AWS Elemental MediaLive
User Guide
Copyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved.
Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.
Table of Contents
What Is AWS Elemental MediaLive? ... 1
How MediaLive Works ... 1
Pipelines ... 2
MediaLive Inputs ... 2
MediaLive Channels ... 2
MediaLive Schedule ... 3
Terminology ... 4
Related Services ... 5
Accessing AWS Elemental MediaLive ... 6
Pricing ... 7
Quotas ... 8
Feature rules and limits ... 9
Limits for inputs ... 9
Limits for outputs ... 10
Limits for other features ... 11
Setting up: IAM permissions ... 14
Signing up ... 14
Creating an administrator IAM user ... 14
Creating a non-administrator IAM user ... 16
Step 1: Create customer managed policies ... 17
Step 2: Create an IAM group ... 18
Step 3: Create or add an IAM user to your group ... 19
Setting up as a trusted service ... 20
Setting up: IAM permissions for production ... 21
Setting up administrators and users ... 22
Creating an administrator user with limited access ... 22
Creating a non-administrator user ... 25
Step 1: Requirements for permissions ... 26
Step 2: Identify categories of users ... 40
Step 3: Create the Custom Policies ... 40
Step 4: Create the groups ... 41
Step 5: Create users ... 42
Step 6: Setting up required data ... 44
Setting up AWS Elemental MediaLive as a trusted service ... 44
How the trusted entity is created and attached ... 44
Creating trusted entity roles ... 45
Setting up permissions for non-administrator users ... 48
Reference: summary of user access ... 50
Reference: summary of trusted entity access ... 56
Setting up: IAM permissions for distributors ... 60
Creating an administrator IAM user ... 60
Creating a non-administrator user ... 61
Getting started with AWS Elemental MediaLive ... 63
Getting started tutorial ... 63
Prerequisites ... 64
Step 1: Set up the upstream system ... 64
Step 2: Set up the downstream system ... 64
Step 3: Create an input ... 65
Step 4: Set up key information ... 66
Step 5: Attach the input ... 66
Step 6: Set up input video, audio, captions ... 66
Step 7: Create an HLS output group ... 67
Step 8: Set up the output and encodes ... 67
Step 9: Create your channel ... 68
Step 10: Start the upstream system and the channel ... 68
Step 11: Clean up ... 68
Components of AWS Elemental MediaLive ... 70
Inputs ... 70
Channels ... 70
Encodes ... 70
Outputs ... 71
Output groups ... 71
Input security groups ... 71
How components are associated ... 71
Setup: Preparing upstream and downstream ... 72
Step 1: Identify output group types ... 73
Choosing among the AWS media services ... 74
HLS versus MediaPackage ... 74
Options for Microsoft Smooth ... 75
Step 2: Identify encode requirements ... 75
Step 3: Identify resiliency requirements ... 76
Pipeline redundancy ... 76
Automatic input failover ... 77
Comparison of the two features ... 77
Step 4: Assess the upstream system ... 78
Assess source formats and packaging ... 78
Encrypted HLS content ... 79
Assess video content ... 80
Assess audio content ... 81
Assess captions ... 82
Result of this step ... 83
Step 5: Collect information about the source content ... 83
CDI source ... 84
AWS Elemental Link source ... 84
HLS source ... 85
MediaConnect source ... 85
MP4 source ... 86
RTMP source ... 86
RTP source ... 86
Step 6: Coordinate with upstream system and create inputs ... 87
CDI source ... 88
AWS Elemental Link source ... 90
HLS pull source ... 91
MediaConnect push source ... 94
MP4 pull source ... 96
RTMP pull source ... 98
RTMP push Input ... 99
RTMP VPC source ... 102
RTP push source ... 104
RTP VPC source ... 107
Step 7: Coordinate with downstream systems ... 111
Archive or frame capture ... 112
HLS to Amazon S3 ... 113
HLS to MediaStore ... 114
HLS to MediaPackage ... 115
HLS to HTTP ... 116
MediaPackage ... 117
Microsoft Smooth ... 118
RTMP ... 119
UDP ... 119
Next steps ... 120
Setup: Planning the channel ... 121
Step 1: Identify the output encodes ... 121
Identify video ... 121
Identify audio ... 122
Identify captions ... 123
Summary of encode rules for output groups ... 124
Example of a plan ... 124
Step 2: Map outputs to sources ... 125
Example of mapping ... 129
Step 3: Design the output groups ... 131
Archive output group ... 131
Frame Capture output group ... 132
HLS or MediaPackage output group ... 132
Microsoft Smooth output group ... 133
RTMP output group ... 134
UDP output group ... 134
Examples ... 135
Step 4: Design the encodes ... 136
Plan the encodes ... 136
Identify encode sharing opportunities ... 139
Next steps ... 142
Resources: MediaLive channels ... 144
Creating a channel from scratch ... 144
Getting ready ... 145
Step 1: Complete channel details ... 146
Step 2: Attach inputs ... 148
Step 3: Complete input settings ... 152
Step 4: Complete general settings ... 157
Step 5: Create output groups ... 158
Step 6: Set up video ... 204
Step 7: Set up audio ... 206
Step 8: Set up captions ... 208
Step 9: Save channel ... 210
Creating a channel from a template or by cloning ... 211
About templates ... 211
About cloning ... 212
Creating a channel from a template ... 212
Creating a channel by cloning ... 212
Creating a custom template ... 213
Editing and deleting a channel ... 213
Editing a channel ... 213
Editing the tags associated with a channel ... 214
Deleting a channel ... 214
Updating channel class ... 214
Viewing a channel configuration ... 214
Resources: MediaLive devices ... 216
Creating a device ... 216
Editing or viewing a device ... 216
Transferring a device ... 217
Initiating a device transfer ... 218
Cancelling an outgoing device transfer ... 218
Accepting a device transfer ... 218
Viewing device status ... 219
Deleting a device ... 219
Resources: MediaLive input ... 220
Categories for inputs ... 220
Inputs, input security groups, and channels ... 221
Creating an input ... 221
Getting ready ... 221
CDI input ... 222
CDI input – Partner CDI input ... 224
Elemental Link input ... 225
HLS input ... 226
MediaConnect input ... 227
MP4 input ... 230
TS file input ... 231
RTMP pull input ... 233
RTMP push input ... 234
RTMP VPC input ... 236
RTP input ... 239
RTP VPC input ... 241
Editing an input ... 243
Deleting an input ... 245
Resources: MediaLive input security groups ... 246
Purpose of an input security group ... 246
Creating an input security group ... 246
Editing an input security group ... 247
Deleting an input security group ... 248
Resources: MediaLive multiplex ... 249
Summary of actions ... 249
Creating a multiplex and program ... 250
Creating a channel ... 251
Editing multiplexes, programs, and channels ... 251
Editing a multiplex ... 251
Editing a program ... 252
Editing a channel in a program ... 252
Deleting multiplexes, programs, and channels ... 252
Deleting a multiplex ... 252
Deleting a program ... 253
Deleting a channel ... 253
Resources: MediaLive reservations ... 254
Input and output reservations ... 254
Input reservation attributes and matching ... 254
Output reservation attributes and matching ... 254
How an input or output reservation is applied ... 255
Add-on reservations ... 256
Reservation attributes ... 257
How an add-on reservation is applied ... 257
Purchasing a reservation ... 258
Filtering on the offerings page ... 258
Viewing purchased reservations ... 259
Deleting a reservation ... 259
Resources: MediaLive schedule ... 260
Types of actions ... 260
Types of timing ... 260
How actions work ... 261
How input switch actions work ... 261
How input prepare actions work ... 262
How image overlay actions work ... 263
How motion graphics overlay works ... 263
How SCTE-35 actions work ... 264
How ID3 metadata and tags actions work ... 265
How pause and unpause actions work ... 265
Working with the schedule (console) ... 266
Creating actions ... 267
Deleting actions ... 283
Modifying actions ... 284
Viewing the schedule ... 287
Working with the schedule (AWS CLI) ... 287
Update batch command ... 288
Submitting a command ... 290
JSON for create actions ... 291
JSON for delete actions ... 307
JSON for combinations ... 308
Viewing the schedule ... 309
Resources: MediaLive workflow wizard ... 312
About the workflow wizard ... 312
Supported inputs ... 312
Supported outputs ... 312
Low-touch setup ... 312
Using the workflow wizard ... 313
Creating a workflow ... 313
Modifying a workflow ... 313
Deleting a workflow ... 313
Next steps—novice users ... 314
Next steps—experienced video users ... 314
Starting, stopping, and pausing a channel ... 315
Monitoring a channel or multiplex ... 316
Monitoring a channel ... 316
Status tab – Viewing status information ... 316
Alerts tab – Viewing alerts ... 317
Handling alerts ... 317
Destinations pane ... 317
Monitoring a multiplex ... 318
Viewing status information ... 316
Monitoring using CloudWatch metrics ... 319
General information ... 320
Global metrics ... 321
Input metrics ... 321
Output metrics ... 328
Input device metrics ... 331
Pipeline locking metrics ... 335
Monitoring using CloudWatch events ... 336
Option 1: Send all MediaLive events to an email address ... 336
Option 2: Send events for specific channels to an email address ... 338
Monitoring using CloudWatch Logs ... 338
About channel logs ... 339
Enabling channel encoder logs ... 340
Working with logs ... 340
Logging using CloudTrail ... 342
MediaLive information in CloudTrail ... 342
Understanding MediaLive log file entries ... 343
Maintenance windows ... 345
Viewing channels that require maintenance ... 345
Setting maintenance windows ... 345
Features of MediaLive ... 347
Audio – Audio-only outputs ... 348
Inputs ... 348
Output groups and outputs ... 349
Streams ... 349
Audio – audio rendition groups for HLS ... 350
About rendition groups ... 351
Creating a rendition group ... 352
Sample manifest ... 357
AWS Elemental Link devices ... 358
Setting up AWS Elemental Link in MediaLive ... 358
Using the AWS Elemental Link device as an input ... 359
Rules for devices, inputs, and channels ... 359
Automatic input failover ... 360
Automatic input failover in a single-pipeline channel ... 360
Automatic input failover in a standard channel ... 362
Setting up: CDI inputs ... 364
Setting up: MediaConnect inputs ... 366
Setting up: other inputs ... 367
Changing the roles of the failover pair ... 368
Starting the channel ... 369
Manually forcing a failover ... 369
Automatic input failover and input switching ... 370
Captions ... 370
Supported features ... 371
Typical scenarios ... 374
Setting up for captions ... 376
Examples ... 386
CDI inputs as partner inputs ... 393
Regular inputs versus partner inputs ... 393
Rules for using partner CDI inputs ... 394
Creating the set of partner inputs ... 394
Editing the set of partner inputs ... 394
Deleting partner inputs ... 394
Channel classes and input classes ... 395
About channel classes ... 395
About input classes ... 395
Combinations of channel and input class ... 395
Dynamic inputs ... 396
Setting up dynamic inputs ... 396
ID3 metadata ... 396
Enabling ID3 metadata ... 397
Passing through ID3 metadata ... 399
Inserting ID3 metadata when creating the channel ... 399
Inserting ID3 metadata using the schedule ... 399
ID3 segment tags ... 400
Inserting ID3 segment tags ... 401
Image overlays ... 401
Examples ... 401
Features of the static image overlay ... 402
Step 1: Prepare the static image overlay file ... 402
Step 2: Insert the overlay ... 403
Input clipping ... 403
Link devices and inputs ... 404
Input prepare ... 404
Rules and limits ... 405
Setting up input prepares ... 405
Runtime behavior ... 410
Modifying ... 410
Deleting and stopping ... 410
Input switching ... 411
About input switching ... 411
Rules and limits ... 415
Setting up for input switching ... 416
Deleting actions from the schedule ... 429
Starting and restarting the channel ... 429
Manifests – custom HLS manifest paths ... 431
Procedure ... 431
How manifests work ... 432
Rules for custom paths ... 433
Guidance for setting up for custom paths ... 434
Examples of custom paths ... 434
Manifests – Redundant HLS manifests ... 435
Procedure ... 436
The media contents of an HLS manifest ... 438
Rules for most systems ... 438
Rules for Akamai ... 439
Combining redundant manifests with other features ... 440
Motion graphics overlay ... 441
Pricing ... 441
Step 1: Prepare the motion graphic asset ... 441
Step 2: Enable the feature ... 442
Step 3: Insert the overlay ... 442
Multiplex and MPTS ... 443
Overview of multiplex and MPTS ... 443
Restrictions for multiplexes ... 444
Setting up a multiplex ... 444
Starting, pausing, or stopping a multiplex ... 447
Nielsen watermarks ... 450
Prerequisites ... 450
Supported audio ... 450
Setting up Nielsen watermarks ... 451
Nielsen watermarks to ID3 ... 452
Pipeline locking ... 453
Requirements for pipeline locking ... 453
Step 1: Verifying the input ... 454
Step 2: Setting up for pipeline locking ... 454
Troubleshooting ... 456
Pipeline redundancy ... 456
Deciding to implement ... 457
Standard channel ... 458
Single-pipeline channel with upgrade options ... 459
Single-pipeline channel without upgrade ... 460
Changing an existing channel ... 461
Resiliency ... 464
SCTE-35 message processing ... 464
About message processing ... 465
Get ready: Set the SCTE-35 source ... 471
Get ready: Set ad avail mode ... 473
Enabling manifest decoration ... 474
Enabling ad avail blanking ... 477
Enabling blackout ... 480
Enabling SCTE-35 passthrough or removal ... 484
Inserting SCTE-35 messages using the schedule ... 485
Sample manifests - HLS ... 486
Sharing and cloning encodes ... 488
Sharing encodes ... 488
Cloning encodes ... 489
SMPTE-2038 data ... 489
Amazon S3 access control lists (ACLs) ... 491
Tagging resources ... 491
Supported resources in AWS Elemental MediaLive ... 492
Tag restrictions ... 492
Managing tags ... 492
Timecode configuration ... 493
About the synchronization threshold ... 494
How timecode works at runtime ... 494
Trick-play track ... 495
Choosing an implementation of trick-play track ... 495
Trick-play track via I-frames ... 496
Trick-play track via the Image Media Playlist specification ... 497
Video – color space ... 498
Color space versus video resolution ... 499
General information ... 499
Configuring input ... 501
Configuring output ... 505
Video – enhanced VQ ... 511
Video – rate control mode ... 512
Quality-defined variable bitrate mode (QVBR) ... 513
Variable bitrate mode (VBR) ... 514
Constant bitrate mode (CBR) ... 515
VPC delivery ... 515
Rules and constraints ... 516
How VPC delivery works ... 516
Getting ready ... 517
Setting up for VPC delivery ... 518
Changing the setup ... 519
Identifying subnet and Availability Zone requirements ... 519
Reference: Audio—AAC codec ... 522
Coding mode 1.0 ... 523
Coding mode 1+1 ... 523
Coding mode 2.0 ... 524
Coding mode 5.1 ... 525
Coding mode ad receiver mix ... 525
Reference: supported captions ... 526
Supported formats ... 526
Captions categories ... 529
Reading the information ... 531
Archive output ... 531
HLS or MediaPackage output ... 534
Microsoft Smooth output ... 535
RTMP output ... 537
UDP or multiplex output ... 538
Reference: Supported input containers and codecs ... 541
Supported input formats and protocols ... 541
Support for live and file inputs ... 544
Supported input class ... 545
Support for setup as a VPC input ... 546
Supported codecs for inputs ... 546
Characteristics of video and audio sources ... 547
Reference: Supported output containers and codecs ... 548
Supported containers and downstream systems ... 548
Support for delivery to VPC ... 550
Supported codecs for outputs ... 551
Reference: identifiers for variable data ... 552
Supported variable data ... 552
Rules for using variable data ... 553
Security ... 555
Data protection ... 555
Deleting data in AWS Elemental MediaLive ... 556
Identity and access management ... 556
Compliance validation ... 557
Resilience ... 557
Infrastructure security ... 557
Document history ... 558
AWS glossary ... 573
What Is AWS Elemental MediaLive?
AWS Elemental MediaLive is a real-time video service that lets you create live outputs for broadcast and streaming delivery.
You use MediaLive to transform live video content from one format and package into other formats and packages. You typically need to transform the content in order to provide a format and package that a playback device can handle. Playback devices include smartphones and set-top boxes attached to televisions.
Topics
• How AWS Elemental MediaLive Works (p. 1)
• AWS Elemental MediaLive Terminology (p. 4)
• Related Services (p. 5)
• Accessing AWS Elemental MediaLive (p. 6)
How AWS Elemental MediaLive Works
From the point of view of AWS Elemental MediaLive, a live streaming workflow that includes MediaLive involves three systems:
• A MediaLive channel, which ingests and transcodes source content.
• One or more upstream systems that provide the source content (the video) to MediaLive.
Examples of an upstream system are a streaming camera or appliance that is directly connected to the internet, or a contribution encoder that is located in a sports stadium where a sports event is being held.
The source content is in a specific package format and protocol. For example, the source content might be available as streaming HLS or streaming TS (transport stream). The source content contains video, audio, and optional captions streams that are in specific codecs or formats.
• One or more downstream systems that are the destinations for the output that MediaLive produces.
A typical downstream system consists of an origin service or a packager that is connected to MediaLive, a content distribution network (CDN) that is downstream of the origin service or the packager, and a playback device or website where the users view the content. AWS Elemental MediaPackage is an example of an origin service and packager. Amazon CloudFront is an example of a CDN.
To create a MediaLive workflow, you create one or more MediaLive inputs. The inputs contain information about how MediaLive and the upstream system are connected. You also create a MediaLive channel and attach the inputs to the channel. The channel configuration data includes information about how MediaLive connects to the downstream systems.
This setup connects the components as illustrated in this diagram.
To start processing the content, you start the channel. When the channel is running, it ingests the source content from the upstream system that is identified by the input. The channel then transcodes that video (and the related audio, captions, and metadata) and creates outputs. MediaLive sends the outputs to the specified downstream systems.
Pipelines
The processing within MediaLive occurs within one or two pipelines.
If you set up the workflow so that the channel and inputs have two pipelines (recommended), both pipelines work independently of each other but perform identical processing. Setting up with two pipelines provides resiliency within MediaLive.
With two pipelines, the upstream system must be set up to provide two sources, and the downstream system must be set up to receive two outputs.
AWS Elemental MediaLive Inputs
An input contains information about how the upstream system and the channel connect to each other.
The connection between the input and the upstream system might be a push (the upstream system pushes the content) or a pull (MediaLive pulls the content from the upstream system).
A push input has one or more MediaLive input security groups associated with it. An input security group is an allow list of IP address ranges (CIDR blocks) that includes the source addresses of the upstream system. Only addresses within those ranges are allowed to push content to the input; MediaLive rejects connections from any other address, so the ranges should be as narrow as the upstream system's egress addresses allow.
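The following is an added example, not code from the MediaLive guide or the service: it reviews the CIDR allow list for an input security group before the group is created (refusing an open-to-the-world rule, flagging very wide ranges, and confirming that every upstream source address is actually covered), then builds the CreateInputSecurityGroup request body. The WhitelistRules/Cidr shape is the real MediaLive API shape; the /16 threshold is this example's own policy choice, and the IP addresses are constructed sample data.

```python
"""
Added example (not from the MediaLive guide): sanity-check a proposed
input security group allow list, then build the CreateInputSecurityGroup
request. Sample addresses below are constructed; the "no wider than /16"
rule is an assumption made for this example, not a MediaLive requirement.
"""
import ipaddress

# Policy for this example (assumption): refuse anything wider than a /16.
NARROWEST_ACCEPTABLE_PREFIX = 16


def review_whitelist(cidrs, source_ips, narrowest_ok=NARROWEST_ACCEPTABLE_PREFIX):
    """Return a list of problems with the proposed allow list (empty = fine).

    cidrs      -- CIDR strings that would become WhitelistRules entries
    source_ips -- the upstream system's real egress addresses; each one must
                  fall inside some rule or MediaLive will refuse the push
    """
    problems = []
    networks = []
    for cidr in cidrs:
        try:
            # strict=True rejects "198.51.100.10/24" (host bits set), a common
            # typo that silently allows the whole /24.
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{cidr}: not a valid CIDR ({exc})")
            continue
        if net.prefixlen == 0:
            problems.append(f"{cidr}: allows every address on the internet")
        elif net.prefixlen < narrowest_ok:
            problems.append(f"{cidr}: wider than /{narrowest_ok}")
        networks.append(net)
    for ip in source_ips:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError as exc:
            problems.append(f"{ip}: not a valid IP address ({exc})")
            continue
        if not any(addr in net for net in networks):
            problems.append(f"{ip}: upstream source not covered by any rule")
    return problems


def build_create_request(cidrs, tags=None):
    """Build the keyword arguments for create_input_security_group."""
    request = {"WhitelistRules": [{"Cidr": c} for c in cidrs]}
    if tags:
        request["Tags"] = dict(tags)
    return request


if __name__ == "__main__":
    # Constructed sample: a stadium contribution encoder with two egress IPs.
    upstream = ["198.51.100.10", "198.51.100.11"]
    proposed = ["198.51.100.0/24"]
    print(review_whitelist(proposed, upstream))        # []
    print(review_whitelist(["0.0.0.0/0"], upstream))   # flags the open rule
    print(build_create_request(proposed, {"env": "prod"}))
    # Real call, not executed here:
    # import boto3
    # boto3.client("medialive").create_input_security_group(**build_create_request(proposed))
```

Run the review against the addresses the upstream operator actually gives you; a clean result plus a narrow prefix is the check worth keeping in a deployment pipeline, since the allow list is the only thing standing between the input endpoint and arbitrary senders.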
AWS Elemental MediaLive Channels
A channel can have several inputs attached to it, but it only ingests source content from one input at a time. (You use the channel schedule (p. 3) to set up the channel to switch from one input to another.) The channel ingests the source content, transcodes it (decodes and encodes it), and packages it into output groups.
The channel contains one or more output groups. There are different types of output groups to handle the requirements of different downstream systems.
The output group consists of one or more outputs. Each output contains a specific combination of encodes. An encode is one video stream, one audio stream, or one captions track. Different encodes have different characteristics. The rules for combining encodes into outputs and for combining outputs into output groups depend on the type of the output group.
The following diagram is a detailed illustration of the workflow.
The illustration shows a channel with only one output group.
As another example, the channel might contain one HLS output group and one RTMP output group. The HLS output group might contain two outputs. One HLS output contains one high-resolution video, one audio, and one captions encode. The other HLS output contains one low-resolution video, one audio, and no captions. The RTMP output group contains one output that contains one video and one audio.
For information about designing this workflow and creating a channel, see Setup: Preparing upstream and downstream (p. 72) and Setup: Planning the channel (p. 121).
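The following is an added example, not code from the MediaLive guide: a small validator for the encode/output/output-group structure just described. It checks that every encode an output references is actually defined in the channel, that no output is empty, and that a STANDARD (two-pipeline) channel supplies two destination settings while a single-pipeline channel supplies one. The field names (ChannelClass, EncoderSettings, VideoDescriptions, AudioDescriptions, CaptionDescriptions, OutputGroups, VideoDescriptionName, AudioDescriptionNames, CaptionDescriptionNames, Destinations, Settings) are the real MediaLive API names; the sample channel is constructed to match the HLS-plus-RTMP example above and deliberately omits codec settings.

```python
"""
Added example (not from the MediaLive guide): validate the way encodes,
outputs, output groups and destinations reference each other in a channel
description. SAMPLE_CHANNEL is constructed and incomplete (no codec settings).
"""

SAMPLE_CHANNEL = {
    "Name": "stadium-feed",
    "ChannelClass": "STANDARD",  # two pipelines
    "EncoderSettings": {
        "VideoDescriptions": [{"Name": "video_1080p"}, {"Name": "video_360p"}],
        "AudioDescriptions": [{"Name": "audio_en"}],
        "CaptionDescriptions": [{"Name": "captions_en"}],
        "OutputGroups": [
            {"Name": "hls", "Outputs": [
                {"OutputName": "high", "VideoDescriptionName": "video_1080p",
                 "AudioDescriptionNames": ["audio_en"],
                 "CaptionDescriptionNames": ["captions_en"]},
                {"OutputName": "low", "VideoDescriptionName": "video_360p",
                 "AudioDescriptionNames": ["audio_en"]},
            ]},
            {"Name": "rtmp", "Outputs": [
                {"OutputName": "social", "VideoDescriptionName": "video_1080p",
                 "AudioDescriptionNames": ["audio_en"]},
            ]},
        ],
    },
    # One destination URL per pipeline; addresses are constructed.
    "Destinations": [
        {"Id": "hls-dest", "Settings": [{"Url": "s3://example-bucket/live/a"},
                                        {"Url": "s3://example-bucket/live/b"}]},
        {"Id": "rtmp-dest", "Settings": [{"Url": "rtmp://203.0.113.10/live"},
                                         {"Url": "rtmp://203.0.113.11/live"}]},
    ],
}


def validate_channel(channel):
    """Return a list of structural problems (empty means the references line up)."""
    enc = channel.get("EncoderSettings", {})
    videos = {v["Name"] for v in enc.get("VideoDescriptions", [])}
    audios = {a["Name"] for a in enc.get("AudioDescriptions", [])}
    captions = {c["Name"] for c in enc.get("CaptionDescriptions", [])}
    problems = []

    for group in enc.get("OutputGroups", []):
        gname = group.get("Name", "<unnamed group>")
        outputs = group.get("Outputs", [])
        if not outputs:
            problems.append(f"{gname}: output group has no outputs")
        for out in outputs:
            oname = f"{gname}/{out.get('OutputName', '<unnamed output>')}"
            video = out.get("VideoDescriptionName")
            audio_names = out.get("AudioDescriptionNames", [])
            caption_names = out.get("CaptionDescriptionNames", [])
            if video is None and not audio_names and not caption_names:
                problems.append(f"{oname}: output has no encodes")
            if video is not None and video not in videos:
                problems.append(f"{oname}: unknown video encode {video!r}")
            for a in audio_names:
                if a not in audios:
                    problems.append(f"{oname}: unknown audio encode {a!r}")
            for c in caption_names:
                if c not in captions:
                    problems.append(f"{oname}: unknown captions encode {c!r}")

    # Standard class = two pipelines = two destination settings; destinations
    # without a Settings list (for example MediaPackage ones) are not checked.
    klass = channel.get("ChannelClass", "SINGLE_PIPELINE")
    expected = 2 if klass == "STANDARD" else 1
    for dest in channel.get("Destinations", []):
        if "Settings" not in dest:
            continue
        n = len(dest["Settings"])
        if n != expected:
            problems.append(f"destination {dest.get('Id')}: {n} settings, "
                            f"expected {expected} for {klass}")
    return problems


if __name__ == "__main__":
    print(validate_channel(SAMPLE_CHANNEL))  # []
```

Running the validator before CreateChannel catches the dangling-name and pipeline-count mistakes that otherwise surface only as a rejected API call or a channel that starts with one dead pipeline.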
AWS Elemental MediaLive Schedule
Each MediaLive channel has one schedule associated with it. You add actions to the schedule to suit your requirements. There are different types of actions, including "switch input" (to switch to ingesting a different input) and "insert image overlay" (to overlay an image that you specify onto the video).
You can add these actions when the channel isn't running or when it is running. MediaLive sends the actions to the channel at the time identified in the schedule, and the channel performs the action.
For more information about schedules, see Resources: MediaLive schedule (p. 260)
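The following is an added example, not code from the MediaLive guide: it builds the Creates body for a BatchUpdateSchedule call that switches inputs, one action immediately and one at a fixed time, and rejects a batch with duplicate action names or a fixed time that is not in the future. The field names (ScheduleActions, ActionName, ScheduleActionStartSettings, FixedModeScheduleActionStartSettings, ImmediateModeScheduleActionStartSettings, InputSwitchSettings, InputAttachmentNameReference) are the real MediaLive API names; the attachment names and the clock value are constructed sample data, and rendering fixed times with whole-second precision is this example's simplification.

```python
"""
Added example (not from the MediaLive guide): build and sanity-check a
BatchUpdateSchedule "Creates" body for input switches. Attachment names and
SAMPLE_NOW are constructed; whole-second times are an assumption.
"""
import json
from datetime import datetime, timedelta, timezone

# MediaLive fixed-mode times are UTC ISO-8601 with millisecond precision.
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.000Z"
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock


def format_time(dt):
    """Render an aware datetime as the UTC string MediaLive expects."""
    if dt.tzinfo is None:
        raise ValueError("schedule times must be timezone-aware")
    return dt.astimezone(timezone.utc).strftime(TIME_FORMAT)


def input_switch(action_name, attachment_name, at=None):
    """One schedule action: switch to `attachment_name` at `at` (an aware
    datetime) or immediately when `at` is None."""
    if at is None:
        start = {"ImmediateModeScheduleActionStartSettings": {}}
    else:
        start = {"FixedModeScheduleActionStartSettings": {"Time": format_time(at)}}
    return {
        "ActionName": action_name,
        "ScheduleActionStartSettings": start,
        "ScheduleActionSettings": {
            "InputSwitchSettings": {"InputAttachmentNameReference": attachment_name}
        },
    }


def build_creates(actions, now):
    """Return {"ScheduleActions": [...]} or raise ValueError for a bad batch.

    Action names must be unique within a channel's schedule, and a fixed-mode
    action whose time has already passed is useless, so both are rejected.
    """
    seen = set()
    for action in actions:
        name = action["ActionName"]
        if name in seen:
            raise ValueError(f"duplicate ActionName {name!r}")
        seen.add(name)
        fixed = action["ScheduleActionStartSettings"].get(
            "FixedModeScheduleActionStartSettings")
        if fixed:
            when = datetime.strptime(fixed["Time"], "%Y-%m-%dT%H:%M:%S.%fZ")
            when = when.replace(tzinfo=timezone.utc)
            if when <= now:
                raise ValueError(f"{name!r}: time {fixed['Time']} is not in the future")
    return {"ScheduleActions": list(actions)}


def demo(now=SAMPLE_NOW):
    """Switch to the backup input right away, then back to the primary input
    five minutes later (attachment names are constructed sample data)."""
    actions = [
        input_switch("to-backup", "backup-input"),
        input_switch("back-to-primary", "primary-input", at=now + timedelta(minutes=5)),
    ]
    return build_creates(actions, now)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    # Real call, not executed here:
    # import boto3
    # boto3.client("medialive").batch_update_schedule(ChannelId="123456", Creates=demo())
```

Because the channel executes whatever the schedule contains, validating the batch before submitting it is cheaper than discovering a duplicate name or a stale time as a rejected request during a live event.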
AWS Elemental MediaLive Terminology
CDN
A content distribution network (CDN) is a network of servers that is downstream of the origin server or packager. The CDN distributes the content from the origin server to dozens or hundreds of networked servers that serve the content to your viewing users. This distributed network ensures that content can be delivered to thousands or millions of viewing users simultaneously.
Channel
A MediaLive channel ingests and transcodes (decodes and encodes) source content from the inputs that are attached to that channel, and packages the new content into outputs.
Channel class
Each channel belongs to one of the following classes:
• Standard class – a channel has two processing pipelines
• Single-pipeline class – a channel has one processing pipeline
Channel configuration
A MediaLive channel configuration contains information about how the channel ingests, transcodes, and packages content into output.
Downstream system
The downstream system is a set of one or more servers that is positioned after MediaLive in the workflow. The downstream system handles the content that is output from MediaLive.
Encode
An encode exists within an output. There are three types of encodes: video, audio, and captions. Each encode contains the instructions for one video stream, one audio stream, or one captions track that the transcoding process will create. Different encodes have different characteristics. For example, one video encode produced from the input might be high resolution while another is low resolution.
Input
A MediaLive input holds information that describes how the upstream system and the MediaLive channel are connected. The input identifies endpoints (IP addresses) in MediaLive (for a push input, where the upstream system pushes to MediaLive) or source IP addresses on the upstream system (for a pull input, where MediaLive pulls from the upstream system). MediaLive has different input types for different formats and protocols of the source content. For example, HLS input and RTMP Push input.
Input security group
A MediaLive input security group is a set of one or more ranges of IP addresses that define an allow list. You associate one or more input security groups with a push input in order to identify a range of IP addresses that are allowed to push content to the input.
Output
An output exists within an output group. It is a collection of encodes that you want to handle as one set.
Origin service
An origin service might be part of the downstream system that is positioned after MediaLive in the workflow. It accepts the video output from MediaLive.
Output Group
An output group is a collection of outputs within the MediaLive channel.
Packager
A packager might be part of the downstream system. It accepts the video output from MediaLive and repackages it. AWS Elemental MediaPackage is a packager.
Pipeline
In MediaLive, there are one or two separate and independent pipelines that perform the processing within the MediaLive input and the MediaLive channel.
Playback device
A playback device is the final component of the downstream system. It is the device that the people who are your audience use to view the video.
Schedule
Each MediaLive channel has an associated schedule. The schedule contains a list of actions to perform in the channel at a specific time.
Source content
The video content that MediaLive transcodes. The content typically consists of video, audio, captions, and metadata.
Upstream system
The system that is in front of MediaLive in the workflow and that holds the source content. Examples of an upstream system are a streaming camera or appliance that is directly connected to the internet, or a contribution encoder that is located in a stadium at a sports event.
Related Services
Amazon CloudWatch is a monitoring service for AWS Cloud resources and the applications that you run on AWS. Use CloudWatch to track MediaLive events about the progress of running channels and to view metrics about your resources.
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources for your users. Use IAM to control who can use your AWS resources (authentication) and what resources users can use in which ways (authorization).
AWS Elemental MediaPackage is a just-in-time video packaging and origination service that runs in the AWS Cloud. You can use AWS Elemental MediaPackage to package content that has been encoded by MediaLive.
AWS Elemental MediaConnect is a transport service for live video that runs in the AWS Cloud. You can use MediaConnect as a source for video to transcode.
AWS Elemental MediaStore is a video origination and storage service that offers the high performance and immediate consistency required for live and on-demand media. You can use AWS Elemental MediaStore to store assets that MediaLive retrieves and uses when transcoding, and as a destination for output from MediaLive.
AWS Resource Groups includes a tagging editor that lets you assign metadata to AWS resources. You can use Tag Editor to assign metadata to MediaLive channels and other resources.
Amazon Simple Storage Service (Amazon S3) is storage for the internet. You can use Amazon S3 to store assets that MediaLive retrieves and uses when transcoding, and as a destination for output from MediaLive.
AWS Systems Manager Parameter Store lets you store the passwords that MediaLive needs (for example, credentials for an external server that MediaLive pulls from or pushes to) as secure parameters, rather than as plaintext in the channel or input configuration; MediaLive references the parameter name and retrieves the value at runtime. If you connect to external servers that require user credentials, it is likely that you will have to use Parameter Store.
Amazon Virtual Private Cloud lets you set up your own virtual network within the AWS Cloud. Use Amazon VPC as the location for an upstream system, so that the transfer of source content is within a private cloud.
Accessing AWS Elemental MediaLive
You can access AWS Elemental MediaLive using any of the following methods:
• AWS Management Console – The procedures throughout this guide explain how to use the AWS Management Console to perform tasks for AWS Elemental MediaLive.
• AWS SDKs – If you're using a programming language that AWS provides an SDK for, you can use an SDK to access AWS Elemental MediaLive. SDKs simplify authentication, integrate easily with your development environment, and provide easy access to AWS Elemental MediaLive commands. For more information, see Tools for Amazon Web Services.
• AWS Elemental MediaLive API – If you're using a programming language that an SDK isn't available for, see the AWS Elemental MediaLive API Reference for information about API actions and about how to make API requests.
• AWS Command Line Interface – For more information, see the AWS Command Line Interface User Guide.
• AWS Tools for Windows PowerShell – For more information, see the AWS Tools for Windows PowerShell User Guide.
Pricing
As with other AWS products, there are no contracts or minimum commitments for using AWS Elemental MediaLive.
There are two components to pricing: pricing based on the input of the channel that is being processed, and pricing based on the outputs of the channel:
• The input pricing is based on a combination of the input codec, the bitrate of the input, and the resolution of the input. You specify these three characteristics in the input specification when you create the channel. For more information, see the section called “Input specifications settings” (p. 147).
• The output pricing is based on a combination of the output codec, the output frame rate, and the output resolution. You specify these values in the codec, frame rate, width, and height fields in the video settings of each output in the channel. For more information, see the section called “Step 6: Set up video” (p. 204). Note that it is possible to set up the output frame rate to match the frame rate of the input. In this case, the frame rate portion of the pricing calculation uses the rate for the "30-60 fps" frame rate; it doesn't use the actual input frame rate.
There are different charges for inputs and outputs when the channel is running compared to when the channel is idle.
As soon as you start a channel, running charges start accruing for inputs and outputs. Running charges continue if you pause one or both pipelines in a channel. Running charges stop accruing only when you stop the channel.
For more information about pricing, see https://aws.amazon.com/medialive/pricing/.
Quotas in AWS Elemental MediaLive
There are quotas (formerly referred to as limits) that apply to the resources and operations of AWS Elemental MediaLive. A quota is a resource or operation cap that you can increase. MediaLive also includes constraints that you can't change. For more information about these constraints, see Feature rules and limits (p. 9).
Note
There is a limit on the number of actions that a channel schedule can contain. This limit isn't listed here because it's not a quota that you can change. This schedule actions limit is documented in Feature rules and limits (p. 9).
The Service Quotas console provides information about MediaLive quotas. Use the Service Quotas console to view default quotas and request quota increases for AWS Elemental MediaLive.
The following list describes the quotas for MediaLive. Each entry gives the resource or operation, its default quota, and a comment. Every quota applies per account in the current Region.
• Channels – default quota 5 – The maximum number of channels that you can create in this account in the current Region.
• Channels with HEVC outputs – default quota 5 – The maximum number of HEVC channels (channels that include one or more HEVC outputs) that you can create in this account in the current Region.
• Channels with UHD outputs – default quota 1 – The maximum number of UHD channels (channels that include a UHD output) that you can create in this account in the current Region. For information about the maximum number of UHD outputs in these channels, see Feature rules and limits (p. 9).
• Channels with CDI inputs – default quota 2 – The maximum number of CDI channels (channels that include one or more CDI inputs) that you can create in this account in the current Region.
• Inputs of type push (not including VPC push inputs) – default quota 5 – The maximum number of push inputs (not including VPC push inputs) that you can create in this account in the current Region.
• Inputs of type pull – default quota 100 – The maximum number of pull inputs that you can create in this account in the current Region.
• Inputs of type VPC push – default quota 50 – The maximum number of VPC push inputs that you can create in this account in the current Region.
• Inputs of type Elemental Link – default quota 100 – The maximum number of Elemental Link inputs that you can create in this account in the current Region.
• Input security groups – default quota 5 – The maximum number of input security groups that you can create in this account in the current Region.
• Multiplexes – default quota 2 – The maximum number of multiplexes that you can create in this account in the current Region.
• Reservations – default quota 50 – The maximum number of reservations that you can create in this account in the current Region.
AWS Elemental MediaLive feature rules and limits
The following table provides a summary of many of the rules and constraints that apply to AWS Elemental MediaLive features. You can't change any of these constraints.
MediaLive also includes quotas, which you can change. For more information about quotas, see Quotas (p. 8).
Topics
• Limits for inputs (p. 9)
• Limits for outputs (p. 10)
• Limits for other features (p. 11)
Limits for inputs
Resource or feature: Constraint or rule
Input number, push inputs: You can attach 0 to 2 push inputs to a channel.
Input number, pull inputs: You can attach up to 20 inputs to a channel. After you have counted the push inputs, the remainder can be pull inputs.
Input number, CDI inputs: You can attach 0 or 1 regular CDI inputs to a channel. This input is a push input, so it counts towards the maximum number of push inputs in the channel. You can attach one set of partner CDI inputs to a channel. Attaching this set uses up the maximum number of push inputs in the channel. For information about these inputs, see the section called “CDI inputs as partner inputs” (p. 393).
Input number, Elemental Link inputs: You can attach up to 2 Elemental Link inputs to a channel. Elemental Link inputs are push inputs, so each counts towards your maximum number of push inputs in the channel.
Input number, Elemental Link inputs per MediaLive device: You can create up to 4 inputs (Link inputs) from each AWS Elemental Link hardware device. You can then attach each input to a different channel.
Input types – in automatic input failover: You can set up two push inputs as an automatic input failover pair (p. 360). You can't set up pull inputs as a failover pair. The failover pair uses up your maximum number of push inputs.
Input types – for dynamic inputs: Only MP4 and Transport Stream (TS) file inputs that are stored in Amazon S3 or AWS Elemental MediaStore can be set up as dynamic inputs.
Input types – in multiple-input channels: You can attach multiple inputs to a channel, in order to implement input switching. You can't include an HLS input that is a VOD asset. For the definition of a VOD asset, see the section called “Support for live and file inputs” (p. 544). For the inputs that you attach in order to implement input switching, there are restrictions related to input types and Availability Zones:
• You can have multiple MediaConnect inputs attached to one channel, but all those inputs must be in the same two Availability Zones.
• You can have multiple VPC inputs attached to one channel, but all these inputs must be in the same two Availability Zones. VPC inputs include CDI inputs, RTP VPC inputs, and RTMP VPC inputs.
• If the channel has both MediaConnect inputs and VPC inputs, all these inputs must be in the same two Availability Zones.
Input – audio and captions selectors: Maximum of 32 audio and captions selectors (in any combination) in one channel.
Input – captions selectors for OCR conversion: A maximum of three captions selectors that will use OCR conversion, per input. A selector uses OCR conversion if the specified format is DVB-Sub or SCTE-27, and at least one output encode that uses the selector is a WebVTT encode (p. 383). If the selector is used in more than one WebVTT encode (for example, in two output groups), the selector counts only once towards the limit.
Input charges: Input from an AWS Elemental Link UHD device is charged at one rate. There are not separate rates for different resolutions in the content.
Limits for outputs
Resource or feature: Constraint or rule
Output, types: Maximum of one archive output group in a channel. For information about output types, see the section called “Supported containers and downstream systems” (p. 548).
Output encodes, frame capture: For frame capture encodes:
• Maximum of three frame capture encodes in a channel. The single encode in a Frame Capture output group, and each (optional) frame capture encode (p. 9) in an HLS output group both count towards this limit.
• Maximum of three frame capture outputs in each HLS output group.
For information about output types, see the section called “Supported containers and downstream systems” (p. 548).
Output video encodes, UHD resolution, and input type: A channel with a CDI input allows one UHD output encode (maximum). The maximum number of channels with UHD is a quota that you can change, as described in Quotas (p. 8). If you are using a CDI input, the maximum number of UHD outputs is a limitation. You can't change it.
Output video encodes, resolutions, and codecs: Standard definition (SD) video is supported with all codecs. High definition (HD) video is supported with H.264 and H.265. Ultra-high definition (UHD or 4K) video is supported with H.264 and H.265. For information about supported output codecs and output video resolutions, see the section called “Supported codecs for outputs” (p. 551).
Output – audio encodes: Maximum of 33 audio encodes in one channel.
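The rules in the input and output tables above are easy to get wrong when channels are built programmatically, because several of them interact (a partner CDI set or a failover pair consumes both push slots, an OCR selector counts once no matter how many WebVTT encodes use it, frame capture encodes in different output groups share one limit). The following preflight check is an added example, not MediaLive or AWS SDK code: the channel is a simplified dict whose shape is an assumption made here (it is not the CreateChannel API), and the numbers are the documented constraints, which you cannot change. It reports every rule the design breaks rather than the first error the service would return.

```python
"""Preflight check of a channel design against the input and output rules in the
tables above. Added example, not MediaLive or AWS SDK code: the channel is a
simplified dict whose shape is an assumption made here (not the CreateChannel API),
and the numbers are the documented constraints, which you cannot change."""

MAX_INPUTS = 20                  # push + pull inputs attached to one channel
MAX_PUSH_INPUTS = 2
MAX_LINK_INPUTS_PER_DEVICE = 4   # Link inputs created from one Link device, account-wide
MAX_SELECTORS = 32               # audio + captions selectors in one channel
MAX_OCR_SELECTORS_PER_INPUT = 3
MAX_ARCHIVE_GROUPS = 1
MAX_FRAME_CAPTURE_ENCODES = 3    # per channel, across all output groups
MAX_FRAME_CAPTURE_PER_HLS = 3    # per HLS output group
MAX_AUDIO_ENCODES = 33


def check_channel(channel):
    """Return the list of rule violations; an empty list means the design passes.

    channel: {"inputs": [input, ...], "audio_selectors": int, "output_groups": [group, ...]}
    input:   {"name": str, "push": bool, "cdi": "regular" | "partner" | None, "failover": bool,
              "captions_selectors": [{"format": str, "webvtt_encodes": int}, ...]}
    group:   {"type": "HLS" | "ARCHIVE" | "FRAME_CAPTURE" | ..., "frame_capture_encodes": int,
              "audio_encodes": int}
    """
    problems = []
    inputs = channel["inputs"]
    push = [i for i in inputs if i["push"]]
    if len(inputs) > MAX_INPUTS:
        problems.append(f"{len(inputs)} inputs attached; maximum is {MAX_INPUTS}")
    if len(push) > MAX_PUSH_INPUTS:
        problems.append(f"{len(push)} push inputs attached; maximum is {MAX_PUSH_INPUTS}")

    # CDI: at most one regular CDI input. A partner set is two inputs and uses up
    # both push slots, so no other push input can sit beside it.
    if sum(i.get("cdi") == "regular" for i in inputs) > 1:
        problems.append("more than one regular CDI input")
    partners = [i for i in inputs if i.get("cdi") == "partner"]
    if partners and (len(partners) != 2 or len(push) != 2):
        problems.append("partner CDI inputs must be exactly one pair and the only push inputs")

    # Automatic input failover: exactly two inputs, both of them push inputs.
    failover = [i for i in inputs if i.get("failover")]
    if failover and (len(failover) != 2 or not all(i["push"] for i in failover)):
        problems.append("failover pair must be exactly two push inputs")

    # Selectors: 32 audio + captions per channel. OCR selectors (DVB-Sub or SCTE-27
    # feeding at least one WebVTT encode) are limited per input, and one selector
    # counts once however many WebVTT encodes use it.
    selectors = channel.get("audio_selectors", 0)
    selectors += sum(len(i.get("captions_selectors", [])) for i in inputs)
    if selectors > MAX_SELECTORS:
        problems.append(f"{selectors} audio and captions selectors; maximum is {MAX_SELECTORS}")
    for i in inputs:
        ocr = [s for s in i.get("captions_selectors", [])
               if s["format"] in ("DVB-Sub", "SCTE-27") and s.get("webvtt_encodes", 0) > 0]
        if len(ocr) > MAX_OCR_SELECTORS_PER_INPUT:
            problems.append(f"input {i['name']}: {len(ocr)} OCR captions selectors; "
                            f"maximum is {MAX_OCR_SELECTORS_PER_INPUT}")

    # Outputs: one archive group; the single encode of a Frame Capture group and the
    # frame capture encodes of HLS groups share one channel-wide limit.
    groups = channel.get("output_groups", [])
    if sum(g["type"] == "ARCHIVE" for g in groups) > MAX_ARCHIVE_GROUPS:
        problems.append("more than one archive output group")
    frame_captures = 0
    for g in groups:
        n = g.get("frame_capture_encodes", 0)
        if g["type"] == "HLS" and n > MAX_FRAME_CAPTURE_PER_HLS:
            problems.append(f"HLS group with {n} frame capture outputs; maximum is {MAX_FRAME_CAPTURE_PER_HLS}")
        frame_captures += n
    if frame_captures > MAX_FRAME_CAPTURE_ENCODES:
        problems.append(f"{frame_captures} frame capture encodes; maximum is {MAX_FRAME_CAPTURE_ENCODES}")
    if sum(g.get("audio_encodes", 0) for g in groups) > MAX_AUDIO_ENCODES:
        problems.append(f"more than {MAX_AUDIO_ENCODES} audio encodes")
    return problems


def link_devices_over_limit(account_inputs):
    """Account-wide rule: the Link device IDs with more than four Link inputs created
    from them. account_inputs lists every input in the account, not one channel's."""
    counts = {}
    for i in account_inputs:
        if i.get("link_device"):
            counts[i["link_device"]] = counts.get(i["link_device"], 0) + 1
    return sorted(d for d, n in counts.items() if n > MAX_LINK_INPUTS_PER_DEVICE)


# Constructed sample designs, not real channels.
GOOD = {"inputs": [{"name": "rtp-a", "push": True, "failover": True},
                   {"name": "rtp-b", "push": True, "failover": True},
                   {"name": "slate", "push": False,
                    "captions_selectors": [{"format": "DVB-Sub", "webvtt_encodes": 2}]}],
        "audio_selectors": 2,
        "output_groups": [{"type": "HLS", "frame_capture_encodes": 1, "audio_encodes": 2},
                          {"type": "ARCHIVE", "audio_encodes": 2}]}
BAD = {"inputs": [{"name": "link-1", "push": True}, {"name": "link-2", "push": True},
                  {"name": "cdi", "push": True, "cdi": "regular"}],
       "audio_selectors": 1,
       "output_groups": [{"type": "HLS", "frame_capture_encodes": 4},
                         {"type": "ARCHIVE"}, {"type": "ARCHIVE"}]}
```

`check_channel(GOOD)` returns an empty list; `check_channel(BAD)` reports four violations (three push inputs, two archive groups, four frame capture outputs in one HLS group, and four frame capture encodes in the channel). The Link-per-device rule needs the whole account's inputs, which is why it is a separate function.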
Limits for other features
Resource or feature: Constraint or rule
Image Overlays: Maximum of eight different overlays (layers) active at one time in a channel. This means that the video can show up to eight different overlays at the same time. For information about image overlay, see the section called “Image overlays” (p. 401).
Motion graphic overlay: Maximum of one motion graphic overlay active at one time in a channel. For information about motion graphic overlay, see the section called “Motion graphics overlay” (p. 441).
Multiplexes: Each multiplex produces only one MPTS. For information about multiplex, see the section called “Multiplex and MPTS” (p. 443).
Multiplexes, programs in a multiplex: All multiplex programs must include video. Maximum of 20 programs per multiplex. Each program in a multiplex is single use. It is attached only to one multiplex, and you can use it only for that multiplex.
Multiplexes, channels in a multiplex: Each channel contains one and only one output group, of type multiplex. It can't contain any other type of output group. Each channel is single use. You can attach it to only one program in the multiplex. You can use it only for that multiplex.
Output locking feature: Output locking is supported only with HLS and Microsoft Smooth. Although you enable the feature globally (for the entire channel), it only works with HLS output groups and Microsoft Smooth output groups.
Resiliency, automatic input failover (p. 360): The automatic input failover applies to inputs, not to the entire channel. You can set up failover in only two, paired, inputs. The inputs must be push inputs.
Resiliency, pipeline redundancy (p. 456): The pipeline redundancy feature (channel class) applies to the channel and all its inputs. The following rules apply to the channels and inputs:
• Standard channel – You can attach only standard-class inputs.
• Single-pipeline channel – You can attach single-class inputs (to omit support for pipeline redundancy) or standard-class inputs (to allow for easy upgrade of the channel at a later date).
Schedule, maximum number of actions: The schedule can contain a maximum of 1500 actions. You can't change this maximum. This maximum includes stale actions, actions that are in progress, and actions that aren't yet active. If you are near this maximum, you should delete stale actions.
Schedule and input switches: The schedule can contain any number of scheduled input switching actions. You can switch to a specific input as many times as you want. For information about input switching, see the section called “Input switching” (p. 411).
Frequency of API requests: 5 steady-state TPS (transactions per second); 30 burst TPS.
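The API request limit above (5 TPS steady state, bursts of up to 30) is the classic shape of a token bucket, and a client that automates channel or schedule changes should pace itself accordingly rather than rely on retries. The following throttle is an added example, not AWS SDK code. The limit is enforced by the service, not by your client, so the caller must still handle a throttling error from the service; this bucket only keeps one process from being the cause of it. The clock is injectable so the behaviour can be shown without sleeping.

```python
"""Client-side throttle shaped by the documented request limits: 5 transactions per
second in steady state, bursts of up to 30. Added example, not AWS SDK code."""

import time


class TokenBucket:
    """Tokens refill at `rate` per second up to `burst`; each request takes one."""

    def __init__(self, rate=5.0, burst=30, clock=time.monotonic):
        self.rate = float(rate)     # steady-state TPS
        self.burst = float(burst)   # burst TPS: capacity of the bucket
        self.clock = clock          # injectable for deterministic testing
        self.tokens = self.burst    # a fresh bucket allows a full burst
        self.updated = clock()

    def _refill(self):
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.updated) * self.rate)
        self.updated = now

    def try_acquire(self):
        """Take a token if one is available; False means the call would exceed the limit."""
        self._refill()
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

    def seconds_until_token(self):
        """How long the caller has to wait before the next token exists."""
        self._refill()
        return 0.0 if self.tokens >= 1.0 else (1.0 - self.tokens) / self.rate

    def acquire(self, sleep=time.sleep):
        """Block until a token is available, then take it. Call before each API request."""
        while not self.try_acquire():
            sleep(self.seconds_until_token())


class ManualClock:
    """Deterministic clock for the demonstration below."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Fire 40 requests at once, wait one second, fire 10 more; return how many each
    batch admitted. With the documented limits that is 30 (the burst), then 5 (one
    second of refill at the steady-state rate)."""
    clock = ManualClock()
    bucket = TokenBucket(rate=5, burst=30, clock=clock)
    first = sum(bucket.try_acquire() for _ in range(40))
    clock.advance(1.0)
    second = sum(bucket.try_acquire() for _ in range(10))
    return first, second
```

In a real tool, one `TokenBucket` is shared by every thread that calls the service, and `bucket.acquire()` precedes each call; the numbers are the documented ones, so if the limit is raised for your account only the constructor arguments change.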
Setting up: IAM permissions for AWS Elemental MediaLive
This chapter provides procedures for setting up users to work with AWS Elemental MediaLive. It describes how to grant permissions that are appropriate for the period when you are experimenting with MediaLive, before you start using MediaLive in a production environment.
This chapter covers the following tasks:
• Setting up one or more administrators for the service
• Creating or modifying user identities that have permissions to access AWS Elemental MediaLive and ancillary services that MediaLive typically works with
• Setting up MediaLive as a trusted service
After you perform the procedures in this chapter, you and other users will have permissions that let you successfully follow the procedures in Getting started with AWS Elemental MediaLive (p. 63).
Important
This chapter includes steps that grant broad permissions to AWS Elemental MediaLive and other services. These permissions are known as AWS Identity and Access Management (IAM) permissions. The permissions are intended to allow you and others in your organization to get started with MediaLive as quickly as possible. These permissions are not suitable for assigning to a wide group of users or for users working in a production environment.
To set up users for production use of AWS Elemental MediaLive, see Setting up: IAM permissions for production (p. 21).
Topics
• Signing up for AWS Elemental MediaLive (p. 14)
• Creating an administrator IAM user (p. 14)
• Creating a non-administrator IAM user (p. 16)
• Setting up AWS Elemental MediaLive as a trusted service (p. 20)
Signing up for AWS Elemental MediaLive
If you do not have an AWS account, complete the following steps to create one.
To sign up for an AWS account
1. Open https://portal.aws.amazon.com/billing/signup.
2. Follow the online instructions.
Part of the sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.
Creating an administrator IAM user
The procedures in this section show how to create an IAM user that has full read/write administrator permissions. This administrator might be you or another person. You set up an administrator by creating a group, and then creating a user that belongs to that group:
• If your organization is new to AWS, follow both steps in this procedure: create the group, and then create the users for that group.
• If your organization is not new to AWS, then the group probably has already been created. Follow only the second step to create users for that group.
To create a full-access administrator group
1. Use your AWS account email address and password to sign in to the AWS Management Console as the AWS account root user.
2. Open the IAM console at https://console.aws.amazon.com/iam/.
3. In the navigation pane, choose Groups, and then choose Create New Group.
4. On the Set Group Name page, for Group Name, enter a name such as Administrators. Choose Next Step.
5. On the Attach Policy page, choose Filter: Policy Type, and then choose Job function.
6. In the policy list, select the check box for AdministratorAccess, and then choose Next Step.
7. On the Review page, review the information, and then choose Create Group.
Now that you have an administrator group, you are ready to create an IAM user and add the user to your group.
To add an IAM user to the full-access administrator group
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Users, and then choose Add user.
3. On the Add User page, for User name, enter a name such as Administrator or Admin_2 (if Administrator has already been created).
4. For Access type, select AWS Management Console access.
For Console password, choose Custom password, and then enter a password.
If this administrator is not you, we recommend that you select Require password reset.
5. Choose Next: Permissions.
6. On the Set permissions page, choose Add user to group.
7. Select the check box for the group that you created in the preceding procedure, and then choose Next: Review.
8. Review the information, and then choose Create user. To return to the navigation pane, choose Close.
After you create this IAM user with administrator permissions, sign out and sign in again using the administrator credentials.
We highly recommend that from this point forward you always sign in using the IAM administrator credentials instead of your root user credentials, unless AWS requires you to use your root user credentials to perform certain operations. For more information, see AWS Tasks That Require AWS Account Root User Credentials. Enable multi-factor authentication (MFA) on the root user and on each administrator user before you hand out the credentials.
Repeat the procedure to set up more administrators (as backups), if needed. Or anyone who is now set up as a full-access administrator can set up more administrators.
Creating a non-administrator IAM user
This section shows how to create non-administrator IAM users and grant those users the following permissions:
• Full read/write access to the following AWS services and features:
• AWS Elemental MediaLive
• AWS Elemental MediaConnect
• AWS Elemental MediaPackage
• Amazon CloudWatch
• Amazon CloudWatch Events
• Amazon CloudWatch Logs
• Amazon EC2
• AWS Systems Manager
• AWS Resource Groups
• Amazon SNS
• Amazon VPC
• Limited access to AWS IAM. Users of AWS Elemental MediaLive need some access to IAM in order to use the MediaLive console to set up MediaLive as a trusted entity. This setup is always required when using MediaLive. For more information, see the section called “Setting up as a trusted service” (p. 20).
Warning
These permissions are broad. You should set up only a few users with these permissions and only for the pre-production period of using MediaLive. For information about setting up users for standard production use, see Setting up: IAM permissions for production (p. 21).
To set up an IAM user, you follow three main steps:
• Create customer managed policies.
• Create a group and attach the policies to the group.
• Create users and add the users to the group.
Policies grant permissions. Policies are attached to a group. Users belong to a group. Therefore, the users have the permissions of the policies that are attached to the group.
The following diagram shows this relationship.
Topics
• Step 1: Create customer managed policies (p. 17)
• Step 2: Create an IAM group (p. 18)
• Step 3: Create or add an IAM user to your group (p. 19)
Step 1: Create customer managed policies
The procedures in this section show how to create three IAM customer managed policies. A customer managed policy is one that you create and manage. (IAM also includes AWS managed policies, which you can't change.)
Anyone with IAM administrator-level credentials can perform the procedures.
The first procedure shows how to create a policy called MediaLivePowerAccess that gives full read/
write access to AWS Elemental MediaLive.
The second procedure shows how to create a policy called MediaConnectPowerAccess that gives full read/write access to MediaConnect.
The third procedure shows how to create a policy called MediaLiveTrustedEntityAccess that gives access to six operations in AWS IAM. These actions allow IAM users to create and update a trusted entity role for AWS Elemental MediaLive by setting the fields in the IAM role section on the Channel and input details page on the MediaLive console.
To create the MediaLivePowerAccess policy
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Policies, and then choose Create policy. On the Visual editor tab, follow the prompts to create a policy with these options:
• Service: MediaLive
• Actions: All MediaLive actions (medialive.*)
• Resources: Choose Resources to open the section, and choose All resources.
• Request conditions: Omit this option
3. Choose Review policy.
4. On the Create policy page, for Name, enter MediaLivePowerAccess.
5. For Description, optionally describe the purpose of this policy. This helps you identify the policy on the dashboard.
6. Choose Create policy.
To create the MediaConnectPowerAccess policy
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Policies, and then choose Create policy. On the Visual editor tab, follow the prompts to create a policy with these options:
• Service: MediaConnect
• Actions: All MediaConnect actions (mediaconnect.*)
• Resources: Choose Resources to open the section, and choose All resources.
• Request conditions: Omit this option
3. Choose Review policy.
4. On the Create policy page, for Name, enter MediaConnectPowerAccess.
5. For Description, optionally describe the purpose of this policy. This helps you identify the policy on the dashboard.
6. Choose Create policy.
To create the MediaLiveTrustedEntityAccess policy
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Policies, and then choose Create policy. On the Visual editor tab, follow the prompts to create a policy with these options:
• Service: IAM
• Actions: In the filter box under Specify the actions allowed in IAM, search for and then select each of these actions:
• ListRoles
• GetRolePolicy
• CreateRole
• PassRole
• AttachRolePolicy
• PutRolePolicy
• Resources: Choose Resources to open the section, and choose All resources.
• Request conditions: Omit this option
3. Choose Review policy.
4. On the Create policy page, for Name, enter MediaLiveTrustedEntityAccess.
5. For Description, optionally describe the purpose of this policy. This helps you identify the policy on the dashboard.
6. Choose Create policy.
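The three procedures above produce policy documents that the console never shows side by side. The following block writes them out as IAM policy JSON and adds a tighter variant of MediaLiveTrustedEntityAccess. This is an added example, not output of the console procedure. The scoped variant assumes you are willing to limit iam:PassRole with the iam:PassedToService condition key, so that the grant only lets a user hand a role to MediaLive and not to any other service; the other five IAM actions stay on all resources exactly as in the procedure, which is one reason the page restricts these policies to a few pre-production users.

```python
"""The three Step 1 customer managed policies as IAM JSON, plus a scoped variant of
MediaLiveTrustedEntityAccess. Added example, not console output; the PassedToService
condition is an assumption about how tightly you want PassRole scoped."""

import json
from fnmatch import fnmatchcase

VERSION = "2012-10-17"


def service_full_access(service):
    """Visual-editor equivalent of 'All <service> actions' on 'All resources'."""
    return {"Version": VERSION,
            "Statement": [{"Effect": "Allow", "Action": f"{service}:*", "Resource": "*"}]}


MEDIALIVE_POWER_ACCESS = service_full_access("medialive")
MEDIACONNECT_POWER_ACCESS = service_full_access("mediaconnect")

TRUSTED_ENTITY_ACTIONS = ["iam:ListRoles", "iam:GetRolePolicy", "iam:CreateRole",
                          "iam:PassRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"]

# Exactly what the procedure builds: the six actions on all resources.
MEDIALIVE_TRUSTED_ENTITY_ACCESS = {
    "Version": VERSION,
    "Statement": [{"Effect": "Allow", "Action": TRUSTED_ENTITY_ACTIONS, "Resource": "*"}],
}

# Scoped variant: PassRole is allowed only when the role is being passed to MediaLive.
MEDIALIVE_TRUSTED_ENTITY_ACCESS_SCOPED = {
    "Version": VERSION,
    "Statement": [
        {"Effect": "Allow",
         "Action": [a for a in TRUSTED_ENTITY_ACTIONS if a != "iam:PassRole"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*",
         "Condition": {"StringEquals": {"iam:PassedToService": "medialive.amazonaws.com"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allows_unscoped_pass_role(policy):
    """True if an Allow statement grants iam:PassRole (directly or through a wildcard)
    on every resource with no Condition. Such a grant lets the user attach any role
    in the account to a channel, however powerful that role is."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt.get("Condition"):
            continue
        if "*" not in _as_list(stmt["Resource"]):
            continue
        # IAM action names match case-insensitively and accept * wildcards.
        if any(fnmatchcase("iam:passrole", a.lower()) for a in _as_list(stmt["Action"])):
            return True
    return False


def to_json(policy):
    """Serialise for the IAM console JSON tab or aws iam create-policy --policy-document."""
    return json.dumps(policy, indent=2)
```

`allows_unscoped_pass_role` is the check to run over any policy you attach to the MediaLivePowerUsers group: it flags the policy the procedure builds and passes the scoped variant. Note that it inspects a single policy document; what a user can actually do is the combination of every policy attached to every group they belong to.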
Step 2: Create an IAM group
The procedure in this section shows how to create an IAM group and attach policies. Anyone with IAM administrator-level credentials can perform the procedure. Perform this procedure once, at initial setup.
Before you start the procedure, you should have already created the three policies in Step 1: Create Customer Managed Policies (p. 17).
To create a group
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Groups, and then choose Create New Group.
3. On the Set Group Name page, for Group Name, enter MediaLivePowerUsers, and then choose Next Step.
4. On the Attach Policy page, select the check boxes for the following policies:
• MediaLivePowerAccess (customer managed policy)
• MediaConnectPowerAccess (customer managed policy)
• MediaLiveTrustedEntityAccess (customer managed policy)
• CloudWatchReadOnlyAccess (AWS managed policy)
• CloudWatchEventsFullAccess (AWS managed policy)
• AmazonEC2FullAccess (AWS managed policy for access to Amazon Virtual Private Cloud)
• AWSElementalMediaPackageFullAccess (AWS managed policy)
• ResourceGroupsandTagEditorFullAccess (AWS managed policy)
• AmazonSSMFullAccess (AWS managed policy for access to AWS Systems Manager)
• AmazonSNSFullAccess (AWS managed policy)
This diagram shows how the policies and group are associated.
Step 3: Create or add an IAM user to your group
The procedure in this section shows how to create or edit an IAM user identity. Anyone with IAM administrator-level credentials can perform the procedure. Perform this step for each user.
Note
This procedure shows how to set up an IAM user for console access, but not for AWS CLI or AWS SDK access. To set up for programmatic access, see the IAM User Guide.
Creating an IAM user and adding the user to your group
Typically, you create an IAM user identity for an AWS user only if a person doesn't have an existing identity. If the person already has an IAM user identity, you can modify their access (p. 20) instead.
To create an IAM user and add the user to your group
1. Sign in to the AWS Management Console as an administrator, and open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Users, and then choose Add user.
3. On the Add User page, for User name, enter a name for the user.
For Access type, select AWS Management Console access.
For Console password, choose Custom password, and then enter a password.
For Require password reset, we recommend that you select the check box.
4. Choose Next: Permissions.
5. On the Set permissions for user page, choose Add user to group.
6. Select the check box for the MediaLivePowerUsers group that you created in Step 2: Create a Group (p. 18), and then choose Next: Review.
7. Choose Create user.
8. Optionally choose Send email to send an email to this user. Your local email client opens with a draft email that includes the user name and sign-in URL.
9. Choose Close to return to the navigation pane.
10. Provide the user with their password (it is not included in the generated email). You must provide the password in a way that complies with your organization's security guidelines.
Repeat the steps to add more IAM users. As an example, the following diagram shows three IAM users that are associated with the same group, MediaLivePowerUsers.
Adding an existing IAM user to your group
You can add an existing IAM user to a group that you create for AWS Elemental MediaLive, even if the user is already a member of other groups. In this procedure, you add the user to the MediaLivePowerUsers group that you created in Step 2: Create a Group (p. 18).
For more information about IAM users and groups, see IAM User Guide.
To add an existing IAM user to your group
1. Sign in to the AWS Management Console as an administrator, and open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Users.
3. In the list of users, choose the user name (don't choose the check box).
4. On the Summary page, choose the Groups tab. On the Groups tab, choose Add user to groups, and then select the MediaLivePowerUsers group that you created in Step 2: Create a Group (p. 18).
5. Choose Add to Groups.
You now have a setup where an IAM user belongs to more than one group: the original groups and the group that you added. IAM evaluates all the policies attached to all of the user's groups together. An explicit Deny in any policy overrides any Allow; otherwise the user is allowed an action if any one of the policies allows it. The user's permissions are therefore the union of the groups' permissions, not the intersection. One situation in which this matters is if the existing user already has permissions in IAM that are broader than those in the MediaLiveTrustedEntityAccess policy that you created: adding the user to the MediaLivePowerUsers group does not narrow those permissions.
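The combination rule is worth seeing run, because the intuition that "the most restrictive group wins" is wrong and leads to over-privileged users. The following evaluator is an added example, not IAM code: it models only Effect, Action and Resource (no Condition elements, resource-based policies, permissions boundaries or service control policies), and the two groups and the role ARN are constructed for the illustration.

```python
"""Simplified model of how IAM combines the policies attached to every group a user
belongs to: an explicit Deny anywhere wins, otherwise any matching Allow grants the
action, and with neither the request is denied by default. Added example, not IAM
code; Conditions, resource policies and boundaries are out of scope here."""

from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policies, action, resource):
    """Return 'explicit deny', 'allow' or 'implicit deny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            # Action names match case-insensitively and accept * wildcards.
            if not any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"])):
                continue
            if not any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit deny"      # nothing in any other policy can override this
            allowed = True
    return "allow" if allowed else "implicit deny"


ROLE_ARN = "arn:aws:iam::123456789012:role/medialive-channel-role"  # constructed

# Group the user already belonged to: broad IAM rights.
EXISTING_GROUP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}

# MediaLivePowerUsers: only the six MediaLiveTrustedEntityAccess actions.
MEDIALIVE_GROUP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "iam:ListRoles", "iam:GetRolePolicy", "iam:CreateRole",
        "iam:PassRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"]}]}

# The only thing that narrows access: an explicit Deny, here protecting the channel role.
GUARDRAIL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["iam:DeleteRole", "iam:UpdateAssumeRolePolicy"],
     "Resource": ROLE_ARN}]}


def membership_effects():
    """Adding a group widens access (union); only a Deny narrows it."""
    both = [EXISTING_GROUP_POLICY, MEDIALIVE_GROUP_POLICY]
    return {
        "delete_user, MediaLive group only": evaluate([MEDIALIVE_GROUP_POLICY], "iam:DeleteUser", "*"),
        "delete_user, both groups": evaluate(both, "iam:DeleteUser", "*"),
        "pass_role, MediaLive group only": evaluate([MEDIALIVE_GROUP_POLICY], "iam:PassRole", ROLE_ARN),
        "delete_role, both groups + guardrail": evaluate(both + [GUARDRAIL_POLICY], "iam:DeleteRole", ROLE_ARN),
    }
```

The third case is the one the page warns about: a user whose existing group grants iam:* keeps iam:DeleteUser after joining MediaLivePowerUsers. If you need to narrow an existing user's IAM access, remove them from the broad group or add an explicit Deny, as the guardrail policy does for the channel role.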
Setting up AWS Elemental MediaLive as a trusted service
Every time a user creates a channel, they must attach an IAM role that sets up MediaLive as a trusted entity for that channel. You must give the user the permissions to set up this trusted entity.
You give this permission when you create the user. You create a policy called MediaLiveTrustedEntityAccess and attach it to the group that the users belong to. For detailed information, see the section called “Step 1: Create customer managed policies” (p. 17).
Setting up: IAM permissions for AWS Elemental MediaLive for a production environment
This chapter provides procedures for setting up users and other AWS identities so that they can use AWS Elemental MediaLive in a production environment. It describes options for imposing restricted controls on users, so that you can set up permissions that conform with the security policies and procedures of your organization.
Before you follow these procedures, do the initial setup described in Setting up: IAM permissions (p. 14).
Those instructions show you how to grant broad permissions to users for non-production environments.
Then return to this chapter to create limited permissions for a production environment.
Note
For part of the setup described in this chapter, you use the AWS Identity and Access Management (AWS IAM) service to create user and administrator identities. There might be features of IAM, such as cross-account access, that are not covered in this chapter but are appropriate and useful to your deployment. For information about all IAM features, see the AWS IAM User Guide.
In this chapter, we assume the following:
• You are now moving from experimenting with MediaLive to using MediaLive in a production environment.
• You have followed the procedures in Setting up: IAM permissions (p. 14) to sign up for MediaLive and to create a full-access administrator user.
• You have followed the procedures in the section called “Creating a non-administrator IAM user” (p. 16) and are therefore familiar with the process for creating IAM users and IAM groups using the IAM console.
This chapter also describes the AWS services that integrate with or depend on MediaLive. For some of these services, you must grant permissions so that users can access the services and use them with MediaLive. For other services, you don't need to grant permissions because the services are fully integrated with MediaLive. Following is a list of the AWS services that are covered in this chapter:
• AWS CloudTrail
• Amazon CloudWatch
• Amazon CloudWatch Events
• Amazon CloudWatch Logs
• Amazon Elastic Compute Cloud (Amazon EC2)
• AWS IAM
• AWS Elemental MediaConnect
• AWS Elemental MediaPackage
• AWS Elemental MediaStore
• AWS Resource Groups (Resource Group Tagging)
• Amazon Simple Notification Service (Amazon SNS)
• Amazon Simple Storage Service (Amazon S3)
• AWS Systems Manager
The following sections describe how to grant permissions to MediaLive and, if needed, the other AWS services.
Topics
• Setting up administrators and users (p. 22)
• Creating an administrator user with limited access (p. 22)
• Creating a non-administrator user (p. 25)
• Setting up AWS Elemental MediaLive as a trusted service (p. 44)
• Reference: summary of non-administrator user access requirements (p. 50)
• Reference: summary of requirements for the MediaLive trusted entity (p. 56)
Setting up administrators and users
You must set up each person who will use AWS Elemental MediaLive as an IAM user. It is useful to split user identities into three general groups:
• Full-access administrator users. These users have full read/write access to all AWS services, users, and resources, including broad permissions in IAM.
You already created this user when you followed the procedure in the section called “Creating an administrator IAM user” (p. 14).
• Administrators with limited access. Typically, these users have more permissions than a non- administrator user, but they don't have broad permissions in IAM.
See the section called “Creating an administrator user with limited access” (p. 22).
• Non-administrator users or "regular users." Typically, these users have broad permissions to MediaLive and to some of the services, such as MediaConnect, that MediaLive interacts with. These users have very limited permissions in IAM.
See the section called “Creating a non-administrator user ” (p. 25).
We recommend that you set up most users as non-administrator users. Set up only highly trusted users as administrator users.
Creating an administrator user with limited access
If you are a full-access administrator, you can create other administrator users and assign each one a different level of access. These administrator users have more access than non-administrator users ("regular" users), but they have less access than full-access administrator users. They can use AWS Elemental MediaLive in the same way as regular users, but they can also create non-administrative users and set up some of the services that MediaLive integrates with.
For example, you might create an administrator user with the following access:
• For MediaLive and services that integrate with MediaLive, the administrator has the same access as regular users.
• For services that require some setup to work with MediaLive, the administrator has more access than regular users.
• For IAM, the administrator has more access than regular users, but less than full-access administrators.
The following procedure shows how to create an administrative user who has limited access. You start by creating a custom policy with a name such as MediaLiveAdminAccess, creating a group called MediaLiveAdministrators, and attaching the policy to the group. Next, you create the administrator user and add the user to the group. The procedure assumes that the new administrator user does not need permissions to troubleshoot issues with MediaLive other than access issues.
To create a custom policy for a MediaLive administrator
1. Sign in to the AWS Management Console as a full-access administrator, and open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Policies, and then choose Create policy. On the Create policy page, choose the Visual editor tab. This tab is a policy generator that lets you build a policy by selecting actions from a list to add them to the policy.
3. Read the table at the end of this procedure, and create a policy that gives access to the actions that aren't already covered by an existing policy. You don't need to create a policy when we suggest using an existing policy. For information about the purpose of these actions, see the section called “Step 1: Requirements for permissions” (p. 26).
4. To create the policy, follow the prompts on the console. Here are some tips for creating the policy:
• You can create one policy that covers several services. You don't need to create a policy for each separate service. To create a policy for several services, choose the actions for one service, and then choose Add additional permissions at the bottom of the page to set up another service. You might need to move both of the vertical scroll bars to the bottom to display this link.
• If you do choose to create one policy that covers several services, you might choose to create the policy with actions for one service, save it, then edit the policy to add permissions for another service, and so on.
• You can choose the Import managed policy button to import an existing policy into this policy.
The policy actions are copied over (the policy is not copied by reference), so after importing you can add and remove actions if you want.
For full instructions on creating a custom policy, see the IAM User Guide.
The following table shows which actions to include in the policy in order to grant the identified access to the user. Each entry gives the feature, the corresponding service in IAM, the type of access, and the actions to include in the policy.

Feature: MediaLive Features
Corresponding service in IAM: MediaLive
Type of access: Full access to MediaLive. It is a good idea for the administrator to be able to work with all MediaLive features.
Actions to include in the policy: Use the customer managed policy MediaLivePowerAccess. If you followed the procedures in Setting up: IAM permissions (p. 14), you created this policy in the section called “Step 1: Create customer managed policies” (p. 17).

Feature: Monitoring Channel Health
Corresponding service in IAM: CloudWatch
Type of access: Limited access to CloudWatch (the same access as non-administrator users).
Actions to include in the policy: See the section called “Reference: summary of user access” (p. 50).

Feature: Setting Up for Email Notification
Corresponding service in IAM: CloudWatch Events
Type of access: Full access to CloudWatch Events, to set up users for email notification. (To set up for email notification, users also need access to SNS. See later in this table.)
Actions to include in the policy: Use the managed policy CloudWatchEventsFullAccess. The administrator might not need all these actions, but giving full access is probably low risk.

Feature: Setting Up Channel Logging
Corresponding service in IAM: CloudWatch Logs
Type of access: Limited access to CloudWatch Logs (the same access as non-administrator users).
Actions to include in the policy: See the section called “Reference: summary of user access” (p. 50).

Feature: Creating a VPC Input; Setting up for delivery to your VPC
Corresponding service in IAM: EC2
Type of access: Limited access to Amazon EC2 (the same access as non-administrator users).
Actions to include in the policy: See the section called “Reference: summary of user access” (p. 50).

Feature: Setting Up User Identities for MediaLive
Corresponding service in IAM: IAM
Type of access: Limited access to manage users, groups, policies, and trusted entity roles.
Actions to include in the policy: The action ChangePassword, and all actions that have any of these strings in their name: "User", "Group", "Policy", "Policies", "Role", "AccessKey", "LoginProfile". Don't include actions that also have the string "Instance" or the string "ContextKeys".

Feature: Setting Up Email Notification
Corresponding service in IAM: SNS
Type of access: Full access to SNS, to set up email notification for users. (To set up for email notification, users also need access to CloudWatch Events. See earlier in this table.)
Actions to include in the policy:
Use the
managed policy AmazonSNSFullAccess.
The administrator might not need all these actions, but giving full access is probably low risk.
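The IAM entry above is the only one whose action list is described by a naming rule rather than by a managed policy, so it is the easiest to get wrong when you pick actions by hand in the visual editor. The script below is an added example (it is not part of this guide and not an AWS tool) that applies that rule mechanically: it keeps ChangePassword, keeps every action whose name contains one of the listed strings, drops any that also contain "Instance" or "ContextKeys", and emits a policy document in the JSON format that the IAM console's JSON tab accepts. The action names it runs over are a constructed sample of real IAM API operations chosen to exercise each branch of the rule, not the complete IAM action list; the statement ID `MediaLiveAdminIamAccess` is an assumed value you can rename.

```python
"""Select IAM actions for the "Setting Up User Identities" entry.

Added example, not from the AWS Elemental MediaLive User Guide. It applies
the guide's lexical rule to a list of IAM action names and builds a policy
document. SAMPLE_IAM_ACTIONS is a constructed subset of real IAM API
operation names; feed select_actions() the full list in practice.
"""
import json

# Strings from the guide's rule.
INCLUDE_SUBSTRINGS = ("User", "Group", "Policy", "Policies",
                      "Role", "AccessKey", "LoginProfile")
EXCLUDE_SUBSTRINGS = ("Instance", "ContextKeys")
ALWAYS_INCLUDE = ("ChangePassword",)

# Constructed sample: each name is a real IAM operation, chosen so that
# every branch of the rule is exercised at least once.
SAMPLE_IAM_ACTIONS = [
    "ChangePassword",                    # named explicitly by the rule
    "CreateUser", "DeleteUser", "ListUsers",
    "CreateGroup", "AddUserToGroup",
    "CreatePolicy", "CreatePolicyVersion", "ListPolicies",
    "CreateRole", "AttachRolePolicy", "PassRole",
    "CreateAccessKey", "DeleteAccessKey",
    "CreateLoginProfile", "UpdateLoginProfile",
    "SimulatePrincipalPolicy",
    "CreateInstanceProfile",             # contains "Instance": excluded
    "AddRoleToInstanceProfile",          # "Role" but also "Instance": excluded
    "GetContextKeysForPrincipalPolicy",  # "Policy" but also "ContextKeys": excluded
    "GetAccountSummary",                 # matches nothing: excluded
]


def matches_rule(action: str) -> bool:
    """Return True if the guide's rule admits this bare IAM action name."""
    if action in ALWAYS_INCLUDE:
        return True
    if any(s in action for s in EXCLUDE_SUBSTRINGS):
        return False
    return any(s in action for s in INCLUDE_SUBSTRINGS)


def select_actions(actions):
    """Apply the rule and return sorted, service-prefixed action names."""
    return sorted({f"iam:{a}" for a in actions if matches_rule(a)})


def build_policy(actions, sid="MediaLiveAdminIamAccess"):
    """Wrap the selected actions in an IAM policy document (Sid is assumed)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Action": select_actions(actions),
            "Resource": "*",
        }],
    }


if __name__ == "__main__":
    # Paste the printed document into the JSON tab of Create policy.
    print(json.dumps(build_policy(SAMPLE_IAM_ACTIONS), indent=2))
```

Because the rule is purely lexical, review the generated list before you attach it: names such as iam:PassRole and iam:CreatePolicyVersion match "Role" and "Policy" and are therefore included, and each of them lets the holder grant permissions well beyond managing MediaLive users, so the resulting policy is "limited" only in the sense that it omits the non-matching IAM actions.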