AWS workspaces-thin-client documentation change
Summary
Added service-linked role permissions for CloudWatch monitoring and new AmazonWorkSpacesThinClientMonitoringServiceRolePolicy
Security assessment
Expanded IAM policy documentation with monitoring permissions and service-linked role creation. While security-related, these changes appear to be routine feature updates rather than addressing specific vulnerabilities.
Diff
diff --git a/workspaces-thin-client/latest/ag/security-iam-awsmanpol.md b/workspaces-thin-client/latest/ag/security-iam-awsmanpol.md index bf14f20fb..c1aa5f799 100644 --- a//workspaces-thin-client/latest/ag/security-iam-awsmanpol.md +++ b//workspaces-thin-client/latest/ag/security-iam-awsmanpol.md @@ -5 +5 @@ -AmazonWorkSpacesThinClientReadOnlyAccessAmazonWorkSpacesThinClientFullAccessPolicy updates +AmazonWorkSpacesThinClientReadOnlyAccessAmazonWorkSpacesThinClientFullAccessAmazonWorkSpacesThinClientMonitoringServiceRolePolicyPolicy updates @@ -36,6 +35,0 @@ This policy includes the following permissions. -JSON - - -**** - - @@ -108,0 +102 @@ This policy includes the following permissions: + * `iam` – Allows WorkSpaces Thin Client to create a service-linked role in your account. This role enables WorkSpaces Thin Client to publish metrics to CloudWatch on your behalf. @@ -112,5 +105,0 @@ This policy includes the following permissions: -JSON - - -**** - @@ -155,0 +145,11 @@ JSON + }, + { + "Sid": "AllowCreateServiceLinkedRole", + "Effect": "Allow", + "Action": "iam:CreateServiceLinkedRole", + "Resource": "arn:aws:iam::*:role/aws-service-role/monitoring.thinclient.amazonaws.com/AWSServiceRoleForAmazonWorkSpacesThinClientMonitoring", + "Condition": { + "StringEquals": { + "iam:AWSServiceName": "monitoring.thinclient.amazonaws.com" + } + } @@ -159,0 +160,37 @@ JSON +## AWS managed policy: AmazonWorkSpacesThinClientMonitoringServiceRolePolicy + +This AWS managed policy is attached to the service-linked role (AWSServiceRoleForAmazonWorkSpacesThinClientMonitoringServiceRolePolicy) that enables Amazon WorkSpaces Thin Client to publish operational metrics to your AWS account. The policy defines the permissions needed for the service to publish both service-specific and usage metrics to Amazon CloudWatch. . + +For more information about Service-Linked Roles, please refer to [Using service-linked roles for WorkSpaces Thin Client](https://docs.aws.amazon.com/workspaces-thin-client/latest/ag/using-service-linked-roles.html). + +**Permissions details** + +This policy includes the following permissions: + + * `cloudwatch` (WorkSpaces Thin Client) – Allows WorkSpaces Thin Client to publish metrics to Amazon CloudWatch in specific namespaces (AWS/WorkSpacesThinClient and AWS/Usage). + + + + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowCloudWatchPutMetricData", + "Effect": "Allow", + "Action": [ + "cloudwatch:PutMetricData" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "cloudwatch:namespace": [ + "AWS/WorkSpacesThinClient", + "AWS/Usage" + ] + } + } + } + ] + } @@ -164,0 +202 @@ Change | Description | Date +AmazonWorkSpacesThinClientFullAccess – Updated policy AmazonWorkSpacesThinClientMonitoringServiceRolePolicy – New policy | WorkSpaces Thin Client updated the policy to include service linked roles. | August 26th 2025