AWSPortal Admin IAM Managed Policy
This Identity and Access Management (IAM) Managed Policy is meant to be used by the on-prem Deadline software via the AWSPortal IAM user. It contains permissions that allow administration of various AWS resources:
Launch/Terminate Gateway and Worker EC2 resources
Read IAM permissions created during one-time setup.
Create/Modify Deadline owned S3 buckets
Read DynamoDB table to fetch application health statuses
Deploy permissions for Cloudformation to manage resources needed by Deadline
Read/Write Cloudwatch logs for operational purposes
Encrypt/Decrypt user certificates using KMS managed CMKs
Create/Modify user credentials using Secrets Manager secrets
Tagging permissions for the above resources
AWS Thinkbox makes this available as an AWS Managed Policy and maintains it on behalf of Deadline customers.
Permission Breakdown
AWS Portal CloudWatch Logs
Permissions
logs:GetLogEvents, logs:DescribeLogGroups, logs:PutRetentionPolicy, logs:DeleteRetentionPolicy, logs:CreateLogGroup, logs:DescribeLogStreams
Restrictions
These permissions are restricted to actions on Log Groups prefixed with the name Thinkbox. It should be noted that logs:CreateLogGroup and logs:DescribeLogGroups don't have any restrictions on them.
Purpose
These permissions are needed so that the on-prem software can access Thinkbox-created logs in CloudWatch. Additionally, there are permissions to create the necessary log groups/streams if they don't already exist.
AWS Portal Gateway and Worker EC2 instances
Permissions
ec2:RunInstances, ec2:TerminateInstances, ec2:CreateTags, ec2:RequestSpotFleet, ec2:AttachInternetGateway, ec2:DeleteVpc, and several other EC2 read/modify permissions
Restrictions
ec2:RunInstances: restricted such that only instances with instance profile names prefixed with AWSPortal can be launched.
ec2:CreateTags: for instances, tagging is only allowed if the instance was launched in a Placement Group with prefix DeadlinePlacementGroup, or at instance creation time through RunInstances. For Subnet, Security-Group, Internet-Gateway, Route, Volume and VPC resources, tags are allowed on all resources. For all other EC2 resources, tagging is not allowed.
ec2:TerminateInstances: termination is allowed for instances which carry the tag pair {"aws:cloudformation:logical-id": "ReverseForwarder"}, or were launched in a Placement Group with prefix DeadlinePlacementGroup, or carry the tag key "ec2:ResourceTag/aws:ec2spot:fleet-request-id".
All other permissions are unrestricted.
Purpose
These permissions are needed so that Gateway and Worker EC2 instances (and other related EC2 resources) can be created and managed.
AWS Portal IAM entities
Permissions
iam:GetUser, iam:GetInstanceProfile, iam:GetPolicy, iam:ListEntitiesForPolicy, iam:ListPolicyVersions, iam:GetRole, iam:GetRolePolicy, iam:PassRole, iam:CreateServiceLinkedRole
Restrictions
These permissions are restricted to actions on IAM users/roles/policies prefixed with the name AWSPortal. There are a few exceptions though:
iam:GetUser doesn't have any resource or condition restrictions on it. This is by design in case you, either by choice or by mistake, don't use the suggested name (AWSPortal).
iam:CreateServiceLinkedRole is caller restricted such that it can only be invoked via AWS services Deadline actually interacts with.
iam:PassRole also allows passing a role prefixed with DeadlineSpot, and restricts the services the roles can be passed to: EC2, Spot, EC2fleet, Spotfleet and Cloudformation.
Purpose
These permissions are required by Deadline software running on-prem to access IAM entities for the purpose of presenting errors and record keeping.
AWS Portal S3 Buckets
Permissions
s3:CreateBucket, s3:PutObject, s3:ListBucket, s3:PutEncryptionConfiguration, s3:ListAllMyBuckets, and several other S3 read/modify permissions
Restrictions
These permissions can only operate on buckets prefixed with one of the following names: aws-portal-cache, logs-for-aws~portal-cache, stack, logs-for-stack or awsportal.
It should be noted that s3:ListAllMyBuckets doesn't have any restrictions on it.
Purpose
These permissions are needed to create S3 buckets for asset transfer and for the AWS Portal Cloudformation stack. These buckets contain user data like certificates and assets. There are also corresponding logging buckets which contain the generated Cloudwatch logs. Finally, there is permission to access the awsportal bucket, which contains Deadline-specific dynamic configuration.
Resource Tracker DynamoDB Fleet Health Reading
Permissions
dynamodb:Scan
Restrictions
This permission can only operate on DynamoDB tables prefixed with the name DeadlineFleetHealth.
Purpose
This is needed so that the Deadline Monitor can read Resource Tracker's DeadlineFleetHealth DynamoDB table.
AWS Portal Cloudformation Deployment
Permissions
cloudformation:CreateStack, cloudformation:DescribeStackEvents, cloudformation:DeleteStack, and several other read/modify permissions
Restrictions
These permissions can only operate on Cloudformation stacks prefixed with the name stack or deadline. However, there are some permissions (ListStacks, EstimateTemplateCost, and DescribeStacks) which don't have any restrictions.
Purpose
This is needed so that the on-prem software can launch and manage the resources which are created as part of a single logical stack.
AWS Portal KMS Key Encryption
Permissions
kms:Encrypt, kms:GenerateDataKey, kms:Decrypt
Restrictions
These permissions are caller restricted such that they can only be invoked via the Secrets Manager or S3 AWS services.
Purpose
This is needed so that S3 buckets and Secrets Manager secrets can be encrypted/decrypted.
AWS Portal Secrets Manager RCS Password Administration
Permissions
secretsmanager:CreateSecret, secretsmanager:DeleteSecret, secretsmanager:UpdateSecret, secretsmanager:DescribeSecret, secretsmanager:TagResource
Restrictions
These permissions can only operate on secrets in AWS Secrets Manager prefixed with the name rcs-tls-pw-stack.
Purpose
This is needed so that the on-prem software can safely store/read/delete the secured password for the RCS TLS certificate, if it has one.