IAM Policies in JSON format

If Terraform automation is not an option, you can still create the custom policies with your preferred method. This could include the AWS Management Console, the AWS CLI, or another Infrastructure-as-Code (IaC) tool such as CloudFormation to create and configure the policies that the WorkSpaces Manager environment needs. The JSON documents below are the policy bodies; they are the same whichever method you use.

Here is the JSON snippet for the custom policy "WSMCloudwatchPolicy":

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Action": [
    "cloudwatch:Describe*",
    "cloudwatch:GetDashboard",
    "cloudwatch:GetMetricData",
    "cloudwatch:GetMetricStatistics",
    "cloudwatch:GetMetricWidgetImage",
    "cloudwatch:ListMetrics",
    "kms:DescribeKey",
    "kms:ListKeys",
    "kms:ListAliases",
    "logs:FilterLogEvents",
    "logs:GetLogEvents",
    "logs:GetLogGroupFields",
    "logs:GetQueryResults",
    "logs:GetLogDelivery",
    "logs:GetLogRecord",
    "logs:StartQuery",
    "logs:StopQuery",
    "logs:TestMetricFilter"
    ],
   "Resource": "*",
   "Effect": "Allow"
  }
 ]
}

This policy grants read-only permissions on CloudWatch and CloudWatch Logs (Describe, Get and List calls plus Logs Insights queries), allowing WorkSpaces Manager to retrieve the metrics and log data it needs; it does not include any Put actions. You can apply this policy through your preferred method, whether that is the AWS Management Console, CLI, or automation tools.

Here is the JSON snippet for the custom policy "WSMCostExplorerPolicy":

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Action": "ce:*",
   "Resource": "*",
   "Effect": "Allow"
  }
 ]
}

This policy grants the necessary permissions for WorkSpaces Manager to access Cost Explorer and retrieve cost and usage data, as well as reservation and savings plan information. You can apply this policy using the AWS Management Console, CLI, or any automation tools like Terraform or CloudFormation.

Here is the JSON snippet for the custom policy "WSMEC2Policy":

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Action": "ec2:Describe*",
   "Resource": "*",
   "Effect": "Allow"
  },
  {
   "Action": "elasticloadbalancing:Describe*",
   "Resource": "*",
   "Effect": "Allow"
  },
  {
   "Action": "autoscaling:Describe*",
   "Resource": "*",
   "Effect": "Allow"
  }
 ]
}

This policy grants WorkSpaces Manager describe-only (read) access to EC2, Elastic Load Balancing and Auto Scaling, so it can enumerate instances, tags, load balancers and scaling groups; it does not grant start, stop, reboot or terminate actions. You can use this policy in the AWS Management Console, CLI, or automation tools such as Terraform or CloudFormation.

Here is the JSON snippet for the custom policy "WSMEUCPolicy":

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Action": [
    "appstream:*",
    "ds:*",
    "workspaces:*"
   ],
   "Resource": "*",
   "Effect": "Allow"
  }
 ]
}

This policy provides WorkSpaces Manager with full access to the End User Computing services it manages: Amazon WorkSpaces (workspaces:*), Amazon AppStream 2.0 (appstream:*) and AWS Directory Service (ds:*). This covers describing, creating, terminating and tagging WorkSpaces and their directories. You can apply this policy using the AWS Management Console, CLI, or tools like Terraform or CloudFormation.

Here is the JSON snippet for the custom policy "WSMPricingPolicy":

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Action": "pricing:*",
   "Resource": "*",
   "Effect": "Allow"
  }
 ]
}

This policy grants WorkSpaces Manager permission to retrieve pricing information using the AWS Pricing API. You can apply this policy using the AWS Management Console, CLI, or automation tools like Terraform or CloudFormation.

Here is the JSON snippet for the custom policy "WSMS3Policy":

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Action": [
    "s3:GetLifecycleConfiguration",
    "s3:GetBucketTagging",
    "s3:GetInventoryConfiguration",
    "s3:GetObjectVersionTagging",
    "s3:ListBucketVersions",
    "s3:GetBucketLogging",
    "s3:ListBucket",
    "s3:GetAccelerateConfiguration",
    "s3:GetBucketPolicy",
    "s3:GetObjectVersionTorrent",
    "s3:GetObjectAcl",
    "s3:GetEncryptionConfiguration",
    "s3:GetBucketRequestPayment",
    "s3:GetObjectVersionAcl",
    "s3:GetObjectTagging",
    "s3:GetMetricsConfiguration",
    "s3:GetBucketPublicAccessBlock",
    "s3:GetBucketPolicyStatus",
    "s3:ListBucketMultipartUploads",
    "s3:GetBucketWebsite",
    "s3:GetBucketVersioning",
    "s3:GetBucketAcl",
    "s3:GetBucketNotification",
    "s3:GetReplicationConfiguration",
    "s3:ListMultipartUploadParts",
    "s3:GetObject",
    "s3:GetObjectTorrent",
    "s3:GetBucketCORS",
    "s3:GetAnalyticsConfiguration",
    "s3:GetObjectVersionForReplication",
    "s3:GetBucketLocation",
    "s3:GetObjectVersion"
   ],
   "Resource": [
    "arn:aws:s3:::workspacescostoptimizer-costoptimizerbucket*/*"
   ],
   "Effect": "Allow"
  },
  {
   "Action": [
    "s3:GetAccountPublicAccessBlock",
    "s3:ListAllMyBuckets"
   ],
   "Resource": "*",
   "Effect": "Allow"
  }
 ]
}

This policy grants WorkSpaces Manager read-only access to Amazon S3: Get and List actions on the cost optimizer bucket (the first statement, scoped to the bucket ARN prefix), plus account-wide ListAllMyBuckets and GetAccountPublicAccessBlock (the second statement). It does not include Put or Delete actions. You can apply this policy via the AWS Management Console, CLI, or tools like Terraform or CloudFormation.
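Because several of these policies combine service-wide wildcards (ce:*, pricing:*, appstream:*, ds:*, workspaces:*) with "Resource": "*", it is worth running a least-privilege review before attaching them. The following script is an added example and is not part of the WorkSpaces Manager documentation or project code. It embeds the policy documents from this page (the long CloudWatch and S3 action lists are shortened to representative entries; the logic is unchanged), accepts either a parsed dict or the raw JSON text, and flags two things: any wildcard action, and any non-read-only action that is allowed on "Resource": "*". The read-only verb list (Describe, Get, List) and the severity labels are this example's own assumptions; anything outside that list is conservatively flagged for manual review rather than silently accepted.

```python
"""Least-privilege review of the IAM policy documents on this page.

Added example, not part of the WorkSpaces Manager documentation or project.
Policy bodies are copied from the page (CloudWatch and S3 lists shortened);
READ_ONLY_VERBS and the finding labels are this example's assumptions.
"""
import json

# Verbs AWS uses for read-only API calls (assumption). Any other verb is
# treated as potentially mutating and flagged for manual review.
READ_ONLY_VERBS = ("Describe", "Get", "List")

POLICIES = {
    "WSMCloudwatchPolicy": {
        "Version": "2012-10-17",
        "Statement": [{
            "Action": ["cloudwatch:Describe*", "cloudwatch:GetMetricData",
                       "logs:FilterLogEvents", "logs:StartQuery"],
            "Resource": "*", "Effect": "Allow"}]},
    "WSMCostExplorerPolicy": {
        "Version": "2012-10-17",
        "Statement": [{"Action": "ce:*", "Resource": "*", "Effect": "Allow"}]},
    "WSMEC2Policy": {
        "Version": "2012-10-17",
        "Statement": [
            {"Action": "ec2:Describe*", "Resource": "*", "Effect": "Allow"},
            {"Action": "elasticloadbalancing:Describe*", "Resource": "*", "Effect": "Allow"},
            {"Action": "autoscaling:Describe*", "Resource": "*", "Effect": "Allow"}]},
    "WSMEUCPolicy": {
        "Version": "2012-10-17",
        "Statement": [{"Action": ["appstream:*", "ds:*", "workspaces:*"],
                       "Resource": "*", "Effect": "Allow"}]},
    "WSMPricingPolicy": {
        "Version": "2012-10-17",
        "Statement": [{"Action": "pricing:*", "Resource": "*", "Effect": "Allow"}]},
    "WSMS3Policy": {
        "Version": "2012-10-17",
        "Statement": [
            {"Action": ["s3:GetObject", "s3:ListBucket", "s3:GetBucketPolicy"],
             "Resource": ["arn:aws:s3:::workspacescostoptimizer-costoptimizerbucket*/*"],
             "Effect": "Allow"},
            {"Action": ["s3:GetAccountPublicAccessBlock", "s3:ListAllMyBuckets"],
             "Resource": "*", "Effect": "Allow"}]},
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def classify_action(action):
    """Return 'wildcard', 'read-only' or 'review' for one action string."""
    if action == "*":
        return "wildcard"
    _service, _, api = action.partition(":")
    if api == "*":
        return "wildcard"                      # e.g. "ce:*" -> every Cost Explorer call
    if api.startswith(READ_ONLY_VERBS):
        return "read-only"                     # "Describe*" still starts with Describe
    return "review"                            # unknown verb: a human should look at it


def review_policy(name, policy):
    """Return (policy, action, finding) tuples for one policy document.

    `policy` may be a parsed dict or the raw JSON text pasted from this page.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue                           # Deny statements cannot over-grant
        unscoped = "*" in _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt["Action"]):
            kind = classify_action(action)
            if kind == "wildcard":
                findings.append((name, action, "service-wide wildcard action"))
            elif kind == "review" and unscoped:
                findings.append((name, action, 'non-read-only action on Resource "*"'))
    return findings


def review_all(policies=POLICIES):
    """Run the review over every policy and return all findings in page order."""
    findings = []
    for name, policy in policies.items():
        findings.extend(review_policy(name, policy))
    return findings


if __name__ == "__main__":
    for pol, action, finding in review_all():
        print(f"{pol:24} {action:32} {finding}")
```

Run as-is it reports the five service-wide wildcards (ce:*, appstream:*, ds:*, workspaces:*, pricing:*) and the two CloudWatch Logs actions whose verbs are not in the read-only list; WSMEC2Policy and WSMS3Policy produce no findings because they are Describe/Get/List only. To review the full policies, paste the page's JSON into review_policy as a string. A finding is a prompt to decide whether the grant is really needed (for example, whether WorkSpaces Manager needs write access to Directory Service), not an automatic verdict.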
