What is access control? - MediaConvert
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

What is access control?

After you sign in (are authenticated) to Amazon, your access to Amazon resources and operations is controlled using policies. Access control is also known as authorization.

During authorization, Amazon uses values from the request context to check for policies that apply. It then uses the policies to determine whether to allow or deny the request. Most policies are stored in Amazon as JSON documents and specify the permissions that are allowed or denied for principals. For more information about the structure and contents of JSON policy documents, see What are policies?.

Policies let an administrator specify who has access to Amazon resources, and what actions they can perform on those resources. Every IAM entity (user or role) starts with no permissions. In other words, by default, users can do nothing, not even view their own access keys. To give a user permission to do something, an administrator must attach a permissions policy to a user. Or they can add the user to a group that has the intended permissions. When an administrator then give permissions to a group, all users in that group get those permissions.

You might have valid credentials to authenticate your requests, but unless an administrator grants you permissions you can't create or access AWS Elemental MediaConvert resources. For example, you must have explicit permissions to create an AWS Elemental MediaConvert job.

As an administrator, you can write a policy to control access to the following:

  • Amazon for Principals – Control what the user, account, or service making the request (the principal) is allowed to do.

  • IAM Identities – Control which IAM identities (groups, users, and roles) can be accessed and how.

  • IAM Policies – Control who can create, edit, and delete customer managed policies, and who can attach and detach all managed policies.

  • Amazon Resources – Control who has access to resources using an identity-based policy or a resource-based policy.

  • Amazon Accounts – Control whether a request is allowed only for members of a specific account.

Controlling access for principals

Permissions policies control what you, as a principal, are allowed to do. An administrator must attach an identity-based permissions policy to the identity (user, group, or role) that provides your permissions. Permissions policies allow or deny access to Amazon. Administrators can also set a permissions boundary for an IAM entity (user or role) to define the maximum permissions that the entity can have. Permissions boundaries are an advanced IAM feature. For more information about permissions boundaries, see Permissions boundaries for IAM identities in the IAM User Guide.

For more information and an example of how to control Amazon access for principals, see Controlling access for principals in the IAM User Guide.

Controlling access to identities

Administrators can control what you can do to an IAM identity (user, group, or role) by creating a policy that limits what can be done to an identity, or who can access it. Then attach that policy to the identity that provides your permissions.

For example, an administrator might allow you to reset the password for three specific users. To do this, they attach a policy to your IAM user that allows you to reset the password for only yourself and users with the ARN of the three specified users. This allows you to reset the password of your team members but not other IAM users.

For more information and an example of using a policy to control Amazon access to identities, see Controlling access to identities in the IAM User Guide.

Controlling access to policies

Administrators can control who can create, edit, and delete customer managed policies, and who can attach and detach all managed policies. When you review a policy, you can view the policy summary that includes a summary of the access level for each service within that policy. Amazon categorizes each service action into one of four access levels based on what each action does: List, Read, Write, or Permissions management. You can use these access levels to determine which actions to include in your policies. For more information, see Understanding access level summaries within policy summaries in the IAM User Guide.


You should restrict Permissions Management access-level permissions in your account. Otherwise, your account members can create policies for themselves with more permissions than they should have. Or they can create separate users with full access to Amazon.

For more information and an example of how to control Amazon access to policies, see Controlling access to policies in the IAM User Guide.

Controlling access to resources

Administrators can control access to resources using an identity-based policy or a resource-based policy. In an identity-based policy, you attach the policy to an identity and specify what resources that identity can access. In a resource-based policy, you attach a policy to the resource that you want to control. In the policy, you specify which principals can access that resource.


AWS Elemental MediaConvert doesn't support resource-based policies.

For more information, see Controlling access to resources in the IAM User Guide.

Resource creators do not automatically have permissions

All resources in an account are owned by the account, regardless of who created those resources. only the account owner has permission to perform any action on any resource in the account.

Entities (users or roles) in your account must be granted access to create a resource. But just because they create a resource does not mean they automatically have full access to that resource. You must explicitly grant permissions for each action. Additionally, you can revoke those permissions at any time, as long as you have access to manage user and role permissions.

Controlling access to principals in a different account

Administrators can use Amazon resource-based policies, IAM cross-account roles, or the Amazon Organizations service to allow principals in another account to access resources in your account.

For some Amazon services, you can grant cross-account access to your resources. To do this, you attach a policy directly to the resource that you want to share, instead of using a role as a proxy. If the service supports this policy type, then the resource that you want to share must also support resource-based policies. Unlike a user-based policy, a resource-based policy specifies who (in the form of a list of Amazon account ID numbers) can access that resource. MediaConvert does not support resource-based policies.

Cross-account access with a resource-based policy has some advantages over a role. With a resource that is accessed through a resource-based policy, the principal (person or application) still works in the trusted account and does not have to give up their user permissions in place of the role permissions. In other words, the principal has access to resources in the trusted account and in the trusting account at the same time. This is useful for tasks such as copying information from one account to another. For more information about using cross-account roles, see Providing access to an IAM user in another Amazon account that you own in the IAM User Guide.

Amazon Organizations offers policy-based management for multiple Amazon accounts that you own. With Organizations, you can create groups of accounts, automate account creation, and apply and manage policies for those groups. Organizations enables you to centrally manage policies across multiple accounts, without requiring custom scripts and manual processes. Using Amazon Organizations, you can create service control policies (SCPs) that centrally control Amazon service use across Amazon accounts. For more information, see What is Amazon Organizations? in the Amazon Organizations User Guide.