Reference: summary of non-administrator user access requirements - AWS Elemental MediaLive

Reference: summary of non-administrator user access requirements

The following table shows all the types of permissions that you might need to assign to users. This table is a summary of the tables found in Step 1: Identify requirements for permissions for users. Each row in the column describes an activity or set of related activities that you might want to allow the user to perform. The last column lists the IAM actions that control access to those activities.

General activity that the user can perform Corresponding service in IAM Specific activities the user can perform Actions to include in the policy
Use the features of MediaLive MediaLive Create, modify, and delete channels, devices, inputs, and input security groups CreateChannel

CreateInput

CreateInputSecurityGroup

DeleteChannel

DeleteInput

DeleteInputSecurityGroup

UpdateChannel

UpdateInput

UpdateInputDevice

UpdateInputSecurityGroup

MediaLive View channels, devices, inputs, and input security groups

ListChannels

ListInputDevices

ListInputs

ListInputSecurityGroups

DescribeChannel

DescribeInput

DescribeInputDevice

DescribeInputDeviceThumbnail

DescribeInputSecurityGroup

MediaLive Perform a batch operation on several channels or inputs or multiplexes or input security groups

BatchDelete

BatchStart

BatchStop

MediaLive Create or cancel an outgoing device transfer, or accept or reject an incoming device transfer, and view pending device transfers

AcceptInputDeviceTransfer

CancelInputDeviceTransfer

ListInputDeviceTransfers

RejectInputDeviceTransfer

TransferInputDevice

MediaLive Work with schedules DescribeSchedule

BatchUpdateSchedule

MediaLive Create or modify multiplexes CreateMultiplex

DescribeMultiplex

ListMultiplexes

UpdateMultiplex

Amazon EC2 DescribeAvailabilityZones

You need this operation to view the list of Availability Zones on the MediaLive console, so that you can choose two for the multiplex.

MediaLive Delete multiplexes

DeleteMultiplex

DescribeMultiplex

ListMultiplexes

MediaLive View multiplexes

DescribeMultiplex

ListMultiplexes

MediaLive Change the class for a channel UpdateChannelClass
MediaLive Run channels StartChannel

StopChannel

MediaLive Pause channels Pause is an activity within the schedule feature, shown earlier in this table.
MediaLive Run multiplexes StartMultiplex

StopMultiplex

MediaLive Attach tags to channels, inputs, and input security groups when creating those resources CreateTag

DeleteTags

ListTagsForResources

MediaLive Create, modify, delete, and view reservations and offerings

DeleteReservation

DescribeOffering

DescribeReservation

ListOfferings

ListReservations

PurchaseOffering

AWS CloudFormation Create and delete the AWS CloudFormation stack. These permissions are always required. For example, if a user is using the workflow wizard and doesn't have CreateStack access, MediaLive will fail to create the workflow.

ListStacks

DescribeStacks

DescribeStackResources

CreateStack

DeleteStack

CloudFront Create and delete a CloudFront distribution, if your organization supports MediaPackage as an output destination.

Note how the required permissions here are very different from the permissions because the workflow wizard actually creates the distribution.

ListDistributions

DescribeDistribution

CreateDistribution

DeleteDistribution

Amazon EC2 Create a VPC input – View the VPC subnets and VPC security groups on the MediaLive console DescribeSubnets

DescribeSecurityGroups

Amazon EC2 Set up a channel for delivery of output via your VPC – View the VPC subnets and VPC security groups on the MediaLive console. DescribeSubnets

DescribeSecurityGroups

Amazon EC2 Set up a channel for delivery of output via your VPC – View the Elastic IP addresses on the console. The console finds the Elastic IP addresses that have been allocated for use in your AWS account. DescribeAddresses
MediaConnect Use the workflow wizard to create a MediaConnect flow, if your organization supports sources from MediaConnect.

Use the workflow wizard to delete a workflow that includes a source from MediaConnect.

List*

Describe*

Create*

Delete*

MediaPackage On the MediaLive console, view the MediaPackage channels in the dropdown list on the MediaLive channel. Describe*
Use the workflow wizard to create a MediaPackage channel, if your organization supports MediaPackage as an output destination.

Use the workflow wizard to delete a workflow that includes a MediaPackage output.

List*

Describe*

Create*

Delete*

MediaStore Use the workflow wizard to to create a MediaStore container, if your organization supports MediaStore as an output destination.

Use the workflow wizard to delete a workflow that includes a MediaStore output.

List*

Describe*

Create*

Delete*

Monitoring Channel Health CloudWatch

ListMetrics

GetMetricData

GetMetricStatistics

Setting Up Events CloudWatch Events All actions

The managed policy CloudWatchEventsFullAccess provides these permissions

Setting Up Channel Logging Amazon CloudWatch Logs View logs FilterLogEvents

GetLogEvents

Set retention policy DeleteRetentionPolicy

PutRetentionPolicy

Simple Option for the Trusted Entity Role IAM Create the MediaLiveAccessRole

CreateRole

PutRolePolicy

AttachRolePolicy

Choose the MediaLiveAccessRole

ListRole

PassRole

Update the MediaLiveAccessRole

GetRolePolicy

PutRolePolicy

AttachRolePolicy

Setting Up Email Notification

Amazon SNS

All actions

The managed policy AmazonSNSFullAccess provides these permissions

AWS Systems Manager Systems Manager Create a password parameter using the MediaLive console or the AWS Systems Manager console

DeleteParameter

DeleteParameters

DescribeParameters

GetParameter

GetParameterHistory

GetParameters

GetParametersByPath

PutParameter

Systems Manager Choose a password parameter from the dropdown list on the MediaLive console DescribeParameters