AWS permission mapping

| Category | Entity Create Level | Tessell Permission | Request Tag | Resource Tag | Constrained by Condition | Commentary on unconstrained permissions | Attached to Role(s) | Applicable Resources | Cloud Description | Applicable for Register Use Case | Feature Mapping | Applicable for only Private CP DP Use Case | Private CP DP Use Case |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| * | | ec2:Describe* | N/A | N/A | NO | EC2 Describe permissions don't support Request/Resource Tag based conditions. Ref: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html | CrossAccountAccessRole, TessellDbVmMgmtRole | * | Allows describing EC2 resources. | Yes | Provisioning, Start, Stop, Clone, Resize, Refresh, Add Instance | No | Public CP DP, Private CP DP |
| * | | ec2:Get* | N/A | N/A | NO | EC2 Describe permissions don't support Request/Resource Tag based conditions. Ref: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html | CrossAccountAccessRole | * | Allows getting EC2 resources. | Yes | Provisioning, Start, Stop, Clone, Resize, Refresh, Add Instance | No | Public CP DP, Private CP DP |
| * | | ec2:List* | N/A | N/A | NO | EC2 Describe permissions don't support Request/Resource Tag based conditions. Ref: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html | CrossAccountAccessRole | * | Allows listing EC2 resources. | Yes | Provisioning | No | Public CP DP, Private CP DP |
| * | | ec2:Search* | N/A | N/A | NO | EC2 Describe permissions don't support Request/Resource Tag based conditions. Ref: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html | CrossAccountAccessRole | * | Allows searching EC2 resources. | Yes | Provisioning, Delete Service | No | Public CP DP, Private CP DP |
| CloudWatch | Log Group per DB Service | CloudWatchAgentServerPolicy | N/A | N/A | NO | Managed Policy from AWS | TessellDbVmMgmtRole | N/A | Allows the CloudWatch agent to collect and send metrics and logs to CloudWatch. | Yes | DB Logs | No | Public CP DP, Private CP DP |
| CloudWatch | Log Group per DB Service | logs:DeleteLogGroup | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows deleting CloudWatch log groups with the specified resource tag. | Yes | DB Deletion, DB Logs | No | Public CP DP, Private CP DP |
| CloudWatch | Log Group per DB Service | logs:DeleteLogStream | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows deleting log streams with the specified resource tag. | Yes | DB Deletion, DB Logs | No | Public CP DP, Private CP DP |
| CloudWatch | Log Group per DB Service | logs:DescribeLogGroups | N/A | N/A | NO | | CrossAccountAccessRole | * | Allows describing CloudWatch log groups. | Yes | Provisioning, DB Logs | No | Public CP DP, Private CP DP |
| CloudWatch | Log Group per DB Service | logs:DescribeLogStreams | N/A | N/A | NO | | CrossAccountAccessRole | * | Allows describing log streams within CloudWatch log groups. | Yes | Provisioning, DB Logs | No | Public CP DP, Private CP DP |
| CloudWatch | Log Group per DB Service | logs:GetLogEvents | N/A | N/A | NO | | CrossAccountAccessRole | * | Allows retrieving log events from CloudWatch logs. | Yes | Provisioning, DB Logs | No | Public CP DP, Private CP DP |
| CloudWatch | Log Group per DB Service | logs:PutRetentionPolicy | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows setting retention policies on log groups with the specified resource tag. | Yes | DB Logs | No | Public CP DP, Private CP DP |
| CloudWatch | Log Group per DB Service | logs:TagLogGroup | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows tagging CloudWatch log groups with the specified resource tag. | Yes | Provisioning, DB Logs | No | Public CP DP, Private CP DP |
| EC2 | Compute Resource | ec2:ModifyInstanceAttribute | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows modifying attributes of instances with the specified resource tag. | Yes | Add Tags | No | Public CP DP, Private CP DP |
| EC2 | Compute Resource | ec2:MonitorInstances | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows enabling detailed monitoring for instances with the specified resource tag. | Yes | | No | Public CP DP, Private CP DP |
| EC2 | Compute Resource | ec2:RebootInstances | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows rebooting instances with the specified resource tag. | Yes | provisioning, stop, start, patch, resize | No | Public CP DP, Private CP DP |
| EC2 | Compute Resource | ec2:RunInstances | N/A | N/A | NO | | CrossAccountAccessRole | Network interfaces, security groups, subnets, volumes, etc. | Allows launching EC2 instances with access to specified resources. | Yes | Provisioning, Add-replica, Clone | No | Public CP DP, Private CP DP |
| EC2 | Compute Resource | ec2:RunInstances | TESSELL_TENANT_ID = {{TenantName}} | N/A | YES | | CrossAccountAccessRole | Specific EC2 instances (arn:aws:ec2) | Allows launching EC2 instances with the specified request tag. | Yes | Provisioning, Add-replica, Clone | No | Public CP DP, Private CP DP |
| EC2 | Compute Resource | ec2:StartInstances | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows starting instances with the specified resource tag. | Yes | start service, resize, stop rollback | No | Public CP DP, Private CP DP |
| EC2 | Compute Resource | ec2:StopInstances | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows stopping instances with the specified resource tag. | Yes | stop service, resize, start rollback | No | Public CP DP, Private CP DP |
| EC2 | Compute Resource | ec2:TerminateInstances | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows terminating instances with the specified resource tag. | Yes | Delete replica, delete service, provisioning rollback, add-replica rollback | No | Public CP DP, Private CP DP |
| ELB | VPC | elasticloadbalancing:AddTags | TESSELL_TENANT_ID = {{TenantName}} | N/A | YES | | CrossAccountAccessRole | * | Allows adding tags to load balancer resources with the specified request tag. | Yes | | No | Public CP DP, Private CP DP |
| ELB | VPC | elasticloadbalancing:CreateListener | TESSELL_TENANT_ID = {{TenantName}} | N/A | YES | | CrossAccountAccessRole | * | Allows creating load balancer listeners with the specified request tag. | Yes | | No | Public CP DP, Private CP DP |
| ELB | VPC | elasticloadbalancing:CreateLoadBalancer | TESSELL_TENANT_ID = {{TenantName}} | N/A | YES | | CrossAccountAccessRole | * | Allows creating load balancers with the specified request tag. | Yes | | No | Public CP DP, Private CP DP |
| ELB | VPC | elasticloadbalancing:CreateTargetGroup | TESSELL_TENANT_ID = {{TenantName}} | N/A | YES | | CrossAccountAccessRole | * | Allows creating target groups with the specified request tag. | Yes | | No | Public CP DP, Private CP DP |
| ELB | VPC | elasticloadbalancing:DeleteListener | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows deleting load balancer listeners with the specified resource tag. | Yes | | No | Public CP DP, Private CP DP |
| ELB | VPC | elasticloadbalancing:DeleteLoadBalancer | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows deleting load balancers with the specified resource tag. | Yes | | No | Public CP DP, Private CP DP |
| ELB | VPC | elasticloadbalancing:DeleteTargetGroup | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows deleting target groups with the specified resource tag. | Yes | | No | Public CP DP, Private CP DP |
| ELB | VPC | elasticloadbalancing:DeregisterTargets | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows deregistering targets from target groups with the specified resource tag. | Yes | | No | Public CP DP, Private CP DP |
| ELB | VPC | elasticloadbalancing:DescribeListeners | N/A | N/A | NO | | CrossAccountAccessRole | * | Allows describing load balancer listeners. | Yes | | No | Public CP DP, Private CP DP |
| ELB | VPC | elasticloadbalancing:DescribeLoadBalancerAttributes | N/A | N/A | NO | | CrossAccountAccessRole | * | Allows describing attributes of load balancers. | Yes | | No | Public CP DP, Private CP DP |
| ELB | VPC | elasticloadbalancing:DescribeLoadBalancers | N/A | N/A | NO | | CrossAccountAccessRole | * | Allows describing load balancers. | Yes | | No | Public CP DP, Private CP DP |
| ELB | VPC | elasticloadbalancing:DescribeTags | N/A | N/A | NO | | CrossAccountAccessRole | * | Allows describing tags for load balancer resources. | Yes | | No | Public CP DP, Private CP DP |
| ELB | VPC | elasticloadbalancing:DescribeTargetGroupAttributes | N/A | N/A | NO | | CrossAccountAccessRole | * | Allows describing attributes of target groups. | Yes | | No | Public CP DP, Private CP DP |
| ELB | VPC | elasticloadbalancing:DescribeTargetGroups | N/A | N/A | NO | | CrossAccountAccessRole | * | Allows describing target groups. | Yes | | No | Public CP DP, Private CP DP |
| ELB | VPC | elasticloadbalancing:DescribeTargetHealth | N/A | N/A | NO | | CrossAccountAccessRole | * | Allows describing the health of targets in a target group. | Yes | | No | Public CP DP, Private CP DP |
| ELB | VPC | elasticloadbalancing:ModifyListener | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows modifying load balancer listeners with the specified resource tag. | Yes | | No | Public CP DP, Private CP DP |
| ELB | VPC | elasticloadbalancing:ModifyLoadBalancerAttributes | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows modifying attributes of load balancers with the specified resource tag. | Yes | | No | Public CP DP, Private CP DP |
| ELB | VPC | elasticloadbalancing:ModifyTargetGroup | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows modifying target groups with the specified resource tag. | Yes | | No | Public CP DP, Private CP DP |
| ELB | VPC | elasticloadbalancing:ModifyTargetGroupAttributes | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows modifying attributes of target groups with the specified resource tag. | Yes | | No | Public CP DP, Private CP DP |
| ELB | VPC | elasticloadbalancing:RegisterTargets | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows registering targets with target groups with the specified resource tag. | Yes | | No | Public CP DP, Private CP DP |
| ELB | VPC | elasticloadbalancing:SetIpAddressType | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows setting IP address types for load balancers with the specified resource tag. | Yes | | No | Public CP DP, Private CP DP |
| ELB | VPC | elasticloadbalancing:SetSubnets | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows setting subnets for load balancers with the specified resource tag. | Yes | | No | Public CP DP, Private CP DP |
| IAM | Subscription | ec2:AssociateIamInstanceProfile | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows associating IAM instance profiles with instances that have the specified resource tag. | Yes | Provisioning, DP AWS Services Access | No | Public CP DP, Private CP DP |
| IAM | Subscription | ec2:DisassociateIamInstanceProfile | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows disassociating IAM instance profiles from instances with the specified resource tag. | Yes | DB Deletion, DP AWS Services Access | No | Public CP DP, Private CP DP |
| IAM | Subscription | iam:PassRole | N/A | N/A | NO | | CrossAccountAccessRole | ARN of TessellDbVmMgmtRole | Allows passing the TessellDbVmMgmtRole to EC2 instances or other services. | Yes | Provisioning, DP AWS Services Access | No | Public CP DP, Private CP DP |
| IAM | Subscription | iam:CreateServiceLinkedRole | N/A | N/A | NO | | CrossAccountAccessRole, TessellDbVmMgmtRole | AWSServiceRoleForKeyManagementServiceMultiRegionKeys | Allows creating service-linked roles for KMS multi-region keys. | Yes | | No | Public CP DP, Private CP DP |
| IAM | Subscription | iam:CreateServiceLinkedRole | N/A | N/A | NO | | CrossAccountAccessRole, TessellDbVmMgmtRole | AWSServiceRoleForElasticLoadBalancing | Allows creating service-linked roles for AWS services (e.g., ELB, KMS). | Yes | | No | Public CP DP, Private CP DP |
| IP Address | Compute Resource | ec2:AllocateAddress | TESSELL_TENANT_ID = {{TenantName}} | N/A | YES | | CrossAccountAccessRole | * | Allows allocating Elastic IP addresses with the specified request tag. | Yes | Provisioning, Add-replica, Clone | No | Public CP DP, Private CP DP |
| IP Address | Compute Resource | ec2:AssignPrivateIpAddresses | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows assigning private IP addresses to network interfaces with the specified resource tag. | Yes | Provisioning, Add-replica, Clone | No | Public CP DP, Private CP DP |
| IP Address | Compute Resource | ec2:AssociateAddress | N/A | N/A | NO | | CrossAccountAccessRole | * | Allows associating an Elastic IP address with an instance or network interface. | Yes | Provisioning, Add-replica, Clone | No | Public CP DP, Private CP DP |
| IP Address | Compute Resource | ec2:DisassociateAddress | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows disassociating Elastic IP addresses from resources with the specified resource tag. | Yes | Delete service, Delete-replica | No | Public CP DP, Private CP DP |
| IP Address | Compute Resource | ec2:ReleaseAddress | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows releasing Elastic IP addresses with the specified resource tag. | Yes | Delete service, Delete-replica | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:CancelKeyDeletion | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | * (with resource tag condition) | Allows canceling deletion of KMS keys tagged with the specified resource tag. | No | | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:CreateAlias | N/A | N/A | NO | | CrossAccountAccessRole, TessellDbVmMgmtRole | arn:aws:kms:::alias/* | Allows creating KMS aliases without any tag restrictions. | No | | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:CreateAlias | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | * (with resource tag condition) | Allows creating aliases for KMS keys tagged with the specified resource tag. | No | | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:CreateGrant | N/A | ALLOW_IMPORT_TO_TESSELL = true | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | KMS keys tagged with ALLOW_IMPORT_TO_TESSELL=true | Allows creating grants on KMS keys with the specified resource tag. | Yes | | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:CreateGrant | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | * (with resource tag condition) | Allows creating grants on KMS keys tagged with the specified resource tag. | No | | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:CreateKey | TESSELL_TENANT_ID = {{TenantName}} | N/A | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | * | Allows creating new KMS keys with the specified request tag. | No | | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:Decrypt | N/A | ALLOW_IMPORT_TO_TESSELL = true | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | KMS keys tagged with ALLOW_IMPORT_TO_TESSELL=true | Allows decrypting data using KMS keys with the specified resource tag. | Yes | Clone | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:Decrypt | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | * (with resource tag condition) | Allows decrypting data using KMS keys tagged with the specified resource tag. | No | Clone | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:DeleteAlias | N/A | N/A | NO | | CrossAccountAccessRole, TessellDbVmMgmtRole | arn:aws:kms:::alias/* | Allows deleting KMS aliases without any tag restrictions. | No | | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:DeleteAlias | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | * (with resource tag condition) | Allows deleting aliases for KMS keys tagged with the specified resource tag. | No | | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:DescribeKey | N/A | ALLOW_IMPORT_TO_TESSELL = true | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | KMS keys tagged with ALLOW_IMPORT_TO_TESSELL=true | Allows describing KMS keys with the specified resource tag. | Yes | | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:DescribeKey | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | * (with resource tag condition) | Allows describing KMS keys tagged with the specified resource tag. | No | | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:DisableKey | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | * (with resource tag condition) | Allows disabling KMS keys tagged with the specified resource tag. | No | | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:DisableKeyRotation | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | * (with resource tag condition) | Allows disabling automatic key rotation for KMS keys tagged with the specified resource tag. | No | | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:EnableKey | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | * (with resource tag condition) | Allows enabling KMS keys tagged with the specified resource tag. | No | | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:EnableKeyRotation | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | * (with resource tag condition) | Allows enabling automatic key rotation for KMS keys tagged with the specified resource tag. | No | | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:Encrypt | N/A | ALLOW_IMPORT_TO_TESSELL = true | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | KMS keys tagged with ALLOW_IMPORT_TO_TESSELL=true | Allows encrypting data using KMS keys with the specified resource tag. | Yes | Provisioning, add-replica, clone | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:Encrypt | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | * (with resource tag condition) | Allows encrypting data using KMS keys tagged with the specified resource tag. | No | Provisioning, add-replica, clone | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:GenerateDataKey* | N/A | ALLOW_IMPORT_TO_TESSELL = true | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | KMS keys tagged with ALLOW_IMPORT_TO_TESSELL=true | Allows generating data keys using KMS keys with the specified resource tag. | Yes | | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:GenerateDataKey* | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | * (with resource tag condition) | Allows generating data keys using KMS keys tagged with the specified resource tag. | No | | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:GetKeyPolicy | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | * (with resource tag condition) | Allows retrieving key policies for KMS keys tagged with the specified resource tag. | No | | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:GetKeyRotationStatus | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | * (with resource tag condition) | Allows getting rotation status of KMS keys tagged with the specified resource tag. | No | | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:GetParametersForImport | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | * (with resource tag condition) | Allows obtaining parameters for importing key material into KMS keys tagged with the specified resource tag. | No | | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:ImportKeyMaterial | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | * (with resource tag condition) | Allows importing key material into KMS keys tagged with the specified resource tag. | No | | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:ListAliases | N/A | N/A | NO | | CrossAccountAccessRole, TessellDbVmMgmtRole | * | Allows listing all KMS aliases. | Yes | | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:ListAliases | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | * | Allows listing aliases of KMS keys tagged with the specified resource tag. | No | | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:ListKeys | N/A | N/A | NO | | CrossAccountAccessRole, TessellDbVmMgmtRole | * | Allows listing all KMS keys. | Yes | | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:ListKeys | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | * | Allows listing KMS keys tagged with the specified resource tag. | No | | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:ListResourceTags | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | * | Allows listing tags for KMS keys tagged with the specified resource tag. | No | | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:ReEncrypt* | N/A | ALLOW_IMPORT_TO_TESSELL = true | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | KMS keys tagged with ALLOW_IMPORT_TO_TESSELL=true | Allows re-encrypting data using KMS keys with the specified resource tag. | Yes | Clone | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:ReEncrypt* | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | * (with resource tag condition) | Allows re-encrypting data using KMS keys tagged with the specified resource tag. | No | Clone | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:ReplicateKey | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | * (with resource tag condition) | Allows replicating KMS keys tagged with the specified resource tag to other regions. | No | Provisioning, add-replica, clone | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:ScheduleKeyDeletion | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | * (with resource tag condition) | Allows scheduling deletion of KMS keys tagged with the specified resource tag. | No | | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:TagResource | TESSELL_TENANT_ID = {{TenantName}} | N/A | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | * | Allows tagging KMS resources with the specified request tag. | No | | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:UntagResource | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | Resources tagged with TESSELL_TENANT_ID = {{TenantName}} | Allows removing tags from KMS resources tagged with the specified resource tag. | No | | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:UpdateAlias | N/A | N/A | NO | | CrossAccountAccessRole, TessellDbVmMgmtRole | arn:aws:kms:::alias/* | Allows updating KMS aliases without any tag restrictions. | No | | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:UpdateAlias | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | * (with resource tag condition) | Allows updating aliases for KMS keys tagged with the specified resource tag. | No | | No | Public CP DP, Private CP DP |
| KMS | Encryption Key | kms:UpdateKeyDescription | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | * (with resource tag condition) | Allows updating descriptions of KMS keys tagged with the specified resource tag. | No | | No | Public CP DP, Private CP DP |
| Network Interface | Compute Resource | ec2:AttachNetworkInterface | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows attaching network interfaces to instances with the specified resource tag. | Yes | Provisioning, add-replica, clone, resize | No | Public CP DP, Private CP DP |
| Network Interface | Compute Resource | ec2:CreateNetworkInterface | N/A | N/A | NO | | CrossAccountAccessRole | * | Allows creating network interfaces. | Yes | Provisioning, add-replica, clone | No | Public CP DP, Private CP DP |
| Network Interface | Compute Resource | ec2:CreateNetworkInterfacePermission | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows creating permissions for network interfaces with the specified resource tag. | Yes | Provisioning, add-replica, clone | No | Public CP DP, Private CP DP |
| Network Interface | Compute Resource | ec2:DeleteNetworkInterface | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows deleting network interfaces with the specified resource tag. | Yes | Delete service, Delete replica | No | Public CP DP, Private CP DP |
| Network Interface | Compute Resource | ec2:DeleteNetworkInterfacePermission | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows deleting permissions for network interfaces with the specified resource tag. | Yes | Delete service, Delete replica | No | Public CP DP, Private CP DP |
| Network Interface | Compute Resource | ec2:DetachNetworkInterface | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows detaching network interfaces from instances with the specified resource tag. | Yes | Delete service, Delete replica, Resize | No | Public CP DP, Private CP DP |
| Network Interface | Compute Resource | ec2:ModifyNetworkInterfaceAttribute | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows modifying attributes of network interfaces with the specified resource tag. | Yes | Provisioning, add-replica, clone | No | Public CP DP, Private CP DP |
| S3 | Region | s3:CreateBucket | N/A | N/A | NO | | CrossAccountAccessRole | BucketName/dblogstorage-* | Allows creating S3 buckets with the specified request tag. | No | Provisioning, add-replica, clone | No | Public CP DP, Private CP DP |
| S3 | Region | s3:CreateJob | N/A | N/A | NO | | CrossAccountAccessRole | arn:aws:s3:::job/* | Allows creating S3 Batch Operations jobs. | Yes | DAP | No | Public CP DP, Private CP DP |
| S3 | Region | s3:DeleteBucket | N/A | N/A | NO | | CrossAccountAccessRole | BucketName/dblogstorage-* | Allows deleting S3 buckets tagged with the specified resource tag. | No | Delete database, Delete replica | No | Public CP DP, Private CP DP |
| S3 | Region | s3:DeleteBucketPolicy | N/A | N/A | NO | | CrossAccountAccessRole | BucketName/dblogstorage-* | Allows deleting bucket policies from S3 buckets tagged with the specified resource tag. | No | Delete DAP | No | Public CP DP, Private CP DP |
| S3 | Region | s3:DeleteBucketTagging | N/A | N/A | NO | | CrossAccountAccessRole | BucketName/dblogstorage-* | Allows deleting tags from S3 buckets tagged with the specified resource tag. | No | Delete database, Delete replica | No | Public CP DP, Private CP DP |
| S3 | Region | s3:DeleteObject* | N/A | N/A | NO | | CrossAccountAccessRole, TessellDbVmMgmtRole | BucketName/dblogstorage-/ | Allows deleting objects from the specified S3 bucket. | Yes | AM SLA, Delete AM | No | Public CP DP, Private CP DP |
| S3 | Region | s3:GetBucket* | N/A | N/A | NO | | CrossAccountAccessRole, TessellDbVmMgmtRole | BucketName/dblogstorage-* | Allows getting bucket-level information on the specified S3 bucket. | Yes | Provisioning, add-replica, clone, DAP | No | Public CP DP, Private CP DP |
| S3 | Region | s3:GetObject* | N/A | N/A | NO | | CrossAccountAccessRole, TessellDbVmMgmtRole | BucketName/dblogstorage-/ | Allows getting objects from the specified S3 bucket. | Yes | Clone, DAP | No | Public CP DP, Private CP DP |
| S3 | Region | s3:GetReplicationConfiguration | N/A | N/A | NO | | CrossAccountAccessRole, TessellDbVmMgmtRole | BucketName/dblogstorage-* | Allows getting the replication configuration of the specified S3 bucket. | Yes | DAP | No | Public CP DP, Private CP DP |
| S3 | Region | s3:InitiateReplication | N/A | N/A | NO | | CrossAccountAccessRole, TessellDbVmMgmtRole | BucketName/dblogstorage-* | Allows initiating replication on the specified S3 bucket. | Yes | DAP | No | Public CP DP, Private CP DP |
| S3 | Region | s3:ListBucket* | N/A | N/A | NO | | CrossAccountAccessRole, TessellDbVmMgmtRole | BucketName/dblogstorage-* | Allows listing objects in the specified S3 bucket. | Yes | AM, DAP | No | Public CP DP, Private CP DP |
| S3 | Region | s3:PauseReplication | N/A | N/A | NO | | CrossAccountAccessRole, TessellDbVmMgmtRole | BucketName/dblogstorage-* | Allows pausing replication on the specified S3 bucket. | Yes | DAP | No | Public CP DP, Private CP DP |
| S3 | Region | s3:PutBucket* | N/A | N/A | NO | | CrossAccountAccessRole, TessellDbVmMgmtRole | BucketName/dblogstorage-* | Allows putting bucket-level configurations on the specified S3 bucket. | Yes | DAP | No | Public CP DP, Private CP DP |
| S3 | Region | s3:PutObject* | N/A | N/A | NO | | CrossAccountAccessRole, TessellDbVmMgmtRole | BucketName/dblogstorage-/ | Allows putting objects into the specified S3 bucket. | Yes | | No | Public CP DP, Private CP DP |
| S3 | Region | s3:PutReplicationConfiguration | N/A | N/A | NO | | CrossAccountAccessRole, TessellDbVmMgmtRole | BucketName/dblogstorage-* | Allows setting replication configuration on the specified S3 bucket. | Yes | | No | Public CP DP, Private CP DP |
| S3 | Region | s3:ReplicateDelete | N/A | N/A | NO | | CrossAccountAccessRole, TessellDbVmMgmtRole | BucketName/dblogstorage-* | Allows replicating delete markers to the specified S3 bucket. | Yes | | No | Public CP DP, Private CP DP |
| S3 | Region | s3:ReplicateObject | N/A | N/A | NO | | CrossAccountAccessRole, TessellDbVmMgmtRole | BucketName/dblogstorage-* | Allows replicating objects to the specified S3 bucket. | Yes | | No | Public CP DP, Private CP DP |
| S3 | Region | s3:ReplicateTags | N/A | N/A | NO | | CrossAccountAccessRole, TessellDbVmMgmtRole | BucketName/dblogstorage-* | Allows replicating tags to the specified S3 bucket. | Yes | | No | Public CP DP, Private CP DP |
| Secrets Manager | Secret per DB Service | secretsmanager:CancelRotateSecret | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows canceling secret rotation for secrets with the specified resource tag. | Yes | | No | Public CP DP, Private CP DP |
| Secrets Manager | Secret per DB Service | secretsmanager:CreateSecret | TESSELL_TENANT_ID = {{TenantName}} | N/A | YES | | CrossAccountAccessRole | * | Allows creating secrets with the specified request tag. | Yes | Provisioning, Add-replica, Clone | No | Public CP DP, Private CP DP |
| Secrets Manager | Secret per DB Service | secretsmanager:DeleteSecret | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows deleting secrets with the specified resource tag. | Yes | | No | Public CP DP, Private CP DP |
| Secrets Manager | Secret per DB Service | secretsmanager:DescribeSecret | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | * | Allows describing secrets with the specified resource tag. | Yes | Provisioning, Add-replica, Clone, Stop, Start, Snapshot | No | Public CP DP, Private CP DP |
| Secrets Manager | Secret per DB Service | secretsmanager:GetSecretValue | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole, TessellDbVmMgmtRole | * | Allows retrieving secret values from secrets with the specified resource tag. | Yes | Provisioning, Add-replica, Clone, Stop, Start, Snapshot | No | Public CP DP, Private CP DP |
| Secrets Manager | Secret per DB Service | secretsmanager:PutSecretValue | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows updating the secret value for secrets with the specified resource tag. | Yes | Reset password | No | Public CP DP, Private CP DP |
| Secrets Manager | Secret per DB Service | secretsmanager:RemoveRegionsFromReplication | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows removing regions from secret replication for secrets with the specified resource tag. | Yes | | No | Public CP DP, Private CP DP |
| Secrets Manager | Secret per DB Service | secretsmanager:ReplicateSecretToRegions | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows replicating secrets to other regions for secrets with the specified resource tag. | Yes | | No | Public CP DP, Private CP DP |
| Secrets Manager | Secret per DB Service | secretsmanager:RestoreSecret | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows restoring deleted secrets with the specified resource tag. | Yes | | No | Public CP DP, Private CP DP |
| Secrets Manager | Secret per DB Service | secretsmanager:RotateSecret | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows rotating secrets with the specified resource tag. | Yes | | No | Public CP DP, Private CP DP |
| Secrets Manager | Secret per DB Service | secretsmanager:StopReplicationToReplica | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows stopping replication to replica secrets with the specified resource tag. | Yes | | No | Public CP DP, Private CP DP |
| Secrets Manager | Secret per DB Service | secretsmanager:TagResource | TESSELL_TENANT_ID = {{TenantName}} | N/A | YES | | CrossAccountAccessRole | * | Allows tagging secrets with the specified request tag. | Yes | | No | Public CP DP, Private CP DP |
| Secrets Manager | Secret per DB Service | secretsmanager:UpdateSecret | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows updating secrets with the specified resource tag. | Yes | | No | Public CP DP, Private CP DP |
| Secrets Manager | Secret per DB Service | secretsmanager:UpdateSecretVersionStage | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows updating the version stage of secrets with the specified resource tag. | Yes | | No | Public CP DP, Private CP DP |
| Security Group | Compute Resource | ec2:AuthorizeSecurityGroupEgress | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows authorizing egress rules on security groups with the specified resource tag. | Yes | | No | Public CP DP, Private CP DP |
| Security Group | Compute Resource | ec2:AuthorizeSecurityGroupIngress | N/A | TESSELL_TENANT_ID = {{TenantName}} | YES | | CrossAccountAccessRole | * | Allows authorizing ingress rules on security groups with the specified resource tag. | Yes | | No | Public CP DP, Private CP DP |
| Security Group | Compute Resource | ec2:CreateSecurityGroup | N/A | N/A | NO | | CrossAccountAccessRole | * | Allows creating security groups. | | | | |

Yes

No

Public CP DP, Private CP DP

Security Group

Compute Resource

ec2:DeleteSecurityGroup

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole, TessellDbVmMgmtRole

*

Allows deleting security groups with the specified resource tag.

Yes

No

Public CP DP, Private CP DP

Security Group

Compute Resource

ec2:ModifySecurityGroupRules

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows modifying security group rules with the specified resource tag.

Yes

No

Public CP DP, Private CP DP

Security Group

Compute Resource

ec2:RevokeSecurityGroupEgress

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows revoking egress rules in security groups with the specified resource tag.

Yes

No

Public CP DP, Private CP DP

Security Group

Compute Resource

ec2:RevokeSecurityGroupIngress

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows revoking ingress rules in security groups with the specified resource tag.

Yes

No

Public CP DP, Private CP DP

Security Group

Compute Resource

ec2:UpdateSecurityGroupRuleDescriptionsEgress

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows updating egress rule descriptions in security groups with the specified resource tag.

Yes

No

Public CP DP, Private CP DP

Security Group

Compute Resource

ec2:UpdateSecurityGroupRuleDescriptionsIngress

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows updating ingress rule descriptions in security groups with the specified resource tag.

Yes

No

Public CP DP, Private CP DP

Snapshot

Snapshots per DB Service

ebs:GetSnapshotBlock

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows getting blocks from EBS snapshots with the specified resource tag.

Yes

AM

No

Public CP DP, Private CP DP

Snapshot

Snapshots per DB Service

ebs:ListChangedBlocks

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows listing changed blocks between two EBS snapshots with the specified resource tag.

Yes

No

Public CP DP, Private CP DP

Snapshot

Snapshots per DB Service

ebs:ListSnapshotBlocks

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows listing blocks in EBS snapshots with the specified resource tag.

Yes

No

Public CP DP, Private CP DP

Snapshot

Snapshots per DB Service

ec2:CopySnapshot

TESSELL_TENANT_ID = {{TenantName}}

N/A

YES

CrossAccountAccessRole

*

Allows copying EBS snapshots with the specified request tag.

Yes

DAP

No

Public CP DP, Private CP DP

Snapshot

Snapshots per DB Service

ec2:CreateSnapshot

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole, TessellDbVmMgmtRole

arn:aws:ec2:::volume/

Allows creating snapshots of volumes with the specified resource tag.

Yes

AM

No

Public CP DP, Private CP DP

Snapshot

Snapshots per DB Service

ec2:CreateSnapshot

TESSELL_TENANT_ID = {{TenantName}}

N/A

YES

CrossAccountAccessRole, TessellDbVmMgmtRole

*

Allows creating snapshots with the specified request tag.

Yes

AM

No

Public CP DP, Private CP DP

Snapshot

Snapshots per DB Service

ec2:CreateSnapshots

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole, TessellDbVmMgmtRole

arn:aws:ec2:::volume/

Allows creating EBS snapshots from volumes with the specified resource tag.

Yes

AM

No

Public CP DP, Private CP DP

Snapshot

Snapshots per DB Service

ec2:CreateSnapshots

TESSELL_TENANT_ID = {{TenantName}}

N/A

YES

CrossAccountAccessRole, TessellDbVmMgmtRole

*

Allows creating EBS snapshots with the specified request tag.

Yes

No

Public CP DP, Private CP DP

Snapshot

Snapshots per DB Service

ec2:DeleteSnapshot

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole, TessellDbVmMgmtRole

*

Allows deleting snapshots with the specified resource tag.

Yes

No

Public CP DP, Private CP DP

Snapshot

Snapshots per DB Service

ec2:ModifySnapshotAttribute

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows modifying attributes of EBS snapshots with the specified resource tag.

Yes

No

Public CP DP, Private CP DP

Snapshot

Snapshots per DB Service

ec2:ResetSnapshotAttribute

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows resetting attributes of EBS snapshots with the specified resource tag.

Yes

No

Public CP DP, Private CP DP

STS

Subscription

sts:DecodeAuthorizationMessage

N/A

N/A

NO

CrossAccountAccessRole

*

Allows decoding authorization failure messages.

Yes

No

Public CP DP, Private CP DP

Tags

All Cloud Resources

ec2:CreateTags

TESSELL_TENANT_ID = {{TenantName}}

N/A

YES

CrossAccountAccessRole, TessellDbVmMgmtRole

*

Allows creating tags on EC2 resources with the specified request tag.

Yes

No

Public CP DP, Private CP DP

Tags

All Cloud Resources

ec2:DeleteTags

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole, TessellDbVmMgmtRole

*

Allows deleting tags from EC2 resources with the specified resource tag.

Yes

No

Public CP DP, Private CP DP

Volume

DB Service

ec2:AttachVolume

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole, TessellDbVmMgmtRole

*

Allows attaching EBS volumes with the specified resource tag to instances.

Yes

No

Public CP DP, Private CP DP

Volume

DB Service

ec2:CreateVolume

TESSELL_TENANT_ID = {{TenantName}}

N/A

YES

CrossAccountAccessRole, TessellDbVmMgmtRole

*

Allows creating EBS volumes with the specified request tag.

Yes

No

Public CP DP, Private CP DP

Volume

DB Service

ec2:DeleteVolume

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole, TessellDbVmMgmtRole

*

Allows deleting EBS volumes with the specified resource tag.

Yes

No

Public CP DP, Private CP DP

Volume

DB Service

ec2:DetachVolume

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole, TessellDbVmMgmtRole

*

Allows detaching EBS volumes with the specified resource tag from instances.

Yes

No

Public CP DP, Private CP DP

Volume

DB Service

ec2:ModifyVolume

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows modifying EBS volumes with the specified resource tag.

Yes

No

Public CP DP, Private CP DP

Volume

DB Service

ec2:ModifyVolumeAttribute

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole, TessellDbVmMgmtRole

*

Allows modifying attributes of EBS volumes with the specified resource tag.

Yes

No

Public CP DP, Private CP DP

VPC

VPC

arn:aws:iam::aws:policy/AmazonVPCReadOnlyAccess

N/A

N/A

NO

CrossAccountAccessRole

*

Grants read-only access to VPC resources (AWS managed policy).

Yes

No

Public CP DP, Private CP DP

VPC

VPC

ec2:AssociateRouteTable

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows associating route tables tagged with the specified resource tag.

No

No

Public CP DP, Private CP DP

VPC

VPC

ec2:AttachInternetGateway

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows attaching Internet Gateways tagged with the specified resource tag.

No

No

Public CP DP, Private CP DP

VPC

VPC

ec2:CreateInternetGateway

TESSELL_TENANT_ID = {{TenantName}}

N/A

YES

CrossAccountAccessRole

*

Allows creating Internet Gateways with the specified request tag.

No

No

Public CP DP, Private CP DP

VPC

VPC

ec2:CreateNatGateway

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows creating NAT Gateways associated with resources tagged with the specified resource tag.

No

No

Public CP DP,

VPC

VPC

ec2:CreateNatGateway

TESSELL_TENANT_ID = {{TenantName}}

N/A

YES

CrossAccountAccessRole

*

Allows creating NAT Gateways with the specified request tag.

No

No

Public CP DP,

VPC

VPC

ec2:CreateRoute

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows creating routes associated with resources tagged with the specified resource tag.

No

No

Public CP DP, Private CP DP

VPC

VPC

ec2:CreateRoute

TESSELL_TENANT_ID = {{TenantName}}

N/A

YES

CrossAccountAccessRole

*

Allows creating routes with the specified request tag.

No

No

Public CP DP, Private CP DP

VPC

VPC

ec2:CreateRouteTable

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows creating route tables associated with resources tagged with the specified resource tag.

No

No

Public CP DP, Private CP DP

VPC

VPC

ec2:CreateRouteTable

TESSELL_TENANT_ID = {{TenantName}}

N/A

YES

CrossAccountAccessRole

*

Allows creating route tables with the specified request tag.

No

No

Public CP DP, Private CP DP

VPC

VPC

ec2:CreateSubnet

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows creating subnets associated with resources tagged with the specified resource tag.

No

No

Public CP DP, Private CP DP

VPC

VPC

ec2:CreateSubnet

TESSELL_TENANT_ID = {{TenantName}}

N/A

YES

CrossAccountAccessRole

*

Allows creating subnets with the specified request tag.

No

No

Public CP DP, Private CP DP

VPC

VPC

ec2:CreateVpc

TESSELL_TENANT_ID = {{TenantName}}

N/A

YES

CrossAccountAccessRole

*

Allows creating VPCs with the specified request tag.

No

No

Public CP DP, Private CP DP

VPC

VPC

ec2:DeleteInternetGateway

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows deleting Internet Gateways tagged with the specified resource tag.

No

No

Public CP DP, Private CP DP

VPC

VPC

ec2:DeleteNatGateway

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows deleting NAT Gateways tagged with the specified resource tag.

No

No

Public CP DP, Private CP DP

VPC

VPC

ec2:DeleteRoute

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows deleting routes tagged with the specified resource tag.

No

No

Public CP DP, Private CP DP

VPC

VPC

ec2:DeleteRouteTable

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows deleting route tables tagged with the specified resource tag.

No

No

Public CP DP, Private CP DP

VPC

VPC

ec2:DeleteSubnet

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows deleting subnets tagged with the specified resource tag.

No

No

Public CP DP, Private CP DP

VPC

VPC

ec2:DeleteVpc

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows deleting VPCs tagged with the specified resource tag.

No

No

Public CP DP, Private CP DP

VPC

VPC

ec2:DetachInternetGateway

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows detaching Internet Gateways tagged with the specified resource tag.

No

No

Public CP DP, Private CP DP

VPC

VPC

ec2:DisassociateRouteTable

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows disassociating route tables tagged with the specified resource tag.

No

No

Public CP DP, Private CP DP

VPC

VPC

ec2:ModifySubnetAttribute

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows modifying subnet attributes with the specified resource tag.

Yes

No

Public CP DP, Private CP DP

VPC

VPC

ec2:ModifyVpcAttribute

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows modifying VPC attributes with the specified resource tag.

Yes

No

Public CP DP, Private CP DP

VPC

VPC

ec2:ReplaceRoute

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows replacing routes in route tables with the specified resource tag.

Yes

No

Public CP DP, Private CP DP

VPC Endpoint Service

VPC

ec2:CreateVpcEndpointServiceConfiguration

TESSELL_TENANT_ID = {{TenantName}}

N/A

YES

CrossAccountAccessRole

*

Allows creating VPC endpoint service configurations with the specified request tag.

Yes

No

Public CP DP, Private CP DP

VPC Endpoint Service

VPC

ec2:DeleteVpcEndpointServiceConfigurations

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows deleting VPC endpoint service configurations with the specified resource tag.

Yes

No

Public CP DP, Private CP DP

VPC Endpoint Service

VPC

ec2:ModifyVpcEndpointServiceConfiguration

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows modifying VPC endpoint service configurations with the specified resource tag.

Yes

No

Public CP DP, Private CP DP

VPC Endpoint Service

VPC

ec2:ModifyVpcEndpointServicePermissions

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows modifying permissions for VPC endpoint services with the specified resource tag.

Yes

No

Public CP DP, Private CP DP

VPC Peering

VPC

ec2:CreateVpcPeeringConnection

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows creating VPC peering connections associated with resources tagged with the specified resource tag.

No

DR

No

Public CP DP, Private CP DP

VPC Peering

VPC

ec2:CreateVpcPeeringConnection

TESSELL_TENANT_ID = {{TenantName}}

N/A

YES

CrossAccountAccessRole

*

Allows creating VPC peering connections with the specified request tag.

No

DR

No

Public CP DP, Private CP DP

VPC Peering

VPC

ec2:AcceptVpcPeeringConnection

N/A

N/A

NO

CrossAccountAccessRole

arn:aws:ec2::${AWS::AccountId}:vpc-peering-connection/

Allows accepting VPC peering connections without tag conditions.

No

DR

No

Public CP DP, Private CP DP

VPC Peering

VPC

ec2:AcceptVpcPeeringConnection

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows accepting VPC peering connections tagged with the specified resource tag.

No

DR

No

Public CP DP, Private CP DP

VPC Peering

VPC

ec2:DeleteVpcPeeringConnection

N/A

TESSELL_TENANT_ID = {{TenantName}}

YES

CrossAccountAccessRole

*

Allows deleting VPC peering connections tagged with the specified resource tag.

No

DR

No

Public CP DP, Private CP DP

VPN

ec2:ExportClientVpnClientCertificateRevocationList

N/A

N/A

NO

CrossAccountAccessRole

*

Allows exporting VPN client certificate revocation lists.

Yes

No

Public CP DP, Private CP DP

VPN

ec2:ExportClientVpnClientConfiguration

N/A

N/A

NO

CrossAccountAccessRole

*

Allows exporting VPN client configurations.

Yes

No

Public CP DP, Private CP DP
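Several actions above appear twice, once constrained by resource tag and once by request tag (ec2:CreateSnapshot, ec2:CreateSnapshots, ec2:CreateRoute, ec2:CreateSubnet, ec2:CreateVpcPeeringConnection). That pairing is what keeps a tenant-scoped role from reading another tenant's resources and from minting untagged ones: the resource-tag statement is evaluated against the existing resource, the request-tag statement against the resource being created. The following Python script is an added example, not Tessell's or AWS's code. It renders the ec2:CreateSnapshot, ec2:DeleteSnapshot and ec2:CreateTags rows as IAM Allow statements keyed on TESSELL_TENANT_ID and runs a small offline evaluator over them. The tenant value `acme-prod`, the ARNs, the volume ARN pattern (the page's own entry for it is truncated) and the evaluator are assumptions; real IAM evaluation also applies explicit Denies, SCPs and permissions boundaries, which are not modelled.

```python
"""Render mapping rows as tag-conditioned IAM statements and evaluate them
offline.  Added example; row data follow the mapping, everything else is
assumed (tenant name, ARNs, the simplified evaluator)."""
import fnmatch
import json

TAG_KEY = "TESSELL_TENANT_ID"
TENANT = "acme-prod"  # assumed stand-in for {{TenantName}}

# (action, resource, tag the row constrains) copied from the mapping.  The
# volume ARN pattern is assumed; the page's own entry for it is truncated.
ROWS = [
    ("ec2:CreateSnapshot", "arn:aws:ec2:*:*:volume/*", "resource"),
    ("ec2:CreateSnapshot", "*", "request"),
    ("ec2:DeleteSnapshot", "*", "resource"),
    ("ec2:CreateTags", "*", "request"),
]


def statement(action, resource, kind):
    """One Allow statement carrying the condition the row describes."""
    scope = "RequestTag" if kind == "request" else "ResourceTag"
    return {
        "Effect": "Allow",
        "Action": action,
        "Resource": resource,
        "Condition": {"StringEquals": {f"aws:{scope}/{TAG_KEY}": TENANT}},
    }


def build_policy(rows=ROWS):
    return {"Version": "2012-10-17", "Statement": [statement(*r) for r in rows]}


def _matches(st, action, arn, ctx):
    """Does one statement allow this action on this ARN under context ctx?
    Only StringEquals is modelled; a key absent from ctx makes it false."""
    if not fnmatch.fnmatchcase(action, st["Action"]):
        return False
    if not fnmatch.fnmatchcase(arn, st["Resource"]):
        return False
    wanted = st.get("Condition", {}).get("StringEquals", {})
    return all(ctx.get(key) == value for key, value in wanted.items())


def is_allowed(policy, action, resources):
    """resources: list of {"arn", "resource_tags", "request_tags"}.
    aws:ResourceTag keys come from tags a resource already has and
    aws:RequestTag keys only from tags being written to it, so an existing
    resource carries no request-tag context and a resource being created
    carries no resource-tag context.  Every ARN the call touches must be
    allowed by some statement; explicit Deny is not modelled."""
    for res in resources:
        ctx = {f"aws:ResourceTag/{k}": v for k, v in res.get("resource_tags", {}).items()}
        ctx.update({f"aws:RequestTag/{k}": v for k, v in res.get("request_tags", {}).items()})
        if not any(_matches(st, action, res["arn"], ctx) for st in policy["Statement"]):
            return False
    return True


# Constructed ARNs for the demonstration.
VOLUME = "arn:aws:ec2:us-east-1:111122223333:volume/vol-0123456789abcdef0"
NEW_SNAPSHOT = "arn:aws:ec2:us-east-1::snapshot/*"  # ID unknown until created
SNAPSHOT = "arn:aws:ec2:us-east-1::snapshot/snap-0123456789abcdef0"


def create_snapshot(policy, volume_tags, request_tags):
    """CreateSnapshot is authorised against the source volume (existing) and
    the snapshot being created (new); both ARNs must pass."""
    return is_allowed(policy, "ec2:CreateSnapshot", [
        {"arn": VOLUME, "resource_tags": volume_tags},
        {"arn": NEW_SNAPSHOT, "request_tags": request_tags},
    ])


def delete_snapshot(policy, snapshot_tags):
    return is_allowed(policy, "ec2:DeleteSnapshot",
                      [{"arn": SNAPSHOT, "resource_tags": snapshot_tags}])


def tag_volume(policy, existing_tags, request_tags):
    """CreateTags on an existing volume: both tag contexts are present."""
    return is_allowed(policy, "ec2:CreateTags", [
        {"arn": VOLUME, "resource_tags": existing_tags, "request_tags": request_tags},
    ])


if __name__ == "__main__":
    policy = build_policy()
    print(json.dumps(policy, indent=2))
    mine, theirs = {TAG_KEY: TENANT}, {TAG_KEY: "other-tenant"}
    print("own volume, tagged snapshot:    ", create_snapshot(policy, mine, mine))
    print("other tenant's volume:          ", create_snapshot(policy, theirs, mine))
    print("own volume, untagged snapshot:  ", create_snapshot(policy, mine, {}))
    print("delete other tenant's snapshot: ", delete_snapshot(policy, theirs))
    print("stamp own tag on their volume:  ", tag_volume(policy, theirs, mine))
```

Two things worth checking against the mapping with this model. First, the request-tag CreateSnapshot statement uses Resource `*`, yet it does not let the role snapshot another tenant's volume, because aws:RequestTag is absent from the existing volume's evaluation context; the two statements only work together because IAM scopes the tag keys that way. Second, as the rows stand, ec2:CreateTags is constrained by request tag only, on Resource `*`, so the role may write its own TESSELL_TENANT_ID value onto any EC2 resource it can name, after which the resource-tag statements treat that resource as the tenant's. Whether that matters depends on controls the page does not list (SCPs, deny statements, what else can call CreateTags); the usual tightening is an aws:ResourceTag condition on the CreateTags statement, or ec2:CreateAction to limit tagging to resource creation.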
