AWS deadline-cloud documentation change
Summary
Added detailed 'Policy to access the console' with expanded permissions including EC2, VPC Lattice, IAM, SSO, and other service interactions required for full console functionality
Security assessment
The change adds documentation for a comprehensive IAM policy required to access the Deadline Cloud console. While it includes sensitive permissions (e.g., iam:PassRole, ec2:CreateVpcEndpoint), these are explained as necessary for console operations with service-specific conditions (aws:CalledViaFirst) to limit scope. This is a security documentation improvement rather than a response to a specific vulnerability.
Diff
diff --git a/deadline-cloud/latest/developerguide/security_iam_id-based-policy-examples.md b/deadline-cloud/latest/developerguide/security_iam_id-based-policy-examples.md index 754c5f1ab..7bdde98a9 100644 --- a//deadline-cloud/latest/developerguide/security_iam_id-based-policy-examples.md +++ b//deadline-cloud/latest/developerguide/security_iam_id-based-policy-examples.md @@ -5 +5 @@ -Policy best practicesUsing the consolePolicy to submit jobs to a queue Policy to allow creating a license endpoint Policy to allow monitoring a specific farm queue +Policy best practicesUsing the consolePolicy to access the consolePolicy to submit jobs to a queue Policy to allow creating a license endpoint Policy to allow monitoring a specific farm queue @@ -20,0 +21,2 @@ For details about actions and resource types defined by Deadline Cloud, includin + * Policy to access the console + @@ -57 +59 @@ To ensure that users and roles can still use the Deadline Cloud console, also at -## Policy to submit jobs to a queue +## Policy to access the console @@ -59 +61 @@ To ensure that users and roles can still use the Deadline Cloud console, also at -In this example, you create a scoped-down policy that grants permission to submit jobs to a specific queue in a specific farm. +To grant access to all functionality in the Deadline Cloud console, attach this identity policy to a user or role you want to have full access. @@ -72 +74,32 @@ JSON - "Sid": "SubmitJobsFarmAndQueue", + "Sid": "EC2InstanceTypeSelection", + "Effect": "Allow", + "Action": [ + "ec2:DescribeInstanceTypeOfferings", + "ec2:DescribeInstanceTypes", + "ec2:GetInstanceTypesFromInstanceRequirements", + "pricing:GetProducts" + ], + "Resource": ["*"] + }, + { + "Sid": "VPCResourceSelection", + "Effect": "Allow", + "Action": [ + "ec2:DescribeVpcs", + "ec2:DescribeSubnets", + "ec2:DescribeSecurityGroups" + ], + "Resource": ["*"] + }, + { + "Sid": "ViewVpcLatticeResources", + "Effect": "Allow", + "Action": [ + "vpc-lattice:ListResourceConfigurations", + "vpc-lattice:GetResourceConfiguration", + "vpc-lattice:GetResourceGateway" + ], + "Resource": ["*"] + }, + { + "Sid": "ManageVpcEndpointsViaDeadline", @@ -74,2 +107,9 @@ JSON - "Action": "deadline:CreateJob", - "Resource": "arn:aws:deadline:REGION:111122223333:farm/FARM_A/queue/QUEUE_B/job/*" + "Action": [ + "ec2:CreateVpcEndpoint", + "ec2:DescribeVpcEndpoints", + "ec2:DeleteVpcEndpoints", + "ec2:CreateTags" + ], + "Resource": ["*"], + "Condition": { + "StringEquals": { "aws:CalledViaFirst": "deadline.amazonaws.com" } @@ -77 +117,14 @@ JSON - ] + }, + { + "Sid": "ChooseJobAttachmentsBucket", + "Effect": "Allow", + "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"], + "Resource": "*" + }, + { + "Sid": "CreateDeadlineCloudLogGroups", + "Effect": "Allow", + "Action": ["logs:CreateLogGroup"], + "Resource": "arn:aws:logs:*:*:log-group:/aws/deadline/*", + "Condition": { + "StringLike": { "aws:CalledViaFirst": "deadline.amazonaws.com" } @@ -79,13 +132 @@ JSON - - -## Policy to allow creating a license endpoint - -In this example, you create a scoped-down policy that grants the required permissions to create and manage license endpoints. Use this policy to create the license endpoint for the VPC associated with your farm. - -JSON - - -**** - - - + }, @@ -93,3 +134,31 @@ JSON - "Version": "2012-10-17", - "Statement": [{ - "Sid": "CreateLicenseEndpoint", + "Sid": "ValidateDependencies", + "Effect": "Allow", + "Action": ["s3:ListBucket"], + "Resource": "*", + "Condition": { + "StringLike": { "aws:CalledViaFirst": "deadline.amazonaws.com" } + } + }, + { + "Sid": "RoleSelection", + "Effect": "Allow", + "Action": ["iam:GetRole", "iam:ListRoles"], + "Resource": "*" + }, + { + "Sid": "PassRoleToDeadlineCloud", + "Effect": "Allow", + "Action": ["iam:PassRole"], + "Condition": { + "StringLike": { "iam:PassedToService": "deadline.amazonaws.com" } + }, + "Resource": "*" + }, + { + "Sid": "KMSKeySelection", + "Effect": "Allow", + "Action": ["kms:ListKeys", "kms:ListAliases"], + "Resource": "*" + }, + { + "Sid": "IdentityStoreReadOnly", @@ -97,0 +167,122 @@ JSON + "identitystore:DescribeUser", + "identitystore:DescribeGroup", + "identitystore:ListGroups", + "identitystore:ListUsers", + "identitystore:IsMemberInGroups", + "identitystore:ListGroupMemberships", + "identitystore:ListGroupMembershipsForMember", + "identitystore:GetGroupMembershipId" + ], + "Resource": "*" + }, + { + "Sid": "OrganizationAndIdentityCenterIdentification", + "Effect": "Allow", + "Action": [ + "sso:ListDirectoryAssociations", + "organizations:DescribeAccount", + "organizations:DescribeOrganization", + "sso:DescribeRegisteredRegions", + "sso:GetManagedApplicationInstance", + "sso:GetSharedSsoConfiguration", + "sso:ListInstances", + "sso:GetApplicationAssignmentConfiguration" + ], + "Resource": "*" + }, + { + "Sid": "ManagedDeadlineCloudIDCApplication", + "Effect": "Allow", + "Action": [ + "sso:CreateApplication", + "sso:PutApplicationAssignmentConfiguration", + "sso:PutApplicationAuthenticationMethod", + "sso:PutApplicationGrant", + "sso:DeleteApplication", + "sso:UpdateApplication" + ], + "Resource": "*", + "Condition": { + "StringLike": { "aws:CalledViaFirst": "deadline.amazonaws.com" } + } + }, + { + "Sid": "ChooseSecret", + "Effect": "Allow", + "Action": ["secretsmanager:ListSecrets"], + "Resource": "*" + }, + { + "Sid": "DeadlineMembershipActions", + "Effect": "Allow", + "Action": [ + "deadline:AssociateMemberToFarm", + "deadline:AssociateMemberToFleet", + "deadline:AssociateMemberToQueue", + "deadline:AssociateMemberToJob", + "deadline:DisassociateMemberFromFarm", + "deadline:DisassociateMemberFromFleet", + "deadline:DisassociateMemberFromQueue", + "deadline:DisassociateMemberFromJob", + "deadline:ListFarmMembers", + "deadline:ListFleetMembers", + "deadline:ListQueueMembers", + "deadline:ListJobMembers" + ], + "Resource": ["*"] + }, + { + "Sid": "DeadlineControlPlaneActions", + "Effect": "Allow", + "Action": [