AWS deadline-cloud documentation change
Summary
Reorganized existing policy examples (submit jobs, license endpoint, monitoring) and updated their resource ARN formats
Security assessment
Structural reorganization of existing policy examples without substantive security changes. Updates to ARN formats appear to be consistency improvements rather than security-related modifications.
Diff
diff --git a/deadline-cloud/latest/developerguide/security_iam_id-based-policy-examples.md b/deadline-cloud/latest/developerguide/security_iam_id-based-policy-examples.md index 754c5f1ab..7bdde98a9 100644 --- a//deadline-cloud/latest/developerguide/security_iam_id-based-policy-examples.md +++ b//deadline-cloud/latest/developerguide/security_iam_id-based-policy-examples.md @@ -5 +5 @@ -Policy best practicesUsing the consolePolicy to submit jobs to a queue Policy to allow creating a license endpoint Policy to allow monitoring a specific farm queue +Policy best practicesUsing the consolePolicy to access the consolePolicy to submit jobs to a queue Policy to allow creating a license endpoint Policy to allow monitoring a specific farm queue @@ -20,0 +21,2 @@ For details about actions and resource types defined by Deadline Cloud, includin + * Policy to access the console + @@ -57 +59 @@ To ensure that users and roles can still use the Deadline Cloud console, also at -## Policy to submit jobs to a queue +## Policy to access the console @@ -59 +61 @@ To ensure that users and roles can still use the Deadline Cloud console, also at -In this example, you create a scoped-down policy that grants permission to submit jobs to a specific queue in a specific farm. +To grant access to all functionality in the Deadline Cloud console, attach this identity policy to a user or role you want to have full access. @@ -72 +74,32 @@ JSON - "Sid": "SubmitJobsFarmAndQueue", + "Sid": "EC2InstanceTypeSelection", + "Effect": "Allow", + "Action": [ + "ec2:DescribeInstanceTypeOfferings", + "ec2:DescribeInstanceTypes", + "ec2:GetInstanceTypesFromInstanceRequirements", + "pricing:GetProducts" + ], + "Resource": ["*"] + }, + { + "Sid": "VPCResourceSelection", + "Effect": "Allow", + "Action": [ + "ec2:DescribeVpcs", + "ec2:DescribeSubnets", + "ec2:DescribeSecurityGroups" + ], + "Resource": ["*"] + }, + { + "Sid": "ViewVpcLatticeResources", + "Effect": "Allow", + "Action": [ + "vpc-lattice:ListResourceConfigurations", + "vpc-lattice:GetResourceConfiguration", + "vpc-lattice:GetResourceGateway" + ], + "Resource": ["*"] + }, + { + "Sid": "ManageVpcEndpointsViaDeadline", @@ -74,2 +107,9 @@ JSON - "Action": "deadline:CreateJob", - "Resource": "arn:aws:deadline:REGION:111122223333:farm/FARM_A/queue/QUEUE_B/job/*" + "Action": [ + "ec2:CreateVpcEndpoint", + "ec2:DescribeVpcEndpoints", + "ec2:DeleteVpcEndpoints", + "ec2:CreateTags" + ], + "Resource": ["*"], + "Condition": { + "StringEquals": { "aws:CalledViaFirst": "deadline.amazonaws.com" } @@ -77 +117,14 @@ JSON - ] + }, + { + "Sid": "ChooseJobAttachmentsBucket", + "Effect": "Allow", + "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"], + "Resource": "*" + }, + { + "Sid": "CreateDeadlineCloudLogGroups", + "Effect": "Allow", + "Action": ["logs:CreateLogGroup"], + "Resource": "arn:aws:logs:*:*:log-group:/aws/deadline/*", + "Condition": { + "StringLike": { "aws:CalledViaFirst": "deadline.amazonaws.com" } @@ -79,13 +132 @@ JSON - - -## Policy to allow creating a license endpoint - -In this example, you create a scoped-down policy that grants the required permissions to create and manage license endpoints. Use this policy to create the license endpoint for the VPC associated with your farm. - -JSON - - -**** - - - + }, @@ -93,3 +134,31 @@ JSON - "Version": "2012-10-17", - "Statement": [{ - "Sid": "CreateLicenseEndpoint", + "Sid": "ValidateDependencies", + "Effect": "Allow", + "Action": ["s3:ListBucket"], + "Resource": "*", + "Condition": { + "StringLike": { "aws:CalledViaFirst": "deadline.amazonaws.com" } + } + }, + { + "Sid": "RoleSelection", + "Effect": "Allow", + "Action": ["iam:GetRole", "iam:ListRoles"], + "Resource": "*" + }, + { + "Sid": "PassRoleToDeadlineCloud", + "Effect": "Allow", + "Action": ["iam:PassRole"], + "Condition": { + "StringLike": { "iam:PassedToService": "deadline.amazonaws.com" } + }, + "Resource": "*" + }, + { + "Sid": "KMSKeySelection", + "Effect": "Allow", + "Action": ["kms:ListKeys", "kms:ListAliases"], + "Resource": "*" + }, + { + "Sid": "IdentityStoreReadOnly", @@ -97,0 +167,122 @@ JSON + "identitystore:DescribeUser", + "identitystore:DescribeGroup", + "identitystore:ListGroups", + "identitystore:ListUsers", + "identitystore:IsMemberInGroups", + "identitystore:ListGroupMemberships", + "identitystore:ListGroupMembershipsForMember", + "identitystore:GetGroupMembershipId" + ], + "Resource": "*" + }, + { + "Sid": "OrganizationAndIdentityCenterIdentification", + "Effect": "Allow", + "Action": [ + "sso:ListDirectoryAssociations", + "organizations:DescribeAccount", + "organizations:DescribeOrganization", + "sso:DescribeRegisteredRegions", + "sso:GetManagedApplicationInstance", + "sso:GetSharedSsoConfiguration", + "sso:ListInstances", + "sso:GetApplicationAssignmentConfiguration" + ], + "Resource": "*" + }, + { + "Sid": "ManagedDeadlineCloudIDCApplication", + "Effect": "Allow", + "Action": [ + "sso:CreateApplication", + "sso:PutApplicationAssignmentConfiguration", + "sso:PutApplicationAuthenticationMethod", + "sso:PutApplicationGrant", + "sso:DeleteApplication", + "sso:UpdateApplication" + ], + "Resource": "*", + "Condition": { + "StringLike": { "aws:CalledViaFirst": "deadline.amazonaws.com" } + } + }, + { + "Sid": "ChooseSecret", + "Effect": "Allow", + "Action": ["secretsmanager:ListSecrets"], + "Resource": "*" + }, + { + "Sid": "DeadlineMembershipActions", + "Effect": "Allow", + "Action": [ + "deadline:AssociateMemberToFarm", + "deadline:AssociateMemberToFleet", + "deadline:AssociateMemberToQueue", + "deadline:AssociateMemberToJob", + "deadline:DisassociateMemberFromFarm", + "deadline:DisassociateMemberFromFleet", + "deadline:DisassociateMemberFromQueue", + "deadline:DisassociateMemberFromJob", + "deadline:ListFarmMembers", + "deadline:ListFleetMembers", + "deadline:ListQueueMembers", + "deadline:ListJobMembers" + ], + "Resource": ["*"] + }, + { + "Sid": "DeadlineControlPlaneActions", + "Effect": "Allow", + "Action": [