Identity and access management in the RFDK

Access controls in AWS are governed by the AWS Identity & Access Management (IAM) service. In IAM, you can create and manage identities, roles, and policies to determine what entities are able to access or modify which resources. CDK’s AWS Construct Library provides several constructs, interfaces and classes for working with IAM in your CDK applications. For an overview of working with IAM in CDK, see the CDK Permissions documentation.

The RFDK uses CDK’s IAM concepts to grant access that is required from principals (e.g. EC2 instance profiles, ECS task definitions roles, etc…) that require access to resources. Some examples include:

The Deadline Render Queue’s IAM role is granted read access to the Secrets Manager Secret that stores the credentials to the database
The Deadline Worker Fleet’s IAM role is granted access to stream logs to the CloudWatch log group that it is configured to use

When building a CDK application, it is important to take care when working with IAM resources. As a general rule, it is best to subscribe to the principle of least-privilege and only grant access as minimally required. In the CDK, this is done by scoping IAM policies to minimally required resources and principals. Please refer to Security Best Practices in IAM for more details.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Encryption in transit

Infrastructure security in the RFDK