BLAM AWS Service Permissions

 
BLAM requires certain IAM and ARN permissions in order to interact with AWS Services on your AWS account. Policies should be applied by User group permissions directly on the IAM user account set up specifically for use by BLAM. Some services require Role ARNs in addition to group permissions to order to perform additional actions such send requests to other services on your behalf such S3 or SNS.
 
BLAM automatically calls the correct Amazon Region based on which S3 Region the source media is held on. Service calls are regionally locked meaning both input and output locations must be located in the same Amazon Region. An exemption is made when transferring files between AWS Accounts and similarly, a dedicated BLidget is provided for copying S3 Objects between Amazon Regions within the same AWS Account to reduce the risk of unintentional data egress charges.

S3

IAM Group Permissions

• AmazonS3FullAccess (AWS Managed Policy) – gives BLAM access to all S3 operations to fully orchestrate S3 storage from within BLAM
• Cross-Account Bucket Policy (Custom Policy) – required to allow transferring S3 Objects between AWS Accounts e.g. delivering media to a third party

Media Convert

IAM Group Permissions

• AWSElementalMediaConvertFullAccess (AWS Managed Policy) – gives BLAM permission to submit Media Convert jobs

Role ARN

• MediaConvert Service (AWS Managed Policy) – Role ARN value must be created and set in the MediaConvert BLidgets to allow the MediaConvert service to access objects on the S3 storage

Amazon Translate

IAM Group Permissions

• TranslateFullAccess (AWS Managed Policy) – gives BLAM permission to submit Amazon Translate jobs

Amazon Transcribe

IAM Group Permissions

• AmazonTranscribeFullAccess (AWS Managed Policy) – gives BLAM permission to submit Amazon Transcribe jobs

Rekognition

IAM Group Permissions

• AmazonRekognitionFullAccess (AWS Managed Policy) – gives BLAM permission to submit Rekognition jobs