

# Deploy the product
<a name="deploy-the-product"></a>

**Note**  
This product uses [AWS CloudFormation templates and stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-whatis-concepts.html) to automate its deployment. The CloudFormation templates describe the AWS resources included in this product and their properties. The CloudFormation stack provisions the resources that are described in the templates. 

Before you launch the product, review the [cost](plan-your-deployment.md#plan-your-deployment-cost), [architecture](architecture-overview.md), [network security](plan-your-deployment.md#plan-your-deployment-security), and other considerations discussed earlier in this guide. 

**Topics**
+ [Prerequisites](prerequisites.md)
+ [Create external resources](create-external-resources.md)
+ [Step 1: Launch the product](launch-the-product.md)
+ [Step 2: Sign in for the first time](first-sign-in.md)

# Prerequisites
<a name="prerequisites"></a>

**Topics**
+ [Create an AWS account with an administrative user](#aws-account)
+ [Create an Amazon EC2 SSH key pair](#create-ssh-key-pair)
+ [Increase service quotas](#increase-service-quotas)
+ [Create a Cognito user pool (optional)](#create-cognito-user-pool)
+ [Create a custom domain (optional)](#create-public-domain)
+ [Create a domain (GovCloud only)](#create-domain-govcloud)
+ [Provide external resources](#external-resources)
+ [Configure LDAPS in your environment (optional)](#configure-ldaps)
+ [Set up a Service Account for Microsoft Active Directory](#service-account-ms-ad)
+ [Configure a private VPC (optional)](#private-vpc)

## Create an AWS account with an administrative user
<a name="aws-account"></a>

You must have an AWS account with an administrative user:

1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup).

1. Follow the online instructions.

   Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad.

   When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks).

## Create an Amazon EC2 SSH key pair
<a name="create-ssh-key-pair"></a>

If you do not have an Amazon EC2 SSH key pair, you must create one. For more information, see [Create a key pair using Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/create-key-pairs.html) in the *Amazon EC2 User Guide*. 

## Increase service quotas
<a name="increase-service-quotas"></a>

As a best practice, [increase the service quotas](https://docs.aws.amazon.com/servicequotas/latest/userguide/request-quota-increase.html) for:
+ [Amazon VPC](https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html)
  + Increase the Elastic IP address quota per NAT gateway from five to eight.
  + Increase the NAT gateways per Availability Zone from five to ten.
+ [Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html)
  + Increase the EC2-VPC Elastic IPs from five to ten.

Your AWS account has default quotas for each AWS service. Unless otherwise noted, each quota is Region-specific. You can request increases for some quotas, and other quotas cannot be increased. For more information, see [Quotas for AWS services in this product](plan-your-deployment.md#quotas-for-aws-services-in-this-product).

## Create a Cognito user pool (optional)
<a name="create-cognito-user-pool"></a>

You have the option to import an existing Cognito User Pool for user and client authentication when you install RES. Otherwise, RES will create a new Cognito User Pool automatically. The pre-existing user pool must have the following sign-up custom attributes:


| Name | Type | Min value/length | Max value/length | Mutable | 
| --- | --- | --- | --- | --- | 
| custom:aws\_region | String |  |  | TRUE | 
| custom:cluster\_name | String |  |  | TRUE | 
| custom:password\_last\_set | Number |  |  | TRUE | 
| custom:password\_max\_age | Number |  |  | TRUE | 
| custom:uid | Number | 2000200001 | 4294967294 | TRUE | 
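
To confirm that an existing pool meets these requirements before you import it, you can compare the `SchemaAttributes` list returned by `aws cognito-idp describe-user-pool` against the table. The following Python check is an added example, not part of RES; the function name and the sample schema are constructed for illustration.

```python
# Required sign-up custom attributes from the table above:
# name -> (type, min value, max value). Every attribute must be mutable.
REQUIRED = {
    "custom:aws_region": ("String", None, None),
    "custom:cluster_name": ("String", None, None),
    "custom:password_last_set": ("Number", None, None),
    "custom:password_max_age": ("Number", None, None),
    "custom:uid": ("Number", "2000200001", "4294967294"),
}


def check_user_pool_schema(schema_attributes):
    """Compare UserPool.SchemaAttributes with the table.

    Returns a list of problems; an empty list means the pool can be imported.
    """
    by_name = {attr["Name"]: attr for attr in schema_attributes}
    problems = []
    for name, (dtype, lo, hi) in REQUIRED.items():
        attr = by_name.get(name)
        if attr is None:
            problems.append(f"{name}: missing")
            continue
        found_type = attr.get("AttributeDataType")
        if found_type != dtype:
            problems.append(f"{name}: type is {found_type}, expected {dtype}")
        if not attr.get("Mutable", False):
            problems.append(f"{name}: must be mutable")
        if lo is not None:
            # Cognito reports number constraints as strings.
            limits = attr.get("NumberAttributeConstraints", {})
            found = (limits.get("MinValue"), limits.get("MaxValue"))
            if found != (lo, hi):
                problems.append(
                    f"{name}: range is {found[0]}..{found[1]}, expected {lo}..{hi}"
                )
    return problems


# Constructed sample in the shape of describe-user-pool output
# (UserPool.SchemaAttributes), with four deliberate mismatches.
SAMPLE_SCHEMA = [
    {"Name": "email", "AttributeDataType": "String", "Mutable": True},
    {"Name": "custom:aws_region", "AttributeDataType": "String", "Mutable": True},
    {"Name": "custom:cluster_name", "AttributeDataType": "String", "Mutable": False},
    {"Name": "custom:password_last_set", "AttributeDataType": "String", "Mutable": True},
    {
        "Name": "custom:uid",
        "AttributeDataType": "Number",
        "Mutable": True,
        "NumberAttributeConstraints": {"MinValue": "1000", "MaxValue": "4294967294"},
    },
]

if __name__ == "__main__":
    for problem in check_user_pool_schema(SAMPLE_SCHEMA):
        print(problem)
```

Cognito does not let you change or remove a custom attribute after it is created, so a type, range, or mutability mismatch cannot be corrected in place on the existing pool.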

## Create a custom domain (optional)
<a name="create-public-domain"></a>

As a best practice, use a custom domain for the product for a user-friendly URL. You can provide a custom domain and *optionally* provide a certificate for it. 

There is a process in the External Resources stack to create a certificate for a custom domain which you provide. You can skip the steps here if you have a domain and want to use the certificate generation capabilities of the External Resources stack.

Or, follow these steps to register a domain using Amazon Route 53 and import a certificate for the domain using AWS Certificate Manager.

1. Follow the directions to [register a domain](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-register.html#register_new_console) with Route 53. You should receive a confirmation email.

1. Retrieve the hosted zone for your domain. Route 53 creates this automatically.

   1. Open the Route 53 console.

   1. Choose **Hosted zones** from the left navigation.

   1. Open the hosted zone created for your domain name and copy the **Hosted zone ID**.

1. Open AWS Certificate Manager and follow these steps to [request a domain certificate](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html). Ensure you are in the Region where you plan to deploy the solution.

1. Choose **List certificates** from the navigation, and find your certificate request. The request should be pending.

1. Choose your **Certificate ID** to open the request.

1. From the **Domains** section, choose **Create records in Route 53**. It will take approximately ten minutes for the request to process.

1. Once the certificate is issued, copy the **ARN** from the **Certificate status** section.

## Create a domain (GovCloud only)
<a name="create-domain-govcloud"></a>

If you are deploying in an AWS GovCloud Region and you are using a custom domain for Research and Engineering Studio, you must complete these prerequisite steps.

1. Deploy the [ Certificate CloudFormation stack](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/quickcreate?templateURL=https://s3.amazonaws.com/aws-hpc-recipes/main/recipes/security/public_certs/assets/main.yaml) in the commercial-partition AWS Account where the public hosted domain was created.

1. From the **Certificate CloudFormation Outputs**, find and note the `CertificateARN` and `PrivateKeySecretARN`. 

1. In the GovCloud partition account, create a secret with the value of the `CertificateARN` output. Note the new secret ARN and add two tags to the secret so `vdc-gateway` can access the secret value: 

   1. res:ModuleName = virtual-desktop-controller 

   1. res:EnvironmentName = [environment name] (This could be res-demo.) 

1. In the GovCloud partition account, create a secret with the value of the `PrivateKeySecretARN` output. Note the new secret ARN and add two tags to the secret so `vdc-gateway` can access the secret value: 

   1. res:ModuleName = virtual-desktop-controller

   1. res:EnvironmentName = [environment name] (This could be res-demo.)

## Provide external resources
<a name="external-resources"></a>

Research and Engineering Studio on AWS expects the following external resources to exist when it is deployed.
+ **Networking (VPC, Public Subnets, and Private Subnets)**

  This is where you will run the EC2 instances used to host the RES environment, the Active Directory (AD), and shared storage.
+ **Storage (Amazon EFS)**

  The storage volumes contain files and data needed for the virtual desktop infrastructure (VDI).
+ **Directory service (AWS Directory Service for Microsoft Active Directory)**

  The directory service authenticates users to the RES environment.
+ **A secret that contains the Active Directory service account username and password formatted as a key-value pair (username, password)**

  Research and Engineering Studio accesses [secrets](secrets-management.md) that you provide, including the service account password, using [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html).

**Warning**  
You must provide a valid email address for all Active Directory (AD) users whom you want to sync.

**Tip**  
If you are deploying a demo environment and do not have these external resources available, you can use AWS High Performance Compute recipes to generate the external resources. See the following section, [Create external resources](create-external-resources.md), to deploy resources in your account.   
For demo deployments in an AWS GovCloud Region, you must complete the prerequisite steps in [Create a domain (GovCloud only)](#create-domain-govcloud).

## Configure LDAPS in your environment (optional)
<a name="configure-ldaps"></a>

If you plan to use LDAPS communication in your environment, you must complete these steps to create and attach certificates to the AWS Managed Microsoft AD (AD) domain controller to provide communication between AD and RES. 

1. Follow the steps provided in [How to enable server-side LDAPS for your AWS Managed Microsoft AD](https://aws.amazon.com/blogs/security/how-to-enable-ldaps-for-your-aws-microsoft-ad-directory/). You can skip this step if you have already enabled LDAPS.

1. After confirming that LDAPS is configured on the AD, export the AD certificate:

   1. Go to your Active Directory server.

   1. Open PowerShell as an administrator.

   1. Run `certmgr.msc` to open the certificate list.

   1. Open the certificate list by first opening the Trusted Root Certification Authorities and then Certificates.

   1. Select and hold (or right-click) the certificate with the same name as your AD server and choose **All tasks** and then **Export**.

   1. Select **Base-64 encoded X.509 (.CER)** and choose **Next**.

   1. Select a directory and then choose **Next**.

1. Create a secret in AWS Secrets Manager:

   When creating your Secret in the Secrets Manager, choose **Other type of secrets** under **secret type** and paste your PEM encoded certificate in the **Plaintext** field. 

1. Note the ARN created and input it as the `DomainTLSCertificateSecretARN` parameter in [Step 1: Launch the product](launch-the-product.md).

## Set up a Service Account for Microsoft Active Directory
<a name="service-account-ms-ad"></a>

If you choose Microsoft Active Directory (AD) as the identity source for RES, you have a Service Account in your AD that allows for programmatic access. You must pass a secret with the Service Account's credentials as part of your RES installation. The secret must have the format shown here.

![\[Example username and password format\]](http://docs.aws.amazon.com/res/latest/ug/images/res-secret-value-example.png)


Also note that the `username` field doesn't support NT-style logon names of the format `DOMAIN\username`.

The Service Account is responsible for the following functions:
+ Sync users from the AD: RES must sync users from the AD to allow them to log in to the web portal. The syncing process uses the service account to query the AD using LDAP(s) to determine which users and groups are available.
+ Join the AD domain: this is an optional operation for Linux virtual desktops and infrastructure hosts where the instance joins the AD domain. In RES, this is controlled with the `DisableADJoin` parameter. This parameter is set to False by default, which means that Linux virtual desktops will attempt to join the AD domain in the default configuration.
+ Connect to the AD: Linux virtual desktops and infrastructure hosts will connect to the AD domain if they do not join it (`DisableADJoin` = True). For this functionality to work, the Service Account also needs read access for users and groups in the `UsersOU` and `GroupsOU`.

The service account requires the following permissions:
+ To sync users and connect to AD → Read access for users and groups in the `UsersOU` and `GroupsOU`.
+ To join the AD domain → create `Computer` objects in the `ComputersOU`.

The script at [https://github.com/aws-samples/aws-hpc-recipes/blob/main/recipes/res/res_demo_env/assets/service_account.ps1](https://github.com/aws-samples/aws-hpc-recipes/blob/main/recipes/res/res_demo_env/assets/service_account.ps1) provides an example of how to grant proper Service Account permissions. You can modify it based on your own AD.

## Configure a private VPC (optional)
<a name="private-vpc"></a>

Deploying Research and Engineering Studio in an isolated VPC offers enhanced security to meet your organization's compliance and governance requirements. However, the standard RES deployment relies on internet access for installing dependencies. To install RES in a private VPC, you will need to satisfy the following prerequisites:

**Topics**
+ [Prepare Amazon Machine Images (AMIs)](#prep-ami)
+ [Set up VPC endpoints](#private-vpc-endpoints)
+ [Connect to services without VPC endpoints](#connect-services-without-endpoints)
+ [Set private VPC deployment parameters](#vpc-deployment-parameters)

### Prepare Amazon Machine Images (AMIs)
<a name="prep-ami"></a>

1. Download the dependencies at [https://research-engineering-studio-us-east-1.s3.amazonaws.com/releases/latest/res-installation-scripts.tar.gz](https://research-engineering-studio-us-east-1.s3.amazonaws.com/releases/latest/res-installation-scripts.tar.gz). To deploy in an isolated VPC, the RES infrastructure needs these dependencies to be available without public internet access.
**Important**  
Replace **latest** in the download URI with the exact version number (for example, **2025.06**) if your RES environment version is not the latest.

1. Create an IAM role with Amazon S3 read-only access and trusted identity as Amazon EC2.

   1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

   1. From **Roles**, choose **Create role**.

   1. On the **Select trusted entity** page:
      + Under **Trusted entity type**, choose AWS service.
      + For **Use case** under **Service or use case**, choose **EC2** and choose **Next**. 

   1. On **Add permissions**, select the following permission policies and then choose **Next**:
      + AmazonS3ReadOnlyAccess
      + AmazonSSMManagedInstanceCore
      + EC2InstanceProfileForImageBuilder

   1. Add a **Role name** and **Description**, and then choose **Create role**.

1. Create the EC2 image builder component:

   1. Open the EC2 Image Builder console at [https://console.aws.amazon.com//imagebuilder](https://console.aws.amazon.com//imagebuilder).

   1. Under **Saved resources**, choose **Components** and choose **Create component**.

   1. On the **Create component** page, enter the following details:
      + For **Component type**, choose **Build**.
      + For **Component details** choose:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/res/latest/ug/prerequisites.html)

   1. On the **Create component** page, choose **Define document content**.

      1. Before entering the definition document content, you will need a file URI for the tar.gz file. Upload the tar.gz file provided by RES to an Amazon S3 bucket and copy the file's URI from the bucket properties.

      1. Enter the following:
**Note**  
`AddEnvironmentVariables` is optional, and you may remove it if you do not require custom environment variables in your infrastructure hosts.  
If you are setting up `http_proxy` and `https_proxy` environment variables, the `no_proxy` parameters are required to prevent the instance from using the proxy to query localhost, instance metadata IP addresses, and the services that support VPC endpoints.

         ```
         #  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
         #
         #  Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
         #  with the License. A copy of the License is located at
         #
         #      http://www.apache.org/licenses/LICENSE-2.0
         #
         #  or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
         #  OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
         #  and limitations under the License.
         name: research-and-engineering-studio-infrastructure
         description: An RES EC2 Image Builder component to install required RES software dependencies for infrastructure hosts.
         schemaVersion: 1.0
         
         parameters:
           - AWSRegion:
               type: string
               description: RES Environment AWS Region
         phases:
           - name: build
             steps:
                - name: DownloadRESInstallScripts
                  action: S3Download
                  onFailure: Abort
                  maxAttempts: 3
                  inputs:
                     - source: '<s3 tar.gz file uri>'
                       destination: '/root/bootstrap/res-installation-scripts/res-installation-scripts.tar.gz'
                - name: RunInstallScript
                  action: ExecuteBash
                  onFailure: Abort
                  maxAttempts: 3
                  inputs:
                     commands:
                         - 'cd /root/bootstrap/res-installation-scripts'
                         - 'tar -xf res-installation-scripts.tar.gz'
                         - 'cd scripts/infrastructure-host'
                         - '/bin/bash install.sh'
                - name: AddEnvironmentVariables
                  action: ExecuteBash
                  onFailure: Abort
                  maxAttempts: 3
                  inputs:
                     commands:
                         - |
                           echo -e "
                           http_proxy=http://<ip>:<port>
                           https_proxy=http://<ip>:<port>
                           no_proxy=127.0.0.1,169.254.169.254,169.254.170.2,localhost,{{ AWSRegion }}.res,{{ AWSRegion }}.vpce.amazonaws.com,{{ AWSRegion }}.elb.amazonaws.com,s3.{{ AWSRegion }}.amazonaws.com,s3.dualstack.{{ AWSRegion }}.amazonaws.com,ec2.{{ AWSRegion }}.amazonaws.com,ec2.{{ AWSRegion }}.api.aws,ec2messages.{{ AWSRegion }}.amazonaws.com,ssm.{{ AWSRegion }}.amazonaws.com,ssmmessages.{{ AWSRegion }}.amazonaws.com,kms.{{ AWSRegion }}.amazonaws.com,secretsmanager.{{ AWSRegion }}.amazonaws.com,sqs.{{ AWSRegion }}.amazonaws.com,elasticloadbalancing.{{ AWSRegion }}.amazonaws.com,sns.{{ AWSRegion }}.amazonaws.com,logs.{{ AWSRegion }}.amazonaws.com,logs.{{ AWSRegion }}.api.aws,elasticfilesystem.{{ AWSRegion }}.amazonaws.com,fsx.{{ AWSRegion }}.amazonaws.com,dynamodb.{{ AWSRegion }}.amazonaws.com,api.ecr.{{ AWSRegion }}.amazonaws.com,.dkr.ecr.{{ AWSRegion }}.amazonaws.com,kinesis.{{ AWSRegion }}.amazonaws.com,.data-kinesis.{{ AWSRegion }}.amazonaws.com,.control-kinesis.{{ AWSRegion }}.amazonaws.com,events.{{ AWSRegion }}.amazonaws.com,cloudformation.{{ AWSRegion }}.amazonaws.com,sts.{{ AWSRegion }}.amazonaws.com,application-autoscaling.{{ AWSRegion }}.amazonaws.com,monitoring.{{ AWSRegion }}.amazonaws.com,ecs.{{ AWSRegion }}.amazonaws.com,.execute-api.{{ AWSRegion }}.amazonaws.com
                           " >> /etc/environment
         ```

   1. Choose **Create component**.

1. Create an Image Builder image recipe.

   1. On the **Create recipe** page, enter the following:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/res/latest/ug/prerequisites.html)

   1. Choose **Create recipe**.

1. Create Image Builder infrastructure configuration.

   1. Under **Saved resources**, choose **Infrastructure configurations**.

   1. Choose **Create infrastructure configuration**.

   1. On the **Create infrastructure configuration** page, enter the following:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/res/latest/ug/prerequisites.html)

   1. Choose **Create infrastructure configuration**.

1. Create a new EC2 Image Builder pipeline:

   1. Go to **Image pipelines**, and choose **Create image pipeline**.

   1. On the **Specify pipeline details** page, enter the following and choose **Next**:
      + Pipeline name and optional description
      + For **Build schedule**, set a schedule or choose **Manual** if you want to start the AMI baking process manually.

   1. On the **Choose recipe** page, choose **Use existing recipe** and enter the **Recipe name** created previously. Choose **Next**.

   1. On the **Define image process** page, select the default workflows and choose **Next**.

   1. On the **Define infrastructure configuration** page, choose **Use existing infrastructure configuration** and enter the name of the previously created infrastructure configuration. Choose **Next**.

   1. On the **Define distribution settings** page, consider the following for your selections:
      + The output image must reside in the same region as the deployed RES environment, so that RES can properly launch infrastructure host instances from it. Using service defaults, the output image will be created in the region where the EC2 Image Builder service is being used.
      + If you want to deploy RES in multiple regions, you can choose **Create a new distribution settings** and add more regions there.

   1. Review your selections and choose **Create pipeline**.

1. Run the EC2 Image Builder pipeline:

   1. From **Image pipelines**, find and select the pipeline you created.

   1. Choose **Actions**, and select **Run pipeline**.

      The pipeline may take approximately 45 minutes to an hour to create an AMI image.

1. Note the AMI ID for the generated AMI and use it as the input for the InfrastructureHostAMI parameter in [Step 1: Launch the product](launch-the-product.md).

### Set up VPC endpoints
<a name="private-vpc-endpoints"></a>

To deploy RES and launch virtual desktops, AWS services require access to your private subnet. You must set up VPC endpoints to provide the required access, and you will need to repeat these steps for each endpoint. 

1. If endpoints have not previously been configured, follow the instructions provided in [Access an AWS service using an interface VPC endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html).

1. Select one private subnet in each of the two availability zones.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/res/latest/ug/prerequisites.html)

### Connect to services without VPC endpoints
<a name="connect-services-without-endpoints"></a>

To integrate with services that do not support VPC endpoints, you can set up a proxy server in a public subnet of your VPC. Follow these steps to create a proxy server with the minimum necessary access for a Research and Engineering Studio deployment using AWS Identity Center as your identity provider.

1. Launch a Linux instance in the public subnet of the VPC you will use for your RES deployment.
   + Linux family – Amazon Linux 2 or Amazon Linux 3
   + Architecture – x86
   + Instance type – t2.micro or higher
   + Security group – TCP on port 3128 from 0.0.0.0/0

1. Connect to the instance to set up a proxy server.

   1. Open the http connection.

   1. Allow connection to the following domains from all relevant subnets:
      + .amazonaws.com (for generic AWS services)
      + .amazoncognito.com (for Amazon Cognito)
      + .awsapps.com (for Identity Center)
      + .signin.aws (for Identity Center)
      + .amazonaws-us-gov.com (for Gov Cloud)

   1. Deny all other connections.

   1. Activate and start the proxy server.

   1. Note the PORT on which the proxy server listens.

1. Configure your route table to allow access to the proxy server.

   1. Go to your VPC console and identify the route tables for the subnets you will be using for Infrastructure Hosts and VDI hosts.

   1. Edit the route table to allow all incoming connections to go to the proxy server instance created in the previous steps.

   1. Do this for route tables for all the subnets (without internet access) which you are going to use for Infrastructure/VDIs.

1. Modify the security group of the proxy server EC2 instance and make sure it allows inbound TCP connections on the PORT on which the proxy server is listening.

### Set private VPC deployment parameters
<a name="vpc-deployment-parameters"></a>

In [Step 1: Launch the product](launch-the-product.md), you are expected to input certain parameters in the CloudFormation template. Be sure to set the following parameters as noted to successfully deploy into the private VPC you just configured.


| Parameter | Input | 
| --- |--- |
| InfrastructureHostAMI | Use the infrastructure AMI ID created in [Prepare Amazon Machine Images (AMIs)](#prep-ami). | 
| IsLoadBalancerInternetFacing | Set to false. | 
| LoadBalancerSubnets | Choose private subnets without internet access. | 
| InfrastructureHostSubnets | Choose private subnets without internet access. | 
| VdiSubnets | Choose private subnets without internet access. | 
|  ClientIP  | You can choose your VPC CIDR to allow access for all VPC IP addresses. | 
|  HttpProxy  | Example: http://10.1.2.3:123 | 
|  HttpsProxy  | Example: http://10.1.2.3:123 | 
|  NoProxy  | Example: <pre>127.0.0.1,169.254.169.254,169.254.170.2,localhost,us-east-1.res,us-east-1.vpce.amazonaws.com,us-east-1.elb.amazonaws.com,s3.us-east-1.amazonaws.com,s3.dualstack.us-east-1.amazonaws.com,ec2.us-east-1.amazonaws.com,ec2.us-east-1.api.aws,ec2messages.us-east-1.amazonaws.com,ssm.us-east-1.amazonaws.com,ssmmessages.us-east-1.amazonaws.com,kms.us-east-1.amazonaws.com,secretsmanager.us-east-1.amazonaws.com,sqs.us-east-1.amazonaws.com,elasticloadbalancing.us-east-1.amazonaws.com,sns.us-east-1.amazonaws.com,logs.us-east-1.amazonaws.com,logs.us-east-1.api.aws,elasticfilesystem.us-east-1.amazonaws.com,fsx.us-east-1.amazonaws.com,dynamodb.us-east-1.amazonaws.com,api.ecr.us-east-1.amazonaws.com,.dkr.ecr.us-east-1.amazonaws.com,kinesis.us-east-1.amazonaws.com,.data-kinesis.us-east-1.amazonaws.com,.control-kinesis.us-east-1.amazonaws.com,events.us-east-1.amazonaws.com,cloudformation.us-east-1.amazonaws.com,sts.us-east-1.amazonaws.com,application-autoscaling.us-east-1.amazonaws.com,monitoring.us-east-1.amazonaws.com,ecs.us-east-1.amazonaws.com,.execute-api.us-east-1.amazonaws.com </pre>  | 
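
The `NoProxy` value and the proxy allow list in [Connect to services without VPC endpoints](#connect-services-without-endpoints) together decide where each request from a private-subnet host goes. The following Python check is an added example, not part of RES or AWS tooling: it renders this page's `NoProxy` list for a Region, reports the path a hostname would take, and audits a value for missing local entries, entries copied from another Region, and entries broad enough to bypass the proxy entirely. The function names, the sample hostnames, and the suffix-matching rule (the one curl and Python's urllib apply to `no_proxy`; other clients may differ) are assumptions.

```python
import re

# Entries from the NoProxy example on this page, with the Region templated as {r}.
NO_PROXY_TEMPLATE = [
    "127.0.0.1", "169.254.169.254", "169.254.170.2", "localhost",
    "{r}.res", "{r}.vpce.amazonaws.com", "{r}.elb.amazonaws.com",
    "s3.{r}.amazonaws.com", "s3.dualstack.{r}.amazonaws.com",
    "ec2.{r}.amazonaws.com", "ec2.{r}.api.aws", "ec2messages.{r}.amazonaws.com",
    "ssm.{r}.amazonaws.com", "ssmmessages.{r}.amazonaws.com",
    "kms.{r}.amazonaws.com", "secretsmanager.{r}.amazonaws.com",
    "sqs.{r}.amazonaws.com", "elasticloadbalancing.{r}.amazonaws.com",
    "sns.{r}.amazonaws.com", "logs.{r}.amazonaws.com", "logs.{r}.api.aws",
    "elasticfilesystem.{r}.amazonaws.com", "fsx.{r}.amazonaws.com",
    "dynamodb.{r}.amazonaws.com", "api.ecr.{r}.amazonaws.com",
    ".dkr.ecr.{r}.amazonaws.com", "kinesis.{r}.amazonaws.com",
    ".data-kinesis.{r}.amazonaws.com", ".control-kinesis.{r}.amazonaws.com",
    "events.{r}.amazonaws.com", "cloudformation.{r}.amazonaws.com",
    "sts.{r}.amazonaws.com", "application-autoscaling.{r}.amazonaws.com",
    "monitoring.{r}.amazonaws.com", "ecs.{r}.amazonaws.com",
    ".execute-api.{r}.amazonaws.com",
]
# localhost and the link-local metadata addresses that must never be proxied.
LOCAL_ENTRIES = NO_PROXY_TEMPLATE[:4]

# Domains this page tells you to allow on the proxy; all other traffic is denied.
PROXY_ALLOWLIST = [".amazonaws.com", ".amazoncognito.com", ".awsapps.com",
                   ".signin.aws", ".amazonaws-us-gov.com"]

# Region-shaped token such as us-east-1 or us-gov-west-1.
REGION_RE = re.compile(r"(?<![a-z0-9-])[a-z]{2}(?:-gov)?-[a-z]+-\d+(?![a-z0-9-])")


def render_no_proxy(region):
    """Build the NoProxy parameter value for one Region."""
    return ",".join(entry.format(r=region) for entry in NO_PROXY_TEMPLATE)


def matches(host, entry):
    """Suffix match: the entry covers the host itself and any subdomain of it."""
    host = host.lower().rstrip(".")
    entry = entry.strip().lower()
    if entry == "*":
        return True
    entry = entry.lstrip(".")
    return bool(entry) and (host == entry or host.endswith("." + entry))


def route(host, no_proxy, allowlist=PROXY_ALLOWLIST):
    """Return 'direct', 'proxy' or 'denied' for a request to host."""
    if any(matches(host, e) for e in no_proxy.split(",")):
        return "direct"   # must be reachable inside the VPC (endpoint, metadata, local)
    if any(matches(host, e) for e in allowlist):
        return "proxy"    # leaves through the proxy in the public subnet
    return "denied"       # proxy rule "deny all other connections"


def audit(no_proxy, region):
    """Flag NoProxy problems that break or weaken a private-VPC deployment."""
    entries = [e.strip().lower() for e in no_proxy.split(",") if e.strip()]
    return {
        "missing_local": [e for e in LOCAL_ENTRIES if e not in entries],
        "wrong_region": [e for e in entries
                         if any(r != region for r in REGION_RE.findall(e))],
        "too_broad": [e for e in entries
                      if any(matches(d.lstrip("."), e) for d in PROXY_ALLOWLIST)],
    }


if __name__ == "__main__":
    value = render_no_proxy("us-east-1")
    # Constructed sample hostnames.
    for host in ["169.254.169.254", "secretsmanager.us-east-1.amazonaws.com",
                 "cognito-idp.us-east-1.amazonaws.com", "pypi.org"]:
        print(f"{host:45} {route(host, value)}")
    print(audit(value, "eu-west-1")["wrong_region"][:3])
```

A `direct` result is only safe when a matching VPC endpoint exists in the subnet. Entries left over from another Region do not fail loudly: the affected calls fall through to the proxy instead of using the endpoint.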

# Create external resources
<a name="create-external-resources"></a>

This CloudFormation stack creates networking, storage, active directory, and domain certificates (if a PortalDomainName is provided). You must have these external resources available to deploy the product.

You may [ download the recipes template](https://s3.amazonaws.com/aws-hpc-recipes/main/recipes/res/res_demo_env/assets/bi.yaml) before deployment.

**Time to deploy:** Approximately 40-90 minutes 

1. Sign in to the AWS Management Console and open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).
**Note**  
Make sure you are in your administrator account.

1. Launch [ the template](https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https%3A%2F%2Fs3.amazonaws.com%2Faws-hpc-recipes%2Fmain%2Frecipes%2Fres%2Fres_demo_env%2Fassets%2Fbi.yaml) in the console.

   If you are deploying in an AWS GovCloud Region, launch the template in your GovCloud partition account (for example, [ here](https://console.amazonaws-us-gov.com/cloudformation/home?region=us-gov-west-1#/stacks/quickcreate?templateURL=https://s3.amazonaws.com/aws-hpc-recipes/main/recipes/res/res_demo_env/assets/bi.yaml) for the AWS GovCloud (US-West) Region).

1. Enter the template parameters:
**Important**  
Use different values for `AdminPassword` and `ServiceAccountPassword` to maintain proper security boundaries between these accounts.    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/res/latest/ug/create-external-resources.html)

1.  Acknowledge all checkboxes in **Capabilities**, and choose **Create stack**. 

# Step 1: Launch the product
<a name="launch-the-product"></a>

Follow the step-by-step instructions in this section to configure and deploy the product into your account.

**Time to deploy:** Approximately 60 minutes 

You can [ download the CloudFormation template](https://research-engineering-studio-us-east-1.s3.amazonaws.com/releases/latest/ResearchAndEngineeringStudio.template.json) for this product before deploying it. 

If you are deploying in AWS GovCloud (US-West), use this [ template](https://research-engineering-studio-us-gov-west-1.s3.us-gov-west-1.amazonaws.com/releases/latest/ResearchAndEngineeringStudio.template.json).

**res-stack** - Use this template to launch the product and all associated components. The default configuration deploys the RES main stack and authentication, frontend, and backend resources. 

**Note**  
AWS CloudFormation resources are created from AWS Cloud Development Kit (AWS CDK) constructs. 

The AWS CloudFormation template deploys Research and Engineering Studio on AWS in the AWS Cloud. You must meet the [prerequisites](prerequisites.md) before launching the stack. 

1. Sign in to the AWS Management Console and open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).

1. Launch the [ template ](https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https%3A%2F%2Fresearch-engineering-studio-us-east-1.s3.amazonaws.com%2Freleases%2Flatest%2FResearchAndEngineeringStudio.template.json).

   To deploy in AWS GovCloud (US-West), launch this [ template](https://console.amazonaws-us-gov.com/cloudformation/home?region=us-gov-west-1#/stacks/quickcreate?templateURL=https://research-engineering-studio-us-gov-west-1.s3.us-gov-west-1.amazonaws.com/releases/latest/ResearchAndEngineeringStudio.template.json).

1. The template launches in the US East (N. Virginia) Region by default. To launch the product in a different AWS Region, use the Region selector in the console navigation bar.
**Note**  
This product uses the Amazon Cognito service, which is not currently available in all AWS Regions. You must launch this product in an AWS Region where Amazon Cognito is available. For the most current availability by Region, see the [AWS Regional Services List](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/). 

1. Under **Parameters**, review the parameters for this product template and modify them as necessary. If you deployed the automated external resources, you can find these parameters in the **Outputs** tab of the external resources stack.     
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/res/latest/ug/launch-the-product.html)

1. Under **Configure stack options → Tags - *optional***, add the tags (key-value pairs) you want to apply to RES deployed resources. Tag key `Name` and `res:*` are preserved by RES and cannot be used as tag keys.

1. Choose **Create stack** to deploy the stack. 

You can view the status of the stack in the AWS CloudFormation console in the **Status** column. You receive a CREATE\_COMPLETE status in approximately 60 minutes. 

**Important**  
You are responsible for patching your infrastructure/VDI hosts after deployment.

# Step 2: Sign in for the first time
<a name="first-sign-in"></a>

After the product stack deploys in your account, you receive an email with your credentials. Use the URL to sign in to your account and configure the workspace for other users.

![\[First sign in email invitation\]](http://docs.aws.amazon.com/res/latest/ug/images/res-firstsignin.png)


After you sign in for the first time, you can configure settings in the web portal to connect to the SSO provider. For post-deployment configuration information, see the [Configuration guide](configuration-guide.md). Note that `clusteradmin` is a break-glass account: you can use it to create projects and assign user or group membership to those projects, but it cannot assign software stacks or deploy a desktop for itself.