AWS Security ChangesHomeSearch

AWS deadline-cloud documentation change

Service: deadline-cloud · 2025-08-28 · Documentation medium

File: deadline-cloud/latest/userguide/security_iam_id-based-policy-examples.md

Summary

Added comprehensive IAM policy for console access including EC2, VPC Lattice, S3, IAM, KMS, SSO, and identity store permissions with service-linked conditions

Security assessment

The change adds detailed security documentation about required permissions for console access, including sensitive actions like iam:PassRole and security service integrations (KMS, SSO). However, there's no evidence this addresses an existing vulnerability - it appears to be routine documentation of required permissions for a feature.

Diff

diff --git a/deadline-cloud/latest/userguide/security_iam_id-based-policy-examples.md b/deadline-cloud/latest/userguide/security_iam_id-based-policy-examples.md
index cbc7694bd..bb23fa0f6 100644
--- a//deadline-cloud/latest/userguide/security_iam_id-based-policy-examples.md
+++ b//deadline-cloud/latest/userguide/security_iam_id-based-policy-examples.md
@@ -5 +5 @@
-Policy best practicesUsing the consolePolicy to submit jobs to a queue Policy to allow creating a license endpoint Policy to allow monitoring a specific farm queue
+Policy best practicesUsing the consolePolicy to access the consolePolicy to submit jobs to a queue Policy to allow creating a license endpoint Policy to allow monitoring a specific farm queue
@@ -20,0 +21,2 @@ For details about actions and resource types defined by Deadline Cloud, includin
+  * Policy to access the console
+
@@ -57 +59 @@ To ensure that users and roles can still use the Deadline Cloud console, also at
-## Policy to submit jobs to a queue
+## Policy to access the console
@@ -59 +61 @@ To ensure that users and roles can still use the Deadline Cloud console, also at
-In this example, you create a scoped-down policy that grants permission to submit jobs to a specific queue in a specific farm.
+To grant access to all functionality in the Deadline Cloud console, attach this identity policy to a user or role you want to have full access.
@@ -72 +74,32 @@ JSON
-                "Sid": "SubmitJobsFarmAndQueue",
+        "Sid": "EC2InstanceTypeSelection",
+        "Effect": "Allow",
+        "Action": [
+        "ec2:DescribeInstanceTypeOfferings",
+        "ec2:DescribeInstanceTypes",
+        "ec2:GetInstanceTypesFromInstanceRequirements",
+        "pricing:GetProducts"
+        ],
+        "Resource": ["*"]
+        },
+        {
+        "Sid": "VPCResourceSelection",
+        "Effect": "Allow",
+        "Action": [
+        "ec2:DescribeVpcs",
+        "ec2:DescribeSubnets",
+        "ec2:DescribeSecurityGroups"
+        ],
+        "Resource": ["*"]
+        },
+        {
+        "Sid": "ViewVpcLatticeResources",
+        "Effect": "Allow",
+        "Action": [
+        "vpc-lattice:ListResourceConfigurations",
+        "vpc-lattice:GetResourceConfiguration",
+        "vpc-lattice:GetResourceGateway"
+        ],
+        "Resource": ["*"]
+        },
+        {
+        "Sid": "ManageVpcEndpointsViaDeadline",
@@ -74,2 +107,9 @@ JSON
-                "Action": "deadline:CreateJob",
-                "Resource": "arn:aws:deadline:REGION:111122223333:farm/FARM_A/queue/QUEUE_B/job/*"
+        "Action": [
+        "ec2:CreateVpcEndpoint",
+        "ec2:DescribeVpcEndpoints",
+        "ec2:DeleteVpcEndpoints",
+        "ec2:CreateTags"
+        ],
+        "Resource": ["*"],
+        "Condition": {
+        "StringEquals": { "aws:CalledViaFirst": "deadline.amazonaws.com" }
@@ -77 +117,14 @@ JSON
-        ]
+        },
+        {
+        "Sid": "ChooseJobAttachmentsBucket",
+        "Effect": "Allow",
+        "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
+        "Resource": "*"
+        },
+        {
+        "Sid": "CreateDeadlineCloudLogGroups",
+        "Effect": "Allow",
+        "Action": ["logs:CreateLogGroup"],
+        "Resource": "arn:aws:logs:*:*:log-group:/aws/deadline/*",
+        "Condition": {
+        "StringLike": { "aws:CalledViaFirst": "deadline.amazonaws.com" }
@@ -79,13 +132 @@ JSON
-    
-
-##  Policy to allow creating a license endpoint
-
-In this example, you create a scoped-down policy that grants the required permissions to create and manage license endpoints. Use this policy to create the license endpoint for the VPC associated with your farm.
-
-JSON
-    
-
-****
-    
-    
-    
+        },
@@ -93,3 +134,31 @@ JSON
-        "Version": "2012-10-17",
-        "Statement": [{
-            "Sid": "CreateLicenseEndpoint",
+        "Sid": "ValidateDependencies",
+        "Effect": "Allow",
+        "Action": ["s3:ListBucket"],
+        "Resource": "*",
+        "Condition": {
+        "StringLike": { "aws:CalledViaFirst": "deadline.amazonaws.com" }
+        }
+        },
+        {
+        "Sid": "RoleSelection",
+        "Effect": "Allow",
+        "Action": ["iam:GetRole", "iam:ListRoles"],
+        "Resource": "*"
+        },
+        {
+        "Sid": "PassRoleToDeadlineCloud",
+        "Effect": "Allow",
+        "Action": ["iam:PassRole"],
+        "Condition": {
+        "StringLike": { "iam:PassedToService": "deadline.amazonaws.com" }
+        },
+        "Resource": "*"
+        },
+        {
+        "Sid": "KMSKeySelection",
+        "Effect": "Allow",
+        "Action": ["kms:ListKeys", "kms:ListAliases"],
+        "Resource": "*"
+        },
+        {
+        "Sid": "IdentityStoreReadOnly",
@@ -97,0 +167,122 @@ JSON
+        "identitystore:DescribeUser",
+        "identitystore:DescribeGroup",
+        "identitystore:ListGroups",
+        "identitystore:ListUsers",
+        "identitystore:IsMemberInGroups",
+        "identitystore:ListGroupMemberships",
+        "identitystore:ListGroupMembershipsForMember",
+        "identitystore:GetGroupMembershipId"
+        ],
+        "Resource": "*"
+        },
+        {
+        "Sid": "OrganizationAndIdentityCenterIdentification",
+        "Effect": "Allow",
+        "Action": [
+        "sso:ListDirectoryAssociations",
+        "organizations:DescribeAccount",
+        "organizations:DescribeOrganization",
+        "sso:DescribeRegisteredRegions",
+        "sso:GetManagedApplicationInstance",
+        "sso:GetSharedSsoConfiguration",
+        "sso:ListInstances",
+        "sso:GetApplicationAssignmentConfiguration"
+        ],
+        "Resource": "*"
+        },
+        {
+        "Sid": "ManagedDeadlineCloudIDCApplication",
+        "Effect": "Allow",
+        "Action": [
+        "sso:CreateApplication",
+        "sso:PutApplicationAssignmentConfiguration",
+        "sso:PutApplicationAuthenticationMethod",
+        "sso:PutApplicationGrant",
+        "sso:DeleteApplication",
+        "sso:UpdateApplication"
+        ],
+        "Resource": "*",
+        "Condition": {
+        "StringLike": { "aws:CalledViaFirst": "deadline.amazonaws.com" }
+        }
+        },
+        {
+        "Sid": "ChooseSecret",
+        "Effect": "Allow",
+        "Action": ["secretsmanager:ListSecrets"],
+        "Resource": "*"
+        },
+        {
+        "Sid": "DeadlineMembershipActions",
+        "Effect": "Allow",
+        "Action": [
+        "deadline:AssociateMemberToFarm",
+        "deadline:AssociateMemberToFleet",
+        "deadline:AssociateMemberToQueue",
+        "deadline:AssociateMemberToJob",
+        "deadline:DisassociateMemberFromFarm",
+        "deadline:DisassociateMemberFromFleet",
+        "deadline:DisassociateMemberFromQueue",
+        "deadline:DisassociateMemberFromJob",
+        "deadline:ListFarmMembers",
+        "deadline:ListFleetMembers",
+        "deadline:ListQueueMembers",
+        "deadline:ListJobMembers"
+        ],
+        "Resource": ["*"]
+        },
+        {
+        "Sid": "DeadlineControlPlaneActions",
+        "Effect": "Allow",
+        "Action": [