Amazon AppStream 2.0
- A fully managed, secure application streaming service that lets you stream desktop applications from AWS to any device running a web browser, without rewriting them.
- You can add your existing desktop applications to AWS and start streaming them to an HTML5-compatible browser.
- Key Concepts
■Set up an AppStream 2.0 stack to start streaming apps to user browsers.
■An AppStream 2.0 stack consists of a fleet of streaming instances, user access policies, and storage configurations.
■The fleet in an AppStream 2.0 stack consists of streaming instances that can scale automatically based on demand.
■An AppStream 2.0 image contains applications to be streamed to users accessing an AppStream 2.0 stack.
■Install your apps and create an image by using an AppStream 2.0 image builder.
Getting Started with Amazon AppStream 2.0
- To stream your applications, Amazon AppStream 2.0 requires an environment consisting of a stack and at least one application image.
- Before you can stream your applications, you need to create a stack.
- You can create a new stack from the sample stack template to simplify the setup.
- After you create a stack, each user needs an active streaming URL to access it.
Using an AppStream 2.0 Image Builder
- Before you can stream your applications, Amazon AppStream 2.0 requires at least one image that you create using an image builder.
- Then connect to the image builder that you created and launched, and install the applications to be included in the image.
- You can then add applications (.exe), batch scripts (.bat), and application shortcuts (.lnk) to the image.
Persistent Storage with AppStream 2.0 Home Folders
- AppStream 2.0 offers persistent storage support for your end users with Home Folders.
- When this option is enabled for an AppStream 2.0 stack, end users of the stack are presented with a persistent storage folder in their AppStream 2.0 sessions.
- Data stored by the user in this folder is automatically backed up to an Amazon S3 bucket in your AWS account and is made available in subsequent sessions for that user.
Network Settings for Fleet and Image Builder Instances
- When creating an AppStream 2.0 fleet or image builder, you can provide Amazon VPC subnets.
- AppStream 2.0 creates elastic network interfaces (ENIs) in the subnets you provide.
- This gives AppStream 2.0 instances access to your network resources, or to the public Internet through your VPC.
- Security groups that belong to your VPC allow you to control the network traffic between AppStream 2.0 streaming instances and VPC resources.
Enabling Single Sign-on Access to AppStream 2.0 Using SAML 2.0
- Amazon AppStream 2.0 supports identity federation to AppStream 2.0 stacks through Security Assertion Markup Language 2.0 (SAML 2.0).
- This feature offers your users the convenience of one-click access to their AppStream 2.0 applications using their existing identity credentials.
- You also get the security benefit of authentication by your identity provider, and you can control which users have access to a particular AppStream 2.0 stack using your existing identity provider.
Example Authentication Workflow
Controlling Access to Amazon AppStream 2.0
- By default, IAM users don't have permission to create or modify AppStream 2.0 resources, use Fleet Auto Scaling, or perform tasks using the AppStream 2.0 API.
- To allow IAM users to create or modify resources and perform tasks, you must create IAM policies that grant permissions on specific resources and API actions, and then attach those policies to the IAM users or groups that require those permissions.
- While creating AppStream 2.0 resources, AppStream 2.0 makes API calls to other AWS services on behalf of the user.
- This is accomplished by the service assuming specific IAM roles in the user's account.
- These IAM roles are created by the service when the user first gets started with the service in an AWS Region.
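As an added illustration (not from the original notes), the following IAM policy grants an operator read-only inventory of AppStream 2.0 resources plus the ability to manage, and create streaming URLs for, one named fleet and stack, instead of a wildcard `appstream:*` grant. The Region, account ID and the names `example-fleet` and `example-stack` are placeholders; the Describe calls are scoped to `*` because they are list operations rather than per-resource actions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyInventory",
      "Effect": "Allow",
      "Action": [
        "appstream:DescribeStacks",
        "appstream:DescribeFleets",
        "appstream:DescribeImages"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ManageOneFleetAndStack",
      "Effect": "Allow",
      "Action": [
        "appstream:UpdateFleet",
        "appstream:StartFleet",
        "appstream:StopFleet",
        "appstream:AssociateFleet",
        "appstream:CreateStreamingURL"
      ],
      "Resource": [
        "arn:aws:appstream:REGION:ACCOUNT_ID:fleet/example-fleet",
        "arn:aws:appstream:REGION:ACCOUNT_ID:stack/example-stack"
      ]
    }
  ]
}
```

Attach the policy to the IAM group of users who operate that stack; any attempt to start, stop or create a streaming URL for a different fleet is denied by the implicit deny.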
Amazon WorkSpaces Application Manager
- Amazon WAM offers a fast, flexible, and secure way for you to deploy and manage applications for Amazon WorkSpaces.
- It accelerates software deployment, updates, patching, and retirement by packaging Microsoft Windows desktop applications into virtual containers that run as though they are installed natively.
- You can deploy subscriptions to your Amazon WorkSpaces users from the AWS Marketplace, your line-of-business applications, or applications where you already own the licenses.
Process to Deploy Applications
Process to Assign an Application to User
Managing Your Amazon WAM Applications
- You can use Amazon WorkSpaces Application Manager (Amazon WAM) to deploy applications to the WorkSpaces that you created for your users.
- First, you add applications to your application catalog.
- Then you assign applications to the users.
- After you assign applications to users, they can connect to their WorkSpaces and install and use the applications.
Packaging and Validating Your Applications
- To create your own Amazon WAM applications, you must create the application package and then validate that the package installs and works correctly.
- This is accomplished using two special EC2 instances.
- You should launch an entirely new packaging instance for each application package that is created.
Controlling Access to Amazon WAM Resources
- Amazon WAM must have permission to perform certain actions on your behalf.
- You can grant this access using IAM roles.
- By default, IAM users don’t have permission to access Amazon WAM resources.
- To allow an IAM user to perform actions on Amazon WAM resources, you must create a policy that grants the user permission to access Amazon WAM.
- An IAM role is also required to allow the Amazon WAM packaging instance to access your application package catalog.