AWS Security ChangesHomeSearch

AWS medialive medium security documentation change

Service: medialive · 2026-06-04 · Security-related medium

File: medialive/latest/ug/device-iam-for-medialive.md

Summary

Added clarification about MediaConnect and Secrets Manager permissions

Security assessment

Explicitly documents security boundaries: clarifies MediaLive has read-only MediaConnect access and limited Secrets Manager permissions. Mitigates privilege escalation risks by specifying these service account restrictions.

Diff

diff --git a/medialive/latest/ug/device-iam-for-medialive.md b/medialive/latest/ug/device-iam-for-medialive.md
index b8c926566..0d32c068e 100644
--- a//medialive/latest/ug/device-iam-for-medialive.md
+++ b//medialive/latest/ug/device-iam-for-medialive.md
@@ -25 +25 @@ For you to use a Link device, MediaLive must have permissions on operations and
-  * For MediaConnect: MediaLive must be able to read details about a flow.
+  * For MediaConnect: MediaLive must be able to read details about a flow. This allows MediaLive to retrieve flow configuration information (such as the ingest endpoint) so that the device knows where to send content. This permission is read-only and does not allow MediaLive to modify or delete the flow.
@@ -27 +27 @@ For you to use a Link device, MediaLive must have permissions on operations and
-  * For Secrets Manager: The device always encrypts the content it sends to MediaConnect. It encrypts using an encryption key that MediaLiveprovides. MediaLive in turn obtains the encryption key from a secret that the MediaConnect user has stored in Secrets Manager. Therefore, MediaLive needs permission to read the encryption key that is stored in a secret.
+  * For Secrets Manager: The device always encrypts the content it sends to MediaConnect. It encrypts using an encryption key that MediaLive provides. MediaLive in turn obtains the encryption key from a secret that the MediaConnect user has stored in Secrets Manager. Therefore, MediaLive needs permission to read the encryption key that is stored in a secret. This permission is limited to reading the specific secrets that you identify in the policy. It does not grant MediaLive access to other secrets in your account.