AWS managed policies for Amazon WorkSpaces
To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.
AWS services maintain and update AWS managed policies. You cannot change the permissions in an AWS managed policy. Services occasionally add permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) to which the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates will not break your existing permissions.
Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for the new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.
AWS managed policy: AmazonWorkSpacesAdmin
This policy allows access to Amazon WorkSpaces administrative actions. It provides the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AmazonWorkSpacesAdmin",
      "Effect": "Allow",
      "Action": [
        "kms:DescribeKey",
        "kms:ListAliases",
        "kms:ListKeys",
        "workspaces:CreateTags",
        "workspaces:CreateWorkspaceImage",
        "workspaces:CreateWorkspaces",
        "workspaces:CreateWorkspacesPool",
        "workspaces:CreateStandbyWorkspaces",
        "workspaces:DeleteTags",
        "workspaces:DeregisterWorkspaceDirectory",
        "workspaces:DescribeTags",
        "workspaces:DescribeWorkspaceBundles",
        "workspaces:DescribeWorkspaceDirectories",
        "workspaces:DescribeWorkspaces",
        "workspaces:DescribeWorkspacesPools",
        "workspaces:DescribeWorkspacesPoolSessions",
        "workspaces:DescribeWorkspacesConnectionStatus",
        "workspaces:ModifyCertificateBasedAuthProperties",
        "workspaces:ModifySamlProperties",
        "workspaces:ModifyStreamingProperties",
        "workspaces:ModifyWorkspaceCreationProperties",
        "workspaces:ModifyWorkspaceProperties",
        "workspaces:RebootWorkspaces",
        "workspaces:RebuildWorkspaces",
        "workspaces:RegisterWorkspaceDirectory",
        "workspaces:RestoreWorkspace",
        "workspaces:StartWorkspaces",
        "workspaces:StartWorkspacesPool",
        "workspaces:StopWorkspaces",
        "workspaces:StopWorkspacesPool",
        "workspaces:TerminateWorkspaces",
        "workspaces:TerminateWorkspacesPool",
        "workspaces:TerminateWorkspacesPoolSession",
        "workspaces:UpdateWorkspacesPool"
      ],
      "Resource": "*"
    }
  ]
}
AWS managed policy: AmazonWorkspacesPCAAccess
This managed policy allows access to AWS Certificate Manager Private Certificate Authority (Private CA) resources in your AWS account for certificate-based authentication. It is included in the AmazonWorkSpacesPCAAccess role and provides the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acm-pca:IssueCertificate",
        "acm-pca:GetCertificate",
        "acm-pca:DescribeCertificateAuthority"
      ],
      "Resource": "arn:*:acm-pca:*:*:*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/euc-private-ca": "*"
        }
      }
    }
  ]
}
AWS managed policy: AmazonWorkSpacesSelfServiceAccess
This policy allows access to the Amazon WorkSpaces service to perform WorkSpaces self-service actions initiated by the user. It is included in the workspaces_DefaultRole role and provides the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "workspaces:RebootWorkspaces",
        "workspaces:RebuildWorkspaces",
        "workspaces:ModifyWorkspaceProperties"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
AWS managed policy: AmazonWorkSpacesServiceAccess
This policy allows customer account access to the Amazon WorkSpaces service to launch a WorkSpace. It is included in the workspaces_DefaultRole role and provides the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeNetworkInterfaces"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
AWS managed policy: AmazonWorkSpacesPoolServiceAccess
The WorkSpaces Pools feature is not available in the Beijing and Ningxia Regions.
This policy is used by the workspaces_DefaultRole role, which WorkSpaces uses to access the WorkSpaces Pools resources required in the customer's AWS account. For more information, see Create the workspaces_DefaultRole role. It provides the following permissions:
Commercial AWS Regions
The following policy JSON applies to commercial AWS Regions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProvisioningWorkSpacesPoolPermissions",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeRouteTables",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "WorkSpacesPoolS3Permissions",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetObjectVersion",
        "s3:DeleteObjectVersion",
        "s3:GetBucketPolicy",
        "s3:PutBucketPolicy",
        "s3:PutEncryptionConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::wspool-logs-*",
        "arn:aws:s3:::wspool-app-settings-*",
        "arn:aws:s3:::wspool-home-folder-*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    }
  ]
}
AWS GovCloud (US) Regions
The following policy JSON applies to AWS GovCloud (US) Regions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProvisioningWorkSpacesPoolPermissions",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeRouteTables",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "WorkSpacesPoolS3Permissions",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetObjectVersion",
        "s3:DeleteObjectVersion",
        "s3:GetBucketPolicy",
        "s3:PutBucketPolicy",
        "s3:PutEncryptionConfiguration"
      ],
      "Resource": [
        "arn:aws-us-gov:s3:::wspool-logs-*",
        "arn:aws-us-gov:s3:::wspool-app-settings-*",
        "arn:aws-us-gov:s3:::wspool-home-folder-*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    }
  ]
}
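Two of the policies above scope their Allow with a condition rather than only a resource pattern: AmazonWorkspacesPCAAccess requires the Private CA to carry the euc-private-ca tag, and AmazonWorkSpacesPoolServiceAccess requires the S3 bucket to live in the same account as the calling principal (aws:ResourceAccount equal to ${aws:PrincipalAccount}). The evaluator below is an added example, not AWS code or part of this page; it models only what these Allow-only policies use (action and ARN wildcards, StringEquals/StringLike, the PrincipalAccount variable), and the embedded statements and request contexts are constructed for the demonstration.

```python
import fnmatch

# Constructed copy of the AmazonWorkspacesPCAAccess statement shown on this page.
PCA_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["acm-pca:IssueCertificate", "acm-pca:GetCertificate",
               "acm-pca:DescribeCertificateAuthority"],
    "Resource": "arn:*:acm-pca:*:*:*",
    "Condition": {"StringLike": {"aws:ResourceTag/euc-private-ca": "*"}}}]}

# Constructed copy of the WorkSpacesPoolS3Permissions statement (commercial partition),
# with the action list shortened to the two actions exercised below.
POOL_S3_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "WorkSpacesPoolS3Permissions", "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::wspool-logs-*", "arn:aws:s3:::wspool-app-settings-*",
                 "arn:aws:s3:::wspool-home-folder-*"],
    "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_met(condition, ctx):
    """All condition keys must be present in the request context and match.
    A key missing from the context fails the condition, as IAM does for
    operators without the ...IfExists suffix. Unsupported operators fail closed."""
    for operator, pairs in condition.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            # Resolve the policy variable used by the Pools policy.
            want = want.replace("${aws:PrincipalAccount}", ctx.get("aws:PrincipalAccount", ""))
            if have is None:
                return False
            if operator == "StringEquals" and have != want:
                return False
            if operator == "StringLike" and not fnmatch.fnmatchcase(have, want):
                return False
            if operator not in ("StringEquals", "StringLike"):
                return False
    return True


def is_allowed(policy, action, resource_arn, ctx):
    """Implicit deny: True only if some Allow statement matches action, resource and conditions."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_met(stmt.get("Condition", {}), ctx):
            return True
    return False
```

Explicit Deny statements and the other IAM condition operators are deliberately out of scope, since none of the policies on this page use them.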
Updates to AWS managed policies for WorkSpaces
View details about updates to AWS managed policies for WorkSpaces since this service began tracking these changes.