If you’re new to AWS Portal we recommend starting here. If you’re new to Deadline we recommend starting here.

AWSPortal IAM Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1503340968000",
            "Effect": "Allow",
            "Action": [
                "ec2:AllocateAddress",
                "ec2:CreateInternetGateway",
                "ec2:CreateNatGateway",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSubnet",
                "ec2:CreateTags",
                "ec2:CreateVpc",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSpotFleetInstances",
                "ec2:DescribeSpotFleetRequests",
                "ec2:DescribeSpotPriceHistory",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:DeleteVpc",
                "ec2:ReleaseAddress",
                "ec2:DeleteInternetGateway",
                "ec2:DescribeAddresses",
                "ec2:RequestSpotFleet",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:ModifyVpcAttribute",
                "ec2:DescribeRouteTables",
                "ec2:DeleteRouteTable",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteSubnet",
                "ec2:AttachInternetGateway",
                "ec2:AssociateRouteTable",
                "ec2:DeleteRoute",
                "ec2:DeleteNatGateway",
                "ec2:DetachInternetGateway",
                "ec2:DescribeNatGateways",
                "ec2:DisassociateRouteTable",
                "ec2:RunInstances",
                "ec2:ModifyInstanceAttribute",
                "ec2:TerminateInstances",
                "ec2:AssociateAddress",
                "ec2:DisassociateAddress",
                "ec2:GetConsoleOutput",
                "ec2:ModifySpotFleetRequest",
                "ec2:CancelSpotFleetRequests",
                "ec2:DescribeAvailabilityZones",
                "ec2:ImportKeyPair",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeSpotFleetRequestHistory",
                "ec2:CreateVpcEndpoint",
                "ec2:DescribeVpcEndpoints",
                "ec2:DeleteVpcEndpoints"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1503341224000",
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:AttachRolePolicy",
                "iam:AttachUserPolicy",
                "iam:DetachRolePolicy",
                "iam:CreatePolicy",
                "iam:CreatePolicyVersion",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:CreateUser",
                "iam:DeletePolicyVersion",
                "iam:GetPolicy",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:GetUser",
                "iam:ListEntitiesForPolicy",
                "iam:ListPolicyVersions",
                "iam:CreateInstanceProfile",
                "iam:GetInstanceProfile",
                "iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:DeleteInstanceProfile",
                "iam:PassRole",
                "iam:ListAccessKeys",
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1503341437000",
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketVersioning",
                "s3:ListAllMyBuckets",
                "s3:PutBucketAcl",
                "s3:PutBucketCORS",
                "s3:PutBucketVersioning",
                "s3:GetBucketAcl",
                "s3:GetObject",
                "s3:PutBucketLogging",
                "s3:DeleteObject",
                "s3:PutObject",
                "s3:DeleteBucketPolicy",
                "s3:ListBucket",
                "s3:ListBucketVersions",
                "s3:DeleteObjectVersion",
                "s3:PutBucketPolicy",
                "s3:PutEncryptionConfiguration",
                "s3:PutLifecycleConfiguration"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1496243120000",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStackResources",
                "cloudformation:ListStacks",
                "cloudformation:EstimateTemplateCost",
                "cloudformation:ListStackResources",
                "cloudformation:CreateChangeSet",
                "cloudformation:DescribeChangeSet",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:UpdateTerminationProtection",
                "cloudformation:DeleteChangeSet"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1506545147000",
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents",
                "logs:CreateLogGroup",
                "logs:PutRetentionPolicy",
                "logs:DeleteRetentionPolicy"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "DynamoDBPermissions",
            "Effect": "Allow",
            "Action": [
                "dynamodb:CreateTable",
                "dynamodb:DescribeTable",
                "dynamodb:DeleteTable",
                "dynamodb:TagResource",
                "dynamodb:UntagResource",
                "dynamodb:ListTagsOfResource",
                "dynamodb:BatchWriteItem",
                "dynamodb:Scan"
            ],
            "Resource": "*"
        },
        {
            "Sid": "SQSPermissions",
            "Effect": "Allow",
            "Action": [
                "sqs:CreateQueue",
                "sqs:GetQueueAttributes",
                "sqs:DeleteQueue",
                "sqs:GetQueueUrl",
                "sqs:ListQueueTags",
                "sqs:UntagQueue",
                "sqs:TagQueue"
            ],
            "Resource": "*"
        },
        {
            "Sid": "LambdaPermissions",
            "Effect": "Allow",
            "Action": [
                "lambda:GetFunction",
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:GetFunctionConfiguration",
                "lambda:CreateEventSourceMapping",
                "lambda:GetEventSourceMapping",
                "lambda:DeleteEventSourceMapping",
                "lambda:AddPermission"
            ],
            "Resource": "*"
        },
        {
            "Sid": "EventPermissions",
            "Effect": "Allow",
            "Action": [
                "events:PutRule",
                "events:DescribeRule",
                "events:RemoveTargets",
                "events:DeleteRule",
                "events:PutTargets"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AutoScalingPermissions",
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:DescribeScalableTargets",
                "application-autoscaling:RegisterScalableTarget",
                "application-autoscaling:DeregisterScalableTarget",
                "application-autoscaling:DescribeScalingPolicies",
                "application-autoscaling:PutScalingPolicy",
                "application-autoscaling:DeleteScalingPolicy"
            ],
            "Resource": "*"
        },
        {
            "Sid": "STSPermissions",
            "Effect": "Allow",
            "Action": [
                "sts:GetCallerIdentity"
            ],
            "Resource": "*"
        }
    ]
}

Note

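For further security, consider adding an IP address condition to each of these statements. Place this text after the “Resource” entry in each statement, and add a comma after the “Resource” entry so that the policy remains valid JSON. The value can be a single public IP address or a range in CIDR notation.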

"Condition": {
    "IpAddress" : {
        "aws:SourceIp" : ["<your_public_ip_address>"]
    }
}

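This way, the actions granted by this policy are allowed only when the API call originates from your IP address. Be aware that the condition may also block calls that an AWS service makes on your behalf (for example, the resources CloudFormation creates after cloudformation:CreateStack), because those requests do not come from your address; test the restricted policy before relying on it. The condition limits where the credentials can be used from, not what they can do: the IAM statement above grants actions such as iam:PassRole, iam:AttachUserPolicy and iam:CreatePolicyVersion on all resources, so treat credentials holding this policy as highly privileged.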