Citrix Virtual Apps and Desktops service

Amazon Web Services virtualization environments

This article walks you through setting up your Amazon Web Services (AWS) account as a resource location you can use with the Citrix Virtual Apps and Desktops service. The resource location includes a basic set of components, ideal for a proof-of-concept or other deployment that does not require resources spread over multiple availability zones. After you complete these tasks, you can install VDAs, provision machines, create machine catalogs, and create Delivery Groups.

When you complete the tasks in this article, your resource location includes the following components:

  • A virtual private cloud (VPC) with public and private subnets inside a single availability zone.
  • An instance that runs as both an Active Directory domain controller and DNS server, located in the private subnet of the VPC.
  • Two domain-joined instances on which the Citrix Cloud Connector is installed, located in the private subnet of the VPC.
  • An instance that acts as a bastion host, located in the public subnet of your VPC. This instance is used to initiate RDP connections to the instances in the private subnet for administration purposes. After you finish setting up your resource location, you can shut down this instance so it is no longer readily accessible. When you must manage other instances in the private subnet, such as VDA instances, you can restart the bastion host instance.

Task overview

Set up a virtual private cloud (VPC) with public and private subnets. When you complete this task, AWS deploys a NAT instance with an Elastic IP address in the public subnet. This enables instances in the private subnet to access the Internet. Instances in the public subnet are accessible to inbound public traffic while instances in the private subnet are not.

Configure security groups. Security groups act as virtual firewalls that control traffic for the instances in your VPC. You add rules to your security groups that allow instances in your public subnet to communicate with instances in your private subnet. You will also associate these security groups with each instance in your VPC.

Create a DHCP options set. With an Amazon VPC, DHCP and DNS services are provided by default, which affects how you configure DNS on your Active Directory domain controller. Amazon’s DHCP cannot be disabled and Amazon’s DNS can be used only for public DNS resolution, not Active Directory name resolution. To specify the domain and name servers that should be handed to instances via DHCP, you create a DHCP options set. The set assigns the Active Directory domain suffix and specifies the DNS server for all instances in your VPC. To ensure Host (A) and Reverse Lookup (PTR) records are automatically registered when instances join the domain, you configure the network adapter properties for each instance you add to the private subnet.

Add a bastion host, domain controller, and Citrix Cloud Connectors to the VPC. Through the bastion host, you can log on to instances in the private subnet to set up the domain, join instances to the domain, and install the Citrix Cloud Connector.

Task 1: Set up the VPC

  1. From the AWS management console, select VPC.
  2. From the VPC Dashboard, select Start VPC Wizard.
  3. Select VPC with Public and Private Subnets and then select Select.
  4. Enter a VPC name and change the IP CIDR block and Public and Private subnet IP ranges, if necessary.
  5. If a NAT gateway is selected, select Use a NAT Instance instead.
  6. For the NAT instance, specify the instance type and the key pair you want to use. The key pair enables you to securely connect to the instance later.
  7. In Enable DNS host names, leave Yes selected.
  8. Select Create VPC. AWS creates the public and private subnets, Internet gateway, route tables, and default security group. Also, a NAT instance is created and assigned an Elastic IP address.

Note:

Changing the name of an AWS Virtual Private Cloud (VPC) in the AWS console breaks the existing hosting unit in Citrix Cloud. While the hosting unit is broken, you cannot create catalogs or add machines to existing catalogs. See known issue PMCS-7701.

Task 2: Configure security groups

This task creates and configures the following security groups for your VPC:

  • A security group for the NAT instance.
  • A public security group, with which instances in your Public subnet will be associated.
  • A private security group, with which instances in your Private subnet will be associated.

To create the security groups

  1. From the VPC Dashboard, select Security Groups.
  2. Create a security group for the NAT instance. Select Create Security Group and enter a name tag and description for the group. In VPC, select the VPC you created earlier. Select Yes, Create.
  3. Repeat Step 2 to create a public security group and a private security group.

Configure the NAT security group

  1. From the security group list, select the NAT security group.

  2. Select the Inbound Rules tab and select Edit to create the following rules:

    Type           Source
    ALL Traffic    Select the Private security group.
    22 (SSH)       0.0.0.0/0
  3. When finished, select Save.

Configure the Public security group

  1. From the security group list, select the Public security group.

  2. Select the Inbound Rules tab and select Edit to create the following rules:

    Type                         Source
    ALL Traffic                  Select the Private security group.
    ALL Traffic                  Select the Public security group.
    ICMP                         0.0.0.0/0
    22 (SSH)                     0.0.0.0/0
    80 (HTTP)                    0.0.0.0/0
    443 (HTTPS)                  0.0.0.0/0
    1494 (ICA/HDX)               0.0.0.0/0
    2598 (Session Reliability)   0.0.0.0/0
    3389 (RDP)                   0.0.0.0/0
  3. When finished, select Save.

  4. Select the Outbound Rules tab and select Edit to create the following rules:

    Type           Destination
    ALL Traffic    Select the Private security group.
    ALL Traffic    0.0.0.0/0
    ICMP           0.0.0.0/0
  5. When finished, select Save.

Configure the private security group

  1. From the security group list, select the Private security group.

  2. Select the Inbound Rules tab and select Edit to create the following rules:

    Type                             Source
    ALL Traffic                      Select the NAT security group.
    ALL Traffic                      Select the Private security group.
    ALL Traffic                      Select the Public security group.
    ICMP                             Select the Public security group.
    TCP 53 (DNS)                     Select the Public security group.
    UDP 53 (DNS)                     Select the Public security group.
    80 (HTTP)                        Select the Public security group.
    TCP 135                          Select the Public security group.
    TCP 389                          Select the Public security group.
    UDP 389                          Select the Public security group.
    443 (HTTPS)                      Select the Public security group.
    TCP 1494 (ICA/HDX)               Select the Public security group.
    TCP 2598 (Session Reliability)   Select the Public security group.
    3389 (RDP)                       Select the Public security group.
    TCP 49152–65535                  Select the Public security group.
  3. When finished, select Save.

  4. Select the Outbound Rules tab and select Edit to create the following rules:

    Type           Destination
    ALL Traffic    Select the Private security group.
    ALL Traffic    0.0.0.0/0
    ICMP           0.0.0.0/0
    UDP 53 (DNS)   0.0.0.0/0
  5. When finished, select Save.
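
Before applying the rule tables above, it is worth checking them mechanically. The following added Python example (not Citrix or AWS code) encodes the three inbound rule sets as data and reports where SSH or RDP is open to the whole Internet, confirms that the Private group accepts traffic only from other security groups, and produces a narrowed copy in which the world-open SSH/RDP rules are limited to a single administrator range; the group names, the rule encoding, and the admin range 203.0.113.0/24 are assumptions made for the example.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_network

# Added example: the page's inbound rule tables encoded as data, plus three checks.
# A rule's peer is either an IPv4 CIDR ("0.0.0.0/0") or the name of another
# security group ("Private"), mirroring the Source column of the tables above.

@dataclass(frozen=True)
class Rule:
    proto: str      # "tcp", "udp", "icmp" or "all" ("ALL Traffic")
    from_port: int  # -1 means every port
    to_port: int
    peer: str       # CIDR or security group name

def tcp(port, peer): return Rule("tcp", port, port, peer)
def udp(port, peer): return Rule("udp", port, port, peer)
def icmp(peer): return Rule("icmp", -1, -1, peer)
def all_traffic(peer): return Rule("all", -1, -1, peer)

# Inbound rules as the Task 2 tables list them (group names are assumed).
INBOUND = {
    "NAT": [all_traffic("Private"), tcp(22, "0.0.0.0/0")],
    "Public": [all_traffic("Private"), all_traffic("Public"), icmp("0.0.0.0/0"),
               tcp(22, "0.0.0.0/0"), tcp(80, "0.0.0.0/0"), tcp(443, "0.0.0.0/0"),
               tcp(1494, "0.0.0.0/0"), tcp(2598, "0.0.0.0/0"), tcp(3389, "0.0.0.0/0")],
    "Private": [all_traffic("NAT"), all_traffic("Private"), all_traffic("Public"),
                icmp("Public"), tcp(53, "Public"), udp(53, "Public"), tcp(80, "Public"),
                tcp(135, "Public"), tcp(389, "Public"), udp(389, "Public"),
                tcp(443, "Public"), tcp(1494, "Public"), tcp(2598, "Public"),
                tcp(3389, "Public"), Rule("tcp", 49152, 65535, "Public")],
}

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

def is_cidr(peer):
    """True when the peer is an IP range rather than a security group reference."""
    try:
        ip_network(peer, strict=False)
        return True
    except ValueError:
        return False

def is_world_open(peer):
    """True for 0.0.0.0/0 or ::/0, i.e. any source on the Internet."""
    return is_cidr(peer) and ip_network(peer, strict=False).prefixlen == 0

def allows_tcp_port(rule, port):
    if rule.proto not in ("tcp", "all"):
        return False
    return rule.from_port == -1 or rule.from_port <= port <= rule.to_port

def open_admin_ports(inbound):
    """Sorted (group, port) pairs where SSH or RDP is reachable from anywhere."""
    found = set()
    for group, rules in inbound.items():
        for rule in rules:
            if is_world_open(rule.peer):
                found.update((group, p) for p in ADMIN_PORTS if allows_tcp_port(rule, p))
    return sorted(found)

def cidr_sourced_rules(inbound, group):
    """Rules on `group` whose source is an IP range instead of a security group.
    The Private group should only reference other groups, so this should be empty."""
    return [r for r in inbound[group] if is_cidr(r.peer)]

def restrict_admin_ports(inbound, admin_cidr):
    """Copy of the rule set with world-open SSH/RDP rules narrowed to admin_cidr.
    This is a hardening step added by the example, not part of the page's procedure."""
    hardened = {}
    for group, rules in inbound.items():
        new_rules = []
        for r in rules:
            single_admin_port = r.proto == "tcp" and r.from_port == r.to_port and r.from_port in ADMIN_PORTS
            if single_admin_port and is_world_open(r.peer):
                r = replace(r, peer=admin_cidr)
            new_rules.append(r)
        hardened[group] = new_rules
    return hardened

if __name__ == "__main__":
    for group, port in open_admin_ports(INBOUND):
        print(f"{group}: {ADMIN_PORTS[port]} ({port}/tcp) is open to the whole Internet")
    print("Private group rules sourced from an IP range:", cidr_sourced_rules(INBOUND, "Private"))
    # 203.0.113.0/24 is a documentation range standing in for an administrator's network.
    print("After narrowing:", open_admin_ports(restrict_admin_ports(INBOUND, "203.0.113.0/24")))
```

Because the bastion host is the only instance meant to be reachable from outside, the two world-open rules it inherits from the Public group are the ones worth narrowing once setup is complete.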

Task 3: Associate the NAT instance with the NAT security group

  1. From the AWS management console, select EC2.
  2. From the EC2 Dashboard, select Instances.
  3. Select the NAT instance and then select Actions > Networking > Change Security Groups.
  4. Clear the default security group check box.
  5. Select the NAT security group you created earlier and then select Assign Security Groups.

Task 4: Launch instances

The following steps create four EC2 instances and decrypt the default Administrator password that Amazon generates.

  1. From the AWS management console, select EC2.

  2. From the EC2 Dashboard, select Launch Instance.

  3. Select a Windows Server machine image and instance type.

  4. On the Configure Instance Details page, enter a name for the instance and select the VPC you set up earlier.

  5. In Subnet, make the following selections for each instance:

    • Bastion host: Select the Public subnet.
    • Domain controller and Connectors: Select the Private subnet.
  6. In Auto-assign Public IP address, make the following selections for each instance:

    • Bastion host: Select Enable.
    • Domain controller and Connectors: Select Use default setting or Disable.
  7. In Network Interfaces, enter a primary IP address within the IP range of your private subnet for the domain controller and Cloud Connector instances.

  8. On the Add Storage page, modify the disk size, if necessary.

  9. On the Tag Instance page, enter a friendly name for each instance.

  10. On the Configure Security Groups page, select Select an existing security group and then make the following selections for each instance:

    • Bastion host: Select the Public security group.
    • Domain controller and Cloud Connectors: Select the Private security group.
  11. Review your selections and then select Launch.

  12. Create a new key pair or select an existing one. If you create a new key pair, download your private key (.pem) file and keep it in safe place. You must supply your private key when you acquire the default Administrator password for the instance.

  13. Select Launch Instances, and then select View Instances to display a list of your instances. Wait until the newly launched instance has passed all status checks before accessing it.

  14. Acquire the default Administrator password for each instance:

    1. From the instance list, select the instance and then select Connect.
    2. Select Get Password and supply your private key (.pem) file when prompted.
    3. Select Decrypt Password. AWS displays the default password.
  15. Repeat Steps 2–14 until you have created four instances: a bastion host instance in your public subnet and three instances in your private subnet for use as a domain controller and two Cloud Connectors.

Task 5: Create a DHCP options set

  1. From the VPC Dashboard, select DHCP Options Sets.

  2. Enter the following information:

    • Name tag: Enter a friendly name for the set.
    • Domain name: Enter the fully qualified domain name you use when you configure the domain controller instance.
    • Domain name servers: Enter the private IP address you assigned to the domain controller instance and the string AmazonProvidedDNS, separated by commas.
    • NTP servers: Leave this field blank.
    • NetBIOS name servers: Enter the private IP address of the domain controller instance.
    • NetBIOS node type: Enter 2.
  3. Select Yes, Create.

  4. Associate the new set with your VPC:

    1. From the VPC Dashboard, select Your VPCs and then select the VPC you set up earlier.
    2. Select Actions > Edit DHCP Options Set.
    3. When prompted, select the new set you created and then select Save.

Task 6: Configure the instances

  1. Using an RDP client, connect to the public IP address of the bastion host instance. When prompted, enter the credentials for the Administrator account.

  2. From the bastion host instance, launch Remote Desktop Connection and connect to the private IP address of the instance you want to configure. When prompted, enter the Administrator credentials for the instance.

  3. For all instances in the private subnet, configure the DNS settings:

    1. Select Start > Control Panel > Network and Internet > Network and Sharing Center > Change adapter settings. Double-click the network connection displayed.
    2. Select Properties, select Internet Protocol Version 4 (TCP/IPv4), and then select Properties.
    3. Select Advanced and then select the DNS tab. Ensure that the following settings are enabled and select OK:

      • Register this connection’s addresses in DNS
      • Use this connection’s DNS suffix in DNS registration
  4. To configure the domain controller:

    1. Using Server Manager, add the Active Directory Domain Services role with all default features.
    2. Promote the instance to a domain controller. During promotion, enable DNS and use the domain name you specified when you created the DHCP options set. Restart the instance when prompted.
  5. To configure the first Cloud Connector:

    1. Join the instance to the domain and restart when prompted. From the bastion host instance, reconnect to the instance using RDP.
    2. Sign in to Citrix Cloud. Select Resource Locations from the upper left menu.
    3. Download the Cloud Connector.
    4. When prompted, run the cwcconnector.exe file and supply your Citrix Cloud credentials. Follow the wizard.
    5. When finished, select Refresh to display the Resource Locations page. When the Cloud Connector is registered, the instance appears on the page.
  6. Repeat Step 5 to configure the second Cloud Connector.

Create a connection

When you create a connection from the Full Configuration interface:

  • You must provide the API key and secret key values. You can export the key file containing those values from AWS and then import them. You must also provide the region, availability zone, VPC name, subnet addresses, domain name, security group names, and credentials.
  • The credentials file for the root AWS account (retrieved from the AWS console) is not formatted the same as credentials files downloaded for standard AWS users. Therefore, Citrix Virtual Apps and Desktops management cannot use the file to populate the API key and secret key fields. Ensure that you are using AWS Identity Access Management (IAM) credentials files.

Note:

After you create a connection, attempts to update the API key and secret key might fail. To resolve the issue, check your proxy server or firewall restrictions and ensure that the following address is contactable: https://*.amazonaws.com.

Service endpoint URL

Standard zone service endpoint URL

When you use MCS, a new AWS connection is added with an API key and an API secret. With this information, along with the authenticated account, MCS queries AWS for the supported zones using the AWS DescribeRegions EC2 API call. The query is made using a generic EC2 Service Endpoint URL https://ec2.amazonaws.com/. You can then use MCS to select the zone for the connection from the list of supported zones. The preferred AWS service endpoint URL is automatically selected for the zone. However, after you create the service endpoint URL, you can no longer set or modify the URL.

Non-standard service endpoint URL

There can be situations where you might not need the automatically chosen AWS Service Endpoint URL for the connection. For such cases, you can use Citrix Cloud SDK and PowerShell to create a connection with a non-standard service endpoint URL. For example, to create a connection using the service endpoint URL https://ec2.cn-north-1.amazonaws.com.cn:

  1. Set up the AWS hosted Cloud Connector and ensure that it has connectivity.
  2. Run the following PowerShell commands to see the list of Cloud Connectors.

     PS C:\> asnp citrix.*
     PS C:\> Get-XDAuthentication
     PS C:\> Get-ConfigEdgeServer
    
  3. Find the ZoneUid of the newly created Cloud Connector and enter it into the following PowerShell commands. Replace the placeholders in angle brackets with the respective values.

    PS C:\> $hyp = New-Item -Path xdhyp:\Connections -ZoneUid <ZoneUid> -Name "My New Connection" -ConnectionType "AWS" -HypervisorAddress @("https://ec2.cn-north-1.amazonaws.com.cn") -UserName "<APIkey>" -Password "<APISecret>" -Persist
    PS C:\> New-BrokerHypervisorConnection -HypHypervisorConnectionUid $hyp.HypervisorConnectionUid

  4. Refresh the Full Configuration > Hosting tab to verify that the EC2 connection has been created.
  5. Add a resource location using the new connection.

AWS tenancy

AWS provides the following tenancy options: shared tenancy (the default type) and dedicated tenancy. Shared tenancy means that multiple Amazon EC2 instances from different customers might reside on the same piece of physical hardware. Dedicated tenancy means that your EC2 instances run only on hardware with other instances that you have deployed. Other customers do not use the same piece of hardware.

You can use MCS to provision AWS dedicated hosts by using the Full Configuration interface or PowerShell.

Configure AWS dedicated host tenancy using the Full Configuration interface

When you use MCS to create a catalog to provision machines in AWS, the Machine Catalog Setup > Security page presents the following options:

  • Use shared hardware. This setting is suitable for most deployments. Multiple customers share pieces of hardware even though they do not interact with each other. Using shared hardware is the least expensive option for running your Amazon EC2 instances.

  • Use dedicated host. An Amazon EC2 dedicated host is a physical server with EC2 instance capacity that is fully dedicated, letting you use existing per-socket or per-VM software licenses. Dedicated hosts have preset utilization based on instance type. For example, a single allocated dedicated host of C4 Large instance types is limited to running 16 instances. See the AWS site for more information.

    The requirements for provisioning to AWS hosts include:

    • An imported BYOL (bring your own license) image (AMI). With dedicated hosts, use and manage your existing licenses.
    • An allocation of dedicated hosts with sufficient utilization to satisfy provisioning requests.
    • Enabling auto-placement.

    This setting is suitable for deployments with licensing restrictions or security requirements that require the use of a dedicated host. With a dedicated host, you own an entire physical host and are billed on an hourly basis. Owning that host lets you spin up as many EC2 instances as that host permits, without more charges.

    Alternatively, you can provision AWS dedicated hosts through PowerShell. To do that, use the New-ProvScheme cmdlet with the parameter TenancyType set to Host. See the Citrix Developer Documentation for more information.

  • Use dedicated instance. This setting is more suitable for deployments with specific security or compliance requirements. With a dedicated instance, you still enjoy the benefits of having a host separate from other AWS customers but you do not pay for the entire host. You do not need to worry about the capacity of the host but you are charged at a higher rate for the instances.

Configure AWS dedicated host tenancy using PowerShell

You can create a catalog of machines with host tenancy defined through PowerShell.

An Amazon EC2 dedicated host is a physical server with EC2 instance capacity that is fully dedicated, allowing you to use existing per-socket or per-VM software licenses.

Dedicated hosts have preset utilization based on instance type. For example, a single allocated dedicated host of C4 Large instance types is limited to running 16 instances. See the AWS site for more information.

The requirements for provisioning to AWS hosts include:

  • An imported BYOL (bring your own license) image (AMI). With dedicated hosts, use and manage your existing licenses.
  • An allocation of dedicated hosts with sufficient utilization to satisfy provisioning requests.
  • Enabling auto-placement.

To provision to a dedicated host in AWS using PowerShell, use the New-ProvScheme cmdlet with the parameter TenancyType set to Host.

Refer to the Citrix Developer Documentation for more information.

AWS instance property capturing

When you create a catalog to provision machines using Machine Creation Services (MCS) in AWS, you select an AMI to represent the master (golden) image of that catalog. From that AMI, MCS uses a snapshot of the disk. In previous releases, if you wanted roles or tags on your machines, you had to set them individually in the AWS console. This functionality is enabled by default.

Tip:

To use AWS instance property capturing, you must have a VM associated with the AMI.

To improve this process, MCS reads properties from the instance from which the AMI was taken and applies the Identity Access Management (IAM) role and tags of the machine to the machines provisioned for a given catalog. When using this optional feature, the catalog creation process finds the selected AMI source instance, reading a limited set of properties. These properties are then stored in an AWS Launch Template, which is used to provision machines for that catalog. Any machine in the catalog inherits the captured instance properties.

Captured properties include:

  • IAM roles: applied to provisioned instances.
  • Tags: applied to provisioned instances, their disks, and NICs. These tags are also applied to transient Citrix resources, including S3 buckets and objects, volume and worker resources, AMIs, snapshots, and launch templates.

Tip:

The tagging of transient Citrix resources is optional and is configurable using the custom property AwsOperationalResourcesTagging.

Capturing the AWS instance property

You can use this feature by specifying a custom property, AwsCaptureInstanceProperties, when creating a provisioning scheme for an AWS hosting connection:

New-ProvScheme -CustomProperties "AwsCaptureInstanceProperties,true" …<standard provscheme parameters>

Refer to the Citrix Developer Documentation for more information.

Applying AWS instance properties and tagging operational resources in the Full Configuration interface

When creating a catalog to provision machines in AWS by using MCS, you can control whether to apply the IAM role and tag properties to those machines. You can also control whether to apply machine tags to operational resources. You have the following two options:

AWS machine tags and template properties

  • Apply machine template properties to virtual machines
    • Controls whether to apply the IAM role and tag properties associated with the selected machine template to virtual machines in this catalog.
  • Apply machine tags to operational resources
    • Controls whether to apply machine tags to every item created in your AWS environment that facilitates provisioning of machines. Operational resources are created as byproducts of catalog creation. They include both temporary and persistent resources, such as preparation VM instance and AMI.

AWS operational resource tagging

An Amazon Machine Image (AMI) represents a type of virtual appliance used to create a virtual machine within the Amazon Cloud environment, commonly referred to as EC2. You use an AMI to deploy services that use the EC2 environment. When you create a catalog to provision machines using MCS for AWS, you select the AMI to act as the golden image for that catalog.

Important:

Creating catalogs by capturing an instance property and launch template is required for using operational resource tagging. For details, see the preceding section AWS instance property capturing.

To create an AWS catalog, you must first create an AMI for the instance you want to be the golden image. MCS reads the tags from that instance and incorporates them into the launch template. The launch template tags are then applied to all Citrix resources created in your AWS environment, including:

  • Virtual Machines
  • VM disks
  • VM network interfaces
  • S3 buckets
  • S3 objects
  • Launch templates
  • AMIs

Tagging an operational resource

To use PowerShell to tag resources:

  1. Open a PowerShell window from the DDC host.
  2. Run the command asnp citrix.* to load the Citrix-specific PowerShell modules.

To tag a resource for a provisioned VM, use the new custom property AwsOperationalResourcesTagging. The syntax for this property is:

New-ProvScheme -CustomProperties "AwsCaptureInstanceProperties,true; AwsOperationalResourcesTagging,true" …<standard provscheme parameters>

Defining IAM permissions

Use the information in this section to define IAM permissions for the Citrix Virtual Apps and Desktops service on AWS. Amazon's IAM service lets an account have multiple users, which can be further organized into groups. These users can hold different permissions that control which operations they can perform on the account. For more information about IAM permissions, see IAM JSON policy reference.

To apply IAM permissions policy to a new group of users:

  1. Log into the AWS management console and select the IAM service from the drop-down list.
  2. Select Create a New Group of Users.
  3. Type a name for the new user group and select Continue.
  4. On the Permissions page, choose Custom Policy. Select Select.
  5. Type a name for the Permissions policy.
  6. In the Policy Document section, enter relevant permissions.

After entering the policy information, select Continue to complete the group of users. Users in the group are granted permissions to perform only those actions that are required for the Citrix Virtual Apps and Desktops service.

Important:

Use the policy text provided in the example above to list the actions that a Citrix Virtual Apps and Desktops service uses to perform actions within an AWS account without restricting those actions to specific resources. Citrix recommends that you use the example for testing purposes. For production environments, you might choose to add further restrictions on resources.

Adding IAM permissions

Set the permissions in the IAM section of the AWS Management Console:

  1. In the Summary panel, select the Permissions tab.
  2. Select Add permissions.

Identity and Access Management (IAM)

In the Add Permissions to screen, grant permissions:

Grant permissions for IAM policies

Use the following as an example in the JSON tab:

JSON example

Tip:

The noted JSON example might not include all the permissions for your environment. See How to Define Identity Access Management Permissions Running Citrix Virtual Apps and Desktops on Amazon Web Services for more information.

About AWS permissions

This section contains the complete list of AWS permissions.

Note:

The iam:PassRole permission is needed only for role_based_auth.

Creating a host connection

A new host connection is added using the information obtained from AWS.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Power management of VMs

Machine instances are powered on or off.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:AttachVolume",
                "ec2:CreateVolume",
                "ec2:DeleteVolume",
                "ec2:DescribeInstances",
                "ec2:DescribeVolumes",
                "ec2:DetachVolume",
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Creating, updating, or deleting VMs

A machine catalog is created, updated, or deleted with VMs provisioned as AWS instances.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:AttachVolume",
                "ec2:CreateImage",
                "ec2:CreateLaunchTemplate",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:DeleteVolume",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeRegions",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSnapshots",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcs",
                "ec2:DetachVolume",
                "ec2:RunInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:PutBucketTagging",
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::citrix*"
        },
        {
            "Action": [
                "ebs:ListSnapshotBlocks",
                "ebs:GetSnapshotBlock",
                "ebs:PutSnapshotBlock",
                "ebs:CompleteSnapshot",
                "ebs:StartSnapshot"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Note:

  • The EBS action is needed only when you are using direct disk upload.
  • The S3 section is not needed if you are using direct disk upload.

IAM role based authentication

The following permissions are added to support role based authentication.

{
     "Version": "2012-10-17",
     "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::*:role/*"
        }
    ]
}

Minimal IAM permissions policy

The following JSON must be used if you are using the Cloud Connector instance IAM policy. This can be implemented with the role_based_auth security key and secret or by assigning the role to an AWS user and using the user’s API key and secret. You can use this policy for all currently supported features. You can also create host connections, create, update, or delete VMs, and do power management using this policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:AttachVolume",
                "ec2:AssociateIamInstanceProfile",
                "ec2:CreateImage",
                "ec2:CreateLaunchTemplate",
                "ec2:CreateNetworkInterface",
                "ec2:CreateSecurityGroup",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:DeleteLaunchTemplate",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteSnapshot",
                "ec2:DeleteTags",
                "ec2:DeleteVolume",
                "ec2:DeregisterImage",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeIamInstanceProfileAssociations",
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeRegions",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSnapshots",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcs",
                "ec2:DetachVolume",
                "ec2:DisassociateIamInstanceProfile",
                "ec2:RebootInstances",
                "ec2:RunInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutBucketAcl",
                "s3:PutObject",
                "s3:PutBucketTagging",
                "s3:PutObjectTagging"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::citrix*"
        },
        {
            "Action": [
                "ebs:ListSnapshotBlocks",
                "ebs:GetSnapshotBlock",
                "ebs:PutSnapshotBlock",
                "ebs:CompleteSnapshot",
                "ebs:StartSnapshot"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::*:role/*"
        }
    ]
}

Note:

  • The EBS action is needed only when you are using direct disk upload.
  • The S3 section is not needed if you are using direct disk upload.
  • The iam:PassRole permission section is needed only for role_based_auth.
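
Before attaching a policy, it helps to compare a candidate mechanically against the action lists in this section. The following added Python example (not Citrix or AWS code) encodes the page's EC2 action lists for creating a host connection, power management, and provisioning, then reports which required actions a candidate policy lacks, which wildcard action patterns it relies on, and which S3 grants are not confined to the citrix* bucket prefix the page's policies use; the two candidate policies are constructed for the example, and the function and constant names are assumptions.

```python
import json
from fnmatch import fnmatchcase

# Added example: the EC2 actions the page lists per operation, as sets.
HOST_CONNECTION = set("""ec2:DescribeAvailabilityZones ec2:DescribeImages ec2:DescribeInstances
    ec2:DescribeInstanceTypes ec2:DescribeSecurityGroups ec2:DescribeSubnets ec2:DescribeVpcs""".split())
POWER_MANAGEMENT = set("""ec2:AttachVolume ec2:CreateVolume ec2:DeleteVolume ec2:DescribeInstances
    ec2:DescribeVolumes ec2:DetachVolume ec2:StartInstances ec2:StopInstances""".split())
PROVISIONING = set("""ec2:AttachVolume ec2:CreateImage ec2:CreateLaunchTemplate ec2:CreateTags
    ec2:CreateVolume ec2:DeleteVolume ec2:DescribeAccountAttributes ec2:DescribeAvailabilityZones
    ec2:DescribeImages ec2:DescribeInstances ec2:DescribeInstanceTypes ec2:DescribeLaunchTemplateVersions
    ec2:DescribeNetworkInterfaces ec2:DescribeRegions ec2:DescribeSecurityGroups ec2:DescribeSnapshots
    ec2:DescribeSubnets ec2:DescribeTags ec2:DescribeVolumes ec2:DescribeVpcs ec2:DetachVolume
    ec2:RunInstances ec2:StartInstances ec2:StopInstances ec2:TerminateInstances""".split())
REQUIRED = HOST_CONNECTION | POWER_MANAGEMENT | PROVISIONING
CITRIX_BUCKETS = "arn:aws:s3:::citrix*"   # the S3 resource scope the page's policies use

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allow_grants(policy):
    """(action_pattern, resource_pattern) pairs from every Allow statement.
    Deny, NotAction, NotResource and Condition change what a grant means, so the
    check refuses such statements instead of silently mis-reading them."""
    grants = []
    for stmt in _as_list(policy.get("Statement", [])):
        unsupported = {"NotAction", "NotResource", "Condition"} & set(stmt)
        if stmt.get("Effect") != "Allow" or unsupported:
            raise ValueError(f"statement needs manual review: {stmt}")
        for action in _as_list(stmt["Action"]):
            for resource in _as_list(stmt["Resource"]):
                grants.append((action, resource))
    return grants

def action_granted(grants, action):
    # IAM matches action names case-insensitively with * and ? wildcards; fnmatch does the same.
    return any(fnmatchcase(action.lower(), pattern.lower()) for pattern, _ in grants)

def audit_policy(policy):
    """Compare a policy (dict or JSON text) against the actions the page requires.
    Returns the required actions it lacks, the wildcard action patterns it uses,
    and any S3 actions not confined to the citrix* bucket prefix."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    grants = allow_grants(policy)
    return {
        "missing": sorted(a for a in REQUIRED if not action_granted(grants, a)),
        "wildcards": sorted({p for p, _ in grants if "*" in p or "?" in p}),
        "unscoped_s3": sorted({p for p, r in grants
                               if p.lower().startswith("s3:") and r != CITRIX_BUCKETS}),
    }

# Constructed candidate policies (not from the page) used to exercise the checks.
TIGHT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": sorted(PROVISIONING - {"ec2:RunInstances"}), "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": CITRIX_BUCKETS},
    ],
}
LAZY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}],
}

if __name__ == "__main__":
    for name, policy in (("tight", TIGHT_POLICY), ("lazy", LAZY_POLICY)):
        print(name, json.dumps(audit_policy(policy), indent=2))
```

The "lazy" policy passes the coverage check only because ec2:* matches everything, which is exactly what the wildcard report is there to surface.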

More information