From 48fbd5fde77465edc60a0022594bff7539ff017b Mon Sep 17 00:00:00 2001 From: Viren Nadkarni Date: Tue, 19 Sep 2023 14:19:10 +0530 Subject: [PATCH] Add section on cross-account VPC peering --- content/en/references/cross-account-access.md | 64 ++++++++++--------- 1 file changed, 35 insertions(+), 29 deletions(-) diff --git a/content/en/references/cross-account-access.md b/content/en/references/cross-account-access.md index da794dba89..0ffa247708 100644 --- a/content/en/references/cross-account-access.md +++ b/content/en/references/cross-account-access.md @@ -27,6 +27,32 @@ IAM currently does not enforce cross-account access. Any ACLs, identity-based or resource-based policy attached to these operations or resources will be ignored. {{< /alert >}} +### EC2 VPCs + +It is possible to peer VPCs that are in a different region or account than the requester. +Ensure that the `PeerRegion` and `PeerOwnerId` arguments are correctly set when creating VPC peering connections. + +### KMS keys + +- `CreateGrant` +- `Decrypt` +- `DescribeKey` +- `Encrypt` +- `GenerateDataKey` +- `GenerateDataKeyPair` +- `GenerateDataKeyPairWithoutPlaintext` +- `GenerateDataKeyWithoutPlaintext` +- `GenerateMac` +- `GetKeyRotationStatus` +- `GetPublicKey` +- `ListGrants` +- `RetireGrant` +- `RevokeGrant` +- `Sign` +- `Verify` +- `VerifyMac` + + ### Lambda functions and layers - `AddLayerVersionPermission` 
@@ -55,32 +81,15 @@ Any ACLs, identity-based or resource-based policy attached to these operations o - `UpdateAlias` - `UpdateFunctionCode` -### SQS queues - -On AWS, all operations except `AddPermission`, `CreateQueue`, `DeleteQueue`, `ListQueues`, `ListQueueTags`, `RemovePermission`, `SetQueueAttributes`, `TagQueue` and `UntagQueue` allow cross-account access. +### S3 buckets -On LocalStack, all operations allow cross-account access. +Like AWS, LocalStack S3 has a bucket namespace which is shared by all accounts. +This means that the bucket name has to be globally unique. -### KMS keys +- `GetObject` +- `ListObjects` +- `PutObject` -- `CreateGrant` -- `Decrypt` -- `DescribeKey` -- `Encrypt` -- `GenerateDataKey` -- `GenerateDataKeyPair` -- `GenerateDataKeyPairWithoutPlaintext` -- `GenerateDataKeyWithoutPlaintext` -- `GenerateMac` -- `GetKeyRotationStatus` -- `GetPublicKey` -- `ListGrants` -- `RetireGrant` -- `RevokeGrant` -- `Sign` -- `Verify` -- `VerifyMac` - ### SNS topics @@ -93,14 +102,11 @@ On LocalStack, all operations allow cross-account access. - `SetTopicAttributes` - `Subscribe` -### S3 buckets +### SQS queues -Like AWS, LocalStack S3 has a bucket namespace which is shared by all accounts. -This means that the bucket name has to be globally unique. +On AWS, all operations except `AddPermission`, `CreateQueue`, `DeleteQueue`, `ListQueues`, `ListQueueTags`, `RemovePermission`, `SetQueueAttributes`, `TagQueue` and `UntagQueue` allow cross-account access. -- `GetObject` -- `ListObjects` -- `PutObject` +On LocalStack, all operations allow cross-account access. ## Cross-Region
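Review bot: the new `### EC2 VPCs` section in the first hunk (`@@ -27,6 +27,32 @@`) is the only section in this file that names no operations; every other section lists the API calls that permit cross-account access. Consider listing the EC2 operations that honour `PeerOwnerId` (the call that creates the peering connection, `CreateVpcPeeringConnection`, and the one the peer account uses to accept it), so the section follows the page's convention, and consider moving the `PeerRegion` remark to the `## Cross-Region` section that already exists further down, since this part of the page covers cross-account access. Also, the two blank lines added between `- \`VerifyMac\`` and `### Lambda functions and layers` break the single-blank-line spacing used between the other sections.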
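Review bot: the commit message only says "Add section on cross-account VPC peering", but the second hunk (`@@ -55,32 +81,15 @@`) removes the `### SQS queues` and `### KMS keys` sections and inserts `### S3 buckets` in their place, i.e. the file is being reordered alphabetically (EC2, KMS, Lambda, S3, SNS, SQS). State the reordering in the commit message, or split it into its own commit, so a reader of the history does not mistake the moves for content changes; from the visible lines the moved S3 and KMS text is identical to the removed text, so nothing is lost, but that is easier to verify when the move and the addition are separate.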
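Review bot: the `### SQS queues` text moved in the third hunk (`@@ -93,14 +102,11 @@`) states that on LocalStack all operations allow cross-account access, which includes the calls AWS refuses (`AddPermission`, `SetQueueAttributes`, `RemovePermission` and the others listed). That parity gap has a security consequence: a queue policy or cross-account call that AWS would deny will succeed in LocalStack, so tests run against it cannot catch the misconfiguration. Consider presenting that sentence in a `{{< alert >}}` block, as the first hunk's context already does for IAM ("IAM currently does not enforce cross-account access"), rather than as a plain paragraph.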