Actions, resources, and condition keys for Amazon EC2
Amazon EC2 (service prefix: ec2) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
- Learn how to configure this service.
- View a list of the API operations available for this service.
- Learn how to secure this service and its resources by using IAM permission policies.
Actions defined by Amazon EC2
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. Each resource type in the Resource types table has its own Condition keys column, which lists the resource condition keys that apply to any action in the Actions table that uses that resource type.
For details about the columns in the following table, see Actions table.
Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
---|---|---|---|---|---|
AcceptAddressTransfer | Grants permission to accept an Elastic IP address transfer | Write | | | ec2:CreateTags |
AcceptCapacityReservationBillingOwnership | Grants permission to accept assignment of billing of the available capacity of a shared Capacity Reservation to the calling account | Write | | ec2:DestinationCapacityReservationId | |
AcceptReservedInstancesExchangeQuote | Grants permission to accept a Convertible Reserved Instance exchange quote | Write | | | |
AcceptTransitGatewayMulticastDomainAssociations | Grants permission to accept a request to associate subnets with a transit gateway multicast domain | Write | | | |
AcceptTransitGatewayPeeringAttachment | Grants permission to accept a transit gateway peering attachment request | Write | | | |
AcceptTransitGatewayVpcAttachment | Grants permission to accept a request to attach a VPC to a transit gateway | Write | | | |
AcceptVpcEndpointConnections | Grants permission to accept one or more interface VPC endpoint connections to your VPC endpoint service | Write | | | |
AcceptVpcPeeringConnection | Grants permission to accept a VPC peering connection request | Write | | | |
AdvertiseByoipCidr | Grants permission to advertise an IP address range that is provisioned for use in AWS through bring your own IP addresses (BYOIP) | Write | | | |
AllocateAddress | Grants permission to allocate an Elastic IP address (EIP) to your account | Write | | | ec2:CreateTags |
AllocateHosts | Grants permission to allocate a Dedicated Host to your account | Write | | | ec2:CreateTags |
AllocateIpamPoolCidr | Grants permission to allocate a CIDR from an Amazon VPC IP Address Manager (IPAM) pool | Write | | | |
ApplySecurityGroupsToClientVpnTargetNetwork | Grants permission to apply a security group to the association between a Client VPN endpoint and a target network | Write | | | |
AssignIpv6Addresses | Grants permission to assign one or more IPv6 addresses to a network interface | Write | | | |
AssignPrivateIpAddresses | Grants permission to assign one or more secondary private IP addresses to a network interface | Write | | | |
AssignPrivateNatGatewayAddress | Grants permission to assign one or more secondary private IP addresses to a private NAT gateway | Write | | | |
AssociateAddress | Grants permission to associate an Elastic IP address (EIP) with an instance or a network interface | Write | | | |
AssociateCapacityReservationBillingOwner | Grants permission to assign billing of the unused capacity of a shared Capacity Reservation to a consumer account | Write | | ec2:DestinationCapacityReservationId | |
AssociateClientVpnTargetNetwork | Grants permission to associate a target network with a Client VPN endpoint | Write | | | |
AssociateDhcpOptions | Grants permission to associate or disassociate a set of DHCP options with a VPC | Write | | | |
AssociateEnclaveCertificateIamRole | Grants permission to associate an ACM certificate with an IAM role to be used in an EC2 Enclave | Write | | | |
AssociateIamInstanceProfile | Grants permission to associate an IAM instance profile with a running or stopped instance | Write | | | iam:PassRole |
AssociateInstanceEventWindow | Grants permission to associate one or more targets with an event window | Write | | | |
AssociateIpamByoasn | Grants permission to associate an Autonomous System Number (ASN) with a BYOIP CIDR | Write | | | |
AssociateIpamResourceDiscovery | Grants permission to associate an IPAM resource discovery with an Amazon VPC IPAM | Write | | | ec2:CreateTags |
AssociateNatGatewayAddress | Grants permission to associate an Elastic IP address and private IP address with a public NAT gateway | Write | | | |
AssociateRouteTable | Grants permission to associate a subnet or gateway with a route table | Write | | | |
AssociateSecurityGroupVpc | Grants permission to associate a security group with another VPC in the same Region | Write | | | |
AssociateSubnetCidrBlock | Grants permission to associate a CIDR block with a subnet | Write | | | |
AssociateTransitGatewayMulticastDomain | Grants permission to associate an attachment and list of subnets with a transit gateway multicast domain | Write | | | |
AssociateTransitGatewayPolicyTable | Grants permission to associate a policy table with a transit gateway attachment | Write | | | |
AssociateTransitGatewayRouteTable | Grants permission to associate an attachment with a transit gateway route table | Write | | | |
AssociateTrunkInterface | Grants permission to associate a branch network interface with a trunk network interface | Write | | | |
AssociateVerifiedAccessInstanceWebAcl [permission only] | Grants permission to associate an AWS Web Application Firewall (WAF) web access control list (ACL) with a Verified Access instance | Write | | | |
AssociateVpcCidrBlock | Grants permission to associate a CIDR block with a VPC | Write | | | |
AttachClassicLinkVpc | Grants permission to link an EC2-Classic instance to a ClassicLink-enabled VPC through one or more of the VPC's security groups | Write | | | |
AttachInternetGateway | Grants permission to attach an internet gateway to a VPC | Write | | | |
AttachNetworkInterface | Grants permission to attach a network interface to an instance | Write | | | |
AttachVerifiedAccessTrustProvider | Grants permission to attach a trust provider to a Verified Access instance | Write | | | |
AttachVolume | Grants permission to attach an EBS volume to a running or stopped instance and expose it to the instance with the specified device name | Write | | | |
AttachVpnGateway | Grants permission to attach a virtual private gateway to a VPC | Write | | | |
AuthorizeClientVpnIngress | Grants permission to add an inbound authorization rule to a Client VPN endpoint | Write | | | |
AuthorizeSecurityGroupEgress | Grants permission to add one or more outbound rules to a VPC security group. Policies using the security-group-rule resource-level permission are only enforced when the API request includes TagSpecifications | Write | | | ec2:CreateTags |
AuthorizeSecurityGroupIngress | Grants permission to add one or more inbound rules to a VPC security group. Policies using the security-group-rule resource-level permission are only enforced when the API request includes TagSpecifications | Write | | | ec2:CreateTags |
BundleInstance | Grants permission to bundle an instance store-backed Windows instance | Write | | | |
CancelBundleTask | Grants permission to cancel a bundling operation | Write | | | |
CancelCapacityReservation | Grants permission to cancel a Capacity Reservation and release the reserved capacity | Write | | | |
CancelCapacityReservationFleets | Grants permission to cancel one or more Capacity Reservation Fleets | Write | | | ec2:CancelCapacityReservation |
CancelConversionTask | Grants permission to cancel an active conversion task | Write | | | |
CancelExportTask | Grants permission to cancel an active export task | Write | | | |
CancelImageLaunchPermission | Grants permission to remove your AWS account from the launch permissions for the specified AMI | Write | | | |
CancelImportTask | Grants permission to cancel an in-process import virtual machine or import snapshot task | Write | | | |
CancelReservedInstancesListing | Grants permission to cancel a Reserved Instance listing on the Reserved Instance Marketplace | Write | | | |
CancelSpotFleetRequests | Grants permission to cancel one or more Spot Fleet requests | Write | | | |
CancelSpotInstanceRequests | Grants permission to cancel one or more Spot Instance requests | Write | | | |
ConfirmProductInstance | Grants permission to determine whether an owned product code is associated with an instance | Write | | | |
CopyFpgaImage | Grants permission to copy a source Amazon FPGA image (AFI) to the current Region. Resource-level permissions specified for this action apply to the new AFI only. They do not apply to the source AFI | Write | | | |
CopyImage | Grants permission to copy an Amazon Machine Image (AMI) from a source Region to the current Region | Write | | | ec2:CreateTags |
CopySnapshot | Grants permission to copy a point-in-time snapshot of an EBS volume and store it in Amazon S3. Resource-level permissions specified for this action apply to the new snapshot only. They do not apply to the source snapshot | Write | | | ec2:CreateTags |
CreateCapacityReservation | Grants permission to create a Capacity Reservation | Write | | | ec2:CreateTags |
CreateCapacityReservationBySplitting | Grants permission to create a new Capacity Reservation by splitting the available capacity of the source Capacity Reservation | Write | | ec2:DestinationCapacityReservationId | ec2:CreateTags |
CreateCapacityReservationFleet | Grants permission to create a Capacity Reservation Fleet | Write | | | ec2:CreateCapacityReservation, ec2:CreateTags, ec2:DescribeCapacityReservations, ec2:DescribeInstances |
CreateCarrierGateway | Grants permission to create a carrier gateway and provides CSP connectivity to VPC customers | Write | | | ec2:CreateTags |
CreateClientVpnEndpoint | Grants permission to create a Client VPN endpoint | Write | | | ec2:CreateTags |
CreateClientVpnRoute | Grants permission to add a network route to a Client VPN endpoint's route table | Write | | | |
CreateCoipCidr | Grants permission to create a range of customer-owned IP (CoIP) addresses | Write | | | |
CreateCoipPool | Grants permission to create a pool of customer-owned IP (CoIP) addresses | Write | | | ec2:CreateTags |
CreateCoipPoolPermission [permission only] | Grants permission to allow a service to access a customer-owned IP (CoIP) pool | Write | | | |
CreateCustomerGateway | Grants permission to create a customer gateway, which provides information to AWS about your customer gateway device | Write | | | ec2:CreateTags |
CreateDefaultSubnet | Grants permission to create a default subnet in a specified Availability Zone in a default VPC | Write | | | |
CreateDefaultVpc | Grants permission to create a default VPC with a default subnet in each Availability Zone | Write | | | |
CreateDhcpOptions | Grants permission to create a set of DHCP options for a VPC | Write | | | ec2:CreateTags |
CreateEgressOnlyInternetGateway | Grants permission to create an egress-only internet gateway for a VPC | Write | | | ec2:CreateTags |
CreateFleet | Grants permission to launch an EC2 Fleet. Resource-level permissions for this action do not include the resources specified in a launch template. To specify resource-level permissions for resources specified in a launch template, you must include the resources in the RunInstances action statement | Write | | | ec2:CreateTags |
CreateFlowLogs | Grants permission to create one or more flow logs to capture IP traffic for a network interface | Write | | | ec2:CreateTags, ecs:ListClusters, ecs:ListContainerInstances, ecs:ListServices, ecs:ListTaskDefinitions, ecs:ListTasks, iam:PassRole |
CreateFpgaImage | Grants permission to create an Amazon FPGA Image (AFI) from a design checkpoint (DCP) | Write | | | ec2:CreateTags |
CreateImage | Grants permission to create an Amazon EBS-backed AMI from a stopped or running Amazon EBS-backed instance | Write | | | ec2:CreateTags |
CreateInstanceConnectEndpoint | Grants permission to create an EC2 Instance Connect Endpoint that allows you to connect to an instance without a public IPv4 address | Write | | | ec2:CreateTags |
CreateInstanceEventWindow | Grants permission to create an event window in which scheduled events for the associated Amazon EC2 instances can run | Write | | | ec2:CreateTags |
CreateInstanceExportTask | Grants permission to export a running or stopped instance to an Amazon S3 bucket | Write | | | ec2:CreateTags |
CreateInternetGateway | Grants permission to create an internet gateway for a VPC | Write | | | ec2:CreateTags |
CreateIpam | Grants permission to create an Amazon VPC IP Address Manager (IPAM) | Write | | | ec2:CreateTags, iam:CreateServiceLinkedRole |
CreateIpamExternalResourceVerificationToken | Grants permission to create a verification token, which proves ownership of an external resource | Write | | | ec2:CreateTags |
CreateIpamPool | Grants permission to create an IP address pool for Amazon VPC IP Address Manager (IPAM), which is a collection of contiguous IP address CIDRs | Write | | | ec2:CreateTags |
CreateIpamResourceDiscovery | Grants permission to create an IPAM resource discovery | Write | | | ec2:CreateTags, iam:CreateServiceLinkedRole |
CreateIpamScope | Grants permission to create an Amazon VPC IP Address Manager (IPAM) scope, which is the highest-level container within IPAM | Write | | | ec2:CreateTags |
CreateKeyPair | Grants permission to create a 2048-bit RSA key pair | Write | | | ec2:CreateTags |
CreateLaunchTemplate | Grants permission to create a launch template | Write | | | ec2:CreateTags, ssm:GetParameters |
CreateLaunchTemplateVersion | Grants permission to create a new version of a launch template | Write | | | ssm:GetParameters |
CreateLocalGatewayRoute | Grants permission to create a static route for a local gateway route table | Write | | | |
CreateLocalGatewayRouteTable | Grants permission to create a local gateway route table | Write | | | ec2:CreateTags |
CreateLocalGatewayRouteTablePermission [permission only] | Grants permission to allow a service to access a local gateway route table | Write | | | |
CreateLocalGatewayRouteTableVirtualInterfaceGroupAssociation | Grants permission to create a local gateway route table virtual interface group association | Write | local-gateway-route-table-virtual-interface-group-association* | | ec2:CreateTags |
CreateLocalGatewayRouteTableVpcAssociation | Grants permission to associate a VPC with a local gateway route table | Write | | | ec2:CreateTags |
CreateManagedPrefixList | Grants permission to create a managed prefix list | Write | | | ec2:CreateTags |
CreateNatGateway | Grants permission to create a NAT gateway in a subnet | Write | | | ec2:CreateTags |
CreateNetworkAcl | Grants permission to create a network ACL in a VPC | Write | | | ec2:CreateTags |
CreateNetworkAclEntry | Grants permission to create a numbered entry (a rule) in a network ACL | Write | | | |
CreateNetworkInsightsAccessScope | Grants permission to create a Network Access Scope | Write | | | ec2:CreateTags |
CreateNetworkInsightsPath | Grants permission to create a path to analyze for reachability | Write | | | ec2:CreateTags |
CreateNetworkInterface | Grants permission to create a network interface in a subnet | Write | | | ec2:CreateTags |
CreateNetworkInterfacePermission | Grants permission to create a permission for an AWS-authorized user to perform certain operations on a network interface | Permissions management | | | |
CreatePlacementGroup | Grants permission to create a placement group | Write | | | ec2:CreateTags |
CreatePublicIpv4Pool | Grants permission to create a public IPv4 address pool for public IPv4 CIDRs that you own and bring to Amazon to manage with Amazon VPC IP Address Manager (IPAM) | Write | | | ec2:CreateTags |
CreateReplaceRootVolumeTask | Grants permission to create a root volume replacement task | Write | | | ec2:CreateTags |
CreateReservedInstancesListing | Grants permission to create a listing for Standard Reserved Instances to be sold in the Reserved Instance Marketplace | Write | | | |
CreateRestoreImageTask | Grants permission to start a task that restores an AMI from an S3 object previously created by using CreateStoreImageTask | Write | | | ec2:CreateTags |
CreateRoute | Grants permission to create a route in a VPC route table | Write | | | |
CreateRouteTable | Grants permission to create a route table for a VPC | Write | | | ec2:CreateTags |
CreateSecurityGroup | Grants permission to create a security group | Write | | | ec2:CreateTags |
CreateSnapshot | Grants permission to create a snapshot of an EBS volume and store it in Amazon S3 | Write | | | ec2:CreateTags |
CreateSnapshots | Grants permission to create crash-consistent snapshots of multiple EBS volumes and store them in Amazon S3 | Write | | | ec2:CreateTags |
CreateSpotDatafeedSubscription | Grants permission to create a data feed for Spot Instances to view Spot Instance usage logs | Write | | | |
CreateStoreImageTask | Grants permission to store an AMI as a single object in an S3 bucket | Write | | | |
CreateSubnet | Grants permission to create a subnet in a VPC | Write | | | ec2:CreateTags |
CreateSubnetCidrReservation | Grants permission to create a subnet CIDR reservation | Write | | | |
CreateTags | Grants permission to add or overwrite one or more tags for Amazon EC2 resources | Tagging | local-gateway-route-table-virtual-interface-group-association | ec2:Phase1EncryptionAlgorithms | |
CreateTrafficMirrorFilter | Grants permission to create a traffic mirror filter | Write | | | ec2:CreateTags |
CreateTrafficMirrorFilterRule | Grants permission to create a traffic mirror filter rule | Write | | | ec2:CreateTags |
CreateTrafficMirrorSession | Grants permission to create a traffic mirror session | Write | | | ec2:CreateTags |
CreateTrafficMirrorTarget | Grants permission to create a traffic mirror target | Write | | | ec2:CreateTags |
CreateTransitGateway | Grants permission to create a transit gateway | Write | | | ec2:CreateTags |
CreateTransitGatewayConnect | Grants permission to create a Connect attachment from a specified transit gateway attachment | Write | | | ec2:CreateTags |
CreateTransitGatewayConnectPeer | Grants permission to create a Connect peer between a transit gateway and an appliance | Write | | | ec2:CreateTags |
CreateTransitGatewayMulticastDomain | Grants permission to create a multicast domain for a transit gateway | Write | | | ec2:CreateTags |
CreateTransitGatewayPeeringAttachment | Grants permission to request a transit gateway peering attachment between a requester and accepter transit gateway | Write | | | ec2:CreateTags |
CreateTransitGatewayPolicyTable | Grants permission to create a transit gateway policy table | Write | | | ec2:CreateTags |
CreateTransitGatewayPrefixListReference | Grants permission to create a transit gateway prefix list reference | Write | | | |
CreateTransitGatewayRoute | Grants permission to create a static route for a transit gateway route table | Write | | | |
CreateTransitGatewayRouteTable | Grants permission to create a route table for a transit gateway | Write | | | ec2:CreateTags |
CreateTransitGatewayRouteTableAnnouncement | Grants permission to create an announcement for a transit gateway route table | Write | | | ec2:CreateTags |
CreateTransitGatewayVpcAttachment | Grants permission to attach a VPC to a transit gateway | Write | | | ec2:CreateTags |
CreateVerifiedAccessEndpoint | Grants permission to create a Verified Access endpoint | Write | | | ec2:CreateTags |
CreateVerifiedAccessGroup | Grants permission to create a Verified Access group | Write | | | ec2:CreateTags |
CreateVerifiedAccessInstance | Grants permission to create a Verified Access instance | Write | | | ec2:CreateTags |
CreateVerifiedAccessTrustProvider | Grants permission to create a verified trust provider | Write | | | ec2:CreateTags |
CreateVolume | Grants permission to create an EBS volume | Write | | | ec2:CreateTags |
CreateVpc | Grants permission to create a VPC with a specified CIDR block | Write | | | ec2:CreateTags |
CreateVpcEndpoint | Grants permission to create a VPC endpoint for an AWS service | Write | | | ec2:CreateTags, route53:AssociateVPCWithHostedZone |
CreateVpcEndpointConnectionNotification | Grants permission to create a connection notification for a VPC endpoint or VPC endpoint service | Write | | | |
CreateVpcEndpointServiceConfiguration | Grants permission to create a VPC endpoint service configuration to which service consumers (AWS accounts, IAM users, and IAM roles) can connect | Write | | | ec2:CreateTags |
CreateVpcPeeringConnection | Grants permission to request a VPC peering connection between two VPCs | Write | | | ec2:CreateTags |
CreateVpnConnection | Grants permission to create a VPN connection between a virtual private gateway or transit gateway and a customer gateway | Write | | ec2:Phase1EncryptionAlgorithms | ec2:CreateTags |
CreateVpnConnectionRoute | Grants permission to create a static route for a VPN connection between a virtual private gateway and a customer gateway | Write | | | |
CreateVpnGateway | Grants permission to create a virtual private gateway | Write | | | ec2:CreateTags |
DeleteCarrierGateway | Grants permission to delete a carrier gateway | Write | | | |
DeleteClientVpnEndpoint | Grants permission to delete a Client VPN endpoint | Write | | | |
DeleteClientVpnRoute | Grants permission to delete a route from a Client VPN endpoint | Write | | | |
DeleteCoipCidr | Grants permission to delete a range of customer-owned IP (CoIP) addresses | Write | | | |
DeleteCoipPool | Grants permission to delete a pool of customer-owned IP (CoIP) addresses | Write | | | |
DeleteCoipPoolPermission [permission only] | Grants permission to deny a service from accessing a customer-owned IP (CoIP) pool | Write | | | |
DeleteCustomerGateway | Grants permission to delete a customer gateway | Write | | | |
DeleteDhcpOptions | Grants permission to delete a set of DHCP options | Write | | | |
DeleteEgressOnlyInternetGateway | Grants permission to delete an egress-only internet gateway | Write | | | |
DeleteFleets | Grants permission to delete one or more EC2 Fleets | Write | | | |
DeleteFlowLogs | Grants permission to delete one or more flow logs | Write | | | |
DeleteFpgaImage | Grants permission to delete an Amazon FPGA Image (AFI) | Write | | | |
DeleteInstanceConnectEndpoint | Grants permission to delete an EC2 Instance Connect Endpoint | Write | | | |
DeleteInstanceEventWindow | Grants permission to delete the specified event window | Write | | | |
DeleteInternetGateway | Grants permission to delete an internet gateway | Write | | | |
DeleteIpam | Grants permission to delete an Amazon VPC IP Address Manager (IPAM) and remove all monitored data associated with the IPAM including the historical data for CIDRs | Write | | | |
DeleteIpamExternalResourceVerificationToken | Grants permission to delete a verification token, which proves ownership of an external resource | Write | | | |
DeleteIpamPool | Grants permission to delete an Amazon VPC IP Address Manager (IPAM) pool | Write | | | |
DeleteIpamResourceDiscovery | Grants permission to delete an IPAM resource discovery | Write | | | |
DeleteIpamScope | Grants permission to delete the scope for an Amazon VPC IP Address Manager (IPAM) | Write | | | |
DeleteKeyPair | Grants permission to delete a key pair by removing the public key from Amazon EC2 | Write | | | |
DeleteLaunchTemplate | Grants permission to delete a launch template and its associated versions | Write | | | |
DeleteLaunchTemplateVersions | Grants permission to delete one or more versions of a launch template | Write | | | |
DeleteLocalGatewayRoute | Grants permission to delete a route from a local gateway route table | Write | | | |
DeleteLocalGatewayRouteTable | Grants permission to delete a local gateway route table | Write | | | |
DeleteLocalGatewayRouteTablePermission [permission only] | Grants permission to deny a service from accessing a local gateway route table | Write | | | |
DeleteLocalGatewayRouteTableVirtualInterfaceGroupAssociation | Grants permission to delete a local gateway route table virtual interface group association | Write | local-gateway-route-table-virtual-interface-group-association* | | |
DeleteLocalGatewayRouteTableVpcAssociation | Grants permission to delete an association between a VPC and local gateway route table | Write | | | |
DeleteManagedPrefixList | Grants permission to delete a managed prefix list | Write | | | |
DeleteNatGateway | Grants permission to delete a NAT gateway | Write | | | |
DeleteNetworkAcl | Grants permission to delete a network ACL | Write | | | |
DeleteNetworkAclEntry | Grants permission to delete an inbound or outbound entry (rule) from a network ACL | Write | | | |
DeleteNetworkInsightsAccessScope | Grants permission to delete a Network Access Scope | Write | | | |
DeleteNetworkInsightsAccessScopeAnalysis | Grants permission to delete a Network Access Scope analysis | Write | | | |
DeleteNetworkInsightsAnalysis | Grants permission to delete a network insights analysis | Write | | | |
DeleteNetworkInsightsPath | Grants permission to delete a network insights path | Write | | | |
DeleteNetworkInterface | Grants permission to delete a detached network interface | Write | | | |
DeleteNetworkInterfacePermission | Grants permission to delete a permission that is associated with a network interface | Permissions management | | | |
DeletePlacementGroup | Grants permission to delete a placement group | Write | | | |
DeletePublicIpv4Pool | Grants permission to delete a public IPv4 address pool for public IPv4 CIDRs that you own and brought to Amazon to manage with Amazon VPC IP Address Manager (IPAM) | Write | | | |
DeleteQueuedReservedInstances | Grants permission to delete the queued purchases for the specified Reserved Instances | Write | | | |
DeleteResourcePolicy [permission only] | Grants permission to remove an IAM policy that enables cross-account sharing from a resource | Write | | | |
DeleteRoute | Grants permission to delete a route from a route table | Write | | | |
DeleteRouteTable | Grants permission to delete a route table | Write | | | |
DeleteSecurityGroup | Grants permission to delete a security group | Write | | | |
DeleteSnapshot | Grants permission to delete a snapshot of an EBS volume | Write | | | |
DeleteSpotDatafeedSubscription | Grants permission to delete a data feed for Spot Instances | Write | | | |
DeleteSubnet | Grants permission to delete a subnet | Write | | | |
DeleteSubnetCidrReservation | Grants permission to delete a subnet CIDR reservation | Write | | | |
DeleteTags | Grants permission to delete one or more tags from Amazon EC2 resources | Tagging | local-gateway-route-table-virtual-interface-group-association | | |
DeleteTrafficMirrorFilter | Grants permission to delete a traffic mirror filter | Write | | | |
DeleteTrafficMirrorFilterRule | Grants permission to delete a traffic mirror filter rule | Write | | | |
DeleteTrafficMirrorSession | Grants permission to delete a traffic mirror session | Write | | | |
DeleteTrafficMirrorTarget | Grants permission to delete a traffic mirror target | Write | | | |
DeleteTransitGateway | Grants permission to delete a transit gateway | Write | | | |
DeleteTransitGatewayConnect | Grants permission to delete a transit gateway connect attachment | Write | | | |
DeleteTransitGatewayConnectPeer | Grants permission to delete a transit gateway connect peer | Write | | | |
DeleteTransitGatewayMulticastDomain | Grants permission to delete a transit gateway multicast domain | Write | | | |
DeleteTransitGatewayPeeringAttachment | Grants permission to delete a peering attachment from a transit gateway | Write | | | |
DeleteTransitGatewayPolicyTable | Grants permission to delete a transit gateway policy table | Write | | | |
DeleteTransitGatewayPrefixListReference | Grants permission to delete a transit gateway prefix list reference | Write | | | |
DeleteTransitGatewayRoute | Grants permission to delete a route from a transit gateway route table | Write | | | |
DeleteTransitGatewayRouteTable | Grants permission to delete a transit gateway route table | Write | | | |
DeleteTransitGatewayRouteTableAnnouncement | Grants permission to delete a transit gateway route table announcement | Write | | | |
DeleteTransitGatewayVpcAttachment | Grants permission to delete a VPC attachment from a transit gateway | Write | | | |
DeleteVerifiedAccessEndpoint | Grants permission to delete a Verified Access endpoint | Write | | | |
DeleteVerifiedAccessGroup | Grants permission to delete a Verified Access group | Write | | | |
DeleteVerifiedAccessInstance | Grants permission to delete a Verified Access instance | Write | | | |
DeleteVerifiedAccessTrustProvider | Grants permission to delete a verified trust provider | Write | | | |
DeleteVolume | Grants permission to delete an EBS volume | Write | | | |
DeleteVpc | Grants permission to delete a VPC | Write | | | |
DeleteVpcEndpointConnectionNotifications | Grants permission to delete one or more VPC endpoint connection notifications | Write | | | |
DeleteVpcEndpointServiceConfigurations | Grants permission to delete one or more VPC endpoint service configurations | Write | | | |
DeleteVpcEndpoints | Grants permission to delete one or more VPC endpoints | Write | | | |
DeleteVpcPeeringConnection | Grants permission to delete a VPC peering connection | Write | | | |
DeleteVpnConnection | Grants permission to delete a VPN connection | Write | | | |
DeleteVpnConnectionRoute | Grants permission to delete a static route for a VPN connection between a virtual private gateway and a customer gateway | Write | | | |
DeleteVpnGateway | Grants permission to delete a virtual private gateway | Write | | | |
DeprovisionByoipCidr | Grants permission to release an IP address range that was provisioned through bring your own IP addresses (BYOIP), and to delete the corresponding address pool | Write | | | |
DeprovisionIpamByoasn | Grants permission to deprovision an Autonomous System Number (ASN) from an Amazon Web Services account | Write | | | |
DeprovisionIpamPoolCidr | Grants permission to deprovision a CIDR provisioned from an Amazon VPC IP Address Manager (IPAM) pool | Write | | | |
DeprovisionPublicIpv4PoolCidr | Grants permission to deprovision a CIDR from a public IPv4 pool | Write | | | |
DeregisterImage | Grants permission to deregister an Amazon Machine Image (AMI) | Write | | | |
DeregisterInstanceEventNotificationAttributes | Grants permission to remove tags from the set of tags to include in notifications about scheduled events for your instances | Write | | | |
DeregisterTransitGatewayMulticastGroupMembers | Grants permission to deregister one or more network interface members from a group IP address in a transit gateway multicast domain | Write | | | |
DeregisterTransitGatewayMulticastGroupSources | Grants permission to deregister one or more network interface sources from a group IP address in a transit gateway multicast domain | Write | | | |
DescribeAccountAttributes | Grants permission to describe the attributes of the AWS account | List | | | |
DescribeAddressTransfers | Grants permission to describe an Elastic IP address transfer | List | | | |
DescribeAddresses | Grants permission to describe one or more Elastic IP addresses | List | | | |
DescribeAddressesAttribute | Grants permission to describe the attributes of the specified Elastic IP addresses | List | | | |
DescribeAggregateIdFormat | Grants permission to describe the longer ID format settings for all resource types | List | | | |
DescribeAvailabilityZones | Grants permission to describe one or more of the Availability Zones that are available to you | List | | | |
DescribeAwsNetworkPerformanceMetricSubscriptions | Grants permission to describe the current infrastructure performance metric subscriptions | List | | | |
DescribeBundleTasks | Grants permission to describe one or more bundling tasks | List | | | |
DescribeByoipCidrs | Grants permission to describe the IP address ranges that were provisioned through bring your own IP addresses (BYOIP) | List | | | |
DescribeCapacityBlockOfferings | Grants permission to describe Capacity Block offerings available for purchase | List | | | |
DescribeCapacityReservationBillingRequests | Grants permission to describe one or more requests to assign the billing of the unused capacity of a Capacity Reservation | List | | | |
DescribeCapacityReservationFleets | Grants permission to describe one or more Capacity Reservation Fleets | List | | | |
DescribeCapacityReservations | Grants permission to describe one or more Capacity Reservations | List | |||
DescribeCarrierGateways | Grants permission to describe one or more Carrier Gateways | List | |||
DescribeClassicLinkInstances | Grants permission to describe one or more linked EC2-Classic instances | List | |||
DescribeClientVpnAuthorizationRules | Grants permission to describe the authorization rules for a Client VPN endpoint | List | |||
DescribeClientVpnConnections | Grants permission to describe active client connections and connections that have been terminated within the last 60 minutes for a Client VPN endpoint | List | |||
DescribeClientVpnEndpoints | Grants permission to describe one or more Client VPN endpoints | List | |||
DescribeClientVpnRoutes | Grants permission to describe the routes for a Client VPN endpoint | List | |||
DescribeClientVpnTargetNetworks | Grants permission to describe the target networks that are associated with a Client VPN endpoint | List | |||
DescribeCoipPools | Grants permission to describe the specified customer-owned address pools or all of your customer-owned address pools | List | |||
DescribeConversionTasks | Grants permission to describe one or more conversion tasks | List | |||
DescribeCustomerGateways | Grants permission to describe one or more customer gateways | List | |||
DescribeDhcpOptions | Grants permission to describe one or more DHCP options sets | List | |||
DescribeEgressOnlyInternetGateways | Grants permission to describe one or more egress-only internet gateways | List | |||
DescribeElasticGpus | Grants permission to describe an Elastic Graphics accelerator that is associated with an instance | List | |||
DescribeExportImageTasks | Grants permission to describe one or more export image tasks | List | |||
DescribeExportTasks | Grants permission to describe one or more export instance tasks | List | |||
DescribeFastLaunchImages | Grants permission to describe fast-launch enabled Windows AMIs | List | |||
DescribeFastSnapshotRestores | Grants permission to describe the state of fast snapshot restores for snapshots | List | |||
DescribeFleetHistory | Grants permission to describe the events for an EC2 Fleet during a specified time | List | |||
DescribeFleetInstances | Grants permission to describe the running instances for an EC2 Fleet | List | |||
DescribeFleets | Grants permission to describe one or more EC2 Fleets | List | |||
DescribeFlowLogs | Grants permission to describe one or more flow logs | List | |||
DescribeFpgaImageAttribute | Grants permission to describe the attributes of an Amazon FPGA Image (AFI) | List | |||
DescribeFpgaImages | Grants permission to describe one or more Amazon FPGA Images (AFIs) | List | |||
DescribeHostReservationOfferings | Grants permission to describe the Dedicated Host Reservations that are available to purchase | List | |||
DescribeHostReservations | Grants permission to describe the Dedicated Host Reservations that are associated with Dedicated Hosts in the AWS account | List | |||
DescribeHosts | Grants permission to describe one or more Dedicated Hosts | List | |||
DescribeIamInstanceProfileAssociations | Grants permission to describe the IAM instance profile associations | List | |||
DescribeIdFormat | Grants permission to describe the ID format settings for resources | List | |||
DescribeIdentityIdFormat | Grants permission to describe the ID format settings for resources for an IAM user, IAM role, or root user | List | |||
DescribeImageAttribute | Grants permission to describe an attribute of an Amazon Machine Image (AMI) | List | |||
DescribeImages | Grants permission to describe one or more images (AMIs, AKIs, and ARIs) | List | |||
DescribeImportImageTasks | Grants permission to describe import virtual machine or import snapshot tasks | List | |||
DescribeImportSnapshotTasks | Grants permission to describe import snapshot tasks | List | |||
DescribeInstanceAttribute | Grants permission to describe the attributes of an instance | List | |||
DescribeInstanceConnectEndpoints | Grants permission to describe EC2 Instance Connect Endpoints | List | |||
DescribeInstanceCreditSpecifications | Grants permission to describe the credit option for CPU usage of one or more burstable performance instances | List | |||
DescribeInstanceEventNotificationAttributes | Grants permission to describe the set of tags to include in notifications about scheduled events for your instances | List | |||
DescribeInstanceEventWindows | Grants permission to describe the specified event windows or all event windows | List | |||
DescribeInstanceImageMetadata | Grants permission to describe the AMI that was used to launch an instance | List | |||
DescribeInstanceStatus | Grants permission to describe the status of one or more instances | List | |||
DescribeInstanceTopology | Grants permission to describe a tree-based hierarchy that represents the physical host placement of EC2 instances | List | |||
DescribeInstanceTypeOfferings | Grants permission to describe the set of instance types that are offered in a location | List | |||
DescribeInstanceTypes | Grants permission to describe the details of instance types that are offered in a location | List | |||
DescribeInstances | Grants permission to describe one or more instances | List | |||
DescribeInternetGateways | Grants permission to describe one or more internet gateways | List | |||
DescribeIpamByoasn | Grants permission to describe a bring your own Autonomous System Number (BYOASN) that you've brought to IPAM | List | |||
DescribeIpamExternalResourceVerificationTokens | Grants permission to describe verification tokens, which prove ownership of an external resource | List | |||
DescribeIpamPools | Grants permission to describe Amazon VPC IP Address Manager (IPAM) pools | List | |||
DescribeIpamResourceDiscoveries | Grants permission to describe IPAM resource discoveries | List | |||
DescribeIpamResourceDiscoveryAssociations | Grants permission to describe resource discovery associations with an Amazon VPC IPAM | List | |||
DescribeIpamScopes | Grants permission to describe Amazon VPC IP Address Manager (IPAM) scopes | List | |||
DescribeIpams | Grants permission to describe an Amazon VPC IP Address Manager (IPAM) | List | |||
DescribeIpv6Pools | Grants permission to describe one or more IPv6 address pools | List | |||
DescribeKeyPairs | Grants permission to describe one or more key pairs | List | |||
DescribeLaunchTemplateVersions | Grants permission to describe one or more launch template versions | List | ssm:GetParameters | ||
DescribeLaunchTemplates | Grants permission to describe one or more launch templates | List | |||
DescribeLocalGatewayRouteTablePermissions [permission only] | Grants permission to allow a service to describe local gateway route table permissions | List | |||
DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations | Grants permission to describe the associations between virtual interface groups and local gateway route tables | List | |||
DescribeLocalGatewayRouteTableVpcAssociations | Grants permission to describe an association between VPCs and local gateway route tables | List | |||
DescribeLocalGatewayRouteTables | Grants permission to describe one or more local gateway route tables | List | |||
DescribeLocalGatewayVirtualInterfaceGroups | Grants permission to describe local gateway virtual interface groups | List | |||
DescribeLocalGatewayVirtualInterfaces | Grants permission to describe local gateway virtual interfaces | List | |||
DescribeLocalGateways | Grants permission to describe one or more local gateways | List | |||
DescribeLockedSnapshots | Grants permission to describe the lock status for a snapshot | List | |||
DescribeMacHosts | Grants permission to describe your EC2 Mac Dedicated Hosts | List | |||
DescribeManagedPrefixLists | Grants permission to describe your managed prefix lists and any AWS-managed prefix lists | List | |||
DescribeMovingAddresses | Grants permission to describe Elastic IP addresses that are being moved to the EC2-VPC platform | List | |||
DescribeNatGateways | Grants permission to describe one or more NAT gateways | List | |||
DescribeNetworkAcls | Grants permission to describe one or more network ACLs | List | |||
DescribeNetworkInsightsAccessScopeAnalyses | Grants permission to describe one or more Network Access Scope analyses | List | |||
DescribeNetworkInsightsAccessScopes | Grants permission to describe the Network Access Scopes | List | |||
DescribeNetworkInsightsAnalyses | Grants permission to describe one or more network insights analyses | List | |||
DescribeNetworkInsightsPaths | Grants permission to describe one or more network insights paths | List | |||
DescribeNetworkInterfaceAttribute | Grants permission to describe a network interface attribute | List | |||
DescribeNetworkInterfacePermissions | Grants permission to describe the permissions that are associated with a network interface | List | |||
DescribeNetworkInterfaces | Grants permission to describe one or more network interfaces | List | |||
DescribePlacementGroups | Grants permission to describe one or more placement groups | List | |||
DescribePrefixLists | Grants permission to describe available AWS services in a prefix list format | List | |||
DescribePrincipalIdFormat | Grants permission to describe the ID format settings for the root user and all IAM roles and IAM users that have explicitly specified a longer ID (17-character ID) preference | List | |||
DescribePublicIpv4Pools | Grants permission to describe one or more IPv4 address pools | List | |||
DescribeRegions | Grants permission to describe one or more AWS Regions that are currently available in your account | List | |||
DescribeReplaceRootVolumeTasks | Grants permission to describe a root volume replacement task | List | |||
DescribeReservedInstances | Grants permission to describe one or more purchased Reserved Instances in your account | List | |||
DescribeReservedInstancesListings | Grants permission to describe your account's Reserved Instance listings in the Reserved Instance Marketplace | List | |||
DescribeReservedInstancesModifications | Grants permission to describe the modifications made to one or more Reserved Instances | List | |||
DescribeReservedInstancesOfferings | Grants permission to describe the Reserved Instance offerings that are available for purchase | List | |||
DescribeRouteTables | Grants permission to describe one or more route tables | List | |||
DescribeScheduledInstanceAvailability | Grants permission to find available schedules for Scheduled Instances | List | |||
DescribeScheduledInstances | Grants permission to describe one or more Scheduled Instances in your account | List | |||
DescribeSecurityGroupReferences | Grants permission to describe the VPCs on the other side of a VPC peering connection that are referencing specified VPC security groups | List | |||
DescribeSecurityGroupRules | Grants permission to describe one or more of your security group rules | List | |||
DescribeSecurityGroupVpcAssociations | Grants permission to describe security group VPC associations | List | |||
DescribeSecurityGroups | Grants permission to describe one or more security groups | List | |||
DescribeSnapshotAttribute | Grants permission to describe an attribute of a snapshot | List | |||
DescribeSnapshotTierStatus | Grants permission to describe the storage tier status for Amazon EBS snapshots | List | |||
DescribeSnapshots | Grants permission to describe one or more EBS snapshots | List | |||
DescribeSpotDatafeedSubscription | Grants permission to describe the data feed for Spot Instances | List | |||
DescribeSpotFleetInstances | Grants permission to describe the running instances for a Spot Fleet | List | |||
DescribeSpotFleetRequestHistory | Grants permission to describe the events for a Spot Fleet request during a specified time | List | |||
DescribeSpotFleetRequests | Grants permission to describe one or more Spot Fleet requests | List | |||
DescribeSpotInstanceRequests | Grants permission to describe one or more Spot Instance requests | List | |||
DescribeSpotPriceHistory | Grants permission to describe the Spot Instance price history | List | |||
DescribeStaleSecurityGroups | Grants permission to describe the stale security group rules for security groups in a specified VPC | List | |||
DescribeStoreImageTasks | Grants permission to describe the progress of the AMI store tasks | List | |||
DescribeSubnets | Grants permission to describe one or more subnets | List | |||
DescribeTags | Grants permission to describe one or more tags for an Amazon EC2 resource | List | |||
DescribeTrafficMirrorFilterRules | Grants permission to describe traffic mirror filters that determine the traffic that is mirrored | List | |||
DescribeTrafficMirrorFilters | Grants permission to describe one or more traffic mirror filters | List | |||
DescribeTrafficMirrorSessions | Grants permission to describe one or more traffic mirror sessions | List | |||
DescribeTrafficMirrorTargets | Grants permission to describe one or more traffic mirror targets | List | |||
DescribeTransitGatewayAttachments | Grants permission to describe one or more attachments between resources and transit gateways | List | |||
DescribeTransitGatewayConnectPeers | Grants permission to describe one or more transit gateway connect peers | List | |||
DescribeTransitGatewayConnects | Grants permission to describe one or more transit gateway connect attachments | List | |||
DescribeTransitGatewayMulticastDomains | Grants permission to describe one or more transit gateway multicast domains | List | |||
DescribeTransitGatewayPeeringAttachments | Grants permission to describe one or more transit gateway peering attachments | List | |||
DescribeTransitGatewayPolicyTables | Grants permission to describe a transit gateway policy table | List | |||
DescribeTransitGatewayRouteTableAnnouncements | Grants permission to describe a transit gateway route table announcement | List | |||
DescribeTransitGatewayRouteTables | Grants permission to describe one or more transit gateway route tables | List | |||
DescribeTransitGatewayVpcAttachments | Grants permission to describe one or more VPC attachments on a transit gateway | List | |||
DescribeTransitGateways | Grants permission to describe one or more transit gateways | List | |||
DescribeTrunkInterfaceAssociations | Grants permission to describe one or more network interface trunk associations | List | |||
DescribeVerifiedAccessEndpoints | Grants permission to describe the specified Verified Access endpoints or all Verified Access endpoints | List | |||
DescribeVerifiedAccessGroups | Grants permission to describe the specified Verified Access groups or all Verified Access groups | List | |||
DescribeVerifiedAccessInstanceLoggingConfigurations | Grants permission to describe the current logging configuration for the Verified Access instances | List | |||
DescribeVerifiedAccessInstanceWebAclAssociations [permission only] | Grants permission to describe the AWS Web Application Firewall (WAF) web access control list (ACL) associations for a Verified Access instance | List | |||
DescribeVerifiedAccessInstances | Grants permission to describe the specified Verified Access instances or all Verified Access instances | List | |||
DescribeVerifiedAccessTrustProviders | Grants permission to describe details of existing Verified Access trust providers | List | |||
DescribeVolumeAttribute | Grants permission to describe an attribute of an EBS volume | List | |||
DescribeVolumeStatus | Grants permission to describe the status of one or more EBS volumes | List | |||
DescribeVolumes | Grants permission to describe one or more EBS volumes | List | |||
DescribeVolumesModifications | Grants permission to describe the current modification status of one or more EBS volumes | List | |||
DescribeVpcAttribute | Grants permission to describe an attribute of a VPC | List | |||
DescribeVpcClassicLink | Grants permission to describe the ClassicLink status of one or more VPCs | List | |||
DescribeVpcClassicLinkDnsSupport | Grants permission to describe the ClassicLink DNS support status of one or more VPCs | List | |||
DescribeVpcEndpointConnectionNotifications | Grants permission to describe the connection notifications for VPC endpoints and VPC endpoint services | List | |||
DescribeVpcEndpointConnections | Grants permission to describe the VPC endpoint connections to your VPC endpoint services | List | |||
DescribeVpcEndpointServiceConfigurations | Grants permission to describe VPC endpoint service configurations (your services) | List | |||
DescribeVpcEndpointServicePermissions | Grants permission to describe the principals (service consumers) that are permitted to discover your VPC endpoint service | List | |||
DescribeVpcEndpointServices | Grants permission to describe all supported AWS services that can be specified when creating a VPC endpoint | List | |||
DescribeVpcEndpoints | Grants permission to describe one or more VPC endpoints | List | |||
DescribeVpcPeeringConnections | Grants permission to describe one or more VPC peering connections | List | |||
DescribeVpcs | Grants permission to describe one or more VPCs | List | |||
DescribeVpnConnections | Grants permission to describe one or more VPN connections | List | |||
DescribeVpnGateways | Grants permission to describe one or more virtual private gateways | List | |||
DetachClassicLinkVpc | Grants permission to unlink (detach) a linked EC2-Classic instance from a VPC | Write | |||
DetachInternetGateway | Grants permission to detach an internet gateway from a VPC | Write | |||
DetachNetworkInterface | Grants permission to detach a network interface from an instance | Write | |||
DetachVerifiedAccessTrustProvider | Grants permission to detach a trust provider from a Verified Access instance | Write | |||
DetachVolume | Grants permission to detach an EBS volume from an instance | Write | |||
DetachVpnGateway | Grants permission to detach a virtual private gateway from a VPC | Write | |||
DisableAddressTransfer | Grants permission to disable Elastic IP address transfer | Write | |||
DisableAwsNetworkPerformanceMetricSubscription | Grants permission to disable infrastructure performance metric subscriptions | Write | |||
DisableEbsEncryptionByDefault | Grants permission to disable EBS encryption by default for your account | Write | |||
DisableFastLaunch | Grants permission to disable faster launching for Windows AMIs | Write | |||
DisableFastSnapshotRestores | Grants permission to disable fast snapshot restores for one or more snapshots in specified Availability Zones | Write | |||
DisableImage | Grants permission to disable an AMI | Write | |||
DisableImageBlockPublicAccess | Grants permission to disable block public access for AMIs at the account level in the specified AWS Region | Write | |||
DisableImageDeprecation | Grants permission to cancel the deprecation of the specified AMI | Write | |||
DisableImageDeregistrationProtection | Grants permission to disable deregistration protection for an AMI. When deregistration protection is disabled, the AMI can be deregistered | Write | |||
DisableIpamOrganizationAdminAccount | Grants permission to disable an AWS Organizations member account as an Amazon VPC IP Address Manager (IPAM) admin account | Write | organizations:DeregisterDelegatedAdministrator | ||
DisableSerialConsoleAccess | Grants permission to disable access to the EC2 serial console of all instances for your account | Write | |||
DisableSnapshotBlockPublicAccess | Grants permission to disable the block public access for snapshots setting for a Region | Write | |||
DisableTransitGatewayRouteTablePropagation | Grants permission to disable a resource attachment from propagating routes to the specified propagation route table | Write | |||
DisableVgwRoutePropagation | Grants permission to disable a virtual private gateway from propagating routes to a specified route table of a VPC | Write | |||
DisableVpcClassicLink | Grants permission to disable ClassicLink for a VPC | Write | |||
DisableVpcClassicLinkDnsSupport | Grants permission to disable ClassicLink DNS support for a VPC | Write | |||
DisassociateAddress | Grants permission to disassociate an Elastic IP address from an instance or network interface | Write | |||
DisassociateCapacityReservationBillingOwner | Grants permission to cancel a pending request to assign billing of the unused capacity of a Capacity Reservation to a consumer account | Write | ec2:DestinationCapacityReservationId | ||
DisassociateClientVpnTargetNetwork | Grants permission to disassociate a target network from a Client VPN endpoint | Write | |||
DisassociateEnclaveCertificateIamRole | Grants permission to disassociate an ACM certificate from an IAM role | Write | |||
DisassociateIamInstanceProfile | Grants permission to disassociate an IAM instance profile from a running or stopped instance | Write | |||
DisassociateInstanceEventWindow | Grants permission to disassociate one or more targets from an event window | Write | |||
DisassociateIpamByoasn | Grants permission to disassociate an Autonomous System Number (ASN) from a BYOIP CIDR | Write | |||
DisassociateIpamResourceDiscovery | Grants permission to disassociate a resource discovery from an Amazon VPC IPAM | Write | |||
DisassociateNatGatewayAddress | Grants permission to disassociate a secondary Elastic IP address from a public NAT gateway | Write | |||
DisassociateRouteTable | Grants permission to disassociate a subnet from a route table | Write | |||
DisassociateSecurityGroupVpc | Grants permission to disassociate a security group from a VPC | Write | |||
DisassociateSubnetCidrBlock | Grants permission to disassociate a CIDR block from a subnet | Write | |||
DisassociateTransitGatewayMulticastDomain | Grants permission to disassociate one or more subnets from a transit gateway multicast domain | Write | |||
DisassociateTransitGatewayPolicyTable | Grants permission to disassociate a policy table from a transit gateway | Write | |||
DisassociateTransitGatewayRouteTable | Grants permission to disassociate a resource attachment from a transit gateway route table | Write | |||
DisassociateTrunkInterface | Grants permission to disassociate a branch network interface from a trunk network interface | Write | |||
DisassociateVerifiedAccessInstanceWebAcl [permission only] | Grants permission to disassociate an AWS Web Application Firewall (WAF) web access control list (ACL) from a Verified Access instance | Write | |||
DisassociateVpcCidrBlock | Grants permission to disassociate a CIDR block from a VPC | Write | |||
EnableAddressTransfer | Grants permission to enable Elastic IP address transfer | Write | |||
EnableAwsNetworkPerformanceMetricSubscription | Grants permission to enable infrastructure performance subscriptions | Write | |||
EnableEbsEncryptionByDefault | Grants permission to enable EBS encryption by default for your account | Write | |||
EnableFastLaunch | Grants permission to enable faster launching for Windows AMIs | Write | ec2:CreateLaunchTemplate ec2:CreateSnapshot ec2:CreateTags ec2:DeleteSnapshot ec2:DescribeImages ec2:DescribeInstanceAttribute ec2:DescribeInstanceStatus ec2:DescribeInstanceTypeOfferings ec2:DescribeInstances ec2:DescribeLaunchTemplateVersions ec2:DescribeLaunchTemplates ec2:DescribeSnapshots ec2:DescribeSubnets ec2:RunInstances ec2:StopInstances ec2:TerminateInstances iam:PassRole | ||
EnableFastSnapshotRestores | Grants permission to enable fast snapshot restores for one or more snapshots in specified Availability Zones | Write | |||
EnableImage | Grants permission to re-enable a disabled AMI | Write | |||
EnableImageBlockPublicAccess | Grants permission to enable block public access for AMIs at the account level in the specified AWS Region | Write | |||
EnableImageDeprecation | Grants permission to enable deprecation of the specified AMI at the specified date and time | Write | |||
EnableImageDeregistrationProtection | Grants permission to enable deregistration protection for an AMI. When deregistration protection is enabled, the AMI can't be deregistered | Write | |||
EnableIpamOrganizationAdminAccount | Grants permission to enable an AWS Organizations member account as an Amazon VPC IP Address Manager (IPAM) admin account | Write | iam:CreateServiceLinkedRole organizations:EnableAWSServiceAccess organizations:RegisterDelegatedAdministrator | ||
EnableReachabilityAnalyzerOrganizationSharing | Grants permission to enable organization sharing of Reachability Analyzer | Write | iam:CreateServiceLinkedRole organizations:EnableAWSServiceAccess | ||
EnableSerialConsoleAccess | Grants permission to enable access to the EC2 serial console of all instances for your account | Write | |||
EnableSnapshotBlockPublicAccess | Grants permission to enable or modify the block public access for snapshots setting for a Region | Write | |||
EnableTransitGatewayRouteTablePropagation | Grants permission to enable an attachment to propagate routes to a propagation route table | Write | |||
EnableVgwRoutePropagation | Grants permission to enable a virtual private gateway to propagate routes to a VPC route table | Write | |||
EnableVolumeIO | Grants permission to enable I/O operations for a volume that had I/O operations disabled | Write | |||
EnableVpcClassicLink | Grants permission to enable a VPC for ClassicLink | Write | |||
EnableVpcClassicLinkDnsSupport | Grants permission to enable a VPC to support DNS hostname resolution for ClassicLink | Write | |||
ExportClientVpnClientCertificateRevocationList | Grants permission to download the client certificate revocation list for a Client VPN endpoint | Read | |||
ExportClientVpnClientConfiguration | Grants permission to download the contents of the Client VPN endpoint configuration file for a Client VPN endpoint | Read |