Amazon Elastic Compute Cloud
User Guide for Linux Instances

Supported Resource-Level Permissions for Amazon EC2 API Actions

Resource-level permissions refer to the ability to specify which resources users are allowed to perform actions on. Amazon EC2 has partial support for resource-level permissions: for certain Amazon EC2 actions, you can control when users are allowed to use those actions based on conditions that have to be fulfilled, or on the specific resources that users are allowed to use. For example, you can grant users permission to launch instances, but only of a specific type, and only using a specific AMI.

The following table describes the Amazon EC2 API actions that currently support resource-level permissions, as well as the supported resources (and their ARNs) and condition keys for each action. When specifying an ARN, you can use the * wildcard in the resource path, for example when you cannot or do not want to specify exact resource IDs. For examples of using wildcards, see Example Policies for Working With the AWS CLI or an AWS SDK.

Important

If an Amazon EC2 API action is not listed in this table, then it does not support resource-level permissions. If an Amazon EC2 API action does not support resource-level permissions, you can grant users permission to use the action, but you have to specify a * for the resource element of your policy statement. For an example, see 1: Read-Only Access. For a list of Amazon EC2 API actions that currently do not support resource-level permissions, see Unsupported Resource-Level Permissions in the Amazon EC2 API Reference.

All Amazon EC2 actions support the ec2:Region condition key. For an example, see 2: Restricting Access to a Specific Region.

API Action / Resources (ARNs) / Condition Keys

AcceptVpcPeeringConnection
  Resource: VPC peering connection
    ARNs: arn:aws:ec2:region:account:vpc-peering-connection/*
          arn:aws:ec2:region:account:vpc-peering-connection/vpc-peering-connection-id
    Condition keys: ec2:AccepterVpc, ec2:Region, ec2:ResourceTag/tag-key, ec2:RequesterVpc
  Resource: VPC
    ARNs: arn:aws:ec2:region:account:vpc/*
          arn:aws:ec2:region:account:vpc/vpc-id (where vpc-id is a VPC owned by the accepter)
    Condition keys: ec2:ResourceTag/tag-key, ec2:Region, ec2:Tenancy

AssociateIamInstanceProfile
  Resource: Instance
    ARNs: arn:aws:ec2:region:account:instance/*
          arn:aws:ec2:region:account:instance/instance-id
    Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy

AttachClassicLinkVpc
  Resource: Instance
    ARNs: arn:aws:ec2:region:account:instance/*
          arn:aws:ec2:region:account:instance/instance-id
    Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy
  Resource: Security group
    ARNs: arn:aws:ec2:region:account:security-group/*
          arn:aws:ec2:region:account:security-group/security-group-id (where the security group is the security group for the VPC)
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc
  Resource: VPC
    ARNs: arn:aws:ec2:region:account:vpc/*
          arn:aws:ec2:region:account:vpc/vpc-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy

AttachVolume
  Resource: Instance
    ARNs: arn:aws:ec2:region:account:instance/*
          arn:aws:ec2:region:account:instance/instance-id
    Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy
  Resource: Volume
    ARNs: arn:aws:ec2:region:account:volume/*
          arn:aws:ec2:region:account:volume/volume-id
    Condition keys: ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/tag-key, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType

AuthorizeSecurityGroupEgress
  Resource: Security group
    ARNs: arn:aws:ec2:region:account:security-group/*
          arn:aws:ec2:region:account:security-group/security-group-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

AuthorizeSecurityGroupIngress
  Resource: Security group
    ARNs: arn:aws:ec2:region:account:security-group/*
          arn:aws:ec2:region:account:security-group/security-group-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

CreateTags
  Resource: DHCP options set
    ARNs: arn:aws:ec2:region:account:dhcp-options/*
          arn:aws:ec2:region:account:dhcp-options/dhcp-options-id
    Condition keys: ec2:CreateAction, ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
  Resource: Image
    ARNs: arn:aws:ec2:region::image/*
          arn:aws:ec2:region::image/image-id
    Condition keys: ec2:CreateAction, ec2:ImageType, ec2:Owner, ec2:Public, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, aws:RequestTag/tag-key, aws:TagKeys
  Resource: Instance
    ARNs: arn:aws:ec2:region:account:instance/*
          arn:aws:ec2:region:account:instance/instance-id
    Condition keys: ec2:AvailabilityZone, ec2:CreateAction, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy, aws:RequestTag/tag-key, aws:TagKeys
  Resource: Internet gateway
    ARNs: arn:aws:ec2:region:account:internet-gateway/*
          arn:aws:ec2:region:account:internet-gateway/igw-id
    Condition keys: ec2:CreateAction, ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
  Resource: Network ACL
    ARNs: arn:aws:ec2:region:account:network-acl/*
          arn:aws:ec2:region:account:network-acl/nacl-id
    Condition keys: ec2:CreateAction, ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc, aws:RequestTag/tag-key, aws:TagKeys
  Resource: Network interface
    ARNs: arn:aws:ec2:region:account:network-interface/*
          arn:aws:ec2:region:account:network-interface/eni-id
    Condition keys: ec2:AvailabilityZone, ec2:CreateAction, ec2:Region, ec2:Subnet, ec2:ResourceTag/tag-key, ec2:Vpc, aws:RequestTag/tag-key, aws:TagKeys
  Resource: Reserved Instance
    ARNs: arn:aws:ec2:region:account:reserved-instance/*
          arn:aws:ec2:region:account:reserved-instance/reservation-id
    Condition keys: ec2:AvailabilityZone, ec2:CreateAction, ec2:InstanceType, ec2:ReservedInstancesOfferingType, ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy, aws:RequestTag/tag-key, aws:TagKeys
  Resource: Route table
    ARNs: arn:aws:ec2:region:account:route-table/*
          arn:aws:ec2:region:account:route-table/route-table-id
    Condition keys: ec2:CreateAction, ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc, aws:RequestTag/tag-key, aws:TagKeys
  Resource: Security group
    ARNs: arn:aws:ec2:region:account:security-group/*
          arn:aws:ec2:region:account:security-group/security-group-id
    Condition keys: ec2:CreateAction, ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc, aws:RequestTag/tag-key, aws:TagKeys
  Resource: Snapshot
    ARNs: arn:aws:ec2:region::snapshot/*
          arn:aws:ec2:region::snapshot/snapshot-id
    Condition keys: ec2:CreateAction, ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:ResourceTag/tag-key, ec2:SnapshotTime, ec2:VolumeSize, aws:RequestTag/tag-key, aws:TagKeys
  Resource: Spot Instance request
    ARNs: arn:aws:ec2:region:account:spot-instances-request/*
          arn:aws:ec2:region:account:spot-instances-request/spot-instance-request-id
    Condition keys: ec2:CreateAction, ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
  Resource: Subnet
    ARNs: arn:aws:ec2:region:account:subnet/*
          arn:aws:ec2:region:account:subnet/subnet-id
    Condition keys: ec2:AvailabilityZone, ec2:CreateAction, ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc, aws:RequestTag/tag-key, aws:TagKeys
  Resource: Volume
    ARNs: arn:aws:ec2:region:account:volume/*
          arn:aws:ec2:region:account:volume/volume-id
    Condition keys: ec2:AvailabilityZone, ec2:CreateAction, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/tag-key, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType, aws:RequestTag/tag-key, aws:TagKeys
  Resource: VPC
    ARNs: arn:aws:ec2:region:account:vpc/*
          arn:aws:ec2:region:account:vpc/vpc-id
    Condition keys: ec2:CreateAction, ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy, aws:RequestTag/tag-key, aws:TagKeys
  Resource: VPN connection
    ARNs: arn:aws:ec2:region:account:vpn-connection/*
          arn:aws:ec2:region:account:vpn-connection/vpn-connection-id
    Condition keys: ec2:CreateAction, ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
  Resource: VPN gateway
    ARNs: arn:aws:ec2:region:account:vpn-gateway/*
          arn:aws:ec2:region:account:vpn-gateway/vpn-gateway-id
    Condition keys: ec2:CreateAction, ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys

CreateVolume
  Resource: Volume
    ARNs: arn:aws:ec2:region:account:volume/*
    Condition keys: ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType, aws:RequestTag/tag-key, aws:TagKeys

CreateVpcPeeringConnection
  Resource: VPC
    ARNs: arn:aws:ec2:region:account:vpc/*
          arn:aws:ec2:region:account:vpc/vpc-id (where vpc-id is a requester VPC)
    Condition keys: ec2:ResourceTag/tag-key, ec2:Region, ec2:Tenancy
  Resource: VPC peering connection
    ARNs: arn:aws:ec2:region:account:vpc-peering-connection/*
    Condition keys: ec2:AccepterVpc, ec2:Region, ec2:RequesterVpc

DeleteCustomerGateway
  Resource: Customer gateway
    ARNs: arn:aws:ec2:region:account:customer-gateway/*
          arn:aws:ec2:region:account:customer-gateway/cgw-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key

DeleteDhcpOptions
  Resource: DHCP options set
    ARNs: arn:aws:ec2:region:account:dhcp-options/*
          arn:aws:ec2:region:account:dhcp-options/dhcp-options-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key

DeleteInternetGateway
  Resource: Internet gateway
    ARNs: arn:aws:ec2:region:account:internet-gateway/*
          arn:aws:ec2:region:account:internet-gateway/igw-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key

DeleteNetworkAcl
  Resource: Network ACL
    ARNs: arn:aws:ec2:region:account:network-acl/*
          arn:aws:ec2:region:account:network-acl/nacl-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

DeleteNetworkAclEntry
  Resource: Network ACL
    ARNs: arn:aws:ec2:region:account:network-acl/*
          arn:aws:ec2:region:account:network-acl/nacl-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

DeleteRoute
  Resource: Route table
    ARNs: arn:aws:ec2:region:account:route-table/*
          arn:aws:ec2:region:account:route-table/route-table-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

DeleteRouteTable
  Resource: Route table
    ARNs: arn:aws:ec2:region:account:route-table/*
          arn:aws:ec2:region:account:route-table/route-table-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

DeleteSecurityGroup
  Resource: Security group
    ARNs: arn:aws:ec2:region:account:security-group/security-group-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

DeleteTags
  Resource: DHCP options set
    ARNs: arn:aws:ec2:region:account:dhcp-options/*
          arn:aws:ec2:region:account:dhcp-options/dhcp-options-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
  Resource: Image
    ARNs: arn:aws:ec2:region::image/*
          arn:aws:ec2:region::image/image-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
  Resource: Instance
    ARNs: arn:aws:ec2:region:account:instance/*
          arn:aws:ec2:region:account:instance/instance-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
  Resource: Internet gateway
    ARNs: arn:aws:ec2:region:account:internet-gateway/*
          arn:aws:ec2:region:account:internet-gateway/igw-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
  Resource: Network ACL
    ARNs: arn:aws:ec2:region:account:network-acl/*
          arn:aws:ec2:region:account:network-acl/nacl-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
  Resource: Network interface
    ARNs: arn:aws:ec2:region:account:network-interface/*
          arn:aws:ec2:region:account:network-interface/eni-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
  Resource: Reserved Instance
    ARNs: arn:aws:ec2:region:account:reserved-instance/*
          arn:aws:ec2:region:account:reserved-instance/reservation-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
  Resource: Route table
    ARNs: arn:aws:ec2:region:account:route-table/*
          arn:aws:ec2:region:account:route-table/route-table-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
  Resource: Security group
    ARNs: arn:aws:ec2:region:account:security-group/*
          arn:aws:ec2:region:account:security-group/security-group-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
  Resource: Snapshot
    ARNs: arn:aws:ec2:region::snapshot/*
          arn:aws:ec2:region::snapshot/snapshot-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
  Resource: Spot Instance request
    ARNs: arn:aws:ec2:region:account:spot-instances-request/*
          arn:aws:ec2:region:account:spot-instances-request/spot-instance-request-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
  Resource: Subnet
    ARNs: arn:aws:ec2:region:account:subnet/*
          arn:aws:ec2:region:account:subnet/subnet-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
  Resource: Volume
    ARNs: arn:aws:ec2:region:account:volume/*
          arn:aws:ec2:region:account:volume/volume-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
  Resource: VPC
    ARNs: arn:aws:ec2:region:account:vpc/*
          arn:aws:ec2:region:account:vpc/vpc-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
  Resource: VPN connection
    ARNs: arn:aws:ec2:region:account:vpn-connection/*
          arn:aws:ec2:region:account:vpn-connection/vpn-connection-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
  Resource: VPN gateway
    ARNs: arn:aws:ec2:region:account:vpn-gateway/*
          arn:aws:ec2:region:account:vpn-gateway/vpn-gateway-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys

DeleteVolume
  Resource: Volume
    ARNs: arn:aws:ec2:region:account:volume/*
          arn:aws:ec2:region:account:volume/volume-id
    Condition keys: ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/tag-key, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType

DeleteVpcPeeringConnection
  Resource: VPC peering connection
    ARNs: arn:aws:ec2:region:account:vpc-peering-connection/*
          arn:aws:ec2:region:account:vpc-peering-connection/vpc-peering-connection-id
    Condition keys: ec2:AccepterVpc, ec2:Region, ec2:ResourceTag/tag-key, ec2:RequesterVpc

DetachClassicLinkVpc
  Resource: Instance
    ARNs: arn:aws:ec2:region:account:instance/*
          arn:aws:ec2:region:account:instance/instance-id
    Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy
  Resource: VPC
    ARNs: arn:aws:ec2:region:account:vpc/*
          arn:aws:ec2:region:account:vpc/vpc-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy

DetachVolume
  Resource: Instance
    ARNs: arn:aws:ec2:region:account:instance/*
          arn:aws:ec2:region:account:instance/instance-id
    Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy
  Resource: Volume
    ARNs: arn:aws:ec2:region:account:volume/*
          arn:aws:ec2:region:account:volume/volume-id
    Condition keys: ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/tag-key, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType

DisableVpcClassicLink
  Resource: VPC
    ARNs: arn:aws:ec2:region:account:vpc/*
          arn:aws:ec2:region:account:vpc/vpc-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy

DisassociateIamInstanceProfile
  Resource: Instance
    ARNs: arn:aws:ec2:region:account:instance/*
          arn:aws:ec2:region:account:instance/instance-id
    Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy

EnableVpcClassicLink
  Resource: VPC
    ARNs: arn:aws:ec2:region:account:vpc/*
          arn:aws:ec2:region:account:vpc/vpc-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy

GetConsoleScreenshot
  Resource: Instance
    ARNs: arn:aws:ec2:region:account:instance/*
          arn:aws:ec2:region:account:instance/instance-id
    Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy

RebootInstances
  Resource: Instance
    ARNs: arn:aws:ec2:region:account:instance/*
          arn:aws:ec2:region:account:instance/instance-id
    Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy

RejectVpcPeeringConnection
  Resource: VPC peering connection
    ARNs: arn:aws:ec2:region:account:vpc-peering-connection/*
          arn:aws:ec2:region:account:vpc-peering-connection/vpc-peering-connection-id
    Condition keys: ec2:AccepterVpc, ec2:Region, ec2:ResourceTag/tag-key, ec2:RequesterVpc

ReplaceIamInstanceProfileAssociation
  Resource: Instance
    ARNs: arn:aws:ec2:region:account:instance/*
          arn:aws:ec2:region:account:instance/instance-id
    Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy

RevokeSecurityGroupEgress
  Resource: Security group
    ARNs: arn:aws:ec2:region:account:security-group/*
          arn:aws:ec2:region:account:security-group/security-group-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

RevokeSecurityGroupIngress
  Resource: Security group
    ARNs: arn:aws:ec2:region:account:security-group/*
          arn:aws:ec2:region:account:security-group/security-group-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

RunInstances
  Resource: Image
    ARNs: arn:aws:ec2:region::image/*
          arn:aws:ec2:region::image/image-id
    Condition keys: ec2:ImageType, ec2:Owner, ec2:Public, ec2:Region, ec2:RootDeviceType, ec2:ResourceTag/tag-key
  Resource: Instance
    ARNs: arn:aws:ec2:region:account:instance/*
    Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:RootDeviceType, ec2:Tenancy, aws:RequestTag/tag-key, aws:TagKeys
  Resource: Key pair
    ARNs: arn:aws:ec2:region:account:key-pair/*
          arn:aws:ec2:region:account:key-pair/key-pair-name
    Condition keys: ec2:Region
  Resource: Network interface
    ARNs: arn:aws:ec2:region:account:network-interface/*
          arn:aws:ec2:region:account:network-interface/eni-id
    Condition keys: ec2:AvailabilityZone, ec2:Region, ec2:Subnet, ec2:ResourceTag/tag-key, ec2:Vpc
  Resource: Placement group
    ARNs: arn:aws:ec2:region:account:placement-group/*
          arn:aws:ec2:region:account:placement-group/placement-group-name
    Condition keys: ec2:Region, ec2:PlacementGroupStrategy
  Resource: Security group
    ARNs: arn:aws:ec2:region:account:security-group/*
          arn:aws:ec2:region:account:security-group/security-group-id
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc
  Resource: Snapshot
    ARNs: arn:aws:ec2:region::snapshot/*
          arn:aws:ec2:region::snapshot/snapshot-id
    Condition keys: ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:SnapshotTime, ec2:ResourceTag/tag-key, ec2:VolumeSize
  Resource: Subnet
    ARNs: arn:aws:ec2:region:account:subnet/*
          arn:aws:ec2:region:account:subnet/subnet-id
    Condition keys: ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc
  Resource: Volume
    ARNs: arn:aws:ec2:region:account:volume/*
    Condition keys: ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType, aws:RequestTag/tag-key, aws:TagKeys

StartInstances
  Resource: Instance
    ARNs: arn:aws:ec2:region:account:instance/*
          arn:aws:ec2:region:account:instance/instance-id
    Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy

StopInstances
  Resource: Instance
    ARNs: arn:aws:ec2:region:account:instance/*
          arn:aws:ec2:region:account:instance/instance-id
    Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy

TerminateInstances
  Resource: Instance
    ARNs: arn:aws:ec2:region:account:instance/*
          arn:aws:ec2:region:account:instance/instance-id
    Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy

Resource-Level Permissions for RunInstances

The RunInstances API action launches one or more instances, and creates and uses a number of Amazon EC2 resources. The action requires an AMI and creates an instance, and the instance must be associated with a security group. Launching into a VPC requires a subnet and creates a network interface. Launching from an Amazon EBS-backed AMI creates a volume. The user must have permission to use each of these resources, so they must all be specified in the Resource element of any policy that uses resource-level permissions for the ec2:RunInstances action. If you don't intend to use resource-level permissions with the ec2:RunInstances action, you can specify the * wildcard in the Resource element of your statement instead of individual ARNs.

If you are using resource-level permissions, the following table describes the minimum resources required to use the ec2:RunInstances action.

Type of launch / Resources required / Condition keys

Launching into EC2-Classic using an instance store-backed AMI
  arn:aws:ec2:region:account:instance/*
    Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:RootDeviceType, ec2:Tenancy
  arn:aws:ec2:region::image/* (or a specific AMI ID)
    Condition keys: ec2:ImageType, ec2:Owner, ec2:Public, ec2:Region, ec2:RootDeviceType, ec2:ResourceTag/tag-key
  arn:aws:ec2:region:account:security-group/* (or a specific security group ID)
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

Launching into EC2-Classic using an Amazon EBS-backed AMI
  arn:aws:ec2:region:account:instance/*
    Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:RootDeviceType, ec2:Tenancy
  arn:aws:ec2:region::image/* (or a specific AMI ID)
    Condition keys: ec2:ImageType, ec2:Owner, ec2:Public, ec2:Region, ec2:RootDeviceType, ec2:ResourceTag/tag-key
  arn:aws:ec2:region:account:security-group/* (or a specific security group ID)
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc
  arn:aws:ec2:region:account:volume/*
    Condition keys: ec2:AvailabilityZone, ec2:ParentSnapshot, ec2:Region, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType

Launching into a VPC using an instance store-backed AMI
  arn:aws:ec2:region:account:instance/*
    Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:RootDeviceType, ec2:Tenancy
  arn:aws:ec2:region::image/* (or a specific AMI ID)
    Condition keys: ec2:ImageType, ec2:Owner, ec2:Public, ec2:Region, ec2:RootDeviceType, ec2:ResourceTag/tag-key
  arn:aws:ec2:region:account:security-group/* (or a specific security group ID)
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc
  arn:aws:ec2:region:account:network-interface/* (or a specific network interface ID)
    Condition keys: ec2:AvailabilityZone, ec2:Region, ec2:Subnet, ec2:ResourceTag/tag-key, ec2:Vpc
  arn:aws:ec2:region:account:subnet/* (or a specific subnet ID)
    Condition keys: ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

Launching into a VPC using an Amazon EBS-backed AMI
  arn:aws:ec2:region:account:instance/*
    Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:RootDeviceType, ec2:Tenancy
  arn:aws:ec2:region::image/* (or a specific AMI ID)
    Condition keys: ec2:ImageType, ec2:Owner, ec2:Public, ec2:Region, ec2:RootDeviceType, ec2:ResourceTag/tag-key
  arn:aws:ec2:region:account:security-group/* (or a specific security group ID)
    Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc
  arn:aws:ec2:region:account:network-interface/* (or a specific network interface ID)
    Condition keys: ec2:AvailabilityZone, ec2:Region, ec2:Subnet, ec2:ResourceTag/tag-key, ec2:Vpc
  arn:aws:ec2:region:account:volume/*
    Condition keys: ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType
  arn:aws:ec2:region:account:subnet/* (or a specific subnet ID)
    Condition keys: ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

We recommend that you also specify the key pair resource in your policy — even though it's not required to launch an instance, you cannot connect to your instance without a key pair. For examples of using resource-level permissions with the ec2:RunInstances action, see 5: Launching Instances (RunInstances).

For additional information about resource-level permissions in Amazon EC2, see the following AWS Security Blog post: Demystifying EC2 Resource-Level Permissions.
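The two tables above have a practical consequence that is easy to get wrong: each condition key is only defined for the resource types that list it, so a statement that puts ec2:InstanceType on a Resource list containing an image ARN never matches the image, and the launch is denied. The following lint is an added example (not AWS code or tooling); it encodes the RunInstances rows of the tables above and checks a policy for two mistakes: a required resource type missing from every Allow statement, and a condition key used on a resource type that does not support it. The account ID, region and resource IDs in the sample policies are constructed placeholders, and the launch-type names are assumptions of this example.

```python
"""Lint RunInstances policies against the resource-level permission tables (added example)."""
import re

# Condition keys each RunInstances resource type supports (from the table above).
# Keys ending in "/" are prefixes: aws:RequestTag/<tag>, ec2:ResourceTag/<tag>.
SUPPORTED_KEYS = {
    "image": {"ec2:ImageType", "ec2:Owner", "ec2:Public", "ec2:Region", "ec2:RootDeviceType", "ec2:ResourceTag/"},
    "instance": {"ec2:AvailabilityZone", "ec2:EbsOptimized", "ec2:InstanceProfile", "ec2:InstanceType",
                 "ec2:PlacementGroup", "ec2:Region", "ec2:RootDeviceType", "ec2:Tenancy",
                 "aws:RequestTag/", "aws:TagKeys"},
    "key-pair": {"ec2:Region"},
    "network-interface": {"ec2:AvailabilityZone", "ec2:Region", "ec2:Subnet", "ec2:ResourceTag/", "ec2:Vpc"},
    "placement-group": {"ec2:Region", "ec2:PlacementGroupStrategy"},
    "security-group": {"ec2:Region", "ec2:ResourceTag/", "ec2:Vpc"},
    "snapshot": {"ec2:Owner", "ec2:ParentVolume", "ec2:Region", "ec2:SnapshotTime", "ec2:ResourceTag/", "ec2:VolumeSize"},
    "subnet": {"ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/", "ec2:Vpc"},
    "volume": {"ec2:AvailabilityZone", "ec2:Encrypted", "ec2:ParentSnapshot", "ec2:Region", "ec2:VolumeIops",
               "ec2:VolumeSize", "ec2:VolumeType", "aws:RequestTag/", "aws:TagKeys"},
}

# Minimum resource types per launch type (second table above); names are this example's own.
REQUIRED = {
    "classic-instance-store": {"instance", "image", "security-group"},
    "classic-ebs": {"instance", "image", "security-group", "volume"},
    "vpc-instance-store": {"instance", "image", "security-group", "network-interface", "subnet"},
    "vpc-ebs": {"instance", "image", "security-group", "network-interface", "subnet", "volume"},
}

# arn:aws:ec2:<region>:<account>:<type>/<id>; account is empty for images and snapshots.
ARN_RE = re.compile(r"^arn:aws:ec2:[^:]*:[^:]*:([a-z-]+)/")


def resource_types(resource):
    """Map a statement's Resource element to the EC2 resource types it covers."""
    arns = [resource] if isinstance(resource, str) else list(resource)
    types = set()
    for arn in arns:
        if arn == "*":
            return set(SUPPORTED_KEYS)
        m = ARN_RE.match(arn)
        if m and m.group(1) in SUPPORTED_KEYS:
            types.add(m.group(1))  # ARNs for types RunInstances does not use are ignored
    return types


def supports(rtype, key):
    """Condition keys are case-insensitive; tag keys are compared by prefix."""
    for supported in SUPPORTED_KEYS[rtype]:
        if supported.endswith("/") and key.lower().startswith(supported.lower()):
            return True
        if key.lower() == supported.lower():
            return True
    return False


def lint_run_instances_policy(policy, launch_type):
    """Return a list of findings (empty when the policy is consistent with the tables)."""
    findings, covered = [], set()
    for i, st in enumerate(policy["Statement"]):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or not any(a in ("ec2:RunInstances", "ec2:*", "*") for a in actions):
            continue
        types = resource_types(st.get("Resource", []))
        covered |= types
        keys = {k for block in st.get("Condition", {}).values() for k in block}
        for key in sorted(keys):
            unsupported = sorted(t for t in types if not supports(t, key))
            if unsupported:
                findings.append(f"statement {i}: condition key {key} not supported by {', '.join(unsupported)}")
    for missing in sorted(REQUIRED[launch_type] - covered):
        findings.append(f"missing Allow for required resource type: {missing}")
    return findings


# Constructed sample: a VPC launch from an EBS-backed AMI with one statement per condition scope.
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:RunInstances",  # instance-level limits only on the instance ARN
     "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
     "Condition": {"StringEquals": {"ec2:InstanceType": ["t2.micro", "t2.small"], "ec2:Region": "us-east-1"}}},
    {"Effect": "Allow", "Action": "ec2:RunInstances",  # image-level limit only on the image ARN
     "Resource": "arn:aws:ec2:us-east-1::image/ami-*",
     "Condition": {"StringEquals": {"ec2:Owner": "amazon"}}},
    {"Effect": "Allow", "Action": "ec2:RunInstances",  # remaining required resources, no conditions
     "Resource": ["arn:aws:ec2:us-east-1:123456789012:security-group/sg-0123456789abcdef0",
                  "arn:aws:ec2:us-east-1:123456789012:network-interface/*",
                  "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-0123456789abcdef0",
                  "arn:aws:ec2:us-east-1:123456789012:volume/*",
                  "arn:aws:ec2:us-east-1:123456789012:key-pair/*"]}]}

# Constructed sample with both mistakes: ec2:InstanceType on the image ARN, and no subnet.
BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": ["arn:aws:ec2:us-east-1:123456789012:instance/*", "arn:aws:ec2:us-east-1::image/*"],
     "Condition": {"StringEquals": {"ec2:InstanceType": "t2.micro"}}},
    {"Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": ["arn:aws:ec2:us-east-1:123456789012:security-group/*",
                  "arn:aws:ec2:us-east-1:123456789012:network-interface/*",
                  "arn:aws:ec2:us-east-1:123456789012:volume/*"]}]}

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, lint_run_instances_policy(policy, "vpc-ebs") or "no findings")
```

The lint treats a Resource of * as covering every type, so a condition such as ec2:InstanceType on a * statement is reported as unsupported by the image, security group and other resources, which is exactly why the text above splits instance-level restrictions into their own statement.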

Resource-Level Permissions for Tagging

Some resource-creating Amazon EC2 API actions enable you to specify tags when you create the resource. For more information, see Tagging Your Resources.

To enable users to tag resources on creation, they must have permission to use the action that creates the resource (for example, ec2:RunInstances or ec2:CreateVolume). If tags are specified in the resource-creating action, Amazon performs additional authorization on the ec2:CreateTags action to verify if users have permission to create tags. Therefore, users must also have explicit permission to use the ec2:CreateTags action.

For the ec2:CreateTags action, you can use the ec2:CreateAction condition key to restrict tagging permissions to the resource-creating actions only. For example, the following policy allows users to launch instances and apply any tags to instances and volumes during launch. Users are not permitted to tag any existing resources (they cannot call the ec2:CreateTags action directly).

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": "arn:aws:ec2:region:account:*/*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "RunInstances"
        }
      }
    }
  ]
}

Similarly, the following policy allows users to create volumes and apply any tags to the volumes during volume creation. Users are not permitted to tag any existing resources (they cannot call the ec2:CreateTags action directly).

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVolume"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": "arn:aws:ec2:region:account:*/*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "CreateVolume"
        }
      }
    }
  ]
}

The ec2:CreateTags action is only evaluated if tags are applied during the resource-creating action. Therefore, a user that has permission to create a resource (assuming there are no tagging conditions) does not require permission to use the ec2:CreateTags action if no tags are specified in the request. However, if the user attempts to create a resource with tags, the request fails if the user does not have permission to use the ec2:CreateTags action.

You can control the tag keys and values that are applied to resources by using the following condition keys:

  • aws:RequestTag: To indicate that a particular tag key, or tag key and value, must be present in a request. Other tags can also be specified in the request.

    • Use with the StringEquals condition operator to enforce a specific tag key and value combination; for example, to enforce the tag cost-center=cc123:

      "StringEquals": { "aws:RequestTag/cost-center": "cc123" }
    • Use with the StringLike condition operator to enforce a specific tag key in the request; for example, to enforce the tag key purpose:

      "StringLike": { "aws:RequestTag/purpose": "*" }
  • aws:TagKeys: To enforce the tag keys that are used in the request.

    • Use with the ForAllValues modifier to enforce specific tag keys if they are provided in the request (if tags are specified in the request, only the listed tag keys are allowed; no other tags are allowed). For example, only the tag keys environment or cost-center are allowed:

      "ForAllValues:StringEquals": { "aws:TagKeys": ["environment","cost-center"] }
    • Use with the ForAnyValue modifier to enforce the presence of at least one of the specified tag keys in the request. For example, at least one of the tag keys environment or webserver must be present in the request:

      "ForAnyValue:StringEquals": { "aws:TagKeys": ["environment","webserver"] }

These condition keys can be applied to resource-creating actions that support tagging, as well as the ec2:CreateTags and ec2:DeleteTags actions.

To force users to specify tags when they create a resource, you must use the aws:RequestTag condition key or the aws:TagKeys condition key with the ForAnyValue modifier on the resource-creating action. The ec2:CreateTags action is not evaluated if a user does not specify tags for the resource-creating action.

For conditions, the condition key is not case-sensitive and the condition value is case-sensitive. Therefore, to enforce the case-sensitivity of a tag key, use the aws:TagKeys condition key, where the tag key is specified as a value in the condition.
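The four tag-condition patterns above, the ForAllValues/ForAnyValue distinction, and the case rule in the preceding paragraph are easier to reason about when run against concrete requests. The evaluator below is an added example (not the IAM policy engine and not AWS code); it models only what the text states: StringEquals and StringLike on aws:RequestTag/<key>, ForAllValues and ForAnyValue on aws:TagKeys, condition keys matched case-insensitively while condition values are compared case-sensitively, and a request with no tags passing a ForAllValues check. The tag sets it is run against are constructed.

```python
"""Evaluate aws:RequestTag / aws:TagKeys conditions against a request's tags (added example)."""
import fnmatch


def _match(operator, actual, expected):
    """StringEquals compares exactly; StringLike allows * and ? wildcards. Values are case-sensitive."""
    expected = [expected] if isinstance(expected, str) else list(expected)
    if operator == "StringEquals":
        return any(actual == e for e in expected)
    if operator == "StringLike":
        return any(fnmatch.fnmatchcase(actual, e) for e in expected)
    raise ValueError(f"unsupported operator {operator}")


def evaluate_condition(condition, request_tags):
    """Return True if every operator block in `condition` matches `request_tags` (a dict of key -> value)."""
    for op_spec, block in condition.items():
        modifier, _, operator = op_spec.rpartition(":")  # "ForAnyValue:StringEquals" -> modifier, operator
        for cond_key, expected in block.items():
            key = cond_key.lower()  # condition keys are not case-sensitive
            if key == "aws:tagkeys":
                # multi-valued: one value per tag key in the request, compared case-sensitively
                matches = [_match(operator, k, expected) for k in request_tags]
                if modifier == "ForAllValues":
                    ok = all(matches)  # vacuously true when the request carries no tags
                elif modifier == "ForAnyValue":
                    ok = any(matches)
                else:
                    raise ValueError("aws:TagKeys is multi-valued; use ForAllValues or ForAnyValue")
            elif key.startswith("aws:requesttag/"):
                # the tag key is part of the condition key (case-insensitive); its value is a condition value
                tag_key = cond_key[len("aws:RequestTag/"):].lower()
                actual = next((v for k, v in request_tags.items() if k.lower() == tag_key), None)
                ok = actual is not None and _match(operator, actual, expected)
            else:
                raise ValueError(f"unsupported condition key {cond_key}")
            if not ok:
                return False
    return True


# The four condition fragments from the text, as they appear inside a policy's Condition element.
REQUIRE_COST_CENTER = {"StringEquals": {"aws:RequestTag/cost-center": "cc123"}}
REQUIRE_PURPOSE_KEY = {"StringLike": {"aws:RequestTag/purpose": "*"}}
ONLY_KNOWN_KEYS = {"ForAllValues:StringEquals": {"aws:TagKeys": ["environment", "cost-center"]}}
AT_LEAST_ONE = {"ForAnyValue:StringEquals": {"aws:TagKeys": ["environment", "webserver"]}}

# Constructed request tag sets.
TAGS_OK = {"cost-center": "cc123", "environment": "prod"}
TAGS_EXTRA = {"environment": "prod", "owner": "team-a"}
TAGS_WRONG_CASE = {"Cost-Center": "CC123", "Environment": "prod"}
NO_TAGS = {}

if __name__ == "__main__":
    for name, cond in (("cost-center", REQUIRE_COST_CENTER), ("purpose", REQUIRE_PURPOSE_KEY),
                       ("only-known", ONLY_KNOWN_KEYS), ("at-least-one", AT_LEAST_ONE)):
        for tags_name, tags in (("ok", TAGS_OK), ("extra", TAGS_EXTRA), ("case", TAGS_WRONG_CASE), ("none", NO_TAGS)):
            print(f"{name:13s} {tags_name:6s} -> {evaluate_condition(cond, tags)}")
```

Running it shows the two traps the text warns about: ONLY_KNOWN_KEYS passes a request with no tags at all (so it cannot force tagging on its own), and REQUIRE_COST_CENTER accepts the key Cost-Center but rejects the value CC123, whereas the aws:TagKeys conditions reject Cost-Center and Environment outright because there the tag key is a condition value.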

For more information about multi-value conditions, see Creating a Condition That Tests Multiple Key Values in the IAM User Guide. For example IAM policies, see Example Policies for Working With the AWS CLI or an AWS SDK.