Prerequisites - AWS License Manager

Prerequisites

The following prerequisites must be implemented in your environment before you can create user-based subscriptions.

  • You must allow License Manager to create a service-linked role in order to onboard your AWS account for user-based subscriptions. A prompt will appear once in the User-based subscriptions section of the License Manager console in which you can agree to give License Manager permission to create the required service-linked role. After you grant permission to License Manager, you can choose Create to create the service-linked role. For more information, see Using service-linked roles for AWS License Manager.

  • You must have an AWS Managed Microsoft AD directory created. AWS Managed Microsoft AD directories that have been shared aren't supported. For more information on creating an AWS Managed Microsoft AD directory, see AWS Managed Microsoft AD prerequisites and Create your AWS Managed Microsoft AD directory in the AWS Directory Service User Guide.

  • You must associate users with your AWS Managed Microsoft AD directory, or with a self-managed Active Directory, to utilize the user-based subscriptions.

  • Outbound internet access from the instances providing user-based subscriptions, or VPC endpoints, must be configured for your instances to communicate with AWS Systems Manager. For more information, see Setting up Systems Manager for EC2 instances in the AWS Systems Manager User Guide.

  • License Manager creates two network interfaces which use the default security group of the VPC where your AWS Managed Microsoft AD is provisioned. These interfaces are used for required service functionality with your directory. Ensure that your default security group allows outbound traffic to each domain controller's network interface IPv4 address, or the security group used by the domain controllers. For more information, see Step 1: Configure your AWS Directory Service for Microsoft Active Directory and virtual private cloud (VPC) and What gets created in the AWS Directory Service Administration Guide.

    Once the provisioning process is complete, you can associate a different security group to the interfaces created by License Manager. The security group you select must also allow the required traffic to each domain controller's network interface IPv4 address or security group. For more information, see Work with security groups in the Amazon Virtual Private Cloud User Guide.

  • You must configure DNS forwarding for any additional VPCs to the AWS Managed Microsoft AD that you register for user-based subscriptions. You can use Amazon Route 53 or another DNS service for DNS forwarding. For more information, see the blog post Integrating your Directory Service’s DNS resolution with Amazon Route 53 Resolvers.

  • If you subscribe to Microsoft Office with user-based subscriptions, you must:

    • Enable DNS hostnames and DNS resolution for your VPC. For more information, see View and update DNS attributes for your VPC.

    • Ensure that the instances launched to provide user-based subscriptions with Microsoft Office have a route to the subnet where the VPC endpoints are provisioned.

    • Identify or create a security group for your VPC endpoints that permits inbound TCP port 1688 connectivity. This security group will be specified when you configure your virtual private cloud settings. For more information, see Work with security groups. License Manager will associate this security group to the VPC endpoints it creates on your behalf while configuring the VPC. For more information about VPC endpoints, see Access an AWS service using an interface VPC endpoint in the AWS PrivateLink Guide.

    • Identify or create a security group for the instances launched to provide user-based subscriptions that permits inbound TCP port 3389 connectivity from your approved connection sources. The security group should also permit outbound TCP port 1688 connectivity to reach the VPC endpoints. For more information, see Work with security groups.

      If you are getting ready to use user-based subscriptions for the first time, complete the prerequisites listed and see Getting started with user-based subscriptions. If you are already set up for user-based subscriptions, and would like to add these products to your AWS Managed Microsoft AD and configure your VPC for Microsoft Office products, complete the prerequisites listed, and see Modifying directory settings for user-based subscriptions.
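As an added example (not part of the AWS documentation), the following Python checks that the two security groups described in the Microsoft Office prerequisites above carry the required rules: the VPC endpoint group must accept inbound TCP 1688, and the instance group must accept inbound TCP 3389 only from approved sources and allow outbound TCP 1688. It assumes rules in the shape returned by EC2 DescribeSecurityGroups (IpPermissions / IpPermissionsEgress); the group IDs and CIDRs are constructed placeholders.

```python
# Added example, not from the AWS documentation. Validates security group rules
# against the Microsoft Office user-based subscription prerequisites. Rules use
# the DescribeSecurityGroups shape; the sample groups below are constructed.

def _allows(rule, port):
    """True if one rule entry covers TCP `port` (an all-traffic rule counts)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def _sources(rule):
    """CIDR and security-group sources of a rule entry."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [g["GroupId"] for g in rule.get("UserIdGroupPairs", [])])

def check_endpoint_sg(sg):
    """VPC endpoint group must accept inbound TCP 1688. Returns findings."""
    if not any(_allows(r, 1688) for r in sg.get("IpPermissions", [])):
        return ["endpoint SG lacks inbound TCP 1688"]
    return []

def check_instance_sg(sg, approved_sources):
    """Instance group: inbound 3389 only from approved sources, outbound 1688."""
    findings = []
    rdp_rules = [r for r in sg.get("IpPermissions", []) if _allows(r, 3389)]
    if not rdp_rules:
        findings.append("instance SG lacks inbound TCP 3389")
    for r in rdp_rules:
        for src in _sources(r):
            if src not in approved_sources:
                findings.append(f"inbound 3389 open to unapproved source {src}")
    if not any(_allows(r, 1688) for r in sg.get("IpPermissionsEgress", [])):
        findings.append("instance SG lacks outbound TCP 1688 to the VPC endpoints")
    return findings

# Constructed sample groups (placeholder IDs and CIDRs, not real resources).
ENDPOINT_SG = {"GroupId": "sg-endpoint-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 1688, "ToPort": 1688,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}
INSTANCE_SG = {"GroupId": "sg-instance-example",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

if __name__ == "__main__":
    print(check_endpoint_sg(ENDPOINT_SG))                       # []
    print(check_instance_sg(INSTANCE_SG, {"203.0.113.0/24"}))  # RDP open to 0.0.0.0/0
```

An empty findings list means the group meets the prerequisites; the sample instance group is flagged because it exposes 3389 to 0.0.0.0/0 rather than to an approved source.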

  • You must have an instance profile role attached to instances providing the user-based subscription products that allows for the resource to be managed by AWS Systems Manager. For more information, see Create an IAM instance profile for Systems Manager in the AWS Systems Manager User Guide.

    Warning

    Instances that provide user-based subscriptions must be managed by AWS Systems Manager in order to have a healthy status. Additionally, your instances must be able to activate their user-based subscription licensing and remain in compliance after license activation. License Manager will attempt to recover unhealthy instances, but instances that cannot be returned to a healthy status will be terminated. For troubleshooting information on keeping your instances managed by Systems Manager, and on instance compliance, see the Troubleshooting user-based subscriptions section of this guide.

  • To create user-based subscriptions, your user or role must have the following permissions:

    • ec2:CreateNetworkInterface

    • ec2:DeleteNetworkInterface

    • ec2:DescribeNetworkInterfaces

    • ec2:CreateNetworkInterfacePermission

    • ec2:DescribeSubnets

    • ds:DescribeDirectories

    • ds:AuthorizeApplication

    • ds:UnauthorizeApplication

    • ds:GetAuthorizedApplicationDetails

    • ds:DescribeDomainControllers

  • To create user-based subscriptions for Microsoft Office products, your user or role must also have these additional permissions:

    • ec2:CreateVpcEndpoint

    • ec2:DeleteVpcEndpoints

    • ec2:DescribeVpcEndpoints

    • ec2:ModifyVpcEndpoint

    • ec2:DescribeSecurityGroups