Reference: summary of non-administrator user access requirements
The following table lists the types of permissions that you might need to assign to users. Each row describes an activity, or a set of related activities, that you might want to allow the user to perform, the service whose IAM actions control it, and the specific actions to include in the policy. Grant only the rows a user actually needs; a user who only views channels, for example, needs none of the Create, Update, Delete or Start actions.
If this table doesn't provide enough information for you to determine which permissions to assign, see the alphabetical list of services that follows this section.
| General activity that the user can perform | Corresponding service in IAM | Specific activities the user can perform | Actions to include in the policy |
|---|---|---|---|
| Use the features of MediaLive | MediaLive | Create, modify, and delete channels, devices, inputs, and input security groups | CreateChannel |
| | MediaLive | View channels, devices, inputs, and input security groups | |
| | MediaLive | Perform a batch operation on several channels, inputs, multiplexes, or input security groups | BatchStart |
| | MediaLive | Create or cancel an outgoing device transfer, accept or reject an incoming device transfer, and view pending device transfers | |
| | MediaLive | Work with schedules | DescribeSchedule |
| | MediaLive | Create or modify multiplexes | CreateMultiplex |
| | Amazon EC2 | View the list of Availability Zones on the MediaLive console, so that you can choose two for the multiplex | DescribeAvailabilityZones |
| | MediaLive | Delete multiplexes | |
| | MediaLive | View multiplexes | |
| | MediaLive | Change the class for a channel | UpdateChannelClass |
| | MediaLive | Run channels | StartChannel |
| | MediaLive | Pause channels | Pause is an activity within the schedule feature, shown earlier in this table. |
| | MediaLive | Run multiplexes | StartMultiplex |
| | MediaLive | Attach tags to channels, inputs, and input security groups when creating those resources | CreateTag |
| | MediaLive | Create, modify, delete, and view reservations and offerings | |
| | AWS CloudFormation | Create and delete the AWS CloudFormation stack. These permissions are always required. For example, if a user is using the workflow wizard and doesn't have CreateStack access, MediaLive fails to create the workflow. | |
| | CloudFront | Create and delete a CloudFront distribution, if your organization supports MediaPackage as an output destination. Note that the permissions required here are different because the workflow wizard actually creates the distribution. | ListDistributions |
| | Amazon EC2 | Create a VPC input: view the VPC subnets and VPC security groups on the MediaLive console | DescribeSubnets |
| | Amazon EC2 | Set up a channel for delivery of output via your VPC: view the VPC subnets and VPC security groups on the MediaLive console | DescribeSubnets |
| | Amazon EC2 | Set up a channel for delivery of output via your VPC: view the Elastic IP addresses on the console. The console finds the Elastic IP addresses that have been allocated for use in your AWS account. | DescribeAddresses |
| | MediaConnect | Use the workflow wizard to create a MediaConnect flow, if your organization supports sources from MediaConnect. Use the workflow wizard to delete a workflow that includes a source from MediaConnect. | List* |
| | MediaPackage | On the MediaLive console, view the MediaPackage channels in the dropdown list on the MediaLive channel. | Describe* |
| | MediaPackage | Use the workflow wizard to create a MediaPackage channel, if your organization supports MediaPackage as an output destination. Use the workflow wizard to delete a workflow that includes a MediaPackage output. | List* |
| | MediaStore | Use the workflow wizard to create a MediaStore container, if your organization supports MediaStore as an output destination. Use the workflow wizard to delete a workflow that includes a MediaStore output. | List* |
| Monitor channel health | CloudWatch | | |
| Set up events | CloudWatch Events | All actions | The managed policy |
| Set up channel logging | Amazon CloudWatch Logs | View logs | FilterLogEvents |
| | Amazon CloudWatch Logs | Set retention policy | DeleteRetentionPolicy |
| Simple option for the trusted entity role | IAM | Create the MediaLiveAccessRole | |
| | IAM | Choose the MediaLiveAccessRole | |
| | IAM | Update the MediaLiveAccessRole | |
| Complex option for the trusted entity role | IAM | Enter a role for the trusted entity | PassRole |
| Deploy and work with AWS Elemental Link devices | MediaLive | Deploy, configure, and view an AWS Elemental Link device | |
| Handle transfers of AWS Elemental Link devices | MediaLive | Handle transfers of AWS Elemental Link devices | |
| Set up an AWS Elemental Link device as the source for a MediaConnect flow | MediaConnect | On the MediaLive console, view MediaConnect flows in the dropdown list. This dropdown list appears in the Flow ARN field in the Attachments tab on the Device details page. | ListFlows |
| | IAM | On the MediaLive console, view IAM roles in the dropdown list. This dropdown list appears in the Role ARN field in the Attachments tab on the Device details page. | ListRoles |
| | Secrets Manager | On the MediaLive console, view Secrets Manager secrets in the dropdown list. This dropdown list appears in the Secret ARN field in the Attachments tab on the Device details page. | ListSecrets |
| Set up email notification | Amazon SNS | All actions | The managed policy |
| AWS Systems Manager | Systems Manager | Create a password parameter using the MediaLive console or the AWS Systems Manager console | |
| | Systems Manager | Choose a password parameter from the dropdown list on the MediaLive console | DescribeParameters |
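As an added example that is not code from the AWS documentation or from MediaLive itself: a Python script that assembles a customer-managed policy from actions this table names, and then lints its `iam:PassRole` statement, which is the one grant in the table that can escalate privilege. An unconditioned PassRole lets the user attach any role matched by the statement's Resource to any service that accepts one, so the statement should name the single role MediaLive assumes and carry an `iam:PassedToService` condition of `medialive.amazonaws.com`. Placeholders and assumptions: the account ID `111122223333`, the Region, the MediaLive and CloudWatch Logs ARN patterns, and the action selection, which is illustrative (take the full set for each activity from the rows above). `MediaLiveAccessRole` is the role name the table uses; the Describe and List actions in the second statement take no resource ARN, so `"Resource": "*"` is required there and is not over-broad on its own.

```python
# Added example, not code from the AWS MediaLive documentation. Builds a
# customer-managed policy from actions named in the table above and lints the
# one statement that can escalate privilege: iam:PassRole.
# Assumptions (placeholders, not values from the page): the account ID, the
# Region, the MediaLive and CloudWatch Logs ARN patterns, and the action
# selection, which is illustrative rather than the complete set per activity.
import fnmatch
import json
from typing import Any, Dict, List


def operator_policy(account_id: str, region: str) -> Dict[str, Any]:
    """Least-privilege policy for a non-administrator MediaLive operator."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # "Use the features of MediaLive" rows, scoped to this account
                # and Region (assumed ARN pattern).
                "Sid": "MediaLiveOperator",
                "Effect": "Allow",
                "Action": [
                    "medialive:CreateChannel",
                    "medialive:UpdateChannelClass",
                    "medialive:StartChannel",
                    "medialive:BatchStart",
                    "medialive:DescribeSchedule",
                    "medialive:CreateMultiplex",
                    "medialive:StartMultiplex",
                ],
                "Resource": f"arn:aws:medialive:{region}:{account_id}:*",
            },
            {
                # Console dropdown lookups (EC2, CloudFront, MediaConnect,
                # MediaPackage, MediaStore, IAM, Secrets Manager, Systems
                # Manager rows). Describe*/List* calls take no resource ARN,
                # so "*" is required here.
                "Sid": "ConsoleLookups",
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeAvailabilityZones",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeAddresses",
                    "cloudfront:ListDistributions",
                    "mediaconnect:ListFlows",
                    "mediapackage:Describe*",
                    "mediapackage:List*",
                    "mediastore:List*",
                    "iam:ListRoles",
                    "secretsmanager:ListSecrets",
                    "ssm:DescribeParameters",
                ],
                "Resource": "*",
            },
            {
                # "Set up channel logging" rows; the log-group pattern is assumed.
                "Sid": "ChannelLogs",
                "Effect": "Allow",
                "Action": ["logs:FilterLogEvents", "logs:DeleteRetentionPolicy"],
                "Resource": f"arn:aws:logs:{region}:{account_id}:log-group:*",
            },
            {
                # "Complex option for the trusted entity role": PassRole is
                # confined to the one role MediaLive assumes and to MediaLive
                # as the receiving service, so the user cannot hand an
                # unrelated role to Lambda, EC2 or any other service.
                "Sid": "PassOnlyTheMediaLiveRole",
                "Effect": "Allow",
                "Action": "iam:PassRole",
                "Resource": f"arn:aws:iam::{account_id}:role/MediaLiveAccessRole",
                "Condition": {
                    "StringEquals": {"iam:PassedToService": "medialive.amazonaws.com"}
                },
            },
        ],
    }


def _as_list(value: Any) -> List[Any]:
    """IAM allows a string, an object or a list in most positions; normalise."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def unscoped_passrole_sids(policy: Dict[str, Any]) -> List[str]:
    """Sids of Allow statements that grant iam:PassRole (directly or via a
    wildcard such as iam:*) without both a specific role ARN and an
    iam:PassedToService condition. NotAction/NotResource statements are not
    analysed; they are reported so a human reviews them."""
    findings: List[str] = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(sid)
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(fnmatch.fnmatchcase("iam:passrole", p) for p in patterns):
            continue
        resources = _as_list(stmt.get("Resource"))
        wide_resource = any(r == "*" or r.endswith("/*") for r in resources)
        cond_keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if wide_resource or "iam:passedtoservice" not in cond_keys:
            findings.append(sid)
    return findings


if __name__ == "__main__":
    # Emit the document for `aws iam create-policy --policy-document file://...`
    print(json.dumps(operator_policy("111122223333", "us-west-2"), indent=2))
```

Run the script and save its output as the policy document for `aws iam create-policy`; run `unscoped_passrole_sids` over any existing policy document before attaching it, since a Sid it returns is a statement that can pass roles beyond MediaLive.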