AWS managed policies for WorkSpaces Secure Browser - Amazon WorkSpaces Secure Browser

AWS managed policies for WorkSpaces Secure Browser

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services may occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services don't remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.

AWS managed policy: AmazonWorkSpacesWebServiceRolePolicy

You can't attach the AmazonWorkSpacesWebServiceRolePolicy policy to your IAM entities. This policy is attached to a service-linked role that allows WorkSpaces Secure Browser to perform actions on your behalf. For more information, see Using service-linked roles for WorkSpaces Secure Browser.

This policy grants administrative permissions that allow access to AWS services and resources used or managed by WorkSpaces Secure Browser.

Permissions details

This policy includes the following permissions:

  • workspaces-web – Allows access to AWS services and resources used or managed by WorkSpaces Secure Browser.

  • ec2 – Allows principals to describe VPCs, subnets, and availability zones; create, tag, describe, and delete network interfaces; associate or disassociate an address; and describe route tables, security groups, and VPC endpoints.

  • CloudWatch – Allows principals to put metric data.

  • Kinesis - Allows principals to describe a summary of Kinesis data streams and put records into Kinesis data streams for user access logging. For more information, see Set up user access logging.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeAvailabilityZones", "ec2:DescribeNetworkInterfaces", "ec2:AssociateAddress", "ec2:DisassociateAddress", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeVpcEndpoints" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface" ], "Resource": [ "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:security-group/*" ] }, { "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface" ], "Resource": "arn:aws:ec2:*:*:network-interface/*", "Condition": { "StringEquals": { "aws:RequestTag/WorkSpacesWebManaged": "true" } } }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:*:*:network-interface/*", "Condition": { "StringEquals": { "ec2:CreateAction": "CreateNetworkInterface" }, "ForAllValues:StringEquals": { "aws:TagKeys": [ "WorkSpacesWebManaged" ] } } }, { "Effect": "Allow", "Action": [ "ec2:DeleteNetworkInterface" ], "Resource": "arn:aws:ec2:*:*:network-interface/*", "Condition": { "StringEquals": { "aws:ResourceTag/WorkSpacesWebManaged": "true" } } }, { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData" ], "Resource": "*", "Condition": { "StringEquals": { "cloudwatch:namespace": [ "AWS/WorkSpacesWeb", "AWS/Usage" ] } } }, { "Effect": "Allow", "Action": [ "kinesis:PutRecord", "kinesis:PutRecords", "kinesis:DescribeStreamSummary" ], "Resource": "arn:aws:kinesis:*:*:stream/amazon-workspaces-web-*" } ] }

AWS managed policy: AmazonWorkSpacesSecureBrowserReadOnly

You can attach the AmazonWorkSpacesSecureBrowserReadOnly policy to your IAM identities.

This policy grants read-only permissions that allow access to WorkSpaces Secure Browser and its dependencies through the AWS Management Console, SDK, and CLI. This policy does not include the permissions necessary to interact with portals using IAM_Identity_Center as the authentication type. To get these permissions, combine this policy with AWSSSOReadOnly.

Permissions details

This policy includes the following permissions.

  • workspaces-web – Provides read-only access to WorkSpaces Secure Browser and its dependencies through the AWS Management Console, SDK, and CLI.

  • ec2 – Allows principals to describe VPCs, subnets, and security groups. This is used in the AWS Management Console in WorkSpaces Secure Browser to show you your VPCs, subnets, and security groups that are available foruse with the service.

  • Kinesis - Allows principals to list Kinesis data streams. This is used in the AWS Management Console in WorkSpaces Secure Browser to show you Kinesis data streams that are available for use with the service.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "workspaces-web:GetBrowserSettings", "workspaces-web:GetIdentityProvider", "workspaces-web:GetNetworkSettings", "workspaces-web:GetPortal", "workspaces-web:GetPortalServiceProviderMetadata", "workspaces-web:GetTrustStore", "workspaces-web:GetTrustStoreCertificate", "workspaces-web:GetUserSettings", "workspaces-web:GetUserAccessLoggingSettings", "workspaces-web:ListBrowserSettings", "workspaces-web:ListIdentityProviders", "workspaces-web:ListNetworkSettings", "workspaces-web:ListPortals", "workspaces-web:ListTagsForResource", "workspaces-web:ListTrustStoreCertificates", "workspaces-web:ListTrustStores", "workspaces-web:ListUserSettings", "workspaces-web:ListUserAccessLoggingSettings" ], "Resource": "arn:aws:workspaces-web:*:*:*" }, { "Effect": "Allow", "Action": [ "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "kinesis:ListStreams" ], "Resource": "*" } ] }

AWS managed policy: AmazonWorkSpacesWebReadOnly

You can attach the AmazonWorkSpacesWebReadOnly policy to your IAM identities.

This policy grants read-only permissions that allow access to WorkSpaces Secure Browser and its dependencies through the AWS Management Console, SDK, and CLI. This policy does not include the permissions necessary to interact with portals using IAM_Identity_Center as the authentication type. To get these permissions, combine this policy with AWSSSOReadOnly.

Note

If you are currently using this policy, switch to the new AmazonWorkSpacesSecureBrowserReadOnly policy.

Permissions details

This policy includes the following permissions.

  • workspaces-web – Provides read-only access to WorkSpaces Secure Browser and its dependencies through the AWS Management Console, SDK, and CLI.

  • ec2 – Allows principals to describe VPCs, subnets, and security groups. This is used in the AWS Management Console in WorkSpaces Secure Browser to show you your VPCs, subnets, and security groups that are available foruse with the service.

  • Kinesis - Allows principals to list Kinesis data streams. This is used in the AWS Management Console in WorkSpaces Secure Browser to show you Kinesis data streams that are available for use with the service.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "workspaces-web:GetBrowserSettings", "workspaces-web:GetIdentityProvider", "workspaces-web:GetNetworkSettings", "workspaces-web:GetPortal", "workspaces-web:GetPortalServiceProviderMetadata", "workspaces-web:GetTrustStore", "workspaces-web:GetTrustStoreCertificate", "workspaces-web:GetUserSettings", "workspaces-web:GetUserAccessLoggingSettings", "workspaces-web:ListBrowserSettings", "workspaces-web:ListIdentityProviders", "workspaces-web:ListNetworkSettings", "workspaces-web:ListPortals", "workspaces-web:ListTagsForResource", "workspaces-web:ListTrustStoreCertificates", "workspaces-web:ListTrustStores", "workspaces-web:ListUserSettings", "workspaces-web:ListUserAccessLoggingSettings" ], "Resource": "arn:aws:workspaces-web:*:*:*" }, { "Effect": "Allow", "Action": [ "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "kinesis:ListStreams" ], "Resource": "*" } ] }

WorkSpaces Secure Browser updates to AWS managed policies

View details about updates to AWS managed policies for WorkSpaces Secure Browser since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Document history for the Amazon WorkSpaces Secure Browser Administration Guide page.

Change Description Date

AmazonWorkSpacesSecureBrowserReadOnly – New policy

WorkSpaces Secure Browser added a new policy to provide read-only access to WorkSpaces Secure Browser and its dependencies through the AWS Management Console, SDK, and CLI.

June 24, 2024

AmazonWorkSpacesWebServiceRolePolicy – Updated policy

WorkSpaces Secure Browser updated the policy to restrict CreateNetworkInterface to tag with aws:RequestTag/WorkSpacesWebManaged: true and act on subnet and security group resources, as well as restrict DeleteNetworkInterface to ENIs tagged with aws:ResourceTag/WorkSpacesWebManaged: true. December 15, 2022
AmazonWorkSpacesWebReadOnly – Updated policy

WorkSpaces Secure Browser updated the policy to include read permissions for user access logging and list Kinesis data streams. For more information, see Set up user access logging.

November 2, 2022

AmazonWorkSpacesWebServiceRolePolicy – Updated policy

WorkSpaces Secure Browser updated the policy to describe a summary of Kinesis data streams and put records into Kinesis data streams for user access logging. For more information, see Set up user access logging.

October 17, 2022

AmazonWorkSpacesWebServiceRolePolicy – Updated policy

WorkSpaces Secure Browser updated the policy to create tags during ENI creation.

September 6, 2022

AmazonWorkSpacesWebServiceRolePolicy – Updated policy

WorkSpaces Secure Browser updated the policy to add the AWS/Usage namespace to the PutMetricData API permissions.

April 6, 2022

AmazonWorkSpacesWebReadOnly – New policy

WorkSpaces Secure Browser added a new policy to provide read-only access to WorkSpaces Secure Browser and its dependencies through the AWS Management Console, SDK, and CLI.

November 30, 2021

AmazonWorkSpacesWebServiceRolePolicy – New policy

WorkSpaces Secure Browser added a new policy to allow access to AWS services and resources used or managed by WorkSpaces Secure Browser.

November 30, 2021

WorkSpaces Secure Browser started tracking changes

WorkSpaces Secure Browser started tracking changes for its AWS managed policies.

November 30, 2021