Managing Windows Instances with Turbot


Turbot utilizes AWS Simple Server Manager (SSM) to bootstrap Windows instances, which then enables Turbot to manage patching, send commands, and run Ansible playbooks on the instances.


  • The instance should be launched using the turbot SSH key.
  • The instance type should be t2.medium or higher, as smaller instance types struggle to run remote management.

Security Group Configurations

The instance must allow the following network access in its security groups:


Protocol(s) Port(s) Source Purpose
TCP 5986 Intranet PowerShell Remoting


Protocol(s) Port(s) Destination Purpose
TCP 80 Internet SSM communication
TCP 443 Internet SSM communication

Note: The default security group will usually include the egress settings by default.

Note: Port 5986 must be open to the Turbot Master VPC CIDR

Policy Settings

The following policies must be set as specified below:

  • AWS > EC2 > Bootstrap Windows Instance = Enabled
  • AWS > EC2 > Instance Has Default EC2 Instance Profile Attached = Enforce: Attach default EC2 instance profile if no instance profile is attached
  • AWS > IAM > EC2 Role Has Turbot Default Instance Policies = Enforce: Attach Turbot default instance policies
  • AWS > IAM > Turbot EC2 Instance Role = Enforce: Manage role
  • AWS > SSM > Enabled = Enabled
  • AWS > SSM > Turbot EC2 Instance Role Permissions = Enabled or Enabled if AWS > SSM > Enabled
  • Windows > Turbot User Password Rotation = Enforce: [x] day

Network Diagram:

Like many things in the cloud, there are a variety of different possible configurations. The diagram below is one such method of utilizing public and private subnets:


Things to note:

  • A custom role can be used, but it must have the permission AmazonSSMServiceRolePolicy attached.
  • Turbot can automatically configure all necessary routes for the Peering Connection if utilizing certain Turbot policies. Refer to this article for more information.
  • Turbot will run all Windows stacks at the same time. If an instance is launched without the proper role, all related configuration stacks will fail. Attach the appropriate role to the instance before attempting to run any Turbot Windows stack.
  • Once the instance is listed in Systems Manager -> Managed Instances, the bootstrapping stacks must be ran in the following order. These controls can be found by searching the related title plus the AWS instance ID:
    • Bootstrap Windows
    • Turbot password rotation
    • Windows environment
    • Turbot Windows Users
Was this article helpful?
0 out of 0 found this helpful