Actions, resources, and condition keys for Amazon EC2 - Service Authorization Reference

Amazon EC2 (service prefix: ec2) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Amazon EC2

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value in this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column lists a resource type, you can specify an ARN of that type in a statement with that action. Required resource types are marked in the table with an asterisk (*): if you specify a resource-level permission ARN in a statement using that action, it must be of that type. Some actions support multiple resource types. When a resource type is optional (not marked as required), you can scope a statement to one of the listed types without the others.
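The three column rules above (no resource type means "*", an ARN must match a listed type, a required type must be covered) and the Dependent actions column are easy to get wrong when hand-writing policies. The following linter is an added example, not AWS code: its ACTIONS dictionary is hand-copied from five rows of the table on this page, and the policy statements, account ID and ARNs it checks are constructed.

```python
import re
from typing import Dict, List, Optional, Set

# Hand-copied excerpt of the table on this page: action -> resource types it
# accepts (True = marked required with "*") and its dependent actions.
# Everything else in this block is constructed for the example; it is not AWS code.
ACTIONS: Dict[str, dict] = {
    "ec2:AdvertiseByoipCidr": {"resources": {}, "depends": set()},
    "ec2:AssociateAddress": {"resources": {"elastic-ip": False, "instance": False, "network-interface": False}, "depends": set()},
    "ec2:AssociateIamInstanceProfile": {"resources": {"instance": True}, "depends": {"iam:PassRole"}},
    "ec2:AttachVolume": {"resources": {"instance": True, "volume": True}, "depends": set()},
    "ec2:CreateFlowLogs": {"resources": {"vpc-flow-log": True, "network-interface": False, "subnet": False, "vpc": False}, "depends": {"iam:PassRole"}},
}

# EC2 ARN layout: arn:partition:ec2:region:account:resource-type/resource-id
_EC2_ARN = re.compile(r"^arn:[^:]+:ec2:[^:]*:[^:]*:([a-z0-9-]+)/")


def arn_resource_type(resource: str) -> Optional[str]:
    """EC2 resource type named by an ARN; None for "*"; "<not-ec2>" for other ARNs."""
    if resource == "*":
        return None
    match = _EC2_ARN.match(resource)
    return match.group(1) if match else "<not-ec2>"


def _as_list(value) -> list:
    # IAM allows a single string or a list in Action and Resource.
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> List[str]:
    """Check every Allow statement against the column rules quoted on this page."""
    findings: List[str] = []
    statements = policy.get("Statement", [])
    # Dependent actions may be granted in any statement of the same policy.
    allowed: Set[str] = set()
    for st in statements:
        if st.get("Effect") == "Allow":
            allowed.update(_as_list(st.get("Action", [])))
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        resources = _as_list(st.get("Resource", []))
        wildcard = "*" in resources
        arn_types = {arn_resource_type(r) for r in resources if r != "*"}
        for action in _as_list(st.get("Action", [])):
            row = ACTIONS.get(action)
            if row is None:
                findings.append(f"stmt {i}: {action} is not in the table excerpt, skipped")
                continue
            supported = row["resources"]
            # Rule 1: no value in the Resource types column -> Resource must be "*".
            if not supported and not wildcard:
                findings.append(f'stmt {i}: {action} has no resource types; Resource must be "*"')
            # Rule 2: a resource-level ARN must be of a type listed for the action.
            for t in sorted(arn_types - set(supported)):
                findings.append(f"stmt {i}: {action} does not accept resource type {t}")
            # Rule 3: each required (*) type must be covered by "*" or an ARN of that
            # type, otherwise the statement can never authorize the call.
            if not wildcard:
                for t, required in supported.items():
                    if required and t not in arn_types:
                        findings.append(f'stmt {i}: {action} requires an ARN of type {t} (or "*")')
            # Rule 4: dependent actions must be allowed somewhere in the policy.
            for dep in sorted(row["depends"] - allowed):
                findings.append(f"stmt {i}: {action} depends on {dep}, which this policy never allows")
    return findings


# Constructed sample policy: statement 0 is well-formed, statements 1 and 2 break the rules.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:AttachVolume"],
            "Resource": [
                "arn:aws:ec2:us-east-1:123456789012:instance/*",
                "arn:aws:ec2:us-east-1:123456789012:volume/*",
            ],
        },
        {   # instance* is required but only a volume ARN is given; iam:PassRole is never allowed
            "Effect": "Allow",
            "Action": "ec2:AssociateIamInstanceProfile",
            "Resource": "arn:aws:ec2:us-east-1:123456789012:volume/*",
        },
        {   # AdvertiseByoipCidr has no resource types, so only "*" is valid here
            "Effect": "Allow",
            "Action": "ec2:AdvertiseByoipCidr",
            "Resource": "arn:aws:ec2:us-east-1:123456789012:vpc/*",
        },
    ],
}

if __name__ == "__main__":
    for line in lint_policy(SAMPLE_POLICY):
        print(line)
```

Extending ACTIONS with further rows from the table gives the same checks for any action on this page; IAM itself evaluates each action and resource pairing separately, so rule 2 reports an ineffective pairing rather than a hard error.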

For details about the columns in the following table, see The actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AcceptReservedInstancesExchangeQuote Grants permission to accept a Convertible Reserved Instance exchange quote Write

reserved-instances

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:InstanceType

ec2:Region

ec2:ReservedInstancesOfferingType

ec2:ResourceTag/${TagKey}

ec2:Tenancy

AcceptTransitGatewayMulticastDomainAssociations Grants permission to accept a request to associate subnets with a transit gateway multicast domain Write

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

transit-gateway-attachment

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

transit-gateway-multicast-domain

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

AcceptTransitGatewayPeeringAttachment Grants permission to accept a transit gateway peering attachment request Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

AcceptTransitGatewayVpcAttachment Grants permission to accept a request to attach a VPC to a transit gateway Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

AcceptVpcEndpointConnections Grants permission to accept one or more interface VPC endpoint connections to your VPC endpoint service Write

vpc-endpoint*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

vpc-endpoint-service*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:VpceServicePrivateDnsName

AcceptVpcPeeringConnection Grants permission to accept a VPC peering connection request Write

vpc*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Tenancy

vpc-peering-connection*

aws:ResourceTag/${TagKey}

ec2:AccepterVpc

ec2:Region

ec2:RequesterVpc

ec2:ResourceTag/${TagKey}

AdvertiseByoipCidr Grants permission to advertise an IP address range that is provisioned for use in AWS through bring your own IP addresses (BYOIP) Write
AllocateAddress Grants permission to allocate an Elastic IP address (EIP) to your account Write

ipv4pool-ec2

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

AllocateHosts Grants permission to allocate a Dedicated Host to your account Write

dedicated-host*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:AutoPlacement

ec2:AvailabilityZone

ec2:InstanceType

ec2:Quantity

ec2:HostRecovery

ApplySecurityGroupsToClientVpnTargetNetwork Grants permission to apply a security group to the association between a Client VPN endpoint and a target network Write

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:ServerCertificateArn

ec2:ClientRootCertificateChainArn

ec2:DirectoryArn

ec2:SamlProviderArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

security-group*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

vpc*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Tenancy

AssignIpv6Addresses Grants permission to assign one or more IPv6 addresses to a network interface Write

network-interface*

aws:ResourceTag/${TagKey}

ec2:AuthorizedService

ec2:AvailabilityZone

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:AssociatePublicIpAddress

AssignPrivateIpAddresses Grants permission to assign one or more secondary private IP addresses to a network interface Write

network-interface*

aws:ResourceTag/${TagKey}

ec2:AuthorizedService

ec2:AvailabilityZone

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:AssociatePublicIpAddress

AssociateAddress Grants permission to associate an Elastic IP address (EIP) with an instance or a network interface Write

elastic-ip

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

instance

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

network-interface

aws:ResourceTag/${TagKey}

ec2:AuthorizedService

ec2:AvailabilityZone

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:AssociatePublicIpAddress

AssociateClientVpnTargetNetwork Grants permission to associate a target network with a Client VPN endpoint Write

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:ServerCertificateArn

ec2:ClientRootCertificateChainArn

ec2:DirectoryArn

ec2:SamlProviderArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

AssociateDhcpOptions Grants permission to associate or disassociate a set of DHCP options with a VPC Write

vpc*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Tenancy

AssociateEnclaveCertificateIamRole Grants permission to associate an ACM certificate with an IAM role to be used in an EC2 Enclave Write

certificate*

role*

AssociateIamInstanceProfile Grants permission to associate an IAM instance profile with a running or stopped instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

iam:PassRole

AssociateRouteTable Grants permission to associate a subnet or gateway with a route table Write

route-table*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

internet-gateway

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

vpn-gateway

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

AssociateSubnetCidrBlock Grants permission to associate a CIDR block with a subnet Write

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

AssociateTransitGatewayMulticastDomain Grants permission to associate an attachment and list of subnets with a transit gateway multicast domain Write

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

transit-gateway-multicast-domain*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

AssociateTransitGatewayRouteTable Grants permission to associate an attachment with a transit gateway route table Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

AssociateVpcCidrBlock Grants permission to associate a CIDR block with a VPC Write

vpc*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ipv6pool-ec2

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

AttachClassicLinkVpc Grants permission to link an EC2-Classic instance to a ClassicLink-enabled VPC through one or more of the VPC's security groups Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

security-group*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

vpc*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Tenancy

AttachInternetGateway Grants permission to attach an internet gateway to a VPC Write

internet-gateway*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

vpc*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Tenancy

AttachNetworkInterface Grants permission to attach a network interface to an instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

network-interface*

aws:ResourceTag/${TagKey}

ec2:AuthorizedService

ec2:AvailabilityZone

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:AssociatePublicIpAddress

AttachVolume Grants permission to attach an EBS volume to a running or stopped instance and expose it to the instance with the specified device name Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

volume*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ParentSnapshot

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

AttachVpnGateway Grants permission to attach a virtual private gateway to a VPC Write

vpc*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Tenancy

vpn-gateway*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

AuthorizeClientVpnIngress Grants permission to add an inbound authorization rule to a Client VPN endpoint Write

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:ServerCertificateArn

ec2:ClientRootCertificateChainArn

ec2:DirectoryArn

ec2:SamlProviderArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

AuthorizeSecurityGroupEgress Grants permission to add one or more outbound rules to a VPC security group Write

security-group*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

AuthorizeSecurityGroupIngress Grants permission to add one or more inbound rules to a security group Write

security-group*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

BundleInstance Grants permission to bundle an instance store-backed Windows instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

CancelBundleTask Grants permission to cancel a bundling operation Write
CancelCapacityReservation Grants permission to cancel a Capacity Reservation and release the reserved capacity Write

capacity-reservation*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

CancelConversionTask Grants permission to cancel an active conversion task Write
CancelExportTask Grants permission to cancel an active export task Write

export-image-task

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

export-instance-task

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

CancelImportTask Grants permission to cancel an in-process import virtual machine or import snapshot task Write

import-image-task

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

import-snapshot-task

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

CancelReservedInstancesListing Grants permission to cancel a Reserved Instance listing on the Reserved Instance Marketplace Write
CancelSpotFleetRequests Grants permission to cancel one or more Spot Fleet requests Write

spot-fleet-request*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

CancelSpotInstanceRequests Grants permission to cancel one or more Spot Instance requests Write

spot-instances-request*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

ConfirmProductInstance Grants permission to determine whether an owned product code is associated with an instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

CopyFpgaImage Grants permission to copy a source Amazon FPGA image (AFI) to the current Region Write
CopyImage Grants permission to copy an Amazon Machine Image (AMI) from a source Region to the current Region Write
CopySnapshot Grants permission to copy a point-in-time snapshot of an EBS volume and store it in Amazon S3 Write

snapshot*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Owner

ec2:ParentVolume

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:SnapshotTime

ec2:VolumeSize

CreateCapacityReservation Grants permission to create a Capacity Reservation Write

capacity-reservation*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

CreateCarrierGateway Grants permission to create a carrier gateway and provides CSP connectivity to VPC customers. Write

carrier-gateway*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

ec2:Tenancy

vpc*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Tenancy

CreateClientVpnEndpoint Grants permission to create a Client VPN endpoint Write

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:ServerCertificateArn

ec2:ClientRootCertificateChainArn

ec2:DirectoryArn

ec2:SamlProviderArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

security-group

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

vpc

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Tenancy

CreateClientVpnRoute Grants permission to add a network route to a Client VPN endpoint's route table Write

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:ServerCertificateArn

ec2:ClientRootCertificateChainArn

ec2:DirectoryArn

ec2:SamlProviderArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

CreateCustomerGateway Grants permission to create a customer gateway, which provides information to AWS about your customer gateway device Write
CreateDefaultSubnet Grants permission to create a default subnet in a specified Availability Zone in a default VPC Write
CreateDefaultVpc Grants permission to create a default VPC with a default subnet in each Availability Zone Write
CreateDhcpOptions Grants permission to create a set of DHCP options for a VPC Write

dhcp-options*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

CreateEgressOnlyInternetGateway Grants permission to create an egress-only internet gateway for a VPC Write

egress-only-internet-gateway*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

vpc*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Tenancy

CreateFleet Grants permission to launch an EC2 Fleet Write

fleet*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

image

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:ImageType

ec2:Owner

ec2:Public

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

key-pair

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

launch-template

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

network-interface

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AuthorizedService

ec2:AvailabilityZone

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:AssociatePublicIpAddress

security-group

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

snapshot

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Owner

ec2:ParentVolume

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:SnapshotTime

ec2:VolumeSize

subnet

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AvailabilityZone

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

CreateFlowLogs Grants permission to create one or more flow logs to capture IP traffic for a network interface Write

vpc-flow-log*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

iam:PassRole

network-interface

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AuthorizedService

ec2:AvailabilityZone

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:AssociatePublicIpAddress

subnet

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AvailabilityZone

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

vpc

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Tenancy

CreateFpgaImage Grants permission to create an Amazon FPGA Image (AFI) from a design checkpoint (DCP) Write

fpga-image*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Owner

ec2:Public

ec2:Region

ec2:ResourceTag/${TagKey}

CreateImage Grants permission to create an Amazon EBS-backed AMI from a stopped or running Amazon EBS-backed instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

CreateInstanceExportTask Grants permission to export a running or stopped instance to an Amazon S3 bucket Write

export-instance-task*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

instance*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

CreateInternetGateway Grants permission to create an internet gateway for a VPC Write

internet-gateway*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

CreateKeyPair Grants permission to create a 2048-bit RSA key pair Write

key-pair*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

CreateLaunchTemplate Grants permission to create a launch template Write

launch-template*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

capacity-reservation

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

dedicated-host

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:AutoPlacement

ec2:AvailabilityZone

ec2:InstanceType

ec2:Quantity

ec2:HostRecovery

image

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:ImageType

ec2:Owner

ec2:Public

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

key-pair

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

network-interface

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AuthorizedService

ec2:AvailabilityZone

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:AssociatePublicIpAddress

placement-group

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:PlacementGroupStrategy

ec2:Region

ec2:ResourceTag/${TagKey}

security-group

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

snapshot

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Owner

ec2:ParentVolume

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:SnapshotTime

ec2:VolumeSize

subnet

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AvailabilityZone

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

CreateLaunchTemplateVersion Grants permission to create a new version of a launch template Write

launch-template*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

capacity-reservation

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

dedicated-host

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:AutoPlacement

ec2:AvailabilityZone

ec2:InstanceType

ec2:Quantity

ec2:HostRecovery

image

aws:ResourceTag/${TagKey}

ec2:ImageType

ec2:Owner

ec2:Public

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

key-pair

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

network-interface

aws:ResourceTag/${TagKey}

ec2:AuthorizedService

ec2:AvailabilityZone

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:AssociatePublicIpAddress

placement-group

aws:ResourceTag/${TagKey}

ec2:PlacementGroupStrategy

ec2:Region

ec2:ResourceTag/${TagKey}

security-group

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

snapshot

aws:ResourceTag/${TagKey}

ec2:Owner

ec2:ParentVolume

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:SnapshotTime

ec2:VolumeSize

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

CreateLocalGatewayRoute Grants permission to create a static route for a local gateway route table Write

local-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

local-gateway-virtual-interface-group*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

CreateLocalGatewayRouteTableVpcAssociation Grants permission to associate a VPC with a local gateway route table Write

local-gateway-route-table*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

local-gateway-route-table-vpc-association*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Tenancy

vpc*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Tenancy

CreateManagedPrefixList Grants permission to create a managed prefix list Write

prefix-list*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

CreateNatGateway Grants permission to create a NAT gateway in a subnet Write

elastic-ip*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

natgateway*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

subnet*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AvailabilityZone

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

CreateNetworkAcl Grants permission to create a network ACL in a VPC Write

network-acl*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

vpc*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Tenancy

CreateNetworkAclEntry Grants permission to create a numbered entry (a rule) in a network ACL Write

network-acl*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

CreateNetworkInsightsPath Grants permission to create a path to analyze for reachability Write

network-insights-path*

CreateNetworkInterface Grants permission to create a network interface in a subnet Write

network-interface*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AuthorizedService

ec2:AvailabilityZone

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:AssociatePublicIpAddress

subnet*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AvailabilityZone

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

security-group

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

CreateNetworkInterfacePermission Grants permission to create a permission for an AWS-authorized user to perform certain operations on a network interface Permissions management

network-interface*

aws:ResourceTag/${TagKey}

ec2:AuthorizedService

ec2:AvailabilityZone

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:AssociatePublicIpAddress

CreatePlacementGroup Grants permission to create a placement group Write

placement-group*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:PlacementGroupStrategy

ec2:Region

ec2:ResourceTag/${TagKey}

CreateReservedInstancesListing Grants permission to create a listing for Standard Reserved Instances to be sold in the Reserved Instance Marketplace Write

reserved-instances*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:InstanceType

ec2:Region

ec2:ReservedInstancesOfferingType

ec2:ResourceTag/${TagKey}

ec2:Tenancy

CreateRoute Grants permission to create a route in a VPC route table Write

route-table*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

carrier-gateway

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

ec2:Tenancy

egress-only-internet-gateway

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

instance

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

internet-gateway

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

local-gateway

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

natgateway

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

network-interface

aws:ResourceTag/${TagKey}

ec2:AuthorizedService

ec2:AvailabilityZone

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:AssociatePublicIpAddress

prefix-list

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

transit-gateway

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

vpc-peering-connection

aws:ResourceTag/${TagKey}

ec2:AccepterVpc

ec2:Region

ec2:RequesterVpc

ec2:ResourceTag/${TagKey}

vpn-gateway

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

CreateRouteTable Grants permission to create a route table for a VPC Write

vpc*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Tenancy

CreateSecurityGroup Grants permission to create a security group Write

security-group*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

vpc

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Tenancy

CreateSnapshot Grants permission to create a snapshot of an EBS volume and store it in Amazon S3 Write

snapshot*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Owner

ec2:ParentVolume

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:SnapshotTime

ec2:VolumeSize

volume*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AvailabilityZone

ec2:Encrypted

ec2:ParentSnapshot

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

CreateSnapshots Grants permission to create crash-consistent snapshots of multiple EBS volumes and store them in Amazon S3 Write

instance*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

snapshot*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Owner

ec2:ParentVolume

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:SnapshotTime

ec2:VolumeSize

volume*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AvailabilityZone

ec2:Encrypted

ec2:ParentSnapshot

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

CreateSpotDatafeedSubscription Grants permission to create a data feed for Spot Instances to view Spot Instance usage logs Write
CreateSubnet Grants permission to create a subnet in a VPC Write

subnet*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AvailabilityZone

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Vpc

vpc*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:Tenancy

CreateTags Grants permission to add or overwrite one or more tags for Amazon EC2 resources Tagging
    capacity-reservation: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    client-vpn-endpoint: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:ServerCertificateArn, ec2:ClientRootCertificateChainArn, ec2:DirectoryArn, ec2:SamlProviderArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn
    customer-gateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    dedicated-host: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:AutoPlacement, ec2:AvailabilityZone, ec2:InstanceType, ec2:Quantity, ec2:HostRecovery
    dhcp-options: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    egress-only-internet-gateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    elastic-gpu: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:ElasticGpuType
    elastic-ip: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    export-image-task: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    export-instance-task: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    fleet: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    fpga-image: aws:ResourceTag/${TagKey}, ec2:Owner, ec2:Public, ec2:Region, ec2:ResourceTag/${TagKey}
    host-reservation: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    image: aws:ResourceTag/${TagKey}, ec2:ImageType, ec2:Owner, ec2:Public, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType
    import-image-task: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    import-snapshot-task: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    instance: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy
    internet-gateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    ipv4pool-ec2: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    ipv6pool-ec2: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    key-pair: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    launch-template: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    local-gateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    local-gateway-route-table: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    local-gateway-route-table-virtual-interface-group-association: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    local-gateway-route-table-vpc-association: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy
    local-gateway-virtual-interface: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    local-gateway-virtual-interface-group: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    natgateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    network-acl: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    network-interface: aws:ResourceTag/${TagKey}, ec2:AuthorizedService, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc, ec2:AssociatePublicIpAddress
    placement-group: aws:ResourceTag/${TagKey}, ec2:PlacementGroupStrategy, ec2:Region, ec2:ResourceTag/${TagKey}
    prefix-list: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    reserved-instances: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:InstanceType, ec2:Region, ec2:ReservedInstancesOfferingType, ec2:ResourceTag/${TagKey}, ec2:Tenancy
    route-table: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    security-group: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    snapshot: aws:ResourceTag/${TagKey}, ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:SnapshotTime, ec2:VolumeSize
    spot-fleet-request: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    spot-instances-request: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    subnet: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    traffic-mirror-filter: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    traffic-mirror-session: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    traffic-mirror-target: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-attachment: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-connect-peer: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-multicast-domain: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-route-table: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    volume: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType
    vpc: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy
    vpc-endpoint: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    vpc-endpoint-service: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:VpceServicePrivateDnsName
    vpc-flow-log: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    vpc-peering-connection: aws:ResourceTag/${TagKey}, ec2:AccepterVpc, ec2:Region, ec2:RequesterVpc, ec2:ResourceTag/${TagKey}
    vpn-connection: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:AuthenticationType, ec2:DPDTimeoutSeconds, ec2:GatewayType, ec2:IKEVersions, ec2:InsideTunnelCidr, ec2:Phase1DHGroupNumbers, ec2:Phase2DHGroupNumbers, ec2:Phase1EncryptionAlgorithms, ec2:Phase2EncryptionAlgorithms, ec2:Phase1IntegrityAlgorithms, ec2:Phase2IntegrityAlgorithms, ec2:Phase1LifetimeSeconds, ec2:Phase2LifetimeSeconds, ec2:PresharedKeys, ec2:RekeyFuzzPercentage, ec2:RekeyMarginTimeSeconds, ec2:RoutingType
    vpn-gateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    Condition keys (action level, no resource type): ec2:CreateAction

CreateTrafficMirrorFilter Grants permission to create a traffic mirror filter Write
    traffic-mirror-filter*: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

CreateTrafficMirrorFilterRule Grants permission to create a traffic mirror filter rule Write
    traffic-mirror-filter*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    traffic-mirror-filter-rule*: ec2:Region

CreateTrafficMirrorSession Grants permission to create a traffic mirror session Write
    network-interface*: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:AuthorizedService, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc, ec2:AssociatePublicIpAddress
    traffic-mirror-filter*: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    traffic-mirror-session*: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    traffic-mirror-target*: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

CreateTrafficMirrorTarget Grants permission to create a traffic mirror target Write
    traffic-mirror-target*: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    network-interface: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:AuthorizedService, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc, ec2:AssociatePublicIpAddress

CreateTransitGateway Grants permission to create a transit gateway Write
    transit-gateway*: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

CreateTransitGatewayConnect Grants permission to create a Connect attachment from a specified transit gateway attachment Write
    transit-gateway-attachment*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

CreateTransitGatewayConnectPeer Grants permission to create a Connect peer between a transit gateway and an appliance Write
    transit-gateway-attachment*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

CreateTransitGatewayMulticastDomain Grants permission to create a multicast domain for a transit gateway Write
    transit-gateway*: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-multicast-domain*: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

CreateTransitGatewayPeeringAttachment Grants permission to request a transit gateway peering attachment between a requester and accepter transit gateway Write
    transit-gateway*: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-attachment*: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

CreateTransitGatewayPrefixListReference Grants permission to create a transit gateway prefix list reference Write
    prefix-list*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-route-table*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-attachment: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

CreateTransitGatewayRoute Grants permission to create a static route for a transit gateway route table Write
    transit-gateway-route-table*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-attachment: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

CreateTransitGatewayRouteTable Grants permission to create a route table for a transit gateway Write
    transit-gateway*: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-route-table*: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

CreateTransitGatewayVpcAttachment Grants permission to attach a VPC to a transit gateway Write
    transit-gateway*: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-attachment*: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    vpc*: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy
    subnet: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc

CreateVolume Grants permission to create an EBS volume Write
    volume*: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType
    snapshot: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:SnapshotTime, ec2:VolumeSize

CreateVpc Grants permission to create a VPC with a specified CIDR block Write
    vpc*: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy
    ipv6pool-ec2: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

CreateVpcEndpoint Grants permission to create a VPC endpoint for an AWS service Write
    vpc*: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy
    Dependent actions: route53:AssociateVPCWithHostedZone
    vpc-endpoint*: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    route-table: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    security-group: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    subnet: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc

CreateVpcEndpointConnectionNotification Grants permission to create a connection notification for a VPC endpoint or VPC endpoint service Write
    vpc-endpoint: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    vpc-endpoint-service: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:VpceServicePrivateDnsName

CreateVpcEndpointServiceConfiguration Grants permission to create a VPC endpoint service configuration to which service consumers (AWS accounts, IAM users, and IAM roles) can connect Write
    vpc-endpoint-service*: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:VpceServicePrivateDnsName

CreateVpcPeeringConnection Grants permission to request a VPC peering connection between two VPCs Write
    vpc*: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy
    vpc-peering-connection*: aws:ResourceTag/${TagKey}, ec2:AccepterVpc, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:RequesterVpc, ec2:ResourceTag/${TagKey}

CreateVpnConnection Grants permission to create a VPN connection between a virtual private gateway or transit gateway and a customer gateway Write
    customer-gateway*: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    vpn-connection*: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:AuthenticationType, ec2:DPDTimeoutSeconds, ec2:GatewayType, ec2:IKEVersions, ec2:InsideTunnelCidr, ec2:Phase1DHGroupNumbers, ec2:Phase2DHGroupNumbers, ec2:Phase1EncryptionAlgorithms, ec2:Phase2EncryptionAlgorithms, ec2:Phase1IntegrityAlgorithms, ec2:Phase2IntegrityAlgorithms, ec2:Phase1LifetimeSeconds, ec2:Phase2LifetimeSeconds, ec2:PresharedKeys, ec2:RekeyFuzzPercentage, ec2:RekeyMarginTimeSeconds, ec2:RoutingType
    transit-gateway: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
    vpn-gateway: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

CreateVpnConnectionRoute Grants permission to create a static route for a VPN connection between a virtual private gateway and a customer gateway Write
    vpn-connection*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:AuthenticationType, ec2:DPDTimeoutSeconds, ec2:GatewayType, ec2:IKEVersions, ec2:InsideTunnelCidr, ec2:Phase1DHGroupNumbers, ec2:Phase2DHGroupNumbers, ec2:Phase1EncryptionAlgorithms, ec2:Phase2EncryptionAlgorithms, ec2:Phase1IntegrityAlgorithms, ec2:Phase2IntegrityAlgorithms, ec2:Phase1LifetimeSeconds, ec2:Phase2LifetimeSeconds, ec2:PresharedKeys, ec2:RekeyFuzzPercentage, ec2:RekeyMarginTimeSeconds, ec2:RoutingType

CreateVpnGateway Grants permission to create a virtual private gateway Write
    vpn-gateway*: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteCarrierGateway Grants permission to delete a carrier gateway Write
    carrier-gateway*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc, ec2:Tenancy

DeleteClientVpnEndpoint Grants permission to delete a Client VPN endpoint Write
    client-vpn-endpoint*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:ServerCertificateArn, ec2:ClientRootCertificateChainArn, ec2:DirectoryArn, ec2:SamlProviderArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn

DeleteClientVpnRoute Grants permission to delete a route from a Client VPN endpoint Write
    client-vpn-endpoint*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:ServerCertificateArn, ec2:ClientRootCertificateChainArn, ec2:DirectoryArn, ec2:SamlProviderArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn
    subnet: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc

DeleteCustomerGateway Grants permission to delete a customer gateway Write
    customer-gateway*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteDhcpOptions Grants permission to delete a set of DHCP options Write
    dhcp-options*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteEgressOnlyInternetGateway Grants permission to delete an egress-only internet gateway Write
    egress-only-internet-gateway*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteFleets Grants permission to delete one or more EC2 Fleets Write
    fleet*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteFlowLogs Grants permission to delete one or more flow logs Write
    vpc-flow-log*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteFpgaImage Grants permission to delete an Amazon FPGA Image (AFI) Write
    fpga-image*: aws:ResourceTag/${TagKey}, ec2:Owner, ec2:Public, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteInternetGateway Grants permission to delete an internet gateway Write
    internet-gateway*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteKeyPair Grants permission to delete a key pair by removing the public key from Amazon EC2 Write
    key-pair: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteLaunchTemplate Grants permission to delete a launch template and its associated versions Write
    launch-template: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteLaunchTemplateVersions Grants permission to delete one or more versions of a launch template Write
    launch-template: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteLocalGatewayRoute Grants permission to delete a route from a local gateway route table Write