---
myst:
html_meta:
"description lang=en": "Kasm Workspaces auto-scaling Windows in AWS."
"keywords": "Kasm, Compute, Server, Configuration, RDP, Windows, Microsoft, AWS"
"property=og:locale": "en_US"
---
```{title} AWS
```
#### AWS
```{important}
The following instructions utilize the AWS CLI as a convenience, you can use the AWS Web Console to obtain the required information.
```
The next step in the AutoScale Configuration is the VM Provider Details page.
1. Select **AWS** from the Provider Drop Down.
2. Provide a name for your configuration.
3. Enter the **AWS Access Key ID** and the **AWS Secret Access Key**, follow this guide to create a AWS IAM user and credentials. Alternatively, if the value `{IAM}` is used for **AWS Access Key ID**, the system will utilize an instance attached IAM role to authenticate to the AWS API. The service will query the local metadata service on the host of the Webapp role to authenticate.
4. Enter the **AWS Region**. For a list of available regions, use the following AWS CLI command, use the value `RegionName` field
```bash
aws account list-regions
```
5. Enter the **EC2 AMI Id**. You can find the latest AMI Id for an Image by going to the AWS Web Console and creating a new EC2 Instance. After you select an image, the AMI ID will be shown the web console. There is no need to actually create the EC2 instance. Alternatively, you can use the AWS CLI, the following is an example that lists AMIs filtering by name and sorting so that the lastest version is on the top of the list.
```bash
aws ec2 describe-images --filter "Name=name,Values=Windows_Server-2022-English-Full-Base*" --query "sort_by(Images, &CreationDate)" | jq -r '.[] | [.Name, .ImageId] | @tsv'
Windows_Server-2022-English-Full-Base-2023.01.11 ami-085d15593174f2582
Windows_Server-2022-English-Full-Base-2023.01.19 ami-03cf1a25c0360a382
Windows_Server-2022-English-Full-Base-2023.02.15 ami-0c2b0d3fb02824d92
Windows_Server-2022-English-Full-Base-2023.03.15 ami-0e38fa17744b2f6a5
Windows_Server-2022-English-Full-Base-2023.04.12 ami-0bde1eb2c18cb2abe
```
**Example:** ami-085d15593174f2582
6. Enter the desired **EC2 Instance Type**, check the [AWS Instance Types](https://aws.amazon.com/ec2/instance-types/) page for a full list. Use the `Instance Size` referenced in AWS's documentation. Not all instance types are available in all regions. A Windows server will likely require a non-bursting instance type with at least 4GB of RAM, see the minimum system requirements for the version of Windows you are using.
**Example:** c5.xlarge
7. Enter the maximum number of instances. Kasm will not provision more VMs once this maximum number is reached.
**Example:** 5
8. Enter a list of **EC2 Security Group IDs** in JSON format. The security groups listed will be applied to the VM. From the AWS Web Console, you can navigate to EC2->Security Groups, use the `Security group ID` column from the table. The following AWS CLI command can be used to display a list of security groups.
```bash
aws ec2 describe-security-groups --query "SecurityGroups[*].[GroupName,GroupId,Description]" --output text
```
**Example:** ```[ "sg-fdfd9a504533e9df9" ]```
9. Enter the target **EC2 Subnet ID**. From the AWS Web Console, you can navigate to VPC->Subnets, use the `Subnet ID` column's value for the target subnet. The following AWS CLI command can be used to display a list of subnets.
```bash
aws ec2 describe-subnets --query "Subnets[*].[SubnetId,VpcId,CidrBlock,AvailabilityZone]" --output text
```
**Example:** subnet-24582b68
10. Enter an **EBS Volume Size** in Gigabytes, it must the same size or larger than the source AMI.
**Example:** 128
11. Enter an **EBS Volume Type**. The following values are supported.
- gp2 (recommended)
- st1
- standard
**Example:** gp2
12. Enter an **EC2 IAM** role to be applied to your VM. Enter a space to bypass this requirement. An IAM Role allows the EC2 instance to access AWS resources. [This example](https://www.wellarchitectedlabs.com/cost/200_labs/200_aws_resource_optimization/2_create_iamrole/) uses an IAM role to allow the EC2 instance to send logs to CloudWatch.
**Example:** MyCustomRoleName
13. Enter any additional **EC2 Custom Tags** to add to the instance.
**Example:** ```{ "department": "engineering" }```
14. Enter an EC2 Startup Script. For Windows it is a PowerShell script that is wrapped in XML. The following example is maintained on this [open-source project](https://github.com/kasmtech/workspaces-autoscale-startup-scripts/blob/develop/latest/windows_vms/aws_local_account.txt).
This example creates a local user account with the **Connection Username** and **Connection Password** specified on the previous page. This is only relevant if you are using static credentials and will not work [Active Directory](../authentication.md) integration.
```powershell
$pass = ConvertTo-SecureString -String "{connection_password}" -AsPlainText -Force
New-LocalUser -Name {connection_username} -Description 'Programatically generated Kasm user account' -Password $pass -PasswordNeverExpires -AccountNeverExpires | Add-LocalGroupMember -Group administrators | Add-LocalGroupMember -Group "Remote Desktop Users"
Start-Service -Name "Audiosrv"
```
This example installs the [Kasm Desktop Service](../windows_service.md) and registers it with the deployment. With this service installed, Kasm can [manage local Windows user accounts](../authentication.md#single-sign-on-with-dynamic-local-accounts) automatically.
```powershell
New-EventLog -LogName Application -Source kasm_startup_script
Write-EventLog -LogName "Application" -Source "kasm_startup_script" -EventID 1000 -EntryType Information -Message "Downloading Windows Service"
# Download and install the Kasm Service
Invoke-Webrequest -URI https://kasm-static-content.s3.amazonaws.com/kasm_windows_service_installer_x86_64_1.1.2b3f26b.exe -OutFile C:\Users\Public\Downloads\kasm_service_installer.exe
Write-EventLog -LogName "Application" -Source "kasm_startup_script" -EventID 1000 -EntryType Information -Message "Installing Windows Service"
C:\Users\Public\Downloads\kasm_service_installer.exe /S
for ($i = 1; $i -le 20; $i++) {{
Start-Sleep -s 3
$service = Get-Service -Name W32Time -ErrorAction SilentlyContinue
if ($service.Length -gt 0 -And (Test-Path -Path "C:\Users\Public\Downloads\kasm_service_installer.exe" -PathType Leaf)) {{
# Register the Kasm Service with the deployment
Write-EventLog -LogName "Application" -Source "kasm_startup_script" -EventID 1000 -EntryType Information -Message "Registering the Desktop Service with the Kasm deployment at {upstream_auth_address}"
net stop kasm
cd "C:\Program Files\Kasm"
.\agent.exe --register-host {upstream_auth_address} --register-port 443 --server-id {server_id} --register-token {registration_token}
if ($?) {{
net start kasm
Start-Service -Name "Audiosrv"
Write-EventLog -LogName "Application" -Source "kasm_startup_script" -EventID 1000 -EntryType Information -Message "Successfully installed and registered agent"
Exit 0
}} else {{
Write-EventLog -LogName "Application" -Source "kasm_startup_script" -EventID 1000 -EntryType Error -Message "Registration of Agent failed: Check log output of kasm_service in EventViewer"
Exit 1
}}
}} else {{
Write-EventLog -LogName "Application" -Source "kasm_startup_script" -EventID 1000 -EntryType Information -Message "Service not found, trying again..."
}}
}}
Write-EventLog -LogName "Application" -Source "kasm_startup_script" -EventID 1000 -EntryType Error -Message "Timed out waiting for Kasm Desktop Service to be registered."
Exit 1
```
15. The **Retrieve Windows VM Password from AWS** option allows Kasm to retrieve the random password generated by AWS for the administrator account. If this checkbox is checked and the **Connection Password** field on the previous page is left empty, Kasm will use the SSH key (covered next) to retrieve and decrypt the password. The password will then be used by users connecting to the server. You do not need to check this box if using the example script in step 14 or if you are using SSO with Active Directory integration.
16. Click the Upload New Key Pair button, paste in an RSA PEM formatted private SSH Key and optionally provide a passphrase for the key.
17. Click Finish
It can take a minute or two for the first server to show up in the Servers list for the Pool and a few minutes for the server to become accessible. You can see all servers by going to Compute->Servers in the Kasm Admin Dashboard. You can see only the Servers in the Pool you created for AWS by going to Compute->Pools and selected Edit on the desired Pool.
Next [create a Workspace](../auto_scaled_servers.md#workspace) to allow access to the Servers in this Pool.
AWS IAM User
Kasm uses programmatic access keys to manage resources. These programmatic access keys are associated with an IAM user. Follow this process to create a user with minimal permissions and no access to the AWS Web Console.
1. Create an AWS IAM User for Kasm.
- In the AWS Web Console, navigate to IAM->Users.
- Click Add User.
- Provide a User name. **Example:** kasm-auto-scaling
- On the permissions options page, click Attach Policies Directly
- Search for AmazonEC2FullAccess, check the box next to it and Click Next
- On the final page click Create User
2. Create AWS Access Keys for the Kasm User in AWS.
- In the AWS Web Console, navigate to IAM->Users.
- Find the user created in step 3 and click the username to edit.
- Click the Security Credentials Tab.
- Scroll down to Access Keys and click Create Access Keys.
- On the next screen select Third Party Service
- Check the box indicating you understand the recommendation and click Next.
- Optionally add tags on the next step and then click Create access key.
- On the final screen you will be shown the Access Key and Secret access key. This will be the only opportunity you will have to get the secret access key. Save both of them in a secure place.