Permissions for @turbot/aws-vpc-core
The permissions granted by this mod for VPC, with the grant level assigned to each permission:
Permission | Grant Level | Help |
---|---|---|
acm:ListCertificates | Metadata | |
ec2:AcceptTransitGatewayMulticastDomainAssociations | Admin | |
ec2:AcceptTransitGatewayPeeringAttachment | Admin | |
ec2:AcceptTransitGatewayVpcAttachment | Admin | |
ec2:AcceptVpcEndpointConnections | Whitelist | |
ec2:AcceptVpcPeeringConnection | Whitelist | |
ec2:AdvertiseByoipCidr | Admin | |
ec2:AllocateAddress | Admin | Admins can allocate new Elastic IP addresses; this is considered safe because routing still has to be configured before the address provides public access. |
ec2:AllocateIpamPoolCidr | Admin | |
ec2:ApplySecurityGroupsToClientVpnTargetNetwork | Admin | |
ec2:AssociateAddress | Admin | Admins can associate Elastic IP addresses; this is considered safe because routing still has to be configured before the address provides public access. |
ec2:AssociateClientVpnTargetNetwork | Admin | |
ec2:AssociateDhcpOptions | Whitelist | |
ec2:AssociateRouteTable | Whitelist | |
ec2:AssociateSubnetCidrBlock | Whitelist | |
ec2:AssociateTransitGatewayMulticastDomain | Admin | |
ec2:AssociateTransitGatewayRouteTable | Admin | |
ec2:AssociateVpcCidrBlock | Whitelist | |
ec2:AttachClassicLinkVpc | Admin | |
ec2:AttachInternetGateway | Whitelist | |
ec2:AttachVpnGateway | Whitelist | |
ec2:AuthorizeClientVpnIngress | Admin | |
ec2:AuthorizeSecurityGroupEgress | Whitelist | |
ec2:AuthorizeSecurityGroupIngress | Whitelist | |
ec2:CreateCarrierGateway | Admin | |
ec2:CreateClientVpnEndpoint | Admin | |
ec2:CreateClientVpnRoute | Admin | |
ec2:CreateCustomerGateway | Whitelist | |
ec2:CreateDefaultSubnet | Whitelist | |
ec2:CreateDefaultVpc | Whitelist | |
ec2:CreateDhcpOptions | Whitelist | |
ec2:CreateEgressOnlyInternetGateway | Whitelist | |
ec2:CreateFlowLogs | Whitelist | |
ec2:CreateInternetGateway | Whitelist | |
ec2:CreateIpam | Admin | |
ec2:CreateIpamPool | Admin | |
ec2:CreateIpamScope | Admin | |
ec2:CreateLocalGatewayRoute | Admin | |
ec2:CreateLocalGatewayRouteTableVpcAssociation | Admin | |
ec2:CreateNatGateway | Whitelist | |
ec2:CreateNetworkAcl | Whitelist | |
ec2:CreateNetworkAclEntry | Whitelist | |
ec2:CreateNetworkInsightsPath | Admin | |
ec2:CreateNetworkInsightsAccessScope | Admin | |
ec2:CreatePublicIpv4Pool | Admin | |
ec2:CreateRoute | Whitelist | |
ec2:CreateRouteTable | Whitelist | |
ec2:CreateSecurityGroup | Whitelist | |
ec2:CreateSubnet | Whitelist | |
ec2:CreateSubnetCidrReservation | Admin | |
ec2:CreateTags | Operator | Tags are low risk to manage in Guardrails because accounts, not tags, are the isolation boundary. |
ec2:CreateTrafficMirrorFilter | Admin | |
ec2:CreateTrafficMirrorFilterRule | Admin | |
ec2:CreateTrafficMirrorSession | Admin | |
ec2:CreateTrafficMirrorTarget | Admin | |
ec2:CreateTransitGateway | Admin | |
ec2:CreateTransitGatewayConnect | Admin | |
ec2:CreateTransitGatewayConnectPeer | Admin | |
ec2:CreateTransitGatewayMulticastDomain | Admin | |
ec2:CreateTransitGatewayPeeringAttachment | Admin | |
ec2:CreateTransitGatewayPrefixListReference | Admin | |
ec2:CreateTransitGatewayRoute | Admin | |
ec2:CreateTransitGatewayRouteTable | Admin | |
ec2:CreateTransitGatewayVpcAttachment | Admin | |
ec2:CreateVpc | Whitelist | |
ec2:CreateVpcEndpoint | Whitelist | |
ec2:CreateVpcEndpointConnectionNotification | Whitelist | User is required to also have AWS/SNS/Operator role assigned for this action. |
ec2:CreateVpcEndpointServiceConfiguration | Whitelist | Allows cross-account access. |
ec2:CreateVpcPeeringConnection | Whitelist | |
ec2:CreateVpnConnection | Whitelist | |
ec2:CreateVpnConnectionRoute | Whitelist | |
ec2:CreateVpnGateway | Whitelist | |
ec2:DeleteCarrierGateway | Admin | |
ec2:DeleteClientVpnEndpoint | Admin | |
ec2:DeleteClientVpnRoute | Admin | |
ec2:DeleteCustomerGateway | Whitelist | |
ec2:DeleteDhcpOptions | Whitelist | |
ec2:DeleteEgressOnlyInternetGateway | Whitelist | |
ec2:DeleteFlowLogs | Whitelist | |
ec2:DeleteInternetGateway | Whitelist | |
ec2:DeleteIpam | Admin | |
ec2:DeleteIpamPool | Admin | |
ec2:DeleteIpamScope | Admin | |
ec2:DeleteLocalGatewayRoute | Admin | |
ec2:DeleteLocalGatewayRouteTableVpcAssociation | Admin | |
ec2:DeleteNatGateway | Whitelist | |
ec2:DeleteNetworkAcl | Whitelist | |
ec2:DeleteNetworkAclEntry | Whitelist | |
ec2:DeleteNetworkInsightsAnalysis | Admin | |
ec2:DeleteNetworkInsightsAccessScope | Admin | |
ec2:DeleteNetworkInsightsAccessScopeAnalysis | Admin | |
ec2:DeleteNetworkInsightsPath | Admin | |
ec2:DeletePublicIpv4Pool | Admin | |
ec2:DeleteRoute | Whitelist | |
ec2:DeleteRouteTable | Whitelist | |
ec2:DeleteSecurityGroup | Whitelist | |
ec2:DeleteSubnet | Whitelist | |
ec2:DeleteSubnetCidrReservation | Admin | |
ec2:DeleteTags | Operator | Tags are low risk to manage in Guardrails because accounts, not tags, are the isolation boundary. Most deletions are denied to Operator, but deleting tags is a low-risk management activity. |
ec2:DeleteTrafficMirrorFilter | Admin | |
ec2:DeleteTrafficMirrorFilterRule | Admin | |
ec2:DeleteTrafficMirrorSession | Admin | |
ec2:DeleteTrafficMirrorTarget | Admin | |
ec2:DeleteTransitGateway | Admin | |
ec2:DeleteTransitGatewayConnect | Admin | |
ec2:DeleteTransitGatewayConnectPeer | Admin | |
ec2:DeleteTransitGatewayMulticastDomain | Admin | |
ec2:DeleteTransitGatewayPeeringAttachment | Admin | |
ec2:DeleteTransitGatewayPrefixListReference | Admin | |
ec2:DeleteTransitGatewayRoute | Admin | |
ec2:DeleteTransitGatewayRouteTable | Admin | |
ec2:DeleteTransitGatewayVpcAttachment | Admin | |
ec2:DeleteVpc | Whitelist | |
ec2:DeleteVpcEndpointConnectionNotifications | Whitelist | User is required to also have AWS/SNS/Operator role assigned for this action. |
ec2:DeleteVpcEndpointServiceConfigurations | Whitelist | Allows cross-account access. |
ec2:DeleteVpcEndpoints | Whitelist | |
ec2:DeleteVpcPeeringConnection | Whitelist | |
ec2:DeleteVpnConnection | Whitelist | |
ec2:DeleteVpnConnectionRoute | Whitelist | |
ec2:DeleteVpnGateway | Whitelist | |
ec2:DeprovisionByoipCidr | Admin | |
ec2:DeprovisionIpamPoolCidr | Admin | |
ec2:DeprovisionPublicIpv4PoolCidr | Admin | |
ec2:DeregisterTransitGatewayMulticastGroupMembers | Admin | |
ec2:DeregisterTransitGatewayMulticastGroupSources | Admin | |
ec2:DescribeAddresses | Metadata | |
ec2:DescribeAggregateIdFormat | Metadata | |
ec2:DescribeByoipCidrs | Metadata | |
ec2:DescribeClientVpnAuthorizationRules | Metadata | |
ec2:DescribeClientVpnConnections | Metadata | |
ec2:DescribeClientVpnEndpoints | Metadata | |
ec2:DescribeClientVpnRoutes | Metadata | |
ec2:DescribeClientVpnTargetNetworks | Metadata | |
ec2:DescribeCoipPools | Metadata | |
ec2:DescribeCustomerGateways | Metadata | |
ec2:DescribeDhcpOptions | Metadata | |
ec2:DescribeEgressOnlyInternetGateways | Metadata | |
ec2:DescribeFlowLogs | Metadata | |
ec2:DescribeInternetGateways | Metadata | |
ec2:DescribeIpamPools | Metadata | |
ec2:DescribeIpamScopes | Metadata | |
ec2:DescribeIpams | Metadata | |
ec2:DescribeIpv6Pools | Metadata | |
ec2:DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations | Metadata | |
ec2:DescribeLocalGatewayRouteTableVpcAssociations | Metadata | |
ec2:DescribeLocalGatewayRouteTables | Metadata | |
ec2:DescribeLocalGatewayVirtualInterfaceGroups | Metadata | |
ec2:DescribeLocalGatewayVirtualInterfaces | Metadata | |
ec2:DescribeLocalGateways | Metadata | |
ec2:DescribeManagedPrefixLists | Metadata | |
ec2:DescribeMovingAddresses | Metadata | |
ec2:DescribeNatGateways | Metadata | |
ec2:DescribeNetworkAcls | Metadata | |
ec2:DescribeNetworkInsightsAccessScopeAnalyses | Metadata | |
ec2:DescribeNetworkInsightsAccessScopes | Metadata | |
ec2:DescribeNetworkInsightsAnalyses | Metadata | |
ec2:DescribeNetworkInsightsPaths | Metadata | |
ec2:DescribeNetworkInterfaces | Metadata | |
ec2:DescribePrefixLists | Metadata | |
ec2:DescribePrincipalIdFormat | Metadata | |
ec2:DescribePublicIpv4Pools | Metadata | |
ec2:DescribeRouteTables | Metadata | |
ec2:DescribeSecurityGroupReferences | Metadata | |
ec2:DescribeSecurityGroupRules | Metadata | |
ec2:DescribeSecurityGroups | Metadata | |
ec2:DescribeStaleSecurityGroups | Metadata | |
ec2:DescribeSubnets | Metadata | |
ec2:DescribeTags | Metadata | |
ec2:DescribeTrafficMirrorFilters | Metadata | |
ec2:DescribeTrafficMirrorSessions | Metadata | |
ec2:DescribeTrafficMirrorTargets | Metadata | |
ec2:DescribeTransitGatewayAttachments | Metadata | |
ec2:DescribeTransitGatewayConnectPeers | Metadata | |
ec2:DescribeTransitGatewayConnects | Metadata | |
ec2:DescribeTransitGatewayMulticastDomains | Metadata | |
ec2:DescribeTransitGatewayPeeringAttachments | Metadata | |
ec2:DescribeTransitGatewayRouteTables | Metadata | |
ec2:DescribeTransitGatewayVpcAttachments | Metadata | |
ec2:DescribeTransitGateways | Metadata | |
ec2:DescribeTrunkInterfaceAssociations | Metadata | |
ec2:DescribeVpcAttribute | Metadata | |
ec2:DescribeVpcClassicLink | Metadata | |
ec2:DescribeVpcClassicLinkDnsSupport | Metadata | |
ec2:DescribeVpcEndpointConnectionNotifications | Metadata | |
ec2:DescribeVpcEndpointConnections | Metadata | |
ec2:DescribeVpcEndpointServiceConfigurations | Metadata | |
ec2:DescribeVpcEndpointServicePermissions | Metadata | |
ec2:DescribeVpcEndpointServices | Metadata | |
ec2:DescribeVpcEndpoints | Metadata | |
ec2:DescribeVpcPeeringConnection | Metadata | |
ec2:DescribeVpcPeeringConnections | Metadata | |
ec2:DescribeVpcs | Metadata | |
ec2:DescribeVpnConnections | Metadata | |
ec2:DescribeVpnGateways | Metadata | |
ec2:DetachInternetGateway | Whitelist | |
ec2:DetachVpnGateway | Whitelist | |
ec2:DisableIpamOrganizationAdminAccount | Admin | |
ec2:DisableTransitGatewayRouteTablePropagation | Admin | |
ec2:DisableVgwRoutePropagation | Whitelist | |
ec2:DisableVpcClassicLink | None | EC2-Classic should not be used. |
ec2:DisableVpcClassicLinkDnsSupport | None | EC2-Classic should not be used. |
ec2:DisassociateAddress | Admin | Admins can disassociate elastic IP addresses. |
ec2:DisassociateClientVpnTargetNetwork | Admin | |
ec2:DisassociateRouteTable | Whitelist | |
ec2:DisassociateSubnetCidrBlock | Whitelist | |
ec2:DisassociateTransitGatewayRouteTable | Admin | |
ec2:DisassociateVpcCidrBlock | Whitelist | |
ec2:DisassociateTransitGatewayMulticastDomain | Admin | |
ec2:EnableIpamOrganizationAdminAccount | Admin | |
ec2:EnableTransitGatewayRouteTablePropagation | Admin | |
ec2:EnableVgwRoutePropagation | Whitelist | |
ec2:EnableVpcClassicLink | None | EC2-Classic should not be used. |
ec2:EnableVpcClassicLinkDnsSupport | None | EC2-Classic should not be used. |
ec2:ExportClientVpnClientCertificateRevocationList | Admin | |
ec2:ExportClientVpnClientConfiguration | Admin | |
ec2:ExportTransitGatewayRoutes | Admin | |
ec2:GetAssociatedIpv6PoolCidrs | Metadata | |
ec2:GetCapacityReservationUsage | Metadata | |
ec2:GetCoipPoolUsage | Metadata | |
ec2:GetFlowLogsIntegrationTemplate | Metadata | |
ec2:GetIpamAddressHistory | Metadata | |
ec2:GetIpamPoolAllocations | Metadata | |
ec2:GetIpamPoolCidrs | Metadata | |
ec2:GetIpamResourceCidrs | Metadata | |
ec2:GetManagedPrefixListAssociations | Metadata | |
ec2:GetManagedPrefixListEntries | Metadata | |
ec2:GetNetworkInsightsAccessScopeAnalysisFindings | Metadata | |
ec2:GetNetworkInsightsAccessScopeContent | Metadata | |
ec2:GetSubnetCidrReservations | Metadata | |
ec2:GetTransitGatewayAttachmentPropagations | Metadata | |
ec2:GetTransitGatewayMulticastDomainAssociations | Metadata | |
ec2:GetTransitGatewayPrefixListReferences | Metadata | |
ec2:GetTransitGatewayRouteTableAssociations | Metadata | |
ec2:GetTransitGatewayRouteTablePropagations | Metadata | |
ec2:GetVpnConnectionDeviceSampleConfiguration | Metadata | |
ec2:GetVpnConnectionDeviceTypes | Metadata | |
ec2:ImportClientVpnClientCertificateRevocationList | Admin | |
ec2:ModifyAddressAttribute | Admin | |
ec2:ModifyCapacityReservation | Admin | |
ec2:ModifyClientVpnEndpoint | Admin | |
ec2:ModifyIpam | Admin | |
ec2:ModifyIpamPool | Admin | |
ec2:ModifyIpamResourceCidr | Admin | |
ec2:ModifyIpamScope | Admin | |
ec2:ModifyManagedPrefixList | Admin | |
ec2:ModifySecurityGroupRules | Whitelist | |
ec2:ModifySubnetAttribute | Whitelist | |
ec2:ModifyTrafficMirrorFilterNetworkServices | Admin | |
ec2:ModifyTrafficMirrorFilterRule | Admin | |
ec2:ModifyTrafficMirrorSession | Admin | |
ec2:ModifyTransitGateway | Admin | |
ec2:ModifyTransitGatewayPrefixListReference | Admin | |
ec2:ModifyTransitGatewayVpcAttachment | Admin | |
ec2:ModifyVpcAttribute | Whitelist | |
ec2:ModifyVpcEndpoint | Whitelist | |
ec2:ModifyVpcEndpointConnectionNotification | Whitelist | User is required to also have AWS/SNS/Operator role assigned for this action. |
ec2:ModifyVpcEndpointServiceConfiguration | Whitelist | Allows cross-account access. |
ec2:ModifyVpcEndpointServicePermissions | Whitelist | Allows cross-account access. |
ec2:ModifyVpcPeeringConnectionOptions | Whitelist | |
ec2:ModifyVpcTenancy | Whitelist | |
ec2:ModifyVpnConnection | Admin | Allows creating the transit gateway attachment via a VPN connection. |
ec2:ModifyVpnConnectionOptions | Admin | |
ec2:ModifyVpnTunnelCertificate | Admin | |
ec2:ModifyVpnTunnelOptions | Admin | |
ec2:MoveAddressToVpc | None | EC2-Classic should not be used. |
ec2:MoveByoipCidrToIpam | Admin | |
ec2:ProvisionByoipCidr | Admin | |
ec2:ProvisionIpamPoolCidr | Admin | |
ec2:ProvisionPublicIpv4PoolCidr | Admin | |
ec2:RegisterTransitGatewayMulticastGroupMembers | Admin | |
ec2:RegisterTransitGatewayMulticastGroupSources | Admin | |
ec2:RejectTransitGatewayMulticastDomainAssociations | Admin | |
ec2:RejectTransitGatewayPeeringAttachment | Admin | |
ec2:RejectTransitGatewayVpcAttachment | Admin | |
ec2:RejectVpcEndpointConnections | Whitelist | |
ec2:RejectVpcPeeringConnection | Whitelist | |
ec2:ReleaseAddress | Admin | Admins can release elastic IP addresses. |
ec2:ReleaseIpamPoolAllocation | Admin | |
ec2:ReplaceNetworkAclAssociation | Whitelist | |
ec2:ReplaceNetworkAclEntry | Whitelist | |
ec2:ReplaceRoute | Whitelist | |
ec2:ReplaceRouteTableAssociation | Whitelist | |
ec2:ReplaceTransitGatewayRoute | Admin | |
ec2:ResetAddressAttribute | Admin | |
ec2:RestoreAddressToClassic | None | EC2-Classic should not be used. |
ec2:RestoreManagedPrefixListVersion | Admin | |
ec2:RevokeClientVpnIngress | Admin | |
ec2:RevokeSecurityGroupEgress | Whitelist | |
ec2:RevokeSecurityGroupIngress | Whitelist | |
ec2:SearchLocalGatewayRoutes | Metadata | |
ec2:SearchTransitGatewayMulticastGroups | Metadata | |
ec2:SearchTransitGatewayRoutes | Metadata | |
ec2:StartNetworkInsightsAnalysis | Admin | |
ec2:StartNetworkInsightsAccessScopeAnalysis | Admin | |
ec2:StartVpcEndpointServicePrivateDnsVerification | Admin | |
ec2:TerminateClientVpnConnections | Admin | |
ec2:UpdateSecurityGroupRuleDescriptionsEgress | Whitelist | Admin can update the description field only. |
ec2:UpdateSecurityGroupRuleDescriptionsIngress | Whitelist | Admin can update the description field only. |
ec2:WithdrawByoipCidr | Admin | |
elasticloadbalancing:DescribeLoadBalancers | Metadata | |
logs:DescribeLogGroups | Metadata | |
logs:DescribeLogStreams | Metadata | |
ram:GetResourceShareAssociations | Metadata | |
tiros:CreateQuery | Admin | |
tiros:GetQueryAnswer | Metadata | |
tiros:GetQueryExplanation | Metadata | |