Actions, resources, and condition keys for Amazon EC2
Amazon EC2 (service prefix: ec2) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
- Learn how to configure this service.
- View a list of the API operations available for this service.
- Learn how to secure this service and its resources by using IAM permission policies.
Actions defined by Amazon EC2
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. Each resource type in the Resource types table has a Condition keys column, which lists the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
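As an added illustration (not part of the AWS page), the policy below applies the rules above to actions from the table: DescribeAddresses lists no resource type, so it is allowed only on "*"; AuthorizeSecurityGroupIngress and AuthorizeSecurityGroupEgress are scoped to one security group ARN plus the security-group-rule resources they create; and their dependent action ec2:CreateTags is granted separately, narrowed with the ec2:CreateAction condition key (not listed in this excerpt) so it cannot be used as a general tagging permission. The account ID, Region and security group ID are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "NoResourceTypeSoWildcardRequired",
      "Effect": "Allow",
      "Action": "ec2:DescribeAddresses",
      "Resource": "*"
    },
    {
      "Sid": "RuleChangesOnOneSecurityGroup",
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress"
      ],
      "Resource": [
        "arn:aws:ec2:us-east-1:111122223333:security-group/sg-0123456789abcdef0",
        "arn:aws:ec2:us-east-1:111122223333:security-group-rule/*"
      ]
    },
    {
      "Sid": "DependentActionLimitedToRuleCreation",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:us-east-1:111122223333:security-group-rule/*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": [
            "AuthorizeSecurityGroupIngress",
            "AuthorizeSecurityGroupEgress"
          ]
        }
      }
    }
  ]
}
```

Without the third statement, a request that includes TagSpecifications is denied on the ec2:CreateTags dependency even though the rule action itself is allowed; as the table notes, the security-group-rule resource-level permission is only enforced when TagSpecifications is present, so the security-group ARN is the control that always applies.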
Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
---|---|---|---|---|---|
AcceptAddressTransfer | Grants permission to accept an Elastic IP address transfer | Write | | | ec2:CreateTags |
AcceptCapacityReservationBillingOwnership | Grants permission to accept assign billing of the available capacity of a shared Capacity Reservation to the calling account | Write | | ec2:DestinationCapacityReservationId | |
AcceptReservedInstancesExchangeQuote | Grants permission to accept a Convertible Reserved Instance exchange quote | Write | |||
AcceptTransitGatewayMulticastDomainAssociations | Grants permission to accept a request to associate subnets with a transit gateway multicast domain | Write | |||
AcceptTransitGatewayPeeringAttachment | Grants permission to accept a transit gateway peering attachment request | Write | |||
AcceptTransitGatewayVpcAttachment | Grants permission to accept a request to attach a VPC to a transit gateway | Write | |||
AcceptVpcEndpointConnections | Grants permission to accept one or more interface VPC endpoint connections to your VPC endpoint service | Write | |||
AcceptVpcPeeringConnection | Grants permission to accept a VPC peering connection request | Write | |||
AdvertiseByoipCidr | Grants permission to advertise an IP address range that is provisioned for use in AWS through bring your own IP addresses (BYOIP) | Write | |||
AllocateAddress | Grants permission to allocate an Elastic IP address (EIP) to your account | Write | | | ec2:CreateTags |
AllocateHosts | Grants permission to allocate a Dedicated Host to your account | Write | | | ec2:CreateTags |
AllocateIpamPoolCidr | Grants permission to allocate a CIDR from an Amazon VPC IP Address Manager (IPAM) pool | Write | |||
ApplySecurityGroupsToClientVpnTargetNetwork | Grants permission to apply a security group to the association between a Client VPN endpoint and a target network | Write | |||
AssignIpv6Addresses | Grants permission to assign one or more IPv6 addresses to a network interface | Write | |||
AssignPrivateIpAddresses | Grants permission to assign one or more secondary private IP addresses to a network interface | Write | |||
AssignPrivateNatGatewayAddress | Grants permission to assign one or more secondary private IP addresses to a private NAT gateway | Write | |||
AssociateAddress | Grants permission to associate an Elastic IP address (EIP) with an instance or a network interface | Write | |||
AssociateCapacityReservationBillingOwner | Grants permission to assign billing of the unused capacity of a shared Capacity Reservation to a consumer account | Write | | ec2:DestinationCapacityReservationId | |
AssociateClientVpnTargetNetwork | Grants permission to associate a target network with a Client VPN endpoint | Write | |||
AssociateDhcpOptions | Grants permission to associate or disassociate a set of DHCP options with a VPC | Write | |||
AssociateEnclaveCertificateIamRole | Grants permission to associate an ACM certificate with an IAM role to be used in an EC2 Enclave | Write | |||
AssociateIamInstanceProfile | Grants permission to associate an IAM instance profile with a running or stopped instance | Write | | | iam:PassRole |
AssociateInstanceEventWindow | Grants permission to associate one or more targets with an event window | Write | |||
AssociateIpamByoasn | Grants permission to associate an Autonomous System Number (ASN) with a BYOIP CIDR | Write | |||
AssociateIpamResourceDiscovery | Grants permission to associate an IPAM resource discovery with an Amazon VPC IPAM | Write | | | ec2:CreateTags |
AssociateNatGatewayAddress | Grants permission to associate an Elastic IP address and private IP address with a public NAT gateway | Write | |||
AssociateRouteTable | Grants permission to associate a subnet or gateway with a route table | Write | |||
AssociateSecurityGroupVpc | Grants permission to associate a security group with another VPC in the same Region | Write | |||
AssociateSubnetCidrBlock | Grants permission to associate a CIDR block with a subnet | Write | |||
AssociateTransitGatewayMulticastDomain | Grants permission to associate an attachment and list of subnets with a transit gateway multicast domain | Write | |||
AssociateTransitGatewayPolicyTable | Grants permission to associate a policy table with a transit gateway attachment | Write | |||
AssociateTransitGatewayRouteTable | Grants permission to associate an attachment with a transit gateway route table | Write | |||
AssociateTrunkInterface | Grants permission to associate a branch network interface with a trunk network interface | Write | |||
AssociateVerifiedAccessInstanceWebAcl [permission only] | Grants permission to associate an AWS Web Application Firewall (WAF) web access control list (ACL) with a Verified Access instance | Write | |||
AssociateVpcCidrBlock | Grants permission to associate a CIDR block with a VPC | Write | |||
AttachClassicLinkVpc | Grants permission to link an EC2-Classic instance to a ClassicLink-enabled VPC through one or more of the VPC's security groups | Write | |||
AttachInternetGateway | Grants permission to attach an internet gateway to a VPC | Write | |||
AttachNetworkInterface | Grants permission to attach a network interface to an instance | Write | |||
AttachVerifiedAccessTrustProvider | Grants permission to attach a trust provider to a Verified Access instance | Write | |||
AttachVolume | Grants permission to attach an EBS volume to a running or stopped instance and expose it to the instance with the specified device name | Write | |||
AttachVpnGateway | Grants permission to attach a virtual private gateway to a VPC | Write | |||
AuthorizeClientVpnIngress | Grants permission to add an inbound authorization rule to a Client VPN endpoint | Write | |||
AuthorizeSecurityGroupEgress | Grants permission to add one or more outbound rules to a VPC security group. Policies using the security-group-rule resource-level permission are only enforced when the API request includes TagSpecifications | Write | | | ec2:CreateTags |
AuthorizeSecurityGroupIngress | Grants permission to add one or more inbound rules to a VPC security group. Policies using the security-group-rule resource-level permission are only enforced when the API request includes TagSpecifications | Write | | | ec2:CreateTags |
BundleInstance | Grants permission to bundle an instance store-backed Windows instance | Write | |||
CancelBundleTask | Grants permission to cancel a bundling operation | Write | |||
CancelCapacityReservation | Grants permission to cancel a Capacity Reservation and release the reserved capacity | Write | |||
CancelCapacityReservationFleets | Grants permission to cancel one or more Capacity Reservation Fleets | Write | | | ec2:CancelCapacityReservation |
CancelConversionTask | Grants permission to cancel an active conversion task | Write | |||
CancelDeclarativePoliciesReport | Grants permission to cancel a declarative policies report | Write | |||
CancelExportTask | Grants permission to cancel an active export task | Write | |||
CancelImageLaunchPermission | Grants permission to remove your AWS account from the launch permissions for the specified AMI | Write | |||
CancelImportTask | Grants permission to cancel an in-process import virtual machine or import snapshot task | Write | |||
CancelReservedInstancesListing | Grants permission to cancel a Reserved Instance listing on the Reserved Instance Marketplace | Write | |||
CancelSpotFleetRequests | Grants permission to cancel one or more Spot Fleet requests | Write | |||
CancelSpotInstanceRequests | Grants permission to cancel one or more Spot Instance requests | Write | |||
ConfirmProductInstance | Grants permission to determine whether an owned product code is associated with an instance | Write | |||
CopyFpgaImage | Grants permission to copy a source Amazon FPGA image (AFI) to the current Region. Resource-level permissions specified for this action apply to the new AFI only. They do not apply to the source AFI | Write | |||
CopyImage | Grants permission to copy an Amazon Machine Image (AMI) from a source Region to the current Region | Write | | | ec2:CreateTags |
CopySnapshot | Grants permission to copy a point-in-time snapshot of an EBS volume and store it in Amazon S3. Resource-level permissions specified for this action apply to the new snapshot only. They do not apply to the source snapshot | Write | | | ec2:CreateTags |
CreateCapacityReservation | Grants permission to create a Capacity Reservation | Write | | | ec2:CreateTags |
CreateCapacityReservationBySplitting | Grants permission to create a new Capacity Reservation by splitting the available capacity of the source Capacity Reservation | Write | | ec2:DestinationCapacityReservationId | ec2:CreateTags |
CreateCapacityReservationFleet | Grants permission to create a Capacity Reservation Fleet | Write | | | ec2:CreateCapacityReservation ec2:CreateTags ec2:DescribeCapacityReservations ec2:DescribeInstances |
CreateCarrierGateway | Grants permission to create a carrier gateway and provides CSP connectivity to VPC customers | Write | | | ec2:CreateTags |
CreateClientVpnEndpoint | Grants permission to create a Client VPN endpoint | Write | | | ec2:CreateTags |
CreateClientVpnRoute | Grants permission to add a network route to a Client VPN endpoint's route table | Write | |||
CreateCoipCidr | Grants permission to create a range of customer-owned IP (CoIP) addresses | Write | |||
CreateCoipPool | Grants permission to create a pool of customer-owned IP (CoIP) addresses | Write | | | ec2:CreateTags |
CreateCoipPoolPermission [permission only] | Grants permission to allow a service to access a customer-owned IP (CoIP) pool | Write | |||
CreateCustomerGateway | Grants permission to create a customer gateway, which provides information to AWS about your customer gateway device | Write | | | ec2:CreateTags |
CreateDefaultSubnet | Grants permission to create a default subnet in a specified Availability Zone in a default VPC | Write | |||
CreateDefaultVpc | Grants permission to create a default VPC with a default subnet in each Availability Zone | Write | |||
CreateDhcpOptions | Grants permission to create a set of DHCP options for a VPC | Write | | | ec2:CreateTags |
CreateEgressOnlyInternetGateway | Grants permission to create an egress-only internet gateway for a VPC | Write | | | ec2:CreateTags |
CreateFleet | Grants permission to launch an EC2 Fleet. Resource-level permissions for this action do not include the resources specified in a launch template. To specify resource-level permissions for resources specified in a launch template, you must include the resources in the RunInstances action statement | Write | | | ec2:CreateTags |
CreateFlowLogs | Grants permission to create one or more flow logs to capture IP traffic for a network interface | Write | | | ec2:CreateTags ecs:ListClusters ecs:ListContainerInstances ecs:ListServices ecs:ListTaskDefinitions ecs:ListTasks iam:PassRole |
CreateFpgaImage | Grants permission to create an Amazon FPGA Image (AFI) from a design checkpoint (DCP) | Write | | | ec2:CreateTags |
CreateImage | Grants permission to create an Amazon EBS-backed AMI from a stopped or running Amazon EBS-backed instance | Write | | | ec2:CreateTags |
CreateInstanceConnectEndpoint | Grants permission to create an EC2 Instance Connect Endpoint that allows you to connect to an instance without a public IPv4 address | Write | | | ec2:CreateTags |
CreateInstanceEventWindow | Grants permission to create an event window in which scheduled events for the associated Amazon EC2 instances can run | Write | | | ec2:CreateTags |
CreateInstanceExportTask | Grants permission to export a running or stopped instance to an Amazon S3 bucket | Write | | | ec2:CreateTags |
CreateInternetGateway | Grants permission to create an internet gateway for a VPC | Write | | | ec2:CreateTags |
CreateIpam | Grants permission to create an Amazon VPC IP Address Manager (IPAM) | Write | | | ec2:CreateTags iam:CreateServiceLinkedRole |
CreateIpamExternalResourceVerificationToken | Grants permission to create a verification token, which proves ownership of an external resource | Write | | | ec2:CreateTags |
CreateIpamPool | Grants permission to create an IP address pool for Amazon VPC IP Address Manager (IPAM), which is a collection of contiguous IP address CIDRs | Write | | | ec2:CreateTags |
CreateIpamResourceDiscovery | Grants permission to create an IPAM resource discovery | Write | | | ec2:CreateTags iam:CreateServiceLinkedRole |
CreateIpamScope | Grants permission to create an Amazon VPC IP Address Manager (IPAM) scope, which is the highest-level container within IPAM | Write | | | ec2:CreateTags |
CreateKeyPair | Grants permission to create a 2048-bit RSA key pair | Write | | | ec2:CreateTags |
CreateLaunchTemplate | Grants permission to create a launch template | Write | | | ec2:CreateTags ssm:GetParameters |
CreateLaunchTemplateVersion | Grants permission to create a new version of a launch template | Write | | | ssm:GetParameters |
CreateLocalGatewayRoute | Grants permission to create a static route for a local gateway route table | Write | |||
CreateLocalGatewayRouteTable | Grants permission to create a local gateway route table | Write | | | ec2:CreateTags |
CreateLocalGatewayRouteTablePermission [permission only] | Grants permission to allow a service to access a local gateway route table | Write | |||
CreateLocalGatewayRouteTableVirtualInterfaceGroupAssociation | Grants permission to create a local gateway route table virtual interface group association | Write | local-gateway-route-table-virtual-interface-group-association* | | ec2:CreateTags |
CreateLocalGatewayRouteTableVpcAssociation | Grants permission to associate a VPC with a local gateway route table | Write | | | ec2:CreateTags |
CreateManagedPrefixList | Grants permission to create a managed prefix list | Write | | | ec2:CreateTags |
CreateNatGateway | Grants permission to create a NAT gateway in a subnet | Write | | | ec2:CreateTags |
CreateNetworkAcl | Grants permission to create a network ACL in a VPC | Write | | | ec2:CreateTags |
CreateNetworkAclEntry | Grants permission to create a numbered entry (a rule) in a network ACL | Write | |||
CreateNetworkInsightsAccessScope | Grants permission to create a Network Access Scope | Write | | | ec2:CreateTags |
CreateNetworkInsightsPath | Grants permission to create a path to analyze for reachability | Write | | | ec2:CreateTags |
CreateNetworkInterface | Grants permission to create a network interface in a subnet | Write | | | ec2:CreateTags |
CreateNetworkInterfacePermission | Grants permission to create a permission for an AWS-authorized user to perform certain operations on a network interface | Permissions management | |||
CreatePlacementGroup | Grants permission to create a placement group | Write | | | ec2:CreateTags |
CreatePublicIpv4Pool | Grants permission to create a public IPv4 address pool for public IPv4 CIDRs that you own and bring to Amazon to manage with Amazon VPC IP Address Manager (IPAM) | Write | | | ec2:CreateTags |
CreateReplaceRootVolumeTask | Grants permission to create a root volume replacement task | Write | | | ec2:CreateTags |
CreateReservedInstancesListing | Grants permission to create a listing for Standard Reserved Instances to be sold in the Reserved Instance Marketplace | Write | |||
CreateRestoreImageTask | Grants permission to start a task that restores an AMI from an S3 object previously created by using CreateStoreImageTask | Write | | | ec2:CreateTags |
CreateRoute | Grants permission to create a route in a VPC route table | Write | |||
CreateRouteTable | Grants permission to create a route table for a VPC | Write | | | ec2:CreateTags |
CreateSecurityGroup | Grants permission to create a security group | Write | | | ec2:CreateTags |
CreateSnapshot | Grants permission to create a snapshot of an EBS volume and store it in Amazon S3 | Write | | | ec2:CreateTags |
CreateSnapshots | Grants permission to create crash-consistent snapshots of multiple EBS volumes and store them in Amazon S3 | Write | | | ec2:CreateTags |
CreateSpotDatafeedSubscription | Grants permission to create a data feed for Spot Instances to view Spot Instance usage logs | Write | |||
CreateStoreImageTask | Grants permission to store an AMI as a single object in an S3 bucket | Write | |||
CreateSubnet | Grants permission to create a subnet in a VPC | Write | | | ec2:CreateTags |
CreateSubnetCidrReservation | Grants permission to create a subnet CIDR reservation | Write | |||
CreateTags | Grants permission to add or overwrite one or more tags for Amazon EC2 resources | Tagging | local-gateway-route-table-virtual-interface-group-association | ec2:Phase1EncryptionAlgorithms | |
CreateTrafficMirrorFilter | Grants permission to create a traffic mirror filter | Write | | | ec2:CreateTags |
CreateTrafficMirrorFilterRule | Grants permission to create a traffic mirror filter rule | Write | | | ec2:CreateTags |
CreateTrafficMirrorSession | Grants permission to create a traffic mirror session | Write | | | ec2:CreateTags |
CreateTrafficMirrorTarget | Grants permission to create a traffic mirror target | Write | | | ec2:CreateTags |
CreateTransitGateway | Grants permission to create a transit gateway | Write | | | ec2:CreateTags |
CreateTransitGatewayConnect | Grants permission to create a Connect attachment from a specified transit gateway attachment | Write | | | ec2:CreateTags |
CreateTransitGatewayConnectPeer | Grants permission to create a Connect peer between a transit gateway and an appliance | Write | | | ec2:CreateTags |
CreateTransitGatewayMulticastDomain | Grants permission to create a multicast domain for a transit gateway | Write | | | ec2:CreateTags |
CreateTransitGatewayPeeringAttachment | Grants permission to request a transit gateway peering attachment between a requester and accepter transit gateway | Write | | | ec2:CreateTags |
CreateTransitGatewayPolicyTable | Grants permission to create a transit gateway policy table | Write | | | ec2:CreateTags |
CreateTransitGatewayPrefixListReference | Grants permission to create a transit gateway prefix list reference | Write | |||
CreateTransitGatewayRoute | Grants permission to create a static route for a transit gateway route table | Write | |||
CreateTransitGatewayRouteTable | Grants permission to create a route table for a transit gateway | Write | | | ec2:CreateTags |
CreateTransitGatewayRouteTableAnnouncement | Grants permission to create an announcement for a transit gateway route table | Write | | | ec2:CreateTags |
CreateTransitGatewayVpcAttachment | Grants permission to attach a VPC to a transit gateway | Write | | | ec2:CreateTags |
CreateVerifiedAccessEndpoint | Grants permission to create a Verified Access endpoint | Write | | | ec2:CreateTags |
CreateVerifiedAccessGroup | Grants permission to create a Verified Access group | Write | | | ec2:CreateTags |
CreateVerifiedAccessInstance | Grants permission to create a Verified Access instance | Write | | | ec2:CreateTags |
CreateVerifiedAccessTrustProvider | Grants permission to create a Verified Access trust provider | Write | | | ec2:CreateTags |
CreateVolume | Grants permission to create an EBS volume | Write | | | ec2:CreateTags |
CreateVpc | Grants permission to create a VPC with a specified CIDR block | Write | | | ec2:CreateTags |
CreateVpcBlockPublicAccessExclusion | Grants permission to create an exclusion list for blocked public access on a VPC | Write | | | ec2:CreateTags |
CreateVpcEndpoint | Grants permission to create a VPC endpoint for an AWS service | Write | | | ec2:CreateTags route53:AssociateVPCWithHostedZone |
CreateVpcEndpointConnectionNotification | Grants permission to create a connection notification for a VPC endpoint or VPC endpoint service | Write | |||
CreateVpcEndpointServiceConfiguration | Grants permission to create a VPC endpoint service configuration to which service consumers (AWS accounts, IAM users, and IAM roles) can connect | Write | | | ec2:CreateTags |
CreateVpcPeeringConnection | Grants permission to request a VPC peering connection between two VPCs | Write | | | ec2:CreateTags |
CreateVpnConnection | Grants permission to create a VPN connection between a virtual private gateway or transit gateway and a customer gateway | Write | | ec2:Phase1EncryptionAlgorithms | ec2:CreateTags |
CreateVpnConnectionRoute | Grants permission to create a static route for a VPN connection between a virtual private gateway and a customer gateway | Write | |||
CreateVpnGateway | Grants permission to create a virtual private gateway | Write | | | ec2:CreateTags |
DeleteCarrierGateway | Grants permission to delete a carrier gateway | Write | |||
DeleteClientVpnEndpoint | Grants permission to delete a Client VPN endpoint | Write | |||
DeleteClientVpnRoute | Grants permission to delete a route from a Client VPN endpoint | Write | |||
DeleteCoipCidr | Grants permission to delete a range of customer-owned IP (CoIP) addresses | Write | |||
DeleteCoipPool | Grants permission to delete a pool of customer-owned IP (CoIP) addresses | Write | |||
DeleteCoipPoolPermission [permission only] | Grants permission to deny a service from accessing a customer-owned IP (CoIP) pool | Write | |||
DeleteCustomerGateway | Grants permission to delete a customer gateway | Write | |||
DeleteDhcpOptions | Grants permission to delete a set of DHCP options | Write | |||
DeleteEgressOnlyInternetGateway | Grants permission to delete an egress-only internet gateway | Write | |||
DeleteFleets | Grants permission to delete one or more EC2 Fleets | Write | |||
DeleteFlowLogs | Grants permission to delete one or more flow logs | Write | |||
DeleteFpgaImage | Grants permission to delete an Amazon FPGA Image (AFI) | Write | |||
DeleteInstanceConnectEndpoint | Grants permission to delete an EC2 Instance Connect Endpoint | Write | |||
DeleteInstanceEventWindow | Grants permission to delete the specified event window | Write | |||
DeleteInternetGateway | Grants permission to delete an internet gateway | Write | |||
DeleteIpam | Grants permission to delete an Amazon VPC IP Address Manager (IPAM) and remove all monitored data associated with the IPAM including the historical data for CIDRs | Write | |||
DeleteIpamExternalResourceVerificationToken | Grants permission to delete a verification token, which proves ownership of an external resource | Write | |||
DeleteIpamPool | Grants permission to delete an Amazon VPC IP Address Manager (IPAM) pool | Write | |||
DeleteIpamResourceDiscovery | Grants permission to delete an IPAM resource discovery | Write | |||
DeleteIpamScope | Grants permission to delete the scope for an Amazon VPC IP Address Manager (IPAM) | Write | |||
DeleteKeyPair | Grants permission to delete a key pair by removing the public key from Amazon EC2 | Write | |||
DeleteLaunchTemplate | Grants permission to delete a launch template and its associated versions | Write | |||
DeleteLaunchTemplateVersions | Grants permission to delete one or more versions of a launch template | Write | |||
DeleteLocalGatewayRoute | Grants permission to delete a route from a local gateway route table | Write | |||
DeleteLocalGatewayRouteTable | Grants permission to delete a local gateway route table | Write | |||
DeleteLocalGatewayRouteTablePermission [permission only] | Grants permission to deny a service from accessing a local gateway route table | Write | |||
DeleteLocalGatewayRouteTableVirtualInterfaceGroupAssociation | Grants permission to delete a local gateway route table virtual interface group association | Write | local-gateway-route-table-virtual-interface-group-association* | | |
DeleteLocalGatewayRouteTableVpcAssociation | Grants permission to delete an association between a VPC and local gateway route table | Write | |||
DeleteManagedPrefixList | Grants permission to delete a managed prefix list | Write | |||
DeleteNatGateway | Grants permission to delete a NAT gateway | Write | |||
DeleteNetworkAcl | Grants permission to delete a network ACL | Write | |||
DeleteNetworkAclEntry | Grants permission to delete an inbound or outbound entry (rule) from a network ACL | Write | |||
DeleteNetworkInsightsAccessScope | Grants permission to delete a Network Access Scope | Write | |||
DeleteNetworkInsightsAccessScopeAnalysis | Grants permission to delete a Network Access Scope analysis | Write | |||
DeleteNetworkInsightsAnalysis | Grants permission to delete a network insights analysis | Write | |||
DeleteNetworkInsightsPath | Grants permission to delete a network insights path | Write | |||
DeleteNetworkInterface | Grants permission to delete a detached network interface | Write | |||
DeleteNetworkInterfacePermission | Grants permission to delete a permission that is associated with a network interface | Permissions management | |||
DeletePlacementGroup | Grants permission to delete a placement group | Write | |||
DeletePublicIpv4Pool | Grants permission to delete a public IPv4 address pool for public IPv4 CIDRs that you own and brought to Amazon to manage with Amazon VPC IP Address Manager (IPAM) | Write | |||
DeleteQueuedReservedInstances | Grants permission to delete the queued purchases for the specified Reserved Instances | Write | |||
DeleteResourcePolicy [permission only] | Grants permission to remove an IAM policy that enables cross-account sharing from a resource | Write | |||
DeleteRoute | Grants permission to delete a route from a route table | Write | |||
DeleteRouteTable | Grants permission to delete a route table | Write | |||
DeleteSecurityGroup | Grants permission to delete a security group | Write | |||
DeleteSnapshot | Grants permission to delete a snapshot of an EBS volume | Write | |||
DeleteSpotDatafeedSubscription | Grants permission to delete a data feed for Spot Instances | Write | |||
DeleteSubnet | Grants permission to delete a subnet | Write | |||
DeleteSubnetCidrReservation | Grants permission to delete a subnet CIDR reservation | Write | |||
DeleteTags | Grants permission to delete one or more tags from Amazon EC2 resources | Tagging | local-gateway-route-table-virtual-interface-group-association | | |
DeleteTrafficMirrorFilter | Grants permission to delete a traffic mirror filter | Write | |||
DeleteTrafficMirrorFilterRule | Grants permission to delete a traffic mirror filter rule | Write | |||
DeleteTrafficMirrorSession | Grants permission to delete a traffic mirror session | Write | |||
DeleteTrafficMirrorTarget | Grants permission to delete a traffic mirror target | Write | |||
DeleteTransitGateway | Grants permission to delete a transit gateway | Write | |||
DeleteTransitGatewayConnect | Grants permission to delete a transit gateway connect attachment | Write | |||
DeleteTransitGatewayConnectPeer | Grants permission to delete a transit gateway connect peer | Write | |||
DeleteTransitGatewayMulticastDomain | Grants permission to delete a transit gateway multicast domain | Write | |||
DeleteTransitGatewayPeeringAttachment | Grants permission to delete a peering attachment from a transit gateway | Write | |||
DeleteTransitGatewayPolicyTable | Grants permission to delete a transit gateway policy table | Write | |||
DeleteTransitGatewayPrefixListReference | Grants permission to delete a transit gateway prefix list reference | Write | |||
DeleteTransitGatewayRoute | Grants permission to delete a route from a transit gateway route table | Write | |||
DeleteTransitGatewayRouteTable | Grants permission to delete a transit gateway route table | Write | |||
DeleteTransitGatewayRouteTableAnnouncement | Grants permission to delete a transit gateway route table announcement | Write | |||
DeleteTransitGatewayVpcAttachment | Grants permission to delete a VPC attachment from a transit gateway | Write | |||
DeleteVerifiedAccessEndpoint | Grants permission to delete a Verified Access endpoint | Write | |||
DeleteVerifiedAccessGroup | Grants permission to delete a Verified Access group | Write | |||
DeleteVerifiedAccessInstance | Grants permission to delete a Verified Access instance | Write | |||
DeleteVerifiedAccessTrustProvider | Grants permission to delete a Verified Access trust provider | Write | |||
DeleteVolume | Grants permission to delete an EBS volume | Write | |||
DeleteVpc | Grants permission to delete a VPC | Write | |||
DeleteVpcBlockPublicAccessExclusion | Grants permission to delete an exclusion list for blocked public access on a VPC | Write | |||
DeleteVpcEndpointConnectionNotifications | Grants permission to delete one or more VPC endpoint connection notifications | Write | |||
DeleteVpcEndpointServiceConfigurations | Grants permission to delete one or more VPC endpoint service configurations | Write | |||
DeleteVpcEndpoints | Grants permission to delete one or more VPC endpoints | Write | |||
DeleteVpcPeeringConnection | Grants permission to delete a VPC peering connection | Write | |||
DeleteVpnConnection | Grants permission to delete a VPN connection | Write | |||
DeleteVpnConnectionRoute | Grants permission to delete a static route for a VPN connection between a virtual private gateway and a customer gateway | Write | |||
DeleteVpnGateway | Grants permission to delete a virtual private gateway | Write | |||
DeprovisionByoipCidr | Grants permission to release an IP address range that was provisioned through bring your own IP addresses (BYOIP), and to delete the corresponding address pool | Write | |||
DeprovisionIpamByoasn | Grants permission to deprovision an Autonomous System Number (ASN) from an Amazon Web Services account | Write | |||
DeprovisionIpamPoolCidr | Grants permission to deprovision a CIDR provisioned from an Amazon VPC IP Address Manager (IPAM) pool | Write | |||
DeprovisionPublicIpv4PoolCidr | Grants permission to deprovision a CIDR from a public IPv4 pool | Write | |||
DeregisterImage | Grants permission to deregister an Amazon Machine Image (AMI) | Write | |||
DeregisterInstanceEventNotificationAttributes | Grants permission to remove tags from the set of tags to include in notifications about scheduled events for your instances | Write | |||
DeregisterTransitGatewayMulticastGroupMembers | Grants permission to deregister one or more network interface members from a group IP address in a transit gateway multicast domain | Write | |||
DeregisterTransitGatewayMulticastGroupSources | Grants permission to deregister one or more network interface sources from a group IP address in a transit gateway multicast domain | Write | |||
DescribeAccountAttributes | Grants permission to describe the attributes of the AWS account | List | |||
DescribeAddressTransfers | Grants permission to describe an Elastic IP address transfer | List | |||
DescribeAddresses | Grants permission to describe one or more Elastic IP addresses | List | |||
DescribeAddressesAttribute | Grants permission to describe the attributes of the specified Elastic IP addresses | List | |||
DescribeAggregateIdFormat | Grants permission to describe the longer ID format settings for all resource types | List | |||
DescribeAvailabilityZones | Grants permission to describe one or more of the Availability Zones that are available to you | List | |||
DescribeAwsNetworkPerformanceMetricSubscriptions | Grants permission to describe the current infrastructure performance metric subscriptions | List | |||
DescribeBundleTasks | Grants permission to describe one or more bundling tasks | List | |||
DescribeByoipCidrs | Grants permission to describe the IP address ranges that were provisioned through bring your own IP addresses (BYOIP) | List | |||
DescribeCapacityBlockExtensionHistory | Grants permission to describe Capacity Block extensions history | List | ec2:DestinationCapacityReservationId | ||
DescribeCapacityBlockExtensionOfferings | Grants permission to describe Capacity Block extensions offerings | List | ec2:DestinationCapacityReservationId | ||
DescribeCapacityBlockOfferings | Grants permission to describe Capacity Block offerings available for purchase | List | |||
DescribeCapacityReservationBillingRequests | Grants permission to describe one or more requests to assign the billing of the unused capacity of a Capacity Reservation | List | |||
DescribeCapacityReservationFleets | Grants permission to describe one or more Capacity Reservation Fleets | List | |||
DescribeCapacityReservations | Grants permission to describe one or more Capacity Reservations | List | |||
DescribeCarrierGateways | Grants permission to describe one or more Carrier Gateways | List | |||
DescribeClassicLinkInstances | Grants permission to describe one or more linked EC2-Classic instances | List | |||
DescribeClientVpnAuthorizationRules | Grants permission to describe the authorization rules for a Client VPN endpoint | List | |||
DescribeClientVpnConnections | Grants permission to describe active client connections and connections that have been terminated within the last 60 minutes for a Client VPN endpoint | List | |||
DescribeClientVpnEndpoints | Grants permission to describe one or more Client VPN endpoints | List | |||
DescribeClientVpnRoutes | Grants permission to describe the routes for a Client VPN endpoint | List | |||
DescribeClientVpnTargetNetworks | Grants permission to describe the target networks that are associated with a Client VPN endpoint | List | |||
DescribeCoipPools | Grants permission to describe the specified customer-owned address pools or all of your customer-owned address pools | List | |||
DescribeConversionTasks | Grants permission to describe one or more conversion tasks | List | |||
DescribeCustomerGateways | Grants permission to describe one or more customer gateways | List | |||
DescribeDeclarativePoliciesReports | Grants permission to describe one or more declarative policies reports | List | |||
DescribeDhcpOptions | Grants permission to describe one or more DHCP options sets | List | |||
DescribeEgressOnlyInternetGateways | Grants permission to describe one or more egress-only internet gateways | List | |||
DescribeElasticGpus | Grants permission to describe an Elastic Graphics accelerator that is associated with an instance | List | |||
DescribeExportImageTasks | Grants permission to describe one or more export image tasks | List | |||
DescribeExportTasks | Grants permission to describe one or more export instance tasks | List | |||
DescribeFastLaunchImages | Grants permission to describe fast-launch enabled Windows AMIs | List | |||
DescribeFastSnapshotRestores | Grants permission to describe the state of fast snapshot restores for snapshots | List | |||
DescribeFleetHistory | Grants permission to describe the events for an EC2 Fleet during a specified time | List | |||
DescribeFleetInstances | Grants permission to describe the running instances for an EC2 Fleet | List | |||
DescribeFleets | Grants permission to describe one or more EC2 Fleets | List | |||
DescribeFlowLogs | Grants permission to describe one or more flow logs | List | |||
DescribeFpgaImageAttribute | Grants permission to describe the attributes of an Amazon FPGA Image (AFI) | List | |||
DescribeFpgaImages | Grants permission to describe one or more Amazon FPGA Images (AFIs) | List | |||
DescribeHostReservationOfferings | Grants permission to describe the Dedicated Host Reservations that are available to purchase | List | |||
DescribeHostReservations | Grants permission to describe the Dedicated Host Reservations that are associated with Dedicated Hosts in the AWS account | List | |||
DescribeHosts | Grants permission to describe one or more Dedicated Hosts | List | |||
DescribeIamInstanceProfileAssociations | Grants permission to describe the IAM instance profile associations | List | |||
DescribeIdFormat | Grants permission to describe the ID format settings for resources | List | |||
DescribeIdentityIdFormat | Grants permission to describe the ID format settings for resources for an IAM user, IAM role, or root user | List | |||
DescribeImageAttribute | Grants permission to describe an attribute of an Amazon Machine Image (AMI) | List | |||
DescribeImages | Grants permission to describe one or more images (AMIs, AKIs, and ARIs) | List | |||
DescribeImportImageTasks | Grants permission to describe import virtual machine or import snapshot tasks | List | |||
DescribeImportSnapshotTasks | Grants permission to describe import snapshot tasks | List | |||
DescribeInstanceAttribute | Grants permission to describe the attributes of an instance | List | |||
DescribeInstanceConnectEndpoints | Grants permission to describe EC2 Instance Connect Endpoints | List | |||
DescribeInstanceCreditSpecifications | Grants permission to describe the credit option for CPU usage of one or more burstable performance instances | List | |||
DescribeInstanceEventNotificationAttributes | Grants permission to describe the set of tags to include in notifications about scheduled events for your instances | List | |||
DescribeInstanceEventWindows | Grants permission to describe the specified event windows or all event windows | List | |||
DescribeInstanceImageMetadata | Grants permission to describe the AMI that was used to launch an instance | List | |||
DescribeInstanceStatus | Grants permission to describe the status of one or more instances | List | |||
DescribeInstanceTopology | Grants permission to describe a tree-based hierarchy that represents the physical host placement of EC2 instances | List | |||
DescribeInstanceTypeOfferings | Grants permission to describe the set of instance types that are offered in a location | List | |||
DescribeInstanceTypes | Grants permission to describe the details of instance types that are offered in a location | List | |||
DescribeInstances | Grants permission to describe one or more instances | List | |||
DescribeInternetGateways | Grants permission to describe one or more internet gateways | List | |||
DescribeIpamByoasn | Grants permission to describe a bring your own Autonomous System Number (BYOASN) that you've brought to IPAM | List | |||
DescribeIpamExternalResourceVerificationTokens | Grants permission to describe verification tokens, which prove ownership of an external resource | List | |||
DescribeIpamPools | Grants permission to describe Amazon VPC IP Address Manager (IPAM) pools | List | |||
DescribeIpamResourceDiscoveries | Grants permission to describe IPAM resource discoveries | List | |||
DescribeIpamResourceDiscoveryAssociations | Grants permission to describe resource discovery associations with an Amazon VPC IPAM | List | |||
DescribeIpamScopes | Grants permission to describe Amazon VPC IP Address Manager (IPAM) scopes | List | |||
DescribeIpams | Grants permission to describe an Amazon VPC IP Address Manager (IPAM) | List | |||
DescribeIpv6Pools | Grants permission to describe one or more IPv6 address pools | List | |||
DescribeKeyPairs | Grants permission to describe one or more key pairs | List | |||
DescribeLaunchTemplateVersions | Grants permission to describe one or more launch template versions | List | ssm:GetParameters | ||
DescribeLaunchTemplates | Grants permission to describe one or more launch templates | List | |||
DescribeLocalGatewayRouteTablePermissions [permission only] | Grants permission to allow a service to describe local gateway route table permissions | List | |||
DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations | Grants permission to describe the associations between virtual interface groups and local gateway route tables | List | |||
DescribeLocalGatewayRouteTableVpcAssociations | Grants permission to describe an association between VPCs and local gateway route tables | List | |||
DescribeLocalGatewayRouteTables | Grants permission to describe one or more local gateway route tables | List | |||
DescribeLocalGatewayVirtualInterfaceGroups | Grants permission to describe local gateway virtual interface groups | List | |||
DescribeLocalGatewayVirtualInterfaces | Grants permission to describe local gateway virtual interfaces | List | |||
DescribeLocalGateways | Grants permission to describe one or more local gateways | List | |||
DescribeLockedSnapshots | Grants permission to describe the lock status for a snapshot | List | |||
DescribeMacHosts | Grants permission to describe your EC2 Mac Dedicated Hosts | List | |||
DescribeManagedPrefixLists | Grants permission to describe your managed prefix lists and any AWS-managed prefix lists | List | |||
DescribeMovingAddresses | Grants permission to describe Elastic IP addresses that are being moved to the EC2-VPC platform | List | |||
DescribeNatGateways | Grants permission to describe one or more NAT gateways | List | |||
DescribeNetworkAcls | Grants permission to describe one or more network ACLs | List | |||
DescribeNetworkInsightsAccessScopeAnalyses | Grants permission to describe one or more Network Access Scope analyses | List | |||
DescribeNetworkInsightsAccessScopes | Grants permission to describe the Network Access Scopes | List | |||
DescribeNetworkInsightsAnalyses | Grants permission to describe one or more network insights analyses | List | |||
DescribeNetworkInsightsPaths | Grants permission to describe one or more network insights paths | List | |||
DescribeNetworkInterfaceAttribute | Grants permission to describe a network interface attribute | List | |||
DescribeNetworkInterfacePermissions | Grants permission to describe the permissions that are associated with a network interface | List | |||
DescribeNetworkInterfaces | Grants permission to describe one or more network interfaces | List | |||
DescribePlacementGroups | Grants permission to describe one or more placement groups | List | |||
DescribePrefixLists | Grants permission to describe available AWS services in a prefix list format | List | |||
DescribePrincipalIdFormat | Grants permission to describe the ID format settings for the root user and all IAM roles and IAM users that have explicitly specified a longer ID (17-character ID) preference | List | |||
DescribePublicIpv4Pools | Grants permission to describe one or more IPv4 address pools | List | |||
DescribeRegions | Grants permission to describe one or more AWS Regions that are currently available in your account | List | |||
DescribeReplaceRootVolumeTasks | Grants permission to describe a root volume replacement task | List | |||
DescribeReservedInstances | Grants permission to describe one or more purchased Reserved Instances in your account | List | |||
DescribeReservedInstancesListings | Grants permission to describe your account's Reserved Instance listings in the Reserved Instance Marketplace | List | |||
DescribeReservedInstancesModifications | Grants permission to describe the modifications made to one or more Reserved Instances | List | |||
DescribeReservedInstancesOfferings | Grants permission to describe the Reserved Instance offerings that are available for purchase | List | |||
DescribeRouteTables | Grants permission to describe one or more route tables | List | |||
DescribeScheduledInstanceAvailability | Grants permission to find available schedules for Scheduled Instances | List | |||
DescribeScheduledInstances | Grants permission to describe one or more Scheduled Instances in your account | List | |||
DescribeSecurityGroupReferences | Grants permission to describe the VPCs on the other side of a VPC peering connection that are referencing specified VPC security groups | List | |||
DescribeSecurityGroupRules | Grants permission to describe one or more of your security group rules | List | |||
DescribeSecurityGroupVpcAssociations | Grants permission to describe security group VPC associations | List | |||
DescribeSecurityGroups | Grants permission to describe one or more security groups | List | |||
DescribeSnapshotAttribute | Grants permission to describe an attribute of a snapshot | List | |||
DescribeSnapshotTierStatus | Grants permission to describe the storage tier status for Amazon EBS snapshots | List | |||
DescribeSnapshots | Grants permission to describe one or more EBS snapshots | List | |||
DescribeSpotDatafeedSubscription | Grants permission to describe the data feed for Spot Instances | List | |||
DescribeSpotFleetInstances | Grants permission to describe the running instances for a Spot Fleet | List | |||
DescribeSpotFleetRequestHistory | Grants permission to describe the events for a Spot Fleet request during a specified time | List | |||
DescribeSpotFleetRequests | Grants permission to describe one or more Spot Fleet requests | List | |||
DescribeSpotInstanceRequests | Grants permission to describe one or more Spot Instance requests | List | |||
DescribeSpotPriceHistory | Grants permission to describe the Spot Instance price history | List | |||
DescribeStaleSecurityGroups | Grants permission to describe the stale security group rules for security groups in a specified VPC | List | |||
DescribeStoreImageTasks | Grants permission to describe the progress of the AMI store tasks | List | |||
DescribeSubnets | Grants permission to describe one or more subnets | List | |||
DescribeTags | Grants permission to describe one or more tags for an Amazon EC2 resource | List | |||
DescribeTrafficMirrorFilterRules | Grants permission to describe traffic mirror filters that determine the traffic that is mirrored | List | |||
DescribeTrafficMirrorFilters | Grants permission to describe one or more traffic mirror filters | List | |||
DescribeTrafficMirrorSessions | Grants permission to describe one or more traffic mirror sessions | List | |||
DescribeTrafficMirrorTargets | Grants permission to describe one or more traffic mirror targets | List | |||
DescribeTransitGatewayAttachments | Grants permission to describe one or more attachments between resources and transit gateways | List | |||
DescribeTransitGatewayConnectPeers | Grants permission to describe one or more transit gateway connect peers | List | |||
DescribeTransitGatewayConnects | Grants permission to describe one or more transit gateway connect attachments | List | |||
DescribeTransitGatewayMulticastDomains | Grants permission to describe one or more transit gateway multicast domains | List | |||
DescribeTransitGatewayPeeringAttachments | Grants permission to describe one or more transit gateway peering attachments | List | |||
DescribeTransitGatewayPolicyTables | Grants permission to describe a transit gateway policy table | List | |||
DescribeTransitGatewayRouteTableAnnouncements | Grants permission to describe a transit gateway route table announcement | List | |||
DescribeTransitGatewayRouteTables | Grants permission to describe one or more transit gateway route tables | List | |||
DescribeTransitGatewayVpcAttachments | Grants permission to describe one or more VPC attachments on a transit gateway | List | |||
DescribeTransitGateways | Grants permission to describe one or more transit gateways | List | |||
DescribeTrunkInterfaceAssociations | Grants permission to describe one or more network interface trunk associations | List | |||
DescribeVerifiedAccessEndpoints | Grants permission to describe the specified Verified Access endpoints or all Verified Access endpoints | List | |||
DescribeVerifiedAccessGroups | Grants permission to describe the specified Verified Access groups or all Verified Access groups | List | |||
DescribeVerifiedAccessInstanceLoggingConfigurations | Grants permission to describe the current logging configuration for the Verified Access instances | List | |||
DescribeVerifiedAccessInstanceWebAclAssociations [permission only] | Grants permission to describe the AWS Web Application Firewall (WAF) web access control list (ACL) associations for a Verified Access instance | List | |||
DescribeVerifiedAccessInstances | Grants permission to describe the specified Verified Access instances or all Verified Access instances | List | |||
DescribeVerifiedAccessTrustProviders | Grants permission to describe details of existing Verified Access trust providers | List | |||
DescribeVolumeAttribute | Grants permission to describe an attribute of an EBS volume | List | |||
DescribeVolumeStatus | Grants permission to describe the status of one or more EBS volumes | List | |||
DescribeVolumes | Grants permission to describe one or more EBS volumes | List | |||
DescribeVolumesModifications | Grants permission to describe the current modification status of one or more EBS volumes | List | |||
DescribeVpcAttribute | Grants permission to describe an attribute of a VPC | List | |||
DescribeVpcBlockPublicAccessExclusions | Grants permission to describe an exclusion list for blocked public access on a VPC | List | |||
DescribeVpcBlockPublicAccessOptions | Grants permission to describe options for blocked public access on a VPC | List | |||
DescribeVpcClassicLink | Grants permission to describe the ClassicLink status of one or more VPCs | List | |||
DescribeVpcClassicLinkDnsSupport | Grants permission to describe the ClassicLink DNS support status of one or more VPCs | List | |||
DescribeVpcEndpointAssociations | Grants permission to describe the VPC endpoint associations | List | |||
DescribeVpcEndpointConnectionNotifications | Grants permission to describe the connection notifications for VPC endpoints and VPC endpoint services | List | |||
DescribeVpcEndpointConnections | Grants permission to describe the VPC endpoint connections to your VPC endpoint services | List | |||
DescribeVpcEndpointServiceConfigurations | Grants permission to describe VPC endpoint service configurations (your services) | List | |||
DescribeVpcEndpointServicePermissions | Grants permission to describe the principals (service consumers) that are permitted to discover your VPC endpoint service | List | |||
DescribeVpcEndpointServices | Grants permission to describe all supported AWS services that can be specified when creating a VPC endpoint | List | |||
DescribeVpcEndpoints | Grants permission to describe one or more VPC endpoints | List | |||
DescribeVpcPeeringConnections | Grants permission to describe one or more VPC peering connections | List | |||
DescribeVpcs | Grants permission to describe one or more VPCs | List | |||
DescribeVpnConnections | Grants permission to describe one or more VPN connections | List | |||
DescribeVpnGateways | Grants permission to describe one or more virtual private gateways | List | |||
DetachClassicLinkVpc | Grants permission to unlink (detach) a linked EC2-Classic instance from a VPC | Write | |||
DetachInternetGateway | Grants permission to detach an internet gateway from a VPC | Write | |||
DetachNetworkInterface | Grants permission to detach a network interface from an instance | Write | |||
DetachVerifiedAccessTrustProvider | Grants permission to detach a trust provider from a Verified Access instance | Write | |||
DetachVolume | Grants permission to detach an EBS volume from an instance | Write | |||
DetachVpnGateway | Grants permission to detach a virtual private gateway from a VPC | Write | |||
DisableAddressTransfer | Grants permission to disable Elastic IP address transfer | Write | |||
DisableAllowedImagesSettings | Grants permission to disable allowed images settings | Write | |||
DisableAwsNetworkPerformanceMetricSubscription | Grants permission to disable infrastructure performance metric subscriptions | Write | |||
DisableEbsEncryptionByDefault | Grants permission to disable EBS encryption by default for your account | Write | |||
DisableFastLaunch | Grants permission to disable faster launching for Windows AMIs | Write | |||
DisableFastSnapshotRestores | Grants permission to disable fast snapshot restores for one or more snapshots in specified Availability Zones | Write | |||
DisableImage | Grants permission to disable an AMI | Write | |||
DisableImageBlockPublicAccess | Grants permission to disable block public access for AMIs at the account level in the specified AWS Region | Write | |||
DisableImageDeprecation | Grants permission to cancel the deprecation of the specified AMI | Write | |||
DisableImageDeregistrationProtection | Grants permission to disable deregistration protection for an AMI. When deregistration protection is disabled, the AMI can be deregistered | Write | |||
DisableIpamOrganizationAdminAccount | Grants permission to disable an AWS Organizations member account as an Amazon VPC IP Address Manager (IPAM) admin account | Write | organizations:DeregisterDelegatedAdministrator | ||
DisableSerialConsoleAccess | Grants permission to disable access to the EC2 serial console of all instances for your account | Write | |||
DisableSnapshotBlockPublicAccess | Grants permission to disable the block public access for snapshots setting for a Region | Write | |||
DisableTransitGatewayRouteTablePropagation | Grants permission to disable a resource attachment from propagating routes to the specified propagation route table | Write | |||
DisableVgwRoutePropagation | Grants permission to disable a virtual private gateway from propagating routes to a specified route table of a VPC | Write | |||
DisableVpcClassicLink | Grants permission to disable ClassicLink for a VPC | Write | |||
DisableVpcClassicLinkDnsSupport | Grants permission to disable ClassicLink DNS support for a VPC | Write | |||
DisassociateAddress | Grants permission to disassociate an Elastic IP address from an instance or network interface | Write | |||
DisassociateCapacityReservationBillingOwner | Grants permission to cancel a pending request to assign billing of the unused capacity of a Capacity Reservation to a consumer account | Write | ec2:DestinationCapacityReservationId | ||
DisassociateClientVpnTargetNetwork | Grants permission to disassociate a target network from a Client VPN endpoint | Write | |||
DisassociateEnclaveCertificateIamRole | Grants permission to disassociate an ACM certificate from an IAM role | Write | |||
DisassociateIamInstanceProfile | Grants permission to disassociate an IAM instance profile from a running or stopped instance | Write | |||
DisassociateInstanceEventWindow | Grants permission to disassociate one or more targets from an event window | Write | |||
DisassociateIpamByoasn | Grants permission to disassociate an Autonomous System Number (ASN) from a BYOIP CIDR | Write | |||
DisassociateIpamResourceDiscovery | Grants permission to disassociate a resource discovery from an Amazon VPC IPAM | Write | |||
DisassociateNatGatewayAddress | Grants permission to disassociate a secondary Elastic IP address from a public NAT gateway | Write | |||
DisassociateRouteTable | Grants permission to disassociate a subnet from a route table | Write | |||
DisassociateSecurityGroupVpc | Grants permission to disassociate a security group from a VPC | Write | |||
DisassociateSubnetCidrBlock | Grants permission to disassociate a CIDR block from a subnet | Write | |||
DisassociateTransitGatewayMulticastDomain | Grants permission to disassociate one or more subnets from a transit gateway multicast domain | Write | |||
DisassociateTransitGatewayPolicyTable | Grants permission to disassociate a policy table from a transit gateway | Write | |||
DisassociateTransitGatewayRouteTable | Grants permission to disassociate a resource attachment from a transit gateway route table | Write | |||
DisassociateTrunkInterface | Grants permission to disassociate a branch network interface from a trunk network interface | Write | |||
DisassociateVerifiedAccessInstanceWebAcl [permission only] | Grants permission to disassociate an AWS Web Application Firewall (WAF) web access control list (ACL) from a Verified Access instance | Write | |||
DisassociateVpcCidrBlock | Grants permission to disassociate a CIDR block from a VPC | Write | |||
EnableAddressTransfer | Grants permission to enable Elastic IP address transfer | Write | |||
EnableAllowedImagesSettings | Grants permission to enable allowed images settings | Write | |||
EnableAwsNetworkPerformanceMetricSubscription | Grants permission to enable infrastructure performance subscriptions | Write | |||
EnableEbsEncryptionByDefault | Grants permission to enable EBS encryption by default for your account | Write | |||
EnableFastLaunch | Grants permission to enable faster launching for Windows AMIs | Write | ec2:CreateLaunchTemplate, ec2:CreateSnapshot, ec2:CreateTags, ec2:DeleteSnapshot, ec2:DescribeImages, ec2:DescribeInstanceAttribute, ec2:DescribeInstanceStatus, ec2:DescribeInstanceTypeOfferings, ec2:DescribeInstances, ec2:DescribeLaunchTemplateVersions, ec2:DescribeLaunchTemplates, ec2:DescribeSnapshots, ec2:DescribeSubnets, ec2:RunInstances, ec2:StopInstances, ec2:TerminateInstances, iam:PassRole | ||
EnableFastSnapshotRestores | Grants permission to enable fast snapshot restores for one or more snapshots in specified Availability Zones | Write | |||
EnableImage | Grants permission to re-enable a disabled AMI | Write | |||
EnableImageBlockPublicAccess | Grants permission to enable block public access for AMIs at the account level in the specified AWS Region | Write | |||
EnableImageDeprecation | Grants permission to enable deprecation of the specified AMI at the specified date and time | Write | |||
EnableImageDeregistrationProtection | Grants permission to enable deregistration protection for an AMI. When deregistration protection is enabled, the AMI can't be deregistered | Write | |||
EnableIpamOrganizationAdminAccount | Grants permission to enable an AWS Organizations member account as an Amazon VPC IP Address Manager (IPAM) admin account | Write | iam:CreateServiceLinkedRole, organizations:EnableAWSServiceAccess, organizations:RegisterDelegatedAdministrator | ||
EnableReachabilityAnalyzerOrganizationSharing | Grants permission to enable organization sharing of reachability analyzer | Write | iam:CreateServiceLinkedRole, organizations:EnableAWSServiceAccess | ||
EnableSerialConsoleAccess | Grants permission to enable access to the EC2 serial console of all instances for your account | Write | |||
EnableSnapshotBlockPublicAccess | Grants permission to enable or modify the block public access for snapshots setting for a Region | Write | |||
EnableTransitGatewayRouteTablePropagation | Grants permission to enable an attachment to propagate routes to a propagation route table | Write | |||
EnableVgwRoutePropagation | Grants permission to enable a virtual private gateway to propagate routes to a VPC route table | Write | |||
EnableVolumeIO | Grants permission to enable I/O operations for a volume that had I/O operations disabled | Write | |||
EnableVpcClassicLink | Grants permission to enable a VPC for ClassicLink | Write | |||
EnableVpcClassicLinkDnsSupport | Grants permission to enable a VPC to support DNS hostname resolution for ClassicLink | Write | |||
ExportClientVpnClientCertificateRevocationList | Grants permission to download the client certificate revocation list for a Client VPN endpoint | Read | |||
ExportClientVpnClientConfiguration | Grants permission to download the contents of the Client VPN endpoint configuration file for a Client VPN endpoint | Read | |||
ExportImage | Grants permission to export an Amazon Machine Image (AMI) to a VM file | Write | ec2:CreateTags | ||
ExportTransitGatewayRoutes | Grants permission to export routes from a transit gateway route table to an Amazon S3 bucket | Write | |||
ExportVerifiedAccessInstanceClientConfiguration | Grants permission to export a verified access instance client configuration | Read | |||
GetAllowedImagesSettings | Grants permission to get the allowed settings for images | Read | |||
GetAssociatedEnclaveCertificateIamRoles | Grants permission to get the list of roles associated with an ACM certificate | Read | |||
GetAssociatedIpv6PoolCidrs | Grants permission to get information about the IPv6 CIDR block associations for a specified IPv6 address pool | Read | |||
GetAwsNetworkPerformanceData | Grants permission to get network performance data | Read | |||
GetCapacityReservationUsage | Grants permission to get usage information about a Capacity Reservation | Read | |||
GetCoipPoolUsage | Grants permission to describe the allocations from the specified customer-owned address pool | Read | |||
GetConsoleOutput | Grants permission to get the console output for an instance | Read | |||
GetConsoleScreenshot | Grants permission to retrieve a JPG-format screenshot of a running instance | Read | |||
GetDeclarativePoliciesReportSummary | Grants permission to get the report summary of declarative policies | Read | |||
GetDefaultCreditSpecification | Grants permission to get the default credit option for CPU usage of a burstable performance instance family | Read | |||
GetEbsDefaultKmsKeyId | Grants permission to get the ID of the default customer master key (CMK) for EBS encryption by default | Read | |||
GetEbsEncryptionByDefault | Grants permission to describe whether EBS encryption by default is enabled for your account | Read | |||
GetFlowLogsIntegrationTemplate | Grants permission to generate a CloudFormation template to streamline the integration of VPC flow logs with Amazon Athena | Read | |||
GetGroupsForCapacityReservation | Grants permission to list the resource groups to which a Capacity Reservation has been added | List | |||
GetHostReservationPurchasePreview | Grants permission to preview a reservation purchase with configurations that match those of a Dedicated Host | Read | |||
GetImageBlockPublicAccessState | Grants permission to get the current state of block public access for AMIs at the account level in the specified AWS Region | Read | |||
GetInstanceMetadataDefaults | Grants permission to view the default instance metadata service (IMDS) settings set for your account in the specified Region | List | |||
GetInstanceTpmEkPub | Grants permission to get the public endorsement key associated with the Nitro Trusted Platform Module (NitroTPM) for the specified instance | Read | |||
GetInstanceTypesFromInstanceRequirements | Grants permission to view a list of instance types with specified instance attributes | List | |||
GetInstanceUefiData | Grants permission to retrieve the binary representation of the UEFI variable store | Read | |||
GetIpamAddressHistory | Grants permission to retrieve historical information about a CIDR within an Amazon VPC IP Address Manager (IPAM) scope | Read | |||
GetIpamDiscoveredAccounts | Grants permission to retrieve IPAM discovered accounts | Read | |||
GetIpamDiscoveredPublicAddresses | Grants permission to retrieve the public IP addresses that have been discovered by IPAM | Read | |||
GetIpamDiscoveredResourceCidrs | Grants permission to retrieve the resource CIDRs that are monitored as part of a resource discovery | Read | |||
GetIpamPoolAllocations | Grants permission to get a list of all the CIDR allocations in an Amazon VPC IP Address Manager (IPAM) pool | List | |||
GetIpamPoolCidrs | Grants permission to get the CIDRs provisioned to an Amazon VPC IP Address Manager (IPAM) pool | Read | |||
GetIpamResourceCidrs | Grants permission to get information about the resources in an Amazon VPC IP Address Manager (IPAM) scope | Read | |||
GetLaunchTemplateData | Grants permission to get the configuration data of the specified instance for use with a new launch template or launch template version | Read | |||
GetManagedPrefixListAssociations | Grants permission to get information about the resources that are associated with the specified managed prefix list | Read | |||
GetManagedPrefixListEntries | Grants permission to get information about the entries for a specified managed prefix list | Read | |||
GetNetworkInsightsAccessScopeAnalysisFindings | Grants permission to get the findings for one or more Network Access Scope analyses | Read | |||
GetNetworkInsightsAccessScopeContent | Grants permission to get the content for a specified Network Access Scope | Read | |||
GetPasswordData | Grants permission to retrieve the encrypted administrator password for a running Windows instance | Read | |||
GetReservedInstancesExchangeQuote | Grants permission to return a quote and exchange information for exchanging one or more Convertible Reserved Instances for a new Convertible Reserved Instance | Read | |||
GetResourcePolicy [permission only] | Grants permission to describe an IAM policy that enables cross-account sharing | Read | |||
GetSecurityGroupsForVpc | Grants permission to retrieve a list of security groups for a specified VPC | Read | |||
GetSerialConsoleAccessStatus | Grants permission to retrieve the access status of your account to the EC2 serial console of all instances | Read | |||
GetSnapshotBlockPublicAccessState | Grants permission to retrieve the current state of the block public access for snapshots setting for a Region | Read | |||
GetSpotPlacementScores | Grants permission to calculate the Spot placement score for a Region or Availability Zone based on the specified target capacity and compute requirements | Read | |||
GetSubnetCidrReservations | Grants permission to retrieve information about the subnet CIDR reservations | Read | |||
GetTransitGatewayAttachmentPropagations | Grants permission to list the route tables to which a resource attachment propagates routes | List | |||
GetTransitGatewayMulticastDomainAssociations | Grants permission to get information about the associations for a transit gateway multicast domain | List | |||
GetTransitGatewayPolicyTableAssociations | Grants permission to get information about associations for a transit gateway policy table | List | |||
GetTransitGatewayPolicyTableEntries | Grants permission to get information about associations for a transit gateway policy table entry | List | |||
GetTransitGatewayPrefixListReferences | Grants permission to get information about prefix list references for a transit gateway route table | List | |||
GetTransitGatewayRouteTableAssociations | Grants permission to get information about associations for a transit gateway route table | List | |||
GetTransitGatewayRouteTablePropagations | Grants permission to get information about the route table propagations for a transit gateway route table | List | |||
GetVerifiedAccessEndpointPolicy | Grants permission to show the Verified Access policy associated with the endpoint | List | |||
GetVerifiedAccessEndpointTargets | Grants permission to get verified access endpoint targets | List | |||
GetVerifiedAccessGroupPolicy | Grants permission to show the contents of the Verified Access policy associated with the group | List | |||
GetVerifiedAccessInstanceWebAcl [permission only] | Grants permission to show the AWS Web Application Firewall (WAF) web access control list (ACL) for a Verified Access instance | List | |||
GetVpnConnectionDeviceSampleConfiguration | Grants permission to download an AWS-provided sample configuration file to be used with the customer gateway device | List | |||
GetVpnConnectionDeviceTypes | Grants permission to obtain a list of customer gateway devices for which sample configuration files can be provided | List | |||
GetVpnTunnelReplacementStatus | Grants permission to view available tunnel endpoint maintenance events | List | |||
ImportByoipCidrToIpam [permission only] | Grants permission to transfer existing BYOIP IPv4 CIDRs to IPAM | Write | |||
ImportClientVpnClientCertificateRevocationList | Grants permission to upload a client certificate revocation list to a Client VPN endpoint | Write | |||
ImportImage | Grants permission to import single or multi-volume disk images or EBS snapshots into an Amazon Machine Image (AMI) | Write | ec2:CreateTags | ||
ImportInstance | Grants permission to create an import instance task using metadata from a disk image | Write | |||
ImportKeyPair | Grants permission to import a public key from an RSA key pair that was created with a third-party tool | Write | ec2:CreateTags | ||
ImportSnapshot | Grants permission to import a disk into an EBS snapshot | Write | ec2:CreateTags | ||
ImportVolume | Grants permission to create an import volume task using metadata from a disk image | Write | |||
InjectApiError [permission only] | Grants permission to temporarily inject errors for target API requests | Write | |||
ListImagesInRecycleBin | Grants permission to list Amazon Machine Images (AMIs) that are currently in the Recycle Bin | List | |||
ListSnapshotsInRecycleBin | Grants permission to list the Amazon EBS snapshots that are currently in the Recycle Bin | List | |||
LockSnapshot | Grants permission to lock an Amazon EBS snapshot in either governance or compliance mode to protect it against accidental or malicious deletions | Write | |||
ModifyAddressAttribute | Grants permission to modify an attribute of the specified Elastic IP address | Write | |||
ModifyAvailabilityZoneGroup | Grants permission to modify the opt-in status of the Local Zone and Wavelength Zone group for your account | Write | |||
ModifyCapacityReservation | Grants permission to modify a Capacity Reservation's capacity and the conditions under which it is to be released | Write | |||
ModifyCapacityReservationFleet | Grants permission to modify a Capacity Reservation Fleet | Write | ec2:ModifyCapacityReservation | ||
ModifyClientVpnEndpoint | Grants permission to modify a Client VPN endpoint | Write | ec2:Attribute/${AttributeName} | ||
ModifyDefaultCreditSpecification | Grants permission to change the account level default credit option for CPU usage of burstable performance instances | Write | |||
ModifyEbsDefaultKmsKeyId | Grants permission to change the default customer master key (CMK) for EBS encryption by default for your account | Write | |||
ModifyFleet | Grants permission to modify an EC2 Fleet | Write | |||
ModifyFpgaImageAttribute | Grants permission to modify an attribute of an Amazon FPGA Image (AFI) | Write | |||
ModifyHosts | Grants permission to modify a Dedicated Host | Write | |||
ModifyIdFormat | Grants permission to modify the ID format for a resource | Write | |||
ModifyIdentityIdFormat | Grants permission to modify the ID format of a resource for a specific principal in your account | Write | |||
ModifyImageAttribute | Grants permission to modify an attribute of an Amazon Machine Image (AMI) | Write | |||
ModifyInstanceAttribute | Grants permission to modify an attribute of an instance | Write | ec2:Attribute/${AttributeName} | ||
ModifyInstanceCapacityReservationAttributes | Grants permission to modify the Capacity Reservation settings for a stopped instance | Write | ec2:Attribute/${AttributeName} | ||
ModifyInstanceCpuOptions | Grants permission to modify the CPU options on an instance | Write | ec2:Attribute/${AttributeName} | ||
ModifyInstanceCreditSpecification | Grants permission to modify the credit option for CPU usage on an instance | Write | ec2:Attribute/${AttributeName} | ||
ModifyInstanceEventStartTime | Grants permission to modify the start time for a scheduled EC2 instance event | Write | ec2:Attribute/${AttributeName} | ||
ModifyInstanceEventWindow | Grants permission to modify the specified event window | Write | |||
ModifyInstanceMaintenanceOptions | Grants permission to modify the recovery behavior for an instance | Write | ec2:Attribute/${AttributeName} | ||
ModifyInstanceMetadataDefaults | Grants permission to modify the default instance metadata service (IMDS) settings for your account in the specified Region | Write | |||
ModifyInstanceMetadataOptions | Grants permission to modify the metadata options for an instance | Write | ec2:Attribute/${AttributeName} | ||
ModifyInstancePlacement | Grants permission to modify the placement attributes for an instance | Write | ec2:Attribute/${AttributeName} | ||
ModifyIpam | Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) | Write | |||
ModifyIpamPool | Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) pool | Write | |||
ModifyIpamResourceCidr | Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) resource CIDR | Write | |||
ModifyIpamResourceDiscovery | Grants permission to modify a resource discovery | Write | |||
ModifyIpamScope | Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) scope | Write | |||
ModifyLaunchTemplate | Grants permission to modify a launch template | Write | |||
ModifyLocalGatewayRoute | Grants permission to modify a local gateway route | Write | |||
ModifyManagedPrefixList | Grants permission to modify a managed prefix list | Write | |||
ModifyNetworkInterfaceAttribute | Grants permission to modify an attribute of a network interface | Write | |||
ModifyPrivateDnsNameOptions | Grants permission to modify the options for instance hostnames for the specified instance | Write | ec2:Attribute/${AttributeName} | ||
ModifyReservedInstances | Grants permission to modify attributes of one or more Reserved Instances | Write | ec2:Attribute/${AttributeName} | ||
ModifySecurityGroupRules | Grants permission to modify the rules of a security group | Write | |||
ModifySnapshotAttribute | Grants permission to add or remove permission settings for a snapshot | Permissions management | |||
ModifySnapshotTier | Grants permission to archive Amazon EBS snapshots | Write | |||
ModifySpotFleetRequest | Grants permission to modify a Spot Fleet request | Write | |||
ModifySubnetAttribute | Grants permission to modify an attribute of a subnet | Write | |||
ModifyTrafficMirrorFilterNetworkServices | Grants permission to allow or restrict mirroring network services | Write | |||
ModifyTrafficMirrorFilterRule | Grants permission to modify a traffic mirror rule | Write | |||
ModifyTrafficMirrorSession | Grants permission to modify a traffic mirror session | Write | |||
ModifyTransitGateway | Grants permission to modify a transit gateway | Write | |||
ModifyTransitGatewayPrefixListReference | Grants permission to modify a transit gateway prefix list reference | Write | |||
ModifyTransitGatewayVpcAttachment | Grants permission to modify a VPC attachment on a transit gateway | Write | |||
ModifyVerifiedAccessEndpoint | Grants permission to modify the configuration of a Verified Access endpoint | Write | |||
ModifyVerifiedAccessEndpointPolicy | Grants permission to modify the specified Verified Access endpoint policy | Write | |||
ModifyVerifiedAccessGroup | Grants permission to modify the specified Verified Access Group configuration | Write | |||
ModifyVerifiedAccessGroupPolicy | Grants permission to modify the specified Verified Access group policy | Write | |||
ModifyVerifiedAccessInstance | Grants permission to modify the configuration of the specified Verified Access instance | Write | |||
ModifyVerifiedAccessInstanceLoggingConfiguration | Grants permission to modify the logging configuration for the specified Verified Access instance | Write | |||
ModifyVerifiedAccessTrustProvider | Grants permission to modify the configuration of the specified Verified Access trust provider | Write | |||
ModifyVolume | Grants permission to modify the parameters of an EBS volume | Write | |||
ModifyVolumeAttribute | Grants permission to modify an attribute of a volume | Write | |||
ModifyVpcAttribute | Grants permission to modify an attribute of a VPC | Write | |||
ModifyVpcBlockPublicAccessExclusion | Grants permission to modify an exclusion list for blocked public access on a VPC | Write | |||
ModifyVpcBlockPublicAccessOptions | Grants permission to modify options for blocked public access on a VPC | Write | |||
ModifyVpcEndpoint | Grants permission to modify an attribute of a VPC endpoint | Write | |||
ModifyVpcEndpointConnectionNotification | Grants permission to modify a connection notification for a VPC endpoint or VPC endpoint service | Write | |||
ModifyVpcEndpointServiceConfiguration | Grants permission to modify the attributes of a VPC endpoint service configuration | Write | |||
ModifyVpcEndpointServicePayerResponsibility | Grants permission to modify the payer responsibility for a VPC endpoint service | Write | |||
ModifyVpcEndpointServicePermissions | Grants permission to modify the permissions for a VPC endpoint service | Permissions management | |||
ModifyVpcPeeringConnectionOptions | Grants permission to modify the VPC peering connection options on one side of a VPC peering connection | Write | |||
ModifyVpcTenancy | Grants permission to modify the instance tenancy attribute of a VPC | Write | |||
ModifyVpnConnection | Grants permission to modify the target gateway of a Site-to-Site VPN connection | Write | ec2:Attribute/${AttributeName} ec2:Phase1EncryptionAlgorithms | ||
ModifyVpnConnectionOptions | Grants permission to modify the connection options for your Site-to-Site VPN connection | Write | |||
ModifyVpnTunnelCertificate | Grants permission to modify the certificate for a Site-to-Site VPN connection | Write | |||
ModifyVpnTunnelOptions | Grants permission to modify the options for a Site-to-Site VPN connection | Write | ec2:Attribute/${AttributeName} ec2:Phase1EncryptionAlgorithms | ||
MonitorInstances | Grants permission to enable detailed monitoring for a running instance | Write | |||
MoveAddressToVpc | Grants permission to move an Elastic IP address from the EC2-Classic platform to the EC2-VPC platform | Write | |||
MoveByoipCidrToIpam | Grants permission to move a BYOIP IPv4 CIDR to Amazon VPC IP Address Manager (IPAM) from a public IPv4 pool | Write | |||
MoveCapacityReservationInstances | Grants permission to move available capacity from a source Capacity Reservation to a destination Capacity Reservation | Write | ec2:DestinationCapacityReservationId | ||
PauseVolumeIO [permission only] | Grants permission to temporarily pause I/O operations for a target Amazon EBS volume | Write | |||
ProvisionByoipCidr | Grants permission to provision an address range for use in AWS through bring your own IP addresses (BYOIP), and to create a corresponding address pool | Write | |||
ProvisionIpamByoasn | Grants permission to provision an Autonomous System Number (ASN) for use in an Amazon Web Services account | Write | |||
ProvisionIpamPoolCidr | Grants permission to provision a CIDR to an Amazon VPC IP Address Manager (IPAM) pool | Write | |||
ProvisionPublicIpv4PoolCidr | Grants permission to provision a CIDR to a public IPv4 pool | Write | |||
PurchaseCapacityBlock | Grants permission to purchase a Capacity Block offering | Write | ec2:CreateTags | ||
PurchaseCapacityBlockExtension | Grants permission to purchase a Capacity Block extension | Write | |||
PurchaseHostReservation | Grants permission to purchase a reservation with configurations that match those of a Dedicated Host | Write | ec2:CreateTags | ||
PurchaseReservedInstancesOffering | Grants permission to purchase a Reserved Instance offering | Write | |||
PurchaseScheduledInstances | Grants permission to purchase one or more Scheduled Instances with a specified schedule | Write | |||
PutResourcePolicy [permission only] | Grants permission to attach an IAM policy that enables cross-account sharing to a resource | Write | |||
RebootInstances | Grants permission to request a reboot of one or more instances | Write | |||
RegisterImage | Grants permission to register an Amazon Machine Image (AMI) | Write | ec2:CreateTags | ||
RegisterInstanceEventNotificationAttributes | Grants permission to add tags to the set of tags to include in notifications about scheduled events for your instances | Write | |||
RegisterTransitGatewayMulticastGroupMembers | Grants permission to register one or more network interfaces as a member of a group IP address in a transit gateway multicast domain | Write | |||
RegisterTransitGatewayMulticastGroupSources | Grants permission to register one or more network interfaces as a source of a group IP address in a transit gateway multicast domain | Write | |||
RejectCapacityReservationBillingOwnership | Grants permission to reject a request to assign billing of the available capacity of a shared Capacity Reservation to your account | Write | ec2:DestinationCapacityReservationId | ||
RejectTransitGatewayMulticastDomainAssociations | Grants permission to reject requests to associate cross-account subnets with a transit gateway multicast domain | Write | |||
RejectTransitGatewayPeeringAttachment | Grants permission to reject a transit gateway peering attachment request | Write | |||
RejectTransitGatewayVpcAttachment | Grants permission to reject a request to attach a VPC to a transit gateway | Write | |||
RejectVpcEndpointConnections | Grants permission to reject one or more VPC endpoint connection requests to a VPC endpoint service | Write | |||
RejectVpcPeeringConnection | Grants permission to reject a VPC peering connection request | Write | |||
ReleaseAddress | Grants permission to release an Elastic IP address | Write | |||
ReleaseHosts | Grants permission to release one or more On-Demand Dedicated Hosts | Write | |||
ReleaseIpamPoolAllocation | Grants permission to release an allocation within an Amazon VPC IP Address Manager (IPAM) pool | Write | |||
ReplaceIamInstanceProfileAssociation | Grants permission to replace an IAM instance profile for an instance | Write | iam:PassRole | ||
ReplaceImageCriteriaInAllowedImagesSettings | Grants permission to replace image criteria in allowed images settings | Write | |||
ReplaceNetworkAclAssociation | Grants permission to change which network ACL a subnet is associated with | Write | |||
ReplaceNetworkAclEntry | Grants permission to replace an entry (rule) in a network ACL | Write | |||
ReplaceRoute | Grants permission to replace a route within a route table in a VPC | Write | |||
ReplaceRouteTableAssociation | Grants permission to change the route table that is associated with a subnet | Write | |||
ReplaceTransitGatewayRoute | Grants permission to replace a route in a transit gateway route table | Write | |||
ReplaceVpnTunnel | Grants permission to replace a VPN tunnel | Write | |||
ReportInstanceStatus | Grants permission to submit feedback about the status of an instance | Write | |||
RequestSpotFleet | Grants permission to create a Spot Fleet request | Write | ec2:CreateTags | ||
RequestSpotInstances | Grants permission to create a Spot Instance request | Write | ec2:CreateTags iam:PassRole | ||
ResetAddressAttribute | Grants permission to reset the attribute of the specified IP address | Write | |||
ResetEbsDefaultKmsKeyId | Grants permission to reset the default customer master key (CMK) for EBS encryption for your account to use the AWS-managed CMK for EBS | Write | |||
ResetFpgaImageAttribute | Grants permission to reset an attribute of an Amazon FPGA Image (AFI) to its default value | Write | |||
ResetImageAttribute | Grants permission to reset an attribute of an Amazon Machine Image (AMI) to its default value | Write | |||
ResetInstanceAttribute | Grants permission to reset an attribute of an instance to its default value | Write | |||
ResetNetworkInterfaceAttribute | Grants permission to reset an attribute of a network interface | Write | |||
ResetSnapshotAttribute | Grants permission to reset permission settings for a snapshot | Permissions management | |||
RestoreAddressToClassic | Grants permission to restore an Elastic IP address that was previously moved to the EC2-VPC platform back to the EC2-Classic platform | Write | |||
RestoreImageFromRecycleBin | Grants permission to restore an Amazon Machine Image (AMI) from the Recycle Bin | Write | |||
RestoreManagedPrefixListVersion | Grants permission to restore the entries from a previous version of a managed prefix list to a new version of the prefix list | Write | |||
RestoreSnapshotFromRecycleBin | Grants permission to restore an Amazon EBS snapshot from the Recycle Bin | Write | |||
RestoreSnapshotTier | Grants permission to restore an archived Amazon EBS snapshot for use temporarily or permanently, or modify the restore period or restore type for a snapshot that was previously temporarily restored | Write | |||
RevokeClientVpnIngress | Grants permission to remove an inbound authorization rule from a Client VPN endpoint | Write | |||
RevokeSecurityGroupEgress | Grants permission to remove one or more outbound rules from a VPC security group | Write | |||
RevokeSecurityGroupIngress | Grants permission to remove one or more inbound rules from a security group | Write | |||
RunInstances | Grants permission to launch one or more instances | Write | ec2:CreateTags iam:PassRole ssm:GetParameters | ||
SCENARIO: EC2-Classic-EBS | |||||
SCENARIO: EC2-Classic-InstanceStore | |||||
SCENARIO: EC2-VPC-EBS | |||||
SCENARIO: EC2-VPC-EBS-Subnet | |||||
SCENARIO: EC2-VPC-InstanceStore | |||||
SCENARIO: EC2-VPC-InstanceStore-Subnet | |||||
RunScheduledInstances | Grants permission to launch one or more Scheduled Instances | Write | |||
SearchLocalGatewayRoutes | Grants permission to search for routes in a local gateway route table | List | |||
SearchTransitGatewayMulticastGroups | Grants permission to search for groups, sources, and members in a transit gateway multicast domain | List | |||
SearchTransitGatewayRoutes | Grants permission to search for routes in a transit gateway route table | List | |||
SendDiagnosticInterrupt | Grants permission to send a diagnostic interrupt to an Amazon EC2 instance | Write | |||
SendSpotInstanceInterruptions [permission only] | Grants permission to interrupt a Spot Instance | Write | |||
StartDeclarativePoliciesReport | Grants permission to start a declarative policies report | Read | |||
StartInstances | Grants permission to start a stopped instance | Write | |||
StartNetworkInsightsAccessScopeAnalysis | Grants permission to start a Network Access Scope analysis | Write | ec2:CreateTags | ||
StartNetworkInsightsAnalysis | Grants permission to start analyzing a specified path | Write | ec2:CreateTags | ||
StartVpcEndpointServicePrivateDnsVerification | Grants permission to start the private DNS verification process for a VPC endpoint service | Write | |||
StopInstances | Grants permission to stop an Amazon EBS-backed instance | Write | |||
TerminateClientVpnConnections | Grants permission to terminate active Client VPN endpoint connections | Write | |||
TerminateInstances | Grants permission to shut down one or more instances | Write | |||
UnassignIpv6Addresses | Grants permission to unassign one or more IPv6 addresses from a network interface | Write | |||
UnassignPrivateIpAddresses | Grants permission to unassign one or more secondary private IP addresses from a network interface | Write | |||
UnassignPrivateNatGatewayAddress | Grants permission to unassign secondary private IPv4 addresses from a private NAT gateway | Write | |||
UnlockSnapshot | Grants permission to unlock a snapshot that is locked in governance mode or in compliance mode while still in the cooling-off period | Write | |||
UnmonitorInstances | Grants permission to disable detailed monitoring for a running instance | Write | |||
UpdateSecurityGroupRuleDescriptionsEgress | Grants permission to update descriptions for one or more outbound rules in a VPC security group | Write | |||
UpdateSecurityGroupRuleDescriptionsIngress | Grants permission to update descriptions for one or more inbound rules in a security group | Write | |||
WithdrawByoipCidr | Grants permission to stop advertising an address range that was provisioned for use in AWS through bring your own IP addresses (BYOIP) | Write |
Resource types defined by Amazon EC2
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.
Resource types | ARN | Condition keys |
---|---|---|
elastic-ip | arn:${Partition}:ec2:${Region}:${Account}:elastic-ip/${AllocationId} | |
capacity-reservation-fleet | arn:${Partition}:ec2:${Region}:${Account}:capacity-reservation-fleet/${CapacityReservationFleetId} | |
capacity-reservation | arn:${Partition}:ec2:${Region}:${Account}:capacity-reservation/${CapacityReservationId} | ec2:Attribute/${AttributeName} ec2:DestinationCapacityReservationId |
carrier-gateway | arn:${Partition}:ec2:${Region}:${Account}:carrier-gateway/${CarrierGatewayId} | |
certificate | arn:${Partition}:acm:${Region}:${Account}:certificate/${CertificateId} | |
client-vpn-endpoint | arn:${Partition}:ec2:${Region}:${Account}:client-vpn-endpoint/${ClientVpnEndpointId} | ec2:Attribute/${AttributeName} |
customer-gateway | arn:${Partition}:ec2:${Region}:${Account}:customer-gateway/${CustomerGatewayId} | |
declarative-policies-report | arn:${Partition}:ec2:${Region}:${Account}:declarative-policies-report/${DeclarativePoliciesReportId} | |
dedicated-host | arn:${Partition}:ec2:${Region}:${Account}:dedicated-host/${DedicatedHostId} | |
dhcp-options | arn:${Partition}:ec2:${Region}:${Account}:dhcp-options/${DhcpOptionsId} | |
egress-only-internet-gateway | arn:${Partition}:ec2:${Region}:${Account}:egress-only-internet-gateway/${EgressOnlyInternetGatewayId} | |
elastic-gpu | arn:${Partition}:ec2:${Region}:${Account}:elastic-gpu/${ElasticGpuId} | |
elastic-inference | arn:${Partition}:elastic-inference:${Region}:${Account}:elastic-inference-accelerator/${AcceleratorId} | |
export-image-task | arn:${Partition}:ec2:${Region}:${Account}:export-image-task/${ExportImageTaskId} | |
export-instance-task | arn:${Partition}:ec2:${Region}:${Account}:export-instance-task/${ExportTaskId} | |
fleet | arn:${Partition}:ec2:${Region}:${Account}:fleet/${FleetId} | |
fpga-image | arn:${Partition}:ec2:${Region}:${Account}:fpga-image/${FpgaImageId} | |
host-reservation | arn:${Partition}:ec2:${Region}:${Account}:host-reservation/${HostReservationId} | |
image | arn:${Partition}:ec2:${Region}::image/${ImageId} | |
import-image-task | arn:${Partition}:ec2:${Region}:${Account}:import-image-task/${ImportImageTaskId} | |
import-snapshot-task | arn:${Partition}:ec2:${Region}:${Account}:import-snapshot-task/${ImportSnapshotTaskId} | |
instance-connect-endpoint | arn:${Partition}:ec2:${Region}:${Account}:instance-connect-endpoint/${InstanceConnectEndpointId} | |
instance-event-window | arn:${Partition}:ec2:${Region}:${Account}:instance-event-window/${InstanceEventWindowId} | |
instance | arn:${Partition}:ec2:${Region}:${Account}:instance/${InstanceId} | ec2:Attribute/${AttributeName} |
internet-gateway | arn:${Partition}:ec2:${Region}:${Account}:internet-gateway/${InternetGatewayId} | |
ipam-external-resource-verification-token | arn:${Partition}:ec2::${Account}:ipam-external-resource-verification-token/${IpamExternalResourceVerificationTokenId} | |
ipam | arn:${Partition}:ec2::${Account}:ipam/${IpamId} | |
ipam-pool | arn:${Partition}:ec2::${Account}:ipam-pool/${IpamPoolId} | |
ipam-resource-discovery-association | arn:${Partition}:ec2::${Account}:ipam-resource-discovery-association/${IpamResourceDiscoveryAssociationId} | |
ipam-resource-discovery | arn:${Partition}:ec2::${Account}:ipam-resource-discovery/${IpamResourceDiscoveryId} | |
ipam-scope | arn:${Partition}:ec2::${Account}:ipam-scope/${IpamScopeId} | |
coip-pool | arn:${Partition}:ec2:${Region}:${Account}:coip-pool/${Ipv4PoolCoipId} | |
ipv4pool-ec2 | arn:${Partition}:ec2:${Region}:${Account}:ipv4pool-ec2/${Ipv4PoolEc2Id} | |
ipv6pool-ec2 | arn:${Partition}:ec2:${Region}:${Account}:ipv6pool-ec2/${Ipv6PoolEc2Id} | |
key-pair | arn:${Partition}:ec2:${Region}:${Account}:key-pair/${KeyPairName} | |
launch-template | arn:${Partition}:ec2:${Region}:${Account}:launch-template/${LaunchTemplateId} | |
license-configuration | arn:${Partition}:license-manager:${Region}:${Account}:license-configuration:${LicenseConfigurationId} | |
local-gateway | arn:${Partition}:ec2:${Region}:${Account}:local-gateway/${LocalGatewayId} | |
local-gateway-route-table-virtual-interface-group-association | arn:${Partition}:ec2:${Region}:${Account}:local-gateway-route-table-virtual-interface-group-association/${LocalGatewayRouteTableVirtualInterfaceGroupAssociationId} | |
local-gateway-route-table-vpc-association | arn:${Partition}:ec2:${Region}:${Account}:local-gateway-route-table-vpc-association/${LocalGatewayRouteTableVpcAssociationId} | |
local-gateway-route-table | arn:${Partition}:ec2:${Region}:${Account}:local-gateway-route-table/${LocalGatewayRoutetableId} | |
local-gateway-virtual-interface-group | arn:${Partition}:ec2:${Region}:${Account}:local-gateway-virtual-interface-group/${LocalGatewayVirtualInterfaceGroupId} | |
local-gateway-virtual-interface | arn:${Partition}:ec2:${Region}:${Account}:local-gateway-virtual-interface/${LocalGatewayVirtualInterfaceId} | |
natgateway | arn:${Partition}:ec2:${Region}:${Account}:natgateway/${NatGatewayId} | |
network-acl | arn:${Partition}:ec2:${Region}:${Account}:network-acl/${NaclId} | |
network-insights-access-scope-analysis | arn:${Partition}:ec2:${Region}:${Account}:network-insights-access-scope-analysis/${NetworkInsightsAccessScopeAnalysisId} | |
network-insights-access-scope | arn:${Partition}:ec2:${Region}:${Account}:network-insights-access-scope/${NetworkInsightsAccessScopeId} | |
network-insights-analysis | arn:${Partition}:ec2:${Region}:${Account}:network-insights-analysis/${NetworkInsightsAnalysisId} | |
network-insights-path | arn:${Partition}:ec2:${Region}:${Account}:network-insights-path/${NetworkInsightsPathId} | |
network-interface | arn:${Partition}:ec2:${Region}:${Account}:network-interface/${NetworkInterfaceId} | |
placement-group | arn:${Partition}:ec2:${Region}:${Account}:placement-group/${PlacementGroupName} | |
prefix-list | arn:${Partition}:ec2:${Region}:${Account}:prefix-list/${PrefixListId} | |
replace-root-volume-task | arn:${Partition}:ec2:${Region}:${Account}:replace-root-volume-task/${ReplaceRootVolumeTaskId} | |
reserved-instances | arn:${Partition}:ec2:${Region}:${Account}:reserved-instances/${ReservationId} | ec2:Attribute/${AttributeName} |
group | arn:${Partition}:resource-groups:${Region}:${Account}:group/${GroupName} | |
role | arn:${Partition}:iam::${Account}:role/${RoleNameWithPath} | |
route-table | arn:${Partition}:ec2:${Region}:${Account}:route-table/${RouteTableId} | |
security-group | arn:${Partition}:ec2:${Region}:${Account}:security-group/${SecurityGroupId} | |
security-group-rule | arn:${Partition}:ec2:${Region}:${Account}:security-group-rule/${SecurityGroupRuleId} | |
snapshot | arn:${Partition}:ec2:${Region}::snapshot/${SnapshotId} | |
spot-fleet-request | arn:${Partition}:ec2:${Region}:${Account}:spot-fleet-request/${SpotFleetRequestId} | |
spot-instances-request | arn:${Partition}:ec2:${Region}:${Account}:spot-instances-request/${SpotInstanceRequestId} | |
subnet-cidr-reservation | arn:${Partition}:ec2:${Region}:${Account}:subnet-cidr-reservation/${SubnetCidrReservationId} | |
subnet | arn:${Partition}:ec2:${Region}:${Account}:subnet/${SubnetId} | |
traffic-mirror-filter | arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-filter/${TrafficMirrorFilterId} | |
traffic-mirror-filter-rule | arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-filter-rule/${TrafficMirrorFilterRuleId} | |
traffic-mirror-session | arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-session/${TrafficMirrorSessionId} | |
traffic-mirror-target | arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-target/${TrafficMirrorTargetId} | |
transit-gateway-attachment | arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-attachment/${TransitGatewayAttachmentId} | |
transit-gateway-connect-peer |
arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-connect-peer/${TransitGatewayConnectPeerId}
|
|
transit-gateway |
arn:${Partition}:ec2:${Region}:${Account}:transit-gateway/${TransitGatewayId}
|
|
transit-gateway-multicast-domain |
arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-multicast-domain/${TransitGatewayMulticastDomainId}
|
|
transit-gateway-policy-table |
arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-policy-table/${TransitGatewayPolicyTableId}
|
|
transit-gateway-route-table-announcement |
arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-route-table-announcement/${TransitGatewayRouteTableAnnouncementId}
|
|
transit-gateway-route-table |
arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-route-table/${TransitGatewayRouteTableId}
|
|
verified-access-endpoint |
arn:${Partition}:ec2:${Region}:${Account}:verified-access-endpoint/${VerifiedAccessEndpointId}
|
|
verified-access-endpoint-target |
arn:${Partition}:ec2:${Region}:${Account}:verified-access-endpoint-target/${VerifiedAccessEndpointTargetId}
|
|
verified-access-group |
arn:${Partition}:ec2:${Region}:${Account}:verified-access-group/${VerifiedAccessGroupId}
|
|
verified-access-instance |
arn:${Partition}:ec2:${Region}:${Account}:verified-access-instance/${VerifiedAccessInstanceId}
|
|
verified-access-policy |
arn:${Partition}:ec2:${Region}:${Account}:verified-access-policy/${VerifiedAccessPolicyId}
|
|
verified-access-trust-provider |
arn:${Partition}:ec2:${Region}:${Account}:verified-access-trust-provider/${VerifiedAccessTrustProviderId}
|
|
volume |
arn:${Partition}:ec2:${Region}:${Account}:volume/${VolumeId}
|
|
vpc-block-public-access-exclusion |
arn:${Partition}:ec2:${Region}:${Account}:vpc-block-public-access-exclusion/${VpcBlockPublicAccessExclusionId}
|
|
vpc-endpoint-connection |
arn:${Partition}:ec2:${Region}:${Account}:vpc-endpoint-connection/${VpcEndpointConnectionId}
|
|
vpc-endpoint |
arn:${Partition}:ec2:${Region}:${Account}:vpc-endpoint/${VpcEndpointId}
|
|
vpc-endpoint-service |
arn:${Partition}:ec2:${Region}:${Account}:vpc-endpoint-service/${VpcEndpointServiceId}
|
|
vpc-endpoint-service-permission |
arn:${Partition}:ec2:${Region}:${Account}:vpc-endpoint-service-permission/${VpcEndpointServicePermissionId}
|
|
vpc-flow-log |
arn:${Partition}:ec2:${Region}:${Account}:vpc-flow-log/${VpcFlowLogId}
|
|
vpc |
arn:${Partition}:ec2:${Region}:${Account}:vpc/${VpcId}
|
|
vpc-peering-connection |
arn:${Partition}:ec2:${Region}:${Account}:vpc-peering-connection/${VpcPeeringConnectionId}
|
|
vpn-connection-device-type |
arn:${Partition}:ec2:${Region}:${Account}:vpn-connection-device-type/${VpnConnectionDeviceTypeId}
|
|
vpn-connection |
arn:${Partition}:ec2:${Region}:${Account}:vpn-connection/${VpnConnectionId}
|
ec2:Attribute/${AttributeName} ec2:Phase1EncryptionAlgorithms |
vpn-gateway |
arn:${Partition}:ec2:${Region}:${Account}:vpn-gateway/${VpnGatewayId}
|
Condition keys for Amazon EC2
Amazon EC2 defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
Condition keys | Description | Type |
---|---|---|
aws:RequestTag/${TagKey} | Filters access by a tag key and value pair that is allowed in the request | String |
aws:ResourceTag/${TagKey} | Filters access by a tag key and value pair of a resource | String |
aws:TagKeys | Filters access by a list of tag keys that are allowed in the request | ArrayOfString |
ec2:AccepterVpc | Filters access by the ARN of an accepter VPC in a VPC peering connection | ARN |
ec2:Add/group | Filters access by the group being added to a snapshot | String |
ec2:Add/userId | Filters access by the account ID being added to a snapshot | String |
ec2:AllocationId | Filters access by the allocation ID of the Elastic IP address | String |
ec2:AssociatePublicIpAddress | Filters access by whether the user wants to associate a public IP address with the instance | Bool |
ec2:Attribute | Filters access by an attribute of a resource | String |
ec2:Attribute/${AttributeName} | Filters access by an attribute being set on a resource | String |
ec2:AuthenticationType | Filters access by the authentication type for the VPN tunnel endpoints | String |
ec2:AuthorizedService | Filters access by the AWS service that has permission to use a resource | String |
ec2:AuthorizedUser | Filters access by an IAM principal that has permission to use a resource | String |
ec2:AutoPlacement | Filters access by the Auto Placement properties of a Dedicated Host | String |
ec2:AvailabilityZone | Filters access by the name of an Availability Zone in an AWS Region | String |
ec2:CapacityReservationFleet | Filters access by the ARN of the Capacity Reservation Fleet | ARN |
ec2:ClientRootCertificateChainArn | Filters access by the ARN of the client root certificate chain | ARN |
ec2:CloudwatchLogGroupArn | Filters access by the ARN of the CloudWatch Logs log group | ARN |
ec2:CloudwatchLogStreamArn | Filters access by the ARN of the CloudWatch Logs log stream | ARN |
ec2:CpuOptionsAmdSevSnp | Filters access by the state of AMD SEV-SNP CPU Options. Currently, only US East (Ohio) and Europe (Ireland) are supported | String |
ec2:CreateAction | Filters access by the name of a resource-creating API action | String |
ec2:CreateDate | Filters access by the date and time at which the Capacity Reservation was created | Date |
ec2:DPDTimeoutSeconds | Filters access by the duration after which DPD timeout occurs on a VPN tunnel | Numeric |
ec2:DestinationCapacityReservationId | Filters access by the ID of the Capacity Reservation that you want to move capacity into | ARN |
ec2:DhcpOptionsID | Filters access by the ID of a dynamic host configuration protocol (DHCP) options set | String |
ec2:DirectoryArn | Filters access by the ARN of the directory | ARN |
ec2:Domain | Filters access by the domain of the Elastic IP address | String |
ec2:EbsOptimized | Filters access by whether the instance is enabled for EBS optimization | Bool |
ec2:ElasticGpuType | Filters access by the type of Elastic Graphics accelerator | String |
ec2:Encrypted | Filters access by whether the EBS volume is encrypted | Bool |
ec2:EndDate | Filters access by the date and time at which the Capacity Reservation ends | Date |
ec2:EndDateType | Filters access by the way in which the Capacity Reservation ends | String |
ec2:FisActionId | Filters access by the ID of an AWS FIS action | String |
ec2:FisTargetArns | Filters access by the ARN of an AWS FIS target | ArrayOfARN |
ec2:GatewayType | Filters access by the gateway type for a VPN endpoint on the AWS side of a VPN connection | String |
ec2:HostRecovery | Filters access by whether host recovery is enabled for a Dedicated Host | String |
ec2:IKEVersions | Filters access by the internet key exchange (IKE) versions that are permitted for a VPN tunnel | ArrayOfString |
ec2:ImageID | Filters access by the ID of an image | String |
ec2:ImageType | Filters access by the type of image (machine, aki, or ari) | String |
ec2:InsideTunnelCidr | Filters access by the range of inside IP addresses for a VPN tunnel | String |
ec2:InsideTunnelIpv6Cidr | Filters access by a range of inside IPv6 addresses for a VPN tunnel | String |
ec2:InstanceAutoRecovery | Filters access by whether the instance type supports auto recovery | String |
ec2:InstanceCount | Filters access by the number of instances | Numeric |
ec2:InstanceID | Filters access by the ID of an instance | String |
ec2:InstanceMarketType | Filters access by the market or purchasing option of an instance (capacity-block, on-demand, or spot) | String |
ec2:InstanceMatchCriteria | Filters access by the type of instance launches that the Capacity Reservation accepts | String |
ec2:InstanceMetadataTags | Filters access by whether the instance allows access to instance tags from the instance metadata | String |
ec2:InstancePlatform | Filters access by the type of operating system for which the Capacity Reservation reserves capacity | ARN |
ec2:InstanceProfile | Filters access by the ARN of an instance profile | ARN |
ec2:InstanceType | Filters access by the type of instance | String |
ec2:InternetGatewayID | Filters access by the ID of an internet gateway | String |
ec2:Ipv4IpamPoolId | Filters access by the ID of an IPAM pool provided for IPv4 CIDR block allocation | String |
ec2:Ipv6IpamPoolId | Filters access by the ID of an IPAM pool provided for IPv6 CIDR block allocation | String |
ec2:IsLaunchTemplateResource | Filters access by whether users are able to override resources that are specified in the launch template | Bool |
ec2:KeyPairName | Filters access by the name of a key pair | String |
ec2:KeyPairType | Filters access by the type of a key pair | String |
ec2:KmsKeyId | Filters access by the ID of an AWS KMS key provided in the request | String |
ec2:LaunchTemplate | Filters access by the ARN of a launch template | ARN |
ec2:Location | Filters access by the destination for the snapshot copy | String |
ec2:ManagedResourceOperator | Filters access by the presence of an EC2 operator provisioning a managed resource | String |
ec2:MetadataHttpEndpoint | Filters access by whether the HTTP endpoint is enabled for the instance metadata service | String |
ec2:MetadataHttpPutResponseHopLimit | Filters access by the allowed number of hops when calling the instance metadata service | Numeric |
ec2:MetadataHttpTokens | Filters access by whether tokens are required when calling the instance metadata service (optional or required) | String |
ec2:NetworkAclID | Filters access by the ID of a network access control list (ACL) | String |
ec2:NetworkInterfaceID | Filters access by the ID of an elastic network interface | String |
ec2:NewInstanceProfile | Filters access by the ARN of the instance profile being attached | ARN |
ec2:OutpostArn | Filters access by the ARN of the Outpost | ARN |
ec2:Owner | Filters access by the owner of the resource (amazon, aws-marketplace, or an AWS account ID) | String |
ec2:ParentSnapshot | Filters access by the ARN of the parent snapshot | ARN |
ec2:ParentVolume | Filters access by the ARN of the parent volume from which the snapshot was created | ARN |
ec2:Permission | Filters access by the type of permission for a resource (INSTANCE-ATTACH or EIP-ASSOCIATE) | String |
ec2:Phase1DHGroup | Filters access by the Diffie-Hellman group numbers that are permitted for a VPN tunnel for the phase 1 IKE negotiations | ArrayOfString |
ec2:Phase1EncryptionAlgorithms | Filters access by the encryption algorithms that are permitted for a VPN tunnel for the phase 1 IKE negotiations | ArrayOfString |
ec2:Phase1IntegrityAlgorithms | Filters access by the integrity algorithms that are permitted for a VPN tunnel for the phase 1 IKE negotiations | ArrayOfString |
ec2:Phase1LifetimeSeconds | Filters access by the lifetime in seconds for phase 1 of the IKE negotiations for a VPN tunnel | Numeric |
ec2:Phase2DHGroup | Filters access by the Diffie-Hellman group numbers that are permitted for a VPN tunnel for the phase 2 IKE negotiations | ArrayOfString |
ec2:Phase2EncryptionAlgorithms | Filters access by the encryption algorithms that are permitted for a VPN tunnel for the phase 2 IKE negotiations | ArrayOfString |
ec2:Phase2IntegrityAlgorithms | Filters access by the integrity algorithms that are permitted for a VPN tunnel for the phase 2 IKE negotiations | ArrayOfString |
ec2:Phase2LifetimeSeconds | Filters access by the lifetime in seconds for phase 2 of the IKE negotiations for a VPN tunnel | Numeric |
ec2:PlacementGroup | Filters access by the ARN of the placement group | ARN |
ec2:PlacementGroupName | Filters access by the name of a placement group | String |
ec2:PlacementGroupStrategy | Filters access by the instance placement strategy used by the placement group (cluster, spread, or partition) | String |
ec2:ProductCode | Filters access by the product code that is associated with the AMI | String |
ec2:Public | Filters access by whether the image has public launch permissions | Bool |
ec2:PublicIpAddress | Filters access by a public IP address | String |
ec2:Quantity | Filters access by the number of Dedicated Hosts in a request | Numeric |
ec2:Region | Filters access by the name of the AWS Region | String |
ec2:RekeyFuzzPercentage | Filters access by the percentage of increase of the rekey window (determined by the rekey margin time) within which the rekey time is randomly selected for a VPN tunnel | Numeric |
ec2:RekeyMarginTimeSeconds | Filters access by the margin time before the phase 2 lifetime expires for a VPN tunnel | Numeric |
ec2:Remove/group | Filters access by the group being removed from a snapshot | String |
ec2:Remove/userId | Filters access by the account ID being removed from a snapshot | String |
ec2:ReplayWindowSizePackets | Filters access by the number of packets in an IKE replay window | String |
ec2:RequesterVpc | Filters access by the ARN of a requester VPC in a VPC peering connection | ARN |
ec2:ReservedInstancesOfferingType | Filters access by the payment option of the Reserved Instance offering (No Upfront, Partial Upfront, or All Upfront) | String |
ec2:ResourceTag/${TagKey} | Filters access by a tag key and value pair of a resource | String |
ec2:RoleDelivery | Filters access by the version of the instance metadata service for retrieving IAM role credentials for EC2 | Numeric |
ec2:RootDeviceType | Filters access by the root device type of the instance (ebs or instance-store) | String |
ec2:RouteTableID | Filters access by the ID of a route table | String |
ec2:RoutingType | Filters access by the routing type for the VPN connection | String |
ec2:SamlProviderArn | Filters access by the ARN of the IAM SAML identity provider | ARN |
ec2:SecurityGroupID | Filters access by the ID of a security group | String |
ec2:ServerCertificateArn | Filters access by the ARN of the server certificate | ARN |
ec2:SnapshotCoolOffPeriod | Filters access by the compliance mode cooling-off period | Numeric |
ec2:SnapshotID | Filters access by the ID of a snapshot | String |
ec2:SnapshotLockDuration | Filters access by the snapshot lock duration | Numeric |
ec2:SnapshotTime | Filters access by the initiation time of a snapshot | String |
ec2:SourceAvailabilityZone | Filters access by the name of the Availability Zone from which the request originated | String |
ec2:SourceCapacityReservationId | Filters access by the ID of the Capacity Reservation from which you want to move capacity | ARN |
ec2:SourceInstanceARN | Filters access by the ARN of the instance from which the request originated | ARN |
ec2:SourceOutpostArn | Filters access by the ARN of the Outpost from which the request originated | ARN |
ec2:Subnet | Filters access by the ARN of the subnet | ARN |
ec2:SubnetID | Filters access by the ID of a subnet | String |
ec2:Tenancy | Filters access by the tenancy of the VPC or instance (default, dedicated, or host) | String |
ec2:VolumeID | Filters access by the ID of a volume | String |
ec2:VolumeIops | Filters access by the number of input/output operations per second (IOPS) provisioned for the volume | Numeric |
ec2:VolumeSize | Filters access by the size of the volume, in GiB | Numeric |
ec2:VolumeThroughput | Filters access by the throughput of the volume, in MiBps | Numeric |
ec2:VolumeType | Filters access by the type of volume (gp2, gp3, io1, io2, st1, sc1, or standard) | String |
ec2:Vpc | Filters access by the ARN of the VPC | ARN |
ec2:VpcID | Filters access by the ID of a virtual private cloud (VPC) | String |
ec2:VpcPeeringConnectionID | Filters access by the ID of a VPC peering connection | String |
ec2:VpceServiceName | Filters access by the name of the VPC endpoint service | String |
ec2:VpceServiceOwner | Filters access by the service owner of the VPC endpoint service (amazon, aws-marketplace, or an AWS account ID) | String |
ec2:VpceServicePrivateDnsName | Filters access by the private DNS name of the VPC endpoint service | String |
ec2:transitGatewayAttachmentId | Filters access by the ID of a transit gateway attachment | String |
ec2:transitGatewayConnectPeerId | Filters access by the ID of a transit gateway connect peer | String |
ec2:transitGatewayId | Filters access by the ID of a transit gateway | String |
ec2:transitGatewayMulticastDomainId | Filters access by the ID of a transit gateway multicast domain | String |
ec2:transitGatewayPolicyTableId | Filters access by the ID of a transit gateway policy table | String |
ec2:transitGatewayRouteTableAnnouncementId | Filters access by the ID of a transit gateway route table announcement | String |
ec2:transitGatewayRouteTableId | Filters access by the ID of a transit gateway route table | String |
ec2:vpceMultiRegion | Filters access by the multi-Region setting of the VPC endpoint service | String |
ec2:vpceServiceRegion | Filters access by the Region of the VPC endpoint service | String |
ec2:vpceSupportedRegion | Filters access by the supported Region of the VPC endpoint service | String |