Use License Manager user-based subscriptions for supported software products
With user-based subscriptions in AWS License Manager, you can purchase fully-compliant licensed software subscriptions. Licenses are provided by Amazon and have a per-user subscription fee. Amazon EC2 provides pre-configured Amazon Machine Images (AMIs) with the supported software, along with license-included Windows Server licenses. These licenses can be used without long-term licensing commitments.
To use user-based subscriptions, you associate users from AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD), or from your self-managed (on-premises) domain, with EC2 instances providing the software. To make your licensed software available, you must create user-based subscriptions and associate them with instances launched from pre-configured AMIs. AWS Systems Manager will configure and harden the license-included instances you launch. Users must connect with Remote Desktop software to access the instances providing the software.
Each associated user and vCPU for the license-included instances incur charges. Amazon EC2 Reserved Instances and Savings Plan pricing models can help optimize your Amazon EC2 costs. For more information, see Reserved Instances in the Amazon Elastic Compute Cloud User Guide. User-based subscriptions are billed from the first half of the month to the end of the month.
Topics
- Considerations for using user-based subscriptions in License Manager
- Prerequisites to create user-based subscriptions in License Manager
- Supported software products for user-based subscriptions in License Manager
- Additional software
- Get started with user-based subscriptions in License Manager
- Configure Active Directory GPO for more active remote user sessions
- Launch an instance from a license included AMI
- Connect to a user-based subscription instance with RDP
- Modify firewall settings for your Microsoft Office subscription
- Manage subscription users for License Manager user-based subscriptions
- Deregister an Active Directory from License Manager settings
- Troubleshoot user-based subscriptions in License Manager
Considerations for using user-based subscriptions in License Manager
The following considerations apply when using user-based subscriptions with License Manager:
- The AWS Marketplace subscription for license-included Microsoft Remote Desktop Services (Win Remote Desktop Services SAL) has a per user per month fee, with no proration.
- Instances that provide user-based subscriptions support up to two active user sessions at a time by default. To enable more than two active user sessions, you can configure an Active Directory Group Policy Object (GPO), and set the Microsoft RDS licensing mode to Per User. For more information, see the prerequisites for Configure Active Directory GPO for more active remote user sessions.
- When you create local users with administrator privileges on instances that provide user-based subscriptions, the instance health status might change to unhealthy. License Manager can terminate instances that are unhealthy for non-compliance. For more information, see Troubleshooting instance compliance.
- When you configure your Active Directory with Microsoft Office products, your VPC must have VPC endpoints provisioned in at least one subnet. If you want to remove all VPC endpoint resources created by License Manager, you must remove any Active Directory that's configured from the License Manager settings. For more information, see Deregister an Active Directory from License Manager settings.
- The tag key of AWSLicenseManager with the value of UserSubscriptions assigned by License Manager to your instances must not be altered or deleted.
- For the service to function as expected, the two network interfaces created for License Manager must not be altered or deleted.
- The objects that License Manager creates in the AWS Managed Microsoft AD directory's AWS Reserved organizational unit (OU) must not be altered or deleted.
- The instances deployed for user-based subscriptions must be managed nodes with AWS Systems Manager and joined to the same domain. For information on keeping your instances managed by Systems Manager, see the Troubleshoot user-based subscriptions in License Manager section of this guide.
- To stop incurring subscription charges for a user, you must disassociate the user from all instances they are associated with. For more information, see Disassociate users from an instance that provides user-based subscriptions.
Prerequisites to create user-based subscriptions in License Manager
The following prerequisites must be implemented in your environment before you can create user-based subscriptions.
IAM roles and permissions
You must allow License Manager to create a service-linked role in order to onboard your AWS account for user-based subscriptions. In the License Manager console, a prompt appears in User-based subscriptions if the role hasn't been created yet. After you respond to the prompt and agree to allow License Manager to create the role, choose Create to continue. For more information, see Using service-linked roles for License Manager.
- To create user-based subscriptions, your user or role must have the following permissions:
  - ec2:CreateNetworkInterface
  - ec2:DeleteNetworkInterface
  - ec2:DescribeNetworkInterfaces
  - ec2:CreateNetworkInterfacePermission
  - ec2:DescribeSubnets
  - ds:DescribeDirectories
  - ds:AuthorizeApplication
  - ds:UnauthorizeApplication
  - ds:GetAuthorizedApplicationDetails
  - ds:DescribeDomainControllers
- To create user-based subscriptions for Microsoft Office products, your user or role must also have these additional permissions:
  - ec2:CreateVpcEndpoint
  - ec2:DeleteVpcEndpoints
  - ec2:DescribeVpcEndpoints
  - ec2:ModifyVpcEndpoint
  - ec2:DescribeSecurityGroups
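The following Python check is an added example, not code from the AWS documentation. It reports which of the permissions listed above a candidate identity policy does not grant, honouring IAM wildcards and explicit Deny statements. The function names and the sample policy are constructed for illustration, and Resource, Condition, NotAction, permission boundaries and SCPs are not evaluated.

```python
import re

# Actions this page lists for creating user-based subscriptions.
BASE_ACTIONS = [
    "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface",
    "ec2:DescribeNetworkInterfaces", "ec2:CreateNetworkInterfacePermission",
    "ec2:DescribeSubnets", "ds:DescribeDirectories", "ds:AuthorizeApplication",
    "ds:UnauthorizeApplication", "ds:GetAuthorizedApplicationDetails",
    "ds:DescribeDomainControllers",
]
# Additional actions this page lists for Microsoft Office products.
OFFICE_ACTIONS = [
    "ec2:CreateVpcEndpoint", "ec2:DeleteVpcEndpoints", "ec2:DescribeVpcEndpoints",
    "ec2:ModifyVpcEndpoint", "ec2:DescribeSecurityGroups",
]

def _as_list(value):
    # IAM allows a single string or object where a list is also valid.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # Action patterns are case-insensitive; '*' and '?' are wildcards.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None

def missing_actions(policy, required):
    """Required actions with no matching Allow, or hit by an explicit Deny.
    Resource, Condition and NotAction are not evaluated (simplification)."""
    allow, deny = [], []
    for stmt in _as_list(policy.get("Statement")):
        target = allow if stmt.get("Effect") == "Allow" else deny
        target.extend(_as_list(stmt.get("Action")))
    return [a for a in required
            if not any(_matches(p, a) for p in allow)
            or any(_matches(p, a) for p in deny)]

# Constructed sample: wildcard allows plus one explicit deny.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ds:*", "ec2:Describe*", "ec2:CreateNetworkInterface*"]},
    {"Effect": "Deny", "Resource": "*", "Action": "ds:UnauthorizeApplication"},
]}

if __name__ == "__main__":
    print(missing_actions(SAMPLE_POLICY, BASE_ACTIONS + OFFICE_ACTIONS))
```

An empty result for both lists means the policy text covers every action named on this page; it does not replace testing with the role itself.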
Active Directory
To use License Manager user-based subscriptions, you must create an Active Directory (AD) that contains user information for the subscription product users. Depending on your configuration, you can use an AWS Managed Microsoft AD, or a self-managed AD.
If you use both AWS managed and self-managed Active Directories, you must establish a two-way forest trust between the directories. For more information, see Tutorial: Create a trust relationship between your AWS Managed Microsoft AD and your self-managed Active Directory domain in the AWS Directory Service Administration Guide.
Note
Subnets that are configured for your directory must all be from the same VPC for your AWS account.
AWS managed Active Directories have the following restrictions.
- Directories that are shared with you aren't supported.
- Multi-factor authentication is not supported.
For more information about creating an AWS Managed Microsoft AD directory, see AWS Managed Microsoft AD prerequisites and Create your AWS Managed Microsoft AD directory in the AWS Directory Service User Guide.
To associate users with AWS Managed Microsoft AD, you must provision users in your AWS Managed Microsoft AD directory. For more information, see Manage users and groups in AWS Managed Microsoft AD in the AWS Directory Service Administration Guide.
Security groups
Security groups control the network traffic that's allowed into and out of the resources on your network. To ensure that resources in your user-based subscription environment can communicate, your security groups must meet the following criteria.
Security group for VPC endpoints
Identify or create a security group that permits inbound TCP port 1688 connectivity. When you configure your VPC settings, you'll specify this security group. For more information, see Work with security groups.
License Manager associates this security group to the VPC endpoints it creates on your behalf while configuring the VPC. For more information about VPC endpoints, see Access an AWS service using an interface VPC endpoint in the AWS PrivateLink Guide.
Security group for Active Directory domain controllers
Ensure that the security group that you use for your AD domain controllers allows outbound traffic to each domain controller's network interface IPv4 address.
Security group for user-based subscription instances
Identify or create a security group that permits the following access to and from your instance. For more information, see Work with security groups.
- Inbound TCP port 3389 connectivity from your approved connection sources.
- Outbound TCP port 1688 connectivity to reach the VPC endpoints, and to communicate with AWS Systems Manager.
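As an added example (not part of the AWS documentation), the Python function below audits one security group, in the JSON shape returned by describe-security-groups, against the two criteria above: RDP on TCP 3389 reachable only from approved CIDR ranges, and an egress rule that covers TCP 1688. The sample group, its ID and the approved range are constructed, and rules that reference other security groups or prefix lists are not evaluated.

```python
import ipaddress

def _covers(rule, port):
    """True if a describe-security-groups rule entry covers the TCP port."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # all protocols, all ports
        return True
    return proto == "tcp" and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def _cidrs(rule):
    v4 = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return v4 + v6

def audit_instance_sg(sg, approved):
    """Return findings for the instance security group criteria on this page."""
    approved_nets = [ipaddress.ip_network(c, strict=False) for c in approved]
    findings = []
    for rule in sg.get("IpPermissions", []):
        if not _covers(rule, 3389):
            continue
        for cidr in _cidrs(rule):
            net = ipaddress.ip_network(cidr, strict=False)
            # subnet_of() raises on mixed IP versions, so compare versions first.
            ok = any(net.version == a.version and net.subnet_of(a) for a in approved_nets)
            if not ok:
                findings.append(f"inbound 3389 open to unapproved source {cidr}")
    if not any(_covers(r, 1688) for r in sg.get("IpPermissionsEgress", [])):
        findings.append("no outbound rule covers TCP 1688")
    return findings

# Constructed sample: RDP open to the internet, egress limited to 443.
SAMPLE_SG = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.20.0.0/24"}, {"CidrIp": "0.0.0.0/0"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

if __name__ == "__main__":
    for finding in audit_instance_sg(SAMPLE_SG, ["10.20.0.0/16"]):
        print(finding)
```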
Network configuration
License Manager creates two network interfaces which use the default security group of the VPC where your AWS Managed Microsoft AD is provisioned. These interfaces are used for the service to interact with your directory. For more information, see Step 2: Register your Active Directory in License Manager and What gets created in the AWS Directory Service Administration Guide.
After the provisioning process is complete, you can associate a different security group to the interfaces created by License Manager.
DNS resolution
The Active Directory that you've registered for user-based subscriptions must be accessible from any VPCs and subnets that you've configured in License Manager settings. To ensure that Active Directory nodes are accessible, configure DNS resolution as follows:
- Configure DNS forwarding between the VPCs and Active Directories that are configured in your License Manager settings for user-based subscriptions. You can use Amazon Route 53 or another DNS service for DNS forwarding. For more information, see the blog post Integrating your Directory Service's DNS resolution with Amazon Route 53 Resolvers.
- Enable DNS hostnames and DNS resolution for your VPC. For more information, see View and update DNS attributes for your VPC.
Instances that provide user-based subscription products
For your user-based subscription instances to function as expected, you must meet the following prerequisites:
- Set up a security group for your instances as described in Security groups.
- Ensure that the instances launched to provide user-based subscriptions with Microsoft Office have a route to the subnet where the VPC endpoints are provisioned.
- Instances that provide user-based subscriptions must be managed by AWS Systems Manager in order to have a healthy status. Additionally, your instances must be able to activate their user-based subscription licensing to remain in compliance after license activation.
  Note
  License Manager will attempt to recover unhealthy instances, but instances that can't be returned to a healthy status will be terminated. For troubleshooting information on keeping your instances managed by Systems Manager, and instance compliance, see the Troubleshoot user-based subscriptions in License Manager section of this guide.
- You must have an instance profile role attached to instances providing the user-based subscription products that allows for the resource to be managed by AWS Systems Manager. For more information, see Create an IAM instance profile for Systems Manager in the AWS Systems Manager User Guide.
- You must disassociate users from an instance prior to terminating the instance.
Microsoft Remote Desktop Services
The Microsoft Remote Desktop Services license server requires an administrative user that's defined in the associated Active Directory. That user must be able to perform the following tasks:
- Create an OU under the Active Directory domain.
- Domain join instances (create Computer) inside of the OU that is created.
- Add a computer object to a Terminal servers group within the Active Directory domain.
- Have delegated control for user objects in the Active Directory domain to read and write Terminal Server license server, in order to generate license server reports.
To learn more about delegation, see Delegation of Control in Active Directory Domain Services.
Administrative credentials secret
License Manager uses AWS Secrets Manager to manage the credentials needed for user administration tasks on the Microsoft Remote Desktop Services license server. Before you can set up the license server, you must create a secret in Secrets Manager that contains the credentials for the user who performs user administration tasks on the license server. When you configure the license server settings, you must provide the ID of the secret that you created.
Note
This must be the same user that you've defined for RDS license server report generation.
To create a secret, follow detailed instructions on the Create an AWS Secrets Manager secret page in the Secrets Manager User Guide, with the following settings that are specific to License Manager.
Important
To use the secret, License Manager depends on the exact key names that are specified, and a secret name that begins with the following prefix: "license-manager-user-".
On the Choose secret type page:
- Secret type – Choose Other type of secret.
- Key/value pairs – Specify the following key pairs to store in the secret.
  - Username
    - Key: username
    - Value: Administrator
  - Password
    - Key: password
    - Value: The password
On the Configure secret page:
- Secret name – Specify a name for your secret that begins with the prefix that License Manager uses to identify license server credential secrets. For example: license-manager-user-admin-credentials
These instructions assume that you are using the AWS Management Console to create your secret. The Secrets Manager User Guide also includes detailed instructions for other methods. For more information about Secrets Manager, see What Is Secrets Manager. For information specifically related to costs, see Pricing for AWS Secrets Manager in the Secrets Manager User Guide.
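Because License Manager depends on the exact key names and the name prefix, a pre-flight check can catch a mis-cased key or a wrong name before the license server is configured. The Python function below is an added example, not code from the AWS documentation; the function name and the sample values are constructed, and it never prints the secret values themselves.

```python
import json

PREFIX = "license-manager-user-"          # prefix stated on this page
REQUIRED_KEYS = ("username", "password")  # exact key names stated on this page

def check_license_server_secret(name, secret_string):
    """Return a list of problems with the secret name or its key/value pairs."""
    problems = []
    if not name.startswith(PREFIX):
        problems.append(f"name must begin with '{PREFIX}'")
    try:
        data = json.loads(secret_string)
    except json.JSONDecodeError:
        return problems + ["secret value is not JSON key/value pairs"]
    if not isinstance(data, dict):
        return problems + ["secret value is not a JSON object"]
    for key in REQUIRED_KEYS:
        value = data.get(key)
        if isinstance(value, str) and value:
            continue
        # Distinguish a mis-cased key (for example 'Username') from a missing one.
        near = [k for k in data if k.lower() == key and k != key]
        if near:
            problems.append(f"key '{near[0]}' must be spelled exactly '{key}'")
        else:
            problems.append(f"missing or empty key '{key}'")
    return problems

# Constructed samples; the password values are placeholders, not real credentials.
GOOD = ("license-manager-user-admin-credentials",
        '{"username": "Administrator", "password": "constructed-placeholder"}')
BAD = ("rds-admin", '{"Username": "Administrator", "password": ""}')

if __name__ == "__main__":
    for name, value in (GOOD, BAD):
        print(name, check_license_server_secret(name, value))
```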
Supported software products for user-based subscriptions in License Manager
AWS License Manager supports user-based subscriptions for Microsoft Visual Studio, and Microsoft Office. Supported software utilization is tracked by License Manager. A single subscription to Windows Server Remote Desktop Services Subscriber Access License (RDS SAL) is required for each user to access a license-included instance that provides a user-based subscription product. For more information, see Get started with user-based subscriptions in License Manager.
Supported Windows operating system (OS) platforms
You can find Windows AMIs that include products covered by the RDS SAL license for the following Windows OS platforms:
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
Supported software for user-based subscriptions
License Manager supports user-based licensing with the following software.
Microsoft Visual Studio
Microsoft Visual Studio is an integrated development environment (IDE) that enables developers to create, edit, debug, and publish applications. The provided Microsoft Visual Studio AMIs include the AWS Toolkit for .NET Refactoring and the AWS Toolkit for Visual Studio.
Supported editions
- Visual Studio Professional 2022
- Visual Studio Enterprise 2022
The following table details the software subscription names and their associated product value used for License Manager user-based subscription API operations.
Software subscription name | Product value |
---|---|
Visual Studio Enterprise 2022 | |
Visual Studio Professional 2022 | |
Microsoft Office
Microsoft Office is a collection of software developed by Microsoft for various productivity use cases including working with documents, spreadsheets, and slide show presentations.
Supported editions
- Office LTSC Professional Plus 2021
The following table details the software subscription names and their associated product value used for License Manager user-based subscription API operations.
Software subscription name | Product value |
---|---|
Office LTSC Professional Plus 2021 | |
Additional software
You can install additional software on your instances that aren't available as user-based subscriptions. Additional software installations aren't tracked by License Manager. These installations must be performed using the administrative account for your Active Directory. If you use an AWS Managed Microsoft AD, the administrative account (Admin) is created by default in your directory. For more information, see Admin account in the AWS Directory Service Administration Guide.
To install additional software with the Active Directory administrative account, you must:
- Subscribe the administrative account to the product provided by the instance.
- Associate the administrative account to the instance.
- Connect to the instance using the administrative account to perform the installation.
For more information, see Get started with user-based subscriptions in License Manager.