Actions, resources, and condition keys for Amazon EC2 - Service Authorization Reference

Actions, resources, and condition keys for Amazon EC2

Amazon EC2 (service prefix: ec2) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by Amazon EC2

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AcceptReservedInstancesExchangeQuote Grants permission to accept a Convertible Reserved Instance exchange quote Write

ec2:Region

AcceptTransitGatewayMulticastDomainAssociations Grants permission to accept a request to associate subnets with a transit gateway multicast domain Write

transit-gateway-attachment

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-multicast-domain

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AcceptTransitGatewayPeeringAttachment Grants permission to accept a transit gateway peering attachment request Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AcceptTransitGatewayVpcAttachment Grants permission to accept a request to attach a VPC to a transit gateway Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AcceptVpcEndpointConnections Grants permission to accept one or more interface VPC endpoint connections to your VPC endpoint service Write

vpc-endpoint-service*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AcceptVpcPeeringConnection Grants permission to accept a VPC peering connection request Write

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

vpc-peering-connection*

aws:ResourceTag/${TagKey}

ec2:AccepterVpc

ec2:RequesterVpc

ec2:ResourceTag/${TagKey}

ec2:VpcPeeringConnectionID

ec2:Region

AdvertiseByoipCidr Grants permission to advertise an IP address range that is provisioned for use in AWS through bring your own IP addresses (BYOIP) Write

ec2:Region

AllocateAddress Grants permission to allocate an Elastic IP address (EIP) to your account Write

elastic-ip*

ec2:CreateTags

ipv4pool-ec2

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

AllocateHosts Grants permission to allocate a Dedicated Host to your account Write

dedicated-host*

ec2:AutoPlacement

ec2:AvailabilityZone

ec2:HostRecovery

ec2:InstanceType

ec2:Quantity

ec2:CreateTags

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

AllocateIpamPoolCidr Grants permission to allocate a CIDR from an Amazon VPC IP Address Manager (IPAM) pool Write

ipam-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

ApplySecurityGroupsToClientVpnTargetNetwork Grants permission to apply a security group to the association between a Client VPN endpoint and a target network Write

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

security-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:VpcID

ec2:Region

AssignIpv6Addresses Grants permission to assign one or more IPv6 addresses to a network interface Write

network-interface*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

AssignPrivateIpAddresses Grants permission to assign one or more secondary private IP addresses to a network interface Write

network-interface*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

AssociateAddress Grants permission to associate an Elastic IP address (EIP) with an instance or a network interface Write

elastic-ip

aws:ResourceTag/${TagKey}

ec2:AllocationId

ec2:Domain

ec2:PublicIpAddress

ec2:ResourceTag/${TagKey}

instance

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

network-interface

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

AssociateClientVpnTargetNetwork Grants permission to associate a target network with a Client VPN endpoint Write

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

subnet*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Region

AssociateDhcpOptions Grants permission to associate or disassociate a set of DHCP options with a VPC Write

dhcp-options*

aws:ResourceTag/${TagKey}

ec2:DhcpOptionsID

ec2:ResourceTag/${TagKey}

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

AssociateEnclaveCertificateIamRole Grants permission to associate an ACM certificate with an IAM role to be used in an EC2 Enclave Write

certificate*

role*

ec2:Region

AssociateIamInstanceProfile Grants permission to associate an IAM instance profile with a running or stopped instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:NewInstanceProfile

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

iam:PassRole

ec2:Region

AssociateInstanceEventWindow Grants permission to associate one or more targets with an event window Write

instance-event-window*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AssociateRouteTable Grants permission to associate a subnet or gateway with a route table Write

route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

ec2:Vpc

internet-gateway

aws:ResourceTag/${TagKey}

ec2:InternetGatewayID

ec2:ResourceTag/${TagKey}

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

vpn-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AssociateSubnetCidrBlock Grants permission to associate a CIDR block with a subnet Write

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

ec2:Region

AssociateTransitGatewayMulticastDomain Grants permission to associate an attachment and list of subnets with a transit gateway multicast domain Write

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-multicast-domain*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AssociateTransitGatewayPolicyTable Grants permission to associate a policy table with a transit gateway attachment Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-policy-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AssociateTransitGatewayRouteTable Grants permission to associate an attachment with a transit gateway route table Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AssociateTrunkInterface Grants permission to associate a branch network interface with a trunk network interface Write

ec2:Region

AssociateVpcCidrBlock Grants permission to associate a CIDR block with a VPC Write

vpc*

aws:ResourceTag/${TagKey}

ec2:Ipv4IpamPoolId

ec2:Ipv6IpamPoolId

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ipam-pool

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipv6pool-ec2

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AttachClassicLinkVpc Grants permission to link an EC2-Classic instance to a ClassicLink-enabled VPC through one or more of the VPC's security groups Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

security-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

AttachInternetGateway Grants permission to attach an internet gateway to a VPC Write

internet-gateway*

aws:ResourceTag/${TagKey}

ec2:InternetGatewayID

ec2:ResourceTag/${TagKey}

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

AttachNetworkInterface Grants permission to attach a network interface to an instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

network-interface*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

AttachVolume Grants permission to attach an EBS volume to a running or stopped instance and expose it to the instance with the specified device name Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

volume*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:Region

AttachVpnGateway Grants permission to attach a virtual private gateway to a VPC Write

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

vpn-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AuthorizeClientVpnIngress Grants permission to add an inbound authorization rule to a Client VPN endpoint Write

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

AuthorizeSecurityGroupEgress Grants permission to add one or more outbound rules to a VPC security group Write

security-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

ec2:CreateTags

security-group-rule*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

AuthorizeSecurityGroupIngress Grants permission to add one or more inbound rules to a security group Write

security-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

ec2:CreateTags

security-group-rule*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

BundleInstance Grants permission to bundle an instance store-backed Windows instance Write

ec2:Region

CancelBundleTask Grants permission to cancel a bundling operation Write

ec2:Region

CancelCapacityReservation Grants permission to cancel a Capacity Reservation and release the reserved capacity Write

capacity-reservation*

aws:ResourceTag/${TagKey}

ec2:CapacityReservationFleet

ec2:ResourceTag/${TagKey}

ec2:Region

CancelCapacityReservationFleets Grants permission to cancel one or more Capacity Reservation Fleets Write

capacity-reservation-fleet*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CancelConversionTask Grants permission to cancel an active conversion task Write

ec2:Region

CancelExportTask Grants permission to cancel an active export task Write

export-image-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

export-instance-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CancelImportTask Grants permission to cancel an in-process import virtual machine or import snapshot task Write

import-image-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

import-snapshot-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CancelReservedInstancesListing Grants permission to cancel a Reserved Instance listing on the Reserved Instance Marketplace Write

ec2:Region

CancelSpotFleetRequests Grants permission to cancel one or more Spot Fleet requests Write

spot-fleet-request*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CancelSpotInstanceRequests Grants permission to cancel one or more Spot Instance requests Write

spot-instances-request*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

ConfirmProductInstance Grants permission to determine whether an owned product code is associated with an instance Write

ec2:Region

CopyFpgaImage Grants permission to copy a source Amazon FPGA image (AFI) to the current Region. Resource-level permissions specified for this action apply to the new AFI only. They do not apply to the source AFI Write

fpga-image*

ec2:Owner

ec2:Region

CopyImage Grants permission to copy an Amazon Machine Image (AMI) from a source Region to the current Region. Resource-level permissions specified for this action apply to the new AMI only. They do not apply to the source AMI Write

image*

ec2:ImageID

ec2:Owner

ec2:Region

CopySnapshot Grants permission to copy a point-in-time snapshot of an EBS volume and store it in Amazon S3. Resource-level permissions specified for this action apply to the new snapshot only. They do not apply to the source snapshot Write

snapshot*

ec2:OutpostArn

ec2:SnapshotID

ec2:SourceOutpostArn

ec2:CreateTags

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateCapacityReservation Grants permission to create a Capacity Reservation Write

capacity-reservation*

ec2:CapacityReservationFleet

ec2:CreateTags

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateCapacityReservationFleet Grants permission to create a Capacity Reservation Fleet Write

capacity-reservation-fleet*

ec2:CreateTags

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateCarrierGateway Grants permission to create a carrier gateway and provides CSP connectivity to VPC customers Write

carrier-gateway*

ec2:CreateTags

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateClientVpnEndpoint Grants permission to create a Client VPN endpoint Write

client-vpn-endpoint*

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:CreateTags

security-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:VpcID

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateClientVpnRoute Grants permission to add a network route to a Client VPN endpoint's route table Write

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

subnet*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Region

CreateCoipPoolPermission [permission only] Grants permission to allow a service to access a customer owned IP (CoIP) pool Write

ec2:Region

CreateCustomerGateway Grants permission to create a customer gateway, which provides information to AWS about your customer gateway device Write

customer-gateway*

ec2:CreateTags

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateDefaultSubnet Grants permission to create a default subnet in a specified Availability Zone in a default VPC Write

ec2:Region

CreateDefaultVpc Grants permission to create a default VPC with a default subnet in each Availability Zone Write

ec2:Region

CreateDhcpOptions Grants permission to create a set of DHCP options for a VPC Write

dhcp-options*

ec2:DhcpOptionsID

ec2:CreateTags

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateEgressOnlyInternetGateway Grants permission to create an egress-only internet gateway for a VPC Write

egress-only-internet-gateway*

ec2:CreateTags

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateFleet Grants permission to launch an EC2 Fleet Write

fleet*

ec2:CreateTags

instance*

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceID

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:RootDeviceType

ec2:Tenancy

image

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

key-pair

aws:ResourceTag/${TagKey}

ec2:KeyPairName

ec2:KeyPairType

ec2:ResourceTag/${TagKey}

launch-template

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-interface

aws:ResourceTag/${TagKey}

ec2:AssociatePublicIpAddress

ec2:AuthorizedService

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

placement-group

aws:ResourceTag/${TagKey}

ec2:PlacementGroupName

ec2:PlacementGroupStrategy

ec2:ResourceTag/${TagKey}

security-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

snapshot

aws:ResourceTag/${TagKey}

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotID

ec2:SnapshotTime

ec2:VolumeSize

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

volume

ec2:AvailabilityZone

ec2:Encrypted

ec2:KmsKeyId

ec2:ParentSnapshot

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateFlowLogs Grants permission to create one or more flow logs to capture IP traffic for a network interface Write

vpc-flow-log*

ec2:CreateTags

iam:PassRole

network-interface

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateFpgaImage Grants permission to create an Amazon FPGA Image (AFI) from a design checkpoint (DCP) Write

fpga-image*

ec2:Owner

ec2:Public

ec2:CreateTags

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateImage Grants permission to create an Amazon EBS-backed AMI from a stopped or running Amazon EBS-backed instance Write

image*

ec2:ImageID

ec2:Owner

ec2:CreateTags

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

snapshot*

ec2:OutpostArn

ec2:Owner

ec2:ParentVolume

ec2:SnapshotID

ec2:SnapshotTime

ec2:SourceOutpostArn

ec2:VolumeSize

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateInstanceEventWindow Grants permission to create an event window in which scheduled events for the associated Amazon EC2 instances can run Write

instance-event-window*

ec2:CreateTags

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateInstanceExportTask Grants permission to export a running or stopped instance to an Amazon S3 bucket Write

export-instance-task*

ec2:CreateTags

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateInternetGateway Grants permission to create an internet gateway for a VPC Write

internet-gateway*

ec2:InternetGatewayID

ec2:CreateTags

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateIpam Grants permission to create an Amazon VPC IP Address Manager (IPAM) Write

ipam*

ec2:CreateTags

iam:CreateServiceLinkedRole

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateIpamPool Grants permission to create an IP address pool for Amazon VPC IP Address Manager (IPAM), which is a collection of contiguous IP address CIDRs Write

ipam-pool*

ec2:CreateTags

ipam-scope*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateIpamScope Grants permission to create an Amazon VPC IP Address Manager (IPAM) scope, which is the highest-level container within IPAM Write

ipam*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CreateTags

ipam-scope*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateKeyPair Grants permission to create a 2048-bit RSA key pair Write

key-pair*

ec2:KeyPairType

ec2:CreateTags

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateLaunchTemplate Grants permission to create a launch template Write

launch-template*

ec2:CreateTags

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateLaunchTemplateVersion Grants permission to create a new version of a launch template Write

launch-template*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateLocalGatewayRoute Grants permission to create a static route for a local gateway route table Write

local-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-virtual-interface-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateLocalGatewayRouteTablePermission [permission only] Grants permission to allow a service to access a local gateway route table Write

local-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateLocalGatewayRouteTableVpcAssociation Grants permission to associate a VPC with a local gateway route table Write

local-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CreateTags

local-gateway-route-table-vpc-association*

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateManagedPrefixList Grants permission to create a managed prefix list Write

prefix-list*

ec2:CreateTags

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateNatGateway Grants permission to create a NAT gateway in a subnet Write

natgateway*

ec2:CreateTags

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

elastic-ip

aws:ResourceTag/${TagKey}

ec2:AllocationId

ec2:Domain

ec2:PublicIpAddress

ec2:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateNetworkAcl Grants permission to create a network ACL in a VPC Write

network-acl*

ec2:NetworkAclID

ec2:CreateTags

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateNetworkAclEntry Grants permission to create a numbered entry (a rule) in a network ACL Write

network-acl*

aws:ResourceTag/${TagKey}

ec2:NetworkAclID

ec2:ResourceTag/${TagKey}

ec2:Vpc

ec2:Region

CreateNetworkInsightsAccessScope Grants permission to create a Network Access Scope Write

network-insights-access-scope*

ec2:CreateTags

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateNetworkInsightsPath Grants permission to create a path to analyze for reachability Write

network-insights-path*

ec2:CreateTags

instance

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceID

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

internet-gateway

aws:ResourceTag/${TagKey}

ec2:InternetGatewayID

ec2:ResourceTag/${TagKey}

network-interface

aws:ResourceTag/${TagKey}

ec2:AssociatePublicIpAddress

ec2:AuthorizedService

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

transit-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-peering-connection

aws:ResourceTag/${TagKey}

ec2:AccepterVpc

ec2:RequesterVpc

ec2:ResourceTag/${TagKey}

ec2:VpcPeeringConnectionID

vpn-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateNetworkInterface Grants permission to create a network interface in a subnet Write

network-interface*

ec2:NetworkInterfaceID

ec2:CreateTags

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

security-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateNetworkInterfacePermission Grants permission to create a permission for an AWS-authorized user to perform certain operations on a network interface Permissions management

network-interface*

aws:ResourceTag/${TagKey}

ec2:AuthorizedService

ec2:AuthorizedUser

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:Permission

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

CreatePlacementGroup Grants permission to create a placement group Write

placement-group*

ec2:PlacementGroupName

ec2:PlacementGroupStrategy

ec2:CreateTags

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreatePublicIpv4Pool Grants permission to create a public IPv4 address pool for public IPv4 CIDRs that you own and bring to Amazon to manage with Amazon VPC IP Address Manager (IPAM) Write

network-insights-access-scope*

ec2:CreateTags

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateReplaceRootVolumeTask Grants permission to create a root volume replacement task Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:CreateTags

replace-root-volume-task*

volume*

ec2:VolumeID

snapshot

aws:ResourceTag/${TagKey}

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotID

ec2:SnapshotTime

ec2:VolumeSize

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateReservedInstancesListing Grants permission to create a listing for Standard Reserved Instances to be sold in the Reserved Instance Marketplace Write

ec2:Region

CreateRestoreImageTask Grants permission to start a task that restores an AMI from an S3 object previously created by using CreateStoreImageTask Write

image*

ec2:ImageID

ec2:Owner

ec2:CreateTags

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateRoute Grants permission to create a route in a VPC route table Write

route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

ec2:Vpc

ec2:Region

CreateRouteTable Grants permission to create a route table for a VPC Write

route-table*

ec2:RouteTableID

ec2:CreateTags

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateSecurityGroup Grants permission to create a security group Write

security-group*

ec2:SecurityGroupID

ec2:CreateTags

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateSnapshot Grants permission to create a snapshot of an EBS volume and store it in Amazon S3 Write

snapshot*

ec2:OutpostArn

ec2:ParentVolume

ec2:SnapshotID

ec2:SourceOutpostArn

ec2:VolumeSize

ec2:CreateTags

volume*

aws:ResourceTag/${TagKey}

ec2:Encrypted

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateSnapshots Grants permission to create crash-consistent snapshots of multiple EBS volumes and store them in Amazon S3 Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceID

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:CreateTags

snapshot*

ec2:OutpostArn

ec2:ParentVolume

ec2:SnapshotID

ec2:SourceOutpostArn

ec2:VolumeSize

volume*

aws:ResourceTag/${TagKey}

ec2:Encrypted

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateSpotDatafeedSubscription Grants permission to create a data feed for Spot Instances to view Spot Instance usage logs Write

ec2:Region

CreateStoreImageTask Grants permission to store an AMI as a single object in an S3 bucket Write

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

CreateSubnet Grants permission to create a subnet in a VPC Write

subnet*

ec2:SubnetID

ec2:CreateTags

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateSubnetCidrReservation Grants permission to create a subnet CIDR reservation Write

ec2:Region

CreateTags Grants permission to add or overwrite one or more tags for Amazon EC2 resources Tagging

capacity-reservation

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

capacity-reservation-fleet

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

carrier-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:Vpc

client-vpn-endpoint

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

customer-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

dedicated-host

aws:ResourceTag/${TagKey}

ec2:AutoPlacement

ec2:AvailabilityZone

ec2:HostRecovery

ec2:InstanceType

ec2:Quantity

ec2:ResourceTag/${TagKey}

dhcp-options

aws:ResourceTag/${TagKey}

ec2:DhcpOptionsID

ec2:ResourceTag/${TagKey}

egress-only-internet-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

elastic-gpu

aws:ResourceTag/${TagKey}

ec2:ElasticGpuType

ec2:ResourceTag/${TagKey}

elastic-ip

aws:ResourceTag/${TagKey}

ec2:AllocationId

ec2:Domain

ec2:PublicIpAddress

ec2:ResourceTag/${TagKey}

export-image-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

export-instance-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

fleet

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

fpga-image

aws:ResourceTag/${TagKey}

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

host-reservation

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

image

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

import-image-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

import-snapshot-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

instance

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

instance-event-window

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

internet-gateway

aws:ResourceTag/${TagKey}

ec2:InternetGatewayID

ec2:ResourceTag/${TagKey}

ipam

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam-pool

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam-scope

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipv4pool-ec2

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipv6pool-ec2

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

key-pair

aws:ResourceTag/${TagKey}

ec2:KeyPairName

ec2:KeyPairType

ec2:ResourceTag/${TagKey}

launch-template

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-route-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-route-table-virtual-interface-group-association

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-route-table-vpc-association

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-virtual-interface

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-virtual-interface-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

natgateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-acl

aws:ResourceTag/${TagKey}

ec2:NetworkAclID

ec2:ResourceTag/${TagKey}

ec2:Vpc

network-insights-access-scope

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-insights-access-scope-analysis

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-insights-analysis

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-insights-path

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-interface

aws:ResourceTag/${TagKey}

ec2:AssociatePublicIpAddress

ec2:AuthorizedService

ec2:AuthorizedUser

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:Permission

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

placement-group

aws:ResourceTag/${TagKey}

ec2:PlacementGroupName

ec2:PlacementGroupStrategy

ec2:ResourceTag/${TagKey}

prefix-list

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

replace-root-volume-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

reserved-instances

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:InstanceType

ec2:ReservedInstancesOfferingType

ec2:ResourceTag/${TagKey}

ec2:Tenancy

route-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

ec2:Vpc

security-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

security-group-rule

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

snapshot

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotID

ec2:SnapshotTime

ec2:VolumeSize

spot-fleet-request

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

spot-instances-request

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

subnet-cidr-reservation

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

traffic-mirror-filter

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

traffic-mirror-session

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

traffic-mirror-target

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-attachment

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-connect-peer

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-multicast-domain

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-policy-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-route-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-route-table-announcement

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

volume

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

vpc-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-endpoint-service

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:VpceServicePrivateDnsName

vpc-flow-log

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-peering-connection

aws:ResourceTag/${TagKey}

ec2:AccepterVpc

ec2:RequesterVpc

ec2:ResourceTag/${TagKey}

ec2:VpcPeeringConnectionID

vpn-connection

aws:ResourceTag/${TagKey}

ec2:AuthenticationType

ec2:DPDTimeoutSeconds

ec2:GatewayType

ec2:IKEVersions

ec2:InsideTunnelCidr

ec2:InsideTunnelIpv6Cidr

ec2:Phase1DHGroup

ec2:Phase1EncryptionAlgorithms

ec2:Phase1IntegrityAlgorithms

ec2:Phase1LifetimeSeconds

ec2:Phase2DHGroup

ec2:Phase2EncryptionAlgorithms

ec2:Phase2IntegrityAlgorithms

ec2:Phase2LifetimeSeconds

ec2:PreSharedKeys

ec2:RekeyFuzzPercentage

ec2:RekeyMarginTimeSeconds

ec2:ReplayWindowSizePackets

ec2:ResourceTag/${TagKey}

ec2:RoutingType

vpn-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CreateAction

ec2:Region

CreateTrafficMirrorFilter Grants permission to create a traffic mirror filter Write

traffic-mirror-filter*

ec2:CreateTags

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateTrafficMirrorFilterRule Grants permission to create a traffic mirror filter rule Write

traffic-mirror-filter*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateTrafficMirrorSession Grants permission to create a traffic mirror session Write

network-interface*

aws:ResourceTag/${TagKey}

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:CreateTags

traffic-mirror-filter*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

traffic-mirror-session*

traffic-mirror-target*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateTrafficMirrorTarget Grants permission to create a traffic mirror target Write

traffic-mirror-target*

ec2:CreateTags

network-interface

aws:ResourceTag/${TagKey}

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

vpc-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:VpceServiceName

ec2:VpceServiceOwner

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateTransitGateway Grants permission to create a transit gateway Write

transit-gateway*

ec2:CreateTags

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateTransitGatewayConnect Grants permission to create a Connect attachment from a specified transit gateway attachment Write

transit-gateway-attachment*

ec2:CreateTags

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateTransitGatewayConnectPeer Grants permission to create a Connect peer between a transit gateway and an appliance Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CreateTags

transit-gateway-connect-peer*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateTransitGatewayMulticastDomain Grants permission to create a multicast domain for a transit gateway Write

transit-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CreateTags

transit-gateway-multicast-domain*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateTransitGatewayPeeringAttachment Grants permission to request a transit gateway peering attachment between a requester and accepter transit gateway Write

transit-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CreateTags

transit-gateway-attachment*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateTransitGatewayPolicyTable Grants permission to create a transit gateway policy table Write

transit-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CreateTags

transit-gateway-policy-table*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateTransitGatewayPrefixListReference Grants permission to create a transit gateway prefix list reference Write

prefix-list*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-attachment

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateTransitGatewayRoute Grants permission to create a static route for a transit gateway route table Write

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-attachment

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateTransitGatewayRouteTable Grants permission to create a route table for a transit gateway Write

transit-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CreateTags

transit-gateway-route-table*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateTransitGatewayRouteTableAnnouncement Grants permission to create an announcement for a transit gateway route table Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CreateTags

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-route-table-announcement*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateTransitGatewayVpcAttachment Grants permission to attach a VPC to a transit gateway Write

transit-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CreateTags

transit-gateway-attachment*

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateVolume Grants permission to create an EBS volume Write

volume*

ec2:AvailabilityZone

ec2:Encrypted

ec2:KmsKeyId

ec2:ParentSnapshot

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:CreateTags

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateVpc Grants permission to create a VPC with a specified CIDR block Write

vpc*

ec2:Ipv4IpamPoolId

ec2:Ipv6IpamPoolId

ec2:VpcID

ec2:CreateTags

ipam-pool

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipv6pool-ec2

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateVpcEndpoint Grants permission to create a VPC endpoint for an AWS service Write

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:VpcID

ec2:CreateTags

route53:AssociateVPCWithHostedZone

vpc-endpoint*

ec2:VpceServiceName

ec2:VpceServiceOwner

route-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

security-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

subnet

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SubnetID

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateVpcEndpointConnectionNotification Grants permission to create a connection notification for a VPC endpoint or VPC endpoint service Write

vpc-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateVpcEndpointServiceConfiguration Grants permission to create a VPC endpoint service configuration to which service consumers (AWS accounts, IAM users, and IAM roles) can connect Write

vpc-endpoint-service*

ec2:VpceServicePrivateDnsName

ec2:CreateTags

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateVpcPeeringConnection Grants permission to request a VPC peering connection between two VPCs Write

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:CreateTags

vpc-peering-connection*

ec2:AccepterVpc

ec2:RequesterVpc

ec2:VpcPeeringConnectionID

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateVpnConnection Grants permission to create a VPN connection between a virtual private gateway or transit gateway and a customer gateway Write

customer-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CreateTags

vpn-connection*

ec2:AuthenticationType

ec2:DPDTimeoutSeconds

ec2:GatewayType

ec2:IKEVersions

ec2:InsideTunnelCidr

ec2:InsideTunnelIpv6Cidr

ec2:Phase1DHGroup

ec2:Phase1EncryptionAlgorithms

ec2:Phase1IntegrityAlgorithms

ec2:Phase1LifetimeSeconds

ec2:Phase2DHGroup

ec2:Phase2EncryptionAlgorithms

ec2:Phase2IntegrityAlgorithms

ec2:Phase2LifetimeSeconds

ec2:PreSharedKeys

ec2:RekeyFuzzPercentage

ec2:RekeyMarginTimeSeconds

ec2:ReplayWindowSizePackets

ec2:RoutingType

transit-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-attachment

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpn-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateVpnConnectionRoute Grants permission to create a static route for a VPN connection between a virtual private gateway and a customer gateway Write

vpn-connection*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateVpnGateway Grants permission to create a virtual private gateway Write

vpn-gateway*

ec2:CreateTags

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

DeleteCarrierGateway Grants permission to delete a carrier gateway Write

carrier-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteClientVpnEndpoint Grants permission to delete a Client VPN endpoint Write

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

DeleteClientVpnRoute Grants permission to delete a route from a Client VPN endpoint Write

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

ec2:Region

DeleteCoipPoolPermission [permission only] Grants permission to deny a service from accessing a customer owned IP (CoIP) pool Write

ec2:Region

DeleteCustomerGateway Grants permission to delete a customer gateway Write

customer-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteDhcpOptions Grants permission to delete a set of DHCP options Write

dhcp-options*

aws:ResourceTag/${TagKey}

ec2:DhcpOptionsID

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteEgressOnlyInternetGateway Grants permission to delete an egress-only internet gateway Write

egress-only-internet-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteFleets Grants permission to delete one or more EC2 Fleets Write

fleet*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteFlowLogs Grants permission to delete one or more flow logs Write

vpc-flow-log*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteFpgaImage Grants permission to delete an Amazon FPGA Image (AFI) Write

fpga-image*

aws:ResourceTag/${TagKey}

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteInstanceEventWindow Grants permission to delete the specified event window Write

instance-event-window*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteInternetGateway Grants permission to delete an internet gateway Write

internet-gateway*

aws:ResourceTag/${TagKey}

ec2:InternetGatewayID

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteIpam Grants permission to delete an Amazon VPC IP Address Manager (IPAM) and remove all monitored data associated with the IPAM including the historical data for CIDRs Write

ipam*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteIpamPool Grants permission to delete an Amazon VPC IP Address Manager (IPAM) pool Write

ipam-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteIpamScope Grants permission to delete the scope for an Amazon VPC IP Address Manager (IPAM) Write

ipam-scope*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteKeyPair Grants permission to delete a key pair by removing the public key from Amazon EC2 Write

key-pair

aws:ResourceTag/${TagKey}

ec2:KeyPairName

ec2:KeyPairType

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteLaunchTemplate Grants permission to delete a launch template and its associated versions Write

launch-template*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteLaunchTemplateVersions Grants permission to delete one or more versions of a launch template Write

launch-template*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteLocalGatewayRoute Grants permission to delete a route from a local gateway route table Write

local-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteLocalGatewayRouteTablePermission [permission only] Grants permission to deny a service from accessing a local gateway route table Write

local-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteLocalGatewayRouteTableVpcAssociation Grants permission to delete an association between a VPC and local gateway route table Write

local-gateway-route-table-vpc-association*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteManagedPrefixList Grants permission to delete a managed prefix list Write

prefix-list*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteNatGateway Grants permission to delete a NAT gateway Write

natgateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteNetworkAcl Grants permission to delete a network ACL Write

network-acl*

aws:ResourceTag/${TagKey}

ec2:NetworkAclID

ec2:ResourceTag/${TagKey}

ec2:Vpc

ec2:Region

DeleteNetworkAclEntry Grants permission to delete an inbound or outbound entry (rule) from a network ACL Write

network-acl*

aws:ResourceTag/${TagKey}

ec2:NetworkAclID

ec2:ResourceTag/${TagKey}

ec2:Vpc

ec2:Region

DeleteNetworkInsightsAccessScope Grants permission to delete a Network Access Scope Write

network-insights-access-scope*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteNetworkInsightsAccessScopeAnalysis Grants permission to delete a Network Access Scope analysis Write

network-insights-access-scope-analysis*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteNetworkInsightsAnalysis Grants permission to delete a network insights analysis Write

network-insights-analysis*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteNetworkInsightsPath Grants permission to delete a network insights path Write

network-insights-path*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteNetworkInterface Grants permission to delete a detached network interface Write

network-interface*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

DeleteNetworkInterfacePermission Grants permission to delete a permission that is associated with a network interface Permissions management

network-interface

aws:ResourceTag/${TagKey}

ec2:AssociatePublicIpAddress

ec2:AuthorizedService

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

DeletePlacementGroup Grants permission to delete a placement group Write

placement-group

aws:ResourceTag/${TagKey}

ec2:PlacementGroupName

ec2:PlacementGroupStrategy

ec2:ResourceTag/${TagKey}

ec2:Region

DeletePublicIpv4Pool Grants permission to delete a public IPv4 address pool for public IPv4 CIDRs that you own and brought to Amazon to manage with Amazon VPC IP Address Manager (IPAM) Write

ipv4pool-ec2*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteQueuedReservedInstances Grants permission to delete the queued purchases for the specified Reserved Instances Write

ec2:Region

DeleteResourcePolicy [permission only] Grants permission to remove an IAM policy that enables cross-account sharing from a resource Write

ipam-pool

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteRoute Grants permission to delete a route from a route table Write

route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

ec2:Vpc

ec2:Region

DeleteRouteTable Grants permission to delete a route table Write

route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

ec2:Vpc

ec2:Region

DeleteSecurityGroup Grants permission to delete a security group Write

security-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

ec2:Region

DeleteSnapshot Grants permission to delete a snapshot of an EBS volume Write

snapshot*

aws:ResourceTag/${TagKey}

ec2:OutpostArn

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotID

ec2:SnapshotTime

ec2:SourceOutpostArn

ec2:VolumeSize

ec2:Region

DeleteSpotDatafeedSubscription Grants permission to delete a data feed for Spot Instances Write

ec2:Region

DeleteSubnet Grants permission to delete a subnet Write

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

ec2:Region

DeleteSubnetCidrReservation Grants permission to delete a subnet CIDR reservation Write

ec2:Region

DeleteTags Grants permission to delete one or more tags from Amazon EC2 resources Tagging

capacity-reservation

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

capacity-reservation-fleet

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

carrier-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

client-vpn-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

customer-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

dedicated-host

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

dhcp-options

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

egress-only-internet-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

elastic-gpu

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

elastic-ip

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

export-image-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

export-instance-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

fleet

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

fpga-image

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

host-reservation

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

image

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

import-image-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

import-snapshot-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

instance

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

instance-event-window

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

internet-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam-pool

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam-scope

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipv4pool-ec2

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipv6pool-ec2

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

key-pair

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

launch-template

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-route-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-route-table-virtual-interface-group-association

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-route-table-vpc-association

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-virtual-interface

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-virtual-interface-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

natgateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-acl

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-insights-access-scope

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-insights-access-scope-analysis

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-insights-analysis

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-insights-path

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-interface

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

placement-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

prefix-list

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

replace-root-volume-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

reserved-instances

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

route-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

security-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

security-group-rule

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

snapshot

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

spot-fleet-request

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

spot-instances-request

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

subnet

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

subnet-cidr-reservation

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

traffic-mirror-filter

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

traffic-mirror-session

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

traffic-mirror-target

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-attachment

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-connect-peer

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-multicast-domain

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-policy-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-route-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-route-table-announcement

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

volume

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-endpoint-service

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-flow-log

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-peering-connection

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpn-connection

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpn-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

aws:TagKeys

ec2:Region

DeleteTrafficMirrorFilter Grants permission to delete a traffic mirror filter Write

traffic-mirror-filter*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteTrafficMirrorFilterRule Grants permission to delete a traffic mirror filter rule Write

traffic-mirror-filter*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

traffic-mirror-filter-rule*

ec2:Region

DeleteTrafficMirrorSession Grants permission to delete a traffic mirror session Write

traffic-mirror-session*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteTrafficMirrorTarget Grants permission to delete a traffic mirror target Write

traffic-mirror-target*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteTransitGateway Grants permission to delete a transit gateway Write

transit-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteTransitGatewayConnect Grants permission to delete a transit gateway connect attachment Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteTransitGatewayConnectPeer Grants permission to delete a transit gateway connect peer Write

transit-gateway-connect-peer*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteTransitGatewayMulticastDomain Grants permission to delete a transit gateway multicast domain Write

transit-gateway-multicast-domain*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteTransitGatewayPeeringAttachment Grants permission to delete a peering attachment from a transit gateway Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteTransitGatewayPolicyTable Grants permission to delete a transit gateway policy table Write

transit-gateway-policy-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteTransitGatewayPrefixListReference Grants permission to delete a transit gateway prefix list reference Write

prefix-list*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteTransitGatewayRoute Grants permission to delete a route from a transit gateway route table Write

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteTransitGatewayRouteTable Grants permission to delete a transit gateway route table Write

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteTransitGatewayRouteTableAnnouncement Grants permission to delete a transit gateway route table announcement Write

transit-gateway-route-table-announcement*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteTransitGatewayVpcAttachment Grants permission to delete a VPC attachment from a transit gateway Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteVolume Grants permission to delete an EBS volume Write

volume*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:Region

DeleteVpc Grants permission to delete a VPC Write

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

DeleteVpcEndpointConnectionNotifications Grants permission to delete one or more VPC endpoint connection notifications Write

vpc-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-endpoint-service

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteVpcEndpointServiceConfigurations Grants permission to delete one or more VPC endpoint service configurations Write

vpc-endpoint-service*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteVpcEndpoints Grants permission to delete one or more VPC endpoints Write

vpc-endpoint*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:VpceServiceName

ec2:Region

DeleteVpcPeeringConnection Grants permission to delete a VPC peering connection Write

vpc-peering-connection*

aws:ResourceTag/${TagKey}

ec2:AccepterVpc

ec2:RequesterVpc

ec2:ResourceTag/${TagKey}

ec2:VpcPeeringConnectionID

ec2:Region

DeleteVpnConnection Grants permission to delete a VPN connection Write

vpn-connection*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteVpnConnectionRoute Grants permission to delete a static route for a VPN connection between a virtual private gateway and a customer gateway Write

vpn-connection*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteVpnGateway Grants permission to delete a virtual private gateway Write

vpn-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeprovisionByoipCidr Grants permission to release an IP address range that was provisioned through bring your own IP addresses (BYOIP), and to delete the corresponding address pool Write

ec2:Region

DeprovisionIpamPoolCidr Grants permission to deprovision a CIDR provisioned from an Amazon VPC IP Address Manager (IPAM) pool Write

ipam-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeprovisionPublicIpv4PoolCidr Grants permission to deprovision a CIDR from a public IPv4 pool Write

ipv4pool-ec2*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeregisterImage Grants permission to deregister an Amazon Machine Image (AMI) Write

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

DeregisterInstanceEventNotificationAttributes Grants permission to remove tags from the set of tags to include in notifications about scheduled events for your instances Write

ec2:Region

DeregisterTransitGatewayMulticastGroupMembers Grants permission to deregister one or more network interface members from a group IP address in a transit gateway multicast domain Write

network-interface

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

transit-gateway-multicast-domain

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeregisterTransitGatewayMulticastGroupSources Grants permission to deregister one or more network interface sources from a group IP address in a transit gateway multicast domain Write

network-interface

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

transit-gateway-multicast-domain

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DescribeAccountAttributes Grants permission to describe the attributes of the AWS account List

ec2:Region

DescribeAddresses Grants permission to describe one or more Elastic IP addresses List

ec2:Region

DescribeAddressesAttribute Grants permission to describe the attributes of the specified Elastic IP addresses List

elastic-ip

aws:ResourceTag/${TagKey}

ec2:AllocationId

ec2:Domain

ec2:PublicIpAddress

ec2:ResourceTag/${TagKey}

ec2:Region

DescribeAggregateIdFormat Grants permission to describe the longer ID format settings for all resource types List

ec2:Region

DescribeAvailabilityZones Grants permission to describe one or more of the Availability Zones that are available to you List

ec2:Region

DescribeBundleTasks Grants permission to describe one or more bundling tasks List

ec2:Region

DescribeByoipCidrs Grants permission to describe the IP address ranges that were provisioned through bring your own IP addresses (BYOIP) List

ec2:Region

DescribeCapacityReservationFleets Grants permission to describe one or more Capacity Reservation Fleets List

ec2:Region

DescribeCapacityReservations Grants permission to describe one or more Capacity Reservations List

ec2:Region

DescribeCarrierGateways Grants permission to describe one or more Carrier Gateways List

ec2:Region

DescribeClassicLinkInstances Grants permission to describe one or more linked EC2-Classic instances List

ec2:Region

DescribeClientVpnAuthorizationRules Grants permission to describe the authorization rules for a Client VPN endpoint List

client-vpn-endpoint

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

DescribeClientVpnConnections Grants permission to describe active client connections and connections that have been terminated within the last 60 minutes for a Client VPN endpoint List

client-vpn-endpoint

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

DescribeClientVpnEndpoints Grants permission to describe one or more Client VPN endpoints List

client-vpn-endpoint

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

DescribeClientVpnRoutes Grants permission to describe the routes for a Client VPN endpoint List

client-vpn-endpoint

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

DescribeClientVpnTargetNetworks Grants permission to describe the target networks that are associated with a Client VPN endpoint List

client-vpn-endpoint

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

DescribeCoipPools Grants permission to describe the specified customer-owned address pools or all of your customer-owned address pools List

ec2:Region

DescribeConversionTasks Grants permission to describe one or more conversion tasks List

ec2:Region

DescribeCustomerGateways Grants permission to describe one or more customer gateways List

ec2:Region

DescribeDhcpOptions Grants permission to describe one or more DHCP options sets List

ec2:Region

DescribeEgressOnlyInternetGateways Grants permission to describe one or more egress-only internet gateways List

ec2:Region

DescribeElasticGpus Grants permission to describe an Elastic Graphics accelerator that is associated with an instance Read

ec2:Region

DescribeExportImageTasks Grants permission to describe one or more export image tasks List

ec2:Region

DescribeExportTasks Grants permission to describe one or more export instance tasks List

ec2:Region

DescribeFastLaunchImages Grants permission to describe fast-launch enabled Windows AMIs Read

image

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

DescribeFastSnapshotRestores Grants permission to describe the state of fast snapshot restores for snapshots Read

ec2:Region

DescribeFleetHistory Grants permission to describe the events for an EC2 Fleet during a specified time List

fleet

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DescribeFleetInstances Grants permission to describe the running instances for an EC2 Fleet List

fleet

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DescribeFleets Grants permission to describe one or more EC2 Fleets List

fleet

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DescribeFlowLogs Grants permission to describe one or more flow logs List

ec2:Region

DescribeFpgaImageAttribute Grants permission to describe the attributes of an Amazon FPGA Image (AFI) List

fpga-image*

aws:ResourceTag/${TagKey}

ec2:Attribute/${AttributeName}

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:Region

DescribeFpgaImages Grants permission to describe one or more Amazon FPGA Images (AFIs) List

ec2:Region

DescribeHostReservationOfferings Grants permission to describe the Dedicated Host Reservations that are available to purchase List

ec2:Region

DescribeHostReservations Grants permission to describe the Dedicated Host Reservations that are associated with Dedicated Hosts in the AWS account List

ec2:Region

DescribeHosts Grants permission to describe one or more Dedicated Hosts List

ec2:Region

DescribeIamInstanceProfileAssociations Grants permission to describe the IAM instance profile associations List

ec2:Region

DescribeIdFormat Grants permission to describe the ID format settings for resources List

ec2:Region

DescribeIdentityIdFormat Grants permission to describe the ID format settings for resources for an IAM user, IAM role, or root user List

ec2:Region

DescribeImageAttribute Grants permission to describe an attribute of an Amazon Machine Image (AMI) List

image

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

DescribeImages Grants permission to describe one or more images (AMIs, AKIs, and ARIs) List

ec2:Region

DescribeImportImageTasks Grants permission to describe import virtual machine or import snapshot tasks List

ec2:Region

DescribeImportSnapshotTasks Grants permission to describe import snapshot tasks List

ec2:Region

DescribeInstanceAttribute Grants permission to describe the attributes of an instance List

instance

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

DescribeInstanceCreditSpecifications Grants permission to describe the credit option for CPU usage of one or more burstable performance instances List

ec2:Region

DescribeInstanceEventNotificationAttributes Grants permission to describe the set of tags to include in notifications about scheduled events for your instances List

ec2:Region

DescribeInstanceEventWindows Grants permission to describe the specified event windows or all event windows List

ec2:Region

DescribeInstanceStatus Grants permission to describe the status of one or more instances List

ec2:Region

DescribeInstanceTypeOfferings Grants permission to describe the set of instance types that are offered in a location List

ec2:Region

DescribeInstanceTypes Grants permission to describe the details of instance types that are offered in a location List

ec2:Region

DescribeInstances Grants permission to describe one or more instances List

ec2:Region

DescribeInternetGateways Grants permission to describe one or more internet gateways List

ec2:Region

DescribeIpamPools Grants permission to describe Amazon VPC IP Address Manager (IPAM) pools List

ec2:Region

DescribeIpamScopes Grants permission to describe Amazon VPC IP Address Manager (IPAM) scopes List

ec2:Region

DescribeIpams Grants permission to describe an Amazon VPC IP Address Manager (IPAM) List

ec2:Region

DescribeIpv6Pools Grants permission to describe one or more IPv6 address pools List

ec2:Region

DescribeKeyPairs Grants permission to describe one or more key pairs List

ec2:Region

DescribeLaunchTemplateVersions Grants permission to describe one or more launch template versions List

ec2:Region

DescribeLaunchTemplates Grants permission to describe one or more launch templates List

ec2:Region

DescribeLocalGatewayRouteTablePermissions [permission only] Grants permission to allow a service to describe local gateway route table permissions List

ec2:Region

DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations Grants permission to describe the associations between virtual interface groups and local gateway route tables List

ec2:Region

DescribeLocalGatewayRouteTableVpcAssociations Grants permission to describe an association between VPCs and local gateway route tables List

ec2:Region

DescribeLocalGatewayRouteTables Grants permission to describe one or more local gateway route tables List

ec2:Region

DescribeLocalGatewayVirtualInterfaceGroups Grants permission to describe local gateway virtual interface groups List

ec2:Region

DescribeLocalGatewayVirtualInterfaces Grants permission to describe local gateway virtual interfaces List

ec2:Region

DescribeLocalGateways Grants permission to describe one or more local gateways List

ec2:Region

DescribeManagedPrefixLists Grants permission to describe your managed prefix lists and any AWS-managed prefix lists List

ec2:Region

DescribeMovingAddresses Grants permission to describe Elastic IP addresses that are being moved to the EC2-VPC platform List

ec2:Region

DescribeNatGateways Grants permission to describe one or more NAT gateways List

ec2:Region

DescribeNetworkAcls Grants permission to describe one or more network ACLs List

ec2:Region

DescribeNetworkInsightsAccessScopeAnalyses Grants permission to describe one or more Network Access Scope analyses List

ec2:Region

DescribeNetworkInsightsAccessScopes Grants permission to describe the Network Access Scopes List

ec2:Region

DescribeNetworkInsightsAnalyses Grants permission to describe one or more network insights analyses List

ec2:Region

DescribeNetworkInsightsPaths Grants permission to describe one or more network insights paths List

ec2:Region

DescribeNetworkInterfaceAttribute Grants permission to describe a network interface attribute List

ec2:Region

DescribeNetworkInterfacePermissions Grants permission to describe the permissions that are associated with a network interface List

ec2:Region

DescribeNetworkInterfaces Grants permission to describe one or more network interfaces List

ec2:Region

DescribePlacementGroups Grants permission to describe one or more placement groups List

ec2:Region

DescribePrefixLists Grants permission to describe available AWS services in a prefix list format List

ec2:Region

DescribePrincipalIdFormat Grants permission to describe the ID format settings for the root user and all IAM roles and IAM users that have explicitly specified a longer ID (17-character ID) preference List

ec2:Region

DescribePublicIpv4Pools Grants permission to describe one or more IPv4 address pools List

ec2:Region

DescribeRegions Grants permission to describe one or more AWS Regions that are currently available in your account List

ec2:Region

DescribeReplaceRootVolumeTasks Grants permission to describe a root volume replacement task List

ec2:Region

DescribeReservedInstances Grants permission to describe one or more purchased Reserved Instances in your account List

ec2:Region

DescribeReservedInstancesListings Grants permission to describe your account's Reserved Instance listings in the Reserved Instance Marketplace List

ec2:Region

DescribeReservedInstancesModifications Grants permission to describe the modifications made to one or more Reserved Instances List

ec2:Region

DescribeReservedInstancesOfferings Grants permission to describe the Reserved Instance offerings that are available for purchase List

ec2:Region

DescribeRouteTables Grants permission to describe one or more route tables List

ec2:Region

DescribeScheduledInstanceAvailability Grants permission to find available schedules for Scheduled Instances Read

ec2:Region

DescribeScheduledInstances Grants permission to describe one or more Scheduled Instances in your account Read

ec2:Region

DescribeSecurityGroupReferences Grants permission to describe the VPCs on the other side of a VPC peering connection that are referencing specified VPC security groups List

ec2:Region

DescribeSecurityGroupRules Grants permission to describe one or more of your security group rules List

ec2:Region

DescribeSecurityGroups Grants permission to describe one or more security groups List

ec2:Region

DescribeSnapshotAttribute Grants permission to describe an attribute of a snapshot List

snapshot

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:OutpostArn

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotID

ec2:SnapshotTime

ec2:SourceOutpostArn

ec2:VolumeSize

ec2:Region

DescribeSnapshotTierStatus Grants permission to describe the storage tier status for Amazon EBS snapshots List

ec2:Region

DescribeSnapshots Grants permission to describe one or more EBS snapshots List

ec2:Region

DescribeSpotDatafeedSubscription Grants permission to describe the data feed for Spot Instances List

ec2:Region

DescribeSpotFleetInstances Grants permission to describe the running instances for a Spot Fleet List

spot-fleet-request

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DescribeSpotFleetRequestHistory Grants permission to describe the events for a Spot Fleet request during a specified time List

spot-fleet-request

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DescribeSpotFleetRequests Grants permission to describe one or more Spot Fleet requests List

ec2:Region

DescribeSpotInstanceRequests Grants permission to describe one or more Spot Instance requests List

ec2:Region

DescribeSpotPriceHistory Grants permission to describe the Spot Instance price history List

ec2:Region

DescribeStaleSecurityGroups Grants permission to describe the stale security group rules for security groups in a specified VPC List

ec2:Region

DescribeStoreImageTasks Grants permission to describe the progress of the AMI store tasks List

image

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

DescribeSubnets Grants permission to describe one or more subnets List

ec2:Region

DescribeTags Grants permission to describe one or more tags for an Amazon EC2 resource Read

ec2:Region

DescribeTrafficMirrorFilters Grants permission to describe one or more traffic mirror filters List

ec2:Region

DescribeTrafficMirrorSessions Grants permission to describe one or more traffic mirror sessions List

ec2:Region

DescribeTrafficMirrorTargets Grants permission to describe one or more traffic mirror targets List

ec2:Region

DescribeTransitGatewayAttachments Grants permission to describe one or more attachments between resources and transit gateways List

ec2:Region

DescribeTransitGatewayConnectPeers Grants permission to describe one or more transit gateway connect peers List

ec2:Region

DescribeTransitGatewayConnects Grants permission to describe one or more transit gateway connect attachments List

ec2:Region

DescribeTransitGatewayMulticastDomains Grants permission to describe one or more transit gateway multicast domains List

ec2:Region

DescribeTransitGatewayPeeringAttachments Grants permission to describe one or more transit gateway peering attachments List

ec2:Region

DescribeTransitGatewayPolicyTables Grants permission to describe a transit gateway policy table Write

ec2:Region

DescribeTransitGatewayRouteTableAnnouncements Grants permission to describe a transit gateway route table announcement Write

ec2:Region

DescribeTransitGatewayRouteTables Grants permission to describe one or more transit gateway route tables List

ec2:Region

DescribeTransitGatewayVpcAttachments Grants permission to describe one or more VPC attachments on a transit gateway List

ec2:Region

DescribeTransitGateways Grants permission to describe one or more transit gateways List

ec2:Region

DescribeTrunkInterfaceAssociations Grants permission to describe one or more network interface trunk associations List

ec2:Region

DescribeVolumeAttribute Grants permission to describe an attribute of an EBS volume List

volume

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:KmsKeyId

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:Region

DescribeVolumeStatus Grants permission to describe the status of one or more EBS volumes List

ec2:Region

DescribeVolumes Grants permission to describe one or more EBS volumes List

ec2:Region

DescribeVolumesModifications Grants permission to describe the current modification status of one or more EBS volumes Read

ec2:Region

DescribeVpcAttribute Grants permission to describe an attribute of a VPC List

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

DescribeVpcClassicLink Grants permission to describe the ClassicLink status of one or more VPCs List

ec2:Region

DescribeVpcClassicLinkDnsSupport Grants permission to describe the ClassicLink DNS support status of one or more VPCs List

ec2:Region

DescribeVpcEndpointConnectionNotifications Grants permission to describe the connection notifications for VPC endpoints and VPC endpoint services List

ec2:Region

DescribeVpcEndpointConnections Grants permission to describe the VPC endpoint connections to your VPC endpoint services List

ec2:Region

DescribeVpcEndpointServiceConfigurations Grants permission to describe VPC endpoint service configurations (your services) List

ec2:Region

DescribeVpcEndpointServicePermissions Grants permission to describe the principals (service consumers) that are permitted to discover your VPC endpoint service List

ec2:Region

DescribeVpcEndpointServices Grants permission to describe all supported AWS services that can be specified when creating a VPC endpoint List

ec2:Region

DescribeVpcEndpoints Grants permission to describe one or more VPC endpoints List

ec2:Region

DescribeVpcPeeringConnections Grants permission to describe one or more VPC peering connections List

ec2:Region

DescribeVpcs Grants permission to describe one or more VPCs List

ec2:Region

DescribeVpnConnections Grants permission to describe one or more VPN connections Read

ec2:Region

DescribeVpnGateways Grants permission to describe one or more virtual private gateways List

ec2:Region

DetachClassicLinkVpc Grants permission to unlink (detach) a linked EC2-Classic instance from a VPC Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

DetachInternetGateway Grants permission to detach an internet gateway from a VPC Write

internet-gateway*

aws:ResourceTag/${TagKey}

ec2:InternetGatewayID

ec2:ResourceTag/${TagKey}

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

DetachNetworkInterface Grants permission to detach a network interface from an instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

network-interface*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

DetachVolume Grants permission to detach an EBS volume from an instance Write

volume*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

instance

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

DetachVpnGateway Grants permission to detach a virtual private gateway from a VPC Write

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

vpn-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DisableEbsEncryptionByDefault Grants permission to disable EBS encryption by default for your account Write

ec2:Region

DisableFastLaunch Grants permission to disable faster launching for Windows AMIs Write

image

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

DisableFastSnapshotRestores Grants permission to disable fast snapshot restores for one or more snapshots in specified Availability Zones Write

snapshot*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotID

ec2:SnapshotTime

ec2:VolumeSize

ec2:Region

DisableImageDeprecation Grants permission to cancel the deprecation of the specified AMI Write

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

DisableIpamOrganizationAdminAccount Grants permission to disable an AWS Organizations member account as an Amazon VPC IP Address Manager (IPAM) admin account Write

ec2:Region

organizations:DeregisterDelegatedAdministrator

DisableSerialConsoleAccess Grants permission to disable access to the EC2 serial console of all instances for your account Write

ec2:Region

DisableTransitGatewayRouteTablePropagation Grants permission to disable a resource attachment from propagating routes to the specified propagation route table Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-route-table-announcement

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DisableVgwRoutePropagation Grants permission to disable a virtual private gateway from propagating routes to a specified route table of a VPC Write

route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

ec2:Vpc

vpn-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DisableVpcClassicLink Grants permission to disable ClassicLink for a VPC Write

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

DisableVpcClassicLinkDnsSupport Grants permission to disable ClassicLink DNS support for a VPC Write

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

DisassociateAddress Grants permission to disassociate an Elastic IP address from an instance or network interface Write

elastic-ip

aws:ResourceTag/${TagKey}

ec2:AllocationId

ec2:Domain

ec2:PublicIpAddress

ec2:ResourceTag/${TagKey}

network-interface

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

DisassociateClientVpnTargetNetwork Grants permission to disassociate a target network from a Client VPN endpoint Write

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

DisassociateEnclaveCertificateIamRole Grants permission to disassociate an ACM certificate from a IAM role Write

certificate*

role*

ec2:Region

DisassociateIamInstanceProfile Grants permission to disassociate an IAM instance profile from a running or stopped instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

DisassociateInstanceEventWindow Grants permission to disassociate one or more targets from an event window Write

instance-event-window*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DisassociateRouteTable Grants permission to disassociate a subnet from a route table Write

route-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

ec2:Vpc

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

ec2:Region

DisassociateSubnetCidrBlock Grants permission to disassociate a CIDR block from a subnet Write

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

ec2:Region

DisassociateTransitGatewayMulticastDomain Grants permission to disassociate one or more subnets from a transit gateway multicast domain Write

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-multicast-domain*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DisassociateTransitGatewayPolicyTable Grants permission to disassociate a policy table from a transit gateway Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-policy-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DisassociateTransitGatewayRouteTable Grants permission to disassociate a resource attachment from a transit gateway route table Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DisassociateTrunkInterface Grants permission to disassociate a branch network interface to a trunk network interface Write

ec2:Region

DisassociateVpcCidrBlock Grants permission to disassociate a CIDR block from a VPC Write

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

EnableEbsEncryptionByDefault Grants permission to enable EBS encryption by default for your account Write

ec2:Region

EnableFastLaunch Grants permission to enable faster launching for Windows AMIs Write

image

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

launch-template

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

EnableFastSnapshotRestores Grants permission to enable fast snapshot restores for one or more snapshots in specified Availability Zones Write

snapshot*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotID

ec2:SnapshotTime

ec2:VolumeSize

ec2:Region

EnableImageDeprecation Grants permission to enable deprecation of the specified AMI at the specified date and time Write

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

EnableIpamOrganizationAdminAccount Grants permission to enable an AWS Organizations member account as an Amazon VPC IP Address Manager (IPAM) admin account Write

ec2:Region

iam:CreateServiceLinkedRole

organizations:EnableAWSServiceAccess

organizations:RegisterDelegatedAdministrator

EnableSerialConsoleAccess Grants permission to enable access to the EC2 serial console of all instances for your account Write

ec2:Region

EnableTransitGatewayRouteTablePropagation Grants permission to enable an attachment to propagate routes to a propagation route table Write

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-attachment

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-route-table-announcement

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

EnableVgwRoutePropagation Grants permission to enable a virtual private gateway to propagate routes to a VPC route table Write

route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

ec2:Vpc

vpn-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

EnableVolumeIO Grants permission to enable I/O operations for a volume that had I/O operations disabled Write

volume*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:Region

EnableVpcClassicLink Grants permission to enable a VPC for ClassicLink Write

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

EnableVpcClassicLinkDnsSupport Grants permission to enable a VPC to support DNS hostname resolution for ClassicLink Write

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

ExportClientVpnClientCertificateRevocationList Grants permission to download the client certificate revocation list for a Client VPN endpoint Read

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

ExportClientVpnClientConfiguration Grants permission to download the contents of the Client VPN endpoint configuration file for a Client VPN endpoint Read

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

ExportImage Grants permission to export an Amazon Machine Image (AMI) to a VM file Write

export-image-task*

ec2:CreateTags

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ExportTransitGatewayRoutes Grants permission to export routes from a transit gateway route table to an Amazon S3 bucket Write

ec2:Region

GetAssociatedEnclaveCertificateIamRoles Grants permission to get the list of roles associated with an ACM certificate Read

certificate*

ec2:Region

GetAssociatedIpv6PoolCidrs Grants permission to get information about the IPv6 CIDR block associations for a specified IPv6 address pool Read

ec2:Region

GetCapacityReservationUsage Grants permission to get usage information about a Capacity Reservation Read

capacity-reservation*

aws:ResourceTag/${TagKey}

ec2:CapacityReservationFleet

ec2:ResourceTag/${TagKey}

ec2:Region

GetCoipPoolUsage Grants permission to describe the allocations from the specified customer-owned address pool Read

ec2:Region

GetConsoleOutput Grants permission to get the console output for an instance Read

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

GetConsoleScreenshot Grants permission to retrieve a JPG-format screenshot of a running instance Read

instance

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:NewInstanceProfile

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

GetDefaultCreditSpecification Grants permission to get the default credit option for CPU usage of a burstable performance instance family Read

ec2:Region

GetEbsDefaultKmsKeyId Grants permission to get the ID of the default customer master key (CMK) for EBS encryption by default Read

ec2:Region

GetEbsEncryptionByDefault Grants permission to describe whether EBS encryption by default is enabled for your account Read

ec2:Region

GetFlowLogsIntegrationTemplate Grants permission to generate a CloudFormation template to streamline the integration of VPC flow logs with Amazon Athena Read

vpc-flow-log*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetGroupsForCapacityReservation Grants permission to list the resource groups to which a Capacity Reservation has been added List

capacity-reservation*

aws:ResourceTag/${TagKey}

ec2:CapacityReservationFleet

ec2:ResourceTag/${TagKey}

ec2:Region

GetHostReservationPurchasePreview Grants permission to preview a reservation purchase with configurations that match those of a Dedicated Host Read

ec2:Region

GetInstanceTypesFromInstanceRequirements Grants permission to view a list of instance types with specified instance attributes Read

ec2:Region

GetInstanceUefiData Grants permission to retrieve the binary representation of the UEFI variable store Read

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:NewInstanceProfile

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

GetIpamAddressHistory Grants permission to retrieve historical information about a CIDR within an Amazon VPC IP Address Manager (IPAM) scope Read

ipam-scope*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetIpamPoolAllocations Grants permission to get a list of all the CIDR allocations in an Amazon VPC IP Address Manager (IPAM) pool Read

ipam-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetIpamPoolCidrs Grants permission to get the CIDRs provisioned to an Amazon VPC IP Address Manager (IPAM) pool Read

ipam-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetIpamResourceCidrs Grants permission to get information about the resources in an Amazon VPC IP Address Manager (IPAM) scope Read

ipam-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam-scope*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetLaunchTemplateData Grants permission to get the configuration data of the specified instance for use with a new launch template or launch template version Read

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

GetManagedPrefixListAssociations Grants permission to get information about the resources that are associated with the specified managed prefix list Read

prefix-list*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetManagedPrefixListEntries Grants permission to get information about the entries for a specified managed prefix list Read

prefix-list*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetNetworkInsightsAccessScopeAnalysisFindings Grants permission to get the findings for one or more Network Access Scope analyses Read

ec2:Region

GetNetworkInsightsAccessScopeContent Grants permission to get the content for a specified Network Access Scope Read

ec2:Region

GetPasswordData Grants permission to retrieve the encrypted administrator password for a running Windows instance Read

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

GetReservedInstancesExchangeQuote Grants permission to return a quote and exchange information for exchanging one or more Convertible Reserved Instances for a new Convertible Reserved Instance Read

ec2:Region

GetResourcePolicy [permission only] Grants permission to describe an IAM policy that enables cross-account sharing Read

ipam-pool

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetSerialConsoleAccessStatus Grants permission to retrieve the access status of your account to the EC2 serial console of all instances Read

ec2:Region

GetSpotPlacementScores Grants permission to calculate the Spot placement score for a Region or Availability Zone based on the specified target capacity and compute requirements Read

ec2:Region

GetSubnetCidrReservations Grants permission to retrieve information about the subnet CIDR reservations Read

ec2:Region

GetTransitGatewayAttachmentPropagations Grants permission to list the route tables to which a resource attachment propagates routes List

ec2:Region

GetTransitGatewayMulticastDomainAssociations Grants permission to get information about the associations for a transit gateway multicast domain List

ec2:Region

GetTransitGatewayPolicyTableAssociations Grants permission to get information about associations for a transit gateway policy table List

transit-gateway-policy-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetTransitGatewayPolicyTableEntries Grants permission to get information about associations for a transit gateway policy table entry List

transit-gateway-policy-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetTransitGatewayPrefixListReferences Grants permission to get information about prefix list references for a transit gateway route table List

ec2:Region

GetTransitGatewayRouteTableAssociations Grants permission to get information about associations for a transit gateway route table List

ec2:Region

GetTransitGatewayRouteTablePropagations Grants permission to get information about the route table propagations for a transit gateway route table List

ec2:Region

GetVpnConnectionDeviceSampleConfiguration Grants permission to download an AWS-provided sample configuration file to be used with the customer gateway device List

vpn-connection*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpn-connection-device-type

ec2:Region

GetVpnConnectionDeviceTypes Grants permission to obtain a list of customer gateway devices for which sample configuration files can be provided List

ec2:Region

ImportClientVpnClientCertificateRevocationList Grants permission to upload a client certificate revocation list to a Client VPN endpoint Write

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

ImportImage Grants permission to import single or multi-volume disk images or EBS snapshots into an Amazon Machine Image (AMI) Write

image*

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:RootDeviceType

ec2:CreateTags

import-image-task*

snapshot

aws:ResourceTag/${TagKey}

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotID

ec2:SnapshotTime

ec2:VolumeSize

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ImportInstance Grants permission to create an import instance task using metadata from a disk image Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:InstanceID

ec2:ResourceTag/${TagKey}

volume*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

security-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

ec2:Region

ImportKeyPair Grants permission to import a public key from an RSA key pair that was created with a third-party tool Write

key-pair*

ec2:CreateTags

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ImportSnapshot Grants permission to import a disk into an EBS snapshot Write

import-snapshot-task*

ec2:CreateTags

snapshot*

ec2:Owner

ec2:ParentVolume

ec2:SnapshotID

ec2:SnapshotTime

ec2:VolumeSize

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ImportVolume Grants permission to create an import volume task using metadata from a disk image Write

volume*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:Region

ListImagesInRecycleBin Grants permission to list Amazon Machine Images (AMIs) that are currently in the Recycle Bin List

image

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

ListSnapshotsInRecycleBin Grants permission to list the Amazon EBS snapshots that are currently in the Recycle Bin List

snapshot

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotID

ec2:SnapshotTime

ec2:VolumeSize

ec2:Region

ModifyAddressAttribute Grants permission to modify an attribute of the specified Elastic IP address Write

elastic-ip*

aws:ResourceTag/${TagKey}

ec2:AllocationId

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:Domain

ec2:PublicIpAddress

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyAvailabilityZoneGroup Grants permission to modify the opt-in status of the Local Zone and Wavelength Zone group for your account Write

ec2:Region

ModifyCapacityReservation Grants permission to modify a Capacity Reservation's capacity and the conditions under which it is to be released Write

capacity-reservation*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:CapacityReservationFleet

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyCapacityReservationFleet Grants permission to modify a Capacity Reservation Fleet Write

capacity-reservation-fleet*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyClientVpnEndpoint Grants permission to modify a Client VPN endpoint Write

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

security-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:VpcID

ec2:Region

ModifyDefaultCreditSpecification Grants permission to change the account level default credit option for CPU usage of burstable performance instances Write

ec2:Region

ModifyEbsDefaultKmsKeyId Grants permission to change the default customer master key (CMK) for EBS encryption by default for your account Write

ec2:Region

ModifyFleet Grants permission to modify an EC2 Fleet Write

fleet*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

image

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

key-pair

aws:ResourceTag/${TagKey}

ec2:KeyPairName

ec2:ResourceTag/${TagKey}

launch-template

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-interface

aws:ResourceTag/${TagKey}

ec2:AssociatePublicIpAddress

ec2:AuthorizedService

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

security-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

snapshot

aws:ResourceTag/${TagKey}

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotID

ec2:SnapshotTime

ec2:VolumeSize

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

ec2:Region

ModifyFpgaImageAttribute Grants permission to modify an attribute of an Amazon FPGA Image (AFI) Write

fpga-image*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyHosts Grants permission to modify a Dedicated Host Write

dedicated-host*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyIdFormat Grants permission to modify the ID format for a resource Write

ec2:Region

ModifyIdentityIdFormat Grants permission to modify the ID format of a resource for a specific principal in your account Write

ec2:Region

ModifyImageAttribute Grants permission to modify an attribute of an Amazon Machine Image (AMI) Write

image*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

ModifyInstanceAttribute Grants permission to modify an attribute of an instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

security-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

volume

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:Region

ModifyInstanceCapacityReservationAttributes Grants permission to modify the Capacity Reservation settings for a stopped instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

capacity-reservation

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyInstanceCreditSpecification Grants permission to modify the credit option for CPU usage on an instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

ModifyInstanceEventStartTime Grants permission to modify the start time for a scheduled EC2 instance event Write

instance*

aws:ResourceTag/${TagKey}

ec2:Attribute/${AttributeName}

ec2:InstanceID

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyInstanceEventWindow Grants permission to modify the specified event window Write

instance-event-window*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyInstanceMaintenanceOptions Grants permission to modify the recovery behaviour for an instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

ModifyInstanceMetadataOptions Grants permission to modify the metadata options for an instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

ModifyInstancePlacement Grants permission to modify the placement attributes for an instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

dedicated-host

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

placement-group

aws:ResourceTag/${TagKey}

ec2:PlacementGroupName

ec2:PlacementGroupStrategy

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyIpam Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) Write

ipam*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyIpamPool Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) pool Write

ipam-pool*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyIpamResourceCidr Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) resource CIDR Write

ipam-scope*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyIpamScope Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) scope Write

ipam-scope*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyLaunchTemplate Grants permission to modify a launch template Write

launch-template*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyManagedPrefixList Grants permission to modify a managed prefix list Write

prefix-list*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyNetworkInterfaceAttribute Grants permission to modify an attribute of a network interface Write

network-interface*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

instance

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

security-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

ec2:Region

ModifyPrivateDnsNameOptions Grants permission to modify the options for instance hostnames for the specified instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:NewInstanceProfile

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

ModifyReservedInstances Grants permission to modify attributes of one or more Reserved Instances Write

reserved-instances*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:AvailabilityZone

ec2:InstanceType

ec2:ReservedInstancesOfferingType

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:Region

ModifySecurityGroupRules Grants permission to modify the rules of a security group Write

security-group*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

prefix-list

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

security-group-rule

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifySnapshotAttribute Grants permission to add or remove permission settings for a snapshot Permissions management

snapshot*

aws:ResourceTag/${TagKey}

ec2:Add/group

ec2:Add/userId

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:Owner

ec2:ParentVolume

ec2:Remove/group

ec2:Remove/userId

ec2:ResourceTag/${TagKey}

ec2:SnapshotID

ec2:SnapshotTime

ec2:VolumeSize

ec2:Region

ModifySnapshotTier Grants permission to archive Amazon EBS snapshots Write

snapshot*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:AvailabilityZone

ec2:Encrypted

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotID

ec2:SnapshotTime

ec2:VolumeSize

ec2:Region

ModifySpotFleetRequest Grants permission to modify a Spot Fleet request Write

spot-fleet-request*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

launch-template

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

ec2:Region

ModifySubnetAttribute Grants permission to modify an attribute of a subnet Write

subnet*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

ec2:Region

ModifyTrafficMirrorFilterNetworkServices Grants permission to allow or restrict mirroring network services Write

traffic-mirror-filter*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyTrafficMirrorFilterRule Grants permission to modify a traffic mirror rule Write

traffic-mirror-filter*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

traffic-mirror-filter-rule*

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:Region

ModifyTrafficMirrorSession Grants permission to modify a traffic mirror session Write

traffic-mirror-session*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

traffic-mirror-filter

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

traffic-mirror-target

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyTransitGateway Grants permission to modify a transit gateway Write

transit-gateway*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

transit-gateway-route-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyTransitGatewayPrefixListReference Grants permission to modify a transit gateway prefix list reference Write

prefix-list*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

transit-gateway-attachment

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyTransitGatewayVpcAttachment Grants permission to modify a VPC attachment on a transit gateway Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

subnet

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Region

ModifyVolume Grants permission to modify the parameters of an EBS volume Write

volume*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:Region

ModifyVolumeAttribute Grants permission to modify an attribute of a volume Write

volume*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:Region

ModifyVpcAttribute Grants permission to modify an attribute of a VPC Write

vpc*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

ModifyVpcEndpoint Grants permission to modify an attribute of a VPC endpoint Write

vpc-endpoint*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

route-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

security-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

subnet

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Region

ModifyVpcEndpointConnectionNotification Grants permission to modify a connection notification for a VPC endpoint or VPC endpoint service Write

vpc-endpoint*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

vpc-endpoint-service*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyVpcEndpointServiceConfiguration Grants permission to modify the attributes of a VPC endpoint service configuration Write

vpc-endpoint-service*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

ec2:VpceServicePrivateDnsName

ec2:Region

ModifyVpcEndpointServicePayerResponsibility Grants permission to modify the payer responsibility for a VPC endpoint service Write

vpc-endpoint-service*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyVpcEndpointServicePermissions Grants permission to modify the permissions for a VPC endpoint service Permissions management

vpc-endpoint-service*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyVpcPeeringConnectionOptions Grants permission to modify the VPC peering connection options on one side of a VPC peering connection Write

vpc-peering-connection*

aws:ResourceTag/${TagKey}

ec2:AccepterVpc

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:RequesterVpc

ec2:ResourceTag/${TagKey}

ec2:VpcPeeringConnectionID

ec2:Region

ModifyVpcTenancy Grants permission to modify the instance tenancy attribute of a VPC Write

vpc*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

ModifyVpnConnection Grants permission to modify the target gateway of a Site-to-Site VPN connection Write

vpn-connection*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:AuthenticationType

ec2:DPDTimeoutSeconds

ec2:GatewayType

ec2:IKEVersions

ec2:InsideTunnelCidr

ec2:InsideTunnelIpv6Cidr

ec2:Phase1DHGroup

ec2:Phase1EncryptionAlgorithms

ec2:Phase1IntegrityAlgorithms

ec2:Phase1LifetimeSeconds

ec2:Phase2DHGroup

ec2:Phase2EncryptionAlgorithms

ec2:Phase2IntegrityAlgorithms

ec2:Phase2LifetimeSeconds

ec2:PreSharedKeys

ec2:RekeyFuzzPercentage

ec2:RekeyMarginTimeSeconds

ec2:ReplayWindowSizePackets

ec2:ResourceTag/${TagKey}

ec2:RoutingType

ec2:Region

ModifyVpnConnectionOptions Grants permission to modify the connection options for your Site-to-Site VPN connection Write

vpn-connection*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyVpnTunnelCertificate Grants permission to modify the certificate for a Site-to-Site VPN connection Write

vpn-connection*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyVpnTunnelOptions Grants permission to modify the options for a Site-to-Site VPN connection Write

vpn-connection*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:AuthenticationType

ec2:DPDTimeoutSeconds

ec2:GatewayType

ec2:IKEVersions

ec2:InsideTunnelCidr

ec2:InsideTunnelIpv6Cidr

ec2:Phase1DHGroup

ec2:Phase1EncryptionAlgorithms

ec2:Phase1IntegrityAlgorithms

ec2:Phase1LifetimeSeconds

ec2:Phase2DHGroup

ec2:Phase2EncryptionAlgorithms

ec2:Phase2IntegrityAlgorithms

ec2:Phase2LifetimeSeconds

ec2:PreSharedKeys

ec2:RekeyFuzzPercentage

ec2:RekeyMarginTimeSeconds

ec2:ReplayWindowSizePackets

ec2:ResourceTag/${TagKey}

ec2:RoutingType

ec2:Region

MonitorInstances Grants permission to enable detailed monitoring for a running instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

MoveAddressToVpc Grants permission to move an Elastic IP address from the EC2-Classic platform to the EC2-VPC platform Write

ec2:Region