AWS managed policies for Amazon WorkSpaces Thin Client
An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.
Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.
You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.
For more information, see AWS managed policies in the IAM User Guide.
AWS managed policy: AmazonWorkSpacesThinClientReadOnlyAccess
You can attach the AmazonWorkSpacesThinClientReadOnlyAccess
policy to your IAM
identities. This policy grants full access permissions to the WorkSpaces Thin Client service and its
dependencies. For more information on this managed policy, see
AmazonWorkSpacesThinClientReadOnlyAccess in the AWS Managed Policy Reference guide.
Permissions details
This policy includes the following permissions.
-
thinclient
(WorkSpaces Thin Client) – Allows read-only access to all WorkSpaces Thin Client actions. -
workspaces
(WorkSpaces) – Allows permissions to describe WorkSpaces directories and connection aliases. This is used to check that your WorkSpaces resources are compatible with WorkSpaces Thin Client. It is also used to show these resources in the WorkSpaces Thin Client AWS console. -
workspaces-web
(WorkSpaces Secure Browser) – Allows permissions to describe WorkSpaces Secure Browser portals and user settings. This is used to check that your WorkSpaces Secure Browser resources are compatible with WorkSpaces Thin Client. It is also used to show these resources in the WorkSpaces Thin Client AWS console. -
appstream
(AppStream 2.0) – Allows permissions to describe AppStream 2.0 stacks. This is used to check that your AppStream 2.0 resources are compatible with WorkSpaces Thin Client. It is also used to show these resources in the WorkSpaces Thin Client AWS console.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowThinClientReadAccess", "Effect": "Allow", "Action": [ "thinclient:GetDevice", "thinclient:GetDeviceDetails", "thinclient:GetEnvironment", "thinclient:GetSoftwareSet", "thinclient:ListDevices", "thinclient:ListDeviceSessions", "thinclient:ListEnvironments", "thinclient:ListSoftwareSets", "thinclient:ListTagsForResource" ], "Resource": "*" }, { "Sid": "AllowWorkSpacesAccess", "Effect": "Allow", "Action": [ "workspaces:DescribeConnectionAliases", "workspaces:DescribeWorkspaceDirectories" ], "Resource": "*" }, { "Sid": "AllowWorkSpacesSecureBrowserAccess", "Effect": "Allow", "Action": [ "workspaces-web:GetPortal", "workspaces-web:GetUserSettings", "workspaces-web:ListPortals" ], "Resource": "*" }, { "Sid": "AllowAppStreamAccess", "Effect": "Allow", "Action": [ "appstream:DescribeStacks" ], "Resource": "*" } ] } }
AWS managed policy: AmazonWorkSpacesThinClientFullAccess
You can attach the AmazonWorkSpacesThinClientFullAccess
policy to your IAM
identities. This policy grants full access permissions to the WorkSpaces Thin Client service and its
dependencies. For more information on this managed policy, see
AmazonWorkSpacesThinClientFullAccess in the AWS Managed Policy Reference Guide.
Permissions details
This policy includes the following permissions:
-
thinclient
(WorkSpaces Thin Client) – Allows full access to all WorkSpaces Thin Client actions. -
workspaces
(WorkSpaces) – Allows permissions to describe WorkSpaces directories and connection aliases. This is used to check that your WorkSpaces resources are compatible with WorkSpaces Thin Client. It is also used to show these resources in the WorkSpaces Thin Client AWS console. -
workspaces-web
(WorkSpaces Secure Browser) – Allows permissions to describe WorkSpaces Secure Browser portals and user settings. This is used to check that your WorkSpaces Secure Browser resources are compatible with WorkSpaces Thin Client. It is also used to show these resources in the WorkSpaces Thin Client AWS console. -
appstream
(AppStream 2.0) – Allows permissions to describe AppStream 2.0 stacks. This is used to check that your AppStream 2.0 resources are compatible with WorkSpaces Thin Client. It is also used to show these resources in the WorkSpaces Thin Client AWS console.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowThinClientFullAccess", "Effect": "Allow", "Action": [ "thinclient:*" ], "Resource": "*" }, { "Sid": "AllowWorkSpacesAccess", "Effect": "Allow", "Action": [ "workspaces:DescribeConnectionAliases", "workspaces:DescribeWorkspaceDirectories" ], "Resource": "*" }, { "Sid": "AllowWorkSpacesSecureBrowserAccess", "Effect": "Allow", "Action": [ "workspaces-web:GetPortal", "workspaces-web:GetUserSettings", "workspaces-web:ListPortals" ], "Resource": "*" }, { "Sid": "AllowAppStreamAccess", "Effect": "Allow", "Action": [ "appstream:DescribeStacks" ], "Resource": "*" } ] } }
WorkSpaces Thin Client updates to AWS managed policies
Change | Description | Date |
---|---|---|
AmazonWorkSpacesThinClientReadOnlyAccess – Updated policy |
WorkSpaces Thin Client updated the policy to include limited read permissions for device details and WorkSpaces connection aliases. |
January 9th 2025 |
AmazonWorkSpacesThinClientFullAccess – Updated policy |
WorkSpaces Thin Client updated the policy to include limited read permissions for WorkSpaces connection aliases. |
January 9th 2025 |
AmazonWorkSpacesThinClientReadOnlyAccess – Updated policy |
WorkSpaces Thin Client updated the policy to include limited read permissions for AppStream 2.0, WorkSpaces Web and WorkSpaces. |
August 9th 2024 |
AmazonWorkSpacesThinClientFullAccess – New policy |
Provides full access to Amazon WorkSpaces Thin Client as well as limited access to required related services. |
August 9th 2024 |
AmazonWorkSpacesThinClientReadOnlyAccess – New policy |
Provides read-only access to Amazon WorkSpaces Thin Client and its dependencies. |
July 19th 2024 |
WorkSpaces Thin Client started tracking changes |
WorkSpaces Thin Client started tracking changes for its AWS managed policies. |
July 19th 2024 |