diff --git a/builder/amazon/instance/builder.go b/builder/amazon/instance/builder.go
index 06af0acc6..3ed464291 100644
--- a/builder/amazon/instance/builder.go
+++ b/builder/amazon/instance/builder.go
@@ -324,6 +324,7 @@ func (b *Builder) Run(ctx context.Context, ui packer.Ui, hook packer.Hook) (pack
 			SecurityGroupFilter:    b.config.SecurityGroupFilter,
 			SecurityGroupIds:       b.config.SecurityGroupIds,
 			TemporarySGSourceCidrs: b.config.TemporarySGSourceCidrs,
+			SkipSSHRuleCreation:    b.config.SSMAgentEnabled(),
 		},
 		&awscommon.StepIamInstanceProfile{
 			IamInstanceProfile:                        b.config.IamInstanceProfile,
@@ -337,13 +338,28 @@ func (b *Builder) Run(ctx context.Context, ui packer.Ui, hook packer.Hook) (pack
 			Timeout:   b.config.WindowsPasswordTimeout,
 			BuildName: b.config.PackerBuildName,
 		},
+		&awscommon.StepCreateSSMTunnel{
+			AWSSession:      session,
+			DstPort:         b.config.Comm.Port(),
+			SSMAgentEnabled: b.config.SSMAgentEnabled(),
+		},
 		&communicator.StepConnect{
+			// StepConnect is provided settings for WinRM and SSH, but
+			// the communicator will ultimately determine which port to use.
 			Config: &b.config.RunConfig.Comm,
 			Host: awscommon.SSHHost(
 				ec2conn,
 				b.config.SSHInterface,
 				b.config.Comm.Host(),
 			),
+			SSHPort: awscommon.Port(
+				b.config.SSHInterface,
+				b.config.Comm.Port(),
+			),
+			WinRMPort: awscommon.Port(
+				b.config.SSHInterface,
+				b.config.Comm.Port(),
+			),
 			SSHConfig: b.config.RunConfig.Comm.SSHConfigFunc(),
 		},
 		&common.StepProvision{},