AWS deadline-cloud documentation change
Summary
Added comprehensive IAM policy for console access including EC2, VPC Lattice, S3, IAM, KMS, SSO, and identity store permissions with service-linked conditions
Security assessment
The change adds detailed security documentation about required permissions for console access, including sensitive actions like iam:PassRole and security service integrations (KMS, SSO). However, there's no evidence this addresses an existing vulnerability - it appears to be routine documentation of required permissions for a feature.
Diff
diff --git a/deadline-cloud/latest/userguide/security_iam_id-based-policy-examples.md b/deadline-cloud/latest/userguide/security_iam_id-based-policy-examples.md index cbc7694bd..bb23fa0f6 100644 --- a//deadline-cloud/latest/userguide/security_iam_id-based-policy-examples.md +++ b//deadline-cloud/latest/userguide/security_iam_id-based-policy-examples.md @@ -5 +5 @@ -Policy best practicesUsing the consolePolicy to submit jobs to a queue Policy to allow creating a license endpoint Policy to allow monitoring a specific farm queue +Policy best practicesUsing the consolePolicy to access the consolePolicy to submit jobs to a queue Policy to allow creating a license endpoint Policy to allow monitoring a specific farm queue @@ -20,0 +21,2 @@ For details about actions and resource types defined by Deadline Cloud, includin + * Policy to access the console + @@ -57 +59 @@ To ensure that users and roles can still use the Deadline Cloud console, also at -## Policy to submit jobs to a queue +## Policy to access the console @@ -59 +61 @@ To ensure that users and roles can still use the Deadline Cloud console, also at -In this example, you create a scoped-down policy that grants permission to submit jobs to a specific queue in a specific farm. +To grant access to all functionality in the Deadline Cloud console, attach this identity policy to a user or role you want to have full access. @@ -72 +74,32 @@ JSON - "Sid": "SubmitJobsFarmAndQueue", + "Sid": "EC2InstanceTypeSelection", + "Effect": "Allow", + "Action": [ + "ec2:DescribeInstanceTypeOfferings", + "ec2:DescribeInstanceTypes", + "ec2:GetInstanceTypesFromInstanceRequirements", + "pricing:GetProducts" + ], + "Resource": ["*"] + }, + { + "Sid": "VPCResourceSelection", + "Effect": "Allow", + "Action": [ + "ec2:DescribeVpcs", + "ec2:DescribeSubnets", + "ec2:DescribeSecurityGroups" + ], + "Resource": ["*"] + }, + { + "Sid": "ViewVpcLatticeResources", + "Effect": "Allow", + "Action": [ + "vpc-lattice:ListResourceConfigurations", + "vpc-lattice:GetResourceConfiguration", + "vpc-lattice:GetResourceGateway" + ], + "Resource": ["*"] + }, + { + "Sid": "ManageVpcEndpointsViaDeadline", @@ -74,2 +107,9 @@ JSON - "Action": "deadline:CreateJob", - "Resource": "arn:aws:deadline:REGION:111122223333:farm/FARM_A/queue/QUEUE_B/job/*" + "Action": [ + "ec2:CreateVpcEndpoint", + "ec2:DescribeVpcEndpoints", + "ec2:DeleteVpcEndpoints", + "ec2:CreateTags" + ], + "Resource": ["*"], + "Condition": { + "StringEquals": { "aws:CalledViaFirst": "deadline.amazonaws.com" } @@ -77 +117,14 @@ JSON - ] + }, + { + "Sid": "ChooseJobAttachmentsBucket", + "Effect": "Allow", + "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"], + "Resource": "*" + }, + { + "Sid": "CreateDeadlineCloudLogGroups", + "Effect": "Allow", + "Action": ["logs:CreateLogGroup"], + "Resource": "arn:aws:logs:*:*:log-group:/aws/deadline/*", + "Condition": { + "StringLike": { "aws:CalledViaFirst": "deadline.amazonaws.com" } @@ -79,13 +132 @@ JSON - - -## Policy to allow creating a license endpoint - -In this example, you create a scoped-down policy that grants the required permissions to create and manage license endpoints. Use this policy to create the license endpoint for the VPC associated with your farm. - -JSON - - -**** - - - + }, @@ -93,3 +134,31 @@ JSON - "Version": "2012-10-17", - "Statement": [{ - "Sid": "CreateLicenseEndpoint", + "Sid": "ValidateDependencies", + "Effect": "Allow", + "Action": ["s3:ListBucket"], + "Resource": "*", + "Condition": { + "StringLike": { "aws:CalledViaFirst": "deadline.amazonaws.com" } + } + }, + { + "Sid": "RoleSelection", + "Effect": "Allow", + "Action": ["iam:GetRole", "iam:ListRoles"], + "Resource": "*" + }, + { + "Sid": "PassRoleToDeadlineCloud", + "Effect": "Allow", + "Action": ["iam:PassRole"], + "Condition": { + "StringLike": { "iam:PassedToService": "deadline.amazonaws.com" } + }, + "Resource": "*" + }, + { + "Sid": "KMSKeySelection", + "Effect": "Allow", + "Action": ["kms:ListKeys", "kms:ListAliases"], + "Resource": "*" + }, + { + "Sid": "IdentityStoreReadOnly", @@ -97,0 +167,122 @@ JSON + "identitystore:DescribeUser", + "identitystore:DescribeGroup", + "identitystore:ListGroups", + "identitystore:ListUsers", + "identitystore:IsMemberInGroups", + "identitystore:ListGroupMemberships", + "identitystore:ListGroupMembershipsForMember", + "identitystore:GetGroupMembershipId" + ], + "Resource": "*" + }, + { + "Sid": "OrganizationAndIdentityCenterIdentification", + "Effect": "Allow", + "Action": [ + "sso:ListDirectoryAssociations", + "organizations:DescribeAccount", + "organizations:DescribeOrganization", + "sso:DescribeRegisteredRegions", + "sso:GetManagedApplicationInstance", + "sso:GetSharedSsoConfiguration", + "sso:ListInstances", + "sso:GetApplicationAssignmentConfiguration" + ], + "Resource": "*" + }, + { + "Sid": "ManagedDeadlineCloudIDCApplication", + "Effect": "Allow", + "Action": [ + "sso:CreateApplication", + "sso:PutApplicationAssignmentConfiguration", + "sso:PutApplicationAuthenticationMethod", + "sso:PutApplicationGrant", + "sso:DeleteApplication", + "sso:UpdateApplication" + ], + "Resource": "*", + "Condition": { + "StringLike": { "aws:CalledViaFirst": "deadline.amazonaws.com" } + } + }, + { + "Sid": "ChooseSecret", + "Effect": "Allow", + "Action": ["secretsmanager:ListSecrets"], + "Resource": "*" + }, + { + "Sid": "DeadlineMembershipActions", + "Effect": "Allow", + "Action": [ + "deadline:AssociateMemberToFarm", + "deadline:AssociateMemberToFleet", + "deadline:AssociateMemberToQueue", + "deadline:AssociateMemberToJob", + "deadline:DisassociateMemberFromFarm", + "deadline:DisassociateMemberFromFleet", + "deadline:DisassociateMemberFromQueue", + "deadline:DisassociateMemberFromJob", + "deadline:ListFarmMembers", + "deadline:ListFleetMembers", + "deadline:ListQueueMembers", + "deadline:ListJobMembers" + ], + "Resource": ["*"] + }, + { + "Sid": "DeadlineControlPlaneActions", + "Effect": "Allow", + "Action": [