Windows EC2 Instance 忘記密碼如何重置

這個(gè)問題搞了我2天時(shí)間，所以要好好記錄一下。對(duì)于Windows Server 2012之前和Server 2016之后的處理方式是不一樣的，我在誤打誤撞中，用了2012的方法解決了2016的問題， 因?yàn)槲也恢劳浢艽a的EC2是2016版本。
而且Windows的這類問題（忘記key pair和密碼）的處理方式比Linux的要復(fù)雜。

1. 關(guān)閉該instance， 這個(gè)instance tag標(biāo)記為original-instance

2. 到Volume處找到該instance的volume，然后Detach

3. 刪除舊Key

4. 創(chuàng)建一個(gè)新的EC2 Instance，tag標(biāo)記為new-instance
   

5. 新Instance要跟有問題的在同一個(gè)區(qū)域，例如us-east-1a，不然無法加載volume

6. Launch，然后弄一個(gè)跟之前（已經(jīng)丟失忘記的key）一樣的key名字，并下載保存key

以下這步很關(guān)鍵，之前的嘗試我都弄錯(cuò)了

7. 把忘記密碼的instance創(chuàng)建Image

8. 然后在IMAGES -- > AMI中查看進(jìn)度，需要幾分鐘時(shí)間，完成后點(diǎn)Launch，這個(gè)步驟跟新建instance類似，為跟那個(gè)新建的instance區(qū)分開來，我們把這個(gè)instance命名為 image-instance

9. 創(chuàng)建好后關(guān)閉此Instance，然后把image-instance的volume掛載到new-instance上

10. 登入new-instance，并下載工具：https://s3.amazonaws.com/ec2rescue/windows/EC2Rescue_latest.zip （這個(gè)工具僅適用于2016及其后版本的 Windows Server）

另外我之前看文檔說可以通過修改Ec2Config service來實(shí)現(xiàn)密碼修改，后來摸索后才發(fā)現(xiàn)這在2012及之前的版本才可以，而我的忘記密碼的服務(wù)器是2016版本，這也是我奇怪之前沒有在路徑下看到C:\Program Files\Amazon\Ec2ConfigService這個(gè)文件夾了，所以我從2012上copy了一個(gè)到這個(gè)路徑，同時(shí)修改了config.xml文件，把EC2Password改為Enabled，不知道跟這個(gè)有沒關(guān)系，權(quán)且記錄在案。

11. 然后把這個(gè)volume在new-instance上offline，并從Volume上Deattach掉，然后重新掛回image-instance，注意要把Device設(shè)為 /dev/sda1，這樣才是C盤

12. 獲取image-instance的密碼

13. 導(dǎo)入保存的key文件獲取密碼，（剛開始的時(shí)候是失敗的，提示無法獲取密碼，驗(yàn)證不對(duì)，在此我又糾結(jié)了幾個(gè)小時(shí)，在這個(gè)3個(gè)instance之前互相切換掛載，后來就可以獲得密碼了，不知哪里弄對(duì)了）

14. 然后再關(guān)閉這個(gè)image-instance, 把這個(gè)volume掛載回orignal-instance為C盤，啟動(dòng)，這樣就用新的key獲取新的密碼

參考文檔
適用于server 2012及其前版本：https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ResettingAdminPassword_EC2Config.html

適用于server 2016及其后版本：https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ResettingAdminPassword_EC2Launch.html

這個(gè)提到要完全按照步驟來，我也是受這個(gè)啟發(fā)，重新看文檔才發(fā)現(xiàn)我沒有l(wèi)aunch image，而是搞了launch new instance，這點(diǎn)很關(guān)鍵。https://stackoverflow.com/questions/50686939/resetting-administrator-password-for-aws-ec2-windows-server-2012-instance

后來收到AWS Support發(fā)來的郵件支持信息，不過我的問題已經(jīng)自己解決，所以沒有使用他們的方法，記錄如下：
對(duì)于server 2016

1. In the Amazon IAM Console (https://console.aws.amazon.com/iam/), in the navigation pane, choose Roles, Create new role.

2. Choose Amazon EC2 Role for Simple Systems Manager, and then choose Select.

3. Under Policy Name, check AmazonEC2RoleforSSM, Next Step, enter a Role name that is meaningful to you and choose Create Role.

4. Open the Amazon EC2 console, https://console.aws.amazon.com/ec2/ and choose the appropriate region.

5. Select the affected instance, choose Actions, Instance Settings, Attach/Replace IAM role. This would attach the IAM role you just created to your instance.

6. From EC2 console select, "Run Command" and "Run a command" option.

7. Select "AWS-RunPowershellScript" from Command document

8. In Select Targets, Select the instance you want to reset password for. Should the instance not be populated in the list, please wait for some time so that the changes can be propagated.

9. Under Commands, run the following command while replacing "new_password" with your password.

   net user Administrator new_password

10. Click Run in the lower right, leaving all the settings at default.

Following the successful completion of the run command, you should now be able to log in with that local administrator password you just keyed in under step 9. Once you've regained access to the instance, change the password to a more permanent value by running the command from step 9 again in command prompt of the instance.

Another procedure you can follow to reset the password on the instance is to use the AWSSupport-ResetAccess Automation document from the Systems Manager console. This document is useful if you have lost your EC2 key pair and want to create a password-enabled AMI from your EC2 instance, so you can launch a new instance with an existing key pair. To perform this, you can follow the steps given on the link under the section headed "Systems Manager Automation AWSSupport-ResetAccess (Offline Method)":

[+] https://aws.amazon.com/premiumsupport/knowledge-center/reset-admin-password/