Actions, resources, and condition keys for AWS Network Manager
AWS Network Manager (service prefix: networkmanager) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
- Learn how to configure this service.
- View a list of the API operations available for this service.
- Learn how to secure this service and its resources by using IAM permission policies.
Actions defined by AWS Network Manager
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
---|---|---|---|---|---|
AcceptAttachment | Grants permission to accept creation of an attachment between a source and destination in a core network | Write | | | ec2:DescribeRegions |
AssociateConnectPeer | Grants permission to associate a Connect Peer | Write | | | |
AssociateCustomerGateway | Grants permission to associate a customer gateway to a device | Write | | | |
AssociateLink | Grants permission to associate a link to a device | Write | | | |
AssociateTransitGatewayConnectPeer | Grants permission to associate a transit gateway connect peer to a device | Write | | | |
CreateConnectAttachment | Grants permission to create a Connect attachment | Write | | | ec2:DescribeRegions, networkmanager:TagResource |
CreateConnectPeer | Grants permission to create a Connect Peer connection | Write | | | ec2:DescribeRegions, networkmanager:TagResource |
CreateConnection | Grants permission to create a new connection | Write | | | networkmanager:TagResource |
CreateCoreNetwork | Grants permission to create a new core network | Write | | | ec2:DescribeRegions, networkmanager:TagResource |
CreateDevice | Grants permission to create a new device | Write | | | networkmanager:TagResource |
CreateDirectConnectGatewayAttachment | Grants permission to create a Direct Connect gateway attachment | Write | | | ec2:DescribeRegions, networkmanager:TagResource |
CreateGlobalNetwork | Grants permission to create a new global network | Write | | | iam:CreateServiceLinkedRole, networkmanager:TagResource |
CreateLink | Grants permission to create a new link | Write | | | networkmanager:TagResource |
CreateSite | Grants permission to create a new site | Write | | | networkmanager:TagResource |
CreateSiteToSiteVpnAttachment | Grants permission to create a site-to-site VPN attachment | Write | | | ec2:DescribeRegions, networkmanager:TagResource |
CreateTransitGatewayPeering | Grants permission to create a Transit Gateway peering | Write | | | ec2:DescribeRegions, networkmanager:TagResource |
CreateTransitGatewayRouteTableAttachment | Grants permission to create a TGW RTB attachment | Write | | | ec2:DescribeRegions, networkmanager:TagResource |
CreateVpcAttachment | Grants permission to create a VPC attachment | Write | | | ec2:DescribeRegions, networkmanager:TagResource |
DeleteAttachment | Grants permission to delete an attachment | Write | | | ec2:DescribeRegions |
DeleteConnectPeer | Grants permission to delete a Connect Peer | Write | | | ec2:DescribeRegions |
DeleteConnection | Grants permission to delete a connection | Write | | | |
DeleteCoreNetwork | Grants permission to delete a core network | Write | | | ec2:DescribeRegions |
DeleteCoreNetworkPolicyVersion | Grants permission to delete the core network policy version | Write | | | |
DeleteDevice | Grants permission to delete a device | Write | | | |
DeleteGlobalNetwork | Grants permission to delete a global network | Write | | | |
DeleteLink | Grants permission to delete a link | Write | | | |
DeletePeering | Grants permission to delete a peering | Write | | | ec2:DescribeRegions |
DeleteResourcePolicy | Grants permission to delete a resource | Write | | | |
DeleteSite | Grants permission to delete a site | Write | | | |
DeregisterTransitGateway | Grants permission to deregister a transit gateway from a global network | Write | | | |
DescribeGlobalNetworks | Grants permission to describe global networks | List | | | |
DisassociateConnectPeer | Grants permission to disassociate a Connect Peer | Write | | | |
DisassociateCustomerGateway | Grants permission to disassociate a customer gateway from a device | Write | | | |
DisassociateLink | Grants permission to disassociate a link from a device | Write | | | |
DisassociateTransitGatewayConnectPeer | Grants permission to disassociate a transit gateway connect peer from a device | Write | | | |
ExecuteCoreNetworkChangeSet | Grants permission to apply changes to the core network | Write | | | ec2:DescribeRegions |
GetConnectAttachment | Grants permission to retrieve a Connect attachment | Read | | | |
GetConnectPeer | Grants permission to retrieve a Connect Peer | Read | | | |
GetConnectPeerAssociations | Grants permission to describe Connect Peer associations | Read | | | |
GetConnections | Grants permission to describe connections | List | | | |
GetCoreNetwork | Grants permission to retrieve a core network | Read | | | |
GetCoreNetworkChangeEvents | Grants permission to retrieve a list of core network change events | Read | | | |
GetCoreNetworkChangeSet | Grants permission to retrieve a list of core network change sets | Read | | | |
GetCoreNetworkPolicy | Grants permission to retrieve core network policy | Read | | | |
GetCustomerGatewayAssociations | Grants permission to describe customer gateway associations | List | | | |
GetDevices | Grants permission to describe devices | List | | | |
GetDirectConnectGatewayAttachment | Grants permission to retrieve a Direct Connect gateway attachment | Read | | | |
GetLinkAssociations | Grants permission to describe link associations | List | | | |
GetLinks | Grants permission to describe links | List | | | |
GetNetworkResourceCounts | Grants permission to return the number of resources for a global network grouped by type | Read | | | |
GetNetworkResourceRelationships | Grants permission to retrieve related resources for a resource within the global network | Read | | | |
GetNetworkResources | Grants permission to retrieve a global network resource | Read | | | |
GetNetworkRoutes | Grants permission to retrieve routes for a route table within the global network | Read | | | |
GetNetworkTelemetry | Grants permission to retrieve network telemetry objects for the global network | Read | | | |
GetResourcePolicy | Grants permission to retrieve a resource policy | Read | | | |
GetRouteAnalysis | Grants permission to retrieve a route analysis configuration and result | Read | | | |
GetSiteToSiteVpnAttachment | Grants permission to retrieve a site-to-site VPN attachment | Read | | | |
GetSites | Grants permission to describe global networks | List | | | |
GetTransitGatewayConnectPeerAssociations | Grants permission to describe transit gateway connect peer associations | List | | | |
GetTransitGatewayPeering | Grants permission to retrieve a Transit Gateway peering | Read | | | |
GetTransitGatewayRegistrations | Grants permission to describe transit gateway registrations | List | | | |
GetTransitGatewayRouteTableAttachment | Grants permission to retrieve a TGW RTB attachment | Read | | | |
GetVpcAttachment | Grants permission to retrieve a VPC attachment | Read | | | |
ListAttachments | Grants permission to describe attachments | List | | | |
ListConnectPeers | Grants permission to describe Connect Peers | List | | | |
ListCoreNetworkPolicyVersions | Grants permission to list core network policy versions | List | | | |
ListCoreNetworks | Grants permission to list core networks | List | | | |
ListOrganizationServiceAccessStatus | Grants permission to list organization service access status | List | | | |
ListPeerings | Grants permission to describe peerings | List | | | |
ListTagsForResource | Grants permission to list tags for a Network Manager resource | Read | | | |
PutCoreNetworkPolicy | Grants permission to create a core network policy | Write | | | ec2:DescribeRegions |
PutResourcePolicy | Grants permission to create or update a resource policy | Write | | | |
RegisterTransitGateway | Grants permission to register a transit gateway to a global network | Write | | | |
RejectAttachment | Grants permission to reject an attachment request | Write | | | |
RestoreCoreNetworkPolicyVersion | Grants permission to restore the core network policy to a previous version | Write | | | ec2:DescribeRegions |
StartOrganizationServiceAccessUpdate | Grants permission to start an organization service access update | Write | | | |
StartRouteAnalysis | Grants permission to start a route analysis and store the analysis configuration | Write | | | |
TagResource | Grants permission to tag a Network Manager resource | Tagging | | | |
UntagResource | Grants permission to untag a Network Manager resource | Tagging | | | |
UpdateConnection | Grants permission to update a connection | Write | | | |
UpdateCoreNetwork | Grants permission to update a core network | Write | | | |
UpdateDevice | Grants permission to update a device | Write | | | |
UpdateDirectConnectGatewayAttachment | Grants permission to update a Direct Connect gateway attachment | Write | | | ec2:DescribeRegions |
UpdateGlobalNetwork | Grants permission to update a global network | Write | | | |
UpdateLink | Grants permission to update a link | Write | | | |
UpdateNetworkResourceMetadata | Grants permission to add or update metadata key/value pairs on a network resource | Write | | | |
UpdateSite | Grants permission to update a site | Write | | | |
UpdateVpcAttachment | Grants permission to update a VPC attachment | Write | | | ec2:DescribeRegions |
Resource types defined by AWS Network Manager
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.
Resource types | ARN | Condition keys |
---|---|---|
global-network | arn:${Partition}:networkmanager::${Account}:global-network/${ResourceId} | |
site | arn:${Partition}:networkmanager::${Account}:site/${GlobalNetworkId}/${ResourceId} | |
link | arn:${Partition}:networkmanager::${Account}:link/${GlobalNetworkId}/${ResourceId} | |
device | arn:${Partition}:networkmanager::${Account}:device/${GlobalNetworkId}/${ResourceId} | |
connection | arn:${Partition}:networkmanager::${Account}:connection/${GlobalNetworkId}/${ResourceId} | |
core-network | arn:${Partition}:networkmanager::${Account}:core-network/${ResourceId} | |
attachment | arn:${Partition}:networkmanager::${Account}:attachment/${ResourceId} | |
connect-peer | arn:${Partition}:networkmanager::${Account}:connect-peer/${ResourceId} | |
peering | arn:${Partition}:networkmanager::${Account}:peering/${ResourceId} | |
Condition keys for AWS Network Manager
AWS Network Manager defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
Condition keys | Description | Type |
---|---|---|
aws:RequestTag/${TagKey} | Filters access by the tags that are passed in the request | String |
aws:ResourceTag/${TagKey} | Filters access by the tags associated with the resource | String |
aws:TagKeys | Filters access by the tag keys that are passed in the request | ArrayOfString |
networkmanager:cgwArn | Filters access by which customer gateways can be associated or disassociated | ARN |
networkmanager:directConnectGatewayArn | Filters access by which Direct Connect gateway can be used to create or update an attachment | ARN |
networkmanager:edgeLocations | Filters access by which edge locations can be added or removed from a Direct Connect gateway attachment | ArrayOfString |
networkmanager:subnetArns | Filters access by which VPC subnets can be added or removed from a VPC attachment | ArrayOfARN |
networkmanager:tgwArn | Filters access by which transit gateways can be registered, deregistered, or peered | ARN |
networkmanager:tgwConnectPeerArn | Filters access by which transit gateway connect peers can be associated or disassociated | ARN |
networkmanager:tgwRtbArn | Filters access by which Transit Gateway Route Table can be used to create an attachment | ARN |
networkmanager:vpcArn | Filters access by which VPC can be used to create or update an attachment | ARN |
networkmanager:vpnConnectionArn | Filters access by which Site-to-Site VPN can be used to create or update an attachment | ARN |
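As an added illustration (not part of the AWS reference above), the following identity-based policy shows how the Actions table, its Dependent actions column and the service condition keys combine into a least-privilege grant: the principal may create and update VPC attachments only for one VPC and only with subnets from a fixed set, and receives exactly the dependent actions the table lists for CreateVpcAttachment (ec2:DescribeRegions and networkmanager:TagResource). The account ID, Region, VPC ID and subnet IDs are constructed placeholders; because the table as shown lists no resource type for these actions, Resource is "*" as the Actions section describes, and scoping comes from the networkmanager:vpcArn and networkmanager:subnetArns condition keys.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateAndUpdateOneVpcAttachment",
      "Effect": "Allow",
      "Action": [
        "networkmanager:CreateVpcAttachment",
        "networkmanager:UpdateVpcAttachment"
      ],
      "Resource": "*",
      "Condition": {
        "ArnEquals": {
          "networkmanager:vpcArn": "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-0123456789abcdef0"
        },
        "ForAllValues:ArnLike": {
          "networkmanager:subnetArns": [
            "arn:aws:ec2:us-east-1:111122223333:subnet/subnet-0aaaaaaaaaaaaaaa1",
            "arn:aws:ec2:us-east-1:111122223333:subnet/subnet-0bbbbbbbbbbbbbbb2"
          ]
        }
      }
    },
    {
      "Sid": "DependentActionsListedForCreateVpcAttachment",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeRegions",
        "networkmanager:TagResource"
      ],
      "Resource": "*"
    }
  ]
}
```

ForAllValues evaluates to true when the request carries no networkmanager:subnetArns at all, so pair it with a Null condition on that key if a request without subnets must also be refused; networkmanager:subnetArns is an ArrayOfARN key, which is why a set operator is required rather than plain ArnLike.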