| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AcceptReservedInstancesExchangeQuote | Grants permission to accept a Convertible Reserved Instance exchange quote | Write | | ec2:Region | |
| AcceptTransitGatewayMulticastDomainAssociations | Grants permission to accept a request to associate subnets with a transit gateway multicast domain | Write | transit-gateway-attachment | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | transit-gateway-multicast-domain | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| AcceptTransitGatewayPeeringAttachment | Grants permission to accept a transit gateway peering attachment request | Write | transit-gateway-attachment* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| AcceptTransitGatewayVpcAttachment | Grants permission to accept a request to attach a VPC to a transit gateway | Write | transit-gateway-attachment* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| AcceptVpcEndpointConnections | Grants permission to accept one or more interface VPC endpoint connections to your VPC endpoint service | Write | vpc-endpoint-service* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| AcceptVpcPeeringConnection | Grants permission to accept a VPC peering connection request | Write | vpc* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID | |
| | | | vpc-peering-connection* | aws:ResourceTag/${TagKey}, ec2:AccepterVpc, ec2:RequesterVpc, ec2:ResourceTag/${TagKey}, ec2:VpcPeeringConnectionID | |
| | | | | ec2:Region | |
| AdvertiseByoipCidr | Grants permission to advertise an IP address range that is provisioned for use in AWS through bring your own IP addresses (BYOIP) | Write | | ec2:Region | |
| AllocateAddress | Grants permission to allocate an Elastic IP address (EIP) to your account | Write | elastic-ip* | | ec2:CreateTags |
| | | | ipv4pool-ec2 | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| AllocateHosts | Grants permission to allocate a Dedicated Host to your account | Write | dedicated-host* | ec2:AutoPlacement, ec2:AvailabilityZone, ec2:HostRecovery, ec2:InstanceType, ec2:Quantity | ec2:CreateTags |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| AllocateIpamPoolCidr | Grants permission to allocate a CIDR from an Amazon VPC IP Address Manager (IPAM) pool | Write | ipam-pool* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ApplySecurityGroupsToClientVpnTargetNetwork | Grants permission to apply a security group to the association between a Client VPN endpoint and a target network | Write | client-vpn-endpoint* | aws:ResourceTag/${TagKey}, ec2:ClientRootCertificateChainArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn, ec2:DirectoryArn, ec2:ResourceTag/${TagKey}, ec2:SamlProviderArn, ec2:ServerCertificateArn | |
| | | | security-group* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID | |
| | | | vpc* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:VpcID | |
| | | | | ec2:Region | |
| AssignIpv6Addresses | Grants permission to assign one or more IPv6 addresses to a network interface | Write | network-interface* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc | |
| | | | | ec2:Region | |
| AssignPrivateIpAddresses | Grants permission to assign one or more secondary private IP addresses to a network interface | Write | network-interface* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc | |
| | | | | ec2:Region | |
| AssociateAddress | Grants permission to associate an Elastic IP address (EIP) with an instance or a network interface | Write | elastic-ip | aws:ResourceTag/${TagKey}, ec2:AllocationId, ec2:Domain, ec2:PublicIpAddress, ec2:ResourceTag/${TagKey} | |
| | | | instance | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ProductCode, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy | |
| | | | network-interface | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc | |
| | | | | ec2:Region | |
| AssociateClientVpnTargetNetwork | Grants permission to associate a target network with a Client VPN endpoint | Write | client-vpn-endpoint* | aws:ResourceTag/${TagKey}, ec2:ClientRootCertificateChainArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn, ec2:DirectoryArn, ec2:ResourceTag/${TagKey}, ec2:SamlProviderArn, ec2:ServerCertificateArn | |
| | | | subnet* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SubnetID | |
| | | | | ec2:Region | |
| AssociateDhcpOptions | Grants permission to associate or disassociate a set of DHCP options with a VPC | Write | dhcp-options* | aws:ResourceTag/${TagKey}, ec2:DhcpOptionsID, ec2:ResourceTag/${TagKey} | |
| | | | vpc* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID | |
| | | | | ec2:Region | |
| AssociateEnclaveCertificateIamRole | Grants permission to associate an ACM certificate with an IAM role to be used in an EC2 Enclave | Write | certificate* | | |
| | | | role* | | |
| | | | | ec2:Region | |
| AssociateIamInstanceProfile | Grants permission to associate an IAM instance profile with a running or stopped instance | Write | instance* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:NewInstanceProfile, ec2:PlacementGroup, ec2:ProductCode, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy | iam:PassRole |
| | | | | ec2:Region | |
| AssociateInstanceEventWindow | Grants permission to associate one or more targets with an event window | Write | instance-event-window* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| AssociateRouteTable | Grants permission to associate a subnet or gateway with a route table | Write | route-table* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:RouteTableID, ec2:Vpc | |
| | | | internet-gateway | aws:ResourceTag/${TagKey}, ec2:InternetGatewayID, ec2:ResourceTag/${TagKey} | |
| | | | subnet | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc | |
| | | | vpn-gateway | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| AssociateSubnetCidrBlock | Grants permission to associate a CIDR block with a subnet | Write | subnet* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc | |
| | | | | ec2:Region | |
| AssociateTransitGatewayMulticastDomain | Grants permission to associate an attachment and list of subnets with a transit gateway multicast domain | Write | subnet* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc | |
| | | | transit-gateway-attachment* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | transit-gateway-multicast-domain* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| AssociateTransitGatewayPolicyTable | Grants permission to associate a policy table with a transit gateway attachment | Write | transit-gateway-attachment* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | transit-gateway-policy-table* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| AssociateTransitGatewayRouteTable | Grants permission to associate an attachment with a transit gateway route table | Write | transit-gateway-attachment* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | transit-gateway-route-table* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| AssociateTrunkInterface | Grants permission to associate a branch network interface with a trunk network interface | Write | | ec2:Region | |
| AssociateVpcCidrBlock | Grants permission to associate a CIDR block with a VPC | Write | vpc* | aws:ResourceTag/${TagKey}, ec2:Ipv4IpamPoolId, ec2:Ipv6IpamPoolId, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID | |
| | | | ipam-pool | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | ipv6pool-ec2 | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| AttachClassicLinkVpc | Grants permission to link an EC2-Classic instance to a ClassicLink-enabled VPC through one or more of the VPC's security groups | Write | instance* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceProfile, ec2:InstanceType, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy | |
| | | | security-group* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID, ec2:Vpc | |
| | | | vpc* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID | |
| | | | | ec2:Region | |
| AttachInternetGateway | Grants permission to attach an internet gateway to a VPC | Write | internet-gateway* | aws:ResourceTag/${TagKey}, ec2:InternetGatewayID, ec2:ResourceTag/${TagKey} | |
| | | | vpc* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID | |
| | | | | ec2:Region | |
| AttachNetworkInterface | Grants permission to attach a network interface to an instance | Write | instance* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ProductCode, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy | |
| | | | network-interface* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc | |
| | | | | ec2:Region | |
| AttachVolume | Grants permission to attach an EBS volume to a running or stopped instance and expose it to the instance with the specified device name | Write | instance* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceProfile, ec2:InstanceType, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ProductCode, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy | |
| | | | volume* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:ResourceTag/${TagKey}, ec2:VolumeID, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType | |
| | | | | ec2:Region | |
| AttachVpnGateway | Grants permission to attach a virtual private gateway to a VPC | Write | vpc* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID | |
| | | | vpn-gateway* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| AuthorizeClientVpnIngress | Grants permission to add an inbound authorization rule to a Client VPN endpoint | Write | client-vpn-endpoint* | aws:ResourceTag/${TagKey}, ec2:ClientRootCertificateChainArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn, ec2:DirectoryArn, ec2:ResourceTag/${TagKey}, ec2:SamlProviderArn, ec2:ServerCertificateArn | |
| | | | | ec2:Region | |
| AuthorizeSecurityGroupEgress | Grants permission to add one or more outbound rules to a VPC security group | Write | security-group* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID, ec2:Vpc | ec2:CreateTags |
| | | | security-group-rule* | | |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| AuthorizeSecurityGroupIngress | Grants permission to add one or more inbound rules to a security group | Write | security-group* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID, ec2:Vpc | ec2:CreateTags |
| | | | security-group-rule* | | |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| BundleInstance | Grants permission to bundle an instance store-backed Windows instance | Write | | ec2:Region | |
| CancelBundleTask | Grants permission to cancel a bundling operation | Write | | ec2:Region | |
| CancelCapacityReservation | Grants permission to cancel a Capacity Reservation and release the reserved capacity | Write | capacity-reservation* | aws:ResourceTag/${TagKey}, ec2:CapacityReservationFleet, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| CancelCapacityReservationFleets | Grants permission to cancel one or more Capacity Reservation Fleets | Write | capacity-reservation-fleet* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| CancelConversionTask | Grants permission to cancel an active conversion task | Write | | ec2:Region | |
| CancelExportTask | Grants permission to cancel an active export task | Write | export-image-task | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | export-instance-task | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| CancelImportTask | Grants permission to cancel an in-process import virtual machine or import snapshot task | Write | import-image-task | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | import-snapshot-task | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| CancelReservedInstancesListing | Grants permission to cancel a Reserved Instance listing on the Reserved Instance Marketplace | Write | | ec2:Region | |
| CancelSpotFleetRequests | Grants permission to cancel one or more Spot Fleet requests | Write | spot-fleet-request* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| CancelSpotInstanceRequests | Grants permission to cancel one or more Spot Instance requests | Write | spot-instances-request* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ConfirmProductInstance | Grants permission to determine whether an owned product code is associated with an instance | Write | | ec2:Region | |
| CopyFpgaImage | Grants permission to copy a source Amazon FPGA image (AFI) to the current Region. Resource-level permissions specified for this action apply to the new AFI only. They do not apply to the source AFI | Write | fpga-image* | ec2:Owner | |
| | | | | ec2:Region | |
| CopyImage | Grants permission to copy an Amazon Machine Image (AMI) from a source Region to the current Region. Resource-level permissions specified for this action apply to the new AMI only. They do not apply to the source AMI | Write | image* | ec2:ImageID, ec2:Owner | |
| | | | | ec2:Region | |
| CopySnapshot | Grants permission to copy a point-in-time snapshot of an EBS volume and store it in Amazon S3. Resource-level permissions specified for this action apply to the new snapshot only. They do not apply to the source snapshot | Write | snapshot* | ec2:OutpostArn, ec2:SnapshotID, ec2:SourceOutpostArn | ec2:CreateTags |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateCapacityReservation | Grants permission to create a Capacity Reservation | Write | capacity-reservation* | ec2:CapacityReservationFleet | ec2:CreateTags |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateCapacityReservationFleet | Grants permission to create a Capacity Reservation Fleet | Write | capacity-reservation-fleet* | | ec2:CreateTags |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateCarrierGateway | Grants permission to create a carrier gateway, which provides CSP connectivity to VPC customers | Write | carrier-gateway* | | ec2:CreateTags |
| | | | vpc* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID | |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateClientVpnEndpoint | Grants permission to create a Client VPN endpoint | Write | client-vpn-endpoint* | ec2:ClientRootCertificateChainArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn, ec2:DirectoryArn, ec2:SamlProviderArn, ec2:ServerCertificateArn | ec2:CreateTags |
| | | | security-group | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID | |
| | | | vpc | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:VpcID | |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateClientVpnRoute | Grants permission to add a network route to a Client VPN endpoint's route table | Write | client-vpn-endpoint* | aws:ResourceTag/${TagKey}, ec2:ClientRootCertificateChainArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn, ec2:DirectoryArn, ec2:ResourceTag/${TagKey}, ec2:SamlProviderArn, ec2:ServerCertificateArn | |
| | | | subnet* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SubnetID | |
| | | | | ec2:Region | |
| CreateCoipPoolPermission [permission only] | Grants permission to allow a service to access a customer owned IP (CoIP) pool | Write | | ec2:Region | |
| CreateCustomerGateway | Grants permission to create a customer gateway, which provides information to AWS about your customer gateway device | Write | customer-gateway* | | ec2:CreateTags |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateDefaultSubnet | Grants permission to create a default subnet in a specified Availability Zone in a default VPC | Write | | ec2:Region | |
| CreateDefaultVpc | Grants permission to create a default VPC with a default subnet in each Availability Zone | Write | | ec2:Region | |
| CreateDhcpOptions | Grants permission to create a set of DHCP options for a VPC | Write | dhcp-options* | ec2:DhcpOptionsID | ec2:CreateTags |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateEgressOnlyInternetGateway | Grants permission to create an egress-only internet gateway for a VPC | Write | egress-only-internet-gateway* | | ec2:CreateTags |
| | | | vpc* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID | |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateFleet | Grants permission to launch an EC2 Fleet | Write | fleet* | | ec2:CreateTags |
| | | | instance* | ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceID, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:RootDeviceType, ec2:Tenancy | |
| | | | image | aws:ResourceTag/${TagKey}, ec2:ImageID, ec2:ImageType, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType | |
| | | | key-pair | aws:ResourceTag/${TagKey}, ec2:KeyPairName, ec2:KeyPairType, ec2:ResourceTag/${TagKey} | |
| | | | launch-template | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | network-interface | aws:ResourceTag/${TagKey}, ec2:AssociatePublicIpAddress, ec2:AuthorizedService, ec2:AvailabilityZone, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc | |
| | | | placement-group | aws:ResourceTag/${TagKey}, ec2:PlacementGroupName, ec2:PlacementGroupStrategy, ec2:ResourceTag/${TagKey} | |
| | | | security-group | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID, ec2:Vpc | |
| | | | snapshot | aws:ResourceTag/${TagKey}, ec2:Owner, ec2:ParentVolume, ec2:ResourceTag/${TagKey}, ec2:SnapshotID, ec2:SnapshotTime, ec2:VolumeSize | |
| | | | subnet | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc | |
| | | | volume | ec2:AvailabilityZone, ec2:Encrypted, ec2:KmsKeyId, ec2:ParentSnapshot, ec2:VolumeID, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType | |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateFlowLogs | Grants permission to create one or more flow logs to capture IP traffic for a network interface | Write | vpc-flow-log* | | ec2:CreateTags, iam:PassRole |
| | | | network-interface | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc | |
| | | | subnet | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc | |
| | | | vpc | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID | |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateFpgaImage | Grants permission to create an Amazon FPGA Image (AFI) from a design checkpoint (DCP) | Write | fpga-image* | ec2:Owner, ec2:Public | ec2:CreateTags |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateImage | Grants permission to create an Amazon EBS-backed AMI from a stopped or running Amazon EBS-backed instance | Write | image* | ec2:ImageID, ec2:Owner | ec2:CreateTags |
| | | | instance* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ProductCode, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy | |
| | | | snapshot* | ec2:OutpostArn, ec2:Owner, ec2:ParentVolume, ec2:SnapshotID, ec2:SnapshotTime, ec2:SourceOutpostArn, ec2:VolumeSize | |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateInstanceEventWindow | Grants permission to create an event window in which scheduled events for the associated Amazon EC2 instances can run | Write | instance-event-window* | | ec2:CreateTags |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateInstanceExportTask | Grants permission to export a running or stopped instance to an Amazon S3 bucket | Write | export-instance-task* | | ec2:CreateTags |
| | | | instance* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:ProductCode, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy | |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateInternetGateway | Grants permission to create an internet gateway for a VPC | Write | internet-gateway* | ec2:InternetGatewayID | ec2:CreateTags |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateIpam | Grants permission to create an Amazon VPC IP Address Manager (IPAM) | Write | ipam* | | ec2:CreateTags, iam:CreateServiceLinkedRole |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateIpamPool | Grants permission to create an IP address pool for Amazon VPC IP Address Manager (IPAM), which is a collection of contiguous IP address CIDRs | Write | ipam-pool* | | ec2:CreateTags |
| | | | ipam-scope* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateIpamScope | Grants permission to create an Amazon VPC IP Address Manager (IPAM) scope, which is the highest-level container within IPAM | Write | ipam* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | ec2:CreateTags |
| | | | ipam-scope* | | |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateKeyPair | Grants permission to create a 2048-bit RSA key pair | Write | key-pair* | ec2:KeyPairType | ec2:CreateTags |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateLaunchTemplate | Grants permission to create a launch template | Write | launch-template* | | ec2:CreateTags |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateLaunchTemplateVersion | Grants permission to create a new version of a launch template | Write | launch-template* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| CreateLocalGatewayRoute | Grants permission to create a static route for a local gateway route table | Write | local-gateway-route-table* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | local-gateway-virtual-interface-group* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| CreateLocalGatewayRouteTablePermission [permission only] | Grants permission to allow a service to access a local gateway route table | Write | local-gateway-route-table* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| CreateLocalGatewayRouteTableVpcAssociation | Grants permission to associate a VPC with a local gateway route table | Write | local-gateway-route-table* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | ec2:CreateTags |
| | | | local-gateway-route-table-vpc-association* | | |
| | | | vpc* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID | |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateManagedPrefixList | Grants permission to create a managed prefix list | Write | prefix-list* | | ec2:CreateTags |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateNatGateway | Grants permission to create a NAT gateway in a subnet | Write | natgateway* | | ec2:CreateTags |
| | | | subnet* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc | |
| | | | elastic-ip | aws:ResourceTag/${TagKey}, ec2:AllocationId, ec2:Domain, ec2:PublicIpAddress, ec2:ResourceTag/${TagKey} | |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateNetworkAcl | Grants permission to create a network ACL in a VPC | Write | network-acl* | ec2:NetworkAclID | ec2:CreateTags |
| | | | vpc* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID | |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateNetworkAclEntry | Grants permission to create a numbered entry (a rule) in a network ACL | Write | network-acl* | aws:ResourceTag/${TagKey}, ec2:NetworkAclID, ec2:ResourceTag/${TagKey}, ec2:Vpc | |
| | | | | ec2:Region | |
| CreateNetworkInsightsAccessScope | Grants permission to create a Network Access Scope | Write | network-insights-access-scope* | | ec2:CreateTags |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateNetworkInsightsPath | Grants permission to create a path to analyze for reachability | Write | network-insights-path* | | ec2:CreateTags |
| | | | instance | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceID, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy | |
| | | | internet-gateway | aws:ResourceTag/${TagKey}, ec2:InternetGatewayID, ec2:ResourceTag/${TagKey} | |
| | | | network-interface | aws:ResourceTag/${TagKey}, ec2:AssociatePublicIpAddress, ec2:AuthorizedService, ec2:AvailabilityZone, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc | |
| | | | transit-gateway | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | vpc-endpoint | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | vpc-peering-connection | aws:ResourceTag/${TagKey}, ec2:AccepterVpc, ec2:RequesterVpc, ec2:ResourceTag/${TagKey}, ec2:VpcPeeringConnectionID | |
| | | | vpn-gateway | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateNetworkInterface | Grants permission to create a network interface in a subnet | Write | network-interface* | ec2:NetworkInterfaceID | ec2:CreateTags |
| | | | subnet* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc | |
| | | | security-group | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID, ec2:Vpc | |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateNetworkInterfacePermission | Grants permission to create a permission for an AWS-authorized user to perform certain operations on a network interface | Permissions management | network-interface* | aws:ResourceTag/${TagKey}, ec2:AuthorizedService, ec2:AuthorizedUser, ec2:AvailabilityZone, ec2:NetworkInterfaceID, ec2:Permission, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc | |
| | | | | ec2:Region | |
| CreatePlacementGroup | Grants permission to create a placement group | Write | placement-group* | ec2:PlacementGroupName, ec2:PlacementGroupStrategy | ec2:CreateTags |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreatePublicIpv4Pool | Grants permission to create a public IPv4 address pool for public IPv4 CIDRs that you own and bring to Amazon to manage with Amazon VPC IP Address Manager (IPAM) | Write | ipv4pool-ec2* | | ec2:CreateTags |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateReplaceRootVolumeTask | Grants permission to create a root volume replacement task | Write | instance* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ProductCode, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy | ec2:CreateTags |
| | | | replace-root-volume-task* | | |
| | | | volume* | ec2:VolumeID | |
| | | | snapshot | aws:ResourceTag/${TagKey}, ec2:Owner, ec2:ParentVolume, ec2:ResourceTag/${TagKey}, ec2:SnapshotID, ec2:SnapshotTime, ec2:VolumeSize | |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateReservedInstancesListing | Grants permission to create a listing for Standard Reserved Instances to be sold in the Reserved Instance Marketplace | Write | | ec2:Region | |
| CreateRestoreImageTask | Grants permission to start a task that restores an AMI from an S3 object previously created by using CreateStoreImageTask | Write | image* | ec2:ImageID, ec2:Owner | ec2:CreateTags |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateRoute | Grants permission to create a route in a VPC route table | Write | route-table* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:RouteTableID, ec2:Vpc | |
| | | | | ec2:Region | |
| CreateRouteTable | Grants permission to create a route table for a VPC | Write | route-table* | ec2:RouteTableID | ec2:CreateTags |
| | | | vpc* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID | |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateSecurityGroup | Grants permission to create a security group | Write | security-group* | ec2:SecurityGroupID | ec2:CreateTags |
| | | | vpc | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID | |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateSnapshot | Grants permission to create a snapshot of an EBS volume and store it in Amazon S3 | Write | snapshot* | ec2:OutpostArn, ec2:ParentVolume, ec2:SnapshotID, ec2:SourceOutpostArn, ec2:VolumeSize | ec2:CreateTags |
| | | | volume* | aws:ResourceTag/${TagKey}, ec2:Encrypted, ec2:ResourceTag/${TagKey}, ec2:VolumeID, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType | |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateSnapshots | Grants permission to create crash-consistent snapshots of multiple EBS volumes and store them in Amazon S3 | Write | instance* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceID, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy | ec2:CreateTags |
| | | | snapshot* | ec2:OutpostArn, ec2:ParentVolume, ec2:SnapshotID, ec2:SourceOutpostArn, ec2:VolumeSize | |
| | | | volume* | aws:ResourceTag/${TagKey}, ec2:Encrypted, ec2:ResourceTag/${TagKey}, ec2:VolumeID, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType | |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateSpotDatafeedSubscription | Grants permission to create a data feed for Spot Instances to view Spot Instance usage logs | Write | | ec2:Region | |
| CreateStoreImageTask | Grants permission to store an AMI as a single object in an S3 bucket | Write | image* | aws:ResourceTag/${TagKey}, ec2:ImageID, ec2:ImageType, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType | |
| | | | | ec2:Region | |
| CreateSubnet | Grants permission to create a subnet in a VPC | Write | subnet* | ec2:SubnetID | ec2:CreateTags |
| | | | vpc* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID | |
| | | | | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region | |
| CreateSubnetCidrReservation | Grants permission to create a subnet CIDR reservation | Write | | ec2:Region | |
| CreateTags | Grants permission to add or overwrite one or more tags for Amazon EC2 resources | Tagging | capacity-reservation | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | capacity-reservation-fleet | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | carrier-gateway | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:Vpc | |
| | | | client-vpn-endpoint | aws:ResourceTag/${TagKey}, ec2:ClientRootCertificateChainArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn, ec2:DirectoryArn, ec2:ResourceTag/${TagKey}, ec2:SamlProviderArn, ec2:ServerCertificateArn | |
| | | | customer-gateway | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | dedicated-host | aws:ResourceTag/${TagKey}, ec2:AutoPlacement, ec2:AvailabilityZone, ec2:HostRecovery, ec2:InstanceType, ec2:Quantity, ec2:ResourceTag/${TagKey} | |
| | | | dhcp-options | aws:ResourceTag/${TagKey}, ec2:DhcpOptionsID, ec2:ResourceTag/${TagKey} | |
| | | | egress-only-internet-gateway | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | elastic-gpu | aws:ResourceTag/${TagKey}, ec2:ElasticGpuType, ec2:ResourceTag/${TagKey} | |
| | | | elastic-ip | aws:ResourceTag/${TagKey}, ec2:AllocationId, ec2:Domain, ec2:PublicIpAddress, ec2:ResourceTag/${TagKey} | |
| | | | export-image-task | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | export-instance-task | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | fleet | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | fpga-image | aws:ResourceTag/${TagKey}, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey} | |
| | | | host-reservation | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | image | aws:ResourceTag/${TagKey}, ec2:ImageID, ec2:ImageType, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType | |
| | | | import-image-task | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | import-snapshot-task | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | instance | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ProductCode, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy | |
| | | | instance-event-window | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | internet-gateway | aws:ResourceTag/${TagKey}, ec2:InternetGatewayID, ec2:ResourceTag/${TagKey} | |
|
|
ipam
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
ipam-pool
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
ipam-scope
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
ipv4pool-ec2
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
ipv6pool-ec2
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
key-pair
|
aws:ResourceTag/${TagKey}
ec2:KeyPairName
ec2:KeyPairType
ec2:ResourceTag/${TagKey}
|
|
launch-template
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
local-gateway
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
local-gateway-route-table
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
local-gateway-route-table-virtual-interface-group-association
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
local-gateway-route-table-vpc-association
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
local-gateway-virtual-interface
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
local-gateway-virtual-interface-group
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
natgateway
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
network-acl
|
aws:ResourceTag/${TagKey}
ec2:NetworkAclID
ec2:ResourceTag/${TagKey}
ec2:Vpc
|
|
network-insights-access-scope
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
network-insights-access-scope-analysis
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
network-insights-analysis
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
network-insights-path
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
network-interface
|
aws:ResourceTag/${TagKey}
ec2:AssociatePublicIpAddress
ec2:AuthorizedService
ec2:AuthorizedUser
ec2:AvailabilityZone
ec2:NetworkInterfaceID
ec2:Permission
ec2:ResourceTag/${TagKey}
ec2:Subnet
ec2:Vpc
|
|
placement-group
|
aws:ResourceTag/${TagKey}
ec2:PlacementGroupName
ec2:PlacementGroupStrategy
ec2:ResourceTag/${TagKey}
|
|
prefix-list
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
replace-root-volume-task
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
reserved-instances
|
aws:ResourceTag/${TagKey}
ec2:AvailabilityZone
ec2:InstanceType
ec2:ReservedInstancesOfferingType
ec2:ResourceTag/${TagKey}
ec2:Tenancy
|
|
route-table
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:RouteTableID
ec2:Vpc
|
|
security-group
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:SecurityGroupID
ec2:Vpc
|
|
security-group-rule
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
snapshot
|
aws:ResourceTag/${TagKey}
ec2:AvailabilityZone
ec2:Encrypted
ec2:Owner
ec2:ParentVolume
ec2:ResourceTag/${TagKey}
ec2:SnapshotID
ec2:SnapshotTime
ec2:VolumeSize
|
|
spot-fleet-request
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
spot-instances-request
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
subnet
|
aws:ResourceTag/${TagKey}
ec2:AvailabilityZone
ec2:ResourceTag/${TagKey}
ec2:SubnetID
ec2:Vpc
|
|
subnet-cidr-reservation
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
traffic-mirror-filter
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
traffic-mirror-session
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
traffic-mirror-target
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
transit-gateway
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
transit-gateway-attachment
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
transit-gateway-connect-peer
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
transit-gateway-multicast-domain
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
transit-gateway-policy-table
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
transit-gateway-route-table
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
transit-gateway-route-table-announcement
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
volume
|
aws:ResourceTag/${TagKey}
ec2:AvailabilityZone
ec2:Encrypted
ec2:ParentSnapshot
ec2:ResourceTag/${TagKey}
ec2:VolumeID
ec2:VolumeIops
ec2:VolumeSize
ec2:VolumeThroughput
ec2:VolumeType
|
|
vpc
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:Tenancy
ec2:VpcID
|
|
vpc-endpoint
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
vpc-endpoint-service
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:VpceServicePrivateDnsName
|
|
vpc-flow-log
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
vpc-peering-connection
|
aws:ResourceTag/${TagKey}
ec2:AccepterVpc
ec2:RequesterVpc
ec2:ResourceTag/${TagKey}
ec2:VpcPeeringConnectionID
|
|
vpn-connection
|
aws:ResourceTag/${TagKey}
ec2:AuthenticationType
ec2:DPDTimeoutSeconds
ec2:GatewayType
ec2:IKEVersions
ec2:InsideTunnelCidr
ec2:InsideTunnelIpv6Cidr
ec2:Phase1DHGroup
ec2:Phase1EncryptionAlgorithms
ec2:Phase1IntegrityAlgorithms
ec2:Phase1LifetimeSeconds
ec2:Phase2DHGroup
ec2:Phase2EncryptionAlgorithms
ec2:Phase2IntegrityAlgorithms
ec2:Phase2LifetimeSeconds
ec2:PreSharedKeys
ec2:RekeyFuzzPercentage
ec2:RekeyMarginTimeSeconds
ec2:ReplayWindowSizePackets
ec2:ResourceTag/${TagKey}
ec2:RoutingType
|
|
vpn-gateway
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:CreateAction
ec2:Region
|
|
CreateTrafficMirrorFilter
|
Grants permission to create a traffic mirror filter |
Write |
traffic-mirror-filter*
|
|
ec2:CreateTags
|
|
aws:RequestTag/${TagKey}
aws:TagKeys
ec2:Region
|
|
CreateTrafficMirrorFilterRule
|
Grants permission to create a traffic mirror filter rule |
Write |
traffic-mirror-filter*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
CreateTrafficMirrorSession
|
Grants permission to create a traffic mirror session |
Write |
network-interface*
|
aws:ResourceTag/${TagKey}
ec2:NetworkInterfaceID
ec2:ResourceTag/${TagKey}
|
ec2:CreateTags
|
traffic-mirror-filter*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
traffic-mirror-session*
|
|
|
traffic-mirror-target*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
aws:RequestTag/${TagKey}
aws:TagKeys
ec2:Region
|
|
CreateTrafficMirrorTarget
|
Grants permission to create a traffic mirror target |
Write |
traffic-mirror-target*
|
|
ec2:CreateTags
|
network-interface
|
aws:ResourceTag/${TagKey}
ec2:NetworkInterfaceID
ec2:ResourceTag/${TagKey}
|
|
vpc-endpoint
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:VpceServiceName
ec2:VpceServiceOwner
|
|
|
aws:RequestTag/${TagKey}
aws:TagKeys
ec2:Region
|
|
CreateTransitGateway
|
Grants permission to create a transit gateway |
Write |
transit-gateway*
|
|
ec2:CreateTags
|
|
aws:RequestTag/${TagKey}
aws:TagKeys
ec2:Region
|
|
CreateTransitGatewayConnect
|
Grants permission to create a Connect attachment from a specified transit gateway attachment |
Write |
transit-gateway-attachment*
|
|
ec2:CreateTags
|
|
aws:RequestTag/${TagKey}
aws:TagKeys
ec2:Region
|
|
CreateTransitGatewayConnectPeer
|
Grants permission to create a Connect peer between a transit gateway and an appliance |
Write |
transit-gateway-attachment*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
ec2:CreateTags
|
transit-gateway-connect-peer*
|
|
|
|
aws:RequestTag/${TagKey}
aws:TagKeys
ec2:Region
|
|
CreateTransitGatewayMulticastDomain
|
Grants permission to create a multicast domain for a transit gateway |
Write |
transit-gateway*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
ec2:CreateTags
|
transit-gateway-multicast-domain*
|
|
|
|
aws:RequestTag/${TagKey}
aws:TagKeys
ec2:Region
|
|
CreateTransitGatewayPeeringAttachment
|
Grants permission to request a transit gateway peering attachment between a requester and accepter transit gateway |
Write |
transit-gateway*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
ec2:CreateTags
|
transit-gateway-attachment*
|
|
|
|
aws:RequestTag/${TagKey}
aws:TagKeys
ec2:Region
|
|
CreateTransitGatewayPolicyTable
|
Grants permission to create a transit gateway policy table |
Write |
transit-gateway*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
ec2:CreateTags
|
transit-gateway-policy-table*
|
|
|
|
aws:RequestTag/${TagKey}
aws:TagKeys
ec2:Region
|
|
CreateTransitGatewayPrefixListReference
|
Grants permission to create a transit gateway prefix list reference |
Write |
prefix-list*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
transit-gateway-route-table*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
transit-gateway-attachment
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
CreateTransitGatewayRoute
|
Grants permission to create a static route for a transit gateway route table |
Write |
transit-gateway-route-table*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
transit-gateway-attachment
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
CreateTransitGatewayRouteTable
|
Grants permission to create a route table for a transit gateway |
Write |
transit-gateway*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
ec2:CreateTags
|
transit-gateway-route-table*
|
|
|
|
aws:RequestTag/${TagKey}
aws:TagKeys
ec2:Region
|
|
CreateTransitGatewayRouteTableAnnouncement
|
Grants permission to create an announcement for a transit gateway route table |
Write |
transit-gateway-attachment*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
ec2:CreateTags
|
transit-gateway-route-table*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
transit-gateway-route-table-announcement*
|
|
|
|
aws:RequestTag/${TagKey}
aws:TagKeys
ec2:Region
|
|
CreateTransitGatewayVpcAttachment
|
Grants permission to attach a VPC to a transit gateway |
Write |
transit-gateway*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
ec2:CreateTags
|
transit-gateway-attachment*
|
|
|
vpc*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:Tenancy
ec2:VpcID
|
|
subnet
|
aws:ResourceTag/${TagKey}
ec2:AvailabilityZone
ec2:ResourceTag/${TagKey}
ec2:SubnetID
ec2:Vpc
|
|
|
aws:RequestTag/${TagKey}
aws:TagKeys
ec2:Region
|
|
CreateVolume
|
Grants permission to create an EBS volume |
Write |
volume*
|
ec2:AvailabilityZone
ec2:Encrypted
ec2:KmsKeyId
ec2:ParentSnapshot
ec2:VolumeID
ec2:VolumeIops
ec2:VolumeSize
ec2:VolumeThroughput
ec2:VolumeType
|
ec2:CreateTags
|
|
aws:RequestTag/${TagKey}
aws:TagKeys
ec2:Region
|
|
CreateVpc
|
Grants permission to create a VPC with a specified CIDR block |
Write |
vpc*
|
ec2:Ipv4IpamPoolId
ec2:Ipv6IpamPoolId
ec2:VpcID
|
ec2:CreateTags
|
ipam-pool
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
ipv6pool-ec2
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
aws:RequestTag/${TagKey}
aws:TagKeys
ec2:Region
|
|
CreateVpcEndpoint
|
Grants permission to create a VPC endpoint for an AWS service |
Write |
vpc*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:VpcID
|
ec2:CreateTags
route53:AssociateVPCWithHostedZone
|
vpc-endpoint*
|
ec2:VpceServiceName
ec2:VpceServiceOwner
|
|
route-table
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:RouteTableID
|
|
security-group
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:SecurityGroupID
|
|
subnet
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:SubnetID
|
|
|
aws:RequestTag/${TagKey}
aws:TagKeys
ec2:Region
|
|
CreateVpcEndpointConnectionNotification
|
Grants permission to create a connection notification for a VPC endpoint or VPC endpoint service |
Write |
vpc-endpoint
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
CreateVpcEndpointServiceConfiguration
|
Grants permission to create a VPC endpoint service configuration to which service consumers (AWS accounts, IAM users, and IAM roles) can connect |
Write |
vpc-endpoint-service*
|
ec2:VpceServicePrivateDnsName
|
ec2:CreateTags
|
|
aws:RequestTag/${TagKey}
aws:TagKeys
ec2:Region
|
|
CreateVpcPeeringConnection
|
Grants permission to request a VPC peering connection between two VPCs |
Write |
vpc*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:Tenancy
ec2:VpcID
|
ec2:CreateTags
|
vpc-peering-connection*
|
ec2:AccepterVpc
ec2:RequesterVpc
ec2:VpcPeeringConnectionID
|
|
|
aws:RequestTag/${TagKey}
aws:TagKeys
ec2:Region
|
|
CreateVpnConnection
|
Grants permission to create a VPN connection between a virtual private gateway or transit gateway and a customer gateway |
Write |
customer-gateway*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
ec2:CreateTags
|
vpn-connection*
|
ec2:AuthenticationType
ec2:DPDTimeoutSeconds
ec2:GatewayType
ec2:IKEVersions
ec2:InsideTunnelCidr
ec2:InsideTunnelIpv6Cidr
ec2:Phase1DHGroup
ec2:Phase1EncryptionAlgorithms
ec2:Phase1IntegrityAlgorithms
ec2:Phase1LifetimeSeconds
ec2:Phase2DHGroup
ec2:Phase2EncryptionAlgorithms
ec2:Phase2IntegrityAlgorithms
ec2:Phase2LifetimeSeconds
ec2:PreSharedKeys
ec2:RekeyFuzzPercentage
ec2:RekeyMarginTimeSeconds
ec2:ReplayWindowSizePackets
ec2:RoutingType
|
|
transit-gateway
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
transit-gateway-attachment
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
vpn-gateway
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
aws:RequestTag/${TagKey}
aws:TagKeys
ec2:Region
|
|
CreateVpnConnectionRoute
|
Grants permission to create a static route for a VPN connection between a virtual private gateway and a customer gateway |
Write |
vpn-connection*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
CreateVpnGateway
|
Grants permission to create a virtual private gateway |
Write |
vpn-gateway*
|
|
ec2:CreateTags
|
|
aws:RequestTag/${TagKey}
aws:TagKeys
ec2:Region
|
|
DeleteCarrierGateway
|
Grants permission to delete a carrier gateway |
Write |
carrier-gateway*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
DeleteClientVpnEndpoint
|
Grants permission to delete a Client VPN endpoint |
Write |
client-vpn-endpoint*
|
aws:ResourceTag/${TagKey}
ec2:ClientRootCertificateChainArn
ec2:CloudwatchLogGroupArn
ec2:CloudwatchLogStreamArn
ec2:DirectoryArn
ec2:ResourceTag/${TagKey}
ec2:SamlProviderArn
ec2:ServerCertificateArn
|
|
|
ec2:Region
|
|
DeleteClientVpnRoute
|
Grants permission to delete a route from a Client VPN endpoint |
Write |
client-vpn-endpoint*
|
aws:ResourceTag/${TagKey}
ec2:ClientRootCertificateChainArn
ec2:CloudwatchLogGroupArn
ec2:CloudwatchLogStreamArn
ec2:DirectoryArn
ec2:ResourceTag/${TagKey}
ec2:SamlProviderArn
ec2:ServerCertificateArn
|
|
subnet
|
aws:ResourceTag/${TagKey}
ec2:AvailabilityZone
ec2:ResourceTag/${TagKey}
ec2:SubnetID
ec2:Vpc
|
|
|
ec2:Region
|
|
DeleteCoipPoolPermission [permission only] |
Grants permission to deny a service from accessing a customer owned IP (CoIP) pool |
Write |
|
ec2:Region
|
|
DeleteCustomerGateway
|
Grants permission to delete a customer gateway |
Write |
customer-gateway*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
DeleteDhcpOptions
|
Grants permission to delete a set of DHCP options |
Write |
dhcp-options*
|
aws:ResourceTag/${TagKey}
ec2:DhcpOptionsID
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
DeleteEgressOnlyInternetGateway
|
Grants permission to delete an egress-only internet gateway |
Write |
egress-only-internet-gateway*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
DeleteFleets
|
Grants permission to delete one or more EC2 Fleets |
Write |
fleet*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
DeleteFlowLogs
|
Grants permission to delete one or more flow logs |
Write |
vpc-flow-log*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
DeleteFpgaImage
|
Grants permission to delete an Amazon FPGA Image (AFI) |
Write |
fpga-image*
|
aws:ResourceTag/${TagKey}
ec2:Owner
ec2:Public
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
DeleteInstanceEventWindow
|
Grants permission to delete the specified event window |
Write |
instance-event-window*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
DeleteInternetGateway
|
Grants permission to delete an internet gateway |
Write |
internet-gateway*
|
aws:ResourceTag/${TagKey}
ec2:InternetGatewayID
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
DeleteIpam
|
Grants permission to delete an Amazon VPC IP Address Manager (IPAM) and remove all monitored data associated with the IPAM including the historical data for CIDRs |
Write |
ipam*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
DeleteIpamPool
|
Grants permission to delete an Amazon VPC IP Address Manager (IPAM) pool |
Write |
ipam-pool*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
DeleteIpamScope
|
Grants permission to delete the scope for an Amazon VPC IP Address Manager (IPAM) |
Write |
ipam-scope*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
DeleteKeyPair
|
Grants permission to delete a key pair by removing the public key from Amazon EC2 |
Write |
key-pair
|
aws:ResourceTag/${TagKey}
ec2:KeyPairName
ec2:KeyPairType
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
DeleteLaunchTemplate
|
Grants permission to delete a launch template and its associated versions |
Write |
launch-template*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
DeleteLaunchTemplateVersions
|
Grants permission to delete one or more versions of a launch template |
Write |
launch-template*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
DeleteLocalGatewayRoute
|
Grants permission to delete a route from a local gateway route table |
Write |
local-gateway-route-table*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
DeleteLocalGatewayRouteTablePermission [permission only] |
Grants permission to deny a service from accessing a local gateway route table |
Write |
local-gateway-route-table*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
DeleteLocalGatewayRouteTableVpcAssociation
|
Grants permission to delete an association between a VPC and local gateway route table |
Write |
local-gateway-route-table-vpc-association*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
DeleteManagedPrefixList
|
Grants permission to delete a managed prefix list |
Write |
prefix-list*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
DeleteNatGateway
|
Grants permission to delete a NAT gateway |
Write |
natgateway*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
DeleteNetworkAcl
|
Grants permission to delete a network ACL |
Write |
network-acl*
|
aws:ResourceTag/${TagKey}
ec2:NetworkAclID
ec2:ResourceTag/${TagKey}
ec2:Vpc
|
|
|
ec2:Region
|
|
DeleteNetworkAclEntry
|
Grants permission to delete an inbound or outbound entry (rule) from a network ACL |
Write |
network-acl*
|
aws:ResourceTag/${TagKey}
ec2:NetworkAclID
ec2:ResourceTag/${TagKey}
ec2:Vpc
|
|
|
ec2:Region
|
|
DeleteNetworkInsightsAccessScope
|
Grants permission to delete a Network Access Scope |
Write |
network-insights-access-scope*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
DeleteNetworkInsightsAccessScopeAnalysis
|
Grants permission to delete a Network Access Scope analysis |
Write |
network-insights-access-scope-analysis*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
DeleteNetworkInsightsAnalysis
|
Grants permission to delete a network insights analysis |
Write |
network-insights-analysis*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
DeleteNetworkInsightsPath
|
Grants permission to delete a network insights path |
Write |
network-insights-path*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
DeleteNetworkInterface
|
Grants permission to delete a detached network interface |
Write |
network-interface*
|
aws:ResourceTag/${TagKey}
ec2:AvailabilityZone
ec2:NetworkInterfaceID
ec2:ResourceTag/${TagKey}
ec2:Subnet
ec2:Vpc
|
|
|
ec2:Region
|
|
DeleteNetworkInterfacePermission
|
Grants permission to delete a permission that is associated with a network interface |
Permissions management |
network-interface
|
aws:ResourceTag/${TagKey}
ec2:AssociatePublicIpAddress
ec2:AuthorizedService
ec2:AvailabilityZone
ec2:NetworkInterfaceID
ec2:ResourceTag/${TagKey}
ec2:Subnet
ec2:Vpc
|
|
|
ec2:Region
|
|
DeletePlacementGroup
|
Grants permission to delete a placement group |
Write |
placement-group
|
aws:ResourceTag/${TagKey}
ec2:PlacementGroupName
ec2:PlacementGroupStrategy
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
DeletePublicIpv4Pool
|
Grants permission to delete a public IPv4 address pool for public IPv4 CIDRs that you own and brought to Amazon to manage with Amazon VPC IP Address Manager (IPAM) |
Write |
ipv4pool-ec2*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
DeleteQueuedReservedInstances
|
Grants permission to delete the queued purchases for the specified Reserved Instances |
Write |
|
ec2:Region
|
|
DeleteResourcePolicy [permission only] |
Grants permission to remove an IAM policy that enables cross-account sharing from a resource |
Write |
ipam-pool
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
DeleteRoute
|
Grants permission to delete a route from a route table |
Write |
route-table*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:RouteTableID
ec2:Vpc
|
|
|
ec2:Region
|
|
DeleteRouteTable
|
Grants permission to delete a route table |
Write |
route-table*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:RouteTableID
ec2:Vpc
|
|
|
ec2:Region
|
|
DeleteSecurityGroup
|
Grants permission to delete a security group |
Write |
security-group*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:SecurityGroupID
ec2:Vpc
|
|
|
ec2:Region
|
|
DeleteSnapshot
|
Grants permission to delete a snapshot of an EBS volume |
Write |
snapshot*
|
aws:ResourceTag/${TagKey}
ec2:OutpostArn
ec2:Owner
ec2:ParentVolume
ec2:ResourceTag/${TagKey}
ec2:SnapshotID
ec2:SnapshotTime
ec2:SourceOutpostArn
ec2:VolumeSize
|
|
|
ec2:Region
|
|
DeleteSpotDatafeedSubscription
|
Grants permission to delete a data feed for Spot Instances |
Write |
|
ec2:Region
|
|
DeleteSubnet
|
Grants permission to delete a subnet |
Write |
subnet*
|
aws:ResourceTag/${TagKey}
ec2:AvailabilityZone
ec2:ResourceTag/${TagKey}
ec2:SubnetID
ec2:Vpc
|
|
|
ec2:Region
|
|
DeleteSubnetCidrReservation
|
Grants permission to delete a subnet CIDR reservation |
Write |
|
ec2:Region
|
|
DeleteTags
|
Grants permission to delete one or more tags from Amazon EC2 resources |
Tagging |
capacity-reservation
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
capacity-reservation-fleet
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
carrier-gateway
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
client-vpn-endpoint
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
customer-gateway
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
dedicated-host
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
dhcp-options
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
egress-only-internet-gateway
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
elastic-gpu
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
elastic-ip
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
export-image-task
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
export-instance-task
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
fleet
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
fpga-image
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
host-reservation
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
image
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
import-image-task
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
import-snapshot-task
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
instance
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
instance-event-window
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
internet-gateway
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
ipam
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
ipam-pool
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
ipam-scope
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
ipv4pool-ec2
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
ipv6pool-ec2
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
key-pair
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
launch-template
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
local-gateway
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
local-gateway-route-table
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
local-gateway-route-table-virtual-interface-group-association
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
local-gateway-route-table-vpc-association
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
local-gateway-virtual-interface
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
local-gateway-virtual-interface-group
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
natgateway
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
network-acl
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
network-insights-access-scope
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
network-insights-access-scope-analysis
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
network-insights-analysis
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
network-insights-path
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
network-interface
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
placement-group
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
prefix-list
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
replace-root-volume-task
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
reserved-instances
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
route-table
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
security-group
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
security-group-rule
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
snapshot
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
spot-fleet-request
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
spot-instances-request
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
subnet
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
subnet-cidr-reservation
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
traffic-mirror-filter
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
traffic-mirror-session
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
traffic-mirror-target
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
transit-gateway
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
transit-gateway-attachment
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
transit-gateway-connect-peer
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
transit-gateway-multicast-domain
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
transit-gateway-policy-table
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
transit-gateway-route-table
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
transit-gateway-route-table-announcement
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
volume
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
vpc
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
vpc-endpoint
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
vpc-endpoint-service
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
vpc-flow-log
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
vpc-peering-connection
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
vpn-connection
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
vpn-gateway
|
aws:ResourceTag/${TagKey}
| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| | | | | ec2:ResourceTag/${TagKey} | |
| | | | | aws:TagKeys, ec2:Region | |
| DeleteTrafficMirrorFilter | Grants permission to delete a traffic mirror filter | Write | traffic-mirror-filter* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DeleteTrafficMirrorFilterRule | Grants permission to delete a traffic mirror filter rule | Write | traffic-mirror-filter* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | traffic-mirror-filter-rule* | | |
| | | | | ec2:Region | |
| DeleteTrafficMirrorSession | Grants permission to delete a traffic mirror session | Write | traffic-mirror-session* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DeleteTrafficMirrorTarget | Grants permission to delete a traffic mirror target | Write | traffic-mirror-target* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DeleteTransitGateway | Grants permission to delete a transit gateway | Write | transit-gateway* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DeleteTransitGatewayConnect | Grants permission to delete a transit gateway connect attachment | Write | transit-gateway-attachment* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DeleteTransitGatewayConnectPeer | Grants permission to delete a transit gateway connect peer | Write | transit-gateway-connect-peer* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DeleteTransitGatewayMulticastDomain | Grants permission to delete a transit gateway multicast domain | Write | transit-gateway-multicast-domain* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DeleteTransitGatewayPeeringAttachment | Grants permission to delete a peering attachment from a transit gateway | Write | transit-gateway-attachment* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DeleteTransitGatewayPolicyTable | Grants permission to delete a transit gateway policy table | Write | transit-gateway-policy-table* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DeleteTransitGatewayPrefixListReference | Grants permission to delete a transit gateway prefix list reference | Write | prefix-list* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | transit-gateway-route-table* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DeleteTransitGatewayRoute | Grants permission to delete a route from a transit gateway route table | Write | transit-gateway-route-table* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DeleteTransitGatewayRouteTable | Grants permission to delete a transit gateway route table | Write | transit-gateway-route-table* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DeleteTransitGatewayRouteTableAnnouncement | Grants permission to delete a transit gateway route table announcement | Write | transit-gateway-route-table-announcement* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DeleteTransitGatewayVpcAttachment | Grants permission to delete a VPC attachment from a transit gateway | Write | transit-gateway-attachment* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DeleteVolume | Grants permission to delete an EBS volume | Write | volume* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:ResourceTag/${TagKey}, ec2:VolumeID, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType | |
| | | | | ec2:Region | |
| DeleteVpc | Grants permission to delete a VPC | Write | vpc* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID | |
| | | | | ec2:Region | |
| DeleteVpcEndpointConnectionNotifications | Grants permission to delete one or more VPC endpoint connection notifications | Write | vpc-endpoint | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | vpc-endpoint-service | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DeleteVpcEndpointServiceConfigurations | Grants permission to delete one or more VPC endpoint service configurations | Write | vpc-endpoint-service* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DeleteVpcEndpoints | Grants permission to delete one or more VPC endpoints | Write | vpc-endpoint* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:VpceServiceName | |
| | | | | ec2:Region | |
| DeleteVpcPeeringConnection | Grants permission to delete a VPC peering connection | Write | vpc-peering-connection* | aws:ResourceTag/${TagKey}, ec2:AccepterVpc, ec2:RequesterVpc, ec2:ResourceTag/${TagKey}, ec2:VpcPeeringConnectionID | |
| | | | | ec2:Region | |
| DeleteVpnConnection | Grants permission to delete a VPN connection | Write | vpn-connection* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DeleteVpnConnectionRoute | Grants permission to delete a static route for a VPN connection between a virtual private gateway and a customer gateway | Write | vpn-connection* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DeleteVpnGateway | Grants permission to delete a virtual private gateway | Write | vpn-gateway* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DeprovisionByoipCidr | Grants permission to release an IP address range that was provisioned through bring your own IP addresses (BYOIP), and to delete the corresponding address pool | Write | | ec2:Region | |
| DeprovisionIpamPoolCidr | Grants permission to deprovision a CIDR provisioned from an Amazon VPC IP Address Manager (IPAM) pool | Write | ipam-pool* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DeprovisionPublicIpv4PoolCidr | Grants permission to deprovision a CIDR from a public IPv4 pool | Write | ipv4pool-ec2* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DeregisterImage | Grants permission to deregister an Amazon Machine Image (AMI) | Write | image* | aws:ResourceTag/${TagKey}, ec2:ImageID, ec2:ImageType, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType | |
| | | | | ec2:Region | |
| DeregisterInstanceEventNotificationAttributes | Grants permission to remove tags from the set of tags to include in notifications about scheduled events for your instances | Write | | ec2:Region | |
| DeregisterTransitGatewayMulticastGroupMembers | Grants permission to deregister one or more network interface members from a group IP address in a transit gateway multicast domain | Write | network-interface | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc | |
| | | | transit-gateway-multicast-domain | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DeregisterTransitGatewayMulticastGroupSources | Grants permission to deregister one or more network interface sources from a group IP address in a transit gateway multicast domain | Write | network-interface | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc | |
| | | | transit-gateway-multicast-domain | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DescribeAccountAttributes | Grants permission to describe the attributes of the AWS account | List | | ec2:Region | |
| DescribeAddresses | Grants permission to describe one or more Elastic IP addresses | List | | ec2:Region | |
| DescribeAddressesAttribute | Grants permission to describe the attributes of the specified Elastic IP addresses | List | elastic-ip | aws:ResourceTag/${TagKey}, ec2:AllocationId, ec2:Domain, ec2:PublicIpAddress, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DescribeAggregateIdFormat | Grants permission to describe the longer ID format settings for all resource types | List | | ec2:Region | |
| DescribeAvailabilityZones | Grants permission to describe one or more of the Availability Zones that are available to you | List | | ec2:Region | |
| DescribeBundleTasks | Grants permission to describe one or more bundling tasks | List | | ec2:Region | |
| DescribeByoipCidrs | Grants permission to describe the IP address ranges that were provisioned through bring your own IP addresses (BYOIP) | List | | ec2:Region | |
| DescribeCapacityReservationFleets | Grants permission to describe one or more Capacity Reservation Fleets | List | | ec2:Region | |
| DescribeCapacityReservations | Grants permission to describe one or more Capacity Reservations | List | | ec2:Region | |
| DescribeCarrierGateways | Grants permission to describe one or more Carrier Gateways | List | | ec2:Region | |
| DescribeClassicLinkInstances | Grants permission to describe one or more linked EC2-Classic instances | List | | ec2:Region | |
| DescribeClientVpnAuthorizationRules | Grants permission to describe the authorization rules for a Client VPN endpoint | List | client-vpn-endpoint | aws:ResourceTag/${TagKey}, ec2:ClientRootCertificateChainArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn, ec2:DirectoryArn, ec2:ResourceTag/${TagKey}, ec2:SamlProviderArn, ec2:ServerCertificateArn | |
| | | | | ec2:Region | |
| DescribeClientVpnConnections | Grants permission to describe active client connections and connections that have been terminated within the last 60 minutes for a Client VPN endpoint | List | client-vpn-endpoint | aws:ResourceTag/${TagKey}, ec2:ClientRootCertificateChainArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn, ec2:DirectoryArn, ec2:ResourceTag/${TagKey}, ec2:SamlProviderArn, ec2:ServerCertificateArn | |
| | | | | ec2:Region | |
| DescribeClientVpnEndpoints | Grants permission to describe one or more Client VPN endpoints | List | client-vpn-endpoint | aws:ResourceTag/${TagKey}, ec2:ClientRootCertificateChainArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn, ec2:DirectoryArn, ec2:ResourceTag/${TagKey}, ec2:SamlProviderArn, ec2:ServerCertificateArn | |
| | | | | ec2:Region | |
| DescribeClientVpnRoutes | Grants permission to describe the routes for a Client VPN endpoint | List | client-vpn-endpoint | aws:ResourceTag/${TagKey}, ec2:ClientRootCertificateChainArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn, ec2:DirectoryArn, ec2:ResourceTag/${TagKey}, ec2:SamlProviderArn, ec2:ServerCertificateArn | |
| | | | | ec2:Region | |
| DescribeClientVpnTargetNetworks | Grants permission to describe the target networks that are associated with a Client VPN endpoint | List | client-vpn-endpoint | aws:ResourceTag/${TagKey}, ec2:ClientRootCertificateChainArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn, ec2:DirectoryArn, ec2:ResourceTag/${TagKey}, ec2:SamlProviderArn, ec2:ServerCertificateArn | |
| | | | | ec2:Region | |
| DescribeCoipPools | Grants permission to describe the specified customer-owned address pools or all of your customer-owned address pools | List | | ec2:Region | |
| DescribeConversionTasks | Grants permission to describe one or more conversion tasks | List | | ec2:Region | |
| DescribeCustomerGateways | Grants permission to describe one or more customer gateways | List | | ec2:Region | |
| DescribeDhcpOptions | Grants permission to describe one or more DHCP options sets | List | | ec2:Region | |
| DescribeEgressOnlyInternetGateways | Grants permission to describe one or more egress-only internet gateways | List | | ec2:Region | |
| DescribeElasticGpus | Grants permission to describe an Elastic Graphics accelerator that is associated with an instance | Read | | ec2:Region | |
| DescribeExportImageTasks | Grants permission to describe one or more export image tasks | List | | ec2:Region | |
| DescribeExportTasks | Grants permission to describe one or more export instance tasks | List | | ec2:Region | |
| DescribeFastLaunchImages | Grants permission to describe fast-launch enabled Windows AMIs | Read | image | aws:ResourceTag/${TagKey}, ec2:ImageID, ec2:ImageType, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType | |
| | | | | ec2:Region | |
| DescribeFastSnapshotRestores | Grants permission to describe the state of fast snapshot restores for snapshots | Read | | ec2:Region | |
| DescribeFleetHistory | Grants permission to describe the events for an EC2 Fleet during a specified time | List | fleet | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DescribeFleetInstances | Grants permission to describe the running instances for an EC2 Fleet | List | fleet | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DescribeFleets | Grants permission to describe one or more EC2 Fleets | List | fleet | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DescribeFlowLogs | Grants permission to describe one or more flow logs | List | | ec2:Region | |
| DescribeFpgaImageAttribute | Grants permission to describe the attributes of an Amazon FPGA Image (AFI) | List | fpga-image* | aws:ResourceTag/${TagKey}, ec2:Attribute/${AttributeName}, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DescribeFpgaImages | Grants permission to describe one or more Amazon FPGA Images (AFIs) | List | | ec2:Region | |
| DescribeHostReservationOfferings | Grants permission to describe the Dedicated Host Reservations that are available to purchase | List | | ec2:Region | |
| DescribeHostReservations | Grants permission to describe the Dedicated Host Reservations that are associated with Dedicated Hosts in the AWS account | List | | ec2:Region | |
| DescribeHosts | Grants permission to describe one or more Dedicated Hosts | List | | ec2:Region | |
| DescribeIamInstanceProfileAssociations | Grants permission to describe the IAM instance profile associations | List | | ec2:Region | |
| DescribeIdFormat | Grants permission to describe the ID format settings for resources | List | | ec2:Region | |
| DescribeIdentityIdFormat | Grants permission to describe the ID format settings for resources for an IAM user, IAM role, or root user | List | | ec2:Region | |
| DescribeImageAttribute | Grants permission to describe an attribute of an Amazon Machine Image (AMI) | List | image | aws:ResourceTag/${TagKey}, ec2:ImageID, ec2:ImageType, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType | |
| | | | | ec2:Region | |
| DescribeImages | Grants permission to describe one or more images (AMIs, AKIs, and ARIs) | List | | ec2:Region | |
| DescribeImportImageTasks | Grants permission to describe import virtual machine or import snapshot tasks | List | | ec2:Region | |
| DescribeImportSnapshotTasks | Grants permission to describe import snapshot tasks | List | | ec2:Region | |
| DescribeInstanceAttribute | Grants permission to describe the attributes of an instance | List | instance | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ProductCode, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy | |
| | | | | ec2:Region | |
| DescribeInstanceCreditSpecifications | Grants permission to describe the credit option for CPU usage of one or more burstable performance instances | List | | ec2:Region | |
| DescribeInstanceEventNotificationAttributes | Grants permission to describe the set of tags to include in notifications about scheduled events for your instances | List | | ec2:Region | |
| DescribeInstanceEventWindows | Grants permission to describe the specified event windows or all event windows | List | | ec2:Region | |
| DescribeInstanceStatus | Grants permission to describe the status of one or more instances | List | | ec2:Region | |
| DescribeInstanceTypeOfferings | Grants permission to describe the set of instance types that are offered in a location | List | | ec2:Region | |
| DescribeInstanceTypes | Grants permission to describe the details of instance types that are offered in a location | List | | ec2:Region | |
| DescribeInstances | Grants permission to describe one or more instances | List | | ec2:Region | |
| DescribeInternetGateways | Grants permission to describe one or more internet gateways | List | | ec2:Region | |
| DescribeIpamPools | Grants permission to describe Amazon VPC IP Address Manager (IPAM) pools | List | | ec2:Region | |
| DescribeIpamScopes | Grants permission to describe Amazon VPC IP Address Manager (IPAM) scopes | List | | ec2:Region | |
| DescribeIpams | Grants permission to describe an Amazon VPC IP Address Manager (IPAM) | List | | ec2:Region | |
| DescribeIpv6Pools | Grants permission to describe one or more IPv6 address pools | List | | ec2:Region | |
| DescribeKeyPairs | Grants permission to describe one or more key pairs | List | | ec2:Region | |
| DescribeLaunchTemplateVersions | Grants permission to describe one or more launch template versions | List | | ec2:Region | |
| DescribeLaunchTemplates | Grants permission to describe one or more launch templates | List | | ec2:Region | |
| DescribeLocalGatewayRouteTablePermissions [permission only] | Grants permission to allow a service to describe local gateway route table permissions | List | | ec2:Region | |
| DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations | Grants permission to describe the associations between virtual interface groups and local gateway route tables | List | | ec2:Region | |
| DescribeLocalGatewayRouteTableVpcAssociations | Grants permission to describe an association between VPCs and local gateway route tables | List | | ec2:Region | |
| DescribeLocalGatewayRouteTables | Grants permission to describe one or more local gateway route tables | List | | ec2:Region | |
| DescribeLocalGatewayVirtualInterfaceGroups | Grants permission to describe local gateway virtual interface groups | List | | ec2:Region | |
| DescribeLocalGatewayVirtualInterfaces | Grants permission to describe local gateway virtual interfaces | List | | ec2:Region | |
| DescribeLocalGateways | Grants permission to describe one or more local gateways | List | | ec2:Region | |
| DescribeManagedPrefixLists | Grants permission to describe your managed prefix lists and any AWS-managed prefix lists | List | | ec2:Region | |
| DescribeMovingAddresses | Grants permission to describe Elastic IP addresses that are being moved to the EC2-VPC platform | List | | ec2:Region | |
| DescribeNatGateways | Grants permission to describe one or more NAT gateways | List | | ec2:Region | |
| DescribeNetworkAcls | Grants permission to describe one or more network ACLs | List | | ec2:Region | |
| DescribeNetworkInsightsAccessScopeAnalyses | Grants permission to describe one or more Network Access Scope analyses | List | | ec2:Region | |
| DescribeNetworkInsightsAccessScopes | Grants permission to describe the Network Access Scopes | List | | ec2:Region | |
| DescribeNetworkInsightsAnalyses | Grants permission to describe one or more network insights analyses | List | | ec2:Region | |
| DescribeNetworkInsightsPaths | Grants permission to describe one or more network insights paths | List | | ec2:Region | |
| DescribeNetworkInterfaceAttribute | Grants permission to describe a network interface attribute | List | | ec2:Region | |
| DescribeNetworkInterfacePermissions | Grants permission to describe the permissions that are associated with a network interface | List | | ec2:Region | |
| DescribeNetworkInterfaces | Grants permission to describe one or more network interfaces | List | | ec2:Region | |
| DescribePlacementGroups | Grants permission to describe one or more placement groups | List | | ec2:Region | |
| DescribePrefixLists | Grants permission to describe available AWS services in a prefix list format | List | | ec2:Region | |
| DescribePrincipalIdFormat | Grants permission to describe the ID format settings for the root user and all IAM roles and IAM users that have explicitly specified a longer ID (17-character ID) preference | List | | ec2:Region | |
| DescribePublicIpv4Pools | Grants permission to describe one or more IPv4 address pools | List | | ec2:Region | |
| DescribeRegions | Grants permission to describe one or more AWS Regions that are currently available in your account | List | | ec2:Region | |
| DescribeReplaceRootVolumeTasks | Grants permission to describe a root volume replacement task | List | | ec2:Region | |
| DescribeReservedInstances | Grants permission to describe one or more purchased Reserved Instances in your account | List | | ec2:Region | |
| DescribeReservedInstancesListings | Grants permission to describe your account's Reserved Instance listings in the Reserved Instance Marketplace | List | | ec2:Region | |
| DescribeReservedInstancesModifications | Grants permission to describe the modifications made to one or more Reserved Instances | List | | ec2:Region | |
| DescribeReservedInstancesOfferings | Grants permission to describe the Reserved Instance offerings that are available for purchase | List | | ec2:Region | |
| DescribeRouteTables | Grants permission to describe one or more route tables | List | | ec2:Region | |
| DescribeScheduledInstanceAvailability | Grants permission to find available schedules for Scheduled Instances | Read | | ec2:Region | |
| DescribeScheduledInstances | Grants permission to describe one or more Scheduled Instances in your account | Read | | ec2:Region | |
| DescribeSecurityGroupReferences | Grants permission to describe the VPCs on the other side of a VPC peering connection that are referencing specified VPC security groups | List | | ec2:Region | |
| DescribeSecurityGroupRules | Grants permission to describe one or more of your security group rules | List | | ec2:Region | |
| DescribeSecurityGroups | Grants permission to describe one or more security groups | List | | ec2:Region | |
| DescribeSnapshotAttribute | Grants permission to describe an attribute of a snapshot | List | snapshot | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Encrypted, ec2:OutpostArn, ec2:Owner, ec2:ParentVolume, ec2:ResourceTag/${TagKey}, ec2:SnapshotID, ec2:SnapshotTime, ec2:SourceOutpostArn, ec2:VolumeSize | |
| | | | | ec2:Region | |
| DescribeSnapshotTierStatus | Grants permission to describe the storage tier status for Amazon EBS snapshots | List | | ec2:Region | |
| DescribeSnapshots | Grants permission to describe one or more EBS snapshots | List | | ec2:Region | |
| DescribeSpotDatafeedSubscription | Grants permission to describe the data feed for Spot Instances | List | | ec2:Region | |
| DescribeSpotFleetInstances | Grants permission to describe the running instances for a Spot Fleet | List | spot-fleet-request | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DescribeSpotFleetRequestHistory | Grants permission to describe the events for a Spot Fleet request during a specified time | List | spot-fleet-request | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DescribeSpotFleetRequests | Grants permission to describe one or more Spot Fleet requests | List | | ec2:Region | |
| DescribeSpotInstanceRequests | Grants permission to describe one or more Spot Instance requests | List | | ec2:Region | |
| DescribeSpotPriceHistory | Grants permission to describe the Spot Instance price history | List | | ec2:Region | |
| DescribeStaleSecurityGroups | Grants permission to describe the stale security group rules for security groups in a specified VPC | List | | ec2:Region | |
| DescribeStoreImageTasks | Grants permission to describe the progress of the AMI store tasks | List | image | aws:ResourceTag/${TagKey}, ec2:ImageID, ec2:ImageType, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType | |
| | | | | ec2:Region | |
| DescribeSubnets | Grants permission to describe one or more subnets | List | | ec2:Region | |
| DescribeTags | Grants permission to describe one or more tags for an Amazon EC2 resource | Read | | ec2:Region | |
| DescribeTrafficMirrorFilters | Grants permission to describe one or more traffic mirror filters | List | | ec2:Region | |
| DescribeTrafficMirrorSessions | Grants permission to describe one or more traffic mirror sessions | List | | ec2:Region | |
| DescribeTrafficMirrorTargets | Grants permission to describe one or more traffic mirror targets | List | | ec2:Region | |
| DescribeTransitGatewayAttachments | Grants permission to describe one or more attachments between resources and transit gateways | List | | ec2:Region | |
| DescribeTransitGatewayConnectPeers | Grants permission to describe one or more transit gateway connect peers | List | | ec2:Region | |
| DescribeTransitGatewayConnects | Grants permission to describe one or more transit gateway connect attachments | List | | ec2:Region | |
| DescribeTransitGatewayMulticastDomains | Grants permission to describe one or more transit gateway multicast domains | List | | ec2:Region | |
| DescribeTransitGatewayPeeringAttachments | Grants permission to describe one or more transit gateway peering attachments | List | | ec2:Region | |
| DescribeTransitGatewayPolicyTables | Grants permission to describe a transit gateway policy table | Write | | ec2:Region | |
| DescribeTransitGatewayRouteTableAnnouncements | Grants permission to describe a transit gateway route table announcement | Write | | ec2:Region | |
| DescribeTransitGatewayRouteTables | Grants permission to describe one or more transit gateway route tables | List | | ec2:Region | |
| DescribeTransitGatewayVpcAttachments | Grants permission to describe one or more VPC attachments on a transit gateway | List | | ec2:Region | |
| DescribeTransitGateways | Grants permission to describe one or more transit gateways | List | | ec2:Region | |
| DescribeTrunkInterfaceAssociations | Grants permission to describe one or more network interface trunk associations | List | | ec2:Region | |
| DescribeVolumeAttribute | Grants permission to describe an attribute of an EBS volume | List | volume | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Encrypted, ec2:KmsKeyId, ec2:ParentSnapshot, ec2:ResourceTag/${TagKey}, ec2:VolumeID, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType | |
| | | | | ec2:Region | |
| DescribeVolumeStatus | Grants permission to describe the status of one or more EBS volumes | List | | ec2:Region | |
| DescribeVolumes | Grants permission to describe one or more EBS volumes | List | | ec2:Region | |
| DescribeVolumesModifications | Grants permission to describe the current modification status of one or more EBS volumes | Read | | ec2:Region | |
| DescribeVpcAttribute | Grants permission to describe an attribute of a VPC | List | vpc* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID | |
| | | | | ec2:Region | |
| DescribeVpcClassicLink | Grants permission to describe the ClassicLink status of one or more VPCs | List | | ec2:Region | |
| DescribeVpcClassicLinkDnsSupport | Grants permission to describe the ClassicLink DNS support status of one or more VPCs | List | | ec2:Region | |
| DescribeVpcEndpointConnectionNotifications | Grants permission to describe the connection notifications for VPC endpoints and VPC endpoint services | List | | ec2:Region | |
| DescribeVpcEndpointConnections | Grants permission to describe the VPC endpoint connections to your VPC endpoint services | List | | ec2:Region | |
| DescribeVpcEndpointServiceConfigurations | Grants permission to describe VPC endpoint service configurations (your services) | List | | ec2:Region | |
| DescribeVpcEndpointServicePermissions | Grants permission to describe the principals (service consumers) that are permitted to discover your VPC endpoint service | List | | ec2:Region | |
| DescribeVpcEndpointServices | Grants permission to describe all supported AWS services that can be specified when creating a VPC endpoint | List | | ec2:Region | |
| DescribeVpcEndpoints | Grants permission to describe one or more VPC endpoints | List | | ec2:Region | |
| DescribeVpcPeeringConnections | Grants permission to describe one or more VPC peering connections | List | | ec2:Region | |
| DescribeVpcs | Grants permission to describe one or more VPCs | List | | ec2:Region | |
| DescribeVpnConnections | Grants permission to describe one or more VPN connections | Read | | ec2:Region | |
| DescribeVpnGateways | Grants permission to describe one or more virtual private gateways | List | | ec2:Region | |
| DetachClassicLinkVpc | Grants permission to unlink (detach) a linked EC2-Classic instance from a VPC | Write | instance* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceProfile, ec2:InstanceType, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy | |
| | | | vpc* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID | |
| | | | | ec2:Region | |
| DetachInternetGateway | Grants permission to detach an internet gateway from a VPC | Write | internet-gateway* | aws:ResourceTag/${TagKey}, ec2:InternetGatewayID, ec2:ResourceTag/${TagKey} | |
| | | | vpc* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID | |
| | | | | ec2:Region | |
| DetachNetworkInterface | Grants permission to detach a network interface from an instance | Write | instance* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ProductCode, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy | |
| | | | network-interface* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc | |
| | | | | ec2:Region | |
| DetachVolume | Grants permission to detach an EBS volume from an instance | Write | volume* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:ResourceTag/${TagKey}, ec2:VolumeID, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType | |
| | | | instance | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceProfile, ec2:InstanceType, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ProductCode, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy | |
| | | | | ec2:Region | |
| DetachVpnGateway | Grants permission to detach a virtual private gateway from a VPC | Write | vpc* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID | |
| | | | vpn-gateway* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DisableEbsEncryptionByDefault | Grants permission to disable EBS encryption by default for your account | Write | | ec2:Region | |
| DisableFastLaunch | Grants permission to disable faster launching for Windows AMIs | Write | image | aws:ResourceTag/${TagKey}, ec2:ImageID, ec2:ImageType, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType | |
| | | | | ec2:Region | |
| DisableFastSnapshotRestores | Grants permission to disable fast snapshot restores for one or more snapshots in specified Availability Zones | Write | snapshot* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Encrypted, ec2:Owner, ec2:ParentVolume, ec2:ResourceTag/${TagKey}, ec2:SnapshotID, ec2:SnapshotTime, ec2:VolumeSize | |
| | | | | ec2:Region | |
| DisableImageDeprecation | Grants permission to cancel the deprecation of the specified AMI | Write | image* | aws:ResourceTag/${TagKey}, ec2:ImageID, ec2:ImageType, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType | |
| | | | | ec2:Region | |
| DisableIpamOrganizationAdminAccount | Grants permission to disable an AWS Organizations member account as an Amazon VPC IP Address Manager (IPAM) admin account | Write | | ec2:Region | organizations:DeregisterDelegatedAdministrator |
| DisableSerialConsoleAccess | Grants permission to disable access to the EC2 serial console of all instances for your account | Write | | ec2:Region | |
| DisableTransitGatewayRouteTablePropagation | Grants permission to disable a resource attachment from propagating routes to the specified propagation route table | Write | transit-gateway-attachment* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | transit-gateway-route-table* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | transit-gateway-route-table-announcement | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DisableVgwRoutePropagation | Grants permission to disable a virtual private gateway from propagating routes to a specified route table of a VPC | Write | route-table* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:RouteTableID, ec2:Vpc | |
| | | | vpn-gateway* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DisableVpcClassicLink | Grants permission to disable ClassicLink for a VPC | Write | vpc* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID | |
| | | | | ec2:Region | |
| DisableVpcClassicLinkDnsSupport | Grants permission to disable ClassicLink DNS support for a VPC | Write | vpc | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID | |
| | | | | ec2:Region | |
| DisassociateAddress | Grants permission to disassociate an Elastic IP address from an instance or network interface | Write | elastic-ip | aws:ResourceTag/${TagKey}, ec2:AllocationId, ec2:Domain, ec2:PublicIpAddress, ec2:ResourceTag/${TagKey} | |
| | | | network-interface | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc | |
| | | | | ec2:Region | |
| DisassociateClientVpnTargetNetwork | Grants permission to disassociate a target network from a Client VPN endpoint | Write | client-vpn-endpoint* | aws:ResourceTag/${TagKey}, ec2:ClientRootCertificateChainArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn, ec2:DirectoryArn, ec2:ResourceTag/${TagKey}, ec2:SamlProviderArn, ec2:ServerCertificateArn | |
| | | | | ec2:Region | |
| DisassociateEnclaveCertificateIamRole | Grants permission to disassociate an ACM certificate from an IAM role | Write | certificate* | | |
| | | | role* | | |
| | | | | ec2:Region | |
| DisassociateIamInstanceProfile | Grants permission to disassociate an IAM instance profile from a running or stopped instance | Write | instance* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ProductCode, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy | |
| | | | | ec2:Region | |
| DisassociateInstanceEventWindow | Grants permission to disassociate one or more targets from an event window | Write | instance-event-window* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DisassociateRouteTable | Grants permission to disassociate a subnet from a route table | Write | route-table | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:RouteTableID, ec2:Vpc | |
| | | | subnet | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc | |
| | | | | ec2:Region | |
| DisassociateSubnetCidrBlock | Grants permission to disassociate a CIDR block from a subnet | Write | subnet* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc | |
| | | | | ec2:Region | |
| DisassociateTransitGatewayMulticastDomain | Grants permission to disassociate one or more subnets from a transit gateway multicast domain | Write | subnet* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc | |
| | | | transit-gateway-attachment* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | transit-gateway-multicast-domain* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DisassociateTransitGatewayPolicyTable | Grants permission to disassociate a policy table from a transit gateway | Write | transit-gateway-attachment* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | transit-gateway-policy-table* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| DisassociateTransitGatewayRouteTable | Grants permission to disassociate a resource attachment from a transit gateway route table | | | | |
Write |
transit-gateway-attachment*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
transit-gateway-route-table*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
DisassociateTrunkInterface
|
Grants permission to disassociate a branch network interface from a trunk network interface |
Write |
|
ec2:Region
|
|
DisassociateVpcCidrBlock
|
Grants permission to disassociate a CIDR block from a VPC |
Write |
vpc
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:Tenancy
ec2:VpcID
|
|
|
ec2:Region
|
|
EnableEbsEncryptionByDefault
|
Grants permission to enable EBS encryption by default for your account |
Write |
|
ec2:Region
|
|
EnableFastLaunch
|
Grants permission to enable faster launching for Windows AMIs |
Write |
image
|
aws:ResourceTag/${TagKey}
ec2:ImageID
ec2:ImageType
ec2:Owner
ec2:Public
ec2:ResourceTag/${TagKey}
ec2:RootDeviceType
|
|
launch-template
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
EnableFastSnapshotRestores
|
Grants permission to enable fast snapshot restores for one or more snapshots in specified Availability Zones |
Write |
snapshot*
|
aws:ResourceTag/${TagKey}
ec2:AvailabilityZone
ec2:Encrypted
ec2:Owner
ec2:ParentVolume
ec2:ResourceTag/${TagKey}
ec2:SnapshotID
ec2:SnapshotTime
ec2:VolumeSize
|
|
|
ec2:Region
|
|
EnableImageDeprecation
|
Grants permission to enable deprecation of the specified AMI at the specified date and time |
Write |
image*
|
aws:ResourceTag/${TagKey}
ec2:ImageID
ec2:ImageType
ec2:Owner
ec2:Public
ec2:ResourceTag/${TagKey}
ec2:RootDeviceType
|
|
|
ec2:Region
|
|
EnableIpamOrganizationAdminAccount
|
Grants permission to enable an AWS Organizations member account as an Amazon VPC IP Address Manager (IPAM) admin account |
Write |
|
ec2:Region
|
iam:CreateServiceLinkedRole
organizations:EnableAWSServiceAccess
organizations:RegisterDelegatedAdministrator
|
EnableSerialConsoleAccess
|
Grants permission to enable access to the EC2 serial console of all instances for your account |
Write |
|
ec2:Region
|
|
EnableTransitGatewayRouteTablePropagation
|
Grants permission to enable an attachment to propagate routes to a propagation route table |
Write |
transit-gateway-route-table*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
transit-gateway-attachment
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
transit-gateway-route-table-announcement
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
EnableVgwRoutePropagation
|
Grants permission to enable a virtual private gateway to propagate routes to a VPC route table |
Write |
route-table*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:RouteTableID
ec2:Vpc
|
|
vpn-gateway*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
EnableVolumeIO
|
Grants permission to enable I/O operations for a volume that had I/O operations disabled |
Write |
volume*
|
aws:ResourceTag/${TagKey}
ec2:AvailabilityZone
ec2:Encrypted
ec2:ParentSnapshot
ec2:ResourceTag/${TagKey}
ec2:VolumeID
ec2:VolumeIops
ec2:VolumeSize
ec2:VolumeThroughput
ec2:VolumeType
|
|
|
ec2:Region
|
|
EnableVpcClassicLink
|
Grants permission to enable a VPC for ClassicLink |
Write |
vpc*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:Tenancy
ec2:VpcID
|
|
|
ec2:Region
|
|
EnableVpcClassicLinkDnsSupport
|
Grants permission to enable a VPC to support DNS hostname resolution for ClassicLink |
Write |
vpc
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:Tenancy
ec2:VpcID
|
|
|
ec2:Region
|
|
ExportClientVpnClientCertificateRevocationList
|
Grants permission to download the client certificate revocation list for a Client VPN endpoint |
Read |
client-vpn-endpoint*
|
aws:ResourceTag/${TagKey}
ec2:ClientRootCertificateChainArn
ec2:CloudwatchLogGroupArn
ec2:CloudwatchLogStreamArn
ec2:DirectoryArn
ec2:ResourceTag/${TagKey}
ec2:SamlProviderArn
ec2:ServerCertificateArn
|
|
|
ec2:Region
|
|
ExportClientVpnClientConfiguration
|
Grants permission to download the contents of the Client VPN endpoint configuration file for a Client VPN endpoint |
Read |
client-vpn-endpoint*
|
aws:ResourceTag/${TagKey}
ec2:ClientRootCertificateChainArn
ec2:CloudwatchLogGroupArn
ec2:CloudwatchLogStreamArn
ec2:DirectoryArn
ec2:ResourceTag/${TagKey}
ec2:SamlProviderArn
ec2:ServerCertificateArn
|
|
|
ec2:Region
|
|
ExportImage
|
Grants permission to export an Amazon Machine Image (AMI) to a VM file |
Write |
export-image-task*
|
|
ec2:CreateTags
|
image*
|
aws:ResourceTag/${TagKey}
ec2:ImageID
ec2:ImageType
ec2:Owner
ec2:Public
ec2:ResourceTag/${TagKey}
ec2:RootDeviceType
|
|
|
aws:RequestTag/${TagKey}
aws:TagKeys
ec2:Region
|
|
ExportTransitGatewayRoutes
|
Grants permission to export routes from a transit gateway route table to an Amazon S3 bucket |
Write |
|
ec2:Region
|
|
GetAssociatedEnclaveCertificateIamRoles
|
Grants permission to get the list of roles associated with an ACM certificate |
Read |
certificate*
|
|
|
|
ec2:Region
|
|
GetAssociatedIpv6PoolCidrs
|
Grants permission to get information about the IPv6 CIDR block associations for a specified IPv6 address pool |
Read |
|
ec2:Region
|
|
GetCapacityReservationUsage
|
Grants permission to get usage information about a Capacity Reservation |
Read |
capacity-reservation*
|
aws:ResourceTag/${TagKey}
ec2:CapacityReservationFleet
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
GetCoipPoolUsage
|
Grants permission to describe the allocations from the specified customer-owned address pool |
Read |
|
ec2:Region
|
|
GetConsoleOutput
|
Grants permission to get the console output for an instance |
Read |
instance*
|
aws:ResourceTag/${TagKey}
ec2:AvailabilityZone
ec2:EbsOptimized
ec2:InstanceAutoRecovery
ec2:InstanceID
ec2:InstanceMarketType
ec2:InstanceMetadataTags
ec2:InstanceProfile
ec2:InstanceType
ec2:MetadataHttpEndpoint
ec2:MetadataHttpPutResponseHopLimit
ec2:MetadataHttpTokens
ec2:PlacementGroup
ec2:ProductCode
ec2:ResourceTag/${TagKey}
ec2:RootDeviceType
ec2:Tenancy
|
|
|
ec2:Region
|
|
GetConsoleScreenshot
|
Grants permission to retrieve a JPG-format screenshot of a running instance |
Read |
instance
|
aws:ResourceTag/${TagKey}
ec2:AvailabilityZone
ec2:EbsOptimized
ec2:InstanceAutoRecovery
ec2:InstanceID
ec2:InstanceMarketType
ec2:InstanceMetadataTags
ec2:InstanceProfile
ec2:InstanceType
ec2:MetadataHttpEndpoint
ec2:MetadataHttpPutResponseHopLimit
ec2:MetadataHttpTokens
ec2:NewInstanceProfile
ec2:PlacementGroup
ec2:ProductCode
ec2:ResourceTag/${TagKey}
ec2:RootDeviceType
ec2:Tenancy
|
|
|
ec2:Region
|
|
GetDefaultCreditSpecification
|
Grants permission to get the default credit option for CPU usage of a burstable performance instance family |
Read |
|
ec2:Region
|
|
GetEbsDefaultKmsKeyId
|
Grants permission to get the ID of the default customer master key (CMK) for EBS encryption by default |
Read |
|
ec2:Region
|
|
GetEbsEncryptionByDefault
|
Grants permission to describe whether EBS encryption by default is enabled for your account |
Read |
|
ec2:Region
|
|
GetFlowLogsIntegrationTemplate
|
Grants permission to generate a CloudFormation template to streamline the integration of VPC flow logs with Amazon Athena |
Read |
vpc-flow-log*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
GetGroupsForCapacityReservation
|
Grants permission to list the resource groups to which a Capacity Reservation has been added |
List |
capacity-reservation*
|
aws:ResourceTag/${TagKey}
ec2:CapacityReservationFleet
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
GetHostReservationPurchasePreview
|
Grants permission to preview a reservation purchase with configurations that match those of a Dedicated Host |
Read |
|
ec2:Region
|
|
GetInstanceTypesFromInstanceRequirements
|
Grants permission to view a list of instance types with specified instance attributes |
Read |
|
ec2:Region
|
|
GetInstanceUefiData
|
Grants permission to retrieve the binary representation of the UEFI variable store |
Read |
instance*
|
aws:ResourceTag/${TagKey}
ec2:AvailabilityZone
ec2:EbsOptimized
ec2:InstanceAutoRecovery
ec2:InstanceID
ec2:InstanceMarketType
ec2:InstanceMetadataTags
ec2:InstanceProfile
ec2:InstanceType
ec2:MetadataHttpEndpoint
ec2:MetadataHttpPutResponseHopLimit
ec2:MetadataHttpTokens
ec2:NewInstanceProfile
ec2:PlacementGroup
ec2:ProductCode
ec2:ResourceTag/${TagKey}
ec2:RootDeviceType
ec2:Tenancy
|
|
|
ec2:Region
|
|
GetIpamAddressHistory
|
Grants permission to retrieve historical information about a CIDR within an Amazon VPC IP Address Manager (IPAM) scope |
Read |
ipam-scope*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
GetIpamPoolAllocations
|
Grants permission to get a list of all the CIDR allocations in an Amazon VPC IP Address Manager (IPAM) pool |
Read |
ipam-pool*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
GetIpamPoolCidrs
|
Grants permission to get the CIDRs provisioned to an Amazon VPC IP Address Manager (IPAM) pool |
Read |
ipam-pool*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
GetIpamResourceCidrs
|
Grants permission to get information about the resources in an Amazon VPC IP Address Manager (IPAM) scope |
Read |
ipam-pool*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
ipam-scope*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
GetLaunchTemplateData
|
Grants permission to get the configuration data of the specified instance for use with a new launch template or launch template version |
Read |
instance*
|
aws:ResourceTag/${TagKey}
ec2:AvailabilityZone
ec2:EbsOptimized
ec2:InstanceAutoRecovery
ec2:InstanceID
ec2:InstanceMarketType
ec2:InstanceMetadataTags
ec2:InstanceProfile
ec2:InstanceType
ec2:MetadataHttpEndpoint
ec2:MetadataHttpPutResponseHopLimit
ec2:MetadataHttpTokens
ec2:PlacementGroup
ec2:ProductCode
ec2:ResourceTag/${TagKey}
ec2:RootDeviceType
ec2:Tenancy
|
|
|
ec2:Region
|
|
GetManagedPrefixListAssociations
|
Grants permission to get information about the resources that are associated with the specified managed prefix list |
Read |
prefix-list*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
GetManagedPrefixListEntries
|
Grants permission to get information about the entries for a specified managed prefix list |
Read |
prefix-list*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
GetNetworkInsightsAccessScopeAnalysisFindings
|
Grants permission to get the findings for one or more Network Access Scope analyses |
Read |
|
ec2:Region
|
|
GetNetworkInsightsAccessScopeContent
|
Grants permission to get the content for a specified Network Access Scope |
Read |
|
ec2:Region
|
|
GetPasswordData
|
Grants permission to retrieve the encrypted administrator password for a running Windows instance |
Read |
instance*
|
aws:ResourceTag/${TagKey}
ec2:AvailabilityZone
ec2:EbsOptimized
ec2:InstanceAutoRecovery
ec2:InstanceID
ec2:InstanceMarketType
ec2:InstanceMetadataTags
ec2:InstanceProfile
ec2:InstanceType
ec2:MetadataHttpEndpoint
ec2:MetadataHttpPutResponseHopLimit
ec2:MetadataHttpTokens
ec2:PlacementGroup
ec2:ProductCode
ec2:ResourceTag/${TagKey}
ec2:RootDeviceType
ec2:Tenancy
|
|
|
ec2:Region
|
|
GetReservedInstancesExchangeQuote
|
Grants permission to return a quote and exchange information for exchanging one or more Convertible Reserved Instances for a new Convertible Reserved Instance |
Read |
|
ec2:Region
|
|
GetResourcePolicy [permission only] |
Grants permission to describe an IAM policy that enables cross-account sharing |
Read |
ipam-pool
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
GetSerialConsoleAccessStatus
|
Grants permission to retrieve the access status of your account to the EC2 serial console of all instances |
Read |
|
ec2:Region
|
|
GetSpotPlacementScores
|
Grants permission to calculate the Spot placement score for a Region or Availability Zone based on the specified target capacity and compute requirements |
Read |
|
ec2:Region
|
|
GetSubnetCidrReservations
|
Grants permission to retrieve information about the subnet CIDR reservations |
Read |
|
ec2:Region
|
|
GetTransitGatewayAttachmentPropagations
|
Grants permission to list the route tables to which a resource attachment propagates routes |
List |
|
ec2:Region
|
|
GetTransitGatewayMulticastDomainAssociations
|
Grants permission to get information about the associations for a transit gateway multicast domain |
List |
|
ec2:Region
|
|
GetTransitGatewayPolicyTableAssociations
|
Grants permission to get information about associations for a transit gateway policy table |
List |
transit-gateway-policy-table*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
GetTransitGatewayPolicyTableEntries
|
Grants permission to get information about associations for a transit gateway policy table entry |
List |
transit-gateway-policy-table*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
GetTransitGatewayPrefixListReferences
|
Grants permission to get information about prefix list references for a transit gateway route table |
List |
|
ec2:Region
|
|
GetTransitGatewayRouteTableAssociations
|
Grants permission to get information about associations for a transit gateway route table |
List |
|
ec2:Region
|
|
GetTransitGatewayRouteTablePropagations
|
Grants permission to get information about the route table propagations for a transit gateway route table |
List |
|
ec2:Region
|
|
GetVpnConnectionDeviceSampleConfiguration
|
Grants permission to download an AWS-provided sample configuration file to be used with the customer gateway device |
List |
vpn-connection*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
vpn-connection-device-type
|
|
|
|
ec2:Region
|
|
GetVpnConnectionDeviceTypes
|
Grants permission to obtain a list of customer gateway devices for which sample configuration files can be provided |
List |
|
ec2:Region
|
|
ImportClientVpnClientCertificateRevocationList
|
Grants permission to upload a client certificate revocation list to a Client VPN endpoint |
Write |
client-vpn-endpoint*
|
aws:ResourceTag/${TagKey}
ec2:ClientRootCertificateChainArn
ec2:CloudwatchLogGroupArn
ec2:CloudwatchLogStreamArn
ec2:DirectoryArn
ec2:ResourceTag/${TagKey}
ec2:SamlProviderArn
ec2:ServerCertificateArn
|
|
|
ec2:Region
|
|
ImportImage
|
Grants permission to import single or multi-volume disk images or EBS snapshots into an Amazon Machine Image (AMI) |
Write |
image*
|
ec2:ImageID
ec2:ImageType
ec2:Owner
ec2:Public
ec2:RootDeviceType
|
ec2:CreateTags
|
import-image-task*
|
|
|
snapshot
|
aws:ResourceTag/${TagKey}
ec2:Owner
ec2:ParentVolume
ec2:ResourceTag/${TagKey}
ec2:SnapshotID
ec2:SnapshotTime
ec2:VolumeSize
|
|
|
aws:RequestTag/${TagKey}
aws:TagKeys
ec2:Region
|
|
ImportInstance
|
Grants permission to create an import instance task using metadata from a disk image |
Write |
instance*
|
aws:ResourceTag/${TagKey}
ec2:AvailabilityZone
ec2:InstanceID
ec2:ResourceTag/${TagKey}
|
|
volume*
|
aws:ResourceTag/${TagKey}
ec2:AvailabilityZone
ec2:Encrypted
ec2:ParentSnapshot
ec2:ResourceTag/${TagKey}
ec2:VolumeID
ec2:VolumeIops
ec2:VolumeSize
ec2:VolumeThroughput
ec2:VolumeType
|
|
security-group
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:SecurityGroupID
ec2:Vpc
|
|
subnet
|
aws:ResourceTag/${TagKey}
ec2:AvailabilityZone
ec2:ResourceTag/${TagKey}
ec2:SubnetID
ec2:Vpc
|
|
|
ec2:Region
|
|
ImportKeyPair
|
Grants permission to import a public key from an RSA key pair that was created with a third-party tool |
Write |
key-pair*
|
|
ec2:CreateTags
|
|
aws:RequestTag/${TagKey}
aws:TagKeys
ec2:Region
|
|
ImportSnapshot
|
Grants permission to import a disk into an EBS snapshot |
Write |
import-snapshot-task*
|
|
ec2:CreateTags
|
snapshot*
|
ec2:Owner
ec2:ParentVolume
ec2:SnapshotID
ec2:SnapshotTime
ec2:VolumeSize
|
|
|
aws:RequestTag/${TagKey}
aws:TagKeys
ec2:Region
|
|
ImportVolume
|
Grants permission to create an import volume task using metadata from a disk image |
Write |
volume*
|
aws:ResourceTag/${TagKey}
ec2:AvailabilityZone
ec2:Encrypted
ec2:ParentSnapshot
ec2:ResourceTag/${TagKey}
ec2:VolumeID
ec2:VolumeIops
ec2:VolumeSize
ec2:VolumeThroughput
ec2:VolumeType
|
|
|
ec2:Region
|
|
ListImagesInRecycleBin
|
Grants permission to list Amazon Machine Images (AMIs) that are currently in the Recycle Bin |
List |
image
|
aws:ResourceTag/${TagKey}
ec2:ImageID
ec2:ImageType
ec2:Owner
ec2:Public
ec2:ResourceTag/${TagKey}
ec2:RootDeviceType
|
|
|
ec2:Region
|
|
ListSnapshotsInRecycleBin
|
Grants permission to list the Amazon EBS snapshots that are currently in the Recycle Bin |
List |
snapshot
|
aws:ResourceTag/${TagKey}
ec2:AvailabilityZone
ec2:Encrypted
ec2:Owner
ec2:ParentVolume
ec2:ResourceTag/${TagKey}
ec2:SnapshotID
ec2:SnapshotTime
ec2:VolumeSize
|
|
|
ec2:Region
|
|
ModifyAddressAttribute
|
Grants permission to modify an attribute of the specified Elastic IP address |
Write |
elastic-ip*
|
aws:ResourceTag/${TagKey}
ec2:AllocationId
ec2:Attribute
ec2:Attribute/${AttributeName}
ec2:Domain
ec2:PublicIpAddress
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
ModifyAvailabilityZoneGroup
|
Grants permission to modify the opt-in status of the Local Zone and Wavelength Zone group for your account |
Write |
|
ec2:Region
|
|
ModifyCapacityReservation
|
Grants permission to modify a Capacity Reservation's capacity and the conditions under which it is to be released |
Write |
capacity-reservation*
|
aws:ResourceTag/${TagKey}
ec2:Attribute
ec2:Attribute/${AttributeName}
ec2:CapacityReservationFleet
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
ModifyCapacityReservationFleet
|
Grants permission to modify a Capacity Reservation Fleet |
Write |
capacity-reservation-fleet*
|
aws:ResourceTag/${TagKey}
ec2:Attribute
ec2:Attribute/${AttributeName}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
ModifyClientVpnEndpoint
|
Grants permission to modify a Client VPN endpoint |
Write |
client-vpn-endpoint*
|
aws:ResourceTag/${TagKey}
ec2:Attribute
ec2:Attribute/${AttributeName}
ec2:ClientRootCertificateChainArn
ec2:CloudwatchLogGroupArn
ec2:CloudwatchLogStreamArn
ec2:DirectoryArn
ec2:ResourceTag/${TagKey}
ec2:SamlProviderArn
ec2:ServerCertificateArn
|
|
security-group
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:SecurityGroupID
|
|
vpc
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:VpcID
|
|
|
ec2:Region
|
|
ModifyDefaultCreditSpecification
|
Grants permission to change the account level default credit option for CPU usage of burstable performance instances |
Write |
|
ec2:Region
|
|
ModifyEbsDefaultKmsKeyId
|
Grants permission to change the default customer master key (CMK) for EBS encryption by default for your account |
Write |
|
ec2:Region
|
|
ModifyFleet
|
Grants permission to modify an EC2 Fleet |
Write |
fleet*
|
aws:ResourceTag/${TagKey}
ec2:Attribute
ec2:Attribute/${AttributeName}
ec2:ResourceTag/${TagKey}
|
|
image
|
aws:ResourceTag/${TagKey}
ec2:ImageID
ec2:ImageType
ec2:Owner
ec2:Public
ec2:ResourceTag/${TagKey}
ec2:RootDeviceType
|
|
key-pair
|
aws:ResourceTag/${TagKey}
ec2:KeyPairName
ec2:ResourceTag/${TagKey}
|
|
launch-template
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
network-interface
|
aws:ResourceTag/${TagKey}
ec2:AssociatePublicIpAddress
ec2:AuthorizedService
ec2:AvailabilityZone
ec2:NetworkInterfaceID
ec2:ResourceTag/${TagKey}
ec2:Subnet
ec2:Vpc
|
|
security-group
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:SecurityGroupID
ec2:Vpc
|
|
snapshot
|
aws:ResourceTag/${TagKey}
ec2:Owner
ec2:ParentVolume
ec2:ResourceTag/${TagKey}
ec2:SnapshotID
ec2:SnapshotTime
ec2:VolumeSize
|
|
subnet
|
aws:ResourceTag/${TagKey}
ec2:AvailabilityZone
ec2:ResourceTag/${TagKey}
ec2:SubnetID
ec2:Vpc
|
|
|
ec2:Region
|
|
ModifyFpgaImageAttribute
|
Grants permission to modify an attribute of an Amazon FPGA Image (AFI) |
Write |
fpga-image*
|
aws:ResourceTag/${TagKey}
ec2:Attribute
ec2:Attribute/${AttributeName}
ec2:Owner
ec2:Public
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
ModifyHosts
|
Grants permission to modify a Dedicated Host |
Write |
dedicated-host*
|
aws:ResourceTag/${TagKey}
ec2:Attribute
ec2:Attribute/${AttributeName}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
ModifyIdFormat
|
Grants permission to modify the ID format for a resource |
Write |
|
ec2:Region
|
|
ModifyIdentityIdFormat
|
Grants permission to modify the ID format of a resource for a specific principal in your account |
Write |
|
ec2:Region
|
|
ModifyImageAttribute
|
Grants permission to modify an attribute of an Amazon Machine Image (AMI) |
Write |
image*
|
aws:ResourceTag/${TagKey}
ec2:Attribute
ec2:Attribute/${AttributeName}
ec2:ImageID
ec2:ImageType
ec2:Owner
ec2:Public
ec2:ResourceTag/${TagKey}
ec2:RootDeviceType
|
|
|
ec2:Region
|
|
ModifyInstanceAttribute
|
Grants permission to modify an attribute of an instance |
Write |
instance*
|
aws:ResourceTag/${TagKey}
ec2:Attribute
ec2:Attribute/${AttributeName}
ec2:AvailabilityZone
ec2:EbsOptimized
ec2:InstanceAutoRecovery
ec2:InstanceID
ec2:InstanceMarketType
ec2:InstanceMetadataTags
ec2:InstanceProfile
ec2:InstanceType
ec2:MetadataHttpEndpoint
ec2:MetadataHttpPutResponseHopLimit
ec2:MetadataHttpTokens
ec2:PlacementGroup
ec2:ProductCode
ec2:ResourceTag/${TagKey}
ec2:RootDeviceType
ec2:Tenancy
|
|
security-group
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:SecurityGroupID
ec2:Vpc
|
|
volume
|
aws:ResourceTag/${TagKey}
ec2:AvailabilityZone
ec2:Encrypted
ec2:ParentSnapshot
ec2:ResourceTag/${TagKey}
ec2:VolumeID
ec2:VolumeIops
ec2:VolumeSize
ec2:VolumeThroughput
ec2:VolumeType
|
|
|
ec2:Region
|
|
ModifyInstanceCapacityReservationAttributes
|
Grants permission to modify the Capacity Reservation settings for a stopped instance |
Write |
instance*
|
aws:ResourceTag/${TagKey}
ec2:Attribute
ec2:Attribute/${AttributeName}
ec2:AvailabilityZone
ec2:EbsOptimized
ec2:InstanceAutoRecovery
ec2:InstanceID
ec2:InstanceMarketType
ec2:InstanceMetadataTags
ec2:InstanceProfile
ec2:InstanceType
ec2:MetadataHttpEndpoint
ec2:MetadataHttpPutResponseHopLimit
ec2:MetadataHttpTokens
ec2:PlacementGroup
ec2:ProductCode
ec2:ResourceTag/${TagKey}
ec2:RootDeviceType
ec2:Tenancy
|
|
capacity-reservation
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
ModifyInstanceCreditSpecification
|
Grants permission to modify the credit option for CPU usage on an instance |
Write |
instance*
|
aws:ResourceTag/${TagKey}
ec2:Attribute
ec2:Attribute/${AttributeName}
ec2:AvailabilityZone
ec2:EbsOptimized
ec2:InstanceAutoRecovery
ec2:InstanceID
ec2:InstanceMarketType
ec2:InstanceMetadataTags
ec2:InstanceProfile
ec2:InstanceType
ec2:MetadataHttpEndpoint
ec2:MetadataHttpPutResponseHopLimit
ec2:MetadataHttpTokens
ec2:PlacementGroup
ec2:ProductCode
ec2:ResourceTag/${TagKey}
ec2:RootDeviceType
ec2:Tenancy
|
|
|
ec2:Region
|
|
ModifyInstanceEventStartTime
|
Grants permission to modify the start time for a scheduled EC2 instance event |
Write |
instance*
|
aws:ResourceTag/${TagKey}
ec2:Attribute/${AttributeName}
ec2:InstanceID
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
ModifyInstanceEventWindow
|
Grants permission to modify the specified event window |
Write |
instance-event-window*
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
ModifyInstanceMaintenanceOptions
|
Grants permission to modify the recovery behaviour for an instance |
Write |
instance*
|
aws:ResourceTag/${TagKey}
ec2:Attribute
ec2:Attribute/${AttributeName}
ec2:AvailabilityZone
ec2:EbsOptimized
ec2:InstanceAutoRecovery
ec2:InstanceID
ec2:InstanceMarketType
ec2:InstanceMetadataTags
ec2:InstanceProfile
ec2:InstanceType
ec2:MetadataHttpEndpoint
ec2:MetadataHttpPutResponseHopLimit
ec2:MetadataHttpTokens
ec2:PlacementGroup
ec2:ProductCode
ec2:ResourceTag/${TagKey}
ec2:RootDeviceType
ec2:Tenancy
|
|
|
ec2:Region
|
|
ModifyInstanceMetadataOptions
|
Grants permission to modify the metadata options for an instance |
Write |
instance*
|
aws:ResourceTag/${TagKey}
ec2:Attribute
ec2:Attribute/${AttributeName}
ec2:AvailabilityZone
ec2:EbsOptimized
ec2:InstanceAutoRecovery
ec2:InstanceID
ec2:InstanceMarketType
ec2:InstanceMetadataTags
ec2:InstanceProfile
ec2:InstanceType
ec2:MetadataHttpEndpoint
ec2:MetadataHttpPutResponseHopLimit
ec2:MetadataHttpTokens
ec2:PlacementGroup
ec2:ProductCode
ec2:ResourceTag/${TagKey}
ec2:RootDeviceType
ec2:Tenancy
|
|
|
ec2:Region
|
|
ModifyInstancePlacement
|
Grants permission to modify the placement attributes for an instance |
Write |
instance*
|
aws:ResourceTag/${TagKey}
ec2:Attribute
ec2:Attribute/${AttributeName}
ec2:AvailabilityZone
ec2:EbsOptimized
ec2:InstanceAutoRecovery
ec2:InstanceID
ec2:InstanceMarketType
ec2:InstanceMetadataTags
ec2:InstanceProfile
ec2:InstanceType
ec2:MetadataHttpEndpoint
ec2:MetadataHttpPutResponseHopLimit
ec2:MetadataHttpTokens
ec2:PlacementGroup
ec2:ProductCode
ec2:ResourceTag/${TagKey}
ec2:RootDeviceType
ec2:Tenancy
|
|
dedicated-host
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
|
|
placement-group
|
aws:ResourceTag/${TagKey}
ec2:PlacementGroupName
ec2:PlacementGroupStrategy
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
ModifyIpam
|
Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) |
Write |
ipam*
|
aws:ResourceTag/${TagKey}
ec2:Attribute
ec2:Attribute/${AttributeName}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
ModifyIpamPool
|
Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) pool |
Write |
ipam-pool*
|
aws:ResourceTag/${TagKey}
ec2:Attribute
ec2:Attribute/${AttributeName}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
ModifyIpamResourceCidr
|
Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) resource CIDR |
Write |
ipam-scope*
|
aws:ResourceTag/${TagKey}
ec2:Attribute
ec2:Attribute/${AttributeName}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
ModifyIpamScope
|
Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) scope |
Write |
ipam-scope*
|
aws:ResourceTag/${TagKey}
ec2:Attribute
ec2:Attribute/${AttributeName}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
ModifyLaunchTemplate
|
Grants permission to modify a launch template |
Write |
launch-template*
|
aws:ResourceTag/${TagKey}
ec2:Attribute
ec2:Attribute/${AttributeName}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
ModifyManagedPrefixList
|
Grants permission to modify a managed prefix list |
Write |
prefix-list*
|
aws:ResourceTag/${TagKey}
ec2:Attribute
ec2:Attribute/${AttributeName}
ec2:ResourceTag/${TagKey}
|
|
|
ec2:Region
|
|
ModifyNetworkInterfaceAttribute
|
Grants permission to modify an attribute of a network interface |
Write |
network-interface*
|
aws:ResourceTag/${TagKey}
ec2:Attribute
ec2:Attribute/${AttributeName}
ec2:AvailabilityZone
ec2:NetworkInterfaceID
ec2:ResourceTag/${TagKey}
ec2:Subnet
ec2:Vpc
|
|
instance
|
aws:ResourceTag/${TagKey}
ec2:AvailabilityZone
ec2:EbsOptimized
ec2:InstanceAutoRecovery
ec2:InstanceID
ec2:InstanceMarketType
ec2:InstanceMetadataTags
ec2:InstanceProfile
ec2:InstanceType
ec2:MetadataHttpEndpoint
ec2:MetadataHttpPutResponseHopLimit
ec2:MetadataHttpTokens
ec2:PlacementGroup
ec2:ProductCode
ec2:ResourceTag/${TagKey}
ec2:RootDeviceType
ec2:Tenancy
|
|
security-group
|
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:SecurityGroupID
ec2:Vpc
|
|
|
ec2:Region
|
|
ModifyPrivateDnsNameOptions
|
Grants permission to modify the options for instance hostnames for the specified instance |
Write |
instance*
|
aws:ResourceTag/${TagKey}
ec2:Attribute
ec2:Attribute/${AttributeName}
ec2:AvailabilityZone
ec2:EbsOptimized
ec2:InstanceAutoRecovery
ec2:InstanceID
ec2:InstanceMarketType
ec2:InstanceMetadataTags
ec2:InstanceProfile
ec2:InstanceType
ec2:MetadataHttpEndpoint
ec2:MetadataHttpPutResponseHopLimit
ec2:MetadataHttpTokens
ec2:NewInstanceProfile
ec2:PlacementGroup
ec2:ProductCode
ec2:ResourceTag/${TagKey}
ec2:RootDeviceType
ec2:Tenancy
|
|
|
ec2:Region
|
|
ModifyReservedInstances
|
| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| (continued from previous row) | Grants permission to modify attributes of one or more Reserved Instances | Write | reserved-instances* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:AvailabilityZone, ec2:InstanceType, ec2:ReservedInstancesOfferingType, ec2:ResourceTag/${TagKey}, ec2:Tenancy | |
| | | | | ec2:Region | |
| ModifySecurityGroupRules | Grants permission to modify the rules of a security group | Write | security-group* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID, ec2:Vpc | |
| | | | prefix-list | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | security-group-rule | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ModifySnapshotAttribute | Grants permission to add or remove permission settings for a snapshot | Permissions management | snapshot* | aws:ResourceTag/${TagKey}, ec2:Add/group, ec2:Add/userId, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:Owner, ec2:ParentVolume, ec2:Remove/group, ec2:Remove/userId, ec2:ResourceTag/${TagKey}, ec2:SnapshotID, ec2:SnapshotTime, ec2:VolumeSize | |
| | | | | ec2:Region | |
| ModifySnapshotTier | Grants permission to archive Amazon EBS snapshots | Write | snapshot* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:AvailabilityZone, ec2:Encrypted, ec2:Owner, ec2:ParentVolume, ec2:ResourceTag/${TagKey}, ec2:SnapshotID, ec2:SnapshotTime, ec2:VolumeSize | |
| | | | | ec2:Region | |
| ModifySpotFleetRequest | Grants permission to modify a Spot Fleet request | Write | spot-fleet-request* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey} | |
| | | | launch-template | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | subnet | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc | |
| | | | | ec2:Region | |
| ModifySubnetAttribute | Grants permission to modify an attribute of a subnet | Write | subnet* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc | |
| | | | | ec2:Region | |
| ModifyTrafficMirrorFilterNetworkServices | Grants permission to allow or restrict mirroring network services | Write | traffic-mirror-filter* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ModifyTrafficMirrorFilterRule | Grants permission to modify a traffic mirror rule | Write | traffic-mirror-filter* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey} | |
| | | | traffic-mirror-filter-rule* | ec2:Attribute, ec2:Attribute/${AttributeName} | |
| | | | | ec2:Region | |
| ModifyTrafficMirrorSession | Grants permission to modify a traffic mirror session | Write | traffic-mirror-session* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey} | |
| | | | traffic-mirror-filter | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | traffic-mirror-target | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ModifyTransitGateway | Grants permission to modify a transit gateway | Write | transit-gateway* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey} | |
| | | | transit-gateway-route-table | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ModifyTransitGatewayPrefixListReference | Grants permission to modify a transit gateway prefix list reference | Write | prefix-list* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey} | |
| | | | transit-gateway-route-table* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey} | |
| | | | transit-gateway-attachment | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ModifyTransitGatewayVpcAttachment | Grants permission to modify a VPC attachment on a transit gateway | Write | transit-gateway-attachment* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey} | |
| | | | subnet | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SubnetID | |
| | | | | ec2:Region | |
| ModifyVolume | Grants permission to modify the parameters of an EBS volume | Write | volume* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:ResourceTag/${TagKey}, ec2:VolumeID, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType | |
| | | | | ec2:Region | |
| ModifyVolumeAttribute | Grants permission to modify an attribute of a volume | Write | volume* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:ResourceTag/${TagKey}, ec2:VolumeID, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType | |
| | | | | ec2:Region | |
| ModifyVpcAttribute | Grants permission to modify an attribute of a VPC | Write | vpc* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID | |
| | | | | ec2:Region | |
| ModifyVpcEndpoint | Grants permission to modify an attribute of a VPC endpoint | Write | vpc-endpoint* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey} | |
| | | | route-table | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:RouteTableID | |
| | | | security-group | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID | |
| | | | subnet | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SubnetID | |
| | | | | ec2:Region | |
| ModifyVpcEndpointConnectionNotification | Grants permission to modify a connection notification for a VPC endpoint or VPC endpoint service | Write | vpc-endpoint* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey} | |
| | | | vpc-endpoint-service* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ModifyVpcEndpointServiceConfiguration | Grants permission to modify the attributes of a VPC endpoint service configuration | Write | vpc-endpoint-service* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey}, ec2:VpceServicePrivateDnsName | |
| | | | | ec2:Region | |
| ModifyVpcEndpointServicePayerResponsibility | Grants permission to modify the payer responsibility for a VPC endpoint service | Write | vpc-endpoint-service* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ModifyVpcEndpointServicePermissions | Grants permission to modify the permissions for a VPC endpoint service | Permissions management | vpc-endpoint-service* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ModifyVpcPeeringConnectionOptions | Grants permission to modify the VPC peering connection options on one side of a VPC peering connection | Write | vpc-peering-connection* | aws:ResourceTag/${TagKey}, ec2:AccepterVpc, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:RequesterVpc, ec2:ResourceTag/${TagKey}, ec2:VpcPeeringConnectionID | |
| | | | | ec2:Region | |
| ModifyVpcTenancy | Grants permission to modify the instance tenancy attribute of a VPC | Write | vpc* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID | |
| | | | | ec2:Region | |
| ModifyVpnConnection | Grants permission to modify the target gateway of a Site-to-Site VPN connection | Write | vpn-connection* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:AuthenticationType, ec2:DPDTimeoutSeconds, ec2:GatewayType, ec2:IKEVersions, ec2:InsideTunnelCidr, ec2:InsideTunnelIpv6Cidr, ec2:Phase1DHGroup, ec2:Phase1EncryptionAlgorithms, ec2:Phase1IntegrityAlgorithms, ec2:Phase1LifetimeSeconds, ec2:Phase2DHGroup, ec2:Phase2EncryptionAlgorithms, ec2:Phase2IntegrityAlgorithms, ec2:Phase2LifetimeSeconds, ec2:PreSharedKeys, ec2:RekeyFuzzPercentage, ec2:RekeyMarginTimeSeconds, ec2:ReplayWindowSizePackets, ec2:ResourceTag/${TagKey}, ec2:RoutingType | |
| | | | | ec2:Region | |
| ModifyVpnConnectionOptions | Grants permission to modify the connection options for your Site-to-Site VPN connection | Write | vpn-connection* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ModifyVpnTunnelCertificate | Grants permission to modify the certificate for a Site-to-Site VPN connection | Write | vpn-connection* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ModifyVpnTunnelOptions | Grants permission to modify the options for a Site-to-Site VPN connection | Write | vpn-connection* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:AuthenticationType, ec2:DPDTimeoutSeconds, ec2:GatewayType, ec2:IKEVersions, ec2:InsideTunnelCidr, ec2:InsideTunnelIpv6Cidr, ec2:Phase1DHGroup, ec2:Phase1EncryptionAlgorithms, ec2:Phase1IntegrityAlgorithms, ec2:Phase1LifetimeSeconds, ec2:Phase2DHGroup, ec2:Phase2EncryptionAlgorithms, ec2:Phase2IntegrityAlgorithms, ec2:Phase2LifetimeSeconds, ec2:PreSharedKeys, ec2:RekeyFuzzPercentage, ec2:RekeyMarginTimeSeconds, ec2:ReplayWindowSizePackets, ec2:ResourceTag/${TagKey}, ec2:RoutingType | |
| | | | | ec2:Region | |
| MonitorInstances | Grants permission to enable detailed monitoring for a running instance | Write | instance* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ProductCode, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy | |
| | | | | ec2:Region | |
| MoveAddressToVpc | Grants permission to move an Elastic IP address from the EC2-Classic platform to the EC2-VPC platform | Write | | ec2:Region | |