The following table shows all the types of permissions that the MediaLive trusted entity might need. Refer to this table when you identify the access requirements for the MediaLive trusted entity.
Each row in the table describes a task or set of related tasks that the MediaLive trusted entity might need to perform for a user. The third column describes the type of access that the trusted entity requires to perform that task. The last column lists the IAM actions or policy that control that access.
Service | Tasks | Type of access required | Suggested actions or policy |
---|---|---|---|
AWS Elemental MediaLive | Working with MediaLive features. | MediaLive doesn't need access to itself. Only the users need access. | |
AWS CloudTrail | Capturing MediaLive activity. | MediaLive doesn't need IAM access for this task. | |
CloudWatch | Displaying CloudWatch metrics information on the console, to monitor channel health. | MediaLive doesn't need IAM access for this task. Only the users need access. | |
CloudWatch Events and Amazon SNS | Setting up email notification so that users can be notified about MediaLive alerts that are sent to CloudWatch Events. | MediaLive doesn't need access for this task. Only the users need access. | |
CloudWatch Logs | Sending channel log information to CloudWatch Logs when a channel is running. | When the channel is running. MediaLive must be able to send log messages to CloudWatch Logs. | And these resources: |
Amazon EC2 | Creating a CDI VPC, an RTP VPC input, or an RTMP VPC push input. | When the user is creating a VPC input. MediaLive must have write access to Amazon EC2 in order to create network interfaces for the input. | |
 | Deleting a CDI VPC, an RTP VPC input, or an RTMP VPC push input. | When the user deletes a VPC input. MediaLive must have write access to Amazon Elastic Compute Cloud in order to delete the network interfaces for the input. | |
 | Setting up a channel for delivery of output via your VPC. | Create and delete elastic network interfaces on your VPC. MediaLive creates these network interfaces in the subnet for the channel pipeline endpoints. | |
 | | Associate Elastic IP addresses with the elastic network interfaces that MediaLive creates. Associating Elastic IP addresses is optional. There is no need to give access to | AssociateAddress |
AWS Elemental MediaConnect | Creating a MediaConnect input. | When the user creates a MediaConnect input. MediaLive must have read/write access to the MediaConnect flow, in order to add an output to that flow. | ManagedDescribeFlow. To include these actions that start with "Managed" in a policy, you must view the policy in the JSON tab and enter the names of the actions. You can't use the visual editor to choose these actions. |
 | Deleting a MediaConnect input. | When the user deletes a MediaConnect input. MediaLive should have read/write access to the MediaConnect flow, in order to delete the outputs on the flow, because the outputs are no longer needed. | ManagedDescribeFlow. To include these actions that start with "Managed" in a policy, you must view the policy in the JSON tab and enter the names of the actions. You can't use the visual editor to choose these actions. |
 | Creating a MediaConnect entitlement. When the user creates a multiplex, MediaLive automatically creates an entitlement as the destination for the MPTS. | MediaLive doesn't need access for this task. | |
AWS Elemental MediaPackage | Sending channel output to MediaPackage when a channel is running, if your deployment uses this service. | When the user creates a MediaPackage output group. MediaLive must have read access to the AWS Elemental MediaPackage channel, in order to obtain the credentials required to send to that channel. | DescribeChannel |
 | Sending channel output to MediaPackage v2 when a channel is running, if your deployment uses version 2 of that service. To deliver in this way, you create an HLS output group, not a MediaPackage output group. | When the channel is running. When the channel includes an HLS output that is delivering to a MediaPackage channel that uses MediaPackage v2. MediaLive must have write access to the AWS Elemental MediaPackage channel. | mediapackagev2:PutObject |
AWS Elemental MediaStore | Sending and retrieving assets from a MediaStore container when a channel is running, if your deployment uses this service. | When the channel is running. MediaLive must have read access (for a source) or read/write access (for a destination). | |
Resource Group Tagging | Attaching tags when creating resources—channels, inputs, and input security groups—and revising tags on existing resources. | MediaLive doesn't need IAM access for this task. Only the users need access. | |
Amazon S3 | Sending and retrieving assets from an Amazon S3 bucket when a channel is running, if your deployment uses this service. | When the channel is running. MediaLive must have read access (for a source) or read/write access (for a destination) to the buckets. | |
 | Sending thumbnails to an Amazon S3 bucket when a channel is running, if a channel has input thumbnails enabled. | When the channel is running. MediaLive must have read/write access. | PutObject |
AWS Systems Manager | Creating a password parameter on the MediaLive console. | MediaLive doesn't need IAM access for this task. Only the users need access. | |
 | Using a password parameter in the channel configuration. See Requirements for AWS Systems Manager—password parameters. | When the channel is running. MediaLive must have read access to the AWS Systems Manager Parameter Store. | The managed policy AmazonSSMReadOnlyAccess |
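Added example, not from the AWS documentation: a small Python audit that checks a trusted-entity role's identity policy against the actions the table names, using IAM's Deny-overrides-Allow and wildcard semantics. The sample policy is constructed, and the service prefixes (mediaconnect:, mediapackage:, ec2:, s3:) are assumed from IAM's standard naming, since the table gives most action names without a prefix.

```python
import fnmatch
import json

# Constructed sample identity policy for the MediaLive trusted-entity role
# (example data, not from the AWS documentation). The action names are the
# ones the table lists; the service prefixes are the standard IAM prefixes.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["mediaconnect:ManagedDescribeFlow", "mediapackage:DescribeChannel",
                "mediapackagev2:PutObject", "s3:PutObject"]},
    {"Effect": "Deny", "Action": "ec2:AssociateAddress", "Resource": "*"}
  ]
}""")

# Actions the table names explicitly per task. Rows whose action cell is empty
# on this page are left out rather than guessed.
TASK_ACTIONS = {
    "Creating or deleting a MediaConnect input": ["mediaconnect:ManagedDescribeFlow"],
    "Sending output to MediaPackage": ["mediapackage:DescribeChannel"],
    "Sending output to MediaPackage v2": ["mediapackagev2:PutObject"],
    "Sending thumbnails to Amazon S3": ["s3:PutObject"],
    "Associating Elastic IPs (optional)": ["ec2:AssociateAddress"],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def action_allowed(policy, action):
    """IAM-style decision on the Action/Effect elements only: an explicit Deny
    wins, otherwise any matching Allow grants the action. Patterns may use the
    IAM wildcards '*' and '?' and match case-insensitively. Resource, Condition
    and NotAction are not evaluated, so resource scoping must be checked too."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit Deny overrides every Allow
        allowed = True
    return allowed

def missing_actions(policy, tasks=TASK_ACTIONS):
    """Per task, the required actions the policy does not grant (empty = ok)."""
    return {task: [a for a in acts if not action_allowed(policy, a)]
            for task, acts in tasks.items()}
```

Run `missing_actions(policy_document)` against the trusted entity's actual policy JSON to see which table rows it does not yet satisfy; a non-empty list for a required row means the channel task will fail at runtime.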