本文属于机器翻译版本。若本译文内容与英语原文存在差异，则一律以英文原文为准。

# AWS 托管策略： AmazonWorkSpacesWebServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonWorkSpacesWebServiceRolePolicy"></a>









无法将 `AmazonWorkSpacesWebServiceRolePolicy` 策略附加到 IAM 实体。此策略附加到服务相关角色，该角色允许 WorkSpaces 安全浏览器代表您执行操作。有关更多信息，请参阅 [在 Amazon WorkSpaces 安全浏览器中使用服务相关角色](using-service-linked-roles.md)。



此策略授予管理权限，允许访问 WorkSpaces 安全浏览器使用或管理的 AWS 服务和资源。



**权限详细信息**

该策略包含以下权限：




+ `workspaces-web`— 允许访问 WorkSpaces 安全浏览器使用或管理的 AWS 服务和资源。
+ `ec2`— 允许委托人描述 VPCs、子网和可用区；创建、标记、描述和删除网络接口；关联或取消关联地址；以及描述路由表、安全组和 VPC 终端节点。
+ `CloudWatch` – 允许委托人放入指标数据。
+ `Kinesis` – 允许委托人描述 Kinesis 数据流的摘要，并将记录放入用户访问日志记录的 Kinesis 数据流中。有关更多信息，请参阅 [在 Amazon WorkSpaces 安全浏览器中设置用户活动记录](user-logging.md)。



```
{
    "Version": "2012-10-17",		 	 	 
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeNetworkInterfaces",
                "ec2:AssociateAddress",
                "ec2:DisassociateAddress",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeVpcEndpoints"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:security-group/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface"
            ],
            "Resource": "arn:aws:ec2:*:*:network-interface/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/WorkSpacesWebManaged": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": "arn:aws:ec2:*:*:network-interface/*",
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "CreateNetworkInterface"
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": [
                        "WorkSpacesWebManaged"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteNetworkInterface"
            ],
            "Resource": "arn:aws:ec2:*:*:network-interface/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/WorkSpacesWebManaged": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "cloudwatch:namespace": [
                        "AWS/WorkSpacesWeb",
                        "AWS/Usage"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "kinesis:PutRecord",
                "kinesis:PutRecords",
                "kinesis:DescribeStreamSummary"
            ],
            "Resource": "arn:aws:kinesis:*:*:stream/amazon-workspaces-web-*"
        }
    ]
}
```