AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for Amazon EC2

Amazon EC2 (service prefix: ec2) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.


Actions Defined by Amazon EC2

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.
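
The way the Action, Resource and Condition elements described above combine at request time is easiest to see in code. The following is an added example and is not part of the AWS documentation or of any AWS library: a small Python model of IAM evaluation run over a constructed policy that uses the ec2:ResourceTag/tag-key and ec2:Encrypted keys this page lists for the instance and volume resource types. The account ID, user name, instance ID and policy are made up, only the condition operators the policy needs are modelled, and organization SCPs, permissions boundaries, resource policies and session policies are ignored.

```python
"""Model of how Action, Resource and Condition combine for an EC2 request.
Added example, not AWS code: it covers only the subset of IAM semantics the
demo needs (implicit deny, explicit Deny over Allow, '*' and '?' wildcards,
StringEquals / StringNotEquals / StringLike / Bool, ${aws:username} substitution)."""
import fnmatch
import json
import re

# IAM's negated operators evaluate to true when the key is absent from the
# request context, so a Deny on StringNotEquals ec2:ResourceTag/Owner also
# denies instances that carry no Owner tag at all.
NEGATED = {"StringNotEquals"}
VAR = re.compile(r"\$\{([A-Za-z0-9:/_.-]+)\}")

# Constructed policy (account ID and ARNs are made up): instance control is
# scoped to the caller's own instances through ec2:ResourceTag/Owner, and
# creation of unencrypted volumes is refused through ec2:Encrypted.
POLICY = json.loads(r"""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:RebootInstances", "ec2:CreateVolume"],
     "Resource": "arn:aws:ec2:eu-west-1:111122223333:*"},
    {"Effect": "Deny",
     "Action": "ec2:RebootInstances",
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringNotEquals": {"ec2:ResourceTag/Owner": "${aws:username}"}}},
    {"Effect": "Deny",
     "Action": "ec2:CreateVolume",
     "Resource": "arn:aws:ec2:*:*:volume/*",
     "Condition": {"Bool": {"ec2:Encrypted": "false"}}}
  ]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(value, context):
    """Replace policy variables such as ${aws:username} with request values."""
    return VAR.sub(lambda m: context.get(m.group(1), m.group(0)), value)


def _condition_holds(condition, context):
    """Every operator block and every key in it must hold (AND); the values
    listed for one key are alternatives (OR)."""
    for operator, tests in condition.items():
        for key, expected in tests.items():
            actual = context.get(key)
            if actual is None:
                if operator in NEGATED:
                    continue
                return False
            expected = [_substitute(v, context) for v in _as_list(expected)]
            if operator == "StringEquals":
                ok = actual in expected
            elif operator == "StringNotEquals":
                ok = actual not in expected
            elif operator == "StringLike":
                ok = any(fnmatch.fnmatchcase(actual, p) for p in expected)
            elif operator == "Bool":
                ok = str(actual).lower() in [e.lower() for e in expected]
            else:
                raise ValueError(f"operator {operator} is not modelled")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return 'Allow' or 'Deny' for one request against one identity policy."""
    decision = "Deny"  # implicit deny until some Allow statement matches
    for stmt in _as_list(policy["Statement"]):
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides every Allow
        decision = "Allow"
    return decision


def demo():
    """Constructed requests; the context keys are the ones the table lists for
    the instance and volume resource types.  At CreateVolume time the volume
    does not exist yet, so its resource ARN ends in volume/*."""
    instance = "arn:aws:ec2:eu-west-1:111122223333:instance/i-0123456789abcdef0"
    volume = "arn:aws:ec2:eu-west-1:111122223333:volume/*"
    cases = {
        "reboot_own": ("ec2:RebootInstances", instance, {"ec2:ResourceTag/Owner": "alice"}),
        "reboot_other": ("ec2:RebootInstances", instance, {"ec2:ResourceTag/Owner": "bob"}),
        "reboot_untagged": ("ec2:RebootInstances", instance, {}),
        "reboot_wrong_region": ("ec2:RebootInstances", instance.replace("eu-west-1", "us-east-1"),
                                {"ec2:ResourceTag/Owner": "alice"}),
        "volume_encrypted": ("ec2:CreateVolume", volume, {"ec2:Encrypted": "true"}),
        "volume_plaintext": ("ec2:CreateVolume", volume, {"ec2:Encrypted": "false"}),
    }
    return {name: evaluate(POLICY, act, res, {"aws:username": "alice", **ctx})
            for name, (act, res, ctx) in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:20s} {decision}")
```

Two of the outcomes are the ones worth remembering: the reboot in the other region is denied even though no Deny matches, because no Allow covers that ARN, and the untagged instance is denied because StringNotEquals is true when the ec2:ResourceTag/Owner key is missing from the request.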

Each entry below gives the action, its description and its access level on one line, followed by the resource types it can be scoped to (an asterisk marks a required resource type) with the condition keys that apply to each, then any action-level condition keys and any dependent actions. An action with no resource types cannot be scoped to a resource; specify * in the Resource element for it.
AcceptReservedInstancesExchangeQuote Accepts the Convertible Reserved Instance exchange quote described in the GetReservedInstancesExchangeQuote call. Write
AcceptVpcEndpointConnections Accepts one or more interface VPC endpoint connection requests to your VPC endpoint service. Write
AcceptVpcPeeringConnection Accepts a VPC peering connection request. Write
  vpc* (ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy)
  vpc-peering-connection* (ec2:AccepterVpc, ec2:Region, ec2:RequesterVpc, ec2:ResourceTag/tag-key)

AllocateAddress Acquires an Elastic IP address. Write
AllocateHosts Allocates a Dedicated Host to your account. Write
AssignIpv6Addresses Assigns one or more IPv6 addresses to the specified network interface. Write
AssignPrivateIpAddresses Assigns one or more secondary private IP addresses to the specified network interface. Write
AssociateAddress Associates an Elastic IP address with an instance or a network interface. Write
AssociateDhcpOptions Associates a set of DHCP options (that you've previously created) with the specified VPC, or associates no DHCP options with the VPC. Write
AssociateIamInstanceProfile Associates an IAM instance profile with a running or stopped instance. Write
  instance* (ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy)
  Dependent actions: iam:PassRole

AssociateRouteTable Associates a subnet with a route table. Write
AssociateSubnetCidrBlock Associates a CIDR block with your subnet. Write
AssociateVpcCidrBlock Associates a CIDR block with your VPC. Write
AttachClassicLinkVpc Links an EC2-Classic instance to a ClassicLink-enabled VPC through one or more of the VPC's security groups. Write
  instance* (ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy)
  security-group* (ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc)
  vpc* (ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy)

AttachInternetGateway Attaches an Internet gateway to a VPC, enabling connectivity between the Internet and the VPC. Write
AttachNetworkInterface Attaches a network interface to an instance. Write
AttachVolume Attaches an EBS volume to a running or stopped instance and exposes it to the instance with the specified device name. Write
  instance* (ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy)
  volume* (ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/tag-key, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType)

AttachVpnGateway Attaches a virtual private gateway to a VPC. Write
AuthorizeSecurityGroupEgress [EC2-VPC only] Adds one or more egress rules to a security group for use with a VPC. Write
  security-group* (ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc)

AuthorizeSecurityGroupIngress Adds one or more ingress rules to a security group. Write
  security-group* (ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc)

BundleInstance Bundles an Amazon instance store-backed Windows instance. Write
CancelBundleTask Cancels a bundling operation for an instance store-backed Windows instance. Write
CancelConversionTask Cancels an active conversion task. Write
CancelExportTask Cancels an active export task. Write
CancelImportTask Cancels an in-process import virtual machine or import snapshot task. Write
CancelReservedInstancesListing Cancels the specified Reserved Instance listing in the Reserved Instance Marketplace. Write
CancelSpotFleetRequests Cancels the specified Spot fleet requests. Write
CancelSpotInstanceRequests Cancels one or more Spot instance requests. Write
ConfirmProductInstance Determines whether a product code is associated with an instance. Write
CopyFpgaImage Initiates the copy of an Amazon FPGA Image (AFI) from the specified source region to the current region. Write
CopyImage Initiates the copy of an AMI from the specified source region to the current region. Write
CopySnapshot Copies a point-in-time snapshot of an EBS volume and stores it in Amazon S3. Write
CreateCustomerGateway Provides information to AWS about your VPN customer gateway device. Write
CreateDefaultSubnet Creates a default subnet with a size /20 IPv4 CIDR block in the specified Availability Zone in your default VPC. Write
CreateDefaultVpc Creates a default VPC with a size /16 IPv4 CIDR block and a default subnet in each Availability Zone. Write
CreateDhcpOptions Creates a set of DHCP options for your VPC. Write
CreateEgressOnlyInternetGateway Creates an egress-only Internet gateway for your VPC. Write
CreateFlowLogs Creates one or more flow logs to capture IP traffic for a specific network interface, subnet, or VPC. Write
CreateFpgaImage Creates an Amazon FPGA Image (AFI) from the specified design checkpoint (DCP). Write
CreateImage Creates an Amazon EBS-backed AMI from an Amazon EBS-backed instance that is either running or stopped. Write
CreateInstanceExportTask Exports a running or stopped instance to an S3 bucket. Write
CreateInternetGateway Creates an Internet gateway for use with a VPC. Write
CreateKeyPair Creates a 2048-bit RSA key pair with the specified name. Write
CreateLaunchTemplate Creates a new launch template. Write
CreateLaunchTemplateVersion Creates a new version for the specified launch template. Write
  launch-template* (ec2:Region, ec2:ResourceTag/tag-key)

CreateNatGateway Creates a NAT gateway in the specified subnet. Write
CreateNetworkAcl Creates a network ACL in a VPC. Write
CreateNetworkAclEntry Creates an entry (a rule) in a network ACL with the specified rule number. Write
CreateNetworkInterface Creates a network interface in the specified subnet. Write
CreateNetworkInterfacePermission Creates a permission for a network interface that grants certain operations to another authorized user. Write
  network-interface* (ec2:AuthorizedUser, ec2:AvailabilityZone, ec2:Permission, ec2:Region, ec2:ResourceTag/tag-key, ec2:Subnet, ec2:Vpc)
  Condition keys (action level): ec2:AuthorizedService

CreatePlacementGroup Creates a placement group that you launch cluster instances into. Write
CreateReservedInstancesListing Creates a listing for Amazon EC2 Standard Reserved Instances to be sold in the Reserved Instance Marketplace. Write
CreateRoute Creates a route in a route table within a VPC. Write
  route-table* (ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc)

CreateRouteTable Creates a route table for the specified VPC. Write
CreateSecurityGroup Creates a security group. Write
CreateSnapshot Creates a snapshot of an EBS volume and stores it in Amazon S3. Write
  snapshot* (aws:TagKeys, aws:RequestTag/tag-key, ec2:ParentVolume, ec2:Region)
  volume* (ec2:Encrypted, ec2:Region, ec2:ResourceTag/tag-key, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType)

CreateSpotDatafeedSubscription Creates a data feed for Spot instances, enabling you to view Spot instance usage logs. You can create one data feed per AWS account. Write
CreateSubnet Creates a subnet in an existing VPC. Write
CreateTags Adds or overwrites one or more tags for the specified Amazon EC2 resource or resources. Tagging
  dhcp-options (aws:RequestTag/tag-key, aws:TagKeys, ec2:Region, ec2:ResourceTag/tag-key)
  fpga-image (aws:RequestTag/tag-key, aws:TagKeys, ec2:Owner, ec2:Public, ec2:Region, ec2:ResourceTag/tag-key)
  image (aws:RequestTag/tag-key, aws:TagKeys, ec2:ImageType, ec2:Owner, ec2:Public, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType)
  instance (aws:RequestTag/tag-key, aws:TagKeys, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy)
  internet-gateway (aws:RequestTag/tag-key, aws:TagKeys, ec2:Region, ec2:ResourceTag/tag-key)
  network-acl (aws:RequestTag/tag-key, aws:TagKeys, ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc)
  network-interface (aws:RequestTag/tag-key, aws:TagKeys, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/tag-key, ec2:Subnet, ec2:Vpc)
  reserved-instances (aws:RequestTag/tag-key, aws:TagKeys, ec2:AvailabilityZone, ec2:InstanceType, ec2:Region, ec2:ReservedInstancesOfferingType, ec2:ResourceTag/tag-key, ec2:Tenancy)
  route-table (aws:RequestTag/tag-key, aws:TagKeys, ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc)
  security-group (aws:RequestTag/tag-key, aws:TagKeys, ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc)
  snapshot (aws:RequestTag/tag-key, aws:TagKeys, ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:ResourceTag/tag-key, ec2:SnapshotTime, ec2:VolumeSize)
  spot-instance-request (aws:RequestTag/tag-key, aws:TagKeys, ec2:Region, ec2:ResourceTag/tag-key)
  subnet (aws:RequestTag/tag-key, aws:TagKeys, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc)
  volume (aws:RequestTag/tag-key, aws:TagKeys, ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/tag-key, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType)
  vpc (aws:RequestTag/tag-key, aws:TagKeys, ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy)
  vpn-connection (aws:RequestTag/tag-key, aws:TagKeys, ec2:Region, ec2:ResourceTag/tag-key)
  vpn-gateway (aws:RequestTag/tag-key, aws:TagKeys, ec2:Region, ec2:ResourceTag/tag-key)
  Condition keys (action level): ec2:CreateAction

CreateVolume Creates an EBS volume that can be attached to an instance in the same Availability Zone. Write
  volume* (aws:RequestTag/tag-key, aws:TagKeys, ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType)

CreateVpc Creates a VPC with the specified CIDR block. Write
CreateVpcEndpoint Creates a VPC endpoint for a specified AWS service. Write
  Dependent actions: route53:AssociateVPCWithHostedZone

CreateVpcEndpointConnectionNotification Creates a connection notification for a specified VPC endpoint or VPC endpoint service. Write
CreateVpcEndpointServiceConfiguration Creates a VPC endpoint service configuration to which service consumers (AWS accounts, IAM users, and IAM roles) can connect. Write
CreateVpcPeeringConnection Requests a VPC peering connection between two VPCs: a requester VPC that you own and a peer VPC with which to create the connection. Write
  vpc* (ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy)
  vpc-peering-connection* (ec2:AccepterVpc, ec2:Region, ec2:RequesterVpc)

CreateVpnConnection Creates a VPN connection between an existing virtual private gateway and a VPN customer gateway. Write
CreateVpnConnectionRoute Creates a static route associated with a VPN connection between an existing virtual private gateway and a VPN customer gateway. Write
CreateVpnGateway Creates a virtual private gateway. Write
DeleteCustomerGateway Deletes the specified customer gateway. Write
  customer-gateway* (ec2:Region, ec2:ResourceTag/tag-key)

DeleteDhcpOptions Deletes the specified set of DHCP options. Write
  dhcp-options* (ec2:Region, ec2:ResourceTag/tag-key)

DeleteEgressOnlyInternetGateway Deletes the specified egress-only Internet gateway. Write
DeleteFlowLogs Deletes one or more flow logs. Write
DeleteFpgaImage Deletes the specified Amazon FPGA Image (AFI). Write
DeleteInternetGateway Deletes the specified Internet gateway. Write
  internet-gateway* (ec2:Region, ec2:ResourceTag/tag-key)

DeleteKeyPair Deletes the specified key pair, by removing the public key from Amazon EC2. Write
DeleteLaunchTemplate Deletes the specified launch template and all associated versions. Write
  launch-template* (ec2:Region, ec2:ResourceTag/tag-key)

DeleteLaunchTemplateVersions Deletes the specified versions for the specified launch template. Write
  launch-template* (ec2:Region, ec2:ResourceTag/tag-key)

DeleteNatGateway Deletes the specified NAT gateway. Write
DeleteNetworkAcl Deletes the specified network ACL. Write
  network-acl* (ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc)

DeleteNetworkAclEntry Deletes the specified ingress or egress entry (rule) from the specified network ACL. Write
  network-acl* (ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc)

DeleteNetworkInterface Deletes the specified network interface. You must detach the network interface before you can delete it. Write
DeleteNetworkInterfacePermission Deletes a permission associated with a network interface. Write
DeletePlacementGroup Deletes the specified placement group. Write
DeleteRoute Deletes the specified route from the specified route table. Write
  route-table* (ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc)

DeleteRouteTable Deletes the specified route table. Write
  route-table* (ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc)

DeleteSecurityGroup Deletes a security group. Write
  security-group* (ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc)

DeleteSnapshot Deletes the specified snapshot. Write
  snapshot* (ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:ResourceTag/tag-key, ec2:SnapshotTime, ec2:VolumeSize)

DeleteSpotDatafeedSubscription Deletes the data feed for Spot instances. Write
DeleteSubnet Deletes the specified subnet. Write
DeleteTags Deletes the specified set of tags from the specified set of resources. Tagging
  Resource types (none required), each with the condition keys aws:RequestTag/tag-key, aws:TagKeys, ec2:Region and ec2:ResourceTag/tag-key: dhcp-options, fpga-image, image, instance, internet-gateway, network-acl, network-interface, reserved-instances, route-table, security-group, snapshot, spot-instance-request, subnet, volume, vpc, vpn-connection, vpn-gateway

DeleteVolume Deletes the specified EBS volume. Write
  volume* (ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/tag-key, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType)

DeleteVpc Deletes the specified VPC. You must detach or delete all gateways and resources that are associated with the VPC before you can delete it. Write
DeleteVpcEndpointConnectionNotifications Deletes one or more VPC endpoint connection notifications. Write
DeleteVpcEndpointServiceConfigurations Deletes one or more VPC endpoint service configurations in your account. Write
DeleteVpcEndpoints Deletes one or more specified VPC endpoints. Write
DeleteVpcPeeringConnection Deletes a VPC peering connection. Write
  vpc-peering-connection* (ec2:AccepterVpc, ec2:Region, ec2:RequesterVpc, ec2:ResourceTag/tag-key)

DeleteVpnConnection Deletes the specified VPN connection. Write
DeleteVpnConnectionRoute Deletes the specified static route associated with a VPN connection between an existing virtual private gateway and a VPN customer gateway. Write
DeleteVpnGateway Deletes the specified virtual private gateway. Write
DeregisterImage Deregisters the specified AMI. Write
DescribeAccountAttributes Describes attributes of your AWS account. List
DescribeAddresses Describes one or more of your Elastic IP addresses. List
DescribeAvailabilityZones Describes one or more of the Availability Zones that are available to you. List
DescribeBundleTasks Describes one or more of your bundling tasks. List
DescribeClassicLinkInstances Describes one or more of your linked EC2-Classic instances. List
DescribeConversionTasks Describes one or more of your conversion tasks. List
DescribeCustomerGateways Describes one or more of your VPN customer gateways. List
DescribeDhcpOptions Describes one or more of your DHCP options sets. List
DescribeEgressOnlyInternetGateways Describes one or more of your egress-only Internet gateways. List
DescribeElasticGpus Describes the Elastic GPUs associated with your instances. Read
DescribeExportTasks Describes one or more of your export tasks. List
DescribeFlowLogs Describes one or more flow logs. List
DescribeFpgaImageAttribute Describes the specified attribute of the specified Amazon FPGA Images (AFI). List
DescribeFpgaImages Describes one or more of the Amazon FPGA Images (AFIs) available to you. List
DescribeHostReservationOfferings Describes the Dedicated Host Reservations that are available to purchase. List
DescribeHostReservations Describes Dedicated Host Reservations which are associated with Dedicated Hosts in your account. List
DescribeHosts Describes one or more of your Dedicated Hosts. List
DescribeIamInstanceProfileAssociations Describes your IAM instance profile associations. List
DescribeIdFormat Describes the ID format settings for your resources on a per-region basis, for example, to view which resource types are enabled for longer IDs. List
DescribeIdentityIdFormat Describes the ID format settings for resources for the specified IAM user, IAM role, or root user. List
DescribeImageAttribute Describes the specified attribute of the specified AMI. List
DescribeImages Describes one or more of the images (AMIs, AKIs, and ARIs) available to you. List
DescribeImportImageTasks Describes the import virtual machine or import snapshot tasks that have already been created. List
DescribeImportSnapshotTasks Describes your import snapshot tasks. List
DescribeInstanceAttribute Describes the specified attribute of the specified instance. List
DescribeInstanceCreditSpecifications Describes the credit option for CPU usage of one or more of your instances. List
DescribeInstanceStatus Describes the status of one or more instances. List
DescribeInstances Describes one or more of your instances. List
DescribeInternetGateways Describes one or more of your Internet gateways. List
DescribeKeyPairs Describes one or more of your key pairs. List
DescribeLaunchTemplateVersions Describes one or more of your launch template versions. List
DescribeLaunchTemplates Describes one or more of your launch templates. List
DescribeMovingAddresses Describes your Elastic IP addresses that are being moved to the EC2-VPC platform, or that are being restored to the EC2-Classic platform. List
DescribeNatGateways Describes one or more of your NAT gateways. List
DescribeNetworkAcls Describes one or more of your network ACLs. List
DescribeNetworkInterfaceAttribute Describes a network interface attribute. You can specify only one attribute at a time. List
DescribeNetworkInterfacePermissions Describes the permissions associated with a network interface. List
DescribeNetworkInterfaces Describes one or more of your network interfaces. List
DescribePlacementGroups Describes one or more of your placement groups. List
DescribePrefixLists Describes available AWS services in a prefix list format, which includes the prefix list name and prefix list ID of the service and the IP address range for the service. List
DescribeRegions Describes one or more regions that are currently available to you. List
DescribeReservedInstances Describes one or more of the Reserved Instances that you purchased. List
DescribeReservedInstancesListings Describes your account's Reserved Instance listings in the Reserved Instance Marketplace. List
DescribeReservedInstancesModifications Describes the modifications made to your Reserved Instances. List
DescribeReservedInstancesOfferings Describes Reserved Instance offerings that are available for purchase. List
DescribeRouteTables Describes one or more of your route tables. List
DescribeScheduledInstanceAvailability Finds available schedules that meet the specified criteria. Read
DescribeScheduledInstances Describes one or more of your Scheduled Instances. Read
DescribeSecurityGroupReferences [EC2-VPC only] Describes the VPCs on the other side of a VPC peering connection that are referencing the security groups you've specified in this request. List
DescribeSecurityGroups Describes one or more of your security groups. List
DescribeSnapshotAttribute Describes the specified attribute of the specified snapshot. List
DescribeSnapshots Describes one or more of the EBS snapshots available to you. List
DescribeSpotDatafeedSubscription Describes the data feed for Spot instances. List
DescribeSpotFleetInstances Describes the running instances for the specified Spot fleet. List
DescribeSpotFleetRequestHistory Describes the events for the specified Spot fleet request during the specified time. List
DescribeSpotFleetRequests Describes your Spot fleet requests. List
DescribeSpotInstanceRequests Describes the Spot instance requests that belong to your account. List
DescribeSpotPriceHistory Describes the Spot price history. List
DescribeStaleSecurityGroups [EC2-VPC only] Describes the stale security group rules for security groups in a specified VPC. List
DescribeSubnets Describes one or more of your subnets. List
DescribeTags Describes one or more of the tags for your EC2 resources. Read
DescribeVolumeAttribute Describes the specified attribute of the specified volume. List
DescribeVolumeStatus Describes the status of the specified volumes. List
DescribeVolumes Describes the specified EBS volumes. List
DescribeVolumesModifications Reports the current modification status of EBS volumes. Read
DescribeVpcAttribute Describes the specified attribute of the specified VPC. List
DescribeVpcClassicLink Describes the ClassicLink status of one or more VPCs. List
DescribeVpcClassicLinkDnsSupport Describes the ClassicLink DNS support status of one or more VPCs. List
DescribeVpcEndpointConnectionNotifications Describes the connection notifications for VPC endpoints and VPC endpoint services. List
DescribeVpcEndpointConnections Describes the VPC endpoint connections to your VPC endpoint services, including any endpoints that are pending your acceptance. List
DescribeVpcEndpointServiceConfigurations Describes the VPC endpoint service configurations in your account (your services). List
DescribeVpcEndpointServicePermissions Describes the principals (service consumers) that are permitted to discover your VPC endpoint service. List
DescribeVpcEndpointServices Describes all supported AWS services that can be specified when creating a VPC endpoint. List
DescribeVpcEndpoints Describes one or more of your VPC endpoints. List
DescribeVpcPeeringConnections Describes one or more of your VPC peering connections. List
DescribeVpcs Describes one or more of your VPCs. List
DescribeVpnConnections Describes one or more of your VPN connections. Read
DescribeVpnGateways Describes one or more of your virtual private gateways. List
DetachClassicLinkVpc Unlinks (detaches) a linked EC2-Classic instance from a VPC. Write
  instance* (ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy)
  vpc* (ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy)

DetachInternetGateway Detaches an Internet gateway from a VPC, disabling connectivity between the Internet and the VPC. Write
DetachNetworkInterface Detaches a network interface from an instance. Write
DetachVolume Detaches an EBS volume from an instance. Write
  instance* (ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy)
  volume* (ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/tag-key, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType)

DetachVpnGateway Detaches a virtual private gateway from a VPC. Write
DisableVgwRoutePropagation Disables a virtual private gateway (VGW) from propagating routes to a specified route table of a VPC. Write
DisableVpcClassicLink Disables ClassicLink for a VPC. Write
  vpc* (ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy)

DisableVpcClassicLinkDnsSupport Disables ClassicLink DNS support for a VPC. Write
DisassociateAddress Disassociates an Elastic IP address from the instance or network interface it's associated with. Write
DisassociateIamInstanceProfile Disassociates an IAM instance profile from a running or stopped instance. Write
  instance* (ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy)

DisassociateRouteTable Disassociates a subnet from a route table. Write
DisassociateSubnetCidrBlock Disassociates a CIDR block from a subnet. Write
DisassociateVpcCidrBlock Disassociates a CIDR block from a VPC. Write
EnableVgwRoutePropagation Enables a virtual private gateway (VGW) to propagate routes to the specified route table of a VPC. Write
EnableVolumeIO Enables I/O operations for a volume that had I/O operations disabled because the data on the volume was potentially inconsistent. Write
EnableVpcClassicLink Enables a VPC for ClassicLink. Write
  vpc* (ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy)

EnableVpcClassicLinkDnsSupport Enables a VPC to support DNS hostname resolution for ClassicLink. Write
GetConsoleOutput Gets the console output for the specified instance. Read
GetConsoleScreenshot Retrieves a JPG-format screenshot of a running instance to help with troubleshooting. Read
  instance* (ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy)

GetHostReservationPurchasePreview Previews a reservation purchase with configurations that match those of your Dedicated Host. Read
GetLaunchTemplateData Retrieves the configuration data of the specified instance. Read
GetPasswordData Retrieves the encrypted administrator password for an instance running Windows. Read
GetReservedInstancesExchangeQuote Returns details about the values and term of your specified Convertible Reserved Instances. Read
ImportImage Imports single- or multi-volume disk images or EBS snapshots into an Amazon Machine Image (AMI). Write
ImportInstance Creates an import instance task using metadata from the specified disk image. Write
ImportKeyPair Imports the public key from an RSA key pair that you created with a third-party tool. Write
ImportSnapshot Imports a disk into an EBS snapshot. Write
ImportVolume Creates an import volume task using metadata from the specified disk image. Write
ModifyFpgaImageAttribute Modifies the specified attribute of the specified Amazon FPGA Image (AFI). Write
ModifyHosts Modifies the auto-placement setting of a Dedicated Host. Write
ModifyIdFormat Modifies the ID format for the specified resource on a per-region basis. Write
ModifyIdentityIdFormat Modifies the ID format of a resource for a specified IAM user, IAM role, or the root user for an account; or all IAM users, IAM roles, and the root user for an account. Write
ModifyImageAttribute Modifies the specified attribute of the specified AMI. Write
ModifyInstanceAttribute Modifies the specified attribute of the specified instance. Write
ModifyInstanceCreditSpecification Modifies the credit option for CPU usage on an instance. Write
ModifyInstancePlacement Sets the instance affinity value for a specific stopped instance and modifies the instance tenancy setting. Write
ModifyLaunchTemplate Modifies the specified launch template. Write
  launch-template* (ec2:Region, ec2:ResourceTag/tag-key)

ModifyNetworkInterfaceAttribute Modifies the specified network interface attribute. You can specify only one attribute at a time. Write
ModifyReservedInstances Modifies the Availability Zone, instance count, instance type, or network platform (EC2-Classic or EC2-VPC) of your Standard Reserved Instances. Write
ModifySnapshotAttribute Adds or removes permission settings for the specified snapshot. Write
  snapshot* (ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:ResourceTag/tag-key, ec2:SnapshotTime, ec2:VolumeSize)

ModifySpotFleetRequest Modifies the specified Spot fleet request. Write
ModifySubnetAttribute Modifies a subnet attribute. Write
ModifyVolume Modifies the size, volume type, or IOPS of an existing EBS volume. Write
ModifyVolumeAttribute Modifies a volume attribute. Write
ModifyVpcAttribute Modifies the specified attribute of the specified VPC. Write
ModifyVpcEndpoint Modifies attributes of a specified VPC endpoint. Write
ModifyVpcEndpointConnectionNotification Modifies a connection notification for VPC endpoint or VPC endpoint service. Write
ModifyVpcEndpointServiceConfiguration Modifies the attributes of your VPC endpoint service configuration. Write
ModifyVpcEndpointServicePermissions Modifies the permissions for your VPC endpoint service. Write
ModifyVpcPeeringConnectionOptions Modifies the VPC peering connection options on one side of a VPC peering connection. Write
ModifyVpcTenancy Modifies the instance tenancy attribute of the specified VPC. Write
MonitorInstances Enables detailed monitoring for a running instance. Write
MoveAddressToVpc Moves an Elastic IP address from the EC2-Classic platform to the EC2-VPC platform. Write
PurchaseHostReservation Purchases a reservation with configurations that match those of your Dedicated Host. Write
PurchaseReservedInstancesOffering Purchases a Reserved Instance for use with your account. Write
PurchaseScheduledInstances Purchases one or more Scheduled Instances with the specified schedule. Write
RebootInstances Requests a reboot of one or more instances. Write
  instance* (ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy)

RegisterImage Registers an AMI. Write
RejectVpcEndpointConnections Rejects one or more VPC endpoint connection requests to your VPC endpoint service. Write
RejectVpcPeeringConnection Rejects a VPC peering connection request. Write
  vpc-peering-connection* (ec2:AccepterVpc, ec2:Region, ec2:RequesterVpc, ec2:ResourceTag/tag-key)

ReleaseAddress Releases the specified Elastic IP address. Write
ReleaseHosts Releases one or more On-Demand Dedicated Hosts that you no longer need. Write
ReplaceIamInstanceProfileAssociation Replaces an IAM instance profile for the specified instance. Write
  instance* (ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy)
  Dependent actions: iam:PassRole
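
Two groups of entries in this table are worth reading together. AssociateIamInstanceProfile and ReplaceIamInstanceProfileAssociation (like RunInstances with a profile) depend on iam:PassRole, and CreateTags and DeleteTags carry the ec2:CreateAction, aws:RequestTag/tag-key and aws:TagKeys keys that keep ec2:ResourceTag/tag-key-based policies honest. The following is an added example and not AWS tooling: a Python audit over a policy document that flags a broad iam:PassRole grant combined with any action that attaches an instance profile (a principal holding both can obtain the credentials of any role that trusts EC2), and an Allow for tagging actions that carries no guard while the policy relies on resource tags elsewhere (a principal who can retag a resource can make it satisfy the tag condition). The two policies it checks are constructed; the account ID, role names and the Team tag are made up.

```python
"""Static checks for two weaknesses the dependent-action and condition-key
columns point at.  Added example, not AWS tooling; the policies below are
constructed and the account ID and role names are made up.

1. iam:PassRole is a dependent action of AssociateIamInstanceProfile and
   ReplaceIamInstanceProfileAssociation (and of RunInstances with a profile).
   Pass-any-role plus attach-a-profile yields the credentials of any role
   that trusts ec2.amazonaws.com.
2. ec2:ResourceTag/tag-key conditions only hold if the principal cannot retag
   resources at will, so Allow statements for CreateTags/DeleteTags need a
   guard such as ec2:CreateAction (tag-on-create only), aws:RequestTag or
   aws:TagKeys."""
import fnmatch
import json

PROFILE_ATTACHERS = ("ec2:AssociateIamInstanceProfile",
                     "ec2:ReplaceIamInstanceProfileAssociation",
                     "ec2:RunInstances")
TAG_ACTIONS = ("ec2:CreateTags", "ec2:DeleteTags")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allows(stmt, action):
    """True when an Allow statement's Action element covers `action`
    (IAM action matching is case-insensitive and honours '*' and '?')."""
    return stmt.get("Effect") == "Allow" and any(
        fnmatch.fnmatchcase(action.lower(), p.lower())
        for p in _as_list(stmt.get("Action", [])))


def _broad_role(resource):
    """'*', or a role ARN pattern whose name part is just '*'."""
    return resource == "*" or resource.rsplit("/", 1)[-1] == "*"


def _condition_keys(stmt):
    return {key for tests in stmt.get("Condition", {}).values() for key in tests}


def audit(policy):
    """Return a list of findings, each naming the statement indexes involved."""
    stmts = _as_list(policy["Statement"])
    findings = []

    # Check 1: permissions aggregate across statements, so the PassRole grant
    # and the profile-attaching grant may live in different statements.
    passrole = [i for i, s in enumerate(stmts) if _allows(s, "iam:PassRole")
                and any(_broad_role(r) for r in _as_list(s.get("Resource", [])))]
    attach = [i for i, s in enumerate(stmts)
              if any(_allows(s, a) for a in PROFILE_ATTACHERS)]
    if passrole and attach:
        findings.append({"check": "passrole-to-instance",
                         "statements": sorted(set(passrole + attach))})

    # Check 2: only relevant when the policy relies on resource tags somewhere.
    abac = any(k.startswith(("ec2:ResourceTag/", "aws:ResourceTag/"))
               for s in stmts for k in _condition_keys(s))
    for i, s in enumerate(stmts):
        if not abac or not any(_allows(s, a) for a in TAG_ACTIONS):
            continue
        guarded = any(k in ("ec2:CreateAction", "aws:TagKeys")
                      or k.startswith("aws:RequestTag/") for k in _condition_keys(s))
        if not guarded:
            findings.append({"check": "unguarded-tagging", "statements": [i]})
    return findings


# Constructed: tag-scoped reboot, but free retagging and PassRole on any role.
INSECURE_POLICY = json.loads(r"""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "ec2:RebootInstances", "Resource": "*",
   "Condition": {"StringEquals": {"ec2:ResourceTag/Team": "${aws:PrincipalTag/Team}"}}},
  {"Effect": "Allow", "Action": ["ec2:CreateTags", "ec2:DeleteTags"], "Resource": "*"},
  {"Effect": "Allow", "Action": "ec2:AssociateIamInstanceProfile", "Resource": "*"},
  {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::111122223333:role/*"}
]}""")

# Constructed: same intent, tagging only at launch and PassRole pinned to one role.
HARDENED_POLICY = json.loads(r"""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "ec2:RebootInstances", "Resource": "*",
   "Condition": {"StringEquals": {"ec2:ResourceTag/Team": "${aws:PrincipalTag/Team}"}}},
  {"Effect": "Allow", "Action": "ec2:CreateTags", "Resource": "arn:aws:ec2:*:*:instance/*",
   "Condition": {"StringEquals": {"ec2:CreateAction": "RunInstances"}}},
  {"Effect": "Allow", "Action": "ec2:AssociateIamInstanceProfile", "Resource": "*"},
  {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::111122223333:role/app-web"}
]}""")


if __name__ == "__main__":
    for name, policy in (("insecure", INSECURE_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit(policy))
```

The hardened policy passes both checks for the reasons the table suggests: iam:PassRole is pinned to one role ARN, CreateTags is allowed only when ec2:CreateAction is RunInstances (so existing instances cannot be retagged into a different Team), and DeleteTags is not granted at all. A policy with "Action": "*" trips the first check on its own, since a single statement can carry both halves.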

ReplaceNetworkAclAssociation Changes which network ACL a subnet is associated with. Write
ReplaceNetworkAclEntry Replaces an entry (rule) in a network ACL. Write
ReplaceRoute Replaces an existing route within a route table in a VPC. Write
    route-table*: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc
ReplaceRouteTableAssociation Changes the route table associated with a given subnet in a VPC. Write
ReportInstanceStatus Submits feedback about the status of an instance. Write
RequestSpotFleet Creates a Spot fleet request. Write
RequestSpotInstances Creates a Spot instance request. Write
ResetFpgaImageAttribute Resets an attribute of an Amazon FPGA Image (AFI) to its default value. Write
ResetImageAttribute Resets an attribute of an AMI to its default value. Write
ResetInstanceAttribute Resets an attribute of an instance to its default value. Write
ResetNetworkInterfaceAttribute Resets a network interface attribute. You can specify only one attribute at a time. Write
ResetSnapshotAttribute Resets permission settings for the specified snapshot. Write
RestoreAddressToClassic Restores an Elastic IP address that was previously moved to the EC2-VPC platform back to the EC2-Classic platform. Write
RevokeSecurityGroupEgress [EC2-VPC only] Removes one or more egress rules from a security group for EC2-VPC. This action doesn't apply to security groups for use in EC2-Classic. Write
    security-group*: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc
RevokeSecurityGroupIngress Removes one or more ingress rules from a security group. Write
    security-group*: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc
RunInstances Launches the specified number of instances using an AMI for which you have permissions. Tagging
    image*: ec2:ImageType, ec2:IsLaunchTemplateResource, ec2:LaunchTemplate, ec2:Owner, ec2:Public, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType
    instance*: aws:RequestTag/tag-key, aws:TagKeys, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:IsLaunchTemplateResource, ec2:LaunchTemplate, ec2:PlacementGroup, ec2:Region, ec2:RootDeviceType, ec2:Tenancy
    network-interface*: ec2:AvailabilityZone, ec2:IsLaunchTemplateResource, ec2:LaunchTemplate, ec2:Region, ec2:ResourceTag/, ec2:Subnet, ec2:Vpc
    security-group*: ec2:IsLaunchTemplateResource, ec2:LaunchTemplate, ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc
    subnet*: ec2:AvailabilityZone, ec2:IsLaunchTemplateResource, ec2:LaunchTemplate, ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc
    volume*: aws:RequestTag/tag-key, aws:TagKeys, ec2:AvailabilityZone, ec2:Encrypted, ec2:IsLaunchTemplateResource, ec2:LaunchTemplate, ec2:ParentSnapshot, ec2:Region, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType
    key-pair: ec2:IsLaunchTemplateResource, ec2:LaunchTemplate, ec2:Region
    launch-template: ec2:IsLaunchTemplateResource, ec2:LaunchTemplate, ec2:Region
    placement-group: ec2:IsLaunchTemplateResource, ec2:LaunchTemplate, ec2:PlacementGroupStrategy, ec2:Region
    snapshot: ec2:IsLaunchTemplateResource, ec2:LaunchTemplate, ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:ResourceTag/tag-key, ec2:SnapshotTime, ec2:VolumeSize
    SCENARIO: EC2-Classic-EBS: image*, instance*, security-group*, volume*, key-pair, placement-group, snapshot
    SCENARIO: EC2-Classic-InstanceStore: image*, instance*, security-group*, key-pair, placement-group, snapshot
    SCENARIO: EC2-VPC-EBS: image*, instance*, network-interface*, security-group*, volume*, key-pair, placement-group, snapshot
    SCENARIO: EC2-VPC-EBS-Subnet: image*, instance*, network-interface*, security-group*, subnet*, volume*, key-pair, placement-group, snapshot
    SCENARIO: EC2-VPC-InstanceStore: image*, instance*, network-interface*, security-group*, key-pair, placement-group, snapshot
    SCENARIO: EC2-VPC-InstanceStore-Subnet: image*, instance*, network-interface*, security-group*, subnet*, key-pair, placement-group, snapshot
RunScheduledInstances Launches the specified Scheduled Instances. Write
StartInstances Starts an Amazon EBS-backed AMI that you've previously stopped. Write
    instance*: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy
StopInstances Stops an Amazon EBS-backed instance. Write
    instance*: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy
TerminateInstances Shuts down one or more instances. Write
    instance*: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy
UnassignIpv6Addresses Unassigns one or more IPv6 addresses from the specified network interface. Write
UnassignPrivateIpAddresses Unassigns one or more secondary private IP addresses from a network interface. Write
UnmonitorInstances Disables detailed monitoring for a running instance. Write
UpdateSecurityGroupRuleDescriptionsEgress [EC2-VPC only] Updates descriptions for one or more egress rules of a security group. This action doesn't apply to security groups for use in EC2-Classic. Write
    security-group*: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc
UpdateSecurityGroupRuleDescriptionsIngress Updates descriptions for one or more ingress rules of a security group. Write
    security-group*: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc
Resources Defined by EC2

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

Resource Types ARN Condition Keys
customer-gateway arn:${Partition}:ec2:${Region}:${Account}:customer-gateway/${CustomerGatewayId}
    ec2:Region, ec2:ResourceTag/tag-key
dhcp-options arn:${Partition}:ec2:${Region}:${Account}:dhcp-options/${DhcpOptionsId}
    aws:RequestTag/tag-key, aws:TagKeys, ec2:Region, ec2:ResourceTag/tag-key
elastic-gpu arn:${Partition}:ec2:${Region}:${Account}:elasticGpu/${ElasticGpuId}
fpga-image arn:${Partition}:ec2:${Region}::fpga-image/${FpgaImageId}
    aws:RequestTag/tag-key, aws:TagKeys, ec2:Owner, ec2:Public, ec2:Region, ec2:ResourceTag/tag-key
image arn:${Partition}:ec2:${Region}::image/${ImageId}
    aws:RequestTag/tag-key, aws:TagKeys, ec2:ImageType, ec2:Owner, ec2:Public, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType
instance arn:${Partition}:ec2:${Region}:${Account}:instance/${InstanceId}
    aws:RequestTag/tag-key, aws:TagKeys, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy
internet-gateway arn:${Partition}:ec2:${Region}:${Account}:internet-gateway/${InternetGatewayId}
    aws:RequestTag/tag-key, aws:TagKeys, ec2:Region, ec2:ResourceTag/tag-key
key-pair arn:${Partition}:ec2:${Region}:${Account}:key-pair/${KeyPairName}
    ec2:Region
launch-template arn:${Partition}:ec2:${Region}:${Account}:launch-template/${LaunchTemplateId}
    ec2:Region, ec2:ResourceTag/tag-key
network-acl arn:${Partition}:ec2:${Region}:${Account}:network-acl/${NaclId}
    aws:RequestTag/tag-key, aws:TagKeys, ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc
network-interface arn:${Partition}:ec2:${Region}:${Account}:network-interface/${NetworkInterfaceId}
    aws:RequestTag/tag-key, aws:TagKeys, ec2:AuthorizedService, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/tag-key, ec2:Subnet, ec2:Vpc
placement-group arn:${Partition}:ec2:${Region}:${Account}:placement-group/${PlacementGroupName}
    ec2:PlacementGroupStrategy, ec2:Region
reserved-instances arn:${Partition}:ec2:${Region}:${Account}:reserved-instances/${ReservationId}
    aws:RequestTag/tag-key, aws:TagKeys, ec2:AvailabilityZone, ec2:InstanceType, ec2:Region, ec2:ReservedInstancesOfferingType, ec2:ResourceTag/tag-key, ec2:Tenancy
route-table arn:${Partition}:ec2:${Region}:${Account}:route-table/${RouteTableId}
    aws:RequestTag/tag-key, aws:TagKeys, ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc
security-group arn:${Partition}:ec2:${Region}:${Account}:security-group/${SecurityGroupId}
    aws:RequestTag/tag-key, aws:TagKeys, ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc
snapshot arn:${Partition}:ec2:${Region}::snapshot/${SnapshotId}
    aws:RequestTag/tag-key, aws:TagKeys, ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:ResourceTag/tag-key, ec2:SnapshotTime, ec2:VolumeSize
spot-instance-request arn:${Partition}:ec2:${Region}::spot-instance-request/${SpotInstanceRequestId}
    aws:RequestTag/tag-key, aws:TagKeys, ec2:Region, ec2:ResourceTag/tag-key
subnet arn:${Partition}:ec2:${Region}:${Account}:subnet/${SubnetId}
    aws:RequestTag/tag-key, aws:TagKeys, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc
volume arn:${Partition}:ec2:${Region}:${Account}:volume/${VolumeId}
    aws:RequestTag/tag-key, aws:TagKeys, ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/tag-key, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType
vpc arn:${Partition}:ec2:${Region}:${Account}:vpc/${VpcId}
    aws:RequestTag/tag-key, aws:TagKeys, ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy
vpc-peering-connection arn:${Partition}:ec2:${Region}:${Account}:vpc-peering-connection/${VpcPeeringConnectionId}
    ec2:AccepterVpc, ec2:Region, ec2:RequesterVpc, ec2:ResourceTag/tag-key
vpn-connection arn:${Partition}:ec2:${Region}:${Account}:vpn-connection/${VpnConnectionId}
    aws:RequestTag/tag-key, aws:TagKeys, ec2:Region, ec2:ResourceTag/tag-key
vpn-gateway arn:${Partition}:ec2:${Region}:${Account}:vpn-gateway/${VpnGatewayId}

Condition Keys for Amazon EC2

Amazon EC2 defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.
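How the Resource and Condition elements above combine, as an added example that is not part of the AWS documentation: a minimal Python evaluator for one Allow statement, applied to ec2:RunInstances with the instance resource's condition keys (ec2:Region, ec2:InstanceType, aws:RequestTag/tag-key, aws:TagKeys). The statement, the account ID, the ARNs and the request contexts are constructed sample values, and only the StringEquals and StringLike operators with the ForAllValues/ForAnyValue set quantifiers are modelled.

```python
import fnmatch
import re
# Constructed sample statement (illustrative account ID and values): permit
# ec2:RunInstances only for t3-family instances in eu-west-1 that carry an
# Owner=blue-team tag and no tag keys beyond Owner and Name.
STATEMENT = {
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:eu-west-1:111122223333:instance/*",
    "Condition": {
        "StringEquals": {"ec2:Region": "eu-west-1", "aws:RequestTag/Owner": "blue-team"},
        "StringLike": {"ec2:InstanceType": "t3.*"},
        "ForAllValues:StringEquals": {"aws:TagKeys": ["Owner", "Name"]},
    },
}

def arn_matches(pattern, arn):
    """Resource patterns support * and ? wildcards; the comparison is case-sensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, arn) is not None

def _match(op, expected, value):
    """Evaluate one operator for a single request value; a list of expected values is an OR."""
    expected = expected if isinstance(expected, list) else [expected]
    if op == "StringEquals":
        return value in expected
    if op == "StringLike":
        return any(fnmatch.fnmatchcase(value, e) for e in expected)
    raise ValueError(f"operator not modelled here: {op}")

def conditions_hold(condition, context):
    """Every operator block must hold, and within a block every key must hold (AND of ANDs)."""
    for op, pairs in condition.items():
        quantifier, _, base = op.rpartition(":")
        for key, expected in pairs.items():
            values = context.get(key, [])
            values = values if isinstance(values, list) else [values]
            if not values and quantifier != "ForAllValues":
                return False  # a missing key fails; ForAllValues is vacuously true on an empty set
            results = [_match(base, expected, v) for v in values]
            if not (any(results) if quantifier == "ForAnyValue" else all(results)):
                return False
    return True

def allowed(statement, action, resource, context):
    """True when this Allow statement grants action on resource under the request context."""
    actions = statement["Action"] if isinstance(statement["Action"], list) else [statement["Action"]]
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
        return False
    if statement["Effect"] != "Allow" or not arn_matches(statement["Resource"], resource):
        return False
    return conditions_hold(statement.get("Condition", {}), context)
```

A request for a p3 instance, an extra tag key, another region, or another action is refused by the same statement, which is the defensive value of scoping RunInstances with these keys rather than granting ec2:* on *.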

Condition Keys Description Type
aws:RequestTag/tag-key A key that is present in the request the user makes to the EC2 service. String
aws:TagKeys The list of all the tag key names associated with the resource in the request. String
ec2:AccepterVpc The ARN of an accepter VPC in a VPC peering connection. String
ec2:AuthorizedService The AWS service that has permission to use a resource. String
ec2:AuthorizedUser The IAM principal that has permission to use a resource. String
ec2:AvailabilityZone The name of an Availability Zone in a region. String
ec2:CreateAction The name of a resource-creating API action. String
ec2:EbsOptimized Whether the instance is enabled for EBS-optimization. String
ec2:ElasticGpuType The name of the type of ElasticGpu. String
ec2:Encrypted Whether the volume is encrypted. String
ec2:ImageType The name of the type of image. String
ec2:InstanceMarketType The name of the market type. String
ec2:InstanceProfile The ARN of the instance profile. String
ec2:InstanceType The name of the instance type. String
ec2:IsLaunchTemplateResource Launch template resource flag. String
ec2:LaunchTemplate The ARN of the launch template. String
ec2:Owner The name or account ID of the owner. String
ec2:ParentSnapshot The ARN of the parent snapshot. String
ec2:ParentVolume The ARN of the parent volume. String
ec2:Permission The type of permission for a resource. String
ec2:PlacementGroup The ARN of the placement group. String
ec2:PlacementGroupStrategy The name of the placement group strategy. String
ec2:ProductCode The product code of the product. String
ec2:Public Whether the image is public. String
ec2:Region The name of the region. String
ec2:RequesterVpc The ARN of a requester VPC in a VPC peering connection. String
ec2:ReservedInstancesOfferingType The payment option for a Reserved Instance. String
ec2:ResourceTag/ The preface string for a tag key and value pair attached to a resource. String
ec2:ResourceTag/tag-key A tag key and value pair. String
ec2:RootDeviceType The root device type: ebs or instance-store. String
ec2:SnapshotTime The snapshot creation time. String
ec2:SourceInstanceARN The ARN of the instance from which the request originated. ARN
ec2:Subnet The ARN of the subnet. String
ec2:Tenancy The tenancy of the instance or VPC. String
ec2:VolumeIops The number of input/output operations per second. Numeric
ec2:VolumeSize The size of the volume, in GiB. Numeric
ec2:VolumeType The name of the type of volume. String
ec2:Vpc The ARN of the VPC. String