AWS cloud environments
This article walks you through setting up your AWS account as a resource location you can use with Citrix Virtual Apps and Desktops. The resource location includes a basic set of components, ideal for a proof-of-concept, or other deployment that does not require resources spread over multiple availability zones. After you complete these tasks, you can install VDAs, provision machines, create machine catalogs, and create Delivery Groups.
When you complete the tasks in this article, your resource location includes the following components:
- A virtual private cloud (VPC) with public and private subnets inside a single availability zone.
- An instance that runs as both an Active Directory Domain Controller and DNS server, located in the private subnet of the VPC.
- An instance that acts as a bastion host in the public subnet of your VPC. This instance is used to initiate RDP connections to the instances in the private subnet for administration purposes. After you finish setting up your resource location, you can shut down this instance so it is no longer readily accessible. When you must manage other instances in the private subnet, such as VDA instances, you can restart the bastion host instance.
Limitation
From Citrix Virtual Apps and Desktops 2203 LTSR and later, MCS AWS plug-in makes DescribeInstanceTypes
AWS API call and if that succeeds, then MCS uses the inventory name created from the API response.
Therefore, when you upgrade from CVAD 1912 to 2203 or later, disable the DefineInstanceType
permission on AWS, and then update the existing catalog using Set-ProvScheme
command to match the AWS naming scheme. Then, add the DescribeInstanceType
permissions back after catalog update is complete and the service offering matches AWS naming scheme.
Task overview
Set up a virtual private cloud (VPC) with public and private subnets. When you complete this task, AWS deploys a NAT gateway with an Elastic IP address in the public subnet. This action enables instances in the private subnet to access the Internet. Instances in the public subnet are accessible to inbound public traffic while instances in the private subnet are not.
Configure security groups. Security groups act as virtual firewalls that control traffic for the instances in your VPC. You add rules to your security groups that allow instances in your public subnet to communicate with instances in your private subnet. You also associate these security groups with each instance in your VPC.
Create a DHCP options set. With an Amazon VPC, DHCP and DNS services are provided by default, which affects how you configure DNS on your Active Directory Domain Controller. Amazon’s DHCP cannot be disabled and Amazon’s DNS can be used only for public DNS resolution, not Active Directory name resolution. To specify the domain and name servers handed to instances through DHCP, create a DHCP options set. The set assigns the Active Directory domain suffix and specifies the DNS server for all instances in your VPC. To ensure Host (A) and Reverse Lookup (PTR) records are automatically registered when instances join the domain, you configure the network adapter properties for each instance you add to the private subnet.
Add a bastion host and Domain Controller to the VPC. Through the bastion host, you can log on to instances in the private subnet to set up the domain and join instances to the domain.
Task 1: Set up the VPC
- From the AWS management console, select VPC.
- From the VPC Dashboard, select Create VPC.
- Select VPC and more.
- Under NAT gateways ($), select In 1 AZ or 1 per AZ.
- Under DNS options, leave Enable DNS hostnames selected.
- Select Create VPC. AWS creates the public and private subnets, Internet gateway, route tables, and default security group.
Task 2: Configure security groups
This task creates and configures the following security groups for your VPC:
- A public security group to associate with the instances in your Public subnet.
- A private security group to associate with the instances in your Private subnet.
To create the security groups:
- In the VPC Dashboard, select Security Groups.
- Create a security group for the public security group. Select Create Security Group and enter a name tag and description for the group. In VPC, select the VPC you created earlier. Select Yes, Create.
Configure the Public security group
-
From the security group list, select the Public security group.
-
Select the Inbound Rules tab and select Edit to create the following rules:
Type Source ALL Traffic Select the Private security group. ALL Traffic Select the Public security group. ICMP 0.0.0.0/0 22 (SSH) 0.0.0.0/0 80 (HTTP) 0.0.0.0/0 443 (HTTPS) 0.0.0.0/0 1494 (ICA/HDX) 0.0.0.0/0 2598 (Session Reliability) 0.0.0.0/0 3389 (RDP) 0.0.0.0/0 -
When finished, select Save.
-
Select the Outbound Rules tab and select Edit to create the following rules:
Type Destination ALL Traffic Select the Private security group. ALL Traffic 0.0.0.0/0 ICMP 0.0.0.0/0 -
When finished, select Save.
Configure the private security group
-
From the security group list, select the Private security group.
-
If you have not setup traffic from the public security group, you must set TCP ports; select the Inbound Rules tab and select Edit to create the following rules:
Type Source ALL Traffic Select the Private security group. ALL Traffic Select the Public security group. ICMP Select the Public security group. TCP 53 (DNS) Select the Public security group. UDP 53 (DNS) Select the Public security group. 80 (HTTP) Select the Public security group. TCP 135 Select the Public security group. TCP 389 Select the Public security group. UDP 389 Select the Public security group. 443 (HTTPS) Select the Public security group. TCP 1494 (ICA/HDX) Select the Public security group. TCP 2598 (Session Reliability) Select the Public security group. 3389 (RDP) Select the Public security group. TCP 49152–65535 Select the Public security group. -
When finished, select Save.
-
Select the Outbound Rules tab and select Edit to create the following rules:
Type Destination ALL Traffic Select the Private security group. ALL Traffic 0.0.0.0/0 ICMP 0.0.0.0/0 UDP 53 (DNS) 0.0.0.0/0 -
When finished, select Save.
Task 3: Launch instances
Do the following steps to create two EC2 instances and decrypt the default Administrator password that Amazon generates:
- From the AWS management console, select EC2.
- From the EC2 Dashboard, select Launch Instance.
- Select a Windows Server machine image and instance type.
- On the Configure Instance Details page, enter a name for the instance and select the VPC you set up earlier.
-
In Subnet, make the following selections for each instance:
- Bastion host: Select the Public subnet
- Domain Controller: Select the Private subnet
-
In Auto-assign Public IP address, make the following selections for each instance:
- Bastion host: Select Enable.
- Domain Controller: Select Use default setting or Disable.
- In Network Interfaces, enter a primary IP address within the IP range of your private subnet for the Domain Controller.
- If necessary, on the Add Storage page, modify the disk size.
- On the Tag Instance page, enter a friendly name for each instance.
-
On the Configure Security Groups page, select Select an existing security group and then make the following selections for each instance:
- Bastion host: Select the Public security group.
- Domain Controller: Select the Private security group.
- Review your selections and then select Launch.
- Create a new key pair or select an existing one. If you create a new key pair, download your private key (.pem) file and keep it in a safe place. You must supply your private key when you acquire the default Administrator password for the instance.
- Select Launch Instances. select View Instances to display a list of your instances. Wait until the newly launched instance has passed all status checks before accessing it.
-
Acquire the default Administrator password for each instance:
- From the instance list, select the instance and then select Connect.
- Go to the RDP client tab, select Get Password, and upload your private key (
.pem
) file when prompted. - Select Decrypt Password to get the human readable password. AWS displays the default password.
-
Repeat the steps from step 2 until you have created two instances:
- One bastion host instance in your public subnet
- One instance in your private subnet that is for use as a Domain Controller.
Task 4: Create a DHCP options set
-
From the VPC Dashboard, select DHCP Options Sets.
-
Enter the following information:
- Name tag: Enter a friendly name for the set.
- Domain name: Enter the fully qualified domain name that you use when you configure the Domain Controller instance.
- Domain name servers: Enter the private IP address you assigned to the Domain Controller instance and the string AmazonProvidedDNS, separated by commas.
- NTP servers: Leave this field blank.
- NetBIOS name servers: Enter the private IP address of the Domain Controller instance.
- NetBIOS node type: Enter 2.
-
Select Yes, Create.
-
Associate the new set with your VPC:
- From the VPC Dashboard, select Your VPCs and then select the VPC you set up earlier.
- Select Actions > Edit DHCP Options Set.
- When prompted, select the new set you created and then select Save.
Task 5: Configure the instances
-
Using an RDP client, connect to the public IP address of the bastion host instance. When prompted, enter the credentials for the Administrator account.
-
From the bastion host instance, launch Remote Desktop Connection and connect to the private IP address of the instance you want to configure. When prompted, enter the Administrator credentials for the instance.
-
For all instances in the private subnet, configure the DNS settings:
- Select Start > Control Panel > Network and Internet > Network and Sharing Center > Change adapter settings. Double-click the network connection displayed.
- Select Properties > Internet Protocol Version 4 (TCP/IPv4) > Properties.
-
Select Advanced > DNS. Ensure that the following settings are enabled and select OK:
- Register this connection’s addresses in DNS
- Use this connection’s DNS suffix in DNS registration
-
To configure the Domain Controller:
- Using Server Manager, add the Active Directory Domain Services role with all default features.
- Promote the instance to a Domain Controller. During promotion, enable DNS and use the domain name you specified when you created the DHCP options set. Restart the instance when prompted.
Create a connection
When you create a connection from Studio:
- You must provide the API key and secret key values. You can export the key file containing those values from AWS and then import them. You must also provide the region, availability zone, VPC name, subnet addresses, domain name, security group names, and credentials.
- The credentials file for the root AWS account (retrieved from the AWS console) is not formatted the same as credentials files downloaded for standard AWS users. Therefore, Citrix Virtual Apps and Desktops management cannot use the file to populate the API key and secret key fields. Ensure that you are using AWS Identity Access Management (IAM) credentials files.
Note:
After you create a connection, attempts to update the API key and secret key might fail. To resolve the issue, check your proxy server or firewall restrictions and ensure that the following address is contactable:
https://*.amazonaws.com
.
Host connection default values
When you create host connections in AWS cloud environments, the following default values are displayed:
Option | Absolute | Percentage |
---|---|---|
Simultaneous actions (all types) | 125 | 100 |
Maximum new actions per minute | 125 |
MCS supports 100 maximum concurrent provisioning operations by default.
Service endpoint URL
Standard zone service endpoint URL
When you use MCS, a new AWS connection is added with an API key and an API secret. With this information, along with the authenticated account, MCS queries AWS for the supported zones using the AWS DescribeRegions EC2 API call. The query is made using a generic EC2 Service Endpoint URL https://ec2.amazonaws.com/
. Use MCS to select the zone for the connection from the list of supported zones. The preferred AWS service endpoint URL is automatically selected for the zone. However, after you create the service endpoint URL, you can no longer set or modify the URL.
AWS tenancy
AWS provides the following tenancy options: shared tenancy (the default type) and dedicated tenancy. Shared tenancy means that multiple Amazon EC2 instances from different customers might reside on the same piece of physical hardware. Dedicated tenancy means that your EC2 instances run only on hardware with other instances that you have deployed. Other customers do not use the same piece of hardware.
You can use MCS to provision AWS dedicated hosts by using PowerShell.
Configure AWS dedicated host tenancy using PowerShell
You can create a catalog of machines with host tenancy defined through PowerShell.
An Amazon [EC2] dedicated host is a physical server with [EC2] instance capacity that is fully dedicated, allowing you to use existing per-socket, or per-VM software licenses.
Dedicated hosts have preset utilization based on instance type. For example, a single allocated dedicated host of C4 Large instance types is limited to running 16 instances. See the AWS site for more information.
The requirements for provisioning to AWS hosts include:
- An imported BYOL (bring your own license) image (AMI). With dedicated hosts, use and manage your existing licenses.
- An allocation of dedicated hosts with sufficient utilization to satisfy provisioning requests.
- enable auto-placement.
To provision to a dedicated host in AWS using PowerShell, use the New-ProvScheme cmdlet with the parameter TenancyType set to Host.
Refer to the Citrix Developer Documentation for more information.
AWS instance property capturing
When you create a catalog to provision machines using Machine Creation Services (MCS) in AWS, you select an AMI to represent the master/golden image of that catalog. From that AMI, MCS uses a snapshot of the disk. In previous releases, if you wanted roles or tags on your machines you would use the AWS console to set them individually. This functionality is enabled by default.
Tip:
To use AWS instance property capturing, you must have a VM associated with the AMI.
To improve this process, MCS reads properties from the instance from which the AMI was taken and applies the Identity Access Management (IAM) role and tags of the machine to the machines provisioned for a given catalog. When using this optional feature, the catalog creation process finds the selected AMI source instance, reading a limited set of properties. These properties are then stored in an AWS Launch Template, which is used to provision machines for that catalog. Any machine in the catalog inherits the captured instance properties.
Captured properties include:
- IAM roles – applied to provisioned instances.
- Tags - applied to provisioned instances, their disk, and NICs. These tags are applied to transient Citrix resources, including: S3 bucket and objects, volume and worker resources, and AMIs, snapshots, and launch templates.
Tip:
The tagging of transient Citrix resources is optional and is configurable using the custom property
AwsOperationalResourcesTagging
.
Capturing the AWS instance property
You can use this feature by specifying a custom property, AwsCaptureInstanceProperties
, when creating a provisioning scheme for an AWS hosting connection:
New-ProvScheme -CustomProperties “AwsCaptureInstanceProperties,true” …<standard provscheme parameters
Refer to the Citrix Developer Documentation for more information.
Applying AWS instance properties and tagging operational resources
When creating a catalog to provision machines in AWS by using MCS, you can control whether to apply the IAM role and tag properties to those machines. You can also control whether to apply machine tags to operational resources.
AWS operational resource tagging
An Amazon Machine Image (AMI) represents a type of virtual appliance used to create a virtual machine within the Amazon Cloud environment, commonly referred to as EC2. You use an AMI to deploy services that use the EC2 environment. When you create a catalog to provision machines using MCS for AWS, you select the AMI to act as the golden image for that catalog.
Important:
Creating catalogs by capturing an instance property and a launch template is required for using operational resource tagging.
To create an AWS catalog, you must first create an AMI for the instance you want to be the golden image. MCS reads the tags from that instance and incorporates them into the launch template. The launch template tags are then applied to all Citrix resources created in your AWS environment, including:
- Virtual Machines
- VM disks
- VM network interfaces
- S3 buckets
- S3 objects
- Launch templates
- AMIs
Tagging an operational resource
To use PowerShell to tag resources:
- Open a PowerShell window from the DDC host.
- Run the command
asnp citrix
to load Citrix-specific PowerShell modules.
To tag a resource for a provisioned VM, use the new custom property AwsOperationalResourcesTagging
. The syntax for this property is:
New-ProvScheme -CustomProperties “AwsCaptureInstanceProperties,true; AwsOperationalResourcesTagging,true” …<standard provscheme parameters>
Identify resources
Following are the tags that MCS adds to the resources on AWS. The tags in the table are represented as “key”:”value”.
Resource name | Tag |
---|---|
ID disk | “Name”: “VMName_IdentityDisk” |
“XdConfig”: “XdProvisioned=true” | |
“CitrixProvisioningSchemeId”: “xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx” | |
Image | “XdConfig”: “XdProvisioned=true” |
“CitrixProvisioningSchemeId”: “xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx” | |
NIC | “Description”: “XD Nic” |
“XdConfig”: “XdProvisioned=true” | |
“CitrixProvisioningSchemeId”: “xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx” | |
OS disk | “Name”: “VMName_rootDisk” |
“XdConfig”: “XdProvisioned=True” | |
“CitrixProvisioningSchemeId”: “xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx” | |
[when AwsCaptureInstanceProperties = true] “Citrix Resource”: “” | |
[when AwsCaptureInstanceProperties = true and AwsOperationalResourcesTagging = true] “CitrixOperationalResource”: “” | |
PrepVM | “Name”: “Preparation - CatalogName - xxxxxxxxxx” |
“XdConfig”: “XdProvisioned=true” | |
“CitrixProvisioningSchemeId”: “xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx” | |
[when AwsCaptureInstanceProperties = true] “Citrix Resource”: “” | |
[when AwsCaptureInstanceProperties = true and AwsOperationalResourcesTagging = true] “CitrixOperationalResource”: “” | |
Published snapshot | “XdConfig”: “XdProvisioned=true” |
If not a snapshot for Volume Worker AMI, then “CitrixProvisioningSchemeId”: “xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx” | |
Template | [when AwsCaptureInstanceProperties = true] “XdConfig”: “XdProvisioned=true” |
[when AwsCaptureInstanceProperties = true] “CitrixProvisioningSchemeId”: “xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx” | |
[when AwsCaptureInstanceProperties = true] “CitrixResource”: “” | |
[when AwsCaptureInstanceProperties = true and AwsOperationalResourcesTagging = true] “CitrixOperationalResource”: “” | |
VM in catalog | “XdConfig”: “XdProvisioned=true” |
“CitrixProvisioningSchemeId”: “xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx” | |
[when AwsCaptureInstanceProperties = true] “CitrixResource”: “” | |
[when AwsCaptureInstanceProperties = true] “aws:ec2launchtemplate:id”:“lt-xxxx” | |
[when AwsCaptureInstanceProperties = true] “aws:ec2launchtemplate:version”: “n” | |
[when AwsCaptureInstanceProperties = true and AwsOperationalResourcesTagging = true] “CitrixOperationalResource”: “” | |
Volume worker AMI | “XdConfig”: “XdProvisioned=true” |
Volume worker bootstraper | “Name”: “XenDesktop Temp” |
“XdConfig”: “XdProvisioned=true” | |
“CitrixProvisioningSchemeId”: “xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx” | |
[when AwsCaptureInstanceProperties = true and AwsOperationalResourcesTagging = true] “CitrixVolumeWorkerBootstrapper”: “” | |
Volume worker instance | “Name”: “Citrix.XD.Volumeworker-xxxx-xx-xx-xx-xxxx” |
“XdConfig”: “XdProvisioned=true” |
Defining IAM permissions
Use the information in this section to define IAM permissions for Citrix DaaS on AWS. Amazon’s IAM service permits accounts having multiple users, which can be further organized into groups. These users can possess different permissions to control their ability to perform operations associated with the account. For more information about IAM permissions, see IAM JSON policy reference.
To apply IAM permissions policy to a new group of users:
- Log into the AWS management console and select the IAM service from the drop-down list.
- Select Create a New Group of Users.
- Type a name for the new user group and select Continue.
- On the Permissions page, choose Custom Policy. Select Select.
- Type a name for the Permissions policy.
- In the Policy Document section, enter relevant permissions.
After entering the policy information, selectContinue to complete the group of users. Users in the group are granted permissions to perform only those actions that are required for Citrix DaaS.
Important:
Use the policy text provided in the example above to list the actions that a Citrix DaaS uses to perform actions within an AWS account without restricting those actions to specific resources. Citrix recommends that you use the example for testing purposes. For production environments, you might choose to add further restrictions on resources.
Adding IAM permissions
Set the permissions in the IAM section of the AWS Management Console:
- In the Summary panel, select the Permissions tab.
- Select Add permissions.
In the Add Permissions to screen, grant permissions:
Use the following as an example in the JSON tab:
Tip:
The noted JSON example might not include all the permissions for your environment. See How to Define Identity Access Management Permissions Running Citrix Virtual Apps and Desktops on AWS for more information.
About AWS permissions
This section contains the complete list of AWS permissions.
Note:
The iam:PassRole permission is needed only for role_based_auth.
Creating a host connection
A new host connection is added using the information obtained from AWS.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:DescribeAvailabilityZones",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeInstanceTypes",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs"
"ec2:DescribeRegions",
"ec2:DescribeSnapshots",
"ec2:DescribeLaunchTemplates"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
<!--NeedCopy-->
Power management of VMs
Machine instances are powered on or off.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:AttachVolume",
"ec2:CreateVolume",
"ec2:DeleteVolume",
"ec2:DescribeInstances",
"ec2:DescribeVolumes",
"ec2:DetachVolume",
"ec2:StartInstances",
"ec2:StopInstances"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
<!--NeedCopy-->
Creating, updating, or deleting VMs
A machine catalog is created, updated, or deleted with VMs provisioned as AWS instances.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:AttachVolume",
"ec2:AssociateIamInstanceProfile",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateImage",
"ec2:CreateLaunchTemplate",
"ec2:CreateSecurityGroup",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DeleteVolume",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAvailabilityZones",
“ec2:DescribeIamInstanceProfileAssociations”,
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeInstanceTypes",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeRegions",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshots",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVpcs",
"ec2:DetachVolume",
"ec2:DisassociateIamInstanceProfile",
"ec2:RunInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:PutBucketAcl",
"s3:PutBucketTagging",
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:PutObjectTagging"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::citrix*"
},
{
"Action": [
"ebs:StartSnapshot",
"ebs:GetSnapshotBlock",
"ebs:PutSnapshotBlock",
"ebs:CompleteSnapshot",
"ebs:ListSnapshotBlocks",
"ebs:ListChangedBlocks",
"ec2:CreateSnapshot"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
<!--NeedCopy-->
Note:
The EC2 section related to SecurityGroups is only needed if an Isolation Security Group must be created for the Preparation VM during catalog creation. Once this is done, these permissions are not required.
Direct disk upload and download
Direct disk upload eliminates the volume worker requirement for machine catalog provisioning, and instead uses public APIs provided by AWS. This functionality reduces the cost associated with extra storage accounts and the complexity for maintaining volume worker operations.
Following permissions must be added to the policy:
ebs:StartSnapshot
ebs:GetSnapshotBlock
ebs:PutSnapshotBlock
ebs:CompleteSnapshot
ebs:ListSnapshotBlocks
ebs:ListChangedBlocks
ec2:CreateSnapshot
ec2:DeleteSnapshot
ec2:DescribeLaunchTemplates
Important:
- You can add a new VM to existing machine catalogs without any volume worker operation such as volume worker AMI, and volume worker VM.
- If you delete an existing catalog that used volume worker before, all artifacts including volume worker related are deleted.
EBS encryption of created volumes
EBS can auto-encrypt newly created volumes if the AMI is encrypted, or EBS is configured to encrypt all new volumes. However, to implement the functionality, the following permissions must be included in the IAM policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:GenerateDataKeyWithoutPlainText",
"kms:ReEncryptTo",
"kms:ReEncryptFrom"
],
"Resource": "*"
}
]
}
<!--NeedCopy-->
Note:
The permissions can be limited to specific keys by including a Resource and Condition block at the discretion of the user. For example, KMS Permissions with Condition:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:GenerateDataKeyWithoutPlainText",
"kms:ReEncryptTo",
"kms:ReEncryptFrom"
],
"Resource": [
"arn:aws:kms:us-east-2:123456789012:key/abcd1234-a123-456d-a12b-a123b4cd56ef"
],
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": true
}
}
}
]
}
<!--NeedCopy-->
The following key policy statement is the entire default key policy for KMS keys that is required to allow the account to use IAM policies to delegate permission for all actions (kms:*) on the KMS key.
{
"Sid": "Enable IAM policies",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": "kms:",
"Resource": ""
}
<!--NeedCopy-->
For more information, see AWS Key Management Service official documentation.
IAM role-based authentication
The following permissions are added to support role-based authentication.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::*:role/*"
}
]
}
<!--NeedCopy-->
Minimal IAM permissions policy
The following JSON can be used for all currently supported features. You can create host connections, create, update, or delete VMs, and do power management using this policy. The policy can be applied to the users as explained in Defining IAM permissions sections or you can also use role-based authentication using role_based_auth security key and secret key.
Important:
To use role_based_auth, first configure the desired IAM role on all Delivery Controllers in our site. Using Web Studio, add the hosting connection and supply the role_based_auth for the authentication key and secret. A hosting connection with these settings then uses role-based authentication.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:AttachVolume",
"ec2:AssociateIamInstanceProfile",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateImage",
"ec2:CreateLaunchTemplate",
"ec2:CreateNetworkInterface",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DeleteLaunchTemplate",
"ec2:DeleteNetworkInterface",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSnapshot",
"ec2:DeleteTags",
"ec2:DeleteVolume",
"ec2:DeregisterImage",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeInstanceTypes",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeRegions",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshots",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVpcs",
"ec2:DetachVolume",
"ec2:DisassociateIamInstanceProfile",
"ec2:RebootInstances",
"ec2:RunInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:GetObject",
"s3:PutBucketAcl",
"s3:PutObject",
"s3:PutBucketTagging",
"s3:PutObjectTagging"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::citrix*"
},
{
"Action": [
"ebs:StartSnapshot",
"ebs:GetSnapshotBlock",
"ebs:PutSnapshotBlock",
"ebs:CompleteSnapshot",
"ebs:ListSnapshotBlocks",
"ebs:ListChangedBlocks",
"ec2:CreateSnapshot"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:GenerateDataKeyWithoutPlainText",
"kms:ReEncryptTo",
"kms:ReEncryptFrom"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::*:role/*"
}
]
}
<!--NeedCopy-->
Note:
- The EC2 section related to SecurityGroups is only needed if an Isolation Security Group must be created for the Preparation VM during catalog creation. Once this is done, these permissions are not required.
- The KMS section is only required when using EBS volume encryption.
- The iam:PassRole permission section is needed only for role_based_auth.
- Specific resource-level permissions can be added instead of full access based on your requirements and environment. Refer to AWS documents Demystifying EC2 Resource-Level Permissions and Access management for AWS resources for more details.
More information
In this article
- Limitation
- Task overview
- Task 1: Set up the VPC
- Task 2: Configure security groups
- Task 3: Launch instances
- Task 4: Create a DHCP options set
- Task 5: Configure the instances
- Create a connection
- Service endpoint URL
- AWS tenancy
- AWS instance property capturing
- Applying AWS instance properties and tagging operational resources
- AWS operational resource tagging
- Defining IAM permissions
- Adding IAM permissions
- About AWS permissions
- More information