Follow the step-by-step instructions below to build a serverless backend.

  • Step 1. Create an IAM policy for a custom IAM role

    To grant permissions to handle backend requests for the End User Computing (EUC) dashboard, you create a custom IAM policy that grants the following permissions:

    •     AWS Application Auto Scaling
            o DescribeScalingActivities
    •     AppStream 2.0
            o DescribeFleets
            o DescribeImages
            o DescribeSessions
            o ExpireSession
            o ListAssociatedFleets
            o ListAssociatedStacks
    •     Amazon CloudWatch Logs
            o CreateLogGroup
            o CreateLogStream
            o PutLogEvents
    •     Amazon SES
            o SendEmail
    •     Amazon S3
            o DeleteObject
            o HeadBucket
            o ListAllMyBuckets
            o ListBucket
    •     WorkSpaces
            o DescribeWorkspaces
            o DescribeWorkspacesConnectionStatus
            o DescribeWorkspaceDirectories
            o RebootWorkspaces
            o RebuildWorkspaces
            o StartWorkspaces
            o StopWorkspaces

    Complete the following steps to create the custom IAM policy:

    1. Open the IAM console at
    2. In the navigation pane, choose Policies.
    3. If this is your first time choosing Policies, the Welcome to Managed Policies page appears. Choose Get Started.
    4. Choose Create policy.
    5. Choose the JSON tab.
    6. Copy and paste the following JSON policy into the policy document box.

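        {
            "Version": "2012-10-17",
            "Statement": [{
                "Sid": "VisualEditor0", "Effect": "Allow",
                "Action": [
                    "application-autoscaling:DescribeScalingActivities", "appstream:DescribeFleets", "appstream:DescribeImages", "appstream:DescribeSessions", "appstream:ExpireSession", "appstream:ListAssociatedFleets", "appstream:ListAssociatedStacks",
                    "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "ses:SendEmail", "s3:DeleteObject", "s3:HeadBucket", "s3:ListAllMyBuckets", "s3:ListBucket",
                    "workspaces:DescribeWorkspaces", "workspaces:DescribeWorkspacesConnectionStatus", "workspaces:DescribeWorkspaceDirectories", "workspaces:RebootWorkspaces", "workspaces:RebuildWorkspaces", "workspaces:StartWorkspaces", "workspaces:StopWorkspaces"
                ],
                "Resource": "*"
            }]
        }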
    7. When you’re done, choose Review policy.
    8. For Name, type the following name for your new policy: examplecorp_lambda_dashboard_policy.
    9. Choose Create policy.
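
The policy above allows every listed action on every resource. The following is an added example, not part of the original tutorial or its repository: it rebuilds that policy from the Step 1 permission list, narrows the S3 and CloudWatch Logs actions to named resources, and reports which state-changing actions are still allowed on "*". The bucket name, Region and account ID are constructed placeholders, and the log group path assumes Lambda's default /aws/lambda/<function-name> naming.

```python
import json

# Assumed placeholders: the page does not name the bucket, Region or account.
BUCKET, REGION, ACCOUNT = "examplecorp-dashboard-bucket", "us-east-1", "111122223333"
FUNCTION = "examplecorp_lambda_dashboard_function"  # function name from Step 3
LOGS = f"arn:aws:logs:{REGION}:{ACCOUNT}"

# Permissions exactly as listed in Step 1, keyed by IAM service prefix.
LISTED = {
    "application-autoscaling": ["DescribeScalingActivities"],
    "appstream": ["DescribeFleets", "DescribeImages", "DescribeSessions",
                  "ExpireSession", "ListAssociatedFleets", "ListAssociatedStacks"],
    "logs": ["CreateLogGroup", "CreateLogStream", "PutLogEvents"],
    "ses": ["SendEmail"],
    "s3": ["DeleteObject", "HeadBucket", "ListAllMyBuckets", "ListBucket"],
    "workspaces": ["DescribeWorkspaces", "DescribeWorkspacesConnectionStatus",
                   "DescribeWorkspaceDirectories", "RebootWorkspaces",
                   "RebuildWorkspaces", "StartWorkspaces", "StopWorkspaces"],
}
ALL = [f"{svc}:{name}" for svc, names in LISTED.items() for name in names]
# Actions narrowed to a named resource; everything else stays on "*" as on the page.
SCOPED = {
    "logs:CreateLogGroup": f"{LOGS}:*",
    "logs:CreateLogStream": f"{LOGS}:log-group:/aws/lambda/{FUNCTION}:*",
    "logs:PutLogEvents": f"{LOGS}:log-group:/aws/lambda/{FUNCTION}:*",
    "s3:ListBucket": f"arn:aws:s3:::{BUCKET}",
    "s3:DeleteObject": f"arn:aws:s3:::{BUCKET}/*",
}
READ_ONLY = ("Describe", "List", "Head", "Get")

def build_policy(scoped=None):
    """scoped=None gives the page's policy; pass SCOPED for the narrowed one."""
    by_resource = {}
    for action in ALL:
        by_resource.setdefault((scoped or {}).get(action, "*"), []).append(action)
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": sorted(a), "Resource": r}
        for r, a in by_resource.items()]}

def unscoped_writes(policy):
    """State-changing actions the policy still allows on Resource '*'."""
    return sorted(a for s in policy["Statement"] if s["Resource"] == "*"
                  for a in s["Action"] if not a.split(":")[1].startswith(READ_ONLY))

if __name__ == "__main__":
    print(json.dumps(build_policy(SCOPED), indent=4))
    print("still on *:", unscoped_writes(build_policy(SCOPED)))
```

The actions that remain in the second list are the ones to review next against the resource types each service supports.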
  • Step 2. Create an IAM service role that lets Lambda functions call AWS services

    Lambda requires an IAM service role to allow the service to access resources in other services on your behalf. Complete the following steps to create an IAM service role and attach the policy that you created to this role.

    1. Open the IAM console at
    2. In the navigation pane, under Roles, choose Create role.
    3. For Select type of trusted entity, keep AWS service selected.
    4. Under Choose a use case, choose Lambda, and then choose Next: Permissions.
    5. In the Filter policies search box, enter examplecorp_lambda_dashboard_policy. When the policy appears in the list, select the check box next to the policy name.
    6. Choose Next: Tags. Although you can specify a tag for the role, a tag isn’t required.
    7. Choose Next: Review.
    8. For Role name, enter examplecorp_lambda_dashboard_role.
    9. Choose Create role.

  • Step 3. Create a Lambda function

    Complete the following steps to create a Lambda function.

    Note: If your AppStream 2.0 fleets and WorkSpaces directories and instances are located in multiple Regions and you want to enable these Regions in the EUC dashboard, repeat these steps to create a Lambda function in each Region that you want to enable.

    1. Download the Example Corp. website assets from our repository to your local computer.
    2. Extract the file that you downloaded on your local computer.
    3. Open the Lambda console at
    4. Do one of the following:

      • If you haven’t created any Lambda functions, a Getting Started page displays. Under Getting Started, choose Create a function.
      • If you’ve already created a Lambda function, in the upper-right corner of the Functions page, choose Create a function.

    5. On the Create function page, keep Author from scratch selected.
    6. Under Basic information, do the following:

      • For Function name, enter examplecorp_lambda_dashboard_function.
      • For Runtime, choose Python 3.8.

    7. Under Permissions, choose the arrow icon next to Choose or create an execution role. Then do the following:

      • For Execution role, choose Use an existing role.
      • For Existing role, choose examplecorp_lambda_dashboard_role from the list.

    8. Choose Create function.
    9. Navigate to the location where you extracted files on your local computer in step 2 and open the file /Lambda/ in a text editor. Copy the contents of the file.
    10. In the Function code section, on the lambda_function tab, the placeholder code displays. Delete the placeholder code, and then paste the code that you copied in the previous step onto the tab.
    11. In the code, replace <origin-domain> with the CloudFront web distribution domain name URL from Module 1, Step 3. Create an Amazon CloudFront web distribution. The format is as follows:


      This website originates the request to API Gateway.

    12. In the upper-right corner of the page, choose Deploy, and then close the Lambda console.
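
How a handler can pin responses to the single origin configured in step 11, as an added example that is not the code from the Example Corp. repository. It assumes the <origin-domain> value is used as the allowed CORS origin and that API Gateway invokes the function with a Lambda proxy event; ALLOWED_ORIGIN is a constructed placeholder and request_origin and respond are hypothetical helper names.

```python
import json

# Constructed placeholder for <origin-domain>; use your CloudFront domain from Module 1.
ALLOWED_ORIGIN = "https://d111111abcdef8.cloudfront.net"

def request_origin(event):
    """Return the Origin header of an API Gateway proxy event, case-insensitively."""
    headers = event.get("headers") or {}
    for name, value in headers.items():
        if name.lower() == "origin":
            return value
    return None

def respond(status, body, origin_ok):
    """Build a proxy response; the CORS header is added only for the allowed origin."""
    headers = {"Content-Type": "application/json", "Vary": "Origin"}
    if origin_ok:
        # Return the one configured origin, never "*" and never the request's own value.
        headers["Access-Control-Allow-Origin"] = ALLOWED_ORIGIN
    return {"statusCode": status, "headers": headers, "body": json.dumps(body)}

def lambda_handler(event, context):
    # Exact string match: prefix or suffix matching would accept look-alike domains.
    if request_origin(event) != ALLOWED_ORIGIN:
        return respond(403, {"error": "origin not allowed"}, origin_ok=False)
    return respond(200, {"status": "ok"}, origin_ok=True)
```

The Origin header is supplied by the client, so this check constrains browsers rather than other HTTP clients; it does not replace authorization on the API.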