Windows EC2 Instance 忘記密碼如何重置

這個問題搞了我2天時間，所以要好好記錄一下。對于Windows Server 2012之前和Server 2016之后的處理方式是不一樣的，我在誤打誤撞中，用了2012的方法解決了2016的問題， 因為我不知道忘記密碼的EC2是2016版本。
而且Windows的這類問題（忘記key pair和密碼）的處理方式比Linux的要復雜。

1. 關閉該instance， 這個instance tag標記為original-instance

2. 到Volume處找到該instance的volume，然后Detach

3. 刪除舊Key

4. 創建一個新的EC2 Instance，tag標記為new-instance
   

5. 新Instance要跟有問題的在同一個區域，例如us-east-1a，不然無法加載volume

6. Launch，然后弄一個跟之前（已經丟失忘記的key）一樣的key名字，并下載保存key

以下這步很關鍵，之前的嘗試我都弄錯了

7. 把忘記密碼的instance創建Image

8. 然后在IMAGES -- > AMI中查看進度，需要幾分鐘時間，完成后點Launch，這個步驟跟新建instance類似，為跟那個新建的instance區分開來，我們把這個instance命名為 image-instance

9. 創建好后關閉此Instance，然后把image-instance的volume掛載到new-instance上

10. 登入new-instance，并下載工具：https://s3.amazonaws.com/ec2rescue/windows/EC2Rescue_latest.zip （這個工具僅適用于2016及其后版本的 Windows Server）

另外我之前看文檔說可以通過修改Ec2Config service來實現密碼修改，后來摸索后才發現這在2012及之前的版本才可以，而我的忘記密碼的服務器是2016版本，這也是我奇怪之前沒有在路徑下看到C:\Program Files\Amazon\Ec2ConfigService這個文件夾了，所以我從2012上copy了一個到這個路徑，同時修改了config.xml文件，把EC2Password改為Enabled，不知道跟這個有沒關系，權且記錄在案。

11. 然后把這個volume在new-instance上offline，并從Volume上Deattach掉，然后重新掛回image-instance，注意要把Device設為 /dev/sda1，這樣才是C盤

12. 獲取image-instance的密碼

13. 導入保存的key文件獲取密碼，（剛開始的時候是失敗的，提示無法獲取密碼，驗證不對，在此我又糾結了幾個小時，在這個3個instance之前互相切換掛載，后來就可以獲得密碼了，不知哪里弄對了）

14. 然后再關閉這個image-instance, 把這個volume掛載回orignal-instance為C盤，啟動，這樣就用新的key獲取新的密碼

參考文檔
適用于server 2012及其前版本：https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ResettingAdminPassword_EC2Config.html

適用于server 2016及其后版本：https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ResettingAdminPassword_EC2Launch.html

這個提到要完全按照步驟來，我也是受這個啟發，重新看文檔才發現我沒有launch image，而是搞了launch new instance，這點很關鍵。https://stackoverflow.com/questions/50686939/resetting-administrator-password-for-aws-ec2-windows-server-2012-instance

后來收到AWS Support發來的郵件支持信息，不過我的問題已經自己解決，所以沒有使用他們的方法，記錄如下：
對于server 2016

1. In the Amazon IAM Console (https://console.aws.amazon.com/iam/), in the navigation pane, choose Roles, Create new role.

2. Choose Amazon EC2 Role for Simple Systems Manager, and then choose Select.

3. Under Policy Name, check AmazonEC2RoleforSSM, Next Step, enter a Role name that is meaningful to you and choose Create Role.

4. Open the Amazon EC2 console, https://console.aws.amazon.com/ec2/ and choose the appropriate region.

5. Select the affected instance, choose Actions, Instance Settings, Attach/Replace IAM role. This would attach the IAM role you just created to your instance.

6. From EC2 console select, "Run Command" and "Run a command" option.

7. Select "AWS-RunPowershellScript" from Command document

8. In Select Targets, Select the instance you want to reset password for. Should the instance not be populated in the list, please wait for some time so that the changes can be propagated.

9. Under Commands, run the following command while replacing "new_password" with your password.

   net user Administrator new_password

10. Click Run in the lower right, leaving all the settings at default.

Following the successful completion of the run command, you should now be able to log in with that local administrator password you just keyed in under step 9. Once you've regained access to the instance, change the password to a more permanent value by running the command from step 9 again in command prompt of the instance.

Another procedure you can follow to reset the password on the instance is to use the AWSSupport-ResetAccess Automation document from the Systems Manager console. This document is useful if you have lost your EC2 key pair and want to create a password-enabled AMI from your EC2 instance, so you can launch a new instance with an existing key pair. To perform this, you can follow the steps given on the link under the section headed "Systems Manager Automation AWSSupport-ResetAccess (Offline Method)":

[+] https://aws.amazon.com/premiumsupport/knowledge-center/reset-admin-password/