# IAM Policies in JSON format

{% hint style="warning" %}
Updated 6th May 2026
{% endhint %}

If Terraform automation is not an option, you can still create the custom policies with your preferred method, such as the **AWS Management Console**, the **AWS CLI**, or another Infrastructure-as-Code (IaC) tool like **CloudFormation**. The required IAM policies can also be created manually in the AWS Console and then attached to the WorkSpaces Manager EC2 role.

These policies provide the permissions required for WorkSpaces Manager to interact with AWS services used by the platform, including Amazon WorkSpaces, Directory Service, AppStream, tagging APIs, and KMS where encrypted WorkSpaces volumes are used.

The JSON policy examples below can be copied directly into the AWS Console when creating the required customer-managed IAM policies. These policies are based on the WSM IAM policy and role deployment repository.

We have defined a number of IAM Policies:

1. WSMCloudwatchPolicy to read CloudWatch logs and alarms
2. WSMCostExplorerPolicy to access AWS Cost Explorer and Cost Optimizer features
3. WSMEC2Policy to read EC2 compute data and perform a limited set of management actions
4. WSMEUCPolicy to access AppStream, Directory Service (including AD Connectors) and WorkSpaces
5. WSMPricingPolicy to access AWS Pricing elements
6. WSMS3Policy to read from the Cost Optimizer Bucket
7. WSMSecretsPolicy to read from Secrets Manager
8. WSMSSMParameterStorePolicy to get data from Systems Manager Parameter Store

Here is the JSON snippet for the custom policy **"WSMCloudwatchPolicy"**:

{% tabs %}
{% tab title="JSON" %}

```json
{
    "Statement": [
        {
            "Action": [
                "cloudwatch:DescribeAlarmHistory",
                "cloudwatch:DescribeAlarmsForMetric",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:Describe*",
                "cloudwatch:GetDashboard",
                "cloudwatch:GetMetricData",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:GetMetricWidgetImage",
                "cloudwatch:ListMetrics",
                "logs:GetLogEvents",
                "logs:FilterLogEvents",
                "logs:GetLogGroupFields",
                "logs:GetQueryResults",
                "logs:GetLogDelivery",
                "logs:GetLogRecord",
                "logs:StartQuery",
                "logs:StopQuery",
                "logs:TestMetricFilter"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "VisualEditor0"
        }
    ],
    "Version": "2012-10-17"
}
```

{% endtab %}
{% endtabs %}

This policy grants read-only access to **CloudWatch** metrics and alarms and to **CloudWatch Logs** log groups (describe, get, list and Logs Insights query actions), allowing WorkSpaces Manager to retrieve the metrics and log data it needs; none of the listed actions writes metrics or log events. You can apply this policy through your preferred method, whether it's the AWS Management Console, CLI, or automation tools.

Here is the JSON snippet for the custom policy **"WSMCostExplorerPolicy"**:

{% tabs %}
{% tab title="JSON" %}

```json
{
    "Statement": [
        {
            "Action": [
                "ce:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}
```

{% endtab %}
{% endtabs %}

This policy grants the necessary permissions for WorkSpaces Manager to access **Cost Explorer** and retrieve cost and usage data, as well as reservation and savings plan information. You can apply this policy using the AWS Management Console, CLI, or any automation tools like Terraform or CloudFormation.

Here is the JSON snippet for the custom policy **"WSMEC2Policy"**:

{% tabs %}
{% tab title="JSON" %}

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadInfrastructure",
            "Effect": "Allow",
            "Action": [
                "autoscaling:Describe*",
                "ec2:Describe*",
                "elasticloadbalancing:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ManageTags",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags",
                "ec2:DeleteTags"
            ],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/WSM-Managed": "true"
                }
            }
        },
        {
            "Sid": "PowerControl",
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/WSM-Managed": "true"
                }
            }
        }
    ]
}
```

{% endtab %}
{% endtabs %}

This policy lets WorkSpaces Manager describe **EC2**, Auto Scaling and load balancer resources, create or delete instance tags, and start or stop instances. The tagging and power actions are restricted by the `ec2:ResourceTag/WSM-Managed` condition to instances tagged `WSM-Managed=true`, so the role cannot start, stop or re-tag other instances, and the policy grants no reboot or terminate permissions. You can use this policy in the AWS Management Console, CLI, or automation tools such as Terraform or CloudFormation.
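To see what the tag condition in WSMEC2Policy actually does, the following added example (not code from the WorkSpaces Manager project) evaluates the policy above against a constructed instance ARN and tag set with a deliberately simplified IAM evaluator: implicit deny by default, Allow statements only, and just the `StringEquals` operator on `ec2:ResourceTag/<Key>` that this policy uses. The instance ARN, account ID and tag values are sample data, not from the page.

```python
import fnmatch

# WSMEC2Policy as shown on this page, as a Python dict.
WSM_EC2_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadInfrastructure",
            "Effect": "Allow",
            "Action": ["autoscaling:Describe*", "ec2:Describe*", "elasticloadbalancing:Describe*"],
            "Resource": "*",
        },
        {
            "Sid": "ManageTags",
            "Effect": "Allow",
            "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringEquals": {"ec2:ResourceTag/WSM-Managed": "true"}},
        },
        {
            "Sid": "PowerControl",
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringEquals": {"ec2:ResourceTag/WSM-Managed": "true"}},
        },
    ],
}


def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, resource_tags):
    # Only StringEquals on ec2:ResourceTag/<Key> is modelled; it is the sole operator this policy uses.
    prefix = "ec2:ResourceTag/"
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if not key.startswith(prefix):
                raise NotImplementedError(f"condition key {key} not modelled")
            if resource_tags.get(key[len(prefix):]) not in _as_list(expected):
                return False
    return True


def allowed_by(policy, action, resource_arn, resource_tags):
    """Return the Sids of the Allow statements that permit `action` on the resource.

    Simplified evaluator: implicit deny unless a statement matches, no explicit Deny,
    no SCPs or permission boundaries. Action names match case-insensitively, as in IAM;
    '*' and '?' wildcards are honoured in both actions and resource ARNs.
    """
    matches = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), resource_tags):
            continue
        matches.append(stmt["Sid"])
    return matches


if __name__ == "__main__":
    # Constructed sample instance ARN and tags (not from the page).
    instance = "arn:aws:ec2:eu-west-1:123456789012:instance/i-0123456789abcdef0"
    for action, tags in [
        ("ec2:StartInstances", {"WSM-Managed": "true"}),
        ("ec2:StartInstances", {"Name": "finance-db"}),
        ("ec2:TerminateInstances", {"WSM-Managed": "true"}),
        ("ec2:DescribeInstances", {}),
    ]:
        verdict = allowed_by(WSM_EC2_POLICY, action, instance, tags) or "implicit deny"
        print(f"{action:24s} tags={tags!s:26s} -> {verdict}")
```

Running it shows that `ec2:StartInstances` is allowed only when the target carries `WSM-Managed=true`, that a terminate or reboot request never matches any statement, and that the `Describe*` statement is unconditional. This is a teaching model only; for an authoritative answer about a real role, use the IAM policy simulator (`aws iam simulate-custom-policy` or `simulate-principal-policy`), which also accounts for Deny statements, SCPs and boundaries.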

Here is the JSON snippet for the custom policy **"WSMEUCPolicy"**:

{% tabs %}
{% tab title="JSON" %}

```json
{
    "Statement": [
        {
            "Action": [
                "appstream:*",
                "ds:CheckAlias",
                "ds:CreateAlias",
                "ds:DescribeDirectories",
                "kms:CreateGrant",
                "kms:Decrypt",
                "kms:DescribeKey",
                "kms:Encrypt",
                "kms:GenerateDataKey*",
                "kms:ListAliases",
                "kms:ListKeys",
                "kms:ReEncrypt*",
                "rds:DescribeDBInstances",
                "rds:DescribeEvents",
                "servicequotas:ListServiceQuotas",
                "tag:GetResources",
                "workspaces:*"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "VisualEditor0"
        }
    ],
    "Version": "2012-10-17"
}
```

{% endtab %}
{% endtabs %}

This policy gives WorkSpaces Manager the permissions it needs to manage **Amazon WorkSpaces** (`workspaces:*`, which covers describing, creating, terminating and tagging WorkSpaces) and **AppStream** (`appstream:*`), to look up Directory Service directories and aliases, to read RDS instance and event data and Service Quotas, to query the resource tagging API, and to use **KMS** keys where encrypted WorkSpaces volumes are used. You can apply this policy using the AWS Management Console, CLI, or tools like Terraform or CloudFormation.

Here is the JSON snippet for the custom policy **"WSMPricingPolicy"**:

{% tabs %}
{% tab title="JSON" %}

```json
{
    "Statement": [
        {
            "Action": [
                "pricing:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}
```

{% endtab %}
{% endtabs %}

This policy grants WorkSpaces Manager permission to retrieve pricing information using the **AWS Pricing API**. You can apply this policy using the AWS Management Console, CLI, or automation tools like Terraform or CloudFormation.

Here is the JSON snippet for the custom policy **"WSMS3Policy"**:

{% tabs %}
{% tab title="JSON" %}

```json
{
    "Statement": [
        {
            "Action": [
                "s3:GetLifecycleConfiguration",
                "s3:GetBucketTagging",
                "s3:GetInventoryConfiguration",
                "s3:GetObjectVersionTagging",
                "s3:ListBucketVersions",
                "s3:GetBucketLogging",
                "s3:ListBucket",
                "s3:GetAccelerateConfiguration",
                "s3:GetBucketPolicy",
                "s3:GetObjectVersionTorrent",
                "s3:GetObjectAcl",
                "s3:GetEncryptionConfiguration",
                "s3:GetBucketRequestPayment",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectTagging",
                "s3:GetMetricsConfiguration",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketPolicyStatus",
                "s3:ListBucketMultipartUploads",
                "s3:GetBucketWebsite",
                "s3:GetBucketVersioning",
                "s3:GetBucketAcl",
                "s3:GetBucketNotification",
                "s3:GetReplicationConfiguration",
                "s3:ListMultipartUploadParts",
                "s3:GetObject",
                "s3:GetObjectTorrent",
                "s3:GetBucketCORS",
                "s3:GetAnalyticsConfiguration",
                "s3:GetObjectVersionForReplication",
                "s3:GetBucketLocation",
                "s3:GetObjectVersion"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::workspacescostoptimizer-costoptimizerbucket*/*"
            ],
            "Sid": "VisualEditor0"
        },
        {
            "Action": [
                "s3:GetAccountPublicAccessBlock",
                "s3:ListAllMyBuckets"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "VisualEditor1"
        }
    ],
    "Version": "2012-10-17"
}
```

{% endtab %}
{% endtabs %}

This policy grants WorkSpaces Manager read-only access to the Cost Optimizer bucket in **Amazon S3** (listing the bucket and reading objects, object versions, tags, ACLs and bucket configuration), plus account-wide permission to list buckets and read the account public access block. It grants no put or delete permissions. You can apply this policy via the AWS Management Console, CLI, or tools like Terraform or CloudFormation.

Here is the JSON snippet for the custom policy **"WSMSecretsPolicy"**:

{% tabs %}
{% tab title="JSON" %}

```json
{
    "Statement": [
        {
            "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "VisualEditor0"
        }
    ],
    "Version": "2012-10-17"
}
```

{% endtab %}
{% endtabs %}

This policy grants WorkSpaces Manager permission to retrieve and read secrets stored in **AWS Secrets Manager**, including database connection details and application credentials. This allows sensitive configuration information to be securely managed outside of the EC2 instance rather than being stored locally on the server. You can apply this policy using the AWS Management Console, CLI, or automation tools like Terraform or CloudFormation.

Here is the JSON snippet for the custom policy **"WSMSSMParameterStorePolicy"**:

{% tabs %}
{% tab title="JSON" %}

```json
{
    "Statement": [
        {
            "Action": [
                "ssm:PutParameter",
                "ssm:GetParameter",
                "ssm:GetParameters",
                "ssm:DeleteParameter"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "VisualEditor0"
        }
    ],
    "Version": "2012-10-17"
}
```

{% endtab %}
{% endtabs %}

This policy grants WorkSpaces Manager permission to read, create, update, and delete parameters stored in **AWS Systems Manager Parameter Store**. This is used to securely manage application configuration values, operational settings, and integration parameters outside of the configuration of the EC2 instances behind the Load Balancer. Note that, unlike the Secrets Manager policy, this one includes write and delete actions, and its `Resource` is `*`, so it applies to every parameter in the account. You can apply this policy using the AWS Management Console, CLI, or automation tools like Terraform or CloudFormation.
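Before attaching the eight policies, it is worth knowing which statements grant service-wide wildcards or write actions against `Resource: "*"`, since those are the ones to scope down (or to pair with a `Condition`) if your environment allows it. The following added example (not code from the WorkSpaces Manager project) runs a small least-privilege review over four of the page's policy documents, reproduced inline as sample input. The read-only verb list is a heuristic of my own, not an AWS classification.

```python
# Heuristic: API verbs that only read state. StartQuery/StopQuery are Logs Insights reads.
READ_ONLY_VERBS = ("Describe", "Get", "List", "Check", "Filter", "Test", "StartQuery", "StopQuery")

# Four of this page's policies, reproduced as sample input for the audit.
SAMPLE_POLICIES = {
    "WSMCostExplorerPolicy": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["ce:*"], "Resource": "*"}],
    },
    "WSMEC2Policy": {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadInfrastructure", "Effect": "Allow", "Resource": "*",
             "Action": ["autoscaling:Describe*", "ec2:Describe*", "elasticloadbalancing:Describe*"]},
            {"Sid": "ManageTags", "Effect": "Allow", "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
             "Resource": "arn:aws:ec2:*:*:instance/*",
             "Condition": {"StringEquals": {"ec2:ResourceTag/WSM-Managed": "true"}}},
            {"Sid": "PowerControl", "Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"],
             "Resource": "arn:aws:ec2:*:*:instance/*",
             "Condition": {"StringEquals": {"ec2:ResourceTag/WSM-Managed": "true"}}},
        ],
    },
    "WSMEUCPolicy": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
            "Action": ["appstream:*", "ds:CheckAlias", "ds:CreateAlias", "ds:DescribeDirectories",
                       "kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey", "kms:Encrypt",
                       "kms:GenerateDataKey*", "kms:ListAliases", "kms:ListKeys", "kms:ReEncrypt*",
                       "rds:DescribeDBInstances", "rds:DescribeEvents", "servicequotas:ListServiceQuotas",
                       "tag:GetResources", "workspaces:*"],
        }],
    },
    "WSMSSMParameterStorePolicy": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
            "Action": ["ssm:PutParameter", "ssm:GetParameter", "ssm:GetParameters", "ssm:DeleteParameter"],
        }],
    },
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """True if the verb after 'service:' starts with one of READ_ONLY_VERBS."""
    _, _, verb = action.partition(":")
    return verb.startswith(READ_ONLY_VERBS)


def audit_statement(policy_name, index, stmt):
    """Return (policy, sid, finding, action) tuples for one Allow statement."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    sid = stmt.get("Sid") or f"Statement[{index}]"
    any_resource = "*" in _as_list(stmt.get("Resource", []))
    conditioned = bool(stmt.get("Condition"))
    for action in _as_list(stmt["Action"]):
        _, _, verb = action.partition(":")
        if action == "*" or verb == "*":
            # Every current and future API of the service, e.g. ce:* or workspaces:*.
            findings.append((policy_name, sid, "service-wide-wildcard", action))
        elif any_resource and not conditioned and not is_read_only(action):
            # A mutating action with no resource scoping and no condition.
            findings.append((policy_name, sid, "write-on-any-resource", action))
    return findings


def audit_policies(policies):
    findings = []
    for name, doc in policies.items():
        for i, stmt in enumerate(doc["Statement"]):
            findings.extend(audit_statement(name, i, stmt))
    return findings


if __name__ == "__main__":
    for policy, sid, finding, action in audit_policies(SAMPLE_POLICIES):
        print(f"{policy:28s} {sid:16s} {finding:24s} {action}")
```

WSMEC2Policy produces no findings: its reads are all `Describe*`, and its write actions are scoped to an instance ARN pattern and gated by the `WSM-Managed` tag. The Cost Explorer and EUC policies are flagged for `ce:*`, `appstream:*` and `workspaces:*`, and the KMS and SSM write actions are flagged because they apply to any key or parameter in the account; those are the statements to review against the calls WorkSpaces Manager actually makes, and to restrict to specific key or parameter ARNs where your deployment permits.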

JSON templates can also be downloaded from [this repo](https://gitlab.com/nuvens-public/wsmv6-tf/wsm-iam-policies-role/-/tree/main/json?ref_type=heads).
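If you prefer scripting the console steps, the following added example (my own code, not from the WorkSpaces Manager project or its repository) creates the eight customer-managed policies from the downloaded JSON templates with boto3 and attaches them to the EC2 role. It assumes one `<PolicyName>.json` file per policy in the directory you point it at and the `aws` partition; the role name on the command line is a placeholder you supply. The boto3 import is deferred to the entry point so the document validation and create/attach logic can be tested without AWS credentials.

```python
import json
from pathlib import Path

# The eight policy names listed on this page.
WSM_POLICY_NAMES = (
    "WSMCloudwatchPolicy", "WSMCostExplorerPolicy", "WSMEC2Policy", "WSMEUCPolicy",
    "WSMPricingPolicy", "WSMS3Policy", "WSMSecretsPolicy", "WSMSSMParameterStorePolicy",
)


def parse_policy_documents(texts):
    """texts maps policy name -> JSON text. Validates each document before IAM is touched."""
    documents = {}
    for name, text in texts.items():
        if name not in WSM_POLICY_NAMES:
            raise ValueError(f"unexpected policy name {name!r}")
        doc = json.loads(text)
        if doc.get("Version") != "2012-10-17" or not isinstance(doc.get("Statement"), list):
            raise ValueError(f"{name}: not a valid IAM policy document")
        documents[name] = doc
    return documents


def load_policy_documents(directory):
    """Assumed layout: one <PolicyName>.json per policy, as in the repository's json/ folder."""
    return parse_policy_documents({p.stem: p.read_text() for p in Path(directory).glob("*.json")})


def create_and_attach(iam, account_id, role_name, documents, partition="aws"):
    """Create each customer-managed policy and attach it to the role.

    `iam` is a boto3 IAM client. Re-running is safe: a policy that already exists is
    reused (customer-managed policy ARNs are deterministic) and AttachRolePolicy is
    idempotent. Returns {policy name: policy ARN}.
    """
    attached = {}
    for name, doc in documents.items():
        arn = f"arn:{partition}:iam::{account_id}:policy/{name}"
        try:
            resp = iam.create_policy(
                PolicyName=name,
                PolicyDocument=json.dumps(doc),
                Description="Permissions for the WorkSpaces Manager EC2 role",
            )
            arn = resp["Policy"]["Arn"]
        except iam.exceptions.EntityAlreadyExistsException:
            # Left over from an earlier run. To change its contents, publish a new default
            # version with create_policy_version rather than deleting and recreating it.
            pass
        iam.attach_role_policy(RoleName=role_name, PolicyArn=arn)
        attached[name] = arn
    return attached


if __name__ == "__main__":
    import sys
    import boto3  # deferred so the functions above can be exercised offline

    # Usage: python attach_wsm_policies.py ./json <wsm-ec2-role-name>   (role name is a placeholder)
    policy_dir, role_name = sys.argv[1], sys.argv[2]
    identity = boto3.client("sts").get_caller_identity()
    partition = identity["Arn"].split(":")[1]
    result = create_and_attach(
        boto3.client("iam"), identity["Account"], role_name, load_policy_documents(policy_dir), partition
    )
    for name, arn in result.items():
        print(f"attached {arn} to role {role_name}")
```

The caller needs `iam:CreatePolicy` and `iam:AttachRolePolicy` on the target role and policies. Eight managed policies fit within the default quota of ten managed policies per role (adjustable to twenty), so keep that limit in mind if the role already carries others.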


