Step B: Create policies - MediaLive

After you have identified the policies that you need, create them on the IAM console. Follow this procedure for each policy. Remember that this policy is attached to the MediaLive trusted entity that the user chooses. You should only include actions that you want MediaLive to be able to perform at runtime when working on behalf of that user.

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane on the left, choose Policies. Then choose Create policy. The Create policy wizard appears. This wizard walks you through the steps, including these key steps:

    • Select a service.

    • Select actions for that service.

      Typically (and by default), you specify the actions that you want to allow.

      But you can also choose the Switch to deny permissions button to deny the chosen actions instead. We recommend as a security best practice that you deny permissions only if you want to override a permission separately allowed by another statement or policy. We recommend that you limit the number of deny permissions to a minimum because they can increase the difficulty of troubleshooting permissions.

    • Specify resources for each action (if supported for the action). For example, if you choose the MediaLive DescribeChannel action, you can specify the ARNs of specific channels.

    • Specify conditions (optional). For example:

      • You can specify that a user is allowed to perform an action only when that user's request happens within a certain time range.

      • You can specify that the user must use a multi-factor authentication (MFA) device to authenticate.

      • You can specify that the request must originate from a range of IP addresses.

      For lists of all of the context keys that you can use in a policy condition, see Actions, resources, and condition keys for AWS services in the Service Authorization Reference.

  3. Choose Create policy.
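Before you paste a policy document into the wizard's JSON editor, you can check it against the guidance in this procedure. The following is an added example, not part of the original AWS documentation: a small Python audit that flags wildcard actions, unscoped resources, and deny statements for review. The sample policy, its `Sid` values, and the bucket name `EXAMPLE-INPUT-BUCKET` are constructed placeholders.

```python
import json

# Constructed sample policy for a MediaLive trusted entity (bucket name is a placeholder).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadInputs", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::EXAMPLE-INPUT-BUCKET/*"},
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Sid": "Override", "Effect": "Deny", "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::EXAMPLE-INPUT-BUCKET/*"}
  ]
}
""")

def as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])

def audit_policy(policy):
    """Return (sid, finding) tuples for statements that need a second look."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a single object
        statements = [statements]
    for i, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement[{i}]")
        if stmt.get("Effect") == "Deny":
            # Deny is meant only for overriding a permission allowed elsewhere.
            findings.append((sid, "deny statement: confirm it overrides a separate allow"))
            continue
        for action in as_list(stmt.get("Action")):
            if "*" in action:
                findings.append((sid, f"wildcard action {action}: list only the actions needed"))
        for resource in as_list(stmt.get("Resource")):
            if resource == "*":
                # Acceptable only for actions that do not support resource-level permissions.
                findings.append((sid, "resource is *: specify ARNs if the action supports them"))
    return findings

if __name__ == "__main__":
    for sid, finding in audit_policy(SAMPLE_POLICY):
        print(f"{sid}: {finding}")
```

The findings are prompts for review, not verdicts: some actions do not support resource-level permissions and legitimately require `"Resource": "*"`.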