Delete inoperable stackset in CloudFormation - amazon-web-services

I am super confused at the moment and struggling to work with AWS. I created a Copilot app, created the services and later wanted to delete it. It seems I deleted some stuff manually, and now I am left with an inoperable stackset that I cannot remove. The stack has to be empty, but the stack instance is inoperable, so I can't do anything to it.
I have two roles, execution and admin. This is the execution role:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cloudformation:*",
"s3:*",
"sns:*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "StackSetRequiredPermissions"
},
{
"Action": [
"kms:*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "ManageKMSKeys"
},
{
"Action": [
"ecr:DescribeImageScanFindings",
"ecr:GetLifecyclePolicyPreview",
"ecr:CreateRepository",
"ecr:GetDownloadUrlForLayer",
"ecr:GetAuthorizationToken",
"ecr:ListTagsForResource",
"ecr:ListImages",
"ecr:DeleteLifecyclePolicy",
"ecr:DeleteRepository",
"ecr:SetRepositoryPolicy",
"ecr:BatchGetImage",
"ecr:DescribeImages",
"ecr:DescribeRepositories",
"ecr:BatchCheckLayerAvailability",
"ecr:GetRepositoryPolicy",
"ecr:GetLifecyclePolicy",
"ecr:TagResource"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "ManageECRRepos"
}
]
}
And this is the admin role:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cloudformation:*",
"s3:*",
"sns:*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "StackSetRequiredPermissions"
},
{
"Action": [
"kms:*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "ManageKMSKeys"
},
{
"Action": [
"ecr:DescribeImageScanFindings",
"ecr:GetLifecyclePolicyPreview",
"ecr:CreateRepository",
"ecr:GetDownloadUrlForLayer",
"ecr:GetAuthorizationToken",
"ecr:ListTagsForResource",
"ecr:ListImages",
"ecr:DeleteLifecyclePolicy",
"ecr:DeleteRepository",
"ecr:SetRepositoryPolicy",
"ecr:BatchGetImage",
"ecr:DescribeImages",
"ecr:DescribeRepositories",
"ecr:BatchCheckLayerAvailability",
"ecr:GetRepositoryPolicy",
"ecr:GetLifecyclePolicy",
"ecr:TagResource"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "ManageECRRepos"
}
]
}
They don't look quite right, as I messed around with them to get this to work, but no luck.

Deleting the stackset and retaining the stack was the way to go. Afterwards I could manually delete the stack.

Related

IAM Issue with CodeDeploy

I'm having an issue with a seemingly trivial task: getting CodeDeploy to deploy GitHub code to an Auto Scaling Group in a Blue/Green Deployment.
I have a Pipeline set up, a Deployment Group set up, an Auto Scaling Group, an ELB, and a Launch Configuration, but it fails when it gets to the actual deployment:
And these are my roles in codeDeploy-roles:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "autoscaling:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "cloudwatch:PutMetricAlarm",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeAccountAttributes",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeImages",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstances",
"ec2:DescribeKeyPairs",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribePlacementGroups",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSpotInstanceRequests",
"ec2:DescribeSubnets",
"ec2:DescribeVpcClassicLink"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTargetGroups"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "autoscaling.amazonaws.com"
}
}
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"autoscaling:CompleteLifecycleAction",
"autoscaling:DeleteLifecycleHook",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLifecycleHooks",
"autoscaling:PutLifecycleHook",
"autoscaling:RecordLifecycleActionHeartbeat",
"autoscaling:CreateAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:EnableMetricsCollection",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribePolicies",
"autoscaling:DescribeScheduledActions",
"autoscaling:DescribeNotificationConfigurations",
"autoscaling:DescribeLifecycleHooks",
"autoscaling:SuspendProcesses",
"autoscaling:ResumeProcesses",
"autoscaling:AttachLoadBalancers",
"autoscaling:AttachLoadBalancerTargetGroups",
"autoscaling:PutScalingPolicy",
"autoscaling:PutScheduledUpdateGroupAction",
"autoscaling:PutNotificationConfiguration",
"autoscaling:PutLifecycleHook",
"autoscaling:DescribeScalingActivities",
"autoscaling:DeleteAutoScalingGroup",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:TerminateInstances",
"tag:GetResources",
"sns:Publish",
"cloudwatch:DescribeAlarms",
"cloudwatch:PutMetricAlarm",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:DeregisterTargets"
],
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:PassRole",
"ec2:CreateTags",
"ec2:RunInstances"
],
"Resource": "*"
}
]
}
Is there a policy that I'm not considering that needs to be attached to this role?
As I understood it, I would rather follow these steps.
You need to create a CodeDeployServiceRole; you just used the built-in policy.
Create a CodeDeploy application and deployment group and assign your CodeDeployServiceRole there.
In the launch configuration you don't have to worry about CodeDeploy; just configure your instance profile with the required policies for instance operations.

Getting 'The policy failed legacy parsing' when creating an AWS/IAM policy

I'm trying to create a policy, whose JSON is:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:ListPolicies",
"kms:UntagResource",
"kms:ListKeyPolicies",
"kms:ListRetirableGrants",
"kms:GetKeyPolicy",
"iam:ListRoles",
"kms:ListResourceTags",
"iam:ListInstanceProfiles",
"kms:ListGrants",
"kms:GetParametersForImport",
"kms:DescribeCustomKeyStores",
"kms:ListKeys",
"kms:TagResource",
"s3:ListAllMyBuckets",
"kms:GetKeyRotationStatus",
"kms:ListAliases",
"kms:DescribeKey",
"s3:HeadBucket"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::644748426467:"
}
]
}
But when I click on Review Policy, I get "The policy failed legacy parsing" (see screenshot below).
Any idea what my wrong syntax is?
Edit 1:
The following gives the same "The policy failed legacy parsing" error:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:ListPolicies",
"kms:ListKeyPolicies",
"kms:UntagResource",
"kms:ListRetirableGrants",
"kms:GetKeyPolicy",
"iam:ListRoles",
"kms:ListResourceTags",
"iam:ListInstanceProfiles",
"kms:ListGrants",
"kms:GetParametersForImport",
"kms:DescribeCustomKeyStores",
"kms:ListKeys",
"kms:TagResource",
"kms:GetKeyRotationStatus",
"kms:ListAliases",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": [
"arn:aws:s3:::*"
]
}
]
}
I figured out the correct format for the policy.
When entering resources from the IAM/edit-policy GUI, the resulting JSON is updated with a wrong format.
The correct format for S3 permissions should be arn:aws:s3:::xxxxxx and not arn:aws:::xxxxxx:.
Note that when one manually enters the correctly formatted S3 resource in the JSON, the GUI displays a warning.
This is my working JSON:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"kms:GetParametersForImport",
"kms:TagResource",
"kms:UntagResource",
"kms:ListKeyPolicies",
"kms:ListRetirableGrants",
"kms:GetKeyRotationStatus",
"kms:GetKeyPolicy",
"cloudtrail:CreateTrail",
"kms:DescribeKey",
"s3:ListBucket",
"kms:ListResourceTags",
"kms:ListGrants"
],
"Resource": [
"arn:aws:s3:::644748xxxxxx",
"arn:aws:kms:*:644748xxxxxx:key/*",
"arn:aws:kms:*:644748xxxxxx:alias/*",
"arn:aws:cloudtrail:::*"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"iam:ListPolicies",
"kms:DescribeCustomKeyStores",
"kms:ListKeys",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:CreateServiceLinkedRole",
"kms:ListAliases",
"iam:ListRoles",
"iam:ListRolePolicies",
"iam:ListInstanceProfiles"
],
"Resource": "*"
}
]
}
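As an added example (not code from the question or the answer above), the following Python linter parses every Resource ARN in a policy document and flags the malformed S3 form the answer describes, so the problem can be caught before the console's "legacy parsing" error. The two embedded policies are trimmed, constructed copies of the broken and working policies above; parse_arn, check_resource and lint_policy are names chosen here, not AWS APIs.

```python
import re
from typing import Any, Dict, List, Tuple

# S3 bucket names: lowercase letters, digits, dots and hyphens; policy ARNs may
# also carry '*' / '?' wildcards. An optional "/key" part may follow the bucket.
_S3_RESOURCE_RE = re.compile(r"^[a-z0-9.*?-]{1,63}(/.*)?$")
_ARN_FIELDS = ("prefix", "partition", "service", "region", "account", "resource")


def parse_arn(arn: str) -> Dict[str, str]:
    """Split an ARN into its six fields. The resource field may itself contain
    colons (e.g. log-group:name:*), so split at most five times."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not a well-formed ARN: {arn!r}")
    return dict(zip(_ARN_FIELDS, parts))


def check_resource(arn: str) -> List[str]:
    """Return findings for one Resource entry; '*' is always accepted."""
    if arn == "*":
        return []
    try:
        a = parse_arn(arn)
    except ValueError as exc:
        return [str(exc)]
    findings: List[str] = []
    if not a["partition"] or not a["service"]:
        findings.append(f"missing partition or service in {arn!r}")
    if a["service"] == "s3":
        # S3 is a global service: region and account are empty, then the bucket.
        if a["region"] or a["account"]:
            findings.append(f"S3 ARN must have empty region and account: {arn!r}")
        if not _S3_RESOURCE_RE.match(a["resource"]):
            findings.append(
                f"bad S3 resource in {arn!r}: expected arn:aws:s3:::bucket[/key]")
    return findings


def lint_policy(policy: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Walk every statement and return (Sid, finding) pairs."""
    out: List[Tuple[str, str]] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        sid = stmt.get("Sid", f"Statement[{i}]")
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for r in resources:
            for f in check_resource(r):
                out.append((sid, f))
    return out


# Trimmed copies of the question's and the answer's policies (constructed here).
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": ["iam:ListPolicies", "kms:DescribeKey", "s3:ListAllMyBuckets"],
         "Resource": "*"},
        {"Sid": "VisualEditor1", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::644748426467:"},  # trailing colon is the defect
    ],
}
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": ["kms:DescribeKey", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::644748xxxxxx",
                      "arn:aws:kms:*:644748xxxxxx:key/*"]},
    ],
}

if __name__ == "__main__":
    for name, pol in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(name, lint_policy(pol) or "no findings")
```

Running it reports one finding against VisualEditor1 of the broken policy and none for the fixed one; the check is deliberately structural only (field count, S3 shape) and does not judge whether the actions and resources in a statement belong together.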

How-to restrict AWS IAM User to be able execute "SSM Run Commands" on a specific EC2 server

I am trying to set up and assign a policy so that a user can trigger AWS Systems Manager (SSM) Run Commands only on the EC2 instances authorized or assigned to them.
To do this, I am following the instructions at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sysman-configuring-access-iam-create.html and, as per those, I created the custom policy below, provisioning access for only one EC2 instance:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ssm:ListDocuments",
"ssm:DescribeDocument*",
"ssm:GetDocument",
"ssm:DescribeInstance*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:SendCommand",
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0",
"arn:aws:s3:::test-ssm-logs/TESTSERV",
"arn:aws:ssm:us-east-1:123456789012:document/AWS-RunPowerShellScript"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Name": "TESTSERV"
}
}
},
{
"Action": [
"ssm:CancelCommand",
"ssm:ListCommands",
"ssm:ListCommandInvocations"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DescribeInstanceStatus",
"Effect": "Allow",
"Resource": "*"
}
]
}
After I assigned the above policy to a test user, logged in with it and navigated to "Run Command", under Target Instances I see other EC2 instances as well, and I am even able to execute commands on them. Shouldn't the user only see the one instance specified in the above policy?
I do not understand what I am doing wrong here or how to fix it. I appreciate your help.
Thanks!
I have the IAM policy below assigned to all my EC2 instances:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:DescribeAssociation",
"ssm:GetDeployablePatchSnapshotForInstance",
"ssm:GetDocument",
"ssm:GetParameters",
"ssm:ListAssociations",
"ssm:ListInstanceAssociations",
"ssm:PutInventory",
"ssm:UpdateAssociationStatus",
"ssm:UpdateInstanceAssociationStatus",
"ssm:UpdateInstanceInformation"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2messages:AcknowledgeMessage",
"ec2messages:DeleteMessage",
"ec2messages:FailMessage",
"ec2messages:GetEndpoint",
"ec2messages:GetMessages",
"ec2messages:SendReply"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cloudwatch:PutMetricData"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstanceStatus"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ds:CreateComputer",
"ds:DescribeDirectories"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:PutLogEvents"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:ListBucketMultipartUploads"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::amazon-ssm-packages-*"
}
]
}
Also, I have the IAM policy below assigned to the test user so that they can Start/Stop/Restart EC2 instances:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:RebootInstances"
],
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Name": "TESTSERV"
}
}
}
]
}
I was able to make this work by adjusting the policy as below:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ssm:ListDocuments",
"ssm:DescribeDocument*",
"ssm:GetDocument",
"ssm:DescribeInstance*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:SendCommand",
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0",
"arn:aws:s3:::nsight-ssm-logs/TESTSERV",
"arn:aws:ssm:us-east-1::document/AWS-RunPowerShellScript"
]
},
{
"Action": [
"ssm:CancelCommand",
"ssm:ListCommands",
"ssm:ListCommandInvocations"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DescribeInstanceStatus",
"Effect": "Allow",
"Resource": "*"
}
]
}
My requirement was to only allow execution of PowerShell scripts, hence the line:
"arn:aws:ssm:us-east-1::document/AWS-RunPowerShellScript"
You can replace AWS-RunPowerShellScript with * to allow all commands.
Also, the EC2 Role assignment was necessary since without it I couldn't see any instances under Run Command.
Please also note that the user will see all instances under Run Command but will only be able to execute commands on the EC2 instances that the policies assign to the user account. I do not think there is any option to suppress this.
Thanks for your contribution and helpful tips.

How do I give an IAM group access to everything except creating new users?

I have a test account where I'd like to give developers access to try out anything they'd like EXCEPT I don't want to give them permissions to add / delete / mess with other users. I tried allowing everything and then denying IAM access but then they couldn't change their own password. For example:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"*"
],
"Resource": [
"*"
]
},
{
"Effect": "Deny",
"Action": [
"iam:*"
],
"Resource": [
"*"
]
}
]
}
This made it so users got the following error when they tried to log in and change their password:
User is not authorized to perform iam:ChangePassword
For a more concise answer you can use wildcards. Not perfectly future-proof, but those are most of the damaging verbs. :)
Also, I found the policy simulator very useful: IAM policy simulator
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": [
"iam:Add*",
"iam:Create*",
"iam:Deactivate*",
"iam:Delete*",
"iam:Detach*",
"iam:Enable*",
"iam:PassRole",
"iam:Put*",
"iam:Remove*",
"iam:Resync*",
"iam:Set*",
"iam:Simulate*",
"iam:Update*",
"iam:Put*"
],
"Resource": "*"
}
]
}
I figured out an answer that I'm only moderately okay with. I accomplished this by denying every IAM action except the ability to change password and see the password requirements.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"*"
],
"Resource": [
"*"
]
},
{
"Effect": "Deny",
"Action": [
"iam:AddRoleToInstanceProfile",
"iam:AddUserToGroup",
"iam:AddClientIDToOpenIDConnectProvider",
"iam:AttachGroupPolicy",
"iam:AttachRolePolicy",
"iam:AttachUserPolicy",
"iam:CreateAccessKey",
"iam:CreateAccountAlias",
"iam:CreateGroup",
"iam:CreateInstanceProfile",
"iam:CreateLoginProfile",
"iam:CreateOpenIDConnectProvider",
"iam:CreatePolicy",
"iam:CreatePolicyVersion",
"iam:CreateRole",
"iam:CreateSAMLProvider",
"iam:CreateUser",
"iam:CreateVirtualMFADevice",
"iam:DeactivateMFADevice",
"iam:DeleteAccessKey",
"iam:DeleteAccountAlias",
"iam:DeleteAccountPasswordPolicy",
"iam:DeleteGroup",
"iam:DeleteGroupPolicy",
"iam:DeleteInstanceProfile",
"iam:DeleteLoginProfile",
"iam:DeleteOpenIDConnectProvider",
"iam:DeletePolicy",
"iam:DeletePolicyVersion",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DeleteSAMLProvider",
"iam:DeleteSSHPublicKey",
"iam:DeleteServerCertificate",
"iam:DeleteSigningCertificate",
"iam:DeleteUser",
"iam:DeleteUserPolicy",
"iam:DeleteVirtualMFADevice",
"iam:DetachGroupPolicy",
"iam:DetachRolePolicy",
"iam:DetachUserPolicy",
"iam:EnableMFADevice",
"iam:GenerateCredentialReport",
"iam:GenerateServiceLastAccessedDetails",
"iam:GetAccessKeyLastUsed",
"iam:GetAccountAuthorizationDetails",
"iam:GetAccountSummary",
"iam:GetContextKeysForCustomPolicy",
"iam:GetContextKeysForPrincipalPolicy",
"iam:GetCredentialReport",
"iam:GetGroup",
"iam:GetGroupPolicy",
"iam:GetInstanceProfile",
"iam:GetLoginProfile",
"iam:GetOpenIDConnectProvider",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetSAMLProvider",
"iam:GetSSHPublicKey",
"iam:GetServerCertificate",
"iam:GetServiceLastAccessedDetails",
"iam:GetServiceLastAccessedDetailsWithEntities",
"iam:GetUser",
"iam:GetUserPolicy",
"iam:ListAccessKeys",
"iam:ListAccountAliases",
"iam:ListAttachedGroupPolicies",
"iam:ListAttachedRolePolicies",
"iam:ListAttachedUserPolicies",
"iam:ListEntitiesForPolicy",
"iam:ListGroupPolicies",
"iam:ListGroups",
"iam:ListGroupsForUser",
"iam:ListInstanceProfiles",
"iam:ListInstanceProfilesForRole",
"iam:ListMFADevices",
"iam:ListOpenIDConnectProviders",
"iam:ListPolicies",
"iam:ListPoliciesGrantingServiceAccess",
"iam:ListPolicyVersions",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:ListSAMLProviders",
"iam:ListSSHPublicKeys",
"iam:ListServerCertificates",
"iam:ListSigningCertificates",
"iam:ListUserPolicies",
"iam:ListUsers",
"iam:ListVirtualMFADevices",
"iam:PassRole",
"iam:PutGroupPolicy",
"iam:PutRolePolicy",
"iam:PutUserPolicy",
"iam:RemoveClientIDFromOpenIDConnectProvider",
"iam:RemoveRoleFromInstanceProfile",
"iam:RemoveUserFromGroup",
"iam:ResyncMFADevice",
"iam:SetDefaultPolicyVersion",
"iam:SimulateCustomPolicy",
"iam:SimulatePrincipalPolicy",
"iam:UpdateAccessKey",
"iam:UpdateAccountPasswordPolicy",
"iam:UpdateAssumeRolePolicy",
"iam:UpdateGroup",
"iam:UpdateLoginProfile",
"iam:UpdateOpenIDConnectProviderThumbprint",
"iam:UpdateSAMLProvider",
"iam:UpdateSSHPublicKey",
"iam:UpdateServerCertificate",
"iam:UpdateSigningCertificate",
"iam:UpdateUser",
"iam:UploadSSHPublicKey",
"iam:UploadServerCertificate",
"iam:UploadSigningCertificate"
],
"Resource": [
"*"
]
}
]
}
It works, but I'd love something more concise / future-proof.
You can use something like the policy below, using NotAction. This will deny everything for IAM except whatever you mention in NotAction. You can create users using the policy below, but please note that you will also have to assign policies/roles, so add permissions for those under 'NotAction'. Everything else except the actions specified in 'NotAction' will be blocked in the IAM console. The other part of the policy allows everything in the console. So it just blocks IAM while allowing everything else, plus certain attributes of IAM.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Deny",
"NotAction": [
"iam:CreateUser"
],
"Resource": "arn:aws:iam::*:*"
},
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
Best regards,
Sanjeev B.
I use the following for Infra admins who don't need access to user/group/policy changes.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"*"
],
"Resource": [
"*"
]
},
{
"Effect": "Deny",
"Action": [
"iam:AddUserToGroup",
"iam:AddClientIDToOpenIDConnectProvider",
"iam:AttachGroupPolicy",
"iam:AttachRolePolicy",
"iam:AttachUserPolicy",
"iam:CreateGroup",
"iam:CreateLoginProfile",
"iam:CreateOpenIDConnectProvider",
"iam:CreatePolicy",
"iam:CreatePolicyVersion",
"iam:CreateRole",
"iam:CreateSAMLProvider",
"iam:CreateUser",
"iam:DeleteAccountPasswordPolicy",
"iam:DeleteGroup",
"iam:DeleteGroupPolicy",
"iam:DeleteLoginProfile",
"iam:DeleteOpenIDConnectProvider",
"iam:DeletePolicy",
"iam:DeletePolicyVersion",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DeleteSAMLProvider",
"iam:DeleteUser",
"iam:DeleteUserPolicy",
"iam:DetachGroupPolicy",
"iam:DetachRolePolicy",
"iam:DetachUserPolicy",
"iam:PutGroupPolicy",
"iam:PutRolePolicy",
"iam:PutUserPolicy",
"iam:RemoveClientIDFromOpenIDConnectProvider",
"iam:RemoveUserFromGroup",
"iam:SetDefaultPolicyVersion",
"iam:UpdateAccountPasswordPolicy",
"iam:UpdateAssumeRolePolicy",
"iam:UpdateGroup",
"iam:UpdateLoginProfile",
"iam:UpdateOpenIDConnectProviderThumbprint",
"iam:UpdateSAMLProvider",
"iam:UpdateUser"
],
"Resource": [
"*"
]
}
]
}

AWS AccessDeniedException elastictranscoder:CreateJob

I'm trying to use a Lambda function to trigger an Elastic Transcoder job, but I keep getting this error message:
AccessDeniedException: User: arn:aws:sts::xxx:assumed-role/xxxx/xxx is not authorized to perform: elastictranscoder:CreateJob on resource: arn:aws:elastictranscoder:xxxxx:pipeline/xxxxx
My IAM user policy covers all access requirements:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1465486106000",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:GetLogEvents",
"logs:PutLogEvents",
"logs:DescribeLogStreams"
],
"Resource": [
"arn:aws:logs:*:*:*"
]
},
{
"Sid": "1",
"Effect": "Allow",
"Action": [
"s3:Put*",
"s3:ListBucket",
"s3:*MultipartUpload*",
"s3:Get*"
],
"Resource": "*"
},
{
"Sid": "2",
"Effect": "Allow",
"Action": "sns:Publish",
"Resource": "*"
},
{
"Sid": "3",
"Effect": "Deny",
"Action": [
"s3:*Delete*",
"s3:*Policy*",
"sns:*Remove*",
"sns:*Delete*",
"sns:*Permission*"
],
"Resource": "*"
}
]
}
Why am I getting the AccessDeniedException and how can I fix it?
Change your policy to the one below and then try; it will work.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1465486106000",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:GetLogEvents",
"logs:PutLogEvents",
"logs:DescribeLogStreams"
],
"Resource": [
"arn:aws:logs:*:*:*"
]
},
{
"Sid": "1",
"Effect": "Allow",
"Action": [
"elastictranscoder:*",
"s3:Put*",
"s3:ListBucket",
"s3:*MultipartUpload*",
"s3:Get*"
],
"Resource": "*"
},
{
"Sid": "2",
"Effect": "Allow",
"Action": "sns:Publish",
"Resource": "*"
},
{
"Sid": "3",
"Effect": "Deny",
"Action": [
"s3:*Delete*",
"s3:*Policy*",
"sns:*Remove*",
"sns:*Delete*",
"sns:*Permission*"
],
"Resource": "*"
}
]
}
You don't need to change the JSON by editing it.
First of all, detect which role you want to edit:
1) Click Permissions http://prntscr.com/j1giww
2) See the role name http://prntscr.com/j1gj6s
3) Go to IAM Roles
4) Select the role that you saw at step 2
5) Edit the policy and add Transcoder Full Access (or selected access)
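Several of the threads above turn on the same IAM evaluation rules: an explicit Deny beats any Allow (the deny-all-IAM policy that broke iam:ChangePassword), wildcard and NotAction statements (the iam:Delete* and NotAction answers), a multi-resource call such as ssm:SendCommand that must be allowed for every target, and a request no statement covers at all (the elastictranscoder:CreateJob AccessDeniedException). The following Python is an added example, not code from any of the posts or from AWS: a small offline evaluator (evaluate and evaluate_all are names chosen here) run over trimmed, constructed versions of the posted policies. Account IDs, the second instance ID, the user and the pipeline ARN are placeholders; Condition blocks are not modelled and are treated as satisfied, so the ec2:ResourceTag condition from the SSM post is omitted. The transcoder fix shown grants only CreateJob on the one pipeline rather than elastictranscoder:* on every resource.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

Policy = Dict[str, Any]
ACCT = "123456789012"  # constructed account id (the same placeholder the SSM post uses)
INSTANCE = f"arn:aws:ec2:us-east-1:{ACCT}:instance/i-1234567890abcdef0"   # from the SSM post
DOC = "arn:aws:ssm:us-east-1::document/AWS-RunPowerShellScript"            # from the SSM post
OTHER_INSTANCE = f"arn:aws:ec2:us-east-1:{ACCT}:instance/i-0fedcba987654321"  # constructed
USER = f"arn:aws:iam::{ACCT}:user/developer"                               # constructed
PIPELINE = f"arn:aws:elastictranscoder:us-east-1:{ACCT}:pipeline/example"  # constructed


def _match(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(v: Any) -> List[str]:
    return [v] if isinstance(v, str) else list(v or [])


def _applies(stmt: Policy, action: str, resource: str) -> bool:
    """Action/NotAction (case-insensitive) and Resource/NotResource (case-sensitive).
    Condition blocks are not modelled in this toy: they are assumed satisfied."""
    if "Action" in stmt:
        act = any(_match(p, action, True) for p in _as_list(stmt["Action"]))
    else:
        act = not any(_match(p, action, True) for p in _as_list(stmt.get("NotAction")))
    if "Resource" in stmt:
        res = any(_match(p, resource, False) for p in _as_list(stmt["Resource"]))
    else:
        res = not any(_match(p, resource, False) for p in _as_list(stmt.get("NotResource")))
    return act and res


def evaluate(policies: List[Policy], action: str, resource: str) -> Tuple[str, str]:
    """('allow'|'deny', reason): an explicit Deny wins over any Allow, and a
    request that no statement allows is an implicit deny."""
    allowed_by: Optional[str] = None
    for pol in policies:
        for i, stmt in enumerate(pol.get("Statement", [])):
            if not _applies(stmt, action, resource):
                continue
            sid = stmt.get("Sid", f"Statement[{i}]")
            if stmt["Effect"] == "Deny":
                return "deny", f"explicit deny by {sid}"
            allowed_by = allowed_by or sid
    if allowed_by:
        return "allow", f"allowed by {allowed_by}"
    return "deny", "implicit deny (no matching Allow)"


def evaluate_all(policies: List[Policy], action: str, resources: List[str]) -> Tuple[str, str]:
    """A call that names several resources (ssm:SendCommand with its targets and
    document) succeeds only if every one of them is allowed."""
    for r in resources:
        verdict, why = evaluate(policies, action, r)
        if verdict == "deny":
            return "deny", f"{r}: {why}"
    return "allow", "every resource allowed"


# Trimmed versions of the policies posted above (constructed for this example).
SSM_POLICY: Policy = {"Statement": [
    {"Sid": "SendCommand", "Effect": "Allow", "Action": "ssm:SendCommand",
     "Resource": [INSTANCE, DOC]}]}
DENY_ALL_IAM: Policy = {"Statement": [
    {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "DenyIam", "Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}
DENY_IAM_VERBS: Policy = {"Statement": [
    {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "DenyVerbs", "Effect": "Deny", "Resource": "*", "Action": [
        "iam:Add*", "iam:Create*", "iam:Delete*", "iam:Put*", "iam:Update*", "iam:PassRole"]}]}
NOTACTION_POLICY: Policy = {"Statement": [
    {"Sid": "DenyIamExceptCreateUser", "Effect": "Deny", "NotAction": ["iam:CreateUser"],
     "Resource": "arn:aws:iam::*:*"},
    {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}]}
TRANSCODER_POLICY: Policy = {"Statement": [
    {"Sid": "1", "Effect": "Allow", "Action": ["s3:Put*", "s3:ListBucket", "s3:Get*"], "Resource": "*"},
    {"Sid": "3", "Effect": "Deny", "Action": ["s3:*Delete*", "s3:*Policy*"], "Resource": "*"}]}
# Least-privilege fix: allow only CreateJob on the one pipeline, not elastictranscoder:* on '*'.
TRANSCODER_FIXED: Policy = {"Statement": TRANSCODER_POLICY["Statement"] + [
    {"Sid": "CreateJob", "Effect": "Allow", "Action": "elastictranscoder:CreateJob",
     "Resource": PIPELINE}]}

if __name__ == "__main__":
    print(evaluate([DENY_ALL_IAM], "iam:ChangePassword", USER))
    print(evaluate([DENY_IAM_VERBS], "iam:ChangePassword", USER))
    print(evaluate([NOTACTION_POLICY], "iam:ListUsers", USER))
    print(evaluate_all([SSM_POLICY], "ssm:SendCommand", [INSTANCE, OTHER_INSTANCE, DOC]))
    print(evaluate([TRANSCODER_POLICY], "elastictranscoder:CreateJob", PIPELINE))
    print(evaluate([TRANSCODER_FIXED], "elastictranscoder:CreateJob", PIPELINE))
```

The toy reproduces the outcomes reported in the posts: the deny-all-IAM policy rejects iam:ChangePassword, the verb-wildcard policy allows it while still denying iam:DeleteUser, the NotAction policy permits only iam:CreateUser inside IAM while leaving other services untouched, ssm:SendCommand fails as soon as one target lies outside the allowed list, and the transcoder role is implicitly denied until an Allow for CreateJob exists. For a real account, the IAM policy simulator the thread mentions applies the same rules including Condition blocks.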