Controlling Access to Amazon WAM Resources - Amazon WorkSpaces Application Manager

Amazon WAM must have permission to perform certain actions on your behalf. You can grant this access using IAM roles.

By default, IAM users don't have permission to access Amazon WAM resources. To allow an IAM user to perform actions on Amazon WAM resources, you must create a policy that grants the user permission to access Amazon WAM.

For more information about configuring WorkSpaces to meet your security and compliance objectives, see Security in WorkSpaces.

Create the Application Packaging Role

This IAM role allows the Amazon WAM packaging instance to access your application package catalog. If you have not already done so, create the AmazonWamAppPackaging role using the following steps.

To create an IAM role to access your Amazon WAM application catalog

  1. Open the IAM console at

  2. In the navigation pane, choose Roles and then choose Create role.

  3. On the Select type of trusted entity page, select EC2, and then choose Next: Permissions.

  4. On the Attach permissions policies page, select the check box for the AmazonWorkSpacesApplicationManagerAdminAccess policy and then choose Next: Tags.

  5. (Optional) Add tags to the role, and then choose Next: Review.

  6. On the Review page, type AmazonWamAppPackaging as the name of the role, and then choose Create role.


    You must specify AmazonWamAppPackaging as the name of the role; otherwise, the packaging and validation applications can't access your packages.

Create the AWS Marketplace Access Role

This IAM role allows Amazon WAM to access the AWS Marketplace on your behalf. The first time you log in to the Amazon WAM console, you are prompted to create a role with the name AmazonWamMarketplace_Default_Role. You must allow this role to be created.

The following is the IAM policy for the AmazonWamMarketplace_Default_Role role.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "catalog-admin:Describe*",
                    "catalog-admin:Get*",
                    "catalog-admin:Search*",
                    "catalog-admin:List*",
                    "catalog-admin:CreateListing",
                    "catalog-admin:UpdateListing",
                    "catalog-admin:DeleteListing",
                    "catalog-user:SimulateView*",
                    "catalog-user:SimulateGet*",
                    "catalog-user:SimulateBrowse*"
                ],
                "Resource": "*"
            }
        ]
    }

This role trusts the service to assume it. The following is the trust policy document.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Principal": {
                    "Service": ""
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }

If you're using AWS Organizations to manage policies for your AWS account, include the following policy within the AmazonWamMarketplace_Default_Role role:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Stmt1541731687000",
                "Effect": "Allow",
                "Action": [
                    "ec2:AcceptReservedInstancesExchangeQuote",
                    "wam:*",
                    "catalog-admin:*",
                    "catalog-user:*"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }

(Optional) Grant an IAM User Access to Amazon WAM

The following IAM policy allows an IAM user or group of users to administer Amazon WAM.


The catalog-admin:Search* action allows a user to select an Amazon WAM subscription plan. For more information, see Pricing and Plans.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "catalog-admin:*",
                    "ds:*",
                    "iam:ListAttachedRolePolicies",
                    "iam:ListRoles",
                    "iam:CreateRole",
                    "iam:PutRolePolicy"
                ],
                "Resource": "*"
            }
        ]
    }

For more information about embedding a policy in a user or group, see Working with Inline Policies in the IAM User Guide.
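
Before attaching the administrator policy above to a user or group, a reviewer can list which of its grants are service-wide or apply to every resource. The following Python check is an added example, not part of the AWS documentation; the function names and the ROLE_WRITE_ACTIONS set are assumptions chosen for this illustration.

```python
import json
from fnmatch import fnmatchcase

# Administrator policy from the section above, copied verbatim.
WAM_ADMIN_POLICY = """
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
  "Action": [ "catalog-admin:*", "ds:*", "iam:ListAttachedRolePolicies",
              "iam:ListRoles", "iam:CreateRole", "iam:PutRolePolicy" ],
  "Resource": "*" } ] }
"""

# Assumption: the IAM actions this check treats as able to grant permissions.
ROLE_WRITE_ACTIONS = ("iam:CreateRole", "iam:PutRolePolicy",
                      "iam:AttachRolePolicy", "iam:PassRole")


def as_list(value):
    """Action and Resource may each be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)


def review_policy(policy_json):
    """Return (statement index, finding) pairs for the Allow statements."""
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        unscoped = "*" in as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            pattern = action.lower()  # action names match case-insensitively
            if pattern == "*" or pattern.endswith(":*"):
                findings.append((i, f"wildcard action {action}"))
            if unscoped and any(fnmatchcase(a.lower(), pattern)
                                for a in ROLE_WRITE_ACTIONS):
                findings.append((i, f'{action} allowed on Resource "*"'))
    return findings


if __name__ == "__main__":
    for index, finding in review_policy(WAM_ADMIN_POLICY):
        print(f"Statement[{index}]: {finding}")
```

Each finding marks a grant to compare against what the user actually needs in the Amazon WAM console before the policy is embedded.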