This page is a machine translation of the English version. Where the content is ambiguous or inconsistent, the English version prevails.
AWS managed policies for WorkSpaces
Using AWS managed policies makes it easier to add permissions to users, groups, and roles. Creating IAM customer managed policies takes time and expertise, whereas managed policies give your team the permissions it needs right away. To get started quickly, use AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.
AWS services maintain and update AWS managed policies. You cannot change the permissions in an AWS managed policy. Services occasionally add permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) to which the policy is attached. Services are most likely to update an AWS managed policy when a new feature launches or new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates do not break your existing permissions.
In addition, AWS supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for the new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.
AWS managed policy: AmazonWorkSpacesAdmin
This policy provides access to Amazon WorkSpaces administrative actions. It grants the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AmazonWorkSpacesAdmin",
      "Effect": "Allow",
      "Action": [
        "kms:DescribeKey",
        "kms:ListAliases",
        "kms:ListKeys",
        "workspaces:CreateTags",
        "workspaces:CreateWorkspaceImage",
        "workspaces:CreateWorkspaces",
        "workspaces:CreateWorkspacesPool",
        "workspaces:CreateStandbyWorkspaces",
        "workspaces:DeleteTags",
        "workspaces:DeregisterWorkspaceDirectory",
        "workspaces:DescribeTags",
        "workspaces:DescribeWorkspaceBundles",
        "workspaces:DescribeWorkspaceDirectories",
        "workspaces:DescribeWorkspaces",
        "workspaces:DescribeWorkspacesPools",
        "workspaces:DescribeWorkspacesPoolSessions",
        "workspaces:DescribeWorkspacesConnectionStatus",
        "workspaces:ModifyCertificateBasedAuthProperties",
        "workspaces:ModifySamlProperties",
        "workspaces:ModifyStreamingProperties",
        "workspaces:ModifyWorkspaceCreationProperties",
        "workspaces:ModifyWorkspaceProperties",
        "workspaces:RebootWorkspaces",
        "workspaces:RebuildWorkspaces",
        "workspaces:RegisterWorkspaceDirectory",
        "workspaces:RestoreWorkspace",
        "workspaces:StartWorkspaces",
        "workspaces:StartWorkspacesPool",
        "workspaces:StopWorkspaces",
        "workspaces:StopWorkspacesPool",
        "workspaces:TerminateWorkspaces",
        "workspaces:TerminateWorkspacesPool",
        "workspaces:TerminateWorkspacesPoolSession",
        "workspaces:UpdateWorkspacesPool"
      ],
      "Resource": "*"
    }
  ]
}
AWS managed policy: AmazonWorkspacesPCAAccess
This managed policy provides access to AWS Certificate Manager Private Certificate Authority (Private CA) resources in your AWS account for certificate-based authentication. It is included in the AmazonWorkSpacesPCAAccess role and grants the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acm-pca:IssueCertificate",
        "acm-pca:GetCertificate",
        "acm-pca:DescribeCertificateAuthority"
      ],
      "Resource": "arn:*:acm-pca:*:*:*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/euc-private-ca": "*"
        }
      }
    }
  ]
}
AWS managed policy: AmazonWorkSpacesSelfServiceAccess
This policy provides access to the Amazon WorkSpaces service to perform user-initiated WorkSpaces self-service actions. It is included in the workspaces_DefaultRole role and grants the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "workspaces:RebootWorkspaces",
        "workspaces:RebuildWorkspaces",
        "workspaces:ModifyWorkspaceProperties"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
AWS managed policy: AmazonWorkSpacesServiceAccess
This policy provides customer account access to the Amazon WorkSpaces service for launching a WorkSpace. It is included in the workspaces_DefaultRole role and grants the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeNetworkInterfaces"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
AWS managed policy: AmazonWorkSpacesPoolServiceAccess
This policy is used in workspaces_DefaultRole, which WorkSpaces uses to access the required resources in the WorkSpaces Pools customer's AWS account. For more information, see Create the workspaces_DefaultRole role. It grants the following permissions:
Commercial AWS Regions
The following policy JSON applies to commercial AWS Regions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProvisioningWorkSpacesPoolPermissions",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeRouteTables",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "WorkSpacesPoolS3Permissions",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetObjectVersion",
        "s3:DeleteObjectVersion",
        "s3:GetBucketPolicy",
        "s3:PutBucketPolicy",
        "s3:PutEncryptionConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::wspool-logs-*",
        "arn:aws:s3:::wspool-app-settings-*",
        "arn:aws:s3:::wspool-home-folder-*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    }
  ]
}
AWS GovCloud (US) Regions
The following policy JSON applies to the AWS GovCloud (US) Regions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProvisioningWorkSpacesPoolPermissions",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeRouteTables",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "WorkSpacesPoolS3Permissions",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetObjectVersion",
        "s3:DeleteObjectVersion",
        "s3:GetBucketPolicy",
        "s3:PutBucketPolicy",
        "s3:PutEncryptionConfiguration"
      ],
      "Resource": [
        "arn:aws-us-gov:s3:::wspool-logs-*",
        "arn:aws-us-gov:s3:::wspool-app-settings-*",
        "arn:aws-us-gov:s3:::wspool-home-folder-*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    }
  ]
}
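As an added illustration (not AWS code), the following simplified Python evaluator applies the two condition patterns used above to sample requests: the StringLike tag check in AmazonWorkspacesPCAAccess, which limits certificate issuance to CAs tagged euc-private-ca, and the aws:ResourceAccount equals ${aws:PrincipalAccount} check in AmazonWorkSpacesPoolServiceAccess, which keeps the role from touching a wspool-* bucket in another account. The policy is a constructed, shortened copy of those statements, and the evaluator ignores Deny statements, resource policies and SCPs, which real IAM evaluation includes.

```python
import fnmatch
import json

# Constructed sample: the tag-scoped statement of AmazonWorkspacesPCAAccess and the
# account-scoped S3 statement of AmazonWorkSpacesPoolServiceAccess (action lists shortened).
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["acm-pca:IssueCertificate", "acm-pca:GetCertificate"],
     "Resource": "arn:*:acm-pca:*:*:*",
     "Condition": {"StringLike": {"aws:ResourceTag/euc-private-ca": "*"}}},
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::wspool-logs-*", "arn:aws:s3:::wspool-home-folder-*"],
     "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}}
  ]
}""")


def _as_list(v): return v if isinstance(v, list) else [v]


def _resolve(value, ctx):
    """Expand ${key} policy variables (e.g. ${aws:PrincipalAccount}) from the request context."""
    for key, val in ctx.items():
        value = value.replace("${" + key + "}", val)
    return value


def _condition_ok(cond, ctx):
    """StringEquals / StringLike only; an absent context key fails the condition (no ...IfExists)."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            expected = _resolve(expected, ctx)
            if op == "StringEquals" and actual != expected:
                return False
            if op == "StringLike" and not fnmatch.fnmatchcase(actual, expected):
                return False
    return True


def is_allowed(policy, action, resource, ctx):
    """Simplified evaluator: one identity policy, Allow statements only, no NotAction/NotResource."""
    for st in policy["Statement"]:
        if (st.get("Effect") == "Allow"
                and any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"]))
                and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"]))
                and _condition_ok(st.get("Condition", {}), ctx)):
            return True
    return False
```

Run it with a request context that has the euc-private-ca tag and one that lacks it, or with aws:ResourceAccount differing from aws:PrincipalAccount, to see which requests each statement admits.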
WorkSpaces updates to AWS managed policies
View details about updates to AWS managed policies for WorkSpaces since this service began tracking these changes.