Amazon Virtual Private Cloud
Transit Gateways

Authentication and Access Control for Your Transit Gateways

AWS uses security credentials to identify you and to grant you access to your AWS resources. You can use features of AWS Identity and Access Management (IAM) to allow other users, services, and applications to use your AWS resources fully or in a limited way, without sharing your security credentials.

By default, IAM users don't have permission to create, view, or modify AWS resources. To allow an IAM user to access resources, such as a transit gateway, and perform tasks, you must create an IAM policy that grants the IAM user permission to use the specific resources and API actions they'll need, then attach the policy to the IAM user or the group to which the IAM user belongs. When you attach a policy to a user or group of users, it allows or denies the users permission to perform the specified tasks on the specified resources.

To work with a transit gateway, one of the following AWS managed policies might meet your needs:

  • PowerUserAccess

  • ReadOnlyAccess

  • AmazonEC2FullAccess

  • AmazonEC2ReadOnlyAccess

For more information, see IAM Policies for Amazon EC2 in the Amazon EC2 User Guide.

Example Policies to Manage Transit Gateways

The following are example IAM policies for working with transit gateways.

Creating a Tagged Transit Gateway

The following example enables users to create transit gateways. The aws:RequestTag condition key requires users to tag the transit gateway with the tag stack=prod. The aws:TagKeys condition key uses the ForAllValues modifier to indicate that only the key stack is allowed in the request (no other tags can be specified). If users don't pass this specific tag when they create the transit gateway, or if they don't specify tags at all, the request fails.

The second statement uses the ec2:CreateAction condition key to allow users to create tags only in the context of CreateTransitGateway.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowCreateTaggedTGWs", "Effect": "Allow", "Action": "ec2:CreateTransitGateway", "Resource": "arn:aws:ec2:region:account-id:transit-gateway/*", "Condition": { "StringEquals": { "aws:RequestTag/stack": "prod" }, "ForAllValues:StringEquals": { "aws:TagKeys": [ "stack" ] } } }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:region:account-id:transit-gateway/*", "Condition": { "StringEquals": { "ec2:CreateAction": "CreateTransitGateway" } } } ] }

Working with Transit Gateway Route Tables

The following example enables users to create and delete transit gateway route tables for a specific transit gateway only (tgw-11223344556677889). Users can also create and replace routes in any transit gateway route table, but only for attachments that have the tag network=new-york-office.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DeleteTransitGatewayRouteTable", "ec2:CreateTransitGatewayRouteTable" ], "Resource": [ "arn:aws:ec2:region:account-id:transit-gateway/tgw-11223344556677889", "arn:aws:ec2:*:*:transit-gateway-route-table/*" ] }, { "Effect": "Allow", "Action": [ "ec2:CreateTransitGatewayRoute", "ec2:ReplaceTransitGatewayRoute" ], "Resource": "arn:aws:ec2:*:*:transit-gateway-attachment/*", "Condition": { "StringEquals": { "ec2:ResourceTag/network": "new-york-office" } } }, { "Effect": "Allow", "Action": [ "ec2:CreateTransitGatewayRoute", "ec2:ReplaceTransitGatewayRoute" ], "Resource": "arn:aws:ec2:*:*:transit-gateway-route-table/*" } ] }