
AWSPortal Admin IAM Managed Policy

This Identity and Access Management (IAM) Managed Policy is meant to be used by the on-prem Deadline software via the AWSPortal IAM user. It contains permissions that allow administration of various AWS resources:

  • Launch/Terminate Gateway and Worker EC2 resources
  • Read IAM permissions created during one-time setup
  • Create/Modify Deadline owned S3 buckets
  • Read DynamoDB table to fetch application health statuses
  • Deploy permissions for CloudFormation to manage resources needed by Deadline
  • Read/Write CloudWatch logs for operational purposes
  • Encrypt/Decrypt user certificates using KMS managed CMKs
  • Create/Modify user credentials using Secrets Manager secrets
  • Tagging permissions for the above resources

AWS Thinkbox makes this available as an AWS Managed Policy and maintains it on behalf of Deadline customers.

Permission Breakdown

AWS Portal CloudWatch Logs

Permissions

logs:GetLogEvents, logs:DescribeLogGroups, logs:PutRetentionPolicy, logs:DeleteRetentionPolicy, logs:CreateLogGroup, logs:DescribeLogStreams

Restrictions

These permissions are restricted to acting on Log Groups whose name is prefixed with Thinkbox. It should be noted that logs:CreateLogGroup and logs:DescribeLogGroups don’t have any restrictions on them.

Purpose

These permissions are needed so that the on-prem software can access Thinkbox created logs in CloudWatch. Additionally, there are permissions to create the necessary log groups/streams if they don’t already exist.

AWS Portal Gateway and Worker EC2 instances

Permissions

ec2:RunInstances, ec2:TerminateInstances, ec2:CreateTags, ec2:RequestSpotFleet, ec2:AttachInternetGateway, ec2:DeleteVpc, and several other EC2 read/modify permissions

Restrictions

  • ec2:RunInstances
    • These permissions are restricted such that we only allow launching instances with instance profile names prefixed with AWSPortal.
  • ec2:CreateTags
    • For instances, only allow tagging if launched in a Placement Group with prefix DeadlinePlacementGroup or at instance creation time through RunInstances. For Subnet, Security-Group, Internet-Gateway, Route, Volume and VPC, allow tags on all resources. For all other EC2 resources, don’t allow tagging.
  • ec2:TerminateInstances
    • Allow termination of instances which contain the tag pair {"aws:cloudformation:logical-id": "ReverseForwarder"}, or which were launched in a Placement Group with prefix DeadlinePlacementGroup, or which carry the tag key “ec2:ResourceTag/aws:ec2spot:fleet-request-id”.

All other permissions are unrestricted.

Purpose

These permissions are needed so that Gateway and Worker EC2 instances (and other related EC2 resources) can be created and managed.

AWS Portal IAM entities

Permissions

iam:GetUser, iam:GetInstanceProfile, iam:GetPolicy, iam:ListEntitiesForPolicy, iam:ListPolicyVersions, iam:GetRole, iam:GetRolePolicy, iam:PassRole, iam:CreateServiceLinkedRole

Restrictions

These permissions are restricted to acting on IAM users/roles/policies whose name is prefixed with AWSPortal. There are a few exceptions though:

  • iam:GetUser doesn’t have any resource or condition restrictions on it. This is by design in case you, either by choice or by mistake, don’t use the suggested name (AWSPortal).
  • iam:CreateServiceLinkedRole is caller restricted such that it can only be invoked via AWS services Deadline actually interacts with.
  • iam:PassRole also allows passing a role prefixed with DeadlineSpot, and restricts the services the roles can be passed to: EC2, Spot, EC2 Fleet, Spot Fleet and CloudFormation.

Purpose

These permissions are required by Deadline software running on-prem to access IAM entities for the purpose of presenting errors and record keeping.

AWS Portal S3 Buckets

Permissions

s3:CreateBucket, s3:PutObject, s3:ListBucket, s3:PutEncryptionConfiguration, s3:ListAllMyBuckets, and several other S3 read/modify permissions

Restrictions

These permissions can only operate on buckets prefixed with one of the following names: aws-portal-cache, logs-for-aws-portal-cache, stack, logs-for-stack or awsportal. It should be noted that s3:ListAllMyBuckets doesn’t have any restrictions on it.

Purpose

These permissions are needed to create S3 buckets for asset transfer and for the AWS Portal CloudFormation stack. These buckets contain user data such as certificates and assets. There are also corresponding logging buckets which contain the generated CloudWatch logs. Finally, there is permission to access the awsportal bucket, which contains Deadline specific dynamic configuration.

Resource Tracker DynamoDB Fleet Health Reading

Permissions

dynamodb:Scan

Restrictions

This permission can only operate on DynamoDB tables prefixed with the name DeadlineFleetHealth.

Purpose

This is needed so that the Deadline Monitor can read Resource Tracker’s DeadlineFleetHealth DynamoDB table.

AWS Portal Cloudformation Deployment

Permissions

cloudformation:CreateStack, cloudformation:DescribeStackEvents, cloudformation:DeleteStack, and several other read/modify permissions

Restrictions

These permissions can only operate on Cloudformation stacks prefixed with the name stack or deadline. However, there are some permissions (ListStacks, EstimateTemplateCost, and DescribeStacks) which don’t have any restrictions.

Purpose

This is needed so that the on-prem software can launch and manage the resources which are created as part of a single logical stack.

AWS Portal KMS Key Encryption

Permissions

kms:Encrypt, kms:GenerateDataKey, kms:Decrypt

Restrictions

These permissions are caller restricted such that they can only be invoked via the Secrets Manager or S3 AWS services.

Purpose

This is needed so that S3 buckets and Secrets Manager secrets can be encrypted/decrypted.

AWS Portal Secrets Manager RCS Password Administration

Permissions

secretsmanager:CreateSecret, secretsmanager:DeleteSecret, secretsmanager:UpdateSecret, secretsmanager:DescribeSecret, secretsmanager:TagResource

Restrictions

These permissions can only operate on secrets in AWS Secrets Manager prefixed with the name rcs-tls-pw-stack.

Purpose

This is needed so that the on-prem software can safely store/read/delete the secured password for the RCS TLS certificate, if it has one.
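When reviewing a managed policy like this one, the two things worth checking are which Allow statements apply to every resource with no Condition (the page calls these out individually: logs:CreateLogGroup, iam:GetUser, s3:ListAllMyBuckets, cloudformation:ListStacks and so on) and which actions are only "caller restricted" through a service condition key. The audit helpers below are an added example, not code from Thinkbox or the real policy document; the policy it parses is a constructed sample shaped like the restrictions described on this page, with the kms:ViaService and iam:PassedToService condition keys assumed as the way those caller restrictions are expressed.

```python
import json

# Constructed sample modelled on this page's descriptions; it is NOT the
# actual AWSPortal managed policy, only a stand-in for auditing.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["logs:GetLogEvents", "logs:PutRetentionPolicy"],
     "Resource": "arn:aws:logs:*:*:log-group:Thinkbox*"},
    {"Effect": "Allow", "Action": ["logs:CreateLogGroup", "logs:DescribeLogGroups"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:GetUser", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": ["arn:aws:iam::*:role/AWSPortal*", "arn:aws:iam::*:role/DeadlineSpot*"],
     "Condition": {"StringEquals": {"iam:PassedToService":
         ["ec2.amazonaws.com", "cloudformation.amazonaws.com"]}}},
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    {"Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
     "Resource": "*",
     "Condition": {"StringLike": {"kms:ViaService":
         ["secretsmanager.*.amazonaws.com", "s3.*.amazonaws.com"]}}}
  ]
}
""")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def unrestricted_actions(policy):
    """Allowed actions that apply to every resource ('*') with no Condition block."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" in _as_list(stmt.get("Resource", [])):
            found.update(_as_list(stmt["Action"]))
    return sorted(found)


def condition_keys_for(policy, action):
    """Condition keys guarding `action` across all Allow statements (empty if none)."""
    keys = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and action in _as_list(stmt["Action"]):
            for operator_map in stmt.get("Condition", {}).values():
                keys.update(operator_map)
    return sorted(keys)


if __name__ == "__main__":
    print("Unrestricted:", unrestricted_actions(SAMPLE_POLICY))
    print("kms:Decrypt guarded by:", condition_keys_for(SAMPLE_POLICY, "kms:Decrypt"))
```

To run this against the real policy, fetch its current default version document with the AWS CLI (`aws iam get-policy-version`) and pass the parsed `Document` to the same two functions.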