Identity and access management for WorkSpaces Instances
By default, IAM users don't have permissions for WorkSpaces Instances resources and operations. To allow IAM users to manage WorkSpaces Instances resources, you must create an IAM policy that explicitly grants them permissions, and attach the policy to the IAM users or groups that require those permissions.
To provide access, add permissions to your users, groups, or roles:
- Users and groups in AWS IAM Identity Center: Create a permission set. Follow the instructions in Create a permission set in the AWS IAM Identity Center User Guide.
- Users managed in IAM through an identity provider: Create a role for identity federation. Follow the instructions in Create a role for a third-party identity provider (federation) in the IAM User Guide.
- IAM users:
  - Create a role that your user can assume. Follow the instructions in Create a role for an IAM user in the IAM User Guide.
  - (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in Adding permissions to a user (console) in the IAM User Guide.
Following are additional resources for IAM:
- For more information about IAM policies, see Policies and Permissions in the IAM User Guide.
- For more information about IAM, see Identity and Access Management (IAM) and the IAM User Guide.
- For more information about WorkSpaces Instances specific resources, actions, and condition context keys for use in IAM permission policies, see Actions, Resources, and Condition Keys for Amazon WorkSpaces Managed Instances in the IAM User Guide.
- For a tool that helps you create IAM policies, see the AWS Policy Generator. You can also use the IAM Policy Simulator to test whether a policy would allow or deny a specific request to AWS.
Amazon WorkSpaces Instances example policies
The following example shows policy statements that you could use to grant access to perform WorkSpaces Instances tasks.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "workspaces-instances:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags",
        "ec2:DescribeVolumes",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:StopInstances",
        "ec2:StartInstances"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:TerminateInstances",
        "ec2:DeleteVolume",
        "ec2:CreateVolume",
        "ec2:AttachVolume",
        "ec2:DetachVolume"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": "workspaces-instances.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey*"
      ],
      "Resource": "*"
    }
  ]
}
Note: In place of *, grant permissions to the specific KMS key that you are using.
If you are using the Amazon WorkSpaces Console, you will also need to add the following permissions:
- iam:GetRole
- iam:CreateServiceLinkedRole
Note: If you have already onboarded using the Amazon WorkSpaces Console, iam:CreateServiceLinkedRole is optional.
Additional permissions may be required for specific partner requirements. For more information on partner permissions, refer to your partner-specific guides.
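As an added example (not part of the AWS documentation and not AWS code), the following Python script holds a constructed copy of the example policy above, flags the KMS statement that still grants on Resource "*", rewrites it to a specific key ARN as the Note recommends, and lists which EC2 actions the policy only allows when the call comes through the WorkSpaces Instances service (the aws:CalledVia condition). The key ARN is a placeholder and the function names are assumptions for illustration.

```python
import copy
import json

# Constructed copy of the example policy shown on this page. The last statement
# still uses "Resource": "*" for KMS, which the page's Note says to replace
# with the specific key you use.
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["workspaces-instances:*"], "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags", "ec2:DescribeVolumes", "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus", "ec2:StopInstances", "ec2:StartInstances",
            ],
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances", "ec2:TerminateInstances", "ec2:DeleteVolume",
                "ec2:CreateVolume", "ec2:AttachVolume", "ec2:DetachVolume",
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringEquals": {"aws:CalledVia": "workspaces-instances.amazonaws.com"}
            },
        },
        {
            "Effect": "Allow",
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
            "Resource": "*",
        },
    ],
}

# Placeholder, not a real key: substitute the ARN of the KMS key you actually use.
KMS_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/REPLACE-WITH-YOUR-KEY-ID"


def _as_list(value):
    """IAM lets Action, Resource and condition values be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def kms_statements_on_wildcard(policy):
    """Return the indices of Allow statements that grant any kms: action on Resource "*"."""
    hits = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in resources and any(action.startswith("kms:") for action in actions):
            hits.append(index)
    return hits


def scope_kms_to_key(policy, key_arn):
    """Return a deep copy of the policy with every wildcard KMS statement scoped to key_arn."""
    scoped = copy.deepcopy(policy)
    for index in kms_statements_on_wildcard(policy):
        scoped["Statement"][index]["Resource"] = key_arn
    return scoped


def actions_by_called_via(policy, service):
    """Split allowed actions into those gated on aws:CalledVia == service and those granted directly."""
    gated, ungated = set(), set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        condition = stmt.get("Condition", {})
        called_via = _as_list(condition.get("ForAnyValue:StringEquals", {}).get("aws:CalledVia", []))
        target = gated if service in called_via else ungated
        target.update(_as_list(stmt.get("Action", [])))
    return sorted(gated), sorted(ungated)


if __name__ == "__main__":
    print("KMS statements granting on '*':", kms_statements_on_wildcard(EXAMPLE_POLICY))
    hardened = scope_kms_to_key(EXAMPLE_POLICY, KMS_KEY_ARN)
    gated, ungated = actions_by_called_via(hardened, "workspaces-instances.amazonaws.com")
    print("Allowed only via WorkSpaces Instances:", gated)
    print("Allowed directly to the principal:", ungated)
    print(json.dumps(hardened, indent=2))
```

The split reported by actions_by_called_via is useful when reviewing a policy: actions in the gated list (RunInstances, TerminateInstances and the volume actions) can only succeed when the WorkSpaces Instances service makes the EC2 call on the principal's behalf, whereas the ungated list shows what the principal can call directly.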
Specify WorkSpaces resources in an IAM policy
To specify a WorkSpaces Instances resource in the Resource element of the policy statement, use the Amazon Resource Name (ARN) of the resource. You control access to your WorkSpaces Instances resources by either allowing or denying permissions to use the API actions that are specified in the Action element of your IAM policy statement. WorkSpaces Instances defines ARNs for WorkSpaces Instances, bundles, IP groups, and directories.
WorkSpaces Instances Instance ARN
A WorkSpaces Instances ARN has the syntax shown in the following example.
arn:aws:workspaces-instances:region:account_id:workspaceinstance/workspace_instance_identifier
- region: The Region that the WorkSpaces Instance is in (for example, us-east-1).
- account_id: The ID of the AWS account, with no hyphens (for example, 123456789012).
- workspace_instance_identifier: The ID of the WorkSpaces Instance. In a policy statement the full ARN appears as, for example, "Resource": "arn:aws:workspaces-instances:region:account_id:workspaceinstance/workspace_instance_identifier".
You can use the * wildcard to specify all WorkSpaces Instances that belong to a specific account in a specific Region.
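As an added example (not from the AWS documentation), the following Python code parses and validates WorkSpaces Instances ARNs of the form shown above, builds the account-and-Region wildcard pattern, and applies the same * and ? wildcard matching that the IAM Resource element uses, so you can check offline which of a set of instance ARNs a given Resource element would cover. The instance IDs are constructed samples and the function names are assumptions for illustration.

```python
import re
from dataclasses import dataclass

SERVICE_PREFIX = "arn:aws:workspaces-instances:"


@dataclass(frozen=True)
class WorkSpaceInstanceArn:
    """The three variable parts of arn:aws:workspaces-instances:region:account_id:workspaceinstance/id."""
    region: str
    account_id: str
    instance_id: str

    def __str__(self):
        return f"{SERVICE_PREFIX}{self.region}:{self.account_id}:workspaceinstance/{self.instance_id}"


def parse_workspace_instance_arn(arn):
    """Parse a WorkSpaces Instances ARN; raise ValueError for anything that does not fit the syntax."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[:3] != ["arn", "aws", "workspaces-instances"]:
        raise ValueError(f"not a WorkSpaces Instances ARN: {arn!r}")
    region, account_id, resource = parts[3:]
    resource_type, _, instance_id = resource.partition("/")
    if resource_type != "workspaceinstance" or not instance_id:
        raise ValueError(f"expected workspaceinstance/<id>, got {resource!r}")
    if not re.fullmatch(r"[a-z0-9-]+", region):
        raise ValueError(f"malformed Region {region!r}")
    # The page specifies the account ID with no hyphens; AWS account IDs are 12 digits.
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError(f"account_id must be 12 digits with no hyphens, got {account_id!r}")
    return WorkSpaceInstanceArn(region, account_id, instance_id)


def is_valid_workspace_instance_arn(arn):
    """Boolean wrapper around the parser."""
    try:
        parse_workspace_instance_arn(arn)
        return True
    except ValueError:
        return False


def all_instances_in(region, account_id):
    """Resource pattern covering every WorkSpaces Instance in one account and Region."""
    return f"{SERVICE_PREFIX}{region}:{account_id}:workspaceinstance/*"


def resource_matches(pattern, arn):
    """IAM Resource matching: '*' is any run of characters, '?' one character, all else literal."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, arn) is not None


def allowed_resources(resource_element, candidate_arns):
    """Return the candidate ARNs covered by a policy Resource element (a string or a list)."""
    patterns = resource_element if isinstance(resource_element, list) else [resource_element]
    return [arn for arn in candidate_arns if any(resource_matches(p, arn) for p in patterns)]


if __name__ == "__main__":
    # Constructed sample ARNs; the instance IDs are made up for illustration.
    east = "arn:aws:workspaces-instances:us-east-1:123456789012:workspaceinstance/ws-example-a"
    west = "arn:aws:workspaces-instances:us-west-2:123456789012:workspaceinstance/ws-example-b"
    pattern = all_instances_in("us-east-1", "123456789012")
    print(parse_workspace_instance_arn(east))
    print(pattern, "->", allowed_resources(pattern, [east, west]))
```

Running the script shows that the account-and-Region wildcard covers only the us-east-1 instance, while a bare "*" would cover both; the parser also rejects an account ID written with hyphens, which is the form the page warns against.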