Actions, resources, and condition keys for Amazon EC2 - Service Authorization Reference

Actions, resources, and condition keys for Amazon EC2

Amazon EC2 (service prefix: ec2) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by Amazon EC2

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AcceptAddressTransfer Grants permission to accept an Elastic IP address transfer Write

elastic-ip*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AllocationId

ec2:Domain

ec2:PublicIpAddress

ec2:CreateTags

ec2:Region

AcceptReservedInstancesExchangeQuote Grants permission to accept a Convertible Reserved Instance exchange quote Write

ec2:Region

AcceptTransitGatewayMulticastDomainAssociations Grants permission to accept a request to associate subnets with a transit gateway multicast domain Write

transit-gateway-attachment

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

transit-gateway-multicast-domain

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayMulticastDomainId

ec2:Region

AcceptTransitGatewayPeeringAttachment Grants permission to accept a transit gateway peering attachment request Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

ec2:Region

AcceptTransitGatewayVpcAttachment Grants permission to accept a request to attach a VPC to a transit gateway Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

ec2:Region

AcceptVpcEndpointConnections Grants permission to accept one or more interface VPC endpoint connections to your VPC endpoint service Write

vpc-endpoint-service*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AcceptVpcPeeringConnection Grants permission to accept a VPC peering connection request Write

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

vpc-peering-connection*

aws:ResourceTag/${TagKey}

ec2:AccepterVpc

ec2:RequesterVpc

ec2:ResourceTag/${TagKey}

ec2:VpcPeeringConnectionID

ec2:Region

AdvertiseByoipCidr Grants permission to advertise an IP address range that is provisioned for use in AWS through bring your own IP addresses (BYOIP) Write

ec2:Region

AllocateAddress Grants permission to allocate an Elastic IP address (EIP) to your account Write

elastic-ip*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

ipv4pool-ec2

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AllocateHosts Grants permission to allocate a Dedicated Host to your account Write

dedicated-host*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AutoPlacement

ec2:AvailabilityZone

ec2:HostRecovery

ec2:InstanceType

ec2:Quantity

ec2:CreateTags

ec2:Region

AllocateIpamPoolCidr Grants permission to allocate a CIDR from an Amazon VPC IP Address Manager (IPAM) pool Write

ipam-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

ApplySecurityGroupsToClientVpnTargetNetwork Grants permission to apply a security group to the association between a Client VPN endpoint and a target network Write

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

security-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

AssignIpv6Addresses Grants permission to assign one or more IPv6 addresses to a network interface Write

network-interface*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

AssignPrivateIpAddresses Grants permission to assign one or more secondary private IP addresses to a network interface Write

network-interface*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

AssignPrivateNatGatewayAddress Grants permission to assign one or more secondary private IP addresses to a private NAT gateway Write

natgateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AssociateAddress Grants permission to associate an Elastic IP address (EIP) with an instance or a network interface Write

elastic-ip

aws:ResourceTag/${TagKey}

ec2:AllocationId

ec2:Domain

ec2:PublicIpAddress

ec2:ResourceTag/${TagKey}

instance

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

network-interface

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

AssociateClientVpnTargetNetwork Grants permission to associate a target network with a Client VPN endpoint Write

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

subnet*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Region

AssociateDhcpOptions Grants permission to associate or disassociate a set of DHCP options with a VPC Write

dhcp-options*

aws:ResourceTag/${TagKey}

ec2:DhcpOptionsID

ec2:ResourceTag/${TagKey}

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

AssociateEnclaveCertificateIamRole Grants permission to associate an ACM certificate with an IAM role to be used in an EC2 Enclave Write

certificate*

role*

ec2:Region

AssociateIamInstanceProfile Grants permission to associate an IAM instance profile with a running or stopped instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:NewInstanceProfile

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

iam:PassRole

ec2:Region

AssociateInstanceEventWindow Grants permission to associate one or more targets with an event window Write

instance-event-window*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AssociateIpamByoasn Grants permission to associate an Autonomous System Number (ASN) with a BYOIP CIDR Write

ec2:Region

AssociateIpamResourceDiscovery Grants permission to associate an IPAM resource discovery with an Amazon VPC IPAM Write

ipam*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CreateTags

ipam-resource-discovery*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam-resource-discovery-association*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

AssociateNatGatewayAddress Grants permission to associate an Elastic IP address and private IP address with a public Nat gateway Write

elastic-ip*

aws:ResourceTag/${TagKey}

ec2:AllocationId

ec2:Domain

ec2:PublicIpAddress

ec2:ResourceTag/${TagKey}

natgateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AssociateRouteTable Grants permission to associate a subnet or gateway with a route table Write

route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

ec2:Vpc

internet-gateway

aws:ResourceTag/${TagKey}

ec2:InternetGatewayID

ec2:ResourceTag/${TagKey}

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

vpn-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AssociateSubnetCidrBlock Grants permission to associate a CIDR block with a subnet Write

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

ipam-pool

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AssociateTransitGatewayMulticastDomain Grants permission to associate an attachment and list of subnets with a transit gateway multicast domain Write

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

transit-gateway-multicast-domain*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayMulticastDomainId

ec2:Region

AssociateTransitGatewayPolicyTable Grants permission to associate a policy table with a transit gateway attachment Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

transit-gateway-policy-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayPolicyTableId

ec2:Region

AssociateTransitGatewayRouteTable Grants permission to associate an attachment with a transit gateway route table Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableId

ec2:Region

AssociateTrunkInterface Grants permission to associate a branch network interface with a trunk network interface Write

ec2:Region

AssociateVerifiedAccessInstanceWebAcl [permission only] Grants permission to associate an AWS Web Application Firewall (WAF) web access control list (ACL) with a Verified Access instance Write

verified-access-instance*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AssociateVpcCidrBlock Grants permission to associate a CIDR block with a VPC Write

vpc*

aws:ResourceTag/${TagKey}

ec2:Ipv4IpamPoolId

ec2:Ipv6IpamPoolId

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ipam-pool

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipv6pool-ec2

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AttachClassicLinkVpc Grants permission to link an EC2-Classic instance to a ClassicLink-enabled VPC through one or more of the VPC's security groups Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

security-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

AttachInternetGateway Grants permission to attach an internet gateway to a VPC Write

internet-gateway*

aws:ResourceTag/${TagKey}

ec2:InternetGatewayID

ec2:ResourceTag/${TagKey}

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

AttachNetworkInterface Grants permission to attach a network interface to an instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

network-interface*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

AttachVerifiedAccessTrustProvider Grants permission to attach a trust provider to a Verified Access instance Write

verified-access-instance*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

verified-access-trust-provider*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AttachVolume Grants permission to attach an EBS volume to a running or stopped instance and expose it to the instance with the specified device name Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

volume*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:Region

AttachVpnGateway Grants permission to attach a virtual private gateway to a VPC Write

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

vpn-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AuthorizeClientVpnIngress Grants permission to add an inbound authorization rule to a Client VPN endpoint Write

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

AuthorizeSecurityGroupEgress Grants permission to add one or more outbound rules to a VPC security group. Policies using the security-group-rule resource-level permission are only enforced when the API request includes TagSpecifications Write

security-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

ec2:CreateTags

security-group-rule

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

AuthorizeSecurityGroupIngress Grants permission to add one or more inbound rules to a VPC security group. Policies using the security-group-rule resource-level permission are only enforced when the API request includes TagSpecifications Write

security-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

ec2:CreateTags

security-group-rule

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

BundleInstance Grants permission to bundle an instance store-backed Windows instance Write

ec2:Region

CancelBundleTask Grants permission to cancel a bundling operation Write

ec2:Region

CancelCapacityReservation Grants permission to cancel a Capacity Reservation and release the reserved capacity Write

capacity-reservation*

aws:ResourceTag/${TagKey}

ec2:CapacityReservationFleet

ec2:ResourceTag/${TagKey}

ec2:Region

CancelCapacityReservationFleets Grants permission to cancel one or more Capacity Reservation Fleets Write

capacity-reservation-fleet*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CancelCapacityReservation

ec2:Region

CancelConversionTask Grants permission to cancel an active conversion task Write

ec2:Region

CancelExportTask Grants permission to cancel an active export task Write

export-image-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

export-instance-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CancelImageLaunchPermission Grants permission to remove your AWS account from the launch permissions for the specified AMI Write

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

CancelImportTask Grants permission to cancel an in-process import virtual machine or import snapshot task Write

import-image-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

import-snapshot-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CancelReservedInstancesListing Grants permission to cancel a Reserved Instance listing on the Reserved Instance Marketplace Write

ec2:Region

CancelSpotFleetRequests Grants permission to cancel one or more Spot Fleet requests Write

spot-fleet-request*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CancelSpotInstanceRequests Grants permission to cancel one or more Spot Instance requests Write

spot-instances-request*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

ConfirmProductInstance Grants permission to determine whether an owned product code is associated with an instance Write

ec2:Region

CopyFpgaImage Grants permission to copy a source Amazon FPGA image (AFI) to the current Region. Resource-level permissions specified for this action apply to the new AFI only. They do not apply to the source AFI Write

fpga-image*

ec2:Owner

ec2:Region

CopyImage Grants permission to copy an Amazon Machine Image (AMI) from a source Region to the current Region. Resource-level permissions specified for this action apply to the new AMI only. They do not apply to the source AMI Write

image*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:ImageID

ec2:Owner

ec2:CreateTags

snapshot*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CopySnapshot Grants permission to copy a point-in-time snapshot of an EBS volume and store it in Amazon S3. Resource-level permissions specified for this action apply to the new snapshot only. They do not apply to the source snapshot Write

snapshot*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:OutpostArn

ec2:SnapshotID

ec2:CreateTags

ec2:Region

CreateCapacityReservation Grants permission to create a Capacity Reservation Write

capacity-reservation*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CapacityReservationFleet

ec2:CreateTags

ec2:Region

CreateCapacityReservationFleet Grants permission to create a Capacity Reservation Fleet Write

capacity-reservation-fleet*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateCapacityReservation

ec2:CreateTags

ec2:DescribeCapacityReservations

ec2:DescribeInstances

ec2:Region

CreateCarrierGateway Grants permission to create a carrier gateway and provides CSP connectivity to VPC customers Write

carrier-gateway*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

CreateClientVpnEndpoint Grants permission to create a Client VPN endpoint Write

client-vpn-endpoint*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:CreateTags

security-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:VpcID

ec2:Region

CreateClientVpnRoute Grants permission to add a network route to a Client VPN endpoint's route table Write

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

subnet*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Region

CreateCoipCidr Grants permission to create a range of customer-owned IP (CoIP) addresses Write

coip-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateCoipPool Grants permission to create a pool of customer-owned IP (CoIP) addresses Write

coip-pool*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

local-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateCoipPoolPermission [permission only] Grants permission to allow a service to access a customer-owned IP (CoIP) pool Write

coip-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateCustomerGateway Grants permission to create a customer gateway, which provides information to AWS about your customer gateway device Write

customer-gateway*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

ec2:Region

CreateDefaultSubnet Grants permission to create a default subnet in a specified Availability Zone in a default VPC Write

ec2:Region

CreateDefaultVpc Grants permission to create a default VPC with a default subnet in each Availability Zone Write

ec2:Region

CreateDhcpOptions Grants permission to create a set of DHCP options for a VPC Write

dhcp-options*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:DhcpOptionsID

ec2:CreateTags

ec2:Region

CreateEgressOnlyInternetGateway Grants permission to create an egress-only internet gateway for a VPC Write

egress-only-internet-gateway*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

CreateFleet Grants permission to launch an EC2 Fleet. Resource-level permissions for this action do not include the resources specified in a launch template. To specify resource-level permissions for resources specified in a launch template, you must include the resources in the RunInstances action statement Write

fleet*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

instance*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceID

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:RootDeviceType

ec2:Tenancy

image

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

launch-template

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

placement-group

aws:ResourceTag/${TagKey}

ec2:PlacementGroupName

ec2:PlacementGroupStrategy

ec2:ResourceTag/${TagKey}

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

volume

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AvailabilityZone

ec2:Encrypted

ec2:KmsKeyId

ec2:ParentSnapshot

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:Region

CreateFlowLogs Grants permission to create one or more flow logs to capture IP traffic for a network interface Write

vpc-flow-log*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

ecs:ListClusters

ecs:ListContainerInstances

ecs:ListServices

ecs:ListTaskDefinitions

ecs:ListTasks

iam:PassRole

network-interface

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

transit-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayId

transit-gateway-attachment

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

CreateFpgaImage Grants permission to create an Amazon FPGA Image (AFI) from a design checkpoint (DCP) Write

fpga-image*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Owner

ec2:Public

ec2:CreateTags

ec2:Region

CreateImage Grants permission to create an Amazon EBS-backed AMI from a stopped or running Amazon EBS-backed instance Write

image*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:ImageID

ec2:Owner

ec2:CreateTags

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

snapshot*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:OutpostArn

ec2:ParentVolume

ec2:SnapshotID

ec2:SnapshotTime

ec2:SourceOutpostArn

ec2:VolumeSize

ec2:Region

CreateInstanceConnectEndpoint Grants permission to create an EC2 Instance Connect Endpoint that allows you to connect to an instance without a public IPv4 address Write

instance-connect-endpoint*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:SubnetID

ec2:CreateTags

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

security-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

ec2:Region

CreateInstanceEventWindow Grants permission to create an event window in which scheduled events for the associated Amazon EC2 instances can run Write

instance-event-window*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

ec2:Region

CreateInstanceExportTask Grants permission to export a running or stopped instance to an Amazon S3 bucket Write

export-instance-task*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

CreateInternetGateway Grants permission to create an internet gateway for a VPC Write

internet-gateway*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:InternetGatewayID

ec2:CreateTags

ec2:Region

CreateIpam Grants permission to create an Amazon VPC IP Address Manager (IPAM) Write

ipam*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

iam:CreateServiceLinkedRole

ec2:Region

CreateIpamPool Grants permission to create an IP address pool for Amazon VPC IP Address Manager (IPAM), which is a collection of contiguous IP address CIDRs Write

ipam-pool*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

ipam-scope*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateIpamResourceDiscovery Grants permission to create an IPAM resource discovery Write

ipam-resource-discovery*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

iam:CreateServiceLinkedRole

ec2:Region

CreateIpamScope Grants permission to create an Amazon VPC IP Address Manager (IPAM) scope, which is the highest-level container within IPAM Write

ipam*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CreateTags

ipam-scope*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateKeyPair Grants permission to create a 2048-bit RSA key pair Write

key-pair*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:KeyPairType

ec2:CreateTags

ec2:Region

CreateLaunchTemplate Grants permission to create a launch template Write

launch-template*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

ssm:GetParameters

ec2:Region

CreateLaunchTemplateVersion Grants permission to create a new version of a launch template Write

launch-template*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ssm:GetParameters

ec2:Region

CreateLocalGatewayRoute Grants permission to create a static route for a local gateway route table Write

local-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-virtual-interface-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-interface

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

prefix-list

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateLocalGatewayRouteTable Grants permission to create a local gateway route table Write

local-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CreateTags

local-gateway-route-table*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateLocalGatewayRouteTablePermission [permission only] Grants permission to allow a service to access a local gateway route table Write

local-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateLocalGatewayRouteTableVirtualInterfaceGroupAssociation Grants permission to create a local gateway route table virtual interface group association Write

local-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CreateTags

local-gateway-route-table-virtual-interface-group-association*

aws:RequestTag/${TagKey}

aws:TagKeys

local-gateway-virtual-interface-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateLocalGatewayRouteTableVpcAssociation Grants permission to associate a VPC with a local gateway route table Write

local-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CreateTags

local-gateway-route-table-vpc-association*

aws:RequestTag/${TagKey}

aws:TagKeys

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

CreateManagedPrefixList Grants permission to create a managed prefix list Write

prefix-list*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

ec2:Region

CreateNatGateway Grants permission to create a NAT gateway in a subnet Write

natgateway*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

elastic-ip

aws:ResourceTag/${TagKey}

ec2:AllocationId

ec2:Domain

ec2:PublicIpAddress

ec2:ResourceTag/${TagKey}

ec2:Region

CreateNetworkAcl Grants permission to create a network ACL in a VPC Write

network-acl*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:NetworkAclID

ec2:CreateTags

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

CreateNetworkAclEntry Grants permission to create a numbered entry (a rule) in a network ACL Write

network-acl*

aws:ResourceTag/${TagKey}

ec2:NetworkAclID

ec2:ResourceTag/${TagKey}

ec2:Vpc

ec2:Region

CreateNetworkInsightsAccessScope Grants permission to create a Network Access Scope Write

network-insights-access-scope*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

ec2:Region

CreateNetworkInsightsPath Grants permission to create a path to analyze for reachability Write

network-insights-path*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

instance

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

internet-gateway

aws:ResourceTag/${TagKey}

ec2:InternetGatewayID

ec2:ResourceTag/${TagKey}

network-interface

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

transit-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayId

vpc-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-endpoint-service

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-peering-connection

aws:ResourceTag/${TagKey}

ec2:AccepterVpc

ec2:RequesterVpc

ec2:ResourceTag/${TagKey}

ec2:VpcPeeringConnectionID

vpn-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateNetworkInterface Grants permission to create a network interface in a subnet Write

network-interface*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:NetworkInterfaceID

ec2:CreateTags

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

security-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

ec2:Region

CreateNetworkInterfacePermission Grants permission to create a permission for an AWS-authorized user to perform certain operations on a network interface Permissions management

network-interface*

aws:ResourceTag/${TagKey}

ec2:AuthorizedService

ec2:AuthorizedUser

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:Permission

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

CreatePlacementGroup Grants permission to create a placement group Write

placement-group*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:PlacementGroupName

ec2:PlacementGroupStrategy

ec2:CreateTags

ec2:Region

CreatePublicIpv4Pool Grants permission to create a public IPv4 address pool for public IPv4 CIDRs that you own and bring to Amazon to manage with Amazon VPC IP Address Manager (IPAM) Write

ipv4pool-ec2*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

ec2:Region

CreateReplaceRootVolumeTask Grants permission to create a root volume replacement task Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:CreateTags

replace-root-volume-task*

aws:RequestTag/${TagKey}

aws:TagKeys

volume*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:VolumeID

image

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

snapshot

aws:ResourceTag/${TagKey}

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotID

ec2:SnapshotTime

ec2:VolumeSize

ec2:Region

CreateReservedInstancesListing Grants permission to create a listing for Standard Reserved Instances to be sold in the Reserved Instance Marketplace Write

ec2:Region

CreateRestoreImageTask Grants permission to start a task that restores an AMI from an S3 object previously created by using CreateStoreImageTask Write

image*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:ImageID

ec2:Owner

ec2:CreateTags

ec2:Region

CreateRoute Grants permission to create a route in a VPC route table Write

route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

ec2:Vpc

ec2:Region

CreateRouteTable Grants permission to create a route table for a VPC Write

route-table*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:RouteTableID

ec2:CreateTags

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

CreateSecurityGroup Grants permission to create a security group Write

security-group*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:SecurityGroupID

ec2:CreateTags

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

CreateSnapshot Grants permission to create a snapshot of an EBS volume and store it in Amazon S3 Write

snapshot*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:OutpostArn

ec2:ParentVolume

ec2:SnapshotID

ec2:SourceOutpostArn

ec2:VolumeSize

ec2:CreateTags

volume*

aws:ResourceTag/${TagKey}

ec2:Encrypted

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:Region

CreateSnapshots Grants permission to create crash-consistent snapshots of multiple EBS volumes and store them in Amazon S3 Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceID

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:CreateTags

snapshot*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:OutpostArn

ec2:ParentVolume

ec2:SnapshotID

ec2:SourceOutpostArn

ec2:VolumeSize

volume*

aws:ResourceTag/${TagKey}

ec2:Encrypted

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:Region

CreateSpotDatafeedSubscription Grants permission to create a data feed for Spot Instances to view Spot Instance usage logs Write

ec2:Region

CreateStoreImageTask Grants permission to store an AMI as a single object in an S3 bucket Write

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

CreateSubnet Grants permission to create a subnet in a VPC Write

subnet*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:SubnetID

ec2:CreateTags

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ipam-pool

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateSubnetCidrReservation Grants permission to create a subnet CIDR reservation Write

ec2:Region

CreateTags Grants permission to add or overwrite one or more tags for Amazon EC2 resources Tagging

capacity-reservation

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

capacity-reservation-fleet

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

carrier-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:Vpc

client-vpn-endpoint

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

coip-pool

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

customer-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

dedicated-host

aws:ResourceTag/${TagKey}

ec2:AutoPlacement

ec2:AvailabilityZone

ec2:HostRecovery

ec2:InstanceType

ec2:Quantity

ec2:ResourceTag/${TagKey}

dhcp-options

aws:ResourceTag/${TagKey}

ec2:DhcpOptionsID

ec2:ResourceTag/${TagKey}

egress-only-internet-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

elastic-gpu

aws:ResourceTag/${TagKey}

ec2:ElasticGpuType

ec2:ResourceTag/${TagKey}

elastic-ip

aws:ResourceTag/${TagKey}

ec2:AllocationId

ec2:Domain

ec2:PublicIpAddress

ec2:ResourceTag/${TagKey}

export-image-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

export-instance-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

fleet

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

fpga-image

aws:ResourceTag/${TagKey}

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

host-reservation

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

image

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

import-image-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

import-snapshot-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

instance

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

instance-connect-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SubnetID

instance-event-window

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

internet-gateway

aws:ResourceTag/${TagKey}

ec2:InternetGatewayID

ec2:ResourceTag/${TagKey}

ipam

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam-pool

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam-resource-discovery

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam-resource-discovery-association

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam-scope

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipv4pool-ec2

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipv6pool-ec2

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

key-pair

aws:ResourceTag/${TagKey}

ec2:KeyPairName

ec2:KeyPairType

ec2:ResourceTag/${TagKey}

launch-template

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-route-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-route-table-virtual-interface-group-association

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-route-table-vpc-association

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-virtual-interface

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-virtual-interface-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

natgateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-acl

aws:ResourceTag/${TagKey}

ec2:NetworkAclID

ec2:ResourceTag/${TagKey}

ec2:Vpc

network-insights-access-scope

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-insights-access-scope-analysis

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-insights-analysis

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-insights-path

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-interface

aws:ResourceTag/${TagKey}

ec2:AuthorizedUser

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:Permission

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

placement-group

aws:ResourceTag/${TagKey}

ec2:PlacementGroupName

ec2:PlacementGroupStrategy

ec2:ResourceTag/${TagKey}

prefix-list

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

replace-root-volume-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

reserved-instances

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:InstanceType

ec2:ReservedInstancesOfferingType

ec2:ResourceTag/${TagKey}

ec2:Tenancy

route-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

ec2:Vpc

security-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

security-group-rule

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

snapshot

aws:ResourceTag/${TagKey}

ec2:Encrypted

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotID

ec2:SnapshotTime

ec2:VolumeSize

spot-fleet-request

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

spot-instances-request

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

subnet-cidr-reservation

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

traffic-mirror-filter

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

traffic-mirror-session

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

traffic-mirror-target

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayId

transit-gateway-attachment

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

transit-gateway-connect-peer

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayConnectPeerId

transit-gateway-multicast-domain

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayMulticastDomainId

transit-gateway-policy-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayPolicyTableId

transit-gateway-route-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableId

transit-gateway-route-table-announcement

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableAnnouncementId

verified-access-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

verified-access-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

verified-access-instance

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

verified-access-policy

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

verified-access-trust-provider

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

volume

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

vpc-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-endpoint-connection

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-endpoint-service

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-endpoint-service-permission

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-flow-log

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-peering-connection

aws:ResourceTag/${TagKey}

ec2:AccepterVpc

ec2:RequesterVpc

ec2:ResourceTag/${TagKey}

ec2:VpcPeeringConnectionID

vpn-connection

aws:ResourceTag/${TagKey}

ec2:AuthenticationType

ec2:DPDTimeoutSeconds

ec2:GatewayType

ec2:IKEVersions

ec2:InsideTunnelCidr

ec2:InsideTunnelIpv6Cidr

ec2:Phase1DHGroup

ec2:Phase1EncryptionAlgorithms

ec2:Phase1IntegrityAlgorithms

ec2:Phase1LifetimeSeconds

ec2:Phase2DHGroup

ec2:Phase2EncryptionAlgorithms

ec2:Phase2IntegrityAlgorithms

ec2:Phase2LifetimeSeconds

ec2:RekeyFuzzPercentage

ec2:RekeyMarginTimeSeconds

ec2:ReplayWindowSizePackets

ec2:ResourceTag/${TagKey}

ec2:RoutingType

vpn-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CreateAction

ec2:Region

CreateTrafficMirrorFilter Grants permission to create a traffic mirror filter Write

traffic-mirror-filter*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

ec2:Region

CreateTrafficMirrorFilterRule Grants permission to create a traffic mirror filter rule Write

traffic-mirror-filter*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CreateTags

traffic-mirror-filter-rule*

ec2:Region

CreateTrafficMirrorSession Grants permission to create a traffic mirror session Write

network-interface*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:CreateTags

traffic-mirror-filter*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

traffic-mirror-session*

aws:RequestTag/${TagKey}

aws:TagKeys

traffic-mirror-target*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateTrafficMirrorTarget Grants permission to create a traffic mirror target Write

traffic-mirror-target*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

network-interface

aws:ResourceTag/${TagKey}

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

vpc-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:VpceServiceName

ec2:VpceServiceOwner

ec2:Region

CreateTransitGateway Grants permission to create a transit gateway Write

transit-gateway*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:transitGatewayId

ec2:CreateTags

ec2:Region

CreateTransitGatewayConnect Grants permission to create a Connect attachment from a specified transit gateway attachment Write

transit-gateway-attachment*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:transitGatewayAttachmentId

ec2:CreateTags

ec2:Region

CreateTransitGatewayConnectPeer Grants permission to create a Connect peer between a transit gateway and an appliance Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

ec2:CreateTags

transit-gateway-connect-peer*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:transitGatewayConnectPeerId

ec2:Region

CreateTransitGatewayMulticastDomain Grants permission to create a multicast domain for a transit gateway Write

transit-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayId

ec2:CreateTags

transit-gateway-multicast-domain*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:transitGatewayMulticastDomainId

ec2:Region

CreateTransitGatewayPeeringAttachment Grants permission to request a transit gateway peering attachment between a requester and accepter transit gateway Write

transit-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayId

ec2:CreateTags

transit-gateway-attachment*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:transitGatewayAttachmentId

ec2:Region

CreateTransitGatewayPolicyTable Grants permission to create a transit gateway policy table Write

transit-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayId

ec2:CreateTags

transit-gateway-policy-table*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:transitGatewayPolicyTableId

ec2:Region

CreateTransitGatewayPrefixListReference Grants permission to create a transit gateway prefix list reference Write

prefix-list*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableId

transit-gateway-attachment

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

ec2:Region

CreateTransitGatewayRoute Grants permission to create a static route for a transit gateway route table Write

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableId

transit-gateway-attachment

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

ec2:Region

CreateTransitGatewayRouteTable Grants permission to create a route table for a transit gateway Write

transit-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayId

ec2:CreateTags

transit-gateway-route-table*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:transitGatewayRouteTableId

ec2:Region

CreateTransitGatewayRouteTableAnnouncement Grants permission to create an announcement for a transit gateway route table Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

ec2:CreateTags

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableId

transit-gateway-route-table-announcement*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:transitGatewayRouteTableAnnouncementId

ec2:Region

CreateTransitGatewayVpcAttachment Grants permission to attach a VPC to a transit gateway Write

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

ec2:CreateTags

transit-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayId

transit-gateway-attachment*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:transitGatewayAttachmentId

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

CreateVerifiedAccessEndpoint Grants permission to create a Verified Access endpoint Write

verified-access-endpoint*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

verified-access-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-interface

aws:ResourceTag/${TagKey}

ec2:AuthorizedUser

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:Permission

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

security-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

ec2:Region

CreateVerifiedAccessGroup Grants permission to create a Verified Access group Write

verified-access-group*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

verified-access-instance*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateVerifiedAccessInstance Grants permission to create a Verified Access instance Write

verified-access-instance*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

ec2:Region

CreateVerifiedAccessTrustProvider Grants permission to create a verified trust provider Write

verified-access-trust-provider*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

ec2:Region

CreateVolume Grants permission to create an EBS volume Write

volume*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AvailabilityZone

ec2:Encrypted

ec2:KmsKeyId

ec2:ParentSnapshot

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:CreateTags

ec2:Region

CreateVpc Grants permission to create a VPC with a specified CIDR block Write

vpc*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Ipv4IpamPoolId

ec2:Ipv6IpamPoolId

ec2:VpcID

ec2:CreateTags

ipam-pool

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipv6pool-ec2

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateVpcEndpoint Grants permission to create a VPC endpoint for an AWS service Write

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:VpcID

ec2:CreateTags

route53:AssociateVPCWithHostedZone

vpc-endpoint*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:VpceServiceName

ec2:VpceServiceOwner

route-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

security-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

subnet

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Region

CreateVpcEndpointConnectionNotification Grants permission to create a connection notification for a VPC endpoint or VPC endpoint service Write

vpc-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-endpoint-service

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateVpcEndpointServiceConfiguration Grants permission to create a VPC endpoint service configuration to which service consumers (AWS accounts, IAM users, and IAM roles) can connect Write

vpc-endpoint-service*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:VpceServicePrivateDnsName

ec2:CreateTags

ec2:Region

CreateVpcPeeringConnection Grants permission to request a VPC peering connection between two VPCs Write

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:CreateTags

vpc-peering-connection*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AccepterVpc

ec2:RequesterVpc

ec2:VpcPeeringConnectionID

ec2:Region

CreateVpnConnection Grants permission to create a VPN connection between a virtual private gateway or transit gateway and a customer gateway Write

customer-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CreateTags

vpn-connection*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AuthenticationType

ec2:DPDTimeoutSeconds

ec2:GatewayType

ec2:IKEVersions

ec2:InsideTunnelCidr

ec2:InsideTunnelIpv6Cidr

ec2:Phase1DHGroup

ec2:Phase1EncryptionAlgorithms

ec2:Phase1IntegrityAlgorithms

ec2:Phase1LifetimeSeconds

ec2:Phase2DHGroup

ec2:Phase2EncryptionAlgorithms

ec2:Phase2IntegrityAlgorithms

ec2:Phase2LifetimeSeconds

ec2:RekeyFuzzPercentage

ec2:RekeyMarginTimeSeconds

ec2:ReplayWindowSizePackets

ec2:RoutingType

transit-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayId

transit-gateway-attachment

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

vpn-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateVpnConnectionRoute Grants permission to create a static route for a VPN connection between a virtual private gateway and a customer gateway Write

vpn-connection*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateVpnGateway Grants permission to create a virtual private gateway Write

vpn-gateway*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

ec2:Region

DeleteCarrierGateway Grants permission to delete a carrier gateway Write

carrier-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteClientVpnEndpoint Grants permission to delete a Client VPN endpoint Write

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

DeleteClientVpnRoute Grants permission to delete a route from a Client VPN endpoint Write

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

ec2:Region

DeleteCoipCidr Grants permission to delete a range of customer-owned IP (CoIP) addresses Write

coip-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteCoipPool Grants permission to delete a pool of customer-owned IP (CoIP) addresses Write

coip-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteCoipPoolPermission [permission only] Grants permission to deny a service from accessing a customer-owned IP (CoIP) pool Write

coip-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteCustomerGateway Grants permission to delete a customer gateway Write

customer-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteDhcpOptions Grants permission to delete a set of DHCP options Write

dhcp-options*

aws:ResourceTag/${TagKey}

ec2:DhcpOptionsID

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteEgressOnlyInternetGateway Grants permission to delete an egress-only internet gateway Write

egress-only-internet-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteFleets Grants permission to delete one or more EC2 Fleets Write

fleet*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteFlowLogs Grants permission to delete one or more flow logs Write

vpc-flow-log*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteFpgaImage Grants permission to delete an Amazon FPGA Image (AFI) Write

fpga-image*

aws:ResourceTag/${TagKey}

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteInstanceConnectEndpoint Grants permission to delete an EC2 Instance Connect Endpoint Write

instance-connect-endpoint*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Region

DeleteInstanceEventWindow Grants permission to delete the specified event window Write

instance-event-window*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteInternetGateway Grants permission to delete an internet gateway Write

internet-gateway*

aws:ResourceTag/${TagKey}

ec2:InternetGatewayID

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteIpam Grants permission to delete an Amazon VPC IP Address Manager (IPAM) and remove all monitored data associated with the IPAM including the historical data for CIDRs Write

ipam*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteIpamPool Grants permission to delete an Amazon VPC IP Address Manager (IPAM) pool Write

ipam-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteIpamResourceDiscovery Grants permission to delete an IPAM resource discovery Write

ipam-resource-discovery*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteIpamScope Grants permission to delete the scope for an Amazon VPC IP Address Manager (IPAM) Write

ipam-scope*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteKeyPair Grants permission to delete a key pair by removing the public key from Amazon EC2 Write

key-pair

aws:ResourceTag/${TagKey}

ec2:KeyPairName

ec2:KeyPairType

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteLaunchTemplate Grants permission to delete a launch template and its associated versions Write

launch-template*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteLaunchTemplateVersions Grants permission to delete one or more versions of a launch template Write

launch-template*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteLocalGatewayRoute Grants permission to delete a route from a local gateway route table Write

local-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

prefix-list

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteLocalGatewayRouteTable Grants permission to delete a local gateway route table Write

local-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteLocalGatewayRouteTablePermission [permission only] Grants permission to deny a service from accessing a local gateway route table Write

local-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteLocalGatewayRouteTableVirtualInterfaceGroupAssociation Grants permission to delete a local gateway route table virtual interface group association Write

local-gateway-route-table-virtual-interface-group-association*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteLocalGatewayRouteTableVpcAssociation Grants permission to delete an association between a VPC and local gateway route table Write

local-gateway-route-table-vpc-association*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteManagedPrefixList Grants permission to delete a managed prefix list Write

prefix-list*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteNatGateway Grants permission to delete a NAT gateway Write

natgateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteNetworkAcl Grants permission to delete a network ACL Write

network-acl*

aws:ResourceTag/${TagKey}

ec2:NetworkAclID

ec2:ResourceTag/${TagKey}

ec2:Vpc

ec2:Region

DeleteNetworkAclEntry Grants permission to delete an inbound or outbound entry (rule) from a network ACL Write

network-acl*

aws:ResourceTag/${TagKey}

ec2:NetworkAclID

ec2:ResourceTag/${TagKey}

ec2:Vpc

ec2:Region

DeleteNetworkInsightsAccessScope Grants permission to delete a Network Access Scope Write

network-insights-access-scope*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteNetworkInsightsAccessScopeAnalysis Grants permission to delete a Network Access Scope analysis Write

network-insights-access-scope-analysis*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteNetworkInsightsAnalysis Grants permission to delete a network insights analysis Write

network-insights-analysis*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteNetworkInsightsPath Grants permission to delete a network insights path Write

network-insights-path*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteNetworkInterface Grants permission to delete a detached network interface Write

network-interface*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

DeleteNetworkInterfacePermission Grants permission to delete a permission that is associated with a network interface Permissions management

network-interface

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

DeletePlacementGroup Grants permission to delete a placement group Write

placement-group

aws:ResourceTag/${TagKey}

ec2:PlacementGroupName

ec2:PlacementGroupStrategy

ec2:ResourceTag/${TagKey}

ec2:Region

DeletePublicIpv4Pool Grants permission to delete a public IPv4 address pool for public IPv4 CIDRs that you own and brought to Amazon to manage with Amazon VPC IP Address Manager (IPAM) Write

ipv4pool-ec2*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteQueuedReservedInstances Grants permission to delete the queued purchases for the specified Reserved Instances Write

ec2:Region

DeleteResourcePolicy [permission only] Grants permission to remove an IAM policy that enables cross-account sharing from a resource Write

ipam-pool

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

placement-group

aws:ResourceTag/${TagKey}

ec2:PlacementGroupName

ec2:PlacementGroupStrategy

ec2:ResourceTag/${TagKey}

verified-access-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteRoute Grants permission to delete a route from a route table Write

route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

ec2:Vpc

ec2:Region

DeleteRouteTable Grants permission to delete a route table Write

route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

ec2:Vpc

ec2:Region

DeleteSecurityGroup Grants permission to delete a security group Write

security-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

ec2:Region

DeleteSnapshot Grants permission to delete a snapshot of an EBS volume Write

snapshot*

aws:ResourceTag/${TagKey}

ec2:OutpostArn

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotID

ec2:SnapshotTime

ec2:VolumeSize

ec2:Region

DeleteSpotDatafeedSubscription Grants permission to delete a data feed for Spot Instances Write

ec2:Region

DeleteSubnet Grants permission to delete a subnet Write

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

ec2:Region

DeleteSubnetCidrReservation Grants permission to delete a subnet CIDR reservation Write

ec2:Region

DeleteTags Grants permission to delete one or more tags from Amazon EC2 resources Tagging

capacity-reservation

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

capacity-reservation-fleet

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

carrier-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

client-vpn-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

coip-pool

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

customer-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

dedicated-host

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

dhcp-options

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

egress-only-internet-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

elastic-gpu

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

elastic-ip

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

export-image-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

export-instance-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

fleet

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

fpga-image

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

host-reservation

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

image

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

import-image-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

import-snapshot-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

instance

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

instance-connect-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

instance-event-window

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

internet-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam-pool

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam-resource-discovery

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam-resource-discovery-association

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam-scope

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipv4pool-ec2

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipv6pool-ec2

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

key-pair

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

launch-template

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-route-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-route-table-virtual-interface-group-association

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-route-table-vpc-association

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-virtual-interface

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-virtual-interface-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

natgateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-acl

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-insights-access-scope

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-insights-access-scope-analysis

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-insights-analysis

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-insights-path

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-interface

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

placement-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

prefix-list

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

replace-root-volume-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

reserved-instances

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

route-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

security-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

security-group-rule

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

snapshot

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

spot-fleet-request

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

spot-instances-request

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

subnet

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

subnet-cidr-reservation

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

traffic-mirror-filter

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

traffic-mirror-session

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

traffic-mirror-target

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-attachment

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-connect-peer

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-multicast-domain

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-policy-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-route-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-route-table-announcement

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

verified-access-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

verified-access-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

verified-access-instance

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

verified-access-policy

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

verified-access-trust-provider

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

volume

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-endpoint-connection

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-endpoint-service

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-endpoint-service-permission

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-flow-log

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-peering-connection

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpn-connection

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpn-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

aws:TagKeys

ec2:Region

DeleteTrafficMirrorFilter Grants permission to delete a traffic mirror filter Write

traffic-mirror-filter*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteTrafficMirrorFilterRule Grants permission to delete a traffic mirror filter rule Write

traffic-mirror-filter*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

traffic-mirror-filter-rule*

ec2:Region

DeleteTrafficMirrorSession Grants permission to delete a traffic mirror session Write

traffic-mirror-session*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteTrafficMirrorTarget Grants permission to delete a traffic mirror target Write

traffic-mirror-target*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteTransitGateway Grants permission to delete a transit gateway Write

transit-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayId

ec2:Region

DeleteTransitGatewayConnect Grants permission to delete a transit gateway connect attachment Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

ec2:Region

DeleteTransitGatewayConnectPeer Grants permission to delete a transit gateway connect peer Write

transit-gateway-connect-peer*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayConnectPeerId

ec2:Region

DeleteTransitGatewayMulticastDomain Grants permission to delete a transit gateway multicast domain Write

transit-gateway-multicast-domain*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayMulticastDomainId

ec2:Region

DeleteTransitGatewayPeeringAttachment Grants permission to delete a peering attachment from a transit gateway Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

ec2:Region

DeleteTransitGatewayPolicyTable Grants permission to delete a transit gateway policy table Write

transit-gateway-policy-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayPolicyTableId

ec2:Region

DeleteTransitGatewayPrefixListReference Grants permission to delete a transit gateway prefix list reference Write

prefix-list*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableId

ec2:Region

DeleteTransitGatewayRoute Grants permission to delete a route from a transit gateway route table Write

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableId

ec2:Region

DeleteTransitGatewayRouteTable Grants permission to delete a transit gateway route table Write

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableId

ec2:Region

DeleteTransitGatewayRouteTableAnnouncement Grants permission to delete a transit gateway route table announcement Write

transit-gateway-route-table-announcement*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableAnnouncementId

ec2:Region

DeleteTransitGatewayVpcAttachment Grants permission to delete a VPC attachment from a transit gateway Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

ec2:Region

DeleteVerifiedAccessEndpoint Grants permission to delete a Verified Access endpoint Write

verified-access-endpoint*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteVerifiedAccessGroup Grants permission to delete a Verified Access group Write

verified-access-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteVerifiedAccessInstance Grants permission to delete a Verified Access instance Write

verified-access-instance*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteVerifiedAccessTrustProvider Grants permission to delete a verified trust provider Write

verified-access-trust-provider*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteVolume Grants permission to delete an EBS volume Write

volume*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:Region

DeleteVpc Grants permission to delete a VPC Write

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

DeleteVpcEndpointConnectionNotifications Grants permission to delete one or more VPC endpoint connection notifications Write

vpc-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-endpoint-service

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteVpcEndpointServiceConfigurations Grants permission to delete one or more VPC endpoint service configurations Write

vpc-endpoint-service*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteVpcEndpoints Grants permission to delete one or more VPC endpoints Write

vpc-endpoint*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:VpceServiceName

ec2:Region

DeleteVpcPeeringConnection Grants permission to delete a VPC peering connection Write

vpc-peering-connection*

aws:ResourceTag/${TagKey}

ec2:AccepterVpc

ec2:RequesterVpc

ec2:ResourceTag/${TagKey}

ec2:VpcPeeringConnectionID

ec2:Region

DeleteVpnConnection Grants permission to delete a VPN connection Write

vpn-connection*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteVpnConnectionRoute Grants permission to delete a static route for a VPN connection between a virtual private gateway and a customer gateway Write

vpn-connection*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteVpnGateway Grants permission to delete a virtual private gateway Write

vpn-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeprovisionByoipCidr Grants permission to release an IP address range that was provisioned through bring your own IP addresses (BYOIP), and to delete the corresponding address pool Write

ec2:Region

DeprovisionIpamByoasn Grants permission to deprovision an Autonomous System Number (ASN) from an Amazon Web Services account Write

ipam*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeprovisionIpamPoolCidr Grants permission to deprovision a CIDR provisioned from an Amazon VPC IP Address Manager (IPAM) pool Write

ipam-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeprovisionPublicIpv4PoolCidr Grants permission to deprovision a CIDR from a public IPv4 pool Write

ipv4pool-ec2*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeregisterImage Grants permission to deregister an Amazon Machine Image (AMI) Write

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

DeregisterInstanceEventNotificationAttributes Grants permission to remove tags from the set of tags to include in notifications about scheduled events for your instances Write

ec2:Region

DeregisterTransitGatewayMulticastGroupMembers Grants permission to deregister one or more network interface members from a group IP address in a transit gateway multicast domain Write

network-interface

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

transit-gateway-multicast-domain

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayMulticastDomainId

ec2:Region

DeregisterTransitGatewayMulticastGroupSources Grants permission to deregister one or more network interface sources from a group IP address in a transit gateway multicast domain Write

network-interface

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

transit-gateway-multicast-domain

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayMulticastDomainId

ec2:Region

DescribeAccountAttributes Grants permission to describe the attributes of the AWS account List

ec2:Region

DescribeAddressTransfers Grants permission to describe an Elastic IP address transfer List

ec2:Region

DescribeAddresses Grants permission to describe one or more Elastic IP addresses List

ec2:Region

DescribeAddressesAttribute Grants permission to describe the attributes of the specified Elastic IP addresses List

ec2:Region

DescribeAggregateIdFormat Grants permission to describe the longer ID format settings for all resource types List

ec2:Region

DescribeAvailabilityZones Grants permission to describe one or more of the Availability Zones that are available to you List

ec2:Region

DescribeAwsNetworkPerformanceMetricSubscriptions Grants permission to describe the current infrastructure performance metric subscriptions List

ec2:Region

DescribeBundleTasks Grants permission to describe one or more bundling tasks List

ec2:Region

DescribeByoipCidrs Grants permission to describe the IP address ranges that were provisioned through bring your own IP addresses (BYOIP) List

ec2:Region

DescribeCapacityBlockOfferings Grants permission to describe Capacity Block offerings available for purchase List

ec2:Region

DescribeCapacityReservationFleets Grants permission to describe one or more Capacity Reservation Fleets List

ec2:Region

DescribeCapacityReservations Grants permission to describe one or more Capacity Reservations List

ec2:Region

DescribeCarrierGateways Grants permission to describe one or more Carrier Gateways List

ec2:Region

DescribeClassicLinkInstances Grants permission to describe one or more linked EC2-Classic instances List

ec2:Region

DescribeClientVpnAuthorizationRules Grants permission to describe the authorization rules for a Client VPN endpoint List

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DescribeClientVpnConnections Grants permission to describe active client connections and connections that have been terminated within the last 60 minutes for a Client VPN endpoint List

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

DescribeClientVpnEndpoints Grants permission to describe one or more Client VPN endpoints List

client-vpn-endpoint

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

DescribeClientVpnRoutes Grants permission to describe the routes for a Client VPN endpoint List

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

DescribeClientVpnTargetNetworks Grants permission to describe the target networks that are associated with a Client VPN endpoint List

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

DescribeCoipPools Grants permission to describe the specified customer-owned address pools or all of your customer-owned address pools List

ec2:Region

DescribeConversionTasks Grants permission to describe one or more conversion tasks List

ec2:Region

DescribeCustomerGateways Grants permission to describe one or more customer gateways List

ec2:Region

DescribeDhcpOptions Grants permission to describe one or more DHCP options sets List

ec2:Region

DescribeEgressOnlyInternetGateways Grants permission to describe one or more egress-only internet gateways List

ec2:Region

DescribeElasticGpus Grants permission to describe an Elastic Graphics accelerator that is associated with an instance List

ec2:Region

DescribeExportImageTasks Grants permission to describe one or more export image tasks List

ec2:Region

DescribeExportTasks Grants permission to describe one or more export instance tasks List

ec2:Region

DescribeFastLaunchImages Grants permission to describe fast-launch enabled Windows AMIs List

ec2:Region

DescribeFastSnapshotRestores Grants permission to describe the state of fast snapshot restores for snapshots List

ec2:Region

DescribeFleetHistory Grants permission to describe the events for an EC2 Fleet during a specified time List

fleet*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DescribeFleetInstances Grants permission to describe the running instances for an EC2 Fleet List

fleet*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DescribeFleets Grants permission to describe one or more EC2 Fleets List

ec2:Region

DescribeFlowLogs Grants permission to describe one or more flow logs List

ec2:Region

DescribeFpgaImageAttribute Grants permission to describe the attributes of an Amazon FPGA Image (AFI) List

fpga-image*

aws:ResourceTag/${TagKey}

ec2:Owner

ec2:ResourceTag/${TagKey}

ec2:Region

DescribeFpgaImages Grants permission to describe one or more Amazon FPGA Images (AFIs) List

ec2:Region

DescribeHostReservationOfferings Grants permission to describe the Dedicated Host Reservations that are available to purchase List

ec2:Region

DescribeHostReservations Grants permission to describe the Dedicated Host Reservations that are associated with Dedicated Hosts in the AWS account List

ec2:Region

DescribeHosts Grants permission to describe one or more Dedicated Hosts List

ec2:Region

DescribeIamInstanceProfileAssociations Grants permission to describe the IAM instance profile associations List

ec2:Region

DescribeIdFormat Grants permission to describe the ID format settings for resources List

ec2:Region

DescribeIdentityIdFormat Grants permission to describe the ID format settings for resources for an IAM user, IAM role, or root user List

ec2:Region

DescribeImageAttribute Grants permission to describe an attribute of an Amazon Machine Image (AMI) List

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

DescribeImages Grants permission to describe one or more images (AMIs, AKIs, and ARIs) List

ec2:Region

DescribeImportImageTasks Grants permission to describe import virtual machine or import snapshot tasks List

ec2:Region

DescribeImportSnapshotTasks Grants permission to describe import snapshot tasks List

ec2:Region

DescribeInstanceAttribute Grants permission to describe the attributes of an instance List

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

DescribeInstanceConnectEndpoints Grants permission to describe EC2 Instance Connect Endpoints List

ec2:Region

DescribeInstanceCreditSpecifications Grants permission to describe the credit option for CPU usage of one or more burstable performance instances List

ec2:Region

DescribeInstanceEventNotificationAttributes Grants permission to describe the set of tags to include in notifications about scheduled events for your instances List

ec2:Region

DescribeInstanceEventWindows Grants permission to describe the specified event windows or all event windows List

ec2:Region

DescribeInstanceStatus Grants permission to describe the status of one or more instances List

ec2:Region

DescribeInstanceTopology Grants permission to describe a tree-based hierarchy that represents the physical host placement of EC2 instances List

ec2:Region

DescribeInstanceTypeOfferings Grants permission to describe the set of instance types that are offered in a location List

ec2:Region

DescribeInstanceTypes Grants permission to describe the details of instance types that are offered in a location List

ec2:Region

DescribeInstances Grants permission to describe one or more instances List

ec2:Region

DescribeInternetGateways Grants permission to describe one or more internet gateways List

ec2:Region

DescribeIpamByoasn Grants permission to describe a bring your own Autonomous System Number (BYOASN) that you've brought to IPAM List

ec2:Region

DescribeIpamPools Grants permission to describe Amazon VPC IP Address Manager (IPAM) pools List

ec2:Region

DescribeIpamResourceDiscoveries Grants permission to describe IPAM resource discoveries List

ec2:Region

DescribeIpamResourceDiscoveryAssociations Grants permission to describe resource discovery associations with an Amazon VPC IPAM List

ec2:Region

DescribeIpamScopes Grants permission to describe Amazon VPC IP Address Manager (IPAM) scopes List

ec2:Region

DescribeIpams Grants permission to describe an Amazon VPC IP Address Manager (IPAM) List

ec2:Region

DescribeIpv6Pools Grants permission to describe one or more IPv6 address pools List

ec2:Region

DescribeKeyPairs Grants permission to describe one or more key pairs List

ec2:Region

DescribeLaunchTemplateVersions Grants permission to describe one or more launch template versions List

ec2:Region

ssm:GetParameters

DescribeLaunchTemplates Grants permission to describe one or more launch templates List

ec2:Region

DescribeLocalGatewayRouteTablePermissions [permission only] Grants permission to allow a service to describe local gateway route table permissions List

ec2:Region

DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations Grants permission to describe the associations between virtual interface groups and local gateway route tables List

ec2:Region

DescribeLocalGatewayRouteTableVpcAssociations Grants permission to describe an association between VPCs and local gateway route tables List

ec2:Region

DescribeLocalGatewayRouteTables Grants permission to describe one or more local gateway route tables List

ec2:Region

DescribeLocalGatewayVirtualInterfaceGroups Grants permission to describe local gateway virtual interface groups List

ec2:Region

DescribeLocalGatewayVirtualInterfaces Grants permission to describe local gateway virtual interfaces List

ec2:Region

DescribeLocalGateways Grants permission to describe one or more local gateways List

ec2:Region

DescribeLockedSnapshots Grants permission to describe the lock status for a snapshot List

ec2:Region

DescribeMacHosts Grants permission to describe your EC2 Mac Dedicated hosts List

ec2:Region

DescribeManagedPrefixLists Grants permission to describe your managed prefix lists and any AWS-managed prefix lists List

ec2:Region

DescribeMovingAddresses Grants permission to describe Elastic IP addresses that are being moved to the EC2-VPC platform List

ec2:Region

DescribeNatGateways Grants permission to describe one or more NAT gateways List

ec2:Region

DescribeNetworkAcls Grants permission to describe one or more network ACLs List

ec2:Region

DescribeNetworkInsightsAccessScopeAnalyses Grants permission to describe one or more Network Access Scope analyses List

ec2:Region

DescribeNetworkInsightsAccessScopes Grants permission to describe the Network Access Scopes List

ec2:Region

DescribeNetworkInsightsAnalyses Grants permission to describe one or more network insights analyses List

ec2:Region

DescribeNetworkInsightsPaths Grants permission to describe one or more network insights paths List

ec2:Region

DescribeNetworkInterfaceAttribute Grants permission to describe a network interface attribute List

ec2:Region

DescribeNetworkInterfacePermissions Grants permission to describe the permissions that are associated with a network interface List

ec2:Region

DescribeNetworkInterfaces Grants permission to describe one or more network interfaces List

ec2:Region

DescribePlacementGroups Grants permission to describe one or more placement groups List

ec2:Region

DescribePrefixLists Grants permission to describe available AWS services in a prefix list format List

ec2:Region

DescribePrincipalIdFormat Grants permission to describe the ID format settings for the root user and all IAM roles and IAM users that have explicitly specified a longer ID (17-character ID) preference List

ec2:Region

DescribePublicIpv4Pools Grants permission to describe one or more IPv4 address pools List

ec2:Region

DescribeRegions Grants permission to describe one or more AWS Regions that are currently available in your account List

ec2:Region

DescribeReplaceRootVolumeTasks Grants permission to describe a root volume replacement task List

ec2:Region

DescribeReservedInstances Grants permission to describe one or more purchased Reserved Instances in your account List

ec2:Region

DescribeReservedInstancesListings Grants permission to describe your account's Reserved Instance listings in the Reserved Instance Marketplace List

ec2:Region

DescribeReservedInstancesModifications Grants permission to describe the modifications made to one or more Reserved Instances List

ec2:Region

DescribeReservedInstancesOfferings Grants permission to describe the Reserved Instance offerings that are available for purchase List

ec2:Region

DescribeRouteTables Grants permission to describe one or more route tables List

ec2:Region

DescribeScheduledInstanceAvailability Grants permission to find available schedules for Scheduled Instances List

ec2:Region

DescribeScheduledInstances Grants permission to describe one or more Scheduled Instances in your account List

ec2:Region

DescribeSecurityGroupReferences Grants permission to describe the VPCs on the other side of a VPC peering connection that are referencing specified VPC security groups List

security-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

ec2:Region

DescribeSecurityGroupRules Grants permission to describe one or more of your security group rules List

ec2:Region

DescribeSecurityGroups Grants permission to describe one or more security groups List

ec2:Region

DescribeSnapshotAttribute Grants permission to describe an attribute of a snapshot List

snapshot*

aws:ResourceTag/${TagKey}

ec2:Encrypted

ec2:OutpostArn

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotID

ec2:SnapshotTime

ec2:SourceOutpostArn

ec2:VolumeSize

ec2:Region

DescribeSnapshotTierStatus Grants permission to describe the storage tier status for Amazon EBS snapshots List

ec2:Region

DescribeSnapshots Grants permission to describe one or more EBS snapshots List

ec2:Region

DescribeSpotDatafeedSubscription Grants permission to describe the data feed for Spot Instances List

ec2:Region

DescribeSpotFleetInstances Grants permission to describe the running instances for a Spot Fleet List

spot-fleet-request*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DescribeSpotFleetRequestHistory Grants permission to describe the events for a Spot Fleet request during a specified time List

spot-fleet-request*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DescribeSpotFleetRequests Grants permission to describe one or more Spot Fleet requests List

ec2:Region

DescribeSpotInstanceRequests Grants permission to describe one or more Spot Instance requests List

ec2:Region

DescribeSpotPriceHistory Grants permission to describe the Spot Instance price history List

ec2:Region

DescribeStaleSecurityGroups Grants permission to describe the stale security group rules for security groups in a specified VPC List

ec2:Region

DescribeStoreImageTasks Grants permission to describe the progress of the AMI store tasks List

ec2:Region

DescribeSubnets Grants permission to describe one or more subnets List

ec2:Region

DescribeTags Grants permission to describe one or more tags for an Amazon EC2 resource List

ec2:Region

DescribeTrafficMirrorFilterRules Grants permission to describe traffic mirror filters that determine the traffic that is mirrored List

ec2:Region

DescribeTrafficMirrorFilters Grants permission to describe one or more traffic mirror filters List

ec2:Region

DescribeTrafficMirrorSessions Grants permission to describe one or more traffic mirror sessions List

ec2:Region

DescribeTrafficMirrorTargets Grants permission to describe one or more traffic mirror targets List

ec2:Region

DescribeTransitGatewayAttachments Grants permission to describe one or more attachments between resources and transit gateways List

ec2:Region

DescribeTransitGatewayConnectPeers Grants permission to describe one or more transit gateway connect peers List

ec2:Region

DescribeTransitGatewayConnects Grants permission to describe one or more transit gateway connect attachments List

ec2:Region

DescribeTransitGatewayMulticastDomains Grants permission to describe one or more transit gateway multicast domains List

ec2:Region

DescribeTransitGatewayPeeringAttachments Grants permission to describe one or more transit gateway peering attachments List

ec2:Region

DescribeTransitGatewayPolicyTables Grants permission to describe a transit gateway policy table List

ec2:Region

DescribeTransitGatewayRouteTableAnnouncements Grants permission to describe a transit gateway route table announcement List

ec2:Region

DescribeTransitGatewayRouteTables Grants permission to describe one or more transit gateway route tables List

ec2:Region

DescribeTransitGatewayVpcAttachments Grants permission to describe one or more VPC attachments on a transit gateway List

ec2:Region

DescribeTransitGateways Grants permission to describe one or more transit gateways List

ec2:Region

DescribeTrunkInterfaceAssociations Grants permission to describe one or more network interface trunk associations List

ec2:Region

DescribeVerifiedAccessEndpoints Grants permission to describe the specified Verified Access endpoints or all Verified Access endpoints List

ec2:Region

DescribeVerifiedAccessGroups Grants permission to describe the specified Verified Access groups or all Verified Access groups List

ec2:Region

DescribeVerifiedAccessInstanceLoggingConfigurations Grants permission to describe the current logging configuration for the Verified Access instances List

ec2:Region

DescribeVerifiedAccessInstanceWebAclAssociations [permission only] Grants permission to describe the AWS Web Application Firewall (WAF) web access control list (ACL) associations for a Verified Access instance List

ec2:Region

DescribeVerifiedAccessInstances Grants permission to describe the specified Verified Access instances or all Verified Access instances List

ec2:Region

DescribeVerifiedAccessTrustProviders Grants permission to describe details of existing Verified Access trust providers List

ec2:Region

DescribeVolumeAttribute Grants permission to describe an attribute of an EBS volume List

volume*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:Region

DescribeVolumeStatus Grants permission to describe the status of one or more EBS volumes List

ec2:Region

DescribeVolumes Grants permission to describe one or more EBS volumes List

ec2:Region

DescribeVolumesModifications Grants permission to describe the current modification status of one or more EBS volumes List

ec2:Region

DescribeVpcAttribute Grants permission to describe an attribute of a VPC List

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

Grants permission to describe the ClassicLink status of one or more VPCs List

ec2:Region

DescribeVpcClassicLinkDnsSupport Grants permission to describe the ClassicLink DNS support status of one or more VPCs List

ec2:Region

DescribeVpcEndpointConnectionNotifications Grants permission to describe the connection notifications for VPC endpoints and VPC endpoint services List

ec2:Region

DescribeVpcEndpointConnections Grants permission to describe the VPC endpoint connections to your VPC endpoint services List

ec2:Region

DescribeVpcEndpointServiceConfigurations Grants permission to describe VPC endpoint service configurations (your services) List

ec2:Region

DescribeVpcEndpointServicePermissions Grants permission to describe the principals (service consumers) that are permitted to discover your VPC endpoint service List

vpc-endpoint-service*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DescribeVpcEndpointServices Grants permission to describe all supported AWS services that can be specified when creating a VPC endpoint List

ec2:Region

DescribeVpcEndpoints Grants permission to describe one or more VPC endpoints List

ec2:Region

DescribeVpcPeeringConnections Grants permission to describe one or more VPC peering connections List

ec2:Region

DescribeVpcs Grants permission to describe one or more VPCs List

ec2:Region

DescribeVpnConnections Grants permission to describe one or more VPN connections List

ec2:Region

DescribeVpnGateways Grants permission to describe one or more virtual private gateways List

ec2:Region

DetachClassicLinkVpc Grants permission to unlink (detach) a linked EC2-Classic instance from a VPC Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

DetachInternetGateway Grants permission to detach an internet gateway from a VPC Write

internet-gateway*

aws:ResourceTag/${TagKey}

ec2:InternetGatewayID

ec2:ResourceTag/${TagKey}

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

DetachNetworkInterface Grants permission to detach a network interface from an instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

network-interface*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

DetachVerifiedAccessTrustProvider Grants permission to detach a trust provider from a Verified Access instance Write

verified-access-instance*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

verified-access-trust-provider*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DetachVolume Grants permission to detach an EBS volume from an instance Write

volume*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

instance

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

DetachVpnGateway Grants permission to detach a virtual private gateway from a VPC Write

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

vpn-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DisableAddressTransfer Grants permission to disable Elastic IP address transfer Write

elastic-ip*

aws:ResourceTag/${TagKey}

ec2:AllocationId

ec2:Domain

ec2:PublicIpAddress

ec2:ResourceTag/${TagKey}

ec2:Region

DisableAwsNetworkPerformanceMetricSubscription Grants permission to disable infrastructure performance metric subscriptions Write

ec2:Region

DisableEbsEncryptionByDefault Grants permission to disable EBS encryption by default for your account Write

ec2:Region

DisableFastLaunch Grants permission to disable faster launching for Windows AMIs Write

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

DisableFastSnapshotRestores Grants permission to disable fast snapshot restores for one or more snapshots in specified Availability Zones Write

snapshot*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotID

ec2:SnapshotTime

ec2:VolumeSize

ec2:Region

DisableImage Grants permission to disable an AMI Write

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

DisableImageBlockPublicAccess Grants permission to disable block public access for AMIs at the account level in the specified AWS Region Write

ec2:Region

DisableImageDeprecation Grants permission to cancel the deprecation of the specified AMI Write

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

DisableImageDeregistrationProtection Grants permission to disable deregistration protection for an AMI. When deregistration protection is disabled, the AMI can be deregistered Write

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

DisableIpamOrganizationAdminAccount Grants permission to disable an AWS Organizations member account as an Amazon VPC IP Address Manager (IPAM) admin account Write

ec2:Region

organizations:DeregisterDelegatedAdministrator

DisableSerialConsoleAccess Grants permission to disable access to the EC2 serial console of all instances for your account Write

ec2:Region

DisableSnapshotBlockPublicAccess Grants permission to disable the block public access for snapshots setting for a Region Write

ec2:Region

DisableTransitGatewayRouteTablePropagation Grants permission to disable a resource attachment from propagating routes to the specified propagation route table Write

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableId

transit-gateway-attachment

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

transit-gateway-route-table-announcement

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableAnnouncementId

ec2:Region

DisableVgwRoutePropagation Grants permission to disable a virtual private gateway from propagating routes to a specified route table of a VPC Write

route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

ec2:Vpc

vpn-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

Grants permission to disable ClassicLink for a VPC Write

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

DisableVpcClassicLinkDnsSupport Grants permission to disable ClassicLink DNS support for a VPC Write

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

DisassociateAddress Grants permission to disassociate an Elastic IP address from an instance or network interface Write

elastic-ip

aws:ResourceTag/${TagKey}

ec2:AllocationId

ec2:Domain

ec2:PublicIpAddress

ec2:ResourceTag/${TagKey}

network-interface

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

DisassociateClientVpnTargetNetwork Grants permission to disassociate a target network from a Client VPN endpoint Write

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

DisassociateEnclaveCertificateIamRole Grants permission to disassociate an ACM certificate from a IAM role Write

certificate*

role*

ec2:Region

DisassociateIamInstanceProfile Grants permission to disassociate an IAM instance profile from a running or stopped instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

DisassociateInstanceEventWindow Grants permission to disassociate one or more targets from an event window Write

instance-event-window*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DisassociateIpamByoasn Grants permission to disassociate an Autonomous System Number (ASN) from a BYOIP CIDR Write

ec2:Region

DisassociateIpamResourceDiscovery Grants permission to disassociate a resource discovery from an Amazon VPC IPAM Write

ipam-resource-discovery-association*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DisassociateNatGatewayAddress Grants permission to disassociate a secondary Elastic IP address from a public NAT gateway Write

elastic-ip*

aws:ResourceTag/${TagKey}

ec2:AllocationId

ec2:Domain

ec2:PublicIpAddress

ec2:ResourceTag/${TagKey}

natgateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-interface*

aws:ResourceTag/${TagKey}

ec2:AuthorizedUser

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:Permission

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

DisassociateRouteTable Grants permission to disassociate a subnet from a route table Write

internet-gateway

aws:ResourceTag/${TagKey}

ec2:InternetGatewayID

ec2:ResourceTag/${TagKey}

ipv4pool-ec2

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipv6pool-ec2

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

route-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

ec2:Vpc

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

vpn-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DisassociateSubnetCidrBlock Grants permission to disassociate a CIDR block from a subnet Write

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

ec2:Region

DisassociateTransitGatewayMulticastDomain Grants permission to disassociate one or more subnets from a transit gateway multicast domain Write

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

transit-gateway-multicast-domain*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayMulticastDomainId

ec2:Region

DisassociateTransitGatewayPolicyTable Grants permission to disassociate a policy table from a transit gateway Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

transit-gateway-policy-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayPolicyTableId

ec2:Region

DisassociateTransitGatewayRouteTable Grants permission to disassociate a resource attachment from a transit gateway route table Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableId

ec2:Region

DisassociateTrunkInterface Grants permission to disassociate a branch network interface to a trunk network interface Write

ec2:Region

DisassociateVerifiedAccessInstanceWebAcl [permission only] Grants permission to disassociate an AWS Web Application Firewall (WAF) web access control list (ACL) from a Verified Access instance Write

verified-access-instance*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DisassociateVpcCidrBlock Grants permission to disassociate a CIDR block from a VPC Write

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

EnableAddressTransfer Grants permission to enable Elastic IP address transfer Write

elastic-ip*

aws:ResourceTag/${TagKey}

ec2:AllocationId

ec2:Domain

ec2:PublicIpAddress

ec2:ResourceTag/${TagKey}

ec2:Region

EnableAwsNetworkPerformanceMetricSubscription Grants permission to enable infrastructure performance subscriptions Write

ec2:Region

EnableEbsEncryptionByDefault Grants permission to enable EBS encryption by default for your account Write

ec2:Region

EnableFastLaunch Grants permission to enable faster launching for Windows AMIs Write

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

launch-template

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

EnableFastSnapshotRestores Grants permission to enable fast snapshot restores for one or more snapshots in specified Availability Zones Write

snapshot*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotID

ec2:SnapshotTime

ec2:VolumeSize

ec2:Region

EnableImage Grants permission to re-enable a disabled AMI Write

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

EnableImageBlockPublicAccess Grants permission to enable block public access for AMIs at the account level in the specified AWS Region Write

ec2:Region

EnableImageDeprecation Grants permission to enable deprecation of the specified AMI at the specified date and time Write

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

EnableImageDeregistrationProtection Grants permission to enable deregistration protection for an AMI. When deregistration protection is enabled, the AMI can't be deregistered Write

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

EnableIpamOrganizationAdminAccount Grants permission to enable an AWS Organizations member account as an Amazon VPC IP Address Manager (IPAM) admin account Write

ec2:Region

iam:CreateServiceLinkedRole

organizations:EnableAWSServiceAccess

organizations:RegisterDelegatedAdministrator

EnableReachabilityAnalyzerOrganizationSharing Grants permission to enable organization sharing of reachability analyzer Write

ec2:Region

iam:CreateServiceLinkedRole

organizations:EnableAWSServiceAccess

EnableSerialConsoleAccess Grants permission to enable access to the EC2 serial console of all instances for your account Write

ec2:Region

EnableSnapshotBlockPublicAccess Grants permission to enable or modify the block public access for snapshots setting for a Region Write

ec2:Region

EnableTransitGatewayRouteTablePropagation Grants permission to enable an attachment to propagate routes to a propagation route table Write

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableId

transit-gateway-attachment

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

transit-gateway-route-table-announcement

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableAnnouncementId

ec2:Region

EnableVgwRoutePropagation Grants permission to enable a virtual private gateway to propagate routes to a VPC route table Write

route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

ec2:Vpc

vpn-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

EnableVolumeIO Grants permission to enable I/O operations for a volume that had I/O operations disabled Write

volume*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:Region

Grants permission to enable a VPC for ClassicLink Write

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

EnableVpcClassicLinkDnsSupport Grants permission to enable a VPC to support DNS hostname resolution for ClassicLink Write

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

ExportClientVpnClientCertificateRevocationList Grants permission to download the client certificate revocation list for a Client VPN endpoint Read

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

ExportClientVpnClientConfiguration Grants permission to download the contents of the Client VPN endpoint configuration file for a Client VPN endpoint Read

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

ExportImage Grants permission to export an Amazon Machine Image (AMI) to a VM file Write

export-image-task*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

ExportTransitGatewayRoutes Grants permission to export routes from a transit gateway route table to an Amazon S3 bucket Write

ec2:Region

GetAssociatedEnclaveCertificateIamRoles Grants permission to get the list of roles associated with an ACM certificate Read

certificate*

ec2:Region

GetAssociatedIpv6PoolCidrs Grants permission to get information about the IPv6 CIDR block associations for a specified IPv6 address pool Read

ec2:Region

GetAwsNetworkPerformanceData Grants permission to get network performance data Read

ec2:Region

GetCapacityReservationUsage Grants permission to get usage information about a Capacity Reservation Read

capacity-reservation*

aws:ResourceTag/${TagKey}

ec2:CapacityReservationFleet

ec2:ResourceTag/${TagKey}

ec2:Region

GetCoipPoolUsage Grants permission to describe the allocations from the specified customer-owned address pool Read

coip-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetConsoleOutput Grants permission to get the console output for an instance Read

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

GetConsoleScreenshot Grants permission to retrieve a JPG-format screenshot of a running instance Read

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:NewInstanceProfile

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

GetDefaultCreditSpecification Grants permission to get the default credit option for CPU usage of a burstable performance instance family Read

ec2:Region

GetEbsDefaultKmsKeyId Grants permission to get the ID of the default customer master key (CMK) for EBS encryption by default Read

ec2:Region

GetEbsEncryptionByDefault Grants permission to describe whether EBS encryption by default is enabled for your account Read

ec2:Region

GetFlowLogsIntegrationTemplate Grants permission to generate a CloudFormation template to streamline the integration of VPC flow logs with Amazon Athena Read

vpc-flow-log*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetGroupsForCapacityReservation Grants permission to list the resource groups to which a Capacity Reservation has been added List

capacity-reservation*

aws:ResourceTag/${TagKey}

ec2:CapacityReservationFleet

ec2:ResourceTag/${TagKey}

ec2:Region

GetHostReservationPurchasePreview Grants permission to preview a reservation purchase with configurations that match those of a Dedicated Host Read

ec2:Region

GetImageBlockPublicAccessState Grants permission to get the current state of block public access for AMIs at the account level in the specified AWS Region Read

ec2:Region

GetInstanceMetadataDefaults Grants permission to view the default instance metadata service (IMDS) settings set for your account in the specified Region List

ec2:Region

GetInstanceTpmEkPub Grants permission to get the public endorsement key associated with the Nitro Trusted Platform Module (NitroTPM) for the specified instance Read

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

GetInstanceTypesFromInstanceRequirements Grants permission to view a list of instance types with specified instance attributes List

ec2:Region

GetInstanceUefiData Grants permission to retrieve the binary representation of the UEFI variable store Read

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:NewInstanceProfile

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

GetIpamAddressHistory Grants permission to retrieve historical information about a CIDR within an Amazon VPC IP Address Manager (IPAM) scope Read

ipam-scope*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetIpamDiscoveredAccounts Grants permission to retrieve IPAM discovered accounts Read

ipam-resource-discovery*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetIpamDiscoveredPublicAddresses Grants permission to retrieve the public IP addresses that have been discovered by IPAM Read

ipam-resource-discovery*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetIpamDiscoveredResourceCidrs Grants permission to retrieve the resource CIDRs that are monitored as part of a resource discovery Read

ipam-resource-discovery*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetIpamPoolAllocations Grants permission to get a list of all the CIDR allocations in an Amazon VPC IP Address Manager (IPAM) pool List

ipam-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetIpamPoolCidrs Grants permission to get the CIDRs provisioned to an Amazon VPC IP Address Manager (IPAM) pool Read

ipam-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTa