AWS Security ChangesHomeSearch

AWS deadline-cloud documentation change

Service: deadline-cloud · 2026-04-19 · Documentation low

File: deadline-cloud/latest/developerguide/cmf-network.md

Summary

Complete restructuring of networking documentation from a brief connectivity guide to a comprehensive worker host data flow guide for customer-managed fleets, including detailed endpoint tables, API operations, data transmission details, and private connectivity options.

Security assessment

The change significantly expands security documentation by detailing network protocols (HTTPS/TLS 1.2+), outbound-only communication patterns, specific API operations with security implications (credential exchange via AssumeFleetRoleForWorker, AssumeQueueRoleForWorker), and private connectivity options (AWS PrivateLink). However, there is no evidence this addresses a specific security vulnerability or incident - it appears to be a routine documentation enhancement for better security configuration guidance.

Diff

diff --git a/deadline-cloud/latest/developerguide/cmf-network.md b/deadline-cloud/latest/developerguide/cmf-network.md
index bd1f53546..7b5ca0396 100644
--- a//deadline-cloud/latest/developerguide/cmf-network.md
+++ b//deadline-cloud/latest/developerguide/cmf-network.md
@@ -7 +7 @@
-# Configure networking to allow AWS endpoint connections
+Endpoints and protocolsAPI operations used by workersOther data transmittedPrivate connectivity options
@@ -9 +9 @@
-Deadline Cloud requires secure connectivity to various AWS service endpoints for proper operation. To use Deadline Cloud, you must make sure that your network environment allows your Deadline Cloud workers to connect to these endpoints.
+# Worker host data flow for customer-managed fleets
@@ -11 +11 @@ Deadline Cloud requires secure connectivity to various AWS service endpoints for
-If you have a network firewall setup that blocks outbound connections, you may need to add firewall exceptions for specific endpoints. For Deadline Cloud, you must add exceptions for the following services:
+This topic describes the network connections that AWS Deadline Cloud (Deadline Cloud) worker hosts make during operation, including the endpoints contacted, protocols used, and data transmitted. This information applies to customer-managed fleet (CMF) workers, including both Amazon Elastic Compute Cloud (Amazon EC2) instances and on-premises workers. Use this information to configure firewall rules, create VPC endpoints, perform security audits, or plan network policies for your worker hosts. For information about service-managed fleet networking, see [Inter-network traffic privacy](./inter-network-traffic-privacy.html).
@@ -13 +13 @@ If you have a network firewall setup that blocks outbound connections, you may n
-  * [Deadline Cloud endpoints](https://docs.aws.amazon.com/general/latest/gr/deadlinecloud.html)
+All worker communication is outbound only. Worker hosts initiate all connections—you don't need to allow any inbound connections. All connections use HTTPS (TLS 1.2 or later) over port 443.
@@ -15 +15 @@ If you have a network firewall setup that blocks outbound connections, you may n
-  * [Amazon CloudWatch Logs endpoints](https://docs.aws.amazon.com/general/latest/gr/cwl_region.html)
+This topic includes the following sections:
@@ -17 +17 @@ If you have a network firewall setup that blocks outbound connections, you may n
-  * [Amazon Simple Storage Service endpoints](https://docs.aws.amazon.com/general/latest/gr/s3.html)
+  * Endpoints and protocols
@@ -18,0 +19 @@ If you have a network firewall setup that blocks outbound connections, you may n
+  * API operations used by workers
@@ -19,0 +21 @@ If you have a network firewall setup that blocks outbound connections, you may n
+  * Other data transmitted
@@ -20,0 +23 @@ If you have a network firewall setup that blocks outbound connections, you may n
+  * Private connectivity options
@@ -22 +24,0 @@ If you have a network firewall setup that blocks outbound connections, you may n
-If your jobs use other AWS services, you may need to add exceptions for those services as well. You can find these endpoints in the [Service endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/aws-service-information.html) chapter of the _AWS General Reference_ guide. After you identify the required endpoints, create outbound rules in your firewall to permit traffic to these specific endpoints.
@@ -24 +26,68 @@ If your jobs use other AWS services, you may need to add exceptions for those se
-Making sure that these endpoints are accessible is required for proper operation. Additionally, consider implementing appropriate security measures, such as using virtual private clouds (VPCs), security groups, and network access control lists (ACLs) to maintain a secure environment while allowing the required Deadline Cloud traffic.
+
+
+## Endpoints and protocols
+
+The following table lists the AWS service endpoints that worker hosts connect to during operation. For the complete list of regional endpoints for each service, see the [Service endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/aws-service-information.html) in the _AWS General Reference_.
+
+Worker host endpoint reference AWS service | Endpoint | Port / Protocol | Purpose | Required  
+---|---|---|---|---  
+[Deadline Cloud](https://docs.aws.amazon.com/general/latest/gr/deadlinecloud.html) (scheduling) | `scheduling.deadline.`[Region]`.amazonaws.com` | 443 / HTTPS | Worker registration, task polling, status updates, credential exchange, job entity retrieval. See API operations used by workers. | Always  
+[Amazon CloudWatch Logs](https://docs.aws.amazon.com/general/latest/gr/cwl_region.html) (CloudWatch Logs) | `logs.`[Region]`.amazonaws.com` | 443 / HTTPS | Worker agent and session log delivery. | Always  
+[Amazon Simple Storage Service](https://docs.aws.amazon.com/general/latest/gr/s3.html) (Amazon S3) | `s3.`[Region]`.amazonaws.com` | 443 / HTTPS | Job attachment upload and download. | If using job attachments  
+  
+If your jobs use other AWS services, you might also need to allow outbound connections to those service endpoints.
+
+## API operations used by workers
+
+All of the following API operations use the `scheduling.deadline.`[Region]`.amazonaws.com` endpoint. For the complete request and response schemas of each operation, see the [Deadline Cloud API Reference](https://docs.aws.amazon.com/deadline-cloud/latest/APIReference/Welcome.html).
+
+### Bootstrap phase
+
+When a worker host starts, the worker agent registers with the fleet. The bootstrap credentials require the permissions in the `AWSDeadlineCloud-WorkerHost` AWS managed policy, or equivalent custom permissions. The bootstrap phase uses the following API operations:
+
+  * [`CreateWorker`](https://docs.aws.amazon.com/deadline-cloud/latest/APIReference/API_CreateWorker.html) – Registers the worker with the fleet. Sends the host name and IP addresses. Receives a worker ID.
+
+  * [`AssumeFleetRoleForWorker`](https://docs.aws.amazon.com/deadline-cloud/latest/APIReference/API_AssumeFleetRoleForWorker.html) – Obtains fleet role credentials. Receives temporary AWS credentials that the worker agent uses for subsequent operations.
+
+
+
+
+### Operational phase
+
+After bootstrap, the worker agent polls for work and processes sessions. The fleet role requires the permissions in the `AWSDeadlineCloud-FleetWorker` AWS managed policy, or equivalent custom permissions, and uses the following API operations:
+
+  * [`UpdateWorker`](https://docs.aws.amazon.com/deadline-cloud/latest/APIReference/API_UpdateWorker.html) – Updates the worker status, for example to `STOPPED` during shutdown.
+
+  * [`UpdateWorkerSchedule`](https://docs.aws.amazon.com/deadline-cloud/latest/APIReference/API_UpdateWorkerSchedule.html) – Polls for work assignments. Sends session action status updates including completion status, progress percent, progress message, and output manifest hashes. Receives assigned sessions (job ID, queue ID, session actions, log configuration), cancellation requests, desired worker status, and the update interval.
+
+  * [`BatchGetJobEntity`](https://docs.aws.amazon.com/deadline-cloud/latest/APIReference/API_BatchGetJobEntity.html) – Fetches job details for assigned work. Sends job entity identifiers. Receives job details, environment details, and job attachment details.
+
+  * [`AssumeFleetRoleForWorker`](https://docs.aws.amazon.com/deadline-cloud/latest/APIReference/API_AssumeFleetRoleForWorker.html) – Periodically refreshes fleet role credentials.
+
+  * [`AssumeQueueRoleForWorker`](https://docs.aws.amazon.com/deadline-cloud/latest/APIReference/API_AssumeQueueRoleForWorker.html) – Obtains queue role credentials scoped to a specific queue. The worker uses these credentials to access job attachments in Amazon S3.
+
+
+
+
+## Other data transmitted
+
+In addition to the Deadline Cloud scheduling API operations, worker hosts transmit the following data to other AWS services:
+
+**Log data**
+    
+
+The worker agent sends worker agent logs and session logs (stdout and stderr from job processes) to CloudWatch Logs using the `PutLogEvents` API operation.
+
+**Job attachments**
+    
+
+Workers transfer input and output files through Amazon S3 using `GetObject` and `PutObject` API operations. The worker uses queue role credentials obtained through `AssumeQueueRoleForWorker` for this access.
+
+**Telemetry (optional)**
+    
+
+The worker agent sends operational metrics such as crash reports. You can opt out of telemetry collection. For more information, see [Opt out](./opt-out.html).
+
+## Private connectivity options
+
+You can use AWS PrivateLink to keep traffic between CMF worker hosts and Deadline Cloud within your VPC, without traversing the public internet. For on-premises workers, you can combine AWS PrivateLink with AWS Direct Connect (Direct Connect) or a VPN connection. For more information, see [Access AWS Deadline Cloud using an interface endpoint (AWS PrivateLink)](./vpc-interface-endpoints.html).