Required API permissions for VPC Reachability Analyzer - Amazon Virtual Private Cloud

Required API permissions for VPC Reachability Analyzer

VPC Reachability Analyzer relies on data from other AWS services. The following permissions are used by Reachability Analyzer for various operations:

  • ec2:GetTransitGatewayRouteTablePropagations

  • ec2:DescribeTransitGatewayPeeringAttachments

  • ec2:SearchTransitGatewayRoutes

  • ec2:DescribeTransitGatewayRouteTables

  • ec2:DescribeTransitGatewayVpcAttachments

  • ec2:DescribeTransitGatewayAttachments

  • ec2:DescribeTransitGateways

  • ec2:GetManagedPrefixListEntries

  • ec2:DescribeManagedPrefixLists

  • ec2:DescribeAvailabilityZones

  • ec2:DescribeCustomerGateways

  • ec2:DescribeInstances

  • ec2:DescribeInternetGateways

  • ec2:DescribeNatGateways

  • ec2:DescribeNetworkAcls

  • ec2:DescribeNetworkInterfaces

  • ec2:DescribePrefixLists

  • ec2:DescribeRegions

  • ec2:DescribeRouteTables

  • ec2:DescribeSecurityGroups

  • ec2:DescribeSubnets

  • ec2:DescribeVpcEndpoints

  • ec2:DescribeVpcPeeringConnections

  • ec2:DescribeVpcs

  • ec2:DescribeVpnConnections

  • ec2:DescribeVpnGateways

  • ec2:DescribeVpcEndpointServiceConfigurations

  • elasticloadbalancing:DescribeListeners

  • elasticloadbalancing:DescribeLoadBalancers

  • elasticloadbalancing:DescribeLoadBalancerAttributes

  • elasticloadbalancing:DescribeRules

  • elasticloadbalancing:DescribeTags

  • elasticloadbalancing:DescribeTargetGroups

  • elasticloadbalancing:DescribeTargetHealth

  • tiros:CreateQuery

  • tiros:GetQueryAnswer

  • tiros:GetQueryExplanation

  • ec2:CreateNetworkInsightsPath

  • ec2:DescribeNetworkInsightsPaths

  • ec2:DeleteNetworkInsightsPath

  • ec2:StartNetworkInsightsAnalysis

  • ec2:DescribeNetworkInsightsAnalyses

  • ec2:DeleteNetworkInsightsAnalysis

  • ec2:CreateTags

  • ec2:DeleteTags

Networking-related describe calls

Reachability Analyzer uses various describe calls to resources in Amazon VPC, Amazon EC2, and Elastic Load Balancing to analyze and return information about a network configuration (such as a CIDR block, subnet, network interface, or security group). To access Reachability Analyzer, IAM users must also have the same API permissions.

Tiros API calls

If you monitor API calls, you might see calls to Tiros APIs. Tiros is a service that is only accessible by AWS services and that surfaces network reachability findings to Reachability Analyzer. Calls to the Tiros endpoint are required for Reachability Analyzer to function. To access Reachability Analyzer, IAM users must also have the same API permissions.

Reachability Analyzer API calls

The following permissions are required to call the Reachability Analyzer APIs. Users need these permissions to create a path and start a reachability analysis on it, or to view and delete existing paths and analyses in your account. You must grant IAM users permission to call the Reachability Analyzer API actions they need.

  • ec2:CreateNetworkInsightsPath

  • ec2:DescribeNetworkInsightsPaths

  • ec2:DeleteNetworkInsightsPath

  • ec2:StartNetworkInsightsAnalysis

  • ec2:DescribeNetworkInsightsAnalyses

  • ec2:DeleteNetworkInsightsAnalysis

Tagging-related API calls

To tag or untag Reachability Analyzer resources, users need the following Amazon EC2 API permissions. To allow IAM users to work with tags, you must grant them permission to use the specific tagging actions they need.

  • ec2:CreateTags

  • ec2:DeleteTags