AWS Security ChangesHomeSearch

AWS medialive medium security documentation change

Service: medialive · 2025-08-10 · Security-related medium

File: medialive/latest/ug/requirements-for-secrets.md

Summary

Updated secret management requirements for SRT inputs/outputs, added encryption enforcement for SRT caller outputs, and clarified IAM permissions for Secrets Manager.

Security assessment

Explicitly mandates encryption for SRT caller outputs and enforces proper secret ARN usage, addressing potential misconfiguration risks. The addition of required IAM actions (e.g., ListSecrets) strengthens access control, directly mitigating security risks related to credential exposure.

Diff

diff --git a/medialive/latest/ug/requirements-for-secrets.md b/medialive/latest/ug/requirements-for-secrets.md
index ba8b9a1ae..841515aba 100644
--- a//medialive/latest/ug/requirements-for-secrets.md
+++ b//medialive/latest/ug/requirements-for-secrets.md
@@ -13 +13 @@ Your deployment might include the following resources:
-When the user creates this type of input, they must obtain the encryption passphrase from the operator of the upstream system. The user must then enter the ARN when they create the SRT input in MediaLive. They must either select the ARN from a dropdown list, or type the ARN into a field.
+When the user creates this type of input, they must enter or select the ARN of a secret that holds the passphrase for decrypting the content. 
@@ -15 +15 @@ When the user creates this type of input, they must obtain the encryption passph
-  * AWS Elemental Link hardware devices that are used in MediaLive or in MediaConnect. For more information about permissions for this use case, see [Requirements for AWS Elemental Link](./requirements-for-link.html).
+  * SRT caller outputs. MediaLive always encrypts this type of output
@@ -16,0 +17 @@ When the user creates this type of input, they must obtain the encryption passph
+When the user creates this type of output, they must enter or select the ARN of a secret that holds the passphrase for encrypting content.
@@ -17,0 +19 @@ When the user creates this type of input, they must obtain the encryption passph
+  * AWS Elemental Link hardware devices that are used in MediaLive or in MediaConnect. For more information about permissions for this use case, see [Requirements for AWS Elemental Link](./requirements-for-link.html).
@@ -20 +21,0 @@ When the user creates this type of input, they must obtain the encryption passph
-The user needs permissions to perform actions in MediaStore when they use the MediaLive workflow wizard. The user doesn't need special permissions when they use the regular MediaLive console to specify a MediaStore container in a channel. 
@@ -22 +22,0 @@ The user needs permissions to perform actions in MediaStore when they use the Me
-On the MediaLive console, view Secrets Manager secrets in the dropdown list. This dropdown list appears in the **Passphrase secret arn** field on the **Create Input** page, when the user is creating an SRT Caller input.
@@ -24 +24,3 @@ On the MediaLive console, view Secrets Manager secrets in the dropdown list. Thi
-When a user creates this type of input on the MediaLive console, they have the option to choose the subnet and security group from a dropdown list. For the dropdown list to be populated with the resources in Amazon VPC, the user must have the appropriate permissions. For more information about Amazon VPC inputs, see [Creating an input](./create-input.html).
+Permissions | Service name in IAM | Actions  
+---|---|---  
+On the MediaLive console, when creating an SRT Caller input, to view secrets in the dropdown list.On the MediaLive console, when creating an SRT Caller output, to view secrets in the dropdown list. | Secrets Manager | `ListSecrets`