Sign In to the Console
Amazon WorkSpaces
Administration Guide

AWS Documentation » Amazon WorkSpaces » Administration Guide » Networking, Access, and Security for Amazon WorkSpaces » Control Access to Amazon WorkSpaces Resources

Control Access to Amazon WorkSpaces Resources

By default, IAM users don't have permissions for Amazon WorkSpaces resources and operations. To allow IAM users to manage Amazon WorkSpaces resources, you must create an IAM policy that explicitly grants them permissions, and attach the policy to the IAM users or groups that require those permissions. For more information about IAM policies, see Permissions and Policies in the IAM User Guide guide.

Amazon WorkSpaces also creates an IAM role to allow the Amazon WorkSpaces service access to required resources.

For more information about IAM, see Identity and Access Management (IAM) and the IAM User Guide.

Example 1: Perform all Amazon WorkSpaces tasks

The following policy statement grants an IAM user permission to perform all Amazon WorkSpaces tasks, including creating and managing directories, as well as running the quick setup procedure.

Note that although Amazon WorkSpaces fully supports the Action and Resource elements when using the API and command-line tools, you must set them both to "*" in order to use the Amazon WorkSpaces console successfully. 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "workspaces:*",
        "ds:*",
        "iam:PassRole", 
        "iam:GetRole", 
        "iam:CreateRole", 
        "iam:PutRolePolicy", 
        "kms:ListAliases",
        "kms:ListKeys",
        "ec2:CreateVpc", 
        "ec2:CreateSubnet", 
        "ec2:CreateNetworkInterface", 
        "ec2:CreateInternetGateway", 
        "ec2:CreateRouteTable", 
        "ec2:CreateRoute", 
        "ec2:CreateTags", 
        "ec2:CreateSecurityGroup", 
        "ec2:DescribeInternetGateways", 
        "ec2:DescribeRouteTables", 
        "ec2:DescribeVpcs", 
        "ec2:DescribeSubnets", 
        "ec2:DescribeNetworkInterfaces", 
        "ec2:DescribeAvailabilityZones", 
        "ec2:AttachInternetGateway", 
        "ec2:AssociateRouteTable", 
        "ec2:AuthorizeSecurityGroupEgress", 
        "ec2:AuthorizeSecurityGroupIngress", 
        "ec2:DeleteSecurityGroup", 
        "ec2:DeleteNetworkInterface", 
        "ec2:RevokeSecurityGroupEgress", 
        "ec2:RevokeSecurityGroupIngress",
        "workdocs:RegisterDirectory",
        "workdocs:DeregisterDirectory",
        "workdocs:AddUserToGroup",
        "workdocs:RemoveUserFromGroup"
      ],
      "Resource": "*"
    }
  ]
}

Example 2: Perform WorkSpace-specific tasks

The following policy statement grants an IAM user permission to perform WorkSpace-specific tasks, such as launching and removing WorkSpaces. In the policy statement, the ds:* action grants broad permissions — full control over all Directory Services objects in the account. 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "workspaces:*",
        "ds:*"
        "iam:PutRolePolicy"
      ],
      "Resource": "*"
    }
  ]
}

To also grant the user the ability to enable Amazon WorkDocs for users within Amazon WorkSpaces, add the workdocs operations shown here: 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "workspaces:*",
        "ds:*",
        "workdocs:AddUserToGroup",
        "workdocs:RemoveUserFromGroup"
      ],
      "Resource": "*"
    }
  ]
}

To also grant the user the ability to use the Launch WorkSpaces wizard, add the kms operations shown here: 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "workspaces:*",
        "ds:*",
        "workdocs:AddUserToGroup",
        "workdocs:RemoveUserFromGroup",
        "kms:ListAliases",
        "kms:ListKeys"
      ],
      "Resource": "*"
    }
  ]
}

Specifying Amazon WorkSpaces Resources in an IAM Policy

To specify an Amazon WorkSpaces resource in the Resource element of the policy statement, you need to use the Amazon Resource Name (ARN) of the resource. You control access to your Amazon WorkSpaces resources by either allowing or denying permissions to use the API actions specified in the Action element of your IAM policy statement. Amazon WorkSpaces defines ARNs for WorkSpaces, bundles, IP groups, and directories.

WorkSpace ARN

A WorkSpace ARN has the following syntax:

arn:aws:workspaces:region:account_id:workspace/workspace_identifier
region

The region that the WorkSpace is in (for example, us-east-2).

account_id

The ID of the AWS account, with no hyphens (for example, 123456789012).

workspace_identifier

The ID of the WorkSpace (for example, ws-0123456789).

The following is the format of the Resource element of a policy statement that identifies a specific WorkSpace: 

"Resource": "arn:aws:workspaces:region:account_id:workspace/workspace_identifier"

You can use the * wildcard to specify all WorkSpaces that belong to a specific account in a specific region.

Bundle ARN

A bundle ARN has the following syntax:

arn:aws:workspaces:region:account_id:workspacebundle/bundle_identifier
region

The region that the WorkSpace is in (for example, us-east-2).

account_id

The ID of the AWS account, with no hyphens (for example, 123456789012).

bundle_identifier

The ID of the WorkSpace bundle (for example, wsb-0123456789).

The following is the format of the Resource element of a policy statement that identifies a specific bundle: 

"Resource": "arn:aws:workspaces:region:account_id:workspacebundle/bundle_identifier"

You can use the * wildcard to specify all bundles that belong to a specific account in a specific region.

IP Group ARN

An IP group ARN has the following syntax:

arn:aws:workspaces:region:account_id:workspaceipgroup/ipgroup_identifier
region

The region that the WorkSpace is in (for example, us-east-2).

account_id

The ID of the AWS account, with no hyphens (for example, 123456789012).

ipgroup_identifier

The ID of the IP group (for example, wsipg-a1bcd2efg).

The following is the format of the Resource element of a policy statement that identifies a specific IP group: 

"Resource": "arn:aws:workspaces:region:account_id:workspaceipgroup/ipgroup_identifier"

You can use the * wildcard to specify all IP groups that belong to a specific account in a specific region.

Directory ARN

A directory ARN has the following syntax:

arn:aws:workspaces:region:account_id:directory/directory_identifier
region

The region that the WorkSpace is in (for example, us-east-2).

account_id

The ID of the AWS account, with no hyphens (for example, 123456789012).

directory_identifier

The ID of the directory (for example, d-12345a67b8).

The following is the format of the Resource element of a policy statement that identifies a specific directory: 

"Resource": "arn:aws:workspaces:region:account_id:directory/directory_identifier"

You can use the * wildcard to specify all directories that belong to a specific account in a specific region.

API Actions with No Support for Resource-Level Permissions

You can't specify a resource ARN with the following API actions:

  • AssociateIpGroups

  • CreateIpGroup

  • CreateTags

  • DeleteTags

  • DeleteWorkspaceImage

  • DescribeAccount

  • DescribeAccountModifications

  • DescribeTags

  • DescribeWorkspaceDirectories

  • DescribeWorkspaceImages

  • DescribeWorkspaces

  • DescribeWorkspacesConnectionStatus

  • DisassociateIpGroups

  • ImportWorkspaceImage

  • ListAvailableManagementCidrRanges

  • ModifyAccount

For API actions that don't support resource-level permissions, you must specify the following resource statement: 

"Resource": "*"