Amazon VPC Lattice API permissions

You must grant IAM identities (such as users or roles) permission to call the VPC Lattice API actions they need, as described in Policy actions for VPC Lattice. In addition, for some VPC Lattice actions, you must grant IAM identities permission to call specific actions from other AWS APIs.

Required permissions for the API

When calling the following actions from the API, you must grant IAM users permission to call the specified actions.

CreateServiceNetworkVpcAssociation

vpc-lattice:CreateServiceNetworkVpcAssociation
ec2:DescribeVpcs
ec2:DescribeSecurityGroups (Only needed when security groups are provided)

UpdateServiceNetworkVpcAssociation

vpc-lattice:UpdateServiceNetworkVpcAssociation
ec2:DescribeSecurityGroups (Only needed when security groups are provided)

CreateTargetGroup

vpc-lattice:CreateTargetGroup
ec2:DescribeVpcs

RegisterTargets

vpc-lattice:RegisterTargets
ec2:DescribeInstances (Only needed when INSTANCE is the target group type)
ec2:DescribeVpcs (Only needed when INSTANCE or IP is the target group type)
ec2:DescribeSubnets (Only needed when INSTANCE or IP is the target group type)
lambda:GetFunction (Only needed when LAMBDA is the target group type)
lambda:AddPermission (Only needed if the target group doesn't already have permission to invoke the specified Lambda function)

DeregisterTargets

vpc-lattice:DeregisterTargets

CreateAccessLogSubscription

vpc-lattice:CreateAccessLogSubscription
logs:GetLogDelivery
logs:CreateLogDelivery

DeleteAccessLogSubscription

vpc-lattice:DeleteAccessLogSubscription
logs:DeleteLogDelivery

UpdateAccessLogSubscription

vpc-lattice:UpdateAccessLogSubscription
logs:UpdateLogDelivery

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

How Amazon VPC Lattice works with IAM

Identity-based policies