What are the minimum IAM permissions needed to set up communication between Amazon Lightsail and other AWS services using VPC peering?

Resolution

Amazon Lightsail requires a peering connection with your VPC to connect to other AWS resources, such as an Amazon Relational Database Service (Amazon RDS) databases. Along with Lightsail permissions, the IAM entity requires certain Amazon Elastic Compute Cloud (Amazon EC2) permissions to establish and create a VPC peering connection with Lightsail.

Prerequisite: To set up VPC peering in Lightsail, you must have a default Amazon VPC. If you don’t have a default Amazon VPC, then you can create one. To learn more, see Create a default VPC. Because AWS Regions are isolated from one another, a VPC is also isolated in the Region where you created it. You must set up VPC peering in each Region where you have Lightsail resources.

It's a best practice to grant the IAM user the minimum permissions necessary for creating the connection. You can specify only the necessary Amazon EC2 actions within the policy. The following example policy includes actions for accessing the EC2 endpoint, accept peering connections, and editing the existing route table to accommodate this connection.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteNetworkInterfacePermission",
                "ec2:CreateNetworkInterfacePermission",
                "ec2:AcceptVpcPeeringConnection",
                "ec2:DescribeVpcs",
                "ec2:CreateRoute",
                "ec2:DescribeVpcPeeringConnections",
                "ec2:DeleteRoute",
                "ec2:ModifyVpcPeeringConnectionOptions",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "lightsail:*"
            ],
            "Resource": "*"
        }
    ]
}

The preceding policy gives full access to Amazon Lightsail ("lightsail:*"). If your IAM entity is using a restrictive policy for Amazon Lightsail, (not "lightsail:*"), make sure that you include "lightsail:PeerVpc" and "lightsail:UnpeerVpc". In this case, you might not be able to use the Amazon Lightsail console to perform the peering actions. Instead, you can use AWS API calls such as PeerVpc and UnpeerVpc to set up the peering connection.

The following are sample AWS Command Line Interface (AWS CLI) calls to set up the peering connection.

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

Create VPC peering connection

aws lightsail peer-vpc --region regionName

Check VPC peering connection

aws lightsail is-vpc-peered --region regionName

Delete VPC peering connection

aws lightsail unpeer-vpc --region regionName

Replace regionName with the correct Region where you want to add the VPC peering.

Note: Other actions require additional permissions not included in this policy. For example, exporting Lightsail snapshots to Amazon EC2, or accessing other AWS services using this Lightsail VPC peering connection require additional permissions.