Using Amazon S3 VPC Endpoints for WorkSpaces Applications Features - Amazon WorkSpaces Applications



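When you enable Application Settings Persistence or Home Folders on a stack, WorkSpaces Applications uses the VPC that you specify for your fleet to provide access to Amazon Simple Storage Service (Amazon S3) buckets. For Elastic fleets, WorkSpaces Applications uses the VPC to access the Amazon S3 bucket that contains the applications assigned to the fleet's app block. To enable WorkSpaces Applications to access your private S3 endpoint, attach the following custom policy to your VPC endpoint for Amazon S3. For more information about private Amazon S3 endpoints, see VPC Endpoints and Endpoints for Amazon S3 in the Amazon VPC User Guide.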

JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow-AppStream-to-access-S3-buckets",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:sts::111122223333:assumed-role/AmazonAppStreamServiceAccess/AppStream2.0"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:GetObjectVersion",
                "s3:DeleteObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::appstream2-36fb080bb8-*",
                "arn:aws:s3:::appstream-app-settings-*",
                "arn:aws:s3:::appstream-logs-*"
            ]
        },
        {
            "Sid": "Allow-AppStream-ElasticFleetstoRetrieveObjects",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket-with-application-or-app-block-objects/*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalServiceName": "appstream.amazonaws.com"
                }
            }
        }
    ]
}
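As an added example (not part of the AWS documentation), the following Python check audits an endpoint policy such as the one above before it is attached: it flags any Allow statement that uses a wildcard principal without a condition pinning the caller, or that allows a wildcard action. The function names, the accepted condition keys and operators, and the weakened variant are assumptions made for this illustration.

```python
import copy
import json

# Condition keys and operators accepted as pinning the caller (a choice made for this example).
PRINCIPAL_KEYS = {"aws:principalservicename", "aws:principalarn", "aws:principalaccount", "aws:principalorgid"}
POSITIVE_OPS = {"stringequals", "stringlike", "arnequals", "arnlike"}

# The endpoint policy from this page; account ID and bucket names are the page's placeholders.
PAGE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "Allow-AppStream-to-access-S3-buckets", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:sts::111122223333:assumed-role/AmazonAppStreamServiceAccess/AppStream2.0"},
   "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
              "s3:GetObjectVersion", "s3:DeleteObjectVersion"],
   "Resource": ["arn:aws:s3:::appstream2-36fb080bb8-*", "arn:aws:s3:::appstream-app-settings-*",
                "arn:aws:s3:::appstream-logs-*"]},
  {"Sid": "Allow-AppStream-ElasticFleetstoRetrieveObjects", "Effect": "Allow",
   "Principal": "*", "Action": "s3:GetObject",
   "Resource": "arn:aws:s3:::bucket-with-application-or-app-block-objects/*",
   "Condition": {"StringEquals": {"aws:PrincipalServiceName": "appstream.amazonaws.com"}}}]}
""")

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_wildcard_principal(principal):
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return "*" in as_list(aws)

def pins_principal(condition):
    # Only positive match operators count; negated or IfExists forms do not pin the caller.
    return any(op.lower() in POSITIVE_OPS and any(k.lower() in PRINCIPAL_KEYS for k in keys)
               for op, keys in condition.items())

def audit_endpoint_policy(policy):
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if is_wildcard_principal(stmt.get("Principal")) and not pins_principal(stmt.get("Condition", {})):
            findings.append(f"{sid}: wildcard principal without a principal condition")
        if any(a in ("*", "s3:*") for a in as_list(stmt.get("Action", []))):
            findings.append(f"{sid}: wildcard action")
    return findings

# Constructed weak variant: the page's policy with the Condition dropped from the second statement.
WEAK_POLICY = copy.deepcopy(PAGE_POLICY)
del WEAK_POLICY["Statement"][1]["Condition"]
```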