Introduction to authorization and access control - MediaConvert
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Introduction to authorization and access control

To work with Amazon services and resources, you need both authentication and access control.

Authentication – To sign in to Amazon, you must use credentials: root user credentials (not recommended), IAM user credentials, or temporary credentials using IAM roles. To learn more about these entities, see What is authentication?.

Access control – Amazon administrators use policies to control access to Amazon resources, such as an AWS Elemental MediaConvert job. To learn more, see What is access control? and What are policies?.


All resources in an account are owned by the account, regardless of who created those resources. A user must be granted access to create a resource. However, just because a user creates a resource doesn't mean that the user automatically has full access to that resource. An administrator must explicitly grant permissions for each action that each user wants to perform. That administrator can also revoke these permissions at any time.

Ownership of Media Files and AWS Elemental MediaConvert Jobs

When you use your Amazon account to create an AWS Elemental MediaConvert job and to create Amazon S3 buckets for your input and output files, your Amazon account is the owner of the job and the output files created by the job. This has the following implications:

  • Any user in your account with permissions to access your Amazon S3 objects can access the output files of your job.

  • Only an administrator on your account can grant permissions to access these output files.

  • Only users in your account can receive permissions to access the job object.

If you want to set up your workflow so that the outputs of your job are owned by another account—for example, by the account of one of your customers—then the administrator of the other account must grant you cross-account permissions to write to their Amazon S3 bucket. In this setup, your Amazon account owns the job resource, but not the outputs of the job. For more information, see Access management in the IAM User Guide.

Understanding the Basics of IAM

To help you understand the basics of how IAM works, review the following terms:

  • Resources – Amazon services, such as AWS Elemental MediaConvert, Amazon S3, and IAM, are made up of objects called resources. You can create, manage, and delete these resources from the service. IAM resources include users, groups, roles, and policies:

    • Users – An IAM user represents the person or application that uses its credentials to interact with Amazon. A user consists of a name, a password to sign in to the Amazon Web Services Management Console, and up to two access keys that can be used with the Amazon CLI or Amazon API.

    • Groups – An IAM group is a collection of IAM users. You can use groups to specify permissions for its member users. This makes it easier for you to manage permissions for multiple users.

    • Roles – An IAM role doesn't have any long-term credentials (password or access keys) associated with it. A role can be assumed by anyone who has the right permissions. An IAM user can assume a role to temporarily take on different permissions for a specific task. Federated users can assume a role by using an external identity provider that is mapped to the role. Some Amazon services can assume a service role to access Amazon resources on your behalf.

    • Policies – Policies are JSON policy documents that define the permissions for the object that they are attached to. Amazon supports identity-based policies that you attach to identities (users, groups, or roles). Some Amazon services allow you to attach resource-based policies to resources to control what a principal (person or application) can do with that resource. AWS Elemental MediaConvert does not support resource-based policies.

  • Identities – Identities are IAM resources for which you can define permissions. These include users, groups, and roles.

  • Entities – Entities are IAM resources that you use for authentication. These include users and roles.

  • Principals – In Amazon, a principal is a person or application that uses an entity to sign in and make requests to Amazon. As a principal, you can use the Amazon Web Services Management Console, the Amazon CLI, or the Amazon API to perform an operation (such as deleting a job). This creates a request for that operation. Your request specifies the action, resource, principal, principal account, and any additional information about your request. All of this information provides Amazon with context for your request. Amazon checks all the policies that apply to the context of your request. Amazon authorizes the request only if each part of your request is allowed by the policies.

To view a diagram of the authentication and access control process, see Understanding how IAM works in the IAM User Guide. For details about how Amazon determines whether a request is allowed, see Policy evaluation logic in the IAM User Guide.