Overview
This guide explains how to configure an IPsec VPN connection between AWS and an on-premises or third-party gateway. It covers the required IAM permissions, security prerequisites, and best practices.
1. Required IAM Permissions
The IAM user or role configuring the VPN must have permissions for the following services:
Amazon VPC
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:CreateCustomerGateway",
"ec2:CreateVpnGateway",
"ec2:AttachVpnGateway",
"ec2:CreateVpnConnection",
"ec2:DescribeVpnConnections",
"ec2:DescribeVpnGateways",
"ec2:DescribeCustomerGateways",
"ec2:DeleteVpnConnection",
"ec2:DeleteVpnGateway",
"ec2:DeleteCustomerGateway",
"ec2:ModifyVpnConnection",
"ec2:ModifyVpnTunnelOptions"
],
"Resource": "*"
}
]
}
CloudWatch (for tunnel health monitoring)
{
"Effect": "Allow",
"Action": [
"cloudwatch:GetMetricData",
"cloudwatch:ListMetrics",
"cloudwatch:GetMetricStatistics"
],
"Resource": "*"
}
Optional – IAM (for managing roles & policies)
If automation or Terraform is used:
{
"Effect": "Allow",
"Action": [
"iam:PassRole",
"iam:GetRole",
"iam:ListRoles"
],
"Resource": "*"
}
2. Security Recommendations
Limit these permissions to dedicated admin or CI/CD roles only.
Apply resource-level restrictions once specific ARNs are known.
Use AWS CloudTrail to audit changes to VPN configurations.
Always enable tunnel redundancy (two tunnels) for each VPN connection.
3. Related AWS Services
AWS VPN Gateway (VGW): Managed IPsec endpoint in AWS.
Customer Gateway (CGW): Represents Timus Gateway
Transit Gateway (TGW): Use for scalable multi-VPC IPsec setups.
4. References
Updated
Comments
0 comments
Please sign in to leave a comment.