Change log of AWS IAM permissions

2025-06-12

13 new actions, 2 new resources, 3 new conditions

Additions

Actions

AssociateVolume
- Description: Grants permission to associate a workspace managed volume to a workspace managed instance in your account
- Access: Write
- Resources:
  Name: WorkspaceInstanceId
  
  Required: Yes
- Dependents:
  ec2:AttachVolume
  
  ec2:DescribeVolumes
CreateVolume
- Description: Grants permission to create a workspace managed volume in your account
- Access: Write
- Dependents:
  ec2:CreateVolume
CreateWorkspaceInstance
- Description: Grants permission to create a workspace managed instance in your account
- Access: Write
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
- Dependents:
  ec2:DescribeInstances
  
  ec2:RunInstances
DeleteVolume
- Description: Grants permission to delete a workspace managed volume in your account
- Access: Write
- Resources:
  Name: VolumeId
  
  Required: Yes
- Dependents:
  ec2:DeleteVolume
  
  ec2:DescribeVolumes
DeleteWorkspaceInstance
- Description: Grants permission to delete a workspace managed instance in your account
- Access: Write
- Resources:
  Name: WorkspaceInstanceId
  
  Required: Yes
- Dependents:
  ec2:TerminateInstances
DisassociateVolume
- Description: Grants permission to disassociate a workspace managed volume from a workspace managed instance in your account
- Access: Write
- Resources:
  Name: WorkspaceInstanceId
  
  Required: Yes
- Dependents:
  ec2:DescribeVolumes
  
  ec2:DetachVolume
GetWorkspaceInstance
- Description: Grants permission to get details for a specific workspace managed instance in your account
- Access: Read
- Resources:
  Name: WorkspaceInstanceId
  
  Required: Yes
ListInstanceTypes
- Description: Grants permission to list all supported instance types
- Access: List
ListRegions
- Description: Grants permission to list all supported AWS regions
- Access: List
ListTagsForResource
- Description: Grants permission to list user tags for resources in your account
- Access: List
- Resources:
  Name: WorkspaceInstanceId
  
  Required: Yes
ListWorkspaceInstances
- Description: Grants permission to list workspace managed instances in your account
- Access: List
TagResource
- Description: Grants permission to add user tags to resources in your account
- Access: Tagging
- Resources:
  Name: WorkspaceInstanceId
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
UntagResource
- Description: Grants permission to remove user tags from resources in your account
- Access: Tagging
- Resources:
  Name: WorkspaceInstanceId
  
  Required: Yes
- Conditions:
  aws:TagKeys

Resources

WorkspaceInstanceId
- Arn: arn:${Partition}:workspaces-instances:${Region}:${Account}:workspaceinstance/${WorkspaceInstanceId}
- Conditions:
  aws:ResourceTag/${TagKey}
VolumeId
- Arn: arn:${Partition}:ec2:${Region}:${Account}:volume/${VolumeId}
- Conditions:
  aws:ResourceTag/${TagKey}

Conditions

aws:RequestTag/${TagKey}
- Description: Filters access based on the tags that are passed in the request
- Type: String
aws:ResourceTag/${TagKey}
- Description: Filters access based on the tags associated with the resource
- Type: String
aws:TagKeys
- Description: Filters access based on the tag keys that are passed in the request
- Type: ArrayOfString

AWS WorkSpaces Managed Instances (workspaces-instances)

Additions