# Identity and access management for AWS Elemental MediaConnect Identity and access managementUpdated the IAM guidance for MediaConnect Updated guide to align with the IAM best practices. For more information, see [Security best practices in IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html). AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use MediaConnect resources. IAM is an AWS service that you can use with no additional charge. ## Audience How you use AWS Identity and Access Management (IAM) differs based on your role: + **Service user** - request permissions from your administrator if you cannot access features (see [Troubleshooting AWS Elemental MediaConnect identity and access](security_iam_troubleshoot.md)) + **Service administrator** - determine user access and submit permission requests (see [How AWS Elemental MediaConnect works with IAM](security_iam_service-with-iam.md)) + **IAM administrator** - write policies to manage access (see [AWS Elemental MediaConnect identity-based policy examples](security_iam_id-based-policy-examples.md)) ## Authenticating with identities Authentication is how you sign in to AWS using your identity credentials. You must be authenticated as the AWS account root user, an IAM user, or by assuming an IAM role. You can sign in as a federated identity using credentials from an identity source like AWS IAM Identity Center (IAM Identity Center), single sign-on authentication, or Google/Facebook credentials. For more information about signing in, see [How to sign in to your AWS account](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*. For programmatic access, AWS provides an SDK and CLI to cryptographically sign requests. For more information, see [AWS Signature Version 4 for API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html) in the *IAM User Guide*. ### AWS account root user When you create an AWS account, you begin with one sign-in identity called the AWS account *root user* that has complete access to all AWS services and resources. We strongly recommend that you don't use the root user for everyday tasks. For tasks that require root user credentials, see [Tasks that require root user credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks) in the *IAM User Guide*. ### IAM users and groups An *[IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html)* is an identity with specific permissions for a single person or application. We recommend using temporary credentials instead of IAM users with long-term credentials. For more information, see [Require human users to use federation with an identity provider to access AWS using temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) in the *IAM User Guide*. An [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html) specifies a collection of IAM users and makes permissions easier to manage for large sets of users. For more information, see [Use cases for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/gs-identities-iam-users.html) in the *IAM User Guide*. ### IAM roles An *[IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)* is an identity with specific permissions that provides temporary credentials. You can assume a role by [switching from a user to an IAM role (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html) or by calling an AWS CLI or AWS API operation. For more information, see [Methods to assume a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage-assume.html) in the *IAM User Guide*. IAM roles are useful for federated user access, temporary IAM user permissions, cross-account access, cross-service access, and applications running on Amazon EC2. For more information, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*. ## Managing access using policies You control access in AWS by creating policies and attaching them to AWS identities or resources. A policy defines permissions when associated with an identity or resource. AWS evaluates these policies when a principal makes a request. Most policies are stored in AWS as JSON documents. For more information about JSON policy documents, see [Overview of JSON policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json) in the *IAM User Guide*. Using policies, administrators specify who has access to what by defining which **principal** can perform **actions** on what **resources**, and under what **conditions**. By default, users and roles have no permissions. An IAM administrator creates IAM policies and adds them to roles, which users can then assume. IAM policies define permissions regardless of the method used to perform the operation. ### Identity-based policies Identity-based policies are JSON permissions policy documents that you attach to an identity (user, group, or role). These policies control what actions identities can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*. Identity-based policies can be *inline policies* (embedded directly into a single identity) or *managed policies* (standalone policies attached to multiple identities). To learn how to choose between managed and inline policies, see [Choose between managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-choosing-managed-or-inline.html) in the *IAM User Guide*. ### Other policy types AWS supports additional policy types that can set the maximum permissions granted by more common policy types: + **Permissions boundaries** – Set the maximum permissions that an identity-based policy can grant to an IAM entity. For more information, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*. + **Service control policies (SCPs)** – Specify the maximum permissions for an organization or organizational unit in AWS Organizations. For more information, see [Service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *AWS Organizations User Guide*. + **Resource control policies (RCPs)** – Set the maximum available permissions for resources in your accounts. For more information, see [Resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) in the *AWS Organizations User Guide*. + **Session policies** – Advanced policies passed as a parameter when creating a temporary session for a role or federated user. For more information, see [Session policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) in the *IAM User Guide*. ### Multiple policy types When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how AWS determines whether to allow a request when multiple policy types are involved, see [Policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html) in the *IAM User Guide*. ## Learn more For more information about identity and access management for MediaConnect, continue to the following pages: + [How MediaConnect works with IAM](security_iam_service-with-iam.md) + [Identity-based policy examples](security_iam_id-based-policy-examples.md) + [Resource-based policy examples](security_iam_resource-based-policy-examples.md) + [Policy examples for secrets in AWS Secrets Manager](iam-policy-examples-asm-secrets.md) + [Troubleshooting](security_iam_troubleshoot.md) # How AWS Elemental MediaConnect works with IAM How MediaConnect works with IAM Before you use IAM to manage access to MediaConnect, you should understand what IAM features are available to use with MediaConnect. To get a high-level view of how MediaConnect and other AWS services work with IAM, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*. **Topics** + [ ## MediaConnect identity-based policies ](#security_iam_service-with-iam-id-based-policies) + [ ## MediaConnect resource-based policies ](#security_iam_service-with-iam-resource-based-policies) + [ ## Authorization based on MediaConnect tags ](#security_iam_service-with-iam-tags) + [ ## MediaConnect IAM roles ](#security_iam_service-with-iam-roles) ## MediaConnect identity-based policies With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. MediaConnect supports specific actions, resources, and condition keys. To learn about all of the elements that you use in a JSON policy, see [IAM JSON Policy Elements Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide*. ### Actions Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**. The `Action` element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Include actions in a policy to grant permissions to perform the associated operation. Policy actions in MediaConnect use the following prefix before the action: `mediaconnect:`. For example, to grant someone permission to view a list of entitlements with the MediaConnect `ListEntitlements` API operation, you include the `mediaconnect:ListEntitlements` action in their policy. Policy statements must include either an `Action` or `NotAction` element. MediaConnect defines its own set of actions that describe tasks that you can perform with this service. To specify multiple actions in a single statement, separate them with commas as follows: ``` "Action": [ "mediaconnect:action1", "mediaconnect:action2" ``` You can specify multiple actions using wildcards (\$1). For example, to specify all actions that begin with the word `List`, include the following action: ``` "Action": "mediaconnect:List*" ``` To see a list of MediaConnect actions, see [Actions Defined by AWS Elemental MediaConnect](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awselementalmediaconnect.html#awselementalmediaconnect-actions-as-permissions) in the *IAM User Guide*. ### Resources Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**. The `Resource` JSON policy element specifies the object or objects to which the action applies. As a best practice, specify a resource using its [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html). For actions that don't support resource-level permissions, use a wildcard (\$1) to indicate that the statement applies to all resources. ``` "Resource": "*" ``` MediaConnect has the following ARNs: ``` arn:${Partition}:mediaconnect:${Region}:${Account}:entitlement:${resourceID}:${resourceName} arn:${Partition}:mediaconnect:${Region}:${Account}:flow:${resourceID}:${resourceName} arn:${Partition}:mediaconnect:${Region}:${Account}:output:${resourceID}:${resourceName} arn:${Partition}:mediaconnect:${Region}:${Account}:source:${resourceID}:${resourceName} ``` For more information about the format of ARNs, see [Amazon Resource Names (ARNs) and AWS Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html). For example, to specify the `1-23aBC45dEF67hiJ8-12AbC34DE5fG` flow in your statement, use the following ARN: ``` "Resource": "arn:aws:mediaconnect:us-east-1:111122223333:flow:1-23aBC45dEF67hiJ8-12AbC34DE5fG:BasketballGame" ``` To specify all flows that belong to a specific account, use the wildcard (\$1): ``` "Resource": "arn:aws:mediaconnect:us-east-1:111122223333:flow:*" ``` Some MediaConnect actions, such as those for creating resources, can't be performed on a specific resource. In those cases, you must use the wildcard (\$1). ``` "Resource": "*" ``` Many MediaConnect API actions involve multiple resources. For example, `RemoveFlowOutput` removes an output from a particular flow, so an IAM user must have permissions for the flow and the output. To specify multiple resources in a single statement, separate the ARNs with commas. ``` "Resource": [ "resource1", "resource2" ``` To see a list of MediaConnect resource types and their ARNs, see [Resources Defined by AWS Elemental MediaConnect](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awskeymanagementservice.html#list_awselementalmediaconnect.html#awselementalmediaconnect-resources-for-iam-policies) in the *IAM User Guide*. To learn with which actions you can specify the ARN of each resource, see [Actions Defined by AWS Elemental MediaConnect](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awselementalmediaconnect.html#awselementalmediaconnect-actions-as-permissions). ### Condition keys Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**. The `Condition` element specifies when statements execute based on defined criteria. You can create conditional expressions that use [condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html), such as equals or less than, to match the condition in the policy with values in the request. To see all AWS global condition keys, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*. ### Examples To view examples of MediaConnect identity-based policies, see [AWS Elemental MediaConnect identity-based policy examples](security_iam_id-based-policy-examples.md). ## MediaConnect resource-based policies AWS Elemental MediaConnect does not support resource-based policies. ## Authorization based on MediaConnect tags AWS Elemental MediaConnect does not support tagging resources or controlling access based on tags. ## MediaConnect IAM roles An [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) is an entity within your AWS account that has specific permissions. ### Using temporary credentials with MediaConnect You can use temporary credentials to sign in with federation, assume an IAM role, or to assume a cross-account role. You obtain temporary security credentials by calling AWS STS API operations such as [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) or [GetFederationToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html). MediaConnect supports using temporary credentials. ### Service-linked roles [Service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role) allow AWS services to access resources in other services to complete an action on your behalf. Service-linked roles appear in your IAM account and are owned by the service. An IAM administrator can view but not edit the permissions for service-linked roles. MediaConnect does not support service-linked roles. ### Service roles This feature allows a service to assume a [service role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-role) on your behalf. This role allows the service to access resources in other services to complete an action on your behalf. Service roles appear in your IAM account and are owned by the account. This means that an IAM administrator can change the permissions for this role. However, doing so might break the functionality of the service. MediaConnect does not support service roles. # AWS Elemental MediaConnect identity-based policy examples Identity-based policy examples By default, IAM users and roles don't have permission to create or modify MediaConnect resources. They also can't perform tasks using the AWS Management Console, AWS CLI, or AWS API. An IAM administrator must create IAM policies that grant users and roles permission to perform specific API operations on the specified resources they need. The administrator must then attach those policies to the IAM users or groups that require those permissions. To learn how to create an IAM identity-based policy using these example JSON policy documents, see [Creating Policies on the JSON Tab](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-json-editor) in the *IAM User Guide*. ## Policy best practices Identity-based policies determine whether someone can create, access, or delete MediaConnect resources in your account. These actions can incur costs for your AWS account. When you create or edit identity-based policies, follow these guidelines and recommendations: + **Get started with AWS managed policies and move toward least-privilege permissions** – To get started granting permissions to your users and workloads, use the *AWS managed policies* that grant permissions for many common use cases. They are available in your AWS account. We recommend that you reduce permissions further by defining AWS customer managed policies that are specific to your use cases. For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) or [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*. + **Apply least-privilege permissions** – When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as *least-privilege permissions*. For more information about using IAM to apply permissions, see [ Policies and permissions in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*. + **Use conditions in IAM policies to further restrict access** – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific AWS service, such as CloudFormation. For more information, see [ IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*. + **Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions** – IAM Access Analyzer validates new and existing policies so that the policies adhere to the IAM policy language (JSON) and IAM best practices. IAM Access Analyzer provides more than 100 policy checks and actionable recommendations to help you author secure and functional policies. For more information, see [Validate policies with IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html) in the *IAM User Guide*. + **Require multi-factor authentication (MFA)** – If you have a scenario that requires IAM users or a root user in your AWS account, turn on MFA for additional security. To require MFA when API operations are called, add MFA conditions to your policies. For more information, see [ Secure API access with MFA](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html) in the *IAM User Guide*. For more information about best practices in IAM, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*. ## Using the MediaConnect console Using the console To access the AWS Elemental MediaConnect console, you must have a minimum set of permissions. These permissions must allow you to list and view details about the MediaConnect resources in your AWS account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for entities (IAM users or roles) with that policy. To ensure that those entities can still use the MediaConnect console, also attach the following AWS managed policy to the entities. For more information, see [Adding Permissions to a User](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Action": [ "mediaconnect:*" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "ec2:DescribeAvailabilityZones", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeNetworkInterfaces", "ec2:DescribeVpcs", "ec2:CreateNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterface", "ec2:DeleteNetworkInterfacePermission" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "cloudwatch:GetMetricData" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "iam:PassRole" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringLike": { "iam:PassedToService": "mediaconnect.amazonaws.com" } } } ] } ``` ------ You don't need to allow minimum console permissions for users that are making calls only to the AWS CLI or the AWS API. Instead, allow access to only the actions that match the API operation that you're trying to perform. ## Allow users to view their own permissions This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the AWS CLI or AWS API. ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "ViewOwnUserInfo", "Effect": "Allow", "Action": [ "iam:GetUserPolicy", "iam:ListGroupsForUser", "iam:ListAttachedUserPolicies", "iam:ListUserPolicies", "iam:GetUser" ], "Resource": ["arn:aws:iam::*:user/${aws:username}"] }, { "Sid": "NavigateInConsole", "Effect": "Allow", "Action": [ "iam:GetGroupPolicy", "iam:GetPolicyVersion", "iam:GetPolicy", "iam:ListAttachedGroupPolicies", "iam:ListGroupPolicies", "iam:ListPolicyVersions", "iam:ListPolicies", "iam:ListUsers" ], "Resource": "*" } ] } ``` # AWS Elemental MediaConnect resource-based policy examples Resource-based policy examples To access the AWS Elemental MediaConnect console, you must have a minimum set of permissions that allows you to list and view details about the MediaConnect resources in your AWS account. The IAM policies in this section show examples of policies that allow specific actions on resources in AWS Elemental MediaConnect. ## Allow read access to all resources in AWS Elemental MediaConnect To access the AWS Elemental MediaConnect console, you must have a policy that defines which actions you are allowed to take on MediaConnect resources in your AWS account. The IAM policy below provides the following permissions: + The section for the `mediaconnect:List*` and `mediaconnect:Describe*` actions allow read-only access to all resources that you create in AWS Elemental MediaConnect. + The section for the `ec2:DescribeAvailabilityZones` action allows the service to obtain information about which Availability Zone the flow is in. This portion of the policy is required. + The section for the `cloudwatch:GetMetricData` action allows the service to obtain metrics from Amazon CloudWatch. This portion of the policy is required. + The section for the `iam:PassRole` action allows IAM to *pass* a role to AWS Elemental MediaConnect the service to communicate with IAM in order to assume a role on behalf of the service. This allows the service to assume the role later and perform actions on your behalf. This portion of the policy is required. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Action": [ "mediaconnect:List*", "mediaconnect:Describe*" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "ec2:DescribeAvailabilityZones" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "cloudwatch:GetMetricData" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "iam:PassRole" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringLike": { "iam:PassedToService": "mediaconnect.amazonaws.com" } } } ] } ``` ------ ## Allow all actions on all AWS Elemental MediaConnect resources Every user of AWS Elemental MediaConnect must have a policy that defines permissions on AWS Elemental MediaConnect resources. The IAM policy below provides the following permissions: + The section for the `mediaconnect:*` action allows all actions on all resources that you create in AWS Elemental MediaConnect. + The section for the `ec2:DescribeAvailabilityZones` action allows the service to obtain information about which Availability Zone the flow is in. This portion of the policy is required. + The section for the `cloudwatch:GetMetricData` action allows the service to obtain metrics from Amazon CloudWatch. This portion of the policy is required. + The section for the `iam:PassRole` action allows IAM to *pass* a role to AWS Elemental MediaConnect the service to communicate with IAM in order to assume a role on behalf of the service. This allows the service to assume the role later and perform actions on your behalf. This portion of the policy is required. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Action": [ "mediaconnect:*" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "ec2:DescribeAvailabilityZones" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "cloudwatch:GetMetricData" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "iam:PassRole" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringLike": { "iam:PassedToService": "mediaconnect.amazonaws.com" } } } ] } ``` ------ ## Allow AWS Elemental MediaConnect to create and manage network interfaces in your VPC Policy example for connecting to your VPC This example IAM policy allows AWS Elemental MediaConnect to create and manage network interfaces in your VPC so that content can flow from your VPC to MediaConnect. If you want to connect your VPC to your flow, you must set up this policy. + The section for the `ec2:` actions allows MediaConnect to create, read, update, and delete network interfaces in your VPC. This portion of the policy is required. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Action": [ "ec2:DescribeNetworkInterfaces", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:CreateNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterface", "ec2:DeleteNetworkInterfacePermission" ], "Effect": "Allow", "Resource": "*" } ] } ``` ------ # Policy examples for accessing MediaConnect encryption keys in Secrets Manager Policy examples for secrets in AWS Secrets Manager You can create IAM policies that allow AWS Elemental MediaConnect to read encryption keys that are stored as secrets in AWS Secrets Manager. When setting up static key encryption using MediaConnect, [you create an IAM policy](encryption-static-key-set-up.md#encryption-static-key-set-up-create-iam-policy) that you assign to MediaConnect. This policy allows MediaConnect to read the secrets that you have stored in Secrets Manager. The settings for this policy are entirely up to you. The policy can range from most restrictive (allowing access to only specific secrets) to least restrictive (allowing access to any secret that you create using your AWS account). We recommend using the most restrictive policy as a best practice. However, the following examples show you how to set up policies with different levels of restriction. Because MediaConnect only needs read access to secrets, all of the examples show only the actions that are necessary to read the values that you store. **Note** While the following example IAM policies for Secrets Manager are broadly applicable to various AWS services, this page specifically demonstrates their use in the context of MediaConnect. For more information about Secrets Manager, refer to the [AWS Secrets Manager documentation](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html). **Topics** + [ ## Allow read access to specific secrets in Secrets Manager ](#iam-policy-examples-asm-specific-secrets) + [ ## Allow read access to all secrets created in a specific AWS Region in Secrets Manager ](#iam-policy-examples-asm-secrets-in-a-region) + [ ## Allow read access to all resources in Secrets Manager ](#iam-policy-examples-asm-secrets-all) ## Allow read access to specific secrets in Secrets Manager Allow read access to specific secrets The following example IAM policy allows read access to specific resources (secrets) that you create in Secrets Manager. Replace the *placeholder text* in the ARNs with your own information. The ARNs should represent the secrets that store the encryption keys you want to use with MediaConnect. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:GetResourcePolicy", "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret", "secretsmanager:ListSecretVersionIds" ], "Resource": [ "arn:aws:secretsmanager:us-west-2:111122223333:secret:aes128-1a2b3c", "arn:aws:secretsmanager:us-west-2:111122223333:secret:aes192-4D5e6F", "arn:aws:secretsmanager:us-west-2:111122223333:secret:aes256-7g8H9i" ] }, { "Effect": "Allow", "Action": "secretsmanager:ListSecrets", "Resource": "*" } ] } ``` ------ ## Allow read access to all secrets created in a specific AWS Region in Secrets Manager Allow read access to all secrets created in a specific Region The following IAM policy allows read access to all secrets that you create in a specific AWS Region in Secrets Manager, including any encryption keys used for MediaConnect. This policy applies to resources that you have created already and all resources that you create in the future in the specified Region. This might be useful when managing multiple encrypted MediaConnect flows within the same Region. Replace the *placeholder text* in the ARNs with your own information. The Region and account ID should represent where your secrets are stored. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:GetResourcePolicy", "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret", "secretsmanager:ListSecretVersionIds" ], "Resource": "arn:aws:secretsmanager:us-west-2:111122223333:secret:*" }, { "Effect": "Allow", "Action": "secretsmanager:ListSecrets", "Resource": "*" } ] } ``` ------ ## Allow read access to all resources in Secrets Manager Allow read access to all resources The following IAM policy allows read access to all resources that you create in Secrets Manager, including any encryption keys used for MediaConnect. This policy applies to resources that you have created already and all resources that you create in the future. This broader access might be needed when managing encrypted MediaConnect flows across multiple regions. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:GetResourcePolicy", "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret", "secretsmanager:ListSecretVersionIds", "secretsmanager:ListSecrets" ], "Resource": [ "*" ] } ] } ``` ------ For more information on setting up encryption for your MediaConnect flows, see [Data protection](https://docs.aws.amazon.com/mediaconnect/latest/ug/data-protection.html) in this guide. For general information about using Secrets Manager, refer to the [AWS Secrets Manager User Guide](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html). # AWS managed policies for AWS Elemental MediaConnect AWS managed policiesAWS managed policy - New policy The MediaConnectGatewayInstanceRolePolicy has been created.AWS managed policy - New policy The AWSMediaConnectServicePolicy has been created.AWS managed policy - New policy The AWSElementalMediaConnectReadOnlyAccess policy has been created.AWS managed policy - New policy The AWSElementalMediaConnectFullAccess policy has been created.Updated AWS managed policy AWS Elemental MediaConnect has updated the [AWSMediaConnectServicePolicy](https://docs.aws.amazon.com/mediaconnect/latest/ug/security-iam-awsmanpol.html#security-iam-awsmanpol-AWSMediaConnectServicePolicy). An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles. Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [ customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases. You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services. For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*. ## AWS managed policy: AWSElementalMediaConnectReadOnlyAccess AWSElementalMediaConnectReadOnlyAccess You can attach `AWSElementalMediaConnectReadOnlyAccess` to your users, groups, and roles. This policy grants read-only permissions that allow users to view all resources in MediaConnect. **Permissions details** This policy includes the following permissions. + `mediaconnect:DescribeBridge` – Allows principals to view detailed information about a specific bridge in MediaConnect. This is required so that you can inspect the bridge configuration and status. + `mediaconnect:DescribeFlow` – Allows principals to view detailed information about a specific flow in MediaConnect. This is required so that you can inspect the flow configuration and status. + `mediaconnect:DescribeFlowSourceMetadata` – Allows principals to view metadata about a flow's source in MediaConnect. This is required so that you can see technical details about the input stream. + `mediaconnect:DescribeFlowSourceThumbnail` – Allows principals to view the details of the thumbnail image for a flow's source in MediaConnect. This is required so that you can see visual previews of your video streams. + `mediaconnect:DescribeGateway` – Allows principals to view detailed information about a specific gateway in MediaConnect. This is required so that you can inspect the gateway configuration and status. + `mediaconnect:DescribeGatewayInstance` – Allows principals to view detailed information about a specific gateway instance in MediaConnect. This is required so that you can inspect the gateway instance configuration and status. + `mediaconnect:DescribeOffering` – Allows principals to view detailed information about a specific service offering in MediaConnect. This is required so that you can see bandwidth commitment options and their associated discount rates. + `mediaconnect:DescribeReservation` – Allows principals to view detailed information about a specific reservation in MediaConnect. This is required so that you can see the details of your bandwidth commitment and its associated discount. + `mediaconnect:ListBridges` – Allows principals to view a list of bridges in MediaConnect. This is required so that you can see all the available bridge resources in your account. + `mediaconnect:ListEntitlements` – Allows principals to view a list of entitlements in MediaConnect. This is required so that you can see all permissions granted to other AWS accounts to access your transport stream flows. + `mediaconnect:ListFlows` – Allows principals to view a list of flows in MediaConnect. This is required so that you can see all the available flow resources in your account. + `mediaconnect:ListGatewayInstances` – Allows principals to view a list of gateway instances in MediaConnect. This is required so that you can see all the running gateway compute resources in your account. + `mediaconnect:ListGateways` – Allows principals to view a list of gateways in MediaConnect. This is required so that you can see all the available gateway resources in your account. + `mediaconnect:ListOfferings` – Allows principals to view a list of service offerings in MediaConnect. This is required so that you can see the available bandwidth discount options that require a commitment. The offerings that are displayed may vary based on your AWS Region. + `mediaconnect:ListReservations` – Allows principals to view a list of reservations in MediaConnect. This is required so that you can see your active bandwidth commitments and their associated discounts. + `mediaconnect:ListTagsForResource` – Allows principals to view tags associated with MediaConnect resources. This is required so that you can see resource organization and classification metadata. To view the permissions for this policy, see [AWSElementalMediaConnectReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElementalMediaConnectReadOnlyAccess.html) in the *AWS Managed Policy Reference*. ## AWS managed policy: AWSElementalMediaConnectFullAccess AWSElementalMediaConnectFullAccess You can attach `AWSElementalMediaConnectFullAccess` to your users, groups, and roles. This policy grants administrative permissions that allow the user permission to create, read, update, and delete MediaConnect resources. **Permissions details** This policy includes the following permissions. + `mediaconnect:*` – Allows principals to perform all actions in MediaConnect. This is required so that administrators and other users can create, read, update, and delete MediaConnect resources and manage all aspects of video transport workflows. The wildcard (\$1) permission includes all possible MediaConnect actions, such as creating and deleting flows, managing entitlements and outputs, and configuring video transport workflows. To view the permissions for this policy, see [AWSElementalMediaConnectFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElementalMediaConnectFullAccess.html) in the *AWS Managed Policy Reference*. ## AWS managed policy: MediaConnectGatewayInstanceRolePolicy MediaConnectGatewayInstanceRolePolicy You can attach the `MediaConnectGatewayInstanceRolePolicy` policy to your IAM identities. This policy grants permission to register MediaConnect Gateway Instances to a MediaConnect Gateway. This policy will be attached to a role. The entity assuming the role will have the ability to register instances to the gateway. **Permissions details** This policy includes the following permissions. + `mediaconnect:DiscoverGatewayPollEndpoint` – Allows principals to locate the gateway poll endpoints for the specified gateway. + `mediaconnect:PollGateway` – Allows principals to regularly query the gateway in MediaConnect. This is required so that MediaConnect Gateway Instances can check for and receive updates, configurations, and instructions from the gateway service. + `mediaconnect:SubmitGatewayStateChange` – Allows principals to report status updates in MediaConnect. This is required so that MediaConnect Gateway Instances can notify the gateway service about changes in their operational state, health, and configuration status. To view the permissions for this policy, see [MediaConnectGatewayInstanceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/MediaConnectGatewayInstanceRolePolicy.html) in the *AWS Managed Policy Reference*. ## AWS managed policy: AWSMediaConnectServicePolicy AWSMediaConnectServicePolicy You can’t attach AWSMediaConnectServicePolicy to your IAM entities. This policy is attached to a service-linked role that allows MediaConnect to perform actions on your behalf. For more information, visit [Using service-linked roles](using-service-linked-roles.md). This policy is attached to the **AWSServiceRoleForMediaConnect** service-linked role. This policy allows the service-linked role to manage Amazon ECS resources on your behalf. AWS Elemental MediaConnect Gateway uses Amazon ECS as the foundation for the on-premises implementation of AWS Elemental MediaConnect Gateway. As a result, MediaConnect must have the ability to create, update, and delete Amazon ECS resources as needed. The policy also allows the service-linked role to manage Amazon EC2 resources on your behalf. The MediaConnect router requires EC2 networking capabilities for audio and video routing. As a result, MediaConnect must have the ability to create, update, and delete Amazon EC2 resources as needed, as well as view network configuration details. When MediaConnect performs actions on EC2 resources using this service-linked role, we tag them with `aws:ResourceTag/created-for-service: MediaConnect`. This helps you easily distinguish between the EC2 resources that MediaConnect creates, and the ones that you create yourself. **Permissions details** This policy includes the following permissions. + **Amazon ECS permissions** **Note** These permissions are restricted to ECS clusters with names starting with `MediaConnectGateway` through the condition block. + `ecs:CreateCluster` - Allows principals to create new ECS clusters. This is required so that MediaConnect can establish new clusters needed for Gateway operations. + `ecs:CreateService` – Allows principals to establish new ECS services. This is required so that MediaConnect can set up new service components for the Gateway implementation. + `ecs:DeleteAttributes` – Allows principals to remove attributes from ECS resources. This is required so that MediaConnect can clean up metadata when no longer needed. + `ecs:DeleteService` – Allows principals to remove ECS services. This is required so that MediaConnect can clean up services when they're no longer needed. + `ecs:DescribeClusters` – Allows principals to view details about ECS clusters. This is required so that MediaConnect can monitor the state and configuration of Gateway clusters. + `ecs:DescribeContainerInstances` – Allows principals to view details about ECS container instances. This is required so that MediaConnect can monitor the health and status of Gateway components. + `ecs:DeregisterContainerInstance` - Allows principals to remove container instances from an ECS cluster. This is required so that MediaConnect can remove Gateway components from the cluster when no longer needed. + `ecs:DescribeServices` – Allows principals to view details about ECS services. This is required so that MediaConnect can monitor and manage the state of its services. + `ecs:DescribeTasks` – Allows principals to view details about ECS tasks. This is required so that MediaConnect can monitor the status of running tasks. + `ecs:ListAttributes` – Allows principals to retrieve attributes from ECS resources. This is required so that MediaConnect can monitor and manage metadata for Gateway components. + `ecs:ListContainerInstances` - Allows principals to retrieve a list of container instances in a cluster. This is required so that MediaConnect can track all Gateway components running in the cluster. + `ecs:ListTasks` – Allows principals to view all tasks in ECS. This is required so that MediaConnect can monitor and manage running tasks. + `ecs:PutAttributes` – Allows principals to add attributes to ECS resources. This is required so that MediaConnect can configure resources by applying the necessary metadata. + `ecs:RegisterTaskDefinition` - Allows principals to register new task definitions. This is required so that MediaConnect can define specifications for new Gateway components. + `ecs:RunTask` – Allows principals to start new tasks in ECS. This is required so that MediaConnect can launch new Gateway components as needed. + `ecs:StartTask` – Allows principals to initiate specific tasks in ECS. This is required so that MediaConnect can launch specific Gateway components. + `ecs:StopTask` – Allows principals to terminate running tasks in ECS. This is required so that MediaConnect can stop Gateway components when needed. + `ecs:UpdateContainerInstancesState` – Allows principals to modify the state of container instances. This is required so that MediaConnect can manage the lifecycle of container instances. + `ecs:UpdateCluster` - Allows principals to modify existing ECS cluster configurations. This is required so that MediaConnect can adjust cluster settings as needed for optimal Gateway operations. + `ecs:UpdateClusterSettings` - Allows principals to modify cluster-wide settings. This is required so that MediaConnect can update cluster settings to support Gateway requirements. + `ecs:UpdateService` – Allows principals to modify existing ECS services. This is required so that MediaConnect can update service configurations for MediaConnect Gateway components running on ECS. + **Amazon EC2 permissions** + `ec2:CreateNetworkInterfacePermission` – Allows MediaConnect to grant permissions for network interfaces used within the router. + `ec2:DeleteNetworkInterface` – Allows MediaConnect to remove network interfaces when they're no longer needed. + `ec2:DeleteNetworkInterfacePermission` – Allows MediaConnect to revoke permissions for network interfaces used within the router. + `ec2:DescribeNetworkInterfaces` – Allows MediaConnect to view details about network interfaces used within the router. + `ec2:DescribeSecurityGroups` – Allows MediaConnect to view details about security groups used with a router network interface. + `ec2:DescribeSubnets` – Allows MediaConnect to view details about subnets used with a router network interface. To view the permissions for this policy, see [AWSMediaConnectServicePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSMediaConnectServicePolicy.html) in the *AWS Managed Policy Reference*. ## MediaConnect updates to AWS managed policies Policy updates View details about updates to AWS managed policies for MediaConnect since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the MediaConnect [document history](doc-history.md) page. | Change | Description | Date | | --- | --- | --- | | **AWSMediaConnectServicePolicy** – Update to an existing policy | MediaConnect added the following Amazon EC2 permissions to support the router feature: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/mediaconnect/latest/ug/security-iam-awsmanpol.html) These permissions allow MediaConnect to view and manage router network interfaces as needed for cross-Region audio and video routing. | November 19, 2025 | | The MediaConnect managed policy **AWSElementalMediaConnectReadOnlyAccess** has been added. | This policy provides read-only access to MediaConnect resources. | February 12, 2025 | | The MediaConnect managed policy **AWSElementalMediaConnectFullAccess** has been added. | This policy provides full access to MediaConnect resources. | February 12, 2025 | | The MediaConnect managed policy MediaConnectGatewayInstanceRolePolicy has been added. | This policy grants permission to register MediaConnect Gateway Instances to a MediaConnect Gateway. | April 12, 2023 | | The MediaConnect managed policy AWSMediaConnectServicePolicy has been added. | This policy is used by a service-link role and grants permissions to access AWS services and resources used by MediaConnect. | April 12, 2023 | | MediaConnect started tracking changes | MediaConnect started tracking changes for its AWS managed policies. | April 12, 2023 | # Using service-linked roles for MediaConnect Using service-linked rolesAWS service-linked role - New role The AWSServiceRoleForMediaConnect role has been created. AWS Elemental MediaConnect uses AWS Identity and Access Management (IAM)[ service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to MediaConnect. Service-linked roles are predefined by MediaConnect and include all the permissions that the service requires to call other AWS services on your behalf. A service-linked role makes setting up MediaConnect easier because you don’t have to manually add the necessary permissions. MediaConnect defines the permissions of its service-linked roles, and unless defined otherwise, only MediaConnect can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity. You can delete a service-linked role only after first deleting their related resources. This protects your MediaConnect resources because you can't inadvertently remove permission to access the resources. For information about other services that support service-linked roles, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes **in the **Service-linked roles** column. Choose a **Yes** with a link to view the service-linked role documentation for that service. # Service-linked role permissions for MediaConnect MediaConnect uses the service-linked role named **AWSServiceRoleForMediaConnect**. This is the default Service-Linked Role that enables access to AWS services and resources used or managed by MediaConnect. The AWSServiceRoleForMediaConnect service-linked role trusts the following services to assume the role: + `MediaConnect` The role permissions policy named MediaConnectServiceRolePolicy allows MediaConnect to complete the following actions on the specified resources: 1. **Actions on all ECS resources** + Actions: + `ecs:CreateCluster` + `ecs:RegisterTaskDefinition` + Resource: `*` 1. **Actions on the MediaConnect Gateway ECS cluster** + Actions: + `ecs:DeregisterContainerInstance` + `ecs:DescribeClusters` + `ecs:ListAttributes` + `ecs:ListContainerInstances` + `ecs:UpdateCluster` + `ecs:UpdateClusterSettings` + Resource: `arn:aws:ecs:*:*:cluster/MediaConnectGateway` 1. **Actions on ECS services and tasks within the MediaConnect Gateway cluster** + Actions: + `ecs:CreateService` + `ecs:DeleteAttributes` + `ecs:DeleteService` + `ecs:DescribeContainerInstances` + `ecs:DescribeServices` + `ecs:DescribeTasks` + `ecs:ListTasks` + `ecs:PutAttributes` + `ecs:RunTask` + `ecs:StartTask` + `ecs:StopTask` + `ecs:UpdateContainerInstancesState` + `ecs:UpdateService` + Resource: `*` + Condition: `ArnLike: {"ecs:cluster": "arn:aws:ecs:*:*:cluster/MediaConnectGateway"}` 1. **Actions on network interfaces within the MediaConnect router** + Actions: + `ec2:DeleteNetworkInterface` + `ec2:DeleteNetworkInterfacePermission` + `ec2:CreateNetworkInterfacePermission` + Resource: `arn:aws:ec2:*:*:network-interface/*"` + Condition: `aws:ResourceTag/created-for-service": "MediaConnect"` 1. **Actions to describe available network resources** + Actions: + `ec2:DescribeNetworkInterfaces` + `ec2:DescribeSecurityGroups` + `ec2:DescribeSubnets` + Resource: `*` You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*. # Creating a service-linked role for MediaConnect Creating a service-linked role for MediaConnect You don't need to manually create a service-linked role. When you create an associated MediaConnect resource in the AWS Management Console, the AWS CLI, or the AWS API, MediaConnect creates the service-linked role for you. **Important** This service-linked role can appear in your account if you completed an action in another service that uses the features supported by this role. Also, if you were using the MediaConnect service before January 1, 2023, when it began supporting service-linked roles, then MediaConnect created the AWSServiceRoleForMediaConnect role in your account. To learn more, see [A new role appeared in my IAM account](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared). If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you create an associated MediaConnect resource, MediaConnect creates the service-linked role for you again. You can also use the IAM console to create a service-linked role with the **MediaConnect** use case. In the AWS CLI or the AWS API, create a service-linked role with the `MediaConnect` service name. For more information, see [Creating a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the *IAM User Guide*. If you delete this service-linked role, you can use this same process to create the role again. # Editing a service-linked role for MediaConnect Editing a service-linked role MediaConnect does not allow you to edit the AWSServiceRoleForMediaConnect service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*. # Deleting a service-linked role for MediaConnect Deleting a service-linked role for MediaConnect If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up the resources for your service-linked role before you can manually delete it. **Note** If the MediaConnect service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again. **To delete MediaConnect resources used by the AWSServiceRoleForMediaConnect** 1. Delete all Bridges in all Gateways. 1. De-register all Instances in all Gateways. 1. Delete all Gateways. **To manually delete the service-linked role using IAM** Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForMediaConnect service-linked role. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*. ## Supported Regions for MediaConnect service-linked roles MediaConnect supports using service-linked roles in all of the regions where the service is available. For more information, see [MediaConnect Regions and endpoints](https://docs.aws.amazon.com/general/latest/gr/mediaconnect.html#mediaconnect_region). # Setting up AWS Elemental MediaConnect as a trusted service Setting up MediaConnect as a trusted service You can use AWS Identity and Access Management (IAM) to control which AWS resources can be accessed by which users and applications. This includes setting up permissions to allow AWS Elemental MediaConnect to communicate with other services on behalf of your account. To set up AWS Elemental MediaConnect as a trusted entity, you must perform the following steps: **[Step 1.](#security-iam-trusted-entity-create-policy)** – Create an IAM policy that governs which actions you want to allow. **[Step 2](#security-iam-trusted-entity-create-role)** – Create an IAM role with a trusted relationship, and attach the policy that you created in the previous step. ## Step 1: Create an IAM policy to allow specific actions Step 1: Create a policy to allow specific actions In this step, you create an IAM policy that governs which actions you want to allow. **To create the IAM policy** 1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 1. In the navigation pane, choose **Policies**. 1. Choose **Create policy**, and then choose the **JSON** tab. 1. Enter a policy that uses the JSON format. For examples, see the following: + [ Policy example for connecting to your VPC](security_iam_resource-based-policy-examples.md#iam-policy-examples-for-mediaconnect-vpc) + [Policy examples for secrets in AWS Secrets Manager](iam-policy-examples-asm-secrets.md) 1. Choose **Review policy**. 1. For **Name**, enter a name for your policy. 1. Choose **Create policy**. ## Step 2: Create an IAM role with a trusted relationship Step 2. Create a role with a trusted relationship In [step 1](#security-iam-trusted-entity-create-policy), you created an IAM policy that governs which actions you want to allow. In this step, you create an IAM role and assign the policy to that role. Then you define AWS Elemental MediaConnect as a trusted entity that can assume the role. **To create a role with a trusted relationship** 1. In the navigation pane of the IAM console, choose **Roles**. 1. On the **Role** page, choose **Create role**. 1. On the **Create role** page, for **Select type of trusted entity**, choose **AWS service** (the default). 1. For **Choose the service that will use this role**, choose **EC2**. You choose EC2 because MediaConnect is not currently included in this list. Choosing EC2 lets you create a role. In a later step, you change this role to include MediaConnect instead of EC2. 1. Choose **Next: Permissions**. 1. For **Attach permissions policies**, enter the name of the policy that you created in [step 1](#security-iam-trusted-entity-create-policy). 1. Select the check box next to the name of the policy, and then choose **Next: Tags**. 1. (Optional) Add metadata to the user by attaching tags as key-value pairs. For more information about using tags in IAM, see [Tagging IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*. 1. Choose **Next: Review**. 1. For **Role name**, enter a name. The name `MediaConnectAccessRole` is reserved, so you can't use it. Instead, use a name that includes `MediaConnect` and describes this role's purpose. 1. For **Role description**, replace the default text with a description that will help you remember the purpose of this role. 1. Choose **Create role**. 1. In the confirmation message that appears across the top of your page, choose the name of the role that you just created by selecting **View role**. 1. Choose **Trust relationships** tab, and then choose **Edit trust policy**. 1. in the **Edit trust policy** window, make the following changes to the JSON: + For **Service**, change `ec2.amazonaws.com` to `mediaconnect.amazonaws.com` + For added security, define specific conditions for the trust policy. This will limit MediaConnect to only using resources in your account. You do this by using a global condition such as the **Account ID**, the **flow ARN**, or both. See the following example of the conditional trust policy. For more information about the security benefits of the global conditions, see [Cross-service confused deputy prevention](cross-service-confused-deputy-prevention.md). **Note** The following example uses both the **Account ID** and **flow ARN** conditions. Your policy will look different if you do not use both conditions. If you don't know the full ARN of the flow or if you are specifying multiple flows, use the `aws:SourceArn` global context condition key with wildcard characters (`*`) for the unknown portions of the ARN. For example, `arn:aws:mediaconnect:*:111122223333:*`. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "mediaconnect.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "111122223333" }, "ArnLike": { "aws:SourceArn": "arn:aws:mediaconnect:us-west-2:111122223333:flow:*:flow-name" } } } ] } ``` ------ 1. Choose **Update policy**. 1. On the **Summary** page, make a note of the value for **Role ARN**. It looks like this: `arn:aws:iam::111122223333:role/MediaConnectASM`. # Cross-service confused deputy prevention The confused deputy problem is a security issue where an entity that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action. In AWS, cross-service impersonation can result in the confused deputy problem. Cross-service impersonation can occur when one service (the *calling service*) calls another service (the *called service*). The calling service can be manipulated to use its permissions to act on another customer's resources in a way it should not otherwise have permission to access. To prevent this, AWS provides tools that help you protect your data for all services with service principals that have been given access to resources in your account. We recommend using the [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn) of the flow and [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount) global condition context keys in resource policies to limit the permissions that AWS Elemental MediaConnect gives another service to the resource. Use the flow's `aws:SourceArn` if you want only one resource to be associated with the cross-service access. Use `aws:SourceAccount` if you want to allow any resource in that account to be associated with the cross-service use. The most effective way to protect against the confused deputy problem is to use the `aws:SourceArn` global condition context key with the full ARN of the flow. If you don't know the full ARN of the flow or if you are specifying multiple flows, use the `aws:SourceArn` global context condition key with wildcard characters (`*`) for the unknown portions of the ARN. For example, `arn:aws:mediaconnect:*:111122223333:*`. The following example shows how you can use the `aws:SourceArn` and `aws:SourceAccount` global condition context keys in MediaConnect to prevent the confused deputy problem. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "mediaconnect.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "111122223333" }, "ArnLike": { "aws:SourceArn": "arn:aws:mediaconnect:us-west-2:111122223333:flow:1-ABCDEFGHJxyzMNoP-a1234bc12345:flow-name" } } } ] } ``` ------ # Troubleshooting AWS Elemental MediaConnect identity and access Troubleshooting Use the following information to help you diagnose and fix common issues that you might encounter when working with MediaConnect and IAM. **Topics** + [ ## I am not authorized to perform an action in MediaConnect ](#security_iam_troubleshoot-no-permissions) + [ ## I want to allow people outside of my AWS account to access my MediaConnect resources ](#security_iam_troubleshoot-cross-account-access) ## I am not authorized to perform an action in MediaConnect If the AWS Management Console tells you that you're not authorized to perform an action, then you must contact your administrator for assistance. Your administrator is the person that provided you with your user name and password. The following example error occurs when the `mateojackson` user tries to use the console to view details about a flow but does not have `mediaconnect:DescribeFlow` permissions. ``` User: arn:aws:iam::123456789012:user/mateojackson is not authorized to perform: mediaconnect:DescribeFlow on resource: myExampleFlow ``` In this case, Mateo asks his administrator to update his policies to allow him to access the `myExampleFlow` resource using the `mediaconnect:DescribeFlow` action. ## I want to allow people outside of my AWS account to access my MediaConnect resources You can create a role that users in other accounts or people outside of your organization can use to access your resources. You can specify who is trusted to assume the role. For services that support resource-based policies or access control lists (ACLs), you can use those policies to grant people access to your resources. To learn more, consult the following: + To learn whether MediaConnect supports these features, see [How AWS Elemental MediaConnect works with IAM](security_iam_service-with-iam.md). + To learn how to provide access to your resources across AWS accounts that you own, see [Providing access to an IAM user in another AWS account that you own](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html) in the *IAM User Guide*. + To learn how to provide access to your resources to third-party AWS accounts, see [Providing access to AWS accounts owned by third parties](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html) in the *IAM User Guide*. + To learn how to provide access through identity federation, see [Providing access to externally authenticated users (identity federation)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html) in the *IAM User Guide*. + To learn the difference between using roles and resource-based policies for cross-account access, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.