AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for Amazon EC2

Amazon EC2 (service prefix: ec2) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.


Actions Defined by Amazon EC2

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

Each entry below gives the action, its access level in parentheses, and its description. Where the action supports resource-level permissions, an indented line lists its resource types (* = required), each followed in brackets by the condition keys it supports, and a further line lists any dependent actions.

AcceptReservedInstancesExchangeQuote (Write): Accepts the Convertible Reserved Instance exchange quote described in the GetReservedInstancesExchangeQuote call.

AcceptVpcEndpointConnections (Write): Accepts one or more interface VPC endpoint connection requests to your VPC endpoint service.

AcceptVpcPeeringConnection (Write): Accepts a VPC peering connection request.
    Resource types: vpc* [ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy]; vpc-peering-connection* [ec2:AccepterVpc, ec2:Region, ec2:RequesterVpc, ec2:ResourceTag/tag-key]

AllocateAddress (Write): Acquires an Elastic IP address.

AllocateHosts (Write): Allocates a Dedicated Host to your account.

AssignIpv6Addresses (Write): Assigns one or more IPv6 addresses to the specified network interface.

AssignPrivateIpAddresses (Write): Assigns one or more secondary private IP addresses to the specified network interface.

AssociateAddress (Write): Associates an Elastic IP address with an instance or a network interface.

AssociateDhcpOptions (Write): Associates a set of DHCP options (that you've previously created) with the specified VPC, or associates no DHCP options with the VPC.

AssociateIamInstanceProfile (Write): Associates an IAM instance profile with a running or stopped instance.
    Resource types: instance* [ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy]
    Dependent actions: iam:PassRole

AssociateRouteTable (Write): Associates a subnet with a route table.

AssociateSubnetCidrBlock (Write): Associates a CIDR block with your subnet.

AssociateVpcCidrBlock (Write): Associates a CIDR block with your VPC.

AttachClassicLinkVpc (Write): Links an EC2-Classic instance to a ClassicLink-enabled VPC through one or more of the VPC's security groups.
    Resource types: instance* [ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy]; security-group* [ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc]; vpc* [ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy]

AttachInternetGateway (Write): Attaches an Internet gateway to a VPC, enabling connectivity between the Internet and the VPC.

AttachNetworkInterface (Write): Attaches a network interface to an instance.

AttachVolume (Write): Attaches an EBS volume to a running or stopped instance and exposes it to the instance with the specified device name.
    Resource types: instance* [ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy]; volume* [ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/tag-key, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType]

AttachVpnGateway (Write): Attaches a virtual private gateway to a VPC.

AuthorizeSecurityGroupEgress (Write): [EC2-VPC only] Adds one or more egress rules to a security group for use with a VPC.
    Resource types: security-group* [ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc]

AuthorizeSecurityGroupIngress (Write): Adds one or more ingress rules to a security group.
    Resource types: security-group* [ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc]

BundleInstance (Write): Bundles an Amazon instance store-backed Windows instance.

CancelBundleTask (Write): Cancels a bundling operation for an instance store-backed Windows instance.

CancelConversionTask (Write): Cancels an active conversion task.

CancelExportTask (Write): Cancels an active export task.

CancelImportTask (Write): Cancels an in-process import virtual machine or import snapshot task.

CancelReservedInstancesListing (Write): Cancels the specified Reserved Instance listing in the Reserved Instance Marketplace.

CancelSpotFleetRequests (Write): Cancels the specified Spot fleet requests.

CancelSpotInstanceRequests (Write): Cancels one or more Spot instance requests.

ConfirmProductInstance (Write): Determines whether a product code is associated with an instance.

CopyFpgaImage (Write): Initiates the copy of an Amazon FPGA Image (AFI) from the specified source region to the current region.

CopyImage (Write): Initiates the copy of an AMI from the specified source region to the current region.

CopySnapshot (Write): Copies a point-in-time snapshot of an EBS volume and stores it in Amazon S3.

CreateCustomerGateway (Write): Provides information to AWS about your VPN customer gateway device.

CreateDefaultSubnet (Write): Creates a default subnet with a size /20 IPv4 CIDR block in the specified Availability Zone in your default VPC.

CreateDefaultVpc (Write): Creates a default VPC with a size /16 IPv4 CIDR block and a default subnet in each Availability Zone.

CreateDhcpOptions (Write): Creates a set of DHCP options for your VPC.

CreateEgressOnlyInternetGateway (Write): Creates an egress-only Internet gateway for your VPC.

CreateFlowLogs (Write): Creates one or more flow logs to capture IP traffic for a specific network interface, subnet, or VPC.

CreateFpgaImage (Write): Creates an Amazon FPGA Image (AFI) from the specified design checkpoint (DCP).

CreateImage (Write): Creates an Amazon EBS-backed AMI from an Amazon EBS-backed instance that is either running or stopped.

CreateInstanceExportTask (Write): Exports a running or stopped instance to an S3 bucket.

CreateInternetGateway (Write): Creates an Internet gateway for use with a VPC.

CreateKeyPair (Write): Creates a 2048-bit RSA key pair with the specified name.

CreateLaunchTemplate (Write): Creates a new launch template.

CreateLaunchTemplateVersion (Write): Creates a new version for the specified launch template.
    Resource types: launch-template* [ec2:Region, ec2:ResourceTag/tag-key]

CreateNatGateway (Write): Creates a NAT gateway in the specified subnet.

CreateNetworkAcl (Write): Creates a network ACL in a VPC.

CreateNetworkAclEntry (Write): Creates an entry (a rule) in a network ACL with the specified rule number.

CreateNetworkInterface (Write): Creates a network interface in the specified subnet.

CreateNetworkInterfacePermission (Write): Creates a permission for a network interface that grants certain operations to another authorized user.
    Resource types: network-interface* [ec2:AuthorizedUser, ec2:AvailabilityZone, ec2:Permission, ec2:Region, ec2:ResourceTag/tag-key, ec2:Subnet, ec2:Vpc]

CreatePlacementGroup (Write): Creates a placement group that you launch cluster instances into.

CreateReservedInstancesListing (Write): Creates a listing for Amazon EC2 Standard Reserved Instances to be sold in the Reserved Instance Marketplace.

CreateRoute (Write): Creates a route in a route table within a VPC.

CreateRouteTable (Write): Creates a route table for the specified VPC.

CreateSecurityGroup (Write): Creates a security group.

CreateSnapshot (Write): Creates a snapshot of an EBS volume and stores it in Amazon S3.
    Resource types: snapshot* [aws:TagKeys, aws:RequestTag/tag-key, ec2:ParentVolume, ec2:Region]; volume* [ec2:Encrypted, ec2:Region, ec2:ResourceTag/tag-key, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType]

CreateSpotDatafeedSubscription (Write): Creates a data feed for Spot instances, enabling you to view Spot instance usage logs. You can create one data feed per AWS account.

CreateSubnet (Write): Creates a subnet in an existing VPC.

CreateTags (Tagging): Adds or overwrites one or more tags for the specified Amazon EC2 resource or resources.
    Resource types (none required):
    dhcp-options [aws:RequestTag/tag-key, aws:TagKeys, ec2:Region, ec2:ResourceTag/tag-key]
    fpga-image [aws:RequestTag/tag-key, aws:TagKeys, ec2:Owner, ec2:Public, ec2:Region, ec2:ResourceTag/tag-key]
    image [aws:RequestTag/tag-key, aws:TagKeys, ec2:ImageType, ec2:Owner, ec2:Public, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType]
    instance [aws:RequestTag/tag-key, aws:TagKeys, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy]
    internet-gateway [aws:RequestTag/tag-key, aws:TagKeys, ec2:Region, ec2:ResourceTag/tag-key]
    network-acl [aws:RequestTag/tag-key, aws:TagKeys, ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc]
    network-interface [aws:RequestTag/tag-key, aws:TagKeys, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/tag-key, ec2:Subnet, ec2:Vpc]
    reserved-instances [aws:RequestTag/tag-key, aws:TagKeys, ec2:AvailabilityZone, ec2:InstanceType, ec2:Region, ec2:ReservedInstancesOfferingType, ec2:ResourceTag/tag-key, ec2:Tenancy]
    route-table [aws:RequestTag/tag-key, aws:TagKeys, ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc]
    security-group [aws:RequestTag/tag-key, aws:TagKeys, ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc]
    snapshot [aws:RequestTag/tag-key, aws:TagKeys, ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:ResourceTag/tag-key, ec2:SnapshotTime, ec2:VolumeSize]
    spot-instance-request [aws:RequestTag/tag-key, aws:TagKeys, ec2:Region, ec2:ResourceTag/tag-key]
    subnet [aws:RequestTag/tag-key, aws:TagKeys, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc]
    volume [aws:RequestTag/tag-key, aws:TagKeys, ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/tag-key, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType]
    vpc [aws:RequestTag/tag-key, aws:TagKeys, ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy]
    vpn-connection [aws:RequestTag/tag-key, aws:TagKeys, ec2:Region, ec2:ResourceTag/tag-key]
    vpn-gateway
    Condition keys: ec2:CreateAction

CreateVolume (Write): Creates an EBS volume that can be attached to an instance in the same Availability Zone.
    Resource types: volume* [aws:RequestTag/tag-key, aws:TagKeys, ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType]

CreateVpc (Write): Creates a VPC with the specified CIDR block.

CreateVpcEndpoint (Write): Creates a VPC endpoint for a specified AWS service.

CreateVpcEndpointConnectionNotification (Write): Creates a connection notification for a specified VPC endpoint or VPC endpoint service.

CreateVpcEndpointServiceConfiguration (Write): Creates a VPC endpoint service configuration to which service consumers (AWS accounts, IAM users, and IAM roles) can connect.

CreateVpcPeeringConnection (Write): Requests a VPC peering connection between two VPCs: a requester VPC that you own and a peer VPC with which to create the connection.
    Resource types: vpc* [ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy]; vpc-peering-connection* [ec2:AccepterVpc, ec2:Region, ec2:RequesterVpc]

CreateVpnConnection (Write): Creates a VPN connection between an existing virtual private gateway and a VPN customer gateway.

CreateVpnConnectionRoute (Write): Creates a static route associated with a VPN connection between an existing virtual private gateway and a VPN customer gateway.

CreateVpnGateway (Write): Creates a virtual private gateway.

DeleteCustomerGateway (Write): Deletes the specified customer gateway.
    Resource types: customer-gateway* [ec2:Region, ec2:ResourceTag/tag-key]

DeleteDhcpOptions (Write): Deletes the specified set of DHCP options.
    Resource types: dhcp-options* [ec2:Region, ec2:ResourceTag/tag-key]

DeleteEgressOnlyInternetGateway (Write): Deletes the specified egress-only Internet gateway.

DeleteFlowLogs (Write): Deletes one or more flow logs.

DeleteFpgaImage (Write): Deletes the specified Amazon FPGA Image (AFI).

DeleteInternetGateway (Write): Deletes the specified Internet gateway.
    Resource types: internet-gateway* [ec2:Region, ec2:ResourceTag/tag-key]

DeleteKeyPair (Write): Deletes the specified key pair, by removing the public key from Amazon EC2.

DeleteLaunchTemplate (Write): Deletes the specified launch template and all associated versions.
    Resource types: launch-template* [ec2:Region, ec2:ResourceTag/tag-key]

DeleteLaunchTemplateVersions (Write): Deletes the specified versions for the specified launch template.
    Resource types: launch-template* [ec2:Region, ec2:ResourceTag/tag-key]

DeleteNatGateway (Write): Deletes the specified NAT gateway.

DeleteNetworkAcl (Write): Deletes the specified network ACL.
    Resource types: network-acl* [ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc]

DeleteNetworkAclEntry (Write): Deletes the specified ingress or egress entry (rule) from the specified network ACL.
    Resource types: network-acl* [ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc]

DeleteNetworkInterface (Write): Deletes the specified network interface. You must detach the network interface before you can delete it.

DeleteNetworkInterfacePermission (Write): Deletes a permission associated with a network interface.

DeletePlacementGroup (Write): Deletes the specified placement group.

DeleteRoute (Write): Deletes the specified route from the specified route table.
    Resource types: route-table* [ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc]

DeleteRouteTable (Write): Deletes the specified route table.
    Resource types: route-table* [ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc]

DeleteSecurityGroup (Write): Deletes a security group.
    Resource types: security-group* [ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc]

DeleteSnapshot (Write): Deletes the specified snapshot.
    Resource types: snapshot* [ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:ResourceTag/tag-key, ec2:SnapshotTime, ec2:VolumeSize]

DeleteSpotDatafeedSubscription (Write): Deletes the data feed for Spot instances.

DeleteSubnet (Write): Deletes the specified subnet.

DeleteTags (Tagging): Deletes the specified set of tags from the specified set of resources.
    Resource types (none required; each supports the condition keys aws:RequestTag/tag-key, aws:TagKeys, ec2:Region, ec2:ResourceTag/tag-key): dhcp-options; fpga-image; image; instance; internet-gateway; network-acl; network-interface; reserved-instances; route-table; security-group; snapshot; spot-instance-request; subnet; volume; vpc; vpn-connection; vpn-gateway

DeleteVolume (Write): Deletes the specified EBS volume.
    Resource types: volume* [ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/tag-key, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType]

DeleteVpc (Write): Deletes the specified VPC. You must detach or delete all gateways and resources that are associated with the VPC before you can delete it.

DeleteVpcEndpointConnectionNotifications (Write): Deletes one or more VPC endpoint connection notifications.

DeleteVpcEndpointServiceConfigurations (Write): Deletes one or more VPC endpoint service configurations in your account.

DeleteVpcEndpoints (Write): Deletes one or more specified VPC endpoints.

DeleteVpcPeeringConnection (Write): Deletes a VPC peering connection.
    Resource types: vpc-peering-connection* [ec2:AccepterVpc, ec2:Region, ec2:RequesterVpc, ec2:ResourceTag/tag-key]

DeleteVpnConnection (Write): Deletes the specified VPN connection.

DeleteVpnConnectionRoute (Write): Deletes the specified static route associated with a VPN connection between an existing virtual private gateway and a VPN customer gateway.

DeleteVpnGateway (Write): Deletes the specified virtual private gateway.

DeregisterImage (Write): Deregisters the specified AMI.

DescribeAccountAttributes (List): Describes attributes of your AWS account.

DescribeAddresses (List): Describes one or more of your Elastic IP addresses.

DescribeAvailabilityZones (List): Describes one or more of the Availability Zones that are available to you.

DescribeBundleTasks (List): Describes one or more of your bundling tasks.

DescribeClassicLinkInstances (List): Describes one or more of your linked EC2-Classic instances.

DescribeConversionTasks (List): Describes one or more of your conversion tasks.

DescribeCustomerGateways (List): Describes one or more of your VPN customer gateways.

DescribeDhcpOptions (List): Describes one or more of your DHCP options sets.

DescribeEgressOnlyInternetGateways (List): Describes one or more of your egress-only Internet gateways.

DescribeElasticGpus (Read): Describes the Elastic GPUs associated with your instances.

DescribeExportTasks (List): Describes one or more of your export tasks.

DescribeFlowLogs (List): Describes one or more flow logs.

DescribeFpgaImageAttribute (List): Describes the specified attribute of the specified Amazon FPGA Images (AFI).

DescribeFpgaImages (List): Describes one or more of the Amazon FPGA Images (AFIs) available to you.

DescribeHostReservationOfferings (List): Describes the Dedicated Host Reservations that are available to purchase.

DescribeHostReservations (List): Describes Dedicated Host Reservations which are associated with Dedicated Hosts in your account.

DescribeHosts (List): Describes one or more of your Dedicated Hosts.

DescribeIamInstanceProfileAssociations (List): Describes your IAM instance profile associations.

DescribeIdFormat (List): Describes the ID format settings for your resources on a per-region basis, for example, to view which resource types are enabled for longer IDs.

DescribeIdentityIdFormat (List): Describes the ID format settings for resources for the specified IAM user, IAM role, or root user.

DescribeImageAttribute (List): Describes the specified attribute of the specified AMI.

DescribeImages (List): Describes one or more of the images (AMIs, AKIs, and ARIs) available to you.

DescribeImportImageTasks (List): Displays details about import virtual machine or import snapshot tasks that have already been created.

DescribeImportSnapshotTasks (List): Describes your import snapshot tasks.

DescribeInstanceAttribute (List): Describes the specified attribute of the specified instance.

DescribeInstanceCreditSpecifications (List): Describes the credit option for CPU usage of one or more of your instances.

DescribeInstanceStatus (List): Describes the status of one or more instances.

DescribeInstances (List): Describes one or more of your instances.

DescribeInternetGateways (List): Describes one or more of your Internet gateways.

DescribeKeyPairs (List): Describes one or more of your key pairs.

DescribeLaunchTemplateVersions (List): Describes one or more of your launch template versions.

DescribeLaunchTemplates (List): Describes one or more of your launch templates.

DescribeMovingAddresses (List): Describes your Elastic IP addresses that are being moved to the EC2-VPC platform, or that are being restored to the EC2-Classic platform.

DescribeNatGateways (List): Describes one or more of your NAT gateways.

DescribeNetworkAcls (List): Describes one or more of your network ACLs.

DescribeNetworkInterfaceAttribute (List): Describes a network interface attribute. You can specify only one attribute at a time.

DescribeNetworkInterfacePermissions (List): Describes the permissions associated with a network interface.

DescribeNetworkInterfaces (List): Describes one or more of your network interfaces.

DescribePlacementGroups (List): Describes one or more of your placement groups.

DescribePrefixLists (List): Describes available AWS services in a prefix list format, which includes the prefix list name and prefix list ID of the service and the IP address range for the service.

DescribeRegions (List): Describes one or more regions that are currently available to you.

DescribeReservedInstances (List): Describes one or more of the Reserved Instances that you purchased.

DescribeReservedInstancesListings (List): Describes your account's Reserved Instance listings in the Reserved Instance Marketplace.

DescribeReservedInstancesModifications (List): Describes the modifications made to your Reserved Instances.

DescribeReservedInstancesOfferings (List): Describes Reserved Instance offerings that are available for purchase.

DescribeRouteTables (List): Describes one or more of your route tables.

DescribeScheduledInstanceAvailability (Read): Finds available schedules that meet the specified criteria.

DescribeScheduledInstances (Read): Describes one or more of your Scheduled Instances.

DescribeSecurityGroupReferences (List): [EC2-VPC only] Describes the VPCs on the other side of a VPC peering connection that are referencing the security groups you've specified in this request.

DescribeSecurityGroups (List): Describes one or more of your security groups.

DescribeSnapshotAttribute (List): Describes the specified attribute of the specified snapshot.

DescribeSnapshots (List): Describes one or more of the EBS snapshots available to you.

DescribeSpotDatafeedSubscription (List): Describes the data feed for Spot instances.

DescribeSpotFleetInstances (List): Describes the running instances for the specified Spot fleet.

DescribeSpotFleetRequestHistory (List): Describes the events for the specified Spot fleet request during the specified time.

DescribeSpotFleetRequests (List): Describes your Spot fleet requests.

DescribeSpotInstanceRequests (List): Describes the Spot instance requests that belong to your account.

DescribeSpotPriceHistory (List): Describes the Spot price history.

DescribeStaleSecurityGroups (List): [EC2-VPC only] Describes the stale security group rules for security groups in a specified VPC.

DescribeSubnets (List): Describes one or more of your subnets.

DescribeTags (Read): Describes one or more of the tags for your EC2 resources.

DescribeVolumeAttribute (List): Describes the specified attribute of the specified volume.

DescribeVolumeStatus (List): Describes the status of the specified volumes.

DescribeVolumes (List): Describes the specified EBS volumes.

DescribeVolumesModifications (Read): Reports the current modification status of EBS volumes.

DescribeVpcAttribute (List): Describes the specified attribute of the specified VPC.

DescribeVpcClassicLink (List): Describes the ClassicLink status of one or more VPCs.

DescribeVpcClassicLinkDnsSupport (List): Describes the ClassicLink DNS support status of one or more VPCs.

DescribeVpcEndpointConnectionNotifications (List): Describes the connection notifications for VPC endpoints and VPC endpoint services.

DescribeVpcEndpointConnections (List): Describes the VPC endpoint connections to your VPC endpoint services, including any endpoints that are pending your acceptance.

DescribeVpcEndpointServiceConfigurations (List): Describes the VPC endpoint service configurations in your account (your services).

DescribeVpcEndpointServicePermissions (List): Describes the principals (service consumers) that are permitted to discover your VPC endpoint service.

DescribeVpcEndpointServices (List): Describes all supported AWS services that can be specified when creating a VPC endpoint.

DescribeVpcEndpoints (List): Describes one or more of your VPC endpoints.

DescribeVpcPeeringConnections (List): Describes one or more of your VPC peering connections.

DescribeVpcs (List): Describes one or more of your VPCs.

DescribeVpnConnections (Read): Describes one or more of your VPN connections.

DescribeVpnGateways (List): Describes one or more of your virtual private gateways.

DetachClassicLinkVpc Unlinks (detaches) a linked EC2-Classic instance from a VPC.

Write

instance*

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/tag-key

ec2:RootDeviceType

ec2:Tenancy

vpc*

ec2:Region

ec2:ResourceTag/tag-key

ec2:Tenancy

DetachInternetGateway Detaches an Internet gateway from a VPC, disabling connectivity between the Internet and the VPC.

Write

DetachNetworkInterface Detaches a network interface from an instance.

Write

DetachVolume Detaches an EBS volume from an instance.

Write

instance*

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/tag-key

ec2:RootDeviceType

ec2:Tenancy

volume*

ec2:AvailabilityZone

ec2:Encrypted

ec2:ParentSnapshot

ec2:Region

ec2:ResourceTag/tag-key

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeType

DetachVpnGateway Detaches a virtual private gateway from a VPC.

Write

DisableVgwRoutePropagation Disables a virtual private gateway (VGW) from propagating routes to a specified route table of a VPC.

Write

DisableVpcClassicLink Disables ClassicLink for a VPC.

Write

vpc*

ec2:Region

ec2:ResourceTag/tag-key

ec2:Tenancy

DisableVpcClassicLinkDnsSupport Disables ClassicLink DNS support for a VPC.

Write

DisassociateAddress Disassociates an Elastic IP address from the instance or network interface it's associated with.

Write

DisassociateIamInstanceProfile Disassociates an IAM instance profile from a running or stopped instance.

Write

instance*

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/tag-key

ec2:RootDeviceType

ec2:Tenancy

DisassociateRouteTable Disassociates a subnet from a route table.

Write

DisassociateSubnetCidrBlock Disassociates a CIDR block from a subnet.

Write

DisassociateVpcCidrBlock Disassociates a CIDR block from a VPC.

Write

EnableVgwRoutePropagation Enables a virtual private gateway (VGW) to propagate routes to the specified route table of a VPC.

Write

EnableVolumeIO Enables I/O operations for a volume that had I/O operations disabled because the data on the volume was potentially inconsistent.

Write

EnableVpcClassicLink Enables a VPC for ClassicLink.

Write

vpc*

ec2:Region

ec2:ResourceTag/tag-key

ec2:Tenancy

EnableVpcClassicLinkDnsSupport Enables a VPC to support DNS hostname resolution for ClassicLink.

Write

GetConsoleOutput Gets the console output for the specified instance.

Read

GetConsoleScreenshot Retrieve a JPG-format screenshot of a running instance to help with troubleshooting.

Read

instance*

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/tag-key

ec2:RootDeviceType

ec2:Tenancy

GetHostReservationPurchasePreview Preview a reservation purchase with configurations that match those of your Dedicated Host.

Read

GetLaunchTemplateData Retrieves the configuration data of the specified instance.

Read

GetPasswordData Retrieves the encrypted administrator password for an instance running Windows.

Read

GetReservedInstancesExchangeQuote Returns details about the values and term of your specified Convertible Reserved Instances.

Read

ImportImage Import single or multi-volume disk images or EBS snapshots into an Amazon Machine Image (AMI).

Write

ImportInstance Creates an import instance task using metadata from the specified disk image.

Write

ImportKeyPair Imports the public key from an RSA key pair that you created with a third-party tool.

Write

ImportSnapshot Imports a disk into an EBS snapshot.

Write

ImportVolume Creates an import volume task using metadata from the specified disk image.

Write

ModifyFpgaImageAttribute Modifies the specified attribute of the specified Amazon FPGA Image (AFI).

Write

ModifyHosts Modify the auto-placement setting of a Dedicated Host.

Write

ModifyIdFormat Modifies the ID format for the specified resource on a per-region basis.

Write

ModifyIdentityIdFormat Modifies the ID format of a resource for a specified IAM user, IAM role, or the root user for an account; or all IAM users, IAM roles, and the root user for an account.

Write

ModifyImageAttribute Modifies the specified attribute of the specified AMI.

Write

ModifyInstanceAttribute Modifies the specified attribute of the specified instance.

Write

ModifyInstanceCreditSpecification Modifies the credit option for CPU usage on an instance.

Write

ModifyInstancePlacement Set the instance affinity value for a specific stopped instance and modify the instance tenancy setting.

Write

ModifyLaunchTemplate Modifies the specified launch template.

Write

launch-template*

ec2:Region

ec2:ResourceTag/tag-key

ModifyNetworkInterfaceAttribute Modifies the specified network interface attribute. You can specify only one attribute at a time.

Write

ModifyReservedInstances Modifies the Availability Zone, instance count, instance type, or network platform (EC2-Classic or EC2-VPC) of your Standard Reserved Instances.

Write

ModifySnapshotAttribute Adds or removes permission settings for the specified snapshot.

Write

snapshot*

ec2:Owner

ec2:ParentVolume

ec2:Region

ec2:ResourceTag/tag-key

ec2:SnapshotTime

ec2:VolumeSize

ModifySpotFleetRequest Modifies the specified Spot fleet request.

Write

ModifySubnetAttribute Modifies a subnet attribute.

Write

ModifyVolume You can modify several parameters of an existing EBS volume, including volume size, volume type, and IOPS capacity.

Write

ModifyVolumeAttribute Modifies a volume attribute.

Write

ModifyVpcAttribute Modifies the specified attribute of the specified VPC.

Write

ModifyVpcEndpoint Modifies attributes of a specified VPC endpoint.

Write

ModifyVpcEndpointConnectionNotification Modifies a connection notification for VPC endpoint or VPC endpoint service.

Write

ModifyVpcEndpointServiceConfiguration Modifies the attributes of your VPC endpoint service configuration.

Write

ModifyVpcEndpointServicePermissions Modifies the permissions for your VPC endpoint service.

Write

ModifyVpcPeeringConnectionOptions Modifies the VPC peering connection options on one side of a VPC peering connection.

Write

ModifyVpcTenancy Modifies the instance tenancy attribute of the specified VPC.

Write

MonitorInstances Enables detailed monitoring for a running instance.

Write

MoveAddressToVpc Moves an Elastic IP address from the EC2-Classic platform to the EC2-VPC platform.

Write

PurchaseHostReservation Purchase a reservation with configurations that match those of your Dedicated Host.

Write

PurchaseReservedInstancesOffering Purchases a Reserved Instance for use with your account.

Write

PurchaseScheduledInstances Purchases one or more Scheduled Instances with the specified schedule.

Write

RebootInstances Requests a reboot of one or more instances.

Write

instance*

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/tag-key

ec2:RootDeviceType

ec2:Tenancy

RegisterImage Registers an AMI.

Write

RejectVpcEndpointConnections Rejects one or more VPC endpoint connection requests to your VPC endpoint service.

Write

RejectVpcPeeringConnection Rejects a VPC peering connection request.

Write

vpc-peering-connection*

ec2:AccepterVpc

ec2:Region

ec2:RequesterVpc

ec2:ResourceTag/tag-key

ReleaseAddress Releases the specified Elastic IP address.

Write

ReleaseHosts When you no longer want to use an On-Demand Dedicated Host it can be released

Write

ReplaceIamInstanceProfileAssociation Replaces an IAM instance profile for the specified instance.

Write

instance*

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/tag-key

ec2:RootDeviceType

ec2:Tenancy

iam:PassRole
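
The iam:PassRole dependency listed above is what turns an instance-maintenance permission into a privilege-escalation path: a principal who can swap an instance's profile and pass any role can hand an instance they control a role more powerful than their own. The following Python check is added here as an illustration and is not code from the AWS documentation. It flags Allow statements that grant iam:PassRole on every role, or without an iam:PassedToService condition, and shows a scoped pair of statements that passes the check. The account ID, role name and team tag value are hypothetical.

```python
"""Review check for iam:PassRole grants that accompany EC2 actions such as
ec2:ReplaceIamInstanceProfileAssociation.  Added example; the two policies
below are constructed for illustration and are not from the AWS docs."""
import fnmatch


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; always return a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants(pattern, action):
    """Policy action patterns are case-insensitive and may contain '*'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def passrole_findings(policy):
    """Return findings for Allow statements that grant iam:PassRole either on
    every role or without pinning the receiving service via iam:PassedToService.
    Either gap lets a caller attach an arbitrary role to an instance they can
    reach, so that role's permissions become theirs."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        if not any(_grants(a, "iam:PassRole") for a in _as_list(st.get("Action"))):
            continue
        resources = _as_list(st.get("Resource"))
        if any(r == "*" or r.endswith(":role/*") for r in resources):
            findings.append(f"statement {i}: iam:PassRole on every role; "
                            "list the instance-profile roles explicitly")
        conditions = st.get("Condition", {})
        if not any("iam:PassedToService" in keys for keys in conditions.values()):
            findings.append(f"statement {i}: iam:PassRole without iam:PassedToService; "
                            "pin it to ec2.amazonaws.com")
    return findings


# Over-broad: the maintenance action and PassRole on every resource.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:ReplaceIamInstanceProfileAssociation", "iam:PassRole"],
        "Resource": "*",
    }],
}

# Scoped: the EC2 action is limited to instances tagged team=web (the
# ec2:ResourceTag/tag-key key from the instance column above), and PassRole
# is limited to one role and to EC2 as the receiving service.  Account ID,
# role name and tag value are hypothetical.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SwapProfileOnTeamInstances",
            "Effect": "Allow",
            "Action": "ec2:ReplaceIamInstanceProfileAssociation",
            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
            "Condition": {"StringEquals": {"ec2:ResourceTag/team": "web"}},
        },
        {
            "Sid": "PassOnlyTheWebRoleToEc2",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::123456789012:role/web-instance-role",
            "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}},
        },
    ],
}

if __name__ == "__main__":
    for name, policy in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, passrole_findings(policy) or "no findings")
```

The instance-side condition keys in the table (ec2:ResourceTag/tag-key and the others in the instance column) only control which instances the profile swap may touch; which roles can be attached is governed entirely by the iam:PassRole statement's Resource and its iam:PassedToService condition, which is why the check looks at that statement rather than at the EC2 one.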

ReplaceNetworkAclAssociation Changes which network ACL a subnet is associated with.

Write

ReplaceNetworkAclEntry Replaces an entry (rule) in a network ACL.

Write

ReplaceRoute Replaces an existing route within a route table in a VPC.

Write

ReplaceRouteTableAssociation Changes the route table associated with a given subnet in a VPC.

Write

ReportInstanceStatus Submits feedback about the status of an instance.

Write

RequestSpotFleet Creates a Spot Fleet request.

Write

RequestSpotInstances Creates a Spot Instance request.

Write

ResetFpgaImageAttribute Resets an attribute of an Amazon FPGA Image (AFI) to its default value.

Write

ResetImageAttribute Resets an attribute of an AMI to its default value.

Write

ResetInstanceAttribute Resets an attribute of an instance to its default value.

Write

ResetNetworkInterfaceAttribute Resets a network interface attribute. You can specify only one attribute at a time.

Write

ResetSnapshotAttribute Resets permission settings for the specified snapshot.

Write

RestoreAddressToClassic Restores an Elastic IP address that was previously moved to the EC2-VPC platform back to the EC2-Classic platform.

Write

RevokeSecurityGroupEgress [EC2-VPC only] Removes one or more egress rules from a security group for EC2-VPC. This action doesn't apply to security groups for use in EC2-Classic.

Write

security-group*

ec2:Region

ec2:ResourceTag/tag-key

ec2:Vpc

RevokeSecurityGroupIngress Removes one or more ingress rules from a security group.

Write

security-group*

ec2:Region

ec2:ResourceTag/tag-key

ec2:Vpc

RunInstances Launches the specified number of instances using an AMI for which you have permissions.

Tagging

image*

ec2:ImageType

ec2:IsLaunchTemplateResource

ec2:LaunchTemplate

ec2:Owner

ec2:Public

ec2:Region

ec2:ResourceTag/tag-key

ec2:RootDeviceType

instance*

aws:RequestTag/tag-key

aws:TagKeys

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:IsLaunchTemplateResource

ec2:LaunchTemplate

ec2:PlacementGroup

ec2:Region

ec2:RootDeviceType

ec2:Tenancy

network-interface*

ec2:AvailabilityZone

ec2:IsLaunchTemplateResource

ec2:LaunchTemplate

ec2:Region

ec2:ResourceTag/

ec2:Subnet

ec2:Vpc

security-group*

ec2:IsLaunchTemplateResource

ec2:LaunchTemplate

ec2:Region

ec2:ResourceTag/tag-key

ec2:Vpc

subnet*

ec2:AvailabilityZone

ec2:IsLaunchTemplateResource

ec2:LaunchTemplate

ec2:Region

ec2:ResourceTag/tag-key

ec2:Vpc

volume*

aws:RequestTag/tag-key

aws:TagKeys

ec2:AvailabilityZone

ec2:Encrypted

ec2:IsLaunchTemplateResource

ec2:LaunchTemplate

ec2:ParentSnapshot

ec2:Region

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeType

key-pair

ec2:IsLaunchTemplateResource

ec2:LaunchTemplate

ec2:Region

launch-template

ec2:IsLaunchTemplateResource

ec2:LaunchTemplate

ec2:Region

placement-group

ec2:IsLaunchTemplateResource

ec2:LaunchTemplate

ec2:PlacementGroupStrategy

ec2:Region

snapshot

ec2:IsLaunchTemplateResource

ec2:LaunchTemplate

ec2:Owner

ec2:ParentVolume

ec2:Region

ec2:ResourceTag/tag-key

ec2:SnapshotTime

ec2:VolumeSize

SCENARIO: EC2-Classic-EBS

image*

instance*

security-group*

volume*

key-pair

placement-group

snapshot

SCENARIO: EC2-Classic-InstanceStore

image*

instance*

security-group*

key-pair

placement-group

snapshot

SCENARIO: EC2-VPC-EBS

image*

instance*

network-interface*

security-group*

volume*

key-pair

placement-group

snapshot

SCENARIO: EC2-VPC-EBS-Subnet

image*

instance*

network-interface*

security-group*

subnet*

volume*

key-pair

placement-group

snapshot

SCENARIO: EC2-VPC-InstanceStore

image*

instance*

network-interface*

security-group*

key-pair

placement-group

snapshot

SCENARIO: EC2-VPC-InstanceStore-Subnet

image*

instance*

network-interface*

security-group*

subnet*

key-pair

placement-group

snapshot
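
Each resource type in the RunInstances row supports its own set of condition keys, and a statement only allows a resource when every condition key the statement carries is supported by that resource's type. Putting ec2:InstanceType and ec2:Encrypted into one statement with Resource "*" therefore allows nothing: the image, subnet and network-interface resources do not support either key, so the launch is denied. The Python below is an added example, not code from the AWS documentation. It transcribes the per-resource-type keys from the table above for the EC2-VPC scenarios, lints a statement for keys that a matched resource type does not support, and builds a launch policy split into one statement per resource type. The account ID, region, VPC ID, instance types and tag values are caller-supplied parameters and are hypothetical.

```python
"""Lint RunInstances statements for condition keys that a matched resource
type does not support, and build a launch policy that avoids the problem.
Added example; the key table is transcribed from this page, the policy
values (account, region, VPC, tags) are caller-supplied and hypothetical."""

# Condition keys per resource type for ec2:RunInstances in the EC2-VPC
# scenarios, from the table above.  Concrete tag keys are folded onto the
# 'tag-key' placeholder the table uses.
RUN_INSTANCES_KEYS = {
    "image": {"ec2:ImageType", "ec2:IsLaunchTemplateResource", "ec2:LaunchTemplate",
              "ec2:Owner", "ec2:Public", "ec2:Region", "ec2:ResourceTag/tag-key",
              "ec2:RootDeviceType"},
    "instance": {"aws:RequestTag/tag-key", "aws:TagKeys", "ec2:AvailabilityZone",
                 "ec2:EbsOptimized", "ec2:InstanceProfile", "ec2:InstanceType",
                 "ec2:IsLaunchTemplateResource", "ec2:LaunchTemplate", "ec2:PlacementGroup",
                 "ec2:Region", "ec2:RootDeviceType", "ec2:Tenancy"},
    "network-interface": {"ec2:AvailabilityZone", "ec2:IsLaunchTemplateResource",
                          "ec2:LaunchTemplate", "ec2:Region", "ec2:ResourceTag/tag-key",
                          "ec2:Subnet", "ec2:Vpc"},
    "security-group": {"ec2:IsLaunchTemplateResource", "ec2:LaunchTemplate", "ec2:Region",
                       "ec2:ResourceTag/tag-key", "ec2:Vpc"},
    "subnet": {"ec2:AvailabilityZone", "ec2:IsLaunchTemplateResource", "ec2:LaunchTemplate",
               "ec2:Region", "ec2:ResourceTag/tag-key", "ec2:Vpc"},
    "volume": {"aws:RequestTag/tag-key", "aws:TagKeys", "ec2:AvailabilityZone", "ec2:Encrypted",
               "ec2:IsLaunchTemplateResource", "ec2:LaunchTemplate", "ec2:ParentSnapshot",
               "ec2:Region", "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeType"},
    "key-pair": {"ec2:IsLaunchTemplateResource", "ec2:LaunchTemplate", "ec2:Region"},
}


def resource_type(arn):
    """'arn:aws:ec2:us-east-1::image/ami-1234' -> 'image'; '*' -> '*'.
    Note the empty account field: image and snapshot ARNs have none."""
    if arn == "*":
        return "*"
    return arn.split(":", 5)[5].split("/", 1)[0]


def _placeholder(key):
    for prefix in ("ec2:ResourceTag/", "aws:RequestTag/"):
        if key.startswith(prefix):
            return prefix + "tag-key"
    return key


def unsupported_keys(statement, table=RUN_INSTANCES_KEYS):
    """Map each resource type the statement's Resource can match to the
    condition keys that type does not support.  A non-empty result means the
    Allow does not apply to that type, and a launch needing it is denied."""
    resources = statement.get("Resource", [])
    resources = resources if isinstance(resources, list) else [resources]
    types = set()
    for r in resources:
        t = resource_type(r)
        types.update(table if t == "*" else {t})
    keys = set()
    for operator_keys in statement.get("Condition", {}).values():
        keys.update(_placeholder(k) for k in operator_keys)
    bad = {}
    for t in sorted(types):
        missing = sorted(keys - table.get(t, set()))
        if missing:
            bad[t] = missing
    return bad


# The tempting single statement: every key in one place, Resource "*".
# ec2:InstanceType is an instance key only and ec2:Encrypted a volume key
# only, so no resource type is fully allowed and the launch fails.
NAIVE_STATEMENT = {
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": "*",
    "Condition": {"StringEquals": {"ec2:InstanceType": ["t3.micro", "t3.small"]},
                  "Bool": {"ec2:Encrypted": "true"}},
}


def launch_policy(account, region, vpc_id, instance_types, team):
    """One statement per resource type, each carrying only keys that type
    supports.  All parameters are hypothetical values chosen by the caller."""
    def arn(rtype):
        return f"arn:aws:ec2:{region}:{account}:{rtype}/*"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "InstanceShapeAndTags", "Effect": "Allow", "Action": "ec2:RunInstances",
         "Resource": arn("instance"),
         "Condition": {"StringEquals": {"ec2:InstanceType": instance_types,
                                        "aws:RequestTag/team": team},
                       "ForAllValues:StringEquals": {"aws:TagKeys": ["team", "Name"]}}},
        {"Sid": "EncryptedVolumesOnly", "Effect": "Allow", "Action": "ec2:RunInstances",
         "Resource": arn("volume"),
         "Condition": {"Bool": {"ec2:Encrypted": "true"}}},
        {"Sid": "OwnVpcOnly", "Effect": "Allow", "Action": "ec2:RunInstances",
         "Resource": [arn("network-interface"), arn("security-group"), arn("subnet")],
         "Condition": {"ArnEquals": {"ec2:Vpc": f"arn:aws:ec2:{region}:{account}:vpc/{vpc_id}"}}},
        {"Sid": "ImagesAndKeyPairs", "Effect": "Allow", "Action": "ec2:RunInstances",
         "Resource": [f"arn:aws:ec2:{region}::image/*", arn("key-pair")]},
    ]}


def lint_policy(policy):
    """Sid -> unsupported keys per type, for every statement with a problem."""
    report = {}
    for i, st in enumerate(policy["Statement"]):
        bad = unsupported_keys(st)
        if bad:
            report[st.get("Sid", str(i))] = bad
    return report
```

In the generated policy the ForAllValues:StringEquals on aws:TagKeys only restricts which tag keys may appear; on its own it is also satisfied by a request that carries no tags, which is why the same statement pins aws:RequestTag/team with StringEquals, a condition that fails when the tag is missing. The "ImagesAndKeyPairs" statement carries no condition because the image ARN form on this page has no account field and cannot be scoped by ec2:Vpc; restrict images instead with ec2:Owner or ec2:Public from the image column if the environment needs it.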

RunScheduledInstances Launches the specified Scheduled Instances.

Write

StartInstances Starts an Amazon EBS-backed instance that you've previously stopped.

Write

instance*

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/tag-key

ec2:RootDeviceType

ec2:Tenancy

StopInstances Stops an Amazon EBS-backed instance.

Write

instance*

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/tag-key

ec2:RootDeviceType

ec2:Tenancy

TerminateInstances Shuts down one or more instances.

Write

instance*

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/tag-key

ec2:RootDeviceType

ec2:Tenancy

UnassignIpv6Addresses Unassigns one or more IPv6 addresses from the specified network interface.

Write

UnassignPrivateIpAddresses Unassigns one or more secondary private IP addresses from a network interface.

Write

UnmonitorInstances Disables detailed monitoring for a running instance.

Write

UpdateSecurityGroupRuleDescriptionsEgress [EC2-VPC only] Update descriptions for one or more egress rules of a security group. This action doesn't apply to security groups for use in EC2-Classic.

Write

security-group*

ec2:Region

ec2:ResourceTag/tag-key

ec2:Vpc

UpdateSecurityGroupRuleDescriptionsIngress Update descriptions for one or more ingress rules of a security group.

Write

security-group*

ec2:Region

ec2:ResourceTag/tag-key

ec2:Vpc

Resources Defined by EC2

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

Resource Types ARN Condition Keys
customer-gateway arn:${Partition}:ec2:${Region}:${Account}:customer-gateway/${CustomerGatewayId}

ec2:Region

ec2:ResourceTag/tag-key

dhcp-options arn:${Partition}:ec2:${Region}:${Account}:dhcp-options/${DhcpOptionsId}

aws:RequestTag/tag-key

aws:TagKeys

ec2:Region

ec2:ResourceTag/tag-key

elastic-gpu arn:${Partition}:ec2:${Region}:${Account}:elasticGpu/${ElasticGpuId}
fpga-image arn:${Partition}:ec2:${Region}::fpga-image/${FpgaImageId}

aws:RequestTag/tag-key

aws:TagKeys

ec2:Owner

ec2:Public

ec2:Region

ec2:ResourceTag/tag-key

image arn:${Partition}:ec2:${Region}::image/${ImageId}

aws:RequestTag/tag-key

aws:TagKeys

ec2:ImageType

ec2:Owner

ec2:Public

ec2:Region

ec2:ResourceTag/tag-key

ec2:RootDeviceType

instance arn:${Partition}:ec2:${Region}:${Account}:instance/${InstanceId}

aws:RequestTag/tag-key

aws:TagKeys

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/tag-key

ec2:RootDeviceType

ec2:Tenancy

internet-gateway arn:${Partition}:ec2:${Region}:${Account}:internet-gateway/${InternetGatewayId}

aws:RequestTag/tag-key

aws:TagKeys

ec2:Region

ec2:ResourceTag/tag-key

key-pair arn:${Partition}:ec2:${Region}:${Account}:key-pair/${KeyPairName}

ec2:Region

launch-template arn:${Partition}:ec2:${Region}:${Account}:launch-template/${LaunchTemplateId}

ec2:Region

ec2:ResourceTag/tag-key

network-acl arn:${Partition}:ec2:${Region}:${Account}:network-acl/${NaclId}

aws:RequestTag/tag-key

aws:TagKeys

ec2:Region

ec2:ResourceTag/tag-key

ec2:Vpc

network-interface arn:${Partition}:ec2:${Region}:${Account}:network-interface/${NetworkInterfaceId}

aws:RequestTag/tag-key

aws:TagKeys

ec2:AuthorizedService

ec2:AvailabilityZone

ec2:Region

ec2:ResourceTag/tag-key

ec2:Subnet

ec2:Vpc

placement-group arn:${Partition}:ec2:${Region}:${Account}:placement-group/${PlacementGroupName}

ec2:PlacementGroupStrategy

ec2:Region

reserved-instances arn:${Partition}:ec2:${Region}:${Account}:reserved-instances/${ReservationId}

aws:RequestTag/tag-key

aws:TagKeys

ec2:AvailabilityZone

ec2:InstanceType

ec2:Region

ec2:ReservedInstancesOfferingType

ec2:ResourceTag/tag-key

ec2:Tenancy

route-table arn:${Partition}:ec2:${Region}:${Account}:route-table/${RouteTableId}

aws:RequestTag/tag-key

aws:TagKeys

ec2:Region

ec2:ResourceTag/tag-key

ec2:Vpc

security-group arn:${Partition}:ec2:${Region}:${Account}:security-group/${SecurityGroupId}

aws:RequestTag/tag-key

aws:TagKeys

ec2:Region

ec2:ResourceTag/tag-key

ec2:Vpc

snapshot arn:${Partition}:ec2:${Region}::snapshot/${SnapshotId}

aws:RequestTag/tag-key

aws:TagKeys

ec2:Owner

ec2:ParentVolume

ec2:Region

ec2:ResourceTag/tag-key

ec2:SnapshotTime

ec2:VolumeSize

spot-instance-request arn:${Partition}:ec2:${Region}::spot-instance-request/${SpotInstanceRequestId}

aws:RequestTag/tag-key

aws:TagKeys

ec2:Region

ec2:ResourceTag/tag-key

subnet arn:${Partition}:ec2:${Region}:${Account}:subnet/${SubnetId}

aws:RequestTag/tag-key

aws:TagKeys

ec2:AvailabilityZone

ec2:Region

ec2:ResourceTag/tag-key

ec2:Vpc

volume arn:${Partition}:ec2:${Region}:${Account}:volume/${VolumeId}

aws:RequestTag/tag-key

aws:TagKeys

ec2:AvailabilityZone

ec2:Encrypted

ec2:ParentSnapshot

ec2:Region

ec2:ResourceTag/tag-key

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeType

vpc arn:${Partition}:ec2:${Region}:${Account}:vpc/${VpcId}

aws:RequestTag/tag-key

aws:TagKeys

ec2:Region

ec2:ResourceTag/tag-key

ec2:Tenancy

vpc-peering-connection arn:${Partition}:ec2:${Region}:${Account}:vpc-peering-connection/${VpcPeeringConnectionId}

ec2:AccepterVpc

ec2:Region

ec2:RequesterVpc

ec2:ResourceTag/tag-key

vpn-connection arn:${Partition}:ec2:${Region}:${Account}:vpn-connection/${VpnConnectionId}

aws:RequestTag/tag-key

aws:TagKeys

ec2:Region

ec2:ResourceTag/tag-key

vpn-gateway arn:${Partition}:ec2:${Region}:${Account}:vpn-gateway/${VpnGatewayId}

Condition Keys for Amazon EC2

Amazon EC2 defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

Condition Keys Description Type
aws:RequestTag/tag-key A tag key and value pair that is present in the request the user makes to the EC2 service. String
aws:TagKeys The list of all the tag key names associated with the resource in the request. String
ec2:AccepterVpc The ARN of an accepter VPC in a VPC peering connection. String
ec2:AuthorizedService The AWS service that has permission to use a resource. String
ec2:AuthorizedUser The IAM principal that has permission to use a resource. String
ec2:AvailabilityZone The name of an Availability Zone in a region. String
ec2:CreateAction The name of a resource-creating API action. String
ec2:EbsOptimized Whether the instance is enabled for EBS-optimization. String
ec2:Encrypted Whether the volume is encrypted. String
ec2:ImageType The name of the type of image. String
ec2:InstanceProfile The ARN of the instance profile. String
ec2:InstanceType The name of the instance type. String
ec2:IsLaunchTemplateResource Launch template resource flag. String
ec2:LaunchTemplate The ARN of the launch template. String
ec2:Owner The name or account ID of the owner. String
ec2:ParentSnapshot The ARN of the parent snapshot. String
ec2:ParentVolume The ARN of the parent volume. String
ec2:Permission The type of permission for a resource. String
ec2:PlacementGroup The ARN of the placement group. String
ec2:PlacementGroupStrategy The name of the placement group strategy. String
ec2:Public Whether the image is public. String
ec2:Region The name of the region. String
ec2:RequesterVpc The ARN of a requester VPC in a VPC peering connection. String
ec2:ReservedInstancesOfferingType The payment option for a Reserved Instance. String
ec2:ResourceTag/ The preface string for a tag key and value pair attached to a resource. String
ec2:ResourceTag/tag-key A tag key and value pair. String
ec2:RootDeviceType The root device type: ebs or instance-store. String
ec2:SnapshotTime The snapshot creation time. String
ec2:Subnet The ARN of the subnet. String
ec2:Tenancy The tenancy of the instance or VPC. String
ec2:VolumeIops The number of input/output operations per second. String
ec2:VolumeSize The size of the volume, in GiB. String
ec2:VolumeType The name of the type of volume. String
ec2:Vpc The ARN of the VPC. String
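
The tag keys above (aws:RequestTag/tag-key, aws:TagKeys, ec2:ResourceTag/tag-key) are the ones most often combined with the set operators ForAllValues and ForAnyValue, and the ForAllValues form has a documented trap: it evaluates to true when the key is absent from the request, so an Allow that relies on it alone also admits a request with no tags unless a Null condition requires the key to be present. The following Python is an added, simplified model of that evaluation written for illustration; it is not AWS's policy engine, only the operators used with these keys are modelled, and the request contexts it builds are constructed for the example.

```python
"""Simplified model of how the tag condition keys on this page are matched.
Added example: it mirrors the documented meaning of StringEquals,
StringLike, Null and the ForAllValues/ForAnyValue set operators for
illustration and is not AWS's policy engine.  Contexts are constructed."""
import fnmatch


def _values(ctx, key):
    """Context values for a key; [] when the key is absent from the request."""
    v = ctx.get(key)
    if v is None:
        return []
    return v if isinstance(v, list) else [v]


def _string_match(operator, actual, expected):
    if operator == "StringEquals":
        return actual in expected
    if operator == "StringLike":
        return any(fnmatch.fnmatchcase(actual, e) for e in expected)
    raise ValueError(f"operator not modelled here: {operator}")


def condition_matches(condition, ctx):
    """Evaluate a Condition block against a request context; every
    operator/key pair must hold for the block to match."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = expected if isinstance(expected, list) else [expected]
            actual = _values(ctx, key)
            if operator == "Null":
                # "true": the key must be absent; "false": it must be present.
                if (expected[0] == "true") == bool(actual):
                    return False
            elif operator.startswith("ForAllValues:"):
                # all() over an empty list is True: with no tags in the request
                # this passes, so an Allow built on it alone admits untagged calls.
                base = operator.split(":", 1)[1]
                if not all(_string_match(base, a, expected) for a in actual):
                    return False
            elif operator.startswith("ForAnyValue:"):
                base = operator.split(":", 1)[1]
                if not any(_string_match(base, a, expected) for a in actual):
                    return False
            elif len(actual) != 1 or not _string_match(operator, actual[0], expected):
                # Single-valued operators: an absent key (or, in this model, a
                # multivalued one) does not match.
                return False
    return True


def request_context(request_tags, resource_tags=None):
    """Derive the keys this page defines from the tags in a request and on
    the target resource: aws:RequestTag/<k>, aws:TagKeys, ec2:ResourceTag/<k>."""
    ctx = {f"aws:RequestTag/{k}": v for k, v in request_tags.items()}
    if request_tags:
        ctx["aws:TagKeys"] = list(request_tags)
    for k, v in (resource_tags or {}).items():
        ctx[f"ec2:ResourceTag/{k}"] = v
    return ctx


# Three ways of constraining tags on a Tagging-level action such as RunInstances.
REQUIRE_TEAM_TAG = {"StringEquals": {"aws:RequestTag/team": "web"}}
ONLY_KNOWN_KEYS = {"ForAllValues:StringEquals": {"aws:TagKeys": ["team", "Name"]}}
KNOWN_KEYS_AND_TAGGED = {
    "ForAllValues:StringEquals": {"aws:TagKeys": ["team", "Name"]},
    "Null": {"aws:TagKeys": "false"},
}
```

Run against a constructed untagged request, ONLY_KNOWN_KEYS matches and KNOWN_KEYS_AND_TAGGED does not; that difference is the whole reason for pairing ForAllValues with Null (or with a StringEquals on a specific aws:RequestTag/tag-key) whenever the statement is an Allow. For ec2:ResourceTag/tag-key the value comes from the tags already on the resource, so it constrains which existing instances, volumes or security groups an action may touch rather than what a request may create.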