My EC2 instance supports connections from clients via the Remote Desktop Protocol (RDP). By default, the remote desktop protocol authenticates requests with a valid username and password combination. How can I configure RDP connectivity to my Linux EC2 instance without opening additional ports on the Security Group or the Network ACL resource currently associated with my EC2 Linux instance?

By default, the Windows Remote Desktop Protocol (RDP) requires username/password authentication for client connection requests. Although you can edit the rules of the security group and/or network ACL resource associated with an EC2 instance to allow RDP client access to TCP port 3389, doing so is not recommended because it increases the potential attack surface of the instance. To help keep the potential attack surface as small as possible, it is a best practice to use SSH tunneling (local port forwarding) of RDP requests when accessing your EC2 instance from an RDP client.

Use one of the methods described here to establish an RDP connection from your Windows computer to an EC2 Linux instance. The first two methods describe local port forwarding of RDP using SSH, allowing you to make an RDP connection to your EC2 Linux instance over port 22 (or another port that you use for SSH). If you use local port forwarding of RDP using SSH, you do not need to open port 3389 on the security group and/or network ACL resource associated with a Linux EC2 instance to connect to the instance from an RDP client.

Note: These steps assume that you have already prepared your EC2 Linux instance for remote desktop access. See the Related Information section of this article for links to articles that describe how to configure an EC2 Linux instance for remote desktop access. Amazon Linux does not support remote desktop access.

Option 1: Configure Windows PuTTY for local port forwarding of RDP using SSH

Windows PuTTY is a widely used ssh client program for Windows that provides remote secure terminal access to Linux. You can download PuTTY from http://www.putty.org. For more information about using PuTTY from Windows to connect to your EC2 instance, see Connecting to Your Linux Instance from Windows Using PuTTY. Verify that you can use PuTTY to connect to your EC2 Linux instance with SSH before you configure local port forwarding of RDP using SSH.

After you have configured PuTTY to connect to your instance with SSH, initiate an SSH connection from Windows to your EC2 Linux instance and complete these steps to set up local port forwarding of RDP using SSH:

1.    Run the ifconfig command to determine the internal IP address associated with the instance. The internal IP address is typically assigned to the eth0 interface and displayed as inet addr:xxx.xxx.xxx.xxx; for example:

eth0     link encap:Ethernet HWaddr 0b:3c:4b:5c:6d:7e
         inet addr:10.0.0.55  Bcast:10.0.0.255  Mask:255.255.255.0

2.    Right-click the title bar and choose Change Settings to display the PuTTY Reconfiguration dialog box.

3.    On the left side of the PuTTY Reconfiguration dialog box, expand the Connection category, expand the SSH category, and choose Tunnels. You should now see a dialog box with the title "Options controlling SSH port forwarding".

4.    Under Add new forwarded port: and to the right of Source port enter the value of any valid unassigned port number; for example, 3388. For a list of port numbers and indication of whether they are currently assigned, see the IANA Service Name and Transport Protocol Port Number Registry.

5.    To the right of Destination, enter the internal IP address of the EC2 Instance followed by :3389; for example, 10.0.0.55:3389.

6.    Choose Add. You should now have a single entry listed under forwarded ports.

7.    Scroll to the top-left side of the PuTTY Configuration dialog box and either enter a new name and choose Save or select an existing name from the list of Saved Sessions and choose Apply.

8.    Launch the Remote Desktop client (mstsc.exe). Next to Computer: specify the IP address 127.0.0.1 followed by a colon (:) followed by the value of the unused port number you designated previously; for example, 127.0.0.1:3388.

9.    Choose Connect to initiate a remote desktop connection to the EC2 instance. When you connect to 127.0.0.1:3388, your connection is forwarded to the internal address of your instance, over port 3389. You should be presented with a login screen that allows you to log in to your instance with a user name and password created previously for an instance of this Linux distribution.

Option 2: Configure local port forwarding of RDP using SSH with Bash on Ubuntu on Windows

This method is in some ways more difficult, but only because the Windows Subsystem for Linux (WSL) is not yet available for all versions of Windows. If you are able to install the Windows Subsystem for Linux and Bash on Ubuntu on Windows, you will likely find that using WSL with Bash greatly simplifies the process of configuring local port forwarding of RDP using SSH as compared to using Windows PuTTY. To determine if your version of Windows supports the installation of WSL and Bash, see the Windows Subsystem for Linux Documentation.

If you can install the Windows Subsystem for Linux and Bash on Ubuntu on Windows, follow these steps to configure local port forwarding of RDP using SSH:

1.    Sign in to the Amazon EC2 console and select a running EC2 Linux instance that you want to connect to with Remote Desktop (RDP).

2.    Choose Connect at the top of the EC2 console to display options for connecting to your instance. Because you will use ssh with Bash on Ubuntu on Windows to initiate a connection to your instance, ensure that your Ubuntu instance can access your private key (*.pem file) and modify the syntax specified in the Example so that it will provide port forwarding.

For example, the following command-line arguments represent what the Example syntax that is displayed might look like:

ssh -i "mytestcert.pem" ubuntu@ec2-192-168-5-55.us-west-2.compute.amazonaws.com

3.    Modify this example so that the -i is preceded with -L 3388:localhost:3389.
Note: You can use any valid unassigned port number as described at the IANA Service Name and Transport Protocol Port Number Registry in place of 3388, but you also need to use the same port number when you use the Windows Remote Desktop client to connect to your EC2 Linux instance.

ssh -L 3388:localhost:3389 -i "mytestcert.pem" ubuntu@ec2-192-168-5-55.us-west-2.compute.amazonaws.com

4.    Launch Bash on Ubuntu on Windows and run the modified ssh command.

5.    Launch the Windows Remote Desktop client (mstsc.exe).

6.    Next to Computer: specify the IP address 127.0.0.1 followed by a colon (:) followed by the value of the unused port number you designated previously; for example, 127.0.0.1:3388.
Note: This port number must match the local port number that you specified after -L when you connected to your EC2 instance with SSH.

7.    Choose Connect to initiate a remote desktop connection to the EC2 instance. When you connect to 127.0.0.1:3388, your connection is forwarded to the internal address of your instance, over port 3389. You should be presented with a login screen that allows you to log in to your instance with a user name and password created previously for an instance of this Linux distribution.
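The tunnel from steps 3 and 4, wrapped in a small POSIX shell helper as an added example (this is not part of the AWS article): it validates the local port, checks that nothing on your machine already listens there, and builds the ssh command with the listener bound explicitly to 127.0.0.1 so the forwarded RDP port is never reachable from other hosts on your LAN. The key file name and instance host name are placeholders taken from the article's example.

```shell
#!/bin/sh
# Added example, not from the AWS article. Host names, key paths and ports are placeholders.

# validate_port PORT -> 0 if PORT is numeric and in the registered/dynamic range 1024-65535
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# local_port_free PORT -> 0 if no local TCP listener is already bound to PORT.
# Complements step 3's "unassigned port" advice with a check of what is actually in use.
local_port_free() {
    if command -v ss >/dev/null 2>&1; then
        ! ss -ltn 2>/dev/null | awk '{print $4}' | grep -q ":$1\$"
    elif command -v netstat >/dev/null 2>&1; then
        ! netstat -ltn 2>/dev/null | awk '{print $4}' | grep -q ":$1\$"
    else
        return 0   # no tool to check with; assume free
    fi
}

# build_rdp_tunnel LOCAL_PORT KEY_FILE USER@HOST -> prints the ssh command.
#  -N                          no remote shell, the session exists only to carry the forward
#  -o ExitOnForwardFailure=yes fail loudly if 3388 cannot be bound instead of connecting anyway
#  -o ServerAliveInterval=30   keep the tunnel from being dropped by idle timeouts
#  -L 127.0.0.1:PORT:localhost:3389  loopback-only listener, forwarded to RDP on the instance
build_rdp_tunnel() {
    local_port=$1; key_file=$2; target=$3
    validate_port "$local_port" || { echo "invalid local port: $local_port" >&2; return 1; }
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -L 127.0.0.1:%s:localhost:3389 -i "%s" %s\n' \
        "$local_port" "$key_file" "$target"
}

# Usage: print the command for the article's example host (placeholder values),
# refusing to proceed if 3388 is already taken locally.
if local_port_free 3388; then
    build_rdp_tunnel 3388 mytestcert.pem ubuntu@ec2-192-168-5-55.us-west-2.compute.amazonaws.com
else
    echo "local port 3388 is already in use; pick another unassigned port" >&2
fi
```

Run the printed command in Bash on Ubuntu on Windows, then point mstsc.exe at 127.0.0.1:3388 exactly as in steps 5 to 7.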

Option 3: Use RDP to connect to your EC2 Linux instance without configuring local port forwarding of RDP using SSH

If you are unable to configure local port forwarding of RDP using SSH, you can still use the Windows Remote Desktop client to connect to EC2 Linux instances that support Remote Desktop:

Because you are exposing an entry point to your instance that is accessible for username/password authentication, you might also consider renaming the default user account for the instance (such as ec2-user or ubuntu) to something less obvious.

Published: 2017-09-29