Amazon AppStream 2.0
Developer Guide

Controlling Access to Amazon AppStream 2.0

By default, IAM users don't have permission to create or modify AppStream 2.0 resources, use Fleet Auto Scaling, or perform tasks using the AppStream 2.0 API. To allow IAM users to create or modify resources and perform tasks, you must create IAM policies that grant permissions on specific resources and API actions, and then attach those policies to the IAM users or groups that require those permissions.

While creating AppStream 2.0 resources, AppStream 2.0 makes API calls to other AWS services on behalf of the user. This authentication is accomplished by the service assuming specific IAM roles available in the user's account. These IAM roles are created by the service when the user gets started with the service in an AWS region.

Using the IAM Service Role

The following service role is available for AppStream 2.0.


Allows AppStream 2.0 to create and manage AppStream 2.0 resources on the user's behalf. This role provides the permissions listed.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeAvailabilityZones", "ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:DeleteNetworkInterface", "ec2:AssociateAddress", "ec2:DisassociateAddress", "ec2:DescribeRouteTables" ], "Resource": "*" } ] } Trust Relationship { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "" }, "Action": "sts:AssumeRole" } ] }

Using Identity Based Policies

AppStream 2.0 provides managed policies that you can attach to your IAM users and allow users to control your AppStream 2.0 resources or perform API actions through the AWS CLI, SDK, or console.


Provides full administrator access to AppStream 2.0.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "appstream:*" ], "Resource": "*" } ] }

Provides your IAM users with read-only access to AppStream 2.0 resources.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "appstream:Describe*", "appstream:List*", "appstream:Get*" ], "Resource": "*" } ] }

Application Auto Scaling IAM Role

Before you can use AppStream 2.0 Fleet Auto Scaling, Application Auto Scaling needs permissions to access Amazon CloudWatch alarms and AppStream 2.0 fleets. The service role ApplicationAutoscalingForAmazonAppStreamAccess is automatically added to your IAM roles when you use the AppStream 2.0 console. If you plan to use the AWS CLI instead, you must create the following role.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "appstream:UpdateFleet", "appstream:DescribeFleets" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarms" ], "Resource": [ "*" ] } ] }
Trust Relationship
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "" }, "Action": "sts:AssumeRole" } ] }

Application Auto Scaling Required IAM Permissions

To use AppStream 2.0 Fleet Auto Scaling, the IAM user accessing fleet creation and settings must have appropriate permissions for the services that support scaling. AppStream 2.0 requires the following permissions:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "appstream:", "application-autoscaling:", "cloudwatch:DeleteAlarms", "cloudwatch:DescribeAlarmsForMetric", "cloudwatch:DisableAlarmActions", "cloudwatch:DescribeAlarms", "cloudwatch:EnableAlarmActions", "cloudwatch:ListMetrics", "cloudwatch:PutMetricAlarm", "iam:passrole", "iam:ListRoles" ], "Resource": "*" } ] }