

# Identity and Access Management for Amazon WorkSpaces Applications
<a name="controlling-access"></a>

Your security credentials identify you to services in AWS and grant you unlimited use of your AWS resources, such as your WorkSpaces Applications resources. You can use features of WorkSpaces Applications and AWS Identity and Access Management (IAM) to allow other users, services, and applications to use your WorkSpaces Applications resources without sharing your security credentials. 

You can use IAM to control how other users use resources in your Amazon Web Services account, and you can use security groups to control access to your WorkSpaces Applications streaming instances. You can allow full use or limited use of your WorkSpaces Applications resources. 

**Topics**
+ [Network Access to Your Streaming Instance](network-access-to-streaming-instances.md)
+ [Using AWS Managed Policies and Linked Roles to Manage Administrator Access to WorkSpaces Applications Resources](controlling-administrator-access-with-policies-roles.md)
+ [Using IAM Policies to Manage Administrator Access to Application Auto Scaling](autoscaling-iam-policy.md)
+ [Using IAM Policies to Manage Administrator Access to the Amazon S3 Bucket for Home Folders and Application Settings Persistence](s3-iam-policy.md)
+ [Using an IAM Role to Grant Permissions to Applications and Scripts Running on WorkSpaces Applications Streaming Instances](using-iam-roles-to-grant-permissions-to-applications-scripts-streaming-instances.md)
+ [SELinux on Red Hat Enterprise Linux and Rocky Linux](selinux.md)
+ [Cookie-Based Authentication in Amazon WorkSpaces Applications](cookie-auth.md)

# Network Access to Your Streaming Instance
<a name="network-access-to-streaming-instances"></a>

A security group acts as a stateful firewall that controls what traffic is allowed to reach your streaming instances. When you launch a WorkSpaces Applications streaming instance, assign it to one or more security groups. Then, add rules to each security group that control traffic for the instance. You can modify the rules for a security group at any time. The new rules are automatically applied to all instances to which the security group is assigned. 

For more information, see [Security Groups in Amazon WorkSpaces Applications](managing-network-security-groups.md).

# Using AWS Managed Policies and Linked Roles to Manage Administrator Access to WorkSpaces Applications Resources
<a name="controlling-administrator-access-with-policies-roles"></a>

By default, IAM users don't have the permissions required to create or modify WorkSpaces Applications resources, or perform tasks by using the WorkSpaces Applications API. This means that these users can't perform these actions in the WorkSpaces Applications console or by using WorkSpaces Applications AWS CLI commands. To allow IAM users to create or modify resources and perform tasks, attach an IAM policy to the IAM users or groups that require those permissions. 

When you attach a policy to a user, group of users, or IAM role, it allows or denies the users permission to perform the specified tasks on the specified resources. 

**Topics**
+ [AWS Managed Policies Required to Access WorkSpaces Applications Resources](managed-policies-required-to-access-appstream-resources.md)
+ [Roles Required for WorkSpaces Applications, Application Auto Scaling, and AWS Certificate Manager Private CA](roles-required-for-appstream.md)
+ [Checking for the AmazonAppStreamServiceAccess Service Role and Policies](controlling-access-checking-for-iam-service-access.md)
+ [Checking for the ApplicationAutoScalingForAmazonAppStreamAccess Service Role and Policies](controlling-access-checking-for-iam-autoscaling.md)
+ [Checking for the `AWSServiceRoleForApplicationAutoScaling_AppStreamFleet` Service-Linked Role and Policies](controlling-access-checking-for-iam-service-linked-role-application-autoscaling-appstream-fleet.md)
+ [Checking for the AmazonAppStreamPCAAccess Service Role and Policies](controlling-access-checking-for-AppStreamPCAAccess.md)

# AWS Managed Policies Required to Access WorkSpaces Applications Resources
<a name="managed-policies-required-to-access-appstream-resources"></a>

To provide full administrative or read-only access to WorkSpaces Applications, you must attach one of the following AWS managed policies to the IAM users or groups that require those permissions. An *AWS managed policy* is a standalone policy that is created and administered by AWS. For more information, see [AWS Managed Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

**Note**  
In AWS, IAM roles are used to grant permissions to an AWS service so it can access AWS resources. The policies that are attached to the role determine which AWS resources the service can access and what it can do with those resources. For WorkSpaces Applications, in addition to having the permissions defined in the **AmazonAppStreamFullAccess** policy, you must also have the required roles in your AWS account. For more information, see [Roles Required for WorkSpaces Applications, Application Auto Scaling, and AWS Certificate Manager Private CA](roles-required-for-appstream.md).

**AmazonAppStreamFullAccess**  
This managed policy provides full administrative access to WorkSpaces Applications resources. To manage WorkSpaces Applications resources and perform API actions through the AWS Command Line Interface (AWS CLI), AWS SDK, or AWS Management Console, you must have the permissions defined in this policy.  
If you sign into the WorkSpaces Applications console as an IAM user, you must attach this policy to your AWS account. If you sign in through console federation, you must attach this policy to the IAM role that was used for federation.  
To view the permissions for this policy, see [AmazonAppStreamFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonAppStreamFullAccess.html).

**AmazonAppStreamReadOnlyAccess**  
This identity-based policy grants users read-only permissions to view and monitor WorkSpaces Applications resources and related service configurations. Users can access the WorkSpaces Applications console to view streaming applications, fleet status, usage reports, and associated resources, but cannot make any changes. The policy also includes necessary read permissions for supporting services like IAM, Application Auto Scaling, and CloudWatch to enable comprehensive monitoring and reporting capabilities.  
To view the permissions for this policy, see [AmazonAppStreamReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonAppStreamReadOnlyAccess.html).

The WorkSpaces Applications console uses an additional action that provides functionality that is not available through the AWS CLI or AWS SDK. The **AmazonAppStreamFullAccess** and **AmazonAppStreamReadOnlyAccess** policies both provide permissions for the following action.


| Action | Description | Access Level | 
| --- | --- | --- | 
| DescribeImageBuilders | Grants permission to retrieve a list that describes one or more specified image builders, if the image builder names are provided. Otherwise, all image builders in the account are described. | Read | 

**AmazonAppStreamPCAAccess**  
This managed policy provides full administrative access to AWS Certificate Manager Private CA resources in your AWS account for certificate-based authentication.  
To view the permissions for this policy, see [AmazonAppStreamPCAAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonAppStreamPCAAccess.html).

**AmazonAppStreamServiceAccess**  
This managed policy is the default policy for the WorkSpaces Applications service role.   
This role permissions policy allows WorkSpaces Applications to complete the following actions:  
+ When using subnets in your account for your WorkSpaces Applications fleets, WorkSpaces Applications is able to describe subnets, VPCs, and availability zones, as well as create and manage the lifecycle of all elastic network interfaces associated with the fleet instances in those subnets. This also includes being able to attach Security Groups and IP addresses from those subnets to those elastic network interfaces.
+ When using features such as UPP and HomeFolders, WorkSpaces Applications is able to create and manage Amazon S3 buckets, objects and their lifecycles, policies, and encryption configuration in the account. These buckets include the following naming prefixes:
  + `arn:aws:s3:::appstream2-36fb080bb8-`
  + `arn:aws:s3:::appstream-app-settings-`
  + `arn:aws:s3:::appstream-logs-`
To view the permissions for this policy, see [AmazonAppStreamServiceAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonAppStreamServiceAccess.html).

**ApplicationAutoScalingForAmazonAppStreamAccess**  
This managed policy enables application autoscaling for WorkSpaces Applications.  
To view the permissions for this policy, see [ApplicationAutoScalingForAmazonAppStreamAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ApplicationAutoScalingForAmazonAppStreamAccess.html).

**AWSApplicationAutoscalingAppStreamFleetPolicy**  
This managed policy grants permissions for Application Auto Scaling to access WorkSpaces Applications and CloudWatch.  
To view the permissions for this policy, see [AWSApplicationAutoscalingAppStreamFleetPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSApplicationAutoscalingAppStreamFleetPolicy.html).

## WorkSpaces Applications updates to AWS managed policies
<a name="security-iam-awsmanpol-updates"></a>

View details about updates to AWS managed policies for WorkSpaces Applications since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the [Document History for Amazon WorkSpaces Applications](doc-history.md) page.

| Change | Description | Date | 
| --- | --- | --- | 
|  AmazonAppStreamServiceAccess – Change  |  Added allow permissions for `ec2:DescribeImages` to the JSON policy document  | November 17, 2025 | 
|  AmazonAppStreamReadOnlyAccess – Change  |  Removed `appstream:Get*` from the JSON policy document  | October 22, 2025 | 
|  WorkSpaces Applications started tracking changes  |  WorkSpaces Applications started tracking changes for its AWS managed policies  | October 31, 2022 | 

# Roles Required for WorkSpaces Applications, Application Auto Scaling, and AWS Certificate Manager Private CA
<a name="roles-required-for-appstream"></a>

In AWS, IAM roles are used to grant permissions to an AWS service so it can access AWS resources. The policies that are attached to the role determine which AWS resources the service can access and what it can do with those resources. For WorkSpaces Applications, in addition to having the permissions defined in the **AmazonAppStreamFullAccess** policy, you must also have the following roles in your AWS account.

**Topics**
+ [AmazonAppStreamServiceAccess](#AmazonAppStreamServiceAccess)
+ [ApplicationAutoScalingForAmazonAppStreamAccess](#ApplicationAutoScalingForAmazonAppStreamAccess)
+ [AWSServiceRoleForApplicationAutoScaling\_AppStreamFleet](#AWSServiceRoleForApplicationAutoScaling_AppStreamFleet)
+ [AmazonAppStreamPCAAccess](#AppStreamPCAAccess)

## AmazonAppStreamServiceAccess
<a name="AmazonAppStreamServiceAccess"></a>

This role is a service role that is created for you automatically when you get started with WorkSpaces Applications in an AWS Region. For more information about service roles, see [Creating a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *IAM User Guide*.

While WorkSpaces Applications resources are being created, the WorkSpaces Applications service makes API calls to other AWS services on your behalf by assuming this role. To create fleets, you must have this role in your account. If this role is not in your AWS account and the required IAM permissions and trust relationship policies are not attached, you cannot create WorkSpaces Applications fleets.

To check whether the **AmazonAppStreamServiceAccess** service role is present and has the correct policies attached, see [Checking for the AmazonAppStreamServiceAccess Service Role and Policies](controlling-access-checking-for-iam-service-access.md). 

**Note**  
This service role can have permissions that are different from those of the first user that is getting started with WorkSpaces Applications. For details on the permissions of this role, see “AmazonAppStreamServiceAccess” in [AWS Managed Policies Required to Access WorkSpaces Applications Resources](managed-policies-required-to-access-appstream-resources.md).

## ApplicationAutoScalingForAmazonAppStreamAccess
<a name="ApplicationAutoScalingForAmazonAppStreamAccess"></a>

This role is a service role that is created for you automatically when you get started with WorkSpaces Applications in an AWS Region. For more information about service roles, see [Creating a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *IAM User Guide*.

Automatic scaling is a feature of WorkSpaces Applications fleets. To configure scaling policies, you must have this service role in your AWS account. If this service role is not in your AWS account and the required IAM permissions and trust relationship policies are not attached, you cannot scale WorkSpaces Applications fleets.

For more information, see [Checking for the ApplicationAutoScalingForAmazonAppStreamAccess Service Role and Policies](controlling-access-checking-for-iam-autoscaling.md).

## AWSServiceRoleForApplicationAutoScaling\_AppStreamFleet
<a name="AWSServiceRoleForApplicationAutoScaling_AppStreamFleet"></a>

This role is a service-linked role that is created for you automatically. For more information, see [Service-linked roles](https://docs.aws.amazon.com/autoscaling/application/userguide/application-auto-scaling-service-linked-roles.html) in the *Application Auto Scaling User Guide*.

Application Auto Scaling uses a service-linked role to perform automatic scaling on your behalf. A *service-linked role* is an IAM role that is linked directly to an AWS service. This role includes all the permissions that the service requires to call other AWS services on your behalf.

For more information, see [Checking for the `AWSServiceRoleForApplicationAutoScaling_AppStreamFleet` Service-Linked Role and Policies](controlling-access-checking-for-iam-service-linked-role-application-autoscaling-appstream-fleet.md).

## AmazonAppStreamPCAAccess
<a name="AppStreamPCAAccess"></a>

This role is a service role that is created for you automatically when you get started with WorkSpaces Applications in an AWS Region. For more information about service roles, see [Creating a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *IAM User Guide*.

Certificate-based authentication is a feature of WorkSpaces Applications fleets joined to Microsoft Active Directory domains. To enable and use certificate-based authentication, you must have this service role in your AWS account. If this service role is not in your AWS account and the required IAM permissions and trust relationship policies are not attached, you cannot enable or use certificate-based authentication.

For more information, see [Checking for the AmazonAppStreamPCAAccess Service Role and Policies](controlling-access-checking-for-AppStreamPCAAccess.md).

# Checking for the AmazonAppStreamServiceAccess Service Role and Policies
<a name="controlling-access-checking-for-iam-service-access"></a>

Complete the steps in this section to check whether the **AmazonAppStreamServiceAccess** service role is present and has the correct policies attached. If this role is not in your account and must be created, you or an administrator with the required permissions must perform the steps to get started with WorkSpaces Applications in your Amazon Web Services account.

**To check whether the AmazonAppStreamServiceAccess IAM service role is present**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Roles**. 

1. In the search box, type **amazonappstreamservice** to narrow the list of roles to select, and then choose **AmazonAppStreamServiceAccess**. If this role is listed, select it to view the role **Summary** page. 

1. On the **Permissions** tab, confirm whether the **AmazonAppStreamServiceAccess** permissions policy is attached.

1. Return to the role **Summary** page.

1. On the **Trust relationships** tab, choose **Show policy document**, and then confirm whether the **AmazonAppStreamServiceAccess** trust relationship policy is attached and follows the correct format. If so, the trust relationship is correctly configured. Choose **Cancel** and close the IAM console. 

## AmazonAppStreamServiceAccess trust relationship policy
<a name="controlling-access-service-access-trust-policy"></a>

The **AmazonAppStreamServiceAccess** trust relationship policy must include the WorkSpaces Applications service as the principal. A *principal* is an entity in AWS that can perform actions and access resources. This policy must also include the `sts:AssumeRole` action. The following policy configuration defines WorkSpaces Applications as a trusted entity.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "appstream.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

------

# Checking for the ApplicationAutoScalingForAmazonAppStreamAccess Service Role and Policies
<a name="controlling-access-checking-for-iam-autoscaling"></a>

Complete the steps in this section to check whether the **ApplicationAutoScalingForAmazonAppStreamAccess** service role is present and has the correct policies attached. If this role is not in your account and must be created, you or an administrator with the required permissions must perform the steps to get started with WorkSpaces Applications in your Amazon Web Services account.

**To check whether the ApplicationAutoScalingForAmazonAppStreamAccess IAM service role is present**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Roles**. 

1. In the search box, type **applicationautoscaling** to narrow the list of roles to select, and then choose **ApplicationAutoScalingForAmazonAppStreamAccess**. If this role is listed, select it to view the role **Summary** page. 

1. On the **Permissions** tab, confirm whether the **ApplicationAutoScalingForAmazonAppStreamAccess** permissions policy is attached. 

1. Return to the role **Summary** page.

1. On the **Trust relationships** tab, choose **Show policy document**, and then confirm whether the **ApplicationAutoScalingForAmazonAppStreamAccess** trust relationship policy is attached and follows the correct format. If so, the trust relationship is correctly configured. Choose **Cancel** and close the IAM console. 

## ApplicationAutoScalingForAmazonAppStreamAccess trust relationship policy
<a name="controlling-access-autoscaling-trust-policy"></a>

The **ApplicationAutoScalingForAmazonAppStreamAccess** trust relationship policy must include the Application Auto Scaling service as the principal. This policy must also include the `sts:AssumeRole` action. The following policy configuration defines Application Auto Scaling as a trusted entity.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "application-autoscaling.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

------

# Checking for the `AWSServiceRoleForApplicationAutoScaling_AppStreamFleet` Service-Linked Role and Policies
<a name="controlling-access-checking-for-iam-service-linked-role-application-autoscaling-appstream-fleet"></a>

Complete the steps in this section to check whether the `AWSServiceRoleForApplicationAutoScaling_AppStreamFleet` service-linked role is present and has the correct policies attached. If this role is not in your account and must be created, you or an administrator with the required permissions must perform the steps to get started with WorkSpaces Applications in your Amazon Web Services account.

**To check whether the `AWSServiceRoleForApplicationAutoScaling_AppStreamFleet` IAM service-linked role is present**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Roles**. 

1. In the search box, type **applicationautoscaling** to narrow the list of roles to select, and then choose `AWSServiceRoleForApplicationAutoScaling_AppStreamFleet`. If this role is listed, select it to view the role **Summary** page. 

1. On the **Permissions** tab, confirm whether the `AWSApplicationAutoscalingAppStreamFleetPolicy` permissions policy is attached.

1. Return to the role **Summary** page.

1. On the **Trust relationships** tab, choose **Show policy document**, and then confirm whether the `AWSServiceRoleForApplicationAutoScaling_AppStreamFleet` trust relationship policy is attached and follows the correct format. If so, the trust relationship is correctly configured. Choose **Cancel** and close the IAM console. 

## AWSServiceRoleForApplicationAutoScaling\_AppStreamFleet trust relationship policy
<a name="controlling-access-application-autoscaling-appstream-fleet-trust-policy"></a>

The `AWSServiceRoleForApplicationAutoScaling_AppStreamFleet` trust relationship policy must include **appstream.application-autoscaling.amazonaws.com** as the principal. This policy must also include the `sts:AssumeRole` action. The following policy configuration defines **appstream.application-autoscaling.amazonaws.com** as a trusted entity.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "appstream.application-autoscaling.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

------

# Checking for the AmazonAppStreamPCAAccess Service Role and Policies
<a name="controlling-access-checking-for-AppStreamPCAAccess"></a>

Complete the steps in this section to check whether the **AmazonAppStreamPCAAccess** service role is present and has the correct policies attached. If this role is not in your account and must be created, you or an administrator with the required permissions must perform the steps to get started with WorkSpaces Applications in your Amazon Web Services account.

**To check whether the AmazonAppStreamPCAAccess IAM service role is present**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Roles**. 

1. In the search box, type **appstreampca** to narrow the list of roles to select, and then choose **AmazonAppStreamPCAAccess**. If this role is listed, select it to view the role **Summary** page. 

1. On the **Permissions** tab, confirm whether the **AmazonAppStreamPCAAccess** permissions policy is attached.

1. Return to the role **Summary** page.

1. On the **Trust relationships** tab, choose **Show policy document**, and then confirm whether the **AmazonAppStreamPCAAccess** trust relationship policy is attached and follows the correct format. If so, the trust relationship is correctly configured. Choose **Cancel** and close the IAM console. 

## AmazonAppStreamPCAAccess trust relationship policy
<a name="controlling-access-amazonappstreampcaaccess-trust-policy"></a>

The **AmazonAppStreamPCAAccess** trust relationship policy must include prod.euc.ecm.amazonaws.com as the principal. This policy must also include the `sts:AssumeRole` action. The following policy configuration defines ECM as a trusted entity.

**To create the AmazonAppStreamPCAAccess trust relationship policy using the AWS CLI**

1. Create a JSON file named `AmazonAppStreamPCAAccess.json` with the following text.

------
#### [ JSON ]

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "Service": [
                       "prod.euc.ecm.amazonaws.com"
                   ]
               },
               "Action": "sts:AssumeRole",
               "Condition": {}
           }
       ]
   }
   ```

------

1. Adjust the `AmazonAppStreamPCAAccess.json` path as needed and run the following AWS CLI commands to create the trust relationship policy and attach the AmazonAppStreamPCAAccess managed policy. For more information about the managed policy, see [AWS Managed Policies Required to Access WorkSpaces Applications Resources](managed-policies-required-to-access-appstream-resources.md).

   ```
   aws iam create-role --path /service-role/ --role-name AmazonAppStreamPCAAccess --assume-role-policy-document file://AmazonAppStreamPCAAccess.json
   ```

   ```
   aws iam attach-role-policy --role-name AmazonAppStreamPCAAccess --policy-arn arn:aws:iam::aws:policy/AmazonAppStreamPCAAccess
   ```
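The four procedures above verify each trust relationship by hand in the IAM console. As an added example (not code from the AWS documentation), the following Python function applies the same check programmatically to any of the four roles, flagging a missing expected principal, extra service principals, or AWS account principals that should not be able to assume a service role; it accepts the trust policy as the `AssumeRolePolicyDocument` value that `aws iam get-role` returns, and the two sample documents below (including account ID 111122223333) are constructed for the demonstration.

```python
import json

# Expected trusted service principal for each role this guide checks
# (taken from the trust relationship policies shown above).
EXPECTED_TRUST = {
    "AmazonAppStreamServiceAccess": "appstream.amazonaws.com",
    "ApplicationAutoScalingForAmazonAppStreamAccess": "application-autoscaling.amazonaws.com",
    "AWSServiceRoleForApplicationAutoScaling_AppStreamFleet": "appstream.application-autoscaling.amazonaws.com",
    "AmazonAppStreamPCAAccess": "prod.euc.ecm.amazonaws.com",
}


def _as_list(value):
    """IAM accepts either a string or a list of strings in Principal, Action and similar fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(role_name, document):
    """Return a list of findings for a role's trust policy; an empty list means it matches.

    `document` is the trust policy as a JSON string (for example the AssumeRolePolicyDocument
    value returned by `aws iam get-role`) or an already-parsed dict.
    """
    expected = EXPECTED_TRUST[role_name]
    policy = json.loads(document) if isinstance(document, str) else document
    findings = []
    services_seen = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if "sts:assumerole" not in actions and "sts:*" not in actions:
            continue  # statement does not grant role assumption
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            # Any AWS principal could assume the service role: always a finding.
            findings.append("statement trusts every principal ('*')")
            continue
        for arn in aws_principals:
            # The trust policies in this guide name service principals only.
            findings.append(f"unexpected AWS principal trusted: {arn}")
        if isinstance(principal, dict):
            services_seen.update(_as_list(principal.get("Service")))
    if expected not in services_seen:
        findings.append(f"expected service principal {expected} is not trusted")
    for svc in sorted(services_seen - {expected}):
        findings.append(f"unexpected service principal trusted: {svc}")
    return findings


# Constructed sample: the AmazonAppStreamPCAAccess trust policy from this guide (list-form Service).
GOOD_PCA_TRUST = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["prod.euc.ecm.amazonaws.com"]},
        "Action": "sts:AssumeRole",
        "Condition": {},
    }],
})

# Constructed sample of a drifted AmazonAppStreamServiceAccess trust policy: a second statement
# lets an IAM user in another (made-up) account assume the service role.
DRIFTED_TRUST = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "appstream.amazonaws.com"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:user/someone"},
         "Action": "sts:AssumeRole"},
    ],
})

if __name__ == "__main__":
    for name, doc in (("AmazonAppStreamPCAAccess", GOOD_PCA_TRUST),
                      ("AmazonAppStreamServiceAccess", DRIFTED_TRUST)):
        print(name, "->", check_trust_policy(name, doc) or "OK")
```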

# Using IAM Policies to Manage Administrator Access to Application Auto Scaling
<a name="autoscaling-iam-policy"></a>

Automatic scaling for fleets is made possible by a combination of the WorkSpaces Applications, Amazon CloudWatch, and Application Auto Scaling APIs. WorkSpaces Applications fleets are created with WorkSpaces Applications, alarms are created with CloudWatch, and scaling policies are created with Application Auto Scaling.

In addition to having the permissions defined in the [AmazonAppStreamFullAccess](managed-policies-required-to-access-appstream-resources.md) policy, the IAM user that accesses fleet scaling settings must have the required permissions for the services that support dynamic scaling. IAM users must have permissions to use the actions shown in the following example policy. 

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
          "appstream:*",
          "application-autoscaling:*",
          "cloudwatch:DeleteAlarms",
          "cloudwatch:DescribeAlarmsForMetric",
          "cloudwatch:DisableAlarmActions",
          "cloudwatch:DescribeAlarms",
          "cloudwatch:EnableAlarmActions",
          "cloudwatch:ListMetrics",
          "cloudwatch:PutMetricAlarm",
          "iam:ListRoles"
      ],
      "Resource": "*"
    },
    {
      "Sid": "iamPassRole",
      "Effect": "Allow",
      "Action": [
          "iam:PassRole"
      ],
      "Resource": "*",
      "Condition": {
         "StringEquals": {
             "iam:PassedToService": "application-autoscaling.amazonaws.com"
          }
      }
    }
  ]
}
```

------

You can also create your own IAM policies to set more specific permissions for calls to the Application Auto Scaling API. For more information, see [Authentication and Access Control](https://docs.aws.amazon.com/autoscaling/application/userguide/auth-and-access-control.html) in the *Application Auto Scaling User Guide*.
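The important detail in the policy above is the second statement: `iam:PassRole` is allowed only when the role is passed to `application-autoscaling.amazonaws.com`. As an added example (not AWS code), this Python audit checks a candidate identity policy against the action list above and reports an `iam:PassRole` grant that lacks the `iam:PassedToService` condition, which is the typical way a scaling administrator's policy ends up over-privileged; both sample policies are constructed.

```python
import fnmatch
import json

# Actions the example policy grants to a scaling administrator; iam:PassRole is handled
# separately because it must carry the iam:PassedToService condition.
REQUIRED_ACTIONS = [
    "appstream:*",
    "application-autoscaling:*",
    "cloudwatch:DeleteAlarms",
    "cloudwatch:DescribeAlarmsForMetric",
    "cloudwatch:DisableAlarmActions",
    "cloudwatch:DescribeAlarms",
    "cloudwatch:EnableAlarmActions",
    "cloudwatch:ListMetrics",
    "cloudwatch:PutMetricAlarm",
    "iam:ListRoles",
]
SCALING_SERVICE = "application-autoscaling.amazonaws.com"


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    """IAM action matching: case-insensitive, with * and ? wildcards (fnmatch covers both)."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def audit_scaling_admin_policy(document):
    """Check an identity policy against the requirements above.

    Returns {"missing_actions": [...], "findings": [...]}; both empty means the policy grants
    every required action and scopes iam:PassRole to Application Auto Scaling.
    """
    policy = json.loads(document) if isinstance(document, str) else document
    allow_stmts = [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]
    missing = [a for a in REQUIRED_ACTIONS
               if not any(_action_matches(s.get("Action"), a) for s in allow_stmts)]
    findings = []
    passrole_seen = False
    for stmt in allow_stmts:
        # A wildcard such as iam:* also grants PassRole, so match by pattern, not by literal.
        if not _action_matches(stmt.get("Action"), "iam:PassRole"):
            continue
        passrole_seen = True
        cond = stmt.get("Condition") or {}
        passed_to = set()
        for operator in ("StringEquals", "StringLike"):
            passed_to.update(_as_list((cond.get(operator) or {}).get("iam:PassedToService")))
        if not passed_to:
            # Without the condition the user could hand this role to any service that accepts it.
            findings.append("iam:PassRole is not restricted with iam:PassedToService")
        elif passed_to != {SCALING_SERVICE}:
            findings.append(f"iam:PassRole allowed for unexpected services: {sorted(passed_to)}")
    if not passrole_seen:
        missing.append("iam:PassRole")
    return {"missing_actions": missing, "findings": findings}


# Constructed sample equivalent to the policy shown above.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": REQUIRED_ACTIONS, "Resource": "*"},
        {"Sid": "iamPassRole", "Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*",
         "Condition": {"StringEquals": {"iam:PassedToService": SCALING_SERVICE}}},
    ],
}

# Constructed over-privileged variant: iam:PassRole sits in the first statement with no
# condition, and cloudwatch:PutMetricAlarm was left out.
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": [a for a in REQUIRED_ACTIONS if a != "cloudwatch:PutMetricAlarm"] + ["iam:PassRole"],
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for label, doc in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(label, "->", audit_scaling_admin_policy(doc))
```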

# Using IAM Policies to Manage Administrator Access to the Amazon S3 Bucket for Home Folders and Application Settings Persistence
<a name="s3-iam-policy"></a>

The following examples show how you can use IAM policies to manage access to the Amazon S3 bucket for home folders and application settings persistence.

**Topics**
+ [Deleting the Amazon S3 Bucket for Home Folders and Application Settings Persistence](s3-iam-policy-delete.md)
+ [Restricting Administrator Access to the Amazon S3 Bucket for Home Folders and Application Settings Persistence](s3-iam-policy-restricted-access.md)

# Deleting the Amazon S3 Bucket for Home Folders and Application Settings Persistence
<a name="s3-iam-policy-delete"></a>

WorkSpaces Applications adds an Amazon S3 bucket policy to the buckets that it creates to prevent them from being accidentally deleted. To delete an S3 bucket, you must first delete the S3 bucket policy. Following are the bucket policies that you must delete for home folders and application settings persistence.

**Home folders policy**

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PreventAccidentalDeletionOfBucket",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:DeleteBucket",
      "Resource": "arn:aws:s3:::appstream2-36fb080bb8-region-code-123456789012-without-hyphens"
    }
  ]
}
```

------

**Application settings persistence policy**

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PreventAccidentalDeletionOfBucket",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:DeleteBucket",
      "Resource": "arn:aws:s3:::appstream-app-settings-region-code-123456789012-without-hyphens-unique-identifier"
     }
   ]
}
```

------

For more information, see [Deleting or Emptying a Bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/delete-or-empty-bucket.html) in the *Amazon Simple Storage Service User Guide*.

# Restricting Administrator Access to the Amazon S3 Bucket for Home Folders and Application Settings Persistence
<a name="s3-iam-policy-restricted-access"></a>

By default, administrators who can access the Amazon S3 buckets created by WorkSpaces Applications can view and modify content that is part of users' home folders and persistent application settings. To restrict administrator access to the S3 buckets that contain user files, we recommend applying the S3 bucket access policy based on the following template: 

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RestrictedAccess",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": [
          "arn:aws:iam::account:role/service-role/AmazonAppStreamServiceAccess",
          "arn:aws:sts::account:assumed-role/AmazonAppStreamServiceAccess/PhotonSession",
          "arn:aws:iam::account:user/IAM-user-name"
        ]
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::home-folder-or-application-settings-persistence-s3-bucket-region-account"
    }
  ]
}
```

This policy allows S3 bucket access only to the users specified and to the WorkSpaces Applications service. For every IAM user who should have access, replicate the following line:

```
"arn:aws:iam::account:user/IAM-user-name"
```

In the following example, the policy restricts access to the home folder S3 bucket for anyone other than IAM users marymajor and johnstiles. It also allows access to the WorkSpaces Applications service, in AWS Region US West (Oregon) for account ID 123456789012.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RestrictedAccess",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": [
          "arn:aws:iam::123456789012:role/service-role/AmazonAppStreamServiceAccess",
          "arn:aws:sts::123456789012:assumed-role/AmazonAppStreamServiceAccess/PhotonSession",
          "arn:aws:iam::123456789012:user/marymajor",
          "arn:aws:iam::123456789012:user/johnstiles"
        ]
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::appstream2-36fb080bb8-us-west-2-123456789012"
    }
  ]
}
```
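A `Deny` with `NotPrincipal` is easy to get backwards: it applies to everyone who is not in the list, so forgetting a user (or the service role's assumed-role session) locks them out. As an added example (not AWS code), the following Python builds the bucket policy from the template above for a list of IAM users and evaluates the explicit Deny for a given caller, action and resource; the account, bucket and user names are those of the example above, and `otheradmin` is a constructed principal.

```python
import fnmatch
import json


def build_restricted_access_policy(account_id, bucket_name, user_names):
    """Build the bucket policy from the template above for the given account, bucket and IAM users.

    Everyone except the listed users and the WorkSpaces Applications service role (including its
    PhotonSession sessions) is denied every s3:* action on the bucket resource.
    """
    excepted = [
        f"arn:aws:iam::{account_id}:role/service-role/AmazonAppStreamServiceAccess",
        f"arn:aws:sts::{account_id}:assumed-role/AmazonAppStreamServiceAccess/PhotonSession",
    ] + [f"arn:aws:iam::{account_id}:user/{name}" for name in user_names]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RestrictedAccess",
            "Effect": "Deny",
            "NotPrincipal": {"AWS": excepted},
            "Action": "s3:*",
            "Resource": f"arn:aws:s3:::{bucket_name}",
        }],
    }


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    """IAM wildcard matching; action names are case-insensitive, resource ARNs are not."""
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_denied(policy, principal_arn, action, resource_arn):
    """True when an explicit Deny statement of the bucket policy applies to this request.

    Only Deny statements are evaluated: an explicit Deny overrides any Allow granted elsewhere,
    so this is enough to tell who is locked out by the RestrictedAccess statement.
    """
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        if not _matches(stmt.get("Action"), action, fold_case=True):
            continue
        if not _matches(stmt.get("Resource"), resource_arn, fold_case=False):
            continue
        if "NotPrincipal" in stmt:
            # NotPrincipal: the Deny applies to every caller NOT in the list.
            if principal_arn in _as_list(stmt["NotPrincipal"].get("AWS")):
                continue
            return True
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws or principal_arn in aws:
            return True
    return False


# Constructed sample matching the example above: account 123456789012, the home folder bucket in
# US West (Oregon), and IAM users marymajor and johnstiles.
ACCOUNT = "123456789012"
BUCKET = "appstream2-36fb080bb8-us-west-2-123456789012"
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
POLICY = build_restricted_access_policy(ACCOUNT, BUCKET, ["marymajor", "johnstiles"])

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for who in (f"arn:aws:iam::{ACCOUNT}:user/marymajor",
                f"arn:aws:iam::{ACCOUNT}:user/otheradmin",
                f"arn:aws:sts::{ACCOUNT}:assumed-role/AmazonAppStreamServiceAccess/PhotonSession"):
        verdict = "DENIED" if is_denied(POLICY, who, "s3:ListBucket", BUCKET_ARN) else "not denied"
        print(who, "->", verdict)
```

Resource matching follows IAM wildcard rules, so pass the ARN the request actually targets: a bucket-level request matches the template's bucket ARN, while an object-level request (`arn:aws:s3:::bucket/key`) only matches a `Resource` pattern that covers `bucket/*`.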

# Using an IAM Role to Grant Permissions to Applications and Scripts Running on WorkSpaces Applications Streaming Instances
<a name="using-iam-roles-to-grant-permissions-to-applications-scripts-streaming-instances"></a>

Applications and scripts that run on WorkSpaces Applications streaming instances must sign their AWS API requests with AWS credentials. Rather than baking long-term access keys into an image, you can create an IAM role to supply those credentials. An IAM role specifies a set of permissions for accessing AWS resources. Unlike an IAM user, a role is not tied to one person; it can be assumed by any entity that the role's trust policy allows, which in this case is the WorkSpaces Applications service.

You can apply an IAM role to a WorkSpaces Applications streaming instance. When the streaming instance switches to (assumes) the role, the role provides temporary security credentials. Your applications or scripts use these credentials to perform API actions and management tasks on the streaming instance. WorkSpaces Applications manages the temporary credential switch for you.

**Topics**
+ [Best Practices for Using IAM Roles With WorkSpaces Applications Streaming Instances](best-practices-for-using-iam-role-with-streaming-instances.md)
+ [Configuring an Existing IAM Role to Use With WorkSpaces Applications Streaming Instances](configuring-existing-iam-role-to-use-with-streaming-instances.md)
+ [How to Create an IAM Role to Use With WorkSpaces Applications Streaming Instances](how-to-create-iam-role-to-use-with-streaming-instances.md)
+ [How to Use the IAM Role With WorkSpaces Applications Streaming Instances](how-to-use-iam-role-with-streaming-instances.md)

# Best Practices for Using IAM Roles With WorkSpaces Applications Streaming Instances
<a name="best-practices-for-using-iam-role-with-streaming-instances"></a>

When you use IAM roles with WorkSpaces Applications streaming instances, we recommend that you follow these practices:
+ Limit the permissions that you grant to AWS API actions and resources.

  Follow least privilege principles when you create and attach IAM policies to the IAM roles associated with WorkSpaces Applications streaming instances. When you use an application or script that requires access to AWS API actions or resources, determine the specific actions and resources that are required. Then, create policies that allow the application or script to perform only those actions. For more information, see [Grant Least Privilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege) in the *IAM User Guide*.
+ Create an IAM role for each WorkSpaces Applications resource.

  Creating a unique IAM role for each WorkSpaces Applications resource (each fleet or image builder) follows least privilege principles: a role scoped to one fleet cannot be used to reach the resources that another fleet's applications need. It also lets you modify permissions for one resource without affecting the others.
+ Limit where the credentials can be used.

  IAM policies let you define the conditions under which your IAM role's credentials can be used to access a resource. For example, you can add a condition on `aws:SourceIp` that allows requests only from the public IP range your streaming instances use to reach AWS, such as the address of the NAT gateway in the VPC. If the calls leave the VPC through a VPC endpoint instead, condition on `aws:SourceVpc` or `aws:VpcSourceIp`, because `aws:SourceIp` is not set for those requests. Either way, temporary credentials copied off a streaming instance are then useless from anywhere else. For more information, see [Use Policy Conditions for Extra Security](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#use-policy-conditions) in the *IAM User Guide*.

# Configuring an Existing IAM Role to Use With WorkSpaces Applications Streaming Instances
<a name="configuring-existing-iam-role-to-use-with-streaming-instances"></a>

This topic describes how to configure an existing IAM role so that you can use it with image builders and fleet streaming instances.

**Prerequisites**

The IAM role that you want to use with a WorkSpaces Applications image builder or fleet streaming instance must meet the following prerequisites:
+ The IAM role must be in the same Amazon Web Services account as the WorkSpaces Applications streaming instance.
+ The IAM role cannot be a service role.
+ The trust relationship policy that is attached to the IAM role must name the WorkSpaces Applications service (`appstream.amazonaws.com`) as the principal. A *principal* is an entity in AWS that can perform actions and access resources. The policy must also allow the `sts:AssumeRole` action for that principal. This configuration defines WorkSpaces Applications as a trusted entity.
+ If you are applying the IAM role to an image builder, the image builder must run a version of the WorkSpaces Applications agent released on or after September 3, 2019. If you are applying the IAM role to a fleet, the fleet must use an image whose agent version was released on or after the same date. For more information, see [WorkSpaces Applications Agent Release Notes](agent-software-versions.md). 

**To enable the WorkSpaces Applications service principal to assume an existing IAM role**

To perform the following steps, you must sign in to the account as an IAM user who has the permissions required to list and update IAM roles (for example, `iam:ListRoles`, `iam:GetRole`, and `iam:UpdateAssumeRolePolicy`). If you don't have the required permissions, ask your Amazon Web Services account administrator either to perform these steps in your account or to grant you the required permissions.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Roles**. 

1. In the list of roles in your account, choose the name of the role that you want to modify.

1. Choose the **Trust relationships** tab, and then choose **Edit trust relationship**.

1. Under **Policy Document**, verify that the trust relationship policy includes the `sts:AssumeRole` action for the `appstream.amazonaws.com` service principal:

------
#### [ JSON ]

   ```
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "Service": [
             "appstream.amazonaws.com"
           ]
         },
         "Action": "sts:AssumeRole"
       }
     ]
   }
   ```

------

1. When you are finished editing your trust policy, choose **Update Trust Policy** to save your changes. 

1. The IAM role that you selected now appears in the list of IAM roles that you can choose in the WorkSpaces Applications console when you launch an image builder or create or update a fleet. This role grants permissions to applications and scripts to perform API actions and management tasks on streaming instances.
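Before you select an existing role in the console, it is worth checking its trust policy against the prerequisites above programmatically, especially when you are reusing a role that was created for another service. The following script is an added example, not code from the AWS documentation: `trust_policy_allows_appstream` takes a parsed trust policy document (with boto3 you would pass it `iam.get_role(RoleName=name)["Role"]["AssumeRolePolicyDocument"]`), tolerates the string-or-list forms that IAM accepts for `Principal.Service` and `Action`, and fails closed on an explicit `Deny` or on a wildcard principal. The two sample documents are constructed for illustration.

```python
"""Check whether an IAM role's trust policy lets the WorkSpaces Applications
service principal (appstream.amazonaws.com) assume the role.

Added example, not from the AWS documentation. It works on a parsed trust
policy document and needs no network access; on a real account feed it
iam.get_role(RoleName=name)["Role"]["AssumeRolePolicyDocument"].
"""
import json

APPSTREAM_PRINCIPAL = "appstream.amazonaws.com"


def _as_list(value):
    """IAM accepts either a string or a list for Action, Principal.Service, etc."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches_appstream(statement):
    """True if the statement names the AppStream service principal together
    with an action that covers sts:AssumeRole. A wildcard or AWS-account
    principal is deliberately not treated as the service principal."""
    principal = statement.get("Principal")
    if not isinstance(principal, dict):
        return False
    services = [s.lower() for s in _as_list(principal.get("Service"))]
    actions = [a.lower() for a in _as_list(statement.get("Action"))]
    return APPSTREAM_PRINCIPAL in services and any(
        a in ("sts:assumerole", "sts:*", "*") for a in actions
    )


def trust_policy_allows_appstream(doc):
    """Return (ok, reason). ok is True only when some Allow statement grants
    sts:AssumeRole to appstream.amazonaws.com and no Deny statement revokes it.
    Condition blocks are not evaluated; a conditioned Allow still counts."""
    if isinstance(doc, str):
        doc = json.loads(doc)
    allowed = False
    for statement in _as_list(doc.get("Statement")):
        if not _matches_appstream(statement):
            continue
        if statement.get("Effect") == "Deny":
            return False, "an explicit Deny blocks sts:AssumeRole for " + APPSTREAM_PRINCIPAL
        if statement.get("Effect") == "Allow":
            allowed = True
    if allowed:
        return True, "ok"
    return False, "no Allow statement grants sts:AssumeRole to " + APPSTREAM_PRINCIPAL


# Constructed sample documents (not taken from any real account).
GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": ["appstream.amazonaws.com"]},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Trusts EC2 only: the usual mistake when an EC2 instance role is reused.
EC2_ONLY_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}


if __name__ == "__main__":
    for name, doc in (("good", GOOD_TRUST_POLICY), ("ec2-only", EC2_ONLY_TRUST_POLICY)):
        ok, reason = trust_policy_allows_appstream(doc)
        print(f"{name}: {'PASS' if ok else 'FAIL'} ({reason})")
```

The check is intentionally conservative: a `Principal` of `"*"` or an `AWS` account principal is reported as not satisfying the prerequisite even though such a policy might technically be assumable, because a role that any principal can assume is not what you want attached to a fleet.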

# How to Create an IAM Role to Use With WorkSpaces Applications Streaming Instances
<a name="how-to-create-iam-role-to-use-with-streaming-instances"></a>

This topic describes how to create a new IAM role so that you can use it with image builders and fleet streaming instances.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Roles**, and then choose **Create role**.

1. For **Select type of trusted entity**, choose **AWS service**.

1. From the list of AWS services, choose **WorkSpaces Applications**.

1. Under **Select your use case**, **WorkSpaces Applications — Allows WorkSpaces Applications instances to call AWS services on your behalf** is already selected. Choose **Next: Permissions**.

1. Select an existing policy to use as the permissions policy, or choose **Create policy** to open a new browser tab and create a policy from scratch that allows only the actions and resources that your applications and scripts need. For more information, see step 4 in the procedure [Creating IAM Policies (Console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-start) in the *IAM User Guide*.

   After you create the policy, close that tab and return to your original tab. Select the check box next to each permissions policy that you want WorkSpaces Applications streaming instances to have.

1. (Optional) Set a permissions boundary. This is an advanced feature that is available for service roles, but not service-linked roles. For more information, see [Permissions Boundaries for IAM Entities ](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.

1. Choose **Next: Tags**. You can optionally attach tags as key-value pairs. For more information, see [Tagging IAM Users and Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.

1. Choose **Next: Review**.

1. For **Role name**, type a role name that is unique within your Amazon Web Services account. Because other AWS resources might reference the role, you can't edit the name of the role after it has been created.

1. For **Role description**, keep the default role description or type a new one.

1. Review the role, and then choose **Create role**.
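The same role can be created from a script, which is easier to review and repeat than the console procedure above and makes the best practices from the earlier topic (least privilege, one role per fleet, a condition on where the credentials may be used) concrete. The following is an added example, not code from the AWS documentation: the policy builders return plain dicts and run offline, while `create_streaming_role` needs a boto3 IAM client with permission to call `iam:CreateRole` and `iam:PutRolePolicy`. The bucket name, prefix, role name and the NAT gateway address `203.0.113.10` (a documentation address) are assumptions for illustration.

```python
"""Create an IAM role for WorkSpaces Applications streaming instances with a
least-privilege permissions policy. Added example, not from the AWS docs.

Assumed scenario (illustrative): the application on the fleet only needs to
read objects under one prefix of one S3 bucket, and all API calls leave the
VPC through a NAT gateway whose public address is 203.0.113.10.
"""
import json

# Trust policy from the previous topic: only the AppStream service may assume the role.
APPSTREAM_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "appstream.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def build_permissions_policy(bucket, prefix, source_cidrs):
    """Allow only s3:GetObject under bucket/prefix and s3:ListBucket restricted
    to that prefix, and only for requests whose source IP is in source_cidrs
    (aws:SourceIp, i.e. the NAT gateway address when calls leave via NAT)."""
    if not source_cidrs:
        raise ValueError("refusing to build a policy with no source restriction")
    prefix = prefix.strip("/")
    ip_condition = {"IpAddress": {"aws:SourceIp": list(source_cidrs)}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadObjectsUnderPrefix",
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
                "Condition": ip_condition,
            },
            {
                "Sid": "ListOnlyThatPrefix",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {
                    "StringLike": {"s3:prefix": [f"{prefix}/*"]},
                    **ip_condition,
                },
            },
        ],
    }


def create_streaming_role(iam, role_name, permissions_policy, description=""):
    """Create the role with the AppStream trust policy and attach the
    permissions policy inline. `iam` is a boto3 IAM client (or a test double
    with the same create_role / put_role_policy methods). Returns the role ARN."""
    kwargs = {
        "RoleName": role_name,
        "AssumeRolePolicyDocument": json.dumps(APPSTREAM_TRUST_POLICY),
    }
    if description:
        kwargs["Description"] = description
    role = iam.create_role(**kwargs)
    iam.put_role_policy(
        RoleName=role_name,
        PolicyName=f"{role_name}-least-privilege",
        PolicyDocument=json.dumps(permissions_policy),
    )
    return role["Role"]["Arn"]


if __name__ == "__main__":
    import boto3  # only needed for the live call

    policy = build_permissions_policy(
        bucket="example-app-assets", prefix="fleet-config", source_cidrs=["203.0.113.10/32"]
    )
    print(json.dumps(policy, indent=2))
    # One role per fleet: name it after the fleet it serves.
    arn = create_streaming_role(
        boto3.client("iam"),
        "AppStreamFleetConfigReader",
        policy,
        "Read-only access to fleet configuration for one streaming fleet",
    )
    print("created", arn)
```

If the streaming instances reach S3 through a gateway or interface VPC endpoint rather than a NAT gateway, replace the `aws:SourceIp` condition with one on `aws:SourceVpc` or `aws:VpcSourceIp`; `aws:SourceIp` is not available for requests that arrive through a VPC endpoint, so the policy above would deny them.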

# How to Use the IAM Role With WorkSpaces Applications Streaming Instances
<a name="how-to-use-iam-role-with-streaming-instances"></a>

After you create an IAM role, you can apply it to an image builder or fleet streaming instance when you launch the image builder or create the fleet. You can also apply an IAM role to an existing fleet. For information about how to apply an IAM role when you launch an image builder, see [Launch an Image Builder to Install and Configure Streaming Applications](tutorial-image-builder-create.md). For information about how to apply an IAM role when you create a fleet, see [Create a Fleet in Amazon WorkSpaces Applications](set-up-stacks-fleets-create.md).

When you apply an IAM role to your image builder or fleet streaming instance, WorkSpaces Applications retrieves temporary credentials and creates the **appstream_machine_role** credential profile on the instance. The temporary credentials are valid for 1 hour, and WorkSpaces Applications retrieves a new set every hour. Retrieving a new set does not revoke the previous one; each set remains usable until its own expiry. You can use the credential profile to call AWS services programmatically by using the AWS Command Line Interface (AWS CLI), AWS Tools for PowerShell, or the AWS SDK for the language of your choice.

When you make the API calls, specify **appstream_machine_role** as the credential profile. Otherwise, the operation fails due to insufficient permissions.

WorkSpaces Applications assumes the specified role while the streaming instance is provisioned. Because WorkSpaces Applications uses the elastic network interface that is attached to your VPC for AWS API calls, your application or script must wait for that elastic network interface to become available before making AWS API calls. Calls made before the elastic network interface is available fail.

The following examples show how you can use the **appstream_machine_role** credential profile to describe streaming instances (EC2 instances) and to create a Boto3 session. Boto3 is the Amazon Web Services (AWS) SDK for Python. 

**Describe Streaming Instances (EC2 instances) by Using the AWS CLI**

```
aws ec2 describe-instances --region us-east-1 --profile appstream_machine_role
```

**Describe Streaming Instances (EC2 instances) by Using AWS Tools for PowerShell**

You must use AWS Tools for PowerShell version 3.3.563.1 or later, with the Amazon Web Services SDK for .NET version 3.3.103.22 or later. You can download the AWS Tools for Windows installer, which includes AWS Tools for PowerShell and the Amazon Web Services SDK for .NET, from the [AWS Tools for PowerShell](https://aws.amazon.com/powershell/) website.

```
Get-EC2Instance -Region us-east-1 -ProfileName appstream_machine_role
```

**Creating a Boto3 Session by Using the AWS SDK for Python**

```
import boto3
session = boto3.Session(profile_name='appstream_machine_role')
```
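The boto3 one-liner above does nothing about the failure mode described earlier: if the script starts before the elastic network interface is up, the first call fails. The following added example (not from the AWS documentation) wraps the first call in a bounded retry. `wait_until_ready` accepts any probe callable so it can be tested offline; `sts_probe` is the real probe, a read-only `sts:GetCallerIdentity` call through the **appstream_machine_role** profile, and `describe_my_instances` is the page's EC2 example with pagination. The `us-east-1` region is taken from the page's examples; the retry count and delay are assumptions.

```python
"""Use the appstream_machine_role credential profile from Python, waiting for
the instance's elastic network interface to come up first.

Added example, not from the AWS documentation. sts_probe() and
describe_my_instances() need boto3 and must run on a streaming instance;
wait_until_ready() is plain Python and takes any probe callable.
"""
import time

PROFILE = "appstream_machine_role"  # profile written by the WorkSpaces Applications agent


def sts_probe(region="us-east-1"):
    """One cheap, read-only call with the instance role. Raises until the ENI
    is up and the credential profile exists; returns the caller ARN."""
    import boto3  # imported here so the module loads without boto3 installed
    session = boto3.Session(profile_name=PROFILE, region_name=region)
    return session.client("sts").get_caller_identity()["Arn"]


def wait_until_ready(probe, attempts=12, delay=5.0, sleep=time.sleep):
    """Call probe() until it returns without raising, sleeping `delay` seconds
    between tries, for at most `attempts` tries. Returns (result, tries_used).
    Raises RuntimeError (chained to the last error) if it never succeeds."""
    last_error = None
    for attempt in range(1, attempts + 1):
        try:
            return probe(), attempt
        except Exception as exc:  # boto3 raises several types while the ENI is down
            last_error = exc
            if attempt < attempts:
                sleep(delay)
    raise RuntimeError(f"instance role not usable after {attempts} attempts") from last_error


def describe_my_instances(region="us-east-1"):
    """Once ready, do the real work with the same profile: list instance IDs
    visible to the role (the page's describe-instances example, paginated)."""
    import boto3
    session = boto3.Session(profile_name=PROFILE, region_name=region)
    paginator = session.client("ec2").get_paginator("describe_instances")
    ids = []
    for page in paginator.paginate():
        for reservation in page["Reservations"]:
            ids.extend(i["InstanceId"] for i in reservation["Instances"])
    return ids


if __name__ == "__main__":
    caller, tries = wait_until_ready(sts_probe)
    print(f"instance role ready after {tries} attempt(s) as {caller}")
    print(describe_my_instances())
```

One caveat for long-running scripts: boto3 reads the shared credentials file when the `Session` is created and does not re-read it, so a session that lives longer than the one-hour credential lifetime keeps the expired set even though the agent has written a fresh one to the profile. Create a new `Session` for work that starts after the credentials you loaded have expired.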

# SELinux on Red Hat Enterprise Linux and Rocky Linux
<a name="selinux"></a>

By default, Security Enhanced Linux (SELinux) is `enabled` and set to `enforcing` mode on WorkSpaces Applications image builders and streaming instances powered by Red Hat Enterprise Linux and Rocky Linux. In `enforcing` mode, operations that the loaded policy denies are blocked and logged (in `permissive` mode they would only be logged). SELinux is a collection of kernel features and utilities that provides a strong, flexible, mandatory access control (MAC) architecture for the major subsystems of the kernel.

SELinux provides an enhanced mechanism to enforce the separation of information based on confidentiality and integrity requirements. This separation reduces the threat of tampering with, or bypassing, application security mechanisms, and it confines the damage that malicious or flawed applications can cause. If an application that you install on an image fails with permission errors that file modes do not explain, look for AVC denials in the audit log and adjust the policy for that application rather than switching the instances out of `enforcing` mode.

SELinux includes a set of sample security policy configuration files that are designed to meet everyday security goals. For more information about SELinux features and functionality, see [What is SELinux?](https://www.redhat.com/en/topics/linux/what-is-selinux)

# Cookie-Based Authentication in Amazon WorkSpaces Applications
<a name="cookie-auth"></a>

WorkSpaces Applications uses browser cookies to authenticate streaming sessions and allow users to reconnect to an active session without re-entering their sign-in credentials every time. Authentication tokens are stored in browser cookies for every authentication scenario. While cookies are necessary for many online services, they can potentially be vulnerable to cookie theft attacks. We strongly recommend that you take proactive measures to prevent cookie theft, such as implementing robust endpoint protection solutions for your users' devices. Furthermore, to mitigate the potential impact in the event of cookie theft, we advise you to consider the following actions:
+ **Enforce single-session limit**: For your WorkSpaces Applications Windows images, create a `DWORD` registry value named **max-concurrent-clients** with the data 1 under the key `HKEY_USERS\S-1-5-18\Software\GSettings\com\nicesoftware\dcv\session-management`. This limits the number of concurrent connections to a session to one, so an attacker holding a stolen cookie cannot mirror a session that the legitimate user is already connected to. For more information, see [session-management Parameters](https://docs.aws.amazon.com/dcv/latest/adminguide/config-param-ref.html#session_management).
+ **Enforce session expiry and re-authentication**
  + Reduce the `SessionDuration` value so that the authentication token expires soon after the user has successfully started the streaming session. Once `SessionDuration` has elapsed, an authentication cookie can no longer be reused and the user must re-authenticate. `SessionDuration` specifies the maximum amount of time that a federated streaming session for a user can remain active before re-authentication is required. The default value is 60 minutes. For more information, see [Step 5: Create Assertions for the SAML Authentication Response](external-identity-providers-setting-up-saml.md#external-identity-providers-create-assertions).
  + To help maximize security, users should end sessions properly with the toolbar (terminate session) instead of closing the streaming window. Ending the session through the toolbar terminates both the user session and the streaming instance, so future access requires re-authentication and a previously issued cookie cannot be misused. If a user closes the streaming window without ending the session, the session and instance remain active for a configurable disconnect timeout period (in minutes). The disconnect timeout must be a number between 1 and 5760, with a default value of 15 minutes. To prevent misuse of inactive sessions, we recommend setting a short disconnect timeout. For more information, see [Create a Fleet in Amazon WorkSpaces Applications](set-up-stacks-fleets-create.md).
+ **Limit access to stream WorkSpaces Applications applications to your IP ranges**: We recommend that you implement IP-based IAM policies: attach to the role that your federated users assume a policy that denies the `appstream:Stream` action unless `aws:SourceIp` falls within your authorized IP ranges. This ensures that WorkSpaces Applications sessions can only be started from clients whose IP address belongs to an authorized range. All connection attempts from a client outside an authorized range are denied, even if the client presents an otherwise valid authentication cookie (for example, one stolen from a user). For more information, see [Limit access to stream Amazon AppStream 2.0 applications to your IP ranges](https://aws.amazon.com/blogs/desktop-and-application-streaming/limit-access-to-stream-amazon-appstream-2-0-applications-to-your-ip-ranges/).
+ **Add additional authentication**: To launch domain-joined streaming instances, you can join your WorkSpaces Applications Always-On and On-Demand Windows fleets and image builders to domains in Microsoft Active Directory, and use your existing Active Directory domains, either cloud-based or on-premises. After the initial SAML-based authentication, your users will be prompted to provide their domain credentials for additional authentication against the organizational domain. For more information, see [Using Active Directory with WorkSpaces Applications](active-directory.md).

 If you have any concerns or need help, contact [AWS Support Center](https://console.aws.amazon.com/support/home#/). 