Amazon AppStream
Developer Guide

This documentation is for an older version of Amazon AppStream. For information about the latest version, see the Amazon AppStream 2.0 Developer Guide.

Building an Amazon AppStream Streaming Application

An application to stream is the heart of your product. In order to be streamed, your application needs to make initialization calls to let Amazon AppStream know that it's ready to accept client sessions, and to have the proper interfaces implemented that Amazon AppStream can call into to connect to client sessions and stream content. You do this using the header and library files provided in the Amazon AppStream SDK. The following sections describe the modifications necessary for streaming and how to add this functionality to an application.

Throughout the discussion, we'll reference code excerpts from a sample application provided in the <SDK_dir>\examples_src directory of the Amazon AppStream SDK. You can download the SDK from the links in Downloads.

Security considerations

Using IAM to Control Access to Amazon AppStream Resources

Amazon AppStream integrates with AWS Identity and Access Management (IAM), which allows you to control access to Amazon AppStream.

For general information about IAM, go to:

You can give IAM users of your AWS account access to all Amazon AppStream operations or to a subset of them. The following is the list of Amazon AppStream operations that can be made available to IAM users.

appstream:GetApiRoot appstream:GetApplications appstream:GetApplication appstream:GetApplicationStatus appstream:GetApplicationErrors appstream:GetApplicationError appstream:CreateApplication appstream:UpdateApplication appstream:DeleteApplication appstream:UpdateApplicationState appstream:GetSessions appstream:GetSession appstream:GetSessionStatus appstream:CreateSession appstream:UpdateSessionState

Example IAM User Policies for Amazon AppStream

By default, IAM users have no access to Amazon AppStream or to the resources that it uses. If you want IAM users to be able to work with Amazon AppStream, for example, in the AWS Management Console, you must grant them permissions.

This section shows simple policies for controlling access to Amazon AppStream. To use these policies, you create an IAM user and attach one of these policies to the user or to the IAM group that the user belongs to.

Giving users access to DynamoDB and a specific set of AppStream API calls

The following policy lets users access DynamoDB.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1394569913000", "Effect": "Allow", "Action": [ "dynamodb:*" ], "Resource": [ "*" ] }, { "Sid": "Stmt1394569933000", "Effect": "Allow", "Action": [ "appstream:CreateSession", "appstream:GetApiRoot", "appstream:GetApplication", "appstream:GetApplications", "appstream:GetApplicationStatus", "appstream:GetSession", "appstream:GetSessions", "appstream:GetSessionStatus", "appstream:UpdateSessionState" ], "Resource": [ "*" ] } ] }
Giving IAM users broad access to Amazon AppStream

The following policy lets users perform any Amazon AppStream action.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "appstream:*" ], "Resource": ["*"] } ] }
Giving users permission to modify applications and sessions

The following policy grants users the permission to create, update, and delete applications and sessions.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "appstream:Create*", "appstream:Update*", "appstream:Delete*" ], "Resource": ["*"] } ] }
Giving users permission to modify applications

The following policy grants users the permission to deploy applications on Amazon AppStream and to update or delete those applications.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "appstream:CreateApplication", "appstream:UpdateApplication*", "appstream:DeleteApplication" ], "Resource": ["*"] } ] }
Giving users read-only access to Amazon AppStream

The following policy grants users read-only access to Amazon AppStream.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "appstream:Get*" ], "Resource": ["*"] } ] }

Security Best Practices

AWS has several features to help you keep your assets secure.


Versioning offers an additional level of protection by providing a means of recovery when customers accidentally overwrite or delete objects. This allows you to easily recover from unintended user actions and application failures. You can also use versioning for data retention and archiving. For more information, see Amazon Simple Storage Service FAQs and the Amazon Simple Storage Service Developer Guide.

Multi-Factor Authentication

AWS multi-factor authentication (MFA) is an additional layer of security that offers enhanced control over your AWS account settings and the management of the AWS resources to which the account has subscribed. When you enable this opt-in feature, you need to provide a six-digit single-use code in addition to your user name and password before access is granted. You get this single use code from an authentication device or a special application on a mobile phone that you keep in your physical possession.

This feature is called multi-factor authentication because two factors are checked before access is granted to your account: you need to provide both your AWS email ID and password (the first factor: something you know) and the particular code from your authentication device (the second factor: something you have). You can enable multi-factor authentication for your AWS account as well as for the users you have created under your AWS account using IAM.

It's easy to obtain an authentication device from a participating third-party provider. You can also download and install appropriate software on your mobile phone, then set it up for use via the AWS website. For more information, see AWS Multi-Factor Authentication.

Key Rotation

You should keep your AWS passwords and access keys safe for the same reasons it is important to change your password frequently. AWS recommends that you rotate your access keys and certificates on a regular basis. To let you do this without potential impact to the availability of your applications, AWS supports multiple concurrent access keys and certificates. With this feature, you can regularly rotate keys and certificates into and out of operation without any downtime to your application. This can help to mitigate risk from lost or compromised access keys or certificates. You can use the IAM APIs to rotate the access keys of your AWS account as well as for users created under your AWS account. For more information, see AWS Security Credentials.

Use A Strong Password For Remote Management

Use a strong password with remote management services such as SSH and VNC to restrict access to your instances. If you do not configure a strong password with these remote management services, malicious users could access your instances.

Restrict Access to Your Streaming Application

Restrict your security groups to allow connections only from ports required to support the necessary services. The following are suggested ports to allow incoming connections:

  • SSH—port 22

  • STX—port 80

  • STX TCP—port 5900

  • STX UDP—ports 9070-9080

For additional protection, restrict access to incoming traffic to a group of IP addresses.

On this page: