Required API permissions for Reachability Analyzer - Amazon Virtual Private Cloud

Reachability Analyzer relies on data from other AWS services. It uses the following permissions:

  • cloudformation:EnableOrganizationsAccess

  • ec2:CreateNetworkInsightsPath

  • ec2:CreateTags

  • ec2:DeleteNetworkInsightsAnalysis

  • ec2:DeleteNetworkInsightsPath

  • ec2:DeleteTags

  • ec2:DescribeAvailabilityZones

  • ec2:DescribeCustomerGateways

  • ec2:DescribeInstances

  • ec2:DescribeInternetGateways

  • ec2:DescribeManagedPrefixLists

  • ec2:DescribeNatGateways

  • ec2:DescribeNetworkAcls

  • ec2:DescribeNetworkInsightsAnalyses

  • ec2:DescribeNetworkInsightsPaths

  • ec2:DescribeNetworkInterfaces

  • ec2:DescribePrefixLists

  • ec2:DescribeRegions

  • ec2:DescribeRouteTables

  • ec2:DescribeSecurityGroups

  • ec2:DescribeSubnets

  • ec2:DescribeTransitGatewayAttachments

  • ec2:DescribeTransitGatewayConnects

  • ec2:DescribeTransitGatewayPeeringAttachments

  • ec2:DescribeTransitGatewayRouteTables

  • ec2:DescribeTransitGateways

  • ec2:DescribeTransitGatewayVpcAttachments

  • ec2:DescribeVpcEndpoints

  • ec2:DescribeVpcEndpointServiceConfigurations

  • ec2:DescribeVpcPeeringConnections

  • ec2:DescribeVpcs

  • ec2:DescribeVpnConnections

  • ec2:DescribeVpnGateways

  • ec2:EnableReachabilityAnalyzerOrganizationSharing

  • ec2:GetManagedPrefixListEntries

  • ec2:GetTransitGatewayRouteTablePropagations

  • ec2:SearchTransitGatewayRoutes

  • ec2:StartNetworkInsightsAnalysis

  • elasticloadbalancing:DescribeListeners

  • elasticloadbalancing:DescribeLoadBalancerAttributes

  • elasticloadbalancing:DescribeLoadBalancers

  • elasticloadbalancing:DescribeRules

  • elasticloadbalancing:DescribeTags

  • elasticloadbalancing:DescribeTargetGroups

  • elasticloadbalancing:DescribeTargetHealth

  • iam:CreateServiceLinkedRole

  • iam:GetRole

  • organizations:EnableAWSServiceAccess

  • organizations:DescribeOrganization

  • organizations:DisableAWSServiceAccess

  • organizations:ListRoots

  • tiros:CreateQuery

  • tiros:GetQueryAnswer

  • tiros:GetQueryExplanation

Reachability Analyzer API calls

The following permissions are required to call the Reachability Analyzer APIs. Users need these permissions to create a path and start a reachability analysis for it, or to view and delete existing paths and analyses in your account. You must grant IAM users permission to call the specific Reachability Analyzer API actions they need.

  • ec2:CreateNetworkInsightsPath

  • ec2:DeleteNetworkInsightsAnalysis

  • ec2:DeleteNetworkInsightsPath

  • ec2:DescribeNetworkInsightsAnalyses

  • ec2:DescribeNetworkInsightsPaths

  • ec2:EnableReachabilityAnalyzerOrganizationSharing

  • ec2:StartNetworkInsightsAnalysis

Describe API calls for networking-related resources

Reachability Analyzer uses describe API calls while gathering information about your resources from Amazon VPC, Amazon EC2, and Elastic Load Balancing (for example, subnets, network interfaces, and security groups). To access Reachability Analyzer, IAM users must also have these API permissions.

Cross-account analysis

The following permissions are required to establish a trust relationship between Reachability Analyzer and AWS Organizations. After you establish a trust relationship, a user in the management account or a delegated administrator account can run cross-account analyses using resources from the member accounts.

  • cloudformation:EnableOrganizationsAccess

  • iam:CreateServiceLinkedRole

  • iam:GetRole

  • organizations:EnableAWSServiceAccess

  • organizations:DescribeOrganization

  • organizations:DisableAWSServiceAccess

  • organizations:ListRoots

Tagging-related API calls

To tag or untag Reachability Analyzer resources, users need the following Amazon EC2 API permissions. To allow IAM users to work with tags, you must grant them permission to use the specific tagging actions they need.

  • ec2:CreateTags

  • ec2:DeleteTags

Tiros API calls

If you monitor API calls, you might see calls to Tiros APIs. Tiros is a service that is accessible only by AWS services and that surfaces network reachability findings to Reachability Analyzer. Calls to the Tiros endpoint are required for Reachability Analyzer to function. To access Reachability Analyzer, IAM users must also have the Tiros API permissions listed above (tiros:CreateQuery, tiros:GetQueryAnswer, and tiros:GetQueryExplanation).