Actions, resources, and condition keys for Amazon WorkSpaces Web

Amazon WorkSpaces Web (service prefix: workspaces-web) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Learn how to configure this service.
View a list of the API operations available for this service.
Learn how to secure this service and its resources by using IAM permission policies.

Topics

Actions defined by Amazon WorkSpaces Web
Resource types defined by Amazon WorkSpaces Web
Condition keys for Amazon WorkSpaces Web

Actions defined by Amazon WorkSpaces Web

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions	Description	Access level	Resource types (*required)	Condition keys	Dependent actions
AssociateBrowserSettings	Grants permission to associate browser settings to web portals	Write	browserSettings*
AssociateBrowserSettings		Write	portal*
AssociateIpAccessSettings	Grants permission to associate ip access settings with web portals	Write	ipAccessSettings*
AssociateIpAccessSettings		Write	portal*
AssociateNetworkSettings	Grants permission to associate network settings to web portals	Write	networkSettings*		ec2:CreateNetworkInterface ec2:CreateNetworkInterfacePermission ec2:CreateTags ec2:DeleteNetworkInterface ec2:DeleteNetworkInterfacePermission ec2:ModifyNetworkInterfaceAttribute
AssociateNetworkSettings		Write	portal*
AssociateTrustStore	Grants permission to associate trust stores with web portals	Write	portal*
AssociateTrustStore		Write	trustStore*
AssociateUserAccessLoggingSettings	Grants permission to associate user access logging settings with web portals	Write	portal*		kinesis:PutRecord kinesis:PutRecords
AssociateUserAccessLoggingSettings		Write	userAccessLoggingSettings*
AssociateUserSettings	Grants permission to associate user settings with web portals	Write	portal*
AssociateUserSettings		Write	userSettings*
CreateBrowserSettings	Grants permission to create browser settings	Write		aws:TagKeys aws:RequestTag/${TagKey}	kms:CreateGrant kms:Decrypt kms:DescribeKey kms:GenerateDataKey
CreateIdentityProvider	Grants permission to create identity providers	Write	identityProvider*
CreateIdentityProvider	Grants permission to create identity providers	Write	portal*
CreateIpAccessSettings	Grants permission to create ip access settings	Write		aws:TagKeys aws:RequestTag/${TagKey}
CreateNetworkSettings	Grants permission to create network settings	Write		aws:TagKeys aws:RequestTag/${TagKey}	iam:CreateServiceLinkedRole
CreatePortal	Grants permission to create web portals	Write		aws:TagKeys aws:RequestTag/${TagKey}	iam:CreateServiceLinkedRole kms:CreateGrant kms:Decrypt kms:DescribeKey kms:GenerateDataKey
CreateTrustStore	Grants permission to create trust stores	Write		aws:TagKeys aws:RequestTag/${TagKey}
CreateUserAccessLoggingSettings	Grants permission to create user access logging settings	Write		aws:TagKeys aws:RequestTag/${TagKey}
CreateUserSettings	Grants permission to create user settings	Write		aws:TagKeys aws:RequestTag/${TagKey}
DeleteBrowserSettings	Grants permission to delete browser settings	Write	browserSettings*
DeleteIdentityProvider	Grants permission to delete identity providers	Write	identityProvider*
DeleteIdentityProvider	Grants permission to delete identity providers	Write	portal*
DeleteIpAccessSettings	Grants permission to delete ip access settings	Write	ipAccessSettings*
DeleteNetworkSettings	Grants permission to delete network settings	Write	networkSettings*
DeletePortal	Grants permission to delete web portals	Write	portal*
DeleteTrustStore	Grants permission to delete trust stores	Write	trustStore*
DeleteUserAccessLoggingSettings	Grants permission to delete user access logging settings	Write	userAccessLoggingSettings*
DeleteUserSettings	Grants permission to delete user settings	Write	userSettings*
DisassociateBrowserSettings	Grants permission to disassociate browser settings from web portals	Write	portal*
DisassociateIpAccessSettings	Grants permission to disassociate ip access logging from web portals	Write	portal*
DisassociateNetworkSettings	Grants permission to disassociate network settings from web portals	Write	portal*
DisassociateTrustStore	Grants permission to disassociate trust stores from web portals	Write	portal*
DisassociateUserAccessLoggingSettings	Grants permission to disassociate user access logging settings from web portals	Write	portal*
DisassociateUserSettings	Grants permission to disassociate user settings from web portals	Write	portal*
GetBrowserSettings	Grants permission to get details on browser settings	Read	browserSettings*
GetIdentityProvider	Grants permission to get details on identity providers	Read	identityProvider*
GetIpAccessSettings	Grants permission to get details on ip access settings	Read	ipAccessSettings*
GetNetworkSettings	Grants permission to get details on network settings	Read	networkSettings*
GetPortal	Grants permission to get details on web portals	Read	portal*
GetPortalServiceProviderMetadata	Grants permission to get service provider metadata information for web portals	Read	portal*
GetTrustStore	Grants permission to get details on trust stores	Read	trustStore*
GetTrustStoreCertificate	Grants permission to get certificates from trust stores	Read	trustStore*
GetUserAccessLoggingSettings	Grants permission to get details on user access logging settings	Read	userAccessLoggingSettings*
GetUserSettings	Grants permission to get details on user settings	Read	userSettings*
ListBrowserSettings	Grants permission to list browser settings	Read
ListIdentityProviders	Grants permission to list identity providers	Read	identityProvider*
ListIpAccessSettings	Grants permission to list ip access settings	Read
ListNetworkSettings	Grants permission to list network settings	Read
ListPortals	Grants permission to list web portals	Read
ListTagsForResource	Grants permission to list tags for a resource	Read
ListTrustStoreCertificates	Grants permission to list certificates in a trust store	Read
ListTrustStores	Grants permission to list trust stores	Read
ListUserAccessLoggingSettings	Grants permission to list user access logging settings	Read
ListUserSettings	Grants permission to list user settings	Read
TagResource	Grants permission to add one or more tags to a resource	Tagging	browserSettings
			ipAccessSettings
			networkSettings
			portal
			trustStore
			userAccessLoggingSettings
			userSettings
				aws:TagKeys aws:RequestTag/${TagKey}
UntagResource	Grants permission to remove one or more tags from a resource	Tagging	browserSettings
			ipAccessSettings
			networkSettings
			portal
			trustStore
			userAccessLoggingSettings
			userSettings
				aws:TagKeys aws:RequestTag/${TagKey}
UpdateBrowserSettings	Grants permission to update browser settings	Write	browserSettings*
UpdateIdentityProvider	Grants permission to update identity provider	Write	identityProvider*
UpdateIdentityProvider	Grants permission to update identity provider	Write	portal*
UpdateIpAccessSettings	Grants permission to update ip access settings	Write	ipAccessSettings*
UpdateNetworkSettings	Grants permission to update network settings	Write	networkSettings*		ec2:CreateNetworkInterface ec2:CreateNetworkInterfacePermission ec2:CreateTags ec2:DeleteNetworkInterface ec2:DeleteNetworkInterfacePermission ec2:ModifyNetworkInterfaceAttribute
UpdatePortal	Grants permission to update web portals	Write	portal*
UpdateTrustStore	Grants permission to update trust stores	Write	trustStore*
UpdateUserAccessLoggingSettings	Grants permission to update user access logging settings	Write	userAccessLoggingSettings*		kinesis:PutRecord kinesis:PutRecords
UpdateUserSettings	Grants permission to update user settings	Write	userSettings*

Resource types defined by Amazon WorkSpaces Web

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types	ARN	Condition keys
browserSettings	`arn:${Partition}:workspaces-web:${Region}:${Account}:browserSettings/${BrowserSettingsId}`	aws:ResourceTag/${TagKey}
identityProvider	`arn:${Partition}:workspaces-web:${Region}:${Account}:identityProvider/${PortalId}/${IdentityProviderId}`
networkSettings	`arn:${Partition}:workspaces-web:${Region}:${Account}:networkSettings/${NetworkSettingsId}`	aws:ResourceTag/${TagKey}
portal	`arn:${Partition}:workspaces-web:${Region}:${Account}:portal/${PortalId}`	aws:ResourceTag/${TagKey}
trustStore	`arn:${Partition}:workspaces-web:${Region}:${Account}:trustStore/${TrustStoreId}`	aws:ResourceTag/${TagKey}
userSettings	`arn:${Partition}:workspaces-web:${Region}:${Account}:userSettings/${UserSettingsId}`	aws:ResourceTag/${TagKey}
userAccessLoggingSettings	`arn:${Partition}:workspaces-web:${Region}:${Account}:userAccessLoggingSettings/${UserAccessLoggingSettingsId}`	aws:ResourceTag/${TagKey}
ipAccessSettings	`arn:${Partition}:workspaces-web:${Region}:${Account}:ipAccessSettings/${IpAccessSettingsId}`	aws:ResourceTag/${TagKey}

Condition keys for Amazon WorkSpaces Web

Amazon WorkSpaces Web defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys	Description	Type
aws:RequestTag/${TagKey}	Filters access by the tags that are passed in the request	String
aws:ResourceTag/${TagKey}	Filters access by the tags associated with the resource	String
aws:TagKeys	Filters access by the tag keys that are passed in the request	ArrayOfString

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Amazon WorkSpaces Thin Client

AWS X-Ray