Step 1: Create a policy - AWS Elemental MediaPackage

Step 1: Create a policy

The IAM policy defines the permissions that AWS Elemental MediaPackage requires to access other services.

  • For video on demand (VOD) workflows, create a policy that allows MediaPackage to read from the Amazon S3 bucket, verify the billing method, and retrieve content. For the billing method, MediaPackage must verify that the bucket does not require the requester to pay for requests. If the bucket has requestPayment enabled, MediaPackage can't ingest content from that bucket.

  • For live-to-VOD workflows, create a policy that allows MediaPackage to read from the Amazon S3 bucket and store the live-to-VOD asset in it.

  • For content delivery network (CDN) authorization, create a policy that allows MediaPackage to read from a secret in Secrets Manager.

The following sections describe how to create these policies.

Policy for live-to-VOD workflows

If you use MediaPackage to harvest a live-to-VOD asset from a live stream, you need a policy that allows you to do these things in Amazon S3:

  • PutObject: MediaPackage can save the VOD asset in the bucket.

  • GetBucketLocation: MediaPackage can retrieve the Region for the bucket. The bucket must be in the same AWS Region as the MediaPackage VOD resources.

If you also use MediaPackage for VOD asset delivery, add these actions to the policy: GetObject and GetBucketRequestPayment. For more information about the required policy for VOD workflows, see Amazon S3 access for VOD workflows.

To use the JSON policy editor to create a policy

  1. Sign in to the AWS Management Console and open the IAM console at

  2. In the navigation column on the left, choose Policies.

    If this is your first time choosing Policies, the Welcome to Managed Policies page appears. Choose Get Started.

  3. At the top of the page, choose Create policy.

  4. Choose the JSON tab.

  5. Enter the following JSON policy document:

    { "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:PutObject", "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::{bucket_name}/*", "arn:aws:s3:::{bucket_name}" ], "Effect": "Allow" } ] }
  6. Choose Review policy.


    You can switch between the Visual editor and JSON tabs any time. However, if you make changes or choose Review policy in the Visual editor tab, IAM might restructure your policy to optimize it for the visual editor. For more information, see Policy restructuring in the IAM User Guide.

  7. On the Review policy page, enter a Name and an optional Description for the policy that you are creating. Review the policy Summary to see the permissions that are granted by your policy. Then choose Create policy to save your work.