If you’re new to AWS Portal we recommend starting here. If you’re new to Deadline we recommend starting here.

Deprecated AWSPortal IAM Policy (For Deadline 10.1.7 and Earlier)

The IAM policy document below was intended to be attached to Deadline’s AWSPortal IAM User for Deadline 10.1.7 and earlier. For Deadline 10.1.8 or later, use our new AWS-Managed IAM Policies instead.

Warning

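We recommend that you do not use this policy because it grants excessive permissions: every statement applies to all resources ("Resource": "*"), and the IAM statement includes actions such as iam:CreatePolicy, iam:AttachUserPolicy, iam:PutRolePolicy and iam:PassRole, which let whoever holds this user's credentials grant additional permissions within the account. We recommend that you upgrade to Deadline 10.1.8 or later and use our new AWS-Managed IAM Policies instead.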

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1503340968000",
            "Effect": "Allow",
            "Action": [
                "ec2:AllocateAddress",
                "ec2:CreateInternetGateway",
                "ec2:CreateNatGateway",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSubnet",
                "ec2:CreateTags",
                "ec2:CreateVpc",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSpotFleetInstances",
                "ec2:DescribeSpotFleetRequests",
                "ec2:DescribeSpotPriceHistory",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:DeleteVpc",
                "ec2:ReleaseAddress",
                "ec2:DeleteInternetGateway",
                "ec2:DescribeAddresses",
                "ec2:RequestSpotFleet",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:ModifyVpcAttribute",
                "ec2:DescribeRouteTables",
                "ec2:DeleteRouteTable",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteSubnet",
                "ec2:AttachInternetGateway",
                "ec2:AssociateRouteTable",
                "ec2:DeleteRoute",
                "ec2:DeleteNatGateway",
                "ec2:DetachInternetGateway",
                "ec2:DescribeNatGateways",
                "ec2:DisassociateRouteTable",
                "ec2:RunInstances",
                "ec2:ModifyInstanceAttribute",
                "ec2:TerminateInstances",
                "ec2:AssociateAddress",
                "ec2:DisassociateAddress",
                "ec2:GetConsoleOutput",
                "ec2:ModifySpotFleetRequest",
                "ec2:CancelSpotFleetRequests",
                "ec2:DescribeAvailabilityZones",
                "ec2:ImportKeyPair",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeSpotFleetRequestHistory",
                "ec2:CreateVpcEndpoint",
                "ec2:DescribeVpcEndpoints",
                "ec2:DeleteVpcEndpoints"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1503341224000",
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:AttachRolePolicy",
                "iam:AttachUserPolicy",
                "iam:DetachRolePolicy",
                "iam:CreatePolicy",
                "iam:CreatePolicyVersion",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:CreateUser",
                "iam:DeletePolicyVersion",
                "iam:GetPolicy",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:GetUser",
                "iam:ListEntitiesForPolicy",
                "iam:ListPolicyVersions",
                "iam:CreateInstanceProfile",
                "iam:GetInstanceProfile",
                "iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:DeleteInstanceProfile",
                "iam:PassRole",
                "iam:ListAccessKeys",
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1503341437000",
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketVersioning",
                "s3:ListAllMyBuckets",
                "s3:PutBucketAcl",
                "s3:PutBucketCORS",
                "s3:PutBucketVersioning",
                "s3:GetBucketAcl",
                "s3:GetObject",
                "s3:PutBucketLogging",
                "s3:DeleteObject",
                "s3:PutObject",
                "s3:DeleteBucketPolicy",
                "s3:ListBucket",
                "s3:ListBucketVersions",
                "s3:DeleteObjectVersion",
                "s3:PutBucketPolicy",
                "s3:PutEncryptionConfiguration",
                "s3:PutLifecycleConfiguration",
                "s3:PutBucketTagging",
                "s3:DeleteBucketTagging"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1496243120000",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStackResources",
                "cloudformation:ListStacks",
                "cloudformation:EstimateTemplateCost",
                "cloudformation:ListStackResources",
                "cloudformation:CreateChangeSet",
                "cloudformation:DescribeChangeSet",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:UpdateTerminationProtection",
                "cloudformation:DeleteChangeSet"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1506545147000",
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents",
                "logs:CreateLogGroup",
                "logs:PutRetentionPolicy",
                "logs:DeleteRetentionPolicy"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "DynamoDBPermissions",
            "Effect": "Allow",
            "Action": [
                "dynamodb:CreateTable",
                "dynamodb:DescribeTable",
                "dynamodb:DeleteTable",
                "dynamodb:TagResource",
                "dynamodb:UntagResource",
                "dynamodb:ListTagsOfResource",
                "dynamodb:BatchWriteItem",
                "dynamodb:Scan"
            ],
            "Resource": "*"
        },
        {
            "Sid": "SQSPermissions",
            "Effect": "Allow",
            "Action": [
                "sqs:CreateQueue",
                "sqs:GetQueueAttributes",
                "sqs:DeleteQueue",
                "sqs:GetQueueUrl",
                "sqs:ListQueueTags",
                "sqs:UntagQueue",
                "sqs:TagQueue"
            ],
            "Resource": "*"
        },
        {
            "Sid": "LambdaPermissions",
            "Effect": "Allow",
            "Action": [
                "lambda:GetFunction",
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:GetFunctionConfiguration",
                "lambda:CreateEventSourceMapping",
                "lambda:GetEventSourceMapping",
                "lambda:DeleteEventSourceMapping",
                "lambda:AddPermission"
            ],
            "Resource": "*"
        },
        {
            "Sid": "EventPermissions",
            "Effect": "Allow",
            "Action": [
                "events:PutRule",
                "events:DescribeRule",
                "events:RemoveTargets",
                "events:DeleteRule",
                "events:PutTargets"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AutoScalingPermissions",
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:DescribeScalableTargets",
                "application-autoscaling:RegisterScalableTarget",
                "application-autoscaling:DeregisterScalableTarget",
                "application-autoscaling:DescribeScalingPolicies",
                "application-autoscaling:PutScalingPolicy",
                "application-autoscaling:DeleteScalingPolicy"
            ],
            "Resource": "*"
        },
        {
            "Sid": "STSPermissions",
            "Effect": "Allow",
            "Action": [
                "sts:GetCallerIdentity"
            ],
            "Resource": "*"
        },
        {
            "Sid": "SecretsManagerPermissions",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:CreateSecret",
                "secretsmanager:DeleteSecret",
                "secretsmanager:UpdateSecret",
                "secretsmanager:DescribeSecret",
                "secretsmanager:TagResource"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "KMSPermissions",
            "Effect": "Allow",
            "Action": [
               "kms:CreateKey",
               "kms:DescribeKey",
               "kms:Encrypt",
               "kms:GenerateDataKey",
               "kms:EnableKeyRotation",
               "kms:ListKeys",
               "kms:ListKeyPolicies",
               "kms:ListResourceTags",
               "kms:PutKeyPolicy",
               "kms:UpdateKeyDescription",
               "kms:ScheduleKeyDeletion",
               "kms:TagResource"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Note

For further security, consider adding an IP address condition to each of these statements. Place this text after the “Resource” entry in each of the statements, and add a comma after the “Resource” entry so that the statement remains valid JSON.

"Condition": {
    "IpAddress" : {
        "aws:SourceIp" : ["<your_public_ip_address>"]
    }
}

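This way, the permissions in this policy apply only to API calls made from your IP address. Test the change before relying on it: calls that an AWS service such as CloudFormation makes on your behalf do not originate from your IP address, and AWS documents that aws:SourceIp is not suited to such requests, so stack operations may be denied under this condition.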