# IAM Requirements: Custom Policies

WorkSpaces Manager requires an **IAM Instance Role** to be associated with the EC2 instance(s), along with custom policies that grant it access to the other AWS services it uses. Create the policies, attach them to the role, and add the role to the **EC2 Instance Profile** that is associated with the instance(s); policies attach to the role, and the instance profile is what carries that role to the instance.

{% hint style="warning" %}
If using the [Git Repo for Terraform](https://gitlab.com/nuvens-public/iam-role-terraform) from Nuvens' public site, the **Security Group**, **Policies**, **Role**, and **EC2 Instance Profile** will be created together as part of the automated deployment process.
{% endhint %}

Although you can name these policies based on your internal naming conventions, we recommend using the following names for better clarity and organization:

* **WSMCloudwatchPolicy**: Grants access to AWS CloudWatch for monitoring and managing logs and metrics.
* **WSMCostExplorerPolicy**: Provides access to AWS Cost Explorer to retrieve cost and usage reports.
* **WSMEC2Policy**: Allows management and interaction with EC2 instances and related resources.
* **WSMEUCPolicy**: Facilitates the management of Amazon WorkSpaces and other End-User Computing (EUC) services.
* **WSMPricingPolicy**: Enables retrieval of pricing information from the AWS Pricing API.
* **WSMS3Policy**: Grants access to S3 buckets used by WorkSpaces Manager, such as for storage and backups.
* **WSMSecretsPolicy**: Allows retrieval of data from Secrets Manager for database connections.
* **WSMParameterStorePolicy**: Enables access to Systems Manager Parameter Store for the parameters used by Load Balancer sessions.

The JSON definitions for these policies are available in our GitLab repositories and can be accessed in both **Terraform** and **CloudFormation** template formats.

{% embed url="https://gitlab.com/nuvens-public/iam-role-terraform" %}

For example, in **Terraform**, the policy might be structured as follows:

```hcl
resource "aws_iam_policy" "WSMCloudwatchPolicy" {
  name        = "WSMCloudwatchPolicy"
  description = "IAM policy for WorkSpaces Manager to access CloudWatch"

  # The policy document is passed through as a JSON heredoc. It grants
  # CloudWatch metric/alarm reads and CloudWatch Logs queries on every
  # resource in the account ("Resource": "*").
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:DescribeAlarmHistory",
        "cloudwatch:DescribeAlarmsForMetric",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:Describe*",
        "cloudwatch:GetDashboard",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:GetMetricWidgetImage",
        "cloudwatch:ListMetrics",
        "logs:GetLogEvents",
        "logs:FilterLogEvents",
        "logs:GetLogGroupFields",
        "logs:GetQueryResults",
        "logs:GetLogDelivery",
        "logs:GetLogRecord",
        "logs:StartQuery",
        "logs:StopQuery",
        "logs:TestMetricFilter"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}
```

For the raw JSON of all the IAM policies, please refer to [this appendix](/install/appendices/iam-policies-in-json-format.md). The appendix contains the complete policy configurations needed for WorkSpaces Manager, including those for CloudWatch, Cost Explorer, EC2, EUC, Pricing, and S3, with the full code in both **Terraform** and **CloudFormation** formats in the corresponding sections.
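Because these policies are attached to a role that any process on the instance can use through the instance metadata service, it is worth reviewing each policy document before attaching it. The script below is an added example for that review and is not part of this page or of the Nuvens repository. It parses an IAM policy document, reports wildcard actions, `"Resource": "*"` grants and any action whose verb is not on a read-only prefix list, and separately lists the principals a trust policy allows to assume the role. The CloudWatch policy it reviews is the one shown above; the trust policy is a constructed sample of the standard EC2 service trust relationship, and the `READ_ONLY_PREFIXES` list is a heuristic chosen for this example, not a classification published by AWS.

```python
"""Least-privilege review of IAM policy documents before they are attached
to the WorkSpaces Manager instance role (added example, not project code)."""
import json

# Heuristic (assumption): verbs with these prefixes only read state. Any
# other verb is reported so a reviewer can decide whether it belongs.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Filter", "Test")

# The CloudWatch policy body exactly as shown on this page.
WSM_CLOUDWATCH_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "cloudwatch:DescribeAlarmHistory", "cloudwatch:DescribeAlarmsForMetric",
      "cloudwatch:DescribeAlarms", "cloudwatch:Describe*",
      "cloudwatch:GetDashboard", "cloudwatch:GetMetricData",
      "cloudwatch:GetMetricStatistics", "cloudwatch:GetMetricWidgetImage",
      "cloudwatch:ListMetrics",
      "logs:GetLogEvents", "logs:FilterLogEvents", "logs:GetLogGroupFields",
      "logs:GetQueryResults", "logs:GetLogDelivery", "logs:GetLogRecord",
      "logs:StartQuery", "logs:StopQuery", "logs:TestMetricFilter"
    ],
    "Resource": "*"
  }]
}"""

# Constructed sample trust policy: only the EC2 service may assume the role.
EC2_TRUST_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}"""


def _as_list(value):
    """IAM accepts a bare string wherever a list is allowed; normalise it."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def review_policy(document: str) -> dict:
    """Summarise an identity policy for a least-privilege review."""
    doc = json.loads(document)
    result = {"wildcard_actions": [], "wildcard_resources": False,
              "needs_review": [], "services": set()}
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            result["needs_review"].append("NotAction/NotResource statement")
        for action in _as_list(stmt.get("Action")):
            service, _, verb = action.partition(":")
            result["services"].add(service)
            if "*" in action:
                result["wildcard_actions"].append(action)
            elif not verb.startswith(READ_ONLY_PREFIXES):
                result["needs_review"].append(action)
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                result["wildcard_resources"] = True
    result["services"] = sorted(result["services"])
    return result


def trusted_principals(document: str) -> list:
    """Return every principal a trust policy lets assume the role; an
    instance role should list ec2.amazonaws.com and nothing else."""
    doc = json.loads(document)
    principals = set()
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            principals.add("*")  # anyone may assume the role
        elif isinstance(principal, dict):
            for key in ("Service", "AWS", "Federated"):
                principals.update(_as_list(principal.get(key)))
    return sorted(principals)


if __name__ == "__main__":
    print(json.dumps(review_policy(WSM_CLOUDWATCH_POLICY), indent=2))
    print(trusted_principals(EC2_TRUST_POLICY))
```

Run against the page's CloudWatch policy, the review reports `cloudwatch:Describe*` as a wildcard (it already covers the three `Describe` actions listed individually), notes that the grant is scoped to `"Resource": "*"`, and flags `logs:StartQuery` and `logs:StopQuery` because `Start`/`Stop` are not on the read-only list; those two drive CloudWatch Logs Insights queries rather than modify resources, so the reviewer can accept them once seen. The same function can be pointed at the other seven policies from the appendix before they are attached to the role.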
