Permissions for @turbot/aws-vpc-core
Taking a look at permissions and associated grant levels for each permission for VPC:
| Permission | Grant Level | Help |
|---|---|---|
| acm:ListCertificates | Metadata | |
| ec2:AcceptTransitGatewayMulticastDomainAssociations | Admin | |
| ec2:AcceptTransitGatewayPeeringAttachment | Admin | |
| ec2:AcceptTransitGatewayVpcAttachment | Admin | |
| ec2:AcceptVpcEndpointConnections | Whitelist | |
| ec2:AcceptVpcPeeringConnection | Whitelist | |
| ec2:AdvertiseByoipCidr | Admin | |
| ec2:AllocateAddress | Admin | Admins can allocate new elastic IP addresses; this is considered safe as the proper routing still needs to be configured for public access. |
| ec2:AllocateIpamPoolCidr | Admin | |
| ec2:ApplySecurityGroupsToClientVpnTargetNetwork | Admin | |
| ec2:AssociateAddress | Admin | Admins can associate elastic IP addresses; this is considered safe as the proper routing still needs to be configured for public access. |
| ec2:AssociateClientVpnTargetNetwork | Admin | |
| ec2:AssociateDhcpOptions | Whitelist | |
| ec2:AssociateRouteTable | Whitelist | |
| ec2:AssociateSubnetCidrBlock | Whitelist | |
| ec2:AssociateTransitGatewayMulticastDomain | Admin | |
| ec2:AssociateTransitGatewayRouteTable | Admin | |
| ec2:AssociateVpcCidrBlock | Whitelist | |
| ec2:AttachClassicLinkVpc | Admin | |
| ec2:AttachInternetGateway | Whitelist | |
| ec2:AttachVpnGateway | Whitelist | |
| ec2:AuthorizeClientVpnIngress | Admin | |
| ec2:AuthorizeSecurityGroupEgress | Whitelist | |
| ec2:AuthorizeSecurityGroupIngress | Whitelist | |
| ec2:AuthorizeSecurityGroupEgress | Whitelist | |
| ec2:AuthorizeSecurityGroupIngress | Whitelist | |
| ec2:CreateCarrierGateway | Admin | |
| ec2:CreateClientVpnEndpoint | Admin | |
| ec2:CreateClientVpnRoute | Admin | |
| ec2:CreateCustomerGateway | Whitelist | |
| ec2:CreateDefaultSubnet | Whitelist | |
| ec2:CreateDefaultVpc | Whitelist | |
| ec2:CreateDhcpOptions | Whitelist | |
| ec2:CreateEgressOnlyInternetGateway | Whitelist | |
| ec2:CreateFlowLogs | Whitelist | |
| ec2:CreateInternetGateway | Whitelist | |
| ec2:CreateIpam | Admin | |
| ec2:CreateIpamPool | Admin | |
| ec2:CreateIpamScope | Admin | |
| ec2:CreateLocalGatewayRoute | Admin | |
| ec2:CreateLocalGatewayRouteTableVpcAssociation | Admin | |
| ec2:CreateNatGateway | Whitelist | |
| ec2:CreateNetworkAcl | Whitelist | |
| ec2:CreateNetworkAclEntry | Whitelist | |
| ec2:CreateNetworkInsightsPath | Admin | |
| ec2:CreateNetworkInsightsAccessScope | Admin | |
| ec2:CreatePublicIpv4Pool | Admin | |
| ec2:CreateRoute | Whitelist | |
| ec2:CreateRoute | Whitelist | |
| ec2:CreateRouteTable | Whitelist | |
| ec2:CreateSecurityGroup | Whitelist | |
| ec2:CreateSubnet | Whitelist | |
| ec2:CreateSubnetCidrReservation | Admin | |
| ec2:CreateTags | Operator | Tags are low risk for management in Guardrails since accounts are the isolation boundary; not tags. |
| ec2:CreateTrafficMirrorFilter | Admin | |
| ec2:CreateTrafficMirrorFilterRule | Admin | |
| ec2:CreateTrafficMirrorSession | Admin | |
| ec2:CreateTrafficMirrorTarget | Admin | |
| ec2:CreateTransitGateway | Admin | |
| ec2:CreateTransitGatewayConnect | Admin | |
| ec2:CreateTransitGatewayConnectPeer | Admin | |
| ec2:CreateTransitGatewayMulticastDomain | Admin | |
| ec2:CreateTransitGatewayPeeringAttachment | Admin | |
| ec2:CreateTransitGatewayPrefixListReference | Admin | |
| ec2:CreateTransitGatewayRoute | Admin | |
| ec2:CreateTransitGatewayRouteTable | Admin | |
| ec2:CreateTransitGatewayVpcAttachment | Admin | |
| ec2:CreateTransitGatewayVpcAttachment | Admin | |
| ec2:CreateVpc | Whitelist | |
| ec2:CreateVpcEndpoint | Whitelist | |
| ec2:CreateVpcEndpointConnectionNotification | Whitelist | User is required to also have AWS/SNS/Operator role assigned for this action. |
| ec2:CreateVpcEndpointServiceConfiguration | Whitelist | Allows cross-account access. |
| ec2:CreateVpcPeeringConnection | Whitelist | |
| ec2:CreateVpnConnection | Whitelist | |
| ec2:CreateVpnConnectionRoute | Whitelist | |
| ec2:CreateVpnGateway | Whitelist | |
| ec2:DeleteCarrierGateway | Admin | |
| ec2:DeleteClientVpnEndpoint | Admin | |
| ec2:DeleteClientVpnRoute | Admin | |
| ec2:DeleteCustomerGateway | Whitelist | |
| ec2:DeleteDhcpOptions | Whitelist | |
| ec2:DeleteEgressOnlyInternetGateway | Whitelist | |
| ec2:DeleteFlowLogs | Whitelist | |
| ec2:DeleteInternetGateway | Whitelist | |
| ec2:DeleteIpam | Admin | |
| ec2:DeleteIpamPool | Admin | |
| ec2:DeleteIpamScope | Admin | |
| ec2:DeleteLocalGatewayRoute | Admin | |
| ec2:DeleteLocalGatewayRouteTableVpcAssociation | Admin | |
| ec2:DeleteNatGateway | Whitelist | |
| ec2:DeleteNetworkAcl | Whitelist | |
| ec2:DeleteNetworkAclEntry | Whitelist | |
| ec2:DeleteNetworkInsightsAnalysis | Admin | |
| ec2:DeleteNetworkInsightsAccessScope | Admin | |
| ec2:DeleteNetworkInsightsAccessScopeAnalysis | Admin | |
| ec2:DeleteNetworkInsightsPath | Admin | |
| ec2:DeletePublicIpv4Pool | Admin | |
| ec2:DeleteRoute | Whitelist | |
| ec2:DeleteRoute | Whitelist | |
| ec2:DeleteRouteTable | Whitelist | |
| ec2:DeleteSecurityGroup | Whitelist | |
| ec2:DeleteSubnet | Whitelist | |
| ec2:DeleteSubnetCidrReservation | Admin | |
| ec2:DeleteTags | Operator | Tags are low risk for management in Guardrails since accounts are the isolation boundary; not tags. Most deletions are denied to operator but tags are a low risk management activity even for deletion. |
| ec2:DeleteTrafficMirrorFilter | Admin | |
| ec2:DeleteTrafficMirrorFilterRule | Admin | |
| ec2:DeleteTrafficMirrorSession | Admin | |
| ec2:DeleteTrafficMirrorTarget | Admin | |
| ec2:DeleteTransitGateway | Admin | |
| ec2:DeleteTransitGatewayConnect | Admin | |
| ec2:DeleteTransitGatewayConnectPeer | Admin | |
| ec2:DeleteTransitGatewayMulticastDomain | Admin | |
| ec2:DeleteTransitGatewayPeeringAttachment | Admin | |
| ec2:DeleteTransitGatewayPrefixListReference | Admin | |
| ec2:DeleteTransitGatewayRoute | Admin | |
| ec2:DeleteTransitGatewayRouteTable | Admin | |
| ec2:DeleteTransitGatewayVpcAttachment | Admin | |
| ec2:DeleteTransitGatewayVpcAttachment | Admin | |
| ec2:DeleteVpc | Whitelist | |
| ec2:DeleteVpcEndpointConnectionNotifications | Whitelist | User is required to also have AWS/SNS/Operator role assigned for this action. |
| ec2:DeleteVpcEndpointServiceConfigurations | Whitelist | Allows cross-account access. |
| ec2:DeleteVpcEndpoints | Whitelist | |
| ec2:DeleteVpcPeeringConnection | Whitelist | |
| ec2:DeleteVpnConnection | Whitelist | |
| ec2:DeleteVpnConnectionRoute | Whitelist | |
| ec2:DeleteVpnGateway | Whitelist | |
| ec2:DeprovisionByoipCidr | Admin | |
| ec2:DeprovisionIpamPoolCidr | Admin | |
| ec2:DeprovisionPublicIpv4PoolCidr | Admin | |
| ec2:DeregisterTransitGatewayMulticastGroupMembers | Admin | |
| ec2:DeregisterTransitGatewayMulticastGroupSources | Admin | |
| ec2:DescribeAddresses | Metadata | |
| ec2:DescribeAggregateIdFormat | Metadata | |
| ec2:DescribeByoipCidrs | Metadata | |
| ec2:DescribeClientVpnAuthorizationRules | Metadata | |
| ec2:DescribeClientVpnConnections | Metadata | |
| ec2:DescribeClientVpnEndpoints | Metadata | |
| ec2:DescribeClientVpnRoutes | Metadata | |
| ec2:DescribeClientVpnTargetNetworks | Metadata | |
| ec2:DescribeCoipPools | Metadata | |
| ec2:DescribeCustomerGateways | Metadata | |
| ec2:DescribeDhcpOptions | Metadata | |
| ec2:DescribeEgressOnlyInternetGateways | Metadata | |
| ec2:DescribeFlowLogs | Metadata | |
| ec2:DescribeInternetGateways | Metadata | |
| ec2:DescribeIpamPools | Metadata | |
| ec2:DescribeIpamScopes | Metadata | |
| ec2:DescribeIpams | Metadata | |
| ec2:DescribeIpv6Pools | Metadata | |
| ec2:DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations | Metadata | |
| ec2:DescribeLocalGatewayRouteTableVpcAssociations | Metadata | |
| ec2:DescribeLocalGatewayRouteTables | Metadata | |
| ec2:DescribeLocalGatewayVirtualInterfaceGroups | Metadata | |
| ec2:DescribeLocalGatewayVirtualInterfaces | Metadata | |
| ec2:DescribeLocalGateways | Metadata | |
| ec2:DescribeManagedPrefixLists | Metadata | |
| ec2:DescribeMovingAddresses | Metadata | |
| ec2:DescribeNatGateways | Metadata | |
| ec2:DescribeNetworkAcls | Metadata | |
| ec2:DescribeNetworkInsightsAccessScopeAnalyses | Metadata | |
| ec2:DescribeNetworkInsightsAccessScopes | Metadata | |
| ec2:DescribeNetworkInsightsAnalyses | Metadata | |
| ec2:DescribeNetworkInsightsPaths | Metadata | |
| ec2:DescribeNetworkInterfaces | Metadata | |
| ec2:DescribePrefixLists | Metadata | |
| ec2:DescribePrincipalIdFormat | Metadata | |
| ec2:DescribePublicIpv4Pools | Metadata | |
| ec2:DescribeRouteTables | Metadata | |
| ec2:DescribeSecurityGroupReferences | Metadata | |
| ec2:DescribeSecurityGroupRules | Metadata | |
| ec2:DescribeSecurityGroups | Metadata | |
| ec2:DescribeStaleSecurityGroups | Metadata | |
| ec2:DescribeSubnets | Metadata | |
| ec2:DescribeTags | Metadata | |
| ec2:DescribeTrafficMirrorFilters | Metadata | |
| ec2:DescribeTrafficMirrorSessions | Metadata | |
| ec2:DescribeTrafficMirrorTargets | Metadata | |
| ec2:DescribeTransitGatewayAttachments | Metadata | |
| ec2:DescribeTransitGatewayConnectPeers | Metadata | |
| ec2:DescribeTransitGatewayConnects | Metadata | |
| ec2:DescribeTransitGatewayMulticastDomains | Metadata | |
| ec2:DescribeTransitGatewayPeeringAttachments | Metadata | |
| ec2:DescribeTransitGatewayRouteTables | Metadata | |
| ec2:DescribeTransitGatewayVpcAttachments | Metadata | |
| ec2:DescribeTransitGateways | Metadata | |
| ec2:DescribeTrunkInterfaceAssociations | Metadata | |
| ec2:DescribeVpcAttribute | Metadata | |
| ec2:DescribeVpcClassicLink | Metadata | |
| ec2:DescribeVpcClassicLinkDnsSupport | Metadata | |
| ec2:DescribeVpcEndpointConnectionNotifications | Metadata | |
| ec2:DescribeVpcEndpointConnections | Metadata | |
| ec2:DescribeVpcEndpointServiceConfigurations | Metadata | |
| ec2:DescribeVpcEndpointServicePermissions | Metadata | |
| ec2:DescribeVpcEndpointServices | Metadata | |
| ec2:DescribeVpcEndpoints | Metadata | |
| ec2:DescribeVpcPeeringConnection | Metadata | |
| ec2:DescribeVpcPeeringConnections | Metadata | |
| ec2:DescribeVpcs | Metadata | |
| ec2:DescribeVpnConnections | Metadata | |
| ec2:DescribeVpnGateways | Metadata | |
| ec2:DetachInternetGateway | Whitelist | |
| ec2:DetachVpnGateway | Whitelist | |
| ec2:DisableIpamOrganizationAdminAccount | Admin | |
| ec2:DisableTransitGatewayRouteTablePropagation | Admin | |
| ec2:DisableVgwRoutePropagation | Whitelist | |
| ec2:DisableVpcClassicLink | None | EC2 classic should not be used |
| ec2:DisableVpcClassicLinkDnsSupport | None | EC2 classic should not be used |
| ec2:DisassociateAddress | Admin | Admins can disassociate elastic IP addresses. |
| ec2:DisassociateClientVpnTargetNetwork | Admin | |
| ec2:DisassociateRouteTable | Whitelist | |
| ec2:DisassociateSubnetCidrBlock | Whitelist | |
| ec2:DisassociateTransitGatewayRouteTable | Admin | |
| ec2:DisassociateVpcCidrBlock | Whitelist | |
| ec2:DisassociateTransitGatewayMulticastDomain | Admin | |
| ec2:EnableIpamOrganizationAdminAccount | Admin | |
| ec2:EnableTransitGatewayRouteTablePropagation | Admin | |
| ec2:EnableVgwRoutePropagation | Whitelist | |
| ec2:EnableVpcClassicLink | None | EC2 classic should not be used |
| ec2:EnableVpcClassicLinkDnsSupport | None | EC2 classic should not be used |
| ec2:ExportClientVpnClientCertificateRevocationList | Admin | |
| ec2:ExportClientVpnClientConfiguration | Admin | |
| ec2:ExportTransitGatewayRoutes | Admin | |
| ec2:GetAssociatedIpv6PoolCidrs | Metadata | |
| ec2:GetCapacityReservationUsage | Metadata | |
| ec2:GetCoipPoolUsage | Metadata | |
| ec2:GetFlowLogsIntegrationTemplate | Metadata | |
| ec2:GetIpamAddressHistory | Metadata | |
| ec2:GetIpamPoolAllocations | Metadata | |
| ec2:GetIpamPoolCidrs | Metadata | |
| ec2:GetIpamResourceCidrs | Metadata | |
| ec2:GetManagedPrefixListAssociations | Metadata | |
| ec2:GetManagedPrefixListEntries | Metadata | |
| ec2:GetNetworkInsightsAccessScopeAnalysisFindings | Metadata | |
| ec2:GetNetworkInsightsAccessScopeContent | Metadata | |
| ec2:GetSubnetCidrReservations | Metadata | |
| ec2:GetTransitGatewayAttachmentPropagations | Metadata | |
| ec2:GetTransitGatewayMulticastDomainAssociations | Metadata | |
| ec2:GetTransitGatewayPrefixListReferences | Metadata | |
| ec2:GetTransitGatewayRouteTableAssociations | Metadata | |
| ec2:GetTransitGatewayRouteTablePropagations | Metadata | |
| ec2:GetVpnConnectionDeviceSampleConfiguration | Metadata | |
| ec2:GetVpnConnectionDeviceTypes | Metadata | |
| ec2:ImportClientVpnClientCertificateRevocationList | Admin | |
| ec2:ModifyAddressAttribute | Admin | |
| ec2:ModifyCapacityReservation | Admin | |
| ec2:ModifyClientVpnEndpoint | Admin | |
| ec2:ModifyIpam | Admin | |
| ec2:ModifyIpamPool | Admin | |
| ec2:ModifyIpamResourceCidr | Admin | |
| ec2:ModifyIpamScope | Admin | |
| ec2:ModifyManagedPrefixList | Admin | |
| ec2:ModifySecurityGroupRules | Whitelist | |
| ec2:ModifySubnetAttribute | Whitelist | |
| ec2:ModifyTrafficMirrorFilterNetworkServices | Admin | |
| ec2:ModifyTrafficMirrorFilterRule | Admin | |
| ec2:ModifyTrafficMirrorSession | Admin | |
| ec2:ModifyTransitGateway | Admin | |
| ec2:ModifyTransitGatewayPrefixListReference | Admin | |
| ec2:ModifyTransitGatewayVpcAttachment | Admin | |
| ec2:ModifyVpcAttribute | Whitelist | |
| ec2:ModifyVpcEndpoint | Whitelist | |
| ec2:ModifyVpcEndpointConnectionNotification | Whitelist | User is required to also have AWS/SNS/Operator role assigned for this action. |
| ec2:ModifyVpcEndpointServiceConfiguration | Whitelist | Allows cross-account access. |
| ec2:ModifyVpcEndpointServicePermissions | Whitelist | Allows cross-account access. |
| ec2:ModifyVpcPeeringConnectionOptions | Whitelist | |
| ec2:ModifyVpcTenancy | Whitelist | |
| ec2:ModifyVpnConnection | Admin | Allows to create the transit gateway attachment via vpn connection. |
| ec2:ModifyVpnConnection | Admin | |
| ec2:ModifyVpnConnectionOptions | Admin | |
| ec2:ModifyVpnTunnelCertificate | Admin | |
| ec2:ModifyVpnTunnelOptions | Admin | |
| ec2:MoveAddressToVpc | None | EC2 classic should not be used |
| ec2:MoveByoipCidrToIpam | Admin | |
| ec2:ProvisionByoipCidr | Admin | |
| ec2:ProvisionIpamPoolCidr | Admin | |
| ec2:ProvisionPublicIpv4PoolCidr | Admin | |
| ec2:RegisterTransitGatewayMulticastGroupMembers | Admin | |
| ec2:RegisterTransitGatewayMulticastGroupSources | Admin | |
| ec2:RejectTransitGatewayMulticastDomainAssociations | Admin | |
| ec2:RejectTransitGatewayPeeringAttachment | Admin | |
| ec2:RejectTransitGatewayVpcAttachment | Admin | |
| ec2:RejectVpcEndpointConnections | Whitelist | |
| ec2:RejectVpcPeeringConnection | Whitelist | |
| ec2:ReleaseAddress | Admin | Admins can release elastic IP addresses. |
| ec2:ReleaseIpamPoolAllocation | Admin | |
| ec2:ReplaceNetworkAclAssociation | Whitelist | |
| ec2:ReplaceNetworkAclEntry | Whitelist | |
| ec2:ReplaceRoute | Whitelist | |
| ec2:ReplaceRouteTableAssociation | Whitelist | |
| ec2:ReplaceTransitGatewayRoute | Admin | |
| ec2:ResetAddressAttribute | Admin | |
| ec2:RestoreAddressToClassic | None | EC2 classic should not be used |
| ec2:RestoreManagedPrefixListVersion | Admin | |
| ec2:RevokeClientVpnIngress | Admin | |
| ec2:RevokeSecurityGroupEgress | Whitelist | |
| ec2:RevokeSecurityGroupIngress | Whitelist | |
| ec2:RevokeSecurityGroupEgress | Whitelist | |
| ec2:RevokeSecurityGroupIngress | Whitelist | |
| ec2:SearchLocalGatewayRoutes | Metadata | |
| ec2:SearchTransitGatewayMulticastGroups | Metadata | |
| ec2:SearchTransitGatewayRoutes | Metadata | |
| ec2:StartNetworkInsightsAnalysis | Admin | |
| ec2:StartNetworkInsightsAccessScopeAnalysis | Admin | |
| ec2:StartVpcEndpointServicePrivateDnsVerification | Admin | |
| ec2:TerminateClientVpnConnections | Admin | |
| ec2:UpdateSecurityGroupRuleDescriptionsEgress | Whitelist | Admin can update the description field only. |
| ec2:UpdateSecurityGroupRuleDescriptionsIngress | Whitelist | Admin can update the description field only. |
| ec2:WithdrawByoipCidr | Admin | |
| elasticloadbalancing:DescribeLoadBalancers | Metadata | |
| logs:DescribeLogGroups | Metadata | |
| logs:DescribeLogStreams | Metadata | |
| ram:GetResourceShareAssociations | Metadata | |
| tiros:CreateQuery | Admin | |
| tiros:GetQueryAnswer | Metadata | |
| tiros:GetQueryExplanation | Metadata |