Network Access Analyzer resource statements - Amazon Virtual Private Cloud
Network Access Analyzer resource statements

A resource statement in Network Access Analyzer defines the network components for a match or exclude condition. Each resource statement includes resource IDs, resource ARNs, or resource types. A single resource statement can include either resource IDs or resource types, but not both.

You can specify the following components by resource ID or resource ARN:

  • EC2 instances (source and destination only)

  • Internet gateways (source and destination only)

  • NAT gateways (through only)

  • Network firewalls (through only)

  • Network interfaces (source and destination only)

  • Resource groups

  • Security groups (source and destination only)

  • Subnets (source and destination only)

  • Transit gateway attachments

  • Virtual private clouds (VPC) (source and destination only)

  • Virtual private gateways (source and destination only)

  • VPC endpoint services

  • VPC endpoints

  • VPC peering connections

You must specify the following components by ARN:

  • Classic, Application, Network, and Gateway Load Balancers (through only)

You can specify the following components by resource type:

  • AWS::EC2::InternetGateway (source and destination only)

  • AWS::EC2::NatGateway (through only)

  • AWS::EC2::TransitGatewayAttachment

  • AWS::EC2::VPCEndpoint (destination and through only)

  • AWS::EC2::VPCEndpointService

  • AWS::EC2::VPCPeeringConnection

  • AWS::EC2::VPNGateway (source and destination only)

  • AWS::ElasticLoadBalancing::LoadBalancer (through only)

  • AWS::ElasticLoadBalancingV2::LoadBalancer (through only)

  • AWS::NetworkFirewall::NetworkFirewall (through only)
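The rules above can be checked before a scope is submitted. The following Python validator is an added example, not code from the AWS documentation. It assumes the path JSON shape of the EC2 `CreateNetworkInsightsAccessScope` request (`Source`, `Destination`, `ThroughResources`, each holding a `ResourceStatement` with `Resources` or `ResourceTypes`), and it treats a type listed without a qualifier as valid in any position. The sample paths are constructed.

```python
# Positions each resource type may occupy, transcribed from the list above.
# Assumption: a type listed with no qualifier is accepted in any position.
ANY = {"source", "destination", "through"}
ENDS = {"source", "destination"}
ALLOWED = {
    "AWS::EC2::InternetGateway": ENDS,
    "AWS::EC2::NatGateway": {"through"},
    "AWS::EC2::TransitGatewayAttachment": ANY,
    "AWS::EC2::VPCEndpoint": {"destination", "through"},
    "AWS::EC2::VPCEndpointService": ANY,
    "AWS::EC2::VPCPeeringConnection": ANY,
    "AWS::EC2::VPNGateway": ENDS,
    "AWS::ElasticLoadBalancing::LoadBalancer": {"through"},
    "AWS::ElasticLoadBalancingV2::LoadBalancer": {"through"},
    "AWS::NetworkFirewall::NetworkFirewall": {"through"},
}

def check_statement(stmt, position):
    """Return rule violations for one ResourceStatement at the given position."""
    errors = []
    resources = stmt.get("Resources") or []
    types = stmt.get("ResourceTypes") or []
    if resources and types:
        errors.append(f"{position}: statement mixes Resources and ResourceTypes")
    for rtype in types:
        if rtype not in ALLOWED:
            errors.append(f"{position}: {rtype} is not a listed resource type")
        elif position not in ALLOWED[rtype]:
            errors.append(f"{position}: {rtype} is not allowed here")
    return errors

def check_path(path):
    """Check Source, Destination and every ThroughResources entry of one path."""
    found = [(pos, (path.get(pos.capitalize()) or {}).get("ResourceStatement"))
             for pos in ("source", "destination")]
    found += [("through", t.get("ResourceStatement"))
              for t in path.get("ThroughResources") or []]
    return [e for pos, stmt in found if stmt for e in check_statement(stmt, pos)]

# Constructed sample paths: the first is valid, the second breaks two rules.
SAMPLE_PATHS = [
    {"Source": {"ResourceStatement": {"ResourceTypes": ["AWS::EC2::InternetGateway"]}},
     "Destination": {"ResourceStatement": {"ResourceTypes": ["AWS::EC2::VPCEndpoint"]}},
     "ThroughResources": [{"ResourceStatement": {"ResourceTypes": ["AWS::EC2::NatGateway"]}}]},
    {"Source": {"ResourceStatement": {"ResourceTypes": ["AWS::EC2::NatGateway"]}},
     "Destination": {"ResourceStatement": {"Resources": ["vpc-0123456789abcdef0"],
                                           "ResourceTypes": ["AWS::EC2::VPNGateway"]}}},
]

if __name__ == "__main__":
    for i, p in enumerate(SAMPLE_PATHS):
        print(i, check_path(p) or "ok")
```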