceName: "/dev/sda1"
          Ebs:
            VolumeType: gp3
            VolumeSize: 128
            Iops: 3000
            DeleteOnTermination: true
      Tags:
        - Key: Name
          Value: "Windows2025-Instance-RDP"

Outputs:
  InstanceID:
    Description: "EC2 instance ID for RDP"
    Value: !Ref WindowsInstance

  KeyPairName:
    Description: "The name of the created Key Pair"
    Value: !Ref KeyPair

NoSSM&S3

AWSTemplateFormatVersion: "2010-09-09"
Description: "Deploy Windows Server 2025 on EC2 with RDP access (no SSM) + S3FullAccess"

Resources:
  # ----------------------------------------------------
  # VPC and internet access resources
  # ----------------------------------------------------
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: "10.0.0.0/16"
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: "Windows2025-VPC"

  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: "10.0.1.0/24"
      MapPublicIpOnLaunch: true
      AvailabilityZone: "us-west-2a"
      Tags:
        - Key: Name
          Value: "PublicSubnet"

  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: "Windows2025-IGW"

  InternetGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway

  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: "PublicRouteTable"

  Route:
    Type: AWS::EC2::Route
    DependsOn: InternetGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: "0.0.0.0/0"
      GatewayId: !Ref InternetGateway

  RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet
      RouteTableId: !Ref RouteTable

  # ----------------------------------------------------
  # Key pair
  # ----------------------------------------------------
  KeyPair:
    Type: AWS::EC2::KeyPair
    Properties:
      KeyName: !Sub "${AWS::StackName}-key"

  # ----------------------------------------------------
  # Security group (RDP allowed)
  # ----------------------------------------------------
  EC2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Allow RDP from my IP"
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3389
          ToPort: 3389
          # Replace with your own public IP as needed (e.g. 203.0.113.25/32)
          CidrIp: "0.0.0.0/0"
      SecurityGroupEgress:
        - IpProtocol: -1
          CidrIp: "0.0.0.0/0"

  # ----------------------------------------------------
  # IAM Role (for EC2) + S3FullAccess
  # ----------------------------------------------------
  EC2Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonS3FullAccess

  EC2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
        - !Ref EC2Role

  # ----------------------------------------------------
  # Windows Server 2025 EC2 instance (RDP access)
  # ----------------------------------------------------
  WindowsInstance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t3.large
      KeyName: !Ref KeyPair
      ImageId: !Sub "{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2025-Japanese-Full-Base:1}}"
      IamInstanceProfile: !Ref EC2InstanceProfile
      NetworkInterfaces:
        - AssociatePublicIpAddress: true
          DeviceIndex: 0
          SubnetId: !Ref PublicSubnet
          GroupSet:
            - !Ref EC2SecurityGroup
      BlockDeviceMappings:
        - DeviceName: "/dev/sda1"
          Ebs:
            VolumeType: gp3
            VolumeSize: 128
            Iops: 3000
            DeleteOnTermination: true
      Tags:
        - Key: Name
          Value: "Windows2025-Instance-RDP"

Outputs:
  InstanceID:
    Description: "EC2 instance ID for RDP"
    Value: !Ref WindowsInstance

  KeyPairName:
    Description: "The name of the created Key Pair"
    Value: !Ref KeyPair
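
The three templates above differ mainly in their security group: the SSM variant has no inbound rule at all, while the two NoSSM variants open TCP/3389, one to 0.0.0.0/0 and one meant to be narrowed to a single /32. The following checker is an added example (not part of the original article) that scans the JSON shape returned by `aws ec2 describe-security-groups` and reports every rule that exposes RDP to the whole internet; the three sample groups, their IDs and the CIDRs are constructed here to mirror the page's templates.

```python
"""Flag security groups that expose RDP (TCP/3389) to the internet.

Input is the JSON returned by `aws ec2 describe-security-groups`
(SecurityGroups[].IpPermissions[].FromPort/ToPort/IpProtocol/IpRanges/Ipv6Ranges).
"""
import ipaddress
import json

RDP_PORT = 3389

# Constructed sample: one security group per template on this page.
SAMPLE = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-ssm", "GroupName": "ssm-only", "IpPermissions": []},
    {"GroupId": "sg-rdp-any", "GroupName": "rdp-anywhere", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-rdp-myip", "GroupName": "rdp-my-ip", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.25/32"}], "Ipv6Ranges": []}]},
]})


def covers_rdp(perm):
    """True if the permission entry includes TCP/3389 (or all traffic, "-1")."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= RDP_PORT <= perm.get("ToPort", 65535)


def is_world(cidr):
    """True for 0.0.0.0/0 and ::/0: a prefix length of 0 matches any address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_exposed_rdp(describe_output):
    """Return [(group id, cidr)] for every rule that exposes RDP to the internet."""
    findings = []
    for sg in json.loads(describe_output)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not covers_rdp(perm):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            findings.extend((sg["GroupId"], c) for c in cidrs if is_world(c))
    return findings


if __name__ == "__main__":
    for gid, cidr in find_exposed_rdp(SAMPLE):
        print(f"{gid}: RDP reachable from {cidr}; narrow to a /32 or use SSM port forwarding")
```

Pipe real output in with `aws ec2 describe-security-groups --output json` and pass the text to `find_exposed_rdp` to audit a deployed stack.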
