Actions, resources, and condition keys for AWS Network Manager - Service Authorization Reference

Actions, resources, and condition keys for AWS Network Manager

AWS Network Manager (service prefix: networkmanager) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by AWS Network Manager

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AcceptAttachment | Grants permission to accept creation of an attachment between a source and destination in a core network | Write | attachment* | | ec2:DescribeRegions
AssociateConnectPeer | Grants permission to associate a Connect Peer | Write | device*, global-network* | |
AssociateCustomerGateway | Grants permission to associate a customer gateway to a device | Write | device*, global-network*, link | networkmanager:cgwArn |
(action name missing) | Grants permission to associate a link to a device | Write | device*, global-network*, link* | |
AssociateTransitGatewayConnectPeer | Grants permission to associate a transit gateway connect peer to a device | Write | device*, global-network*, link | networkmanager:tgwConnectPeerArn |
CreateConnectAttachment | Grants permission to create a Connect attachment | Write | attachment*, core-network* | aws:RequestTag/${TagKey}, aws:TagKeys | ec2:DescribeRegions, networkmanager:TagResource
CreateConnectPeer | Grants permission to create a Connect Peer connection | Write | attachment* | aws:RequestTag/${TagKey}, aws:TagKeys | ec2:DescribeRegions, networkmanager:TagResource
CreateConnection | Grants permission to create a new connection | Write | global-network* | aws:RequestTag/${TagKey}, aws:TagKeys | networkmanager:TagResource
CreateCoreNetwork | Grants permission to create a new core network | Write | global-network* | aws:RequestTag/${TagKey}, aws:TagKeys | ec2:DescribeRegions, networkmanager:TagResource
CreateDevice | Grants permission to create a new device | Write | global-network* | aws:RequestTag/${TagKey}, aws:TagKeys | networkmanager:TagResource
CreateDirectConnectGatewayAttachment | Grants permission to create a Direct Connect gateway attachment | Write | core-network* | aws:RequestTag/${TagKey}, aws:TagKeys, networkmanager:directConnectGatewayArn, networkmanager:edgeLocations | ec2:DescribeRegions, networkmanager:TagResource
CreateGlobalNetwork | Grants permission to create a new global network | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | iam:CreateServiceLinkedRole, networkmanager:TagResource
(action name missing) | Grants permission to create a new link | Write | global-network*, site | aws:RequestTag/${TagKey}, aws:TagKeys | networkmanager:TagResource
CreateSite | Grants permission to create a new site | Write | global-network* | aws:RequestTag/${TagKey}, aws:TagKeys | networkmanager:TagResource
CreateSiteToSiteVpnAttachment | Grants permission to create a site-to-site VPN attachment | Write | core-network* | aws:RequestTag/${TagKey}, aws:TagKeys, networkmanager:vpnConnectionArn | ec2:DescribeRegions, networkmanager:TagResource
CreateTransitGatewayPeering | Grants permission to create a Transit Gateway peering | Write | core-network* | aws:RequestTag/${TagKey}, aws:TagKeys, networkmanager:tgwArn | ec2:DescribeRegions, networkmanager:TagResource
CreateTransitGatewayRouteTableAttachment | Grants permission to create a TGW RTB attachment | Write | peering* | aws:RequestTag/${TagKey}, aws:TagKeys, networkmanager:tgwRtbArn | ec2:DescribeRegions, networkmanager:TagResource
CreateVpcAttachment | Grants permission to create a VPC attachment | Write | core-network* | aws:RequestTag/${TagKey}, aws:TagKeys, networkmanager:vpcArn, networkmanager:subnetArns | ec2:DescribeRegions, networkmanager:TagResource
DeleteAttachment | Grants permission to delete an attachment | Write | attachment* | | ec2:DescribeRegions
DeleteConnectPeer | Grants permission to delete a Connect Peer | Write | connect-peer* | | ec2:DescribeRegions
DeleteConnection | Grants permission to delete a connection | Write | connection*, global-network* | |
DeleteCoreNetwork | Grants permission to delete a core network | Write | core-network* | | ec2:DescribeRegions
DeleteCoreNetworkPolicyVersion | Grants permission to delete the core network policy version | Write | core-network* | |
DeleteDevice | Grants permission to delete a device | Write | device*, global-network* | |
DeleteGlobalNetwork | Grants permission to delete a global network | Write | global-network* | |
(action name missing) | Grants permission to delete a link | Write | global-network*, link* | |
DeletePeering | Grants permission to delete a peering | Write | peering* | | ec2:DescribeRegions
DeleteResourcePolicy | Grants permission to delete a resource | Write | core-network* | |
DeleteSite | Grants permission to delete a site | Write | global-network*, site* | |
DeregisterTransitGateway | Grants permission to deregister a transit gateway from a global network | Write | global-network* | networkmanager:tgwArn |
DescribeGlobalNetworks | Grants permission to describe global networks | List | global-network | |
DisassociateConnectPeer | Grants permission to disassociate a Connect Peer | Write | global-network* | |
DisassociateCustomerGateway | Grants permission to disassociate a customer gateway from a device | Write | global-network* | networkmanager:cgwArn |
(action name missing) | Grants permission to disassociate a link from a device | Write | device*, global-network*, link* | |
DisassociateTransitGatewayConnectPeer | Grants permission to disassociate a transit gateway connect peer from a device | Write | global-network* | networkmanager:tgwConnectPeerArn |
ExecuteCoreNetworkChangeSet | Grants permission to apply changes to the core network | Write | core-network* | | ec2:DescribeRegions
GetConnectAttachment | Grants permission to retrieve a Connect attachment | Read | attachment* | |
GetConnectPeer | Grants permission to retrieve a Connect Peer | Read | connect-peer* | |
GetConnectPeerAssociations | Grants permission to describe Connect Peer associations | Read | global-network* | |
GetConnections | Grants permission to describe connections | List | global-network*, connection | |
GetCoreNetwork | Grants permission to retrieve a core network | Read | core-network* | |
GetCoreNetworkChangeEvents | Grants permission to retrieve a list of core network change events | Read | core-network* | |
GetCoreNetworkChangeSet | Grants permission to retrieve a list of core network change sets | Read | core-network* | |
GetCoreNetworkPolicy | Grants permission to retrieve core network policy | Read | core-network* | |
GetCustomerGatewayAssociations | Grants permission to describe customer gateway associations | List | global-network* | |
GetDevices | Grants permission to describe devices | List | global-network*, device | |
GetDirectConnectGatewayAttachment | Grants permission to retrieve a Direct Connect gateway attachment | Read | attachment* | |
GetLinkAssociations | Grants permission to describe link associations | List | global-network*, device, link | |
(action name missing) | Grants permission to describe links | List | global-network*, link | |
GetNetworkResourceCounts | Grants permission to return the number of resources for a global network grouped by type | Read | global-network* | |
GetNetworkResourceRelationships | Grants permission to retrieve related resources for a resource within the global network | Read | global-network* | |
GetNetworkResources | Grants permission to retrieve a global network resource | Read | global-network* | |
GetNetworkRoutes | Grants permission to retrieve routes for a route table within the global network | Read | global-network* | |
GetNetworkTelemetry | Grants permission to retrieve network telemetry objects for the global network | Read | global-network* | |
GetResourcePolicy | Grants permission to retrieve a resource policy | Read | core-network* | |
GetRouteAnalysis | Grants permission to retrieve a route analysis configuration and result | Read | global-network* | |
GetSiteToSiteVpnAttachment | Grants permission to retrieve a site-to-site VPN attachment | Read | attachment* | |
GetSites | Grants permission to describe global networks | List | global-network*, site | |
GetTransitGatewayConnectPeerAssociations | Grants permission to describe transit gateway connect peer associations | List | global-network* | |
GetTransitGatewayPeering | Grants permission to retrieve a Transit Gateway peering | Read | peering* | |
GetTransitGatewayRegistrations | Grants permission to describe transit gateway registrations | List | global-network* | |
GetTransitGatewayRouteTableAttachment | Grants permission to retrieve a TGW RTB attachment | Read | attachment* | |
GetVpcAttachment | Grants permission to retrieve a VPC attachment | Read | attachment* | |
ListAttachments | Grants permission to describe attachments | List | attachment* | |
ListConnectPeers | Grants permission to describe Connect Peers | List | connect-peer* | |
ListCoreNetworkPolicyVersions | Grants permission to list core network policy versions | List | core-network* | |
ListCoreNetworks | Grants permission to list core networks | List | | |
ListOrganizationServiceAccessStatus | Grants permission to list organization service access status | List | | |
ListPeerings | Grants permission to describe peerings | List | | |
ListTagsForResource | Grants permission to list tags for a Network Manager resource | Read | attachment, connect-peer, connection, core-network, device, global-network, link, peering, site | aws:ResourceTag/${TagKey} |
PutCoreNetworkPolicy | Grants permission to create a core network policy | Write | core-network* | | ec2:DescribeRegions
PutResourcePolicy | Grants permission to create or update a resource policy | Write | core-network* | |
RegisterTransitGateway | Grants permission to register a transit gateway to a global network | Write | global-network* | networkmanager:tgwArn |
RejectAttachment | Grants permission to reject an attachment request | Write | attachment* | |
RestoreCoreNetworkPolicyVersion | Grants permission to restore the core network policy to a previous version | Write | core-network* | | ec2:DescribeRegions
StartOrganizationServiceAccessUpdate | Grants permission to start an organization service access update | Write | | |
StartRouteAnalysis | Grants permission to start a route analysis and store the analysis configuration | Write | global-network* | |
TagResource | Grants permission to tag a Network Manager resource | Tagging | attachment, connect-peer, connection, core-network, device, global-network, link, peering, site | aws:TagKeys, aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey} |
UntagResource | Grants permission to untag a Network Manager resource | Tagging | attachment, connect-peer, connection, core-network, device, global-network, link, peering, site | aws:TagKeys |
UpdateConnection | Grants permission to update a connection | Write | connection*, global-network* | |
UpdateCoreNetwork | Grants permission to update a core network | Write | core-network* | |
UpdateDevice | Grants permission to update a device | Write | device*, global-network* | |
UpdateDirectConnectGatewayAttachment | Grants permission to update a Direct Connect gateway attachment | Write | attachment* | aws:RequestTag/${TagKey}, aws:TagKeys, networkmanager:edgeLocations | ec2:DescribeRegions
UpdateGlobalNetwork | Grants permission to update a global network | Write | global-network* | |
(action name missing) | Grants permission to update a link | Write | global-network*, link* | |
UpdateNetworkResourceMetadata | Grants permission to add or update metadata key/value pairs on a network resource | Write | global-network* | |
UpdateSite | Grants permission to update a site | Write | global-network*, site* | |
UpdateVpcAttachment | Grants permission to update a VPC attachment | Write | attachment* | aws:RequestTag/${TagKey}, aws:TagKeys, networkmanager:subnetArns | ec2:DescribeRegions
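The policy below is an added illustration of how the three right-hand columns of the Actions table combine in practice; it is not part of the AWS reference page. It grants CreateVpcAttachment only against one named core network (resource-level permission on the required core-network* resource), only for one approved VPC and its subnets (the networkmanager:vpcArn and networkmanager:subnetArns condition keys), and only when the request carries an Environment tag, and then grants the two dependent actions the table lists for that action. The account ID, core network ID, VPC ID and subnet IDs are placeholders, not values from the page.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AttachOneApprovedVpcToOneCoreNetwork",
      "Effect": "Allow",
      "Action": "networkmanager:CreateVpcAttachment",
      "Resource": "arn:aws:networkmanager::111122223333:core-network/core-network-EXAMPLE0000000000",
      "Condition": {
        "ArnEquals": {
          "networkmanager:vpcArn": "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-EXAMPLE00000"
        },
        "ForAllValues:ArnLike": {
          "networkmanager:subnetArns": [
            "arn:aws:ec2:us-east-1:111122223333:subnet/subnet-EXAMPLE0000a",
            "arn:aws:ec2:us-east-1:111122223333:subnet/subnet-EXAMPLE0000b"
          ]
        },
        "StringEquals": {
          "aws:RequestTag/Environment": "prod"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": ["Environment", "Owner"]
        }
      }
    },
    {
      "Sid": "DependentTagResourceOnNewAttachmentsOnly",
      "Effect": "Allow",
      "Action": "networkmanager:TagResource",
      "Resource": "arn:aws:networkmanager::111122223333:attachment/*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/Environment": "prod"
        }
      }
    },
    {
      "Sid": "DependentDescribeRegionsHasNoResourceLevelSupport",
      "Effect": "Allow",
      "Action": "ec2:DescribeRegions",
      "Resource": "*"
    }
  ]
}
```

Three points follow directly from the table. First, because core-network is marked required (*) for CreateVpcAttachment, the core network ARN can be pinned in Resource rather than left as "*". Second, the Dependent actions column is not optional: without the second and third statements the call fails even though the first statement allows it, and the dependent networkmanager:TagResource grant is itself scoped to the attachment ARN pattern and the same tag condition so that it cannot be reused to retag unrelated resources. Third, networkmanager:subnetArns is typed ArrayOfARN in the Condition keys table, so a set qualifier (ForAllValues) is needed; a plain ArnEquals on a multivalued key would not express "every subnet in the request must be on this list".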

Resource types defined by AWS Network Manager

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types | ARN | Condition keys
global-network | arn:${Partition}:networkmanager::${Account}:global-network/${ResourceId} | aws:ResourceTag/${TagKey}
site | arn:${Partition}:networkmanager::${Account}:site/${GlobalNetworkId}/${ResourceId} | aws:ResourceTag/${TagKey}
link | arn:${Partition}:networkmanager::${Account}:link/${GlobalNetworkId}/${ResourceId} | aws:ResourceTag/${TagKey}
device | arn:${Partition}:networkmanager::${Account}:device/${GlobalNetworkId}/${ResourceId} | aws:ResourceTag/${TagKey}
connection | arn:${Partition}:networkmanager::${Account}:connection/${GlobalNetworkId}/${ResourceId} | aws:ResourceTag/${TagKey}
core-network | arn:${Partition}:networkmanager::${Account}:core-network/${ResourceId} | aws:ResourceTag/${TagKey}
attachment | arn:${Partition}:networkmanager::${Account}:attachment/${ResourceId} | aws:ResourceTag/${TagKey}
connect-peer | arn:${Partition}:networkmanager::${Account}:connect-peer/${ResourceId} | aws:ResourceTag/${TagKey}
peering | arn:${Partition}:networkmanager::${Account}:peering/${ResourceId} | aws:ResourceTag/${TagKey}

Condition keys for AWS Network Manager

AWS Network Manager defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters access by the tags that are passed in the request | String
aws:ResourceTag/${TagKey} | Filters access by the tags associated with the resource | String
aws:TagKeys | Filters access by the tag keys that are passed in the request | ArrayOfString
networkmanager:cgwArn | Filters access by which customer gateways can be associated or disassociated | ARN
networkmanager:directConnectGatewayArn | Filters access by which Direct Connect gateway can be used to create or update an attachment | ARN
networkmanager:edgeLocations | Filters access by which edge locations can be added to or removed from a Direct Connect gateway attachment | ArrayOfString
networkmanager:subnetArns | Filters access by which VPC subnets can be added to or removed from a VPC attachment | ArrayOfARN
networkmanager:tgwArn | Filters access by which transit gateways can be registered, deregistered, or peered | ARN
networkmanager:tgwConnectPeerArn | Filters access by which transit gateway connect peers can be associated or disassociated | ARN
networkmanager:tgwRtbArn | Filters access by which Transit Gateway route table can be used to create an attachment | ARN
networkmanager:vpcArn | Filters access by which VPC can be used to create or update an attachment | ARN
networkmanager:vpnConnectionArn | Filters access by which Site-to-Site VPN connection can be used to create or update an attachment | ARN