Skip to content

Upload Windows 10 AMI to AWS

P4T12ICK edited this page Jan 29, 2020 · 4 revisions

Inspired by: https://gist.github.com/peterforgacs/abebc777fcd6f4b67c07b2283cd31777

Downloading the image

Download the windows image you want.

AWS vmimport supported versions: Microsoft Windows 10 (Professional, Enterprise, Education) (US English) (64-bit only)

So Home wont work.

You can download the trial Enterprise trial here: https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise

Creating the virtual machine

  • Use virtualbox to create a new virtual machine, make sure that it uses the VHD format (The OS is 20 gigabyte).
  • Install the Windows 10 image onto it.
  • Make sure to set a username password on the administrator account otherwise cannot connect trough remote desktop.
  • Create an adminstrator user with the name admin and the password admin
  • Change the ethernet connection profile to private
  • Add firewall rules for winrm:
netsh advfirewall firewall add rule name="WinRM 5985" protocol=TCP dir=in localport=5985 action=allow
netsh advfirewall firewall add rule name="WinRM 5986" protocol=TCP dir=in localport=5986 action=allow
  • Configure winrm
winrm quickconfig -q
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="300"}'
winrm set winrm/config '@{MaxTimeoutms="1800000"}'
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'

Create an S3 bucket

The bucketname must be unique.

aws s3 mb s3://ami-windows10

Upload image to s3

Move to the folder you store the virtual machine file and upload the virtual image to the s3 bucket.

cd myvmfolder
aws s3 cp windows10.vhd s3://ami-windows10 

Configuration files

Create a trust policy in the file trust-policy.json

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Principal": { "Service": "vmie.amazonaws.com" },
         "Action": "sts:AssumeRole",
         "Condition": {
            "StringEquals":{
               "sts:Externalid": "vmimport"
            }
         }
      }
   ]
}

Create a vmimport role and add vim import/export access to it.

aws iam create-role --role-name vmimport --assume-role-policy-document file://trust-policy.json

Create a file named role-policy.json replace the !!REPLACEME!! to the bucketname you are using.

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation"
         ],
         "Resource": [
            "arn:aws:s3:::!!REPLACEME!!"
         ]
      },
      {
         "Effect": "Allow",
         "Action": [
            "s3:GetObject"
         ],
         "Resource": [
            "arn:aws:s3:::!!REPLACEME!!/*"
         ]
      },
      {
         "Effect": "Allow",
         "Action":[
            "ec2:ModifySnapshotAttribute",
            "ec2:CopySnapshot",
            "ec2:RegisterImage",
            "ec2:Describe*"
         ],
         "Resource": "*"
      }
   ]
}

Add the policy to the vmimport role.

aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file://role-policy.json

Create a configuration file on your computer called containers.json. Replace bucketname and myimage.vhd with your bucket and image name.

[{ "Description": "Windows 10 Base Install", "Format": "vhd", "UserBucket": { "S3Bucket": "ami-windows10", "S3Key": "windows10.vhd" } }]

Create EC2 AMI from S3 VHD image

aws ec2 import-image --description "Windows 10" --disk-containers file://containers.json --region eu-central-1

This may take a while you can check on the status of the import.

aws ec2 describe-import-image-tasks --region eu-central-1

When the import status is completed you can head to the EC2 console and select the correct region.

Update the Attack Range Configuration

  • Add the ami name into attack_range.conf to the option windows_client_os, e.g. windows_client_os = import-ami-0e5a092cc20dbb992