AWS managed policies for WorkSpaces
To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that give your team only the permissions it needs. To get started quickly, you can use AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.
AWS services maintain and update AWS managed policies. You cannot change the permissions in an AWS managed policy. A service may occasionally add permissions to an AWS managed policy to support new features. An update of this kind affects every identity (user, group, or role) the policy is attached to, without any action on your part. Services are most likely to update an AWS managed policy when a new feature is launched or new operations become available. Services do not remove permissions from an AWS managed policy, so a policy update will not break your existing permissions. Because an update widens the permissions of every attached identity at once, consult the change log at the end of this page when you audit those identities.
AWS also supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for the new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.
AWS managed policy: AmazonWorkSpacesAdmin
This policy provides access to Amazon WorkSpaces administrative actions. Every action is granted on Resource "*" with no Condition, so it covers all WorkSpaces resources in the account; the three kms: entries are read-only describe and list calls. It includes the following permissions:
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AmazonWorkSpacesAdmin",
"Effect": "Allow",
"Action": [
"kms:DescribeKey",
"kms:ListAliases",
"kms:ListKeys",
"workspaces:CreateTags",
"workspaces:CreateWorkspaceImage",
"workspaces:CreateWorkspaces",
"workspaces:CreateWorkspacesPool",
"workspaces:CreateStandbyWorkspaces",
"workspaces:DeleteTags",
"workspaces:DeregisterWorkspaceDirectory",
"workspaces:DescribeTags",
"workspaces:DescribeWorkspaceBundles",
"workspaces:DescribeWorkspaceDirectories",
"workspaces:DescribeWorkspaces",
"workspaces:DescribeWorkspacesPools",
"workspaces:DescribeWorkspacesPoolSessions",
"workspaces:DescribeWorkspacesConnectionStatus",
"workspaces:ModifyCertificateBasedAuthProperties",
"workspaces:ModifySamlProperties",
"workspaces:ModifyStreamingProperties",
"workspaces:ModifyWorkspaceCreationProperties",
"workspaces:ModifyWorkspaceProperties",
"workspaces:RebootWorkspaces",
"workspaces:RebuildWorkspaces",
"workspaces:RegisterWorkspaceDirectory",
"workspaces:RestoreWorkspace",
"workspaces:StartWorkspaces",
"workspaces:StartWorkspacesPool",
"workspaces:StopWorkspaces",
"workspaces:StopWorkspacesPool",
"workspaces:TerminateWorkspaces",
"workspaces:TerminateWorkspacesPool",
"workspaces:TerminateWorkspacesPoolSession",
"workspaces:UpdateWorkspacesPool"
],
"Resource": "*"
}
]
}
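The introduction above states two facts an auditor should verify rather than assume: a managed-policy update adds permissions to every attached identity at once, and AWS never removes an action from the policy. The following Python is an added example, not AWS code. It diffs two versions of the AmazonWorkSpacesAdmin document and flags unconditioned Resource "*" statements. CURRENT is the policy as printed on this page; PRIOR is a constructed stand-in for the version before June 24, 2024, assumed (from this page's change log, which says that update added the WorkSpaces Pools actions) to be CURRENT minus every action whose name contains "Pool". That is an approximation for illustration, not the real earlier policy version. In a live account, fetch both documents with iam:GetPolicy and iam:GetPolicyVersion and pass them to the same functions.

```python
"""Drift check between two versions of an AWS managed policy (added example, not AWS code).

CURRENT is AmazonWorkSpacesAdmin as printed on the page. PRIOR is a constructed
snapshot: CURRENT without the actions containing "Pool", an assumption based on
the page's change log entry for June 24, 2024, not the real earlier version.
"""
import copy
from typing import Dict, List, Set

ADMIN_ACTIONS = [
    "kms:DescribeKey", "kms:ListAliases", "kms:ListKeys",
    "workspaces:CreateTags", "workspaces:CreateWorkspaceImage",
    "workspaces:CreateWorkspaces", "workspaces:CreateWorkspacesPool",
    "workspaces:CreateStandbyWorkspaces", "workspaces:DeleteTags",
    "workspaces:DeregisterWorkspaceDirectory", "workspaces:DescribeTags",
    "workspaces:DescribeWorkspaceBundles", "workspaces:DescribeWorkspaceDirectories",
    "workspaces:DescribeWorkspaces", "workspaces:DescribeWorkspacesPools",
    "workspaces:DescribeWorkspacesPoolSessions", "workspaces:DescribeWorkspacesConnectionStatus",
    "workspaces:ModifyCertificateBasedAuthProperties", "workspaces:ModifySamlProperties",
    "workspaces:ModifyStreamingProperties", "workspaces:ModifyWorkspaceCreationProperties",
    "workspaces:ModifyWorkspaceProperties", "workspaces:RebootWorkspaces",
    "workspaces:RebuildWorkspaces", "workspaces:RegisterWorkspaceDirectory",
    "workspaces:RestoreWorkspace", "workspaces:StartWorkspaces",
    "workspaces:StartWorkspacesPool", "workspaces:StopWorkspaces",
    "workspaces:StopWorkspacesPool", "workspaces:TerminateWorkspaces",
    "workspaces:TerminateWorkspacesPool", "workspaces:TerminateWorkspacesPoolSession",
    "workspaces:UpdateWorkspacesPool",
]

CURRENT = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AmazonWorkSpacesAdmin", "Effect": "Allow",
                   "Action": ADMIN_ACTIONS, "Resource": "*"}],
}

# Constructed prior snapshot (assumption, see module docstring).
PRIOR = copy.deepcopy(CURRENT)
PRIOR["Statement"][0]["Action"] = [a for a in ADMIN_ACTIONS if "Pool" not in a]


def _as_list(v):
    return v if isinstance(v, list) else [v]


def allowed_actions(policy: Dict) -> Set[str]:
    """Every action granted by an Allow statement, regardless of resource scope."""
    out: Set[str] = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") == "Allow":
            out.update(_as_list(stmt.get("Action", [])))
    return out


def wildcard_statements(policy: Dict) -> List[str]:
    """Sids of Allow statements on Resource "*" with no Condition: the broadest grants."""
    return [stmt.get("Sid", "<no Sid>") for stmt in _as_list(policy["Statement"])
            if stmt.get("Effect") == "Allow"
            and "*" in _as_list(stmt.get("Resource", []))
            and not stmt.get("Condition")]


def diff_policies(old: Dict, new: Dict) -> Dict[str, Set[str]]:
    """Actions that appeared in, or disappeared from, the new version."""
    before, after = allowed_actions(old), allowed_actions(new)
    return {"added": after - before, "removed": before - after}


def is_append_only(old: Dict, new: Dict) -> bool:
    """AWS states that managed-policy updates never remove permissions; check it."""
    return not diff_policies(old, new)["removed"]


def drift_report(old: Dict, new: Dict) -> str:
    """Human-readable summary for a change ticket or audit log."""
    d = diff_policies(old, new)
    return "\n".join([
        f"added   ({len(d['added'])}): " + ", ".join(sorted(d["added"])),
        f"removed ({len(d['removed'])}): " + ", ".join(sorted(d["removed"])),
        'unconditioned Resource "*" statements: ' + ", ".join(wildcard_statements(new)),
    ])


if __name__ == "__main__":
    print(drift_report(PRIOR, CURRENT))
```

Every action the diff reports as added is immediately available to each identity the policy is attached to, so the report is the list of grants to review, and a non-empty "removed" set would contradict the no-removal statement above and deserves a closer look at whichever snapshot is wrong.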
AWS managed policy: AmazonWorkSpacesPCAAccess
This managed policy provides access to AWS Certificate Manager Private Certificate Authority (AWS Private CA) resources in your AWS account for certificate-based authentication. It is included in the AmazonWorkSpacesPCAAccess role. The aws:ResourceTag condition in the statement limits the grant to certificate authorities that carry a tag with the key euc-private-ca (any value); an untagged CA is out of scope even though the Resource pattern matches every acm-pca ARN in every partition. It provides the following permissions:
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"acm-pca:IssueCertificate",
"acm-pca:GetCertificate",
"acm-pca:DescribeCertificateAuthority"
],
"Resource": "arn:*:acm-pca:*:*:*",
"Condition": {
"StringLike": {
"aws:ResourceTag/euc-private-ca": "*"
}
}
}
]
}
AWS managed policy: AmazonWorkSpacesSelfServiceAccess
This policy provides access to the Amazon WorkSpaces service to perform user-initiated WorkSpaces self-service actions. It is included in the workspaces_DefaultRole role and provides the following permissions:
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"workspaces:RebootWorkspaces",
"workspaces:RebuildWorkspaces",
"workspaces:ModifyWorkspaceProperties"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
AWS managed policy: AmazonWorkSpacesServiceAccess
This policy provides the Amazon WorkSpaces service with access to the customer account to launch a WorkSpace. It is included in the workspaces_DefaultRole role. The grant is limited to creating, deleting, and describing elastic network interfaces, and provides the following permissions:
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface",
"ec2:DescribeNetworkInterfaces"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
AWS managed policy: AmazonWorkSpacesPoolServiceAccess
This policy is used in workspaces_DefaultRole, which WorkSpaces uses to access the resources that WorkSpaces Pools needs in the customer AWS account. For more information, see Create the workspaces_DefaultRole role. Both statements carry the condition aws:ResourceAccount equals ${aws:PrincipalAccount}, so the role can only reach resources owned by the same account as the role, and the S3 statement is further restricted to buckets whose names begin with wspool-logs-, wspool-app-settings-, or wspool-home-folder-. It provides the following permissions:
Commercial AWS Regions
The following policy JSON applies to commercial AWS Regions.
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ProvisioningWorkSpacesPoolPermissions",
"Effect": "Allow",
"Action": [
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeSecurityGroups",
"ec2:DescribeRouteTables",
"s3:ListAllMyBuckets"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "WorkSpacesPoolS3Permissions",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:GetObjectVersion",
"s3:DeleteObjectVersion",
"s3:GetBucketPolicy",
"s3:PutBucketPolicy",
"s3:PutEncryptionConfiguration"
],
"Resource": [
"arn:aws:s3:::wspool-logs-*",
"arn:aws:s3:::wspool-app-settings-*",
"arn:aws:s3:::wspool-home-folder-*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
}
]
}
AWS GovCloud (US) Regions
The following policy JSON applies to AWS GovCloud (US) Regions. It differs from the commercial version only in the arn:aws-us-gov partition of the S3 bucket ARNs.
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ProvisioningWorkSpacesPoolPermissions",
"Effect": "Allow",
"Action": [
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeSecurityGroups",
"ec2:DescribeRouteTables",
"s3:ListAllMyBuckets"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "WorkSpacesPoolS3Permissions",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:GetObjectVersion",
"s3:DeleteObjectVersion",
"s3:GetBucketPolicy",
"s3:PutBucketPolicy",
"s3:PutEncryptionConfiguration"
],
"Resource": [
"arn:aws-us-gov:s3:::wspool-logs-*",
"arn:aws-us-gov:s3:::wspool-app-settings-*",
"arn:aws-us-gov:s3:::wspool-home-folder-*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
}
]
}
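AmazonWorkSpacesPCAAccess and AmazonWorkSpacesPoolServiceAccess are the two policies on this page that scope access with Resource patterns and Condition keys, and the effect of those conditions is clearest when concrete requests are evaluated against them. The following Python is an added example, not AWS code and not a complete IAM engine: it models only the rules these statements use (IAM "*" and "?" wildcards in Action and Resource, StringEquals, StringLike, ${aws:PrincipalAccount} substitution, and a condition key absent from the request context failing the condition, since neither statement uses an ...IfExists operator). The account IDs, CA ARN, and bucket names are constructed. The GovCloud variant of the Pools policy differs only in the ARN partition and is not repeated.

```python
"""Evaluate constructed requests against the two conditioned policies on this page.

Added example, not AWS code. Only the IAM rules these statements rely on are
modelled; account IDs, CA ARNs and bucket names are constructed.
"""
import re


def iam_glob(pattern, value):
    """IAM wildcard match: '*' is any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _expand(value, ctx):
    """Substitute ${key} policy variables; None if any variable is unresolved."""
    missing = False

    def repl(m):
        nonlocal missing
        if m.group(1) not in ctx:
            missing = True
        return ctx.get(m.group(1), "")

    out = re.sub(r"\$\{([^}]+)\}", repl, value)
    return None if missing else out


def condition_holds(condition, ctx):
    """Every operator/key pair must match; a key missing from ctx fails the block."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            wanted = [w for w in (_expand(e, ctx) for e in _as_list(expected))
                      if w is not None]
            if operator == "StringEquals":
                ok = actual in wanted
            elif operator == "StringLike":
                ok = any(iam_glob(w, actual) for w in wanted)
            else:
                raise NotImplementedError(f"condition operator {operator} not modelled")
            if not ok:
                return False
    return True


def statement_matches(stmt, action, resource, ctx):
    return (any(iam_glob(a, action) for a in _as_list(stmt["Action"]))
            and any(iam_glob(r, resource) for r in _as_list(stmt["Resource"]))
            and condition_holds(stmt.get("Condition"), ctx))


def evaluate(policy, action, resource, ctx):
    """Identity-policy decision: explicit Deny wins, then any Allow, else implicit deny."""
    hits = [s for s in _as_list(policy["Statement"])
            if statement_matches(s, action, resource, ctx)]
    if any(s["Effect"] == "Deny" for s in hits):
        return False
    return any(s["Effect"] == "Allow" for s in hits)


def request_ctx(principal_account, resource_account, tags=None):
    """Request-context keys the two policies consult (constructed values)."""
    ctx = {"aws:PrincipalAccount": principal_account,
           "aws:ResourceAccount": resource_account}
    for key, val in (tags or {}).items():
        ctx["aws:ResourceTag/" + key] = val
    return ctx


# AmazonWorkSpacesPCAAccess, as printed on this page.
PCA_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["acm-pca:IssueCertificate", "acm-pca:GetCertificate",
               "acm-pca:DescribeCertificateAuthority"],
    "Resource": "arn:*:acm-pca:*:*:*",
    "Condition": {"StringLike": {"aws:ResourceTag/euc-private-ca": "*"}}}]}

# AmazonWorkSpacesPoolServiceAccess (commercial partition), as printed on this page.
SAME_ACCOUNT = {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}
POOL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ProvisioningWorkSpacesPoolPermissions", "Effect": "Allow",
     "Action": ["ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeAvailabilityZones",
                "ec2:DescribeSecurityGroups", "ec2:DescribeRouteTables", "s3:ListAllMyBuckets"],
     "Resource": "*", "Condition": SAME_ACCOUNT},
    {"Sid": "WorkSpacesPoolS3Permissions", "Effect": "Allow",
     "Action": ["s3:CreateBucket", "s3:ListBucket", "s3:GetObject", "s3:PutObject",
                "s3:DeleteObject", "s3:GetObjectVersion", "s3:DeleteObjectVersion",
                "s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:PutEncryptionConfiguration"],
     "Resource": ["arn:aws:s3:::wspool-logs-*", "arn:aws:s3:::wspool-app-settings-*",
                  "arn:aws:s3:::wspool-home-folder-*"],
     "Condition": SAME_ACCOUNT}]}

# Constructed scenarios: a CA in the role's own account, with and without the tag,
# and a same-named bucket owned by a different account.
CA_ARN = "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/0f0e0d0c-1111-2222-3333-444455556666"
TAGGED = request_ctx("111122223333", "111122223333", {"euc-private-ca": "workspaces"})
UNTAGGED = request_ctx("111122223333", "111122223333")
CROSS_ACCOUNT = request_ctx("111122223333", "999988887777")
```

Two results are worth noting. An untagged CA is denied even though its ARN matches arn:*:acm-pca:*:*:*, so tagging the CA with the key euc-private-ca is the step that actually lets WorkSpaces issue certificates from it. A bucket named wspool-logs-... that belongs to a different account is denied by the aws:ResourceAccount condition, which is what prevents a third party from creating a bucket with a matching name and receiving the service's writes.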
WorkSpaces updates to AWS managed policies
View details about updates to AWS managed policies for WorkSpaces since this service began tracking these changes.
| Change | Description | Date |
| --- | --- | --- |
| AWS managed policy: AmazonWorkSpacesPoolServiceAccess - New policy | WorkSpaces added a new managed policy to grant permissions to view Amazon EC2 VPCs and related resources, and to view and manage Amazon S3 buckets for WorkSpaces Pools. | June 24, 2024 |
| AWS managed policy: AmazonWorkSpacesAdmin - Updated policy | WorkSpaces added several actions to the AmazonWorkSpacesAdmin managed policy to grant administrators permissions to manage WorkSpaces Pools resources. | June 24, 2024 |
| AWS managed policy: AmazonWorkSpacesAdmin - Updated policy | WorkSpaces added the workspaces:RestoreWorkspace action to the AmazonWorkSpacesAdmin managed policy to grant administrators permission to restore WorkSpaces. | June 25, 2023 |
| AWS managed policy: AmazonWorkSpacesPCAAccess - New policy | WorkSpaces added a new managed policy to grant acm-pca permissions for managing AWS Private CA for certificate-based authentication. | November 18, 2022 |
| WorkSpaces started tracking changes | WorkSpaces started tracking changes for its AWS managed policies. | March 1, 2021 |