AWS Security ChangesHomeSearch

AWS res documentation change

Service: res · 2025-09-28 · Documentation low

File: res/archive/release-minus-2/ug/res-troubleshooting-issue-runbooks.md

Summary

Modified UI navigation path for session limit configuration

Security assessment

Interface path change for operational configuration without security impact

Diff

diff --git a/res/archive/release-minus-2/ug/res-troubleshooting-issue-runbooks.md b/res/archive/release-minus-2/ug/res-troubleshooting-issue-runbooks.md
index 68252c5a2..d7c4c3cb8 100644
--- a//res/archive/release-minus-2/ug/res-troubleshooting-issue-runbooks.md
+++ b//res/archive/release-minus-2/ug/res-troubleshooting-issue-runbooks.md
@@ -68,0 +69,4 @@ The following section contains issues that may occur, how to detect them, and su
+    * Login account for Windows Virtual Desktop is set to Administrator
+
+    * Certificate expires when using external resource CertificateRenewalNode
+
@@ -177 +181 @@ The following section contains issues that may occur, how to detect them, and su
-  4. If SSO is already configured in the environment, re-configure SSO with the same inputs as you used initially from the **General Settings** > **Identity Provider** > **Single Sign On** > **Status** > **Edit** button in the RES web portal.
+  4. If SSO is already configured in the environment, re-configure SSO with the same inputs as you used initially from the **Environment Management** > **Identity management** > **Single Sign-On** > **Status** > **Edit** button in the RES web portal.
@@ -575 +579 @@ If a user receives the error "User not found" when they try to log in to the RES
-This section applies to RES 2024.10 and earlier. For RES 2024.12 and later see [How to manually run the sync (release 2024.12 and later)](./active-directory-sync.html#active-directory-sync-manually). 
+This section applies to RES 2024.10 and earlier. For RES 2024.12 and later see [How to manually run the sync (release 2024.12 and 2024.12.01)](./active-directory-sync.html#active-directory-sync-manually). For RES 2025.03 and later see [How to manually start or stop the sync (release 2025.03 and later)](./active-directory-sync.html#active-directory-sync-start-stop). 
@@ -808,0 +813,4 @@ If both Healthy and Unhealthy entries are 0, that indicates a potential network
+  * Login account for Windows Virtual Desktop is set to Administrator
+
+  * Certificate expires when using external resource CertificateRenewalNode
+
@@ -821,0 +830,79 @@ If both Healthy and Unhealthy entries are 0, that indicates a potential network
+........................
+
+### Login account for Windows Virtual Desktop is set to Administrator
+
+If you're able to launch a Windows Virtual Desktop in the RES web portal but its login account is set to Administrator when you connect, your Windows VDI may not have joined the Active Directory successfully.
+
+To verify, connect to the Windows instance from the Amazon EC2 console and check the bootstrap logs under `C:\Users\Administrator\RES\Bootstrap\virtual-desktop-host-windows\`. An error message starting with `[Join AD] authorization failed:` indicates that the instance failed to join the AD. Check the Cluster Manager logs in CloudWatch under the log group name ``<res-environment-name>`/cluster-manager` for more details about the failure:
+
+  * `Insufficient permissions to modify computer account`
+
+    * This error indicates that your Service Account doesn't have the proper permissions to add computers to the AD. Check the [Set up a Service Account for Microsoft Active Directory](./prerequisites.html#service-account-ms-ad) section for the permissions required by the Service Account. 
+
+  * `Invalid Credentials`
+
+    * Your Service Account credentials in AD have expired or you provided incorrect credentials. To check or update your Service Account credentials, access the secret that stores the password in the [Secrets Manager console](https://console.aws.amazon.com/secretsmanager/listsecrets). Make sure that the ARN of this secret is correct in the **Service Account Credentials Secret ARN** field under **Active Directory Domain** in the **Identity Management** page of your RES environment.
+
+
+
+
+........................
+
+### Certificate expires when using external resource CertificateRenewalNode
+
+If you deployed the [External Resources recipe](./create-external-resources.html) and encounter an error that states `"The connection has been closed. Transport error"` while you connect to Linux VDIs, the most probable cause is an expired certificate that is not being automatically refreshed due to an incorrect pip installation path on Linux. Certificates expire after 3 months.
+
+The Amazon CloudWatch log group ``<envname>`/vdc/dcv-connection-gateway` may log the connection attempt error with messages similar to the following:
+    
+    
+    | 2024-07-29T21:46:02.651Z | Jul 29 21:46:01.702  WARN HTTP:Splicer Connection{id=341 client_address="x.x.x.x:50682"}: Error in connection task: TLS handshake error: received fatal alert: CertificateUnknown | redacted:/res-demo/vdc/dcv-connection-gateway | dcv-connection-gateway_10.3.146.195 |
+    | 2024-07-29T21:46:02.651Z | Jul 29 21:46:01.702  WARN HTTP:Splicer Connection{id=341 client_address="x.x.x.x:50682"}: Certificate error: AlertReceived(CertificateUnknown) | redacted:/res-demo/vdc/dcv-connection-gateway | dcv-connection-gateway_10.3.146.195 | 
+
+###### To resolve the issue:
+
+  1. In your AWS account, go to [EC2](https://console.aws.amazon.com/ec2). If there is an instance named `*-CertificateRenewalNode-*` , terminate the instance.
+
+  2. Go to [Lambda](https://console.aws.amazon.com/lambda). You should see a Lambda function named `*-CertificateRenewalLambda-*` , check the Lambda code for something similar to the following:
+    
+        export HOME=/tmp/home
+    mkdir -p $HOME
+    
+    cd /tmp
+    wget https://bootstrap.pypa.io/pip/3.7/get-pip.py 
+    python3 ./get-pip.py
+    pip3 install boto3
+    eval $(python3 -c "from botocore.credentials import InstanceMetadataProvider, InstanceMetadataFetcher; provider = InstanceMetadataProvider(iam_role_fetcher=InstanceMetadataFetcher(timeout=1000, num_attempts=2)); c = provider.load().get_frozen_credentials(); print(f'export AWS_ACCESS_KEY_ID={c.access_key}'); print(f'export AWS_SECRET_ACCESS_KEY={c.secret_key}'); print(f'export AWS_SESSION_TOKEN={c.token}')")
+    
+    mkdir certificates
+    cd certificates
+    git clone https://github.com/Neilpang/acme.sh.git
+    cd acme.sh 
+
+  3. Find the latest external resource Certs stack template [ here](https://github.com/aws-samples/aws-hpc-recipes/blob/main/recipes/security/public_certs/assets/main.yaml). Find the Lambda code in the template: **Resources** → **CertificateRenewalLambda** → **Properties** → **Code**. You might find something similar to the following:
+    
+        sudo yum install -y wget
+    export HOME=/tmp/home
+    mkdir -p $HOME
+    cd /tmp
+    wget https://bootstrap.pypa.io/pip/3.7/get-pip.py
+    mkdir -p pip
+    python3 ./get-pip.py --target $PWD/pip
+    $PWD/pip/bin/pip3 install boto3
+    eval $(python3 -c "from botocore.credentials import InstanceMetadataProvider, InstanceMetadataFetcher; provider = InstanceMetadataProvider(iam_role_fetcher=InstanceMetadataFetcher(timeout=1000, num_attempts=2)); c = provider.load().get_frozen_credentials(); print(f'export AWS_ACCESS_KEY_ID={c.access_key}'); print(f'export AWS_SECRET_ACCESS_KEY={c.secret_key}'); print(f'export AWS_SESSION_TOKEN={c.token}')")
+    
+    mkdir certificates
+    cd certificates
+    VERSION=3.1.0
+    wget https://github.com/acmesh-official/acme.sh/archive/refs/tags/$VERSION.tar.gz -O acme-$VERSION.tar.gz
+    tar -xvf acme-$VERSION.tar.gz
+    cd acme.sh-$VERSION 
+
+  4. Replace the section from Step 2 in the `*-CertificateRenewalLambda-* ` Lambda function with the code from Step 3. Select **Deploy** and wait for the code change to take effect. 
+
+  5. To manually trigger the Lambda function, go to the **Test** tab and then select **Test**. No additional input is required. This should create a certificate EC2 instance that updates the Certificate and PrivateKey secrets in Secret Manager.
+
+  6. Terminate the existing dcv-gateway instance: ``<env-name>`-vdc-gateway` and wait for the auto scaling group to automatically deploy a new one.
+
+
+
+
@@ -840,3 +927 @@ The default limit for the number of virtual desktops that a user can launch is 5
-  * Select the **Server** tab.
-
-  * In the **DCV Session** panel, click on the edit icon on the right.
+  * Select the **General** tab.
@@ -844 +929 @@ The default limit for the number of virtual desktops that a user can launch is 5
-  * Change the value in **Allowed Sessions Per User** to the desired new value.
+  * Select the edit icon to the right of the **Default Allowed Sessions Per User Per Project** and change the value to the desired new value.