Required API permissions for Network Access Analyzer - Amazon Virtual Private Cloud

Network Access Analyzer relies on data from other AWS services. The following permissions are used by Network Access Analyzer for various operations:

  • cloudformation:DescribeStacks

  • cloudformation:ListStackResources

  • ec2:CreateNetworkInsightsAccessScope

  • ec2:CreateTags

  • ec2:DeleteNetworkInsightsAccessScopeAnalysis

  • ec2:DeleteNetworkInsightsAccessScope

  • ec2:DeleteTags

  • ec2:DescribeAvailabilityZones

  • ec2:DescribeCustomerGateways

  • ec2:DescribeInstances

  • ec2:DescribeInternetGateways

  • ec2:DescribeManagedPrefixLists

  • ec2:DescribeNatGateways

  • ec2:DescribeNetworkAcls

  • ec2:DescribeNetworkInsightsAccessScopeAnalyses

  • ec2:DescribeNetworkInsightsAccessScopes

  • ec2:DescribeNetworkInterfaces

  • ec2:DescribePrefixLists

  • ec2:DescribeRegions

  • ec2:DescribeRouteTables

  • ec2:DescribeSecurityGroups

  • ec2:DescribeSubnets

  • ec2:DescribeTransitGatewayAttachments

  • ec2:DescribeTransitGatewayConnects

  • ec2:DescribeTransitGatewayPeeringAttachments

  • ec2:DescribeTransitGatewayRouteTables

  • ec2:DescribeTransitGatewayVpcAttachments

  • ec2:DescribeTransitGateways

  • ec2:DescribeVpcEndpointServiceConfigurations

  • ec2:DescribeVpcEndpoints

  • ec2:DescribeVpcPeeringConnections

  • ec2:DescribeVpcs

  • ec2:DescribeVpnConnections

  • ec2:DescribeVpnGateways

  • ec2:GetManagedPrefixListEntries

  • ec2:GetNetworkInsightsAccessScopeAnalysisFindings

  • ec2:GetNetworkInsightsAccessScopeContent

  • ec2:GetTransitGatewayRouteTablePropagations

  • ec2:SearchTransitGatewayRoutes

  • ec2:StartNetworkInsightsAccessScopeAnalysis

  • elasticloadbalancing:DescribeListeners

  • elasticloadbalancing:DescribeLoadBalancerAttributes

  • elasticloadbalancing:DescribeLoadBalancers

  • elasticloadbalancing:DescribeRules

  • elasticloadbalancing:DescribeTags

  • elasticloadbalancing:DescribeTargetGroups

  • elasticloadbalancing:DescribeTargetHealth

  • network-firewall:DescribeFirewall

  • network-firewall:DescribeFirewallPolicy

  • network-firewall:DescribeResourcePolicy

  • network-firewall:DescribeRuleGroup

  • network-firewall:ListFirewallPolicies

  • network-firewall:ListFirewalls

  • network-firewall:ListRuleGroups

  • resource-groups:ListGroupResources

  • tag:GetResources

  • tiros:CreateQuery

  • tiros:GetQueryAnswer

Networking-related describe calls

Network Access Analyzer uses various describe calls to resources in Amazon VPC, Amazon EC2, and Elastic Load Balancing to analyze and return information about a network configuration (such as a CIDR block, subnet, network interface, or security group). To access Network Access Analyzer, IAM users must also have the same API permissions.

Tiros API calls

If you monitor API calls, you might see calls to Tiros APIs. Tiros is a service that is only accessible by AWS services and that surfaces network findings to Network Access Analyzer. Calls to the Tiros endpoint are required for Network Access Analyzer to function. To access Network Access Analyzer, IAM users must also have the same API permissions.

Network Access Analyzer API calls

The following permissions are required to call the Network Access Analyzer APIs. Users need these permissions to create Network Access Scopes and start analyses of them, or to view and delete existing paths and analyses in your account. You must grant IAM users permission to call the Network Access Analyzer API actions that they need.

  • ec2:CreateNetworkInsightsAccessScope

  • ec2:DeleteNetworkInsightsAccessScope

  • ec2:DeleteNetworkInsightsAccessScopeAnalysis

  • ec2:DescribeNetworkInsightsAccessScopeAnalyses

  • ec2:DescribeNetworkInsightsAccessScopes

  • ec2:GetNetworkInsightsAccessScopeAnalysisFindings

  • ec2:GetNetworkInsightsAccessScopeContent

  • ec2:StartNetworkInsightsAccessScopeAnalysis

Tagging-related API calls

To tag or untag Network Access Analyzer resources, users need the following Amazon EC2 API permissions. To allow IAM users to work with tags, you must grant them permission to use the specific tagging actions that they need.

  • ec2:CreateTags

  • ec2:DeleteTags
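The two lists above (the Network Access Analyzer API actions and the tagging actions) are what an IAM principal needs before it can create, run, inspect, delete, or tag scopes and analyses. A practical question for a defender is whether an existing policy actually grants them, which is not obvious once wildcards such as `ec2:Describe*` and explicit `Deny` statements are involved. The following Python script is an added example, not code from the AWS documentation: it embeds both action lists from this page, performs a simplified IAM action-matching check (`*` and `?` wildcards, case-insensitive names, `Action`/`NotAction`, `Allow` overridden by `Deny`), reports which required actions a policy fails to grant, and builds a least-privilege policy document that grants exactly the listed actions. The sample policy is constructed for the example; `Resource` and `Condition` elements are deliberately ignored, so a "granted" verdict here is an upper bound on what IAM would allow.

```python
"""Check an IAM policy document against the actions Network Access Analyzer needs.

Added example: the action lists come from the documentation page; the policy
evaluation below is a simplified model of IAM (actions only, no Resource or
Condition matching) intended for offline review of policy documents.
"""
import fnmatch
import json

# Actions listed under "Network Access Analyzer API calls".
NAA_API_ACTIONS = (
    "ec2:CreateNetworkInsightsAccessScope",
    "ec2:DeleteNetworkInsightsAccessScope",
    "ec2:DeleteNetworkInsightsAccessScopeAnalysis",
    "ec2:DescribeNetworkInsightsAccessScopeAnalyses",
    "ec2:DescribeNetworkInsightsAccessScopes",
    "ec2:GetNetworkInsightsAccessScopeAnalysisFindings",
    "ec2:GetNetworkInsightsAccessScopeContent",
    "ec2:StartNetworkInsightsAccessScopeAnalysis",
)

# Actions listed under "Tagging-related API calls".
NAA_TAG_ACTIONS = ("ec2:CreateTags", "ec2:DeleteTags")


def _as_list(value):
    """IAM allows a single string or a list for Action/NotAction/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are compared case-insensitively; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_covers(stmt, action):
    """True if the statement's Action (or NotAction) element applies to `action`."""
    if "NotAction" in stmt:
        return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return any(_action_matches(p, action) for p in _as_list(stmt.get("Action")))


def missing_actions(policy, required):
    """Return the required actions that `policy` does not grant, in input order.

    An action counts as granted only if at least one Allow statement matches it
    and no Deny statement matches it. Resource and Condition are ignored.
    """
    stmts = _as_list(policy.get("Statement"))
    missing = []
    for action in required:
        allowed = any(s.get("Effect") == "Allow" and _statement_covers(s, action) for s in stmts)
        denied = any(s.get("Effect") == "Deny" and _statement_covers(s, action) for s in stmts)
        if denied or not allowed:
            missing.append(action)
    return missing


def build_policy(actions, resource="*"):
    """Build a minimal policy document granting exactly `actions` (no wildcards)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": resource}],
    }


# Constructed sample: a read-mostly policy that an operator might assume is enough.
# Describe*/Get* wildcards cover the read actions, CreateTags is explicit, and a
# blanket Deny on ec2:Delete* blocks deletion of scopes, analyses and tags.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:Describe*", "ec2:Get*", "ec2:CreateTags"],
     "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:Delete*", "Resource": "*"}
  ]
}""")


if __name__ == "__main__":
    for label, required in (("API", NAA_API_ACTIONS), ("tagging", NAA_TAG_ACTIONS)):
        gaps = missing_actions(SAMPLE_POLICY, required)
        print(f"{label}: {len(gaps)} of {len(required)} required actions not granted")
        for action in gaps:
            print(f"  missing: {action}")
    # A policy built from the page's own lists grants everything it needs.
    full = build_policy(NAA_API_ACTIONS + NAA_TAG_ACTIONS)
    print("generated policy gaps:", missing_actions(full, NAA_API_ACTIONS + NAA_TAG_ACTIONS))
    print(json.dumps(full, indent=2))
```

Run against the sample policy, the check reports that the create, start and both delete actions are not granted (the deletes because of the explicit Deny), while the four Describe/Get actions are covered by the wildcards and only `ec2:DeleteTags` is missing from the tagging set. The generated policy is the one to start from when granting a principal access; scope its `Resource` element down further where your account's tagging or ARN conventions allow it.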