Amazon Elastic Compute Cloud
API Reference (API Version 2016-04-01)

Granting IAM Users Required Permissions for Amazon EC2 Resources

By default, AWS Identity and Access Management (IAM) users don't have permission to create or modify Amazon EC2 resources, or perform tasks using the Amazon EC2 API. To allow IAM users to create or modify resources and perform tasks, you must create IAM policies that grant IAM users permissions for the specific resources and API actions they'll need to use, and then attach those policies to the IAM users or groups that require those permissions.

For more information and for example policies, see IAM Policies for Amazon EC2 in the Amazon EC2 User Guide.

When you make an API request, the parameters that you specify in the request determine which resources an IAM user must have permission to use. If the user doesn't have the required permissions, the request fails. For example, if you use RunInstances to launch an instance in a subnet (by specifying the SubnetId parameter), an IAM user must have permission to use the VPC.

If an action creates a resource, an IAM user must have permission to create the resource or the request fails. Many Amazon EC2 resources receive an identifier when they are created. Because you can't know what that identifier is in advance, you must use a wildcard in the ARN for a resource when it is to be created by the request, as shown in the following sections. Note that because you can't tag a resource when you create it, you can't use any of the tag condition keys with a resource that's created by an action. (We'll add support for tagging a resource at creation later.)

Resource-level permissions refer to the ability to specify which resources users are allowed to perform actions on. Amazon EC2 has partial support for resource-level permissions. This means that for certain Amazon EC2 actions, you can control when users are allowed to use those actions based on conditions that have to be fulfilled, or on the specific resources that users are allowed to use. For example, you can grant users permission to launch instances, but only of a specific instance type, and only from a specific AMI.

Supported Resource-Level Permissions

The following sections describe the resources that are created or modified by the Amazon EC2 actions, and the ARNs and Amazon EC2 condition keys that you can use in an IAM policy statement to grant users permission to create or modify particular Amazon EC2 resources. (We'll add support for additional actions, ARNs, and condition keys later.)

When specifying an ARN, you can use the * wildcard in your paths; for example, when you cannot or do not want to specify exact resource IDs. For examples of using wildcards, see Example 5: Allow users to launch instances with a specific configuration in the Amazon EC2 User Guide.
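To make the rules in the preceding paragraphs concrete, the following Python script is an added example (it is not code from this reference or from AWS). It builds a RunInstances policy that allows launches only from an approved AMI, into an approved subnet, with an approved instance type, using a wildcard ARN for the instance that the call creates, and then runs a small IAM-style evaluator over constructed requests. The account number, region, AMI, subnet and security-group IDs are placeholders, and the evaluator implements only the subset of IAM semantics needed here: action and ARN wildcards, StringEquals and StringLike, every resource in the request needing an Allow, and an explicit Deny winning.

```python
"""RunInstances least-privilege policy plus a minimal IAM-style evaluator.

Added example, not code from the EC2 API Reference or from AWS. All IDs and
the account number are placeholders; the evaluator models only the subset of
IAM semantics needed here: action/ARN wildcards, StringEquals and StringLike,
every resource in the request needing an Allow, and explicit Deny winning.
"""
import fnmatch
import json

REGION = "us-east-1"                          # placeholder
ACCOUNT = "123456789012"                      # placeholder
ALLOWED_AMI = "ami-0abcdef1234567890"         # placeholder
ALLOWED_SUBNET = "subnet-0123456789abcdef0"   # placeholder
ALLOWED_TYPES = ["t2.micro", "t2.small"]


def arn(resource, account=ACCOUNT):
    """EC2 ARN; image and snapshot ARNs have an empty account segment."""
    return f"arn:aws:ec2:{REGION}:{account}:{resource}"


def build_policy():
    """One Allow per resource class that RunInstances touches. The instance is
    created by the call and has no ID yet, so its ARN has to be a wildcard and
    the restriction is expressed with the ec2:InstanceType condition key."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ApprovedImage", "Effect": "Allow",
             "Action": "ec2:RunInstances",
             "Resource": arn(f"image/{ALLOWED_AMI}", account="")},
            {"Sid": "ApprovedInstanceType", "Effect": "Allow",
             "Action": "ec2:RunInstances",
             "Resource": arn("instance/*"),
             "Condition": {"StringEquals": {"ec2:InstanceType": ALLOWED_TYPES}}},
            {"Sid": "ApprovedNetworkAndStorage", "Effect": "Allow",
             "Action": "ec2:RunInstances",
             "Resource": [arn(f"subnet/{ALLOWED_SUBNET}"),
                          arn("network-interface/*"),
                          arn("security-group/*"),
                          arn("key-pair/*"),
                          arn("volume/*")]},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_ok(condition, context):
    """A key absent from the request context never matches (IAM behaviour)."""
    for operator, clauses in (condition or {}).items():
        for key, wanted in clauses.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals" and actual not in _as_list(wanted):
                return False
            if operator == "StringLike" and not any(
                    fnmatch.fnmatchcase(actual, w) for w in _as_list(wanted)):
                return False
    return True


def _matches(stmt, action, resource, context):
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_ok(stmt.get("Condition"), context))


def is_allowed(policy, action, request):
    """request maps each resource ARN the call involves to its condition
    context. Every one of them needs an Allow; a Deny on any fails the call."""
    for resource, context in request.items():
        effects = [s["Effect"] for s in policy["Statement"]
                   if _matches(s, action, resource, context)]
        if "Deny" in effects or "Allow" not in effects:
            return False
    return True


def launch_request(instance_type, ami=ALLOWED_AMI, subnet=ALLOWED_SUBNET):
    """Resources a RunInstances call into a subnet is checked against. IDs of
    resources the call creates do not exist yet; the placeholders stand in for
    whatever EC2 assigns, which is why the policy must use wildcards for them."""
    return {
        arn(f"image/{ami}", account=""): {},
        arn("instance/i-placeholder"): {"ec2:InstanceType": instance_type},
        arn(f"subnet/{subnet}"): {},
        arn("network-interface/eni-placeholder"): {},
        arn("security-group/sg-0123456789abcdef0"): {},   # placeholder
        arn("volume/vol-placeholder"): {},
    }


if __name__ == "__main__":
    policy = build_policy()
    print(json.dumps(policy, indent=2))
    for label, req in [("approved type", launch_request("t2.micro")),
                       ("m4.large", launch_request("m4.large")),
                       ("other AMI", launch_request("t2.micro", ami="ami-0fedcba9876543210"))]:
        verdict = "allowed" if is_allowed(policy, "ec2:RunInstances", req) else "denied"
        print(f"{label}: {verdict}")
```

The three statements are split by resource class on purpose: the ec2:InstanceType key only exists in the context for the instance resource, so attaching it to a statement that also lists the image or subnet ARNs would make those resources fail the condition and the whole launch would be refused.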

Customer Gateways

Action: DeleteCustomerGateway
  Resource: Customer gateway
  ARN format: arn:aws:ec2:region:account:customer-gateway/*
              arn:aws:ec2:region:account:customer-gateway/cgw-id
  Condition keys: ec2:Region, ec2:ResourceTag/tag-key

DHCP Options Sets

Action: DeleteDhcpOptions
  Resource: DHCP options set
  ARN format: arn:aws:ec2:region:account:dhcp-options/*
              arn:aws:ec2:region:account:dhcp-options/dhcp-options-id
  Condition keys: ec2:Region, ec2:ResourceTag/tag-key

Instances

Action: AttachClassicLinkVpc
  Resource: Instance
  ARN format: arn:aws:ec2:region:account:instance/*
              arn:aws:ec2:region:account:instance/instance-id
  Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy

  Resource: Security group
  ARN format: arn:aws:ec2:region:account:security-group/*
              arn:aws:ec2:region:account:security-group/security-group-id
  Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

  Resource: VPC
  ARN format: arn:aws:ec2:region:account:vpc/*
              arn:aws:ec2:region:account:vpc/vpc-id
  Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy

Action: DetachClassicLinkVpc
  Resource: Instance
  ARN format: arn:aws:ec2:region:account:instance/*
              arn:aws:ec2:region:account:instance/instance-id
  Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy

  Resource: VPC
  ARN format: arn:aws:ec2:region:account:vpc/*
              arn:aws:ec2:region:account:vpc/vpc-id
  Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy

Action: GetConsoleScreenshot
  Resource: Instance
  ARN format: arn:aws:ec2:region:account:instance/*
              arn:aws:ec2:region:account:instance/instance-id
  Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy

Action: RebootInstances
  Resource: Instance
  ARN format: arn:aws:ec2:region:account:instance/*
              arn:aws:ec2:region:account:instance/instance-id
  Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy

Action: RunInstances
  Resource: Image
  ARN format: arn:aws:ec2:region::image/*
              arn:aws:ec2:region::image/image-id
  Condition keys: ec2:ImageType, ec2:Owner, ec2:Public, ec2:Region, ec2:RootDeviceType, ec2:ResourceTag/tag-key

  Resource: Instance
  ARN format: arn:aws:ec2:region:account:instance/*
  Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:RootDeviceType, ec2:Tenancy

  Resource: Key pair
  ARN format: arn:aws:ec2:region:account:key-pair/*
              arn:aws:ec2:region:account:key-pair/key-pair-name
  Condition keys: ec2:Region

  Resource: Network interface
  ARN format: arn:aws:ec2:region:account:network-interface/* (if specifying a subnet in the request)
              arn:aws:ec2:region:account:network-interface/eni-id
  Condition keys: ec2:AvailabilityZone, ec2:Region, ec2:Subnet, ec2:ResourceTag/tag-key, ec2:Vpc

  Resource: Placement group
  ARN format: arn:aws:ec2:region:account:placement-group/*
              arn:aws:ec2:region:account:placement-group/placement-group-name
  Condition keys: ec2:Region, ec2:PlacementGroupStrategy

  Resource: Security group
  ARN format: arn:aws:ec2:region:account:security-group/*
              arn:aws:ec2:region:account:security-group/security-group-id
  Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

  Resource: Snapshot
  ARN format: arn:aws:ec2:region::snapshot/*
              arn:aws:ec2:region::snapshot/snapshot-id
  Condition keys: ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:SnapshotTime, ec2:ResourceTag/tag-key, ec2:VolumeSize

  Resource: Subnet
  ARN format: arn:aws:ec2:region:account:subnet/*
              arn:aws:ec2:region:account:subnet/subnet-id
  Condition keys: ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

  Resource: Volume
  ARN format: arn:aws:ec2:region:account:volume/* (if launching from an EBS-backed image)
  Condition keys: ec2:AvailabilityZone, ec2:ParentSnapshot, ec2:Region, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType

Action: StartInstances
  Resource: Instance
  ARN format: arn:aws:ec2:region:account:instance/*
              arn:aws:ec2:region:account:instance/instance-id
  Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy

Action: StopInstances
  Resource: Instance
  ARN format: arn:aws:ec2:region:account:instance/*
              arn:aws:ec2:region:account:instance/instance-id
  Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy

Action: TerminateInstances
  Resource: Instance
  ARN format: arn:aws:ec2:region:account:instance/*
              arn:aws:ec2:region:account:instance/instance-id
  Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy

Internet Gateways

Action: DeleteInternetGateway
  Resource: Internet gateway
  ARN format: arn:aws:ec2:region:account:internet-gateway/*
              arn:aws:ec2:region:account:internet-gateway/igw-id
  Condition keys: ec2:Region, ec2:ResourceTag/tag-key

Network ACLs

Action: DeleteNetworkAcl
  Resource: Network ACL
  ARN format: arn:aws:ec2:region:account:network-acl/*
              arn:aws:ec2:region:account:network-acl/nacl-id
  Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

Action: DeleteNetworkAclEntry
  Resource: Network ACL
  ARN format: arn:aws:ec2:region:account:network-acl/*
              arn:aws:ec2:region:account:network-acl/nacl-id
  Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

Route Tables

Action: DeleteRoute
  Resource: Route table
  ARN format: arn:aws:ec2:region:account:route-table/*
              arn:aws:ec2:region:account:route-table/route-table-id
  Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

Action: DeleteRouteTable
  Resource: Route table
  ARN format: arn:aws:ec2:region:account:route-table/*
              arn:aws:ec2:region:account:route-table/route-table-id
  Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

Security Groups

Action: AuthorizeSecurityGroupEgress
  Resource: Security group
  ARN format: arn:aws:ec2:region:account:security-group/*
              arn:aws:ec2:region:account:security-group/security-group-id
  Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

Action: AuthorizeSecurityGroupIngress
  Resource: Security group
  ARN format: arn:aws:ec2:region:account:security-group/*
              arn:aws:ec2:region:account:security-group/security-group-id
  Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

Action: DeleteSecurityGroup
  Resource: Security group
  ARN format: arn:aws:ec2:region:account:security-group/*
              arn:aws:ec2:region:account:security-group/security-group-id
  Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

Action: RevokeSecurityGroupEgress
  Resource: Security group
  ARN format: arn:aws:ec2:region:account:security-group/*
              arn:aws:ec2:region:account:security-group/security-group-id
  Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

Action: RevokeSecurityGroupIngress
  Resource: Security group
  ARN format: arn:aws:ec2:region:account:security-group/*
              arn:aws:ec2:region:account:security-group/security-group-id
  Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

Volumes

Action: AttachVolume
  Resource: Instance
  ARN format: arn:aws:ec2:region:account:instance/*
              arn:aws:ec2:region:account:instance/instance-id
  Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy

  Resource: Volume
  ARN format: arn:aws:ec2:region:account:volume/*
              arn:aws:ec2:region:account:volume/volume-id
  Condition keys: ec2:AvailabilityZone, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/tag-key, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType

Action: DeleteVolume
  Resource: Volume
  ARN format: arn:aws:ec2:region:account:volume/*
              arn:aws:ec2:region:account:volume/volume-id
  Condition keys: ec2:AvailabilityZone, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/tag-key, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType

Action: DetachVolume
  Resource: Instance
  ARN format: arn:aws:ec2:region:account:instance/*
              arn:aws:ec2:region:account:instance/instance-id
  Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy

  Resource: Volume
  ARN format: arn:aws:ec2:region:account:volume/*
              arn:aws:ec2:region:account:volume/volume-id
  Condition keys: ec2:AvailabilityZone, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/tag-key, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType

VPCs

Action: DisableVpcClassicLink
  Resource: VPC
  ARN format: arn:aws:ec2:region:account:vpc/*
              arn:aws:ec2:region:account:vpc/vpc-id
  Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy

Action: EnableVpcClassicLink
  Resource: VPC
  ARN format: arn:aws:ec2:region:account:vpc/*
              arn:aws:ec2:region:account:vpc/vpc-id
  Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy

VPC Peering Connections

Action: AcceptVpcPeeringConnection
  Resource: VPC
  ARN format: arn:aws:ec2:region:account:vpc/*
              arn:aws:ec2:region:account:vpc/vpc-id
  Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy

  Resource: VPC peering connection
  ARN format: arn:aws:ec2:region:account:vpc-peering-connection/*
              arn:aws:ec2:region:account:vpc-peering-connection/vpc-peering-connection-id
  Condition keys: ec2:AccepterVpc, ec2:Region, ec2:ResourceTag/tag-key, ec2:RequesterVpc

Action: CreateVpcPeeringConnection
  Resource: VPC
  ARN format: arn:aws:ec2:region:account:vpc/*
              arn:aws:ec2:region:account:vpc/vpc-id
  Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy

  Resource: VPC peering connection
  ARN format: arn:aws:ec2:region:account:vpc-peering-connection/*
  Condition keys: ec2:AccepterVpc, ec2:Region, ec2:RequesterVpc

Action: DeleteVpcPeeringConnection
  Resource: VPC peering connection
  ARN format: arn:aws:ec2:region:account:vpc-peering-connection/*
              arn:aws:ec2:region:account:vpc-peering-connection/vpc-peering-connection-id
  Condition keys: ec2:AccepterVpc, ec2:Region, ec2:ResourceTag/tag-key, ec2:RequesterVpc

Action: RejectVpcPeeringConnection
  Resource: VPC peering connection
  ARN format: arn:aws:ec2:region:account:vpc-peering-connection/*
              arn:aws:ec2:region:account:vpc-peering-connection/vpc-peering-connection-id
  Condition keys: ec2:AccepterVpc, ec2:Region, ec2:ResourceTag/tag-key, ec2:RequesterVpc

Unsupported Resource-Level Permissions

All Amazon EC2 actions can be used in an IAM policy to either grant or deny users permission to use that action. However, not all Amazon EC2 actions support resource-level permissions, which enable you to specify the resources on which an action can be performed. The following Amazon EC2 API actions currently do not support resource-level permissions; therefore, to use these actions in an IAM policy, you must grant users permission to use all resources for the action by using a * wildcard for the Resource element in your statement. You cannot use Amazon EC2 condition keys for these actions. For examples, see Example Policies for CLI or SDK.

  • AllocateAddress

  • AllocateHosts

  • AssignPrivateIpAddresses

  • AssociateAddress

  • AssociateDhcpOptions

  • AssociateRouteTable

  • AttachInternetGateway

  • AttachNetworkInterface

  • AttachVpnGateway

  • BundleInstance

  • CancelBundleTask

  • CancelConversionTask

  • CancelExportTask

  • CancelImportTask

  • CancelReservedInstancesListing

  • CancelSpotFleetRequests

  • CancelSpotInstanceRequests

  • ConfirmProductInstance

  • CopyImage

  • CopySnapshot

  • CreateCustomerGateway

  • CreateDhcpOptions

  • CreateFlowLogs

  • CreateImage

  • CreateInstanceExportTask

  • CreateInternetGateway

  • CreateKeyPair

  • CreateNatGateway

  • CreateNetworkAcl

  • CreateNetworkAclEntry

  • CreateNetworkInterface

  • CreatePlacementGroup

  • CreateReservedInstancesListing

  • CreateRoute

  • CreateRouteTable

  • CreateSecurityGroup

  • CreateSnapshot

  • CreateSpotDatafeedSubscription

  • CreateSubnet

  • CreateTags

  • CreateVolume

  • CreateVpc

  • CreateVpcEndpoint

  • CreateVpnConnection

  • CreateVpnConnectionRoute

  • CreateVpnGateway

  • DeleteFlowLogs

  • DeleteKeyPair

  • DeleteNatGateways

  • DeleteNetworkInterface

  • DeletePlacementGroup

  • DeleteSnapshot

  • DeleteSpotDatafeedSubscription

  • DeleteSubnet

  • DeleteTags

  • DeleteVpc

  • DeleteVpcEndpoints

  • DeleteVpnConnection

  • DeleteVpnConnectionRoute

  • DeleteVpnGateway

  • DeregisterImage

  • DescribeAccountAttributes

  • DescribeAddresses

  • DescribeAvailabilityZones

  • DescribeBundleTasks

  • DescribeClassicLinkInstances

  • DescribeConversionTasks

  • DescribeCustomerGateways

  • DescribeDhcpOptions

  • DescribeExportTasks

  • DescribeHosts

  • DescribeIdentityIdFormat

  • DescribeIdFormat

  • DescribeImageAttribute

  • DescribeImages

  • DescribeImportImageTasks

  • DescribeImportSnapshotTasks

  • DescribeInstanceAttribute

  • DescribeInstances

  • DescribeInstanceStatus

  • DescribeInternetGateways

  • DescribeFlowLogs

  • DescribeKeyPairs

  • DescribeMovingAddresses

  • DescribeNatGateways

  • DescribeNetworkAcls

  • DescribeNetworkInterfaceAttribute

  • DescribeNetworkInterfaces

  • DescribePlacementGroups

  • DescribePrefixLists

  • DescribeRegions

  • DescribeReservedInstances

  • DescribeReservedInstancesListings

  • DescribeReservedInstancesModifications

  • DescribeReservedInstancesOfferings

  • DescribeRouteTables

  • DescribeScheduledInstanceAvailability

  • DescribeScheduledInstances

  • DescribeSecurityGroupReferences

  • DescribeSecurityGroups

  • DescribeStaleSecurityGroups

  • DescribeSnapshotAttribute

  • DescribeSnapshots

  • DescribeSpotDatafeedSubscription

  • DescribeSpotFleetInstances

  • DescribeSpotFleetRequestHistory

  • DescribeSpotFleetRequests

  • DescribeSpotInstanceRequests

  • DescribeSpotPriceHistory

  • DescribeSubnets

  • DescribeTags

  • DescribeVolumeAttribute

  • DescribeVolumes

  • DescribeVolumeStatus

  • DescribeVpcAttribute

  • DescribeVpcClassicLink

  • DescribeVpcClassicLinkDnsSupport

  • DescribeVpcEndpoints

  • DescribeVpcEndpointServices

  • DescribeVpcPeeringConnections

  • DescribeVpcs

  • DescribeVpnConnections

  • DescribeVpnGateways

  • DetachInternetGateway

  • DetachNetworkInterface

  • DetachVpnGateway

  • DisableVgwRoutePropagation

  • DisableVpcClassicLinkDnsSupport

  • DisassociateAddress

  • DisassociateRouteTable

  • EnableVgwRoutePropagation

  • EnableVolumeIO

  • EnableVpcClassicLinkDnsSupport

  • GetConsoleOutput

  • GetPasswordData

  • ImportImage

  • ImportInstance

  • ImportKeyPair

  • ImportSnapshot

  • ImportVolume

  • ModifyHosts

  • ModifyIdentityIdFormat

  • ModifyIdFormat

  • ModifyImageAttribute

  • ModifyInstanceAttribute

  • ModifyInstancePlacement

  • ModifyNetworkInterfaceAttribute

  • ModifyReservedInstances

  • ModifySnapshotAttribute

  • ModifySpotFleetRequest

  • ModifySubnetAttribute

  • ModifyVolumeAttribute

  • ModifyVpcAttribute

  • ModifyVpcEndpoint

  • ModifyVpcPeeringConnectionOptions

  • MonitorInstances

  • MoveAddressToVpc

  • PurchaseReservedInstancesOffering

  • PurchaseScheduledInstances

  • RegisterImage

  • ReleaseAddress

  • ReleaseHosts

  • ReplaceNetworkAclAssociation

  • ReplaceNetworkAclEntry

  • ReplaceRoute

  • ReplaceRouteTableAssociation

  • ReportInstanceStatus

  • RequestSpotFleet

  • RequestSpotInstances

  • ResetImageAttribute

  • ResetInstanceAttribute

  • ResetNetworkInterfaceAttribute

  • ResetSnapshotAttribute

  • RestoreAddressToClassic

  • RunScheduledInstances

  • UnassignPrivateIpAddresses

  • UnmonitorInstances
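The mistake this rule invites is listing a supported and an unsupported action in the same scoped statement: the supported action works, and the call using the unsupported one is refused because no statement grants it on Resource "*". The following static check over a policy document catches that. It is an added example, not AWS tooling; NO_RESOURCE_LEVEL holds a hand-picked subset of the list above (extend it with the rest), and SAMPLE_POLICY is constructed with placeholder IDs.

```python
"""Flag Allow statements that grant an action without resource-level support
while scoping it to a specific ARN or attaching an ec2: condition key.

Added example, not AWS tooling. NO_RESOURCE_LEVEL is a subset of the actions
listed in the API Reference as unsupported; SAMPLE_POLICY is constructed and
its account number and IDs are placeholders.
"""
import fnmatch

NO_RESOURCE_LEVEL = {
    "ec2:AttachNetworkInterface", "ec2:CreateSecurityGroup", "ec2:CreateSnapshot",
    "ec2:CreateTags", "ec2:CreateVolume", "ec2:DeleteTags",
    "ec2:DescribeInstances", "ec2:DescribeTags", "ec2:ModifyInstanceAttribute",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ec2_condition_keys(stmt):
    keys = set()
    for clauses in stmt.get("Condition", {}).values():
        keys.update(k for k in clauses if k.startswith("ec2:"))
    return sorted(keys)


def find_problems(policy):
    """Return (Sid, message) pairs. Only Allow statements matter: a grant for an
    unsupported action needs Resource "*" and no ec2: condition keys, otherwise
    the call fails even though the action is named in the statement."""
    problems = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt["Action"])   # "ec2:Describe*" style wildcards included
        affected = sorted(a for a in NO_RESOURCE_LEVEL
                          if any(fnmatch.fnmatchcase(a, p) for p in patterns))
        if not affected:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if _as_list(stmt.get("Resource", [])) != ["*"]:
            problems.append((sid, "Resource must be \"*\" for " + ", ".join(affected)))
        keys = _ec2_condition_keys(stmt)
        if keys:
            problems.append((sid, "condition keys " + ", ".join(keys)
                             + " are not supported for " + ", ".join(affected)))
    return problems


SAMPLE_POLICY = {   # constructed: one statement mixes supported and unsupported actions
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "LaunchAndTag", "Effect": "Allow",
         "Action": ["ec2:RunInstances", "ec2:CreateTags"],
         "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
         "Condition": {"StringEquals": {"ec2:InstanceType": "t2.micro"}}},
        {"Sid": "ReadOnly", "Effect": "Allow",
         "Action": "ec2:Describe*", "Resource": "*"},
        {"Sid": "TagAnything", "Effect": "Allow",   # the corrected form: own statement, "*"
         "Action": "ec2:CreateTags", "Resource": "*"},
    ],
}


if __name__ == "__main__":
    for sid, message in find_problems(SAMPLE_POLICY):
        print(f"{sid}: {message}")
```

Running it reports only the LaunchAndTag statement, twice (scoped Resource and an ec2: condition key), while ReadOnly and TagAnything pass; the fix is the shape TagAnything already has, a separate statement for the unsupported action with Resource "*" and no EC2 condition keys.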