AWSThinkboxAWSPortalAdminPolicy¶
You can attach the AWSThinkboxAWSPortalAdminPolicy policy to your IAM identities.
This policy grants administrative permissions that allow AWS Thinkbox’s Deadline software full access to multiple AWS services as required for AWS Portal administration. This includes access to create arbitrary tags on several EC2 resource types.
This Policy is meant to be used by the on-premise Deadline software which is responsible for:
Launch/Terminate gateway and worker EC2 resources
Read IAM permissions created during one-time setup
Create/Modify deadline owned S3 buckets
Read DynamoDB table to fetch application health statuses
Deploy permissions for CloudFormation to manage resources needed by deadline
Read/Write Cloudwatch logs for operational purposes
Encrypt/Decrypt user certificates using KMS managed CMKs
Create/Modify user credentials using SecretsManager secrets
Tagging permissions for the above resources.
Permissions details¶
This policy includes the following permissions.
logs- Used by the on-premise Deadline software to access Thinkbox-created logs from CloudWatch. Additionally, there are permissions to create the necessary log groups/streams if they don’t already exist.ec2- Used to create and manage EC2 instances for AWS Portal Gateway and Deadline Worker (and other related EC2 resources).iam- Used by the on-premise Deadline software to retrieve corresponding IAM entity for various reasons like error reporting, record keeping, etc.s3- Used to create S3 buckets for asset transfer and AWS Portal CloudFormation template. These contain user data like certificates and assets. Also, there are corresponding logging buckets which contain the generated CloudWatch logs. There is permission to access the bucket which contains Deadline specific dynamic configuration.dynamodb- Used by Deadline Monitor to read Resource Tracker’s DeadlineFleetHealth DynamoDB table.cloudformation- Used by the on-premise Deadline software to launch and manage the resources created as part of a single logical stack.kms- Used to encrypt S3 buckets and SecretManager secrets.secretsmanager- Used by the on-premise Deadline software to safely store/read/delete the secured password for the RCS TLS certificate, if it has one.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSThinkboxAWSPortal1",
"Effect": "Allow",
"Action": [
"ec2:AttachInternetGateway",
"ec2:AssociateAddress",
"ec2:AssociateRouteTable",
"ec2:AllocateAddress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateFleet",
"ec2:CreateLaunchTemplate",
"ec2:CreateInternetGateway",
"ec2:CreateNatGateway",
"ec2:CreatePlacementGroup",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
"ec2:CreateSubnet",
"ec2:CreateVpc",
"ec2:CreateVpcEndpoint",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeAddresses",
"ec2:DescribeFleets",
"ec2:DescribeFleetHistory",
"ec2:DescribeFleetInstances",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeRouteTables",
"ec2:DescribeNatGateways",
"ec2:DescribeTags",
"ec2:DescribeKeyPairs",
"ec2:DescribePlacementGroups",
"ec2:DescribeInstanceTypeOfferings",
"ec2:DescribeRegions",
"ec2:DescribeSpotFleetRequestHistory",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSpotFleetInstances",
"ec2:DescribeSpotFleetRequests",
"ec2:DescribeSpotPriceHistory",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeVpcEndpoints",
"ec2:GetConsoleOutput",
"ec2:ImportKeyPair",
"ec2:ReleaseAddress",
"ec2:RequestSpotFleet",
"ec2:CancelSpotFleetRequests",
"ec2:DisassociateAddress",
"ec2:DeleteFleets",
"ec2:DeleteLaunchTemplate",
"ec2:DeleteVpc",
"ec2:DeletePlacementGroup",
"ec2:DeleteVpcEndpoints",
"ec2:DeleteInternetGateway",
"ec2:DeleteSecurityGroup",
"ec2:RevokeSecurityGroupIngress",
"ec2:DeleteRoute",
"ec2:DeleteRouteTable",
"ec2:DisassociateRouteTable",
"ec2:DeleteSubnet",
"ec2:DeleteNatGateway",
"ec2:DetachInternetGateway",
"ec2:ModifyInstanceAttribute",
"ec2:ModifyFleet",
"ec2:ModifySpotFleetRequest",
"ec2:ModifyVpcAttribute"
],
"Resource": "*"
},
{
"Sid": "AWSThinkboxAWSPortal2",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:launch-template/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:placement-group/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*::image/*"
]
},
{
"Sid": "AWSThinkboxAWSPortal3",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"ArnLike": {
"ec2:InstanceProfile": "arn:aws:iam::*:instance-profile/AWSPortal*"
}
}
},
{
"Sid": "AWSThinkboxAWSPortal4",
"Effect": "Allow",
"Action": "ec2:TerminateInstances",
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/aws:cloudformation:logical-id": "ReverseForwarder"
}
}
},
{
"Sid": "AWSThinkboxAWSPortal5",
"Effect": "Allow",
"Action": "ec2:TerminateInstances",
"Resource": "*",
"Condition": {
"Null": {
"ec2:ResourceTag/aws:ec2spot:fleet-request-id": false
}
}
},
{
"Sid": "AWSThinkboxAWSPortal6",
"Effect": "Allow",
"Action": "ec2:TerminateInstances",
"Resource": "*",
"Condition": {
"ArnLike": {
"ec2:PlacementGroup": "arn:aws:ec2:*:*:placement-group/*DeadlinePlacementGroup*"
}
}
},
{
"Sid": "AWSThinkboxAWSPortal7",
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"ArnLike": {
"ec2:PlacementGroup": "arn:aws:ec2:*:*:placement-group/*DeadlinePlacementGroup*"
}
}
},
{
"Sid": "AWSThinkboxAWSPortal8",
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:CreateAction": "RunInstances"
}
}
},
{
"Sid": "AWSThinkboxAWSPortal9",
"Effect": "Allow",
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Resource": [
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:internet-gateway/*",
"arn:aws:ec2:*:*:route-table/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:vpc/*",
"arn:aws:ec2:*:*:natgateway/*",
"arn:aws:ec2:*:*:elastic-ip/*"
]
},
{
"Sid": "AWSThinkboxAWSPortal10",
"Effect": "Allow",
"Action": [
"iam:GetUser"
],
"Resource": "*"
},
{
"Sid": "AWSThinkboxAWSPortal11",
"Effect": "Allow",
"Action": [
"iam:GetInstanceProfile"
],
"Resource": [
"arn:aws:iam::*:instance-profile/AWSPortal*"
]
},
{
"Sid": "AWSThinkboxAWSPortal12",
"Effect": "Allow",
"Action": [
"iam:GetPolicy",
"iam:ListEntitiesForPolicy",
"iam:ListPolicyVersions"
],
"Resource": [
"arn:aws:iam::*:policy/AWSPortal*"
]
},
{
"Sid": "AWSThinkboxAWSPortal13",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:GetRolePolicy"
],
"Resource": [
"arn:aws:iam::*:role/AWSPortal*",
"arn:aws:iam::*:role/DeadlineSpot*"
]
},
{
"Sid": "AWSThinkboxAWSPortal14",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/AWSPortal*",
"arn:aws:iam::*:role/DeadlineSpot*"
],
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"ec2.amazonaws.com",
"ec2fleet.amazonaws.com",
"spot.amazonaws.com",
"spotfleet.amazonaws.com",
"cloudformation.amazonaws.com"
]
}
}
},
{
"Sid": "AWSThinkboxAWSPortal15",
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws:iam::*:role/aws-service-role/*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": [
"ec2fleet.amazonaws.com",
"spot.amazonaws.com",
"spotfleet.amazonaws.com"
]
}
}
},
{
"Sid": "AWSThinkboxAWSPortal16",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketVersioning",
"s3:PutBucketAcl",
"s3:PutBucketCORS",
"s3:PutBucketVersioning",
"s3:GetBucketAcl",
"s3:GetObject",
"s3:PutBucketLogging",
"s3:PutBucketTagging",
"s3:PutObject",
"s3:ListBucket",
"s3:ListBucketVersions",
"s3:PutEncryptionConfiguration",
"s3:PutLifecycleConfiguration",
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:DeleteBucketPolicy",
"s3:DeleteObjectVersion"
],
"Resource": [
"arn:aws:s3::*:awsportal*",
"arn:aws:s3::*:stack*",
"arn:aws:s3::*:aws-portal-cache*",
"arn:aws:s3::*:logs-for-aws-portal-cache*",
"arn:aws:s3::*:logs-for-stack*"
]
},
{
"Sid": "AWSThinkboxAWSPortal17",
"Effect": "Allow",
"Action": [
"s3:PutBucketPolicy"
],
"Resource": [
"arn:aws:s3::*:logs-for-aws-portal-cache*"
]
},
{
"Sid": "AWSThinkboxAWSPortal18",
"Effect": "Allow",
"Action": [
"s3:PutBucketOwnershipControls"
],
"Resource": [
"arn:aws:s3::*:logs-for-stack*"
]
},
{
"Sid": "AWSThinkboxAWSPortal19",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": "*"
},
{
"Sid": "AWSThinkboxAWSPortal20",
"Effect": "Allow",
"Action": [
"dynamodb:Scan"
],
"Resource": "arn:aws:dynamodb:*:*:table/DeadlineFleetHealth*"
},
{
"Sid": "AWSThinkboxAWSPortal21",
"Effect": "Allow",
"Action": [
"cloudformation:CreateStack",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStackResources",
"cloudformation:DeleteStack",
"cloudformation:DeleteChangeSet",
"cloudformation:ListStackResources",
"cloudformation:CreateChangeSet",
"cloudformation:DescribeChangeSet",
"cloudformation:ExecuteChangeSet",
"cloudformation:UpdateTerminationProtection",
"cloudformation:TagResource",
"cloudformation:UntagResource"
],
"Resource": [
"arn:aws:cloudformation:*:*:stack/stack*/*",
"arn:aws:cloudformation:*:*:stack/Deadline*/*"
]
},
{
"Sid": "AWSThinkboxAWSPortal22",
"Effect": "Allow",
"Action": [
"cloudformation:EstimateTemplateCost",
"cloudformation:DescribeStacks",
"cloudformation:ListStacks"
],
"Resource": "*"
},
{
"Sid": "AWSThinkboxAWSPortal23",
"Effect": "Allow",
"Action": [
"logs:DescribeLogStreams",
"logs:GetLogEvents",
"logs:PutRetentionPolicy",
"logs:DeleteRetentionPolicy"
],
"Resource": "arn:aws:logs:*:*:log-group:/thinkbox*"
},
{
"Sid": "AWSThinkboxAWSPortal24",
"Effect": "Allow",
"Action": [
"logs:DescribeLogGroups",
"logs:CreateLogGroup"
],
"Resource": "*"
},
{
"Sid": "AWSThinkboxAWSPortal25",
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:GenerateDataKey"
],
"Resource": [
"*"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"s3.*.amazonaws.com",
"secretsmanager.*.amazonaws.com"
]
}
}
},
{
"Sid": "AWSThinkboxAWSPortal26",
"Effect": "Allow",
"Action": [
"secretsmanager:CreateSecret"
],
"Resource": "*",
"Condition": {
"StringLike": {
"secretsmanager:Name": [
"rcs-tls-pw*"
]
}
}
},
{
"Sid": "AWSThinkboxAWSPortal27",
"Effect": "Allow",
"Action": [
"secretsmanager:DeleteSecret",
"secretsmanager:UpdateSecret",
"secretsmanager:DescribeSecret",
"secretsmanager:TagResource"
],
"Resource": "arn:aws:secretsmanager:*:*:secret:rcs-tls-pw*"
}
]
}
