Actions, Resources, and Condition Keys for Amazon EC2 - AWS Identity and Access Management

Amazon EC2 (service prefix: ec2) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by Amazon EC2

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource Types column indicates whether each action supports resource-level permissions. If there is no value in this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are marked in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement that uses the action, the ARN must be of that type. Some actions support multiple resource types. Where a resource type is optional (not marked as required), you can choose to use one of the optional types but not the other.
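The following policy is an added illustration of the rules above; it is not part of the AWS page. It uses ec2:AttachVolume, which the table below lists with two required resource types (instance* and volume*), each carrying its own condition keys, and two Describe actions that have no resource type and therefore require "*". Because the condition keys differ per resource type (ec2:Encrypted applies only to the volume), the two required resources are allowed in separate statements; IAM evaluates each resource in the AttachVolume request against the statement that matches it. The account ID 123456789012, the Region, and the Environment tag key are placeholder values chosen for the example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AttachOnlyEncryptedProdVolumes",
      "Effect": "Allow",
      "Action": "ec2:AttachVolume",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:volume/*",
      "Condition": {
        "StringEquals": { "ec2:ResourceTag/Environment": "prod" },
        "Bool": { "ec2:Encrypted": "true" }
      }
    },
    {
      "Sid": "AttachOnlyToProdInstances",
      "Effect": "Allow",
      "Action": "ec2:AttachVolume",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "StringEquals": { "ec2:ResourceTag/Environment": "prod" }
      }
    },
    {
      "Sid": "DescribeActionsHaveNoResourceType",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAddresses",
        "ec2:DescribeHosts"
      ],
      "Resource": "*"
    }
  ]
}
```

If either required resource in an AttachVolume call fails its statement's conditions (for example, an unencrypted volume, or an instance without the Environment=prod tag), the whole call is denied, which is the least-privilege behaviour the resource-level condition keys are meant to give you. Narrowing the "*" in the Describe statement to a specific ARN would not work, because those actions do not support resource-level permissions.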

For details about the columns in the following table, see The Actions Table.

Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions
AcceptReservedInstancesExchangeQuote Grants permission to accept a Convertible Reserved Instance exchange quote Write
AcceptTransitGatewayPeeringAttachment Grants permission to accept a transit gateway peering attachment request Write

transit-gateway-attachment*

ec2:Region

ec2:ResourceTag/${TagKey}

AcceptTransitGatewayVpcAttachment Grants permission to accept a request to attach a VPC to a transit gateway Write

transit-gateway-attachment*

ec2:Region

ec2:ResourceTag/${TagKey}

AcceptVpcEndpointConnections Grants permission to accept one or more interface VPC endpoint connections to your VPC endpoint service Write

vpc-endpoint-service*

ec2:Region

AcceptVpcPeeringConnection Grants permission to accept a VPC peering connection request Write

vpc*

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Tenancy

vpc-peering-connection*

ec2:AccepterVpc

ec2:Region

ec2:RequesterVpc

ec2:ResourceTag/${TagKey}

AdvertiseByoipCidr Grants permission to advertise an IP address range that is provisioned for use in AWS through bring your own IP addresses (BYOIP) Write
AllocateAddress Grants permission to allocate an Elastic IP address (EIP) to your account Write
AllocateHosts Grants permission to allocate a Dedicated Host to your account Write

dedicated-host*

ApplySecurityGroupsToClientVpnTargetNetwork Grants permission to apply a security group to the association between a Client VPN endpoint and a target network Write

client-vpn-endpoint*

ec2:Region

ec2:ResourceTag/${TagKey}

security-group*

ec2:Region

ec2:ResourceTag/${TagKey}

vpc*

ec2:Region

ec2:ResourceTag/${TagKey}

AssignIpv6Addresses Grants permission to assign one or more IPv6 addresses to a network interface Write
AssignPrivateIpAddresses Grants permission to assign one or more secondary private IP addresses to a network interface Write
AssociateAddress Grants permission to associate an Elastic IP address (EIP) with an instance or a network interface Write
AssociateClientVpnTargetNetwork Grants permission to associate a target network with a Client VPN endpoint Write

client-vpn-endpoint*

ec2:Region

ec2:ResourceTag/${TagKey}

subnet*

ec2:Region

ec2:ResourceTag/${TagKey}

AssociateDhcpOptions Grants permission to associate or disassociate a set of DHCP options with a VPC Write
AssociateIamInstanceProfile Grants permission to associate an IAM instance profile with a running or stopped instance Write

instance*

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

iam:PassRole

AssociateRouteTable Grants permission to associate a subnet or gateway with a route table Write
AssociateSubnetCidrBlock Grants permission to associate a CIDR block with a subnet Write
AssociateTransitGatewayMulticastDomain Grants permission to associate an attachment and list of subnets with a transit gateway multicast domain Write

subnet*

ec2:Region

ec2:ResourceTag/${TagKey}

transit-gateway-attachment*

ec2:Region

ec2:ResourceTag/${TagKey}

transit-gateway-multicast-domain*

ec2:Region

ec2:ResourceTag/${TagKey}

AssociateTransitGatewayRouteTable Grants permission to associate an attachment with a transit gateway route table Write

transit-gateway-attachment*

ec2:Region

ec2:ResourceTag/${TagKey}

transit-gateway-route-table*

ec2:Region

ec2:ResourceTag/${TagKey}

AssociateVpcCidrBlock Grants permission to associate a CIDR block with a VPC Write
AttachClassicLinkVpc Grants permission to link an EC2-Classic instance to a ClassicLink-enabled VPC through one or more of the VPC's security groups Write

instance*

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

security-group*

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

vpc*

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Tenancy

AttachInternetGateway Grants permission to attach an internet gateway to a VPC Write
AttachNetworkInterface Grants permission to attach a network interface to an instance Write
AttachVolume Grants permission to attach an EBS volume to a running or stopped instance and expose it to the instance with the specified device name Write

instance*

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

volume*

ec2:AvailabilityZone

ec2:Encrypted

ec2:ParentSnapshot

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeType

AttachVpnGateway Grants permission to attach a virtual private gateway to a VPC Write
AuthorizeClientVpnIngress Grants permission to add an inbound authorization rule to a Client VPN endpoint Write

client-vpn-endpoint*

ec2:Region

ec2:ResourceTag/${TagKey}

AuthorizeSecurityGroupEgress Grants permission to add one or more outbound rules to a VPC security group Write

security-group*

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

AuthorizeSecurityGroupIngress Grants permission to add one or more inbound rules to a security group Write

security-group*

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

BundleInstance Grants permission to bundle an instance store-backed Windows instance Write
CancelBundleTask Grants permission to cancel a bundling operation Write
CancelCapacityReservation Grants permission to cancel a Capacity Reservation and release the reserved capacity Write

capacity-reservation*

ec2:Region

ec2:ResourceTag/${TagKey}

CancelConversionTask Grants permission to cancel an active conversion task Write
CancelExportTask Grants permission to cancel an active export task Write
CancelImportTask Grants permission to cancel an in-process import virtual machine or import snapshot task Write
CancelReservedInstancesListing Grants permission to cancel a Reserved Instance listing on the Reserved Instance Marketplace Write
CancelSpotFleetRequests Grants permission to cancel one or more Spot Fleet requests Write
CancelSpotInstanceRequests Grants permission to cancel one or more Spot Instance requests Write
ConfirmProductInstance Grants permission to determine whether an owned product code is associated with an instance Write
CopyFpgaImage Grants permission to copy a source Amazon FPGA image (AFI) to the current Region Write
CopyImage Grants permission to copy an Amazon Machine Image (AMI) from a source Region to the current Region Write
CopySnapshot Grants permission to copy a point-in-time snapshot of an EBS volume and store it in Amazon S3 Write

snapshot*

aws:TagKeys

aws:RequestTag/${TagKey}

ec2:Region

CreateCapacityReservation Grants permission to create a Capacity Reservation Write
CreateClientVpnEndpoint Grants permission to create a Client VPN endpoint Write

client-vpn-endpoint*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateClientVpnRoute Grants permission to add a network route to a Client VPN endpoint's route table Write

client-vpn-endpoint*

ec2:Region

ec2:ResourceTag/${TagKey}

subnet*

ec2:Region

ec2:ResourceTag/${TagKey}

CreateCustomerGateway Grants permission to create a customer gateway, which provides information to AWS about your customer gateway device Write
CreateDefaultSubnet Grants permission to create a default subnet in a specified Availability Zone in a default VPC Write
CreateDefaultVpc Grants permission to create a default VPC with a default subnet in each Availability Zone Write
CreateDhcpOptions Grants permission to create a set of DHCP options for a VPC Write
CreateEgressOnlyInternetGateway Grants permission to create an egress-only internet gateway for a VPC Write
CreateFleet Grants permission to launch an EC2 Fleet Write
CreateFlowLogs Grants permission to create one or more flow logs to capture IP traffic for a network interface Write

iam:PassRole

CreateFpgaImage Grants permission to create an Amazon FPGA Image (AFI) from a design checkpoint (DCP) Write
CreateImage Grants permission to create an Amazon EBS-backed AMI from a stopped or running Amazon EBS-backed instance Write
CreateInstanceExportTask Grants permission to export a running or stopped instance to an Amazon S3 bucket Write
CreateInternetGateway Grants permission to create an internet gateway for a VPC Write
CreateKeyPair Grants permission to create a 2048-bit RSA key pair Write
CreateLaunchTemplate Grants permission to create a launch template Write
CreateLaunchTemplateVersion Grants permission to create a new version of a launch template Write

launch-template*

ec2:Region

ec2:ResourceTag/${TagKey}

CreateLocalGatewayRoute Grants permission to create a static route for a local gateway route table Write

local-gateway-route-table*

ec2:Region

ec2:ResourceTag/${TagKey}

local-gateway-virtual-interface-group*

ec2:Region

ec2:ResourceTag/${TagKey}

CreateLocalGatewayRouteTableVpcAssociation Grants permission to associate a VPC with a local gateway route table Write

local-gateway-route-table*

ec2:Region

ec2:ResourceTag/${TagKey}

vpc*

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Tenancy

CreateNatGateway Grants permission to create a NAT gateway in a subnet Write
CreateNetworkAcl Grants permission to create a network ACL in a VPC Write
CreateNetworkAclEntry Grants permission to create a numbered entry (a rule) in a network ACL Write
CreateNetworkInterface Grants permission to create a network interface in a subnet Write
CreateNetworkInterfacePermission Grants permission to create a permission for an AWS-authorized user to perform certain operations on a network interface Permissions management

network-interface*

ec2:AuthorizedUser

ec2:AvailabilityZone

ec2:Permission

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:AuthorizedService

CreatePlacementGroup Grants permission to create a placement group Write
CreateReservedInstancesListing Grants permission to create a listing for Standard Reserved Instances to be sold in the Reserved Instance Marketplace Write
CreateRoute Grants permission to create a route in a VPC route table Write

route-table*

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

CreateRouteTable Grants permission to create a route table for a VPC Write
CreateSecurityGroup Grants permission to create a security group Write
CreateSnapshot Grants permission to create a snapshot of an EBS volume and store it in Amazon S3 Write

snapshot*

aws:TagKeys

aws:RequestTag/${TagKey}

ec2:ParentVolume

ec2:Region

volume*

ec2:Encrypted

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeType

CreateSnapshots Grants permission to create crash-consistent snapshots of multiple EBS volumes and store them in Amazon S3 Write

instance*

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

snapshot*

aws:TagKeys

aws:RequestTag/${TagKey}

ec2:ParentVolume

ec2:Region

volume*

ec2:Encrypted

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeType

CreateSpotDatafeedSubscription Grants permission to create a data feed for Spot Instances to view Spot Instance usage logs Write
CreateSubnet Grants permission to create a subnet in a VPC Write
CreateTags Grants permission to add or overwrite one or more tags for Amazon EC2 resources Tagging

capacity-reservation

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

client-vpn-endpoint

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

dedicated-host

dhcp-options

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

fpga-image

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Owner

ec2:Public

ec2:Region

ec2:ResourceTag/${TagKey}

image

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:ImageType

ec2:Owner

ec2:Public

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

instance

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

internet-gateway

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

local-gateway

local-gateway-route-table

local-gateway-route-table-virtual-interface-group-association

local-gateway-route-table-vpc-association

local-gateway-virtual-interface

local-gateway-virtual-interface-group

network-acl

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

network-interface

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AvailabilityZone

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

reserved-instances

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AvailabilityZone

ec2:InstanceType

ec2:Region

ec2:ReservedInstancesOfferingType

ec2:ResourceTag/${TagKey}

ec2:Tenancy

route-table

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

security-group

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

snapshot

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Owner

ec2:ParentVolume

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:SnapshotTime

ec2:VolumeSize

spot-instance-request

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

subnet

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AvailabilityZone

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

traffic-mirror-filter

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

traffic-mirror-session

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

traffic-mirror-target

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

transit-gateway

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

transit-gateway-attachment

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

transit-gateway-multicast-domain

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

transit-gateway-route-table

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

volume

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AvailabilityZone

ec2:Encrypted

ec2:ParentSnapshot

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeType

vpc

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Tenancy

vpc-endpoint

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

vpc-endpoint-service

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

vpn-connection

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

vpn-gateway

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:CreateAction

CreateTrafficMirrorFilter Grants permission to create a traffic mirror filter Write

traffic-mirror-filter*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateTrafficMirrorFilterRule Grants permission to create a traffic mirror filter rule Write

traffic-mirror-filter*

ec2:Region

ec2:ResourceTag/${TagKey}

traffic-mirror-filter-rule*

ec2:Region

CreateTrafficMirrorSession Grants permission to create a traffic mirror session Write

network-interface*

ec2:Region

ec2:ResourceTag/${TagKey}

traffic-mirror-filter*

ec2:Region

ec2:ResourceTag/${TagKey}

traffic-mirror-session*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

traffic-mirror-target*

ec2:Region

ec2:ResourceTag/${TagKey}

CreateTrafficMirrorTarget Grants permission to create a traffic mirror target Write

traffic-mirror-target*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

network-interface

ec2:Region

ec2:ResourceTag/${TagKey}

CreateTransitGateway Grants permission to create a transit gateway Write

transit-gateway*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateTransitGatewayMulticastDomain Grants permission to create a multicast domain for a transit gateway Write

transit-gateway*

ec2:Region

ec2:ResourceTag/${TagKey}

transit-gateway-multicast-domain*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateTransitGatewayPeeringAttachment Grants permission to request a transit gateway peering attachment between a requester and accepter transit gateway Write

transit-gateway*

ec2:Region

ec2:ResourceTag/${TagKey}

transit-gateway-attachment*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateTransitGatewayRoute Grants permission to create a static route for a transit gateway route table Write

transit-gateway-route-table*

ec2:Region

ec2:ResourceTag/${TagKey}

transit-gateway-attachment

ec2:Region

ec2:ResourceTag/${TagKey}

CreateTransitGatewayRouteTable Grants permission to create a route table for a transit gateway Write

transit-gateway*

ec2:Region

ec2:ResourceTag/${TagKey}

transit-gateway-route-table*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateTransitGatewayVpcAttachment Grants permission to attach a VPC to a transit gateway Write

transit-gateway*

ec2:Region

ec2:ResourceTag/${TagKey}

transit-gateway-attachment*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

vpc*

ec2:Region

ec2:ResourceTag/${TagKey}

subnet

ec2:Region

ec2:ResourceTag/${TagKey}

CreateVolume Grants permission to create an EBS volume Write

volume*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AvailabilityZone

ec2:Encrypted

ec2:ParentSnapshot

ec2:Region

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeType

CreateVpc Grants permission to create a VPC with a specified CIDR block Write
CreateVpcEndpoint Grants permission to create a VPC endpoint for an AWS service Write

vpc*

ec2:Region

route53:AssociateVPCWithHostedZone

vpc-endpoint*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:VpceServiceName

ec2:VpceServiceOwner

route-table

ec2:Region

security-group

ec2:Region

subnet

ec2:Region

CreateVpcEndpointConnectionNotification Grants permission to create a connection notification for a VPC endpoint or VPC endpoint service Write
CreateVpcEndpointServiceConfiguration Grants permission to create a VPC endpoint service configuration to which service consumers (AWS accounts, IAM users, and IAM roles) can connect Write

vpc-endpoint-service*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:VpceServicePrivateDnsName

CreateVpcPeeringConnection Grants permission to request a VPC peering connection between two VPCs Write

vpc*

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Tenancy

vpc-peering-connection*

ec2:AccepterVpc

ec2:Region

ec2:RequesterVpc

CreateVpnConnection Grants permission to create a VPN connection between a virtual private gateway or transit gateway and a customer gateway Write

vpn-connection*

ec2:Region

ec2:AuthenticationType

ec2:DPDTimeoutSeconds

ec2:GatewayType

ec2:IKEVersions

ec2:InsideTunnelCidr

ec2:Phase1DHGroupNumbers

ec2:Phase2DHGroupNumbers

ec2:Phase1EncryptionAlgorithms

ec2:Phase2EncryptionAlgorithms

ec2:Phase1IntegrityAlgorithms

ec2:Phase2IntegrityAlgorithms

ec2:Phase1LifetimeSeconds

ec2:Phase2LifetimeSeconds

ec2:PresharedKeys

ec2:RekeyFuzzPercentage

ec2:RekeyMarginTimeSeconds

ec2:RoutingType

CreateVpnConnectionRoute Grants permission to create a static route for a VPN connection between a virtual private gateway and a customer gateway Write
CreateVpnGateway Grants permission to create a virtual private gateway Write
DeleteClientVpnEndpoint Grants permission to delete a Client VPN endpoint Write

client-vpn-endpoint*

ec2:Region

ec2:ResourceTag/${TagKey}

DeleteClientVpnRoute Grants permission to delete a route from a Client VPN endpoint Write

client-vpn-endpoint*

ec2:Region

ec2:ResourceTag/${TagKey}

subnet

ec2:Region

ec2:ResourceTag/${TagKey}

DeleteCustomerGateway Grants permission to delete a customer gateway Write

customer-gateway*

ec2:Region

ec2:ResourceTag/${TagKey}

DeleteDhcpOptions Grants permission to delete a set of DHCP options Write

dhcp-options*

ec2:Region

ec2:ResourceTag/${TagKey}

DeleteEgressOnlyInternetGateway Grants permission to delete an egress-only internet gateway Write
DeleteFleets Grants permission to delete one or more EC2 Fleets Write
DeleteFlowLogs Grants permission to delete one or more flow logs Write
DeleteFpgaImage Grants permission to delete an Amazon FPGA Image (AFI) Write
DeleteInternetGateway Grants permission to delete an internet gateway Write

internet-gateway*

ec2:Region

ec2:ResourceTag/${TagKey}

DeleteKeyPair Grants permission to delete a key pair by removing the public key from Amazon EC2 Write
DeleteLaunchTemplate Grants permission to delete a launch template and its associated versions Write

launch-template*

ec2:Region

ec2:ResourceTag/${TagKey}

DeleteLaunchTemplateVersions Grants permission to delete one or more versions of a launch template Write

launch-template*

ec2:Region

ec2:ResourceTag/${TagKey}

DeleteLocalGatewayRoute Grants permission to delete a route from a local gateway route table Write

local-gateway-route-table*

ec2:Region

ec2:ResourceTag/${TagKey}

DeleteLocalGatewayRouteTableVpcAssociation Grants permission to delete an association between a VPC and local gateway route table Write

local-gateway-route-table-vpc-association*

ec2:Region

ec2:ResourceTag/${TagKey}

DeleteNatGateway Grants permission to delete a NAT gateway Write
DeleteNetworkAcl Grants permission to delete a network ACL Write

network-acl*

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

DeleteNetworkAclEntry Grants permission to delete an inbound or outbound entry (rule) from a network ACL Write

network-acl*

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

DeleteNetworkInterface Grants permission to delete a detached network interface Write
DeleteNetworkInterfacePermission Grants permission to delete a permission that is associated with a network interface Permissions management
DeletePlacementGroup Grants permission to delete a placement group Write
DeleteRoute Grants permission to delete a route from a route table Write

route-table*

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

DeleteRouteTable Grants permission to delete a route table Write

route-table*

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

DeleteSecurityGroup Grants permission to delete a security group Write

security-group*

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

DeleteSnapshot Grants permission to delete a snapshot of an EBS volume Write

snapshot*

ec2:Owner

ec2:ParentVolume

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:SnapshotTime

ec2:VolumeSize

DeleteSpotDatafeedSubscription Grants permission to delete a data feed for Spot Instances Write
DeleteSubnet Grants permission to delete a subnet Write
DeleteTags Grants permission to delete one or more tags from Amazon EC2 resources Tagging

capacity-reservation

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

client-vpn-endpoint

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

dedicated-host

dhcp-options

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

fpga-image

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

image

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

instance

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

internet-gateway

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

local-gateway

local-gateway-route-table

local-gateway-route-table-virtual-interface-group-association

local-gateway-route-table-vpc-association

local-gateway-virtual-interface

local-gateway-virtual-interface-group

network-acl

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

network-interface

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

reserved-instances

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

route-table

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

security-group

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

snapshot

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

spot-instance-request

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

subnet

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

transit-gateway

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

transit-gateway-attachment

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

transit-gateway-multicast-domain

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

transit-gateway-route-table

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

volume

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

vpc

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

vpc-endpoint

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

vpc-endpoint-service

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

vpn-connection

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

vpn-gateway

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

DeleteTrafficMirrorFilter Grants permission to delete a traffic mirror filter Write

traffic-mirror-filter*

ec2:Region

ec2:ResourceTag/${TagKey}

DeleteTrafficMirrorFilterRule Grants permission to delete a traffic mirror filter rule Write

traffic-mirror-filter*

ec2:Region

ec2:ResourceTag/${TagKey}

traffic-mirror-filter-rule*

ec2:Region

DeleteTrafficMirrorSession Grants permission to delete a traffic mirror session Write

traffic-mirror-session*

ec2:Region

ec2:ResourceTag/${TagKey}

DeleteTrafficMirrorTarget Grants permission to delete a traffic mirror target Write

traffic-mirror-target*

ec2:Region

ec2:ResourceTag/${TagKey}

DeleteTransitGateway Grants permission to delete a transit gateway Write

transit-gateway*

ec2:Region

ec2:ResourceTag/${TagKey}

DeleteTransitGatewayMulticastDomain Grants permission to delete a transit gateway multicast domain Write

transit-gateway-multicast-domain*

ec2:Region

ec2:ResourceTag/${TagKey}

DeleteTransitGatewayPeeringAttachment Grants permission to delete a peering attachment from a transit gateway Write

transit-gateway-attachment*

ec2:Region

ec2:ResourceTag/${TagKey}

DeleteTransitGatewayRoute Grants permission to delete a route from a transit gateway route table Write

transit-gateway-route-table*

ec2:Region

ec2:ResourceTag/${TagKey}

DeleteTransitGatewayRouteTable Grants permission to delete a transit gateway route table Write

transit-gateway-route-table*

ec2:Region

ec2:ResourceTag/${TagKey}

DeleteTransitGatewayVpcAttachment Grants permission to delete a VPC attachment from a transit gateway Write

transit-gateway-attachment*

ec2:Region

ec2:ResourceTag/${TagKey}

DeleteVolume Grants permission to delete an EBS volume Write

volume*

ec2:AvailabilityZone

ec2:Encrypted

ec2:ParentSnapshot

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeType

DeleteVpc Grants permission to delete a VPC Write
DeleteVpcEndpointConnectionNotifications Grants permission to delete one or more VPC endpoint connection notifications Write
DeleteVpcEndpointServiceConfigurations Grants permission to delete one or more VPC endpoint service configurations Write

vpc-endpoint-service*

ec2:Region

DeleteVpcEndpoints Grants permission to delete one or more VPC endpoints Write

vpc-endpoint*

ec2:Region

DeleteVpcPeeringConnection Grants permission to delete a VPC peering connection Write

vpc-peering-connection*

ec2:AccepterVpc

ec2:Region

ec2:RequesterVpc

ec2:ResourceTag/${TagKey}

DeleteVpnConnection Grants permission to delete a VPN connection Write
DeleteVpnConnectionRoute Grants permission to delete a static route for a VPN connection between a virtual private gateway and a customer gateway Write
DeleteVpnGateway Grants permission to delete a virtual private gateway Write
DeprovisionByoipCidr Grants permission to release an IP address range that was provisioned through bring your own IP addresses (BYOIP), and to delete the corresponding address pool Write
DeregisterImage Grants permission to deregister an Amazon Machine Image (AMI) Write
DeregisterTransitGatewayMulticastGroupMembers Grants permission to deregister one or more network interface members from a group IP address in a transit gateway multicast domain Write

network-interface*

ec2:Region

ec2:ResourceTag/${TagKey}

transit-gateway-multicast-domain*

ec2:Region

ec2:ResourceTag/${TagKey}

DeregisterTransitGatewayMulticastGroupSources Grants permission to deregister one or more network interface sources from a group IP address in a transit gateway multicast domain Write

network-interface*

ec2:Region

ec2:ResourceTag/${TagKey}

transit-gateway-multicast-domain*

ec2:Region

ec2:ResourceTag/${TagKey}

DescribeAccountAttributes Grants permission to describe the attributes of the AWS account List
DescribeAddresses Grants permission to describe one or more Elastic IP addresses List
DescribeAggregateIdFormat Grants permission to describe the longer ID format settings for all resource types List
DescribeAvailabilityZones Grants permission to describe one or more of the Availability Zones that are available to you List
DescribeBundleTasks Grants permission to describe one or more bundling tasks List
DescribeByoipCidrs Grants permission to describe the IP address ranges that were provisioned through bring your own IP addresses (BYOIP) List
DescribeCapacityReservations Grants permission to describe one or more Capacity Reservations List
DescribeClassicLinkInstances Grants permission to describe one or more linked EC2-Classic instances List
DescribeClientVpnAuthorizationRules Grants permission to describe the authorization rules for a Client VPN endpoint List
DescribeClientVpnConnections Grants permission to describe active client connections and connections that have been terminated within the last 60 minutes for a Client VPN endpoint List
DescribeClientVpnEndpoints Grants permission to describe one or more Client VPN endpoints List
DescribeClientVpnRoutes Grants permission to describe the routes for a Client VPN endpoint List
DescribeClientVpnTargetNetworks Grants permission to describe the target networks that are associated with a Client VPN endpoint List
DescribeConversionTasks Grants permission to describe one or more conversion tasks List
DescribeCustomerGateways Grants permission to describe one or more customer gateways List
DescribeDhcpOptions Grants permission to describe one or more DHCP options sets List
DescribeEgressOnlyInternetGateways Grants permission to describe one or more egress-only internet gateways List
DescribeElasticGpus Grants permission to describe an Elastic Graphics accelerator that is associated with an instance Read
DescribeExportImageTasks Grants permission to describe one or more export image tasks List
DescribeExportTasks Grants permission to describe one or more export instance tasks List
DescribeFastSnapshotRestores Grants permission to describe the state of fast snapshot restores for snapshots Read
DescribeFleetHistory Grants permission to describe the events for an EC2 Fleet during a specified time List
DescribeFleetInstances Grants permission to describe the running instances for an EC2 Fleet List
DescribeFleets Grants permission to describe one or more EC2 Fleets List
DescribeFlowLogs Grants permission to describe one or more flow logs List
DescribeFpgaImageAttribute Grants permission to describe the attributes of an Amazon FPGA Image (AFI) List
DescribeFpgaImages Grants permission to describe one or more Amazon FPGA Images (AFIs) List
DescribeHostReservationOfferings Grants permission to describe the Dedicated Host Reservations that are available to purchase List
DescribeHostReservations Grants permission to describe the Dedicated Host Reservations that are associated with Dedicated Hosts in the AWS account List
DescribeHosts Grants permission to describe one or more Dedicated Hosts List
DescribeIamInstanceProfileAssociations Grants permission to describe the IAM instance profile associations List
DescribeIdFormat Grants permission to describe the ID format settings for resources List
DescribeIdentityIdFormat Grants permission to describe the ID format settings for resources for an IAM user, IAM role, or root user List
DescribeImageAttribute Grants permission to describe an attribute of an Amazon Machine Image (AMI) List
DescribeImages Grants permission to describe one or more images (AMIs, AKIs, and ARIs) List
DescribeImportImageTasks Grants permission to describe import virtual machine or import snapshot tasks List
DescribeImportSnapshotTasks Grants permission to describe import snapshot tasks List
DescribeInstanceAttribute Grants permission to describe the attributes of an instance List
DescribeInstanceCreditSpecifications Grants permission to describe the credit option for CPU usage of one or more burstable performance instances List
DescribeInstanceStatus Grants permission to describe the status of one or more instances List
DescribeInstanceTypes Grants permission to describe all instance types that are offered in an AWS Region List
DescribeInstances Grants permission to describe one or more instances List
DescribeInternetGateways Grants permission to describe one or more internet gateways List
DescribeKeyPairs Grants permission to describe one or more key pairs List
DescribeLaunchTemplateVersions Grants permission to describe one or more launch template versions List
DescribeLaunchTemplates Grants permission to describe one or more launch templates List
DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations Grants permission to describe the associations between virtual interface groups and local gateway route tables List
DescribeLocalGatewayRouteTableVpcAssociations Grants permission to describe an association between VPCs and local gateway route tables List
DescribeLocalGatewayRouteTables Grants permission to describe one or more local gateway route tables List
DescribeLocalGatewayVirtualInterfaceGroups Grants permission to describe local gateway virtual interface groups List
DescribeLocalGatewayVirtualInterfaces Grants permission to describe local gateway virtual interfaces List
DescribeLocalGateways Grants permission to describe one or more local gateways List
DescribeMovingAddresses Grants permission to describe Elastic IP addresses that are being moved to the EC2-VPC platform List
DescribeNatGateways Grants permission to describe one or more NAT gateways List
DescribeNetworkAcls Grants permission to describe one or more network ACLs List
DescribeNetworkInterfaceAttribute Grants permission to describe a network interface attribute List
DescribeNetworkInterfacePermissions Grants permission to describe the permissions that are associated with a network interface List
DescribeNetworkInterfaces Grants permission to describe one or more network interfaces List
DescribePlacementGroups Grants permission to describe one or more placement groups List
DescribePrefixLists Grants permission to describe available AWS services in a prefix list format List
DescribePrincipalIdFormat Grants permission to describe the ID format settings for the root user and all IAM roles and IAM users that have explicitly specified a longer ID (17-character ID) preference List
DescribePublicIpv4Pools Grants permission to describe one or more IPv4 address pools List
DescribeRegions Grants permission to describe one or more AWS Regions that are currently available in your account List
DescribeReservedInstances Grants permission to describe one or more purchased Reserved Instances in your account List
DescribeReservedInstancesListings Grants permission to describe your account's Reserved Instance listings in the Reserved Instance Marketplace List
DescribeReservedInstancesModifications Grants permission to describe the modifications made to one or more Reserved Instances List
DescribeReservedInstancesOfferings Grants permission to describe the Reserved Instance offerings that are available for purchase List
DescribeRouteTables Grants permission to describe one or more route tables List
DescribeScheduledInstanceAvailability Grants permission to find available schedules for Scheduled Instances Read
DescribeScheduledInstances Grants permission to describe one or more Scheduled Instances in your account Read
DescribeSecurityGroupReferences Grants permission to describe the VPCs on the other side of a VPC peering connection that are referencing specified VPC security groups List
DescribeSecurityGroups Grants permission to describe one or more security groups List
DescribeSnapshotAttribute Grants permission to describe an attribute of a snapshot List
DescribeSnapshots Grants permission to describe one or more EBS snapshots List
DescribeSpotDatafeedSubscription Grants permission to describe the data feed for Spot Instances List
DescribeSpotFleetInstances Grants permission to describe the running instances for a Spot Fleet List
DescribeSpotFleetRequestHistory Grants permission to describe the events for a Spot Fleet request during a specified time List
DescribeSpotFleetRequests Grants permission to describe one or more Spot Fleet requests List
DescribeSpotInstanceRequests Grants permission to describe one or more Spot Instance requests List
DescribeSpotPriceHistory Grants permission to describe the Spot Instance price history List
DescribeStaleSecurityGroups Grants permission to describe the stale security group rules for security groups in a specified VPC List
DescribeSubnets Grants permission to describe one or more subnets List
DescribeTags Grants permission to describe one or more tags for an Amazon EC2 resource Read
DescribeTrafficMirrorFilters Grants permission to describe one or more traffic mirror filters List
DescribeTrafficMirrorSessions Grants permission to describe one or more traffic mirror sessions List
DescribeTrafficMirrorTargets Grants permission to describe one or more traffic mirror targets List
DescribeTransitGatewayAttachments Grants permission to describe one or more attachments between resources and transit gateways List
DescribeTransitGatewayMulticastDomains Grants permission to describe one or more transit gateway multicast domains List
DescribeTransitGatewayPeeringAttachments Grants permission to describe one or more transit gateway peering attachments List
DescribeTransitGatewayRouteTables Grants permission to describe one or more transit gateway route tables List
DescribeTransitGatewayVpcAttachments Grants permission to describe one or more VPC attachments on a transit gateway List
DescribeTransitGateways Grants permission to describe one or more transit gateways List
DescribeVolumeAttribute Grants permission to describe an attribute of an EBS volume List
DescribeVolumeStatus Grants permission to describe the status of one or more EBS volumes List
DescribeVolumes Grants permission to describe one or more EBS volumes List
DescribeVolumesModifications Grants permission to describe the current modification status of one or more EBS volumes Read
DescribeVpcAttribute Grants permission to describe an attribute of a VPC List
DescribeVpcClassicLink Grants permission to describe the ClassicLink status of one or more VPCs List
DescribeVpcClassicLinkDnsSupport Grants permission to describe the ClassicLink DNS support status of one or more VPCs List
DescribeVpcEndpointConnectionNotifications Grants permission to describe the connection notifications for VPC endpoints and VPC endpoint services List
DescribeVpcEndpointConnections Grants permission to describe the VPC endpoint connections to your VPC endpoint services List
DescribeVpcEndpointServiceConfigurations Grants permission to describe VPC endpoint service configurations (your services) List
DescribeVpcEndpointServicePermissions Grants permission to describe the principals (service consumers) that are permitted to discover your VPC endpoint service List
DescribeVpcEndpointServices Grants permission to describe all supported AWS services that can be specified when creating a VPC endpoint List
DescribeVpcEndpoints Grants permission to describe one or more VPC endpoints List
DescribeVpcPeeringConnections Grants permission to describe one or more VPC peering connections List
DescribeVpcs Grants permission to describe one or more VPCs List
DescribeVpnConnections Grants permission to describe one or more VPN connections Read
DescribeVpnGateways Grants permission to describe one or more virtual private gateways List
DetachClassicLinkVpc Grants permission to unlink (detach) a linked EC2-Classic instance from a VPC Write

    instance*: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy
    vpc*: ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy

DetachInternetGateway Grants permission to detach an internet gateway from a VPC Write
DetachNetworkInterface Grants permission to detach a network interface from an instance Write
DetachVolume Grants permission to detach an EBS volume from an instance Write

    instance*: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy
    volume*: ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType

DetachVpnGateway Grants permission to detach a virtual private gateway from a VPC Write
DisableEbsEncryptionByDefault Grants permission to disable EBS encryption by default for your account Write
DisableFastSnapshotRestores Grants permission to disable fast snapshot restores for one or more snapshots in specified Availability Zones Write

    snapshot*: ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:AvailabilityZone, ec2:SnapshotTime, ec2:Encrypted, ec2:VolumeSize, ec2:ResourceTag/${TagKey}

DisableTransitGatewayRouteTablePropagation Grants permission to disable a resource attachment from propagating routes to the specified propagation route table Write

    transit-gateway-attachment*: ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-route-table*: ec2:Region, ec2:ResourceTag/${TagKey}

DisableVgwRoutePropagation Grants permission to disable a virtual private gateway from propagating routes to a specified route table of a VPC Write
DisableVpcClassicLink Grants permission to disable ClassicLink for a VPC Write

    vpc*: ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy

DisableVpcClassicLinkDnsSupport Grants permission to disable ClassicLink DNS support for a VPC Write
DisassociateAddress Grants permission to disassociate an Elastic IP address from an instance or network interface Write
DisassociateClientVpnTargetNetwork Grants permission to disassociate a target network from a Client VPN endpoint Write

    client-vpn-endpoint*: ec2:Region, ec2:ResourceTag/${TagKey}

DisassociateIamInstanceProfile Grants permission to disassociate an IAM instance profile from a running or stopped instance Write

    instance*: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy

DisassociateRouteTable Grants permission to disassociate a subnet from a route table Write
DisassociateSubnetCidrBlock Grants permission to disassociate a CIDR block from a subnet Write
DisassociateTransitGatewayMulticastDomain Grants permission to disassociate one or more subnets from a transit gateway multicast domain Write

    subnet*: ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-attachment*: ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-multicast-domain*: ec2:Region, ec2:ResourceTag/${TagKey}

DisassociateTransitGatewayRouteTable Grants permission to disassociate a resource attachment from a transit gateway route table Write

    transit-gateway-attachment*: ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-route-table*: ec2:Region, ec2:ResourceTag/${TagKey}

DisassociateVpcCidrBlock Grants permission to disassociate a CIDR block from a VPC Write
EnableEbsEncryptionByDefault Grants permission to enable EBS encryption by default for your account Write
EnableFastSnapshotRestores Grants permission to enable fast snapshot restores for one or more snapshots in specified Availability Zones Write

    snapshot*: ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:AvailabilityZone, ec2:SnapshotTime, ec2:Encrypted, ec2:VolumeSize, ec2:ResourceTag/${TagKey}

EnableTransitGatewayRouteTablePropagation Grants permission to enable an attachment to propagate routes to a propagation route table Write

    transit-gateway-attachment*: ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-route-table*: ec2:Region, ec2:ResourceTag/${TagKey}

EnableVgwRoutePropagation Grants permission to enable a virtual private gateway to propagate routes to a VPC route table Write
EnableVolumeIO Grants permission to enable I/O operations for a volume that had I/O operations disabled Write
EnableVpcClassicLink Grants permission to enable a VPC for ClassicLink Write

    vpc*: ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy

EnableVpcClassicLinkDnsSupport Grants permission to enable a VPC to support DNS hostname resolution for ClassicLink Write
ExportClientVpnClientCertificateRevocationList Grants permission to download the client certificate revocation list for a Client VPN endpoint List
ExportClientVpnClientConfiguration Grants permission to download the contents of the Client VPN endpoint configuration file for a Client VPN endpoint List
ExportImage Grants permission to export an Amazon Machine Image (AMI) to a VM file Write
ExportTransitGatewayRoutes Grants permission to export routes from a transit gateway route table to an Amazon S3 bucket Write
GetCapacityReservationUsage Grants permission to get usage information about a Capacity Reservation Read
GetConsoleOutput Grants permission to get the console output for an instance Read
GetConsoleScreenshot Grants permission to retrieve a JPG-format screenshot of a running instance Read

    instance*: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy

GetEbsDefaultKmsKeyId Grants permission to get the ID of the default customer master key (CMK) for EBS encryption by default Read
GetEbsEncryptionByDefault Grants permission to describe whether EBS encryption by default is enabled for your account Read
GetHostReservationPurchasePreview Grants permission to preview a reservation purchase with configurations that match those of a Dedicated Host Read
GetLaunchTemplateData Grants permission to get the configuration data of the specified instance for use with a new launch template or launch template version Read
GetPasswordData Grants permission to retrieve the encrypted administrator password for a running Windows instance Read
GetReservedInstancesExchangeQuote Grants permission to return a quote and exchange information for exchanging one or more Convertible Reserved Instances for a new Convertible Reserved Instance Read
GetTransitGatewayAttachmentPropagations Grants permission to list the route tables to which a resource attachment propagates routes List
GetTransitGatewayMulticastDomainAssociations Grants permission to get information about the associations for a transit gateway multicast domain List
GetTransitGatewayRouteTableAssociations Grants permission to get information about associations for a transit gateway route table List
GetTransitGatewayRouteTablePropagations Grants permission to get information about the route table propagations for a transit gateway route table List
ImportClientVpnClientCertificateRevocationList Grants permission to upload a client certificate revocation list to a Client VPN endpoint Write

    client-vpn-endpoint*: ec2:Region, ec2:ResourceTag/${TagKey}

ImportImage Grants permission to import single or multi-volume disk images or EBS snapshots into an Amazon Machine Image (AMI) Write
ImportInstance Grants permission to create an import instance task using metadata from a disk image Write
ImportKeyPair Grants permission to import a public key from an RSA key pair that was created with a third-party tool Write
ImportSnapshot Grants permission to import a disk into an EBS snapshot Write
ImportVolume Grants permission to create an import volume task using metadata from a disk image Write
ModifyCapacityReservation Grants permission to modify a Capacity Reservation's capacity and the conditions under which it is to be released Write

    capacity-reservation*: ec2:Region, ec2:ResourceTag/${TagKey}

ModifyClientVpnEndpoint Grants permission to modify a Client VPN endpoint Write

    client-vpn-endpoint*: ec2:Region, ec2:ResourceTag/${TagKey}

ModifyEbsDefaultKmsKeyId Grants permission to change the default customer master key (CMK) for EBS encryption by default for your account Write
ModifyFleet Grants permission to modify an EC2 Fleet Write
ModifyFpgaImageAttribute Grants permission to modify an attribute of an Amazon FPGA Image (AFI) Write
ModifyHosts Grants permission to modify a Dedicated Host Write
ModifyIdFormat Grants permission to modify the ID format for a resource Write
ModifyIdentityIdFormat Grants permission to modify the ID format of a resource for a specific principal in your account Write
ModifyImageAttribute Grants permission to modify an attribute of an Amazon Machine Image (AMI) Write
ModifyInstanceAttribute Grants permission to modify an attribute of an instance Write
ModifyInstanceCapacityReservationAttributes Grants permission to modify the Capacity Reservation settings for a stopped instance Write
ModifyInstanceCreditSpecification Grants permission to modify the credit option for CPU usage on an instance Write
ModifyInstanceEventStartTime Grants permission to modify the start time for a scheduled EC2 instance event Write

    instance*: ec2:Region

ModifyInstanceMetadataOptions Grants permission to modify the metadata options for an instance Write
ModifyInstancePlacement Grants permission to modify the placement attributes for an instance Write
ModifyLaunchTemplate Grants permission to modify a launch template Write

    launch-template*: ec2:Region, ec2:ResourceTag/${TagKey}

ModifyNetworkInterfaceAttribute Grants permission to modify an attribute of a network interface Write
ModifyReservedInstances Grants permission to modify attributes of one or more Reserved Instances Write
ModifySnapshotAttribute Grants permission to add or remove permission settings for a snapshot Permissions management

    snapshot*: ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:SnapshotTime, ec2:VolumeSize

ModifySpotFleetRequest Grants permission to modify a Spot Fleet request Write
ModifySubnetAttribute Grants permission to modify an attribute of a subnet Write
ModifyTrafficMirrorFilterNetworkServices Grants permission to allow or restrict mirroring network services Write

    traffic-mirror-filter*: ec2:Region, ec2:ResourceTag/${TagKey}

ModifyTrafficMirrorFilterRule Grants permission to modify a traffic mirror rule Write

    traffic-mirror-filter*: ec2:Region, ec2:ResourceTag/${TagKey}
    traffic-mirror-filter-rule*: ec2:Region

ModifyTrafficMirrorSession Grants permission to modify a traffic mirror session Write

    traffic-mirror-session*: ec2:Region, ec2:ResourceTag/${TagKey}
    traffic-mirror-filter: ec2:Region, ec2:ResourceTag/${TagKey}
    traffic-mirror-target: ec2:Region, ec2:ResourceTag/${TagKey}

ModifyTransitGatewayVpcAttachment Grants permission to modify a VPC attachment on a transit gateway Write

    transit-gateway-attachment*: ec2:Region, ec2:ResourceTag/${TagKey}
    subnet: ec2:Region, ec2:ResourceTag/${TagKey}

ModifyVolume Grants permission to modify the parameters of an EBS volume Write
ModifyVolumeAttribute Grants permission to modify an attribute of a volume Write
ModifyVpcAttribute Grants permission to modify an attribute of a VPC Write
ModifyVpcEndpoint Grants permission to modify an attribute of a VPC endpoint Write

    vpc-endpoint*: ec2:Region
    route-table: ec2:Region
    security-group: ec2:Region
    subnet: ec2:Region

ModifyVpcEndpointConnectionNotification Grants permission to modify a connection notification for a VPC endpoint or VPC endpoint service Write
ModifyVpcEndpointServiceConfiguration Grants permission to modify the attributes of a VPC endpoint service configuration Write

    vpc-endpoint-service*: ec2:Region, ec2:VpceServicePrivateDnsName

ModifyVpcEndpointServicePermissions Grants permission to modify the permissions for a VPC endpoint service Permissions management

    vpc-endpoint-service*: ec2:Region

ModifyVpcPeeringConnectionOptions Grants permission to modify the VPC peering connection options on one side of a VPC peering connection Write
ModifyVpcTenancy Grants permission to modify the instance tenancy attribute of a VPC Write
ModifyVpnConnection Grants permission to modify the target gateway of a Site-to-Site VPN connection Write

    vpn-connection*: ec2:Region, ec2:ResourceTag/${TagKey}, ec2:GatewayType

ModifyVpnTunnelCertificate Grants permission to modify the certificate for a Site-to-Site VPN connection Write
ModifyVpnTunnelOptions Grants permission to modify the options for a Site-to-Site VPN connection Write

    vpn-connection*: ec2:Region, ec2:ResourceTag/${TagKey}, ec2:AuthenticationType, ec2:DPDTimeoutSeconds, ec2:IKEVersions, ec2:InsideTunnelCidr, ec2:Phase1DHGroupNumbers, ec2:Phase2DHGroupNumbers, ec2:Phase1EncryptionAlgorithms, ec2:Phase2EncryptionAlgorithms, ec2:Phase1IntegrityAlgorithms, ec2:Phase2IntegrityAlgorithms, ec2:Phase1LifetimeSeconds, ec2:Phase2LifetimeSeconds, ec2:PresharedKeys, ec2:RekeyFuzzPercentage, ec2:RekeyMarginTimeSeconds, ec2:RoutingType

MonitorInstances Grants permission to enable detailed monitoring for a running instance Write
MoveAddressToVpc Grants permission to move an Elastic IP address from the EC2-Classic platform to the EC2-VPC platform Write
ProvisionByoipCidr Grants permission to provision an address range for use in AWS through bring your own IP addresses (BYOIP), and to create a corresponding address pool Write
PurchaseHostReservation Grants permission to purchase a reservation with configurations that match those of a Dedicated Host Write
PurchaseReservedInstancesOffering Grants permission to purchase a Reserved Instance offering Write
PurchaseScheduledInstances Grants permission to purchase one or more Scheduled Instances with a specified schedule Write
RebootInstances Grants permission to request a reboot of one or more instances Write

    instance*: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy

RegisterImage Grants permission to register an Amazon Machine Image (AMI) Write
RegisterTransitGatewayMulticastGroupMembers Grants permission to register one or more network interfaces as a member of a group IP address in a transit gateway multicast domain Write

    network-interface*: ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-multicast-domain*: ec2:Region, ec2:ResourceTag/${TagKey}

RegisterTransitGatewayMulticastGroupSources Grants permission to register one or more network interfaces as a source of a group IP address in a transit gateway multicast domain Write

    network-interface*: ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-multicast-domain*: ec2:Region, ec2:ResourceTag/${TagKey}

RejectTransitGatewayPeeringAttachment Grants permission to reject a transit gateway peering attachment request Write

    transit-gateway-attachment*: ec2:Region, ec2:ResourceTag/${TagKey}

RejectTransitGatewayVpcAttachment Grants permission to reject a request to attach a VPC to a transit gateway Write

    transit-gateway-attachment*: ec2:Region, ec2:ResourceTag/${TagKey}

RejectVpcEndpointConnections Grants permission to reject one or more VPC endpoint connection requests to a VPC endpoint service Write

    vpc-endpoint-service*: ec2:Region

RejectVpcPeeringConnection Grants permission to reject a VPC peering connection request Write

    vpc-peering-connection*: ec2:AccepterVpc, ec2:Region, ec2:RequesterVpc, ec2:ResourceTag/${TagKey}

ReleaseAddress Grants permission to release an Elastic IP address Write
ReleaseHosts Grants permission to release one or more On-Demand Dedicated Hosts Write
ReplaceIamInstanceProfileAssociation Grants permission to replace an IAM instance profile for an instance Write

    instance*: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy
    Dependent actions: iam:PassRole

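The Resource Types, Condition Keys and Dependent Actions columns in the rows above are exactly what a policy check can enforce before a policy is deployed: an action whose row lists no resource type (the Describe rows) silently never matches when paired with an ARN instead of "*", a condition key is only evaluated for the resource types that list it (on this page ec2:Encrypted appears under DetachVolume's volume, not under ModifySnapshotAttribute's snapshot), and ReplaceIamInstanceProfileAssociation is denied unless iam:PassRole is also allowed, which in turn should be scoped to specific role ARNs rather than "*". The Python linter below is an added example, not AWS code or tooling: its ACTIONS and DEPENDENT tables are a hand-transcribed subset of this page, the sample policy is constructed, and the account ID and ARNs in it are placeholders.

```python
"""Lint IAM policy statements against a subset of the EC2 actions table on this page."""
import fnmatch

# Transcribed from the rows above (subset): action -> {resource type: condition keys}.
# An empty dict means the page lists no resource type, so Resource must be "*".
# "ec2:ResourceTag/*" stands for the page's ec2:ResourceTag/${TagKey}.
INSTANCE_KEYS = {
    "ec2:AvailabilityZone", "ec2:EbsOptimized", "ec2:InstanceProfile",
    "ec2:InstanceType", "ec2:PlacementGroup", "ec2:Region",
    "ec2:ResourceTag/*", "ec2:RootDeviceType", "ec2:Tenancy",
}
ACTIONS = {
    "ec2:DescribeInstances": {},
    "ec2:DescribeVolumes": {},
    "ec2:DetachVolume": {
        "instance": INSTANCE_KEYS,
        "volume": {"ec2:AvailabilityZone", "ec2:Encrypted", "ec2:ParentSnapshot",
                   "ec2:Region", "ec2:ResourceTag/*", "ec2:VolumeIops",
                   "ec2:VolumeSize", "ec2:VolumeType"},
    },
    "ec2:ModifySnapshotAttribute": {
        "snapshot": {"ec2:Owner", "ec2:ParentVolume", "ec2:Region",
                     "ec2:ResourceTag/*", "ec2:SnapshotTime", "ec2:VolumeSize"},
    },
    "ec2:ReplaceIamInstanceProfileAssociation": {"instance": INSTANCE_KEYS},
}
# Dependent Actions column: the call is denied unless these are allowed as well.
DEPENDENT = {"ec2:ReplaceIamInstanceProfileAssociation": ["iam:PassRole"]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(name, patterns):
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)

def _resource_type(arn):
    """'arn:aws:ec2:us-east-1:123456789012:volume/vol-0abc' -> 'volume'; '*' -> '*'."""
    if arn == "*":
        return "*"
    parts = arn.split(":", 5)
    return parts[5].split("/", 1)[0] if len(parts) == 6 else "?"

def lint_policy(policy):
    """Return a list of findings; an empty list means nothing in the table was violated."""
    findings, allowed = [], []  # allowed: action patterns from Allow statements
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        patterns = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", "*"))
        if stmt.get("Effect") == "Allow":
            allowed += patterns
            if _matches("iam:PassRole", patterns) and "*" in resources:
                findings.append(f'{sid}: iam:PassRole on "*" lets the caller hand any role '
                                "to an instance; scope it to the intended role ARNs")
        types = {_resource_type(r) for r in resources}
        keys = set()
        for block in stmt.get("Condition", {}).values():  # operator -> {key: value}
            keys.update(k for k in block if k.startswith("ec2:"))  # aws:* keys: not in this table
        for action in [a for a in ACTIONS if _matches(a, patterns)]:
            supported = ACTIONS[action]
            for res in resources:
                rtype = _resource_type(res)
                if rtype == "*":
                    continue
                if not supported:
                    findings.append(f"{sid}: {action} has no resource-level support, "
                                    f'so Resource {res} never matches (use "*")')
                elif rtype not in supported:
                    findings.append(f"{sid}: {action} does not accept resource type {rtype!r}")
            # A key the action/resource pair does not supply is absent at evaluation time:
            # an Allow using it never matches and a Deny using it silently stops applying.
            valid = {k for rtype, ks in supported.items() if types & {"*", rtype} for k in ks}
            for key in sorted(keys):
                if not _matches(key, valid):
                    findings.append(f"{sid}: {key} is not a condition key for {action} on {sorted(types)}")
    for action, deps in DEPENDENT.items():
        if _matches(action, allowed):
            for dep in deps:
                if not _matches(dep, allowed):
                    findings.append(f"{action} is allowed but its dependent action {dep} is not, "
                                    "so the call is denied")
    return findings

# Constructed sample policy (not from the page): one sound statement and two mistaken ones.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DetachTaggedVolumes",  # sound: both ARN types and the tag key are in the table
     "Effect": "Allow", "Action": "ec2:DetachVolume",
     "Resource": ["arn:aws:ec2:us-east-1:123456789012:instance/*",
                  "arn:aws:ec2:us-east-1:123456789012:volume/*"],
     "Condition": {"StringEquals": {"ec2:ResourceTag/Team": "blue"}}},
    {"Sid": "ReadOnly",  # mistake: the Describe rows list no resource type, so this never matches
     "Effect": "Allow", "Action": "ec2:Describe*",
     "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"},
    {"Sid": "Ops",  # mistakes: ec2:Encrypted is a volume key here, and iam:PassRole is missing
     "Effect": "Allow",
     "Action": ["ec2:ModifySnapshotAttribute", "ec2:ReplaceIamInstanceProfileAssociation"],
     "Resource": "*", "Condition": {"Bool": {"ec2:Encrypted": "true"}}},
]}
```

Running lint_policy(SAMPLE_POLICY) returns five findings: two "never matches" entries for the ReadOnly statement (one per Describe action in the table subset), two unsupported-key entries for ec2:Encrypted, and the missing iam:PassRole dependency; the first statement alone returns none. The table subset is the limit of the check: actions absent from ACTIONS are skipped, and aws:* global keys are ignored, so extend the tables from the rows on this page before relying on it for a real policy.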
ReplaceNetworkAclAssociation Grants permission to change which network ACL a subnet is associated with Write
ReplaceNetworkAclEntry Grants permission to replace an entry (rule) in a network ACL Write
ReplaceRoute Grants permission to replace a route within a route table in a VPC Write

    route-table*: ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc

ReplaceRouteTableAssociation Grants permission to change the route table that is associated with a subnet Write
ReplaceTransitGatewayRoute Grants permission to replace a route in a transit gateway route table Write

    transit-gateway-route-table*: ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-attachment: ec2:Region, ec2:ResourceTag/${TagKey}

ReportInstanceStatus Grants permission to submit feedback about the status of an instance Write
RequestSpotFleet Grants permission to create a Spot Fleet request Write
RequestSpotInstances Grants permission to create a Spot Instance request Write
ResetEbsDefaultKmsKeyId Grants permission to reset the default customer master key (CMK) for EBS encryption for your account to use the AWS-managed CMK for EBS Write
ResetFpgaImageAttribute Grants permission to reset an attribute of an Amazon FPGA Image (AFI) to its default value Write
ResetImageAttribute Grants permission to reset an attribute of an Amazon Machine Image (AMI) to its default value Write
ResetInstanceAttribute Grants permission to reset an attribute of an instance to its default value Write
ResetNetworkInterfaceAttribute