Connecting to a Windows Server managed instance using Remote Desktop - Amazon Systems Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Connecting to a Windows Server managed instance using Remote Desktop

You can use Fleet Manager, a capability of Amazon Systems Manager, to connect to your Windows Server Amazon Elastic Compute Cloud (Amazon EC2) instances using the Remote Desktop Protocol (RDP). Fleet Manager Remote Desktop, which is powered by NICE DCV, provides you with secure connectivity to your Windows Server instances directly from the Systems Manager console. You can have up to four simultaneous connections in a single browser window.

Currently, you can only use Remote Desktop with instances that are running Windows Server 2012 RTM or higher. Remote Desktop supports only English language inputs.

Note

Fleet Manager Remote Desktop is a console-only service and doesn't support command-line connections to your managed instances. To connect to a Windows Server managed instance through a shell, you can use Session Manager, another capability of Amazon Systems Manager. For more information, see Amazon Systems Manager Session Manager.

For information about configuring Amazon Identity and Access Management (IAM) permissions to allow your instances to interact with Systems Manager, see Configure instance permissions for Systems Manager.

Setting up your environment

Before using Remote Desktop, verify that your environment meets the following requirements:

  • Managed node configuration

    Make sure that your Amazon EC2 instances are configured as managed nodes in Systems Manager.

  • SSM Agent minimum version

    Verify that nodes are running SSM Agent version 3.0.222.0 or higher. For information about how to check which agent version is running on a node, see Checking the SSM Agent version number. For information about installing or updating SSM Agent, see Working with SSM Agent.

  • RDP port configuration

    To accept remote connections, the Remote Desktop Services service on your Windows Server nodes must use default RDP port 3389. This is the default configuration on Amazon Machine Images (AMIs) provided by Amazon. You are not explicitly required to open any inbound ports to use Remote Desktop.

  • PSReadLine module version for keyboard functionality

    To ensure that your keyboard functions properly in PowerShell, verify that nodes running Windows Server 2022 have PSReadLine module version 2.2.2 or higher installed. If they are running an older version, you can install the required version using the following command.

    Install-Module -Name PSReadLine -Repository PSGallery -MinimumVersion 2.2.2

  • Session Manager configuration

    Before you can use Remote Desktop, you must complete the prerequisites for Session Manager setup. When you connect to an instance using Remote Desktop, any session preferences defined for your Amazon Web Services account and Amazon Web Services Region are applied. For more information, see Setting up Session Manager.

    Note

    If you log Session Manager activity using Amazon Simple Storage Service (Amazon S3), then your Remote Desktop connections will generate the following error in bucket_name/Port/stderr. This error is expected behavior and can be safely ignored.

    Setting up data channel with id SESSION_ID failed: failed to create websocket for datachannel with error: CreateDataChannel failed with no output or error: createDataChannel request failed: unexpected response from the service <BadRequest>
    <ClientErrorMessage>Session is already terminated</ClientErrorMessage>
    </BadRequest>

Configuring IAM permissions for Remote Desktop

In addition to the required IAM permissions for Systems Manager and Session Manager, the user or role you use to access the console must allow the following actions:

  • ssm-guiconnect:CancelConnection

  • ssm-guiconnect:GetConnection

  • ssm-guiconnect:StartConnection

The following are example IAM policies that you can attach to a user or role to allow different types of interaction with Remote Desktop. Replace each example resource placeholder with your own information.

Example 1: Remote Desktop access to managed nodes in the account

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:GetPasswordData"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SSM",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeInstanceProperties",
        "ssm:GetCommandInvocation",
        "ssm:GetInventorySchema"
      ],
      "Resource": "*"
    },
    {
      "Sid": "TerminateSession",
      "Effect": "Allow",
      "Action": [
        "ssm:TerminateSession"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ssm:resourceTag/aws:ssmmessages:session-id": [
            "${aws:userid}"
          ]
        }
      }
    },
    {
      "Sid": "SSMStartSession",
      "Effect": "Allow",
      "Action": [
        "ssm:StartSession"
      ],
      "Resource": [
        "arn:aws-cn:ec2:*:account-id:instance/*",
        "arn:aws-cn:ssm:*:account-id:managed-instance/*",
        "arn:aws-cn:ssm:*::document/AWS-StartPortForwardingSession"
      ],
      "Condition": {
        "BoolIfExists": {
          "ssm:SessionDocumentAccessCheck": "true"
        },
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": "ssm-guiconnect.amazonaws.com"
        }
      }
    },
    {
      "Sid": "GuiConnect",
      "Effect": "Allow",
      "Action": [
        "ssm-guiconnect:CancelConnection",
        "ssm-guiconnect:GetConnection",
        "ssm-guiconnect:StartConnection"
      ],
      "Resource": "*"
    }
  ]
}

Example 2: Remote Desktop access restricted to managed nodes that carry a specified tag

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:GetPasswordData"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SSM",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeInstanceProperties",
        "ssm:GetCommandInvocation",
        "ssm:GetInventorySchema"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SSMStartSession",
      "Effect": "Allow",
      "Action": [
        "ssm:StartSession"
      ],
      "Resource": [
        "arn:aws-cn:ssm:*::document/AWS-StartPortForwardingSession"
      ],
      "Condition": {
        "BoolIfExists": {
          "ssm:SessionDocumentAccessCheck": "true"
        },
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": "ssm-guiconnect.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AccessTaggedInstances",
      "Effect": "Allow",
      "Action": [
        "ssm:StartSession"
      ],
      "Resource": [
        "arn:aws-cn:ec2:*:account-id:instance/*",
        "arn:aws-cn:ssm:*:account-id:managed-instance/*"
      ],
      "Condition": {
        "StringLike": {
          "ssm:resourceTag/tag key": [
            "tag value"
          ]
        }
      }
    },
    {
      "Sid": "GuiConnect",
      "Effect": "Allow",
      "Action": [
        "ssm-guiconnect:CancelConnection",
        "ssm-guiconnect:GetConnection",
        "ssm-guiconnect:StartConnection"
      ],
      "Resource": "*"
    }
  ]
}

Example 3: Remote Desktop connections authenticated with IAM Identity Center

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SSO",
      "Effect": "Allow",
      "Action": [
        "sso:ListDirectoryAssociations*",
        "identitystore:DescribeUser"
      ],
      "Resource": "*"
    },
    {
      "Sid": "EC2",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:GetPasswordData"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SSM",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeInstanceProperties",
        "ssm:GetCommandInvocation",
        "ssm:GetInventorySchema"
      ],
      "Resource": "*"
    },
    {
      "Sid": "TerminateSession",
      "Effect": "Allow",
      "Action": [
        "ssm:TerminateSession"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ssm:resourceTag/aws:ssmmessages:session-id": [
            "${aws:userName}"
          ]
        }
      }
    },
    {
      "Sid": "SSMStartSession",
      "Effect": "Allow",
      "Action": [
        "ssm:StartSession"
      ],
      "Resource": [
        "arn:aws-cn:ec2:*:*:instance/*",
        "arn:aws-cn:ssm:*:*:managed-instance/*",
        "arn:aws-cn:ssm:*:*:document/AWS-StartPortForwardingSession"
      ],
      "Condition": {
        "BoolIfExists": {
          "ssm:SessionDocumentAccessCheck": "true"
        },
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": "ssm-guiconnect.amazonaws.com"
        }
      }
    },
    {
      "Sid": "SSMSendCommand",
      "Effect": "Allow",
      "Action": [
        "ssm:SendCommand"
      ],
      "Resource": [
        "arn:aws-cn:ec2:*:*:instance/*",
        "arn:aws-cn:ssm:*:*:managed-instance/*",
        "arn:aws-cn:ssm:*:*:document/AWSSSO-CreateSSOUser"
      ],
      "Condition": {
        "BoolIfExists": {
          "ssm:SessionDocumentAccessCheck": "true"
        }
      }
    },
    {
      "Sid": "GuiConnect",
      "Effect": "Allow",
      "Action": [
        "ssm-guiconnect:CancelConnection",
        "ssm-guiconnect:GetConnection",
        "ssm-guiconnect:StartConnection"
      ],
      "Resource": "*"
    }
  ]
}
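The following is an added example, not part of the AWS documentation and not code from the Systems Manager service: a small Python linter that checks a Remote Desktop policy document against the pattern of the examples above, namely that the three ssm-guiconnect actions are granted, that ssm:StartSession on the AWS-StartPortForwardingSession document carries the aws:CalledVia condition for ssm-guiconnect.amazonaws.com, and that ssm:TerminateSession on Resource "*" is scoped by the aws:ssmmessages:session-id tag condition. The WEAK_POLICY document is a constructed sample of an over-broad policy.

```python
# The three Fleet Manager Remote Desktop actions the page lists as required.
GUICONNECT_ACTIONS = {"ssm-guiconnect:CancelConnection",
                      "ssm-guiconnect:GetConnection",
                      "ssm-guiconnect:StartConnection"}
PORT_FORWARD_DOC = "document/AWS-StartPortForwardingSession"
SESSION_TAG_KEY = "ssm:resourceTag/aws:ssmmessages:session-id"
CALLED_VIA = "ssm-guiconnect.amazonaws.com"


def _as_list(value):
    """IAM lets Action, Resource and condition values be a string or a list."""
    return value if isinstance(value, list) else [value]


def lint_rdp_policy(policy):
    """Return findings for a Remote Desktop policy (empty list = passes).
    Wildcards such as "ssm:*" are not expanded; only the explicit pattern
    of the example policies above is checked."""
    findings, allowed = [], set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(_as_list(stmt.get("Action", [])))
        resources = _as_list(stmt.get("Resource", []))
        cond = stmt.get("Condition", {})
        allowed |= actions
        # StartSession on the port-forwarding document should be usable only
        # when ssm-guiconnect makes the call on the console user's behalf.
        if "ssm:StartSession" in actions and any(
                r.endswith(PORT_FORWARD_DOC) for r in resources):
            via = cond.get("ForAnyValue:StringEquals", {}).get("aws:CalledVia", [])
            if CALLED_VIA not in _as_list(via):
                findings.append(f"{sid}: StartSession lacks aws:CalledVia={CALLED_VIA}")
        # TerminateSession on "*" should be limited to the caller's own sessions.
        if "ssm:TerminateSession" in actions and "*" in resources:
            keys = {k for operands in cond.values() for k in operands}
            if SESSION_TAG_KEY not in keys:
                findings.append(f"{sid}: TerminateSession on * without {SESSION_TAG_KEY}")
    missing = GUICONNECT_ACTIONS - allowed
    if missing:
        findings.append("missing required actions: " + ", ".join(sorted(missing)))
    return findings


# Constructed sample (not from the page): an over-broad policy the linter flags.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Terminate", "Effect": "Allow", "Action": "ssm:TerminateSession", "Resource": "*"},
    {"Sid": "Start", "Effect": "Allow", "Action": ["ssm:StartSession"],
     "Resource": "arn:aws-cn:ssm:*::document/AWS-StartPortForwardingSession"},
    {"Sid": "Gui", "Effect": "Allow", "Action": "ssm-guiconnect:StartConnection", "Resource": "*"}]}
```

Running `lint_rdp_policy(WEAK_POLICY)` returns three findings (unscoped TerminateSession, StartSession without aws:CalledVia, and two missing ssm-guiconnect actions); the three example policies above each return an empty list.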

Authenticating Remote Desktop connections

When establishing a remote connection, you can authenticate using Windows credentials or the Amazon EC2 key pair (.pem file) that is associated with the instance. For information about using key pairs, see Amazon EC2 key pairs and Windows instances in the Amazon EC2 User Guide for Windows Instances.

Alternatively, if you're authenticated to the Amazon Web Services Management Console using Amazon IAM Identity Center, you can connect to your instances without providing additional credentials. For an example of a policy to allow remote connection authentication using IAM Identity Center, see Configuring IAM permissions for Remote Desktop.

Before you begin

Note the following conditions for using IAM Identity Center authentication before you begin connecting using Remote Desktop.

  • Remote Desktop supports IAM Identity Center authentication for nodes in the same Amazon Web Services Region where you enabled IAM Identity Center.

  • Remote Desktop supports IAM Identity Center user names of up to 16 characters.

  • Remote Desktop supports IAM Identity Center user names consisting of alphanumeric characters and the following special characters: . - _

    Important

    Connections won't succeed for IAM Identity Center user names that contain the following characters: + = , @.

    IAM Identity Center supports these characters in user names, but Fleet Manager RDP connections do not.

  • When a connection is authenticated using IAM Identity Center, Remote Desktop creates a local Windows user in the instance’s Local Administrators group. This user persists after the remote connection has ended.

  • Remote Desktop does not allow IAM Identity Center authentication for nodes that are Microsoft Active Directory domain controllers.

  • Although Remote Desktop allows you to use IAM Identity Center authentication for nodes joined to an Active Directory domain, we do not recommend doing so. This authentication method grants administrative permissions to users which might override more restrictive permissions granted by the domain.

Supported Regions for IAM Identity Center authentication

Remote Desktop connections using IAM Identity Center authentication are supported in the following Amazon Web Services Regions:

  • US East (Ohio) (us-east-2)

  • US East (N. Virginia) (us-east-1)

  • US West (N. California) (us-west-1)

  • US West (Oregon) (us-west-2)

  • Africa (Cape Town) (af-south-1)

  • Asia Pacific (Hong Kong) (ap-east-1)

  • Asia Pacific (Mumbai) (ap-south-1)

  • Asia Pacific (Tokyo) (ap-northeast-1)

  • Asia Pacific (Seoul) (ap-northeast-2)

  • Asia Pacific (Osaka) (ap-northeast-3)

  • Asia Pacific (Singapore) (ap-southeast-1)

  • Asia Pacific (Sydney) (ap-southeast-2)

  • Asia Pacific (Jakarta) (ap-southeast-3)

  • Canada (Central) (ca-central-1)

  • Europe (Frankfurt) (eu-central-1)

  • Europe (Stockholm) (eu-north-1)

  • Europe (Ireland) (eu-west-1)

  • Europe (London) (eu-west-2)

  • Europe (Paris) (eu-west-3)

  • Israel (Tel Aviv) (il-central-1)

  • South America (São Paulo) (sa-east-1)

  • Europe (Milan) (eu-south-1)

  • Middle East (Bahrain) (me-south-1)

  • Amazon GovCloud (US-East) (us-gov-east-1)

  • Amazon GovCloud (US-West) (us-gov-west-1)

Remote connection duration and concurrency

The following conditions apply to active Remote Desktop connections:

  • Connection duration

    By default, a Remote Desktop connection is disconnected after 60 minutes. To prevent a connection from being disconnected, you can choose Renew session before being disconnected to reset the duration timer.

  • Connection timeout

    A Remote Desktop connection disconnects after it has been idle for more than 10 minutes.

  • Concurrent connections

    By default, you can have a maximum of 5 active Remote Desktop connections at one time for the same Amazon Web Services account and Amazon Web Services Region. To request a service quota increase of up to 25 concurrent connections, see Requesting a quota increase in the Service Quotas User Guide.

Connect to a managed node using Remote Desktop

Browser copy/paste support for text

Using the Google Chrome and Microsoft Edge browsers, you can copy and paste text from a managed node to your local machine, and from your local machine to a managed node that you are connected to.

Using the Mozilla Firefox browser, you can copy and paste text from a managed node to your local machine only. Copying from your local machine to the managed node is not supported.

To connect to a managed node using Fleet Manager Remote Desktop

  1. Open the Amazon Systems Manager console at https://console.amazonaws.cn/systems-manager/.

  2. In the navigation pane, choose Fleet Manager.

    -or-

    If the Amazon Systems Manager home page opens first, choose the menu icon to open the navigation pane, and then choose Fleet Manager in the navigation pane.

  3. Choose the node that you want to connect to. You can select either the check box or the node name.

  4. On the Node actions menu, choose Connect with Remote Desktop.

  5. Choose your preferred Authentication type. If you choose User credentials, enter the user name and password for a Windows user account on the node that you're connecting to. If you choose Key pair, you can provide authentication using one of the following methods:

    1. Choose Browse local machine if you want to select the PEM key associated with your instance from your local file system.

      - or -

    2. Choose Paste key pair content if you want to copy the contents of the PEM file and paste them into the provided field.

  6. Select Connect.

  7. To choose your preferred display resolution, in the Actions menu, choose Resolutions, and then select from the following:

    • Adapt Automatically

    • 1920 x 1080

    • 1400 x 900

    • 1366 x 768

    • 800 x 600

    The Adapt Automatically option sets the resolution based on your detected screen size.