AWS mediapackage documentation change
Summary
Added detailed instructions for CDN authorization with static headers using Secrets Manager and KMS, updated trust relationship to mediapackagev2, restructured policy creation steps
Security assessment
The changes document security-related configurations for CDN authorization using AWS security services (Secrets Manager and KMS). While it adds security feature documentation, there's no evidence of addressing a specific existing vulnerability. The updates focus on proper IAM policies for secret management and encryption, which are security best practices but not remediation of a known issue.
Diff
diff --git a/mediapackage/latest/userguide/setting-up-create-trust-rel.md b/mediapackage/latest/userguide/setting-up-create-trust-rel.md index 48bf478ea..4b22f2374 100644 --- a//mediapackage/latest/userguide/setting-up-create-trust-rel.md +++ b//mediapackage/latest/userguide/setting-up-create-trust-rel.md @@ -11 +11 @@ Some features require you to allow MediaPackage to access other AWS services, su -###### Topics +###### Steps @@ -27,0 +28 @@ The IAM policy defines the permissions that AWS Elemental MediaPackage (MediaPac + * For content delivery network (CDN) authorization with static headers, create a policy that allows MediaPackage to read from a secret in Secrets Manager and a key in AWS Key Management Service (AWS KMS). This policy is _not_ needed if you're using AWS Signature Version 4 (SigV4) authentication. @@ -31 +31,0 @@ The IAM policy defines the permissions that AWS Elemental MediaPackage (MediaPac -The following sections describe how to create these policies. @@ -33,8 +33 @@ The following sections describe how to create these policies. -###### Topics - - * Policy for live-to-VOD workflows - - - - -### Policy for live-to-VOD workflows +Use the following instructions to set up the policies that you need. @@ -95,0 +89,74 @@ You can switch between the **Visual** and **JSON** editor options anytime. Howev +If you use content delivery network (CDN) authorization headers to restrict access to your endpoints in MediaPackage, you need a policy that allows you to do these things in Secrets Manager: + + * `GetSecretValue` \- MediaPackage can retrieve the encrypted authorization code from a version of the secret that's in Secrets Manager. + + * `DescribeSecret` \- MediaPackage can retrieve the details of the secret from Secrets Manager, excluding encrypted fields. + + * `BatchGetSecretValue` \- MediaPackage can retrieve a list of secrets from Secrets Manager. + + + + +The following permissions are required only if you customer-managed AWS KMS key. If you use the default key that AWS KMS creates, you don't need to manually add permissions. AWS KMS automatically adds the appropriate permissions for default keys. + + * `Decrypt`: MediaPackage can decrypt the key from AWS KMS. + + * `DescribeKey`: MediaPackage can retrieve the details of the key from AWS KMS. + + + + +###### To use the JSON policy editor to create a policy + + 1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). + + 2. In the navigation column on the left, choose **Policies**. + +If this is your first time choosing **Policies** , the **Welcome to Managed Policies** page appears. Choose **Get Started**. + + 3. At the top of the page, choose **Create policy**. + + 4. Choose the **JSON** tab. + + 5. Enter the following JSON policy document, replacing `region`, `account-id`, `secret-name`, and `key-name` with your own information: + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "secretsmanager:GetSecretValue", + "secretsmanager:DescribeSecret", + ], + "Resource": "arn:aws:secretsmanager:region:account-id:secret:secret-name" + }, + { + "Effect": "Allow", + "Action": [ + "secretsmanager:BatchGetSecretValue" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "kms:Decrypt", + "kms:DescribeKey" + ], + "Resource": "arn:aws:kms:region:account-id:key:key-name" + } + ] + } + + 6. Choose **Review policy**. + +###### Note + +You can switch between the **Visual editor** and **JSON** tabs any time. However, if you make changes or choose **Review policy** in the **Visual editor** tab, IAM might restructure your policy to optimize it for the visual editor. For more information, see [Policy restructuring](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_policies.html#troubleshoot_viseditor-restructure) in the _IAM User Guide_. + + 7. On the **Review policy** page, enter a **Name** and an optional **Description** for the policy that you are creating. Review the policy **Summary** to see the permissions that are granted by your policy. Then choose **Create policy** to save your work. + + + + @@ -98 +165 @@ You can switch between the **Visual** and **JSON** editor options anytime. Howev -An [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user in that it is an AWS identity with permissions policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. Create a role that AWS Elemental MediaPackage assumes when ingesting source content from Amazon S3. +An [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user in that it is an AWS identity with permissions policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. @@ -100 +167 @@ An [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) is -When you create the role, you choose Amazon Elastic Compute Cloud (Amazon EC2) as the trusted entity that can assume the role because MediaPackage isn't available for selection. In Step 3: Modify the trust relationship, you change the trusted entity to MediaPackage. +Create a role that AWS Elemental MediaPackage assumes when ingesting source content or reading secrets and keys for CDN authorization. When you create the role, MediaPackage isn't available to pick as the trusted entity to assume the role. Choose Amazon Elastic Compute Cloud (Amazon EC2) temporarily instead. In the next step, you change the trusted entity to MediaPackage. @@ -110 +177 @@ The trust relationship defines what entities can assume the role that you create - 1. Access the role that you created in Step 2: Create a role. + 1. Access the role that you created in the previous step. @@ -118 +185 @@ If you're not already displaying the role, in the navigation pane of the IAM con - 4. On the **Edit Trust Relationship** page, in the **Policy Document** , change `ec2.amazonaws.com` to `mediapackage.amazonaws.com`. + 4. On the **Edit Trust Relationship** page, in the **Policy Document** , change `ec2.amazonaws.com` to `mediapackagev2.amazonaws.com`. @@ -129 +196 @@ The policy document should now look like this: - "Service": "mediapackage.amazonaws.com" + "Service": "mediapackagev2.amazonaws.com" @@ -145 +212 @@ If you're using MediaPackage and related services in an opt-in Region, the Regio - "Service": "mediapackage.amazonaws.com","mediapackage.ap-southeast-4.amazonaws.com" + "Service": "mediapackagev2.amazonaws.com","mediapackagev2.ap-southeast-4.amazonaws.com" @@ -156 +223 @@ For a list of opt-in Regions, see [AWS opt-in Regions](./regions-and-endpoints.h - 6. On the **Summary** page, make a note of the value in **Role ARN**. You use this ARN when you ingest source content for video on demand (VOD) workflows. The ARN looks like this: + 6. On the **Summary** page, make a note of the value in **Role ARN**. You use this ARN when you ingest source content for video on demand (VOD) workflows or set up CDN authorization. The ARN looks like this: