AWS managed policies for Thinkbox Deadline

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.

AWS services maintain and update AWS managed policies. You can’t change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won’t break your existing permissions. The same property means an update can silently widen what an attached identity is allowed to do, so record the policy version you reviewed and re-read the document whenever the default version changes.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.
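Because a managed policy can gain permissions without any change on your side, a practical control is to keep the policy document you reviewed and diff it against the current default version on a schedule. The following is an added example, not code from this page or from AWS Thinkbox: it flattens two policy documents into (action, resource, condition) grants and reports what the newer one allows that the older one did not. OLD_VERSION and NEW_VERSION are constructed for illustration, loosely modelled on the policies on this page; in practice both documents would be fetched with `aws iam get-policy-version` (once for the version ID you recorded, once for the DefaultVersionId reported by `aws iam get-policy`), which is not run here.

```python
"""Report what a newer version of an IAM managed policy allows that an older,
recorded version did not.  Added example: OLD_VERSION and NEW_VERSION are
constructed and are not the real version history of any AWS managed policy."""
import json


def _as_list(value):
    """IAM accepts a string or a list for Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def grants(policy):
    """Flatten the Allow statements into (action, resource, condition) triples.
    The Condition block is serialised with sorted keys so that two identical
    conditions compare equal regardless of key order."""
    out = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not tracked here
        cond = json.dumps(stmt.get("Condition", {}), sort_keys=True)
        for action in _as_list(stmt["Action"]):
            for resource in _as_list(stmt["Resource"]):
                out.add((action, resource, cond))
    return out


def added_permissions(old, new):
    """Grants present in `new` but absent from `old`, sorted for stable output.
    A statement whose Condition changed in either direction also shows up,
    because the script cannot tell a loosened condition from a tightened one;
    every hit is for a human to read."""
    return sorted(grants(new) - grants(old))


OLD_VERSION = {  # constructed "recorded" version
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": ["arn:aws:s3:::stack*"]},
        {"Effect": "Allow", "Action": ["logs:CreateLogGroup"], "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": ["arn:aws:iam::*:role/AWSPortal*"],
         "Condition": {"StringEquals": {"iam:PassedToService": ["ec2.amazonaws.com"]}}},
    ],
}

NEW_VERSION = {  # constructed "current default" version
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": ["arn:aws:s3:::stack*"]},
        {"Effect": "Allow", "Action": ["logs:CreateLogGroup"], "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": ["arn:aws:iam::*:role/AWSPortal*"],
         "Condition": {"StringEquals": {"iam:PassedToService": [
             "ec2.amazonaws.com", "cloudformation.amazonaws.com"]}}},
        {"Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": ["arn:aws:s3:::stack*/gateway_certs/*"]},
        {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
         "Resource": ["arn:aws:secretsmanager:*:*:secret:rcs-tls-pw-stack*"]},
    ],
}

if __name__ == "__main__":
    for action, resource, cond in added_permissions(OLD_VERSION, NEW_VERSION):
        print(f"ADDED {action} on {resource} condition={cond}")
```

Running the script lists the new s3:PutObject and secretsmanager:GetSecretValue grants and also surfaces the iam:PassRole statement, whose iam:PassedToService list grew to include cloudformation.amazonaws.com; the condition comparison is deliberately textual, so any edit to a condition is reported rather than judged.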

AWSThinkboxAWSPortalAdminPolicy

You can attach the AWSThinkboxAWSPortalAdminPolicy policy to your IAM identities.

This policy grants administrative permissions that allow AWS Thinkbox’s Deadline software full access to multiple AWS services as required for AWS Portal administration. This includes access to create arbitrary tags on several EC2 resource types.

This policy is meant to be used by the on-premises Deadline software, which is responsible for the tasks below. Several of its statements apply to Resource "*", so attach it only to the identity that software runs as.

  • Launching and terminating gateway and worker EC2 resources

  • Reading the IAM roles, policies and instance profiles created during one-time setup

  • Creating and modifying Deadline-owned S3 buckets

  • Reading the DynamoDB table that holds application health statuses

  • Creating and updating the CloudFormation stacks that manage the resources Deadline needs

  • Reading and writing CloudWatch logs for operational purposes

  • Encrypting user certificates and secrets with KMS keys (the policy grants kms:Encrypt and kms:GenerateDataKey, restricted with kms:ViaService to calls made through S3 and Secrets Manager)

  • Creating and modifying user credentials stored as Secrets Manager secrets

  • Tagging the resources above

Permissions details

This policy includes the following permissions.

  • logs - Used by the on-premises Deadline software to read Thinkbox-created logs from CloudWatch. Additionally there are permissions to create the necessary log groups/streams if they don’t already exist.

  • ec2 - Used to create and manage EC2 instances for the AWS Portal Gateway and Deadline Workers, and the related EC2 resources (VPC, subnets, security groups, fleets, launch templates and placement groups).

  • iam - Used by the on-premises Deadline software to retrieve the IAM entities it runs as and has set up (iam:GetUser, plus read access to the AWSPortal* and DeadlineSpot* roles, policies and instance profiles) for error reporting, record keeping and similar purposes, and to pass those roles to EC2, EC2 Fleet, Spot and CloudFormation.

  • s3 - Used to create S3 buckets for asset transfer and for the AWS Portal CloudFormation template. These contain user data such as certificates and assets. There are also corresponding logging buckets that hold the generated CloudWatch logs, and permission to access the bucket that contains Deadline-specific dynamic configuration.

  • dynamodb - Used by Deadline Monitor to read the Resource Tracker’s DeadlineFleetHealth DynamoDB table.

  • cloudformation - Used by the on-premises Deadline software to launch and manage the resources that are created as part of a single logical stack.

  • kms - Used to encrypt S3 buckets and Secrets Manager secrets.

  • secretsmanager - Used by the on-premises Deadline software to create, update, describe and delete the secret that holds the password for the RCS TLS certificate, if it has one. The policy does not grant secretsmanager:GetSecretValue; reading the value is left to the Gateway policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AttachInternetGateway",
                "ec2:AssociateAddress",
                "ec2:AssociateRouteTable",
                "ec2:AllocateAddress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateFleet",
                "ec2:CreateLaunchTemplate",
                "ec2:CreateInternetGateway",
                "ec2:CreateNatGateway",
                "ec2:CreatePlacementGroup",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSubnet",
                "ec2:CreateVpc",
                "ec2:CreateVpcEndpoint",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeAddresses",
                "ec2:DescribeFleets",
                "ec2:DescribeFleetHistory",
                "ec2:DescribeFleetInstances",
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeLaunchTemplates",
                "ec2:DescribeRouteTables",
                "ec2:DescribeNatGateways",
                "ec2:DescribeTags",
                "ec2:DescribeKeyPairs",
                "ec2:DescribePlacementGroups",
                "ec2:DescribeInstanceTypeOfferings",
                "ec2:DescribeRegions",
                "ec2:DescribeSpotFleetRequestHistory",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSpotFleetInstances",
                "ec2:DescribeSpotFleetRequests",
                "ec2:DescribeSpotPriceHistory",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpcEndpoints",
                "ec2:GetConsoleOutput",
                "ec2:ImportKeyPair",
                "ec2:ReleaseAddress",
                "ec2:RequestSpotFleet",
                "ec2:CancelSpotFleetRequests",
                "ec2:DisassociateAddress",
                "ec2:DeleteFleets",
                "ec2:DeleteLaunchTemplate",
                "ec2:DeleteVpc",
                "ec2:DeletePlacementGroup",
                "ec2:DeleteVpcEndpoints",
                "ec2:DeleteInternetGateway",
                "ec2:DeleteSecurityGroup",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DeleteRoute",
                "ec2:DeleteRouteTable",
                "ec2:DisassociateRouteTable",
                "ec2:DeleteSubnet",
                "ec2:DeleteNatGateway",
                "ec2:DetachInternetGateway",
                "ec2:ModifyInstanceAttribute",
                "ec2:ModifyFleet",
                "ec2:ModifySpotFleetRequest",
                "ec2:ModifyVpcAttribute"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:key-pair/*",
                "arn:aws:ec2:*::snapshot/*",
                "arn:aws:ec2:*:*:launch-template/*",
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:placement-group/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*::image/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringLike": {
                    "ec2:InstanceProfile": "arn:aws:iam::*:instance-profile/AWSPortal*"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/aws:cloudformation:logical-id": "ReverseForwarder"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/aws:ec2spot:fleet-request-id": "*"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "ec2:PlacementGroup": "*DeadlinePlacementGroup*"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringLike": {
                    "ec2:PlacementGroup": "*DeadlinePlacementGroup*"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "ec2:CreateAction": "RunInstances"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags",
                "ec2:DeleteTags"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:internet-gateway/*",
                "arn:aws:ec2:*:*:route-table/*",
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:vpc/*",
                "arn:aws:ec2:*:*:natgateway/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetUser"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetInstanceProfile"
            ],
            "Resource": [
                "arn:aws:iam::*:instance-profile/AWSPortal*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetPolicy",
                "iam:ListEntitiesForPolicy",
                "iam:ListPolicyVersions"
            ],
            "Resource": [
                "arn:aws:iam::*:policy/AWSPortal*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:GetRolePolicy"
            ],
            "Resource": [
                "arn:aws:iam::*:role/AWSPortal*",
                "arn:aws:iam::*:role/DeadlineSpot*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/AWSPortal*",
                "arn:aws:iam::*:role/DeadlineSpot*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "ec2.amazonaws.com",
                        "ec2fleet.amazonaws.com",
                        "spot.amazonaws.com",
                        "spotfleet.amazonaws.com",
                        "cloudformation.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "ec2fleet.amazonaws.com",
                        "spot.amazonaws.com",
                        "spotfleet.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketVersioning",
                "s3:PutBucketAcl",
                "s3:PutBucketCORS",
                "s3:PutBucketVersioning",
                "s3:GetBucketAcl",
                "s3:GetObject",
                "s3:PutBucketLogging",
                "s3:PutBucketTagging",
                "s3:PutObject",
                "s3:ListBucket",
                "s3:ListBucketVersions",
                "s3:PutEncryptionConfiguration",
                "s3:PutLifecycleConfiguration",
                "s3:DeleteBucket",
                "s3:DeleteObject",
                "s3:DeleteBucketPolicy",
                "s3:DeleteObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3::*:awsportal*",
                "arn:aws:s3::*:stack*",
                "arn:aws:s3::*:aws-portal-cache*",
                "arn:aws:s3::*:logs-for-aws-portal-cache*",
                "arn:aws:s3::*:logs-for-stack*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:Scan"
            ],
            "Resource": "arn:aws:dynamodb:*:*:table/DeadlineFleetHealth*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStackResources",
                "cloudformation:DeleteStack",
                "cloudformation:DeleteChangeSet",
                "cloudformation:ListStackResources",
                "cloudformation:CreateChangeSet",
                "cloudformation:DescribeChangeSet",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:UpdateTerminationProtection"
            ],
            "Resource": [
                "arn:aws:cloudformation:*:*:stack/stack*/*",
                "arn:aws:cloudformation:*:*:stack/Deadline*/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:EstimateTemplateCost",
                "cloudformation:DescribeStacks"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogStreams",
                "logs:GetLogEvents",
                "logs:PutRetentionPolicy",
                "logs:DeleteRetentionPolicy"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:/thinkbox*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogGroups",
                "logs:CreateLogGroup"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringLike": {
                    "kms:ViaService": [
                        "s3.*.amazonaws.com",
                        "secretsmanager.*.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:CreateSecret"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "secretsmanager:Name": [
                        "rcs-tls-pw*"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:DeleteSecret",
                "secretsmanager:UpdateSecret",
                "secretsmanager:DescribeSecret",
                "secretsmanager:TagResource"
            ],
            "Resource": "arn:aws:secretsmanager:*:*:secret:rcs-tls-pw*"
        }
    ]
}
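The description above says this policy grants "full access" to several services. A reviewer usually wants two concrete answers before attaching it: which mutating actions are allowed on every resource with no condition at all, and which roles can be passed to which services. The following is an added example, not part of this page or of AWS Thinkbox's software, that extracts both from a policy document. ADMIN_EXCERPT is an abbreviated copy of the AWSThinkboxAWSPortalAdminPolicy statements shown above (the long EC2 action list is trimmed, and the structure of each kept statement is unchanged); the Describe/Get/List read-only classification is a heuristic of this script, not an IAM concept.

```python
"""Static audit of an IAM policy document: list mutating actions allowed on
Resource "*" with no Condition, and summarise iam:PassRole grants.
Added example; ADMIN_EXCERPT is an abbreviated copy of statements from the
AWSThinkboxAWSPortalAdminPolicy document, not the complete managed policy."""

READ_ONLY_PREFIXES = ("Describe", "Get", "List")  # heuristic, not an IAM concept


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """'ec2:DescribeInstances' -> True; 'ec2:ModifyInstanceAttribute' -> False."""
    _, _, verb = action.partition(":")
    return verb.startswith(READ_ONLY_PREFIXES)


def unscoped_writes(policy):
    """Mutating actions granted on every resource with no condition attached.
    These are what a compromised Deadline host could do anywhere in the
    account, so they deserve the closest review."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" not in _as_list(stmt["Resource"]):
            continue
        found.update(a for a in _as_list(stmt["Action"]) if not is_read_only(a))
    return sorted(found)


def pass_role_grants(policy):
    """(role ARN pattern, sorted services) for each iam:PassRole statement.
    Without an iam:PassedToService condition the holder could hand any
    matching role to any service; None in the result flags that case."""
    grants = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "iam:PassRole" not in _as_list(stmt["Action"]):
            continue
        services = stmt.get("Condition", {}).get("StringEquals", {}).get("iam:PassedToService")
        for role in _as_list(stmt["Resource"]):
            grants.append((role, sorted(_as_list(services)) if services else None))
    return grants


ADMIN_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup",
                    "ec2:DescribeInstances", "ec2:ImportKeyPair",
                    "ec2:ModifyInstanceAttribute", "ec2:DescribeSecurityGroups"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:RunInstances",
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringLike": {
             "ec2:InstanceProfile": "arn:aws:iam::*:instance-profile/AWSPortal*"}}},
        {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*",
         "Condition": {"StringLike": {"ec2:ResourceTag/aws:ec2spot:fleet-request-id": "*"}}},
        {"Effect": "Allow", "Action": ["ec2:CreateTags"], "Resource": "*",
         "Condition": {"StringLike": {"ec2:CreateAction": "RunInstances"}}},
        {"Effect": "Allow", "Action": ["iam:GetUser"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": ["arn:aws:iam::*:role/AWSPortal*", "arn:aws:iam::*:role/DeadlineSpot*"],
         "Condition": {"StringEquals": {"iam:PassedToService": [
             "ec2.amazonaws.com", "ec2fleet.amazonaws.com", "spot.amazonaws.com",
             "spotfleet.amazonaws.com", "cloudformation.amazonaws.com"]}}},
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["logs:DescribeLogGroups", "logs:CreateLogGroup"],
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print("Unscoped mutating actions:")
    for action in unscoped_writes(ADMIN_EXCERPT):
        print("  ", action)
    print("PassRole grants:")
    for role, services in pass_role_grants(ADMIN_EXCERPT):
        print("  ", role, "->", services)
```

On the excerpt the unscoped list contains the security-group, key-pair, instance-attribute and log-group writes from the wildcard statements; the conditioned statements are excluded by design, but still merit reading. As written, the ec2:TerminateInstances statement conditioned on ec2:ResourceTag/aws:ec2spot:fleet-request-id being present matches any Spot Fleet instance in the account, not only those Deadline launched, since the tag is applied by EC2 to every Spot Fleet instance and the condition only requires it to exist.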

AWSThinkboxAWSPortalGatewayPolicy

You can attach the AWSThinkboxAWSPortalGatewayPolicy policy to your IAM identities.

This policy grants operative permissions that allow the Gateway instance in AWS Portal to write Thinkbox-created logs to CloudWatch, perform upload and download actions on the S3 cache bucket (kept for backwards compatibility), read the Resource Tracker fleet health table, get UBL and TLS certificates from the stack bucket, and get the password for the RCS TLS certificate if one is needed.

Permissions details

This policy includes the following permissions.

  • dynamodb - Used by Deadline Pulse running on the Gateway instance to read the Resource Tracker’s DeadlineFleetHealth DynamoDB table. This is needed so that Pulse can report fleet health back to the on-premises installation.

  • logs - Used by the Gateway instance to stream Thinkbox-created logs to CloudWatch. Additionally there are permissions to create the necessary log groups/streams if they don’t already exist.

  • s3 - Used by the Gateway instance to get Usage Based Licensing (UBL) and Deadline Client RCS certificates from S3. Additionally there are permissions to upload the CA certificate it used to sign its server certificate, which Workers use to authenticate the Gateway; that write is limited to the gateway_certs/ prefix of the stack bucket.

  • secretsmanager - Used by the Gateway instance to fetch the passphrase for the RCS TLS certificate, if it has one.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents",
                "logs:DescribeLogStreams",
                "logs:DescribeLogGroups",
                "logs:CreateLogStream"
            ],
            "Resource": [
                "arn:aws:logs:*:*:log-group:/thinkbox*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::aws-portal-cache*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "dynamodb:Scan",
            "Resource": [
                "arn:aws:dynamodb:*:*:table/DeadlineFleetHealth*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::stack*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::stack*/gateway_certs/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "arn:aws:secretsmanager:*:*:secret:rcs-tls-pw-stack*"
            ]
        }
    ]
}

AWSThinkboxAWSPortalWorkerPolicy

You can attach the AWSThinkboxAWSPortalWorkerPolicy policy to your IAM identities.

This policy grants operative permissions that give Deadline Workers in AWS Portal the access they need to S3 buckets, CloudWatch Logs, and SQS queues. This includes performing upload and download actions on the S3 cache bucket, streaming Thinkbox logs to CloudWatch, and reporting information to the Resource Tracker SQS queue.

Permissions details

This policy includes the following permissions.

  • ec2 - Used by the Deadline Worker to query its own tags in order to determine whether it is tracked by the Resource Tracker. These permissions are also used to self-terminate when the Deadline Worker is idle; the TerminateInstances statement only matches when the target ARN equals the calling instance’s own ARN (${ec2:SourceInstanceARN}), so a Worker cannot terminate other instances.

  • s3 - Used by the Deadline Worker to retrieve a CA certificate, which is used to establish a TLS connection with the AWS Portal Gateway. Also used to upload/download files to/from the AWS Portal S3 cache bucket.

  • logs - Used by the Deadline Worker to stream Thinkbox-created logs to CloudWatch. Additionally, there are permissions to create the necessary log groups/streams if they don’t already exist.

  • sqs - Used by the Deadline Worker to report its health information to the Resource Tracker SQS queue.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeTags"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:TerminateInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ARN": "${ec2:SourceInstanceARN}"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::aws-portal-cache*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::stack*/gateway_certs/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogStreams",
                "logs:DescribeLogGroups"
            ],
            "Resource": [
                "arn:aws:logs:*:*:log-group:/thinkbox*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "sqs:SendMessage",
                "sqs:GetQueueUrl"
            ],
            "Resource": [
                "arn:aws:sqs:*:*:DeadlineAWS*"
            ]
        }
    ]
}
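The two policies above scope access by resource pattern and, for self-termination, by a policy variable: a Worker may call ec2:TerminateInstances only when the target ARN equals ${ec2:SourceInstanceARN}, and the Gateway may write to the stack bucket only under gateway_certs/. The following is an added example, not AWS's policy evaluator and not code from this page or from AWS Thinkbox: a deliberately small simulator for Allow statements (IAM wildcard matching, ${...} substitution, and the StringEquals and StringLike operators) that checks those two behaviours against the Worker and Gateway statements copied from the documents above. It does not model Deny, NotAction/NotResource, other condition operators or resource-based policies. The instance and bucket ARNs in the requests are constructed, and the request context assumes that aws:ARN carries the ARN of the resource being acted on, which is what the policy's self-termination condition relies on.

```python
"""Minimal simulator for the Allow statements of an IAM identity policy.
Added example, not AWS's evaluator: ignores Deny, NotAction/NotResource,
operators other than StringEquals/StringLike, and resource-based policies.
WORKER_POLICY and GATEWAY_POLICY are copied from the AWSThinkboxAWSPortal
Worker/Gateway policy documents on this page; the request ARNs are constructed."""
import re


def glob_match(pattern, value):
    """IAM wildcard match: '*' matches any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def substitute(text, context):
    """Replace ${key} policy variables with the request-context value; an
    unknown variable is left as-is, so the statement will not match."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: context.get(m.group(1), m.group(0)), text)


OPERATORS = {
    "StringEquals": lambda pattern, value: pattern == value,
    "StringLike": glob_match,
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def condition_holds(condition, context):
    """Every operator/key pair must hold; within a key, any listed value may match."""
    for op, pairs in condition.items():
        test = OPERATORS[op]  # unsupported operators raise KeyError on purpose
        for key, patterns in pairs.items():
            if key not in context:  # missing key: these operators evaluate to false
                return False
            if not any(test(substitute(p, context), context[key]) for p in _as_list(patterns)):
                return False
    return True


def is_allowed(policy, action, resource, context):
    """True if any Allow statement matches action, resource and conditions."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(glob_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(glob_match(substitute(r, context), resource) for r in _as_list(stmt["Resource"])):
            continue
        if condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


def instance_request(caller_instance_arn, resource):
    """Request context for a call made with an instance-profile credential.
    EC2 sets ec2:SourceInstanceARN for such calls; aws:ARN is assumed here to
    carry the target resource ARN (the self-termination pattern depends on it)."""
    return {"ec2:SourceInstanceARN": caller_instance_arn, "aws:ARN": resource}


WORKER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:TerminateInstances"],
     "Resource": ["arn:aws:ec2:*:*:instance/*"],
     "Condition": {"StringEquals": {"aws:ARN": "${ec2:SourceInstanceARN}"}}},
    {"Effect": "Allow", "Action": ["sqs:SendMessage", "sqs:GetQueueUrl"],
     "Resource": ["arn:aws:sqs:*:*:DeadlineAWS*"]},
]}

GATEWAY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::stack*"]},
    {"Effect": "Allow", "Action": ["s3:PutObject"],
     "Resource": ["arn:aws:s3:::stack*/gateway_certs/*"]},
]}

# Constructed ARNs for the requests below.
SELF_ARN = "arn:aws:ec2:us-west-2:111122223333:instance/i-0abc123def456789a"
OTHER_ARN = "arn:aws:ec2:us-west-2:111122223333:instance/i-0fedcba987654321f"
RT_QUEUE = "arn:aws:sqs:us-west-2:111122223333:DeadlineAWSComputeNodeStateMessageQueue"

if __name__ == "__main__":
    print("worker terminates itself :", is_allowed(WORKER_POLICY, "ec2:TerminateInstances", SELF_ARN, instance_request(SELF_ARN, SELF_ARN)))
    print("worker terminates another:", is_allowed(WORKER_POLICY, "ec2:TerminateInstances", OTHER_ARN, instance_request(SELF_ARN, OTHER_ARN)))
    print("gateway writes CA cert   :", is_allowed(GATEWAY_POLICY, "s3:PutObject", "arn:aws:s3:::stack-1234/gateway_certs/ca.crt", {}))
    print("gateway writes elsewhere :", is_allowed(GATEWAY_POLICY, "s3:PutObject", "arn:aws:s3:::stack-1234/other/ca.crt", {}))
```

The first request succeeds and the second fails because the substituted condition value is the caller's own ARN, not the target's; the Gateway cases differ only in the object prefix, which is the entire scope of its write access. For authoritative answers on a live account use the IAM policy simulator, which applies the full evaluation logic this script omits.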

AWSThinkboxAssetServerPolicy

You can attach the AWSThinkboxAssetServerPolicy policy to your IAM identities.

This policy grants operative permissions that allow the AWS Portal Asset Server to read Amazon CloudWatch Logs and use the S3 cache bucket for normal operation.

Permissions details

This policy includes the following permissions.

  • logs - Used to get CloudWatch logs created by Deadline and AWS Portal back to the on-premises installation.

  • s3 - Used to upload and download files to/from the S3 cache bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:*:*:log-group:/thinkbox*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::aws-portal-cache*"
            ]
        }
    ]
}

AWSThinkboxDeadlineResourceTrackerAccessPolicy

You can attach the AWSThinkboxDeadlineResourceTrackerAccessPolicy policy to your IAM identities.

This policy grants operative permissions that allow Deadline’s Resource Tracker to store and monitor the state of Deadline resources using DynamoDB, Lambda and SQS.

Permissions details

This policy includes the following permissions.

  • dynamodb - The Resource Tracker uses DynamoDB to store the state of the resources that it’s tracking. These permissions grant access to those DynamoDB tables.

  • ec2 - Used to get the status of EC2 instances and fleets, and to terminate unhealthy instances and fleets. Reboot and terminate are limited to instances carrying the DeadlineTrackedAWSResource tag.

  • events - The Resource Tracker publishes custom events to CloudWatch, for example, when an EC2 instance becomes unhealthy. Our customers can connect these events to targets such as Amazon Simple Notification Service (SNS) notifications or Lambda functions.

  • lambda - The Resource Tracker uses AWS Lambda functions for computation. These permissions enable the Resource Tracker to invoke those functions.

  • logs - Used to store the Resource Tracker’s execution logs.

  • sqs - The Resource Tracker uses SQS to report status from the Deadline Worker application to the Resource Tracker system.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:ListStreams"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:BatchWriteItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeStream",
                "dynamodb:DescribeTable",
                "dynamodb:GetItem",
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator",
                "dynamodb:PutItem",
                "dynamodb:Scan",
                "dynamodb:UpdateItem",
                "dynamodb:UpdateTable"
            ],
            "Resource": [
                "arn:aws:dynamodb:*:*:table/DeadlineEC2ComputeNodeHealth*",
                "arn:aws:dynamodb:*:*:table/DeadlineEC2ComputeNodeInfo*",
                "arn:aws:dynamodb:*:*:table/DeadlineFleetHealth*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CancelSpotFleetRequests",
                "ec2:DeleteFleets",
                "ec2:DescribeFleetInstances",
                "ec2:DescribeFleets",
                "ec2:DescribeInstances",
                "ec2:DescribeSpotFleetInstances",
                "ec2:DescribeSpotFleetRequests"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RebootInstances",
                "ec2:TerminateInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/DeadlineTrackedAWSResource": "*"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "events:PutEvents"
            ],
            "Resource": [
                "arn:aws:events:*:*:event-bus/default"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "arn:aws:lambda:*:*:function:DeadlineResourceTracker*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:*:*:log-group:/aws/lambda/DeadlineResourceTracker*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "sqs:DeleteMessage",
                "sqs:GetQueueAttributes",
                "sqs:ReceiveMessage"
            ],
            "Resource": [
                "arn:aws:sqs:*:*:DeadlineAWSComputeNodeStateMessageQueue*"
            ]
        }
    ]
}

AWSThinkboxDeadlineResourceTrackerAdminPolicy

You can attach the AWSThinkboxDeadlineResourceTrackerAdminPolicy policy to your IAM identities.

This policy grants administrative permissions that allow Deadline to create, destroy, and administer AWS Thinkbox’s Deadline Resource Tracker.

Permissions details

This policy includes the following permissions.

  • application-autoscaling - Used for DynamoDB autoscaling, to automatically scale database capacity according to load.

  • cloudformation - The Deadline Resource Tracker is implemented using a CloudFormation stack. These permissions are used to create, delete, and configure this stack.

  • dynamodb - Deadline Resource Tracker uses DynamoDB to store the state of the resources that it’s tracking. These permissions are used to create, delete, and configure these resources. We also include Scan in order for the Deadline applications to get fleet health information from AWS, and BatchWriteItem in order to remove unhealthy fleets from the Resource Tracker system.

  • events - We use EventBridge rules to trigger the execution of Resource Tracker Lambda functions. These permissions are used to create, delete, and configure these rules.

  • iam - Used to retrieve information about IAM roles and users to improve error messages. We use CreateServiceLinkedRole to create the service-linked role for DynamoDB Application Auto Scaling, which automatically provisions capacity for the Deadline Resource Tracker’s DynamoDB tables. We also use PassRole to grant the permissions required by the Resource Tracker Lambda functions and the DynamoDB Application Auto Scaling service.

  • lambda - The Resource Tracker execution is implemented using Lambda functions. These permissions are used to create, delete, update, tag and configure these Lambda functions.

  • s3 - The Resource Tracker uses S3 to store the Deadline Resource Tracker’s CloudFormation template and Lambda deployment package files. These permissions grant read access to those files.

  • sqs - SQS is used to communicate between Deadline Worker instances and the Resource Tracker system. These permissions are used to create, delete, and configure the queue that we use for this communication.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:DeleteScalingPolicy",
                "application-autoscaling:DeregisterScalableTarget",
                "application-autoscaling:DescribeScalableTargets",
                "application-autoscaling:DescribeScalingPolicies",
                "application-autoscaling:PutScalingPolicy",
                "application-autoscaling:RegisterScalableTarget"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:ListStacks"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:UpdateStack",
                "cloudformation:DescribeStacks",
                "cloudformation:UpdateTerminationProtection"
            ],
            "Resource": [
                "arn:aws:cloudformation:*:*:stack/DeadlineResourceTracker*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:CreateTable",
                "dynamodb:DeleteTable",
                "dynamodb:DescribeTable",
                "dynamodb:ListTagsOfResource",
                "dynamodb:TagResource",
                "dynamodb:UntagResource"
            ],
            "Resource": [
                "arn:aws:dynamodb:*:*:table/DeadlineEC2ComputeNodeHealth*",
                "arn:aws:dynamodb:*:*:table/DeadlineEC2ComputeNodeInfo*",
                "arn:aws:dynamodb:*:*:table/DeadlineFleetHealth*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:BatchWriteItem",
                "dynamodb:Scan"
            ],
            "Resource": [
                "arn:aws:dynamodb:*:*:table/DeadlineFleetHealth*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "events:DeleteRule",
                "events:DescribeRule",
                "events:PutRule",
                "events:PutTargets",
                "events:RemoveTargets"
            ],
            "Resource": [
                "arn:aws:events:*:*:rule/DeadlineResourceTracker*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:ListAttachedRolePolicies"
            ],
            "Resource": [
                "arn:aws:iam::*:role/DeadlineResourceTracker*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetUser"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-service-role/*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "dynamodb.application-autoscaling.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/DeadlineResourceTrackerAccess*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "lambda.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "application-autoscaling.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:GetEventSourceMapping"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:CreateEventSourceMapping",
                "lambda:DeleteEventSourceMapping"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringLike": {
                    "lambda:FunctionArn": [
                        "arn:aws:lambda:*:*:function:DeadlineResourceTracker*"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:AddPermission",
                "lambda:RemovePermission"
            ],
            "Resource": [
                "arn:aws:lambda:*:*:function:DeadlineResourceTracker*"
            ],
            "Condition": {
                "StringLike": {
                    "lambda:Principal": "events.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:GetFunction",
                "lambda:GetFunctionConfiguration",
                "lambda:ListTags",
                "lambda:PutFunctionConcurrency",
                "lambda:TagResource",
                "lambda:UntagResource",
                "lambda:UpdateFunctionCode"
            ],
            "Resource": [
                "arn:aws:lambda:*:*:function:DeadlineResourceTracker*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::*/deadline_aws_resource_tracker-*.zip",
                "arn:aws:s3:::*/DeadlineAWSResourceTrackerTemplate-*.yaml"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "sqs:CreateQueue",
                "sqs:DeleteQueue",
                "sqs:GetQueueAttributes",
                "sqs:ListQueueTags",
                "sqs:TagQueue",
                "sqs:UntagQueue"
            ],
            "Resource": [
                "arn:aws:sqs:*:*:DeadlineAWSComputeNodeState*",
                "arn:aws:sqs:*:*:DeadlineResourceTracker*"
            ]
        }
    ]
}

AWSThinkboxDeadlineSpotEventPluginAdminPolicy

You can attach the AWSThinkboxDeadlineSpotEventPluginAdminPolicy policy to your IAM identities.

This policy grants administrative permissions that allow Deadline to operate the Spot Event Plugin. This includes permission to request, modify, and cancel a Spot Fleet, as well as limited PassRole permission.

Permissions details

This policy includes the following permissions.

  • ec2 - Used to create, delete, update, and get the current state of a Spot Fleet Request. The plugin also calls TerminateInstances to enforce a user-configured hard cap on the number of instances, and RunInstances to check whether the user is allowed to launch instances in the requested Spot Fleet. The plugin also uses CreateTags to tag the launched instances so that they can be tracked by the Resource Tracker.

  • iam - Used to enable Spot-related services to create the Service-Linked Roles that they need to operate. These permissions are also used to improve error messages by logging the Role, User, and Instance Profile. The PassRole permission is required to pass the default IAM fleet role (aws-ec2-spot-fleet-tagging-role) used by the Spot Fleet service.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CancelSpotFleetRequests",
                "ec2:DescribeSpotFleetInstances",
                "ec2:DescribeSpotFleetRequests",
                "ec2:ModifySpotFleetRequest",
                "ec2:RequestSpotFleet"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "RunInstances"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:TerminateInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/aws:ec2spot:fleet-request-id": "*"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-service-role/*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "spot.amazonaws.com",
                        "spotfleet.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetInstanceProfile"
            ],
            "Resource": [
                "arn:aws:iam::*:instance-profile/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-ec2-spot-fleet-tagging-role",
                "arn:aws:iam::*:role/DeadlineSpot*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetUser"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-ec2-spot-fleet-tagging-role",
                "arn:aws:iam::*:role/DeadlineSpot*"
            ],
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": "ec2.amazonaws.com"
                }
            }
        }
    ]
}

AWSThinkboxDeadlineSpotEventPluginWorkerPolicy

You can attach the AWSThinkboxDeadlineSpotEventPluginWorkerPolicy policy to your IAM identities.

This policy grants operative permissions that allow an EC2 instance to run the Spot Event Plugin as a Deadline Worker.

Permissions details

This policy includes the following permissions.

  • ec2 - Used to query the Spot Fleet Request ID from the instance's tags. DescribeInstances is required to query the instance's uptime. TerminateInstances is used by the instance for self-termination when it is idle.

  • sqs - Used by the instance to report its status to the Deadline Resource Tracker system.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeTags"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:TerminateInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ARN": "${ec2:SourceInstanceARN}"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "sqs:GetQueueUrl",
                "sqs:SendMessage"
            ],
            "Resource": [
                "arn:aws:sqs:*:*:DeadlineAWSComputeNodeState*"
            ]
        }
    ]
}
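The two bullet lists above describe what the Spot Event Plugin admin and worker policies are meant to allow, but the security-relevant detail sits in the conditions: the worker's TerminateInstances statement is tied to its own instance ARN, the admin's TerminateInstances statement requires the aws:ec2spot:fleet-request-id tag, and PassRole is restricted to the fleet roles and to ec2.amazonaws.com. The following added example (not AWS or Thinkbox code) is a small offline evaluator that runs those statements, copied from this page, against constructed requests so the effect of each condition can be seen. It models only the features these policies use (Allow/Deny, Action and Resource wildcards, StringEquals/StringLike, ${...} policy variables) and takes condition-key values from a caller-supplied context dict; treating aws:ARN as the ARN of the instance a request targets is an assumption, as are all the account IDs, instance IDs, queue and role names in the checks.

```python
# Added example (not AWS or Thinkbox code): an offline evaluator for the IAM
# statements on this page. Condition keys come from a caller-supplied request
# context dict (an assumption: real IAM derives them from the authenticated request).
import fnmatch
import json
import re

# Full AWSThinkboxDeadlineSpotEventPluginWorkerPolicy, copied from the page.
WORKER_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "ec2:DescribeTags"], "Resource": ["*"]},
  {"Effect": "Allow", "Action": ["ec2:TerminateInstances"], "Resource": ["arn:aws:ec2:*:*:instance/*"],
   "Condition": {"StringEquals": {"aws:ARN": "${ec2:SourceInstanceARN}"}}},
  {"Effect": "Allow", "Action": ["sqs:GetQueueUrl", "sqs:SendMessage"],
   "Resource": ["arn:aws:sqs:*:*:DeadlineAWSComputeNodeState*"]}]}""")

# The TerminateInstances and PassRole statements of the Spot Event Plugin admin policy.
SPOT_ADMIN_SUBSET = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["ec2:TerminateInstances"], "Resource": ["arn:aws:ec2:*:*:instance/*"],
   "Condition": {"StringLike": {"ec2:ResourceTag/aws:ec2spot:fleet-request-id": "*"}}},
  {"Effect": "Allow", "Action": ["iam:PassRole"],
   "Resource": ["arn:aws:iam::*:role/aws-ec2-spot-fleet-tagging-role", "arn:aws:iam::*:role/DeadlineSpot*"],
   "Condition": {"StringLike": {"iam:PassedToService": "ec2.amazonaws.com"}}}]}""")

_VAR = re.compile(r"\$\{([^}]+)\}")  # ${key} policy-variable reference

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match_any(patterns, value):
    """IAM-style wildcard match: * and ? are the only metacharacters."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_ok(condition, ctx):
    """Every operator block and every key inside it must hold; a missing key fails."""
    for op, pairs in condition.items():
        for key, wanted in pairs.items():
            have = ctx.get(key)
            if have is None:
                return False
            # Expand policy variables such as ${ec2:SourceInstanceARN} from the context.
            wanted = [_VAR.sub(lambda m: ctx.get(m.group(1), ""), w) for w in _as_list(wanted)]
            if op == "StringEquals":
                ok = have in wanted
            elif op == "StringLike":
                ok = _match_any(wanted, have)
            else:
                raise ValueError(f"condition operator {op} is not modelled")
            if not ok:
                return False
    return True

def is_allowed(policy, action, resource, ctx=None):
    """Default deny: a matching Allow grants, a matching Deny wins outright."""
    ctx = ctx or {}
    allowed = False
    for st in policy["Statement"]:
        actions = [a.lower() for a in _as_list(st["Action"])]  # action names are case-insensitive
        if not _match_any(actions, action.lower()):
            continue
        if not _match_any(st["Resource"], resource):
            continue
        if not _condition_ok(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def worker_checks():
    """A worker may terminate itself and write to its own state queue, nothing else."""
    me = "arn:aws:ec2:us-west-2:123456789012:instance/i-0self000000000000"    # constructed
    other = "arn:aws:ec2:us-west-2:123456789012:instance/i-0other00000000000"  # constructed
    # Assumption: aws:ARN carries the ARN of the instance the request targets.
    self_ctx = {"ec2:SourceInstanceARN": me, "aws:ARN": me}
    other_ctx = {"ec2:SourceInstanceARN": me, "aws:ARN": other}
    state_q = "arn:aws:sqs:us-west-2:123456789012:DeadlineAWSComputeNodeState-abc"  # constructed
    other_q = "arn:aws:sqs:us-west-2:123456789012:PayrollQueue"                     # constructed
    return {
        "terminate_self": is_allowed(WORKER_POLICY, "ec2:TerminateInstances", me, self_ctx),
        "terminate_other": is_allowed(WORKER_POLICY, "ec2:TerminateInstances", other, other_ctx),
        "report_state": is_allowed(WORKER_POLICY, "sqs:SendMessage", state_q),
        "other_queue": is_allowed(WORKER_POLICY, "sqs:SendMessage", other_q),
    }

def spot_admin_checks():
    """The plugin may terminate only Spot Fleet instances and pass only fleet roles, only to EC2."""
    inst = "arn:aws:ec2:us-west-2:123456789012:instance/i-0fleet00000000000"  # constructed
    fleet_ctx = {"ec2:ResourceTag/aws:ec2spot:fleet-request-id": "sfr-0000example"}  # constructed
    role = "arn:aws:iam::123456789012:role/DeadlineSpotFleetRole"  # constructed
    to_ec2 = {"iam:PassedToService": "ec2.amazonaws.com"}
    return {
        "terminate_fleet_instance": is_allowed(SPOT_ADMIN_SUBSET, "ec2:TerminateInstances", inst, fleet_ctx),
        "terminate_untagged": is_allowed(SPOT_ADMIN_SUBSET, "ec2:TerminateInstances", inst, {}),
        "pass_to_ec2": is_allowed(SPOT_ADMIN_SUBSET, "iam:PassRole", role, to_ec2),
        "pass_to_lambda": is_allowed(SPOT_ADMIN_SUBSET, "iam:PassRole", role,
                                     {"iam:PassedToService": "lambda.amazonaws.com"}),
        "pass_other_role": is_allowed(SPOT_ADMIN_SUBSET, "iam:PassRole",
                                      "arn:aws:iam::123456789012:role/AdminRole", to_ec2),
    }
```

Running worker_checks() shows terminate_self and report_state allowed while terminate_other and other_queue are not; spot_admin_checks() shows that an instance without the fleet-request-id tag cannot be terminated and that a DeadlineSpot* role can be passed to EC2 but not to Lambda, and an unrelated role not at all. The evaluator is deliberately narrower than IAM (no ArnLike, NotAction, resource policies or SCPs); use it to reason about these statements, and the IAM policy simulator for anything authoritative.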

Deadline updates to AWS managed policies

View details about updates to AWS managed policies for Deadline since this service began tracking these changes.

Change: AWSThinkboxDeadlineResourceTrackerAdminPolicy
Description: Deadline added a new action to grant lambda:PutFunctionConcurrency permissions to limit the concurrency of Lambda function execution. This permission is required by the Resource Tracker to set the maximum number of simultaneous executions while deploying the Lambda functions.
Date: August 12, 2021

Change: Deadline started tracking changes
Description: Deadline started tracking changes for its AWS managed policies.
Date: July 27, 2021