# Security in AWS Elemental MediaConnect Security Cloud security at AWS is the highest priority. As an AWS customer, you benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations. Security is a shared responsibility between AWS and you. The [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) describes this as security *of* the cloud and security *in* the cloud: + **Security of the cloud** – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the [AWS compliance programs](https://aws.amazon.com/compliance/programs/). To learn about the compliance programs that apply to AWS Elemental MediaConnect, see [AWS Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/). + **Security in the cloud** – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations. This documentation helps you understand how to apply the shared responsibility model when using AWS Elemental MediaConnect. The following topics show you how to configure AWS Elemental MediaConnect to meet your security and compliance objectives. You also learn how to use other AWS services that help you to monitor and secure your AWS Elemental MediaConnect resources. **Topics** + [ # Data protection for AWS Elemental MediaConnect ](data-protection.md) + [ # Identity and access management for AWS Elemental MediaConnect ](security-iam.md) + [ # Logging and monitoring ](incident-response.md) + [ # Compliance validation for AWS Elemental MediaConnect ](mediaconnect-compliance.md) + [ # Resilience in AWS Elemental MediaConnect ](disaster-recovery-resiliency.md) + [ # Infrastructure security in AWS Elemental MediaConnect ](infrastructure-security.md) # Data protection for AWS Elemental MediaConnect Data protection You can protect your data using tools that are provided by AWS. AWS Elemental MediaConnect can decrypt your incoming video (flow source or router input) and encrypt your outgoing video (flow outputs, router outputs and entitlements). You have three options for encrypting content in transit: + **Static key encryption:** You can use this option to encrypt flow sources, flow outputs, router I/O and entitlements. You store your encryption key in AWS Secrets Manager, and then you give MediaConnect permission to obtain the encryption key from Secrets Manager. Advantages: You have full control over storage of the encryption key for your account. The key is stored in AWS Secrets Manager, where you can access it any time. Challenges: All parties (the owners of the flow or router input source, the flow, any flow or router outputs, and any entitlements) need the encryption key. If the content is shared using an entitlement, both the originator and the subscriber must store the encryption key in AWS Secrets Manager. If the encryption key changes, you must notify all parties of the new key. + **Secure Packager and Encoder Key Exchange (SPEKE):** You can use this option to encrypt content that is sent through an entitlement. You partner with a conditional access (CA) platform key provider who manages and provides encryption keys. Then you give Amazon API Gateway permission to act as a proxy between the CA platform key provider and your AWS account. Advantages: The content originator has full control over access to the encryption key. As the content originator, you partner with your CA platform key provider who manages the encryption key, but you don't handle the key itself and you don't share it with any other parties. Depending on the capabilities of your key provider, this option allows you to assign time limitations to an encryption key or revoke the key entirely. The subscriber doesn't need to set up encryption. This information is automatically provided through the entitlement. Challenges: You must work with a third party (the key provider). + **Secure Reliable Transport (SRT) password encryption:** You can use this option to encrypt flow sources, flow outputs and router I/O when using SRT protocols. SRT protocols are highly available, low-latency protocols that are suitable for long-distance applications. You store your encryption password in AWS Secrets Manager, and then you give MediaConnect permission to obtain the encryption password from Secrets Manager. Advantages: Uses AES with key lengths of 128, 192 or 256 bits. You have full control over the storage of the encryption password. The password is stored in AWS Secrets Manager, where you can access it any time. Challenges: Only usable with SRT protocols. **Note** Encryption is supported for entitlements, flow sources and outputs that use the Zixi or SRT protocols, and for router I/O that use the SRT protocol. **Topics** + [ # Static key encryption in AWS Elemental MediaConnect ](encryption-static-key.md) + [ # SPEKE encryption in AWS Elemental MediaConnect ](encryption-speke.md) + [ # SRT password encryption in AWS Elemental MediaConnect ](encryption-srt-password.md) + [ # Internetwork traffic privacy ](internetwork-traffic-privacy.md) # Static key encryption in AWS Elemental MediaConnect Static key encryption You can use static key encryption to protect your sources, outputs, entitlements and router I/O. You store your encryption key in AWS Secrets Manager, and then you give MediaConnect permission to obtain the encryption key from Secrets Manager. **Topics** + [ # Key management for static key encryption ](encryption-static-key-key-management.md) + [ # Setting up static key encryption using AWS Elemental MediaConnect ](encryption-static-key-set-up.md) # Key management for static key encryption In AWS Elemental MediaConnect, you can use static key encryption to secure content in sources, outputs, entitlements and router I/O. To use this method, you store an encryption key as a *secret* in AWS Secrets Manager, and you give AWS Elemental MediaConnect permission to access the secret. Secrets Manager keeps your encryption key secure, allowing it be accessed only by entities that you specify in an AWS Identity and Access Management (IAM) policy. With static key encryption, all participants (the owner of the flow source, the flow, and any flow outputs, entitlements and router I/O) need the encryption key. If the content is shared using an entitlement, both AWS account owners must store the encryption key in AWS Secrets Manager. For more information, see [Setting up static key encryption](encryption-static-key-set-up.md). # Setting up static key encryption using AWS Elemental MediaConnect Setting up static key encryption Before you can create a flow or a router I/O with an encrypted source or an output, or an entitlement that uses static key encryption, you must perform the following steps: **[ Step 1](#encryption-static-key-set-up-store-key)** – Store your encryption key as a secret in AWS Secrets Manager. **[ Step 2](#encryption-static-key-set-up-create-iam-policy)** – Create an IAM policy that allows AWS Elemental MediaConnect to read the secret that you stored in AWS Secrets Manager. **[ Step 3](#encryption-static-key-set-up-create-iam-role)** – Create an IAM role and attach the policy that you created in step 2. Next, set up AWS Elemental MediaConnect as a trusted entity that is allowed to assume this role and make requests on behalf of your account. **Note** MediaConnect supports encryption only for entitlements, flow sources and outputs that use the Zixi or SRT protocols, and for router I/O that use the SRT protocol. Your stored key in Secrets Manager for the Zixi protocol is a static key in a hexadecimal format. SRT uses a passkey for encryption. ## Step 1: Store your encryption key in AWS Secrets Manager To use static key encryption to encrypt your AWS Elemental MediaConnect content, you must use AWS Secrets Manager to create a secret that stores the encryption key. You must create the secret, and the resource (source, output, entitlement or router I/O) that uses the secret in the same AWS account. You can’t share secrets across accounts. **Note** If you use MediaConnect to distribute video from one AWS Region to another, you must create two secrets (one secret in each Region). **To store an encryption key in Secrets Manager** 1. Obtain the encryption key from the entity that manages the source. 1. Sign in to the AWS Secrets Manager console at [https://console.aws.amazon.com/secretsmanager/](https://console.aws.amazon.com/secretsmanager/). 1. On the **Store a new secret** page, for **Select secret type**, choose **Other type of secrets**. 1. For **Key/value pairs**, choose **Plaintext**. 1. Clear any text in the box and replace it with only the **value** of the encryption key. For hexadecimal keys, check the length of the key to ensure that it matches the length specified for the encryption type. For example, an AES-256 encryption key must have 64 digits, because each digit is 4 bits in size. 1. For **Select the encryption key**, keep the default set to **DefaultEncryptionKey**. 1. Choose **Next**. 1. For **Secret name**, specify a name for your secret that will help you identify it later. For example, **2018-12-01\$1baseball-game-source**. 1. Choose **Next**. 1. For **Configure automatic rotation** section, choose **Disable automatic rotation**. 1. Choose **Next**, and then choose **Store**. The details page for your new secret appears, showing information such as the secret ARN. 1. Make a note of the secret ARN from Secrets Manager. You will need this information in the next procedure. ## Step 2: Create an IAM policy to allow AWS Elemental MediaConnect to access your secret Step 2. Create a policy to allow MediaConnect to access your secret In [step 1](#encryption-static-key-set-up-store-key), you created a secret and stored it in AWS Secrets Manager. In this step, you create an IAM policy that allows AWS Elemental MediaConnect to read the secret that you stored. **To create an IAM policy that allows MediaConnect to access your secret** 1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 1. In the navigation pane of the IAM console, choose **Policies**. 1. Choose **Create policy**, and then choose the **JSON** tab. 1. Enter a policy that uses the following format: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:GetResourcePolicy", "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret", "secretsmanager:ListSecretVersionIds" ], "Resource": [ "arn:aws:secretsmanager:us-west-2:111122223333:secret:aes256-7g8H9i" ] } ] } ``` ------ In the `Resource` section, each line represents the ARN of a different secret that you created. For more examples, see [Policy examples for accessing MediaConnect encryption keys in Secrets Manager](iam-policy-examples-asm-secrets.md). 1. Choose **Review policy**. 1. For **Name**, enter a name for your policy such as **SecretsManagerForMediaConnect**. 1. Choose **Create policy**. ## Step 3: Create an IAM role with a trusted relationship Step 3. Create a role with a trusted relationship In [step 2](#encryption-static-key-set-up-create-iam-policy), you created an IAM policy that allows read access to the secret that you stored in AWS Secrets Manager. In this step, you create an IAM role and assign the policy to that role. Then you define AWS Elemental MediaConnect as a trusted entity that can assume the role. This allows MediaConnect to have read access to your secret. **To create a role with a trusted relationship** 1. In the navigation pane of the IAM console, choose **Roles**. 1. On the **Role** page, choose **Create role**. 1. On the **Create role** page, for **Select type of trusted entity**, choose **AWS service** (the default). 1. For **Choose the service that will use this role**, choose **EC2**. You choose EC2 because AWS Elemental MediaConnect is not currently included in this list. Choosing EC2 lets you create a role. In a later step, you change this role to include MediaConnect instead of EC2. 1. Choose **Next: Permissions**. 1. For **Attach permissions policies**, enter the name of the policy that you created in [step 2](#encryption-static-key-set-up-create-iam-policy), such as **SecretsManagerForMediaConnect**. 1. For **SecretsManagerReadWrite**, select the check box, and then choose **Next: Review**. 1. For **Role name**, enter a name. We highly recommend that you don't use the name `MediaConnectAccessRole` because it is reserved. Instead, use a name that includes `MediaConnect` and describes this role's purpose, such as **MediaConnect-ASM**. 1. For **Role description**, replace the default text with a description that will help you remember the purpose of this role. For example, **Allows MediaConnect to view secrets stored in AWS Secrets Manager.** 1. Choose **Create role**. 1. In the confirmation message that appears across the top of your page, choose the name of the role that you just created. 1. Choose **Trust relationships**, and then choose **Edit trust policy**. 1. in the **Edit trust policy** window, make the following changes to the JSON: + For **Service**, change `ec2.amazonaws.com` to `mediaconnect.amazonaws.com` + For added security, define specific conditions for the trust policy. This will limit MediaConnect to only using resources in your account. You do this by using a global condition such as the **Account ID**, the **flow ARN**, or both. See the following example of the conditional trust policy. For more information about the security benefits of the global conditions, see [Cross-service confused deputy prevention](cross-service-confused-deputy-prevention.md). **Note** The following example uses both the **Account ID** and **flow ARN** conditions. Your policy will look different if you do not use both conditions. If you don't know the full ARN of the flow or if you are specifying multiple flows, use the `aws:SourceArn` global context condition key with wildcard characters (`*`) for the unknown portions of the ARN. For example, `arn:aws:mediaconnect:*:111122223333:*`. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "mediaconnect.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "111122223333" }, "ArnLike": { "aws:SourceArn": "arn:aws:mediaconnect:us-west-2:111122223333:flow:*:flow-name" } } } ] } ``` ------ 1. Choose **Update Trust Policy**. 1. On the **Summary** page, make a note of the value for **Role ARN**. It looks like this: `arn:aws:iam::111122223333:role/MediaConnectASM`. # SPEKE encryption in AWS Elemental MediaConnect SPEKE encryption You can use Secure Packager and Encoder Key Exchange (SPEKE) with AWS Elemental MediaConnect to encrypt an [entitlement](entitlements.md). This gives you, as the content originator, full control of permissions for this content. This usage is a customization of the SPEKE cloud-based architecture described in the [SPEKE documentation](https://docs.aws.amazon.com/speke/latest/documentation/what-is.html#services-architecture). **Topics** + [ # Key management for SPEKE ](encryption-speke-key-management.md) + [ # Setting up SPEKE encryption using AWS Elemental MediaConnect ](encryption-speke-set-up.md) # Key management for SPEKE With a SPEKE implementation, a conditional access (CA) system provides keys to AWS Elemental MediaConnect for content encryption and decryption. API Gateway acts as a proxy for the communication between the service and the CA platform key provider. Each AWS Elemental MediaConnect flow must reside in the same AWS Region as its API Gateway proxy. The following illustration shows how AWS Elemental MediaConnect obtains the encryption or decryption key using SPEKE. In the originator's flow, the service obtains the encryption key and uses it to encrypt the content before sending it through the entitlement. In the subscriber's flow, the service obtains the decryption key when the content is received from the entitlement. ![\[The figure shows an AWS account with an AWS Elemental MediaConnect flow and an instance of API Gateway in the same AWS Region. An arrow shows that AWS Elemental MediaConnect sends a request for the encryption key. The request is sent to the CA platform key provider through API Gateway. A second arrow shows that the key provider returns the encryption key through API Gateway.\]](http://docs.aws.amazon.com/mediaconnect/latest/ug/images/speke-encryption.png) These are the main services and components: + **AWS Elemental MediaConnect** – Provides and controls the encryption setup for the flow. AWS Elemental MediaConnect obtains the encryption keys from the CA platform key provider through Amazon API Gateway. Using the encryption keys, AWS Elemental MediaConnect encrypts the content (for the originator's flow) or decrypts the content (for the subscriber's flow). + **API Gateway** – Manages customer-trusted roles and proxy communication between the encryptor and the key provider. API Gateway provides logging capabilities and lets customers control their relationships with the encryptor and with the CA platform. The API Gateway must reside in the same AWS Region as the encryptor. + **CA platform key provider** – Provides encryption and decryption keys to AWS Elemental MediaConnect through a SPEKE-compliant API. For more information, see [Setting up SPEKE encryption](encryption-speke-set-up.md). # Setting up SPEKE encryption using AWS Elemental MediaConnect Setting up SPEKE encryptionSPEKE support You can now encrypt the contents of your entitlements using (SPEKE). Before you can grant an entitlement that uses SPEKE encryption, you must perform the following steps: **[Step 1.](#encryption-speke-set-up-on-board-key-provider)** – Get on board with a conditional access (CA) platform key provider who will manage your encryption key. During this process, you create an API in Amazon API Gateway that sends requests on behalf of AWS Elemental MediaConnect to the key provider. **[Step 2](#encryption-speke-set-up-create-iam-policy)** – Create an IAM policy that allows the API that you created in step 1 to act as a proxy to make requests to the key provider. **[Step 3.](#encryption-speke-set-up-create-iam-role)** – Create an IAM role and attach the policy that you created in step 2. Next, set up AWS Elemental MediaConnect as a trusted entity that is allowed to assume this role and access the API Gateway endpoint on your behalf. ## Step 1: Get on board with a CA provider Step 1: Get on board with a CA provider To use SPEKE with AWS Elemental MediaConnect, you must have a CA platform key provider. The following AWS partners provide conditional access (CA) solutions for the MediaConnect customization of SPEKE: + [Verimatrix](https://aws.amazon.com/partners/find/partnerdetails/?n=Verimatrix&id=001E000000be2SEIAY) If you are a content originator, contact your CA platform key provider for assistance with the onboarding process. With the help of your CA platform key provider, you manage who gets access to which content. During the onboarding process, make a note of the following: + **ARN of the `POST` method request** – The Amazon Resource Name (ARN) that AWS assigns to the request that you create in API Gateway. + **Constant initialization vector (optional)** – A 128-bit, 16-byte hex value represented by a 32-character string, to be used with the key for encrypting content. + **Device ID** – A unique identifier for each device that you configure with the key provider. Each device represents a different recipient for your content. + **Resource ID** – A unique identifier that you create for each piece of content that you configure with the key provider. + **URL** – The URL assigned by AWS for the API that you create in Amazon API Gateway. You need these values later, when you configure the [entitlement](entitlements-grant.md) in MediaConnect. ## Step 2: Create an IAM policy to allow API Gateway to act as your proxy Step 2: Create a policy for an API Gateway proxy In [step 1](#encryption-speke-set-up-on-board-key-provider), you worked with a CA platform key provider who manages your encryption key. In this step, you create an IAM policy that allows API Gateway to make requests on your behalf. API Gateway acts as a proxy for communication between your account and the key provider. **To create an IAM policy for an API Gateway proxy** 1. In the navigation pane of the IAM console, choose **Policies**. 1. Choose **Create policy**, and then choose the **JSON** tab. 1. Enter a policy that uses the following format: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "execute-api:Invoke" ], "Resource": [ "arn:aws:execute-api:us-west-2:111122223333:1abcdefghi/*/POST/*" ] } ] } ``` ------ In the `Resource` section, replace the sample Amazon Resource Name (ARN) with the ARN of the `POST` method request that you created in API Gateway with the CA platform key provider. 1. Choose **Review policy**. 1. For **Name**, enter **APIGateway-Proxy-Access**. 1. Choose **Create policy**. ## Step 3: Create an IAM role with a trusted relationship Step 3: Create an IAM role In [step 2](#encryption-speke-set-up-create-iam-policy), you created an **APIGateway-Proxy-Access** policy that allows API Gateway to act as a proxy and make requests on your behalf. In this step, you create an IAM role and attach the following permissions: + The **APIGateway-Proxy-Access** policy allows Amazon API Gateway to act as a proxy on your behalf so that it can make requests between your account and the CA platform key provider. This is the policy you created in step 1. + A **trust relationship** policy allows AWS Elemental MediaConnect to assume the role on your behalf. You will create this policy as part of the following procedure. **To create an IAM role with a trusted relationship** 1. In the navigation pane of the IAM console, choose **Roles**. 1. On the **Role** page, choose **Create role**. 1. On the **Create role** page, for **Select type of trusted entity**, choose **AWS service** (the default). 1. For **Choose the service that will use this role**, choose **EC2**. You choose EC2 because AWS Elemental MediaConnect is not currently included in this list. Choosing EC2 lets you create a role. In a later step, you change this role to include MediaConnect instead of EC2. 1. Choose **Next: Permissions**. 1. For **Filter policies**, choose **Customer managed**. 1. Select the check box next to **APIGateway-Proxy-Access**, and then choose **Next: Tags**. 1. Enter tag values (optional), and then choose **Next: Review**. 1. For **Role name**, enter a name such as **SpekeAccess**. 1. For **Role description**, replace the default text with a description that will help you remember the purpose of this role. For example, **Allows AWS Elemental MediaConnect to talk to API Gateway on my behalf.** 1. Choose **Create role**. 1. In the confirmation message that appears across the top of your page, choose the name of the role that you just created. 1. Choose **Trust relationships**, and then choose **Edit Trust Relationship**. 1. For **Policy Document**, change the policy to look like this: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "mediaconnect.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } ``` ------ 1. Choose **Update Trust Policy**. 1. On the **Summary** page, make a note of the value for **Role ARN**. It looks like this: `arn:aws:iam::111122223333:role/SpekeAccess`. # SRT password encryption in AWS Elemental MediaConnect SRT password encryptionSRT password encryption Documentation for SRT password encryption has been added to the guide. You can use the Secure Reliable Transport (SRT) password encryption option to encrypt sources, outputs and router I/O when using the SRT protocols. SRT protocols are a highly available, low-latency protocol suitable for long-distance applications. You store your encryption password in AWS Secrets Manager, and then you give MediaConnect permission to obtain the encryption password from Secrets Manager. **Topics** + [ # Password management for SRT password encryption ](encryption-srt-password-password-management.md) + [ # Setting up SRT password encryption using AWS Elemental MediaConnect ](encryption-srt-password-set-up.md) # Password management for SRT password encryption In AWS Elemental MediaConnect, you can use SRT password encryption to secure content in sources, outputs and router I/O. To use this method, you store an SRT password as a *secret* in AWS Secrets Manager, and you give AWS Elemental MediaConnect permission to access the secret. Secrets Manager keeps your password secure, allowing it be accessed only by entities that you specify in an AWS Identity and Access Management (IAM) policy. With SRT password encryption, all participants (the owner of the source, the flow, the outputs and the router I/O) need the SRT password. For more information, see [Setting up SRT password encryption](encryption-srt-password-set-up.md). # Setting up SRT password encryption using AWS Elemental MediaConnect Setting up SRT password encryption Before you can create a flow or a router I/O that uses SRT password encryption, you must perform the following steps: **[ Step 1](encryption-static-key-set-up.md#encryption-static-key-set-up-store-key)** – Store your SRT password as a secret in AWS Secrets Manager. **[ Step 2](encryption-static-key-set-up.md#encryption-static-key-set-up-create-iam-policy)** – Create an IAM policy that allows AWS Elemental MediaConnect to read the secret that you stored in AWS Secrets Manager. **[ Step 3](encryption-static-key-set-up.md#encryption-static-key-set-up-create-iam-role)** – Create an IAM role and attach the policy that you created in step 2. Next, set up AWS Elemental MediaConnect as a trusted entity that is allowed to assume this role and make requests on behalf of your account. ## Step 1: Store your encryption password in AWS Secrets Manager To use SRT password encryption to encrypt your AWS Elemental MediaConnect content, you must use AWS Secrets Manager to create a secret that stores the password. You must create the secret, and the resource (source, output or router I/O) that uses the secret in the same AWS account. You can’t share secrets across accounts. **Note** If you distribute video from one AWS Region to another, you must create two secrets (one secret in each Region). If you are creating a new SRT password to encrypt a flow or a router output, we recommend the following password policy: + Minimum password length of 10 characters and a maximum length of 80 characters + Minimum of three of the following mix of character types: uppercase, lowercase, numbers, and **\$1 @ \$1 \$1 % ^ & \$1 ( ) \$1 \$1 - = [ ] \$1 \$1 \$1 '** symbols + Not be identical to your AWS account name or email address **To store a password in Secrets Manager** 1. Sign in to the AWS Secrets Manager console at [https://console.aws.amazon.com/secretsmanager/](https://console.aws.amazon.com/secretsmanager/). 1. On the **Store a new secret** page, for **Select secret type**, choose **Other type of secrets**. 1. For **Key/value pairs**, choose **Plaintext**. 1. Clear any text in the box and replace it with only the **value** of the SRT password. 1. For **Encryption key**, keep the default set to **aws/secretsmanager**. 1. Choose **Next**. 1. For **Secret name**, specify a name for your secret that will help you identify it later. For example, **2018-12-01\$1baseball-game-source**. 1. Choose **Next**. 1. For the **Configure automatic rotation** section, leave **Automatic rotation** off. 1. Choose **Next**, and then choose **Store**. On the next screen, select the name of the secret you created. The details page for your new secret appears, showing information such as the secret ARN. 1. Make a note of the secret ARN from Secrets Manager. You will need this information in the next procedure. ## Step 2: Create an IAM policy to allow AWS Elemental MediaConnect to access your secret Step 2. Create a policy to allow MediaConnect to access your secret In [step 1](encryption-static-key-set-up.md#encryption-static-key-set-up-store-key), you created a secret and stored it in AWS Secrets Manager. In this step, you create an IAM policy that allows AWS Elemental MediaConnect to read the secret that you stored. **To create an IAM policy that allows MediaConnect to access your secret** 1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 1. In the navigation pane of the IAM console, choose **Policies**. 1. Choose **Create policy**, and then choose the **JSON** tab. 1. Enter a policy that uses the following format: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:GetResourcePolicy", "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret", "secretsmanager:ListSecretVersionIds" ], "Resource": [ "arn:aws:secretsmanager:us-west-2:111122223333:secret:aes256-7g8H9i" ] } ] } ``` ------ In the `Resource` section, each line represents the ARN of a different secret that you created. Enter the secret ARN from the previous procedure. Choose **Next: Tags**. 1. Choose **Next: Review**. 1. For **Name**, enter a name for your policy such as **SecretsManagerForMediaConnect**. 1. Choose **Create policy**. ## Step 3: Create an IAM role with a trusted relationship Step 3. Create a role with a trusted relationship In [step 2](encryption-static-key-set-up.md#encryption-static-key-set-up-create-iam-policy), you created an IAM policy that allows read access to the secret that you stored in AWS Secrets Manager. In this step, you create an IAM role and assign the policy to that role. Then you define AWS Elemental MediaConnect as a trusted entity that can assume the role. This allows MediaConnect to have read access to your secret. **To create a role with a trusted relationship** 1. In the navigation pane of the IAM console, choose **Roles**. 1. On the **Role** page, choose **Create role**. 1. On the **Create role** page, for **Select type of trusted entity**, choose **AWS service** (the default). 1. For **Choose the service that will use this role**, choose **EC2**. You choose EC2 because AWS Elemental MediaConnect is not currently included in this list. Choosing EC2 lets you create a role. In a later step, you change this role to include MediaConnect instead of EC2. 1. Choose **Next: Permissions**. 1. For **Attach permissions policies**, enter the name of the policy that you created in [step 2](encryption-static-key-set-up.md#encryption-static-key-set-up-create-iam-policy), such as **SecretsManagerForMediaConnect**. 1. For **SecretsManagerForMediaConnect**, select the check box, and then choose **Next**. 1. For **Role name**, enter a name. We highly recommend that you don't use the name `MediaConnectAccessRole` because it is reserved. Instead, use a name that includes `MediaConnect` and describes this role's purpose, such as **MediaConnect-ASM**. 1. For **Role description**, replace the default text with a description that will help you remember the purpose of this role. For example, **Allows MediaConnect to view secrets stored in AWS Secrets Manager.** 1. Choose **Create role**. 1. In the confirmation message that appears across the top of your page, choose the name of the role that you just created. 1. Choose **Trust relationships**, and then choose **Edit trust policy**. 1. For **Edit trust policy**, change `ec2.amazonaws.com` to `mediaconnect.amazonaws.com`. The policy document should now look like this: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "mediaconnect.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } ``` ------ 1. Choose **Update policy**. 1. On the **Summary** page, make a note of the value for **Role ARN**. It looks like this: `arn:aws:iam::111122223333:role/MediaConnectASM`. # Internetwork traffic privacy Internetwork traffic privacy To set up a private connection between your Amazon VPC and your corporate network, you can choose to set up either an IPsec VPN connection over the internet or a private physical connection using Direct Connect connection. Direct Connect enables you to establish a private virtual interface from your on-premises network directly to your Amazon VPC, providing you with a private, high-bandwidth network connection between your network and your VPC. With multiple virtual interfaces, you can establish private connectivity to multiple VPCs while maintaining network isolation. For more information, see [What is AWS Site-to-Site VPN?](https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html) and [What is Direct Connect?](https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html) **To route traffic directly between MediaConnect and your corporate network via a virtual private cloud (VPC)** 1. Set up a private connection between your Amazon VPC and your corporate network. You can choose between an IPsec VPN connection over the internet or a private physical connection using Direct Connect connection. 1. [Create a flow that uses a VPC *source*](flows-create-vpc-source.md). During this process, you add a VPC *interface* to your flow to establish the initial connection between your VPC and your flow. You also specify that same VPC interface as the source for the new flow. **Note** If your flow already exists, you can update the flow to [add a VPC interface](vpc-interface-add.md) and then [add another source that uses that VPC interface](source-adding-vpc.md). # Identity and access management for AWS Elemental MediaConnect Identity and access managementUpdated the IAM guidance for MediaConnect Updated guide to align with the IAM best practices. For more information, see [Security best practices in IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html). AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use MediaConnect resources. IAM is an AWS service that you can use with no additional charge. ## Audience How you use AWS Identity and Access Management (IAM) differs based on your role: + **Service user** - request permissions from your administrator if you cannot access features (see [Troubleshooting AWS Elemental MediaConnect identity and access](security_iam_troubleshoot.md)) + **Service administrator** - determine user access and submit permission requests (see [How AWS Elemental MediaConnect works with IAM](security_iam_service-with-iam.md)) + **IAM administrator** - write policies to manage access (see [AWS Elemental MediaConnect identity-based policy examples](security_iam_id-based-policy-examples.md)) ## Authenticating with identities Authentication is how you sign in to AWS using your identity credentials. You must be authenticated as the AWS account root user, an IAM user, or by assuming an IAM role. You can sign in as a federated identity using credentials from an identity source like AWS IAM Identity Center (IAM Identity Center), single sign-on authentication, or Google/Facebook credentials. For more information about signing in, see [How to sign in to your AWS account](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*. For programmatic access, AWS provides an SDK and CLI to cryptographically sign requests. For more information, see [AWS Signature Version 4 for API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html) in the *IAM User Guide*. ### AWS account root user When you create an AWS account, you begin with one sign-in identity called the AWS account *root user* that has complete access to all AWS services and resources. We strongly recommend that you don't use the root user for everyday tasks. For tasks that require root user credentials, see [Tasks that require root user credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks) in the *IAM User Guide*. ### IAM users and groups An *[IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html)* is an identity with specific permissions for a single person or application. We recommend using temporary credentials instead of IAM users with long-term credentials. For more information, see [Require human users to use federation with an identity provider to access AWS using temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) in the *IAM User Guide*. An [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html) specifies a collection of IAM users and makes permissions easier to manage for large sets of users. For more information, see [Use cases for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/gs-identities-iam-users.html) in the *IAM User Guide*. ### IAM roles An *[IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)* is an identity with specific permissions that provides temporary credentials. You can assume a role by [switching from a user to an IAM role (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html) or by calling an AWS CLI or AWS API operation. For more information, see [Methods to assume a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage-assume.html) in the *IAM User Guide*. IAM roles are useful for federated user access, temporary IAM user permissions, cross-account access, cross-service access, and applications running on Amazon EC2. For more information, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*. ## Managing access using policies You control access in AWS by creating policies and attaching them to AWS identities or resources. A policy defines permissions when associated with an identity or resource. AWS evaluates these policies when a principal makes a request. Most policies are stored in AWS as JSON documents. For more information about JSON policy documents, see [Overview of JSON policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json) in the *IAM User Guide*. Using policies, administrators specify who has access to what by defining which **principal** can perform **actions** on what **resources**, and under what **conditions**. By default, users and roles have no permissions. An IAM administrator creates IAM policies and adds them to roles, which users can then assume. IAM policies define permissions regardless of the method used to perform the operation. ### Identity-based policies Identity-based policies are JSON permissions policy documents that you attach to an identity (user, group, or role). These policies control what actions identities can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*. Identity-based policies can be *inline policies* (embedded directly into a single identity) or *managed policies* (standalone policies attached to multiple identities). To learn how to choose between managed and inline policies, see [Choose between managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-choosing-managed-or-inline.html) in the *IAM User Guide*. ### Other policy types AWS supports additional policy types that can set the maximum permissions granted by more common policy types: + **Permissions boundaries** – Set the maximum permissions that an identity-based policy can grant to an IAM entity. For more information, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*. + **Service control policies (SCPs)** – Specify the maximum permissions for an organization or organizational unit in AWS Organizations. For more information, see [Service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *AWS Organizations User Guide*. + **Resource control policies (RCPs)** – Set the maximum available permissions for resources in your accounts. For more information, see [Resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) in the *AWS Organizations User Guide*. + **Session policies** – Advanced policies passed as a parameter when creating a temporary session for a role or federated user. For more information, see [Session policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) in the *IAM User Guide*. ### Multiple policy types When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how AWS determines whether to allow a request when multiple policy types are involved, see [Policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html) in the *IAM User Guide*. ## Learn more For more information about identity and access management for MediaConnect, continue to the following pages: + [How MediaConnect works with IAM](security_iam_service-with-iam.md) + [Identity-based policy examples](security_iam_id-based-policy-examples.md) + [Resource-based policy examples](security_iam_resource-based-policy-examples.md) + [Policy examples for secrets in AWS Secrets Manager](iam-policy-examples-asm-secrets.md) + [Troubleshooting](security_iam_troubleshoot.md) # How AWS Elemental MediaConnect works with IAM How MediaConnect works with IAM Before you use IAM to manage access to MediaConnect, you should understand what IAM features are available to use with MediaConnect. To get a high-level view of how MediaConnect and other AWS services work with IAM, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*. **Topics** + [ ## MediaConnect identity-based policies ](#security_iam_service-with-iam-id-based-policies) + [ ## MediaConnect resource-based policies ](#security_iam_service-with-iam-resource-based-policies) + [ ## Authorization based on MediaConnect tags ](#security_iam_service-with-iam-tags) + [ ## MediaConnect IAM roles ](#security_iam_service-with-iam-roles) ## MediaConnect identity-based policies With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. MediaConnect supports specific actions, resources, and condition keys. To learn about all of the elements that you use in a JSON policy, see [IAM JSON Policy Elements Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide*. ### Actions Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**. The `Action` element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Include actions in a policy to grant permissions to perform the associated operation. Policy actions in MediaConnect use the following prefix before the action: `mediaconnect:`. For example, to grant someone permission to view a list of entitlements with the MediaConnect `ListEntitlements` API operation, you include the `mediaconnect:ListEntitlements` action in their policy. Policy statements must include either an `Action` or `NotAction` element. MediaConnect defines its own set of actions that describe tasks that you can perform with this service. To specify multiple actions in a single statement, separate them with commas as follows: ``` "Action": [ "mediaconnect:action1", "mediaconnect:action2" ``` You can specify multiple actions using wildcards (\$1). For example, to specify all actions that begin with the word `List`, include the following action: ``` "Action": "mediaconnect:List*" ``` To see a list of MediaConnect actions, see [Actions Defined by AWS Elemental MediaConnect](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awselementalmediaconnect.html#awselementalmediaconnect-actions-as-permissions) in the *IAM User Guide*. ### Resources Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**. The `Resource` JSON policy element specifies the object or objects to which the action applies. As a best practice, specify a resource using its [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html). For actions that don't support resource-level permissions, use a wildcard (\$1) to indicate that the statement applies to all resources. ``` "Resource": "*" ``` MediaConnect has the following ARNs: ``` arn:${Partition}:mediaconnect:${Region}:${Account}:entitlement:${resourceID}:${resourceName} arn:${Partition}:mediaconnect:${Region}:${Account}:flow:${resourceID}:${resourceName} arn:${Partition}:mediaconnect:${Region}:${Account}:output:${resourceID}:${resourceName} arn:${Partition}:mediaconnect:${Region}:${Account}:source:${resourceID}:${resourceName} ``` For more information about the format of ARNs, see [Amazon Resource Names (ARNs) and AWS Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html). For example, to specify the `1-23aBC45dEF67hiJ8-12AbC34DE5fG` flow in your statement, use the following ARN: ``` "Resource": "arn:aws:mediaconnect:us-east-1:111122223333:flow:1-23aBC45dEF67hiJ8-12AbC34DE5fG:BasketballGame" ``` To specify all flows that belong to a specific account, use the wildcard (\$1): ``` "Resource": "arn:aws:mediaconnect:us-east-1:111122223333:flow:*" ``` Some MediaConnect actions, such as those for creating resources, can't be performed on a specific resource. In those cases, you must use the wildcard (\$1). ``` "Resource": "*" ``` Many MediaConnect API actions involve multiple resources. For example, `RemoveFlowOutput` removes an output from a particular flow, so an IAM user must have permissions for the flow and the output. To specify multiple resources in a single statement, separate the ARNs with commas. ``` "Resource": [ "resource1", "resource2" ``` To see a list of MediaConnect resource types and their ARNs, see [Resources Defined by AWS Elemental MediaConnect](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awskeymanagementservice.html#list_awselementalmediaconnect.html#awselementalmediaconnect-resources-for-iam-policies) in the *IAM User Guide*. To learn with which actions you can specify the ARN of each resource, see [Actions Defined by AWS Elemental MediaConnect](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awselementalmediaconnect.html#awselementalmediaconnect-actions-as-permissions). ### Condition keys Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**. The `Condition` element specifies when statements execute based on defined criteria. You can create conditional expressions that use [condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html), such as equals or less than, to match the condition in the policy with values in the request. To see all AWS global condition keys, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*. ### Examples To view examples of MediaConnect identity-based policies, see [AWS Elemental MediaConnect identity-based policy examples](security_iam_id-based-policy-examples.md). ## MediaConnect resource-based policies AWS Elemental MediaConnect does not support resource-based policies. ## Authorization based on MediaConnect tags AWS Elemental MediaConnect does not support tagging resources or controlling access based on tags. ## MediaConnect IAM roles An [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) is an entity within your AWS account that has specific permissions. ### Using temporary credentials with MediaConnect You can use temporary credentials to sign in with federation, assume an IAM role, or to assume a cross-account role. You obtain temporary security credentials by calling AWS STS API operations such as [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) or [GetFederationToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html). MediaConnect supports using temporary credentials. ### Service-linked roles [Service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role) allow AWS services to access resources in other services to complete an action on your behalf. Service-linked roles appear in your IAM account and are owned by the service. An IAM administrator can view but not edit the permissions for service-linked roles. MediaConnect does not support service-linked roles. ### Service roles This feature allows a service to assume a [service role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-role) on your behalf. This role allows the service to access resources in other services to complete an action on your behalf. Service roles appear in your IAM account and are owned by the account. This means that an IAM administrator can change the permissions for this role. However, doing so might break the functionality of the service. MediaConnect does not support service roles. # AWS Elemental MediaConnect identity-based policy examples Identity-based policy examples By default, IAM users and roles don't have permission to create or modify MediaConnect resources. They also can't perform tasks using the AWS Management Console, AWS CLI, or AWS API. An IAM administrator must create IAM policies that grant users and roles permission to perform specific API operations on the specified resources they need. The administrator must then attach those policies to the IAM users or groups that require those permissions. To learn how to create an IAM identity-based policy using these example JSON policy documents, see [Creating Policies on the JSON Tab](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-json-editor) in the *IAM User Guide*. ## Policy best practices Identity-based policies determine whether someone can create, access, or delete MediaConnect resources in your account. These actions can incur costs for your AWS account. When you create or edit identity-based policies, follow these guidelines and recommendations: + **Get started with AWS managed policies and move toward least-privilege permissions** – To get started granting permissions to your users and workloads, use the *AWS managed policies* that grant permissions for many common use cases. They are available in your AWS account. We recommend that you reduce permissions further by defining AWS customer managed policies that are specific to your use cases. For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) or [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*. + **Apply least-privilege permissions** – When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as *least-privilege permissions*. For more information about using IAM to apply permissions, see [ Policies and permissions in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*. + **Use conditions in IAM policies to further restrict access** – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific AWS service, such as CloudFormation. For more information, see [ IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*. + **Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions** – IAM Access Analyzer validates new and existing policies so that the policies adhere to the IAM policy language (JSON) and IAM best practices. IAM Access Analyzer provides more than 100 policy checks and actionable recommendations to help you author secure and functional policies. For more information, see [Validate policies with IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html) in the *IAM User Guide*. + **Require multi-factor authentication (MFA)** – If you have a scenario that requires IAM users or a root user in your AWS account, turn on MFA for additional security. To require MFA when API operations are called, add MFA conditions to your policies. For more information, see [ Secure API access with MFA](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html) in the *IAM User Guide*. For more information about best practices in IAM, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*. ## Using the MediaConnect console Using the console To access the AWS Elemental MediaConnect console, you must have a minimum set of permissions. These permissions must allow you to list and view details about the MediaConnect resources in your AWS account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for entities (IAM users or roles) with that policy. To ensure that those entities can still use the MediaConnect console, also attach the following AWS managed policy to the entities. For more information, see [Adding Permissions to a User](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Action": [ "mediaconnect:*" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "ec2:DescribeAvailabilityZones", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeNetworkInterfaces", "ec2:DescribeVpcs", "ec2:CreateNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterface", "ec2:DeleteNetworkInterfacePermission" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "cloudwatch:GetMetricData" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "iam:PassRole" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringLike": { "iam:PassedToService": "mediaconnect.amazonaws.com" } } } ] } ``` ------ You don't need to allow minimum console permissions for users that are making calls only to the AWS CLI or the AWS API. Instead, allow access to only the actions that match the API operation that you're trying to perform. ## Allow users to view their own permissions This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the AWS CLI or AWS API. ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "ViewOwnUserInfo", "Effect": "Allow", "Action": [ "iam:GetUserPolicy", "iam:ListGroupsForUser", "iam:ListAttachedUserPolicies", "iam:ListUserPolicies", "iam:GetUser" ], "Resource": ["arn:aws:iam::*:user/${aws:username}"] }, { "Sid": "NavigateInConsole", "Effect": "Allow", "Action": [ "iam:GetGroupPolicy", "iam:GetPolicyVersion", "iam:GetPolicy", "iam:ListAttachedGroupPolicies", "iam:ListGroupPolicies", "iam:ListPolicyVersions", "iam:ListPolicies", "iam:ListUsers" ], "Resource": "*" } ] } ``` # AWS Elemental MediaConnect resource-based policy examples Resource-based policy examples To access the AWS Elemental MediaConnect console, you must have a minimum set of permissions that allows you to list and view details about the MediaConnect resources in your AWS account. The IAM policies in this section show examples of policies that allow specific actions on resources in AWS Elemental MediaConnect. ## Allow read access to all resources in AWS Elemental MediaConnect To access the AWS Elemental MediaConnect console, you must have a policy that defines which actions you are allowed to take on MediaConnect resources in your AWS account. The IAM policy below provides the following permissions: + The section for the `mediaconnect:List*` and `mediaconnect:Describe*` actions allow read-only access to all resources that you create in AWS Elemental MediaConnect. + The section for the `ec2:DescribeAvailabilityZones` action allows the service to obtain information about which Availability Zone the flow is in. This portion of the policy is required. + The section for the `cloudwatch:GetMetricData` action allows the service to obtain metrics from Amazon CloudWatch. This portion of the policy is required. + The section for the `iam:PassRole` action allows IAM to *pass* a role to AWS Elemental MediaConnect the service to communicate with IAM in order to assume a role on behalf of the service. This allows the service to assume the role later and perform actions on your behalf. This portion of the policy is required. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Action": [ "mediaconnect:List*", "mediaconnect:Describe*" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "ec2:DescribeAvailabilityZones" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "cloudwatch:GetMetricData" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "iam:PassRole" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringLike": { "iam:PassedToService": "mediaconnect.amazonaws.com" } } } ] } ``` ------ ## Allow all actions on all AWS Elemental MediaConnect resources Every user of AWS Elemental MediaConnect must have a policy that defines permissions on AWS Elemental MediaConnect resources. The IAM policy below provides the following permissions: + The section for the `mediaconnect:*` action allows all actions on all resources that you create in AWS Elemental MediaConnect. + The section for the `ec2:DescribeAvailabilityZones` action allows the service to obtain information about which Availability Zone the flow is in. This portion of the policy is required. + The section for the `cloudwatch:GetMetricData` action allows the service to obtain metrics from Amazon CloudWatch. This portion of the policy is required. + The section for the `iam:PassRole` action allows IAM to *pass* a role to AWS Elemental MediaConnect the service to communicate with IAM in order to assume a role on behalf of the service. This allows the service to assume the role later and perform actions on your behalf. This portion of the policy is required. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Action": [ "mediaconnect:*" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "ec2:DescribeAvailabilityZones" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "cloudwatch:GetMetricData" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "iam:PassRole" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringLike": { "iam:PassedToService": "mediaconnect.amazonaws.com" } } } ] } ``` ------ ## Allow AWS Elemental MediaConnect to create and manage network interfaces in your VPC Policy example for connecting to your VPC This example IAM policy allows AWS Elemental MediaConnect to create and manage network interfaces in your VPC so that content can flow from your VPC to MediaConnect. If you want to connect your VPC to your flow, you must set up this policy. + The section for the `ec2:` actions allows MediaConnect to create, read, update, and delete network interfaces in your VPC. This portion of the policy is required. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Action": [ "ec2:DescribeNetworkInterfaces", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:CreateNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterface", "ec2:DeleteNetworkInterfacePermission" ], "Effect": "Allow", "Resource": "*" } ] } ``` ------ # Policy examples for accessing MediaConnect encryption keys in Secrets Manager Policy examples for secrets in AWS Secrets Manager You can create IAM policies that allow AWS Elemental MediaConnect to read encryption keys that are stored as secrets in AWS Secrets Manager. When setting up static key encryption using MediaConnect, [you create an IAM policy](encryption-static-key-set-up.md#encryption-static-key-set-up-create-iam-policy) that you assign to MediaConnect. This policy allows MediaConnect to read the secrets that you have stored in Secrets Manager. The settings for this policy are entirely up to you. The policy can range from most restrictive (allowing access to only specific secrets) to least restrictive (allowing access to any secret that you create using your AWS account). We recommend using the most restrictive policy as a best practice. However, the following examples show you how to set up policies with different levels of restriction. Because MediaConnect only needs read access to secrets, all of the examples show only the actions that are necessary to read the values that you store. **Note** While the following example IAM policies for Secrets Manager are broadly applicable to various AWS services, this page specifically demonstrates their use in the context of MediaConnect. For more information about Secrets Manager, refer to the [AWS Secrets Manager documentation](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html). **Topics** + [ ## Allow read access to specific secrets in Secrets Manager ](#iam-policy-examples-asm-specific-secrets) + [ ## Allow read access to all secrets created in a specific AWS Region in Secrets Manager ](#iam-policy-examples-asm-secrets-in-a-region) + [ ## Allow read access to all resources in Secrets Manager ](#iam-policy-examples-asm-secrets-all) ## Allow read access to specific secrets in Secrets Manager Allow read access to specific secrets The following example IAM policy allows read access to specific resources (secrets) that you create in Secrets Manager. Replace the *placeholder text* in the ARNs with your own information. The ARNs should represent the secrets that store the encryption keys you want to use with MediaConnect. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:GetResourcePolicy", "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret", "secretsmanager:ListSecretVersionIds" ], "Resource": [ "arn:aws:secretsmanager:us-west-2:111122223333:secret:aes128-1a2b3c", "arn:aws:secretsmanager:us-west-2:111122223333:secret:aes192-4D5e6F", "arn:aws:secretsmanager:us-west-2:111122223333:secret:aes256-7g8H9i" ] }, { "Effect": "Allow", "Action": "secretsmanager:ListSecrets", "Resource": "*" } ] } ``` ------ ## Allow read access to all secrets created in a specific AWS Region in Secrets Manager Allow read access to all secrets created in a specific Region The following IAM policy allows read access to all secrets that you create in a specific AWS Region in Secrets Manager, including any encryption keys used for MediaConnect. This policy applies to resources that you have created already and all resources that you create in the future in the specified Region. This might be useful when managing multiple encrypted MediaConnect flows within the same Region. Replace the *placeholder text* in the ARNs with your own information. The Region and account ID should represent where your secrets are stored. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:GetResourcePolicy", "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret", "secretsmanager:ListSecretVersionIds" ], "Resource": "arn:aws:secretsmanager:us-west-2:111122223333:secret:*" }, { "Effect": "Allow", "Action": "secretsmanager:ListSecrets", "Resource": "*" } ] } ``` ------ ## Allow read access to all resources in Secrets Manager Allow read access to all resources The following IAM policy allows read access to all resources that you create in Secrets Manager, including any encryption keys used for MediaConnect. This policy applies to resources that you have created already and all resources that you create in the future. This broader access might be needed when managing encrypted MediaConnect flows across multiple regions. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:GetResourcePolicy", "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret", "secretsmanager:ListSecretVersionIds", "secretsmanager:ListSecrets" ], "Resource": [ "*" ] } ] } ``` ------ For more information on setting up encryption for your MediaConnect flows, see [Data protection](https://docs.aws.amazon.com/mediaconnect/latest/ug/data-protection.html) in this guide. For general information about using Secrets Manager, refer to the [AWS Secrets Manager User Guide](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html). # AWS managed policies for AWS Elemental MediaConnect AWS managed policiesAWS managed policy - New policy The MediaConnectGatewayInstanceRolePolicy has been created.AWS managed policy - New policy The AWSMediaConnectServicePolicy has been created.AWS managed policy - New policy The AWSElementalMediaConnectReadOnlyAccess policy has been created.AWS managed policy - New policy The AWSElementalMediaConnectFullAccess policy has been created.Updated AWS managed policy AWS Elemental MediaConnect has updated the [AWSMediaConnectServicePolicy](https://docs.aws.amazon.com/mediaconnect/latest/ug/security-iam-awsmanpol.html#security-iam-awsmanpol-AWSMediaConnectServicePolicy). An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles. Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [ customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases. You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services. For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*. ## AWS managed policy: AWSElementalMediaConnectReadOnlyAccess AWSElementalMediaConnectReadOnlyAccess You can attach `AWSElementalMediaConnectReadOnlyAccess` to your users, groups, and roles. This policy grants read-only permissions that allow users to view all resources in MediaConnect. **Permissions details** This policy includes the following permissions. + `mediaconnect:DescribeBridge` – Allows principals to view detailed information about a specific bridge in MediaConnect. This is required so that you can inspect the bridge configuration and status. + `mediaconnect:DescribeFlow` – Allows principals to view detailed information about a specific flow in MediaConnect. This is required so that you can inspect the flow configuration and status. + `mediaconnect:DescribeFlowSourceMetadata` – Allows principals to view metadata about a flow's source in MediaConnect. This is required so that you can see technical details about the input stream. + `mediaconnect:DescribeFlowSourceThumbnail` – Allows principals to view the details of the thumbnail image for a flow's source in MediaConnect. This is required so that you can see visual previews of your video streams. + `mediaconnect:DescribeGateway` – Allows principals to view detailed information about a specific gateway in MediaConnect. This is required so that you can inspect the gateway configuration and status. + `mediaconnect:DescribeGatewayInstance` – Allows principals to view detailed information about a specific gateway instance in MediaConnect. This is required so that you can inspect the gateway instance configuration and status. + `mediaconnect:DescribeOffering` – Allows principals to view detailed information about a specific service offering in MediaConnect. This is required so that you can see bandwidth commitment options and their associated discount rates. + `mediaconnect:DescribeReservation` – Allows principals to view detailed information about a specific reservation in MediaConnect. This is required so that you can see the details of your bandwidth commitment and its associated discount. + `mediaconnect:ListBridges` – Allows principals to view a list of bridges in MediaConnect. This is required so that you can see all the available bridge resources in your account. + `mediaconnect:ListEntitlements` – Allows principals to view a list of entitlements in MediaConnect. This is required so that you can see all permissions granted to other AWS accounts to access your transport stream flows. + `mediaconnect:ListFlows` – Allows principals to view a list of flows in MediaConnect. This is required so that you can see all the available flow resources in your account. + `mediaconnect:ListGatewayInstances` – Allows principals to view a list of gateway instances in MediaConnect. This is required so that you can see all the running gateway compute resources in your account. + `mediaconnect:ListGateways` – Allows principals to view a list of gateways in MediaConnect. This is required so that you can see all the available gateway resources in your account. + `mediaconnect:ListOfferings` – Allows principals to view a list of service offerings in MediaConnect. This is required so that you can see the available bandwidth discount options that require a commitment. The offerings that are displayed may vary based on your AWS Region. + `mediaconnect:ListReservations` – Allows principals to view a list of reservations in MediaConnect. This is required so that you can see your active bandwidth commitments and their associated discounts. + `mediaconnect:ListTagsForResource` – Allows principals to view tags associated with MediaConnect resources. This is required so that you can see resource organization and classification metadata. To view the permissions for this policy, see [AWSElementalMediaConnectReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElementalMediaConnectReadOnlyAccess.html) in the *AWS Managed Policy Reference*. ## AWS managed policy: AWSElementalMediaConnectFullAccess AWSElementalMediaConnectFullAccess You can attach `AWSElementalMediaConnectFullAccess` to your users, groups, and roles. This policy grants administrative permissions that allow the user permission to create, read, update, and delete MediaConnect resources. **Permissions details** This policy includes the following permissions. + `mediaconnect:*` – Allows principals to perform all actions in MediaConnect. This is required so that administrators and other users can create, read, update, and delete MediaConnect resources and manage all aspects of video transport workflows. The wildcard (\$1) permission includes all possible MediaConnect actions, such as creating and deleting flows, managing entitlements and outputs, and configuring video transport workflows. To view the permissions for this policy, see [AWSElementalMediaConnectFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElementalMediaConnectFullAccess.html) in the *AWS Managed Policy Reference*. ## AWS managed policy: MediaConnectGatewayInstanceRolePolicy MediaConnectGatewayInstanceRolePolicy You can attach the `MediaConnectGatewayInstanceRolePolicy` policy to your IAM identities. This policy grants permission to register MediaConnect Gateway Instances to a MediaConnect Gateway. This policy will be attached to a role. The entity assuming the role will have the ability to register instances to the gateway. **Permissions details** This policy includes the following permissions. + `mediaconnect:DiscoverGatewayPollEndpoint` – Allows principals to locate the gateway poll endpoints for the specified gateway. + `mediaconnect:PollGateway` – Allows principals to regularly query the gateway in MediaConnect. This is required so that MediaConnect Gateway Instances can check for and receive updates, configurations, and instructions from the gateway service. + `mediaconnect:SubmitGatewayStateChange` – Allows principals to report status updates in MediaConnect. This is required so that MediaConnect Gateway Instances can notify the gateway service about changes in their operational state, health, and configuration status. To view the permissions for this policy, see [MediaConnectGatewayInstanceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/MediaConnectGatewayInstanceRolePolicy.html) in the *AWS Managed Policy Reference*. ## AWS managed policy: AWSMediaConnectServicePolicy AWSMediaConnectServicePolicy You can’t attach AWSMediaConnectServicePolicy to your IAM entities. This policy is attached to a service-linked role that allows MediaConnect to perform actions on your behalf. For more information, visit [Using service-linked roles](using-service-linked-roles.md). This policy is attached to the **AWSServiceRoleForMediaConnect** service-linked role. This policy allows the service-linked role to manage Amazon ECS resources on your behalf. AWS Elemental MediaConnect Gateway uses Amazon ECS as the foundation for the on-premises implementation of AWS Elemental MediaConnect Gateway. As a result, MediaConnect must have the ability to create, update, and delete Amazon ECS resources as needed. The policy also allows the service-linked role to manage Amazon EC2 resources on your behalf. The MediaConnect router requires EC2 networking capabilities for audio and video routing. As a result, MediaConnect must have the ability to create, update, and delete Amazon EC2 resources as needed, as well as view network configuration details. When MediaConnect performs actions on EC2 resources using this service-linked role, we tag them with `aws:ResourceTag/created-for-service: MediaConnect`. This helps you easily distinguish between the EC2 resources that MediaConnect creates, and the ones that you create yourself. **Permissions details** This policy includes the following permissions. + **Amazon ECS permissions** **Note** These permissions are restricted to ECS clusters with names starting with `MediaConnectGateway` through the condition block. + `ecs:CreateCluster` - Allows principals to create new ECS clusters. This is required so that MediaConnect can establish new clusters needed for Gateway operations. + `ecs:CreateService` – Allows principals to establish new ECS services. This is required so that MediaConnect can set up new service components for the Gateway implementation. + `ecs:DeleteAttributes` – Allows principals to remove attributes from ECS resources. This is required so that MediaConnect can clean up metadata when no longer needed. + `ecs:DeleteService` – Allows principals to remove ECS services. This is required so that MediaConnect can clean up services when they're no longer needed. + `ecs:DescribeClusters` – Allows principals to view details about ECS clusters. This is required so that MediaConnect can monitor the state and configuration of Gateway clusters. + `ecs:DescribeContainerInstances` – Allows principals to view details about ECS container instances. This is required so that MediaConnect can monitor the health and status of Gateway components. + `ecs:DeregisterContainerInstance` - Allows principals to remove container instances from an ECS cluster. This is required so that MediaConnect can remove Gateway components from the cluster when no longer needed. + `ecs:DescribeServices` – Allows principals to view details about ECS services. This is required so that MediaConnect can monitor and manage the state of its services. + `ecs:DescribeTasks` – Allows principals to view details about ECS tasks. This is required so that MediaConnect can monitor the status of running tasks. + `ecs:ListAttributes` – Allows principals to retrieve attributes from ECS resources. This is required so that MediaConnect can monitor and manage metadata for Gateway components. + `ecs:ListContainerInstances` - Allows principals to retrieve a list of container instances in a cluster. This is required so that MediaConnect can track all Gateway components running in the cluster. + `ecs:ListTasks` – Allows principals to view all tasks in ECS. This is required so that MediaConnect can monitor and manage running tasks. + `ecs:PutAttributes` – Allows principals to add attributes to ECS resources. This is required so that MediaConnect can configure resources by applying the necessary metadata. + `ecs:RegisterTaskDefinition` - Allows principals to register new task definitions. This is required so that MediaConnect can define specifications for new Gateway components. + `ecs:RunTask` – Allows principals to start new tasks in ECS. This is required so that MediaConnect can launch new Gateway components as needed. + `ecs:StartTask` – Allows principals to initiate specific tasks in ECS. This is required so that MediaConnect can launch specific Gateway components. + `ecs:StopTask` – Allows principals to terminate running tasks in ECS. This is required so that MediaConnect can stop Gateway components when needed. + `ecs:UpdateContainerInstancesState` – Allows principals to modify the state of container instances. This is required so that MediaConnect can manage the lifecycle of container instances. + `ecs:UpdateCluster` - Allows principals to modify existing ECS cluster configurations. This is required so that MediaConnect can adjust cluster settings as needed for optimal Gateway operations. + `ecs:UpdateClusterSettings` - Allows principals to modify cluster-wide settings. This is required so that MediaConnect can update cluster settings to support Gateway requirements. + `ecs:UpdateService` – Allows principals to modify existing ECS services. This is required so that MediaConnect can update service configurations for MediaConnect Gateway components running on ECS. + **Amazon EC2 permissions** + `ec2:CreateNetworkInterfacePermission` – Allows MediaConnect to grant permissions for network interfaces used within the router. + `ec2:DeleteNetworkInterface` – Allows MediaConnect to remove network interfaces when they're no longer needed. + `ec2:DeleteNetworkInterfacePermission` – Allows MediaConnect to revoke permissions for network interfaces used within the router. + `ec2:DescribeNetworkInterfaces` – Allows MediaConnect to view details about network interfaces used within the router. + `ec2:DescribeSecurityGroups` – Allows MediaConnect to view details about security groups used with a router network interface. + `ec2:DescribeSubnets` – Allows MediaConnect to view details about subnets used with a router network interface. To view the permissions for this policy, see [AWSMediaConnectServicePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSMediaConnectServicePolicy.html) in the *AWS Managed Policy Reference*. ## MediaConnect updates to AWS managed policies Policy updates View details about updates to AWS managed policies for MediaConnect since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the MediaConnect [document history](doc-history.md) page. | Change | Description | Date | | --- | --- | --- | | **AWSMediaConnectServicePolicy** – Update to an existing policy | MediaConnect added the following Amazon EC2 permissions to support the router feature: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/mediaconnect/latest/ug/security-iam-awsmanpol.html) These permissions allow MediaConnect to view and manage router network interfaces as needed for cross-Region audio and video routing. | November 19, 2025 | | The MediaConnect managed policy **AWSElementalMediaConnectReadOnlyAccess** has been added. | This policy provides read-only access to MediaConnect resources. | February 12, 2025 | | The MediaConnect managed policy **AWSElementalMediaConnectFullAccess** has been added. | This policy provides full access to MediaConnect resources. | February 12, 2025 | | The MediaConnect managed policy MediaConnectGatewayInstanceRolePolicy has been added. | This policy grants permission to register MediaConnect Gateway Instances to a MediaConnect Gateway. | April 12, 2023 | | The MediaConnect managed policy AWSMediaConnectServicePolicy has been added. | This policy is used by a service-link role and grants permissions to access AWS services and resources used by MediaConnect. | April 12, 2023 | | MediaConnect started tracking changes | MediaConnect started tracking changes for its AWS managed policies. | April 12, 2023 | # Using service-linked roles for MediaConnect Using service-linked rolesAWS service-linked role - New role The AWSServiceRoleForMediaConnect role has been created. AWS Elemental MediaConnect uses AWS Identity and Access Management (IAM)[ service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to MediaConnect. Service-linked roles are predefined by MediaConnect and include all the permissions that the service requires to call other AWS services on your behalf. A service-linked role makes setting up MediaConnect easier because you don’t have to manually add the necessary permissions. MediaConnect defines the permissions of its service-linked roles, and unless defined otherwise, only MediaConnect can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity. You can delete a service-linked role only after first deleting their related resources. This protects your MediaConnect resources because you can't inadvertently remove permission to access the resources. For information about other services that support service-linked roles, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes **in the **Service-linked roles** column. Choose a **Yes** with a link to view the service-linked role documentation for that service. # Service-linked role permissions for MediaConnect MediaConnect uses the service-linked role named **AWSServiceRoleForMediaConnect**. This is the default Service-Linked Role that enables access to AWS services and resources used or managed by MediaConnect. The AWSServiceRoleForMediaConnect service-linked role trusts the following services to assume the role: + `MediaConnect` The role permissions policy named MediaConnectServiceRolePolicy allows MediaConnect to complete the following actions on the specified resources: 1. **Actions on all ECS resources** + Actions: + `ecs:CreateCluster` + `ecs:RegisterTaskDefinition` + Resource: `*` 1. **Actions on the MediaConnect Gateway ECS cluster** + Actions: + `ecs:DeregisterContainerInstance` + `ecs:DescribeClusters` + `ecs:ListAttributes` + `ecs:ListContainerInstances` + `ecs:UpdateCluster` + `ecs:UpdateClusterSettings` + Resource: `arn:aws:ecs:*:*:cluster/MediaConnectGateway` 1. **Actions on ECS services and tasks within the MediaConnect Gateway cluster** + Actions: + `ecs:CreateService` + `ecs:DeleteAttributes` + `ecs:DeleteService` + `ecs:DescribeContainerInstances` + `ecs:DescribeServices` + `ecs:DescribeTasks` + `ecs:ListTasks` + `ecs:PutAttributes` + `ecs:RunTask` + `ecs:StartTask` + `ecs:StopTask` + `ecs:UpdateContainerInstancesState` + `ecs:UpdateService` + Resource: `*` + Condition: `ArnLike: {"ecs:cluster": "arn:aws:ecs:*:*:cluster/MediaConnectGateway"}` 1. **Actions on network interfaces within the MediaConnect router** + Actions: + `ec2:DeleteNetworkInterface` + `ec2:DeleteNetworkInterfacePermission` + `ec2:CreateNetworkInterfacePermission` + Resource: `arn:aws:ec2:*:*:network-interface/*"` + Condition: `aws:ResourceTag/created-for-service": "MediaConnect"` 1. **Actions to describe available network resources** + Actions: + `ec2:DescribeNetworkInterfaces` + `ec2:DescribeSecurityGroups` + `ec2:DescribeSubnets` + Resource: `*` You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*. # Creating a service-linked role for MediaConnect Creating a service-linked role for MediaConnect You don't need to manually create a service-linked role. When you create an associated MediaConnect resource in the AWS Management Console, the AWS CLI, or the AWS API, MediaConnect creates the service-linked role for you. **Important** This service-linked role can appear in your account if you completed an action in another service that uses the features supported by this role. Also, if you were using the MediaConnect service before January 1, 2023, when it began supporting service-linked roles, then MediaConnect created the AWSServiceRoleForMediaConnect role in your account. To learn more, see [A new role appeared in my IAM account](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared). If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you create an associated MediaConnect resource, MediaConnect creates the service-linked role for you again. You can also use the IAM console to create a service-linked role with the **MediaConnect** use case. In the AWS CLI or the AWS API, create a service-linked role with the `MediaConnect` service name. For more information, see [Creating a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the *IAM User Guide*. If you delete this service-linked role, you can use this same process to create the role again. # Editing a service-linked role for MediaConnect Editing a service-linked role MediaConnect does not allow you to edit the AWSServiceRoleForMediaConnect service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*. # Deleting a service-linked role for MediaConnect Deleting a service-linked role for MediaConnect If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up the resources for your service-linked role before you can manually delete it. **Note** If the MediaConnect service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again. **To delete MediaConnect resources used by the AWSServiceRoleForMediaConnect** 1. Delete all Bridges in all Gateways. 1. De-register all Instances in all Gateways. 1. Delete all Gateways. **To manually delete the service-linked role using IAM** Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForMediaConnect service-linked role. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*. ## Supported Regions for MediaConnect service-linked roles MediaConnect supports using service-linked roles in all of the regions where the service is available. For more information, see [MediaConnect Regions and endpoints](https://docs.aws.amazon.com/general/latest/gr/mediaconnect.html#mediaconnect_region). # Setting up AWS Elemental MediaConnect as a trusted service Setting up MediaConnect as a trusted service You can use AWS Identity and Access Management (IAM) to control which AWS resources can be accessed by which users and applications. This includes setting up permissions to allow AWS Elemental MediaConnect to communicate with other services on behalf of your account. To set up AWS Elemental MediaConnect as a trusted entity, you must perform the following steps: **[Step 1.](#security-iam-trusted-entity-create-policy)** – Create an IAM policy that governs which actions you want to allow. **[Step 2](#security-iam-trusted-entity-create-role)** – Create an IAM role with a trusted relationship, and attach the policy that you created in the previous step. ## Step 1: Create an IAM policy to allow specific actions Step 1: Create a policy to allow specific actions In this step, you create an IAM policy that governs which actions you want to allow. **To create the IAM policy** 1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 1. In the navigation pane, choose **Policies**. 1. Choose **Create policy**, and then choose the **JSON** tab. 1. Enter a policy that uses the JSON format. For examples, see the following: + [ Policy example for connecting to your VPC](security_iam_resource-based-policy-examples.md#iam-policy-examples-for-mediaconnect-vpc) + [Policy examples for secrets in AWS Secrets Manager](iam-policy-examples-asm-secrets.md) 1. Choose **Review policy**. 1. For **Name**, enter a name for your policy. 1. Choose **Create policy**. ## Step 2: Create an IAM role with a trusted relationship Step 2. Create a role with a trusted relationship In [step 1](#security-iam-trusted-entity-create-policy), you created an IAM policy that governs which actions you want to allow. In this step, you create an IAM role and assign the policy to that role. Then you define AWS Elemental MediaConnect as a trusted entity that can assume the role. **To create a role with a trusted relationship** 1. In the navigation pane of the IAM console, choose **Roles**. 1. On the **Role** page, choose **Create role**. 1. On the **Create role** page, for **Select type of trusted entity**, choose **AWS service** (the default). 1. For **Choose the service that will use this role**, choose **EC2**. You choose EC2 because MediaConnect is not currently included in this list. Choosing EC2 lets you create a role. In a later step, you change this role to include MediaConnect instead of EC2. 1. Choose **Next: Permissions**. 1. For **Attach permissions policies**, enter the name of the policy that you created in [step 1](#security-iam-trusted-entity-create-policy). 1. Select the check box next to the name of the policy, and then choose **Next: Tags**. 1. (Optional) Add metadata to the user by attaching tags as key-value pairs. For more information about using tags in IAM, see [Tagging IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*. 1. Choose **Next: Review**. 1. For **Role name**, enter a name. The name `MediaConnectAccessRole` is reserved, so you can't use it. Instead, use a name that includes `MediaConnect` and describes this role's purpose. 1. For **Role description**, replace the default text with a description that will help you remember the purpose of this role. 1. Choose **Create role**. 1. In the confirmation message that appears across the top of your page, choose the name of the role that you just created by selecting **View role**. 1. Choose **Trust relationships** tab, and then choose **Edit trust policy**. 1. in the **Edit trust policy** window, make the following changes to the JSON: + For **Service**, change `ec2.amazonaws.com` to `mediaconnect.amazonaws.com` + For added security, define specific conditions for the trust policy. This will limit MediaConnect to only using resources in your account. You do this by using a global condition such as the **Account ID**, the **flow ARN**, or both. See the following example of the conditional trust policy. For more information about the security benefits of the global conditions, see [Cross-service confused deputy prevention](cross-service-confused-deputy-prevention.md). **Note** The following example uses both the **Account ID** and **flow ARN** conditions. Your policy will look different if you do not use both conditions. If you don't know the full ARN of the flow or if you are specifying multiple flows, use the `aws:SourceArn` global context condition key with wildcard characters (`*`) for the unknown portions of the ARN. For example, `arn:aws:mediaconnect:*:111122223333:*`. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "mediaconnect.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "111122223333" }, "ArnLike": { "aws:SourceArn": "arn:aws:mediaconnect:us-west-2:111122223333:flow:*:flow-name" } } } ] } ``` ------ 1. Choose **Update policy**. 1. On the **Summary** page, make a note of the value for **Role ARN**. It looks like this: `arn:aws:iam::111122223333:role/MediaConnectASM`. # Cross-service confused deputy prevention The confused deputy problem is a security issue where an entity that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action. In AWS, cross-service impersonation can result in the confused deputy problem. Cross-service impersonation can occur when one service (the *calling service*) calls another service (the *called service*). The calling service can be manipulated to use its permissions to act on another customer's resources in a way it should not otherwise have permission to access. To prevent this, AWS provides tools that help you protect your data for all services with service principals that have been given access to resources in your account. We recommend using the [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn) of the flow and [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount) global condition context keys in resource policies to limit the permissions that AWS Elemental MediaConnect gives another service to the resource. Use the flow's `aws:SourceArn` if you want only one resource to be associated with the cross-service access. Use `aws:SourceAccount` if you want to allow any resource in that account to be associated with the cross-service use. The most effective way to protect against the confused deputy problem is to use the `aws:SourceArn` global condition context key with the full ARN of the flow. If you don't know the full ARN of the flow or if you are specifying multiple flows, use the `aws:SourceArn` global context condition key with wildcard characters (`*`) for the unknown portions of the ARN. For example, `arn:aws:mediaconnect:*:111122223333:*`. The following example shows how you can use the `aws:SourceArn` and `aws:SourceAccount` global condition context keys in MediaConnect to prevent the confused deputy problem. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "mediaconnect.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "111122223333" }, "ArnLike": { "aws:SourceArn": "arn:aws:mediaconnect:us-west-2:111122223333:flow:1-ABCDEFGHJxyzMNoP-a1234bc12345:flow-name" } } } ] } ``` ------ # Troubleshooting AWS Elemental MediaConnect identity and access Troubleshooting Use the following information to help you diagnose and fix common issues that you might encounter when working with MediaConnect and IAM. **Topics** + [ ## I am not authorized to perform an action in MediaConnect ](#security_iam_troubleshoot-no-permissions) + [ ## I want to allow people outside of my AWS account to access my MediaConnect resources ](#security_iam_troubleshoot-cross-account-access) ## I am not authorized to perform an action in MediaConnect If the AWS Management Console tells you that you're not authorized to perform an action, then you must contact your administrator for assistance. Your administrator is the person that provided you with your user name and password. The following example error occurs when the `mateojackson` user tries to use the console to view details about a flow but does not have `mediaconnect:DescribeFlow` permissions. ``` User: arn:aws:iam::123456789012:user/mateojackson is not authorized to perform: mediaconnect:DescribeFlow on resource: myExampleFlow ``` In this case, Mateo asks his administrator to update his policies to allow him to access the `myExampleFlow` resource using the `mediaconnect:DescribeFlow` action. ## I want to allow people outside of my AWS account to access my MediaConnect resources You can create a role that users in other accounts or people outside of your organization can use to access your resources. You can specify who is trusted to assume the role. For services that support resource-based policies or access control lists (ACLs), you can use those policies to grant people access to your resources. To learn more, consult the following: + To learn whether MediaConnect supports these features, see [How AWS Elemental MediaConnect works with IAM](security_iam_service-with-iam.md). + To learn how to provide access to your resources across AWS accounts that you own, see [Providing access to an IAM user in another AWS account that you own](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html) in the *IAM User Guide*. + To learn how to provide access to your resources to third-party AWS accounts, see [Providing access to AWS accounts owned by third parties](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html) in the *IAM User Guide*. + To learn how to provide access through identity federation, see [Providing access to externally authenticated users (identity federation)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html) in the *IAM User Guide*. + To learn the difference between using roles and resource-based policies for cross-account access, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*. # Logging and monitoring This section provides an overview of the options for logging and monitoring in AWS Elemental MediaConnect for security purposes. For more information about logging and monitoring in MediaConnect see [Monitoring and tagging in AWS Elemental MediaConnect](monitor.md). Monitoring is an important part of maintaining the reliability, availability, and performance of AWS Elemental MediaConnect and your AWS solutions. You should collect monitoring data from all of the parts of your AWS solution so that you can more easily debug a multi-point failure if one occurs. AWS provides several tools for monitoring your MediaConnect resources and responding to potential incidents: ## Amazon CloudWatch alarms Using CloudWatch alarms, you watch a single metric over a time period that you specify. If the metric exceeds a given threshold, a notification is sent to an Amazon SNS topic or AWS Auto Scaling policy. CloudWatch alarms do not invoke actions because they are in a particular state. Rather, the state must have changed and been maintained for a specified number of periods. For more information, see [Monitoring with CloudWatch metrics](monitor-with-cloudwatch.md). ## AWS CloudTrail logs CloudTrail provides a record of actions taken by a user, role, or an AWS service in AWS Elemental MediaConnect. Using the information collected by CloudTrail, you can determine the request that was made to MediaConnect, the IP address from which the request was made, who made the request, when it was made, and additional details. For more information, see [Logging API calls with AWS CloudTrail](logging-using-cloudtrail.md). ## AWS Trusted Advisor Trusted Advisor draws upon best practices learned from serving hundreds of thousands of AWS customers. Trusted Advisor inspects your AWS environment and then makes recommendations when opportunities exist to save money, improve system availability and performance, or help close security gaps. All AWS customers have access to five Trusted Advisor checks. Customers with a Business or Enterprise support plan can view all Trusted Advisor checks. For more information, see [AWS Trusted Advisor](https://docs.aws.amazon.com/awssupport/latest/user/getting-started.html#trusted-advisor). # Compliance validation for AWS Elemental MediaConnect Compliance validation To learn whether an AWS service is within the scope of specific compliance programs, see [AWS services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/) and choose the compliance program that you are interested in. For general information, see [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/). You can download third-party audit reports using AWS Artifact. For more information, see [Downloading Reports in AWS Artifact](https://docs.aws.amazon.com/artifact/latest/ug/downloading-documents.html). Your compliance responsibility when using AWS services is determined by the sensitivity of your data, your company's compliance objectives, and applicable laws and regulations. For more information about your compliance responsibility when using AWS services, see [AWS Security Documentation](https://docs.aws.amazon.com/security/). # Resilience in AWS Elemental MediaConnect Resilience The AWS global infrastructure is built around AWS Regions and Availability Zones. AWS Regions provide multiple physically separated and isolated Availability Zones, which are connected with low-latency, high-throughput, and highly redundant networking. With Availability Zones, you can design and operate applications and databases that automatically fail over between Availability Zones without interruption. Availability Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data center infrastructures. For more information about AWS Regions and Availability Zones, see [AWS Global Infrastructure](https://aws.amazon.com/about-aws/global-infrastructure/). # Infrastructure security in AWS Elemental MediaConnect Infrastructure security As a managed service, AWS Elemental MediaConnect is protected by AWS global network security. For information about AWS security services and how AWS protects infrastructure, see [AWS Cloud Security](https://aws.amazon.com/security/). To design your AWS environment using the best practices for infrastructure security, see [Infrastructure Protection](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/infrastructure-protection.html) in *Security Pillar AWS Well‐Architected Framework*. You use AWS published API calls to access MediaConnect through the network. Clients must support the following: + Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3. + Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes. # MediaConnect interface VPC endpoints (AWS PrivateLink) Interface VPC endpoints (AWS PrivateLink) You can use an interface VPC endpoint to keep all MediaConnect API request traffic between your VPC and MediaConnect in the Amazon network, thus improving the security of your VPC. Interface VPC endpoints don't need an internet gateway, a NAT device, or a virtual private gateway. The VPC endpoints are powered by AWS PrivateLink, a technology that you can use to privately access MediaConnect APIs with private IP addresses. For more information about AWS PrivateLink and VPC endpoints, see [VPC endpoints](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html) in the *Amazon VPC User Guide*. ## Considerations for MediaConnect VPC endpoints Before you set up an interface endpoint for MediaConnect, be sure to review [Interface endpoint properties and limitations](https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-interface.html#vpce-interface-limitations) in the *Amazon VPC User Guide*, and be aware of the following considerations: + VPC endpoints currently don't support cross-Region requests. Ensure that you create your endpoint in the same Region where you plan to interact with MediaConnect. + VPC endpoints only support Amazon-provided DNS through Amazon Route 53. If you want to use your own DNS, you can use conditional DNS forwarding. For more information, see [DHCP Options Sets](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_DHCP_Options.html) in the *Amazon VPC User Guide*. + The security group attached to the VPC endpoint must allow incoming connections on port 443 from the private subnet of the VPC. ## Creating the VPC Endpoints for MediaConnect You can create an interface endpoint for MediaConnect using either the Amazon VPC console or the AWS Command Line Interface (AWS CLI). Follow the procedure outlined in [Creating an interface endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-interface.html#create-interface-endpoint) in the *Amazon VPC User Guide*. ## Controlling Access to VPC Endpoints for MediaConnect You can control access to MediaConnect by attaching an endpoint policy to your VPC endpoint. The policy specifies the following information: + The principal that can perform actions. + The actions that can be performed. + The resources on which actions can be performed. For more information, see [Controlling access to services with VPC endpoints](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html) in the *Amazon VPC User Guide*. **Example: VPC endpoint policy for actions** The following is an example of an endpoint policy for MediaConnect. When attached to an endpoint, this policy grants access to the listed MediaConnect actions for all principals on all resources. ``` { "Statement":[ { "Principal":"*", "Effect":"Allow", "Action":[ "mediaconnect:action-1", "mediaconnect:action-2", "mediaconnect:action-3" ], "Resource":"*" } ] } ```