IAM Requirements: Custom Policies
Last updated
WorkSpaces Manager requires an IAM role to be associated with the EC2 instance(s) through an instance profile, plus a set of custom policies that grant access to the other AWS services it uses. Create the policies and attach them to the role; the instance profile is only the container that exposes the role to the instance, so it carries no policies of its own. Scope each policy to the resources WorkSpaces Manager actually uses rather than granting service-wide wildcard access.
If using the Git Repo for Terraform from Nuvens' public site, the Security Group, Policies, Role, and EC2 Instance Profile will be created together as part of the automated deployment process.
While you can name these policies according to your internal naming conventions, we recommend using the following names for clarity:
WSMCloudwatchPolicy: For accessing AWS CloudWatch to monitor and manage logs and metrics.
WSMCostExplorerPolicy: For accessing AWS Cost Explorer to retrieve cost and usage reports.
WSMEC2Policy: For managing and interacting with EC2 instances and related resources.
WSMEUCPolicy: For managing Amazon WorkSpaces and other EUC (End-User Computing) services.
WSMPricingPolicy: For retrieving pricing information from the AWS Pricing API.
WSMS3Policy: For accessing S3 buckets used by WorkSpaces Manager, such as for storage and backups.
The JSON code for each of the policies can be found in our GitLab repositories, available in both Terraform and CloudFormation template formats.
In Terraform, each policy is declared as an aws_iam_policy resource (typically built from an aws_iam_policy_document data source), attached to the role with aws_iam_role_policy_attachment, and the role is wrapped in an aws_iam_instance_profile that the EC2 instance references.
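The following is an added illustration of that structure, not code from the Nuvens repository. It wires up the role, two of the recommended policies (WSMS3Policy and WSMPricingPolicy), the instance profile and the instance. The variable names, the action lists and the resource ARNs are assumptions chosen to show least-privilege scoping; the authoritative policy JSON is the one in the appendix.

```hcl
# Added example (not the Nuvens WorkSpaces Manager repository's own code).
# Variable names, Action lists and ARNs below are assumptions for illustration;
# use the policy JSON from the appendix for the real deployment.

variable "wsm_bucket_arn" {
  description = "ARN of the S3 bucket used by WorkSpaces Manager (assumed)"
  type        = string
}

variable "wsm_ami_id" {
  description = "AMI for the WorkSpaces Manager instance (assumed)"
  type        = string
}

# Trust policy: only the EC2 service may assume the role.
data "aws_iam_policy_document" "wsm_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "wsm" {
  name               = "WSMInstanceRole"
  assume_role_policy = data.aws_iam_policy_document.wsm_trust.json
}

# S3 policy scoped to the WorkSpaces Manager bucket, not "s3:*" on "*".
# Bucket-level and object-level actions need different resource ARNs.
data "aws_iam_policy_document" "wsm_s3" {
  statement {
    sid       = "ListBucket"
    actions   = ["s3:ListBucket"]
    resources = [var.wsm_bucket_arn]
  }
  statement {
    sid       = "ObjectAccess"
    actions   = ["s3:GetObject", "s3:PutObject"]
    resources = ["${var.wsm_bucket_arn}/*"]
  }
}

resource "aws_iam_policy" "wsm_s3" {
  name   = "WSMS3Policy"
  policy = data.aws_iam_policy_document.wsm_s3.json
}

# Pricing API actions are not resource-specific, so "*" is the only valid
# Resource here; least privilege comes from listing only the read actions.
data "aws_iam_policy_document" "wsm_pricing" {
  statement {
    sid       = "ReadPricing"
    actions   = ["pricing:DescribeServices", "pricing:GetAttributeValues", "pricing:GetProducts"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "wsm_pricing" {
  name   = "WSMPricingPolicy"
  policy = data.aws_iam_policy_document.wsm_pricing.json
}

# Policies attach to the role, one attachment per policy.
resource "aws_iam_role_policy_attachment" "wsm_s3" {
  role       = aws_iam_role.wsm.name
  policy_arn = aws_iam_policy.wsm_s3.arn
}

resource "aws_iam_role_policy_attachment" "wsm_pricing" {
  role       = aws_iam_role.wsm.name
  policy_arn = aws_iam_policy.wsm_pricing.arn
}

# The instance profile wraps the role; the instance references the profile.
resource "aws_iam_instance_profile" "wsm" {
  name = "WSMInstanceProfile"
  role = aws_iam_role.wsm.name
}

resource "aws_instance" "wsm" {
  ami                  = var.wsm_ami_id
  instance_type        = "t3.medium"
  iam_instance_profile = aws_iam_instance_profile.wsm.name
}
```

The remaining policies (CloudWatch, Cost Explorer, EC2, EUC) follow the same data-source, policy and attachment pattern. After `terraform apply`, a quick check from the instance itself is `aws sts get-caller-identity`, which should report an assumed-role ARN for WSMInstanceRole; if it reports your own user or nothing at all, the profile is not associated with the instance.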
For the raw JSON of every IAM policy, refer to the IAM policy appendix. It contains the complete policy configurations needed for WorkSpaces Manager (CloudWatch, Cost Explorer, EC2, EUC, Pricing and S3), in both Terraform and CloudFormation formats.