AWS Cloud WAN service-linked roles
AWS Cloud WAN uses the following service-linked roles for the permissions that it requires to call other AWS services on your behalf:
AWSServiceRoleForNetworkManagerCloudWAN
AWS Cloud WAN uses the service-linked role named AWSServiceRoleForNetworkManagerCloudWAN to create and announce transit gateway route tables, and then to propagate transit gateway routes to those tables.
The AWSServiceRoleForNetworkManagerCloudWAN service-linked role trusts the following service to assume the role:
- networkmanager.amazonaws.com
The following AWSNetworkManagerCloudWANServiceRolePolicy policy is attached to the role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTransitGatewayRouteTableAnnouncement",
        "ec2:DeleteTransitGatewayRouteTableAnnouncement",
        "ec2:EnableTransitGatewayRouteTablePropagation",
        "ec2:DisableTransitGatewayRouteTablePropagation"
      ],
      "Resource": "*"
    }
  ]
}
AWSServiceRoleForVPCTransitGateway
Amazon VPC uses the service-linked role named AWSServiceRoleForVPCTransitGateway to call the following actions on your behalf when you work with a transit gateway:
- ec2:CreateNetworkInterface
- ec2:DescribeNetworkInterfaces
- ec2:ModifyNetworkInterfaceAttribute
- ec2:DeleteNetworkInterface
- ec2:CreateNetworkInterfacePermission
- ec2:AssignIpv6Addresses
- ec2:UnAssignIpv6Addresses
AWSServiceRoleForVPCTransitGateway trusts the transitgateway.amazonaws.com service to assume the role.
AWSServiceRoleForNetworkManager
AWS Cloud WAN uses the service-linked role named AWSServiceRoleForNetworkManager to call actions on your behalf when you work with global networks.
The AWSServiceRoleForNetworkManager service-linked role trusts the following service to assume the role:
- networkmanager.amazonaws.com
The following AWSNetworkManagerServiceRolePolicy policy is attached to the role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "directconnect:DescribeDirectConnectGateways",
        "directconnect:DescribeConnections",
        "directconnect:DescribeDirectConnectGatewayAttachments",
        "directconnect:DescribeLocations",
        "directconnect:DescribeVirtualInterfaces",
        "ec2:DescribeCustomerGateways",
        "ec2:DescribeTransitGatewayAttachments",
        "ec2:DescribeTransitGatewayRouteTables",
        "ec2:DescribeTransitGateways",
        "ec2:DescribeVpnConnections",
        "ec2:DescribeVpcs",
        "ec2:GetTransitGatewayRouteTableAssociations",
        "ec2:GetTransitGatewayRouteTablePropagations",
        "ec2:SearchTransitGatewayRoutes",
        "ec2:DescribeTransitGatewayPeeringAttachments",
        "ec2:DescribeTransitGatewayConnects",
        "ec2:DescribeTransitGatewayConnectPeers",
        "ec2:DescribeRegions",
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization",
        "organizations:ListAccounts",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:ListDelegatedAdministrators",
        "ec2:DescribeTransitGatewayRouteTableAnnouncements",
        "ec2:DescribeTransitGatewayPolicyTables",
        "ec2:GetTransitGatewayPolicyTableAssociations",
        "ec2:GetTransitGatewayPolicyTableEntries"
      ],
      "Resource": "*"
    }
  ]
}
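To confirm that the roles above exist in an account with exactly the trust principal and permissions this page documents, the following added example (not AWS code) compares the JSON that `aws iam get-role` and `aws iam get-policy-version` return against a baseline taken from this page. The sample documents inside it are constructed; the "drifted" sample exists only to show what a finding looks like. A finding on the action list usually means the baseline is stale, because AWS revises these managed policies over time; the trust policy and policy attachments of a service-linked role cannot be changed from the account, so a principal finding most often means the role name was mistyped or the wrong role was fetched.

```python
"""Check a Cloud WAN / transit gateway service-linked role against this page.

Added example, not AWS code. Inputs are the JSON documents IAM returns
(`aws iam get-role` for the trust policy, `aws iam get-policy-version` for
the attached managed policy); the documents at the bottom are constructed.
"""

# Baseline taken from this page. The VPC transit gateway role's managed policy
# is not named above, so only its trust principal and actions are checked.
EXPECTED = {
    "AWSServiceRoleForNetworkManagerCloudWAN": {
        "principal": "networkmanager.amazonaws.com",
        "policy": "AWSNetworkManagerCloudWANServiceRolePolicy",
        "actions": {
            "ec2:CreateTransitGatewayRouteTableAnnouncement",
            "ec2:DeleteTransitGatewayRouteTableAnnouncement",
            "ec2:EnableTransitGatewayRouteTablePropagation",
            "ec2:DisableTransitGatewayRouteTablePropagation",
        },
    },
    "AWSServiceRoleForVPCTransitGateway": {
        "principal": "transitgateway.amazonaws.com",
        "policy": None,
        "actions": {
            "ec2:CreateNetworkInterface",
            "ec2:DescribeNetworkInterfaces",
            "ec2:ModifyNetworkInterfaceAttribute",
            "ec2:DeleteNetworkInterface",
            "ec2:CreateNetworkInterfacePermission",
            "ec2:AssignIpv6Addresses",
            "ec2:UnAssignIpv6Addresses",
        },
    },
}


def _as_list(value):
    """IAM policy fields may be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trusted_principals(trust_policy):
    """Every principal allowed to sts:AssumeRole, whatever its type (Service/AWS/Federated)."""
    principals = set()
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principals.add("*")
            continue
        for key in ("Service", "AWS", "Federated"):
            principals.update(_as_list(principal.get(key)))
    return principals


def allowed_actions(policy_document):
    """Union of actions granted by Allow statements; IAM ignores case, so lower-case them."""
    actions = set()
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") == "Allow":
            actions.update(a.lower() for a in _as_list(stmt.get("Action")))
    return actions


def audit_role(role_name, trust_policy, attached_policies):
    """Return findings for one role; an empty list means it matches the baseline.

    attached_policies maps managed policy name -> its default policy version document.
    """
    expected = EXPECTED[role_name]
    findings = []
    principals = trusted_principals(trust_policy)
    if principals != {expected["principal"]}:
        findings.append(f"{role_name}: trusts {sorted(principals)}, expected only {expected['principal']}")
    if expected["policy"] and set(attached_policies) != {expected["policy"]}:
        findings.append(f"{role_name}: attached {sorted(attached_policies)}, expected only {expected['policy']}")
    granted = set().union(*(allowed_actions(doc) for doc in attached_policies.values()))
    documented = {a.lower() for a in expected["actions"]}
    findings += [f"{role_name}: grants undocumented action {a}" for a in sorted(granted - documented)]
    findings += [f"{role_name}: lacks documented action {a}" for a in sorted(documented - granted)]
    return findings


# Constructed sample documents, shaped like what IAM returns.
CLEAN_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
               "Principal": {"Service": "networkmanager.amazonaws.com"}}]}
CLEAN_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
    "ec2:CreateTransitGatewayRouteTableAnnouncement", "ec2:DeleteTransitGatewayRouteTableAnnouncement",
    "ec2:EnableTransitGatewayRouteTablePropagation", "ec2:DisableTransitGatewayRouteTablePropagation"]}]}
# Constructed drift for the demo: a second trusted principal and one action beyond the documented four.
DRIFTED_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                 "Principal": {"Service": "networkmanager.amazonaws.com",
                               "AWS": "arn:aws:iam::111122223333:root"}}]}
DRIFTED_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
                  "Action": CLEAN_POLICY["Statement"][0]["Action"] + ["ec2:DeleteTransitGatewayRouteTable"]}]}


def demo():
    """Audit the clean and the drifted sample; returns (clean_findings, drifted_findings)."""
    role, policy = "AWSServiceRoleForNetworkManagerCloudWAN", "AWSNetworkManagerCloudWANServiceRolePolicy"
    clean = audit_role(role, CLEAN_TRUST, {policy: CLEAN_POLICY})
    drifted = audit_role(role, DRIFTED_TRUST, {policy: DRIFTED_POLICY})
    return clean, drifted


if __name__ == "__main__":
    for finding in demo()[1]:
        print(finding)
```

Against a live account, feed `audit_role` the `Role.AssumeRolePolicyDocument` from `aws iam get-role`, and build `attached_policies` from `aws iam list-attached-role-policies` plus the default version from `aws iam get-policy-version`. Action names are compared case-insensitively because IAM evaluates them that way, which is why the baseline's `UnAssignIpv6Addresses` and a policy spelling it `UnassignIpv6Addresses` do not produce a finding.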
Create the service-linked role
You don't need to manually create the AWSServiceRoleForNetworkManager or AWSServiceRoleForVPCTransitGateway roles.
- Network Manager creates the AWSServiceRoleForNetworkManager role when you create your first global network.
- Amazon VPC creates the AWSServiceRoleForVPCTransitGateway role when you attach a VPC to a transit gateway in your account.
For Network Manager to create a service-linked role on your behalf, you must have the required permissions. For more information, see Service-Linked Role Permissions in the IAM User Guide.
Edit the service-linked role
You can edit the AWSServiceRoleForNetworkManager or AWSServiceRoleForVPCTransitGateway descriptions using IAM. For more information, see Editing a Service-Linked Role in the IAM User Guide.
Delete the service-linked role
If you no longer need to use Network Manager, we recommend that you delete the AWSServiceRoleForNetworkManager or AWSServiceRoleForVPCTransitGateway roles.
You can delete these service-linked roles only after you delete your global network. For information about deleting your global network, see Delete a global network.
You can use the IAM console, the IAM CLI, or the IAM API to delete service-linked roles. For more information, see Deleting a Service-Linked Role in the IAM User Guide.
After you delete AWSServiceRoleForNetworkManager, Network Manager creates the role again when you create a new global network. After you delete AWSServiceRoleForVPCTransitGateway, Amazon VPC creates that role again when you attach a VPC to a transit gateway in your account.
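Deleting a service-linked role is asynchronous: the IAM DeleteServiceLinkedRole call returns a deletion task ID, and GetServiceLinkedRoleDeletionStatus reports whether the task succeeded or failed and, on failure, which resources still use the role. The following added example (not AWS code) wraps that flow and shows the failure you get when the global network has not yet been deleted. The IAM client is passed in so the demo runs offline against a constructed stand-in; the stand-in's task-ID format, reason text and the global network ARN are invented for the demonstration.

```python
"""Delete a service-linked role and wait for the asynchronous deletion task.

Added example, not AWS code. `delete_service_linked_role` takes a boto3 IAM
client (or any object with the same two methods) so the flow can be exercised
offline with the constructed FakeIam below. Real use:
    import boto3
    delete_service_linked_role(boto3.client("iam"), "AWSServiceRoleForNetworkManager")
"""
import time


def delete_service_linked_role(iam, role_name, poll_seconds=2.0, max_polls=30):
    """Start deletion, poll the task, and surface the blocking resources on failure.

    Returns {"status": "SUCCEEDED" | "FAILED" | "TIMEOUT", "reason": str,
             "usage": {region: [resource_arn, ...]}}.
    """
    task_id = iam.delete_service_linked_role(RoleName=role_name)["DeletionTaskId"]
    for _ in range(max_polls):
        resp = iam.get_service_linked_role_deletion_status(DeletionTaskId=task_id)
        status = resp["Status"]
        if status == "SUCCEEDED":
            return {"status": status, "reason": "", "usage": {}}
        if status == "FAILED":
            # IAM lists the resources that still use the role; for the roles on this
            # page that is the global network (or transit gateway attachments).
            reason = resp.get("Reason", {})
            usage = {u["Region"]: list(u.get("Resources", []))
                     for u in reason.get("RoleUsageList", [])}
            return {"status": status, "reason": reason.get("Reason", ""), "usage": usage}
        time.sleep(poll_seconds)  # status is NOT_STARTED or IN_PROGRESS
    return {"status": "TIMEOUT", "reason": f"task {task_id} still running", "usage": {}}


class FakeIam:
    """Constructed stand-in for the two IAM calls used above; offline demo only.

    Behaviour modelled on IAM: the task is IN_PROGRESS on the first poll, then
    FAILED while any resource still uses the role, otherwise SUCCEEDED.
    The task-ID format and reason text are invented.
    """

    def __init__(self, resources_using_role):
        self.in_use = list(resources_using_role)
        self.polls = {}

    def delete_service_linked_role(self, RoleName):
        task_id = f"task/aws-service-role/networkmanager.amazonaws.com/{RoleName}/{len(self.polls) + 1}"
        self.polls[task_id] = 0
        return {"DeletionTaskId": task_id}

    def get_service_linked_role_deletion_status(self, DeletionTaskId):
        self.polls[DeletionTaskId] += 1
        if self.polls[DeletionTaskId] == 1:
            return {"Status": "IN_PROGRESS"}
        if self.in_use:
            return {"Status": "FAILED", "Reason": {
                "Reason": "Role is still in use by the listed resources",
                "RoleUsageList": [{"Region": "us-west-2", "Resources": list(self.in_use)}]}}
        return {"Status": "SUCCEEDED"}


def demo():
    """First attempt fails while a (constructed) global network still exists; the retry succeeds."""
    iam = FakeIam(["arn:aws:networkmanager::123456789012:global-network/global-network-0123456789abcdef0"])
    first = delete_service_linked_role(iam, "AWSServiceRoleForNetworkManager", poll_seconds=0)
    iam.in_use.clear()  # stands in for deleting the global network before retrying
    second = delete_service_linked_role(iam, "AWSServiceRoleForNetworkManager", poll_seconds=0)
    return first, second


if __name__ == "__main__":
    first, second = demo()
    print(first["status"], first["usage"])
    print(second["status"])
```

The usage map is the part worth keeping in automation: when the task fails, it tells you which global network or attachment to remove before retrying, instead of leaving you to guess from a generic error.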
Supported Regions for Network Manager service-linked roles
Network Manager supports the service-linked roles in all AWS Regions where the service is available. For more information, see AWS endpoints in the AWS General Reference.