AWS Elemental MediaLive CreateInput IAM policy not working


I'm trying to set up an AWS IAM policy to create MediaLive inputs.

I'm running this through the simulator

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "medialive:CreateInput",
            "Resource": [
                "arn:aws:medialive:us-west-2:XXXXXXXXXXXX:input:*"
            ]
        }
    ]
}

and I get the "Implicitly denied (no matching statements)" error.

Of course, if I use the following policy, the simulation succeeds, but this is not a good implementation because of the wide range of resources.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "medialive:CreateInput",
            "Resource": "*"
        }
    ]
}

I've also tried to include "arn:aws:medialive:us-west-2:XXXXXXXXXXXX:inputSecurityGroup:*" and "arn:aws:medialive:us-west-2:XXXXXXXXXXXX:channel:*" next to the already existing resource, but I still get the error message.

Any suggestion?

There is 1 answer

3
Hussain Mohammed On

You will need to specify the input-security-group resource ARN for the CreateInput action in order for the simulation to succeed.

Can you please confirm whether you used the following syntax, or similar, when testing it through the AWS IAM Policy Simulator?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "medialive:CreateInput",
            "Resource": [
                "arn:aws:medialive:us-west-2:XXXXXXX:input:*",
                "arn:aws:medialive:*:XXXXXXXX:inputSecurityGroup:*"
            ]
        }
    ]
}

NOTE: The user used for simulating this IAM policy needs to have the appropriate role/rights to create MediaLive resources. The MediaLive User Guide has detailed steps on how to create it.
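
An offline check of the point made in the answer above, added here as an illustration (it is not code from the original post or from AWS): it reports which resource types required by an action are not matched by any Allow statement's Resource patterns. The REQUIRED_TYPES mapping is an assumption taken from the answer; the account id, the sample resource id and all function names are constructed, and only Allow statements are modelled, not the full IAM evaluation logic.

```python
import re

# Assumption taken from the answer above: CreateInput is authorized against
# both an input ARN and an inputSecurityGroup ARN.
REQUIRED_TYPES = {"medialive:CreateInput": ("input", "inputSecurityGroup")}
ACCOUNT = "111122223333"  # constructed placeholder account id


def as_list(value):
    return list(value) if isinstance(value, list) else [value]


def arn_matches(pattern, arn):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, arn) is not None


def uncovered_types(policy, action, region, account=ACCOUNT):
    """Return required resource types that no Allow statement matches.

    Models only Allow statements with literal action names; Deny, NotAction,
    NotResource and Condition are outside this check.
    """
    missing = []
    for rtype in REQUIRED_TYPES[action]:
        # Constructed ARN standing in for a resource of this type.
        sample = f"arn:aws:medialive:{region}:{account}:{rtype}:1234567"
        covered = any(
            stmt.get("Effect") == "Allow"
            and action in as_list(stmt.get("Action", []))
            and any(arn_matches(p, sample) for p in as_list(stmt.get("Resource", [])))
            for stmt in as_list(policy["Statement"])
        )
        if not covered:
            missing.append(rtype)
    return missing


def make_policy(resources):
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "medialive:CreateInput", "Resource": resources}]}


QUESTION = make_policy([f"arn:aws:medialive:us-west-2:{ACCOUNT}:input:*"])
ANSWER = make_policy([f"arn:aws:medialive:us-west-2:{ACCOUNT}:input:*",
                      f"arn:aws:medialive:*:{ACCOUNT}:inputSecurityGroup:*"])

if __name__ == "__main__":
    print(uncovered_types(QUESTION, "medialive:CreateInput", "us-west-2"))
    print(uncovered_types(ANSWER, "medialive:CreateInput", "us-west-2"))
```

A non-empty result names the resource type that would fall through to an implicit deny; running the same check for another region shows how far a region-scoped pattern reaches.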