AWS Security ChangesHomeSearch

AWS workspaces-thin-client documentation change

Service: workspaces-thin-client · 2025-08-28 · Documentation medium

File: workspaces-thin-client/latest/ag/security-iam-awsmanpol.md

Summary

Added service-linked role permissions for CloudWatch monitoring and new AmazonWorkSpacesThinClientMonitoringServiceRolePolicy

Security assessment

Expanded IAM policy documentation with monitoring permissions and service-linked role creation. While security-related, these changes appear to be routine feature updates rather than addressing specific vulnerabilities.

Diff

diff --git a/workspaces-thin-client/latest/ag/security-iam-awsmanpol.md b/workspaces-thin-client/latest/ag/security-iam-awsmanpol.md
index bf14f20fb..c1aa5f799 100644
--- a//workspaces-thin-client/latest/ag/security-iam-awsmanpol.md
+++ b//workspaces-thin-client/latest/ag/security-iam-awsmanpol.md
@@ -5 +5 @@
-AmazonWorkSpacesThinClientReadOnlyAccessAmazonWorkSpacesThinClientFullAccessPolicy updates
+AmazonWorkSpacesThinClientReadOnlyAccessAmazonWorkSpacesThinClientFullAccessAmazonWorkSpacesThinClientMonitoringServiceRolePolicyPolicy updates
@@ -36,6 +35,0 @@ This policy includes the following permissions.
-JSON
-    
-
-****
-    
-    
@@ -108,0 +102 @@ This policy includes the following permissions:
+  * `iam` – Allows WorkSpaces Thin Client to create a service-linked role in your account. This role enables WorkSpaces Thin Client to publish metrics to CloudWatch on your behalf.
@@ -112,5 +105,0 @@ This policy includes the following permissions:
-JSON
-    
-
-****
-    
@@ -155,0 +145,11 @@ JSON
+        },
+        {
+          "Sid": "AllowCreateServiceLinkedRole",
+          "Effect": "Allow",
+          "Action": "iam:CreateServiceLinkedRole",
+          "Resource": "arn:aws:iam::*:role/aws-service-role/monitoring.thinclient.amazonaws.com/AWSServiceRoleForAmazonWorkSpacesThinClientMonitoring",
+          "Condition": {
+            "StringEquals": {
+              "iam:AWSServiceName": "monitoring.thinclient.amazonaws.com"
+            }
+          }
@@ -159,0 +160,37 @@ JSON
+## AWS managed policy: AmazonWorkSpacesThinClientMonitoringServiceRolePolicy
+
+This AWS managed policy is attached to the service-linked role (AWSServiceRoleForAmazonWorkSpacesThinClientMonitoringServiceRolePolicy) that enables Amazon WorkSpaces Thin Client to publish operational metrics to your AWS account. The policy defines the permissions needed for the service to publish both service-specific and usage metrics to Amazon CloudWatch. .
+
+For more information about Service-Linked Roles, please refer to [Using service-linked roles for WorkSpaces Thin Client](https://docs.aws.amazon.com/workspaces-thin-client/latest/ag/using-service-linked-roles.html).
+
+**Permissions details**
+
+This policy includes the following permissions:
+
+  * `cloudwatch` (WorkSpaces Thin Client) – Allows WorkSpaces Thin Client to publish metrics to Amazon CloudWatch in specific namespaces (AWS/WorkSpacesThinClient and AWS/Usage).
+
+
+
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "AllowCloudWatchPutMetricData",
+                "Effect": "Allow",
+                "Action": [
+                    "cloudwatch:PutMetricData"
+                ],
+                "Resource": "*",
+                "Condition": {
+                    "StringEquals": {
+                        "cloudwatch:namespace": [
+                            "AWS/WorkSpacesThinClient",
+                            "AWS/Usage"
+                        ]
+                    }
+                }
+            }
+        ]
+    }
@@ -164,0 +202 @@ Change | Description | Date
+AmazonWorkSpacesThinClientFullAccess – Updated policy AmazonWorkSpacesThinClientMonitoringServiceRolePolicy – New policy |  WorkSpaces Thin Client updated the policy to include service linked roles. | August 26th 2025