Reference: summary of requirements for the MediaLive trusted entity - AWS Elemental MediaLive

The following table shows all the types of permissions that the MediaLive trusted entity might need. Refer to this table when you determine the access requirements for the MediaLive trusted entity.

Each row in the table describes a task or set of related tasks that the MediaLive trusted entity might need to perform for a user. The third column describes the type of access that the trusted entity requires to perform that task. The last column lists the IAM actions or managed policy that control that access; where the cell is empty, MediaLive itself needs no IAM permissions for the task.

| Service | Tasks | Type of access required | Suggested actions or policy |
|---|---|---|---|
| AWS Elemental MediaLive | Working with MediaLive features. | MediaLive doesn't need access to itself. Only the users need access. | |
| AWS CloudTrail | Capturing MediaLive activity. | MediaLive doesn't need IAM access for this task. | |
| CloudWatch | Displaying CloudWatch metrics information on the console, to monitor channel health. | MediaLive doesn't need IAM access for this task. Only the users need access. | |
| CloudWatch Events and Amazon SNS | Setting up email notification so that users can be notified about MediaLive alerts that are sent to CloudWatch Events. | MediaLive doesn't need access for this task. Only the users need access. | |
| CloudWatch Logs | Sending channel log information to CloudWatch Logs when a channel is running. | When the channel is running, MediaLive must be able to send log messages to CloudWatch Logs. | CreateLogGroup, CreateLogStream, PutLogEvents, PutMetricFilter, PutRetentionPolicy, DescribeLogStreams, DescribeLogGroups. And these resources: arn:aws:logs:*, arn:aws:log-group:* |
| Amazon EC2 | Creating a CDI VPC, an RTP VPC input, or an RTMP VPC push input. | When the user is creating a VPC input, MediaLive must have write access to Amazon EC2 in order to create network interfaces for the input. | CreateNetworkInterface, CreateNetworkInterfacePermission, DescribeNetworkInterfaces, DescribeSecurityGroups, DescribeSubnets |
| Amazon EC2 | Deleting a CDI VPC, an RTP VPC input, or an RTMP VPC push input. | When the user deletes a VPC input, MediaLive must have write access to Amazon Elastic Compute Cloud in order to delete the network interfaces for the input. | DeleteNetworkInterface, DeleteNetworkInterfacePermission, DescribeNetworkInterfaces, DescribeSubnets |
| Amazon EC2 | Setting up a channel for delivery of output via your VPC. | Create and delete elastic network interfaces on your VPC. MediaLive creates these network interfaces in the subnet for the channel pipeline endpoints. | CreateNetworkInterface, CreateNetworkInterfacePermission, DeleteNetworkInterface, DescribeSubnets, DescribeSecurityGroups, DescribeAddresses |
| Amazon EC2 | Setting up a channel for delivery of output via your VPC. | Associate Elastic IP addresses with the elastic network interfaces that MediaLive creates. Associating Elastic IP addresses is optional. There is no need to give access to DisassociateAddress. When MediaLive deletes any unnecessary network interfaces, the Elastic IP address will be automatically disassociated from the network interface. | AssociateAddress, DescribeAddresses |
| MediaConnect | Creating a MediaConnect input. | When the user creates a MediaConnect input, MediaLive must have read/write access to the MediaConnect flow, in order to add an output to that flow. | ManagedDescribeFlow, ManagedAddOutput. To include these actions that start with "Managed" in a policy, you must view the policy in the JSON tab and enter the names of the actions. You can't use the visual editor to choose these actions. |
| MediaConnect | Deleting a MediaConnect input. | When the user deletes a MediaConnect input, MediaLive should have read/write access to the MediaConnect flow, in order to delete the outputs on the flow, because the outputs are no longer needed. | ManagedDescribeFlow, ManagedRemoveOutput. To include these actions that start with "Managed" in a policy, you must view the policy in the JSON tab and enter the names of the actions. You can't use the visual editor to choose these actions. |
| MediaConnect | Creating a MediaConnect entitlement. | When the user creates a multiplex, MediaLive automatically creates an entitlement as the destination for the MPTS. MediaLive doesn't need access for this task. | |
| AWS Elemental MediaPackage | Sending channel output to MediaPackage when a channel is running, if your deployment uses this service. | When the user creates a MediaPackage output group, MediaLive must have read access to the AWS Elemental MediaPackage channel, in order to obtain the credentials required to send to that channel. | DescribeChannel |
| AWS Elemental MediaStore | Sending and retrieving assets from a MediaStore container when a channel is running, if your deployment uses this service. | When the channel is running, MediaLive must have read access (for a source) or read/write access (for a destination). | ListContainers, DescribeObject, PutObject, GetObject, DeleteObject |
| Resource Group Tagging | Attaching tags when creating resources—channels, inputs, and input security groups—and revising tags on existing resources. | MediaLive doesn't need IAM access for this task. Only the users need access. | |
| Amazon S3 | Sending and retrieving assets from an Amazon S3 bucket when a channel is running, if your deployment uses this service. | When the channel is running, MediaLive must have read access (for a source) or read/write access (for a destination) to the buckets. | ListBucket, PutObject, GetObject, DeleteObject |
| AWS Systems Manager | Creating a password parameter on the MediaLive console. | MediaLive doesn't need IAM access for this task. Only the users need access. | |
| AWS Systems Manager | Using a password parameter in the channel configuration. See Requirements for AWS Systems Manager—creating password parameters in parameter store. | When the channel is running, MediaLive must have read access to the AWS Systems Manager Parameter Store. | The managed policy AmazonSSMReadOnlyAccess |
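The table lists permissions per task, but a real deployment rarely needs every row. The following Python is an added example (not AWS code, not part of this page) that assembles a least-privilege permissions policy and trust policy for the MediaLive role from the rows above, granting only the services the deployment actually uses, scoping S3 access per bucket (read-only for sources, read/write for destinations), and auditing the result for wildcard actions, unscoped S3 statements and the unnecessary `DisassociateAddress`. The `aws:SourceAccount` condition in the trust policy is a general confused-deputy mitigation, an assumption added here rather than a requirement stated on this page; the bucket, flow and account identifiers are constructed placeholders.

```python
"""Compose a least-privilege policy for the MediaLive trusted entity from the
rows of the permissions table. Example code; not AWS's own. Names marked as
placeholders are constructed for illustration."""
import json

# Action sets transcribed from the table. Service prefixes (logs:, ec2:,
# mediaconnect:, mediapackage:, mediastore:, s3:) are the standard IAM prefixes.
LOGS_ACTIONS = [
    "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
    "logs:PutMetricFilter", "logs:PutRetentionPolicy",
    "logs:DescribeLogStreams", "logs:DescribeLogGroups",
]
LOGS_RESOURCES = ["arn:aws:logs:*", "arn:aws:log-group:*"]  # as listed on the page
EC2_VPC_INPUT_ACTIONS = [  # create and delete CDI / RTP / RTMP push VPC inputs
    "ec2:CreateNetworkInterface", "ec2:CreateNetworkInterfacePermission",
    "ec2:DeleteNetworkInterface", "ec2:DeleteNetworkInterfacePermission",
    "ec2:DescribeNetworkInterfaces", "ec2:DescribeSecurityGroups",
    "ec2:DescribeSubnets",
]
EC2_VPC_OUTPUT_ACTIONS = [  # channel output delivered through your VPC
    "ec2:CreateNetworkInterface", "ec2:CreateNetworkInterfacePermission",
    "ec2:DeleteNetworkInterface", "ec2:DescribeSubnets",
    "ec2:DescribeSecurityGroups", "ec2:DescribeAddresses",
]
# Optional Elastic IP association. DisassociateAddress is deliberately absent:
# the page states the EIP is released automatically when the ENI is deleted.
EC2_EIP_ACTIONS = ["ec2:AssociateAddress", "ec2:DescribeAddresses"]
# The "Managed*" actions must be typed into the JSON editor by hand.
MEDIACONNECT_ACTIONS = ["mediaconnect:ManagedDescribeFlow",
                        "mediaconnect:ManagedAddOutput",
                        "mediaconnect:ManagedRemoveOutput"]
MEDIAPACKAGE_ACTIONS = ["mediapackage:DescribeChannel"]
MEDIASTORE_ACTIONS = ["mediastore:ListContainers", "mediastore:DescribeObject",
                      "mediastore:PutObject", "mediastore:GetObject",
                      "mediastore:DeleteObject"]
SSM_MANAGED_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess"


def _allow(actions, resources):
    return {"Effect": "Allow", "Action": sorted(set(actions)), "Resource": list(resources)}


def build_permissions_policy(*, vpc_inputs=False, vpc_output=False, elastic_ips=False,
                             mediaconnect_flow_arns=(), mediapackage_channel_arns=(),
                             mediastore=False, s3_source_buckets=(),
                             s3_destination_buckets=(), ssm_password_parameters=False):
    """Return (inline policy document, managed policy ARNs to attach), granting
    only the table rows this deployment uses."""
    statements = [_allow(LOGS_ACTIONS, LOGS_RESOURCES)]  # every running channel logs
    ec2 = []
    if vpc_inputs:
        ec2 += EC2_VPC_INPUT_ACTIONS
    if vpc_output:
        ec2 += EC2_VPC_OUTPUT_ACTIONS
    if elastic_ips:
        ec2 += EC2_EIP_ACTIONS
    if ec2:
        statements.append(_allow(ec2, ["*"]))  # page gives no resource scope for ENI actions
    if mediaconnect_flow_arns:
        statements.append(_allow(MEDIACONNECT_ACTIONS, mediaconnect_flow_arns))
    if mediapackage_channel_arns:
        statements.append(_allow(MEDIAPACKAGE_ACTIONS, mediapackage_channel_arns))
    if mediastore:
        statements.append(_allow(MEDIASTORE_ACTIONS, ["*"]))
    # S3: sources read-only, destinations read/write, each scoped to its own bucket.
    for bucket in s3_source_buckets:
        statements.append(_allow(["s3:ListBucket"], [bucket]))
        statements.append(_allow(["s3:GetObject"], [bucket + "/*"]))
    for bucket in s3_destination_buckets:
        statements.append(_allow(["s3:ListBucket"], [bucket]))
        statements.append(_allow(["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                                 [bucket + "/*"]))
    managed = [SSM_MANAGED_POLICY_ARN] if ssm_password_parameters else []
    return {"Version": "2012-10-17", "Statement": statements}, managed


def build_trust_policy(account_id):
    """Trust policy letting only the MediaLive service principal assume the role.
    aws:SourceAccount is an added confused-deputy guard, not a page requirement."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "medialive.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
    }]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def actions_on(policy, resource):
    """Set of actions the policy allows on exactly this resource string."""
    found = set()
    for st in policy["Statement"]:
        if st["Effect"] == "Allow" and resource in _as_list(st["Resource"]):
            found.update(_as_list(st["Action"]))
    return found


def audit_policy(policy):
    """Flag over-broad grants a reviewer would reject for this role."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        actions, resources = _as_list(st["Action"]), _as_list(st["Resource"])
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action")
        if "ec2:DisassociateAddress" in actions:
            findings.append(f"statement {i}: DisassociateAddress is not needed")
        if any(a.startswith("s3:") for a in actions) and "*" in resources:
            findings.append(f"statement {i}: S3 actions not scoped to a bucket")
    return findings


if __name__ == "__main__":
    doc, attach = build_permissions_policy(  # placeholder names, constructed
        vpc_inputs=True, elastic_ips=True, ssm_password_parameters=True,
        s3_source_buckets=("arn:aws:s3:::example-source-bucket",),
        s3_destination_buckets=("arn:aws:s3:::example-dest-bucket",))
    print(json.dumps(doc, indent=2), attach, audit_policy(doc), sep="\n")
```

Paste the printed document into the JSON tab of the policy editor (the `Managed*` MediaConnect actions cannot be selected in the visual editor), attach the returned managed policy ARNs separately, and re-run `audit_policy` whenever the role is edited.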