What are the minimum IAM permissions needed to use VPC peering to set up communication between Lightsail and other AWS services?


I want to use Amazon Virtual Private Cloud (VPC) peering to set up communication between Amazon Lightsail and other AWS services.

Resolution

Lightsail requires a peering connection with your Amazon Virtual Private Cloud (Amazon VPC) to connect to other AWS resources. To establish a VPC peering connection with Lightsail, update your AWS Identity and Access Management (IAM) entity's Amazon Elastic Compute Cloud (Amazon EC2) permissions. Use AWS Command Line Interface (AWS CLI) to create, check, and delete peering connections.

Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

To set up VPC peering, complete the following steps:

  1. You must have a default Amazon VPC. If you don't have a default Amazon VPC, then create one. You must set up VPC peering in each AWS Region where you have Lightsail resources.

  2. Set up your permissions. It's a best practice to grant the IAM user the minimum permissions necessary to create the connection. Specify only the necessary Amazon EC2 actions within the policy: describing VPCs, route tables, and security groups, accepting and modifying the peering connection, and adding or deleting routes in the existing route table. For example:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ec2:AcceptVpcPeeringConnection",
            "ec2:DescribeVpcs",
            "ec2:CreateRoute",
            "ec2:DescribeVpcPeeringConnections",
            "ec2:DeleteRoute",
            "ec2:ModifyVpcPeeringConnectionOptions",
            "ec2:DescribeRouteTables",
            "ec2:DescribeSecurityGroups",
            "lightsail:*"
          ],
          "Resource": "*"
        }
      ]
    }

    Note: This policy gives full access to Lightsail ("lightsail:*"). If your IAM entity uses a restrictive policy for Lightsail, then include "lightsail:PeerVpc" and "lightsail:UnpeerVpc". With a restrictive policy, you might not be able to use Lightsail to perform the peering actions. Instead, use API calls such as PeerVpc and UnpeerVpc to set up the peering connection.

  3. To create the peering connection, run the peer-vpc command:

    aws lightsail peer-vpc --region regionName

    Note: Replace regionName with the Region that's connected to your Lightsail resource.

  4. To check the VPC peering connection, run the is-vpc-peered command:

    aws lightsail is-vpc-peered --region regionName

    Note: Replace regionName with the Region that's connected to your Lightsail resource.

  5. To delete the VPC peering connection, run the unpeer-vpc command:

    aws lightsail unpeer-vpc --region regionName

    Note: Replace regionName with the Region that's connected to your Lightsail resource.

This policy covers the minimum IAM permissions that you need to set up VPC peering in Lightsail. To export Lightsail snapshots to Amazon EC2 or set up access to other AWS services, you might need to include more permissions.
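As an added example (not AWS's own code), the following Python script checks a policy document against the action list in the policy above and narrows the "lightsail:*" grant to the two peering actions, then runs steps 3 to 5 (PeerVpc, IsVpcPeered, UnpeerVpc) through a client object. The method names peer_vpc, is_vpc_peered and unpeer_vpc follow the boto3 Lightsail client (an assumption; boto3 itself is not imported). The FakeLightsail class, the sample policy and the fake response bodies are constructed so that the script runs offline.

```python
"""Audit the IAM policy for Lightsail VPC peering against the minimum action
set, then run the peer / verify / unpeer workflow through the Lightsail API.
Added example, not AWS's own code; the client method names peer_vpc,
is_vpc_peered and unpeer_vpc follow the boto3 Lightsail client (assumption)."""
import copy
import fnmatch
import json

# Minimum EC2 actions from the article's example policy.
REQUIRED_EC2_ACTIONS = frozenset({
    "ec2:AcceptVpcPeeringConnection",
    "ec2:DescribeVpcs",
    "ec2:CreateRoute",
    "ec2:DescribeVpcPeeringConnections",
    "ec2:DeleteRoute",
    "ec2:ModifyVpcPeeringConnectionOptions",
    "ec2:DescribeRouteTables",
    "ec2:DescribeSecurityGroups",
})
# Lightsail actions a restrictive policy must carry instead of lightsail:*.
REQUIRED_LIGHTSAIL_ACTIONS = frozenset({"lightsail:PeerVpc", "lightsail:UnpeerVpc"})

# Constructed sample: the article's policy, including the broad lightsail:* grant.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:AcceptVpcPeeringConnection", "ec2:DescribeVpcs", "ec2:CreateRoute",
      "ec2:DescribeVpcPeeringConnections", "ec2:DeleteRoute",
      "ec2:ModifyVpcPeeringConnectionOptions", "ec2:DescribeRouteTables",
      "ec2:DescribeSecurityGroups", "lightsail:*"
    ],
    "Resource": "*"
  }]
}""")


def allowed_actions(policy):
    """Every action pattern granted by an Allow statement (Deny statements are ignored)."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        granted.update([actions] if isinstance(actions, str) else actions)
    return granted


def audit_peering_policy(policy):
    """Report required actions the policy lacks and any wildcard grants it carries.

    IAM action wildcards (* and ?) match like shell globs, so lightsail:* or
    ec2:Describe* count as granting the concrete actions they cover."""
    granted = allowed_actions(policy)
    needed = REQUIRED_EC2_ACTIONS | REQUIRED_LIGHTSAIL_ACTIONS
    missing = sorted(a for a in needed
                     if not any(fnmatch.fnmatchcase(a, pat) for pat in granted))
    wildcards = sorted(pat for pat in granted if "*" in pat or "?" in pat)
    return {"missing": missing, "wildcards": wildcards}


def tighten_lightsail_grant(policy):
    """Copy of the policy with lightsail:* narrowed to the two peering actions."""
    tightened = copy.deepcopy(policy)
    for stmt in tightened.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if "lightsail:*" in actions:
            actions = [a for a in actions if a != "lightsail:*"]
            stmt["Action"] = actions + sorted(REQUIRED_LIGHTSAIL_ACTIONS)
    return tightened


def ensure_peered(client, unpeer_after=False):
    """Steps 3 to 5 of the article as one idempotent workflow.

    `client` is any object exposing peer_vpc(), is_vpc_peered() and
    unpeer_vpc(); a boto3 Lightsail client created for the target Region fits.
    Returns the final state reported by IsVpcPeered."""
    peered = client.is_vpc_peered()["isPeered"]
    if not peered:
        client.peer_vpc()                       # PeerVpc, only when not yet peered
        peered = client.is_vpc_peered()["isPeered"]
    if unpeer_after and peered:
        client.unpeer_vpc()                     # UnpeerVpc, then re-check
        peered = client.is_vpc_peered()["isPeered"]
    return peered


class FakeLightsail:
    """Constructed stand-in for the Lightsail client so the workflow runs offline."""
    def __init__(self):
        self.peered = False
        self.calls = []                         # API call order, for inspection

    def peer_vpc(self):
        self.calls.append("PeerVpc")
        self.peered = True
        return {"operation": {"status": "Succeeded"}}   # constructed shape

    def unpeer_vpc(self):
        self.calls.append("UnpeerVpc")
        self.peered = False
        return {"operation": {"status": "Succeeded"}}   # constructed shape

    def is_vpc_peered(self):
        self.calls.append("IsVpcPeered")
        return {"isPeered": self.peered}


if __name__ == "__main__":
    print(audit_peering_policy(SAMPLE_POLICY))
    print(audit_peering_policy(tighten_lightsail_grant(SAMPLE_POLICY)))
    fake = FakeLightsail()
    print("peered:", ensure_peered(fake), fake.calls)
```

Running the script reports the sample policy as complete but carrying the "lightsail:*" wildcard; after tightening, the audit is clean, and the workflow shows the call sequence IsVpcPeered, PeerVpc, IsVpcPeered that a real run against a Region would issue. Swap FakeLightsail for a boto3 Lightsail client to run it against your account, one client per Region where you have Lightsail resources.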

AWS OFFICIAL
Updated 8 days ago