IAM Requirements: Custom Policies

PreviousSecurity Group NextIAM Requirements: Role and EC2 instance profile

Last updated 5 months ago

IAM Requirements: Custom Policies

WorkSpaces Manager requires an IAM Instance Role to be associated with the EC2 instance(s), along with custom policies to enable access to other AWS services. The necessary policies should be created and attached to both the role and the EC2 Instance Profile.

If using the from Nuvens' public site, the Security Group, Policies, Role, and EC2 Instance Profile will be created together as part of the automated deployment process.

Although you can name these policies based on your internal naming conventions, we recommend using the following names for better clarity and organization:

WSMCloudwatchPolicy: Grants access to AWS CloudWatch for monitoring and managing logs and metrics.
WSMCostExplorerPolicy: Provides access to AWS Cost Explorer to retrieve cost and usage reports.
WSMEC2Policy: Allows management and interaction with EC2 instances and related resources.
WSMEUCPolicy: Facilitates the management of Amazon WorkSpaces and other End-User Computing (EUC) services.
WSMPricingPolicy: Enables retrieval of pricing information from the AWS Pricing API.
WSMS3Policy: Grants access to S3 buckets used by WorkSpaces Manager, such as for storage and backups.
WSMSecretsPolicy: Allows retrieval of data from Secrets Manager for database connections.

The JSON definitions for these policies are available in our GitLab repositories and can be accessed in both Terraform and CloudFormation template formats.

For example, in Terraform, the policy might be structured as follows:

resource "aws_iam_policy" "WSMCloudwatchPolicy" {
  name        = "WSMCloudwatchPolicy"
  description = "IAM policy for WorkSpaces Manager to access CloudWatch"
  
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:DescribeAlarmHistory",
        "cloudwatch:DescribeAlarmsForMetric",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:Describe*",
        "cloudwatch:GetDashboard",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:GetMetricWidgetImage",
        "cloudwatch:ListMetrics",
        "logs:GetLogEvents",
        "logs:FilterLogEvents",
        "logs:GetLogGroupFields",
        "logs:GetQueryResults",
        "logs:GetLogDelivery",
        "logs:GetLogRecord",
        "logs:StartQuery",
        "logs:StopQuery",
        "logs:TestMetricFilter"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

PreviousSecurity Group NextIAM Requirements: Role and EC2 instance profile

Last updated 5 months ago

If using the from Nuvens' public site, the Security Group, Policies, Role, and EC2 Instance Profile will be created together as part of the automated deployment process.

Although you can name these policies based on your internal naming conventions, we recommend using the following names for better clarity and organization:

WSMCloudwatchPolicy: Grants access to AWS CloudWatch for monitoring and managing logs and metrics.
WSMCostExplorerPolicy: Provides access to AWS Cost Explorer to retrieve cost and usage reports.
WSMEC2Policy: Allows management and interaction with EC2 instances and related resources.
WSMEUCPolicy: Facilitates the management of Amazon WorkSpaces and other End-User Computing (EUC) services.
WSMPricingPolicy: Enables retrieval of pricing information from the AWS Pricing API.
WSMS3Policy: Grants access to S3 buckets used by WorkSpaces Manager, such as for storage and backups.
WSMSecretsPolicy: Allows retrieval of data from Secrets Manager for database connections.

The JSON definitions for these policies are available in our GitLab repositories and can be accessed in both Terraform and CloudFormation template formats.

For example, in Terraform, the policy might be structured as follows:

resource "aws_iam_policy" "WSMCloudwatchPolicy" {
  name        = "WSMCloudwatchPolicy"
  description = "IAM policy for WorkSpaces Manager to access CloudWatch"
  
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:DescribeAlarmHistory",
        "cloudwatch:DescribeAlarmsForMetric",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:Describe*",
        "cloudwatch:GetDashboard",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:GetMetricWidgetImage",
        "cloudwatch:ListMetrics",
        "logs:GetLogEvents",
        "logs:FilterLogEvents",
        "logs:GetLogGroupFields",
        "logs:GetQueryResults",
        "logs:GetLogDelivery",
        "logs:GetLogRecord",
        "logs:StartQuery",
        "logs:StopQuery",
        "logs:TestMetricFilter"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

For all the JSON raw code related to the IAM policies, please refer to . This appendix contains the complete policy configurations needed for WorkSpaces Manager, including those for CloudWatch, Cost Explorer, EC2, EUC, Pricing, and S3. You can find the full code in both Terraform and CloudFormation formats in the corresponding sections.