Required API permissions for Reachability Analyzer - Amazon Virtual Private Cloud

Reachability Analyzer relies on data from other AWS services. It uses permissions from the following services:

  • Amazon EC2

  • Elastic Load Balancing

  • AWS Network Firewall

  • AWS Tiros

To view the permissions for this policy, see AmazonVPCReachabilityAnalyzerFullAccessPolicy in the AWS Managed Policy Reference.

Additional information

Reachability Analyzer API calls

The following permissions are required to call the Reachability Analyzer APIs. Users need these permissions to create a path and start a reachability analysis for it, or to view and delete existing paths and analyses in your account. You must grant users permission to call the Reachability Analyzer API actions they need.

  • ec2:CreateNetworkInsightsPath

  • ec2:DeleteNetworkInsightsAnalysis

  • ec2:DeleteNetworkInsightsPath

  • ec2:DescribeNetworkInsightsAnalyses

  • ec2:DescribeNetworkInsightsPaths

  • ec2:EnableReachabilityAnalyzerOrganizationSharing

  • ec2:StartNetworkInsightsAnalysis

Describe API calls for networking-related resources

Reachability Analyzer uses describe API calls while gathering information about your resources from Amazon VPC, Amazon EC2, and Elastic Load Balancing (for example, subnets, network interfaces, and security groups). To access Reachability Analyzer, users must also have these API permissions.

Cross-account analysis

The following permissions are required to establish a trust relationship between Reachability Analyzer and AWS Organizations.

  • cloudformation:ActivateOrganizationsAccess

  • iam:CreateServiceLinkedRole

  • iam:GetRole

  • organizations:EnableAWSServiceAccess

  • organizations:DescribeOrganization

  • organizations:DisableAWSServiceAccess

  • organizations:ListRoots

After you establish a trust relationship, a user in the management account or a delegated administrator account can run cross-account analyses using resources from the member accounts. The user must have the following permissions to do so.

  • organizations:ListAWSServiceAccessForOrganization

  • organizations:ListDelegatedServicesForAccount

  • organizations:ListDelegatedAdministrators

  • organizations:ListAccounts

Tagging-related API calls

To tag or untag Reachability Analyzer resources, users need the following Amazon EC2 API permissions. To allow users to work with tags, you must grant them permission to use the specific tagging actions they need.

  • ec2:CreateTags

  • ec2:DeleteTags
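The permission lists above (the Reachability Analyzer API calls, the cross-account Organizations actions, and the tagging actions) are easiest to reason about when they are assembled into policy statements and then checked against a policy a principal actually has. The following is an added example, not code from AWS or from this documentation: the action names are the ones listed on this page, while the grouping into read-only, mutating, tagging and Organizations sets, the function names, and the constructed SAMPLE_POLICY are this example's own assumptions.

```python
"""Build and audit IAM policy documents for the Reachability Analyzer permissions
listed on this page. Added example, not code from AWS or its documentation: the
action names come from the page; the grouping, function names and SAMPLE_POLICY
are this example's own assumptions."""
import json
from fnmatch import fnmatchcase

# "Reachability Analyzer API calls", split into read-only and mutating actions
RA_READ_ACTIONS = (
    "ec2:DescribeNetworkInsightsAnalyses",
    "ec2:DescribeNetworkInsightsPaths",
)
RA_WRITE_ACTIONS = (
    "ec2:CreateNetworkInsightsPath",
    "ec2:StartNetworkInsightsAnalysis",
    "ec2:DeleteNetworkInsightsAnalysis",
    "ec2:DeleteNetworkInsightsPath",
)
# "Tagging-related API calls"
RA_TAG_ACTIONS = ("ec2:CreateTags", "ec2:DeleteTags")
# "Cross-account analysis": establishing the trust relationship with AWS Organizations
ORG_TRUST_ACTIONS = (
    "ec2:EnableReachabilityAnalyzerOrganizationSharing",
    "cloudformation:ActivateOrganizationsAccess",
    "iam:CreateServiceLinkedRole",
    "iam:GetRole",
    "organizations:EnableAWSServiceAccess",
    "organizations:DescribeOrganization",
    "organizations:DisableAWSServiceAccess",
    "organizations:ListRoots",
)
# "Cross-account analysis": running analyses from the management or delegated admin account
ORG_ANALYSIS_ACTIONS = (
    "organizations:ListAWSServiceAccessForOrganization",
    "organizations:ListDelegatedServicesForAccount",
    "organizations:ListDelegatedAdministrators",
    "organizations:ListAccounts",
)

def build_policy(write=False, tags=False, org_trust=False, org_analysis=False):
    """Return an IAM policy document granting only the selected action groups.
    Read-only Describe actions are always included. Resource is "*" because the
    page lists account-level actions; add resource ARNs or condition keys where
    the action supports them."""
    groups = [("ReachabilityAnalyzerRead", RA_READ_ACTIONS)]
    if write:
        groups.append(("ReachabilityAnalyzerWrite", RA_WRITE_ACTIONS))
    if tags:
        groups.append(("ReachabilityAnalyzerTagging", RA_TAG_ACTIONS))
    if org_trust:
        groups.append(("OrganizationsTrust", ORG_TRUST_ACTIONS))
    if org_analysis:
        groups.append(("CrossAccountAnalysis", ORG_ANALYSIS_ACTIONS))
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": sid, "Effect": "Allow", "Action": list(actions),
                           "Resource": "*"} for sid, actions in groups]}

def _as_list(value):
    """IAM accepts either a string or a list in Statement and Action fields."""
    return [value] if isinstance(value, str) else list(value or [])

def allowed_action_patterns(policy):
    """Collect the Action patterns of every Allow statement in the document."""
    return [action for stmt in _as_list(policy.get("Statement"))
            if stmt.get("Effect") == "Allow" for action in _as_list(stmt.get("Action"))]

def missing_actions(policy, required):
    """Return the required actions that no Allow statement grants.
    IAM action names are case-insensitive and may use '*' and '?' wildcards, so
    "ec2:Describe*" satisfies both Describe actions. Deny statements, Resource and
    Condition scoping and permission boundaries are not evaluated here: this is a
    gap check, not a full policy simulation."""
    patterns = [p.lower() for p in allowed_action_patterns(policy)]
    return [a for a in required if not any(fnmatchcase(a.lower(), p) for p in patterns)]

def broad_grants(policy):
    """Return Allow action patterns that cover a whole service or everything."""
    return [p for p in allowed_action_patterns(policy) if p == "*" or p.endswith(":*")]

# Constructed sample a reviewer might be handed: one gap (no Start/Delete
# actions) and one service-wide wildcard.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "ec2:CreateNetworkInsightsPath"]},
        {"Effect": "Allow", "Action": "organizations:*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(build_policy(write=True, tags=True), indent=2))
    print("missing:", missing_actions(SAMPLE_POLICY, RA_READ_ACTIONS + RA_WRITE_ACTIONS))
    print("broad grants:", broad_grants(SAMPLE_POLICY))
```

Running the module prints a policy that grants only the read, write and tagging groups, then reports that SAMPLE_POLICY lacks the Start and Delete actions and carries an `organizations:*` grant, which is far wider than the four List actions the cross-account section calls for. The gap check deliberately ignores Deny, Resource and Condition; use the IAM policy simulator for an authoritative answer.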

Tiros API calls

If you monitor API calls, you might see calls to Tiros APIs. Tiros is a service that is accessible only by AWS services and that surfaces network reachability findings to Reachability Analyzer. Calls to the Tiros endpoint are required for Reachability Analyzer to function. To use Reachability Analyzer, users must also have permission to call the Tiros APIs.