IAM Policies in JSON format

If Terraform automation is not an option, create the custom policies with whichever method you prefer: the AWS Management Console, the AWS CLI, or another Infrastructure-as-Code (IaC) tool such as CloudFormation. The JSON documents below are the policy bodies. Create each one as a customer-managed policy with the name shown and attach all six to the role used by the WorkSpaces Manager EC2 instance profile.
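As an added example (not part of the WorkSpaces Manager documentation), the script below performs the AWS CLI variant of that procedure end to end: it creates each policy from a JSON file saved as `<PolicyName>.json`, attaches it to the instance role, and finishes with an IAM policy-simulator call that confirms the role can describe EC2 instances but cannot terminate them. The role name `WSMRole`, the file layout, and the `DRY_RUN` switch are this example's own assumptions; substitute your real role name.

```bash
#!/usr/bin/env bash
# Added example, not part of the WorkSpaces Manager documentation.
# Creates the six custom policies from JSON files saved as <PolicyName>.json
# in the current directory, attaches them to the appliance's instance role,
# and then asks the IAM policy simulator whether a mutating EC2 action is
# still denied. Assumptions (not from the page): the role is named WSMRole,
# AWS CLI v2 is configured for the target account, and DRY_RUN=1 prints the
# commands instead of executing them.
set -eu

ROLE_NAME="${ROLE_NAME:-WSMRole}"   # assumed name of the WorkSpaces Manager instance role
DRY_RUN="${DRY_RUN:-0}"
WSM_POLICIES="WSMCloudwatchPolicy WSMCostExplorerPolicy WSMEC2Policy WSMEUCPolicy WSMPricingPolicy WSMS3Policy"

# Customer-managed policy ARN for an account id and policy name.
policy_arn() {
  printf 'arn:aws:iam::%s:policy/%s\n' "$1" "$2"
}

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# Create one policy and attach it. A second run is harmless: if create-policy
# fails because the policy already exists, get-policy confirms that; any other
# failure aborts the script because of set -e.
create_and_attach() {
  local account="$1" name="$2" arn
  arn=$(policy_arn "$account" "$name")
  if ! run aws iam create-policy --policy-name "$name" \
        --policy-document "file://${name}.json" --query Policy.Arn --output text; then
    run aws iam get-policy --policy-arn "$arn" >/dev/null
  fi
  run aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$arn"
}

# Ask the simulator for the EvalDecision (allowed / implicitDeny / explicitDeny) per action.
simulate() {
  local role_arn="$1"; shift
  run aws iam simulate-principal-policy --policy-source-arn "$role_arn" \
      --action-names "$@" --query 'EvaluationResults[].EvalDecision' --output text
}

deploy_wsm_policies() {
  local account name
  if [ "$DRY_RUN" = "1" ]; then
    account="123456789012"   # placeholder account id for dry runs only
  else
    account=$(aws sts get-caller-identity --query Account --output text)
  fi
  for name in $WSM_POLICIES; do
    create_and_attach "$account" "$name"
  done
  # With the six policies attached the expected decisions are:
  # ec2:DescribeInstances allowed, ec2:TerminateInstances implicitDeny,
  # workspaces:TerminateWorkspaces allowed (workspaces:* in WSMEUCPolicy).
  simulate "arn:aws:iam::${account}:role/${ROLE_NAME}" \
      ec2:DescribeInstances ec2:TerminateInstances workspaces:TerminateWorkspaces
}

# Deploy only when invoked as "./script.sh deploy"; sourcing the file just defines the functions.
if [ "${1:-}" = "deploy" ]; then
  deploy_wsm_policies
fi
```

Run it once with `DRY_RUN=1 ./script.sh deploy` to review the exact commands, then without `DRY_RUN` to apply them. The simulator step is the cheapest check that the read-only policies really are read-only for the role as a whole, including anything else already attached to it.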

Here is the JSON snippet for the custom policy "WSMCloudwatchPolicy":

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Action": [
    "cloudwatch:Describe*",
    "cloudwatch:GetDashboard",
    "cloudwatch:GetMetricData",
    "cloudwatch:GetMetricStatistics",
    "cloudwatch:GetMetricWidgetImage",
    "cloudwatch:ListMetrics",
    "kms:DescribeKey",
    "kms:ListKeys",
    "kms:ListAliases",
    "logs:FilterLogEvents",
    "logs:GetLogEvents",
    "logs:GetLogGroupFields",
    "logs:GetQueryResults",
    "logs:GetLogDelivery",
    "logs:GetLogRecord",
    "logs:StartQuery",
    "logs:StopQuery",
    "logs:TestMetricFilter"
   ],
   "Resource": "*",
   "Effect": "Allow"
  }
 ]
}

This policy is read-only. It lets WorkSpaces Manager describe CloudWatch metrics and dashboards, fetch metric data and statistics, and run and read CloudWatch Logs Insights queries (logs:StartQuery, logs:GetQueryResults, logs:FilterLogEvents). It does not grant cloudwatch:PutMetricData or logs:PutLogEvents, so the portal cannot write metrics or log events with it; the kms:* entries are metadata lookups only (DescribeKey, ListKeys, ListAliases). Because Resource is "*", the grant covers every metric and log group in the account; if you want to narrow it, restrict the logs:* actions to the ARN of the log group WorkSpaces Manager uses. You can apply this policy through your preferred method, whether it's the AWS Management Console, CLI, or automation tools.

Here is the JSON snippet for the custom policy "WSMCostExplorerPolicy":

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Action": "ce:*",
   "Resource": "*",
   "Effect": "Allow"
  }
 ]
}

This policy grants every Cost Explorer action (ce:*), which covers what WorkSpaces Manager needs to retrieve cost and usage data as well as reservation and Savings Plans information. Note that the wildcard also includes Cost Explorer write actions, such as creating anomaly monitors or cost categories and changing preferences. If your policy standards do not allow that, the read operations live under ce:Get*, ce:Describe* and ce:List*; narrow the policy to those and confirm the portal's cost views still load. You can apply this policy using the AWS Management Console, CLI, or any automation tools like Terraform or CloudFormation.

Here is the JSON snippet for the custom policy "WSMEC2Policy":

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Action": "ec2:Describe*",
   "Resource": "*",
   "Effect": "Allow"
  },
  {
   "Action": "elasticloadbalancing:Describe*",
   "Resource": "*",
   "Effect": "Allow"
  },
  {
   "Action": "autoscaling:Describe*",
   "Resource": "*",
   "Effect": "Allow"
  }
 ]
}

This policy is read-only: all three statements are Describe* actions, so WorkSpaces Manager can enumerate EC2 instances and their tags, VPC resources, load balancers and Auto Scaling groups, but cannot start, stop, reboot or terminate anything with it. Describe actions for these services do not support resource-level permissions, which is why Resource must be "*". You can use this policy in the AWS Management Console, CLI, or automation tools such as Terraform or CloudFormation.

Here is the JSON snippet for the custom policy "WSMEUCPolicy":

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Action": [
    "appstream:*",
    "ds:*",
    "workspaces:*"
   ],
   "Resource": "*",
   "Effect": "Allow"
  }
 ]
}

This policy grants full access to Amazon WorkSpaces (workspaces:*), Amazon AppStream 2.0 (appstream:*) and AWS Directory Service (ds:*) on every resource. The workspaces:* grant is what lets WorkSpaces Manager describe, create, terminate and manage WorkSpaces and their tags; ds:* additionally includes directory write operations such as ds:CreateDirectory and ds:ResetUserPassword. This is the most powerful of the six policies, so protect the role that carries it: attach it only to the WorkSpaces Manager instance role, do not reuse that role on other instances, and avoid giving users a path to assume it. You can apply this policy using the AWS Management Console, CLI, or tools like Terraform or CloudFormation.

Here is the JSON snippet for the custom policy "WSMPricingPolicy":

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Action": "pricing:*",
   "Resource": "*",
   "Effect": "Allow"
  }
 ]
}

This policy grants WorkSpaces Manager access to the AWS Price List (Pricing) API, which it uses to retrieve pricing information. That API exposes only read operations (for example pricing:GetProducts and pricing:DescribeServices), so pricing:* confers no write capability. You can apply this policy using the AWS Management Console, CLI, or automation tools like Terraform or CloudFormation.

Here is the JSON snippet for the custom policy "WSMS3Policy":

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Action": [
    "s3:GetLifecycleConfiguration",
    "s3:GetBucketTagging",
    "s3:GetInventoryConfiguration",
    "s3:GetObjectVersionTagging",
    "s3:ListBucketVersions",
    "s3:GetBucketLogging",
    "s3:ListBucket",
    "s3:GetAccelerateConfiguration",
    "s3:GetBucketPolicy",
    "s3:GetObjectVersionTorrent",
    "s3:GetObjectAcl",
    "s3:GetEncryptionConfiguration",
    "s3:GetBucketRequestPayment",
    "s3:GetObjectVersionAcl",
    "s3:GetObjectTagging",
    "s3:GetMetricsConfiguration",
    "s3:GetBucketPublicAccessBlock",
    "s3:GetBucketPolicyStatus",
    "s3:ListBucketMultipartUploads",
    "s3:GetBucketWebsite",
    "s3:GetBucketVersioning",
    "s3:GetBucketAcl",
    "s3:GetBucketNotification",
    "s3:GetReplicationConfiguration",
    "s3:ListMultipartUploadParts",
    "s3:GetObject",
    "s3:GetObjectTorrent",
    "s3:GetBucketCORS",
    "s3:GetAnalyticsConfiguration",
    "s3:GetObjectVersionForReplication",
    "s3:GetBucketLocation",
    "s3:GetObjectVersion"
   ],
   "Resource": [
    "arn:aws:s3:::workspacescostoptimizer-costoptimizerbucket*/*"
   ],
   "Effect": "Allow"
  },
  {
   "Action": [
    "s3:GetAccountPublicAccessBlock",
    "s3:ListAllMyBuckets"
   ],
   "Resource": "*",
   "Effect": "Allow"
  }
 ]
}

This policy is read-only: the first statement grants Get and List actions against the Amazon WorkSpaces Cost Optimizer output bucket, and the second grants two account-level calls (s3:GetAccountPublicAccessBlock and s3:ListAllMyBuckets). It contains no s3:PutObject or s3:DeleteObject, so WorkSpaces Manager can read the Cost Optimizer reports but not modify or remove them. One caveat on the first statement: its Resource pattern ends in /*, which matches object ARNs only, while bucket-level actions such as s3:ListBucket, s3:GetBucketLocation and s3:GetBucketPolicy are evaluated against the bucket ARN itself (arn:aws:s3:::bucket-name, with no trailing key). For those actions to take effect, add the bucket ARN without the /* suffix (arn:aws:s3:::workspacescostoptimizer-costoptimizerbucket*) to the Resource list alongside the object pattern; the object actions (s3:GetObject, s3:GetObjectVersion and the rest) are authorised correctly as written. You can apply this policy via the AWS Management Console, CLI, or tools like Terraform or CloudFormation.
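The descriptions of the six policies above make claims a reviewer will want to verify before attaching anything to the instance role: which policies are genuinely read-only, which ones are whole-service wildcards, and whether the S3 statement's object-only Resource pattern leaves its bucket-level actions ineffective. The script below is an added example (not part of the WorkSpaces Manager documentation) that checks all three points over the policy documents from this page; WSMEC2Policy, WSMEUCPolicy and WSMS3Policy are embedded verbatim, and the other three would be audited the same way. The read-only verb list and the S3 bucket-level prefix list are this example's own heuristics, not AWS definitions, and `with_bucket_arns` shows the corrected S3 statement.

```python
"""Audit the WorkSpaces Manager custom policies for least-privilege problems.

Added example; it is not part of the WorkSpaces Manager documentation. The
three policy documents embedded below are copied from this page. The
read-only verb list and the S3 bucket-level prefix list are this example's
own heuristics, not AWS definitions.
"""
import copy

# Verbs that only read state. Anything else, including a bare "*", is treated as mutating.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Filter", "StartQuery", "StopQuery", "Test")

# S3 actions whose resource is the bucket ARN (arn:aws:s3:::bucket), not an object key.
S3_BUCKET_LEVEL_PREFIXES = ("GetBucket", "ListBucket", "GetLifecycle", "GetEncryption",
                            "GetInventory", "GetMetrics", "GetAnalytics", "GetAccelerate",
                            "GetReplication")

WSM_EC2_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": "ec2:Describe*", "Resource": "*", "Effect": "Allow"},
    {"Action": "elasticloadbalancing:Describe*", "Resource": "*", "Effect": "Allow"},
    {"Action": "autoscaling:Describe*", "Resource": "*", "Effect": "Allow"}]}

WSM_EUC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": ["appstream:*", "ds:*", "workspaces:*"], "Resource": "*", "Effect": "Allow"}]}

WSM_S3_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": [
        "s3:GetLifecycleConfiguration", "s3:GetBucketTagging", "s3:GetInventoryConfiguration",
        "s3:GetObjectVersionTagging", "s3:ListBucketVersions", "s3:GetBucketLogging", "s3:ListBucket",
        "s3:GetAccelerateConfiguration", "s3:GetBucketPolicy", "s3:GetObjectVersionTorrent",
        "s3:GetObjectAcl", "s3:GetEncryptionConfiguration", "s3:GetBucketRequestPayment",
        "s3:GetObjectVersionAcl", "s3:GetObjectTagging", "s3:GetMetricsConfiguration",
        "s3:GetBucketPublicAccessBlock", "s3:GetBucketPolicyStatus", "s3:ListBucketMultipartUploads",
        "s3:GetBucketWebsite", "s3:GetBucketVersioning", "s3:GetBucketAcl", "s3:GetBucketNotification",
        "s3:GetReplicationConfiguration", "s3:ListMultipartUploadParts", "s3:GetObject",
        "s3:GetObjectTorrent", "s3:GetBucketCORS", "s3:GetAnalyticsConfiguration",
        "s3:GetObjectVersionForReplication", "s3:GetBucketLocation", "s3:GetObjectVersion"],
     "Resource": ["arn:aws:s3:::workspacescostoptimizer-costoptimizerbucket*/*"],
     "Effect": "Allow"},
    {"Action": ["s3:GetAccountPublicAccessBlock", "s3:ListAllMyBuckets"],
     "Resource": "*", "Effect": "Allow"}]}


def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def allow_statements(policy):
    """Yield (actions, resources) for every Allow statement that uses Action."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            yield _as_list(stmt["Action"]), _as_list(stmt.get("Resource", "*"))


def is_read_only(action):
    """True for verbs such as ec2:Describe*; False for service wildcards such as ds:*."""
    _service, _, verb = action.partition(":")
    return verb != "*" and verb.startswith(READ_ONLY_PREFIXES)


def mutating_actions(policy):
    """Actions that can change state (or expand to ones that can), in policy order."""
    return [a for actions, _ in allow_statements(policy) for a in actions if not is_read_only(a)]


def service_wildcards(policy):
    """Whole-service grants such as ce:* that deserve narrowing before production use."""
    return [a for actions, _ in allow_statements(policy) for a in actions
            if a == "*" or a.endswith(":*")]


def _is_s3_bucket_level(action):
    service, _, verb = action.partition(":")
    return service == "s3" and verb.startswith(S3_BUCKET_LEVEL_PREFIXES)


def _can_match_bucket_arn(resource):
    """A bucket ARN has no "/" after the bucket name, so any pattern containing one matches only objects."""
    if resource == "*":
        return True
    prefix = "arn:aws:s3:::"
    return resource.startswith(prefix) and "/" not in resource[len(prefix):]


def s3_bucket_actions_without_bucket_arn(policy):
    """Bucket-level S3 actions granted only against object patterns; IAM never authorises these."""
    broken = []
    for actions, resources in allow_statements(policy):
        if not any(_can_match_bucket_arn(r) for r in resources):
            broken.extend(a for a in actions if _is_s3_bucket_level(a))
    return broken


def with_bucket_arns(policy):
    """Return a copy in which each object-only S3 statement also lists the bucket ARN itself."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        actions, resources = _as_list(stmt["Action"]), _as_list(stmt.get("Resource", "*"))
        if any(_is_s3_bucket_level(a) for a in actions) and not any(_can_match_bucket_arn(r) for r in resources):
            bucket_arns = [r.split("/", 1)[0] for r in resources if r.startswith("arn:aws:s3:::")]
            stmt["Resource"] = resources + [b for b in bucket_arns if b not in resources]
    return fixed


if __name__ == "__main__":
    for name, policy in [("WSMEC2Policy", WSM_EC2_POLICY), ("WSMEUCPolicy", WSM_EUC_POLICY),
                         ("WSMS3Policy", WSM_S3_POLICY)]:
        print(name, "wildcards:", service_wildcards(policy), "mutating:", mutating_actions(policy),
              "bucket-level S3 actions lacking a bucket ARN:", len(s3_bucket_actions_without_bucket_arn(policy)))
```

Running the script reports no mutating actions for WSMEC2Policy and WSMS3Policy, three service wildcards for WSMEUCPolicy, and 22 bucket-level S3 actions in WSMS3Policy that the object-only Resource pattern cannot authorise; `with_bucket_arns(WSM_S3_POLICY)` is the same document with `arn:aws:s3:::workspacescostoptimizer-costoptimizerbucket*` added to the first statement's Resource list.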


Last updated 6 months ago