This is a machine translation of the English version. If there is any ambiguity or inconsistency in the content, the English version prevails.

# AWS managed policy: AmazonWorkSpacesWebServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonWorkSpacesWebServiceRolePolicy"></a>

You can't attach the `AmazonWorkSpacesWebServiceRolePolicy` policy to IAM entities. This policy is attached to a service-linked role that allows WorkSpaces Secure Browser to perform actions on your behalf. For more information, see [Using service-linked roles for Amazon WorkSpaces Secure Browser](using-service-linked-roles.md).

This policy grants administrative permissions that allow access to the AWS services and resources that WorkSpaces Secure Browser uses or manages.

**Permissions details**

This policy includes the following permissions:

+ `workspaces-web` – Allows access to the AWS services and resources that WorkSpaces Secure Browser uses or manages.
+ `ec2` – Allows principals to describe VPCs, subnets, and Availability Zones; create, tag, describe, and delete network interfaces; associate or disassociate addresses; and describe route tables, security groups, and VPC endpoints.
+ `CloudWatch` – Allows principals to put metric data.
+ `Kinesis` – Allows principals to describe the summary of Kinesis data streams and put records into Kinesis data streams for user access logging. For more information, see [Setting up user activity logging in Amazon WorkSpaces Secure Browser](user-logging.md).

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeNetworkInterfaces",
                "ec2:AssociateAddress",
                "ec2:DisassociateAddress",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeVpcEndpoints"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:security-group/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface"
            ],
            "Resource": "arn:aws:ec2:*:*:network-interface/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/WorkSpacesWebManaged": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": "arn:aws:ec2:*:*:network-interface/*",
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "CreateNetworkInterface"
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": [
                        "WorkSpacesWebManaged"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteNetworkInterface"
            ],
            "Resource": "arn:aws:ec2:*:*:network-interface/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/WorkSpacesWebManaged": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "cloudwatch:namespace": [
                        "AWS/WorkSpacesWeb",
                        "AWS/Usage"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "kinesis:PutRecord",
                "kinesis:PutRecords",
                "kinesis:DescribeStreamSummary"
            ],
            "Resource": "arn:aws:kinesis:*:*:stream/amazon-workspaces-web-*"
        }
    ]
}
```
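The value of this policy lies in its conditions: the role may create network interfaces only when it tags them `WorkSpacesWebManaged=true`, may add only that tag key and only at creation time, may delete only interfaces carrying that tag, may publish metrics only to the two listed namespaces, and may write only to Kinesis streams whose name starts with `amazon-workspaces-web-`. The following is an added example, not part of the AWS documentation and not AWS's evaluation engine: a small Python evaluator for the subset of IAM semantics this policy uses (`Allow` statements, `*` wildcards in actions and resource ARNs, `StringEquals`, and `ForAllValues:StringEquals`). It embeds a copy of the conditional statements from the policy above, evaluates a request one resource ARN at a time, and ignores everything a real evaluation also considers (other attached policies, SCPs, explicit denies), so it is a way to reason about what each guard does, not a substitute for the IAM policy simulator. The account ID and interface ID in the sample ARNs are constructed.

```python
import fnmatch

# Subset of the AmazonWorkSpacesWebServiceRolePolicy statements shown above,
# copied from the policy document. The unconditional Describe* statement and
# the subnet/security-group CreateNetworkInterface statement are left out for
# brevity only; nothing here is an AWS-provided API.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:CreateNetworkInterface"],
         "Resource": "arn:aws:ec2:*:*:network-interface/*",
         "Condition": {"StringEquals": {"aws:RequestTag/WorkSpacesWebManaged": "true"}}},
        {"Effect": "Allow", "Action": ["ec2:CreateTags"],
         "Resource": "arn:aws:ec2:*:*:network-interface/*",
         "Condition": {"StringEquals": {"ec2:CreateAction": "CreateNetworkInterface"},
                       "ForAllValues:StringEquals": {"aws:TagKeys": ["WorkSpacesWebManaged"]}}},
        {"Effect": "Allow", "Action": ["ec2:DeleteNetworkInterface"],
         "Resource": "arn:aws:ec2:*:*:network-interface/*",
         "Condition": {"StringEquals": {"aws:ResourceTag/WorkSpacesWebManaged": "true"}}},
        {"Effect": "Allow", "Action": ["cloudwatch:PutMetricData"], "Resource": "*",
         "Condition": {"StringEquals": {"cloudwatch:namespace": ["AWS/WorkSpacesWeb", "AWS/Usage"]}}},
        {"Effect": "Allow",
         "Action": ["kinesis:PutRecord", "kinesis:PutRecords", "kinesis:DescribeStreamSummary"],
         "Resource": "arn:aws:kinesis:*:*:stream/amazon-workspaces-web-*"},
    ],
}

# Constructed sample ARNs (account and resource IDs are made up).
ENI = "arn:aws:ec2:us-east-1:123456789012:network-interface/eni-0123456789abcdef0"
LOG_STREAM = "arn:aws:kinesis:us-east-1:123456789012:stream/amazon-workspaces-web-demo"
OTHER_STREAM = "arn:aws:kinesis:us-east-1:123456789012:stream/payments"


def _as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Evaluate the two condition operators this policy uses.

    Any other operator raises, so an unsupported construct can never turn
    into a silent allow.
    """
    for operator, pairs in condition.items():
        for key, allowed in pairs.items():
            allowed = _as_list(allowed)
            actual = _as_list(context.get(key))
            if operator == "StringEquals":
                # The key must be present with exactly one value, and that
                # value must be one of the allowed strings (exact, case-sensitive).
                if len(actual) != 1 or actual[0] not in allowed:
                    return False
            elif operator == "ForAllValues:StringEquals":
                # Every value in the request must be in the allowed set; a
                # missing key is vacuously true, which matches IAM's set semantics.
                if any(v not in allowed for v in actual):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def matching_statement(action, resource, context=None, policy=POLICY):
    """Return the index of the first Allow statement covering the request, or None."""
    context = context or {}
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        # '*' in IAM actions and ARNs matches any run of characters, including ':' and '/'.
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return index
    return None


def is_allowed(action, resource, context=None, policy=POLICY):
    """True if some Allow statement (with its conditions satisfied) covers the request."""
    return matching_statement(action, resource, context, policy) is not None


if __name__ == "__main__":
    checks = [
        ("delete a tagged ENI", "ec2:DeleteNetworkInterface", ENI,
         {"aws:ResourceTag/WorkSpacesWebManaged": "true"}),
        ("delete an untagged ENI", "ec2:DeleteNetworkInterface", ENI, {}),
        ("tag with an extra key", "ec2:CreateTags", ENI,
         {"ec2:CreateAction": "CreateNetworkInterface", "aws:TagKeys": ["WorkSpacesWebManaged", "Name"]}),
        ("metric in a custom namespace", "cloudwatch:PutMetricData", "*", {"cloudwatch:namespace": "Custom"}),
        ("write to an unrelated stream", "kinesis:PutRecord", OTHER_STREAM, {}),
    ]
    for label, action, resource, ctx in checks:
        print(f"{label:32s} -> {'ALLOW' if is_allowed(action, resource, ctx) else 'no match (implicit deny)'}")
```

Running the script prints one line per check; only the first is allowed. Because the evaluator raises on any condition operator it does not implement, pointing it at a different policy fails loudly rather than reporting an allow it cannot justify, which is the behaviour you want from any home-grown policy check.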