Amazon managed policies for WorkSpaces
Using Amazon managed policies makes adding permissions to users, groups, and roles easier than writing policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. Use Amazon managed policies to get started quickly. These policies cover common use cases and are available in your Amazon account. For more information about Amazon managed policies, see Amazon managed policies in the IAM User Guide.
Amazon services maintain and update Amazon managed policies. You can't change the permissions in Amazon managed policies. Services may occasionally add additional permissions to an Amazon managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an Amazon managed policy when a new feature is launched or when new operations become available. Services don't remove permissions from an Amazon managed policy, so policy updates won't break your existing permissions.
Additionally, Amazon supports managed policies for job functions that span multiple
services. For example, the ReadOnlyAccess
Amazon managed policy provides
read-only access to all Amazon services and resources. When a service launches a new feature,
Amazon adds read-only permissions for new operations and resources. For a list and
descriptions of job function policies, see Amazon managed policies for
job functions in the IAM User Guide.
Amazon managed policy: AmazonWorkSpacesAdmin
This policy provides access to Amazon WorkSpaces administrative actions. It provides the following permissions:
-
workspaces
- Allows access to perform administrative actions on WorkSpaces Personal and WorkSpaces Pools resources. -
kms
- Allows access to list and describe KMS keys, as well as list aliases.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AmazonWorkSpacesAdmin", "Effect": "Allow", "Action": [ "kms:DescribeKey", "kms:ListAliases", "kms:ListKeys", "workspaces:CreateTags", "workspaces:CreateWorkspaceImage", "workspaces:CreateWorkspaces", "workspaces:CreateWorkspacesPool", "workspaces:CreateStandbyWorkspaces", "workspaces:DeleteTags", "workspaces:DeregisterWorkspaceDirectory", "workspaces:DescribeTags", "workspaces:DescribeWorkspaceBundles", "workspaces:DescribeWorkspaceDirectories", "workspaces:DescribeWorkspaces", "workspaces:DescribeWorkspacesPools", "workspaces:DescribeWorkspacesPoolSessions", "workspaces:DescribeWorkspacesConnectionStatus", "workspaces:ModifyCertificateBasedAuthProperties", "workspaces:ModifySamlProperties", "workspaces:ModifyStreamingProperties", "workspaces:ModifyWorkspaceCreationProperties", "workspaces:ModifyWorkspaceProperties", "workspaces:RebootWorkspaces", "workspaces:RebuildWorkspaces", "workspaces:RegisterWorkspaceDirectory", "workspaces:RestoreWorkspace", "workspaces:StartWorkspaces", "workspaces:StartWorkspacesPool", "workspaces:StopWorkspaces", "workspaces:StopWorkspacesPool", "workspaces:TerminateWorkspaces", "workspaces:TerminateWorkspacesPool", "workspaces:TerminateWorkspacesPoolSession", "workspaces:UpdateWorkspacesPool" ], "Resource": "*" } ] }
Amazon managed policy: AmazonWorkspacesPCAAccess
This managed policy provides access to Amazon Certificate Manager Private Certificate Authority (Private CA) resources in your Amazon account for certificate-based authentication. It is included in the AmazonWorkSpacesPCAAccess role, and it provides the following permissions:
-
acm-pca
- Allows access to Amazon Private CA to manage certificate-based authentication.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "acm-pca:IssueCertificate", "acm-pca:GetCertificate", "acm-pca:DescribeCertificateAuthority" ], "Resource": "arn:*:acm-pca:*:*:*", "Condition": { "StringLike": { "aws:ResourceTag/euc-private-ca": "*" } } } ] }
Amazon managed policy: AmazonWorkSpacesSelfServiceAccess
This policy provides access to the Amazon WorkSpaces service to perform WorkSpaces self-service
actions initiated by a user. It is included in the workspaces_DefaultRole
role, and it provides the following permissions:
-
workspaces
- Allows access to self-service WorkSpaces management capabilities for users.
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "workspaces:RebootWorkspaces", "workspaces:RebuildWorkspaces", "workspaces:ModifyWorkspaceProperties" ], "Effect": "Allow", "Resource": "*" } ] }
Amazon managed policy: AmazonWorkSpacesServiceAccess
This policy provides customer account access to the Amazon WorkSpaces service for launching a
WorkSpace. It is included in the workspaces_DefaultRole
role, and it
provides the following permissions:
-
ec2
- Allows access to manage Amazon EC2 resources associated with a WorkSpace, such as network interfaces.
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:DescribeNetworkInterfaces" ], "Effect": "Allow", "Resource": "*" } ] }
Amazon managed policy: AmazonWorkSpacesPoolServiceAccess
This policy is used in the workspaces_DefaultRole, which WorkSpaces uses to access required resources in the customer Amazon account for WorkSpaces Pools. For more information see Create the workspaces_DefaultRole Role. It provides the following permissions:
-
ec2
- Allows access to manage Amazon EC2 resources associated with a WorkSpaces Pool, such as VPCs, subnets, availability zones, security groups, and route tables. -
s3
- Allows access to perform actions on Amazon S3 buckets required for logs, application settings, and the Home Folder feature.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "ProvisioningWorkSpacesPoolPermissions", "Effect": "Allow", "Action": [ "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeAvailabilityZones", "ec2:DescribeSecurityGroups", "ec2:DescribeRouteTables", "s3:ListAllMyBuckets" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "WorkSpacesPoolS3Permissions", "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectVersion", "s3:DeleteObjectVersion", "s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:PutEncryptionConfiguration" ], "Resource": [ "arn:aws:s3:::wspool-logs-*", "arn:aws:s3:::wspool-app-settings-*", "arn:aws:s3:::wspool-home-folder-*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } } ] }
WorkSpaces updates to Amazon managed policies
View details about updates to Amazon managed policies for WorkSpaces since this service began tracking these changes.
Change | Description | Date |
---|---|---|
Amazon managed policy: AmazonWorkSpacesPoolServiceAccess - Added new policy | WorkSpaces added a new managed policy to grant permission to view Amazon EC2 VPCs and related resources, and to view and manage Amazon S3 buckets for WorkSpaces Pools. | June 24, 2024 |
Amazon managed policy: AmazonWorkSpacesAdmin - Updated policy | WorkSpaces added several actions for WorkSpaces Pools to the Amazon WorkSpacesAdmin managed policy, granting admins access to manage WorkSpace Pool resources. | June 24, 2024 |
Amazon managed policy: AmazonWorkSpacesAdmin - Updated policy | WorkSpaces added the workspaces:RestoreWorkspace action to
the Amazon WorkSpacesAdmin managed policy, granting admins access to restore
WorkSpaces. |
June 25, 2023 |
Amazon managed policy: AmazonWorkspacesPCAAccess - Added new policy | WorkSpaces added a new managed policy to grant acm-pca
permission to manage Amazon Private CA to manage certificate-based
authentication. |
November 18, 2022 |
WorkSpaces started tracking changes | WorkSpaces started tracking changes for its WorkSpaces managed policies. | March 1, 2021 |