AWS Security ChangesHomeSearch

AWS deadline-cloud documentation change

Service: deadline-cloud · 2026-01-31 · Documentation low

File: deadline-cloud/latest/developerguide/security-iam-service-roles.md

Summary

Enhanced documentation for monitor role customization, including access level permission examples and advanced workflow guidelines

Security assessment

The changes significantly expand security documentation about IAM role customization. Added content includes: 1) Example policy using deadline:MembershipLevel condition key for granular access control 2) Clearer guidelines for modifying permissions 3) Distinction between access level customization and advanced workflows. This enhances security documentation but doesn't address a specific vulnerability.

Diff

diff --git a/deadline-cloud/latest/developerguide/security-iam-service-roles.md b/deadline-cloud/latest/developerguide/security-iam-service-roles.md
index 061c34ab7..1acae9819 100644
--- a//deadline-cloud/latest/developerguide/security-iam-service-roles.md
+++ b//deadline-cloud/latest/developerguide/security-iam-service-roles.md
@@ -404 +404 @@ Attach all of the following AWS managed policies to your monitor role for basic
-When using the Deadline Cloud monitor, when a service user signs in using the monitor role is assumed. The assume role credentials are used by the monitor application to display the monitor UI, including the list of farms, fleet, queues and other information.
+When using the Deadline Cloud monitor, a service user signs in using (), and the monitor role is assumed. The assumed role credentials are used by the monitor application to display the monitor UI, including the list of farms, fleets, queues, and other information.
@@ -410 +410 @@ This named profile is how the Deadline CLI and submitters access Deadline Cloud
-### Customizing the monitor role for advanced desktop use cases
+### Customizing the monitor role for advanced use cases
@@ -412 +412,5 @@ This named profile is how the Deadline CLI and submitters access Deadline Cloud
-Follow these guidelines when modifying your monitor role:
+You can customize the monitor role to modify what users can do at each access level (Viewer, Contributor, Manager, Owner) or to add permissions for advanced workflows.
+
+#### Customizing access level permissions
+
+The four AWS managed policies attached to the monitor role control what each access level can do. You can add custom policies to the monitor role to grant or restrict permissions for specific access levels using the `deadline:MembershipLevel` condition key.
@@ -414 +418,26 @@ Follow these guidelines when modifying your monitor role:
-  * Don't remove any of the managed policies. This will break monitor functionality.
+For example, to allow Contributors to update and cancel jobs (which is normally restricted to Managers and Owners), add a policy like the following:
+    
+    
+    {
+      "Version": "2012-10-17", 		 	 	 
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": "deadline:UpdateJob",
+          "Resource": "*",
+          "Condition": {
+            "StringEquals": {
+              "deadline:MembershipLevel": "CONTRIBUTOR"
+            }
+          }
+        }
+      ]
+    }
+
+With this policy, Contributors can update and cancel jobs in addition to submitting them.
+
+#### Adding permissions for advanced workflows
+
+You can add custom IAM policies to the monitor role to grant additional permissions to all monitor users. This is useful for advanced scripting workflows where users need access to AWS services beyond the standard Deadline Cloud functionality.
+
+Follow these guidelines when modifying your monitor role:
@@ -416 +445 @@ Follow these guidelines when modifying your monitor role:
-  * You can add additional permissions for advanced scripting workflows.
+  * Don't remove any of the managed policies. Removing these policies breaks monitor functionality.