

# Setting up IAM permissions for users
<a name="setting-up-for-production"></a>

This section describes the permissions that you must assign to users and other AWS identities so that they can work with AWS Elemental MediaLive and other AWS services that your workflows use. After you have identified the required permissions, you will be able to design and create the relevant policies, and attach those policies to groups of users or to roles. 

This section assumes that you have already performed these tasks:
+ You have performed the initial setup described in [Preliminary steps for setting up to use MediaLive](setting-up.md) in order to sign up for MediaLive and to create an administrator. 
+ You have read the recommendations in [Identity and Access Management for AWS Elemental MediaLive](security-iam.md) about how to create administrators, users, and other AWS identities.

**Topics**
+ [Reference: summary of user access](setup-users-step-1-summary.md)
+ [MediaLive](requirements-for-medialive.md)
+ [MediaLive Anywhere](requirements-for-emla.md)
+ [CloudFormation](requirements-for-CFN.md)
+ [CloudFront](requirements-for-CFront.md)
+ [CloudTrail](requirements-for-cloudtrail.md)
+ [CloudWatch—channel health](requirements-for-monitor-channel-health.md)
+ [CloudWatch and Amazon SNS—email notification](requirements-for-email-notification.md)
+ [CloudWatch Logs—channel logging](requirements-for-console-logging.md)
+ [EC2—VPC inputs](requirements-for-vpc-input.md)
+ [EC2—delivery via VPC](requirements-vpc-delivery.md)
+ [Elemental Inference](requirements-for-inference.md)
+ [Link](requirements-for-link.md)
+ [MediaConnect](requirements-for-media-connect.md)
+ [MediaPackage](requirements-for-mediapackage.md)
+ [Resource Groups—tagging](requirements-for-tagging.md)
+ [Amazon S3](requirements-for-s3.md)
+ [Secrets Manager secrets](requirements-for-secrets.md)
+ [Systems Manager parameter store](requirements-for-EC2.md)

# Reference: summary of non-administrator user access requirements
<a name="setup-users-step-1-summary"></a>

The following table shows all the types of permissions that you might need to assign to users. Each row in the table describes an activity or set of related activities that you might want to allow the user to perform. The last column lists the IAM actions that control access to those activities. 

If this table doesn't provide enough information for you to determine which permissions to assign to users, see the alphabetical list of services that follows this section. 

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/medialive/latest/ug/setup-users-step-1-summary.html)

# Requirements for AWS Elemental MediaLive features
<a name="requirements-for-medialive"></a>

You must give your users access to AWS Elemental MediaLive features. The permissions for MediaLive can be divided into three categories:
+ Permissions to create
+ Permissions to view
+ Permissions to run

You might choose to give different access to different kinds of users. For example, you might decide that "basic operators" should not have create permissions. 

In particular, you must decide whether to restrict the ability to work with reservations; you might decide to give this access only to administrators or advanced users. For more information about reservations, see [Working with reservations in MediaLive](reservations.md).

The following table shows the operations in IAM that relate to access for MediaLive.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/medialive/latest/ug/requirements-for-medialive.html)

# Requirements for MediaLive Anywhere
<a name="requirements-for-emla"></a>

Your organization might be deploying MediaLive Anywhere, which lets you run MediaLive channels on on-premises hardware located in your organization's data center.

You must give your users access to perform MediaLive Anywhere operations:
+ Permissions to perform the initial configuration of the MediaLive Anywhere clusters, and to modify the configuration as required.
+ Permissions to work with MediaLive Anywhere resources when creating channels and running workflows

## Configuration actions
<a name="requirements-for-emla-config"></a>

Some users in your organization will configure the clusters of on-premises nodes to work with MediaLive. These users need the following permissions. We recommend that you create separate policies for the MediaLive permissions and the Amazon Elastic Container Service permissions.


| Permissions | Service name in IAM | Actions | 
| --- | --- | --- | 
| Create, modify, and delete networks, clusters, nodes, and SDI sources. | MediaLive |  `CreateNetwork` `CreateCluster` `CreateNode` `CreateSdiSource` `DeleteNetwork` `DeleteCluster` `DeleteNode` `DeleteSdiSource` `UpdateNetwork` `UpdateCluster` `UpdateNode` `UpdateSdiSource`  | 
| Create a cluster | Amazon Elastic Container Service | In addition to CreateCluster, users need access to actions in Amazon Elastic Container Service. For more information, see [Create special FAS policies](emla-deploy-users-ecs-permissions.md). | 
| View networks, clusters, nodes, and SDI sources | MediaLive |  `ListNetworks` `ListClusters` `ListNodes` `ListSdiSources` `DescribeNetwork` `DescribeCluster` `DescribeNode` `DescribeSdiSource`  | 
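The following identity-based policy is an added example, not a policy from the MediaLive documentation. It turns the two MediaLive rows of the table above into two statements: one for users who configure clusters (create, update, delete) and one view-only statement that can be split out into its own policy for users who only inspect networks, clusters, nodes, and SDI sources. The Amazon ECS permissions that `CreateCluster` also needs are intentionally left out, following the recommendation to keep them in a separate policy. The `Sid` values are assumed names chosen for this example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "MediaLiveAnywhereConfigure",
      "Effect": "Allow",
      "Action": [
        "medialive:CreateNetwork",
        "medialive:CreateCluster",
        "medialive:CreateNode",
        "medialive:CreateSdiSource",
        "medialive:UpdateNetwork",
        "medialive:UpdateCluster",
        "medialive:UpdateNode",
        "medialive:UpdateSdiSource",
        "medialive:DeleteNetwork",
        "medialive:DeleteCluster",
        "medialive:DeleteNode",
        "medialive:DeleteSdiSource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MediaLiveAnywhereView",
      "Effect": "Allow",
      "Action": [
        "medialive:ListNetworks",
        "medialive:ListClusters",
        "medialive:ListNodes",
        "medialive:ListSdiSources",
        "medialive:DescribeNetwork",
        "medialive:DescribeCluster",
        "medialive:DescribeNode",
        "medialive:DescribeSdiSource"
      ],
      "Resource": "*"
    }
  ]
}
```

Attach only the `MediaLiveAnywhereView` statement to operators who run workflows but never change cluster configuration; the `List*` actions do not take a resource ARN, which is why the view statement uses `"Resource": "*"`.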

## Runtime actions
<a name="requirements-for-emla-runtime"></a>

Some users in your organization will create push inputs and SDI inputs for sources that originate from your on-premises network. These users need the following permissions. These permissions are in addition to the permissions listed in [Requirements for AWS Elemental MediaLive features](requirements-for-medialive.md).


| Permissions | Service name in IAM | Specific activities that the user can perform | Actions | 
| --- | --- | --- | --- | 
| Create push inputs for channels running on MediaLive Anywhere | MediaLive | Specify the network of a static IP address on a push input. (Using a static IP address is optional.) |  `ListNetworks`  | 
| Create push inputs for channels running on MediaLive Anywhere | MediaLive | Optionally specify the route for a static IP address on a push input. (Using a static IP address is optional.) |  `ListNetworks`  | 
| Create SDI inputs for channels running on MediaLive Anywhere | MediaLive | Select the source for an SDI input |  `ListSdiSources`  | 

# Requirements for CloudFormation
<a name="requirements-for-CFN"></a>

MediaLive includes a workflow wizard. Creation of a workflow always includes automatic creation of a CloudFormation stack. Therefore, to use the workflow wizard, users need permissions in CloudFormation.


| Permissions | Service name in IAM | Actions | 
| --- | --- | --- | 
| Work with the workflow wizard | CloudFormation |  `ListStacks` `DescribeStacks` `DescribeStackResources` `CreateStack` `DeleteStack`  | 

# Requirements for Amazon CloudFront
<a name="requirements-for-CFront"></a>

MediaLive includes a workflow wizard. One of the options in the wizard is to deliver output to AWS Elemental MediaPackage and from there to Amazon CloudFront. Therefore, for users to create a workflow with delivery to MediaPackage, users need permissions in CloudFront. 


| Permissions | Service name in IAM | Actions | 
| --- | --- | --- | 
| Use the workflow wizard to create the CloudFront distribution that is associated with a MediaPackage channel, if your organization supports MediaPackage as an output destination. Use the workflow wizard to delete a workflow that includes a CloudFront distribution. | CloudFront |  `ListDistributions` `DescribeDistribution` `CreateDistribution` `DeleteDistribution`   | 


Note that the required permissions here are very different, because the workflow wizard actually creates the distribution.

# Requirements for AWS CloudTrail
<a name="requirements-for-cloudtrail"></a>

MediaLive is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in MediaLive. 

Users don't need special permissions for AWS CloudTrail.

# Requirements for Amazon CloudWatch—monitoring channel health
<a name="requirements-for-monitor-channel-health"></a>

The AWS Elemental MediaLive console includes a page (**Channel details**) that collects CloudWatch metrics information about the health of channels and displays it directly on the MediaLive console. 

You must decide if you want to give some or all of your users permission to view metrics on the console.

For a user to view this information on the MediaLive console, that user must have view permissions for metrics operations in Amazon CloudWatch. When users have these permissions, they can also view the information through the CloudWatch console, AWS CLI, or REST API.

The following table shows the actions in IAM that relate to access for monitoring channel health.


| Permissions | Service Name in IAM | Actions | 
| --- | --- | --- | 
| View Metrics  | CloudWatch |  `ListMetrics` `GetMetricData` `GetMetricStatistics`  | 

# Requirements for CloudWatch and Amazon SNS—setting up email notification
<a name="requirements-for-email-notification"></a>

MediaLive provides information about channels as they are running. It sends this information to Amazon CloudWatch as events. The details of these events can optionally be distributed to one or more users. Someone must set up this distribution. (For the setup procedure, see [Monitoring a channel or multiplex using Amazon CloudWatch Events](monitoring-via-cloudwatch.md).) 

You must decide if you want to give some or all of your users these permissions. You might choose to allow each user to perform their own distribution setup. Or you might decide that an administrator must be responsible for performing the setup at startup for applicable users, and then again whenever a new user is added.

The following table shows the actions in IAM that relate to access for setting up email notification.


| Permissions | Service Name in IAM | Actions | 
| --- | --- | --- | 
| Write  | CloudWatch Events | All actions | 
| Write | SNS  | All actions | 

# Requirements for Amazon CloudWatch Logs—setting up channel logging
<a name="requirements-for-console-logging"></a>

 MediaLive produces channel logs that it sends to CloudWatch Logs, where users can view them. For more information about channel logs, see [Monitoring a channel using Amazon CloudWatch Logs](monitoring-with-logs.md). 

You must decide if you want to give some or all of your users permission to view the logs in CloudWatch Logs.

You must also decide if you want to give some or all of your users permission to set the retention policy for logs. If you decide not to give this access to any user, an administrator must be responsible for setting the policy. 

Users don't need special permission to enable logging from within MediaLive.

The following table shows the actions in IAM that relate to access for setting up channel logs.


| Permissions | Service name in IAM | Actions | 
| --- | --- | --- | 
| View Logs  | CloudWatch Logs |  `FilterLogEvents` `GetLogEvents`  | 
| Set Retention Policy |  CloudWatch Logs |  `DeleteRetentionPolicy` `PutRetentionPolicy`  | 

# Requirements for Amazon Elastic Compute Cloud—VPC inputs
<a name="requirements-for-vpc-input"></a>

Your deployment might include push inputs that connect to MediaLive from a VPC that you created with Amazon VPC. 

When a user creates this type of input on the MediaLive console, they have the option to choose the subnet and security group from a dropdown list. For the dropdown list to be populated with the resources in Amazon VPC, the user must have the appropriate permissions. For more information about Amazon VPC inputs, see [Creating an input](create-input.md).

The following table shows the actions in IAM that relate to access for populating the dropdown.


| Permissions | Service name in IAM | Actions | 
| --- | --- | --- | 
| View the VPC subnets and VPC security groups on the MediaLive console | EC2 |  `DescribeSubnets` `DescribeSecurityGroups`  | 

# Requirements for Amazon Elastic Compute Cloud—delivery via VPC
<a name="requirements-vpc-delivery"></a>

Your deployment might include setting up some channels for delivery to output endpoints in Amazon Virtual Private Cloud (Amazon VPC). 

When a user sets up for this feature on the MediaLive console, they have the option to choose subnets, security groups, and EIPs from a dropdown list. For the dropdown list to be populated with the resources in Amazon VPC, the user must have the appropriate permissions. For information about this feature, see [Delivering outputs via your VPC](delivery-out-vpc.md).

The following table shows the actions in IAM that relate to access for populating the dropdowns.


| Permissions | Service name in IAM | Actions | 
| --- | --- | --- | 
| View the VPC subnets and VPC security groups on the MediaLive console. | EC2 |  `DescribeSubnets` `DescribeSecurityGroups`  | 
| View the Elastic IP addresses on the console. The console finds the Elastic IP addresses that have been allocated for use in your AWS account. | EC2 |  `DescribeAddresses`  | 

# Requirements for Elemental Inference
<a name="requirements-for-inference"></a>

Your organization might implement [AWS Elemental Inference features](elemental-inference.md) in a channel. Users who configure the channel to use these features need permissions to work with feeds. 
+ Users need permissions to work with feeds. Users need these permissions even though they are using the MediaLive console or API to set up the feeds and to associate the channel with the feed. 
+ Users need permissions to let MediaLive perform setup on a feed after the channel has been created or modified. The setup involves associating the channel with the feed. MediaLive uses IAM forward access sessions (FAS) to send and retrieve.


| Permissions | Service name in IAM | Actions | 
| --- | --- | --- | 
| When configuring a channel, so that MediaLive can work with the Elemental Inference feed. | Elemental Inference |  `CreateFeed` `DeleteFeed` `GetFeed` `ListFeeds` `UpdateFeed`  | 
| After configuration of a channel, so that MediaLive can use FAS to associate the channel with the Elemental Inference feed. | Elemental Inference |  `AssociateFeed` `DisassociateFeed` `GetFeed`  | 

# Requirements for AWS Elemental Link
<a name="requirements-for-link"></a>

Your organization might deploy AWS Elemental Link hardware devices in one or both of these ways:
+ As the video source for the input that you attach to an AWS Elemental MediaLive channel. 
+ As the video source for an AWS Elemental MediaConnect flow. 

This section describes the permissions that you (an IAM administrator) must assign to users and other AWS identities so that they can configure an AWS Elemental Link device to work with a MediaLive input or a MediaConnect flow. For more information about these devices, see [Setting up AWS Elemental Link](setup-devices.md).

Read this information as follows:
+ Read this information if your organization has users who will both deploy devices and use those devices with MediaLive. 
+ Your organization might also have users who will only work with MediaLive to deploy devices and configure them for use as sources, and you might want to follow a *least permissions* rule for those users. If this is the case, see [Setting up users with IAM permissions](device-iam-for-user.md). 

You must assign permissions for actions in several services, as described in the following table. 


| Permissions | Service name in IAM | Actions | 
| --- | --- | --- | 
| Deploy, configure, and view an AWS Elemental Link device  | MediaLive |  `DescribeInputDevice` `DescribeInputDeviceThumbnail` `ListInputDevices` `RebootInputDevice` `StartInputDeviceMaintenanceWindow` `StartInputDevice` `StopInputDevice` `UpdateInputDevice`  | 
| Handle transfers of AWS Elemental Link devices | MediaLive |  `AcceptInputDeviceTransfer` `CancelInputDeviceTransfer` `ClaimDevice` `ListInputDeviceTransfers` `RejectInputDeviceTransfer` `TransferInputDevice`  | 
|  On the MediaLive console, view MediaConnect flows in the dropdown list. This dropdown list appears in the **Flow ARN** field in the **Attachments** tab on the **Device details** page.  | MediaConnect | ListFlows | 
|  On the MediaLive console, view IAM roles in the dropdown list. This dropdown list appears in the **Role ARN** field in the **Attachments** tab on the **Device details** page.  | IAM | ListRoles | 
|  On the MediaLive console, view Secrets Manager secrets in the dropdown list. This dropdown list appears in the **Secret ARN** field in the **Attachments** tab on the **Device details** page.  | Secrets Manager | ListSecrets | 
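The policy below is an added example, not a policy from the MediaLive documentation. It gathers the four services in the table above into one document, with device operation, device transfer, and the console dropdowns in separate statements so that the transfer statement can be dropped for users who operate devices but must not hand them to another account. The `Sid` values are assumed names. The three dropdown actions (`mediaconnect:ListFlows`, `iam:ListRoles`, `secretsmanager:ListSecrets`) are list operations that do not accept a resource ARN, so they must be granted on `"Resource": "*"`.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LinkDeviceOperate",
      "Effect": "Allow",
      "Action": [
        "medialive:DescribeInputDevice",
        "medialive:DescribeInputDeviceThumbnail",
        "medialive:ListInputDevices",
        "medialive:RebootInputDevice",
        "medialive:StartInputDeviceMaintenanceWindow",
        "medialive:StartInputDevice",
        "medialive:StopInputDevice",
        "medialive:UpdateInputDevice"
      ],
      "Resource": "*"
    },
    {
      "Sid": "LinkDeviceTransfer",
      "Effect": "Allow",
      "Action": [
        "medialive:AcceptInputDeviceTransfer",
        "medialive:CancelInputDeviceTransfer",
        "medialive:ClaimDevice",
        "medialive:ListInputDeviceTransfers",
        "medialive:RejectInputDeviceTransfer",
        "medialive:TransferInputDevice"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DeviceDetailsDropdowns",
      "Effect": "Allow",
      "Action": [
        "mediaconnect:ListFlows",
        "iam:ListRoles",
        "secretsmanager:ListSecrets"
      ],
      "Resource": "*"
    }
  ]
}
```

Note that `iam:ListRoles` and `secretsmanager:ListSecrets` reveal the names of every role and secret in the account, not only the ones meant for Link devices; if that is more than the console users should see, the alternative the table allows for is to have them paste the role ARN and secret ARN by hand, which needs no IAM or Secrets Manager permission.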

# Requirements for AWS Elemental MediaConnect
<a name="requirements-for-media-connect"></a>

Your deployment might include using a flow from AWS Elemental MediaConnect as an input to AWS Elemental MediaLive. 

Users need permissions to perform actions in MediaConnect when they use the MediaLive workflow wizard. Users don't need special permissions when they use the regular MediaLive console to specify a MediaConnect flow in an input or channel. 


| Permissions | Service name in IAM | Actions | 
| --- | --- | --- | 
| Use the workflow wizard to create a MediaConnect flow, if your organization supports sources from MediaConnect. Use the workflow wizard to delete a workflow that includes a source from MediaConnect. | MediaConnect |  `List*` `Describe*` `Create*` `Delete*`  | 

# Requirements for AWS Elemental MediaPackage
<a name="requirements-for-mediapackage"></a>

Your deployment might send outputs to AWS Elemental MediaPackage, either by creating an [HLS output group or by creating a MediaPackage output group](hls-choosing-hls-vs-emp.md). (Note that both MediaLive and MediaPackage have "channels"; however, they are different objects.)

The user needs permissions to perform actions in MediaPackage when they use the MediaLive console and when they use the MediaLive workflow wizard. 


| Permissions | Service name in IAM | Actions | 
| --- | --- | --- | 
| On the MediaLive console, view the MediaPackage channels in the dropdown list on the MediaLive channel. | MediaPackage |  `Describe*`  | 
| Use the workflow wizard to create a MediaPackage channel, if your organization supports MediaPackage as an output destination. Use the workflow wizard to delete a workflow that includes a MediaPackage output. | MediaPackage |  `List*` `Describe*` `Create*` `Delete*`  | 

# Requirements for AWS Resource Groups—tagging
<a name="requirements-for-tagging"></a>

When users create channels, inputs, or input security groups, they can optionally attach tags to the resource during creation. Typically, your organization has a policy to tag or to omit tags. There are two services that control permissions for tagging, for two different scenarios:
+ The ability to tag during channel creation is controlled by actions within AWS Elemental MediaLive. See [Requirements for AWS Elemental MediaLive features](requirements-for-medialive.md). 
+ The ability to modify tags in existing resources is controlled by actions within Resource Group Tagging. See [Working with Tag Editor](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/tag-editor.html) in [Getting Started with the AWS Management Console](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/getting-started.html).

# Requirements for Amazon S3
<a name="requirements-for-s3"></a>

Your deployment might include using files in an Amazon S3 bucket. For example, your deployment might use files in the following ways:
+ As the source for an HLS input
+ As the destination for an Archive output group
+ As the destination for an HLS output group

Users don't need special permissions to specify an Amazon S3 bucket in a field on the MediaLive console. 

# Requirements for Secrets Manager secrets
<a name="requirements-for-secrets"></a>

Your deployment might include the following resources:
+ SRT inputs for SRT content that is encrypted by the upstream system. 

  When the user creates this type of input, they must enter or select the ARN of a secret that holds the passphrase for decrypting the content. 
+ SRT caller outputs. MediaLive always encrypts this type of output.

  When the user creates this type of output, they must enter or select the ARN of a secret that holds the passphrase for encrypting content.
+ AWS Elemental Link hardware devices that are used in MediaLive or in MediaConnect. For more information about permissions for this use case, see [Requirements for AWS Elemental Link](requirements-for-link.md).


| Permissions | Service name in IAM | Actions | 
| --- | --- | --- | 
| On the MediaLive console, when creating an SRT Caller input, to view secrets in the dropdown list. On the MediaLive console, when creating an SRT Caller output, to view secrets in the dropdown list. | Secrets Manager |  `ListSecrets`  | 

## Required permissions
<a name="secrets-permissions"></a>

**Permission to create an ARN**

A user with permissions on Secrets Manager must set up the passphrase as a secret, then provide the MediaLive user with the ARN of that secret. 

**Permission to select a passphrase**

For a list of ARNs to appear in the dropdown list on the console, the console user must have `ListSecrets` in Secrets Manager. The user can then select an ARN from the list.

**Permission to enter an ARN**

No special permission is required to enter the passphrase on the AWS Elemental MediaLive console. 

# Requirements for AWS Systems Manager password parameters
<a name="requirements-for-EC2"></a>

The AWS Elemental MediaLive console includes a feature that lets a user create a password parameter in the AWS Systems Manager Parameter Store. This feature is part of the **Create Channel** page. This feature does not exist in the AWS CLI or REST API.

You must decide if you want to give some or all of your users permission to use this feature. (If you don't give this access to any users, then an administrator must be responsible for creating parameters.)

## About the feature for creating password parameters
<a name="about-EC2Password"></a>

The AWS Systems Manager Parameter Store is used extensively in AWS Elemental MediaLive. It is likely that you will use this store. The store holds passwords that MediaLive needs to retrieve and store files externally. 

Here are some of the MediaLive functions that use this store to hold passwords:
+ An input of type RTMP Pull or type HLS Pull, if the connection is secure. 
+ Fields in the channel that hold the URL to an external file, if the connection is secure. An example of this type of field is **Avail blanking image**.
+ The destination in an HLS output group or a Microsoft Smooth output group, if the connection is secure.

In all these cases, MediaLive needs the user name and the password. The password is always stored in a parameter. Therefore, the console includes a **Username** field and a **Password parameter** field. For an example of the relevant fields, open the MediaLive console, choose **Create channel**, **General settings**, **Avail blanking**, **Avail blanking image**, and then choose **Credentials**.

## How password parameters work
<a name="how-passwordparam-works"></a>

The password parameter feature ensures that when the user is creating a channel, AWS Elemental MediaLive does not store passwords in plaintext. It works as follows:
+ First, a user or administrator creates a password parameter in AWS Systems Manager Parameter Store. The parameter is a name-value pair where the name is something like **corporateStorageImagesPassword** and the value is the actual password. 
+ Second, when a user is creating a channel or input in MediaLive and needs to enter a password, the user specifies the password parameter name instead of the password. That name is stored in MediaLive. The actual password is never stored in MediaLive.
+ Finally, when the channel is running and MediaLive needs the password (to either read or write to the external location), it sends the password parameter name to Parameter Store and gets back the actual password in response.

## Create feature that is built into MediaLive
<a name="passwordparam-in-medialive"></a>

When a password field appears on the console, AWS Elemental MediaLive includes a feature that lets the user do one of the following:
+ Enter the name of an existing password parameter.
+ Create a password parameter by entering the name-value pair (a parameter name and an actual password). 

## Required permissions
<a name="passwordparam-permissions"></a>

Users must enter the name of a password parameter or select a name from the dropdown list. Some users might need permission to create a password parameter within AWS Elemental MediaLive.

### Permission to enter a name
<a name="passwordparam-permissions-list"></a>

No special permission is required to enter the name of an existing password parameter on the AWS Elemental MediaLive console. 

### Permission to select a name
<a name="passwordparam-permissions-select"></a>

For the user to select a name from the dropdown list, the user must have permission for `GetParameters` in AWS Systems Manager.

### Permission to create
<a name="passwordparam-permissions-create"></a>

For any user to create a password parameter on the AWS Elemental MediaLive console, that user must have permission to specific operations in AWS Systems Manager Parameter Store. (With this permission, the user can also create these password parameters ahead of time on the AWS Systems Manager console. The user can choose the option that they prefer.)

You can give access to some or all users to create these password parameters. Typically, you give this access only to users who are trusted with sensitive passwords; these might be users whom you have identified as advanced users:
+ If you give access only to advanced users, those users must be responsible for creating parameters at startup for the applicable assets and whenever a new asset is required by MediaLive. The users can perform the setup on the MediaLive console or on the AWS Systems Manager console.
+ If you don't give this access to any users, an administrator must be responsible for creating parameters at startup for the applicable assets and whenever a new asset is required by MediaLive. An administrator might prefer to perform this setup on the AWS Systems Manager console. 

### Permission to modify and delete
<a name="passwordparam-permissions-delete-modify"></a>

If you want users to be able to modify and delete password parameters (as well as create them), give access to modify and delete operations. The users will be able to modify and delete from the AWS Systems Manager Parameter Store. (There is no feature on the AWS Elemental MediaLive console for modifying and deleting.) 

You might choose to give this access to the users who have create permissions. Or you might choose to give this access only to administrators. 

The following table shows the actions in IAM that relate to access for the Parameter Store.


| Permissions | Service name in IAM | Actions | 
| --- | --- | --- | 
| Select | Systems Manager | GetParameters | 
| Create  | Systems Manager | PutParameter | 
| Modify and Delete  | Systems Manager |  `DeleteParameter` `DeleteParameters` `DescribeParameters` `GetParameter` `GetParameterHistory` `GetParameters` `GetParametersByPath`  | 
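The following policy is an added example, not a policy from the MediaLive documentation. It implements the "Select" and "Create" tiers of the table above for a user who may create password parameters but not modify or delete them. It assumes that your organization keeps MediaLive password parameters under the path `/medialive/` in account `111122223333` in `us-west-2`; all three are placeholders to replace. Modifying an existing parameter is a `PutParameter` call with overwrite enabled, so the explicit `Deny` on the `ssm:Overwrite` condition key is what separates the create tier from the modify tier. The `Sid` values are assumed names.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SelectExistingPasswordParameter",
      "Effect": "Allow",
      "Action": "ssm:GetParameters",
      "Resource": "arn:aws:ssm:us-west-2:111122223333:parameter/medialive/*"
    },
    {
      "Sid": "CreatePasswordParameter",
      "Effect": "Allow",
      "Action": "ssm:PutParameter",
      "Resource": "arn:aws:ssm:us-west-2:111122223333:parameter/medialive/*"
    },
    {
      "Sid": "NoOverwriteOfExistingParameter",
      "Effect": "Deny",
      "Action": "ssm:PutParameter",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "ssm:Overwrite": "true"
        }
      }
    }
  ]
}
```

For the "Modify and Delete" tier, remove the `Deny` statement and add the delete and read actions from the last row of the table (`ssm:DeleteParameter`, `ssm:DeleteParameters`, `ssm:GetParameter`, `ssm:GetParameterHistory`, `ssm:GetParametersByPath`) on the same `/medialive/*` resource; `ssm:DescribeParameters` does not support resource-level permissions and needs its own statement with `"Resource": "*"`. Scoping every other statement to the `/medialive/` path keeps a MediaLive operator from reading or overwriting parameters that belong to other workloads in the same account.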