

# Identity and access management for AWS Global Networks for Transit Gateways

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use AWS Global Networks for Transit Gateways resources. IAM is an AWS service that you can use with no additional charge. You can use features of IAM to allow other users, services, and applications to use your AWS resources fully or in a limited way, without sharing your security credentials.

By default, IAM users don't have permission to create, view, or modify AWS resources. To allow an IAM user to access resources, such as a global network, and perform tasks, you must:
+ Create an IAM policy that grants the IAM user permission to use the specific resources and API actions they need
+ Attach the policy to the IAM user or to the group to which the IAM user belongs

When you attach a policy to a user or group of users, it allows or denies the user permissions to perform the specified tasks on the specified resources.

**Important**  
If you grant access to a global network in Network Manager, you grant access to all AWS service data associated with the registered transit gateways across all Regions.

**Topics**
+ [How Network Manager works with IAM](#nm-with-iam)
+ [Example policies](#nm-example-iam-policies)
+ [Service-linked role](nm-service-linked-roles.md)
+ [AWS managed policies](security-iam-awsmanpol.md)
+ [Multi-account access roles](nm-custom-multi-role.md)

## How Network Manager works with IAM


With IAM identity-based policies, you can specify allowed or denied actions and resources, and specify the conditions under which actions are allowed or denied. Network Manager supports specific actions, resources, and condition keys. For a complete list, see [Actions, Resources, and Condition Keys for AWS Network Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsnetworkmanager.html) in the *Service Authorization Reference*.

To learn about all of the elements that you use in a JSON policy, see [IAM JSON Policy Elements Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide*.

### Actions


Policy actions in Network Manager use the following prefix before the action: `networkmanager:`. For example, to grant someone permission to create a global network with the `CreateGlobalNetwork` API operation, you include the `networkmanager:CreateGlobalNetwork` action in their policy. 

For a list of global networks actions, see the [Network Manager API Reference](https://docs.aws.amazon.com/networkmanager/latest/APIReference/).

### Resources


The Resource element specifies the object or objects to which the action applies. Statements must include either a Resource or a NotResource element. You specify a resource using an ARN or using the wildcard (*) to indicate that the statement applies to all resources.

The global network resource has the following ARN.

```
arn:${Partition}:networkmanager::${Account}:global-network/${GlobalNetworkId} 
```

For example, to specify the `global-network-1122334455aabbccd` global network in your statement, use the following ARN.

```
"Resource": "arn:aws:networkmanager::123456789012:global-network/global-network-1122334455aabbccd"
```

### Condition keys


The `Condition` element (or `Condition` *block*) lets you specify conditions in which a statement is in effect. The `Condition` element is optional. You can build conditional expressions that use [condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html), such as equals or less than, to match the condition in the policy with values in the request. 

If you specify multiple `Condition` elements in a statement, or multiple keys in a single `Condition` element, AWS evaluates them using a logical `AND` operation. If you specify multiple values for a single condition key, AWS evaluates the condition using a logical `OR` operation. All of the conditions must be met before the statement's permissions are granted.

You can also use placeholder variables when you specify conditions. For example, you can grant an IAM user permission to access a resource only if it is tagged with their IAM user name. For more information, see [IAM Policy Elements: Variables and Tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html) in the *IAM User Guide*. 

You can attach tags to global networks resources or pass tags in a request to global networks. To control access based on tags, you provide tag information in the [condition element](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) of a policy using the `aws:ResourceTag/key-name`, `aws:RequestTag/key-name`, or `aws:TagKeys` condition keys. 

To see all AWS global condition keys, see [AWS Global Condition Context Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.

Global networks also supports the following service-specific condition keys:
+ `networkmanager:tgwArn`—Controls which transit gateways can be registered or deregistered in your global network.
+ `networkmanager:cgwArn`—Controls which customer gateways can be associated or disassociated from devices and links in your global network.
+ `networkmanager:tgwConnectPeerArn`—Controls which Connect peers can be associated or disassociated from devices and links in your global network.

## Example policies to manage global networks

The following are example IAM policies for working with global networks.

**Administrator access**  
The following IAM policy grants full access to the Amazon EC2, global networks, Direct Connect, and CloudWatch APIs. This enables administrators to create and manage transit gateways and their attachments (such as VPCs and Direct Connect gateways), create and manage global networks resources, and monitor global networks using CloudWatch metrics and events. The policy also grants user permissions to create any required service-linked roles.


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "networkmanager:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "cloudwatch:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "events:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "directconnect:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/*"
        }
    ]
}
```


**Read-only access**  
The following IAM policy grants read-only access to the Amazon EC2, global networks, Direct Connect, CloudWatch, and EventBridge APIs. This enables users to use the global networks console to view and monitor global networks and their associated resources, and view metrics and events for the resources. Users cannot create or modify any resources. 


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:Get*",
                "ec2:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "networkmanager:Get*",
                "networkmanager:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:List*",
                "cloudwatch:Get*",
                "cloudwatch:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:Describe*",
                "logs:Get*",
                "logs:List*",
                "logs:StartQuery",
                "logs:StopQuery",
                "logs:TestMetricFilter",
                "logs:FilterLogEvents"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "events:List*",
                "events:TestEventPattern",
                "events:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "directconnect:Describe*",
            "Resource": "*"
        }
    ]
}
```


**Creating resources in a specific global network**  
The following IAM policy allows users to create sites, devices, and links, but only in the global network `global-network-1122334455aabbccd` in account `111122223333`. Because each statement scopes the `Resource` element to that global network's ARN (plus the site, device, or link being created), the same actions against any other global network are implicitly denied.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "networkmanager:CreateSite"
            ],
            "Resource": [
                "arn:aws:networkmanager::111122223333:global-network/global-network-1122334455aabbccd",
                "arn:aws:networkmanager::111122223333:site/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "networkmanager:CreateDevice"
            ],
            "Resource": [
                "arn:aws:networkmanager::111122223333:global-network/global-network-1122334455aabbccd",
                "arn:aws:networkmanager::111122223333:site/*",
                "arn:aws:networkmanager::111122223333:device/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "networkmanager:CreateLink"
            ],
            "Resource": [
                "arn:aws:networkmanager::111122223333:global-network/global-network-1122334455aabbccd",
                "arn:aws:networkmanager::111122223333:link/*"
            ]
        }
    ]
}
```


**Controlling the use of transit gateways and customer gateways**  
The following IAM policy enables users to work with global networks resources, but they are explicitly denied permission to do the following:
+ Register or deregister a specific transit gateway (`tgw-aabbccdd112233445`) in the global network.
+ Associate or disassociate a specific customer gateway (`cgw-11223344556677abc`) in the global network.

The policy uses the `networkmanager:tgwArn` and `networkmanager:cgwArn` condition keys to enforce these conditions.


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "networkmanager:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Deny",
            "Action": [
                "networkmanager:RegisterTransitGateway",
                "networkmanager:DeregisterTransitGateway"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "networkmanager:tgwArn": "arn:aws:ec2:region:123456789012:transit-gateway/tgw-aabbccdd112233445"
                }
            }
        },
        {
            "Effect": "Deny",
            "Action": [
                "networkmanager:AssociateCustomerGateway",
                "networkmanager:DisassociateCustomerGateway"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "networkmanager:cgwArn": "arn:aws:ec2:region:123456789012:customer-gateway/cgw-11223344556677abc"
                }
            }
        }
    ]
}
```

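The deny rules in the policy above, and the condition-key semantics described earlier on this page (multiple keys are ANDed, multiple values for one key are ORed, an explicit deny overrides any allow), can be checked offline with the following added example. It is not AWS code: it models only the subset of IAM evaluation these policies use (no `NotAction`/`NotResource`, no policy variables, no SCPs or permissions boundaries). The `us-west-2` Region, the `tgw-0123456789abcdef0` transit gateway, and the tag-based `TAG_POLICY` are constructed for the demonstration. For a decision that reflects every policy attached to a principal, use IAM's policy simulator instead.

```python
"""Added example: a small model of IAM evaluation for the global networks
policies on this page. Not AWS code. Supports Allow/Deny statements, '*'
and '?' wildcards in Action and Resource, String*/Arn* condition operators,
explicit-deny-wins, and the AND/OR rule for conditions. NotAction,
NotResource, policy variables, SCPs and permissions boundaries are out of scope."""
import fnmatch

# Constructed ARNs. The page's policy uses the placeholder "region"; us-west-2 is assumed.
ACCOUNT = "123456789012"
GLOBAL_NETWORK = f"arn:aws:networkmanager::{ACCOUNT}:global-network/global-network-1122334455aabbccd"
DENIED_TGW = f"arn:aws:ec2:us-west-2:{ACCOUNT}:transit-gateway/tgw-aabbccdd112233445"
DENIED_CGW = f"arn:aws:ec2:us-west-2:{ACCOUNT}:customer-gateway/cgw-11223344556677abc"
OTHER_TGW = f"arn:aws:ec2:us-west-2:{ACCOUNT}:transit-gateway/tgw-0123456789abcdef0"  # constructed

# The "Controlling the use of transit gateways and customer gateways" policy from this page.
TGW_CGW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["networkmanager:*"], "Resource": ["*"]},
        {"Effect": "Deny",
         "Action": ["networkmanager:RegisterTransitGateway", "networkmanager:DeregisterTransitGateway"],
         "Resource": ["*"],
         "Condition": {"StringEquals": {"networkmanager:tgwArn": DENIED_TGW}}},
        {"Effect": "Deny",
         "Action": ["networkmanager:AssociateCustomerGateway", "networkmanager:DisassociateCustomerGateway"],
         "Resource": ["*"],
         "Condition": {"StringEquals": {"networkmanager:cgwArn": DENIED_CGW}}},
    ],
}

# Constructed tag-based policy: read access only to global networks tagged Env=prod.
TAG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["networkmanager:Describe*", "networkmanager:Get*"],
        "Resource": [f"arn:aws:networkmanager::{ACCOUNT}:global-network/*"],
        "Condition": {"StringEquals": {"aws:ResourceTag/Env": "prod"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # Action names are case-insensitive; '*' and '?' are the only wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # Resource ARNs are matched case-sensitively.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def _condition_matches(condition, context):
    """Every operator and every key must match (AND); any listed value for a key may match (OR)."""
    for operator, keys in condition.items():
        if not (operator.startswith("String") or operator.startswith("Arn")):
            raise NotImplementedError(operator)
        negate = "Not" in operator
        like = operator.endswith("Like")
        for key, wanted in keys.items():
            actual = context.get(key)
            if actual is None:
                # Key absent from the request: positive operators fail, negated operators succeed.
                if negate:
                    continue
                return False
            if like:
                hit = any(fnmatch.fnmatchcase(actual, v) for v in _as_list(wanted))
            else:
                hit = actual in _as_list(wanted)
            if hit == negate:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request against one identity-based policy."""
    context = context or {}
    decision = "Deny"  # implicit deny until some statement allows
    for stmt in _as_list(policy["Statement"]):
        if not _action_matches(stmt.get("Action", []), action):
            continue
        if not _resource_matches(stmt.get("Resource", []), resource):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny overrides every allow
        decision = "Allow"
    return decision


def demo():
    """Requests a Network Manager user might make, evaluated against both policies."""
    reg, assoc, desc = ("networkmanager:RegisterTransitGateway",
                        "networkmanager:AssociateCustomerGateway",
                        "networkmanager:DescribeGlobalNetworks")
    return {
        "register_blocked_tgw": evaluate(TGW_CGW_POLICY, reg, GLOBAL_NETWORK, {"networkmanager:tgwArn": DENIED_TGW}),
        "register_other_tgw": evaluate(TGW_CGW_POLICY, reg, GLOBAL_NETWORK, {"networkmanager:tgwArn": OTHER_TGW}),
        "associate_blocked_cgw": evaluate(TGW_CGW_POLICY, assoc, GLOBAL_NETWORK, {"networkmanager:cgwArn": DENIED_CGW}),
        "create_site": evaluate(TGW_CGW_POLICY, "networkmanager:CreateSite", GLOBAL_NETWORK),
        "ec2_not_granted": evaluate(TGW_CGW_POLICY, "ec2:DescribeVpcs", "*"),
        "describe_prod_network": evaluate(TAG_POLICY, desc, GLOBAL_NETWORK, {"aws:ResourceTag/Env": "prod"}),
        "describe_untagged_network": evaluate(TAG_POLICY, desc, GLOBAL_NETWORK),
        "delete_prod_network": evaluate(TAG_POLICY, "networkmanager:DeleteGlobalNetwork", GLOBAL_NETWORK, {"aws:ResourceTag/Env": "prod"}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28} {result}")
```

Two results are worth noting. `register_other_tgw` is allowed because the `StringEquals` condition on `networkmanager:tgwArn` fails for any transit gateway other than the denied one, so the `Deny` statement does not apply and the broad `networkmanager:*` allow stands. `describe_untagged_network` is denied because a `StringEquals` condition on `aws:ResourceTag/Env` cannot be satisfied when the resource carries no such tag, which is why tag-based allow statements fail closed for untagged resources.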

# AWS Global Networks for Transit Gateways service-linked roles

AWS Global Networks for Transit Gateways uses service-linked roles for the permissions that it requires to call other AWS services on your behalf. These service-linked roles are not propagated to your AWS Organizations management account.

## Permissions granted by the service-linked role


AWS Global Networks for Transit Gateways uses a Network Manager service-linked role named AWSServiceRoleForNetworkManager to call the actions on your behalf when you work with global networks.

The AWSServiceRoleForNetworkManager service-linked role trusts the following service to assume the role: 
+ `networkmanager.amazonaws.com`

This service-linked role uses the managed policy AWSNetworkManagerServiceRolePolicy. To view the permissions for this policy, see [AWSNetworkManagerServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSNetworkManagerServiceRolePolicy.html) in the *AWS Managed Policy Reference*.

## Create the service-linked role


You don't need to manually create the **AWSServiceRoleForNetworkManager** role. Global networks creates this role for you when you create your first global network.

For global networks to create a service-linked role on your behalf, you must have the required permissions. For more information, see [Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create-service-linked-role.html#service-linked-role-permissions) in the *IAM User Guide*.

## Edit the service-linked role


You can edit the description of **AWSServiceRoleForNetworkManager** using IAM. For more information, see [Edit a service-linked role description](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-service-linked-role.html#edit-service-linked-role-iam-console) in the *IAM User Guide*.

## Delete the service-linked role


If you no longer need to use global networks, we recommend that you delete the **AWSServiceRoleForNetworkManager** role.

You can delete this service-linked role only after you delete your global network. For information about how to delete your global network, see [Delete a global network](global-networks-deleting.md).

You can use the IAM console, the IAM CLI, or the IAM API to delete service-linked roles. For more information, see [Delete a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_delete.html#id_roles_manage_delete_slr) in the *IAM User Guide*.

After you delete **AWSServiceRoleForNetworkManager**, Network Manager will create the role again when you create a new global network.

## Supported Regions for AWS Global Networks for Transit Gateways service-linked roles

AWS Global Networks for Transit Gateways supports service-linked roles in all AWS Regions where the service is available. For more information, see [Region availability](what-are-global-networks.md#nm-available-regions).

# AWS managed policies for AWS Global Networks for Transit Gateways

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to [create IAM customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html) that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.

## AWS managed policy: NetworkAdministrator

You can attach the NetworkAdministrator policy to your IAM identities. This policy grants permissions that allow registered delegated administrators and the management account *administrator* access to global networks. For more information, see [Multi-account access roles for AWS Global Networks for Transit Gateways](nm-custom-multi-role.md).

To view the permissions for this policy, see [NetworkAdministrator](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/NetworkAdministrator.html) in the *AWS Managed Policy Reference*.

## AWS managed policy: AWSNetworkManagerReadOnlyAccess

You can attach the AWSNetworkManagerReadOnlyAccess policy to your IAM identities. This policy grants permissions that allow registered delegated administrators and the management account *read-only* access to global networks. For more information, see [Multi-account access roles for AWS Global Networks for Transit Gateways](nm-custom-multi-role.md).

To view the permissions for this policy, see [AWSNetworkManagerReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSNetworkManagerReadOnlyAccess.html) in the *AWS Managed Policy Reference*.

## AWS managed policy: AWSNetworkManagerServiceRolePolicy

This policy is attached to the service-linked role named AWSServiceRoleForNetworkManager to allow AWS Global Networks for Transit Gateways to call API actions on your behalf when you work with global networks. For more information, see [AWS Global Networks for Transit Gateways service-linked roles](nm-service-linked-roles.md).

To view the permissions for this policy, see [AWSNetworkManagerServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSNetworkManagerServiceRolePolicy.html) in the *AWS Managed Policy Reference*.

## AWS Global Networks for Transit Gateways updates to AWS managed policies

View details about updates to AWS managed policies for Network Manager since this service began tracking these changes in April 2021. For automatic alerts about changes to this page, subscribe to the RSS feed on the Network Manager Document history page.


| Change | Description | Date | 
| --- | --- | --- | 
|  [AWSNetworkManagerServiceRolePolicy](#security-iam-AWSNetworkManagerServiceRolePolicy)  | AWS Global Networks for Transit Gateways added permission to call the following API action: GetTransitGatewayRouteTablePropagations. | July 12, 2022 | 
|  [NetworkAdministrator](#security-iam-NetworkAdministrator)  | AWS Global Networks for Transit Gateways began using administrative permissions in member accounts for multi-account access. | May 24, 2022 | 
|  [AWSNetworkManagerReadOnlyAccess](#security-iam-AWSNetworkManagerReadOnlyAccess) - Updated existing policy  | AWS Global Networks for Transit Gateways began using read-only permissions in member accounts for multi-account access. | May 24, 2022 | 
| [AWSNetworkManagerServiceRolePolicy](#security-iam-AWSNetworkManagerServiceRolePolicy) - Updated existing policy | AWS Global Networks for Transit Gateways added permission to call the following API actions: organizations:DescribeAccount, organizations:DescribeOrganization, organizations:ListAccounts, organizations:ListAWSServiceAccessForOrganization, and organizations:ListDelegatedAdministrators. | May 24, 2022 | 
|  [AWSNetworkManagerServiceRolePolicy](#security-iam-AWSNetworkManagerServiceRolePolicy) - Updated existing policy  | AWS Global Networks for Transit Gateways added permissions to call the following API action: ec2:DescribeRegions. | December 2, 2021 | 
| [AWSNetworkManagerServiceRolePolicy](#security-iam-AWSNetworkManagerServiceRolePolicy): updated existing policy | AWS Global Networks for Transit Gateways added permissions to call the following API actions: directconnect:DescribeDirectConnectGateways, ec2:DescribeVpnConnections, ec2:DescribeVpcs, ec2:GetTransitGatewayRouteTableAssociations, ec2:SearchTransitGatewayRoutes, ec2:DescribeTransitGatewayPeeringAttachments, ec2:DescribeTransitGatewayConnects, and ec2:DescribeTransitGatewayConnectPeers. | June 1, 2021 | 

# Multi-account access roles for AWS Global Networks for Transit Gateways

AWS Global Networks for Transit Gateways uses CloudFormation StackSets to deploy and manage the following two custom IAM roles in AWS Organizations member accounts to support multi-account permissions. These two roles are deployed to every member account in the organization when `AWSServiceAccess` is enabled (trusted access). For more information about multi-account, see [Manage multiple accounts in global networks using AWS Organizations](nm-multi-account.md#tgw-nm-multi).

The custom IAM roles are created automatically by the Network Manager service when you enable multi-account access using the global networks console. We strongly recommend that you use the console to enable multi-account access. Alternative approaches require an advanced level of expertise and make the multi-account configuration for your global network more prone to error.

## CloudWatch-CrossAccountSharingRole


This role gives delegated administrators and the management account access to CloudWatch monitoring data in the member account where it is deployed. The following is an example of the template.

```
AWSTemplateFormatVersion: '2010-09-09'
Description: Enables CloudWatch in central monitoring accounts to assume permissions to view CloudWatch data in the current account

Resources:
  # CloudFormation logical IDs must be alphanumeric, so the hyphenated role name
  # cannot be used as the logical ID; RoleName below still sets the real name.
  CloudWatchCrossAccountSharingRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: CloudWatch-CrossAccountSharingRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: [
                "arn:aws:iam::<account1-id>:root",
                "arn:aws:iam::<account2-id>:root",
                "arn:aws:iam::<account3-id>:root"
              ]
            Action:
              - sts:AssumeRole
      Path: "/"
      ManagedPolicyArns:
          - arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess
```

## IAMRoleForAWSNetworkManagerCrossAccountResourceAccess


The `IAMRoleForAWSNetworkManagerCrossAccountResourceAccess` IAM role enables either administrative or read-only global networks console switch-role access, based on your selection when enabling trusted access through the global networks console. An associated administrative or read-only template is also deployed along with the role. For information about these templates, see [Permission templates](#nm-permission-templates).

The following is an example of the administrator role template.

```
AWSTemplateFormatVersion: '2010-09-09'
Description: Enables admin cross account resource access through switch role

Resources:
  IAMRoleForAWSNetworkManagerCrossAccountResourceAccess:
    Type: AWS::IAM::Role
    Properties:
      RoleName: IAMRoleForAWSNetworkManagerCrossAccountResourceAccess
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: [
                "arn:aws:iam::<account1-id>:root",
                "arn:aws:iam::<account2-id>:root",
                "arn:aws:iam::<account3-id>:root"
              ]
            Action:
              - sts:AssumeRole
      Path: "/"
      ManagedPolicyArns:
          - arn:aws:iam::aws:policy/NetworkAdministrator
```

The following is the read-only role template.

```
AWSTemplateFormatVersion: '2010-09-09'
Description: Enables read only cross account resource access through switch role

Resources:
  IAMRoleForAWSNetworkManagerCrossAccountResourceAccess:
    Type: AWS::IAM::Role
    Properties:
      RoleName: IAMRoleForAWSNetworkManagerCrossAccountResourceAccess
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: [
                "arn:aws:iam::<account1-id>:root",
                "arn:aws:iam::<account2-id>:root",
                "arn:aws:iam::<account3-id>:root"
              ]
            Action:
              - sts:AssumeRole
      Path: "/"
      ManagedPolicyArns:
          - arn:aws:iam::aws:policy/AWSNetworkManagerReadOnlyAccess
          - arn:aws:iam::aws:policy/AWSDirectConnectReadOnlyAccess
          - arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
          - arn:aws:iam::aws:policy/AmazonRoute53ReadOnlyAccess
```

## Permission templates


When choosing the `IAMRoleForAWSNetworkManagerCrossAccountResourceAccess` permission, an associated administrative or read-only template is also passed to CloudFormation StackSets. These templates contain a list of accounts that are able to assume these roles. These accounts include the AWS Organizations management account and all registered delegated administrators for the Network Manager service. Deregistering a delegated administrator removes it from this list so that it can no longer assume these roles. Disabling trusted access deletes the CloudFormation StackSets, and in turn all member account stacks and custom IAM roles in those accounts that were StackSets-managed for multi-account.

**Template policies for `IAMRoleForAWSNetworkManagerCrossAccountResourceAccess`**

### NetworkAdministrator


This policy enables administrator permission for the delegated administrator and management accounts to modify resources from other accounts in the global network while using the Network Manager console switch role. 


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:Describe*",
                "cloudfront:ListDistributions",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:PutMetricAlarm",
                "directconnect:*",
                "ec2:AcceptVpcEndpointConnections",
                "ec2:AllocateAddress",
                "ec2:AssignIpv6Addresses",
                "ec2:AssignPrivateIpAddresses",
                "ec2:AssociateAddress",
                "ec2:AssociateDhcpOptions",
                "ec2:AssociateRouteTable",
                "ec2:AssociateSubnetCidrBlock",
                "ec2:AssociateVpcCidrBlock",
                "ec2:AttachInternetGateway",
                "ec2:AttachNetworkInterface",
                "ec2:AttachVpnGateway",
                "ec2:CreateCarrierGateway",
                "ec2:CreateCustomerGateway",
                "ec2:CreateDefaultSubnet",
                "ec2:CreateDefaultVpc",
                "ec2:CreateDhcpOptions",
                "ec2:CreateEgressOnlyInternetGateway",
                "ec2:CreateFlowLogs",
                "ec2:CreateInternetGateway",
                "ec2:CreateNatGateway",
                "ec2:CreateNetworkAcl",
                "ec2:CreateNetworkAclEntry",
                "ec2:CreateNetworkInterface",
                "ec2:CreateNetworkInterfacePermission",
                "ec2:CreatePlacementGroup",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSubnet",
                "ec2:CreateTags",
                "ec2:CreateVpc",
                "ec2:CreateVpcEndpoint",
                "ec2:CreateVpcEndpointConnectionNotification",
                "ec2:CreateVpcEndpointServiceConfiguration",
                "ec2:CreateVpnConnection",
                "ec2:CreateVpnConnectionRoute",
                "ec2:CreateVpnGateway",
                "ec2:DeleteCarrierGateway",
                "ec2:DeleteEgressOnlyInternetGateway",
                "ec2:DeleteFlowLogs",
                "ec2:DeleteNatGateway",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteNetworkInterfacePermission",
                "ec2:DeletePlacementGroup",
                "ec2:DeleteSubnet",
                "ec2:DeleteTags",
                "ec2:DeleteVpc",
                "ec2:DeleteVpcEndpointConnectionNotifications",
                "ec2:DeleteVpcEndpointServiceConfigurations",
                "ec2:DeleteVpcEndpoints",
                "ec2:DeleteVpnConnection",
                "ec2:DeleteVpnConnectionRoute",
                "ec2:DeleteVpnGateway",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeCarrierGateways",
                "ec2:DescribeClassicLinkInstances",
                "ec2:DescribeCustomerGateways",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeEgressOnlyInternetGateways",
                "ec2:DescribeFlowLogs",
                "ec2:DescribeInstances",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeMovingAddresses",
                "ec2:DescribeNatGateways",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeNetworkInterfaceAttribute",
                "ec2:DescribeNetworkInterfacePermissions",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribePlacementGroups",
                "ec2:DescribePrefixLists",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroupReferences",
                "ec2:DescribeSecurityGroupRules",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeStaleSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcClassicLink",
                "ec2:DescribeVpcClassicLinkDnsSupport",
                "ec2:DescribeVpcEndpointConnectionNotifications",
                "ec2:DescribeVpcEndpointConnections",
                "ec2:DescribeVpcEndpointServiceConfigurations",
                "ec2:DescribeVpcEndpointServicePermissions",
                "ec2:DescribeVpcEndpointServices",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeVpcPeeringConnections",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpnConnections",
                "ec2:DescribeVpnGateways",
                "ec2:DescribePublicIpv4Pools",
                "ec2:DescribeIpv6Pools",
                "ec2:DetachInternetGateway",
                "ec2:DetachNetworkInterface",
                "ec2:DetachVpnGateway",
                "ec2:DisableVgwRoutePropagation",
                "ec2:DisableVpcClassicLinkDnsSupport",
                "ec2:DisassociateAddress",
                "ec2:DisassociateRouteTable",
                "ec2:DisassociateSubnetCidrBlock",
                "ec2:DisassociateVpcCidrBlock",
                "ec2:EnableVgwRoutePropagation",
                "ec2:EnableVpcClassicLinkDnsSupport",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:ModifySecurityGroupRules",
                "ec2:ModifySubnetAttribute",
                "ec2:ModifyVpcAttribute",
                "ec2:ModifyVpcEndpoint",
                "ec2:ModifyVpcEndpointConnectionNotification",
                "ec2:ModifyVpcEndpointServiceConfiguration",
                "ec2:ModifyVpcEndpointServicePermissions",
                "ec2:ModifyVpcPeeringConnectionOptions",
                "ec2:ModifyVpcTenancy",
                "ec2:MoveAddressToVpc",
                "ec2:RejectVpcEndpointConnections",
                "ec2:ReleaseAddress",
                "ec2:ReplaceNetworkAclAssociation",
                "ec2:ReplaceNetworkAclEntry",
                "ec2:ReplaceRoute",
                "ec2:ReplaceRouteTableAssociation",
                "ec2:ResetNetworkInterfaceAttribute",
                "ec2:RestoreAddressToClassic",
                "ec2:UnassignIpv6Addresses",
                "ec2:UnassignPrivateIpAddresses",
                "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
                "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
                "elasticbeanstalk:Describe*",
                "elasticbeanstalk:List*",
                "elasticbeanstalk:RequestEnvironmentInfo",
                "elasticbeanstalk:RetrieveEnvironmentInfo",
                "elasticloadbalancing:*",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents",
                "route53:*",
                "route53domains:*",
                "sns:CreateTopic",
                "sns:ListSubscriptionsByTopic",
                "sns:ListTopics"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AcceptVpcPeeringConnection",
                "ec2:AttachClassicLinkVpc",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateVpcPeeringConnection",
                "ec2:DeleteCustomerGateway",
                "ec2:DeleteDhcpOptions",
                "ec2:DeleteInternetGateway",
                "ec2:DeleteNetworkAcl",
                "ec2:DeleteNetworkAclEntry",
                "ec2:DeleteRoute",
                "ec2:DeleteRouteTable",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteVolume",
                "ec2:DeleteVpcPeeringConnection",
                "ec2:DetachClassicLinkVpc",
                "ec2:DisableVpcClassicLink",
                "ec2:EnableVpcClassicLink",
                "ec2:GetConsoleScreenshot",
                "ec2:RejectVpcPeeringConnection",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateLocalGatewayRoute",
                "ec2:CreateLocalGatewayRouteTableVpcAssociation",
                "ec2:DeleteLocalGatewayRoute",
                "ec2:DeleteLocalGatewayRouteTableVpcAssociation",
                "ec2:DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations",
                "ec2:DescribeLocalGatewayRouteTableVpcAssociations",
                "ec2:DescribeLocalGatewayRouteTables",
                "ec2:DescribeLocalGatewayVirtualInterfaceGroups",
                "ec2:DescribeLocalGatewayVirtualInterfaces",
                "ec2:DescribeLocalGateways",
                "ec2:SearchLocalGatewayRoutes"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetBucketWebsite",
                "s3:ListBucket"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:ListRoles",
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::*:role/flow-logs-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "networkmanager:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AcceptTransitGatewayVpcAttachment",
                "ec2:AssociateTransitGatewayRouteTable",
                "ec2:CreateTransitGateway",
                "ec2:CreateTransitGatewayRoute",
                "ec2:CreateTransitGatewayRouteTable",
                "ec2:CreateTransitGatewayVpcAttachment",
                "ec2:DeleteTransitGateway",
                "ec2:DeleteTransitGatewayRoute",
                "ec2:DeleteTransitGatewayRouteTable",
                "ec2:DeleteTransitGatewayVpcAttachment",
                "ec2:DescribeTransitGatewayAttachments",
                "ec2:DescribeTransitGatewayRouteTables",
                "ec2:DescribeTransitGatewayVpcAttachments",
                "ec2:DescribeTransitGateways",
                "ec2:DisableTransitGatewayRouteTablePropagation",
                "ec2:DisassociateTransitGatewayRouteTable",
                "ec2:EnableTransitGatewayRouteTablePropagation",
                "ec2:ExportTransitGatewayRoutes",
                "ec2:GetTransitGatewayAttachmentPropagations",
                "ec2:GetTransitGatewayRouteTableAssociations",
                "ec2:GetTransitGatewayRouteTablePropagations",
                "ec2:ModifyTransitGateway",
                "ec2:ModifyTransitGatewayVpcAttachment",
                "ec2:RejectTransitGatewayVpcAttachment",
                "ec2:ReplaceTransitGatewayRoute",
                "ec2:SearchTransitGatewayRoutes"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": [
                        "transitgateway.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
```

------

### AWSNetworkManagerReadOnlyAccess

This policy grants read-only permissions to the delegated administrator and management accounts so that they can review information about resources from other accounts in the global network when using the global networks console switch role. It doesn't allow either account to make changes.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "networkmanager:Describe*",
                "networkmanager:Get*",
                "networkmanager:List*"
            ],
            "Resource": "*"
        }
    ]
}
```

------
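To see how the wildcard actions in AWSNetworkManagerReadOnlyAccess and the `iam:AWSServiceName` condition on `iam:CreateServiceLinkedRole` in the full-access policy behave, the following added example evaluates both statements with a small, simplified policy evaluator. It is not AWS code and not the real IAM engine (it models only `Allow`/`Deny`, action and resource wildcards, and the `StringLike` operator, which is all these two policies use); for an authoritative answer use the IAM policy simulator.

```python
import fnmatch
import json

# AWSNetworkManagerReadOnlyAccess, as shown on this page.
READ_ONLY_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["networkmanager:Describe*", "networkmanager:Get*", "networkmanager:List*"],
        "Resource": "*"
    }]
}""")

# The iam:CreateServiceLinkedRole statement from the full-access policy above, on its own.
SLR_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["iam:CreateServiceLinkedRole"],
    "Resource": "*",
    "Condition": {"StringLike": {"iam:AWSServiceName": ["transitgateway.amazonaws.com"]}},
}]}

def _matches(patterns, value, fold=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    pats = patterns if isinstance(patterns, list) else [patterns]
    if fold:  # action names are case-insensitive in IAM
        value, pats = value.lower(), [p.lower() for p in pats]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def _condition_holds(condition, context):
    """Only StringLike is modelled; it is the only operator these two policies use."""
    for key, expected in condition.get("StringLike", {}).items():
        if key not in context or not _matches(expected, context[key]):
            return False
    return True

def is_allowed(policy, action, resource="*", context=None):
    """Simplified identity-policy evaluation: an explicit Deny wins, any matching
    Allow permits, and a request matching no statement is implicitly denied."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action, fold=True)
                and _matches(stmt["Resource"], resource)
                and _condition_holds(stmt.get("Condition", {}), context)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

The read-only policy admits `networkmanager:GetSites` and `networkmanager:DescribeGlobalNetworks` but not `networkmanager:CreateSite` or any `ec2:` action, and the service-linked-role statement only passes when the request context carries `iam:AWSServiceName` equal to `transitgateway.amazonaws.com`.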