How to allow or disallow input location types
AWS Elemental MediaConvert supports Amazon S3, HTTPS, and HTTP input location types for your input media and files. You can allow or disallow access to one or more of these input location types by using a MediaConvert policy.
By default, each Region in your AWS account does not have a policy and MediaConvert allows all supported input location types. You only need to create an input policy if you want to disallow access to one or more of these input location types.
To prevent jobs from running with a disallowed input location type, create a MediaConvert Input policy.
Additionally, to prevent jobs from being submitted to the MediaConvert API if an Input policy isn't in place, create an IAM policy using condition keys. You can apply these IAM policies to IAM roles across your organization.
The following sections describe how to create an Input policy and how to use IAM condition keys to allow or disallow input location types.
How to allow or disallow input location types using an Input policy
To create or change a policy, submit a put-policy command using the API, SDK, or Command Line Interface (CLI) and include the policy in JSON. Visit the MediaConvert API Reference to learn more about supported policy commands and expected response codes.
The following is an example of how to submit a policy using the CLI. This example allows jobs with Amazon S3 and HTTPS inputs, and disallows jobs with HTTP inputs:
aws mediaconvert put-policy --policy '{"S3Inputs":"ALLOWED", "HttpsInputs":"ALLOWED", "HttpInputs":"DISALLOWED"}'
If you don’t specify an input location in the policy JSON, MediaConvert will treat the input location as ALLOWED. Here is another example that allows jobs with Amazon S3 and HTTPS inputs, and disallows jobs with HTTP inputs:
aws mediaconvert put-policy --policy '{"HttpInputs":"DISALLOWED"}'
Note that the put-policy command overwrites any existing policy in the Region.
Retrieve the current policy
To retrieve the current policy in JSON, submit a get-policy command:
aws mediaconvert get-policy
Delete the current policy
To delete the current policy and allow all inputs (reverting to the default behavior), submit a delete-policy command:
aws mediaconvert delete-policy
What happens when you try to submit a job with a disallowed input location?
If you attempt to submit a job that specifies an input location that your policy disallows, MediaConvert will instead return an HTTP 400 (BadRequestException) error. The error message will be: You specified an input location that your policy disallows. Specify an allowed input location and resubmit your job. Since MediaConvert prevents these jobs from being submitted, they will not appear in your job history.
If you submit a job that specifies an input location that is allowed, but the job requires accessing another input location that is disallowed, your job will fail. For example, you might encounter this if you specify an Apple HLS manifest on an allowed Amazon S3 location that references other input segment files on a disallowed HTTP location. The job failure error code will be 3457 and the message will be: You specified an input location that your policy disallows. Specify an allowed input location and resubmit your job.
How to use IAM condition keys with Input policies
When you include a condition key in your IAM policy that you use to submit create job requests, IAM checks if your account has an Input policy that matches that condition. The condition you specify must match your account's Input policy for the API request to be authorized. You can use any of the following boolean condition keys:
- HttpInputsAllowed
- HttpsInputsAllowed
- S3InputsAllowed
When using condition keys, consider the following scenarios:
- If the condition and Input policy match, for example if you set HttpInputsAllowed to true and your account's Input policy allows HTTP inputs, then your create job request will be submitted to the MediaConvert API.
- If the condition and Input policy do not match, for example if you set HttpInputsAllowed to false and your account's Input policy allows HTTP inputs, then your create job request will not be submitted to the MediaConvert API. You will receive the following error message instead: "message": "User: arn:aws:iam::111122223333:user/User is not authorized to perform: mediaconvert:CreateJob on resource: arn:aws:mediaconvert:us-west-2:111122223333:queues/Default"
- If the condition and Input policy match, for example if you set HttpInputsAllowed to false and your account's Input policy disallows HTTP inputs, then your create job request will be submitted to the MediaConvert API. However, if the job specifies an HTTP input, the API will then return an HTTP 400 (BadRequestException) error. The error message will be: You specified an input location that your policy disallows. Specify an allowed input location and resubmit your job.
For more information about using IAM condition keys, see IAM JSON policy elements: Condition in the IAM User Guide.
The following JSON is an example IAM policy using MediaConvert condition keys that checks if your account has an Input policy that disallows HTTP inputs:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BlockHTTPInputsExample",
      "Effect": "Allow",
      "Action": "mediaconvert:CreateJob",
      "Resource": "*",
      "Condition": {
        "ForAllValues:BoolIfExists": {
          "mediaconvert:HttpInputsAllowed": ["false"],
          "mediaconvert:HttpsInputsAllowed": ["true"],
          "mediaconvert:S3InputsAllowed": ["true"]
        }
      }
    }
  ]
}
For more information about condition key support within MediaConvert, see How AWS Elemental MediaConvert works with IAM.
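The following Python sketch is an added example, not AWS code. It models the outcomes this page describes: an IAM condition mismatch, the HTTP 400 rejection at submission, and the 3457 job failure when an allowed input references a disallowed location. The function names, outcome labels, and sample URLs are hypothetical and constructed for illustration.

```python
from urllib.parse import urlparse

# URL scheme -> (Input policy key, IAM condition key), both as named on this page.
TYPES = {
    "s3": ("S3Inputs", "S3InputsAllowed"),
    "https": ("HttpsInputs", "HttpsInputsAllowed"),
    "http": ("HttpInputs", "HttpInputsAllowed"),
}

def effective_policy(policy):
    """Map each condition key to True/False; omitted location types are ALLOWED."""
    return {cond: policy.get(key, "ALLOWED") == "ALLOWED"
            for key, cond in TYPES.values()}

def location_allowed(url, allowed):
    """Return whether the Input policy allows the location type of this URL."""
    scheme = urlparse(url).scheme.lower()
    if scheme not in TYPES:
        raise ValueError(f"unsupported input location type: {url}")
    return allowed[TYPES[scheme][1]]

def predict(policy, iam_condition, inputs, referenced=()):
    """Predict the outcome of a create job request (hypothetical model).

    policy        -- Input policy document, e.g. {"HttpInputs": "DISALLOWED"}
    iam_condition -- condition keys from the IAM policy, e.g. {"HttpInputsAllowed": False}
    inputs        -- input URLs named in the job settings
    referenced    -- URLs those inputs point to, such as HLS segment files
    """
    allowed = effective_policy(policy)
    # 1. IAM: every condition key must match the Region's Input policy.
    if any(allowed[key] != value for key, value in iam_condition.items()):
        return "IAM_NOT_AUTHORIZED"
    # 2. API: a disallowed location in the job settings is rejected at submission.
    if not all(location_allowed(url, allowed) for url in inputs):
        return "HTTP_400_BAD_REQUEST"
    # 3. Runtime: a disallowed location reached through an allowed input fails the job.
    if not all(location_allowed(url, allowed) for url in referenced):
        return "JOB_FAILED_3457"
    return "ACCEPTED"

# Constructed sample data: the one-key policy and the IAM condition shown on this page.
POLICY = {"HttpInputs": "DISALLOWED"}
CONDITION = {"HttpInputsAllowed": False, "HttpsInputsAllowed": True,
             "S3InputsAllowed": True}

if __name__ == "__main__":
    print(predict(POLICY, CONDITION, ["s3://amzn-s3-demo-bucket/in.mp4"]))
    print(predict(POLICY, CONDITION, ["http://media.example.com/in.mp4"]))
```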