This document outlines the specific IAM permissions required to deploy and operate each PDF accessibility solution. All permissions follow the principle of least privilege: actions are limited to what each component needs, and resources are scoped by ARN wherever the service supports it.

The PDF-to-PDF solution (ECS-based processing that calls the Adobe API) uses the following AWS services:

- Amazon S3 - File storage and processing
- AWS Lambda - Serverless compute functions
- Amazon ECS - Containerized processing tasks
- Amazon ECR - Container image registry
- AWS Step Functions - Workflow orchestration
- Amazon EC2 - VPC and networking infrastructure
- AWS IAM - Role and policy management
- AWS CloudFormation - Infrastructure deployment
- Amazon Bedrock - AI/ML model access
- AWS Secrets Manager - Adobe API credentials storage
- Amazon CloudWatch - Monitoring and logging
- AWS Systems Manager - Parameter storage
- Amazon Comprehend - Language detection
```json
{
  "Sid": "BedrockInvokeModel",
  "Effect": "Allow",
  "Action": ["bedrock:InvokeModel"],
  "Resource": [
    "arn:aws:bedrock:${Region}::foundation-model/us.amazon.nova-pro-v1:0",
    "arn:aws:bedrock:${Region}::foundation-model/amazon.nova-pro-v1:0"
  ]
}
```

Note: the account field of a foundation-model ARN is empty (the `::` after the Region), because foundation models are owned by AWS, not by your account. If the solution invokes the model through a cross-region inference profile (the `us.` prefixed ID), the caller also needs `bedrock:InvokeModel` on the inference profile ARN (`arn:aws:bedrock:${Region}:${AccountId}:inference-profile/us.amazon.nova-pro-v1:0`) and on the foundation model in every Region the profile routes to; an `AccessDeniedException` that names the inference profile is the usual symptom of a missing entry.

```json
{
  "Sid": "S3BucketAccess",
  "Effect": "Allow",
  "Action": [
    "s3:GetObject",
    "s3:PutObject",
    "s3:DeleteObject"
  ],
  "Resource": [
    "arn:aws:s3:::${BucketName}",
    "arn:aws:s3:::${BucketName}/*"
  ]
}
```

Note: `s3:GetObject`, `s3:PutObject` and `s3:DeleteObject` are object-level actions and are matched by the `${BucketName}/*` entry only; the bare bucket ARN matters for bucket-level actions such as `s3:ListBucket`, which this statement does not grant.

```json
{
  "Sid": "ComprehendLanguageDetection",
  "Effect": "Allow",
  "Action": ["comprehend:DetectDominantLanguage"],
  "Resource": "*"
}
```

Note: Comprehend's `DetectDominantLanguage` action does not support resource-level permissions.

```json
{
  "Sid": "SecretsManagerAccess",
  "Effect": "Allow",
  "Action": ["secretsmanager:GetSecretValue"],
  "Resource": "arn:aws:secretsmanager:${Region}:${AccountId}:secret:/myapp/*"
}
```

Note: Secrets Manager appends a random six-character suffix to every secret ARN, so a trailing `*` is needed even to match a single secret. This pattern covers the `/myapp/client_credentials` secret used for the Adobe API and anything else created under `/myapp/`; if that is the only secret the task reads, `secret:/myapp/client_credentials-*` is the tighter pattern.

```json
{
  "Sid": "BedrockInvokeModel",
  "Effect": "Allow",
  "Action": ["bedrock:InvokeModel"],
  "Resource": [
    "arn:aws:bedrock:${Region}::foundation-model/us.amazon.nova-pro-v1:0",
    "arn:aws:bedrock:${Region}::foundation-model/amazon.nova-pro-v1:0"
  ]
}
```

```json
{
  "Sid": "CloudWatchMetrics",
  "Effect": "Allow",
  "Action": ["cloudwatch:PutMetricData"],
  "Resource": "*"
}
```

Note: CloudWatch `PutMetricData` does not support resource-level permissions. A `cloudwatch:namespace` condition key can still restrict which metric namespace the role may write to.
The PDF-to-HTML solution uses the following AWS services:

- Amazon S3 - File storage and processing
- AWS Lambda - Serverless compute functions
- Amazon ECR - Container image registry
- AWS IAM - Role and policy management
- AWS CloudFormation - Infrastructure deployment
- Amazon Bedrock - AI/ML model access and Data Automation
- Amazon CloudWatch - Monitoring and logging
- AWS Systems Manager - Parameter storage
```json
{
  "Sid": "S3BucketAccess",
  "Effect": "Allow",
  "Action": [
    "s3:GetObject",
    "s3:PutObject",
    "s3:ListBucket",
    "s3:DeleteObject",
    "s3:GetBucketLocation",
    "s3:GetObjectVersion",
    "s3:GetBucketPolicy"
  ],
  "Resource": [
    "arn:aws:s3:::${BucketName}",
    "arn:aws:s3:::${BucketName}/*"
  ]
}
```

Note: `ListObjects`, `ListObjectsV2` and `DeleteObjects` are S3 API operations, not IAM actions, and must not be listed as `s3:ListObjectsV2` or `s3:DeleteObjects`. IAM accepts unknown action strings without complaint (IAM Access Analyzer policy validation reports them as invalid), so such entries silently grant nothing. The list and bulk-delete calls are authorized by `s3:ListBucket` (on the bucket ARN) and `s3:DeleteObject` (on the object ARN pattern), both of which are present above.

```json
{
  "Sid": "BedrockModelInvocation",
  "Effect": "Allow",
  "Action": [
    "bedrock:InvokeModel",
    "bedrock:InvokeModelWithResponseStream"
  ],
  "Resource": [
    "arn:aws:bedrock:${Region}::foundation-model/us.amazon.nova-lite-v1:0",
    "arn:aws:bedrock:${Region}::foundation-model/amazon.nova-lite-v1:0",
    "arn:aws:bedrock:${Region}::foundation-model/us.amazon.nova-pro-v1:0",
    "arn:aws:bedrock:${Region}::foundation-model/amazon.nova-pro-v1:0"
  ]
}
```

```json
{
  "Sid": "BedrockDataAutomation",
  "Effect": "Allow",
  "Action": [
    "bedrock:InvokeDataAutomationAsync",
    "bedrock:GetDataAutomationStatus",
    "bedrock:GetDataAutomationProject"
  ],
  "Resource": [
    "${BdaProjectArn}",
    "arn:aws:bedrock:${Region}:${AccountId}:data-automation-invocation/*",
    "arn:aws:bedrock:${Region}:${AccountId}:data-automation-profile/*"
  ]
}
```

Note: unlike foundation-model ARNs, Data Automation projects, invocations and profiles are account-owned resources, so their ARNs carry the account ID. `${BdaProjectArn}` is the ARN of the specific project the pipeline uses (see the ARN formats at the end of this document).

```json
{
  "Sid": "CloudWatchLogs",
  "Effect": "Allow",
  "Action": [
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents"
  ],
  "Resource": "arn:aws:logs:${Region}:${AccountId}:log-group:/aws/lambda/Pdf2HtmlPipeline:*"
}
```

The CodeBuild role requires permissions to deploy CDK stacks. These are scoped to specific resource patterns.
```json
{
  "Sid": "S3CDKAndBucketAccess",
  "Effect": "Allow",
  "Action": [
    "s3:CreateBucket",
    "s3:DeleteBucket",
    "s3:PutBucketPolicy",
    "s3:GetBucketPolicy",
    "s3:DeleteBucketPolicy",
    "s3:PutBucketPublicAccessBlock",
    "s3:GetBucketPublicAccessBlock",
    "s3:PutEncryptionConfiguration",
    "s3:GetEncryptionConfiguration",
    "s3:PutBucketVersioning",
    "s3:GetBucketVersioning",
    "s3:PutBucketCORS",
    "s3:GetBucketCORS",
    "s3:PutBucketNotification",
    "s3:GetBucketNotification",
    "s3:PutBucketTagging",
    "s3:GetBucketTagging",
    "s3:GetBucketLocation",
    "s3:ListBucket",
    "s3:GetObject",
    "s3:PutObject",
    "s3:DeleteObject",
    "s3:GetObjectVersion",
    "s3:DeleteObjectVersion",
    "s3:ListBucketVersions"
  ],
  "Resource": [
    "arn:aws:s3:::cdk-*",
    "arn:aws:s3:::cdk-*/*",
    "arn:aws:s3:::pdfaccessibility*",
    "arn:aws:s3:::pdfaccessibility*/*"
  ]
}
```

Note: the `cdk-*` patterns cover the CDK bootstrap assets bucket; the `pdfaccessibility*` patterns cover the solution's own buckets. Because bucket names are global, a prefix pattern also matches buckets in other accounts that happen to start with `pdfaccessibility`, so the bucket policy on those buckets remains the real boundary.

```json
{
  "Sid": "IAMRoleAndPolicyAccess",
  "Effect": "Allow",
  "Action": [
    "iam:CreateRole",
    "iam:DeleteRole",
    "iam:GetRole",
    "iam:UpdateRole",
    "iam:PassRole",
    "iam:AttachRolePolicy",
    "iam:DetachRolePolicy",
    "iam:PutRolePolicy",
    "iam:GetRolePolicy",
    "iam:DeleteRolePolicy",
    "iam:ListRolePolicies",
    "iam:ListAttachedRolePolicies",
    "iam:TagRole",
    "iam:UntagRole",
    "iam:ListRoleTags",
    "iam:UpdateAssumeRolePolicy"
  ],
  "Resource": [
    "arn:aws:iam::*:role/PDFAccessibility*",
    "arn:aws:iam::*:role/cdk-*"
  ]
}
```

Note: this statement lets the build role create and attach policies to any `PDFAccessibility*` role and pass it to any AWS service, which is effectively the ability to mint its own permissions. Two tightenings that do not break a CDK deployment are a `Condition` on `iam:PassRole` with `iam:PassedToService` limited to the services the stacks use (for example `lambda.amazonaws.com`, `ecs-tasks.amazonaws.com`, `states.amazonaws.com`), and a permissions boundary required via `iam:PermissionsBoundary` on `iam:CreateRole`.

```json
{
  "Sid": "CloudFormationStackAccess",
  "Effect": "Allow",
  "Action": [
    "cloudformation:CreateStack",
    "cloudformation:DeleteStack",
    "cloudformation:UpdateStack",
    "cloudformation:DescribeStacks",
    "cloudformation:DescribeStackEvents",
    "cloudformation:DescribeStackResources",
    "cloudformation:GetTemplate",
    "cloudformation:GetTemplateSummary",
    "cloudformation:ListStacks",
    "cloudformation:ValidateTemplate",
    "cloudformation:CreateChangeSet",
    "cloudformation:DeleteChangeSet",
    "cloudformation:DescribeChangeSet",
    "cloudformation:ExecuteChangeSet",
    "cloudformation:ListChangeSets"
  ],
  "Resource": [
    "arn:aws:cloudformation:*:*:stack/PDFAccessibility*/*",
    "arn:aws:cloudformation:*:*:stack/CDKToolkit/*"
  ]
}
```

Note: `CDKToolkit` is the stack created by `cdk bootstrap`; it is included so the build role can run and update the bootstrap.

All IAM policies in this solution follow the principle of least privilege:

- Actions are limited to only those required for the specific operation
- Resources are scoped to specific ARN patterns where possible
- Wildcards are only used where AWS does not support resource-level permissions

The following actions require `"Resource": "*"` because AWS does not support resource-level permissions for them:

- `cloudwatch:PutMetricData`
- `comprehend:DetectDominantLanguage`
- `ecr:GetAuthorizationToken`
- `sts:GetCallerIdentity`
- EC2 VPC-related actions (describe operations)
- ECS cluster and task definition operations
- Adobe API credentials are stored securely in AWS Secrets Manager at `/myapp/client_credentials`
- All S3 buckets use server-side encryption (SSE-S3)
- VPC configuration isolates ECS tasks in private subnets (PDF-to-PDF solution)
- IAM roles are scoped to specific resource patterns
- CloudWatch logs capture all function executions
- CloudTrail can be enabled for API call auditing
- Custom CloudWatch dashboards provide operational visibility
- CDK Bootstrap Failures: Ensure CloudFormation and S3 permissions for `cdk-*` resources
- ECR Push Failures: Verify ECR repository permissions and `ecr:GetAuthorizationToken`
- Lambda Deployment Failures: Check Lambda and IAM role creation permissions
- Step Function Execution Failures: Verify Step Functions and ECS permissions
- Bedrock Access Denied: Ensure Bedrock model access is enabled in the console and the IAM policy includes the correct model ARNs
Before deployment, verify your AWS credentials have the required permissions:

```bash
aws sts get-caller-identity
aws iam get-user
aws bedrock list-foundation-models --region your-region
```

Note: `aws iam get-user` only works when the credentials belong to an IAM user. With assumed-role credentials (IAM Identity Center, CI roles) it fails with `ValidationError: Must specify userName when calling with non-User credentials`, and `aws sts get-caller-identity` is the reliable identity check. None of these commands confirms that the permissions listed above are attached; `aws iam simulate-principal-policy` with `--policy-source-arn` and `--action-names` answers that for specific actions before you deploy.

When scoping Bedrock permissions, use the correct ARN format:

- Foundation models: `arn:aws:bedrock:${Region}::foundation-model/${ModelId}` (empty account field, because the model is owned by AWS)
- Data automation projects: `arn:aws:bedrock:${Region}:${AccountId}:data-automation-project/${ProjectId}`
- Data automation invocations: `arn:aws:bedrock:${Region}:${AccountId}:data-automation-invocation/${JobId}`
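The least-privilege rules and ARN formats above can be checked mechanically before a policy is attached. The following linter is an added example written for this document, not code from the PDF accessibility solution; it runs offline against a policy document and flags `Resource: "*"` on actions that do support resource-level permissions (the allowlist is the set stated in this document), S3 API operation names pasted in as IAM actions, Bedrock ARNs whose account field is wrong for the resource type, and `iam:PassRole` statements without an `iam:PassedToService` condition. Stand-alone placeholders such as `${BdaProjectArn}` are skipped. The embedded policy is constructed for the demonstration and deliberately contains each mistake once; the account ID and Region in it are placeholders.

```python
"""Offline least-privilege lint for IAM policy statements (added example).

Checks, matching the rules stated in this document:
  1. Resource "*" only on actions that lack resource-level permissions.
  2. S3 entries are IAM actions, not API operation names.
  3. Bedrock foundation-model ARNs have an empty account field; other
     Bedrock resources (data automation, inference profiles) carry the account.
  4. iam:PassRole is restricted with an iam:PassedToService condition.
"""
import re

# Actions this document lists as having no resource-level permissions.
WILDCARD_OK = {
    "cloudwatch:PutMetricData",
    "comprehend:DetectDominantLanguage",
    "ecr:GetAuthorizationToken",
    "sts:GetCallerIdentity",
}
WILDCARD_OK_PREFIXES = ("ec2:Describe",)  # EC2 describe calls take no resource

# S3 API operation names that are not IAM actions, mapped to the action
# that actually authorizes the call.
S3_API_TO_ACTION = {
    "s3:ListObjects": "s3:ListBucket",
    "s3:ListObjectsV2": "s3:ListBucket",
    "s3:HeadBucket": "s3:ListBucket",
    "s3:DeleteObjects": "s3:DeleteObject",
    "s3:HeadObject": "s3:GetObject",
}

ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):(?P<service>[^:]+):(?P<region>[^:]*):"
    r"(?P<account>[^:]*):(?P<resource>.+)$"
)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_statement(stmt):
    """Return human-readable findings for one Allow statement."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    sid = stmt.get("Sid", "<no Sid>")
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    condition = stmt.get("Condition", {})

    # 1. Wildcard resource on an action that could have been scoped.
    if "*" in resources:
        for action in actions:
            if action not in WILDCARD_OK and not action.startswith(WILDCARD_OK_PREFIXES):
                findings.append(f"{sid}: {action} supports resource-level permissions but Resource is '*'")

    # 2. API operation names masquerading as IAM actions (IAM accepts them silently).
    for action in actions:
        if action in S3_API_TO_ACTION:
            findings.append(f"{sid}: {action} is an API operation, not an IAM action; use {S3_API_TO_ACTION[action]}")

    # 3. Bedrock ARN shape: AWS-owned models have an empty account field.
    for res in resources:
        if res == "*" or res.startswith("${"):
            continue
        match = ARN_RE.match(res)
        if not match:
            findings.append(f"{sid}: malformed ARN {res}")
            continue
        if match["service"] == "bedrock":
            rtype = match["resource"].split("/", 1)[0]
            if rtype == "foundation-model" and match["account"]:
                findings.append(f"{sid}: foundation-model ARN must have an empty account field: {res}")
            elif rtype != "foundation-model" and not match["account"]:
                findings.append(f"{sid}: {rtype} ARN needs the account ID: {res}")

    # 4. Unconditioned PassRole lets the caller hand the role to any service.
    if "iam:PassRole" in actions:
        cond_keys = {key.lower() for block in condition.values() for key in block}
        if "iam:passedtoservice" not in cond_keys:
            findings.append(f"{sid}: iam:PassRole without an iam:PassedToService condition")
    return findings


def lint_policy(policy):
    """Lint every statement of a policy document and return all findings."""
    return [f for stmt in _as_list(policy.get("Statement", [])) for f in lint_statement(stmt)]


# Constructed sample modelled on the statements in this document; each
# statement exercises one check. Account ID and Region are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ComprehendLanguageDetection", "Effect": "Allow",
         "Action": ["comprehend:DetectDominantLanguage"], "Resource": "*"},
        {"Sid": "S3BucketAccess", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket", "s3:ListObjectsV2", "s3:DeleteObjects"],
         "Resource": ["arn:aws:s3:::${BucketName}", "arn:aws:s3:::${BucketName}/*"]},
        {"Sid": "BedrockInvokeModel", "Effect": "Allow", "Action": ["bedrock:InvokeModel"],
         "Resource": "arn:aws:bedrock:us-east-1:123456789012:foundation-model/amazon.nova-pro-v1:0"},
        {"Sid": "TooBroad", "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"},
        {"Sid": "PassRoleLoose", "Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": "arn:aws:iam::*:role/PDFAccessibility*"},
        {"Sid": "PassRoleScoped", "Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": "arn:aws:iam::*:role/PDFAccessibility*",
         "Condition": {"StringEquals": {"iam:PassedToService": ["lambda.amazonaws.com", "ecs-tasks.amazonaws.com"]}}},
    ],
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

Run against the sample, the linter reports five findings (two invalid S3 actions, the foundation-model ARN with an account ID, the wildcard on `s3:GetObject`, and the unconditioned `iam:PassRole`) and is silent on the Comprehend wildcard and the scoped `PassRole`. To lint a real policy, load the JSON exported by `aws iam get-role-policy` or the synthesized CloudFormation template and pass each policy document to `lint_policy`; extend `WILDCARD_OK` if you rely on further actions that genuinely take no resource.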