AWSThinkboxDeadlineResourceTrackerAdminPolicy

You can attach the AWSThinkboxDeadlineResourceTrackerAdminPolicy policy to your IAM identities.

This policy grants administrative permissions that allow Deadline to create, destroy, and administer AWS Thinkbox’s Deadline Resource Tracker.

Permissions details

This policy includes the following permissions.

  • application-autoscaling - Used for DynamoDB autoscaling, to automatically scale database capacity according to load.

  • cloudformation - The Deadline Resource Tracker is implemented using a CloudFormation stack. These permissions are used to create, delete, and configure this stack.

  • dynamodb - Deadline Resource Tracker uses DynamoDB to store the state of the resources that it’s tracking. These permissions are used to create, delete, and configure these resources. We also include Scan in order for the Deadline applications to get fleet health information from AWS, and BatchWriteItem in order to remove unhealthy fleets from the Resource Tracker system.

  • events - We use EventBridge rules to trigger the execution of Resource Tracker Lambda functions. These permissions are used to create, delete, and configure these rules.

  • iam - Used to retrieve information about IAM roles and users to improve error messages. We use CreateServiceLinkedRole to create DynamoDB Application Autoscaling that automatically provision capacity for the Deadline Resource Tracker’s DynamoDB tables. We also use PassRole to grant the permissions required by Resource Tracker Lambda functions and the DynamoDB Application Autoscaling service.

  • lambda - The Resource Tracker execution is implemented using Lambda functions. These permissions are used to create, delete, update, tag and configure these Lambda functions.

  • s3 - The Resource Tracker use S3 to store the Deadline Resource Tracker’s CloudFormation template and Lambda deployment package files. These permission grants read access to those files.

  • sqs - SQS is used to communicate between Deadline Worker instances and the Resource Tracker system. These permissions are used to create, delete, and configure the queue that we use for this communication.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSThinkboxDeadlineResourceTracker1",
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:DeleteScalingPolicy",
                "application-autoscaling:DeregisterScalableTarget",
                "application-autoscaling:DescribeScalableTargets",
                "application-autoscaling:DescribeScalingPolicies",
                "application-autoscaling:PutScalingPolicy",
                "application-autoscaling:RegisterScalableTarget"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "AWSThinkboxDeadlineResourceTracker2",
            "Effect": "Allow",
            "Action": [
                "cloudformation:ListStacks"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "AWSThinkboxDeadlineResourceTracker3",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:UpdateStack",
                "cloudformation:DescribeStacks",
                "cloudformation:UpdateTerminationProtection",
                "cloudformation:TagResource",
                "cloudformation:UntagResource"
            ],
            "Resource": [
                "arn:aws:cloudformation:*:*:stack/DeadlineResourceTracker*"
            ]
        },
        {
            "Sid": "AWSThinkboxDeadlineResourceTracker4",
            "Effect": "Allow",
            "Action": [
                "dynamodb:CreateTable",
                "dynamodb:DeleteTable",
                "dynamodb:DescribeTable",
                "dynamodb:ListTagsOfResource",
                "dynamodb:TagResource",
                "dynamodb:UntagResource"
            ],
            "Resource": [
                "arn:aws:dynamodb:*:*:table/DeadlineEC2ComputeNodeHealth*",
                "arn:aws:dynamodb:*:*:table/DeadlineEC2ComputeNodeInfo*",
                "arn:aws:dynamodb:*:*:table/DeadlineFleetHealth*"
            ]
        },
        {
            "Sid": "AWSThinkboxDeadlineResourceTracker5",
            "Effect": "Allow",
            "Action": [
                "dynamodb:BatchWriteItem",
                "dynamodb:Scan"
            ],
            "Resource": [
                "arn:aws:dynamodb:*:*:table/DeadlineFleetHealth*"
            ]
        },
        {
            "Sid": "AWSThinkboxDeadlineResourceTracker6",
            "Effect": "Allow",
            "Action": [
                "events:DeleteRule",
                "events:DescribeRule",
                "events:PutRule",
                "events:PutTargets",
                "events:RemoveTargets"
            ],
            "Resource": [
                "arn:aws:events:*:*:rule/DeadlineResourceTracker*"
            ]
        },
        {
            "Sid": "AWSThinkboxDeadlineResourceTracker7",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:ListAttachedRolePolicies"
            ],
            "Resource": [
                "arn:aws:iam::*:role/DeadlineResourceTracker*"
            ]
        },
        {
            "Sid": "AWSThinkboxDeadlineResourceTracker8",
            "Effect": "Allow",
            "Action": [
                "iam:GetUser"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "AWSThinkboxDeadlineResourceTracker9",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-service-role/*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "dynamodb.application-autoscaling.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "AWSThinkboxDeadlineResourceTracker10",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/DeadlineResourceTrackerAccess*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "lambda.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "AWSThinkboxDeadlineResourceTracker11",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "application-autoscaling.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "AWSThinkboxDeadlineResourceTracker12",
            "Effect": "Allow",
            "Action": [
                "lambda:GetEventSourceMapping"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "AWSThinkboxDeadlineResourceTracker13",
            "Effect": "Allow",
            "Action": [
                "lambda:CreateEventSourceMapping",
                "lambda:DeleteEventSourceMapping"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "ArnLike": {
                    "lambda:FunctionArn": [
                        "arn:aws:lambda:*:*:function:DeadlineResourceTracker*"
                    ]
                }
            }
        },
        {
            "Sid": "AWSThinkboxDeadlineResourceTracker14",
            "Effect": "Allow",
            "Action": [
                "lambda:AddPermission",
                "lambda:RemovePermission"
            ],
            "Resource": [
                "arn:aws:lambda:*:*:function:DeadlineResourceTracker*"
            ],
            "Condition": {
                "StringLike": {
                    "lambda:Principal": "events.amazonaws.com"
                }
            }
        },
        {
        "Sid": "AWSThinkboxDeadlineResourceTracker15",
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:DeleteFunctionConcurrency",
                "lambda:GetFunction",
                "lambda:GetFunctionConfiguration",
                "lambda:ListTags",
                "lambda:PutFunctionConcurrency",
                "lambda:TagResource",
                "lambda:UntagResource",
                "lambda:UpdateFunctionCode",
                "lambda:UpdateFunctionConfiguration"
            ],
            "Resource": [
                "arn:aws:lambda:*:*:function:DeadlineResourceTracker*"
            ]
        },
        {
            "Sid": "AWSThinkboxDeadlineResourceTracker16",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::*/deadline_aws_resource_tracker-*.zip",
                "arn:aws:s3:::*/DeadlineAWSResourceTrackerTemplate-*.yaml"
            ]
        },
        {
            "Sid": "AWSThinkboxDeadlineResourceTracker17",
            "Effect": "Allow",
            "Action": [
                "sqs:CreateQueue",
                "sqs:DeleteQueue",
                "sqs:GetQueueAttributes",
                "sqs:ListQueueTags",
                "sqs:TagQueue",
                "sqs:UntagQueue"
            ],
            "Resource": [
                "arn:aws:sqs:*:*:DeadlineAWSComputeNodeState*",
                "arn:aws:sqs:*:*:DeadlineResourceTracker*"
            ]
        }
    ]
}