Actions, resources, and condition keys for Amazon EC2
Amazon EC2 (service prefix: ec2) provides the following service-specific resources, actions, and condition context
keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
Topics
Actions defined by Amazon EC2
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform
an operation in AWS. When you use an action in a policy, you usually allow or
deny access to the API operation or CLI command with the same name. However,
in some cases, a single action controls access to more than one operation. Alternatively,
some operations require several different actions.
The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the
Resource element of your policy statement. If the column includes a resource type, then
you can specify an ARN of that type in a statement with that action. Required
resources are indicated in the table with an asterisk (*). If you specify a resource-level
permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not
indicated as required), then you can choose to use one but not the other.
For details about the columns in the following table, see The actions table.
| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AcceptReservedInstancesExchangeQuote | Grants permission to accept a Convertible Reserved Instance exchange quote | Write | |||
| AcceptTransitGatewayMulticastDomainAssociations | Grants permission to accept a request to associate subnets with a transit gateway multicast domain | Write | |||
| AcceptTransitGatewayPeeringAttachment | Grants permission to accept a transit gateway peering attachment request | Write | |||
| AcceptTransitGatewayVpcAttachment | Grants permission to accept a request to attach a VPC to a transit gateway | Write | |||
| AcceptVpcEndpointConnections | Grants permission to accept one or more interface VPC endpoint connections to your VPC endpoint service | Write | |||
| AcceptVpcPeeringConnection | Grants permission to accept a VPC peering connection request | Write | |||
| AdvertiseByoipCidr | Grants permission to advertise an IP address range that is provisioned for use in AWS through bring your own IP addresses (BYOIP) | Write | |||
| AllocateAddress | Grants permission to allocate an Elastic IP address (EIP) to your account | Write | |||
| AllocateHosts | Grants permission to allocate a Dedicated Host to your account | Write | |||
| ApplySecurityGroupsToClientVpnTargetNetwork | Grants permission to apply a security group to the association between a Client VPN endpoint and a target network | Write | |||
| AssignIpv6Addresses | Grants permission to assign one or more IPv6 addresses to a network interface | Write | |||
| AssignPrivateIpAddresses | Grants permission to assign one or more secondary private IP addresses to a network interface | Write | |||
| AssociateAddress | Grants permission to associate an Elastic IP address (EIP) with an instance or a network interface | Write | |||
| AssociateClientVpnTargetNetwork | Grants permission to associate a target network with a Client VPN endpoint | Write | |||
| AssociateDhcpOptions | Grants permission to associate or disassociate a set of DHCP options with a VPC | Write | |||
| AssociateEnclaveCertificateIamRole | Grants permission to associate an ACM certificate with an IAM role to be used in an EC2 Enclave | Write | |||
| AssociateIamInstanceProfile | Grants permission to associate an IAM instance profile with a running or stopped instance | Write |
iam:PassRole |
||
| AssociateRouteTable | Grants permission to associate a subnet or gateway with a route table | Write | |||
| AssociateSubnetCidrBlock | Grants permission to associate a CIDR block with a subnet | Write | |||
| AssociateTransitGatewayMulticastDomain | Grants permission to associate an attachment and list of subnets with a transit gateway multicast domain | Write | |||
| AssociateTransitGatewayRouteTable | Grants permission to associate an attachment with a transit gateway route table | Write | |||
| AssociateVpcCidrBlock | Grants permission to associate a CIDR block with a VPC | Write | |||
| AttachClassicLinkVpc | Grants permission to link an EC2-Classic instance to a ClassicLink-enabled VPC through one or more of the VPC's security groups | Write | |||
| AttachInternetGateway | Grants permission to attach an internet gateway to a VPC | Write | |||
| AttachNetworkInterface | Grants permission to attach a network interface to an instance | Write | |||
| AttachVolume | Grants permission to attach an EBS volume to a running or stopped instance and expose it to the instance with the specified device name | Write | |||
| AttachVpnGateway | Grants permission to attach a virtual private gateway to a VPC | Write | |||
| AuthorizeClientVpnIngress | Grants permission to add an inbound authorization rule to a Client VPN endpoint | Write | |||
| AuthorizeSecurityGroupEgress | Grants permission to add one or more outbound rules to a VPC security group | Write | |||
| AuthorizeSecurityGroupIngress | Grants permission to add one or more inbound rules to a security group | Write | |||
| BundleInstance | Grants permission to bundle an instance store-backed Windows instance | Write | |||
| CancelBundleTask | Grants permission to cancel a bundling operation | Write | |||
| CancelCapacityReservation | Grants permission to cancel a Capacity Reservation and release the reserved capacity | Write | |||
| CancelConversionTask | Grants permission to cancel an active conversion task | Write | |||
| CancelExportTask | Grants permission to cancel an active export task | Write | |||
| CancelImportTask | Grants permission to cancel an in-process import virtual machine or import snapshot task | Write | |||
| CancelReservedInstancesListing | Grants permission to cancel a Reserved Instance listing on the Reserved Instance Marketplace | Write | |||
| CancelSpotFleetRequests | Grants permission to cancel one or more Spot Fleet requests | Write | |||
| CancelSpotInstanceRequests | Grants permission to cancel one or more Spot Instance requests | Write | |||
| ConfirmProductInstance | Grants permission to determine whether an owned product code is associated with an instance | Write | |||
| CopyFpgaImage | Grants permission to copy a source Amazon FPGA image (AFI) to the current Region. Resource-level permissions specified for this action apply to the new AFI only. They do not apply to the source AFI | Write | |||
| CopyImage | Grants permission to copy an Amazon Machine Image (AMI) from a source Region to the current Region. Resource-level permissions specified for this action apply to the new AMI only. They do not apply to the source AMI | Write | |||
| CopySnapshot | Grants permission to copy a point-in-time snapshot of an EBS volume and store it in Amazon S3. Resource-level permissions specified for this action apply to the new snapshot only. They do not apply to the source snapshot | Write | |||
| CreateCapacityReservation | Grants permission to create a Capacity Reservation | Write | |||
| CreateCarrierGateway | Grants permission to create a carrier gateway and provides CSP connectivity to VPC customers | Write | |||
| CreateClientVpnEndpoint | Grants permission to create a Client VPN endpoint | Write | |||
| CreateClientVpnRoute | Grants permission to add a network route to a Client VPN endpoint's route table | Write | |||
| CreateCustomerGateway | Grants permission to create a customer gateway, which provides information to AWS about your customer gateway device | Write | |||
| CreateDefaultSubnet | Grants permission to create a default subnet in a specified Availability Zone in a default VPC | Write | |||
| CreateDefaultVpc | Grants permission to create a default VPC with a default subnet in each Availability Zone | Write | |||
| CreateDhcpOptions | Grants permission to create a set of DHCP options for a VPC | Write | |||
| CreateEgressOnlyInternetGateway | Grants permission to create an egress-only internet gateway for a VPC | Write | |||
| CreateFleet | Grants permission to launch an EC2 Fleet | Write | |||
| CreateFlowLogs | Grants permission to create one or more flow logs to capture IP traffic for a network interface | Write |
iam:PassRole |
||
| CreateFpgaImage | Grants permission to create an Amazon FPGA Image (AFI) from a design checkpoint (DCP) | Write | |||
| CreateImage | Grants permission to create an Amazon EBS-backed AMI from a stopped or running Amazon EBS-backed instance | Write | |||
| CreateInstanceExportTask | Grants permission to export a running or stopped instance to an Amazon S3 bucket | Write | |||
| CreateInternetGateway | Grants permission to create an internet gateway for a VPC | Write | |||
| CreateKeyPair | Grants permission to create a 2048-bit RSA key pair | Write | |||
| CreateLaunchTemplate | Grants permission to create a launch template | Write | |||
| CreateLaunchTemplateVersion | Grants permission to create a new version of a launch template | Write | |||
| CreateLocalGatewayRoute | Grants permission to create a static route for a local gateway route table | Write | |||
| CreateLocalGatewayRouteTableVpcAssociation | Grants permission to associate a VPC with a local gateway route table | Write | |||
| CreateManagedPrefixList | Grants permission to create a managed prefix list | Write | |||
| CreateNatGateway | Grants permission to create a NAT gateway in a subnet | Write | |||
| CreateNetworkAcl | Grants permission to create a network ACL in a VPC | Write | |||
| CreateNetworkAclEntry | Grants permission to create a numbered entry (a rule) in a network ACL | Write | |||
| CreateNetworkInsightsPath | Grants permission to create a path to analyze for reachability | Write | |||
| CreateNetworkInterface | Grants permission to create a network interface in a subnet | Write | |||
| CreateNetworkInterfacePermission | Grants permission to create a permission for an AWS-authorized user to perform certain operations on a network interface | Permissions management | |||
| CreatePlacementGroup | Grants permission to create a placement group | Write | |||
| CreateReplaceRootVolumeTask | Grants permission to create a root volume replacement task | Write | |||
| CreateReservedInstancesListing | Grants permission to create a listing for Standard Reserved Instances to be sold in the Reserved Instance Marketplace | Write | |||
| CreateRestoreImageTask | Grants permission to start a task that restores an AMI from an S3 object previously created by using CreateStoreImageTask | Write | |||
| CreateRoute | Grants permission to create a route in a VPC route table | Write | |||
| CreateRouteTable | Grants permission to create a route table for a VPC | Write | |||
| CreateSecurityGroup | Grants permission to create a security group | Write | |||
| CreateSnapshot | Grants permission to create a snapshot of an EBS volume and store it in Amazon S3 | Write | |||
| CreateSnapshots | Grants permission to create crash-consistent snapshots of multiple EBS volumes and store them in Amazon S3 | Write | |||
| CreateSpotDatafeedSubscription | Grants permission to create a data feed for Spot Instances to view Spot Instance usage logs | Write | |||
| CreateStoreImageTask | Grants permission to store an AMI as a single object in an S3 bucket | Write | |||
| CreateSubnet | Grants permission to create a subnet in a VPC | Write | |||
| CreateTags | Grants permission to add or overwrite one or more tags for Amazon EC2 resources | Tagging | |||
|
local-gateway-route-table-virtual-interface-group-association |
|||||
|
ec2:Phase1EncryptionAlgorithms |
|||||
| CreateTrafficMirrorFilter | Grants permission to create a traffic mirror filter | Write | |||
| CreateTrafficMirrorFilterRule | Grants permission to create a traffic mirror filter rule | Write | |||
| CreateTrafficMirrorSession | Grants permission to create a traffic mirror session | Write | |||
| CreateTrafficMirrorTarget | Grants permission to create a traffic mirror target | Write | |||
| CreateTransitGateway | Grants permission to create a transit gateway | Write | |||
| CreateTransitGatewayConnect | Grants permission to create a Connect attachment from a specified transit gateway attachment | Write | |||
| CreateTransitGatewayConnectPeer | Grants permission to create a Connect peer between a transit gateway and an appliance | Write | |||
| CreateTransitGatewayMulticastDomain | Grants permission to create a multicast domain for a transit gateway | Write | |||
| CreateTransitGatewayPeeringAttachment | Grants permission to request a transit gateway peering attachment between a requester and accepter transit gateway | Write | |||
| CreateTransitGatewayPrefixListReference | Grants permission to create a transit gateway prefix list reference | Write | |||
| CreateTransitGatewayRoute | Grants permission to create a static route for a transit gateway route table | Write | |||
| CreateTransitGatewayRouteTable | Grants permission to create a route table for a transit gateway | Write | |||
| CreateTransitGatewayVpcAttachment | Grants permission to attach a VPC to a transit gateway | Write | |||
| CreateVolume | Grants permission to create an EBS volume | Write | |||
| CreateVpc | Grants permission to create a VPC with a specified CIDR block | Write | |||
| CreateVpcEndpoint | Grants permission to create a VPC endpoint for an AWS service | Write |
route53:AssociateVPCWithHostedZone |
||
| CreateVpcEndpointConnectionNotification | Grants permission to create a connection notification for a VPC endpoint or VPC endpoint service | Write | |||
| CreateVpcEndpointServiceConfiguration | Grants permission to create a VPC endpoint service configuration to which service consumers (AWS accounts, IAM users, and IAM roles) can connect | Write | |||
| CreateVpcPeeringConnection | Grants permission to request a VPC peering connection between two VPCs | Write | |||
| CreateVpnConnection | Grants permission to create a VPN connection between a virtual private gateway or transit gateway and a customer gateway | Write | |||
|
ec2:Phase1EncryptionAlgorithms |
|||||
| CreateVpnConnectionRoute | Grants permission to create a static route for a VPN connection between a virtual private gateway and a customer gateway | Write |
ec2:Phase1EncryptionAlgorithms |
||
| CreateVpnGateway | Grants permission to create a virtual private gateway | Write | |||
| DeleteCarrierGateway | Grants permission to delete a carrier gateway | Write | |||
| DeleteClientVpnEndpoint | Grants permission to delete a Client VPN endpoint | Write | |||
| DeleteClientVpnRoute | Grants permission to delete a route from a Client VPN endpoint | Write | |||
| DeleteCustomerGateway | Grants permission to delete a customer gateway | Write | |||
| DeleteDhcpOptions | Grants permission to delete a set of DHCP options | Write | |||
| DeleteEgressOnlyInternetGateway | Grants permission to delete an egress-only internet gateway | Write | |||
| DeleteFleets | Grants permission to delete one or more EC2 Fleets | Write | |||
| DeleteFlowLogs | Grants permission to delete one or more flow logs | Write | |||
| DeleteFpgaImage | Grants permission to delete an Amazon FPGA Image (AFI) | Write | |||
| DeleteInternetGateway | Grants permission to delete an internet gateway | Write | |||
| DeleteKeyPair | Grants permission to delete a key pair by removing the public key from Amazon EC2 | Write | |||
| DeleteLaunchTemplate | Grants permission to delete a launch template and its associated versions | Write | |||
| DeleteLaunchTemplateVersions | Grants permission to delete one or more versions of a launch template | Write | |||
| DeleteLocalGatewayRoute | Grants permission to delete a route from a local gateway route table | Write | |||
| DeleteLocalGatewayRouteTableVpcAssociation | Grants permission to delete an association between a VPC and local gateway route table | Write | |||
| DeleteManagedPrefixList | Grants permission to delete a managed prefix list | Write | |||
| DeleteNatGateway | Grants permission to delete a NAT gateway | Write | |||
| DeleteNetworkAcl | Grants permission to delete a network ACL | Write | |||
| DeleteNetworkAclEntry | Grants permission to delete an inbound or outbound entry (rule) from a network ACL | Write | |||
| DeleteNetworkInsightsAnalysis | Grants permission to delete a network insights analysis | Write | |||
| DeleteNetworkInsightsPath | Grants permission to delete a network insights path | Write | |||
| DeleteNetworkInterface | Grants permission to delete a detached network interface | Write | |||
| DeleteNetworkInterfacePermission | Grants permission to delete a permission that is associated with a network interface | Permissions management | |||
| DeletePlacementGroup | Grants permission to delete a placement group | Write | |||
| DeleteQueuedReservedInstances | Grants permission to delete the queued purchases for the specified Reserved Instances | Write |