AWSThinkboxDeadlineResourceTrackerAccessPolicy
You can attach the AWSThinkboxDeadlineResourceTrackerAccessPolicy policy to your IAM identities. The permissions below (for example, the CloudWatch Logs permissions on `/aws/lambda/DeadlineResourceTracker*` log groups) are shaped for the role that the Resource Tracker itself runs under; attaching the policy to human users or to unrelated roles gives them the same ability to terminate tagged EC2 instances, delete fleets, and modify the tracker's DynamoDB tables, so scope it to that role only.
This policy grants operative permissions that allow Deadline’s Resource Tracker to store and monitor the state of Deadline resources using DynamoDB, Lambda and SQS.
Permissions details
This policy includes the following permissions.
dynamodb
- The Resource Tracker uses DynamoDB to store the state of the resources that it's tracking. These permissions grant read, write, and stream-read access to tables whose names begin with `DeadlineEC2ComputeNodeHealth`, `DeadlineEC2ComputeNodeInfo`, or `DeadlineFleetHealth`, in any account and Region (`arn:aws:dynamodb:*:*:table/...`). Note that `dynamodb:UpdateTable` is included, so the principal can change table settings as well as data, and that `dynamodb:ListStreams` alone is granted on `*`.
ec2
- Used to get the status of EC2 instances and fleets, and to terminate unhealthy instances and fleets. The Describe actions, `ec2:DeleteFleets`, and `ec2:CancelSpotFleetRequests` are granted on `*`. `ec2:RebootInstances` and `ec2:TerminateInstances` are limited to instances that carry a `DeadlineTrackedAWSResource` tag; the condition is `StringLike: "*"` on that tag key, so any tag value matches. Because the scope is defined by a tag, any principal that can tag EC2 instances in the account can bring additional instances into this policy's reboot/terminate scope, so restrict `ec2:CreateTags` accordingly.
events
- The Resource Tracker publishes custom events to CloudWatch Events / EventBridge, for example, when an EC2 instance becomes unhealthy. You can route these events to targets such as Amazon Simple Notification Service (SNS) topics or Lambda functions. `events:PutEvents` is allowed only on the default event bus (`arn:aws:events:*:*:event-bus/default`).
lambda
- The Resource Tracker uses AWS Lambda functions for computation. These permissions enable the Resource Tracker to invoke those functions; `lambda:InvokeFunction` is limited to functions whose names begin with `DeadlineResourceTracker`.
logs
- Used to store the Resource Tracker's execution logs. `logs:CreateLogGroup` is granted on `*`, while `logs:CreateLogStream` and `logs:PutLogEvents` are limited to log groups under `/aws/lambda/DeadlineResourceTracker*`.
sqs
- The Resource Tracker uses SQS to receive status reports from the Deadline Worker application. The policy grants receive, delete, and get-attributes only (no `sqs:SendMessage`), on queues whose names begin with `DeadlineAWSComputeNodeStateMessageQueue`.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:ListStreams"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"dynamodb:BatchWriteItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeStream",
"dynamodb:DescribeTable",
"dynamodb:GetItem",
"dynamodb:GetRecords",
"dynamodb:GetShardIterator",
"dynamodb:PutItem",
"dynamodb:Scan",
"dynamodb:UpdateItem",
"dynamodb:UpdateTable"
],
"Resource": [
"arn:aws:dynamodb:*:*:table/DeadlineEC2ComputeNodeHealth*",
"arn:aws:dynamodb:*:*:table/DeadlineEC2ComputeNodeInfo*",
"arn:aws:dynamodb:*:*:table/DeadlineFleetHealth*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:CancelSpotFleetRequests",
"ec2:DeleteFleets",
"ec2:DescribeFleetInstances",
"ec2:DescribeFleets",
"ec2:DescribeInstances",
"ec2:DescribeSpotFleetInstances",
"ec2:DescribeSpotFleetRequests"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:RebootInstances",
"ec2:TerminateInstances"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"StringLike": {
"ec2:ResourceTag/DeadlineTrackedAWSResource": "*"
}
}
},
{
"Effect": "Allow",
"Action": [
"events:PutEvents"
],
"Resource": [
"arn:aws:events:*:*:event-bus/default"
]
},
{
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction"
],
"Resource": [
"arn:aws:lambda:*:*:function:DeadlineResourceTracker*"
]
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/lambda/DeadlineResourceTracker*"
]
},
{
"Effect": "Allow",
"Action": [
"sqs:DeleteMessage",
"sqs:GetQueueAttributes",
"sqs:ReceiveMessage"
],
"Resource": [
"arn:aws:sqs:*:*:DeadlineAWSComputeNodeStateMessageQueue*"
]
}
]
}