AWS Cloud WAN service-linked roles - AWS Network Manager

AWS Cloud WAN service-linked roles

AWS Cloud WAN uses the following service-linked roles for the permissions that it requires to call other AWS services on your behalf:

AWSServiceRoleForNetworkManagerCloudWAN

AWS Cloud WAN uses the service-linked role named AWSServiceRoleForNetworkManagerCloudWAN to create and announce transit gateway route tables, and then to propagate transit gateway routes to those tables.

The AWSServiceRoleForNetworkManagerCloudWAN service-linked role trusts the following service to assume the role:

  • networkmanager.amazonaws.com

The following AWSNetworkManagerCloudWANServiceRolePolicy policy is attached to the role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTransitGatewayRouteTableAnnouncement",
                "ec2:DeleteTransitGatewayRouteTableAnnouncement",
                "ec2:EnableTransitGatewayRouteTablePropagation",
                "ec2:DisableTransitGatewayRouteTablePropagation"
            ],
            "Resource": "*"
        }
    ]
}

AWSServiceRoleForVPCTransitGateway

Amazon VPC uses the service-linked role named AWSServiceRoleForVPCTransitGateway to call the following actions on your behalf when you work with a transit gateway:

  • ec2:CreateNetworkInterface

  • ec2:DescribeNetworkInterfaces

  • ec2:ModifyNetworkInterfaceAttribute

  • ec2:DeleteNetworkInterface

  • ec2:CreateNetworkInterfacePermission

  • ec2:AssignIpv6Addresses

  • ec2:UnAssignIpv6Addresses

AWSServiceRoleForVPCTransitGateway trusts the transitgateway.amazonaws.com service to assume the role.

AWSServiceRoleForNetworkManager

AWS Cloud WAN uses the service-linked role named AWSServiceRoleForNetworkManager to call actions on your behalf when you work with global networks.

The AWSServiceRoleForNetworkManager service-linked role trusts the following service to assume the role:

  • networkmanager.amazonaws.com

The following AWSNetworkManagerServiceRolePolicy policy is attached to the role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "directconnect:DescribeDirectConnectGateways",
                "directconnect:DescribeConnections",
                "directconnect:DescribeDirectConnectGatewayAttachments",
                "directconnect:DescribeLocations",
                "directconnect:DescribeVirtualInterfaces",
                "ec2:DescribeCustomerGateways",
                "ec2:DescribeTransitGatewayAttachments",
                "ec2:DescribeTransitGatewayRouteTables",
                "ec2:DescribeTransitGateways",
                "ec2:DescribeVpnConnections",
                "ec2:DescribeVpcs",
                "ec2:GetTransitGatewayRouteTableAssociations",
                "ec2:GetTransitGatewayRouteTablePropagations",
                "ec2:SearchTransitGatewayRoutes",
                "ec2:DescribeTransitGatewayPeeringAttachments",
                "ec2:DescribeTransitGatewayConnects",
                "ec2:DescribeTransitGatewayConnectPeers",
                "ec2:DescribeRegions",
                "organizations:DescribeAccount",
                "organizations:DescribeOrganization",
                "organizations:ListAccounts",
                "organizations:ListAWSServiceAccessForOrganization",
                "organizations:ListDelegatedAdministrators",
                "ec2:DescribeTransitGatewayRouteTableAnnouncements",
                "ec2:DescribeTransitGatewayPolicyTables",
                "ec2:GetTransitGatewayPolicyTableAssociations",
                "ec2:GetTransitGatewayPolicyTableEntries"
            ],
            "Resource": "*"
        }
    ]
}
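The trust policies and managed policies above are the reference values an account review should compare against. The following Python is an added example, not code from the AWS documentation or from the Network Manager service: it audits a role's trust policy and attached policy documents against the trust principal and action list documented for AWSServiceRoleForNetworkManagerCloudWAN, and reports any drift (an extra trust principal, an extra attached policy, or an action the page does not list). The role and policy documents are constructed sample input in the shape IAM returns from GetRole and GetPolicyVersion; fetching them with boto3 (iam.get_role, iam.list_attached_role_policies, iam.get_policy_version) is assumed and not shown. The same functions work for AWSServiceRoleForNetworkManager if you supply its documented action list as the expected set.

```python
"""Audit a Network Manager service-linked role against its documented values.

Added example; not part of the AWS documentation. The documents below are
constructed samples shaped like IAM's GetRole / GetPolicyVersion output.
"""
import json

# Documented values for AWSServiceRoleForNetworkManagerCloudWAN (from the page).
EXPECTED_CLOUDWAN = {
    "trusted_service": "networkmanager.amazonaws.com",
    "policy_name": "AWSNetworkManagerCloudWANServiceRolePolicy",
    "actions": {
        "ec2:CreateTransitGatewayRouteTableAnnouncement",
        "ec2:DeleteTransitGatewayRouteTableAnnouncement",
        "ec2:EnableTransitGatewayRouteTablePropagation",
        "ec2:DisableTransitGatewayRouteTablePropagation",
    },
}

# Constructed sample: the trust policy a service-linked role carries.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"Service": "networkmanager.amazonaws.com"},
         "Action": "sts:AssumeRole"}
    ],
}

# The managed policy document exactly as documented on the page.
SAMPLE_CLOUDWAN_POLICY = json.loads(
    '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ '
    '"ec2:CreateTransitGatewayRouteTableAnnouncement", '
    '"ec2:DeleteTransitGatewayRouteTableAnnouncement", '
    '"ec2:EnableTransitGatewayRouteTablePropagation", '
    '"ec2:DisableTransitGatewayRouteTablePropagation" ], "Resource": "*" } ] }'
)

# Constructed drifted sample: one extra trust principal, one extra action.
DRIFTED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"Service": ["networkmanager.amazonaws.com", "ec2.amazonaws.com"]},
         "Action": ["sts:AssumeRole"]}
    ],
}
DRIFTED_CLOUDWAN_POLICY = json.loads(json.dumps(SAMPLE_CLOUDWAN_POLICY))
DRIFTED_CLOUDWAN_POLICY["Statement"][0]["Action"].append("ec2:DeleteTransitGatewayRouteTable")


def _as_list(value):
    """IAM allows Action and Principal fields to be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trusted_services(trust_policy):
    """Service principals that an Allow statement permits to assume the role."""
    services = set()
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if "sts:assumerole" not in actions and "sts:*" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":           # anonymous trust; never expected on an SLR
            services.add("*")
            continue
        services.update(_as_list(principal.get("Service")))
    return services


def granted_actions(policy_doc):
    """Actions granted by Allow statements, in their original spelling."""
    actions = set()
    for stmt in policy_doc.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action")))
    return actions


def audit_role(trust_policy, attached_policies, expected):
    """Return a list of drift findings; an empty list means the role matches.

    attached_policies maps policy name -> policy document. Action names are
    compared case-insensitively, as IAM itself matches them.
    """
    findings = []
    services = trusted_services(trust_policy)
    if expected["trusted_service"] not in services:
        findings.append(f"expected trust principal {expected['trusted_service']} is missing")
    for svc in sorted(services - {expected["trusted_service"]}):
        findings.append(f"unexpected trust principal: {svc}")

    for name in sorted(set(attached_policies) - {expected["policy_name"]}):
        findings.append(f"unexpected attached policy: {name}")
    if expected["policy_name"] not in attached_policies:
        findings.append(f"expected policy {expected['policy_name']} is not attached")

    documented = {a.lower() for a in expected["actions"]}
    for name, doc in sorted(attached_policies.items()):
        for action in sorted(granted_actions(doc)):
            if action.lower() not in documented:
                findings.append(f"{name} grants undocumented action: {action}")
    return findings


if __name__ == "__main__":
    name = EXPECTED_CLOUDWAN["policy_name"]
    print("clean role:", audit_role(SAMPLE_TRUST_POLICY, {name: SAMPLE_CLOUDWAN_POLICY}, EXPECTED_CLOUDWAN))
    print("drifted role:", audit_role(DRIFTED_TRUST_POLICY, {name: DRIFTED_CLOUDWAN_POLICY}, EXPECTED_CLOUDWAN))
```

Run the audit periodically, or from a CloudTrail-triggered job, so that a managed-policy update by AWS or a lookalike role with a different trust principal surfaces as a finding rather than going unnoticed.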

Create the service-linked role

You don't need to manually create the AWSServiceRoleForNetworkManager or AWSServiceRoleForVPCTransitGateway roles.

  • Network Manager creates the AWSServiceRoleForNetworkManager role when you create your first global network.

  • Amazon VPC creates the AWSServiceRoleForVPCTransitGateway role when you attach a VPC to a transit gateway in your account.

For Network Manager to create a service-linked role on your behalf, you must have the required permissions. For more information, see Service-Linked Role Permissions in the IAM User Guide.

Edit the service-linked role

You can edit the AWSServiceRoleForNetworkManager or AWSServiceRoleForVPCTransitGateway descriptions using IAM. For more information, see Editing a Service-Linked Role in the IAM User Guide.

Delete the service-linked role

If you no longer need to use Network Manager, we recommend that you delete the AWSServiceRoleForNetworkManager or AWSServiceRoleForVPCTransitGateway roles.

You can delete these service-linked roles only after you delete your global network. For information about deleting your global network, see Delete a global network.

You can use the IAM console, the IAM CLI, or the IAM API to delete service-linked roles. For more information, see Deleting a Service-Linked Role in the IAM User Guide.

After you delete AWSServiceRoleForNetworkManager, Network Manager creates the role again when you create a new global network. After you delete AWSServiceRoleForVPCTransitGateway, Amazon VPC creates that role again when you attach a VPC to a transit gateway in your account.

Supported Regions for Network Manager service-linked roles

Network Manager supports the service-linked roles in all AWS Regions where the service is available. For more information, see AWS endpoints in the AWS General Reference.