Step 1: Identify requirements for permissions for users
You must identify the IAM permissions that you need to grant to users, for AWS Elemental MediaLive features and for ancillary services that MediaLive always interacts with.
To do that, you should understand the MediaLive workflows for your organization and the different AWS services that the workflows use.
You might not want all regular users to have the same permissions. For example, you might be able to group regular users into three sets: users who can start channels and watch channel activity, users who have some write capabilities, and advanced users who can do everything. As you identify these permissions, think about how many different sets of users you need.
Topics
• Requirements for AWS Elemental MediaLive features (p. 27)
• Requirements for AWS CloudFormation (p. 29)
• Requirements for Amazon CloudFront (p. 29)
• Requirements for AWS CloudTrail (p. 30)
• Requirements for Amazon CloudWatch—monitoring channel health (p. 30)
• Requirements for CloudWatch and Amazon SNS—setting up email notification (p. 30)
• Requirements for Amazon CloudWatch Logs—setting up channel logging (p. 31)
• Requirements for Amazon Elastic Compute Cloud—VPC inputs (p. 31)
• Requirements for Amazon Elastic Compute Cloud—delivery via VPC (p. 32)
• Requirements for AWS Identity and Access Management—trusted entity role (p. 32)
• Requirements for AWS Elemental MediaConnect (p. 36)
• Requirements for AWS Elemental MediaPackage (p. 36)
• Requirements for AWS Elemental MediaStore (p. 37)
• Requirements for AWS Resource Groups—tagging (p. 37)
• Requirements for Amazon S3 (p. 37)
• Requirements for AWS Systems Manager—creating password parameters in parameter store (p. 38)
Step 1: Requirements for permissions
Requirements for AWS Elemental MediaLive features
You must give your users access to AWS Elemental MediaLive features. The permissions for MediaLive can be divided into three categories:
• Permissions to create
• Permissions to view
• Permissions to run
You might choose to give different access to different kinds of users. For example, you might decide that "basic operators" should not have create permissions.
In particular, you must decide whether to restrict the ability to work with reservations; you might decide to give this access only to administrators or advanced users. For more information about reservations, see Resources: MediaLive reservations (p. 254).
The following table shows the operations in IAM that relate to access for MediaLive. Each entry lists the permission, the service name in IAM, and the actions.

Permission: Create, modify, and delete channels, devices, inputs, and input security groups
Service name in IAM: MediaLive
Actions: CreateChannel, CreateInput, CreateInputSecurityGroup, DeleteChannel, DeleteInput, DeleteInputSecurityGroup, UpdateChannel, UpdateInput, UpdateInputDevice, UpdateInputSecurityGroup

Permission: View channels, devices, inputs, and input security groups
Service name in IAM: MediaLive
Actions: ListChannels, ListInputDevices, ListInputs, ListInputSecurityGroups, DescribeChannel, DescribeInput, DescribeInputDevice, DescribeInputDeviceThumbnail, DescribeInputSecurityGroup

Permission: View alerts for running channels
Service name in IAM: MediaLive
Actions: ListAlerts
Note that this action doesn't appear in the policy wizard on the IAM console. To include it, create the policy, then edit the policy and type the line "medialive:ListAlerts", directly in the JSON. You can perform all these steps in the IAM console.

Permission: Perform a batch operation on several channels, inputs, multiplexes, or input security groups
Service name in IAM: MediaLive
Actions: BatchDelete, BatchStart, BatchStop

Permission: Create or cancel an outgoing device transfer, or accept or reject an incoming device transfer
Service name in IAM: MediaLive

Permission: Work with schedules
Service name in IAM: MediaLive
Actions: DescribeSchedule, BatchUpdateSchedule

Permission: View the list of Availability Zones on the MediaLive console, so that you can choose two for the multiplex

Permission: Change the class for a channel
Service name in IAM: MediaLive
Actions: UpdateChannelClass

Permission: Run channels
Service name in IAM: MediaLive
Actions: StartChannel, StopChannel

Permission: Pause channels
Service name in IAM: MediaLive
Actions: Pause is part of the schedule feature, above.

Permission: Run multiplexes
Service name in IAM: MediaLive
Actions: StartMultiplex, StopMultiplex

Permission: Attach tags to channels, inputs, and input security groups when creating those resources
Service name in IAM: MediaLive
Actions: CreateTags, DeleteTags, ListTagsForResource

Permission: Create, modify, delete, and view reservations and offerings
Service name in IAM: MediaLive
Actions: DeleteReservation, DescribeOffering, DescribeReservation, ListOfferings, ListReservations, PurchaseOffering
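The tiers described above (view-only operators, operators who can run channels, and advanced users who can also create resources and work with reservations) map directly onto identity policies. The following is an added example, not code from the AWS documentation: it builds one policy per tier from the action names in the table, emits the JSON you would paste into the IAM console editor (which is how the ListAlerts action has to be added anyway), and includes a small matcher so you can confirm what each policy grants before attaching it. The tier names, the helper functions, and the List*/Describe*/Create*/Delete* wildcard policy used later on this page for the workflow-wizard services are assumptions made for this example.

```python
"""Generate tiered IAM identity policies for MediaLive users and check them.

Added example; this is not code from the AWS documentation. The action
names and the view/run/create split come from the tables on this page.
The tier names ("basic-operator", "editor", "advanced"), the helper
functions and the wildcard policy for the workflow-wizard services are
assumptions made for this example.
"""
import json
import re

# View actions (table row "View channels, devices, inputs, and input
# security groups", plus DescribeSchedule and ListAlerts).
VIEW_ACTIONS = [
    "medialive:ListChannels", "medialive:ListInputDevices",
    "medialive:ListInputs", "medialive:ListInputSecurityGroups",
    "medialive:DescribeChannel", "medialive:DescribeInput",
    "medialive:DescribeInputDevice", "medialive:DescribeInputDeviceThumbnail",
    "medialive:DescribeInputSecurityGroup", "medialive:DescribeSchedule",
    # The IAM console policy wizard does not offer ListAlerts; emitting the
    # policy as JSON (below) avoids having to hand-edit it in afterwards.
    "medialive:ListAlerts",
]
# Run actions (row "Run channels" plus the batch start/stop operations).
RUN_ACTIONS = [
    "medialive:StartChannel", "medialive:StopChannel",
    "medialive:BatchStart", "medialive:BatchStop",
]
# Create/modify/delete actions, schedule changes, and channel class changes.
CREATE_ACTIONS = [
    "medialive:CreateChannel", "medialive:CreateInput",
    "medialive:CreateInputSecurityGroup", "medialive:DeleteChannel",
    "medialive:DeleteInput", "medialive:DeleteInputSecurityGroup",
    "medialive:UpdateChannel", "medialive:UpdateInput",
    "medialive:UpdateInputDevice", "medialive:UpdateInputSecurityGroup",
    "medialive:UpdateChannelClass", "medialive:BatchDelete",
    "medialive:BatchUpdateSchedule",
]
# Reservations: the page suggests restricting these to advanced users.
RESERVATION_ACTIONS = [
    "medialive:DeleteReservation", "medialive:DescribeOffering",
    "medialive:DescribeReservation", "medialive:ListOfferings",
    "medialive:ListReservations", "medialive:PurchaseOffering",
]

# Assumed tier layout: each tier is a superset of the one before it.
TIERS = {
    "basic-operator": VIEW_ACTIONS + RUN_ACTIONS,
    "editor": VIEW_ACTIONS + RUN_ACTIONS + CREATE_ACTIONS,
    "advanced": VIEW_ACTIONS + RUN_ACTIONS + CREATE_ACTIONS + RESERVATION_ACTIONS,
}


def build_tier_policy(tier):
    """Return an identity policy document (dict) for one user tier."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "MediaLive" + tier.title().replace("-", ""),
            "Effect": "Allow",
            "Action": sorted(set(TIERS[tier])),
            "Resource": "*",
        }],
    }


def wildcard_policy(service, prefixes=("List", "Describe", "Create", "Delete")):
    """Policy of the List*/Describe*/Create*/Delete* form that the
    MediaConnect, MediaPackage and MediaStore tables on this page use."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": [f"{service}:{p}*" for p in prefixes],
            "Resource": "*",
        }],
    }


def _pattern(action_glob):
    # IAM action strings match case-insensitively; '*' matches any run of
    # characters and '?' a single character.
    escaped = re.escape(action_glob).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$", re.IGNORECASE)


def policy_allows(policy, action):
    """True if some Allow statement matches `action` and no Deny does."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(_pattern(glob).match(action) for glob in actions):
            if stmt["Effect"] == "Deny":
                return False      # an explicit Deny always wins
            allowed = True
    return allowed


def to_json(policy):
    """Render as the JSON you would paste into the IAM console editor."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(to_json(build_tier_policy("basic-operator")))
```

The matcher only evaluates action names; it ignores resource ARNs and condition keys, which is enough to confirm that a "basic operator" policy never contains a Create or Purchase action before you attach it. Generating the JSON rather than clicking through the wizard also keeps the three tiers consistent with each other when the action lists change.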
Requirements for AWS CloudFormation
MediaLive includes a workflow wizard. Creation of a workflow always includes automatic creation of an AWS CloudFormation stack. Therefore, to use the workflow wizard, users need permissions in AWS CloudFormation.
Permission: Work with the workflow wizard
Service name in IAM: AWS CloudFormation
Actions: ListStacks, DescribeStacks, DescribeStackResources, CreateStack, DeleteStack
Requirements for Amazon CloudFront
MediaLive includes a workflow wizard. One of the options in the wizard is to deliver output to AWS Elemental MediaPackage and from there to Amazon CloudFront. Therefore, for users to create a workflow with delivery to MediaPackage, users need permissions in CloudFront.
Permission: Use the workflow wizard to create the CloudFront distribution that is associated with a MediaPackage channel, if your organization supports MediaPackage as an output destination; and use the workflow wizard to delete a workflow that includes a CloudFront distribution
Service name in IAM: CloudFront
Actions: ListDistributions, DescribeDistribution, CreateDistribution, DeleteDistribution

Note that these permissions are broader than those needed elsewhere on the MediaLive console, where a user only selects existing resources, because the workflow wizard actually creates and deletes the distribution.
Requirements for AWS CloudTrail
MediaLive is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in MediaLive.
Users don't need special permissions for AWS CloudTrail.
Requirements for Amazon CloudWatch—monitoring channel health
The AWS Elemental MediaLive console includes a page (Channel details) that collects CloudWatch metrics information about the health of channels and displays it directly on the MediaLive console.
You must decide if you want to give some or all of your users permission to view metrics on the console.
For a user to view this information on the MediaLive console, that user must have view permissions for metrics operations in Amazon CloudWatch. When users have these permissions, they can also view the information through the CloudWatch console, AWS CLI, or REST API.
The following table shows the actions in IAM that relate to access for monitoring channel health.
Permission: View metrics
Service name in IAM: CloudWatch
Actions: ListMetrics, GetMetricData, GetMetricStatistics
Requirements for CloudWatch and Amazon SNS—setting up email notification
MediaLive provides information about channels as they are running. It sends this information to Amazon CloudWatch as events. The details of these events can optionally be distributed to one or more users.
Someone must set up this distribution. (For the setup procedure, see the section called “Monitoring using CloudWatch events” (p. 336).)
You must decide if you want to give some or all of your users these permissions. You might choose to allow each user to perform their own distribution setup. Or you might decide that an administrator must be responsible for performing the setup at startup for applicable users, and then again whenever a new user is added.
The following table shows the actions in IAM that relate to access for setting up email notification.
Permission: Write
Service name in IAM: CloudWatch Events
Actions: All actions

Permission: Write
Service name in IAM: SNS
Actions: All actions

Note that "All actions" grants every CloudWatch Events and SNS action in the account, which is broader than the setup procedure itself needs. If you let regular users perform their own setup, consider narrowing the policy to the actions the procedure actually uses once you know them.
Requirements for Amazon CloudWatch Logs—setting up channel logging
MediaLive produces channel logs that it sends to CloudWatch Logs, where users can view them. For more information about channel logs, see the section called “Monitoring using CloudWatch Logs” (p. 338).
You must decide if you want to give some or all of your users permission to view the logs in CloudWatch Logs.
You must also decide if you want to give some or all of your users permission to set the retention policy for logs. If you decide not to give this access to any user, an administrator must be responsible for setting the policy.
Users don't need special permission to enable logging from within MediaLive.
The following table shows the actions in IAM that relate to access for setting up channel logs.
Permission: View logs
Service name in IAM: CloudWatch Logs
Actions: FilterLogEvents, GetLogEvents

Permission: Set retention policy
Service name in IAM: CloudWatch Logs
Actions: DeleteRetentionPolicy, PutRetentionPolicy
Requirements for Amazon Elastic Compute Cloud—VPC inputs
Your deployment might include push inputs that connect to MediaLive from a VPC that you created with Amazon VPC.
When a user creates this type of input on the MediaLive console, they have the option to choose the subnet and security group from a dropdown list. For the dropdown list to be populated with the resources in Amazon VPC, the user must have the appropriate permissions. For more information about Amazon VPC inputs, see the section called “Creating an input” (p. 221).
The following table shows the actions in IAM that relate to access for populating the dropdown.

Permission: View the VPC subnets and VPC security groups on the MediaLive console
Service name in IAM: EC2
Actions: DescribeSubnets, DescribeSecurityGroups
Requirements for Amazon Elastic Compute Cloud—delivery via VPC
Your deployment might include setting up some channels for delivery to output endpoints in Amazon Virtual Private Cloud (Amazon VPC).
When a user sets up for this feature on the MediaLive console, they have the option to choose subnets, security groups, and EIPs from a dropdown list. For the dropdown list to be populated with the resources in Amazon VPC, the user must have the appropriate permissions. For information about this feature, see the section called “VPC delivery” (p. 515).
The following table shows the actions in IAM that relate to access for populating the dropdowns.
Permission: View the VPC subnets and VPC security groups on the MediaLive console
Service name in IAM: EC2
Actions: DescribeSubnets, DescribeSecurityGroups

Permission: View the Elastic IP addresses on the console. The console finds the Elastic IP addresses that have been allocated for use in your AWS account.
Service name in IAM: EC2
Actions: DescribeAddresses
Requirements for AWS Identity and Access Management—trusted entity role
This requirements analysis must be performed by a person in your organization who understands your organization's requirements for access to resources. This person must understand whether there is a requirement that AWS Elemental MediaLive channels should be restricted in their access to resources in other AWS services. For example, this person should determine whether channels should be restricted in their access to containers in AWS Elemental MediaStore so that a specified channel can access some containers and not others.
Every time a user creates a channel, they must attach an IAM role that sets up MediaLive as a trusted entity for that channel. The user makes this attachment using the IAM role pane on the Create channel page on the MediaLive console.
You must decide what access you need to give to users for working in this IAM role pane.
If you followed the procedures in the section called “Creating a non-administrator IAM user” (p. 16) to set up users for the period when you are experimenting with MediaLive, then you already set up this trusted entity role. You set it up by creating the MediaLiveAccessRole role. However, you should still read this section to determine if MediaLiveAccessRole is suitable for your organization when you are working in a production environment.
Topics
• About the trusted entity role (p. 33)
• Options for implementing the role (p. 33)
• Requirements for permissions for the simple option (p. 34)
About the trusted entity role
AWS Elemental MediaLive must be set up so that when a channel is running, MediaLive itself has access to perform operations on resources that belong to your organization's AWS account. For example, your deployment might use AWS Elemental MediaStore as a source for files, such as blackout images, that MediaLive requires during processing. For MediaLive to obtain these files, it must have read access to some or all containers in MediaStore.
To perform the required operations on those resources, MediaLive must be set up as a trusted entity on your account.
MediaLive is set up as a trusted entity as follows: A role (that belongs to your AWS account) identifies MediaLive as a trusted entity. The role is attached to one or more policies. Each policy contains statements about allowed operations and resources. The chain between the trusted entity, role, and policies makes this statement:
"MediaLive is allowed to assume this role in order to perform the operations on the resources that are specified in the policies."
After this role is created, the role must be attached to a specified channel. This attachment makes this statement:
"For this channel, MediaLive is allowed to assume this role in order to perform the operations on the resources specified in the policies."
Creating this attachment at the channel level allows each channel to give MediaLive access to different operations and, especially, different resources.
Options for implementing the role
There are two options for setting up the trusted entity role in AWS Elemental MediaLive: a simple option and a complex option.
Simple option
The simple option typically applies when users in your organization are using AWS Elemental MediaLive to encode the organization's own assets (not assets belonging to customers), and you don't have rigorous rules about accessing assets (for example, you don't have video assets that can be handled only by specific users or departments).
With the simple option, there is only one role: MediaLiveAccessRole. All channels use this role and all users can attach that role to the channels that they work with.
The simple option works only on the MediaLive console. It can't be performed using the AWS CLI, for example.
The MediaLiveAccessRole role grants broad access to operations and complete access to all resources. It allows either read-only access or read/write access to all the services that MediaLive must access when a channel is running. And most significantly, it allows full access to all the resources associated with those services.
If the simple option is suitable to your deployment, see the section called “Requirements for permissions for the simple option” (p. 34).
Complex option
The complex option applies when the MediaLiveAccessRole role is too broad for your use, given that it allows broad access to operations and complete access to all resources.
For example, you might have the following requirements:
• A requirement that a given channel should be allowed to access only specific resources and another channel should be allowed to access only specific, different resources. Therefore, you need to create several access roles, each of which narrows down permissions to a different set of resources.
• A requirement that each user should be allowed to display only specific roles on the console, to prevent a user from viewing a role they should not know about or to prevent a user from selecting the wrong role.
If the complex option is applicable to your deployment, see the section called “Setting up AWS Elemental MediaLive as a trusted service” (p. 44).
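The two requirements above (a per-channel role that reaches only specific resources, and a role that names MediaLive as the trusted entity) are easiest to see as policy documents. The following is an added example, not code from the AWS documentation or from the "Setting up AWS Elemental MediaLive as a trusted service" procedure it refers to: it builds the trust policy that names MediaLive as the trusted entity, and one permissions policy per channel that lists only that channel's MediaStore containers, then checks that one channel's role cannot reach another channel's container. The account ID, region, container and role names, the MediaStore action list, and the aws:SourceAccount condition on the trust policy are assumptions made for this example (the condition is a general AWS pattern against cross-account misuse of a service role, not something this page prescribes; confirm it is supported for your setup before relying on it).

```python
"""Trust policy and per-channel, resource-scoped policies (complex option).

Added example; not code from the AWS documentation. The service principal
medialive.amazonaws.com, the one-role-per-channel idea and the MediaStore
container example come from the text above. The account ID, region,
container and role names, the MediaStore action list and the
aws:SourceAccount condition are assumptions made for this example.
"""
import json

ACCOUNT_ID = "111122223333"   # constructed placeholder, not a real account
REGION = "us-west-2"          # assumed region


def trust_policy(account_id=ACCOUNT_ID):
    """Role trust policy naming MediaLive as the trusted entity.

    The aws:SourceAccount condition (an assumption for this example, and a
    general AWS pattern rather than something this page prescribes) keeps a
    MediaLive resource in another account from assuming the role.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "medialive.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
        }],
    }


def container_arn(name, account_id=ACCOUNT_ID, region=REGION):
    return f"arn:aws:mediastore:{region}:{account_id}:container/{name}"


READ_ACTIONS = ["mediastore:GetObject", "mediastore:DescribeObject",
                "mediastore:ListItems"]
WRITE_ACTIONS = ["mediastore:PutObject", "mediastore:DeleteObject"]


def channel_role_policy(containers, writable=False):
    """Permissions policy for one channel's role, limited to `containers`.

    Unlike MediaLiveAccessRole, which reaches every resource, this names
    the container ARNs explicitly (the container and the objects in it).
    """
    resources = []
    for name in containers:
        resources.append(container_arn(name))
        resources.append(container_arn(name) + "/*")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": READ_ACTIONS + (WRITE_ACTIONS if writable else []),
            "Resource": resources,
        }],
    }


def reachable_containers(policy):
    """Container names a policy's Allow statements name (exact ARNs only;
    a wildcard in Resource would need real IAM evaluation, not this)."""
    names = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        for arn in resources:
            if ":container/" in arn:
                names.add(arn.split(":container/", 1)[1].split("/", 1)[0])
    return names


# Two channels with deliberately different resource sets, as the complex
# option's first requirement describes (names are assumed).
ROLES = {
    "MediaLiveNewsChannelRole": channel_role_policy(["news-assets"]),
    "MediaLiveSportsChannelRole": channel_role_policy(
        ["sports-assets", "sports-ads"], writable=True),
}


def role_can_reach(role_name, container):
    return container in reachable_containers(ROLES[role_name])


if __name__ == "__main__":
    print(json.dumps(trust_policy(), indent=2))
    for role, policy in ROLES.items():
        print(role, sorted(reachable_containers(policy)))
```

Each channel is then attached to its own role on the Create channel page, so the statement "for this channel, MediaLive may assume this role" really does limit that channel to its containers. The second complex-option requirement, showing each user only the roles they should select, is a matter of the users' own IAM permissions (iam:ListRoles and iam:PassRole scoped to specific role ARNs) rather than of the role policies shown here.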
Requirements for permissions for the simple option
Read this section if you decide that the simple option (p. 33) for the trusted entity is appropriate to your deployment.
(To set up for the complex option, see the section called “Setting up AWS Elemental MediaLive as a trusted service” (p. 44).)
For users to work in the IAM Role section on the Channel and input details pane, they must have access to specific IAM actions.
The following screenshot shows the IAM Role section on the Channel and input details pane as it appears when you start to create a channel.
You must set up users as follows:
• Users must be able to choose MediaLiveAccessRole from the selection field that accompanies the Use existing role field.
• Users must be able to choose the Create role from template field. (The role needs to be created only once, by the first user to create a channel. But it is easiest to give all users these permissions.)
• Users do not need to be able to use the Specify custom role ARN field. They will use MediaLiveAccessRole. They will never use a custom role.
• Users must be able to choose the Update button, in order to update the MediaLiveAccessRole from time to time.
The following table shows the service and action in IAM that you must grant to regular users with the simple option.
Permission: Choose the Create role from template option
Service name in IAM: IAM
Actions: CreateRole, PutRolePolicy, AttachRolePolicy

Permission: Choose MediaLiveAccessRole from the list in Use existing role
Service name in IAM: IAM
Actions: ListRoles, PassRole

Permission: Choose Update
Service name in IAM: IAM
Actions: GetRolePolicy, PutRolePolicy, AttachRolePolicy
Requirements for AWS Elemental MediaConnect
Your deployment might include using a flow from AWS Elemental MediaConnect as an input to AWS Elemental MediaLive.
The user needs permissions to perform actions in MediaConnect when they use the MediaLive workflow wizard. The user doesn't need special permissions when they use the regular MediaLive console to specify a MediaConnect flow in an input or channel.
Permission: Use the workflow wizard to create a MediaConnect flow, if your organization supports sources from MediaConnect; and use the workflow wizard to delete a workflow that includes a source from MediaConnect
Service name in IAM: MediaConnect
Actions: List*, Describe*, Create*, Delete*
Requirements for AWS Elemental MediaPackage
Your deployment might send outputs to AWS Elemental MediaPackage, either by creating an HLS output group or by creating a MediaPackage output group (p. 74). (Note that both MediaLive and MediaPackage have "channels"; however, they are different objects.)
The user needs permissions to perform actions in MediaPackage when they use the MediaLive console and when they use the MediaLive workflow wizard.
Permission: On the MediaLive console, view the MediaPackage channels in the dropdown list when setting up a MediaLive channel
Service name in IAM: MediaPackage
Actions: Describe*

Permission: Use the workflow wizard to create a MediaPackage channel, if your organization supports MediaPackage as an output destination; and use the workflow wizard to delete a workflow that includes a MediaPackage output
Service name in IAM: MediaPackage
Actions: List*, Describe*, Create*, Delete*
Requirements for AWS Elemental MediaStore
Your deployment might include using files in an AWS Elemental MediaStore container. For example, your deployment might use files in the following ways:
• As the source for an HLS input
• As the destination for an HLS output group
The user needs permissions to perform actions in MediaStore when they use the MediaLive workflow wizard. The user doesn't need special permissions when they use the regular MediaLive console to specify a MediaStore container in a channel.
Permission: Use the workflow wizard to create a MediaStore container, if your organization supports MediaStore as an output destination; and use the workflow wizard to delete a workflow that includes a MediaStore output
Service name in IAM: MediaStore
Actions: List*, Describe*, Create*, Delete*
Requirements for AWS Resource Groups—tagging
When users create channels, inputs, or input security groups, they can optionally attach tags to the resource during creation. Typically, your organization has a policy to tag or to omit tags. There are two services that control permissions for tagging, for two different scenarios:
• The ability to tag during channel creation is controlled by actions within AWS Elemental MediaLive.
See the section called “MediaLive” (p. 27).
• The ability to modify tags in existing resources is controlled by actions within Resource Group Tagging.
See Working with Tag Editor in Getting Started with the AWS Management Console.
Requirements for Amazon S3
Your deployment might include using files in an Amazon S3 bucket. For example, your deployment might use files in the following ways:
• As the source for an HLS input
• As the destination for an Archive output group
• As the destination for an HLS output group
Users don't need special permissions to specify an Amazon S3 bucket in a field on the MediaLive console.
Requirements for AWS Systems Manager—creating password parameters in parameter store
The AWS Elemental MediaLive console includes a feature that lets a user create a password parameter in the AWS Systems Manager Parameter Store. This feature is part of the Create Channel page. This feature