AWS managed policies for WorkSpaces Web
To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.
AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services may occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services don't remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.
Additionally, AWS supports managed policies for job functions that span multiple
services. For example, the ReadOnlyAccess AWS managed policy
provides read-only access to all AWS services and resources. When a service launches a new
feature, AWS adds read-only permissions for new operations and resources. For a list and
descriptions of job function policies, see AWS managed policies for
job functions in the IAM User Guide.
AWS managed policy: AmazonWorkSpacesWebServiceRolePolicy
You can't attach the AmazonWorkSpacesWebServiceRolePolicy policy to your
IAM entities. This policy is attached to a service-linked role that allows WorkSpaces Web
to perform actions on your behalf. For more information, see Using service-linked roles for
WorkSpaces Web.
This policy grants administrative permissions that allow access to AWS services and resources used or managed by Amazon WorkSpaces Web.
Permissions details
This policy includes the following permissions:
-
WorkSpaces Web– Allows access to AWS services and resources used or managed by Amazon WorkSpaces Web. -
ec2– Allows principals to describe VPCs, subnets, and availability zones; create, tag, describe, and delete network interfaces; associate or disassociate an address; and describe route tables, security groups, and VPC endpoints. -
CloudWatch– Allows principals to put metric data. -
Kinesis- Allows principals to describe a summary of Kinesis data streams and put records into Kinesis data streams for user access logging. For more information, see Set up user access logging.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeAvailabilityZones", "ec2:DescribeNetworkInterfaces", "ec2:AssociateAddress", "ec2:DisassociateAddress", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeVpcEndpoints" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface" ], "Resource": [ "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:security-group/*" ] }, { "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface" ], "Resource": "arn:aws:ec2:*:*:network-interface/*", "Condition": { "StringEquals": { "aws:RequestTag/WorkSpacesWebManaged": "true" } } }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:*:*:network-interface/*", "Condition": { "StringEquals": { "ec2:CreateAction": "CreateNetworkInterface" }, "ForAllValues:StringEquals": { "aws:TagKeys": [ "WorkSpacesWebManaged" ] } } }, { "Effect": "Allow", "Action": [ "ec2:DeleteNetworkInterface" ], "Resource": "arn:aws:ec2:*:*:network-interface/*", "Condition": { "StringEquals": { "aws:ResourceTag/WorkSpacesWebManaged": "true" } } }, { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData" ], "Resource": "*", "Condition": { "StringEquals": { "cloudwatch:namespace": [ "AWS/WorkSpacesWeb", "AWS/Usage" ] } } }, { "Effect": "Allow", "Action": [ "kinesis:PutRecord", "kinesis:PutRecords", "kinesis:DescribeStreamSummary" ], "Resource": "arn:aws:kinesis:*:*:stream/amazon-workspaces-web-*" } ] }
AWS managed policy: AmazonWorkSpacesWebReadOnly
You can attach the AmazonWorkSpacesWebReadOnly policy to your IAM
identities.
This policy grants read-only permissions that allow access to WorkSpaces Web and its
dependencies through the AWS Management Console, SDK, and
CLI. This policy does
not include the permissions necessary to interact with portals using
IAM_Identity_Center as the authentication type. To get these permissions,
combine this policy with AWSSSOReadOnly.
Permissions details
This policy includes the following permissions.
-
WorkSpaces Web– Provides read-only access to Amazon WorkSpaces Web and its dependencies through the AWS Management Console, SDK, and CLI. -
ec2– Allows principals to describe VPCs, subnets, and security groups. This is used in the AWS Management Console in WorkSpaces Web to show you your VPCs, subnets, and security groups that are available foruse with the service. -
Kinesis- Allows principals to list Kinesis data streams. This is used in the AWS Management Console in WorkSpaces Web to show you Kinesis data streams that are available for use with the service.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "workspaces-web:GetBrowserSettings", "workspaces-web:GetIdentityProvider", "workspaces-web:GetNetworkSettings", "workspaces-web:GetPortal", "workspaces-web:GetPortalServiceProviderMetadata", "workspaces-web:GetTrustStore", "workspaces-web:GetTrustStoreCertificate", "workspaces-web:GetUserSettings", "workspaces-web:GetUserAccessLoggingSettings", "workspaces-web:ListBrowserSettings", "workspaces-web:ListIdentityProviders", "workspaces-web:ListNetworkSettings", "workspaces-web:ListPortals", "workspaces-web:ListTagsForResource", "workspaces-web:ListTrustStoreCertificates", "workspaces-web:ListTrustStores", "workspaces-web:ListUserSettings", "workspaces-web:ListUserAccessLoggingSettings" ], "Resource": "arn:aws:workspaces-web:*:*:*" }, { "Effect": "Allow", "Action": [ "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "kinesis:ListStreams" ], "Resource": "*" } ] }
WorkSpaces Web updates to AWS managed policies
View details about updates to AWS managed policies for WorkSpaces Web since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Document history for the Amazon WorkSpaces Web User Guide page.
| Change | Description | Date |
|---|---|---|
|
AmazonWorkSpacesWebServiceRolePolicy – Updated policy |
WorkSpaces Web updated the policy to restrict CreateNetworkInterface to tag with aws:RequestTag/WorkSpacesWebManaged: true and act on subnet and security group resources, as well as restrict DeleteNetworkInterface to ENIs tagged with aws:ResourceTag/WorkSpacesWebManaged: true. | December 15, 2022 |
|
AmazonWorkSpacesWebReadOnly – Updated policy |
WorkSpaces Web updated the policy to include read permissions for user access logging and list Kinesis data streams. For more information, see Set up user access logging. |
November 2, 2022 |
|
AmazonWorkSpacesWebServiceRolePolicy – Updated policy |
WorkSpaces Web updated the policy to describe a summary of Kinesis data streams and put records into Kinesis data streams for user access logging. For more information, see Set up user access logging. |
October 17, 2022 |
|
AmazonWorkSpacesWebServiceRolePolicy – Updated policy |
WorkSpaces Web updated the policy to create tags during ENI creation. |
September 6, 2022 |
|
AmazonWorkSpacesWebServiceRolePolicy – Updated policy |
WorkSpaces Web updated the policy to add the AWS/Usage namespace to the PutMetricData API permissions. |
April 6, 2022 |
|
AmazonWorkSpacesWebReadOnly – New policy |
WorkSpaces Web added a new policy to provide read-only access to Amazon WorkSpaces Web and its dependencies through the AWS Management Console, SDK, and CLI. |
November 30, 2021 |
|
AmazonWorkSpacesWebServiceRolePolicy – New policy |
WorkSpaces Web added a new policy to allow access to AWS services and resources used or managed by Amazon WorkSpaces Web. |
November 30, 2021 |
|
WorkSpaces Web started tracking changes |
WorkSpaces Web started tracking changes for its AWS managed policies. |
November 30, 2021 |
