Amazon Elastic Compute Cloud
User Guide for Windows Instances
Copyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved.
Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.
Table of Contents
What is Amazon EC2? ... 1
Features of Amazon EC2 ... 1
How to get started with Amazon EC2 ... 1
Related services ... 2
Access Amazon EC2 ... 3
Pricing for Amazon EC2 ... 3
PCI DSS compliance ... 4
Set up ... 5
Sign up for AWS ... 5
Create a key pair ... 5
Create a security group ... 6
Get started tutorial ... 9
Overview ... 9
Prerequisites ... 10
Step 1: Launch an instance ... 10
Step 2: Connect to your instance ... 11
Step 3: Clean up your instance ... 17
Next steps ... 17
Best practices ... 18
Amazon Machine Images ... 21
Boot modes ... 21
Considerations ... 22
Requirements for launching an instance with UEFI ... 22
Determine the boot mode parameter of an AMI ... 22
Determine the supported boot modes of an instance type ... 23
Determine the boot mode of an instance ... 24
Determine the boot mode of the OS ... 25
Set the boot mode of an AMI ... 25
UEFI variables ... 27
AWS Windows AMIs ... 28
Select an initial Windows AMI ... 28
Keep your AMIs up-to-date ... 29
Virtualization types ... 29
Configure your Windows AMI for faster launching ... 29
Managed AWS Windows AMIs ... 35
Specialized Windows AMIs ... 43
AWS Windows AMI version history ... 49
Find a Windows AMI ... 93
Find a Windows AMI using the Amazon EC2 console ... 94
Find an AMI using the AWS Tools for Windows PowerShell ... 94
Find an AMI using the AWS CLI ... 95
Find the latest Windows AMI using Systems Manager ... 95
Use a Systems Manager parameter to find an AMI ... 95
Shared AMIs ... 98
Find shared AMIs ... 98
Make an AMI public ... 100
Share an AMI with organizations or OUs ... 103
Share an AMI with specific AWS accounts ... 110
Use bookmarks ... 113
Best practices for shared Windows AMIs ... 114
Paid AMIs ... 114
Sell your AMI ... 115
Find a paid AMI ... 115
Purchase a paid AMI ... 116
Get the product code for your instance ... 117
Use paid support ... 117
Bills for paid and supported AMIs ... 117
Manage your AWS Marketplace subscriptions ... 117
AMI lifecycle ... 118
Create a custom Windows AMI ... 118
Copy an AMI ... 133
Store and restore an AMI ... 139
Deprecate an AMI ... 145
Deregister your AMI ... 150
Recover AMIs from the Recycle Bin ... 154
Automate the EBS-backed AMI lifecycle ... 157
Use encryption with EBS-backed AMIs ... 157
Instance-launching scenarios ... 157
Image-copying scenarios ... 160
Understand AMI billing ... 161
AMI billing fields ... 162
Find AMI billing information ... 163
Verify AMI charges on your bill ... 165
Instances ... 166
Windows instances ... 166
Instances and AMIs ... 166
Differences between Windows Server and Windows instances ... 167
Design your applications to run on Windows instances ... 168
Instance types ... 169
Available instance types ... 170
Hardware specifications ... 173
Instances built on the Nitro System ... 174
Networking and storage features ... 175
Instance limits ... 178
General purpose ... 178
Compute optimized ... 223
Memory optimized ... 231
Storage optimized ... 244
Accelerated computing ... 250
Find an instance type ... 265
Get recommendations ... 266
Change the instance type ... 270
Instance purchasing options ... 276
Determine the instance lifecycle ... 277
On-Demand Instances ... 278
Reserved Instances ... 281
Scheduled Instances ... 320
Spot Instances ... 321
Dedicated Hosts ... 379
Dedicated Instances ... 412
On-Demand Capacity Reservations ... 419
Instance lifecycle ... 455
Instance launch ... 456
Instance stop and start (Amazon EBS-backed instances only) ... 456
Instance hibernate (Amazon EBS-backed instances only) ... 457
Instance reboot ... 457
Instance retirement ... 458
Instance termination ... 458
Differences between reboot, stop, hibernate, and terminate ... 458
Launch ... 459
Connect ... 492
Stop and start ... 505
Hibernate ... 508
Reboot ... 519
Retire ... 520
Terminate ... 522
Recover ... 528
Configure instances ... 529
EC2Launch v2 ... 530
EC2Launch ... 570
EC2Config service ... 579
PV drivers ... 605
AWS NVMe drivers ... 625
Optimize CPU options ... 628
Set the time ... 649
Set the password ... 654
Add Windows components ... 654
Configure a secondary private IPv4 Address ... 658
Run commands at launch ... 662
Instance metadata and user data ... 669
SQL Server Clustering in EC2 ... 718
Upgrade Windows instances ... 724
Perform an in-place upgrade ... 725
Perform an automated upgrade ... 729
Migrate to latest generation instance types ... 737
Migrate Microsoft SQL Server from Windows to Linux ... 742
Troubleshoot an upgrade ... 749
Identify instances ... 750
Inspect the instance identity document ... 750
Inspect the system UUID ... 750
Set up a Windows HPC cluster ... 750
Prerequisites ... 751
Step 1: Create your security groups ... 751
Step 2: Set up your Active Directory domain controller ... 754
Step 3: Configure your head node ... 754
Step 4: Set up the compute node ... 756
Step 5: Scale your HPC compute nodes (optional) ... 757
Fleets ... 759
EC2 Fleet ... 759
EC2 Fleet limitations ... 760
Burstable performance instances ... 760
EC2 Fleet request types ... 761
EC2 Fleet configuration strategies ... 779
Work with EC2 Fleets ... 802
Spot Fleet ... 820
Spot Fleet request types ... 820
Spot Fleet configuration strategies ... 820
Work with Spot Fleets ... 846
CloudWatch metrics for Spot Fleet ... 865
Automatic scaling for Spot Fleet ... 867
Monitor fleet events ... 873
EC2 Fleet event types ... 874
Spot Fleet event types ... 878
Create EventBridge rules ... 883
Tutorials ... 888
Tutorial: Use EC2 Fleet with instance weighting ... 888
Tutorial: Use EC2 Fleet with On-Demand as the primary capacity ... 890
Tutorial: Launch On-Demand Instances using targeted Capacity Reservations ... 891
Tutorial: Use Spot Fleet with instance weighting ... 896
Example configurations ... 898
EC2 Fleet example configurations ... 898
Spot Fleet example configurations ... 911
Fleet quotas ... 922
Elastic Graphics ... 923
Elastic Graphics basics ... 923
Pricing for Elastic Graphics ... 925
Elastic Graphics limitations ... 925
Work with Elastic Graphics ... 925
Configure your security groups ... 926
Launch an instance with an Elastic Graphics accelerator ... 927
Install the required software for Elastic Graphics ... 928
Verify Elastic Graphics functionality on your instance ... 928
View Elastic Graphics information ... 930
Submit feedback ... 931
Elastic Graphics maintenance ... 931
How will I be notified? ... 931
What do I need to do? ... 932
What happens when an accelerator reaches its retirement date? ... 932
Use CloudWatch metrics to monitor Elastic Graphics ... 932
Elastic Graphics metrics ... 932
Elastic Graphics dimensions ... 933
View CloudWatch metrics for Elastic Graphics ... 933
Create CloudWatch alarms to monitor Elastic Graphics ... 933
Troubleshoot ... 934
Investigate application performance issues ... 934
Resolve unhealthy status issues ... 936
Why am I seeing multiple ENIs? ... 937
Monitor ... 938
Automated and manual monitoring ... 939
Automated monitoring tools ... 939
Manual monitoring tools ... 940
Best practices for monitoring ... 940
Monitor the status of your instances ... 941
Instance status checks ... 941
Scheduled events ... 947
Monitor your instances using CloudWatch ... 971
Enable detailed monitoring ... 971
List available metrics ... 973
Get statistics for metrics ... 985
Graph metrics ... 993
Create an alarm ... 993
Create alarms that stop, terminate, reboot, or recover an instance ... 995
Automate Amazon EC2 with EventBridge ... 1006
Log API calls with AWS CloudTrail ... 1006
Amazon EC2 and Amazon EBS information in CloudTrail ... 1007
Understand Amazon EC2 and Amazon EBS log file entries ... 1007
Audit users that connect via EC2 Instance Connect ... 1008
Monitor your .NET and SQL Server applications ... 1009
Networking ... 1011
Regions and Zones ... 1011
Regions ... 1012
Availability Zones ... 1016
Local Zones ... 1020
Wavelength Zones ... 1023
AWS Outposts ... 1025
Instance IP addressing ... 1026
Private IPv4 addresses ... 1027
Public IPv4 addresses ... 1027
Elastic IP addresses (IPv4) ... 1028
IPv6 addresses ... 1028
Work with the IPv4 addresses for your instances ... 1029
Work with the IPv6 addresses for your instances ... 1032
Multiple IP addresses ... 1034
EC2 instance hostnames ... 1041
Instance hostname types ... 1042
Types of EC2 hostnames ... 1042
Where you see RBN and IPBN ... 1043
Modify RBN configurations ... 1045
Bring your own IP addresses ... 1046
BYOIP definitions ... 1047
Requirements and quotas ... 1047
Onboarding prerequisites ... 1047
Onboard your BYOIP ... 1053
Work with your address range ... 1055
Validate your BYOIP ... 1056
Learn more ... 1059
Assigning prefixes ... 1059
Basics for assigning prefixes ... 1060
Considerations and limits for prefixes ... 1060
Work with prefixes ... 1060
Elastic IP addresses ... 1070
Elastic IP address pricing ... 1070
Elastic IP address basics ... 1071
Work with Elastic IP addresses ... 1071
Use reverse DNS for email applications ... 1077
Elastic IP address limit ... 1078
Network interfaces ... 1079
Network interface basics ... 1079
IP addresses per network interface per instance type ... 1081
Work with network interfaces ... 1094
Best practices for configuring network interfaces ... 1102
Scenarios for network interfaces ... 1102
Requester-managed network interfaces ... 1104
Network bandwidth ... 1105
Available instance bandwidth ... 1105
Monitor instance bandwidth ... 1106
Enhanced networking ... 1107
Enhanced networking support ... 1107
Enable enhanced networking on your instance ... 1108
Enhanced networking: ENA ... 1108
Enhanced networking: Intel 82599 VF ... 1115
Operating system optimizations ... 1119
Network performance metrics ... 1120
Placement groups ... 1122
Placement group strategies ... 1122
Placement group rules and limitations ... 1125
Working with placement groups ... 1126
Network MTU ... 1135
Jumbo frames (9001 MTU) ... 1136
Path MTU Discovery ... 1136
Check the path MTU between two hosts ... 1137
Check and set the MTU on your Windows instance ... 1137
Troubleshoot ... 1139
Virtual private clouds ... 1139
Ports and Protocols ... 1141
AllJoyn Router ... 1141
Cast to Device ... 1142
Core Networking ... 1143
Delivery Optimization ... 1162
Diag Track ... 1163
DIAL Protocol Server ... 1163
Distributed File System (DFS) Management ... 1163
File and Printer Sharing ... 1164
File Server Remote Management ... 1166
ICMP v4 All ... 1167
Multicast ... 1167
Remote Desktop ... 1168
Windows Device Management ... 1170
Windows Firewall Remote Management ... 1170
Windows Remote Management ... 1171
EC2-Classic ... 1171
Detect supported platforms ... 1171
Instance types available in EC2-Classic ... 1172
Differences between instances in EC2-Classic and a VPC ... 1173
Share and access resources between EC2-Classic and a VPC ... 1176
ClassicLink ... 1177
Migrate from EC2-Classic to a VPC ... 1188
Security ... 1196
Infrastructure security ... 1197
Network isolation ... 1197
Isolation on physical hosts ... 1197
Controlling network traffic ... 1197
Interface VPC endpoints ... 1199
Create an interface VPC endpoint ... 1199
Create an interface VPC endpoint policy ... 1199
Resilience ... 1200
Data protection ... 1201
Amazon EBS data security ... 1201
Encryption at rest ... 1202
Encryption in transit ... 1202
Identity and access management ... 1203
Network access to your instance ... 1204
Amazon EC2 permission attributes ... 1204
IAM and Amazon EC2 ... 1204
IAM policies ... 1206
AWS managed policies ... 1261
IAM roles ... 1262
Network access ... 1272
Key pairs ... 1276
Create a key pair using Amazon EC2 ... 1276
Create a key pair using a third-party tool and import the public key to Amazon EC2 ... 1278
Tag a public key ... 1279
Retrieve the public key from the private key ... 1281
Retrieve the public key through instance metadata ... 1281
Identify the key pair that was specified at launch ... 1282
Verify your key pair's fingerprint ... 1282
Delete your key pair ... 1283
Connect to your Windows instance if you lose your private key ... 1283
Security groups ... 1284
Security group rules ... 1285
Connection tracking ... 1286
Default and custom security groups ... 1288
Work with security groups ... 1289
Security group rules for different use cases ... 1299
Configuration management ... 1304
Update management ... 1304
Change management ... 1304
Compliance validation ... 1305
Audit and accountability ... 1306
Storage ... 1307
Amazon EBS ... 1308
Features of Amazon EBS ... 1309
EBS volumes ... 1309
EBS snapshots ... 1362
Amazon Data Lifecycle Manager ... 1457
EBS data services ... 1502
EBS volumes and NVMe ... 1532
EBS optimization ... 1534
EBS performance ... 1554
EBS CloudWatch metrics ... 1567
EBS CloudWatch events ... 1574
EBS quotas ... 1584
Instance store ... 1584
Instance store lifetime ... 1585
Instance store volumes ... 1586
Add instance store volumes ... 1593
SSD instance store volumes ... 1596
File storage ... 1597
Amazon S3 ... 1598
Amazon EFS ... 1599
Amazon FSx ... 1599
Instance volume limits ... 1600
Nitro System volume limits ... 1600
Windows-specific volume limits ... 1600
Bandwidth versus capacity ... 1601
Root device volume ... 1601
Configure the root volume to persist ... 1601
Confirm that a root volume is configured to persist ... 1603
Change the initial size of the root volume ... 1604
Device names ... 1605
Available device names ... 1605
Device name considerations ... 1606
Block device mappings ... 1606
Block device mapping concepts ... 1606
AMI block device mapping ... 1609
Instance block device mapping ... 1611
Map disks to volumes ... 1615
List NVMe volumes ... 1616
List volumes ... 1620
Deploy Storage Spaces Direct ... 1625
Step 1: Launch and Domain Join Instances ... 1627
Step 2: Install and Configure Instance Prerequisites ... 1629
Step 3: Create Failover Cluster ... 1630
Step 4: Enable S2D ... 1631
Step 5: Provision Storage ... 1631
Step 6: Review the S2D Resources ... 1632
Step 7: Clean Up ... 1633
Additional Resources ... 1633
Resources and tags ... 1634
Recycle Bin ... 1634
How does it work? ... 1634
Supported resources ... 1635
Considerations ... 1635
Quotas ... 1636
Related services ... 1637
Pricing ... 1637
Required IAM permissions ... 1637
Work with retention rules ... 1638
Work with resources in the Recycle Bin ... 1645
Monitoring Recycle Bin using AWS CloudTrail ... 1645
Resource locations ... 1653
Resource IDs ... 1654
List and filter your resources ... 1655
List and filter resources using the console ... 1655
List and filter using the CLI and API ... 1660
List and filter resources across Regions using Amazon EC2 Global View ... 1662
Tag your resources ... 1663
Tag basics ... 1663
Tag your resources ... 1664
Tag restrictions ... 1667
Tags and access management ... 1668
Tag your resources for billing ... 1668
Work with tags using the console ... 1668
Work with tags using the command line ... 1672
Work with instance tags in instance metadata ... 1675
Add tags to a resource using CloudFormation ... 1676
Service quotas ... 1677
View your current limits ... 1677
Request an increase ... 1678
Restriction on email sent using port 25 ... 1678
Usage reports ... 1679
Troubleshoot ... 1680
Common issues ... 1680
EBS volumes don't initialize on Windows Server 2016 and later ... 1680
Boot an EC2 Windows instance into Directory Services Restore Mode (DSRM) ... 1681
Instance loses network connectivity or scheduled tasks don't run when expected ... 1683
Unable to get console output ... 1683
Windows Server 2012 R2 not available on the network ... 1684
Disk signature collision ... 1684
Common messages ... 1685
"Password is not available" ... 1685
"Password not available yet" ... 1686
"Cannot retrieve Windows password" ... 1686
"Waiting for the metadata service" ... 1686
"Unable to activate Windows" ... 1689
"Windows is not genuine (0x80070005)" ... 1690
"No Terminal Server License Servers available to provide a license" ... 1690
"Some settings are managed by your organization" ... 1691
Troubleshoot launch issues ... 1691
Instance limit exceeded ... 1691
Insufficient instance capacity ... 1692
The requested configuration is currently not supported. Please check the documentation for supported configurations. ... 1692
Instance terminates immediately ... 1693
High CPU usage shortly after Windows starts ... 1694
Connect to your instance ... 1694
Remote Desktop can't connect to the remote computer ... 1694
Error using the macOS RDP client ... 1697
RDP displays a black screen instead of the desktop ... 1697
Unable to remotely log on to an instance with a user account that is not an administrator ... 1698
Troubleshooting Remote Desktop issues using AWS Systems Manager ... 1698
Enable Remote Desktop on an EC2 Instance With Remote Registry ... 1700
Troubleshoot an unreachable instance ... 1701
Get a screenshot of an unreachable instance ... 1701
Common screenshots ... 1703
Reset a lost or expired Windows administrator password ... 1708
Reset using EC2Launch v2 ... 1709
Reset Using EC2Config ... 1712
Reset using EC2Launch ... 1716
Stop your instance ... 1719
Force stop the instance ... 1719
Create a replacement instance ... 1720
Terminate your instance ... 1721
Instance terminates immediately ... 1721
Delayed instance termination ... 1721
Terminated instance still displayed ... 1722
Instances automatically launched or terminated ... 1722
Troubleshoot Sysprep ... 1722
Troubleshoot ENA Windows driver ... 1723
Collect diagnostic information on the instance ... 1723
ENA adapter reset ... 1726
Troubleshooting scenarios ... 1727
EC2Rescue for Windows Server ... 1733
Use the GUI ... 1733
Use the command line ... 1737
Use Systems Manager ... 1742
EC2 Serial Console ... 1745
Configure access to the EC2 Serial Console ... 1745
Connect to the EC2 Serial Console ... 1750
Terminate an EC2 Serial Console session ... 1754
Troubleshoot your instance using the EC2 Serial Console ... 1754
Send a diagnostic interrupt ... 1759
Supported instance types ... 1759
Prerequisites ... 1759
Send a diagnostic interrupt ... 1760
AWS Systems Manager for Microsoft System Center VMM ... 1761
Features ... 413
Limitations ... 142
Requirements ... 1762
Get started ... 1762
Set up ... 1762
Sign up for AWS ... 1762
Set up access for users ... 1763
Deploy the add-in ... 1765
Provide your AWS credentials ... 1765
Manage EC2 Instances ... 1766
Create an EC2 Instance ... 1766
View your instances ... 1768
Connect to your instance ... 1768
Reboot your instance ... 1769
Stop your instance ... 1769
Start your instance ... 1769
Terminate your instance ... 1770
Import Your VM ... 1770
Prerequisites ... 1770
Import your virtual machine ... 1771
Check the import task status ... 1772
Back up your imported instance ... 1772
Troubleshoot ... 1772
Error: Add-in cannot be installed ... 1772
Installation errors ... 1773
Check the log file ... 1773
Errors importing a virtual machine ... 1773
Uninstall the add-in ... 1774
AWS Management Pack ... 1775
Overview of AWS Management Pack for System Center 2012 ... 1775
Overview of AWS Management Pack for System Center 2007 R2 ... 1777
Download ... 1778
System Center 2012 ... 1778
System Center 2007 R2 ... 1779
Deploy ... 1779
Step 1: Install the AWS Management Pack ... 1779
Step 2: Configure the watcher node ... 1781
Step 3: Create an AWS Run As account ... 1781
Step 4: Run the Add Monitoring wizard ... 1784
Step 5: Configure ports and endpoints ... 1788
Use ... 1788
Views ... 1788
Discoveries ... 1797
Monitors ... 1798
Rules ... 1799
Events ... 1799
Health model ... 1800
Customize the AWS Management Pack ... 1802
Upgrade ... 1802
System Center 2012 ... 1802
System Center 2007 R2 ... 1803
Uninstall ... 1803
System Center 2012 ... 1803
System Center 2007 R2 ... 1804
Troubleshoot ... 1804
Errors 4101 and 4105 ... 1804
Error 4513 ... 1804
Event 623 ... 1805
Events 2023 and 2120 ... 1805
Event 6024 ... 1805
General troubleshooting for System Center 2012 — Operations Manager ... 1805
General troubleshooting for System Center 2007 R2 ... 1806
Related information ... 1807
Document history ... 1809
History for previous years ... 1818
What is Amazon EC2?
Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud. Using Amazon EC2 eliminates your need to invest in hardware up front, so you can develop and deploy applications faster. You can use Amazon EC2 to launch as many or as few virtual servers as you need, configure security and networking, and manage storage. Amazon EC2 enables you to scale up or down to handle changes in requirements or spikes in popularity, reducing your need to forecast traffic.
For more information about cloud computing, see What is cloud computing?
Features of Amazon EC2
Amazon EC2 provides the following features:
• Virtual computing environments, known as instances
• Preconfigured templates for your instances, known as Amazon Machine Images (AMIs), that package the bits you need for your server (including the operating system and additional software)
• Various configurations of CPU, memory, storage, and networking capacity for your instances, known as instance types
• Secure login information for your instances using key pairs (AWS stores the public key, and you store the private key in a secure place)
• Storage volumes for temporary data that's deleted when you stop, hibernate, or terminate your instance, known as instance store volumes
• Persistent storage volumes for your data using Amazon Elastic Block Store (Amazon EBS), known as Amazon EBS volumes
• Multiple physical locations for your resources, such as instances and Amazon EBS volumes, known as Regions and Availability Zones
• A firewall that enables you to specify the protocols, ports, and source IP ranges that can reach your instances using security groups
• Static IPv4 addresses for dynamic cloud computing, known as Elastic IP addresses
• Metadata, known as tags, that you can create and assign to your Amazon EC2 resources
• Virtual networks you can create that are logically isolated from the rest of the AWS Cloud, and that you can optionally connect to your own network, known as virtual private clouds (VPCs)
For more information about the features of Amazon EC2, see the Amazon EC2 product page.
Amazon EC2 enables you to run any compatible Windows-based solution on our high-performance, reliable, cost-effective, cloud computing platform. For more information, see Windows Server on AWS.
For more information about running your website on AWS, see Web Hosting.
How to get started with Amazon EC2
First, you need to get set up to use Amazon EC2. After you are set up, you are ready to complete the Get Started tutorial for Amazon EC2. Whenever you need more information about an Amazon EC2 feature, you can read the technical documentation.
Get up and running
• Set up to use Amazon EC2 (p. 5)
• Tutorial: Get started with Amazon EC2 Windows instances (p. 9)
Basics
• Amazon EC2 Windows instances (p. 166)
• Instance types (p. 169)
• Tags (p. 1663)
Networking and security
• Key pairs (p. 1276)
• Security groups (p. 1284)
• Elastic IP addresses (p. 1070)
• Virtual private clouds (p. 1139)
Storage
• Amazon EBS (p. 1308)
• Instance store (p. 1584)
Working with Windows instances
• AWS Systems Manager Run Command in the AWS Systems Manager User Guide
If you have questions about whether AWS is right for you, contact AWS Sales. If you have technical questions about Amazon EC2, use the Amazon EC2 forum.
Related services
You can provision Amazon EC2 resources, such as instances and volumes, directly using Amazon EC2.
You can also provision Amazon EC2 resources using other services in AWS. For more information, see the following documentation:
• Amazon EC2 Auto Scaling User Guide
• AWS CloudFormation User Guide
• AWS Elastic Beanstalk Developer Guide
• AWS OpsWorks User Guide
To automatically distribute incoming application traffic across multiple instances, use Elastic Load Balancing. For more information, see the Elastic Load Balancing User Guide.
To get a managed relational database in the cloud, use Amazon Relational Database Service (Amazon RDS) to launch a database instance. Although you can set up a database on an EC2 instance, Amazon RDS offers the advantage of handling your database management tasks, such as patching the software, backing up, and storing the backups. For more information, see the Amazon Relational Database Service Developer Guide.
To make it easier to manage Docker containers on a cluster of EC2 instances, use Amazon Elastic Container Service (Amazon ECS). For more information, see the Amazon Elastic Container Service Developer Guide or the Amazon Elastic Container Service User Guide for AWS Fargate.
To monitor basic statistics for your instances and Amazon EBS volumes, use Amazon CloudWatch. For more information, see the Amazon CloudWatch User Guide.
To detect potentially unauthorized or malicious use of your EC2 instances, use Amazon GuardDuty. For more information, see the Amazon GuardDuty User Guide.
Access Amazon EC2
Amazon EC2 provides a web-based user interface, the Amazon EC2 console. If you've signed up for an AWS account, you can access the Amazon EC2 console by signing into the AWS Management Console and selecting EC2 from the console home page.
If you prefer to use a command line interface, you have the following options:
AWS Command Line Interface (CLI)
Provides commands for a broad set of AWS products, and is supported on Windows, Mac, and Linux.
To get started, see AWS Command Line Interface User Guide. For more information about the commands for Amazon EC2, see ec2 in the AWS CLI Command Reference.
AWS Tools for Windows PowerShell
Provides commands for a broad set of AWS products for those who script in the PowerShell environment. To get started, see the AWS Tools for Windows PowerShell User Guide. For more information about the cmdlets for Amazon EC2, see the AWS Tools for PowerShell Cmdlet Reference.
Amazon EC2 supports creating resources using AWS CloudFormation. You create a template, in JSON or YAML, that describes your AWS resources, and AWS CloudFormation provisions and configures those resources for you. You can reuse your CloudFormation templates to provision the same resources multiple times, whether in the same Region and account or in multiple Regions and accounts. For more information about the resource types and properties for Amazon EC2, see EC2 resource type reference in the AWS CloudFormation User Guide.
Amazon EC2 provides a Query API. These requests are HTTP or HTTPS requests that use the HTTP verbs GET or POST and a Query parameter named Action. For more information about the API actions for Amazon EC2, see Actions in the Amazon EC2 API Reference.
If you prefer to build applications using language-specific APIs instead of submitting a request over HTTP or HTTPS, AWS provides libraries, sample code, tutorials, and other resources for software developers. These libraries provide basic functions that automate tasks such as cryptographically signing your requests, retrying requests, and handling error responses, making it easier for you to get started.
For more information, see Tools to Build on AWS.
Pricing for Amazon EC2
When you sign up for AWS, you can get started with Amazon EC2 for free using the AWS Free Tier.
Amazon EC2 provides the following purchasing options for instances:
On-Demand Instances
Pay for the instances that you use by the hour, with no long-term commitments or upfront payments.
Savings Plans
You can reduce your Amazon EC2 costs by making a commitment to a consistent amount of usage, in USD per hour, for a term of 1 or 3 years.
Reserved Instances
You can reduce your Amazon EC2 costs by making a commitment to a specific instance configuration, including instance type and Region, for a term of 1 or 3 years.
Spot Instances
Request unused EC2 instances, which can reduce your Amazon EC2 costs significantly.
For a complete list of charges and prices for Amazon EC2, see Amazon EC2 pricing.
When calculating the cost of a provisioned environment, remember to include incidental costs such as snapshot storage for EBS volumes. To calculate the cost of a sample provisioned environment, see Cloud Economics Center.
To see your bill, go to the Billing and Cost Management Dashboard in the AWS Billing and Cost Management console. Your bill contains links to usage reports that provide details about your bill. To learn more about AWS account billing, see AWS Billing and Cost Management User Guide.
If you have questions concerning AWS billing, accounts, and events, contact AWS Support.
For an overview of Trusted Advisor, a service that helps you optimize the costs, security, and performance of your AWS environment, see AWS Trusted Advisor.
PCI DSS compliance
Amazon EC2 supports the processing, storage, and transmission of credit card data by a merchant or service provider, and has been validated as being compliant with Payment Card Industry (PCI) Data Security Standard (DSS). For more information about PCI DSS, including how to request a copy of the AWS PCI Compliance Package, see PCI DSS Level 1.
Set up to use Amazon EC2
Complete the tasks in this section to get set up for launching an Amazon EC2 instance for the first time:
1. Sign up for AWS (p. 5)
2. Create a key pair (p. 5)
3. Create a security group (p. 6)
When you are finished, you will be ready for the Amazon EC2 Getting started (p. 9) tutorial.
Sign up for AWS
When you sign up for Amazon Web Services, your AWS account is automatically signed up for all services in AWS, including Amazon EC2. You are charged only for the services that you use.
With Amazon EC2, you pay only for what you use. If you are a new AWS customer, you can get started with Amazon EC2 for free. For more information, see AWS Free Tier.
If you have an AWS account already, skip to the next task. If you don't have an AWS account, use the following procedure to create one.
To create an AWS account
1. Open https://portal.aws.amazon.com/billing/signup.
2. Follow the online instructions.
Part of the sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.
Create a key pair
AWS uses public-key cryptography to secure the login information for your instance. You specify the name of the key pair when you launch your instance, then provide the private key to obtain the administrator password for your Windows instance so you can log in using RDP.
If you haven't created a key pair already, you can create one by using the Amazon EC2 console. Note that if you plan to launch instances in multiple Regions, you'll need to create a key pair in each Region. For more information about Regions, see Regions and Zones (p. 1011).
To create your key pair
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, choose Key Pairs.
3. Choose Create key pair.
4. For Name, enter a descriptive name for the key pair. Amazon EC2 associates the public key with the name that you specify as the key name. A key name can include up to 255 ASCII characters. It can’t include leading or trailing spaces.
5. For Key pair type, choose either RSA or ED25519. Note that ED25519 keys are not supported for Windows instances.
6. For Private key file format, choose the format in which to save the private key. To save the private key in a format that can be used with OpenSSH, choose pem. To save the private key in a format that can be used with PuTTY, choose ppk.
If you chose ED25519 in the previous step, the Private key file format options do not appear, and the private key format defaults to pem.
7. Choose Create key pair.
8. The private key file is automatically downloaded by your browser. The base file name is the name you specified as the name of your key pair, and the file name extension is determined by the file format you chose. Save the private key file in a safe place.
Important
This is the only chance for you to save the private key file.
For more information, see Amazon EC2 key pairs and Windows instances (p. 1276).
Create a security group
Security groups act as a firewall for associated instances, controlling both inbound and outbound traffic at the instance level. You must add rules to a security group that enable you to connect to your instance from your IP address using RDP. You can also add rules that allow inbound and outbound HTTP and HTTPS access from anywhere.
Note that if you plan to launch instances in multiple Regions, you'll need to create a security group in each Region. For more information about Regions, see Regions and Zones (p. 1011).
Prerequisites
You'll need the public IPv4 address of your local computer. The security group editor in the Amazon EC2 console can automatically detect the public IPv4 address for you. Alternatively, you can use the search phrase "what is my IP address" in an Internet browser, or use the following service: Check IP. If you are connecting through an Internet service provider (ISP) or from behind a firewall without a static IP address, you need to find out the range of IP addresses used by client computers.
You can create a custom security group using one of the following methods.
New console
To create a security group with least privilege
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. From the top navigation bar, select a Region for the security group. Security groups are specific to a Region, so you should select the same Region in which you created your key pair.
3. In the left navigation pane, choose Security Groups.
4. Choose Create security group.
5. For Basic details, do the following:
a. Enter a name for the new security group and a description. Use a name that is easy for you to remember, such as your user name, followed by _SG_, plus the Region name. For example, me_SG_uswest2.
b. In the VPC list, select your default VPC for the Region.
6. For Inbound rules, create rules that allow specific traffic to reach your instance. For example, use the following rules for a web server that accepts HTTP and HTTPS traffic. For more examples, see Security group rules for different use cases (p. 1299).
a. Choose Add rule. For Type, choose HTTP. For Source, choose Anywhere.
b. Choose Add rule. For Type, choose HTTPS. For Source, choose Anywhere.
c. Choose Add rule. For Type, choose RDP. For Source, do one of the following:
• Choose My IP to automatically add the public IPv4 address of your local computer.
• Choose Custom and specify the public IPv4 address of your computer or network in CIDR notation. To specify an individual IP address in CIDR notation, add the routing suffix /32, for example, 203.0.113.25/32. If your company or your router allocates addresses from a range, specify the entire range, such as 203.0.113.0/24.
Warning
For security reasons, do not choose Anywhere for Source with a rule for RDP. This would allow access to your instance from all IP addresses on the internet. This is acceptable for a short time in a test environment, but it is unsafe for production environments.
7. For Outbound rules, keep the default rule, which allows all outbound traffic.
8. Choose Create security group.
Old console
To create a security group with least privilege
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the left navigation pane, choose Security Groups.
3. Choose Create Security Group.
4. Enter a name for the new security group and a description. Use a name that is easy for you to remember, such as your user name, followed by _SG_, plus the Region name. For example, me_SG_uswest2.
5. In the VPC list, select your default VPC for the Region.
6. On the Inbound rules tab, create the following rules (choose Add rule for each new rule):
• Choose HTTP from the Type list, and make sure that Source is set to Anywhere (0.0.0.0/0).
• Choose HTTPS from the Type list, and make sure that Source is set to Anywhere (0.0.0.0/0).
• Choose RDP from the Type list. In the Source box, choose My IP to automatically populate the field with the public IPv4 address of your local computer. Alternatively, choose Custom and specify the public IPv4 address of your computer or network in CIDR notation. To specify an individual IP address in CIDR notation, add the routing suffix /32, for example, 203.0.113.25/32. If your company allocates addresses from a range, specify the entire range, such as 203.0.113.0/24.
Warning
For security reasons, do not allow RDP access from all IP addresses to your instance.
This is acceptable for a short time in a test environment, but it is unsafe for production environments.
7. On the Outbound rules tab, keep the default rule, which allows all outbound traffic.
8. Choose Create security group.
Command line
To create a security group with least privilege
Use one of the following commands:
• create-security-group (AWS CLI)
• New-EC2SecurityGroup (AWS Tools for Windows PowerShell)
For more information, see Amazon EC2 security groups for Windows instances (p. 1284).
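An added example, not AWS code: it writes the least-privilege rule set from the procedures above in the IpPermissions structure that describe-security-groups / Get-EC2SecurityGroup return, and audits a group for the RDP exposure the warning describes. The sample group and the public address 203.0.113.25 are constructed.

```python
from __future__ import annotations

import ipaddress

RDP_PORT = 3389
ANYWHERE = (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0"))


def single_host_cidr(ip: str) -> str:
    """Write a bare public address in the CIDR form the console expects
    ("203.0.113.25" -> "203.0.113.25/32"; an IPv6 address gets /128).
    A range such as "203.0.113.0/24" is returned unchanged."""
    return str(ipaddress.ip_network(ip, strict=False))


def least_privilege_rules(my_public_ip: str) -> list[dict]:
    """The inbound rule set the procedure above builds: HTTP and HTTPS from
    anywhere, RDP only from the caller's own public address or range."""
    return [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": RDP_PORT, "ToPort": RDP_PORT,
         "IpRanges": [{"CidrIp": single_host_cidr(my_public_ip)}]},
    ]


def rule_admits_port(rule: dict, port: int) -> bool:
    """True if an IpPermissions entry lets TCP traffic reach `port`.
    IpProtocol "-1" means every protocol and port, so it always matches."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit_rdp_exposure(ip_permissions: list[dict]) -> list[str]:
    """Findings for rules that break the warning above: RDP reachable from
    0.0.0.0/0 or ::/0 is reported as open to the internet; an RDP source
    wider than a /24 is reported so the operator can confirm it is theirs."""
    findings = []
    for rule in ip_permissions:
        if not rule_admits_port(rule, RDP_PORT):
            continue
        sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for src in sources:
            net = ipaddress.ip_network(src, strict=False)
            if net in ANYWHERE:
                findings.append(f"RDP (tcp/{RDP_PORT}) open to the internet from {src}")
            elif net.version == 4 and net.prefixlen < 24:
                findings.append(f"RDP source {src} is wider than a /24; confirm it is your network")
    return findings


# Constructed sample: a group that chose Anywhere for the RDP rule.
OPEN_RDP_GROUP = {
    "GroupName": "me_SG_uswest2",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": RDP_PORT, "ToPort": RDP_PORT,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

if __name__ == "__main__":
    print(audit_rdp_exposure(least_privilege_rules("203.0.113.25")))  # []
    for finding in audit_rdp_exposure(OPEN_RDP_GROUP["IpPermissions"]):
        print("FINDING:", finding)
```

The same audit can be run over the live output of describe-security-groups, whose SecurityGroups[].IpPermissions entries have exactly this shape.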
Tutorial: Get started with Amazon EC2 Windows instances
Use this tutorial to get started with Amazon Elastic Compute Cloud (Amazon EC2). You'll learn how to launch, connect to, and use a Windows instance. An instance is a virtual server in the AWS Cloud. With Amazon EC2, you can set up and configure the operating system and applications that run on your instance.
When you sign up for AWS, you can get started with Amazon EC2 using the AWS Free Tier. If you created your AWS account less than 12 months ago, and have not already exceeded the free tier benefits for Amazon EC2, it will not cost you anything to complete this tutorial, because we help you select options that are within the free tier benefits. Otherwise, you'll incur the standard Amazon EC2 usage fees from the time that you launch the instance until you terminate the instance (which is the final task of this tutorial), even if it remains idle.
Contents
• Overview (p. 9)
• Prerequisites (p. 10)
• Step 1: Launch an instance (p. 10)
• Step 2: Connect to your instance (p. 11)
• Step 3: Clean up your instance (p. 17)
• Next steps (p. 17)
Related tutorials
• If you'd prefer to launch a Linux instance, see this tutorial in the Amazon EC2 User Guide for Linux Instances: Get started with Amazon EC2 Linux instances.
• If you'd prefer to use the command line, see this tutorial in the AWS Command Line Interface User Guide: Using Amazon EC2 through the AWS CLI.
Overview
The instance is an Amazon EBS-backed instance (meaning that the root volume is an EBS volume).
You can either specify the Availability Zone in which your instance runs, or let Amazon EC2 select an Availability Zone for you. You can think of an Availability Zone as an isolated data center.
When you launch your instance, you secure it by specifying a key pair (to prove your identity) and a security group (which acts as a virtual firewall to control incoming and outgoing traffic). When you connect to your instance, you must specify the private key of the key pair that you specified when launching your instance.
Prerequisites
Before you begin, be sure that you've completed the steps in Set up to use Amazon EC2 (p. 5).
Step 1: Launch an instance
You can launch a Windows instance using the AWS Management Console as described in the following procedure. This tutorial is intended to help you launch your first instance quickly, so it doesn't cover all possible options. For more information about the advanced options, see Launch an instance using the Launch Instance Wizard (p. 461). For information about other ways to launch your instance, see Launch your instance (p. 459).
To launch an instance
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. From the console dashboard, choose Launch Instance.
3. The Choose an Amazon Machine Image (AMI) page displays a list of basic configurations, called Amazon Machine Images (AMIs), that serve as templates for your instance. Select the AMI for Windows Server 2016 Base or later. Notice that these AMIs are marked "Free tier eligible."
4. On the Choose an Instance Type page, you can select the hardware configuration of your instance.
Select the t2.micro instance type, which is selected by default. The t2.micro instance type is eligible for the free tier. In Regions where t2.micro is unavailable, you can use a t3.micro instance under the free tier. For more information, see AWS Free Tier.
5. On the Choose an Instance Type page, choose Review and Launch to let the wizard complete the other configuration settings for you.
6. On the Review Instance Launch page, under Security Groups, you'll see that the wizard created and selected a security group for you. You can use this security group, or alternatively you can select the security group that you created when getting set up using the following steps:
a. Choose Edit security groups.
b. On the Configure Security Group page, ensure that Select an existing security group is selected.
c. Select your security group from the list of existing security groups, and then choose Review and Launch.
7. On the Review Instance Launch page, choose Launch.
8. When prompted for a key pair, select Choose an existing key pair, then select the key pair that you created when getting set up. Note that you must select an RSA key. ED25519 keys are not supported for Windows instances.
Warning
Don't select Proceed without a key pair. If you launch your instance without a key pair, then you can't connect to it.
When you are ready, select the acknowledgement check box, and then choose Launch Instances.
9. A confirmation page lets you know that your instance is launching. Choose View Instances to close the confirmation page and return to the console.
10. On the Instances screen, you can view the status of the launch. It takes a short time for an instance to launch. When you launch an instance, its initial state is pending. After the instance starts, its state changes to running and it receives a public DNS name. (If the Public IPv4 DNS column is hidden, choose the settings icon in the top-right corner, toggle on Public IPv4 DNS, and choose Confirm.)
11. It can take a few minutes for the instance to be ready so that you can connect to it. Check that your instance has passed its status checks; you can view this information in the Status check column.
Step 2: Connect to your instance
To connect to a Windows instance, you must retrieve the initial administrator password and then enter this password when you connect to your instance using Remote Desktop. It takes a few minutes after instance launch before this password is available.
The name of the administrator account depends on the language of the operating system. For example, for English, it's Administrator, for French it's Administrateur, and for Portuguese it's Administrador. For more information, see Localized Names for Administrator Account in Windows in the Microsoft TechNet Wiki.
If you've joined your instance to a domain, you can connect to your instance using domain credentials you've defined in AWS Directory Service. On the Remote Desktop login screen, instead of using the local computer name and the generated password, use the fully-qualified user name for the administrator (for example, corp.example.com\Admin), and the password for this account.
If you receive an error while attempting to connect to your instance, see Remote Desktop can't connect to the remote computer (p. 1694).
New console
To connect to your Windows instance using an RDP client
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, select Instances. Select the instance and then choose Connect.
3. On the Connect to instance page, choose the RDP client tab, and then choose Get password.
4. Choose Browse and navigate to the private key (.pem) file you created when you launched the instance. Select the file and choose Open to copy the entire contents of the file to this window.
5. Choose Decrypt Password. The console displays the default administrator password for the instance under Password, replacing the Get password link shown previously. Save the password in a safe place. This password is required to connect to the instance.
6. Choose Download remote desktop file. Your browser prompts you to either open or save the RDP shortcut file. When you have finished downloading the file, choose Cancel to return to the Instances page.
• If you opened the RDP file, you'll see the Remote Desktop Connection dialog box.
• If you saved the RDP file, navigate to your downloads directory, and open the RDP file to display the dialog box.
7. You may get a warning that the publisher of the remote connection is unknown. Choose Connect to continue to connect to your instance.
8. The administrator account is chosen by default. Copy and paste the password that you saved previously.
Tip
If you receive a "Password Failed" error, try entering the password manually. Copying and pasting content can corrupt it.
9. Due to the nature of self-signed certificates, you may get a warning that the security certificate could not be authenticated. Use the following steps to verify the identity of the remote computer, or simply choose Yes (Windows) or Continue (Mac OS X) if you trust the certificate.
a. If you are using Remote Desktop Connection on a Windows computer, choose View certificate. If you are using Microsoft Remote Desktop on a Mac, choose Show Certificate.
b. Choose the Details tab, and scroll down to Thumbprint (Windows) or SHA1 Fingerprints (Mac OS X). This is the unique identifier for the remote computer's security certificate.
c. In the Amazon EC2 console, select the instance, choose Actions, Monitor and troubleshoot, Get system log.
d. In the system log output, look for RDPCERTIFICATE-THUMBPRINT. If this value matches the thumbprint or fingerprint of the certificate, you have verified the identity of the remote computer.
e. If you are using Remote Desktop Connection on a Windows computer, return to the Certificate dialog box and choose OK. If you are using Microsoft Remote Desktop on a Mac, return to the Verify Certificate and choose Continue.
f. [Windows] Choose Yes in the Remote Desktop Connection window to connect to your instance.
[Mac OS X] Log in as prompted, using the default administrator account and the default administrator password that you recorded or copied previously. Note that you might need to switch spaces to see the login screen. For more information, see Add spaces and switch between them.
Old console
To connect to your Windows instance using an RDP client
1. In the Amazon EC2 console, select the instance, and then choose Connect.
2. In the Connect To Your Instance dialog box, choose Get Password (it will take a few minutes after the instance is launched before the password is available).
3. Choose Browse and navigate to the private key (.pem) file you created when you launched the instance. Select the file and choose Open to copy the entire contents of the file into the Contents field.
4. Choose Decrypt Password. The console displays the default administrator password for the instance in the Connect To Your Instance dialog box, replacing the link to Get Password shown previously with the actual password.
5. Record the default administrator password, or copy it to the clipboard. You need this password to connect to the instance.
6. Choose Download Remote Desktop File. Your browser prompts you to either open or save the .rdp file. Either option is fine. When you have finished, you can choose Close to dismiss the Connect To Your Instance dialog box.
• If you opened the .rdp file, you'll see the Remote Desktop Connection dialog box.
• If you saved the .rdp file, navigate to your downloads directory, and open the .rdp file to display the dialog box.
7. You may get a warning that the publisher of the remote connection is unknown. You can continue to connect to your instance.
8. When prompted, log in to the instance, using the administrator account for the operating system and the password that you recorded or copied previously. If your Remote Desktop Connection already has an administrator account set up, you might have to choose the Use another account option and type the user name and password manually.
Note
Sometimes copying and pasting content can corrupt data. If you encounter a "Password Failed" error when you log in, try typing in the password manually.
9. Due to the nature of self-signed certificates, you may get a warning that the security certificate could not be authenticated. Use the following steps to verify the identity of the remote computer, or simply choose Yes or Continue if you trust the certificate.
a. If you are using Remote Desktop Connection from a Windows PC, choose View certificate.
If you are using Microsoft Remote Desktop on a Mac, choose Show Certificate.
b. Choose the Details tab, and scroll down to the Thumbprint entry on a Windows PC, or the SHA1 Fingerprints entry on a Mac. This is the unique identifier for the remote computer's security certificate.
c. In the Amazon EC2 console, select the instance, choose Actions, and then choose Get System Log.
d. In the system log output, look for an entry labeled RDPCERTIFICATE-THUMBPRINT. If this value matches the thumbprint or fingerprint of the certificate, you have verified the identity of the remote computer.
e. If you are using Remote Desktop Connection from a Windows PC, return to the Certificate dialog box and choose OK. If you are using Microsoft Remote Desktop on a Mac, return to the Verify Certificate and choose Continue.
f. [Windows] Choose Yes in the Remote Desktop Connection window to connect to your instance.
[Mac OS] Log in as prompted, using the default administrator account and the default administrator password that you recorded or copied previously. Note that you might need to switch spaces to see the login screen. For more information about spaces, see support.apple.com/en-us/HT204100.
g. If you receive an error while attempting to connect to your instance, see Remote Desktop can't connect to the remote computer (p. 1694).
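For the certificate check in step 9 of both the new-console and old-console procedures, an added example (not AWS code) that normalizes the thumbprint shown by the RDP client and compares it with the RDPCERTIFICATE-THUMBPRINT value from the system log. The log excerpt is constructed, and its timestamp prefix is an assumption; the real text comes from Get system log in the console or get-console-output / Get-EC2ConsoleOutput.

```python
import hmac
import re
from typing import Optional

# Matches the RDPCERTIFICATE-THUMBPRINT line regardless of what precedes it.
_THUMBPRINT_LINE = re.compile(r"RDPCERTIFICATE-THUMBPRINT:?\s*([0-9A-Fa-f][0-9A-Fa-f :-]*)")


def normalize_thumbprint(value: str) -> str:
    """Reduce a thumbprint to 40 upper-case hex digits. Windows shows it as
    space-separated byte pairs (sometimes with a leading left-to-right mark),
    macOS as colon-separated pairs; the log has it as one bare hex string."""
    cleaned = re.sub(r"[\s:-]", "", value.replace("\u200e", "")).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError(f"not a SHA-1 thumbprint: {value!r}")
    return cleaned


def thumbprint_from_system_log(log_text: str) -> Optional[str]:
    """Thumbprint recorded in the system log, or None when the log does not
    carry one yet (the entry appears a few minutes after launch)."""
    match = _THUMBPRINT_LINE.search(log_text)
    return normalize_thumbprint(match.group(1)) if match else None


def verify_rdp_certificate(client_thumbprint: str, log_text: str) -> bool:
    """True only when the certificate the RDP client presents matches the one
    the instance logged. A missing log entry is a failed check, not a pass:
    wait for the log rather than accepting an unverified certificate."""
    expected = thumbprint_from_system_log(log_text)
    if expected is None:
        return False
    return hmac.compare_digest(expected, normalize_thumbprint(client_thumbprint))


# Constructed sample of system log text; the thumbprint value is made up.
SAMPLE_SYSTEM_LOG = """\
2023/05/04 10:12:31Z: Windows is Ready to use
2023/05/04 10:12:32Z: RDPCERTIFICATE-THUMBPRINT: 9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B
"""

if __name__ == "__main__":
    # What the Details tab of a Windows Remote Desktop Connection would show.
    shown_by_client = "9f 86 d0 81 88 4c 7d 65 9a 2f ea a0 c5 5a d0 15 a3 bf 4f 1b"
    print(verify_rdp_certificate(shown_by_client, SAMPLE_SYSTEM_LOG))  # True
```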
Step 3: Clean up your instance
After you've finished with the instance that you created for this tutorial, you should clean up by terminating the instance. If you want to do more with this instance before you clean up, see Next steps (p. 17).
Important
Terminating an instance effectively deletes it; you can't reconnect to an instance after you've terminated it.
If you launched an instance that is not within the AWS Free Tier, you'll stop incurring charges for that instance as soon as the instance status changes to shutting down or terminated. To keep your instance for later, but not incur charges, you can stop the instance now and then start it again later. For more information, see Stop and start your instance (p. 505).
To terminate your instance
1. In the navigation pane, choose Instances. In the list of instances, select the instance.
2. Choose Instance state, Terminate instance.
3. Choose Terminate when prompted for confirmation.
Amazon EC2 shuts down and terminates your instance. After your instance is terminated, it remains visible on the console for a short while, and then the entry is automatically deleted. You cannot remove the terminated instance from the console display yourself.
Next steps
After you start your instance, you might want to try some of the following exercises:
• Learn how to remotely manage your EC2 instance using Run Command. For more information, see AWS Systems Manager Run Command in the AWS Systems Manager User Guide.
• Configure a CloudWatch alarm to notify you if your usage exceeds the Free Tier. For more information, see Tracking your AWS Free Tier usage in the AWS Billing and Cost Management User Guide.
• Add an EBS volume. For more information, see Create an Amazon EBS volume (p. 1332) and Attach an Amazon EBS volume to an instance (p. 1336).
Best practices for Windows on Amazon EC2
This list of practices will help you get the best results from running Windows on Amazon EC2.
Update Windows drivers
Maintain the latest drivers on all Windows EC2 instances to ensure the latest issue fixes and performance enhancements are applied across your fleet. Depending on your instance type, you should update AWS PV, ENA, and NVMe drivers.
• Leverage Trusted Advisor to keep Amazon EC2 Windows up to date with AWS-provided Windows drivers.
• Use SNS topics to receive updates for new driver releases.
• Use the AWS Systems Manager SSM document AWSSupport-UpgradeWindowsAWSDrivers to easily apply the updates across your instances.
Launch new instances with the latest Windows AMIs
AWS releases new Windows AMIs each month, which contain the latest OS patches, drivers, and launch agents. You should leverage the latest AMI when you launch new instances or when you build your own custom images.
• To build with the latest available AMIs, see Query for the Latest Windows AMI Using Systems Manager Parameter Store.
Test system/application performance before migration
Migrating enterprise applications to AWS can involve many variables and configurations. Always performance-test the EC2 solution to ensure that:
• Instance types are properly configured, including instance size, enhanced networking, and tenancy (shared or dedicated).
• Instance topology is appropriate for the workload and leverages high-performance features when necessary (dedicated tenancy, placement groups, instance store volumes, bare metal).
Update launch agents
Update to the latest EC2Launch v2 (Windows Server 2008 and later) agent to ensure that the latest issue fixes are applied across your fleet. To update, see the instructions at Install the latest version of EC2Launch v2.
If you want to continue to use the EC2Config (Windows Server 2012 R2 and earlier) or EC2Launch (Windows Server 2016 and later) agents, ensure that the latest issue fixes are applied across your fleet.
• For EC2Config update instructions, see Installing the Latest Version of EC2Config.
• For EC2Launch update instructions, see Installing the Latest Version of EC2Launch.
Security
When securing Windows instances, we recommend that you implement Active Directory Domain Services to enable a scalable, secure, and manageable infrastructure for distributed locations. Additionally, after launching instances through the AWS Console or using an Amazon EC2 provisioning tool, such as AWS CloudFormation, it is good practice to use native OS features, such as Microsoft Windows PowerShell DSC, to maintain configuration state in the event that configuration drift occurs.
Windows instances in AWS should adhere to the following high-level best practices:
• Least Access: Grant access only to systems and locations that are trusted and expected. This applies to all Microsoft products such as Active Directory, Microsoft business productivity servers, and infrastructure services such as Remote Desktop Services, reverse proxy servers, IIS web servers, etc.
Use AWS capabilities such as Amazon EC2 instance security groups, network access control lists (ACLs), and Amazon VPC public/private subnets to layer security across multiple locations in an architecture.
Within a Windows instance, customers can use Windows Firewall to further layer a defense-in-depth strategy within their deployment. Install only the OS components and applications that are necessary for the system to function as designed. Configure infrastructure services such as IIS to run under service accounts or to use features such as application pool identities to access resources locally and remotely across your infrastructure.
• Least Privilege: Determine the minimum set of privileges that instances and accounts need in order to perform their functions. Restrict these servers and users to only allow these defined permissions. Use techniques such as Role Based Access Controls to reduce the surface area of administrative accounts and create the most limited roles to accomplish a task. Use OS features such as Encrypting File System (EFS) within NTFS to encrypt sensitive data at rest and control application and user access to it.
• Configuration Management: Create a baseline server configuration that incorporates up-to-date security patches and host-based protection suites that include anti-virus, anti-malware, intrusion detection/prevention, and file integrity monitoring. Assess each server against the current recorded baseline to identify and flag any deviations. Ensure each server is configured to generate and securely store appropriate log and audit data. For more information about updating your Windows instance, see Update your Windows instance.
• Change Management: Create processes to control changes to server configuration baselines and work toward fully automated change processes. Also, leverage Just Enough Administration (JEA) with Windows PowerShell DSC to limit administrative access to the minimum required functions.
• Audit Logs: Audit access and all changes to Amazon EC2 instances to verify server integrity and ensure only authorized changes are made. Leverage features such as Enhanced Logging for IIS to enhance default logging capabilities. AWS capabilities such as VPC Flow Logs and AWS CloudTrail are also available to audit network access, including allowed/denied requests and API calls, respectively.
Storage
• Use separate Amazon EBS volumes for the operating system versus your data. Ensure that the volume with your data persists after instance termination. For more information, see Preserve Amazon EBS volumes on instance termination (p. 526).
• Use the instance store available for your instance to store temporary data. Remember that the data stored in instance store is deleted when you stop, hibernate, or terminate your instance. If you use instance store for database storage, ensure that you have a cluster with a replication factor that ensures fault tolerance.
• Encrypt EBS volumes and snapshots. For more information, see Amazon EBS encryption (p. 1516).
Resource management
• Use instance metadata and custom resource tags to track and identify your AWS resources. For more information, see Instance metadata and user data (p. 669) and Tag your Amazon EC2 resources (p. 1663).
• View your current limits for Amazon EC2. Plan to request any limit increases in advance of the time that you'll need them. For more information, see Amazon EC2 service quotas (p. 1677).
Backup and recovery
• Regularly back up your EBS volumes using Amazon EBS snapshots (p. 1362), and create an Amazon Machine Image (AMI) (p. 21) from your instance to save the configuration as a template for launching future instances.
• Deploy critical components of your application across multiple Availability Zones, and replicate your data appropriately.
• Design your applications to handle dynamic IP addressing when your instance restarts. For more information, see Amazon EC2 instance IP addressing (p. 1026).
• Monitor and respond to events. For more information, see Monitor Amazon EC2 (p. 938).
• Ensure that you are prepared to handle failover. For a basic solution, you can manually attach a network interface or Elastic IP address to a replacement instance. For more information, see Elastic network interfaces (p. 1079). For an automated solution, you can use Amazon EC2 Auto Scaling. For more information, see the Amazon EC2 Auto Scaling User Guide.
• Regularly test the process of recovering your instances and Amazon EBS volumes if they fail.
Networking
• Set the time-to-live (TTL) value for your applications to 255, for IPv4 and IPv6. If you use a smaller value, there is a risk that the TTL will expire while application traffic is in transit, causing reachability issues for your instances.
Amazon Machine Images (AMI)
An Amazon Machine Image (AMI) provides the information required to launch an instance. You must specify an AMI when you launch an instance. You can launch multiple instances from a single AMI when you need multiple instances with the same configuration. You can use different AMIs to launch instances when you need instances with different configurations.
An AMI includes the following:
• One or more Amazon Elastic Block Store (Amazon EBS) snapshots, or, for instance-store-backed AMIs, a template for the root volume of the instance (for example, an operating system, an application server, and applications).
• Launch permissions that control which AWS accounts can use the AMI to launch instances.
• A block device mapping that specifies the volumes to attach to the instance when it's launched.
Contents
• Boot modes (p. 21)
• AWS Windows AMIs (p. 28)
• Find a Windows AMI (p. 93)
• Shared AMIs (p. 98)
• Paid AMIs (p. 114)
• AMI lifecycle (p. 118)
• Use encryption with EBS-backed AMIs (p. 157)
• Understand AMI billing information (p. 161)
Boot modes
When a computer boots, the first software that it runs is responsible for initializing the platform and providing an interface for the operating system to perform platform-specific operations.
Default boot modes
In EC2, two variants of the boot mode software are supported: Legacy BIOS and Unified Extensible Firmware Interface (UEFI). By default, Intel and AMD instance types run on Legacy BIOS, and Graviton instance types run on UEFI.
Running Intel and AMD instance types on UEFI
Most Intel and AMD instance types can run on both UEFI and Legacy BIOS. To use UEFI, you must select an AMI with the boot mode parameter set to uefi, and the operating system contained in the AMI must be configured to support UEFI.
Purpose of the AMI boot mode parameter
The AMI boot mode parameter signals to EC2 which boot mode to use when launching an instance.
When the boot mode parameter is set to uefi, EC2 attempts to launch the instance on UEFI. If the operating system is not configured to support UEFI, the instance launch might be unsuccessful.
Warning
Setting the boot mode parameter does not automatically configure the operating system for the specified boot mode. The configuration is specific to the operating system. For the configuration instructions, see the manual for your operating system.
Possible boot mode parameter on an AMI
The AMI boot mode parameter is optional. An AMI can have one of the following boot mode parameter values: uefi or legacy-bios. Some AMIs do not have a boot mode parameter. For AMIs with no boot mode parameter, the instances launched from these AMIs use the default value of the instance type—uefi on Graviton, and legacy-bios on all Intel and AMD instance types.
Topics
• Considerations (p. 22)
• Requirements for launching an instance with UEFI (p. 22)
• Determine the boot mode parameter of an AMI (p. 22)
• Determine the supported boot modes of an instance type (p. 23)
• Determine the boot mode of an instance (p. 24)
• Determine the boot mode of the OS (p. 25)
• Set the boot mode of an AMI (p. 25)
• UEFI variables (p. 27)
Considerations
• Default boot modes:
• Intel and AMD instance types: Legacy BIOS
• Graviton instance types: UEFI
• Intel and AMD instance types that support UEFI, in addition to Legacy BIOS:
• Virtualized: C5, C5a, C5ad, C5d, C5n, D3, D3en, G4, I3en, M5, M5a, M5ad, M5d, M5dn, M5n, M5zn, M6i, R5, R5a, R5ad, R5b, R5d, R5dn, R5n, T3, T3a, and z1d
• UEFI Secure Boot is currently not supported.
Requirements for launching an instance with UEFI
To launch an instance in UEFI mode, you must select an instance type that supports UEFI, and configure the AMI and the OS for UEFI, as follows:
• Instance type – When launching an instance, you must select an instance type that supports UEFI. For more information, see Determine the supported boot modes of an instance type (p. 23).
• AMI – When launching an instance, you must select an AMI that is configured for UEFI. The AMI must be configured as follows:
• OS – The operating system contained in the AMI must be configured to use UEFI; otherwise, the instance launch will fail. For more information, see Determine the boot mode of the OS (p. 25).
• AMI boot mode parameter – The boot mode parameter of the AMI must be set to uefi. For more information, see Determine the boot mode parameter of an AMI (p. 22).
AWS does not provide AMIs that are already configured to support UEFI. You must configure the AMI (p. 25), import the AMI through VM Import/Export, or import the AMI through CloudEndure.
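An added example, not AWS code, that applies the boot-mode rules above as a preflight check before a launch: the effective boot mode is the AMI parameter when present and the instance type default otherwise, and the launch requirements are checked against it. The UEFI-capable Intel/AMD families come from the Considerations list; the Graviton family list and the expansion of "G4" into g4dn and g4ad are assumptions of this example.

```python
from __future__ import annotations

# Intel/AMD families the Considerations list says can run UEFI as well as
# Legacy BIOS. The page writes "G4"; expanding it to g4dn and g4ad is an assumption.
UEFI_CAPABLE_X86 = {
    "c5", "c5a", "c5ad", "c5d", "c5n", "d3", "d3en", "g4dn", "g4ad", "i3en",
    "m5", "m5a", "m5ad", "m5d", "m5dn", "m5n", "m5zn", "m6i",
    "r5", "r5a", "r5ad", "r5b", "r5d", "r5dn", "r5n", "t3", "t3a", "z1d",
}
# Graviton families: an assumption for this example, not taken from the page.
GRAVITON = {"a1", "c6g", "c6gd", "c6gn", "m6g", "m6gd", "r6g", "r6gd", "t4g", "x2gd"}
BOOT_MODES = ("uefi", "legacy-bios")


def instance_family(instance_type: str) -> str:
    """'m5.large' -> 'm5'; rejects a string without a size suffix."""
    family, _, size = instance_type.lower().partition(".")
    if not family or not size:
        raise ValueError(f"not an instance type: {instance_type!r}")
    return family


def supported_boot_modes(instance_type: str) -> set[str]:
    """Graviton runs UEFI only; listed x86 families run both; the rest Legacy BIOS."""
    family = instance_family(instance_type)
    if family in GRAVITON:
        return {"uefi"}
    if family in UEFI_CAPABLE_X86:
        return {"legacy-bios", "uefi"}
    return {"legacy-bios"}


def effective_boot_mode(ami_boot_mode: str | None, instance_type: str) -> str:
    """The mode EC2 will try: the AMI's parameter when set, otherwise the
    instance type's default (uefi on Graviton, legacy-bios on Intel/AMD).
    ami_boot_mode is None for an AMI that carries no boot mode parameter."""
    if ami_boot_mode is not None and ami_boot_mode not in BOOT_MODES:
        raise ValueError(f"unknown boot mode parameter: {ami_boot_mode!r}")
    if ami_boot_mode:
        return ami_boot_mode
    return "uefi" if instance_family(instance_type) in GRAVITON else "legacy-bios"


def preflight(ami_boot_mode: str | None, instance_type: str,
              os_configured_for_uefi: bool) -> list[str]:
    """Problems that would make the launch fail or boot in the wrong mode;
    an empty list means the three requirements above are met."""
    mode = effective_boot_mode(ami_boot_mode, instance_type)
    problems = []
    if mode not in supported_boot_modes(instance_type):
        problems.append(f"{instance_type} cannot boot in {mode}; choose a type that supports it")
    if mode == "uefi" and not os_configured_for_uefi:
        problems.append("boot mode is uefi but the OS in the AMI is not configured for UEFI; "
                        "the launch may fail")
    if mode == "legacy-bios" and os_configured_for_uefi:
        problems.append("the OS is configured for UEFI but the effective boot mode is legacy-bios; "
                        "set the AMI boot mode parameter to uefi")
    return problems


if __name__ == "__main__":
    print(effective_boot_mode(None, "m5.large"))          # legacy-bios
    print(preflight("uefi", "m5.large", True))            # []
    print(preflight("uefi", "m5.large", False))           # one problem
```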
Determine the boot mode parameter of an AMI
The AMI boot mode parameter is optional. An AMI can have one of the following boot mode parameter values: uefi and legacy-bios.