Actions, resources, and condition keys for Amazon EC2

Amazon EC2 (service prefix: ec2) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Learn how to configure this service.
View a list of the API operations available for this service.
Learn how to secure this service and its resources by using IAM permission policies.

Topics

Actions defined by Amazon EC2
Resource types defined by Amazon EC2
Condition keys for Amazon EC2

Actions defined by Amazon EC2

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see Actions table.

Actions	Description	Access level	Resource types (*required)	Condition keys	Dependent actions
AcceptReservedInstancesExchangeQuote	Grants permission to accept a Convertible Reserved Instance exchange quote	Write		ec2:Region
AcceptTransitGatewayMulticastDomainAssociations	Grants permission to accept a request to associate subnets with a transit gateway multicast domain	Write	transit-gateway-attachment	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			transit-gateway-multicast-domain	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
AcceptTransitGatewayPeeringAttachment	Grants permission to accept a transit gateway peering attachment request	Write	transit-gateway-attachment*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
AcceptTransitGatewayPeeringAttachment		Write		ec2:Region
AcceptTransitGatewayVpcAttachment	Grants permission to accept a request to attach a VPC to a transit gateway	Write	transit-gateway-attachment*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
AcceptTransitGatewayVpcAttachment		Write		ec2:Region
AcceptVpcEndpointConnections	Grants permission to accept one or more interface VPC endpoint connections to your VPC endpoint service	Write	vpc-endpoint-service*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
AcceptVpcEndpointConnections		Write		ec2:Region
AcceptVpcPeeringConnection	Grants permission to accept a VPC peering connection request	Write	vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
			vpc-peering-connection*	aws:ResourceTag/${TagKey} ec2:AccepterVpc ec2:RequesterVpc ec2:ResourceTag/${TagKey} ec2:VpcPeeringConnectionID
				ec2:Region
AdvertiseByoipCidr	Grants permission to advertise an IP address range that is provisioned for use in AWS through bring your own IP addresses (BYOIP)	Write		ec2:Region
AllocateAddress	Grants permission to allocate an Elastic IP address (EIP) to your account	Write	elastic-ip*		ec2:CreateTags
			ipv4pool-ec2	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
AllocateHosts	Grants permission to allocate a Dedicated Host to your account	Write	dedicated-host*	ec2:AutoPlacement ec2:AvailabilityZone ec2:HostRecovery ec2:InstanceType ec2:Quantity	ec2:CreateTags
AllocateHosts		Write		aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
AllocateIpamPoolCidr	Grants permission to allocate a CIDR from an Amazon VPC IP Address Manager (IPAM) pool	Write	ipam-pool*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
AllocateIpamPoolCidr		Write		ec2:Region
ApplySecurityGroupsToClientVpnTargetNetwork	Grants permission to apply a security group to the association between a Client VPN endpoint and a target network	Write	client-vpn-endpoint*	aws:ResourceTag/${TagKey} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
			security-group*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID
			vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:VpcID
				ec2:Region
AssignIpv6Addresses	Grants permission to assign one or more IPv6 addresses to a network interface	Write	network-interface*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
AssignIpv6Addresses		Write		ec2:Region
AssignPrivateIpAddresses	Grants permission to assign one or more secondary private IP addresses to a network interface	Write	network-interface*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
AssignPrivateIpAddresses		Write		ec2:Region
AssociateAddress	Grants permission to associate an Elastic IP address (EIP) with an instance or a network interface	Write	elastic-ip	aws:ResourceTag/${TagKey} ec2:AllocationId ec2:Domain ec2:PublicIpAddress ec2:ResourceTag/${TagKey}
			instance	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
			network-interface	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
				ec2:Region
AssociateClientVpnTargetNetwork	Grants permission to associate a target network with a Client VPN endpoint	Write	client-vpn-endpoint*	aws:ResourceTag/${TagKey} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
			subnet*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SubnetID
				ec2:Region
AssociateDhcpOptions	Grants permission to associate or disassociate a set of DHCP options with a VPC	Write	dhcp-options*	aws:ResourceTag/${TagKey} ec2:DhcpOptionsID ec2:ResourceTag/${TagKey}
			vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
				ec2:Region
AssociateEnclaveCertificateIamRole	Grants permission to associate an ACM certificate with an IAM role to be used in an EC2 Enclave	Write	certificate*
			role*
				ec2:Region
AssociateIamInstanceProfile	Grants permission to associate an IAM instance profile with a running or stopped instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:NewInstanceProfile ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy	iam:PassRole
AssociateIamInstanceProfile		Write		ec2:Region
AssociateInstanceEventWindow	Grants permission to associate one or more targets with an event window	Write	instance-event-window*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
AssociateInstanceEventWindow		Write		ec2:Region
AssociateRouteTable	Grants permission to associate a subnet or gateway with a route table	Write	route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:RouteTableID ec2:Vpc
			internet-gateway	aws:ResourceTag/${TagKey} ec2:InternetGatewayID ec2:ResourceTag/${TagKey}
			subnet	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
			vpn-gateway	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
AssociateSubnetCidrBlock	Grants permission to associate a CIDR block with a subnet	Write	subnet*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
AssociateSubnetCidrBlock	Grants permission to associate a CIDR block with a subnet	Write		ec2:Region
AssociateTransitGatewayMulticastDomain	Grants permission to associate an attachment and list of subnets with a transit gateway multicast domain	Write	subnet*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
			transit-gateway-attachment*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			transit-gateway-multicast-domain*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
AssociateTransitGatewayPolicyTable	Grants permission to associate a policy table with a transit gateway attachment	Write	transit-gateway-attachment*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			transit-gateway-policy-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
AssociateTransitGatewayRouteTable	Grants permission to associate an attachment with a transit gateway route table	Write	transit-gateway-attachment*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			transit-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
AssociateTrunkInterface	Grants permission to associate a branch network interface with a trunk network interface	Write		ec2:Region
AssociateVpcCidrBlock	Grants permission to associate a CIDR block with a VPC	Write	vpc*	aws:ResourceTag/${TagKey} ec2:Ipv4IpamPoolId ec2:Ipv6IpamPoolId ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
			ipam-pool	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			ipv6pool-ec2	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
AttachClassicLinkVpc	Grants permission to link an EC2-Classic instance to a ClassicLink-enabled VPC through one or more of the VPC's security groups	Write	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:EbsOptimized ec2:InstanceID ec2:InstanceMarketType ec2:InstanceProfile ec2:InstanceType ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
			security-group*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
			vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
				ec2:Region
AttachInternetGateway	Grants permission to attach an internet gateway to a VPC	Write	internet-gateway*	aws:ResourceTag/${TagKey} ec2:InternetGatewayID ec2:ResourceTag/${TagKey}
			vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
				ec2:Region
AttachNetworkInterface	Grants permission to attach a network interface to an instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
			network-interface*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
				ec2:Region
AttachVolume	Grants permission to attach an EBS volume to a running or stopped instance and expose it to the instance with the specified device name	Write	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:EbsOptimized ec2:InstanceID ec2:InstanceMarketType ec2:InstanceProfile ec2:InstanceType ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
			volume*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:Encrypted ec2:ParentSnapshot ec2:ResourceTag/${TagKey} ec2:VolumeID ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType
				ec2:Region
AttachVpnGateway	Grants permission to attach a virtual private gateway to a VPC	Write	vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
			vpn-gateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
AuthorizeClientVpnIngress	Grants permission to add an inbound authorization rule to a Client VPN endpoint	Write	client-vpn-endpoint*	aws:ResourceTag/${TagKey} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
AuthorizeClientVpnIngress		Write		ec2:Region
AuthorizeSecurityGroupEgress	Grants permission to add one or more outbound rules to a VPC security group	Write	security-group*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc	ec2:CreateTags
			security-group-rule*
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
AuthorizeSecurityGroupIngress	Grants permission to add one or more inbound rules to a security group	Write	security-group*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc	ec2:CreateTags
			security-group-rule*
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
BundleInstance	Grants permission to bundle an instance store-backed Windows instance	Write		ec2:Region
CancelBundleTask	Grants permission to cancel a bundling operation	Write		ec2:Region
CancelCapacityReservation	Grants permission to cancel a Capacity Reservation and release the reserved capacity	Write	capacity-reservation*	aws:ResourceTag/${TagKey} ec2:CapacityReservationFleet ec2:ResourceTag/${TagKey}
CancelCapacityReservation		Write		ec2:Region
CancelCapacityReservationFleets	Grants permission to cancel one or more Capacity Reservation Fleets	Write	capacity-reservation-fleet*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
CancelCapacityReservationFleets		Write		ec2:Region
CancelConversionTask	Grants permission to cancel an active conversion task	Write		ec2:Region
CancelExportTask	Grants permission to cancel an active export task	Write	export-image-task	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			export-instance-task	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
CancelImportTask	Grants permission to cancel an in-process import virtual machine or import snapshot task	Write	import-image-task	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			import-snapshot-task	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
CancelReservedInstancesListing	Grants permission to cancel a Reserved Instance listing on the Reserved Instance Marketplace	Write		ec2:Region
CancelSpotFleetRequests	Grants permission to cancel one or more Spot Fleet requests	Write	spot-fleet-request*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
CancelSpotFleetRequests	Grants permission to cancel one or more Spot Fleet requests	Write		ec2:Region
CancelSpotInstanceRequests	Grants permission to cancel one or more Spot Instance requests	Write	spot-instances-request*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
CancelSpotInstanceRequests		Write		ec2:Region
ConfirmProductInstance	Grants permission to determine whether an owned product code is associated with an instance	Write		ec2:Region
CopyFpgaImage	Grants permission to copy a source Amazon FPGA image (AFI) to the current Region. Resource-level permissions specified for this action apply to the new AFI only. They do not apply to the source AFI	Write	fpga-image*	ec2:Owner
CopyFpgaImage		Write		ec2:Region
CopyImage	Grants permission to copy an Amazon Machine Image (AMI) from a source Region to the current Region. Resource-level permissions specified for this action apply to the new AMI only. They do not apply to the source AMI	Write	image*	ec2:ImageID ec2:Owner
CopyImage		Write		ec2:Region
CopySnapshot	Grants permission to copy a point-in-time snapshot of an EBS volume and store it in Amazon S3. Resource-level permissions specified for this action apply to the new snapshot only. They do not apply to the source snapshot	Write	snapshot*	ec2:OutpostArn ec2:SnapshotID ec2:SourceOutpostArn	ec2:CreateTags
CopySnapshot		Write		aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateCapacityReservation	Grants permission to create a Capacity Reservation	Write	capacity-reservation*	ec2:CapacityReservationFleet	ec2:CreateTags
CreateCapacityReservation	Grants permission to create a Capacity Reservation	Write		aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateCapacityReservationFleet	Grants permission to create a Capacity Reservation Fleet	Write	capacity-reservation-fleet*		ec2:CreateTags
CreateCapacityReservationFleet	Grants permission to create a Capacity Reservation Fleet	Write		aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateCarrierGateway	Grants permission to create a carrier gateway and provides CSP connectivity to VPC customers	Write	carrier-gateway*		ec2:CreateTags
			vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateClientVpnEndpoint	Grants permission to create a Client VPN endpoint	Write	client-vpn-endpoint*	ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:SamlProviderArn ec2:ServerCertificateArn	ec2:CreateTags
			security-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID
			vpc	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:VpcID
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateClientVpnRoute	Grants permission to add a network route to a Client VPN endpoint's route table	Write	client-vpn-endpoint*	aws:ResourceTag/${TagKey} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
			subnet*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SubnetID
				ec2:Region
CreateCoipPoolPermission [permission only]	Grants permission to allow a service to access a customer owned IP (CoIP) pool	Write		ec2:Region
CreateCustomerGateway	Grants permission to create a customer gateway, which provides information to AWS about your customer gateway device	Write	customer-gateway*		ec2:CreateTags
CreateCustomerGateway		Write		aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateDefaultSubnet	Grants permission to create a default subnet in a specified Availability Zone in a default VPC	Write		ec2:Region
CreateDefaultVpc	Grants permission to create a default VPC with a default subnet in each Availability Zone	Write		ec2:Region
CreateDhcpOptions	Grants permission to create a set of DHCP options for a VPC	Write	dhcp-options*	ec2:DhcpOptionsID	ec2:CreateTags
CreateDhcpOptions	Grants permission to create a set of DHCP options for a VPC	Write		aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateEgressOnlyInternetGateway	Grants permission to create an egress-only internet gateway for a VPC	Write	egress-only-internet-gateway*		ec2:CreateTags
			vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateFleet	Grants permission to launch an EC2 Fleet	Write	fleet*		ec2:CreateTags
			instance*	ec2:AvailabilityZone ec2:EbsOptimized ec2:InstanceID ec2:InstanceProfile ec2:InstanceType ec2:PlacementGroup ec2:RootDeviceType ec2:Tenancy
			image	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
			key-pair	aws:ResourceTag/${TagKey} ec2:KeyPairName ec2:KeyPairType ec2:ResourceTag/${TagKey}
			launch-template	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			network-interface	aws:ResourceTag/${TagKey} ec2:AssociatePublicIpAddress ec2:AuthorizedService ec2:AvailabilityZone ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
			placement-group	aws:ResourceTag/${TagKey} ec2:PlacementGroupName ec2:PlacementGroupStrategy ec2:ResourceTag/${TagKey}
			security-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
			snapshot	aws:ResourceTag/${TagKey} ec2:Owner ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:SnapshotID ec2:SnapshotTime ec2:VolumeSize
			subnet	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
			volume	ec2:AvailabilityZone ec2:Encrypted ec2:KmsKeyId ec2:ParentSnapshot ec2:VolumeID ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateFlowLogs	Grants permission to create one or more flow logs to capture IP traffic for a network interface	Write	vpc-flow-log*		ec2:CreateTags iam:PassRole
			network-interface	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
			subnet	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
			vpc	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateFpgaImage	Grants permission to create an Amazon FPGA Image (AFI) from a design checkpoint (DCP)	Write	fpga-image*	ec2:Owner ec2:Public	ec2:CreateTags
CreateFpgaImage		Write		aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateImage	Grants permission to create an Amazon EBS-backed AMI from a stopped or running Amazon EBS-backed instance	Write	image*	ec2:ImageID ec2:Owner	ec2:CreateTags
			instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
			snapshot*	ec2:OutpostArn ec2:Owner ec2:ParentVolume ec2:SnapshotID ec2:SnapshotTime ec2:SourceOutpostArn ec2:VolumeSize
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateInstanceEventWindow	Grants permission to create an event window in which scheduled events for the associated Amazon EC2 instances can run	Write	instance-event-window*		ec2:CreateTags
CreateInstanceEventWindow		Write		aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateInstanceExportTask	Grants permission to export a running or stopped instance to an Amazon S3 bucket	Write	export-instance-task*		ec2:CreateTags
			instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateInternetGateway	Grants permission to create an internet gateway for a VPC	Write	internet-gateway*	ec2:InternetGatewayID	ec2:CreateTags
CreateInternetGateway	Grants permission to create an internet gateway for a VPC	Write		aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateIpam	Grants permission to create an Amazon VPC IP Address Manager (IPAM)	Write	ipam*		ec2:CreateTags iam:CreateServiceLinkedRole
CreateIpam		Write		aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateIpamPool	Grants permission to create an IP address pool for Amazon VPC IP Address Manager (IPAM), which is a collection of contiguous IP address CIDRs	Write	ipam-pool*		ec2:CreateTags
			ipam-scope*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateIpamScope	Grants permission to create an Amazon VPC IP Address Manager (IPAM) scope, which is the highest-level container within IPAM	Write	ipam*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}	ec2:CreateTags
			ipam-scope*
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateKeyPair	Grants permission to create a 2048-bit RSA key pair	Write	key-pair*	ec2:KeyPairType	ec2:CreateTags
CreateKeyPair	Grants permission to create a 2048-bit RSA key pair	Write		aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateLaunchTemplate	Grants permission to create a launch template	Write	launch-template*		ec2:CreateTags
CreateLaunchTemplate	Grants permission to create a launch template	Write		aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateLaunchTemplateVersion	Grants permission to create a new version of a launch template	Write	launch-template*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
CreateLaunchTemplateVersion		Write		ec2:Region
CreateLocalGatewayRoute	Grants permission to create a static route for a local gateway route table	Write	local-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			local-gateway-virtual-interface-group*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
CreateLocalGatewayRouteTablePermission [permission only]	Grants permission to allow a service to access a local gateway route table	Write	local-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
CreateLocalGatewayRouteTablePermission [permission only]		Write		ec2:Region
CreateLocalGatewayRouteTableVpcAssociation	Grants permission to associate a VPC with a local gateway route table	Write	local-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}	ec2:CreateTags
			local-gateway-route-table-vpc-association*
			vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateManagedPrefixList	Grants permission to create a managed prefix list	Write	prefix-list*		ec2:CreateTags
CreateManagedPrefixList	Grants permission to create a managed prefix list	Write		aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateNatGateway	Grants permission to create a NAT gateway in a subnet	Write	natgateway*		ec2:CreateTags
			subnet*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
			elastic-ip	aws:ResourceTag/${TagKey} ec2:AllocationId ec2:Domain ec2:PublicIpAddress ec2:ResourceTag/${TagKey}
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateNetworkAcl	Grants permission to create a network ACL in a VPC	Write	network-acl*	ec2:NetworkAclID	ec2:CreateTags
			vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateNetworkAclEntry	Grants permission to create a numbered entry (a rule) in a network ACL	Write	network-acl*	aws:ResourceTag/${TagKey} ec2:NetworkAclID ec2:ResourceTag/${TagKey} ec2:Vpc
CreateNetworkAclEntry		Write		ec2:Region
CreateNetworkInsightsAccessScope	Grants permission to create a Network Access Scope	Write	network-insights-access-scope*		ec2:CreateTags
CreateNetworkInsightsAccessScope	Grants permission to create a Network Access Scope	Write		aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateNetworkInsightsPath	Grants permission to create a path to analyze for reachability	Write	network-insights-path*		ec2:CreateTags
			instance	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:EbsOptimized ec2:InstanceID ec2:InstanceProfile ec2:InstanceType ec2:PlacementGroup ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
			internet-gateway	aws:ResourceTag/${TagKey} ec2:InternetGatewayID ec2:ResourceTag/${TagKey}
			network-interface	aws:ResourceTag/${TagKey} ec2:AssociatePublicIpAddress ec2:AuthorizedService ec2:AvailabilityZone ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
			transit-gateway	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			vpc-endpoint	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			vpc-peering-connection	aws:ResourceTag/${TagKey} ec2:AccepterVpc ec2:RequesterVpc ec2:ResourceTag/${TagKey} ec2:VpcPeeringConnectionID
			vpn-gateway	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateNetworkInterface	Grants permission to create a network interface in a subnet	Write	network-interface*	ec2:NetworkInterfaceID	ec2:CreateTags
			subnet*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
			security-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateNetworkInterfacePermission	Grants permission to create a permission for an AWS-authorized user to perform certain operations on a network interface	Permissions management	network-interface*	aws:ResourceTag/${TagKey} ec2:AuthorizedService ec2:AuthorizedUser ec2:AvailabilityZone ec2:NetworkInterfaceID ec2:Permission ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
CreateNetworkInterfacePermission		Permissions management		ec2:Region
CreatePlacementGroup	Grants permission to create a placement group	Write	placement-group*	ec2:PlacementGroupName ec2:PlacementGroupStrategy	ec2:CreateTags
CreatePlacementGroup	Grants permission to create a placement group	Write		aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreatePublicIpv4Pool	Grants permission to create a public IPv4 address pool for public IPv4 CIDRs that you own and bring to Amazon to manage with Amazon VPC IP Address Manager (IPAM)	Write	network-insights-access-scope*		ec2:CreateTags
CreatePublicIpv4Pool		Write		aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateReplaceRootVolumeTask	Grants permission to create a root volume replacement task	Write	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy	ec2:CreateTags
			replace-root-volume-task*
			volume*	ec2:VolumeID
			snapshot	aws:ResourceTag/${TagKey} ec2:Owner ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:SnapshotID ec2:SnapshotTime ec2:VolumeSize
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateReservedInstancesListing	Grants permission to create a listing for Standard Reserved Instances to be sold in the Reserved Instance Marketplace	Write		ec2:Region
CreateRestoreImageTask	Grants permission to start a task that restores an AMI from an S3 object previously created by using CreateStoreImageTask	Write	image*	ec2:ImageID ec2:Owner	ec2:CreateTags
CreateRestoreImageTask		Write		aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateRoute	Grants permission to create a route in a VPC route table	Write	route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:RouteTableID ec2:Vpc
CreateRoute	Grants permission to create a route in a VPC route table	Write		ec2:Region
CreateRouteTable	Grants permission to create a route table for a VPC	Write	route-table*	ec2:RouteTableID	ec2:CreateTags
			vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateSecurityGroup	Grants permission to create a security group	Write	security-group*	ec2:SecurityGroupID	ec2:CreateTags
			vpc	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateSnapshot	Grants permission to create a snapshot of an EBS volume and store it in Amazon S3	Write	snapshot*	ec2:OutpostArn ec2:ParentVolume ec2:SnapshotID ec2:SourceOutpostArn ec2:VolumeSize	ec2:CreateTags
			volume*	aws:ResourceTag/${TagKey} ec2:Encrypted ec2:ResourceTag/${TagKey} ec2:VolumeID ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateSnapshots	Grants permission to create crash-consistent snapshots of multiple EBS volumes and store them in Amazon S3	Write	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:EbsOptimized ec2:InstanceID ec2:InstanceProfile ec2:InstanceType ec2:PlacementGroup ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy	ec2:CreateTags
			snapshot*	ec2:OutpostArn ec2:ParentVolume ec2:SnapshotID ec2:SourceOutpostArn ec2:VolumeSize
			volume*	aws:ResourceTag/${TagKey} ec2:Encrypted ec2:ResourceTag/${TagKey} ec2:VolumeID ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateSpotDatafeedSubscription	Grants permission to create a data feed for Spot Instances to view Spot Instance usage logs	Write		ec2:Region
CreateStoreImageTask	Grants permission to store an AMI as a single object in an S3 bucket	Write	image*	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
CreateStoreImageTask		Write		ec2:Region
CreateSubnet	Grants permission to create a subnet in a VPC	Write	subnet*	ec2:SubnetID	ec2:CreateTags
			vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateSubnetCidrReservation	Grants permission to create a subnet CIDR reservation	Write		ec2:Region
CreateTags	Grants permission to add or overwrite one or more tags for Amazon EC2 resources	Tagging	capacity-reservation	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			capacity-reservation-fleet	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			carrier-gateway	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:Vpc
			client-vpn-endpoint	aws:ResourceTag/${TagKey} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
			customer-gateway	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			dedicated-host	aws:ResourceTag/${TagKey} ec2:AutoPlacement ec2:AvailabilityZone ec2:HostRecovery ec2:InstanceType ec2:Quantity ec2:ResourceTag/${TagKey}
			dhcp-options	aws:ResourceTag/${TagKey} ec2:DhcpOptionsID ec2:ResourceTag/${TagKey}
			egress-only-internet-gateway	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			elastic-gpu	aws:ResourceTag/${TagKey} ec2:ElasticGpuType ec2:ResourceTag/${TagKey}
			elastic-ip	aws:ResourceTag/${TagKey} ec2:AllocationId ec2:Domain ec2:PublicIpAddress ec2:ResourceTag/${TagKey}
			export-image-task	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			export-instance-task	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			fleet	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			fpga-image	aws:ResourceTag/${TagKey} ec2:Owner ec2:Public ec2:ResourceTag/${TagKey}
			host-reservation	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			image	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
			import-image-task	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			import-snapshot-task	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			instance	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
			instance-event-window	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			internet-gateway	aws:ResourceTag/${TagKey} ec2:InternetGatewayID ec2:ResourceTag/${TagKey}
			ipam	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			ipam-pool	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			ipam-scope	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			ipv4pool-ec2	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			ipv6pool-ec2	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			key-pair	aws:ResourceTag/${TagKey} ec2:KeyPairName ec2:KeyPairType ec2:ResourceTag/${TagKey}
			launch-template	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			local-gateway	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			local-gateway-route-table	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			local-gateway-route-table-virtual-interface-group-association	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			local-gateway-route-table-vpc-association	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			local-gateway-virtual-interface	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			local-gateway-virtual-interface-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			natgateway	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			network-acl	aws:ResourceTag/${TagKey} ec2:NetworkAclID ec2:ResourceTag/${TagKey} ec2:Vpc
			network-insights-access-scope	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			network-insights-access-scope-analysis	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			network-insights-analysis	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			network-insights-path	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			network-interface	aws:ResourceTag/${TagKey} ec2:AssociatePublicIpAddress ec2:AuthorizedService ec2:AuthorizedUser ec2:AvailabilityZone ec2:NetworkInterfaceID ec2:Permission ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
			placement-group	aws:ResourceTag/${TagKey} ec2:PlacementGroupName ec2:PlacementGroupStrategy ec2:ResourceTag/${TagKey}
			prefix-list	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			replace-root-volume-task	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			reserved-instances	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:InstanceType ec2:ReservedInstancesOfferingType ec2:ResourceTag/${TagKey} ec2:Tenancy
			route-table	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:RouteTableID ec2:Vpc
			security-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
			security-group-rule	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			snapshot	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:Encrypted ec2:Owner ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:SnapshotID ec2:SnapshotTime ec2:VolumeSize
			spot-fleet-request	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			spot-instances-request	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			subnet	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
			subnet-cidr-reservation	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			traffic-mirror-filter	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			traffic-mirror-session	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			traffic-mirror-target	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			transit-gateway	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			transit-gateway-attachment	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			transit-gateway-connect-peer	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			transit-gateway-multicast-domain	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			transit-gateway-policy-table	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			transit-gateway-route-table	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			transit-gateway-route-table-announcement	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			volume	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:Encrypted ec2:ParentSnapshot ec2:ResourceTag/${TagKey} ec2:VolumeID ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType
vpc	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
vpc-endpoint	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
vpc-endpoint-service	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:VpceServicePrivateDnsName
vpc-flow-log	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
vpc-peering-connection	aws:ResourceTag/${TagKey} ec2:AccepterVpc ec2:RequesterVpc ec2:ResourceTag/${TagKey} ec2:VpcPeeringConnectionID
vpn-connection	aws:ResourceTag/${TagKey} ec2:AuthenticationType ec2:DPDTimeoutSeconds ec2:GatewayType ec2:IKEVersions ec2:InsideTunnelCidr ec2:InsideTunnelIpv6Cidr ec2:Phase1DHGroup ec2:Phase1EncryptionAlgorithms ec2:Phase1IntegrityAlgorithms ec2:Phase1LifetimeSeconds ec2:Phase2DHGroup ec2:Phase2EncryptionAlgorithms ec2:Phase2IntegrityAlgorithms ec2:Phase2LifetimeSeconds ec2:PreSharedKeys ec2:RekeyFuzzPercentage ec2:RekeyMarginTimeSeconds ec2:ReplayWindowSizePackets ec2:ResourceTag/${TagKey} ec2:RoutingType
vpn-gateway	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
	ec2:CreateAction ec2:Region
CreateTrafficMirrorFilter	Grants permission to create a traffic mirror filter	Write	traffic-mirror-filter*		ec2:CreateTags
CreateTrafficMirrorFilter	Grants permission to create a traffic mirror filter	Write		aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateTrafficMirrorFilterRule	Grants permission to create a traffic mirror filter rule	Write	traffic-mirror-filter*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
CreateTrafficMirrorFilterRule	Grants permission to create a traffic mirror filter rule	Write		ec2:Region
CreateTrafficMirrorSession	Grants permission to create a traffic mirror session	Write	network-interface*	aws:ResourceTag/${TagKey} ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey}	ec2:CreateTags
			traffic-mirror-filter*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			traffic-mirror-session*
			traffic-mirror-target*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateTrafficMirrorTarget	Grants permission to create a traffic mirror target	Write	traffic-mirror-target*		ec2:CreateTags
			network-interface	aws:ResourceTag/${TagKey} ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey}
			vpc-endpoint	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:VpceServiceName ec2:VpceServiceOwner
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateTransitGateway	Grants permission to create a transit gateway	Write	transit-gateway*		ec2:CreateTags
CreateTransitGateway	Grants permission to create a transit gateway	Write		aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateTransitGatewayConnect	Grants permission to create a Connect attachment from a specified transit gateway attachment	Write	transit-gateway-attachment*		ec2:CreateTags
CreateTransitGatewayConnect		Write		aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateTransitGatewayConnectPeer	Grants permission to create a Connect peer between a transit gateway and an appliance	Write	transit-gateway-attachment*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}	ec2:CreateTags
			transit-gateway-connect-peer*
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateTransitGatewayMulticastDomain	Grants permission to create a multicast domain for a transit gateway	Write	transit-gateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}	ec2:CreateTags
			transit-gateway-multicast-domain*
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateTransitGatewayPeeringAttachment	Grants permission to request a transit gateway peering attachment between a requester and accepter transit gateway	Write	transit-gateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}	ec2:CreateTags
			transit-gateway-attachment*
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateTransitGatewayPolicyTable	Grants permission to create a transit gateway policy table	Write	transit-gateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}	ec2:CreateTags
			transit-gateway-policy-table*
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateTransitGatewayPrefixListReference	Grants permission to create a transit gateway prefix list reference	Write	prefix-list*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			transit-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			transit-gateway-attachment	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
CreateTransitGatewayRoute	Grants permission to create a static route for a transit gateway route table	Write	transit-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			transit-gateway-attachment	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
CreateTransitGatewayRouteTable	Grants permission to create a route table for a transit gateway	Write	transit-gateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}	ec2:CreateTags
			transit-gateway-route-table*
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateTransitGatewayRouteTableAnnouncement	Grants permission to create an announcement for a transit gateway route table	Write	transit-gateway-attachment*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}	ec2:CreateTags
			transit-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			transit-gateway-route-table-announcement*
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateTransitGatewayVpcAttachment	Grants permission to attach a VPC to a transit gateway	Write	transit-gateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}	ec2:CreateTags
			transit-gateway-attachment*
			vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
			subnet	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateVolume	Grants permission to create an EBS volume	Write	volume*	ec2:AvailabilityZone ec2:Encrypted ec2:KmsKeyId ec2:ParentSnapshot ec2:VolumeID ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType	ec2:CreateTags
CreateVolume	Grants permission to create an EBS volume	Write		aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateVpc	Grants permission to create a VPC with a specified CIDR block	Write	vpc*	ec2:Ipv4IpamPoolId ec2:Ipv6IpamPoolId ec2:VpcID	ec2:CreateTags
			ipam-pool	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			ipv6pool-ec2	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateVpcEndpoint	Grants permission to create a VPC endpoint for an AWS service	Write	vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:VpcID	ec2:CreateTags route53:AssociateVPCWithHostedZone
			vpc-endpoint*	ec2:VpceServiceName ec2:VpceServiceOwner
			route-table	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:RouteTableID
			security-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID
			subnet	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SubnetID
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateVpcEndpointConnectionNotification	Grants permission to create a connection notification for a VPC endpoint or VPC endpoint service	Write	vpc-endpoint	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
CreateVpcEndpointConnectionNotification		Write		ec2:Region
CreateVpcEndpointServiceConfiguration	Grants permission to create a VPC endpoint service configuration to which service consumers (AWS accounts, IAM users, and IAM roles) can connect	Write	vpc-endpoint-service*	ec2:VpceServicePrivateDnsName	ec2:CreateTags
CreateVpcEndpointServiceConfiguration		Write		aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateVpcPeeringConnection	Grants permission to request a VPC peering connection between two VPCs	Write	vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID	ec2:CreateTags
			vpc-peering-connection*	ec2:AccepterVpc ec2:RequesterVpc ec2:VpcPeeringConnectionID
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateVpnConnection	Grants permission to create a VPN connection between a virtual private gateway or transit gateway and a customer gateway	Write	customer-gateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}	ec2:CreateTags
			vpn-connection*	ec2:AuthenticationType ec2:DPDTimeoutSeconds ec2:GatewayType ec2:IKEVersions ec2:InsideTunnelCidr ec2:InsideTunnelIpv6Cidr ec2:Phase1DHGroup ec2:Phase1EncryptionAlgorithms ec2:Phase1IntegrityAlgorithms ec2:Phase1LifetimeSeconds ec2:Phase2DHGroup ec2:Phase2EncryptionAlgorithms ec2:Phase2IntegrityAlgorithms ec2:Phase2LifetimeSeconds ec2:PreSharedKeys ec2:RekeyFuzzPercentage ec2:RekeyMarginTimeSeconds ec2:ReplayWindowSizePackets ec2:RoutingType
			transit-gateway	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			transit-gateway-attachment	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			vpn-gateway	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
CreateVpnConnectionRoute	Grants permission to create a static route for a VPN connection between a virtual private gateway and a customer gateway	Write	vpn-connection*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
CreateVpnConnectionRoute		Write		ec2:Region
CreateVpnGateway	Grants permission to create a virtual private gateway	Write	vpn-gateway*		ec2:CreateTags
CreateVpnGateway	Grants permission to create a virtual private gateway	Write		aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
DeleteCarrierGateway	Grants permission to delete a carrier gateway	Write	carrier-gateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteCarrierGateway	Grants permission to delete a carrier gateway	Write		ec2:Region
DeleteClientVpnEndpoint	Grants permission to delete a Client VPN endpoint	Write	client-vpn-endpoint*	aws:ResourceTag/${TagKey} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
DeleteClientVpnEndpoint	Grants permission to delete a Client VPN endpoint	Write		ec2:Region
DeleteClientVpnRoute	Grants permission to delete a route from a Client VPN endpoint	Write	client-vpn-endpoint*	aws:ResourceTag/${TagKey} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
			subnet	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
				ec2:Region
DeleteCoipPoolPermission [permission only]	Grants permission to deny a service from accessing a customer owned IP (CoIP) pool	Write		ec2:Region
DeleteCustomerGateway	Grants permission to delete a customer gateway	Write	customer-gateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteCustomerGateway	Grants permission to delete a customer gateway	Write		ec2:Region
DeleteDhcpOptions	Grants permission to delete a set of DHCP options	Write	dhcp-options*	aws:ResourceTag/${TagKey} ec2:DhcpOptionsID ec2:ResourceTag/${TagKey}
DeleteDhcpOptions	Grants permission to delete a set of DHCP options	Write		ec2:Region
DeleteEgressOnlyInternetGateway	Grants permission to delete an egress-only internet gateway	Write	egress-only-internet-gateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteEgressOnlyInternetGateway	Grants permission to delete an egress-only internet gateway	Write		ec2:Region
DeleteFleets	Grants permission to delete one or more EC2 Fleets	Write	fleet*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteFleets	Grants permission to delete one or more EC2 Fleets	Write		ec2:Region
DeleteFlowLogs	Grants permission to delete one or more flow logs	Write	vpc-flow-log*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteFlowLogs	Grants permission to delete one or more flow logs	Write		ec2:Region
DeleteFpgaImage	Grants permission to delete an Amazon FPGA Image (AFI)	Write	fpga-image*	aws:ResourceTag/${TagKey} ec2:Owner ec2:Public ec2:ResourceTag/${TagKey}
DeleteFpgaImage	Grants permission to delete an Amazon FPGA Image (AFI)	Write		ec2:Region
DeleteInstanceEventWindow	Grants permission to delete the specified event window	Write	instance-event-window*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteInstanceEventWindow	Grants permission to delete the specified event window	Write		ec2:Region
DeleteInternetGateway	Grants permission to delete an internet gateway	Write	internet-gateway*	aws:ResourceTag/${TagKey} ec2:InternetGatewayID ec2:ResourceTag/${TagKey}
DeleteInternetGateway	Grants permission to delete an internet gateway	Write		ec2:Region
DeleteIpam	Grants permission to delete an Amazon VPC IP Address Manager (IPAM) and remove all monitored data associated with the IPAM including the historical data for CIDRs	Write	ipam*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteIpam		Write		ec2:Region
DeleteIpamPool	Grants permission to delete an Amazon VPC IP Address Manager (IPAM) pool	Write	ipam-pool*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteIpamPool		Write		ec2:Region
DeleteIpamScope	Grants permission to delete the scope for an Amazon VPC IP Address Manager (IPAM)	Write	ipam-scope*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteIpamScope		Write		ec2:Region
DeleteKeyPair	Grants permission to delete a key pair by removing the public key from Amazon EC2	Write	key-pair	aws:ResourceTag/${TagKey} ec2:KeyPairName ec2:KeyPairType ec2:ResourceTag/${TagKey}
DeleteKeyPair		Write		ec2:Region
DeleteLaunchTemplate	Grants permission to delete a launch template and its associated versions	Write	launch-template*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteLaunchTemplate		Write		ec2:Region
DeleteLaunchTemplateVersions	Grants permission to delete one or more versions of a launch template	Write	launch-template*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteLaunchTemplateVersions		Write		ec2:Region
DeleteLocalGatewayRoute	Grants permission to delete a route from a local gateway route table	Write	local-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteLocalGatewayRoute		Write		ec2:Region
DeleteLocalGatewayRouteTablePermission [permission only]	Grants permission to deny a service from accessing a local gateway route table	Write	local-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteLocalGatewayRouteTablePermission [permission only]		Write		ec2:Region
DeleteLocalGatewayRouteTableVpcAssociation	Grants permission to delete an association between a VPC and local gateway route table	Write	local-gateway-route-table-vpc-association*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteLocalGatewayRouteTableVpcAssociation		Write		ec2:Region
DeleteManagedPrefixList	Grants permission to delete a managed prefix list	Write	prefix-list*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteManagedPrefixList	Grants permission to delete a managed prefix list	Write		ec2:Region
DeleteNatGateway	Grants permission to delete a NAT gateway	Write	natgateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteNatGateway	Grants permission to delete a NAT gateway	Write		ec2:Region
DeleteNetworkAcl	Grants permission to delete a network ACL	Write	network-acl*	aws:ResourceTag/${TagKey} ec2:NetworkAclID ec2:ResourceTag/${TagKey} ec2:Vpc
DeleteNetworkAcl	Grants permission to delete a network ACL	Write		ec2:Region
DeleteNetworkAclEntry	Grants permission to delete an inbound or outbound entry (rule) from a network ACL	Write	network-acl*	aws:ResourceTag/${TagKey} ec2:NetworkAclID ec2:ResourceTag/${TagKey} ec2:Vpc
DeleteNetworkAclEntry		Write		ec2:Region
DeleteNetworkInsightsAccessScope	Grants permission to delete a Network Access Scope	Write	network-insights-access-scope*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteNetworkInsightsAccessScope	Grants permission to delete a Network Access Scope	Write		ec2:Region
DeleteNetworkInsightsAccessScopeAnalysis	Grants permission to delete a Network Access Scope analysis	Write	network-insights-access-scope-analysis*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteNetworkInsightsAccessScopeAnalysis	Grants permission to delete a Network Access Scope analysis	Write		ec2:Region
DeleteNetworkInsightsAnalysis	Grants permission to delete a network insights analysis	Write	network-insights-analysis*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteNetworkInsightsAnalysis	Grants permission to delete a network insights analysis	Write		ec2:Region
DeleteNetworkInsightsPath	Grants permission to delete a network insights path	Write	network-insights-path*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteNetworkInsightsPath	Grants permission to delete a network insights path	Write		ec2:Region
DeleteNetworkInterface	Grants permission to delete a detached network interface	Write	network-interface*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
DeleteNetworkInterface	Grants permission to delete a detached network interface	Write		ec2:Region
DeleteNetworkInterfacePermission	Grants permission to delete a permission that is associated with a network interface	Permissions management	network-interface	aws:ResourceTag/${TagKey} ec2:AssociatePublicIpAddress ec2:AuthorizedService ec2:AvailabilityZone ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
DeleteNetworkInterfacePermission		Permissions management		ec2:Region
DeletePlacementGroup	Grants permission to delete a placement group	Write	placement-group	aws:ResourceTag/${TagKey} ec2:PlacementGroupName ec2:PlacementGroupStrategy ec2:ResourceTag/${TagKey}
DeletePlacementGroup	Grants permission to delete a placement group	Write		ec2:Region
DeletePublicIpv4Pool	Grants permission to delete a public IPv4 address pool for public IPv4 CIDRs that you own and brought to Amazon to manage with Amazon VPC IP Address Manager (IPAM)	Write	ipv4pool-ec2*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeletePublicIpv4Pool		Write		ec2:Region
DeleteQueuedReservedInstances	Grants permission to delete the queued purchases for the specified Reserved Instances	Write		ec2:Region
DeleteResourcePolicy [permission only]	Grants permission to remove an IAM policy that enables cross-account sharing from a resource	Write	ipam-pool	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteResourcePolicy [permission only]		Write		ec2:Region
DeleteRoute	Grants permission to delete a route from a route table	Write	route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:RouteTableID ec2:Vpc
DeleteRoute	Grants permission to delete a route from a route table	Write		ec2:Region
DeleteRouteTable	Grants permission to delete a route table	Write	route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:RouteTableID ec2:Vpc
DeleteRouteTable	Grants permission to delete a route table	Write		ec2:Region
DeleteSecurityGroup	Grants permission to delete a security group	Write	security-group*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
DeleteSecurityGroup	Grants permission to delete a security group	Write		ec2:Region
DeleteSnapshot	Grants permission to delete a snapshot of an EBS volume	Write	snapshot*	aws:ResourceTag/${TagKey} ec2:OutpostArn ec2:Owner ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:SnapshotID ec2:SnapshotTime ec2:SourceOutpostArn ec2:VolumeSize
DeleteSnapshot	Grants permission to delete a snapshot of an EBS volume	Write		ec2:Region
DeleteSpotDatafeedSubscription	Grants permission to delete a data feed for Spot Instances	Write		ec2:Region
DeleteSubnet	Grants permission to delete a subnet	Write	subnet*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
DeleteSubnet	Grants permission to delete a subnet	Write		ec2:Region
DeleteSubnetCidrReservation	Grants permission to delete a subnet CIDR reservation	Write		ec2:Region
DeleteTags	Grants permission to delete one or more tags from Amazon EC2 resources	Tagging	capacity-reservation	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			capacity-reservation-fleet	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			carrier-gateway	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			client-vpn-endpoint	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			customer-gateway	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			dedicated-host	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			dhcp-options	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			egress-only-internet-gateway	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			elastic-gpu	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			elastic-ip	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			export-image-task	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			export-instance-task	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			fleet	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			fpga-image	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			host-reservation	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			image	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			import-image-task	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			import-snapshot-task	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			instance	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			instance-event-window	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			internet-gateway	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			ipam	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			ipam-pool	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			ipam-scope	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			ipv4pool-ec2	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			ipv6pool-ec2	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			key-pair	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			launch-template	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			local-gateway	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			local-gateway-route-table	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			local-gateway-route-table-virtual-interface-group-association	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			local-gateway-route-table-vpc-association	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			local-gateway-virtual-interface	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			local-gateway-virtual-interface-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			natgateway	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			network-acl	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			network-insights-access-scope	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			network-insights-access-scope-analysis	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			network-insights-analysis	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			network-insights-path	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			network-interface	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			placement-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			prefix-list	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			replace-root-volume-task	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			reserved-instances	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			route-table	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			security-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			security-group-rule	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			snapshot	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			spot-fleet-request	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			spot-instances-request	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			subnet	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			subnet-cidr-reservation	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			traffic-mirror-filter	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			traffic-mirror-session	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			traffic-mirror-target	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			transit-gateway	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			transit-gateway-attachment	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			transit-gateway-connect-peer	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			transit-gateway-multicast-domain	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			transit-gateway-policy-table	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			transit-gateway-route-table	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			transit-gateway-route-table-announcement	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			volume	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
vpc	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
vpc-endpoint	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
vpc-endpoint-service	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
vpc-flow-log	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
vpc-peering-connection	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
vpn-connection	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
vpn-gateway	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
	aws:TagKeys ec2:Region
DeleteTrafficMirrorFilter	Grants permission to delete a traffic mirror filter	Write	traffic-mirror-filter*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteTrafficMirrorFilter	Grants permission to delete a traffic mirror filter	Write		ec2:Region
DeleteTrafficMirrorFilterRule	Grants permission to delete a traffic mirror filter rule	Write	traffic-mirror-filter*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			traffic-mirror-filter-rule*
				ec2:Region
DeleteTrafficMirrorSession	Grants permission to delete a traffic mirror session	Write	traffic-mirror-session*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteTrafficMirrorSession	Grants permission to delete a traffic mirror session	Write		ec2:Region
DeleteTrafficMirrorTarget	Grants permission to delete a traffic mirror target	Write	traffic-mirror-target*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteTrafficMirrorTarget	Grants permission to delete a traffic mirror target	Write		ec2:Region
DeleteTransitGateway	Grants permission to delete a transit gateway	Write	transit-gateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteTransitGateway	Grants permission to delete a transit gateway	Write		ec2:Region
DeleteTransitGatewayConnect	Grants permission to delete a transit gateway connect attachment	Write	transit-gateway-attachment*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteTransitGatewayConnect		Write		ec2:Region
DeleteTransitGatewayConnectPeer	Grants permission to delete a transit gateway connect peer	Write	transit-gateway-connect-peer*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteTransitGatewayConnectPeer	Grants permission to delete a transit gateway connect peer	Write		ec2:Region
DeleteTransitGatewayMulticastDomain	Grants permission to delete a transit gateway multicast domain	Write	transit-gateway-multicast-domain*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteTransitGatewayMulticastDomain		Write		ec2:Region
DeleteTransitGatewayPeeringAttachment	Grants permission to delete a peering attachment from a transit gateway	Write	transit-gateway-attachment*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteTransitGatewayPeeringAttachment		Write		ec2:Region
DeleteTransitGatewayPolicyTable	Grants permission to delete a transit gateway policy table	Write	transit-gateway-policy-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteTransitGatewayPolicyTable	Grants permission to delete a transit gateway policy table	Write		ec2:Region
DeleteTransitGatewayPrefixListReference	Grants permission to delete a transit gateway prefix list reference	Write	prefix-list*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			transit-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
DeleteTransitGatewayRoute	Grants permission to delete a route from a transit gateway route table	Write	transit-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteTransitGatewayRoute		Write		ec2:Region
DeleteTransitGatewayRouteTable	Grants permission to delete a transit gateway route table	Write	transit-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteTransitGatewayRouteTable	Grants permission to delete a transit gateway route table	Write		ec2:Region
DeleteTransitGatewayRouteTableAnnouncement	Grants permission to delete a transit gateway route table announcement	Write	transit-gateway-route-table-announcement*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteTransitGatewayRouteTableAnnouncement		Write		ec2:Region
DeleteTransitGatewayVpcAttachment	Grants permission to delete a VPC attachment from a transit gateway	Write	transit-gateway-attachment*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteTransitGatewayVpcAttachment		Write		ec2:Region
DeleteVolume	Grants permission to delete an EBS volume	Write	volume*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:Encrypted ec2:ParentSnapshot ec2:ResourceTag/${TagKey} ec2:VolumeID ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType
DeleteVolume	Grants permission to delete an EBS volume	Write		ec2:Region
DeleteVpc	Grants permission to delete a VPC	Write	vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
DeleteVpc	Grants permission to delete a VPC	Write		ec2:Region
DeleteVpcEndpointConnectionNotifications	Grants permission to delete one or more VPC endpoint connection notifications	Write	vpc-endpoint	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			vpc-endpoint-service	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
DeleteVpcEndpointServiceConfigurations	Grants permission to delete one or more VPC endpoint service configurations	Write	vpc-endpoint-service*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteVpcEndpointServiceConfigurations		Write		ec2:Region
DeleteVpcEndpoints	Grants permission to delete one or more VPC endpoints	Write	vpc-endpoint*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:VpceServiceName
DeleteVpcEndpoints	Grants permission to delete one or more VPC endpoints	Write		ec2:Region
DeleteVpcPeeringConnection	Grants permission to delete a VPC peering connection	Write	vpc-peering-connection*	aws:ResourceTag/${TagKey} ec2:AccepterVpc ec2:RequesterVpc ec2:ResourceTag/${TagKey} ec2:VpcPeeringConnectionID
DeleteVpcPeeringConnection	Grants permission to delete a VPC peering connection	Write		ec2:Region
DeleteVpnConnection	Grants permission to delete a VPN connection	Write	vpn-connection*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteVpnConnection	Grants permission to delete a VPN connection	Write		ec2:Region
DeleteVpnConnectionRoute	Grants permission to delete a static route for a VPN connection between a virtual private gateway and a customer gateway	Write	vpn-connection*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteVpnConnectionRoute		Write		ec2:Region
DeleteVpnGateway	Grants permission to delete a virtual private gateway	Write	vpn-gateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteVpnGateway	Grants permission to delete a virtual private gateway	Write		ec2:Region
DeprovisionByoipCidr	Grants permission to release an IP address range that was provisioned through bring your own IP addresses (BYOIP), and to delete the corresponding address pool	Write		ec2:Region
DeprovisionIpamPoolCidr	Grants permission to deprovision a CIDR provisioned from an Amazon VPC IP Address Manager (IPAM) pool	Write	ipam-pool*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeprovisionIpamPoolCidr		Write		ec2:Region
DeprovisionPublicIpv4PoolCidr	Grants permission to deprovision a CIDR from a public IPv4 pool	Write	ipv4pool-ec2*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeprovisionPublicIpv4PoolCidr		Write		ec2:Region
DeregisterImage	Grants permission to deregister an Amazon Machine Image (AMI)	Write	image*	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
DeregisterImage		Write		ec2:Region
DeregisterInstanceEventNotificationAttributes	Grants permission to remove tags from the set of tags to include in notifications about scheduled events for your instances	Write		ec2:Region
DeregisterTransitGatewayMulticastGroupMembers	Grants permission to deregister one or more network interface members from a group IP address in a transit gateway multicast domain	Write	network-interface	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
			transit-gateway-multicast-domain	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
DeregisterTransitGatewayMulticastGroupSources	Grants permission to deregister one or more network interface sources from a group IP address in a transit gateway multicast domain	Write	network-interface	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
			transit-gateway-multicast-domain	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
DescribeAccountAttributes	Grants permission to describe the attributes of the AWS account	List		ec2:Region
DescribeAddresses	Grants permission to describe one or more Elastic IP addresses	List		ec2:Region
DescribeAddressesAttribute	Grants permission to describe the attributes of the specified Elastic IP addresses	List	elastic-ip	aws:ResourceTag/${TagKey} ec2:AllocationId ec2:Domain ec2:PublicIpAddress ec2:ResourceTag/${TagKey}
DescribeAddressesAttribute		List		ec2:Region
DescribeAggregateIdFormat	Grants permission to describe the longer ID format settings for all resource types	List		ec2:Region
DescribeAvailabilityZones	Grants permission to describe one or more of the Availability Zones that are available to you	List		ec2:Region
DescribeBundleTasks	Grants permission to describe one or more bundling tasks	List		ec2:Region
DescribeByoipCidrs	Grants permission to describe the IP address ranges that were provisioned through bring your own IP addresses (BYOIP)	List		ec2:Region
DescribeCapacityReservationFleets	Grants permission to describe one or more Capacity Reservation Fleets	List		ec2:Region
DescribeCapacityReservations	Grants permission to describe one or more Capacity Reservations	List		ec2:Region
DescribeCarrierGateways	Grants permission to describe one or more Carrier Gateways	List		ec2:Region
DescribeClassicLinkInstances	Grants permission to describe one or more linked EC2-Classic instances	List		ec2:Region
DescribeClientVpnAuthorizationRules	Grants permission to describe the authorization rules for a Client VPN endpoint	List	client-vpn-endpoint	aws:ResourceTag/${TagKey} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
DescribeClientVpnAuthorizationRules		List		ec2:Region
DescribeClientVpnConnections	Grants permission to describe active client connections and connections that have been terminated within the last 60 minutes for a Client VPN endpoint	List	client-vpn-endpoint	aws:ResourceTag/${TagKey} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
DescribeClientVpnConnections		List		ec2:Region
DescribeClientVpnEndpoints	Grants permission to describe one or more Client VPN endpoints	List	client-vpn-endpoint	aws:ResourceTag/${TagKey} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
DescribeClientVpnEndpoints		List		ec2:Region
DescribeClientVpnRoutes	Grants permission to describe the routes for a Client VPN endpoint	List	client-vpn-endpoint	aws:ResourceTag/${TagKey} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
DescribeClientVpnRoutes		List		ec2:Region
DescribeClientVpnTargetNetworks	Grants permission to describe the target networks that are associated with a Client VPN endpoint	List	client-vpn-endpoint	aws:ResourceTag/${TagKey} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
DescribeClientVpnTargetNetworks		List		ec2:Region
DescribeCoipPools	Grants permission to describe the specified customer-owned address pools or all of your customer-owned address pools	List		ec2:Region
DescribeConversionTasks	Grants permission to describe one or more conversion tasks	List		ec2:Region
DescribeCustomerGateways	Grants permission to describe one or more customer gateways	List		ec2:Region
DescribeDhcpOptions	Grants permission to describe one or more DHCP options sets	List		ec2:Region
DescribeEgressOnlyInternetGateways	Grants permission to describe one or more egress-only internet gateways	List		ec2:Region
DescribeElasticGpus	Grants permission to describe an Elastic Graphics accelerator that is associated with an instance	Read		ec2:Region
DescribeExportImageTasks	Grants permission to describe one or more export image tasks	List		ec2:Region
DescribeExportTasks	Grants permission to describe one or more export instance tasks	List		ec2:Region
DescribeFastLaunchImages	Grants permission to describe fast-launch enabled Windows AMIs	Read	image	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
DescribeFastLaunchImages		Read		ec2:Region
DescribeFastSnapshotRestores	Grants permission to describe the state of fast snapshot restores for snapshots	Read		ec2:Region
DescribeFleetHistory	Grants permission to describe the events for an EC2 Fleet during a specified time	List	fleet	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DescribeFleetHistory		List		ec2:Region
DescribeFleetInstances	Grants permission to describe the running instances for an EC2 Fleet	List	fleet	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DescribeFleetInstances		List		ec2:Region
DescribeFleets	Grants permission to describe one or more EC2 Fleets	List	fleet	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DescribeFleets	Grants permission to describe one or more EC2 Fleets	List		ec2:Region
DescribeFlowLogs	Grants permission to describe one or more flow logs	List		ec2:Region
DescribeFpgaImageAttribute	Grants permission to describe the attributes of an Amazon FPGA Image (AFI)	List	fpga-image*	aws:ResourceTag/${TagKey} ec2:Attribute/${AttributeName} ec2:Owner ec2:Public ec2:ResourceTag/${TagKey}
DescribeFpgaImageAttribute		List		ec2:Region
DescribeFpgaImages	Grants permission to describe one or more Amazon FPGA Images (AFIs)	List		ec2:Region
DescribeHostReservationOfferings	Grants permission to describe the Dedicated Host Reservations that are available to purchase	List		ec2:Region
DescribeHostReservations	Grants permission to describe the Dedicated Host Reservations that are associated with Dedicated Hosts in the AWS account	List		ec2:Region
DescribeHosts	Grants permission to describe one or more Dedicated Hosts	List		ec2:Region
DescribeIamInstanceProfileAssociations	Grants permission to describe the IAM instance profile associations	List		ec2:Region
DescribeIdFormat	Grants permission to describe the ID format settings for resources	List		ec2:Region
DescribeIdentityIdFormat	Grants permission to describe the ID format settings for resources for an IAM user, IAM role, or root user	List		ec2:Region
DescribeImageAttribute	Grants permission to describe an attribute of an Amazon Machine Image (AMI)	List	image	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
DescribeImageAttribute		List		ec2:Region
DescribeImages	Grants permission to describe one or more images (AMIs, AKIs, and ARIs)	List		ec2:Region
DescribeImportImageTasks	Grants permission to describe import virtual machine or import snapshot tasks	List		ec2:Region
DescribeImportSnapshotTasks	Grants permission to describe import snapshot tasks	List		ec2:Region
DescribeInstanceAttribute	Grants permission to describe the attributes of an instance	List	instance	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
DescribeInstanceAttribute	Grants permission to describe the attributes of an instance	List		ec2:Region
DescribeInstanceCreditSpecifications	Grants permission to describe the credit option for CPU usage of one or more burstable performance instances	List		ec2:Region
DescribeInstanceEventNotificationAttributes	Grants permission to describe the set of tags to include in notifications about scheduled events for your instances	List		ec2:Region
DescribeInstanceEventWindows	Grants permission to describe the specified event windows or all event windows	List		ec2:Region
DescribeInstanceStatus	Grants permission to describe the status of one or more instances	List		ec2:Region
DescribeInstanceTypeOfferings	Grants permission to describe the set of instance types that are offered in a location	List		ec2:Region
DescribeInstanceTypes	Grants permission to describe the details of instance types that are offered in a location	List		ec2:Region
DescribeInstances	Grants permission to describe one or more instances	List		ec2:Region
DescribeInternetGateways	Grants permission to describe one or more internet gateways	List		ec2:Region
DescribeIpamPools	Grants permission to describe Amazon VPC IP Address Manager (IPAM) pools	List		ec2:Region
DescribeIpamScopes	Grants permission to describe Amazon VPC IP Address Manager (IPAM) scopes	List		ec2:Region
DescribeIpams	Grants permission to describe an Amazon VPC IP Address Manager (IPAM)	List		ec2:Region
DescribeIpv6Pools	Grants permission to describe one or more IPv6 address pools	List		ec2:Region
DescribeKeyPairs	Grants permission to describe one or more key pairs	List		ec2:Region
DescribeLaunchTemplateVersions	Grants permission to describe one or more launch template versions	List		ec2:Region
DescribeLaunchTemplates	Grants permission to describe one or more launch templates	List		ec2:Region
DescribeLocalGatewayRouteTablePermissions [permission only]	Grants permission to allow a service to describe local gateway route table permissions	List		ec2:Region
DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations	Grants permission to describe the associations between virtual interface groups and local gateway route tables	List		ec2:Region
DescribeLocalGatewayRouteTableVpcAssociations	Grants permission to describe an association between VPCs and local gateway route tables	List		ec2:Region
DescribeLocalGatewayRouteTables	Grants permission to describe one or more local gateway route tables	List		ec2:Region
DescribeLocalGatewayVirtualInterfaceGroups	Grants permission to describe local gateway virtual interface groups	List		ec2:Region
DescribeLocalGatewayVirtualInterfaces	Grants permission to describe local gateway virtual interfaces	List		ec2:Region
DescribeLocalGateways	Grants permission to describe one or more local gateways	List		ec2:Region
DescribeManagedPrefixLists	Grants permission to describe your managed prefix lists and any AWS-managed prefix lists	List		ec2:Region
DescribeMovingAddresses	Grants permission to describe Elastic IP addresses that are being moved to the EC2-VPC platform	List		ec2:Region
DescribeNatGateways	Grants permission to describe one or more NAT gateways	List		ec2:Region
DescribeNetworkAcls	Grants permission to describe one or more network ACLs	List		ec2:Region
DescribeNetworkInsightsAccessScopeAnalyses	Grants permission to describe one or more Network Access Scope analyses	List		ec2:Region
DescribeNetworkInsightsAccessScopes	Grants permission to describe the Network Access Scopes	List		ec2:Region
DescribeNetworkInsightsAnalyses	Grants permission to describe one or more network insights analyses	List		ec2:Region
DescribeNetworkInsightsPaths	Grants permission to describe one or more network insights paths	List		ec2:Region
DescribeNetworkInterfaceAttribute	Grants permission to describe a network interface attribute	List		ec2:Region
DescribeNetworkInterfacePermissions	Grants permission to describe the permissions that are associated with a network interface	List		ec2:Region
DescribeNetworkInterfaces	Grants permission to describe one or more network interfaces	List		ec2:Region
DescribePlacementGroups	Grants permission to describe one or more placement groups	List		ec2:Region
DescribePrefixLists	Grants permission to describe available AWS services in a prefix list format	List		ec2:Region
DescribePrincipalIdFormat	Grants permission to describe the ID format settings for the root user and all IAM roles and IAM users that have explicitly specified a longer ID (17-character ID) preference	List		ec2:Region
DescribePublicIpv4Pools	Grants permission to describe one or more IPv4 address pools	List		ec2:Region
DescribeRegions	Grants permission to describe one or more AWS Regions that are currently available in your account	List		ec2:Region
DescribeReplaceRootVolumeTasks	Grants permission to describe a root volume replacement task	List		ec2:Region
DescribeReservedInstances	Grants permission to describe one or more purchased Reserved Instances in your account	List		ec2:Region
DescribeReservedInstancesListings	Grants permission to describe your account's Reserved Instance listings in the Reserved Instance Marketplace	List		ec2:Region
DescribeReservedInstancesModifications	Grants permission to describe the modifications made to one or more Reserved Instances	List		ec2:Region
DescribeReservedInstancesOfferings	Grants permission to describe the Reserved Instance offerings that are available for purchase	List		ec2:Region
DescribeRouteTables	Grants permission to describe one or more route tables	List		ec2:Region
DescribeScheduledInstanceAvailability	Grants permission to find available schedules for Scheduled Instances	Read		ec2:Region
DescribeScheduledInstances	Grants permission to describe one or more Scheduled Instances in your account	Read		ec2:Region
DescribeSecurityGroupReferences	Grants permission to describe the VPCs on the other side of a VPC peering connection that are referencing specified VPC security groups	List		ec2:Region
DescribeSecurityGroupRules	Grants permission to describe one or more of your security group rules	List		ec2:Region
DescribeSecurityGroups	Grants permission to describe one or more security groups	List		ec2:Region
DescribeSnapshotAttribute	Grants permission to describe an attribute of a snapshot	List	snapshot	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:Encrypted ec2:OutpostArn ec2:Owner ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:SnapshotID ec2:SnapshotTime ec2:SourceOutpostArn ec2:VolumeSize
DescribeSnapshotAttribute	Grants permission to describe an attribute of a snapshot	List		ec2:Region
DescribeSnapshotTierStatus	Grants permission to describe the storage tier status for Amazon EBS snapshots	List		ec2:Region
DescribeSnapshots	Grants permission to describe one or more EBS snapshots	List		ec2:Region
DescribeSpotDatafeedSubscription	Grants permission to describe the data feed for Spot Instances	List		ec2:Region
DescribeSpotFleetInstances	Grants permission to describe the running instances for a Spot Fleet	List	spot-fleet-request	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DescribeSpotFleetInstances		List		ec2:Region
DescribeSpotFleetRequestHistory	Grants permission to describe the events for a Spot Fleet request during a specified time	List	spot-fleet-request	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DescribeSpotFleetRequestHistory		List		ec2:Region
DescribeSpotFleetRequests	Grants permission to describe one or more Spot Fleet requests	List		ec2:Region
DescribeSpotInstanceRequests	Grants permission to describe one or more Spot Instance requests	List		ec2:Region
DescribeSpotPriceHistory	Grants permission to describe the Spot Instance price history	List		ec2:Region
DescribeStaleSecurityGroups	Grants permission to describe the stale security group rules for security groups in a specified VPC	List		ec2:Region
DescribeStoreImageTasks	Grants permission to describe the progress of the AMI store tasks	List	image	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
DescribeStoreImageTasks		List		ec2:Region
DescribeSubnets	Grants permission to describe one or more subnets	List		ec2:Region
DescribeTags	Grants permission to describe one or more tags for an Amazon EC2 resource	Read		ec2:Region
DescribeTrafficMirrorFilters	Grants permission to describe one or more traffic mirror filters	List		ec2:Region
DescribeTrafficMirrorSessions	Grants permission to describe one or more traffic mirror sessions	List		ec2:Region
DescribeTrafficMirrorTargets	Grants permission to describe one or more traffic mirror targets	List		ec2:Region
DescribeTransitGatewayAttachments	Grants permission to describe one or more attachments between resources and transit gateways	List		ec2:Region
DescribeTransitGatewayConnectPeers	Grants permission to describe one or more transit gateway connect peers	List		ec2:Region
DescribeTransitGatewayConnects	Grants permission to describe one or more transit gateway connect attachments	List		ec2:Region
DescribeTransitGatewayMulticastDomains	Grants permission to describe one or more transit gateway multicast domains	List		ec2:Region
DescribeTransitGatewayPeeringAttachments	Grants permission to describe one or more transit gateway peering attachments	List		ec2:Region
DescribeTransitGatewayPolicyTables	Grants permission to describe a transit gateway policy table	Write		ec2:Region
DescribeTransitGatewayRouteTableAnnouncements	Grants permission to describe a transit gateway route table announcement	Write		ec2:Region
DescribeTransitGatewayRouteTables	Grants permission to describe one or more transit gateway route tables	List		ec2:Region
DescribeTransitGatewayVpcAttachments	Grants permission to describe one or more VPC attachments on a transit gateway	List		ec2:Region
DescribeTransitGateways	Grants permission to describe one or more transit gateways	List		ec2:Region
DescribeTrunkInterfaceAssociations	Grants permission to describe one or more network interface trunk associations	List		ec2:Region
DescribeVolumeAttribute	Grants permission to describe an attribute of an EBS volume	List	volume	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:Encrypted ec2:KmsKeyId ec2:ParentSnapshot ec2:ResourceTag/${TagKey} ec2:VolumeID ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType
DescribeVolumeAttribute	Grants permission to describe an attribute of an EBS volume	List		ec2:Region
DescribeVolumeStatus	Grants permission to describe the status of one or more EBS volumes	List		ec2:Region
DescribeVolumes	Grants permission to describe one or more EBS volumes	List		ec2:Region
DescribeVolumesModifications	Grants permission to describe the current modification status of one or more EBS volumes	Read		ec2:Region
DescribeVpcAttribute	Grants permission to describe an attribute of a VPC	List	vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
DescribeVpcAttribute	Grants permission to describe an attribute of a VPC	List		ec2:Region
DescribeVpcClassicLink	Grants permission to describe the ClassicLink status of one or more VPCs	List		ec2:Region
DescribeVpcClassicLinkDnsSupport	Grants permission to describe the ClassicLink DNS support status of one or more VPCs	List		ec2:Region
DescribeVpcEndpointConnectionNotifications	Grants permission to describe the connection notifications for VPC endpoints and VPC endpoint services	List		ec2:Region
DescribeVpcEndpointConnections	Grants permission to describe the VPC endpoint connections to your VPC endpoint services	List		ec2:Region
DescribeVpcEndpointServiceConfigurations	Grants permission to describe VPC endpoint service configurations (your services)	List		ec2:Region
DescribeVpcEndpointServicePermissions	Grants permission to describe the principals (service consumers) that are permitted to discover your VPC endpoint service	List		ec2:Region
DescribeVpcEndpointServices	Grants permission to describe all supported AWS services that can be specified when creating a VPC endpoint	List		ec2:Region
DescribeVpcEndpoints	Grants permission to describe one or more VPC endpoints	List		ec2:Region
DescribeVpcPeeringConnections	Grants permission to describe one or more VPC peering connections	List		ec2:Region
DescribeVpcs	Grants permission to describe one or more VPCs	List		ec2:Region
DescribeVpnConnections	Grants permission to describe one or more VPN connections	Read		ec2:Region
DescribeVpnGateways	Grants permission to describe one or more virtual private gateways	List		ec2:Region
DetachClassicLinkVpc	Grants permission to unlink (detach) a linked EC2-Classic instance from a VPC	Write	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:EbsOptimized ec2:InstanceID ec2:InstanceMarketType ec2:InstanceProfile ec2:InstanceType ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
			vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
				ec2:Region
DetachInternetGateway	Grants permission to detach an internet gateway from a VPC	Write	internet-gateway*	aws:ResourceTag/${TagKey} ec2:InternetGatewayID ec2:ResourceTag/${TagKey}
			vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
				ec2:Region
DetachNetworkInterface	Grants permission to detach a network interface from an instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
			network-interface*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
				ec2:Region
DetachVolume	Grants permission to detach an EBS volume from an instance	Write	volume*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:Encrypted ec2:ParentSnapshot ec2:ResourceTag/${TagKey} ec2:VolumeID ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType
			instance	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:EbsOptimized ec2:InstanceID ec2:InstanceMarketType ec2:InstanceProfile ec2:InstanceType ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
				ec2:Region
DetachVpnGateway	Grants permission to detach a virtual private gateway from a VPC	Write	vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
			vpn-gateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
DisableEbsEncryptionByDefault	Grants permission to disable EBS encryption by default for your account	Write		ec2:Region
DisableFastLaunch	Grants permission to disable faster launching for Windows AMIs	Write	image	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
DisableFastLaunch		Write		ec2:Region
DisableFastSnapshotRestores	Grants permission to disable fast snapshot restores for one or more snapshots in specified Availability Zones	Write	snapshot*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:Encrypted ec2:Owner ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:SnapshotID ec2:SnapshotTime ec2:VolumeSize
DisableFastSnapshotRestores		Write		ec2:Region
DisableImageDeprecation	Grants permission to cancel the deprecation of the specified AMI	Write	image*	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
DisableImageDeprecation		Write		ec2:Region
DisableIpamOrganizationAdminAccount	Grants permission to disable an AWS Organizations member account as an Amazon VPC IP Address Manager (IPAM) admin account	Write		ec2:Region	organizations:DeregisterDelegatedAdministrator
DisableSerialConsoleAccess	Grants permission to disable access to the EC2 serial console of all instances for your account	Write		ec2:Region
DisableTransitGatewayRouteTablePropagation	Grants permission to disable a resource attachment from propagating routes to the specified propagation route table	Write	transit-gateway-attachment*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			transit-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			transit-gateway-route-table-announcement	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
DisableVgwRoutePropagation	Grants permission to disable a virtual private gateway from propagating routes to a specified route table of a VPC	Write	route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:RouteTableID ec2:Vpc
			vpn-gateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
DisableVpcClassicLink	Grants permission to disable ClassicLink for a VPC	Write	vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
DisableVpcClassicLink	Grants permission to disable ClassicLink for a VPC	Write		ec2:Region
DisableVpcClassicLinkDnsSupport	Grants permission to disable ClassicLink DNS support for a VPC	Write	vpc	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
DisableVpcClassicLinkDnsSupport		Write		ec2:Region
DisassociateAddress	Grants permission to disassociate an Elastic IP address from an instance or network interface	Write	elastic-ip	aws:ResourceTag/${TagKey} ec2:AllocationId ec2:Domain ec2:PublicIpAddress ec2:ResourceTag/${TagKey}
			network-interface	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
				ec2:Region
DisassociateClientVpnTargetNetwork	Grants permission to disassociate a target network from a Client VPN endpoint	Write	client-vpn-endpoint*	aws:ResourceTag/${TagKey} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
DisassociateClientVpnTargetNetwork		Write		ec2:Region
DisassociateEnclaveCertificateIamRole	Grants permission to disassociate an ACM certificate from a IAM role	Write	certificate*
			role*
				ec2:Region
DisassociateIamInstanceProfile	Grants permission to disassociate an IAM instance profile from a running or stopped instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
DisassociateIamInstanceProfile		Write		ec2:Region
DisassociateInstanceEventWindow	Grants permission to disassociate one or more targets from an event window	Write	instance-event-window*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DisassociateInstanceEventWindow		Write		ec2:Region
DisassociateRouteTable	Grants permission to disassociate a subnet from a route table	Write	route-table	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:RouteTableID ec2:Vpc
			subnet	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
				ec2:Region
DisassociateSubnetCidrBlock	Grants permission to disassociate a CIDR block from a subnet	Write	subnet*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
DisassociateSubnetCidrBlock		Write		ec2:Region
DisassociateTransitGatewayMulticastDomain	Grants permission to disassociate one or more subnets from a transit gateway multicast domain	Write	subnet*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
			transit-gateway-attachment*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			transit-gateway-multicast-domain*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
DisassociateTransitGatewayPolicyTable	Grants permission to disassociate a policy table from a transit gateway	Write	transit-gateway-attachment*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			transit-gateway-policy-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
DisassociateTransitGatewayRouteTable	Grants permission to disassociate a resource attachment from a transit gateway route table	Write	transit-gateway-attachment*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			transit-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
DisassociateTrunkInterface	Grants permission to disassociate a branch network interface to a trunk network interface	Write		ec2:Region
DisassociateVpcCidrBlock	Grants permission to disassociate a CIDR block from a VPC	Write	vpc	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
DisassociateVpcCidrBlock	Grants permission to disassociate a CIDR block from a VPC	Write		ec2:Region
EnableEbsEncryptionByDefault	Grants permission to enable EBS encryption by default for your account	Write		ec2:Region
EnableFastLaunch	Grants permission to enable faster launching for Windows AMIs	Write	image	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
			launch-template	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
EnableFastSnapshotRestores	Grants permission to enable fast snapshot restores for one or more snapshots in specified Availability Zones	Write	snapshot*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:Encrypted ec2:Owner ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:SnapshotID ec2:SnapshotTime ec2:VolumeSize
EnableFastSnapshotRestores		Write		ec2:Region
EnableImageDeprecation	Grants permission to enable deprecation of the specified AMI at the specified date and time	Write	image*	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
EnableImageDeprecation		Write		ec2:Region
EnableIpamOrganizationAdminAccount	Grants permission to enable an AWS Organizations member account as an Amazon VPC IP Address Manager (IPAM) admin account	Write		ec2:Region	iam:CreateServiceLinkedRole organizations:EnableAWSServiceAccess organizations:RegisterDelegatedAdministrator
EnableSerialConsoleAccess	Grants permission to enable access to the EC2 serial console of all instances for your account	Write		ec2:Region
EnableTransitGatewayRouteTablePropagation	Grants permission to enable an attachment to propagate routes to a propagation route table	Write	transit-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			transit-gateway-attachment	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			transit-gateway-route-table-announcement	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
EnableVgwRoutePropagation	Grants permission to enable a virtual private gateway to propagate routes to a VPC route table	Write	route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:RouteTableID ec2:Vpc
			vpn-gateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
EnableVolumeIO	Grants permission to enable I/O operations for a volume that had I/O operations disabled	Write	volume*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:Encrypted ec2:ParentSnapshot ec2:ResourceTag/${TagKey} ec2:VolumeID ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType
EnableVolumeIO		Write		ec2:Region
EnableVpcClassicLink	Grants permission to enable a VPC for ClassicLink	Write	vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
EnableVpcClassicLink	Grants permission to enable a VPC for ClassicLink	Write		ec2:Region
EnableVpcClassicLinkDnsSupport	Grants permission to enable a VPC to support DNS hostname resolution for ClassicLink	Write	vpc	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
EnableVpcClassicLinkDnsSupport		Write		ec2:Region
ExportClientVpnClientCertificateRevocationList	Grants permission to download the client certificate revocation list for a Client VPN endpoint	Read	client-vpn-endpoint*	aws:ResourceTag/${TagKey} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
ExportClientVpnClientCertificateRevocationList		Read		ec2:Region
ExportClientVpnClientConfiguration	Grants permission to download the contents of the Client VPN endpoint configuration file for a Client VPN endpoint	Read	client-vpn-endpoint*	aws:ResourceTag/${TagKey} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
ExportClientVpnClientConfiguration		Read		ec2:Region
ExportImage	Grants permission to export an Amazon Machine Image (AMI) to a VM file	Write	export-image-task*		ec2:CreateTags
			image*	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
ExportTransitGatewayRoutes	Grants permission to export routes from a transit gateway route table to an Amazon S3 bucket	Write		ec2:Region
GetAssociatedEnclaveCertificateIamRoles	Grants permission to get the list of roles associated with an ACM certificate	Read	certificate*
GetAssociatedEnclaveCertificateIamRoles		Read		ec2:Region
GetAssociatedIpv6PoolCidrs	Grants permission to get information about the IPv6 CIDR block associations for a specified IPv6 address pool	Read		ec2:Region
GetCapacityReservationUsage	Grants permission to get usage information about a Capacity Reservation	Read	capacity-reservation*	aws:ResourceTag/${TagKey} ec2:CapacityReservationFleet ec2:ResourceTag/${TagKey}
GetCapacityReservationUsage		Read		ec2:Region
GetCoipPoolUsage	Grants permission to describe the allocations from the specified customer-owned address pool	Read		ec2:Region
GetConsoleOutput	Grants permission to get the console output for an instance	Read	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
GetConsoleOutput	Grants permission to get the console output for an instance	Read		ec2:Region
GetConsoleScreenshot	Grants permission to retrieve a JPG-format screenshot of a running instance	Read	instance	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:NewInstanceProfile ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
GetConsoleScreenshot		Read		ec2:Region
GetDefaultCreditSpecification	Grants permission to get the default credit option for CPU usage of a burstable performance instance family	Read		ec2:Region
GetEbsDefaultKmsKeyId	Grants permission to get the ID of the default customer master key (CMK) for EBS encryption by default	Read		ec2:Region
GetEbsEncryptionByDefault	Grants permission to describe whether EBS encryption by default is enabled for your account	Read		ec2:Region
GetFlowLogsIntegrationTemplate	Grants permission to generate a CloudFormation template to streamline the integration of VPC flow logs with Amazon Athena	Read	vpc-flow-log*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
GetFlowLogsIntegrationTemplate		Read		ec2:Region
GetGroupsForCapacityReservation	Grants permission to list the resource groups to which a Capacity Reservation has been added	List	capacity-reservation*	aws:ResourceTag/${TagKey} ec2:CapacityReservationFleet ec2:ResourceTag/${TagKey}
GetGroupsForCapacityReservation		List		ec2:Region
GetHostReservationPurchasePreview	Grants permission to preview a reservation purchase with configurations that match those of a Dedicated Host	Read		ec2:Region
GetInstanceTypesFromInstanceRequirements	Grants permission to view a list of instance types with specified instance attributes	Read		ec2:Region
GetInstanceUefiData	Grants permission to retrieve the binary representation of the UEFI variable store	Read	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:NewInstanceProfile ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
GetInstanceUefiData		Read		ec2:Region
GetIpamAddressHistory	Grants permission to retrieve historical information about a CIDR within an Amazon VPC IP Address Manager (IPAM) scope	Read	ipam-scope*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
GetIpamAddressHistory		Read		ec2:Region
GetIpamPoolAllocations	Grants permission to get a list of all the CIDR allocations in an Amazon VPC IP Address Manager (IPAM) pool	Read	ipam-pool*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
GetIpamPoolAllocations		Read		ec2:Region
GetIpamPoolCidrs	Grants permission to get the CIDRs provisioned to an Amazon VPC IP Address Manager (IPAM) pool	Read	ipam-pool*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
GetIpamPoolCidrs		Read		ec2:Region
GetIpamResourceCidrs	Grants permission to get information about the resources in an Amazon VPC IP Address Manager (IPAM) scope	Read	ipam-pool*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			ipam-scope*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
GetLaunchTemplateData	Grants permission to get the configuration data of the specified instance for use with a new launch template or launch template version	Read	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
GetLaunchTemplateData		Read		ec2:Region
GetManagedPrefixListAssociations	Grants permission to get information about the resources that are associated with the specified managed prefix list	Read	prefix-list*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
GetManagedPrefixListAssociations		Read		ec2:Region
GetManagedPrefixListEntries	Grants permission to get information about the entries for a specified managed prefix list	Read	prefix-list*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
GetManagedPrefixListEntries		Read		ec2:Region
GetNetworkInsightsAccessScopeAnalysisFindings	Grants permission to get the findings for one or more Network Access Scope analyses	Read		ec2:Region
GetNetworkInsightsAccessScopeContent	Grants permission to get the content for a specified Network Access Scope	Read		ec2:Region
GetPasswordData	Grants permission to retrieve the encrypted administrator password for a running Windows instance	Read	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
GetPasswordData		Read		ec2:Region
GetReservedInstancesExchangeQuote	Grants permission to return a quote and exchange information for exchanging one or more Convertible Reserved Instances for a new Convertible Reserved Instance	Read		ec2:Region
GetResourcePolicy [permission only]	Grants permission to describe an IAM policy that enables cross-account sharing	Read	ipam-pool	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
GetResourcePolicy [permission only]		Read		ec2:Region
GetSerialConsoleAccessStatus	Grants permission to retrieve the access status of your account to the EC2 serial console of all instances	Read		ec2:Region
GetSpotPlacementScores	Grants permission to calculate the Spot placement score for a Region or Availability Zone based on the specified target capacity and compute requirements	Read		ec2:Region
GetSubnetCidrReservations	Grants permission to retrieve information about the subnet CIDR reservations	Read		ec2:Region
GetTransitGatewayAttachmentPropagations	Grants permission to list the route tables to which a resource attachment propagates routes	List		ec2:Region
GetTransitGatewayMulticastDomainAssociations	Grants permission to get information about the associations for a transit gateway multicast domain	List		ec2:Region
GetTransitGatewayPolicyTableAssociations	Grants permission to get information about associations for a transit gateway policy table	List	transit-gateway-policy-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
GetTransitGatewayPolicyTableAssociations		List		ec2:Region
GetTransitGatewayPolicyTableEntries	Grants permission to get information about associations for a transit gateway policy table entry	List	transit-gateway-policy-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
GetTransitGatewayPolicyTableEntries		List		ec2:Region
GetTransitGatewayPrefixListReferences	Grants permission to get information about prefix list references for a transit gateway route table	List		ec2:Region
GetTransitGatewayRouteTableAssociations	Grants permission to get information about associations for a transit gateway route table	List		ec2:Region
GetTransitGatewayRouteTablePropagations	Grants permission to get information about the route table propagations for a transit gateway route table	List		ec2:Region
GetVpnConnectionDeviceSampleConfiguration	Grants permission to download an AWS-provided sample configuration file to be used with the customer gateway device	List	vpn-connection*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			vpn-connection-device-type
				ec2:Region
GetVpnConnectionDeviceTypes	Grants permission to obtain a list of customer gateway devices for which sample configuration files can be provided	List		ec2:Region
ImportClientVpnClientCertificateRevocationList	Grants permission to upload a client certificate revocation list to a Client VPN endpoint	Write	client-vpn-endpoint*	aws:ResourceTag/${TagKey} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
ImportClientVpnClientCertificateRevocationList		Write		ec2:Region
ImportImage	Grants permission to import single or multi-volume disk images or EBS snapshots into an Amazon Machine Image (AMI)	Write	image*	ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:RootDeviceType	ec2:CreateTags
			import-image-task*
			snapshot	aws:ResourceTag/${TagKey} ec2:Owner ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:SnapshotID ec2:SnapshotTime ec2:VolumeSize
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
ImportInstance	Grants permission to create an import instance task using metadata from a disk image	Write	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:InstanceID ec2:ResourceTag/${TagKey}
			volume*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:Encrypted ec2:ParentSnapshot ec2:ResourceTag/${TagKey} ec2:VolumeID ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType
			security-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
			subnet	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
				ec2:Region
ImportKeyPair	Grants permission to import a public key from an RSA key pair that was created with a third-party tool	Write	key-pair*		ec2:CreateTags
ImportKeyPair		Write		aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
ImportSnapshot	Grants permission to import a disk into an EBS snapshot	Write	import-snapshot-task*		ec2:CreateTags
			snapshot*	ec2:Owner ec2:ParentVolume ec2:SnapshotID ec2:SnapshotTime ec2:VolumeSize
				aws:RequestTag/${TagKey} aws:TagKeys ec2:Region
ImportVolume	Grants permission to create an import volume task using metadata from a disk image	Write	volume*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:Encrypted ec2:ParentSnapshot ec2:ResourceTag/${TagKey} ec2:VolumeID ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType
ImportVolume		Write		ec2:Region
ListImagesInRecycleBin	Grants permission to list Amazon Machine Images (AMIs) that are currently in the Recycle Bin	List	image	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
ListImagesInRecycleBin		List		ec2:Region
ListSnapshotsInRecycleBin	Grants permission to list the Amazon EBS snapshots that are currently in the Recycle Bin	List	snapshot	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:Encrypted ec2:Owner ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:SnapshotID ec2:SnapshotTime ec2:VolumeSize
ListSnapshotsInRecycleBin		List		ec2:Region
ModifyAddressAttribute	Grants permission to modify an attribute of the specified Elastic IP address	Write	elastic-ip*	aws:ResourceTag/${TagKey} ec2:AllocationId ec2:Attribute ec2:Attribute/${AttributeName} ec2:Domain ec2:PublicIpAddress ec2:ResourceTag/${TagKey}
ModifyAddressAttribute		Write		ec2:Region
ModifyAvailabilityZoneGroup	Grants permission to modify the opt-in status of the Local Zone and Wavelength Zone group for your account	Write		ec2:Region
ModifyCapacityReservation	Grants permission to modify a Capacity Reservation's capacity and the conditions under which it is to be released	Write	capacity-reservation*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:CapacityReservationFleet ec2:ResourceTag/${TagKey}
ModifyCapacityReservation		Write		ec2:Region
ModifyCapacityReservationFleet	Grants permission to modify a Capacity Reservation Fleet	Write	capacity-reservation-fleet*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
ModifyCapacityReservationFleet	Grants permission to modify a Capacity Reservation Fleet	Write		ec2:Region
ModifyClientVpnEndpoint	Grants permission to modify a Client VPN endpoint	Write	client-vpn-endpoint*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
			security-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID
			vpc	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:VpcID
				ec2:Region
ModifyDefaultCreditSpecification	Grants permission to change the account level default credit option for CPU usage of burstable performance instances	Write		ec2:Region
ModifyEbsDefaultKmsKeyId	Grants permission to change the default customer master key (CMK) for EBS encryption by default for your account	Write		ec2:Region
ModifyFleet	Grants permission to modify an EC2 Fleet	Write	fleet*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
			image	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
			key-pair	aws:ResourceTag/${TagKey} ec2:KeyPairName ec2:ResourceTag/${TagKey}
			launch-template	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			network-interface	aws:ResourceTag/${TagKey} ec2:AssociatePublicIpAddress ec2:AuthorizedService ec2:AvailabilityZone ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
			security-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
			snapshot	aws:ResourceTag/${TagKey} ec2:Owner ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:SnapshotID ec2:SnapshotTime ec2:VolumeSize
			subnet	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
				ec2:Region
ModifyFpgaImageAttribute	Grants permission to modify an attribute of an Amazon FPGA Image (AFI)	Write	fpga-image*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:Owner ec2:Public ec2:ResourceTag/${TagKey}
ModifyFpgaImageAttribute		Write		ec2:Region
ModifyHosts	Grants permission to modify a Dedicated Host	Write	dedicated-host*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
ModifyHosts	Grants permission to modify a Dedicated Host	Write		ec2:Region
ModifyIdFormat	Grants permission to modify the ID format for a resource	Write		ec2:Region
ModifyIdentityIdFormat	Grants permission to modify the ID format of a resource for a specific principal in your account	Write		ec2:Region
ModifyImageAttribute	Grants permission to modify an attribute of an Amazon Machine Image (AMI)	Write	image*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
ModifyImageAttribute		Write		ec2:Region
ModifyInstanceAttribute	Grants permission to modify an attribute of an instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
			security-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
			volume	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:Encrypted ec2:ParentSnapshot ec2:ResourceTag/${TagKey} ec2:VolumeID ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType
				ec2:Region
ModifyInstanceCapacityReservationAttributes	Grants permission to modify the Capacity Reservation settings for a stopped instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
			capacity-reservation	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
ModifyInstanceCreditSpecification	Grants permission to modify the credit option for CPU usage on an instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
ModifyInstanceCreditSpecification		Write		ec2:Region
ModifyInstanceEventStartTime	Grants permission to modify the start time for a scheduled EC2 instance event	Write	instance*	aws:ResourceTag/${TagKey} ec2:Attribute/${AttributeName} ec2:InstanceID ec2:ResourceTag/${TagKey}
ModifyInstanceEventStartTime		Write		ec2:Region
ModifyInstanceEventWindow	Grants permission to modify the specified event window	Write	instance-event-window*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
ModifyInstanceEventWindow	Grants permission to modify the specified event window	Write		ec2:Region
ModifyInstanceMaintenanceOptions	Grants permission to modify the recovery behaviour for an instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
ModifyInstanceMaintenanceOptions		Write		ec2:Region
ModifyInstanceMetadataOptions	Grants permission to modify the metadata options for an instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
ModifyInstanceMetadataOptions		Write		ec2:Region
ModifyInstancePlacement	Grants permission to modify the placement attributes for an instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
			dedicated-host	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			placement-group	aws:ResourceTag/${TagKey} ec2:PlacementGroupName ec2:PlacementGroupStrategy ec2:ResourceTag/${TagKey}
				ec2:Region
ModifyIpam	Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM)	Write	ipam*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
ModifyIpam		Write		ec2:Region
ModifyIpamPool	Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) pool	Write	ipam-pool*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
ModifyIpamPool		Write		ec2:Region
ModifyIpamResourceCidr	Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) resource CIDR	Write	ipam-scope*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
ModifyIpamResourceCidr		Write		ec2:Region
ModifyIpamScope	Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) scope	Write	ipam-scope*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
ModifyIpamScope		Write		ec2:Region
ModifyLaunchTemplate	Grants permission to modify a launch template	Write	launch-template*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
ModifyLaunchTemplate	Grants permission to modify a launch template	Write		ec2:Region
ModifyManagedPrefixList	Grants permission to modify a managed prefix list	Write	prefix-list*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
ModifyManagedPrefixList	Grants permission to modify a managed prefix list	Write		ec2:Region
ModifyNetworkInterfaceAttribute	Grants permission to modify an attribute of a network interface	Write	network-interface*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
			instance	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
			security-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
				ec2:Region
ModifyPrivateDnsNameOptions	Grants permission to modify the options for instance hostnames for the specified instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:NewInstanceProfile ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
ModifyPrivateDnsNameOptions		Write		ec2:Region
ModifyReservedInstances	Grants permission to modify attributes of one or more Reserved Instances	Write	reserved-instances*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:InstanceType ec2:ReservedInstancesOfferingType ec2:ResourceTag/${TagKey} ec2:Tenancy
ModifyReservedInstances		Write		ec2:Region
ModifySecurityGroupRules	Grants permission to modify the rules of a security group	Write	security-group*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
			prefix-list	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			security-group-rule	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
ModifySnapshotAttribute	Grants permission to add or remove permission settings for a snapshot	Permissions management	snapshot*	aws:ResourceTag/${TagKey} ec2:Add/group ec2:Add/userId ec2:Attribute ec2:Attribute/${AttributeName} ec2:Owner ec2:ParentVolume ec2:Remove/group ec2:Remove/userId ec2:ResourceTag/${TagKey} ec2:SnapshotID ec2:SnapshotTime ec2:VolumeSize
ModifySnapshotAttribute		Permissions management		ec2:Region
ModifySnapshotTier	Grants permission to archive Amazon EBS snapshots	Write	snapshot*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:Encrypted ec2:Owner ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:SnapshotID ec2:SnapshotTime ec2:VolumeSize
ModifySnapshotTier	Grants permission to archive Amazon EBS snapshots	Write		ec2:Region
ModifySpotFleetRequest	Grants permission to modify a Spot Fleet request	Write	spot-fleet-request*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
			launch-template	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			subnet	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
				ec2:Region
ModifySubnetAttribute	Grants permission to modify an attribute of a subnet	Write	subnet*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
ModifySubnetAttribute	Grants permission to modify an attribute of a subnet	Write		ec2:Region
ModifyTrafficMirrorFilterNetworkServices	Grants permission to allow or restrict mirroring network services	Write	traffic-mirror-filter*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
ModifyTrafficMirrorFilterNetworkServices		Write		ec2:Region
ModifyTrafficMirrorFilterRule	Grants permission to modify a traffic mirror rule	Write	traffic-mirror-filter*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
			traffic-mirror-filter-rule*	ec2:Attribute ec2:Attribute/${AttributeName}
				ec2:Region
ModifyTrafficMirrorSession	Grants permission to modify a traffic mirror session	Write	traffic-mirror-session*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
			traffic-mirror-filter	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			traffic-mirror-target	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
ModifyTransitGateway	Grants permission to modify a transit gateway	Write	transit-gateway*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
			transit-gateway-route-table	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
ModifyTransitGatewayPrefixListReference	Grants permission to modify a transit gateway prefix list reference	Write	prefix-list*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
			transit-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
			transit-gateway-attachment	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
ModifyTransitGatewayVpcAttachment	Grants permission to modify a VPC attachment on a transit gateway	Write	transit-gateway-attachment*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
			subnet	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SubnetID
				ec2:Region
ModifyVolume	Grants permission to modify the parameters of an EBS volume	Write	volume*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:Encrypted ec2:ParentSnapshot ec2:ResourceTag/${TagKey} ec2:VolumeID ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType
ModifyVolume	Grants permission to modify the parameters of an EBS volume	Write		ec2:Region
ModifyVolumeAttribute	Grants permission to modify an attribute of a volume	Write	volume*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:Encrypted ec2:ParentSnapshot ec2:ResourceTag/${TagKey} ec2:VolumeID ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType
ModifyVolumeAttribute	Grants permission to modify an attribute of a volume	Write		ec2:Region
ModifyVpcAttribute	Grants permission to modify an attribute of a VPC	Write	vpc*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
ModifyVpcAttribute	Grants permission to modify an attribute of a VPC	Write		ec2:Region
ModifyVpcEndpoint	Grants permission to modify an attribute of a VPC endpoint	Write	vpc-endpoint*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
			route-table	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:RouteTableID
			security-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID
			subnet	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SubnetID
				ec2:Region
ModifyVpcEndpointConnectionNotification	Grants permission to modify a connection notification for a VPC endpoint or VPC endpoint service	Write	vpc-endpoint*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
			vpc-endpoint-service*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
				ec2:Region
ModifyVpcEndpointServiceConfiguration	Grants permission to modify the attributes of a VPC endpoint service configuration	Write	vpc-endpoint-service*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey} ec2:VpceServicePrivateDnsName
ModifyVpcEndpointServiceConfiguration		Write		ec2:Region
ModifyVpcEndpointServicePayerResponsibility	Grants permission to modify the payer responsibility for a VPC endpoint service	Write	vpc-endpoint-service*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
ModifyVpcEndpointServicePayerResponsibility		Write		ec2:Region
ModifyVpcEndpointServicePermissions	Grants permission to modify the permissions for a VPC endpoint service	Permissions management	vpc-endpoint-service*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
ModifyVpcEndpointServicePermissions		Permissions management		ec2:Region
ModifyVpcPeeringConnectionOptions	Grants permission to modify the VPC peering connection options on one side of a VPC peering connection	Write	vpc-peering-connection*	aws:ResourceTag/${TagKey} ec2:AccepterVpc ec2:Attribute ec2:Attribute/${AttributeName} ec2:RequesterVpc ec2:ResourceTag/${TagKey} ec2:VpcPeeringConnectionID
ModifyVpcPeeringConnectionOptions		Write		ec2:Region
ModifyVpcTenancy	Grants permission to modify the instance tenancy attribute of a VPC	Write	vpc*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
ModifyVpcTenancy		Write		ec2:Region
ModifyVpnConnection	Grants permission to modify the target gateway of a Site-to-Site VPN connection	Write	vpn-connection*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:AuthenticationType ec2:DPDTimeoutSeconds ec2:GatewayType ec2:IKEVersions ec2:InsideTunnelCidr ec2:InsideTunnelIpv6Cidr ec2:Phase1DHGroup ec2:Phase1EncryptionAlgorithms ec2:Phase1IntegrityAlgorithms ec2:Phase1LifetimeSeconds ec2:Phase2DHGroup ec2:Phase2EncryptionAlgorithms ec2:Phase2IntegrityAlgorithms ec2:Phase2LifetimeSeconds ec2:PreSharedKeys ec2:RekeyFuzzPercentage ec2:RekeyMarginTimeSeconds ec2:ReplayWindowSizePackets ec2:ResourceTag/${TagKey} ec2:RoutingType
ModifyVpnConnection		Write		ec2:Region
ModifyVpnConnectionOptions	Grants permission to modify the connection options for your Site-to-Site VPN connection	Write	vpn-connection*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
ModifyVpnConnectionOptions		Write		ec2:Region
ModifyVpnTunnelCertificate	Grants permission to modify the certificate for a Site-to-Site VPN connection	Write	vpn-connection*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
ModifyVpnTunnelCertificate		Write		ec2:Region
ModifyVpnTunnelOptions	Grants permission to modify the options for a Site-to-Site VPN connection	Write	vpn-connection*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:AuthenticationType ec2:DPDTimeoutSeconds ec2:GatewayType ec2:IKEVersions ec2:InsideTunnelCidr ec2:InsideTunnelIpv6Cidr ec2:Phase1DHGroup ec2:Phase1EncryptionAlgorithms ec2:Phase1IntegrityAlgorithms ec2:Phase1LifetimeSeconds ec2:Phase2DHGroup ec2:Phase2EncryptionAlgorithms ec2:Phase2IntegrityAlgorithms ec2:Phase2LifetimeSeconds ec2:PreSharedKeys ec2:RekeyFuzzPercentage ec2:RekeyMarginTimeSeconds ec2:ReplayWindowSizePackets ec2:ResourceTag/${TagKey} ec2:RoutingType
ModifyVpnTunnelOptions		Write		ec2:Region
MonitorInstances	Grants permission to enable detailed monitoring for a running instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
MonitorInstances		Write		ec2:Region
MoveAddressToVpc	Grants permission to move an Elastic IP address from the EC2-Classic platform to the EC2-VPC platform	Write		ec2:Region