Note
While AWS Portal can enable cloud rendering in Deadline 10, AWS Deadline Cloud is a newer offering that has been built specifically for the cloud. It is a fully managed service that does not require installation or maintenance of infrastructure (e.g., repository, database, or license server). Worker fleet auto-scaling, asset synching, and licensing are all managed natively within AWS by Deadline Cloud. See here for more information on Deadline Cloud and its capabilities.
Deprecated AWSPortal IAM Policy (For Deadline 10.1.7 and Earlier)
The IAM policy document below was intended to be attached to Deadline’s AWSPortal IAM User for Deadline 10.1.7 and earlier. For Deadline 10.1.8 or later, use our new AWS-Managed IAM Policies instead.
Warning
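We recommend that you do not use this policy because it grants excessive permissions: every statement applies to all resources ("Resource": "*"), and the IAM statement allows creating users, access keys, and policies and attaching policies to any user or role, so anyone holding the AWSPortal user's credentials can grant themselves broader access to the account. We recommend that you upgrade to Deadline 10.1.8 or later and use our new AWS-Managed IAM Policies instead.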
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1503340968000",
"Effect": "Allow",
"Action": [
"ec2:AllocateAddress",
"ec2:CreateInternetGateway",
"ec2:CreateNatGateway",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
"ec2:CreateSubnet",
"ec2:CreateTags",
"ec2:CreateVpc",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSpotFleetInstances",
"ec2:DescribeSpotFleetRequests",
"ec2:DescribeSpotPriceHistory",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DeleteVpc",
"ec2:ReleaseAddress",
"ec2:DeleteInternetGateway",
"ec2:DescribeAddresses",
"ec2:RequestSpotFleet",
"ec2:RevokeSecurityGroupIngress",
"ec2:ModifyVpcAttribute",
"ec2:DescribeRouteTables",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSubnet",
"ec2:AttachInternetGateway",
"ec2:AssociateRouteTable",
"ec2:DeleteRoute",
"ec2:DeleteNatGateway",
"ec2:DetachInternetGateway",
"ec2:DescribeNatGateways",
"ec2:DisassociateRouteTable",
"ec2:RunInstances",
"ec2:ModifyInstanceAttribute",
"ec2:TerminateInstances",
"ec2:AssociateAddress",
"ec2:DisassociateAddress",
"ec2:GetConsoleOutput",
"ec2:ModifySpotFleetRequest",
"ec2:CancelSpotFleetRequests",
"ec2:DescribeAvailabilityZones",
"ec2:ImportKeyPair",
"ec2:DescribeKeyPairs",
"ec2:DescribeSpotFleetRequestHistory",
"ec2:CreateVpcEndpoint",
"ec2:DescribeVpcEndpoints",
"ec2:DeleteVpcEndpoints"
],
"Resource": [
"*"
]
},
{
"Sid": "Stmt1503341224000",
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:AttachRolePolicy",
"iam:AttachUserPolicy",
"iam:DetachRolePolicy",
"iam:CreatePolicy",
"iam:CreatePolicyVersion",
"iam:CreateRole",
"iam:DeleteRole",
"iam:CreateUser",
"iam:DeletePolicyVersion",
"iam:GetPolicy",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetUser",
"iam:ListEntitiesForPolicy",
"iam:ListPolicyVersions",
"iam:CreateInstanceProfile",
"iam:GetInstanceProfile",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:PutRolePolicy",
"iam:DeleteRolePolicy",
"iam:DeleteInstanceProfile",
"iam:PassRole",
"iam:ListAccessKeys",
"iam:CreateServiceLinkedRole"
],
"Resource": [
"*"
]
},
{
"Sid": "Stmt1503341437000",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketVersioning",
"s3:ListAllMyBuckets",
"s3:PutBucketAcl",
"s3:PutBucketCORS",
"s3:PutBucketVersioning",
"s3:GetBucketAcl",
"s3:GetObject",
"s3:PutBucketLogging",
"s3:DeleteObject",
"s3:PutObject",
"s3:DeleteBucketPolicy",
"s3:ListBucket",
"s3:ListBucketVersions",
"s3:DeleteObjectVersion",
"s3:PutBucketPolicy",
"s3:PutEncryptionConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutBucketTagging",
"s3:DeleteBucketTagging"
],
"Resource": [
"*"
]
},
{
"Sid": "Stmt1496243120000",
"Effect": "Allow",
"Action": [
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStackResources",
"cloudformation:ListStacks",
"cloudformation:EstimateTemplateCost",
"cloudformation:ListStackResources",
"cloudformation:CreateChangeSet",
"cloudformation:DescribeChangeSet",
"cloudformation:ExecuteChangeSet",
"cloudformation:UpdateTerminationProtection",
"cloudformation:DeleteChangeSet"
],
"Resource": [
"*"
]
},
{
"Sid": "Stmt1506545147000",
"Effect": "Allow",
"Action": [
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:GetLogEvents",
"logs:CreateLogGroup",
"logs:PutRetentionPolicy",
"logs:DeleteRetentionPolicy"
],
"Resource": [
"*"
]
},
{
"Sid": "DynamoDBPermissions",
"Effect": "Allow",
"Action": [
"dynamodb:CreateTable",
"dynamodb:DescribeTable",
"dynamodb:DeleteTable",
"dynamodb:TagResource",
"dynamodb:UntagResource",
"dynamodb:ListTagsOfResource",
"dynamodb:BatchWriteItem",
"dynamodb:Scan"
],
"Resource": "*"
},
{
"Sid": "SQSPermissions",
"Effect": "Allow",
"Action": [
"sqs:CreateQueue",
"sqs:GetQueueAttributes",
"sqs:DeleteQueue",
"sqs:GetQueueUrl",
"sqs:ListQueueTags",
"sqs:UntagQueue",
"sqs:TagQueue"
],
"Resource": "*"
},
{
"Sid": "LambdaPermissions",
"Effect": "Allow",
"Action": [
"lambda:GetFunction",
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:GetFunctionConfiguration",
"lambda:CreateEventSourceMapping",
"lambda:GetEventSourceMapping",
"lambda:DeleteEventSourceMapping",
"lambda:AddPermission"
],
"Resource": "*"
},
{
"Sid": "EventPermissions",
"Effect": "Allow",
"Action": [
"events:PutRule",
"events:DescribeRule",
"events:RemoveTargets",
"events:DeleteRule",
"events:PutTargets"
],
"Resource": "*"
},
{
"Sid": "AutoScalingPermissions",
"Effect": "Allow",
"Action": [
"application-autoscaling:DescribeScalableTargets",
"application-autoscaling:RegisterScalableTarget",
"application-autoscaling:DeregisterScalableTarget",
"application-autoscaling:DescribeScalingPolicies",
"application-autoscaling:PutScalingPolicy",
"application-autoscaling:DeleteScalingPolicy"
],
"Resource": "*"
},
{
"Sid": "STSPermissions",
"Effect": "Allow",
"Action": [
"sts:GetCallerIdentity"
],
"Resource": "*"
},
{
"Sid": "SecretsManagerPermissions",
"Effect": "Allow",
"Action": [
"secretsmanager:CreateSecret",
"secretsmanager:DeleteSecret",
"secretsmanager:UpdateSecret",
"secretsmanager:DescribeSecret",
"secretsmanager:TagResource"
],
"Resource": [
"*"
]
},
{
"Sid": "KMSPermissions",
"Effect": "Allow",
"Action": [
"kms:CreateKey",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey",
"kms:EnableKeyRotation",
"kms:ListKeys",
"kms:ListKeyPolicies",
"kms:ListResourceTags",
"kms:PutKeyPolicy",
"kms:UpdateKeyDescription",
"kms:ScheduleKeyDeletion",
"kms:TagResource"
],
"Resource": [
"*"
]
}
]
}
Note
For further security, consider adding an IP address condition to each of these statements. Place this text after the “Resource” entry in each of the statements, and add a comma after the “Resource” entry so that the statement remains valid JSON.
"Condition": {
"IpAddress" : {
"aws:SourceIp" : ["<your_public_ip_address>"]
}
}
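This way, AWS will accept API calls made with these permissions only when they originate from your IP address. The condition limits where the credentials can be used, not what they allow, so it does not replace moving to the AWS-Managed IAM Policies. After adding it, verify that AWS Portal still works, because requests that an AWS service makes on your behalf may not originate from your IP address.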