AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for Amazon EC2

Amazon EC2 (service prefix: ec2) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by Amazon EC2

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource column indicates whether each action supports resource-level permissions. If there is no value in this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, you can specify an ARN of that type in a statement with that action. Required resources are marked in the table with an asterisk (*); if you specify a resource-level permission ARN in a statement using this action, it must be of that type. Some actions support multiple resource types. If a resource type is optional (not marked as required), you can choose to include it or leave it out.

For details about the columns in the following table, see The Actions Table.

Action | Description | Access level
(Indented lines under an action list its resource types, with required types marked *, each followed by the condition keys that apply to that resource type. "Condition keys:" lists condition keys that apply to the action as a whole; "Dependent actions:" lists additional actions that must also be allowed.)

AcceptReservedInstancesExchangeQuote | Accepts the Convertible Reserved Instance exchange quote described in the GetReservedInstancesExchangeQuote call. | Write
AcceptTransitGatewayVpcAttachment | Accepts a request to attach a VPC to a transit gateway. | Write
    transit-gateway-attachment*: ec2:Region, ec2:ResourceTag/${TagKey}
AcceptVpcEndpointConnections | Accepts one or more interface VPC endpoint connection requests to your VPC endpoint service. | Write
AcceptVpcPeeringConnection | Accepts a VPC peering connection request. | Write
    vpc*: ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy
    vpc-peering-connection*: ec2:AccepterVpc, ec2:Region, ec2:RequesterVpc, ec2:ResourceTag/${TagKey}
AdvertiseByoipCidr | Advertises an IPv4 address range that is provisioned for use with your AWS resources through bring your own IP addresses (BYOIP). | Write
AllocateAddress | Acquires an Elastic IP address. | Write
AllocateHosts | Allocates a Dedicated Host to your account. | Write
ApplySecurityGroupsToClientVpnTargetNetwork | Applies a security group to the association between the target network and the Client VPN endpoint. | Write
    client-vpn-endpoint*: ec2:Region, ec2:ResourceTag/${TagKey}
    security-group*: ec2:Region, ec2:ResourceTag/${TagKey}
    vpc*: ec2:Region, ec2:ResourceTag/${TagKey}
AssignIpv6Addresses | Assigns one or more IPv6 addresses to the specified network interface. | Write
AssignPrivateIpAddresses | Assigns one or more secondary private IP addresses to the specified network interface. | Write
AssociateAddress | Associates an Elastic IP address with an instance or a network interface. | Write
AssociateClientVpnTargetNetwork | Associates a target network with a Client VPN endpoint. | Write
    client-vpn-endpoint*: ec2:Region, ec2:ResourceTag/${TagKey}
    subnet*: ec2:Region, ec2:ResourceTag/${TagKey}
AssociateDhcpOptions | Associates a set of DHCP options (that you've previously created) with the specified VPC, or associates no DHCP options with the VPC. | Write
AssociateIamInstanceProfile | Associates an IAM instance profile with a running or stopped instance. | Write
    instance*: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy
    Dependent actions: iam:PassRole
AssociateRouteTable | Associates a subnet with a route table. | Write
AssociateSubnetCidrBlock | Associates a CIDR block with your subnet. | Write
AssociateTransitGatewayRouteTable | Associates the specified attachment with the specified transit gateway route table. | Write
    transit-gateway-attachment*: ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-route-table*: ec2:Region, ec2:ResourceTag/${TagKey}
AssociateVpcCidrBlock | Associates a CIDR block with your VPC. | Write
AttachClassicLinkVpc | Links an EC2-Classic instance to a ClassicLink-enabled VPC through one or more of the VPC's security groups. | Write
    instance*: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy
    security-group*: ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    vpc*: ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy
AttachInternetGateway | Attaches an Internet gateway to a VPC, enabling connectivity between the Internet and the VPC. | Write
AttachNetworkInterface | Attaches a network interface to an instance. | Write
AttachVolume | Attaches an EBS volume to a running or stopped instance and exposes it to the instance with the specified device name. | Write
    instance*: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy
    volume*: ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType
AttachVpnGateway | Attaches a virtual private gateway to a VPC. | Write
AuthorizeClientVpnIngress | Adds an ingress authorization rule to a Client VPN endpoint. | Write
    client-vpn-endpoint*: ec2:Region, ec2:ResourceTag/${TagKey}
AuthorizeSecurityGroupEgress | [EC2-VPC only] Adds one or more egress rules to a security group for use with a VPC. | Write
    security-group*: ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
AuthorizeSecurityGroupIngress | Adds one or more ingress rules to a security group. | Write
    security-group*: ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
BundleInstance | Bundles an Amazon instance store-backed Windows instance. | Write
CancelBundleTask | Cancels a bundling operation for an instance store-backed Windows instance. | Write
CancelCapacityReservation | Cancels the specified Capacity Reservation, releases the reserved capacity, and changes the Capacity Reservation's state to cancelled. | Write
    capacity-reservation*: ec2:Region, ec2:ResourceTag/${TagKey}
CancelConversionTask | Cancels an active conversion task. | Write
CancelExportTask | Cancels an active export task. | Write
CancelImportTask | Cancels an in-process import virtual machine or import snapshot task. | Write
CancelReservedInstancesListing | Cancels the specified Reserved Instance listing in the Reserved Instance Marketplace. | Write
CancelSpotFleetRequests | Cancels the specified Spot fleet requests. | Write
CancelSpotInstanceRequests | Cancels one or more Spot instance requests. | Write
ConfirmProductInstance | Determines whether a product code is associated with an instance. | Write
CopyFpgaImage | Initiates the copy of an Amazon FPGA Image (AFI) from the specified source region to the current region. | Write
CopyImage | Initiates the copy of an AMI from the specified source region to the current region. | Write
CopySnapshot | Copies a point-in-time snapshot of an EBS volume and stores it in Amazon S3. | Write
CreateCapacityReservation | Creates a new Capacity Reservation with the specified attributes. | Write
CreateClientVpnEndpoint | Creates a Client VPN endpoint. | Write
    client-vpn-endpoint*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region
CreateClientVpnRoute | Adds a route to a network to a Client VPN endpoint. | Write
    client-vpn-endpoint*: ec2:Region, ec2:ResourceTag/${TagKey}
    subnet*: ec2:Region, ec2:ResourceTag/${TagKey}
CreateCustomerGateway | Provides information to AWS about your VPN customer gateway device. | Write
CreateDefaultSubnet | Creates a default subnet with a size /20 IPv4 CIDR block in the specified Availability Zone in your default VPC. | Write
CreateDefaultVpc | Creates a default VPC with a size /16 IPv4 CIDR block and a default subnet in each Availability Zone. | Write
CreateDhcpOptions | Creates a set of DHCP options for your VPC. | Write
CreateEgressOnlyInternetGateway | Creates an egress-only Internet gateway for your VPC. | Write
CreateFleet | Launches an EC2 Fleet. | Write
CreateFlowLogs | Creates one or more flow logs to capture IP traffic for a specific network interface, subnet, or VPC. | Write
CreateFpgaImage | Creates an Amazon FPGA Image (AFI) from the specified design checkpoint (DCP). | Write
CreateImage | Creates an Amazon EBS-backed AMI from an Amazon EBS-backed instance that is either running or stopped. | Write
CreateInstanceExportTask | Exports a running or stopped instance to an S3 bucket. | Write
CreateInternetGateway | Creates an Internet gateway for use with a VPC. | Write
CreateKeyPair | Creates a 2048-bit RSA key pair with the specified name. | Write
CreateLaunchTemplate | Creates a new launch template. | Write
CreateLaunchTemplateVersion | Creates a new version for the specified launch template. | Write
    launch-template*: ec2:Region, ec2:ResourceTag/${TagKey}
CreateNatGateway | Creates a NAT gateway in the specified subnet. | Write
CreateNetworkAcl | Creates a network ACL in a VPC. | Write
CreateNetworkAclEntry | Creates an entry (a rule) in a network ACL with the specified rule number. | Write
CreateNetworkInterface | Creates a network interface in the specified subnet. | Write
CreateNetworkInterfacePermission | Creates a permission for a network interface that grants certain operations to another authorized user. | Permissions management
    network-interface*: ec2:AuthorizedUser, ec2:AvailabilityZone, ec2:Permission, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc
    Condition keys: ec2:AuthorizedService
CreatePlacementGroup | Creates a placement group that you launch cluster instances into. | Write
CreateReservedInstancesListing | Creates a listing for Amazon EC2 Standard Reserved Instances to be sold in the Reserved Instance Marketplace. | Write
CreateRoute | Creates a route in a route table within a VPC. | Write
    route-table*: ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
CreateRouteTable | Creates a route table for the specified VPC. | Write
CreateSecurityGroup | Creates a security group. | Write
CreateSnapshot | Creates a snapshot of an EBS volume and stores it in Amazon S3. | Write
    snapshot*: aws:TagKeys, aws:RequestTag/${TagKey}, ec2:ParentVolume, ec2:Region
    volume*: ec2:Encrypted, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType
CreateSnapshots | Creates snapshots of the EBS volumes attached to an EC2 instance and stores them in Amazon S3. | Write
    instance*: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy
    snapshot*: aws:TagKeys, aws:RequestTag/${TagKey}, ec2:ParentVolume, ec2:Region
    volume*: ec2:Encrypted, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType
CreateSpotDatafeedSubscription | Creates a data feed for Spot instances, enabling you to view Spot instance usage logs. You can create one data feed per AWS account. | Write
CreateSubnet | Creates a subnet in an existing VPC. | Write
CreateTags | Adds or overwrites one or more tags for the specified Amazon EC2 resource or resources. | Tagging
    capacity-reservation: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    client-vpn-endpoint: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    dhcp-options: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    fpga-image: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Owner, ec2:Public, ec2:Region, ec2:ResourceTag/${TagKey}
    image: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:ImageType, ec2:Owner, ec2:Public, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType
    instance: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy
    internet-gateway: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    network-acl: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    network-interface: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc
    reserved-instances: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:AvailabilityZone, ec2:InstanceType, ec2:Region, ec2:ReservedInstancesOfferingType, ec2:ResourceTag/${TagKey}, ec2:Tenancy
    route-table: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    security-group: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    snapshot: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:SnapshotTime, ec2:VolumeSize
    spot-instance-request: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    subnet: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    traffic-mirror-filter: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    traffic-mirror-session: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    traffic-mirror-target: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-attachment: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-route-table: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    volume: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType
    vpc: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy
    vpn-connection: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    vpn-gateway: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    Condition keys: ec2:CreateAction
CreateTrafficMirrorFilter | Creates a Traffic Mirror filter. | Write
    traffic-mirror-filter*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region
CreateTrafficMirrorFilterRule | Creates a Traffic Mirror filter rule. | Write
    traffic-mirror-filter*: ec2:Region, ec2:ResourceTag/${TagKey}
    traffic-mirror-filter-rule*: ec2:Region
CreateTrafficMirrorSession | Creates a Traffic Mirror session. | Write
    network-interface*: ec2:Region, ec2:ResourceTag/${TagKey}
    traffic-mirror-filter*: ec2:Region, ec2:ResourceTag/${TagKey}
    traffic-mirror-session*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region
    traffic-mirror-target*: ec2:Region, ec2:ResourceTag/${TagKey}
CreateTrafficMirrorTarget | Creates a Traffic Mirror target. | Write
    traffic-mirror-target*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region
    network-interface: ec2:Region, ec2:ResourceTag/${TagKey}
CreateTransitGateway | Creates a transit gateway. | Write
    transit-gateway*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region
CreateTransitGatewayRoute | Creates a static route for the specified transit gateway route table. | Write
    transit-gateway-route-table*: ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-attachment: ec2:Region, ec2:ResourceTag/${TagKey}
CreateTransitGatewayRouteTable | Creates a route table for the specified transit gateway. | Write
    transit-gateway*: ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-route-table*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region
CreateTransitGatewayVpcAttachment | Attaches the specified VPC to the specified transit gateway. | Write
    transit-gateway*: ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-attachment*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region
    vpc*: ec2:Region, ec2:ResourceTag/${TagKey}
    subnet: ec2:Region, ec2:ResourceTag/${TagKey}
CreateVolume | Creates an EBS volume that can be attached to an instance in the same Availability Zone. | Write
    volume*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType
CreateVpc | Creates a VPC with the specified CIDR block. | Write
CreateVpcEndpoint | Creates a VPC endpoint for a specified AWS service. | Write
    Dependent actions: route53:AssociateVPCWithHostedZone
CreateVpcEndpointConnectionNotification | Creates a connection notification for a specified VPC endpoint or VPC endpoint service. | Write
CreateVpcEndpointServiceConfiguration | Creates a VPC endpoint service configuration to which service consumers (AWS accounts, IAM users, and IAM roles) can connect. | Write
CreateVpcPeeringConnection | Requests a VPC peering connection between two VPCs: a requester VPC that you own and a peer VPC with which to create the connection. | Write
    vpc*: ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy
    vpc-peering-connection*: ec2:AccepterVpc, ec2:Region, ec2:RequesterVpc
CreateVpnConnection | Creates a VPN connection between an existing virtual private gateway and a VPN customer gateway. | Write
CreateVpnConnectionRoute | Creates a static route associated with a VPN connection between an existing virtual private gateway and a VPN customer gateway. | Write
CreateVpnGateway | Creates a virtual private gateway. | Write
DeleteClientVpnEndpoint | Deletes the specified Client VPN endpoint. | Write
    client-vpn-endpoint*: ec2:Region, ec2:ResourceTag/${TagKey}
DeleteClientVpnRoute | Deletes a route from a Client VPN endpoint. | Write
    client-vpn-endpoint*: ec2:Region, ec2:ResourceTag/${TagKey}
    subnet: ec2:Region, ec2:ResourceTag/${TagKey}
DeleteCustomerGateway | Deletes the specified customer gateway. | Write
    customer-gateway*: ec2:Region, ec2:ResourceTag/${TagKey}
DeleteDhcpOptions | Deletes the specified set of DHCP options. | Write
    dhcp-options*: ec2:Region, ec2:ResourceTag/${TagKey}
DeleteEgressOnlyInternetGateway | Deletes the specified egress-only Internet gateway. | Write
DeleteFleets | Deletes the specified EC2 Fleet. | Write
DeleteFlowLogs | Deletes one or more flow logs. | Write
DeleteFpgaImage | Deletes the specified Amazon FPGA Image (AFI). | Write
DeleteInternetGateway | Deletes the specified Internet gateway. | Write
    internet-gateway*: ec2:Region, ec2:ResourceTag/${TagKey}
DeleteKeyPair | Deletes the specified key pair, by removing the public key from Amazon EC2. | Write
DeleteLaunchTemplate | Deletes the specified launch template and all associated versions. | Write
    launch-template*: ec2:Region, ec2:ResourceTag/${TagKey}
DeleteLaunchTemplateVersions | Deletes the specified versions for the specified launch template. | Write
    launch-template*: ec2:Region, ec2:ResourceTag/${TagKey}
DeleteNatGateway | Deletes the specified NAT gateway. | Write
DeleteNetworkAcl | Deletes the specified network ACL. | Write
    network-acl*: ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
DeleteNetworkAclEntry | Deletes the specified ingress or egress entry (rule) from the specified network ACL. | Write
    network-acl*: ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
DeleteNetworkInterface | Deletes the specified network interface. You must detach the network interface before you can delete it. | Write
DeleteNetworkInterfacePermission | Deletes a permission associated with a network interface. | Permissions management
DeletePlacementGroup | Deletes the specified placement group. | Write
DeleteRoute | Deletes the specified route from the specified route table. | Write
    route-table*: ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
DeleteRouteTable | Deletes the specified route table. | Write
    route-table*: ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
DeleteSecurityGroup | Deletes a security group. | Write
    security-group*: ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
DeleteSnapshot | Deletes the specified snapshot. | Write
    snapshot*: ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:SnapshotTime, ec2:VolumeSize
DeleteSpotDatafeedSubscription | Deletes the data feed for Spot instances. | Write
DeleteSubnet | Deletes the specified subnet. | Write
DeleteTags | Deletes the specified set of tags from the specified set of resources. | Tagging
    capacity-reservation: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    client-vpn-endpoint: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    dhcp-options: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    fpga-image: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    image: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    instance: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    internet-gateway: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    network-acl: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    network-interface: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    reserved-instances: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    route-table: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    security-group: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    snapshot: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    spot-instance-request: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    subnet: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-attachment: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-route-table: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    volume: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    vpc: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    vpn-connection: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    vpn-gateway: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
DeleteTrafficMirrorFilter | Deletes the specified Traffic Mirror filter. | Write
    traffic-mirror-filter*: ec2:Region, ec2:ResourceTag/${TagKey}
DeleteTrafficMirrorFilterRule | Deletes the specified Traffic Mirror rule. | Write
    traffic-mirror-filter*: ec2:Region, ec2:ResourceTag/${TagKey}
    traffic-mirror-filter-rule*: ec2:Region
DeleteTrafficMirrorSession | Deletes the specified Traffic Mirror session. | Write
    traffic-mirror-session*: ec2:Region, ec2:ResourceTag/${TagKey}
DeleteTrafficMirrorTarget | Deletes the specified Traffic Mirror target. | Write
    traffic-mirror-target*: ec2:Region, ec2:ResourceTag/${TagKey}
DeleteTransitGateway | Deletes the specified transit gateway. | Write
    transit-gateway*: ec2:Region, ec2:ResourceTag/${TagKey}
DeleteTransitGatewayRoute | Deletes the specified route from the specified transit gateway route table. | Write
    transit-gateway-route-table*: ec2:Region, ec2:ResourceTag/${TagKey}
DeleteTransitGatewayRouteTable | Deletes the specified transit gateway route table. | Write
    transit-gateway-route-table*: ec2:Region, ec2:ResourceTag/${TagKey}
DeleteTransitGatewayVpcAttachment | Deletes the specified VPC attachment. | Write
    transit-gateway-attachment*: ec2:Region, ec2:ResourceTag/${TagKey}
DeleteVolume | Deletes the specified EBS volume. | Write
    volume*: ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType
DeleteVpc | Deletes the specified VPC. You must detach or delete all gateways and resources that are associated with the VPC before you can delete it. | Write
DeleteVpcEndpointConnectionNotifications | Deletes one or more VPC endpoint connection notifications. | Write
DeleteVpcEndpointServiceConfigurations | Deletes one or more VPC endpoint service configurations in your account. | Write
DeleteVpcEndpoints | Deletes one or more specified VPC endpoints. | Write
DeleteVpcPeeringConnection | Deletes a VPC peering connection. | Write
    vpc-peering-connection*: ec2:AccepterVpc, ec2:Region, ec2:RequesterVpc, ec2:ResourceTag/${TagKey}
DeleteVpnConnection | Deletes the specified VPN connection. | Write
DeleteVpnConnectionRoute | Deletes the specified static route associated with a VPN connection between an existing virtual private gateway and a VPN customer gateway. | Write
DeleteVpnGateway | Deletes the specified virtual private gateway. | Write
DeprovisionByoipCidr | Releases the specified address range that you provisioned for use with your AWS resources through bring your own IP addresses (BYOIP) and deletes the corresponding address pool. | Write
DeregisterImage | Deregisters the specified AMI. | Write
DescribeAccountAttributes | Describes attributes of your AWS account. | List
DescribeAddresses | Describes one or more of your Elastic IP addresses. | List
DescribeAggregateIdFormat | Describes the longer ID format settings for all resource types in a specific region. | List
DescribeAvailabilityZones | Describes one or more of the Availability Zones that are available to you. | List
DescribeBundleTasks | Describes one or more of your bundling tasks. | List
DescribeByoipCidrs | Describes the IP address ranges that were specified in calls to ProvisionByoipCidr. | List
DescribeCapacityReservations | Describes one or more of your Capacity Reservations. | List
DescribeClassicLinkInstances | Describes one or more of your linked EC2-Classic instances. | List
DescribeClientVpnAuthorizationRules | Describes the authorization rules for a specified Client VPN endpoint. | List
DescribeClientVpnConnections | Describes active client connections and connections that have been terminated within the last 60 minutes for the specified Client VPN endpoint. | List
DescribeClientVpnEndpoints | Describes one or more Client VPN endpoints in the account. | List
DescribeClientVpnRoutes | Describes the routes for the specified Client VPN endpoint. | List
DescribeClientVpnTargetNetworks | Describes the target networks associated with the specified Client VPN endpoint. | List
DescribeConversionTasks | Describes one or more of your conversion tasks. | List
DescribeCustomerGateways | Describes one or more of your VPN customer gateways. | List
DescribeDhcpOptions | Describes one or more of your DHCP options sets. | List
DescribeEgressOnlyInternetGateways | Describes one or more of your egress-only Internet gateways. | List
DescribeElasticGpus | Describes the Elastic GPUs associated with your instances. | Read
DescribeExportTasks | Describes one or more of your export tasks. | List
DescribeFleetHistory | Describes the events for the specified EC2 Fleet during the specified time. | List
DescribeFleetInstances | Describes the running instances for the specified EC2 Fleet. | List
DescribeFleets | Describes one or more of your EC2 Fleets. | List
DescribeFlowLogs | Describes one or more flow logs. | List
DescribeFpgaImageAttribute | Describes the specified attribute of the specified Amazon FPGA Image (AFI). | List
DescribeFpgaImages | Describes one or more of the Amazon FPGA Images (AFIs) available to you. | List
DescribeHostReservationOfferings | Describes the Dedicated Host Reservations that are available to purchase. | List
DescribeHostReservations | Describes Dedicated Host Reservations which are associated with Dedicated Hosts in your account. | List
DescribeHosts | Describes one or more of your Dedicated Hosts. | List
DescribeIamInstanceProfileAssociations | Describes your IAM instance profile associations. | List
DescribeIdFormat | Describes the ID format settings for your resources on a per-region basis, for example, to view which resource types are enabled for longer IDs. | List
DescribeIdentityIdFormat | Describes the ID format settings for resources for the specified IAM user, IAM role, or root user. | List
DescribeImageAttribute | Describes the specified attribute of the specified AMI. | List
DescribeImages | Describes one or more of the images (AMIs, AKIs, and ARIs) available to you. | List
DescribeImportImageTasks | Displays details about import virtual machine or import snapshot tasks that are already created. | List
DescribeImportSnapshotTasks | Describes your import snapshot tasks. | List
DescribeInstanceAttribute | Describes the specified attribute of the specified instance. | List
DescribeInstanceCreditSpecifications | Describes the credit option for CPU usage of one or more of your instances. | List
DescribeInstanceStatus | Describes the status of one or more instances. | List
DescribeInstances | Describes one or more of your instances. | List
DescribeInternetGateways | Describes one or more of your Internet gateways. | List
DescribeKeyPairs | Describes one or more of your key pairs. | List
DescribeLaunchTemplateVersions | Describes one or more of your launch template versions. | List
DescribeLaunchTemplates | Describes one or more of your launch templates. | List
DescribeMovingAddresses | Describes your Elastic IP addresses that are being moved to the EC2-VPC platform, or that are being restored to the EC2-Classic platform. | List
DescribeNatGateways | Describes one or more of your NAT gateways. | List
DescribeNetworkAcls | Describes one or more of your network ACLs. | List
DescribeNetworkInterfaceAttribute | Describes a network interface attribute. You can specify only one attribute at a time. | List
DescribeNetworkInterfacePermissions | Describes the permissions associated with a network interface. | List
DescribeNetworkInterfaces | Describes one or more of your network interfaces. | List
DescribePlacementGroups | Describes one or more of your placement groups. | List
DescribePrefixLists | Describes available AWS services in a prefix list format, which includes the prefix list name and prefix list ID of the service and the IP address range for the service. | List
DescribePrincipalIdFormat | Describes the ID format settings for the root user and all IAM roles and IAM users that have explicitly specified a longer ID (17-character ID) preference. | List
DescribePublicIpv4Pools | Describes the specified IPv4 address pools. | List
DescribeRegions | Describes one or more regions that are currently available to you. | List
DescribeReservedInstances | Describes one or more of the Reserved Instances that you purchased. | List
DescribeReservedInstancesListings | Describes your account's Reserved Instance listings in the Reserved Instance Marketplace. | List
DescribeReservedInstancesModifications | Describes the modifications made to your Reserved Instances. | List
DescribeReservedInstancesOfferings | Describes Reserved Instance offerings that are available for purchase. | List
DescribeRouteTables | Describes one or more of your route tables. | List
DescribeScheduledInstanceAvailability | Finds available schedules that meet the specified criteria. | Read
DescribeScheduledInstances | Describes one or more of your Scheduled Instances. | Read
DescribeSecurityGroupReferences | [EC2-VPC only] Describes the VPCs on the other side of a VPC peering connection that are referencing the security groups you've specified in this request. | List
DescribeSecurityGroups | Describes one or more of your security groups. | List
DescribeSnapshotAttribute | Describes the specified attribute of the specified snapshot. | List
DescribeSnapshots | Describes one or more of the EBS snapshots available to you. | List
DescribeSpotDatafeedSubscription | Describes the data feed for Spot instances. | List
DescribeSpotFleetInstances | Describes the running instances for the specified Spot fleet. | List
DescribeSpotFleetRequestHistory | Describes the events for the specified Spot fleet request during the specified time. | List
DescribeSpotFleetRequests | Describes your Spot fleet requests. | List
DescribeSpotInstanceRequests | Describes the Spot instance requests that belong to your account. | List
DescribeSpotPriceHistory | Describes the Spot price history. | List
DescribeStaleSecurityGroups | [EC2-VPC only] Describes the stale security group rules for security groups in a specified VPC. | List
DescribeSubnets | Describes one or more of your subnets. | List
DescribeTags | Describes one or more of the tags for your EC2 resources. | Read
DescribeTrafficMirrorFilters | Describes one or more Traffic Mirror filters. | List
DescribeTrafficMirrorSessions | Describes one or more Traffic Mirror sessions. | List
DescribeTrafficMirrorTargets | Describes one or more Traffic Mirror targets. | List
DescribeTransitGatewayAttachments | Describes one or more attachments between resources and transit gateways. | List
DescribeTransitGatewayRouteTables | Describes one or more transit gateway route tables. | List
DescribeTransitGatewayVpcAttachments | Describes one or more VPC attachments. | List
DescribeTransitGateways | Describes one or more transit gateways. | List
DescribeVolumeAttribute | Describes the specified attribute of the specified volume. | List
DescribeVolumeStatus | Describes the status of the specified volumes. | List
DescribeVolumes | Describes the specified EBS volumes. | List
DescribeVolumesModifications | Reports the current modification status of EBS volumes. | Read
DescribeVpcAttribute | Describes the specified attribute of the specified VPC. | List
DescribeVpcClassicLink | Describes the ClassicLink status of one or more VPCs. | List
DescribeVpcClassicLinkDnsSupport | Describes the ClassicLink DNS support status of one or more VPCs. | List
DescribeVpcEndpointConnectionNotifications | Describes the connection notifications for VPC endpoints and VPC endpoint services. | List
DescribeVpcEndpointConnections | Describes the VPC endpoint connections to your VPC endpoint services, including any endpoints that are pending your acceptance. | List
DescribeVpcEndpointServiceConfigurations | Describes the VPC endpoint service configurations in your account (your services). | List
DescribeVpcEndpointServicePermissions | Describes the principals (service consumers) that are permitted to discover your VPC endpoint service. | List
DescribeVpcEndpointServices | Describes all supported AWS services that can be specified when creating a VPC endpoint. | List
DescribeVpcEndpoints | Describes one or more of your VPC endpoints. | List
DescribeVpcPeeringConnections Describes one or more of your VPC peering connections. List
DescribeVpcs Describes one or more of your VPCs. List
DescribeVpnConnections Describes one or more of your VPN connections. Read
DescribeVpnGateways Describes one or more of your virtual private gateways. List
DetachClassicLinkVpc Unlinks (detaches) a linked EC2-Classic instance from a VPC. Write

instance*

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

vpc*

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Tenancy

DetachInternetGateway Detaches an Internet gateway from a VPC, disabling connectivity between the Internet and the VPC. Write
DetachNetworkInterface Detaches a network interface from an instance. Write
DetachVolume Detaches an EBS volume from an instance. Write

instance*

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

volume*

ec2:AvailabilityZone

ec2:Encrypted

ec2:ParentSnapshot

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeType

DetachVpnGateway Detaches a virtual private gateway from a VPC. Write
DisableEbsEncryptionByDefault Disables EBS encryption by default for your account in the current Region. Write
DisableTransitGatewayRouteTablePropagation Disables the specified resource attachment from propagating routes to the specified propagation route table. Write

transit-gateway-attachment*

ec2:Region

ec2:ResourceTag/${TagKey}

transit-gateway-route-table*

ec2:Region

ec2:ResourceTag/${TagKey}

DisableVgwRoutePropagation Disables a virtual private gateway (VGW) from propagating routes to a specified route table of a VPC. Write
DisableVpcClassicLink Disables ClassicLink for a VPC. Write

vpc*

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Tenancy

DisableVpcClassicLinkDnsSupport Disables ClassicLink DNS support for a VPC. Write
DisassociateAddress Disassociates an Elastic IP address from the instance or network interface it's associated with. Write
DisassociateClientVpnTargetNetwork Disassociates a target network from the specified Client VPN endpoint. Write

client-vpn-endpoint*

ec2:Region

ec2:ResourceTag/${TagKey}

DisassociateIamInstanceProfile Disassociates an IAM instance profile from a running or stopped instance. Write

instance*

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

DisassociateRouteTable Disassociates a subnet from a route table. Write
DisassociateSubnetCidrBlock Disassociates a CIDR block from a subnet. Write
DisassociateTransitGatewayRouteTable Disassociates a resource attachment from a transit gateway route table. Write

transit-gateway-attachment*

ec2:Region

ec2:ResourceTag/${TagKey}

transit-gateway-route-table*

ec2:Region

ec2:ResourceTag/${TagKey}

DisassociateVpcCidrBlock Disassociates a CIDR block from a VPC. Write
EnableEbsEncryptionByDefault Enables EBS encryption by default for your account in the current Region. Write
EnableTransitGatewayRouteTablePropagation Enables the specified attachment to propagate routes to the specified propagation route table. Write

transit-gateway-attachment*

ec2:Region

ec2:ResourceTag/${TagKey}

transit-gateway-route-table*

ec2:Region

ec2:ResourceTag/${TagKey}

EnableVgwRoutePropagation Enables a virtual private gateway (VGW) to propagate routes to the specified route table of a VPC. Write
EnableVolumeIO Enables I/O operations for a volume that had I/O operations disabled because the data on the volume was potentially inconsistent. Write
EnableVpcClassicLink Enables a VPC for ClassicLink. Write

vpc*

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Tenancy

EnableVpcClassicLinkDnsSupport Enables a VPC to support DNS hostname resolution for ClassicLink. Write
ExportClientVpnClientCertificateRevocationList Downloads the client certificate revocation list for the specified Client VPN endpoint. List
ExportClientVpnClientConfiguration Downloads the contents of the Client VPN endpoint configuration file for the specified Client VPN endpoint. List
ExportTransitGatewayRoutes Exports routes from the specified transit gateway route table to the specified S3 bucket. Write
GetCapacityReservationUsage Gets usage information about a Capacity Reservation. Read
GetConsoleOutput Gets the console output for the specified instance. Read
GetConsoleScreenshot Retrieves a JPG-format screenshot of a running instance to help with troubleshooting. Read

instance*

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

GetEbsDefaultKmsKeyId Gets the ID of the default KMS key used for EBS encryption by default in the current Region. Read
GetEbsEncryptionByDefault Describes whether EBS encryption by default is enabled for your account in the current Region. Read
GetHostReservationPurchasePreview Previews a reservation purchase with configurations that match those of your Dedicated Host. Read
GetLaunchTemplateData Retrieves the configuration data of the specified instance. Read
GetPasswordData Retrieves the encrypted administrator password for an instance running Windows. Read
GetReservedInstancesExchangeQuote Returns details about the values and term of your specified Convertible Reserved Instances. Read
GetTransitGatewayAttachmentPropagations Lists the route tables to which the specified resource attachment propagates routes. List
GetTransitGatewayRouteTableAssociations Gets information about the associations for the specified transit gateway route table. List
GetTransitGatewayRouteTablePropagations Gets information about the route table propagations for the specified transit gateway route table. List
ImportClientVpnClientCertificateRevocationList Uploads a client certificate revocation list to the specified Client VPN endpoint. Write

client-vpn-endpoint*

ec2:Region

ec2:ResourceTag/${TagKey}

ImportImage Imports single or multi-volume disk images or EBS snapshots into an Amazon Machine Image (AMI). Write
ImportInstance Creates an import instance task using metadata from the specified disk image. Write
ImportKeyPair Imports the public key from an RSA key pair that you created with a third-party tool. Write
ImportSnapshot Imports a disk into an EBS snapshot. Write
ImportVolume Creates an import volume task using metadata from the specified disk image. Write
ModifyCapacityReservation Modifies a Capacity Reservation's capacity and the conditions under which it is to be released. Write

capacity-reservation*

ec2:Region

ec2:ResourceTag/${TagKey}

ModifyClientVpnEndpoint Modifies the specified Client VPN endpoint. Write

client-vpn-endpoint*

ec2:Region

ec2:ResourceTag/${TagKey}

ModifyEbsDefaultKmsKeyId Changes the default customer master key (CMK) for EBS encryption by default for your account in this Region. Write
ModifyFleet Modifies the specified EC2 Fleet. Write
ModifyFpgaImageAttribute Modifies the specified attribute of the specified Amazon FPGA Image (AFI). Write
ModifyHosts Modifies the auto-placement setting of a Dedicated Host. Write
ModifyIdFormat Modifies the ID format for the specified resource on a per-region basis. Write
ModifyIdentityIdFormat Modifies the ID format of a resource for a specified IAM user, IAM role, or the root user for an account; or all IAM users, IAM roles, and the root user for an account. Write
ModifyImageAttribute Modifies the specified attribute of the specified AMI. Write
ModifyInstanceAttribute Modifies the specified attribute of the specified instance. Write
ModifyInstanceCapacityReservationAttributes Modifies the Capacity Reservation settings for a stopped instance. Write
ModifyInstanceCreditSpecification Modifies the credit option for CPU usage on an instance. Write
ModifyInstanceEventStartTime Modifies the start time for a scheduled EC2 instance event. Write

instance*

ec2:Region

ModifyInstancePlacement Sets the instance affinity value for a specific stopped instance and modifies the instance tenancy setting. Write
ModifyLaunchTemplate Modifies the specified launch template. Write

launch-template*

ec2:Region

ec2:ResourceTag/${TagKey}

ModifyNetworkInterfaceAttribute Modifies the specified network interface attribute. You can specify only one attribute at a time. Write
ModifyReservedInstances Modifies the Availability Zone, instance count, instance type, or network platform (EC2-Classic or EC2-VPC) of your Standard Reserved Instances. Write
ModifySnapshotAttribute Adds or removes permission settings for the specified snapshot. Permissions management

snapshot*

ec2:Owner

ec2:ParentVolume

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:SnapshotTime

ec2:VolumeSize

ModifySpotFleetRequest Modifies the specified Spot fleet request. Write
ModifySubnetAttribute Modifies a subnet attribute. Write
ModifyTrafficMirrorFilterNetworkServices Allows or restricts mirroring network services. Write

traffic-mirror-filter*

ec2:Region

ec2:ResourceTag/${TagKey}

ModifyTrafficMirrorFilterRule Modifies the specified Traffic Mirror rule. Write

traffic-mirror-filter*

ec2:Region

ec2:ResourceTag/${TagKey}

traffic-mirror-filter-rule*

ec2:Region

ModifyTrafficMirrorSession Modifies a Traffic Mirror session. Write

traffic-mirror-session*

ec2:Region

ec2:ResourceTag/${TagKey}

traffic-mirror-filter

ec2:Region

ec2:ResourceTag/${TagKey}

traffic-mirror-target

ec2:Region

ec2:ResourceTag/${TagKey}

ModifyTransitGatewayVpcAttachment Modifies the specified VPC attachment. Write

transit-gateway-attachment*

ec2:Region

ec2:ResourceTag/${TagKey}

subnet

ec2:Region

ec2:ResourceTag/${TagKey}

ModifyVolume Modifies several parameters of an existing EBS volume, including volume size, volume type, and IOPS capacity. Write
ModifyVolumeAttribute Modifies a volume attribute. Write
ModifyVpcAttribute Modifies the specified attribute of the specified VPC. Write
ModifyVpcEndpoint Modifies attributes of a specified VPC endpoint. Write
ModifyVpcEndpointConnectionNotification Modifies a connection notification for VPC endpoint or VPC endpoint service. Write
ModifyVpcEndpointServiceConfiguration Modifies the attributes of your VPC endpoint service configuration. Write
ModifyVpcEndpointServicePermissions Modifies the permissions for your VPC endpoint service. Permissions management
ModifyVpcPeeringConnectionOptions Modifies the VPC peering connection options on one side of a VPC peering connection. Write
ModifyVpcTenancy Modifies the instance tenancy attribute of the specified VPC. Write
ModifyVpnConnection Modifies the target gateway of an AWS Site-to-Site VPN connection. Write
MonitorInstances Enables detailed monitoring for a running instance. Write
MoveAddressToVpc Moves an Elastic IP address from the EC2-Classic platform to the EC2-VPC platform. Write
ProvisionByoipCidr Provisions an address range for use with your AWS resources through bring your own IP addresses (BYOIP) and creates a corresponding address pool. Write
PurchaseHostReservation Purchases a reservation with configurations that match those of your Dedicated Host. Write
PurchaseReservedInstancesOffering Purchases a Reserved Instance for use with your account. Write
PurchaseScheduledInstances Purchases one or more Scheduled Instances with the specified schedule. Write
RebootInstances Requests a reboot of one or more instances. Write

instance*

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

RegisterImage Registers an AMI. Write
RejectTransitGatewayVpcAttachment Rejects a request to attach a VPC to a transit gateway. Write

transit-gateway-attachment*

ec2:Region

ec2:ResourceTag/${TagKey}

RejectVpcEndpointConnections Rejects one or more VPC endpoint connection requests to your VPC endpoint service. Write
RejectVpcPeeringConnection Rejects a VPC peering connection request. Write

vpc-peering-connection*

ec2:AccepterVpc

ec2:Region

ec2:RequesterVpc

ec2:ResourceTag/${TagKey}

ReleaseAddress Releases the specified Elastic IP address. Write
ReleaseHosts Releases an On-Demand Dedicated Host when you no longer want to use it. Write
ReplaceIamInstanceProfileAssociation Replaces an IAM instance profile for the specified instance. Write

instance*

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

iam:PassRole

ReplaceNetworkAclAssociation Changes which network ACL a subnet is associated with. Write
ReplaceNetworkAclEntry Replaces an entry (rule) in a network ACL. Write
ReplaceRoute Replaces an existing route within a route table in a VPC. Write

route-table*

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

ReplaceRouteTableAssociation Changes the route table associated with a given subnet in a VPC. Write
ReplaceTransitGatewayRoute Replaces the specified route in the specified transit gateway route table. Write

transit-gateway-route-table*

ec2:Region

ec2:ResourceTag/${TagKey}

transit-gateway-attachment

ec2:Region

ec2:ResourceTag/${TagKey}

ReportInstanceStatus Submits feedback about the status of an instance. Write
RequestSpotFleet Creates a Spot fleet request. Write
RequestSpotInstances Creates a Spot instance request. Write
ResetEbsDefaultKmsKeyId Resets the default customer master key (CMK) for EBS encryption for your account in this Region to the AWS managed CMK for EBS. Write
ResetFpgaImageAttribute Resets an attribute of an Amazon FPGA Image (AFI) to its default value. Write
ResetImageAttribute Resets an attribute of an AMI to its default value. Write
ResetInstanceAttribute Resets an attribute of an instance to its default value. Write
ResetNetworkInterfaceAttribute Resets a network interface attribute. You can specify only one attribute at a time. Write
ResetSnapshotAttribute Resets permission settings for the specified snapshot. Permissions management
RestoreAddressToClassic Restores an Elastic IP address that was previously moved to the EC2-VPC platform back to the EC2-Classic platform. Write
RevokeClientVpnIngress Removes an ingress authorization rule from a Client VPN endpoint. Write

client-vpn-endpoint*

ec2:Region

ec2:ResourceTag/${TagKey}

RevokeSecurityGroupEgress [EC2-VPC only] Removes one or more egress rules from a security group for EC2-VPC. This action doesn't apply to security groups for use in EC2-Classic. Write

security-group*

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

RevokeSecurityGroupIngress Removes one or more ingress rules from a security group. Write

security-group*

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

RunInstances Launches the specified number of instances using an AMI for which you have permissions. Write

image*

ec2:ImageType

ec2:IsLaunchTemplateResource

ec2:LaunchTemplate

ec2:Owner

ec2:Public

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

instance*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:IsLaunchTemplateResource

ec2:LaunchTemplate

ec2:PlacementGroup

ec2:Region

ec2:RootDeviceType

ec2:Tenancy

network-interface*

ec2:AvailabilityZone

ec2:IsLaunchTemplateResource

ec2:LaunchTemplate

ec2:Region

ec2:ResourceTag/

ec2:Subnet

ec2:Vpc

security-group*

ec2:IsLaunchTemplateResource

ec2:LaunchTemplate

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

subnet*

ec2:AvailabilityZone

ec2:IsLaunchTemplateResource

ec2:LaunchTemplate

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

volume*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AvailabilityZone

ec2:Encrypted

ec2:IsLaunchTemplateResource

ec2:LaunchTemplate

ec2:ParentSnapshot

ec2:Region

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeType

key-pair

ec2:IsLaunchTemplateResource

ec2:LaunchTemplate

ec2:Region

launch-template

ec2:IsLaunchTemplateResource

ec2:LaunchTemplate

ec2:Region

placement-group

ec2:IsLaunchTemplateResource

ec2:LaunchTemplate

ec2:PlacementGroupStrategy

ec2:Region

snapshot

ec2:IsLaunchTemplateResource

ec2:LaunchTemplate

ec2:Owner

ec2:ParentVolume

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:SnapshotTime

ec2:VolumeSize

SCENARIO: EC2-Classic-EBS

image*

instance*

security-group*

volume*

key-pair

placement-group

snapshot

SCENARIO: EC2-Classic-InstanceStore

image*

instance*

security-group*

key-pair

placement-group

snapshot

SCENARIO: EC2-VPC-EBS

image*

instance*

network-interface*

security-group*

volume*

key-pair

placement-group

snapshot

SCENARIO: EC2-VPC-EBS-Subnet

image*

instance*

network-interface*

security-group*

subnet*

volume*

key-pair

placement-group

snapshot

SCENARIO: EC2-VPC-InstanceStore

image*

instance*

network-interface*

security-group*

key-pair

placement-group

snapshot

SCENARIO: EC2-VPC-InstanceStore-Subnet

image*

instance*

network-interface*

security-group*

subnet*

key-pair

placement-group

snapshot

RunScheduledInstances Launches the specified Scheduled Instances. Write
SearchTransitGatewayRoutes Searches for routes in the specified transit gateway route table. List
SendDiagnosticInterrupt Sends a diagnostic interrupt to the specified Amazon EC2 instance. Write

instance*

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

StartInstances Starts an Amazon EBS-backed instance that you've previously stopped. Write

instance*

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

StopInstances Stops an Amazon EBS-backed instance. Write

instance*

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

TerminateClientVpnConnections Terminates active Client VPN endpoint connections. Write

client-vpn-endpoint*

ec2:Region

ec2:ResourceTag/${TagKey}

TerminateInstances Shuts down one or more instances. Write

instance*

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

UnassignIpv6Addresses Unassigns one or more IPv6 addresses from the specified network interface. Write
UnassignPrivateIpAddresses Unassigns one or more secondary private IP addresses from a network interface. Write
UnmonitorInstances Disables detailed monitoring for a running instance. Write
UpdateSecurityGroupRuleDescriptionsEgress [EC2-VPC only] Updates descriptions for one or more egress rules of a security group. This action doesn't apply to security groups for use in EC2-Classic. Write

security-group*

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

UpdateSecurityGroupRuleDescriptionsIngress Updates descriptions for one or more ingress rules of a security group. Write

security-group*

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

WithdrawByoipCidr Stops advertising an IPv4 address range that is provisioned as an address pool. Write

Resources Defined by Amazon EC2

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

Resource Types ARN Condition Keys
capacity-reservation arn:${Partition}:ec2:${Region}:${Account}:capacity-reservation/${CapacityReservationId}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

client-vpn-endpoint arn:${Partition}:ec2:${Region}:${Account}:client-vpn-endpoint/${ClientVpnEndpointId}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

customer-gateway arn:${Partition}:ec2:${Region}:${Account}:customer-gateway/${CustomerGatewayId}

ec2:Region

ec2:ResourceTag/${TagKey}

dhcp-options arn:${Partition}:ec2:${Region}:${Account}:dhcp-options/${DhcpOptionsId}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

elastic-gpu arn:${Partition}:ec2:${Region}:${Account}:elasticGpu/${ElasticGpuId}
fpga-image arn:${Partition}:ec2:${Region}::fpga-image/${FpgaImageId}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Owner

ec2:Public

ec2:Region

ec2:ResourceTag/${TagKey}

image arn:${Partition}:ec2:${Region}::image/${ImageId}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:ImageType

ec2:Owner

ec2:Public

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

instance arn:${Partition}:ec2:${Region}:${Account}:instance/${InstanceId}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

internet-gateway arn:${Partition}:ec2:${Region}:${Account}:internet-gateway/${InternetGatewayId}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

key-pair arn:${Partition}:ec2:${Region}:${Account}:key-pair/${KeyPairName}

ec2:Region

launch-template arn:${Partition}:ec2:${Region}:${Account}:launch-template/${LaunchTemplateId}

ec2:Region

ec2:ResourceTag/${TagKey}

network-acl arn:${Partition}:ec2:${Region}:${Account}:network-acl/${NaclId}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

network-interface arn:${Partition}:ec2:${Region}:${Account}:network-interface/${NetworkInterfaceId}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AuthorizedService

ec2:AvailabilityZone

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

placement-group arn:${Partition}:ec2:${Region}:${Account}:placement-group/${PlacementGroupName}

ec2:PlacementGroupStrategy

ec2:Region

reserved-instances arn:${Partition}:ec2:${Region}:${Account}:reserved-instances/${ReservationId}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AvailabilityZone

ec2:InstanceType

ec2:Region

ec2:ReservedInstancesOfferingType

ec2:ResourceTag/${TagKey}

ec2:Tenancy

route-table arn:${Partition}:ec2:${Region}:${Account}:route-table/${RouteTableId}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

security-group arn:${Partition}:ec2:${Region}:${Account}:security-group/${SecurityGroupId}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

snapshot arn:${Partition}:ec2:${Region}::snapshot/${SnapshotId}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Owner

ec2:ParentVolume

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:SnapshotTime

ec2:VolumeSize

spot-instance-request arn:${Partition}:ec2:${Region}::spot-instance-request/${SpotInstanceRequestId}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

subnet arn:${Partition}:ec2:${Region}:${Account}:subnet/${SubnetId}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AvailabilityZone

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

traffic-mirror-session arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-session/${TrafficMirrorSessionId}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

traffic-mirror-target arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-target/${TrafficMirrorTargetId}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

traffic-mirror-filter arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-filter/${TrafficMirrorFilterId}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

traffic-mirror-filter-rule arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-filter-rule/${TrafficMirrorFilterRuleId}

ec2:Region

transit-gateway-attachment arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-attachment/${TransitGatewayAttachmentId}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

transit-gateway-route-table arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-route-table/${TransitGatewayRouteTableId}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

transit-gateway arn:${Partition}:ec2:${Region}:${Account}:transit-gateway/${TransitGatewayId}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

volume arn:${Partition}:ec2:${Region}:${Account}:volume/${VolumeId}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AvailabilityZone

ec2:Encrypted

ec2:ParentSnapshot

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeType

vpc arn:${Partition}:ec2:${Region}:${Account}:vpc/${VpcId}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Tenancy

vpc-peering-connection arn:${Partition}:ec2:${Region}:${Account}:vpc-peering-connection/${VpcPeeringConnectionId}

ec2:AccepterVpc

ec2:Region

ec2:RequesterVpc

ec2:ResourceTag/${TagKey}

vpn-connection arn:${Partition}:ec2:${Region}:${Account}:vpn-connection/${VpnConnectionId}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

vpn-gateway arn:${Partition}:ec2:${Region}:${Account}:vpn-gateway/${VpnGatewayId}

Condition Keys for Amazon EC2

Amazon EC2 defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

Condition Keys Description Type
aws:RequestTag/${TagKey} A key that is present in the request the user makes to the EC2 service. String
aws:TagKeys The list of all the tag key names associated with the resource in the request. String
ec2:AccepterVpc The ARN of an accepter VPC in a VPC peering connection. ARN
ec2:AuthorizedService The AWS service that has permission to use a resource. String
ec2:AuthorizedUser The IAM principal that has permission to use a resource. String
ec2:AvailabilityZone The name of an Availability Zone in a region. String
ec2:CreateAction The name of a resource-creating API action. String
ec2:EbsOptimized Whether the instance is enabled for EBS-optimization. Bool
ec2:ElasticGpuType The name of the type of ElasticGpu. String
ec2:Encrypted Whether the volume is encrypted. Bool
ec2:ImageType The name of the type of image. String
ec2:InstanceMarketType The name of the market type. String
ec2:InstanceProfile The ARN of the instance profile. ARN
ec2:InstanceType The name of the instance type. String
ec2:IsLaunchTemplateResource Launch template resource flag. Bool
ec2:LaunchTemplate The ARN of the launch template. ARN
ec2:Owner The name or account ID of the owner. String
ec2:ParentSnapshot The ARN of the parent snapshot. ARN
ec2:ParentVolume The ARN of the parent volume. ARN
ec2:Permission The type of permission for a resource. String
ec2:PlacementGroup The ARN of the placement group. ARN
ec2:PlacementGroupStrategy The name of the placement group strategy. String
ec2:ProductCode The product code of the product. String
ec2:Public Whether the image is public. Bool
ec2:Region The name of the region. String
ec2:RequesterVpc The ARN of a requester VPC in a VPC peering connection. ARN
ec2:ReservedInstancesOfferingType The payment option for a Reserved Instance. String
ec2:ResourceTag/ The preface string for a tag key and value pair attached to a resource. String
ec2:ResourceTag/${TagKey} A tag key and value pair. String
ec2:RootDeviceType The root device type: ebs or instance-store. String
ec2:SnapshotTime The snapshot creation time. String
ec2:SourceInstanceARN The ARN of the instance from which the request originated. ARN
ec2:Subnet The ARN of the subnet. ARN
ec2:Tenancy The tenancy of the instance or VPC. String
ec2:VolumeIops The number of input/output operations per second. Numeric
ec2:VolumeSize The size of the volume, in GiB. Numeric
ec2:VolumeType The name of the type of volume. String
ec2:Vpc The ARN of the VPC. ARN