Actions, resources, and condition keys for Amazon EC2 - Service Authorization Reference

Actions, resources, and condition keys for Amazon EC2

Amazon EC2 (service prefix: ec2) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Amazon EC2

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. Each resource type in the Resource types table has a Condition keys column; those are the resource condition keys that apply when an action in the Actions table is used with that resource type.

For details about the columns in the following table, see Actions table.
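The rules above (a statement that restricts Resource must cover every required resource type, dependent actions must be granted too, and a condition key is only evaluated when the action puts it in the request context for the resource being authorized) are easy to get wrong when several actions share one statement. As an added example, not AWS code and not part of this reference, the Python below transcribes three rows of the Actions table (AttachVolume, AssociateIamInstanceProfile and AuthorizeSecurityGroupIngress, with the condition-key lists abridged) and lints a policy against them. The two sample policies, the account ID 111122223333, the Region and the role name are constructed placeholders; the ARN shapes are the standard EC2 ones, which this section does not show.

```python
"""Lint IAM Allow statements against rows of the EC2 Actions table.

Added example, not AWS code. ACTION_TABLE is an abridged transcription of
three rows of the Actions table; the sample policies are constructed.
"""
import json
from collections import defaultdict

# Per action: resource rows (type -> (required?, that row's condition keys)),
# condition keys listed without a resource row, and dependent actions.
ACTION_TABLE = {
    "ec2:AttachVolume": {
        "resources": {
            "instance": (True, {"aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}",
                                "ec2:InstanceID", "ec2:InstanceType", "ec2:Tenancy"}),
            "volume": (True, {"aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}",
                              "ec2:VolumeID", "ec2:Encrypted", "ec2:VolumeType"}),
        },
        "keys": {"ec2:Region"},
        "dependent": set(),
    },
    "ec2:AssociateIamInstanceProfile": {
        "resources": {
            "instance": (True, {"aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}",
                                "ec2:InstanceID", "ec2:InstanceProfile",
                                "ec2:NewInstanceProfile"}),
        },
        "keys": {"ec2:Region"},
        "dependent": {"iam:PassRole"},
    },
    "ec2:AuthorizeSecurityGroupIngress": {
        "resources": {
            "security-group": (True, {"aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}",
                                      "ec2:SecurityGroupID", "ec2:Vpc"}),
            "security-group-rule": (False, {"aws:RequestTag/${TagKey}", "aws:TagKeys"}),
        },
        "keys": {"ec2:Region"},
        "dependent": {"ec2:CreateTags"},
    },
}


def resource_type(arn):
    """Resource type named by an EC2 ARN; '*' when the entry covers every type."""
    if arn == "*":
        return "*"
    parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
    if len(parts) != 6 or parts[2] != "ec2":
        return None
    return "*" if parts[5] == "*" else parts[5].split("/", 1)[0]


def key_supported(key, supported):
    """Case-insensitive match; '${TagKey}' entries match any tag-key suffix."""
    k = key.lower()
    for s in supported:
        s = s.lower()
        if s.endswith("${tagkey}"):
            if k.startswith(s[: -len("${tagkey}")]):
                return True
        elif k == s:
            return True
    return False


def _as_list(v):
    return [v] if isinstance(v, str) else list(v)


def lint_policy(policy):
    """Return findings about Allow statements that can never match or lack deps."""
    findings, allowed, covered = [], set(), defaultdict(set)
    for i, st in enumerate(policy["Statement"]):
        if st["Effect"] != "Allow":
            continue
        actions, resources = _as_list(st["Action"]), _as_list(st["Resource"])
        allowed.update(actions)
        cond_keys = [k for op in st.get("Condition", {}).values() for k in op]
        for action in actions:
            row = ACTION_TABLE.get(action)
            if row is None:
                if action.startswith("ec2:"):
                    findings.append(f"stmt {i}: {action} not in the abridged table")
                continue
            for res in resources:
                rt = resource_type(res)
                covered[action].add(rt)
                if rt == "*":  # any row's keys may be in context
                    supported = set().union(*(ks for _, ks in row["resources"].values()))
                elif rt in row["resources"]:
                    supported = row["resources"][rt][1]
                else:
                    findings.append(f"stmt {i}: {action} cannot be used with resource type {rt}")
                    continue
                # A key absent from the request context makes the condition false
                for key in cond_keys:
                    if not key_supported(key, supported | row["keys"]):
                        findings.append(f"stmt {i}: {action} on '{rt}' never matches: {key} not in context")
    for action, row in ACTION_TABLE.items():
        if action not in allowed:
            continue
        if "*" not in covered[action]:
            for rt, (required, _) in sorted(row["resources"].items()):
                if required and rt not in covered[action]:
                    findings.append(f"{action}: required resource type '{rt}' not allowed by any statement")
        for dep in sorted(row["dependent"] - allowed):
            findings.append(f"{action}: dependent action {dep} not allowed by any statement")
    return findings


# Constructed policy with three defects the table exposes: AttachVolume is limited
# to instance ARNs (volume is also required), ec2:Encrypted is tested while the
# instance resource is authorized (the key is in context only for the volume),
# and AssociateIamInstanceProfile is granted without its dependent iam:PassRole.
BROKEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:AttachVolume", "ec2:AssociateIamInstanceProfile"],
    "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
    "Condition": {"StringEquals": {"ec2:ResourceTag/Env": "prod"},
                  "Bool": {"ec2:Encrypted": "true"}}
  }]
}""")

# Same intent: one statement per resource type, plus the dependent action.
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:AttachVolume",
     "Resource": "arn:aws:ec2:us-east-1:111122223333:volume/*",
     "Condition": {"Bool": {"ec2:Encrypted": "true"}}},
    {"Effect": "Allow", "Action": ["ec2:AttachVolume", "ec2:AssociateIamInstanceProfile"],
     "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/Env": "prod"}}},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::111122223333:role/app-instance-role"}
  ]
}""")

if __name__ == "__main__":
    for name, pol in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(name, lint_policy(pol) or ["no findings"])
```

The split in FIXED_POLICY is the point: IAM authorizes each resource in an AttachVolume request separately, so a condition on a volume-only key such as ec2:Encrypted belongs in the statement that names the volume ARN, and the instance ARN needs its own statement. The required-resource check is deliberately policy-wide rather than per statement, because the page's requirement is that the policy as a whole names an ARN or pattern for every required resource type.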

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AcceptAddressTransfer Grants permission to accept an Elastic IP address transfer Write

elastic-ip*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AllocationId

ec2:Domain

ec2:PublicIpAddress

ec2:CreateTags

ec2:Region

AcceptCapacityReservationBillingOwnership Grants permission to accept the assignment of billing for the available capacity of a shared Capacity Reservation to the calling account Write

capacity-reservation*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CapacityReservationFleet

ec2:CreateDate

ec2:DestinationCapacityReservationId

ec2:EbsOptimized

ec2:EndDate

ec2:EndDateType

ec2:InstanceCount

ec2:InstanceMatchCriteria

ec2:InstancePlatform

ec2:InstanceType

ec2:OutpostArn

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:SourceCapacityReservationId

ec2:Tenancy

ec2:Region

AcceptReservedInstancesExchangeQuote Grants permission to accept a Convertible Reserved Instance exchange quote Write

ec2:Region

AcceptTransitGatewayMulticastDomainAssociations Grants permission to accept a request to associate subnets with a transit gateway multicast domain Write

transit-gateway-attachment

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

transit-gateway-multicast-domain

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayMulticastDomainId

ec2:Region

AcceptTransitGatewayPeeringAttachment Grants permission to accept a transit gateway peering attachment request Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

ec2:Region

AcceptTransitGatewayVpcAttachment Grants permission to accept a request to attach a VPC to a transit gateway Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

ec2:Region

AcceptVpcEndpointConnections Grants permission to accept one or more interface VPC endpoint connections to your VPC endpoint service Write

vpc-endpoint-service*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:vpceMultiRegion

ec2:vpceSupportedRegion

ec2:Region

AcceptVpcPeeringConnection Grants permission to accept a VPC peering connection request Write

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

vpc-peering-connection*

aws:ResourceTag/${TagKey}

ec2:AccepterVpc

ec2:RequesterVpc

ec2:ResourceTag/${TagKey}

ec2:VpcPeeringConnectionID

ec2:Region

AdvertiseByoipCidr Grants permission to advertise an IP address range that is provisioned for use in AWS through bring your own IP addresses (BYOIP) Write

ec2:Region

AllocateAddress Grants permission to allocate an Elastic IP address (EIP) to your account Write

elastic-ip*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

ipam-pool

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipv4pool-ec2

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AllocateHosts Grants permission to allocate a Dedicated Host to your account Write

dedicated-host*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AutoPlacement

ec2:AvailabilityZone

ec2:HostRecovery

ec2:InstanceType

ec2:Quantity

ec2:CreateTags

ec2:Region

AllocateIpamPoolCidr Grants permission to allocate a CIDR from an Amazon VPC IP Address Manager (IPAM) pool Write

ipam-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

ApplySecurityGroupsToClientVpnTargetNetwork Grants permission to apply a security group to the association between a Client VPN endpoint and a target network Write

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

security-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

AssignIpv6Addresses Grants permission to assign one or more IPv6 addresses to a network interface Write

network-interface*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ManagedResourceOperator

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

AssignPrivateIpAddresses Grants permission to assign one or more secondary private IP addresses to a network interface Write

network-interface*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ManagedResourceOperator

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

AssignPrivateNatGatewayAddress Grants permission to assign one or more secondary private IP addresses to a private NAT gateway Write

natgateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AssociateAddress Grants permission to associate an Elastic IP address (EIP) with an instance or a network interface Write

elastic-ip

aws:ResourceTag/${TagKey}

ec2:AllocationId

ec2:Domain

ec2:PublicIpAddress

ec2:ResourceTag/${TagKey}

instance

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

network-interface

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ManagedResourceOperator

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

AssociateCapacityReservationBillingOwner Grants permission to assign billing of the unused capacity of a shared Capacity Reservation to a consumer account Write

capacity-reservation*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CapacityReservationFleet

ec2:CreateDate

ec2:DestinationCapacityReservationId

ec2:EbsOptimized

ec2:EndDate

ec2:EndDateType

ec2:InstanceCount

ec2:InstanceMatchCriteria

ec2:InstancePlatform

ec2:InstanceType

ec2:OutpostArn

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:SourceCapacityReservationId

ec2:Tenancy

ec2:Region

AssociateClientVpnTargetNetwork Grants permission to associate a target network with a Client VPN endpoint Write

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

subnet*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Region

AssociateDhcpOptions Grants permission to associate or disassociate a set of DHCP options with a VPC Write

dhcp-options*

aws:ResourceTag/${TagKey}

ec2:DhcpOptionsID

ec2:ResourceTag/${TagKey}

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

AssociateEnclaveCertificateIamRole Grants permission to associate an ACM certificate with an IAM role to be used in an EC2 Enclave Write

certificate*

role*

ec2:Region

AssociateIamInstanceProfile Grants permission to associate an IAM instance profile with a running or stopped instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:NewInstanceProfile

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

iam:PassRole

ec2:Region

AssociateInstanceEventWindow Grants permission to associate one or more targets with an event window Write

instance-event-window*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AssociateIpamByoasn Grants permission to associate an Autonomous System Number (ASN) with a BYOIP CIDR Write

ec2:Region

AssociateIpamResourceDiscovery Grants permission to associate an IPAM resource discovery with an Amazon VPC IPAM Write

ipam*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CreateTags

ipam-resource-discovery*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam-resource-discovery-association*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

AssociateNatGatewayAddress Grants permission to associate an Elastic IP address and private IP address with a public NAT gateway Write

elastic-ip*

aws:ResourceTag/${TagKey}

ec2:AllocationId

ec2:Domain

ec2:PublicIpAddress

ec2:ResourceTag/${TagKey}

natgateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AssociateRouteTable Grants permission to associate a subnet or gateway with a route table Write

route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

ec2:Vpc

internet-gateway

aws:ResourceTag/${TagKey}

ec2:InternetGatewayID

ec2:ResourceTag/${TagKey}

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

vpn-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AssociateSecurityGroupVpc Grants permission to associate a security group with another VPC in the same Region Write

security-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

vpc*

aws:ResourceTag/${TagKey}

ec2:Ipv4IpamPoolId

ec2:Ipv6IpamPoolId

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

AssociateSubnetCidrBlock Grants permission to associate a CIDR block with a subnet Write

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

ipam-pool

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AssociateTransitGatewayMulticastDomain Grants permission to associate an attachment and list of subnets with a transit gateway multicast domain Write

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

transit-gateway-multicast-domain*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayMulticastDomainId

ec2:Region

AssociateTransitGatewayPolicyTable Grants permission to associate a policy table with a transit gateway attachment Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

transit-gateway-policy-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayPolicyTableId

ec2:Region

AssociateTransitGatewayRouteTable Grants permission to associate an attachment with a transit gateway route table Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableId

ec2:Region

AssociateTrunkInterface Grants permission to associate a branch network interface with a trunk network interface Write

ec2:Region

AssociateVerifiedAccessInstanceWebAcl [permission only] Grants permission to associate an AWS Web Application Firewall (WAF) web access control list (ACL) with a Verified Access instance Write

verified-access-instance*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AssociateVpcCidrBlock Grants permission to associate a CIDR block with a VPC Write

vpc*

aws:ResourceTag/${TagKey}

ec2:Ipv4IpamPoolId

ec2:Ipv6IpamPoolId

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ipam-pool

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipv6pool-ec2

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AttachClassicLinkVpc Grants permission to link an EC2-Classic instance to a ClassicLink-enabled VPC through one or more of the VPC's security groups Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

security-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

AttachInternetGateway Grants permission to attach an internet gateway to a VPC Write

internet-gateway*

aws:ResourceTag/${TagKey}

ec2:InternetGatewayID

ec2:ResourceTag/${TagKey}

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

AttachNetworkInterface Grants permission to attach a network interface to an instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

network-interface*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ManagedResourceOperator

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

AttachVerifiedAccessTrustProvider Grants permission to attach a trust provider to a Verified Access instance Write

verified-access-instance*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

verified-access-trust-provider*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AttachVolume Grants permission to attach an EBS volume to a running or stopped instance and expose it to the instance with the specified device name Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

volume*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ManagedResourceOperator

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:Region

AttachVpnGateway Grants permission to attach a virtual private gateway to a VPC Write

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

vpn-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AuthorizeClientVpnIngress Grants permission to add an inbound authorization rule to a Client VPN endpoint Write

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

AuthorizeSecurityGroupEgress Grants permission to add one or more outbound rules to a VPC security group. Policies using the security-group-rule resource-level permission are only enforced when the API request includes TagSpecifications Write

security-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

ec2:CreateTags

security-group-rule

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

AuthorizeSecurityGroupIngress Grants permission to add one or more inbound rules to a VPC security group. Policies using the security-group-rule resource-level permission are only enforced when the API request includes TagSpecifications Write

security-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

ec2:CreateTags

security-group-rule

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

BundleInstance Grants permission to bundle an instance store-backed Windows instance Write

ec2:Region

CancelBundleTask Grants permission to cancel a bundling operation Write

ec2:Region

CancelCapacityReservation Grants permission to cancel a Capacity Reservation and release the reserved capacity Write

capacity-reservation*

aws:ResourceTag/${TagKey}

ec2:CapacityReservationFleet

ec2:Region

CancelCapacityReservationFleets Grants permission to cancel one or more Capacity Reservation Fleets Write

capacity-reservation-fleet*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CancelCapacityReservation

ec2:Region

CancelConversionTask Grants permission to cancel an active conversion task Write

ec2:Region

CancelDeclarativePoliciesReport Grants permission to cancel a declarative policies report Write

declarative-policies-report*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CancelExportTask Grants permission to cancel an active export task Write

export-image-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

export-instance-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CancelImageLaunchPermission Grants permission to remove your AWS account from the launch permissions for the specified AMI Write

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

CancelImportTask Grants permission to cancel an in-process import virtual machine or import snapshot task Write

import-image-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

import-snapshot-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CancelReservedInstancesListing Grants permission to cancel a Reserved Instance listing on the Reserved Instance Marketplace Write

ec2:Region

CancelSpotFleetRequests Grants permission to cancel one or more Spot Fleet requests Write

spot-fleet-request*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CancelSpotInstanceRequests Grants permission to cancel one or more Spot Instance requests Write

spot-instances-request*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

ConfirmProductInstance Grants permission to determine whether an owned product code is associated with an instance Write

ec2:Region

CopyFpgaImage Grants permission to copy a source Amazon FPGA image (AFI) to the current Region. Resource-level permissions specified for this action apply to the new AFI only. They do not apply to the source AFI Write

fpga-image*

ec2:Owner

ec2:Region

CopyImage Grants permission to copy an Amazon Machine Image (AMI) from a source Region to the current Region Write

image*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:ImageID

ec2:Owner

ec2:CreateTags

snapshot*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CopySnapshot Grants permission to copy a point-in-time snapshot of an EBS volume and store it in Amazon S3. Resource-level permissions specified for this action apply to the new snapshot only. They do not apply to the source snapshot Write

snapshot*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:OutpostArn

ec2:SnapshotID

ec2:CreateTags

ec2:Region

CreateCapacityReservation Grants permission to create a Capacity Reservation Write

capacity-reservation*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CapacityReservationFleet

ec2:CreateTags

ec2:Region

CreateCapacityReservationBySplitting Grants permission to create a new Capacity Reservation by splitting the available capacity of the source Capacity Reservation Write

capacity-reservation*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CapacityReservationFleet

ec2:CreateDate

ec2:DestinationCapacityReservationId

ec2:EbsOptimized

ec2:EndDate

ec2:EndDateType

ec2:InstanceCount

ec2:InstanceMatchCriteria

ec2:InstancePlatform

ec2:InstanceType

ec2:OutpostArn

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:SourceCapacityReservationId

ec2:Tenancy

ec2:CreateTags

ec2:Region

CreateCapacityReservationFleet Grants permission to create a Capacity Reservation Fleet Write

capacity-reservation-fleet*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateCapacityReservation

ec2:CreateTags

ec2:DescribeCapacityReservations

ec2:DescribeInstances

ec2:Region

CreateCarrierGateway Grants permission to create a carrier gateway, which provides CSP connectivity to VPC customers Write

carrier-gateway*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

CreateClientVpnEndpoint Grants permission to create a Client VPN endpoint Write

client-vpn-endpoint*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:CreateTags

security-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:VpcID

ec2:Region

CreateClientVpnRoute Grants permission to add a network route to a Client VPN endpoint's route table Write

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

subnet*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Region

CreateCoipCidr Grants permission to create a range of customer-owned IP (CoIP) addresses Write

coip-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateCoipPool Grants permission to create a pool of customer-owned IP (CoIP) addresses Write

coip-pool*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

local-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateCoipPoolPermission [permission only] Grants permission to allow a service to access a customer-owned IP (CoIP) pool Write

coip-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateCustomerGateway Grants permission to create a customer gateway, which provides information to AWS about your customer gateway device Write

customer-gateway*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

ec2:Region

CreateDefaultSubnet Grants permission to create a default subnet in a specified Availability Zone in a default VPC Write

ec2:Region

CreateDefaultVpc Grants permission to create a default VPC with a default subnet in each Availability Zone Write

ec2:Region

CreateDhcpOptions Grants permission to create a set of DHCP options for a VPC Write

dhcp-options*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:DhcpOptionsID

ec2:CreateTags

ec2:Region

CreateEgressOnlyInternetGateway Grants permission to create an egress-only internet gateway for a VPC Write

egress-only-internet-gateway*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

CreateFleet Grants permission to launch an EC2 Fleet. Resource-level permissions for this action do not include the resources specified in a launch template. To specify resource-level permissions for resources specified in a launch template, you must include the resources in the RunInstances action statement Write

fleet*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

instance*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceID

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:PlacementGroup

ec2:RootDeviceType

ec2:Tenancy

image

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

launch-template

aws:ResourceTag/${TagKey}

ec2:ManagedResourceOperator

ec2:ResourceTag/${TagKey}

placement-group

aws:ResourceTag/${TagKey}

ec2:PlacementGroupName

ec2:PlacementGroupStrategy

ec2:ResourceTag/${TagKey}

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

volume

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AvailabilityZone

ec2:Encrypted

ec2:KmsKeyId

ec2:ManagedResourceOperator

ec2:ParentSnapshot

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:Region

CreateFlowLogs Grants permission to create one or more flow logs to capture IP traffic for a network interface Write

vpc-flow-log*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

ecs:ListClusters

ecs:ListContainerInstances

ecs:ListServices

ecs:ListTaskDefinitions

ecs:ListTasks

iam:PassRole

network-interface

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

transit-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayId

transit-gateway-attachment

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

CreateFpgaImage Grants permission to create an Amazon FPGA Image (AFI) from a design checkpoint (DCP) Write

fpga-image*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Owner

ec2:Public

ec2:CreateTags

ec2:Region

CreateImage Grants permission to create an Amazon EBS-backed AMI from a stopped or running Amazon EBS-backed instance Write

image*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:ImageID

ec2:Owner

ec2:CreateTags

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

snapshot*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:OutpostArn

ec2:ParentVolume

ec2:SnapshotID

ec2:SnapshotTime

ec2:SourceOutpostArn

ec2:VolumeSize

ec2:Region

CreateInstanceConnectEndpoint Grants permission to create an EC2 Instance Connect Endpoint that allows you to connect to an instance without a public IPv4 address Write

instance-connect-endpoint*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:SubnetID

ec2:CreateTags

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

security-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

ec2:Region

CreateInstanceEventWindow Grants permission to create an event window in which scheduled events for the associated Amazon EC2 instances can run Write

instance-event-window*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

ec2:Region

CreateInstanceExportTask Grants permission to export a running or stopped instance to an Amazon S3 bucket Write

export-instance-task*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

CreateInternetGateway Grants permission to create an internet gateway for a VPC Write

internet-gateway*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:InternetGatewayID

ec2:CreateTags

ec2:Region

CreateIpam Grants permission to create an Amazon VPC IP Address Manager (IPAM) Write

ipam*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

iam:CreateServiceLinkedRole

ec2:Region

CreateIpamExternalResourceVerificationToken Grants permission to create a verification token, which proves ownership of an external resource Write

ipam*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CreateTags

ipam-external-resource-verification-token*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateIpamPool
  Description: Grants permission to create an IP address pool for Amazon VPC IP Address Manager (IPAM), which is a collection of contiguous IP address CIDRs
  Access level: Write
  Resource types and condition keys:
    ipam-pool*: aws:RequestTag/${TagKey}, aws:TagKeys
    ipam-scope*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateIpamResourceDiscovery
  Description: Grants permission to create an IPAM resource discovery
  Access level: Write
  Resource types and condition keys:
    ipam-resource-discovery*: aws:RequestTag/${TagKey}, aws:TagKeys
  Dependent actions: ec2:CreateTags, iam:CreateServiceLinkedRole
  Condition keys (no resource type): ec2:Region

CreateIpamScope
  Description: Grants permission to create an Amazon VPC IP Address Manager (IPAM) scope, which is the highest-level container within IPAM
  Access level: Write
  Resource types and condition keys:
    ipam*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    ipam-scope*: aws:RequestTag/${TagKey}, aws:TagKeys
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateKeyPair
  Description: Grants permission to create a 2048-bit RSA key pair
  Access level: Write
  Resource types and condition keys:
    key-pair*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:KeyPairType
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateLaunchTemplate
  Description: Grants permission to create a launch template
  Access level: Write
  Resource types and condition keys:
    launch-template*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:ManagedResourceOperator
  Dependent actions: ec2:CreateTags, ssm:GetParameters
  Condition keys (no resource type): ec2:Region

CreateLaunchTemplateVersion
  Description: Grants permission to create a new version of a launch template
  Access level: Write
  Resource types and condition keys:
    launch-template*: aws:ResourceTag/${TagKey}, ec2:ManagedResourceOperator, ec2:ResourceTag/${TagKey}
  Dependent actions: ssm:GetParameters
  Condition keys (no resource type): ec2:Region

CreateLocalGatewayRoute
  Description: Grants permission to create a static route for a local gateway route table
  Access level: Write
  Resource types and condition keys:
    local-gateway-route-table*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    local-gateway-virtual-interface-group: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    network-interface: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ManagedResourceOperator, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc
    prefix-list: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  Condition keys (no resource type): ec2:Region

CreateLocalGatewayRouteTable
  Description: Grants permission to create a local gateway route table
  Access level: Write
  Resource types and condition keys:
    local-gateway*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    local-gateway-route-table*: aws:RequestTag/${TagKey}, aws:TagKeys
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateLocalGatewayRouteTablePermission [permission only]
  Description: Grants permission to allow a service to access a local gateway route table
  Access level: Write
  Resource types and condition keys:
    local-gateway-route-table*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  Condition keys (no resource type): ec2:Region

CreateLocalGatewayRouteTableVirtualInterfaceGroupAssociation
  Description: Grants permission to create a local gateway route table virtual interface group association
  Access level: Write
  Resource types and condition keys:
    local-gateway-route-table*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    local-gateway-route-table-virtual-interface-group-association*: aws:RequestTag/${TagKey}, aws:TagKeys
    local-gateway-virtual-interface-group*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateLocalGatewayRouteTableVpcAssociation
  Description: Grants permission to associate a VPC with a local gateway route table
  Access level: Write
  Resource types and condition keys:
    local-gateway-route-table*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    local-gateway-route-table-vpc-association*: aws:RequestTag/${TagKey}, aws:TagKeys
    vpc*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateManagedPrefixList
  Description: Grants permission to create a managed prefix list
  Access level: Write
  Resource types and condition keys:
    prefix-list*: aws:RequestTag/${TagKey}, aws:TagKeys
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateNatGateway
  Description: Grants permission to create a NAT gateway in a subnet
  Access level: Write
  Resource types and condition keys:
    natgateway*: aws:RequestTag/${TagKey}, aws:TagKeys
    subnet*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc
    elastic-ip: aws:ResourceTag/${TagKey}, ec2:AllocationId, ec2:Domain, ec2:PublicIpAddress, ec2:ResourceTag/${TagKey}
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateNetworkAcl
  Description: Grants permission to create a network ACL in a VPC
  Access level: Write
  Resource types and condition keys:
    network-acl*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:NetworkAclID
    vpc*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateNetworkAclEntry
  Description: Grants permission to create a numbered entry (a rule) in a network ACL
  Access level: Write
  Resource types and condition keys:
    network-acl*: aws:ResourceTag/${TagKey}, ec2:NetworkAclID, ec2:ResourceTag/${TagKey}, ec2:Vpc
  Condition keys (no resource type): ec2:Region

CreateNetworkInsightsAccessScope
  Description: Grants permission to create a Network Access Scope
  Access level: Write
  Resource types and condition keys:
    network-insights-access-scope*: aws:RequestTag/${TagKey}, aws:TagKeys
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateNetworkInsightsPath
  Description: Grants permission to create a path to analyze for reachability
  Access level: Write
  Resource types and condition keys:
    network-insights-path*: aws:RequestTag/${TagKey}, aws:TagKeys
    instance: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:CpuOptionsAmdSevSnp, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:ManagedResourceOperator, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ProductCode, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy
    internet-gateway: aws:ResourceTag/${TagKey}, ec2:InternetGatewayID, ec2:ResourceTag/${TagKey}
    network-interface: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ManagedResourceOperator, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc
    transit-gateway: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayId
    vpc-endpoint: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    vpc-endpoint-service: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    vpc-peering-connection: aws:ResourceTag/${TagKey}, ec2:AccepterVpc, ec2:RequesterVpc, ec2:ResourceTag/${TagKey}, ec2:VpcPeeringConnectionID
    vpn-gateway: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateNetworkInterface
  Description: Grants permission to create a network interface in a subnet
  Access level: Write
  Resource types and condition keys:
    network-interface*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:ManagedResourceOperator, ec2:NetworkInterfaceID
    subnet*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc
    security-group: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID, ec2:Vpc
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateNetworkInterfacePermission
  Description: Grants permission to create a permission for an AWS-authorized user to perform certain operations on a network interface
  Access level: Permissions management
  Resource types and condition keys:
    network-interface*: aws:ResourceTag/${TagKey}, ec2:AuthorizedService, ec2:AuthorizedUser, ec2:AvailabilityZone, ec2:NetworkInterfaceID, ec2:Permission, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc
  Condition keys (no resource type): ec2:Region

CreatePlacementGroup
  Description: Grants permission to create a placement group
  Access level: Write
  Resource types and condition keys:
    placement-group*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:PlacementGroupName, ec2:PlacementGroupStrategy
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreatePublicIpv4Pool
  Description: Grants permission to create a public IPv4 address pool for public IPv4 CIDRs that you own and bring to Amazon to manage with Amazon VPC IP Address Manager (IPAM)
  Access level: Write
  Resource types and condition keys:
    ipv4pool-ec2*: aws:RequestTag/${TagKey}, aws:TagKeys
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateReplaceRootVolumeTask
  Description: Grants permission to create a root volume replacement task
  Access level: Write
  Resource types and condition keys:
    instance*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:CpuOptionsAmdSevSnp, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:ManagedResourceOperator, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ProductCode, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy
    replace-root-volume-task*: aws:RequestTag/${TagKey}, aws:TagKeys
    volume*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:ManagedResourceOperator, ec2:VolumeID
    image: aws:ResourceTag/${TagKey}, ec2:ImageID, ec2:ImageType, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType
    snapshot: aws:ResourceTag/${TagKey}, ec2:Owner, ec2:ParentVolume, ec2:ResourceTag/${TagKey}, ec2:SnapshotID, ec2:SnapshotTime, ec2:VolumeSize
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateReservedInstancesListing
  Description: Grants permission to create a listing for Standard Reserved Instances to be sold in the Reserved Instance Marketplace
  Access level: Write
  Condition keys (no resource type): ec2:Region

CreateRestoreImageTask
  Description: Grants permission to start a task that restores an AMI from an S3 object previously created by using CreateStoreImageTask
  Access level: Write
  Resource types and condition keys:
    image*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:ImageID, ec2:Owner
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateRoute
  Description: Grants permission to create a route in a VPC route table
  Access level: Write
  Resource types and condition keys:
    route-table*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:RouteTableID, ec2:Vpc
  Condition keys (no resource type): ec2:Region

CreateRouteTable
  Description: Grants permission to create a route table for a VPC
  Access level: Write
  Resource types and condition keys:
    route-table*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:RouteTableID
    vpc*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateSecurityGroup
  Description: Grants permission to create a security group
  Access level: Write
  Resource types and condition keys:
    security-group*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:SecurityGroupID
    vpc: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateSnapshot
  Description: Grants permission to create a snapshot of an EBS volume and store it in Amazon S3
  Access level: Write
  Resource types and condition keys:
    snapshot*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Location, ec2:OutpostArn, ec2:ParentVolume, ec2:SnapshotID, ec2:SourceAvailabilityZone, ec2:SourceOutpostArn, ec2:VolumeSize
    volume*: aws:ResourceTag/${TagKey}, ec2:Encrypted, ec2:ResourceTag/${TagKey}, ec2:VolumeID, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateSnapshots
  Description: Grants permission to create crash-consistent snapshots of multiple EBS volumes and store them in Amazon S3
  Access level: Write
  Resource types and condition keys:
    instance*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:CpuOptionsAmdSevSnp, ec2:EbsOptimized, ec2:InstanceID, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy
    snapshot*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Location, ec2:OutpostArn, ec2:ParentVolume, ec2:SnapshotID, ec2:SourceAvailabilityZone, ec2:SourceOutpostArn, ec2:VolumeSize
    volume*: aws:ResourceTag/${TagKey}, ec2:Encrypted, ec2:ResourceTag/${TagKey}, ec2:VolumeID, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateSpotDatafeedSubscription
  Description: Grants permission to create a data feed for Spot Instances to view Spot Instance usage logs
  Access level: Write
  Condition keys (no resource type): ec2:Region

CreateStoreImageTask
  Description: Grants permission to store an AMI as a single object in an S3 bucket
  Access level: Write
  Resource types and condition keys:
    image*: aws:ResourceTag/${TagKey}, ec2:ImageID, ec2:ImageType, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType
  Condition keys (no resource type): ec2:Region

CreateSubnet
  Description: Grants permission to create a subnet in a VPC
  Access level: Write
  Resource types and condition keys:
    subnet*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:SubnetID
    vpc*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID
    ipam-pool: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateSubnetCidrReservation
  Description: Grants permission to create a subnet CIDR reservation
  Access level: Write
  Condition keys (no resource type): ec2:Region

CreateTags
  Description: Grants permission to add or overwrite one or more tags for Amazon EC2 resources
  Access level: Tagging
  Resource types and condition keys:
    capacity-reservation: aws:ResourceTag/${TagKey}
    capacity-reservation-fleet: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    carrier-gateway: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:Vpc
    client-vpn-endpoint: aws:ResourceTag/${TagKey}, ec2:ClientRootCertificateChainArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn, ec2:DirectoryArn, ec2:ResourceTag/${TagKey}, ec2:SamlProviderArn, ec2:ServerCertificateArn
    coip-pool: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    customer-gateway: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    declarative-policies-report: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    dedicated-host: aws:ResourceTag/${TagKey}, ec2:AutoPlacement, ec2:AvailabilityZone, ec2:HostRecovery, ec2:InstanceType, ec2:Quantity, ec2:ResourceTag/${TagKey}
    dhcp-options: aws:ResourceTag/${TagKey}, ec2:DhcpOptionsID, ec2:ResourceTag/${TagKey}
    egress-only-internet-gateway: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    elastic-gpu: aws:ResourceTag/${TagKey}, ec2:ElasticGpuType, ec2:ResourceTag/${TagKey}
    elastic-ip: aws:ResourceTag/${TagKey}, ec2:AllocationId, ec2:Domain, ec2:PublicIpAddress, ec2:ResourceTag/${TagKey}
    export-image-task: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    export-instance-task: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    fleet: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    fpga-image: aws:ResourceTag/${TagKey}, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey}
    host-reservation: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    image: aws:ResourceTag/${TagKey}, ec2:ImageID, ec2:ImageType, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType
    import-image-task: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    import-snapshot-task: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    instance: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:CpuOptionsAmdSevSnp, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:ManagedResourceOperator, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ProductCode, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy
    instance-connect-endpoint: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SubnetID
    instance-event-window: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    internet-gateway: aws:ResourceTag/${TagKey}, ec2:InternetGatewayID, ec2:ResourceTag/${TagKey}
    ipam: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    ipam-external-resource-verification-token: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    ipam-pool: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    ipam-resource-discovery: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    ipam-resource-discovery-association: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    ipam-scope: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    ipv4pool-ec2: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    ipv6pool-ec2: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    key-pair: aws:ResourceTag/${TagKey}, ec2:KeyPairName, ec2:KeyPairType, ec2:ResourceTag/${TagKey}
    launch-template: aws:ResourceTag/${TagKey}, ec2:ManagedResourceOperator, ec2:ResourceTag/${TagKey}
    local-gateway: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    local-gateway-route-table: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    local-gateway-route-table-virtual-interface-group-association: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    local-gateway-route-table-vpc-association: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    local-gateway-virtual-interface: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    local-gateway-virtual-interface-group: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    natgateway: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    network-acl: aws:ResourceTag/${TagKey}, ec2:NetworkAclID, ec2:ResourceTag/${TagKey}, ec2:Vpc
    network-insights-access-scope: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    network-insights-access-scope-analysis: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    network-insights-analysis: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    network-insights-path: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    network-interface: aws:ResourceTag/${TagKey}, ec2:AuthorizedUser, ec2:AvailabilityZone, ec2:ManagedResourceOperator, ec2:NetworkInterfaceID, ec2:Permission, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc
    placement-group: aws:ResourceTag/${TagKey}, ec2:PlacementGroupName, ec2:PlacementGroupStrategy, ec2:ResourceTag/${TagKey}
    prefix-list: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    replace-root-volume-task: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    reserved-instances: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:InstanceType, ec2:ReservedInstancesOfferingType, ec2:ResourceTag/${TagKey}, ec2:Tenancy
    route-table: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:RouteTableID, ec2:Vpc
    security-group: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID, ec2:Vpc
    security-group-rule: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    snapshot: aws:ResourceTag/${TagKey}, ec2:Encrypted, ec2:Owner, ec2:ParentVolume, ec2:ResourceTag/${TagKey}, ec2:SnapshotID, ec2:SnapshotTime, ec2:VolumeSize
    spot-fleet-request: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    spot-instances-request: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    subnet: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc
    subnet-cidr-reservation: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    traffic-mirror-filter: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    traffic-mirror-session: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    traffic-mirror-target: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    transit-gateway: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayId
    transit-gateway-attachment: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayAttachmentId
    transit-gateway-connect-peer: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayConnectPeerId
    transit-gateway-multicast-domain: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayMulticastDomainId
    transit-gateway-policy-table: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayPolicyTableId
    transit-gateway-route-table: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayRouteTableId
    transit-gateway-route-table-announcement: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayRouteTableAnnouncementId
    verified-access-endpoint: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    verified-access-endpoint-target: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    verified-access-group: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    verified-access-instance: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    verified-access-policy: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    verified-access-trust-provider: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    volume: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Encrypted, ec2:ManagedResourceOperator, ec2:ParentSnapshot, ec2:ResourceTag/${TagKey}, ec2:VolumeID, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType
    vpc: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID
    vpc-endpoint: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    vpc-endpoint-connection: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    vpc-endpoint-service: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:vpceMultiRegion, ec2:vpceServiceRegion, ec2:vpceSupportedRegion
    vpc-endpoint-service-permission: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    vpc-flow-log: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    vpc-peering-connection: aws:ResourceTag/${TagKey}, ec2:AccepterVpc, ec2:RequesterVpc, ec2:ResourceTag/${TagKey}, ec2:VpcPeeringConnectionID
    vpn-connection: aws:ResourceTag/${TagKey}, ec2:AuthenticationType, ec2:DPDTimeoutSeconds, ec2:GatewayType, ec2:IKEVersions, ec2:InsideTunnelCidr, ec2:InsideTunnelIpv6Cidr, ec2:Phase1DHGroup, ec2:Phase1EncryptionAlgorithms, ec2:Phase1IntegrityAlgorithms, ec2:Phase1LifetimeSeconds, ec2:Phase2DHGroup, ec2:Phase2EncryptionAlgorithms, ec2:Phase2IntegrityAlgorithms, ec2:Phase2LifetimeSeconds, ec2:RekeyFuzzPercentage, ec2:RekeyMarginTimeSeconds, ec2:ReplayWindowSizePackets, ec2:ResourceTag/${TagKey}, ec2:RoutingType
    vpn-gateway: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  Condition keys (no resource type): ec2:CreateAction, ec2:Region

CreateTrafficMirrorFilter
  Description: Grants permission to create a traffic mirror filter
  Access level: Write
  Resource types and condition keys:
    traffic-mirror-filter*: aws:RequestTag/${TagKey}, aws:TagKeys
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateTrafficMirrorFilterRule
  Description: Grants permission to create a traffic mirror filter rule
  Access level: Write
  Resource types and condition keys:
    traffic-mirror-filter*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    traffic-mirror-filter-rule*: aws:RequestTag/${TagKey}, aws:TagKeys
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateTrafficMirrorSession
  Description: Grants permission to create a traffic mirror session
  Access level: Write
  Resource types and condition keys:
    network-interface*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ManagedResourceOperator, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc
    traffic-mirror-filter*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    traffic-mirror-session*: aws:RequestTag/${TagKey}, aws:TagKeys
    traffic-mirror-target*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateTrafficMirrorTarget
  Description: Grants permission to create a traffic mirror target
  Access level: Write
  Resource types and condition keys:
    traffic-mirror-target*: aws:RequestTag/${TagKey}, aws:TagKeys
    network-interface: aws:ResourceTag/${TagKey}, ec2:ManagedResourceOperator, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}
    vpc-endpoint: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:VpceServiceName, ec2:VpceServiceOwner
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateTransitGateway
  Description: Grants permission to create a transit gateway
  Access level: Write
  Resource types and condition keys:
    transit-gateway*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:transitGatewayId
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateTransitGatewayConnect
  Description: Grants permission to create a Connect attachment from a specified transit gateway attachment
  Access level: Write
  Resource types and condition keys:
    transit-gateway-attachment*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:transitGatewayAttachmentId
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateTransitGatewayConnectPeer
  Description: Grants permission to create a Connect peer between a transit gateway and an appliance
  Access level: Write
  Resource types and condition keys:
    transit-gateway-attachment*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayAttachmentId
    transit-gateway-connect-peer*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:transitGatewayConnectPeerId
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateTransitGatewayMulticastDomain
  Description: Grants permission to create a multicast domain for a transit gateway
  Access level: Write
  Resource types and condition keys:
    transit-gateway*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayId
    transit-gateway-multicast-domain*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:transitGatewayMulticastDomainId
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateTransitGatewayPeeringAttachment
  Description: Grants permission to request a transit gateway peering attachment between a requester and accepter transit gateway
  Access level: Write
  Resource types and condition keys:
    transit-gateway*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayId
    transit-gateway-attachment*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:transitGatewayAttachmentId
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateTransitGatewayPolicyTable
  Description: Grants permission to create a transit gateway policy table
  Access level: Write
  Resource types and condition keys:
    transit-gateway*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayId
    transit-gateway-policy-table*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:transitGatewayPolicyTableId
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateTransitGatewayPrefixListReference
  Description: Grants permission to create a transit gateway prefix list reference
  Access level: Write
  Resource types and condition keys:
    prefix-list*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    transit-gateway-route-table*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayRouteTableId
    transit-gateway-attachment: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayAttachmentId
  Condition keys (no resource type): ec2:Region

CreateTransitGatewayRoute
  Description: Grants permission to create a static route for a transit gateway route table
  Access level: Write
  Resource types and condition keys:
    transit-gateway-route-table*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayRouteTableId
    transit-gateway-attachment: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayAttachmentId
  Condition keys (no resource type): ec2:Region

CreateTransitGatewayRouteTable
  Description: Grants permission to create a route table for a transit gateway
  Access level: Write
  Resource types and condition keys:
    transit-gateway*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayId
    transit-gateway-route-table*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:transitGatewayRouteTableId
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateTransitGatewayRouteTableAnnouncement
  Description: Grants permission to create an announcement for a transit gateway route table
  Access level: Write
  Resource types and condition keys:
    transit-gateway-attachment*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayAttachmentId
    transit-gateway-route-table*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayRouteTableId
    transit-gateway-route-table-announcement*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:transitGatewayRouteTableAnnouncementId
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateTransitGatewayVpcAttachment
  Description: Grants permission to attach a VPC to a transit gateway
  Access level: Write
  Resource types and condition keys:
    subnet*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc
    transit-gateway*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayId
    transit-gateway-attachment*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:transitGatewayAttachmentId
    vpc*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateVerifiedAccessEndpoint
  Description: Grants permission to create a Verified Access endpoint
  Access level: Write
  Resource types and condition keys:
    verified-access-endpoint*: aws:RequestTag/${TagKey}, aws:TagKeys
    verified-access-group*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    network-interface: aws:ResourceTag/${TagKey}, ec2:AuthorizedUser, ec2:AvailabilityZone, ec2:ManagedResourceOperator, ec2:NetworkInterfaceID, ec2:Permission, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc
    security-group: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID, ec2:Vpc
    subnet: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateVerifiedAccessGroup
  Description: Grants permission to create a Verified Access group
  Access level: Write
  Resource types and condition keys:
    verified-access-group*: aws:RequestTag/${TagKey}, aws:TagKeys
    verified-access-instance*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateVerifiedAccessInstance
  Description: Grants permission to create a Verified Access instance
  Access level: Write
  Resource types and condition keys:
    verified-access-instance*: aws:RequestTag/${TagKey}, aws:TagKeys
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateVerifiedAccessTrustProvider
  Description: Grants permission to create a verified trust provider
  Access level: Write
  Resource types and condition keys:
    verified-access-trust-provider*: aws:RequestTag/${TagKey}, aws:TagKeys
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateVolume
  Description: Grants permission to create an EBS volume
  Access level: Write
  Resource types and condition keys:
    volume*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:AvailabilityZone, ec2:Encrypted, ec2:KmsKeyId, ec2:ManagedResourceOperator, ec2:ParentSnapshot, ec2:VolumeID, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateVpc
  Description: Grants permission to create a VPC with a specified CIDR block
  Access level: Write
  Resource types and condition keys:
    vpc*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Ipv4IpamPoolId, ec2:Ipv6IpamPoolId, ec2:VpcID
    ipam-pool: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    ipv6pool-ec2: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateVpcBlockPublicAccessExclusion
  Description: Grants permission to create an exclusion list for blocked public access on a VPC
  Access level: Write
  Resource types and condition keys:
    subnet: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc
    vpc: aws:ResourceTag/${TagKey}, ec2:Ipv4IpamPoolId, ec2:Ipv6IpamPoolId, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateVpcEndpoint
  Description: Grants permission to create a VPC endpoint for an AWS service
  Access level: Write
  Resource types and condition keys:
    vpc*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:VpcID
    vpc-endpoint*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:VpceServiceName, ec2:VpceServiceOwner
    route-table: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:RouteTableID
    security-group: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID
    subnet: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SubnetID
  Dependent actions: ec2:CreateTags, route53:AssociateVPCWithHostedZone
  Condition keys (no resource type): ec2:Region

CreateVpcEndpointConnectionNotification
  Description: Grants permission to create a connection notification for a VPC endpoint or VPC endpoint service
  Access level: Write
  Resource types and condition keys:
    vpc-endpoint: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    vpc-endpoint-service: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:vpceMultiRegion, ec2:vpceServiceRegion
  Condition keys (no resource type): ec2:Region

CreateVpcEndpointServiceConfiguration
  Description: Grants permission to create a VPC endpoint service configuration to which service consumers (AWS accounts, IAM users, and IAM roles) can connect
  Access level: Write
  Resource types and condition keys:
    vpc-endpoint-service*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:VpceServicePrivateDnsName, ec2:vpceMultiRegion, ec2:vpceServiceRegion
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateVpcPeeringConnection
  Description: Grants permission to request a VPC peering connection between two VPCs
  Access level: Write
  Resource types and condition keys:
    vpc*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID
    vpc-peering-connection*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:AccepterVpc, ec2:RequesterVpc, ec2:VpcPeeringConnectionID
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateVpnConnection
  Description: Grants permission to create a VPN connection between a virtual private gateway or transit gateway and a customer gateway
  Access level: Write
  Resource types and condition keys:
    customer-gateway*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
    vpn-connection*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:AuthenticationType, ec2:DPDTimeoutSeconds, ec2:GatewayType, ec2:IKEVersions, ec2:InsideTunnelCidr, ec2:InsideTunnelIpv6Cidr, ec2:Phase1DHGroup, ec2:Phase1EncryptionAlgorithms, ec2:Phase1IntegrityAlgorithms, ec2:Phase1LifetimeSeconds, ec2:Phase2DHGroup, ec2:Phase2EncryptionAlgorithms, ec2:Phase2IntegrityAlgorithms, ec2:Phase2LifetimeSeconds, ec2:RekeyFuzzPercentage, ec2:RekeyMarginTimeSeconds, ec2:ReplayWindowSizePackets, ec2:RoutingType
    transit-gateway: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayId
    transit-gateway-attachment: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayAttachmentId
    vpn-gateway: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

CreateVpnConnectionRoute
  Description: Grants permission to create a static route for a VPN connection between a virtual private gateway and a customer gateway
  Access level: Write
  Resource types and condition keys:
    vpn-connection*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  Condition keys (no resource type): ec2:Region

CreateVpnGateway
  Description: Grants permission to create a virtual private gateway
  Access level: Write
  Resource types and condition keys:
    vpn-gateway*: aws:RequestTag/${TagKey}, aws:TagKeys
  Dependent actions: ec2:CreateTags
  Condition keys (no resource type): ec2:Region

DeleteCarrierGateway
  Description: Grants permission to delete a carrier gateway
  Access level: Write
  Resource types and condition keys:
    carrier-gateway*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  Condition keys (no resource type): ec2:Region

DeleteClientVpnEndpoint
  Description: Grants permission to delete a Client VPN endpoint
  Access level: Write
  Resource types and condition keys:
    client-vpn-endpoint*: aws:ResourceTag/${TagKey}, ec2:ClientRootCertificateChainArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn, ec2:DirectoryArn, ec2:ResourceTag/${TagKey}, ec2:SamlProviderArn, ec2:ServerCertificateArn
  Condition keys (no resource type): ec2:Region

DeleteClientVpnRoute
  Description: Grants permission to delete a route from a Client VPN endpoint
  Access level: Write
  Resource types and condition keys:
    client-vpn-endpoint*: aws:ResourceTag/${TagKey}, ec2:ClientRootCertificateChainArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn, ec2:DirectoryArn, ec2:ResourceTag/${TagKey}, ec2:SamlProviderArn, ec2:ServerCertificateArn
    subnet: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc
  Condition keys (no resource type): ec2:Region

DeleteCoipCidr
  Description: Grants permission to delete a range of customer-owned IP (CoIP) addresses
  Access level: Write
  Resource types and condition keys:
    coip-pool*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  Condition keys (no resource type): ec2:Region

DeleteCoipPool
  Description: Grants permission to delete a pool of customer-owned IP (CoIP) addresses
  Access level: Write
  Resource types and condition keys:
    coip-pool*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  Condition keys (no resource type): ec2:Region

DeleteCoipPoolPermission [permission only] Grants permission to deny a service access to a customer-owned IP (CoIP) pool Write

coip-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteCustomerGateway Grants permission to delete a customer gateway Write

customer-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteDhcpOptions Grants permission to delete a set of DHCP options Write

dhcp-options*

aws:ResourceTag/${TagKey}

ec2:DhcpOptionsID

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteEgressOnlyInternetGateway Grants permission to delete an egress-only internet gateway Write

egress-only-internet-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteFleets Grants permission to delete one or more EC2 Fleets Write

fleet*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteFlowLogs Grants permission to delete one or more flow logs Write

vpc-flow-log*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteFpgaImage Grants permission to delete an Amazon FPGA Image (AFI) Write

fpga-image*

aws:ResourceTag/${TagKey}

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteInstanceConnectEndpoint Grants permission to delete an EC2 Instance Connect Endpoint Write

instance-connect-endpoint*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Region

DeleteInstanceEventWindow Grants permission to delete the specified event window Write

instance-event-window*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteInternetGateway Grants permission to delete an internet gateway Write

internet-gateway*

aws:ResourceTag/${TagKey}

ec2:InternetGatewayID

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteIpam Grants permission to delete an Amazon VPC IP Address Manager (IPAM) and remove all monitored data associated with the IPAM, including the historical data for CIDRs Write

ipam*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteIpamExternalResourceVerificationToken Grants permission to delete a verification token, which proves ownership of an external resource Write

ipam-external-resource-verification-token*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteIpamPool Grants permission to delete an Amazon VPC IP Address Manager (IPAM) pool Write

ipam-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteIpamResourceDiscovery Grants permission to delete an IPAM resource discovery Write

ipam-resource-discovery*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteIpamScope Grants permission to delete the scope for an Amazon VPC IP Address Manager (IPAM) Write

ipam-scope*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteKeyPair Grants permission to delete a key pair by removing the public key from Amazon EC2 Write

key-pair

aws:ResourceTag/${TagKey}

ec2:KeyPairName

ec2:KeyPairType

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteLaunchTemplate Grants permission to delete a launch template and its associated versions Write

launch-template*

aws:ResourceTag/${TagKey}

ec2:ManagedResourceOperator

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteLaunchTemplateVersions Grants permission to delete one or more versions of a launch template Write

launch-template*

aws:ResourceTag/${TagKey}

ec2:ManagedResourceOperator

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteLocalGatewayRoute Grants permission to delete a route from a local gateway route table Write

local-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

prefix-list

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteLocalGatewayRouteTable Grants permission to delete a local gateway route table Write

local-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteLocalGatewayRouteTablePermission [permission only] Grants permission to deny a service access to a local gateway route table Write

local-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteLocalGatewayRouteTableVirtualInterfaceGroupAssociation Grants permission to delete a local gateway route table virtual interface group association Write

local-gateway-route-table-virtual-interface-group-association*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteLocalGatewayRouteTableVpcAssociation Grants permission to delete an association between a VPC and local gateway route table Write

local-gateway-route-table-vpc-association*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteManagedPrefixList Grants permission to delete a managed prefix list Write

prefix-list*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteNatGateway Grants permission to delete a NAT gateway Write

natgateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteNetworkAcl Grants permission to delete a network ACL Write

network-acl*

aws:ResourceTag/${TagKey}

ec2:NetworkAclID

ec2:ResourceTag/${TagKey}

ec2:Vpc

ec2:Region

DeleteNetworkAclEntry Grants permission to delete an inbound or outbound entry (rule) from a network ACL Write

network-acl*

aws:ResourceTag/${TagKey}

ec2:NetworkAclID

ec2:ResourceTag/${TagKey}

ec2:Vpc

ec2:Region

DeleteNetworkInsightsAccessScope Grants permission to delete a Network Access Scope Write

network-insights-access-scope*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteNetworkInsightsAccessScopeAnalysis Grants permission to delete a Network Access Scope analysis Write

network-insights-access-scope-analysis*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteNetworkInsightsAnalysis Grants permission to delete a network insights analysis Write

network-insights-analysis*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteNetworkInsightsPath Grants permission to delete a network insights path Write

network-insights-path*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteNetworkInterface Grants permission to delete a detached network interface Write

network-interface*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ManagedResourceOperator

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

DeleteNetworkInterfacePermission Grants permission to delete a permission that is associated with a network interface Permissions management

network-interface

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ManagedResourceOperator

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

DeletePlacementGroup Grants permission to delete a placement group Write

placement-group

aws:ResourceTag/${TagKey}

ec2:PlacementGroupName

ec2:PlacementGroupStrategy

ec2:ResourceTag/${TagKey}

ec2:Region

DeletePublicIpv4Pool Grants permission to delete a public IPv4 address pool for public IPv4 CIDRs that you own and brought to Amazon to manage with Amazon VPC IP Address Manager (IPAM) Write

ipv4pool-ec2*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteQueuedReservedInstances Grants permission to delete the queued purchases for the specified Reserved Instances Write

ec2:Region

DeleteResourcePolicy [permission only] Grants permission to remove an IAM policy that enables cross-account sharing from a resource Write

ipam-pool

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

placement-group

aws:ResourceTag/${TagKey}

ec2:PlacementGroupName

ec2:PlacementGroupStrategy

ec2:ResourceTag/${TagKey}

verified-access-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteRoute Grants permission to delete a route from a route table Write

route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

ec2:Vpc

ec2:Region

DeleteRouteTable Grants permission to delete a route table Write

route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

ec2:Vpc

ec2:Region

DeleteSecurityGroup Grants permission to delete a security group Write

security-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

ec2:Region

DeleteSnapshot Grants permission to delete a snapshot of an EBS volume Write

snapshot*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:OutpostArn

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotID

ec2:SnapshotTime

ec2:VolumeSize

ec2:Region

DeleteSpotDatafeedSubscription Grants permission to delete a data feed for Spot Instances Write

ec2:Region

DeleteSubnet Grants permission to delete a subnet Write

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

ec2:Region

DeleteSubnetCidrReservation Grants permission to delete a subnet CIDR reservation Write

ec2:Region

DeleteTags Grants permission to delete one or more tags from Amazon EC2 resources Tagging

capacity-reservation

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

capacity-reservation-fleet

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

carrier-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

client-vpn-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

coip-pool

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

customer-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

declarative-policies-report

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

dedicated-host

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

dhcp-options

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

egress-only-internet-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

elastic-gpu

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

elastic-ip

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

export-image-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

export-instance-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

fleet

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

fpga-image

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

host-reservation

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

image

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

import-image-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

import-snapshot-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

instance

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

instance-connect-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

instance-event-window

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

internet-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam-external-resource-verification-token

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam-pool

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam-resource-discovery

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam-resource-discovery-association

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam-scope

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipv4pool-ec2

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipv6pool-ec2

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

key-pair

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

launch-template

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-route-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-route-table-virtual-interface-group-association

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-route-table-vpc-association

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-virtual-interface

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-virtual-interface-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

natgateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-acl

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-insights-access-scope

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-insights-access-scope-analysis

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-insights-analysis

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-insights-path

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-interface

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

placement-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

prefix-list

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

replace-root-volume-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

reserved-instances

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

route-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

security-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

security-group-rule

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

snapshot

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

spot-fleet-request

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

spot-instances-request

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

subnet

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

subnet-cidr-reservation

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

traffic-mirror-filter

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

traffic-mirror-session

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

traffic-mirror-target

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-attachment

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-connect-peer

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-multicast-domain

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-policy-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-route-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-route-table-announcement

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

verified-access-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

verified-access-endpoint-target

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

verified-access-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

verified-access-instance

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

verified-access-policy

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

verified-access-trust-provider

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

volume

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-endpoint-connection

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-endpoint-service

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-endpoint-service-permission

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-flow-log

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-peering-connection

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpn-connection

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpn-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

aws:TagKeys

ec2:Region

DeleteTrafficMirrorFilter Grants permission to delete a traffic mirror filter Write

traffic-mirror-filter*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteTrafficMirrorFilterRule Grants permission to delete a traffic mirror filter rule Write

traffic-mirror-filter*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

traffic-mirror-filter-rule*

aws:ResourceTag/${TagKey}

ec2:Region

DeleteTrafficMirrorSession Grants permission to delete a traffic mirror session Write

traffic-mirror-session*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteTrafficMirrorTarget Grants permission to delete a traffic mirror target Write

traffic-mirror-target*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteTransitGateway Grants permission to delete a transit gateway Write

transit-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayId

ec2:Region

DeleteTransitGatewayConnect Grants permission to delete a transit gateway connect attachment Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

ec2:Region

DeleteTransitGatewayConnectPeer Grants permission to delete a transit gateway connect peer Write

transit-gateway-connect-peer*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayConnectPeerId

ec2:Region

DeleteTransitGatewayMulticastDomain Grants permission to delete a transit gateway multicast domain Write

transit-gateway-multicast-domain*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayMulticastDomainId

ec2:Region

DeleteTransitGatewayPeeringAttachment Grants permission to delete a peering attachment from a transit gateway Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

ec2:Region

DeleteTransitGatewayPolicyTable Grants permission to delete a transit gateway policy table Write

transit-gateway-policy-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayPolicyTableId

ec2:Region

DeleteTransitGatewayPrefixListReference Grants permission to delete a transit gateway prefix list reference Write

prefix-list*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableId

ec2:Region

DeleteTransitGatewayRoute Grants permission to delete a route from a transit gateway route table Write

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableId

ec2:Region

DeleteTransitGatewayRouteTable Grants permission to delete a transit gateway route table Write

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableId

ec2:Region

DeleteTransitGatewayRouteTableAnnouncement Grants permission to delete a transit gateway route table announcement Write

transit-gateway-route-table-announcement*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableAnnouncementId

ec2:Region

DeleteTransitGatewayVpcAttachment Grants permission to delete a VPC attachment from a transit gateway Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

ec2:Region

DeleteVerifiedAccessEndpoint Grants permission to delete a Verified Access endpoint Write

verified-access-endpoint*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteVerifiedAccessGroup Grants permission to delete a Verified Access group Write

verified-access-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteVerifiedAccessInstance Grants permission to delete a Verified Access instance Write

verified-access-instance*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteVerifiedAccessTrustProvider Grants permission to delete a Verified Access trust provider Write

verified-access-trust-provider*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteVolume Grants permission to delete an EBS volume Write

volume*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ManagedResourceOperator

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:Region

DeleteVpc Grants permission to delete a VPC Write

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

DeleteVpcBlockPublicAccessExclusion Grants permission to delete an exclusion list for blocked public access on a VPC Write

vpc-block-public-access-exclusion*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteVpcEndpointConnectionNotifications Grants permission to delete one or more VPC endpoint connection notifications Write

vpc-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-endpoint-service

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:vpceMultiRegion

ec2:vpceSupportedRegion

ec2:Region

DeleteVpcEndpointServiceConfigurations Grants permission to delete one or more VPC endpoint service configurations Write

vpc-endpoint-service*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:vpceMultiRegion

ec2:vpceSupportedRegion

ec2:Region

DeleteVpcEndpoints Grants permission to delete one or more VPC endpoints Write

vpc-endpoint*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:VpceServiceName

ec2:Region

DeleteVpcPeeringConnection Grants permission to delete a VPC peering connection Write

vpc-peering-connection*

aws:ResourceTag/${TagKey}

ec2:AccepterVpc

ec2:RequesterVpc

ec2:ResourceTag/${TagKey}

ec2:VpcPeeringConnectionID

ec2:Region

DeleteVpnConnection Grants permission to delete a VPN connection Write

vpn-connection*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteVpnConnectionRoute Grants permission to delete a static route for a VPN connection between a virtual private gateway and a customer gateway Write

vpn-connection*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteVpnGateway Grants permission to delete a virtual private gateway Write

vpn-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeprovisionByoipCidr Grants permission to release an IP address range that was provisioned through bring your own IP addresses (BYOIP), and to delete the corresponding address pool Write

ec2:Region

DeprovisionIpamByoasn Grants permission to deprovision an Autonomous System Number (ASN) from an Amazon Web Services account Write

ipam*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeprovisionIpamPoolCidr Grants permission to deprovision a CIDR provisioned from an Amazon VPC IP Address Manager (IPAM) pool Write

ipam-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeprovisionPublicIpv4PoolCidr Grants permission to deprovision a CIDR from a public IPv4 pool Write

ipv4pool-ec2*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeregisterImage Grants permission to deregister an Amazon Machine Image (AMI) Write

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

DeregisterInstanceEventNotificationAttributes Grants permission to remove tags from the set of tags to include in notifications about scheduled events for your instances Write

ec2:Region

DeregisterTransitGatewayMulticastGroupMembers Grants permission to deregister one or more network interface members from a group IP address in a transit gateway multicast domain Write

network-interface

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ManagedResourceOperator

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

transit-gateway-multicast-domain

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayMulticastDomainId

ec2:Region

DeregisterTransitGatewayMulticastGroupSources Grants permission to deregister one or more network interface sources from a group IP address in a transit gateway multicast domain Write

network-interface

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ManagedResourceOperator

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

transit-gateway-multicast-domain

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayMulticastDomainId

ec2:Region

DescribeAccountAttributes Grants permission to describe the attributes of the AWS account List

ec2:Region

DescribeAddressTransfers Grants permission to describe an Elastic IP address transfer List

ec2:Region

DescribeAddresses Grants permission to describe one or more Elastic IP addresses List

ec2:Region

DescribeAddressesAttribute Grants permission to describe the attributes of the specified Elastic IP addresses List

ec2:Region

DescribeAggregateIdFormat Grants permission to describe the longer ID format settings for all resource types List

ec2:Region

DescribeAvailabilityZones Grants permission to describe one or more of the Availability Zones that are available to you List

ec2:Region

DescribeAwsNetworkPerformanceMetricSubscriptions Grants permission to describe the current infrastructure performance metric subscriptions List

ec2:Region

DescribeBundleTasks Grants permission to describe one or more bundling tasks List

ec2:Region

DescribeByoipCidrs Grants permission to describe the IP address ranges that were provisioned through bring your own IP addresses (BYOIP) List

ec2:Region

DescribeCapacityBlockExtensionHistory Grants permission to describe Capacity Block extension history List

capacity-reservation

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CapacityReservationFleet

ec2:CreateDate

ec2:DestinationCapacityReservationId

ec2:EbsOptimized

ec2:EndDate

ec2:EndDateType

ec2:InstanceCount

ec2:InstanceMatchCriteria

ec2:InstancePlatform

ec2:InstanceType

ec2:OutpostArn

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:SourceCapacityReservationId

ec2:Tenancy

ec2:Region

DescribeCapacityBlockExtensionOfferings Grants permission to describe Capacity Block extension offerings List

capacity-reservation*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CapacityReservationFleet

ec2:CreateDate

ec2:DestinationCapacityReservationId

ec2:EbsOptimized

ec2:EndDate

ec2:EndDateType

ec2:InstanceCount

ec2:InstanceMatchCriteria

ec2:InstancePlatform

ec2:InstanceType

ec2:OutpostArn

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:SourceCapacityReservationId

ec2:Tenancy

ec2:Region

DescribeCapacityBlockOfferings Grants permission to describe Capacity Block offerings available for purchase List

ec2:Region

DescribeCapacityReservationBillingRequests Grants permission to describe one or more requests to assign the billing of the unused capacity of a Capacity Reservation List

ec2:Region

DescribeCapacityReservationFleets Grants permission to describe one or more Capacity Reservation Fleets List

ec2:Region

DescribeCapacityReservations Grants permission to describe one or more Capacity Reservations List

ec2:Region

DescribeCarrierGateways Grants permission to describe one or more Carrier Gateways List

ec2:Region

DescribeClassicLinkInstances Grants permission to describe one or more linked EC2-Classic instances List

ec2:Region

DescribeClientVpnAuthorizationRules Grants permission to describe the authorization rules for a Client VPN endpoint List

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DescribeClientVpnConnections Grants permission to describe active client connections and connections that have been terminated within the last 60 minutes for a Client VPN endpoint List

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

DescribeClientVpnEndpoints Grants permission to describe one or more Client VPN endpoints List

client-vpn-endpoint

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

DescribeClientVpnRoutes Grants permission to describe the routes for a Client VPN endpoint List

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

DescribeClientVpnTargetNetworks Grants permission to describe the target networks that are associated with a Client VPN endpoint List

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

DescribeCoipPools Grants permission to describe the specified customer-owned address pools or all of your customer-owned address pools List

ec2:Region

DescribeConversionTasks Grants permission to describe one or more conversion tasks List

ec2:Region

DescribeCustomerGateways Grants permission to describe one or more customer gateways List

ec2:Region

DescribeDeclarativePoliciesReports Grants permission to describe one or more declarative policies reports List

ec2:Region

DescribeDhcpOptions Grants permission to describe one or more DHCP options sets List

ec2:Region

DescribeEgressOnlyInternetGateways Grants permission to describe one or more egress-only internet gateways List

ec2:Region

DescribeElasticGpus Grants permission to describe an Elastic Graphics accelerator that is associated with an instance List

ec2:Region

DescribeExportImageTasks Grants permission to describe one or more export image tasks List

ec2:Region

DescribeExportTasks Grants permission to describe one or more export instance tasks List

ec2:Region

DescribeFastLaunchImages Grants permission to describe fast-launch enabled Windows AMIs List

ec2:Region

DescribeFastSnapshotRestores Grants permission to describe the state of fast snapshot restores for snapshots List

ec2:Region

DescribeFleetHistory Grants permission to describe the events for an EC2 Fleet during a specified time List

fleet*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DescribeFleetInstances Grants permission to describe the running instances for an EC2 Fleet List

fleet*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DescribeFleets Grants permission to describe one or more EC2 Fleets List

ec2:Region

DescribeFlowLogs Grants permission to describe one or more flow logs List

ec2:Region

DescribeFpgaImageAttribute Grants permission to describe the attributes of an Amazon FPGA Image (AFI) List

fpga-image*

aws:ResourceTag/${TagKey}

ec2:Owner

ec2:ResourceTag/${TagKey}

ec2:Region

DescribeFpgaImages Grants permission to describe one or more Amazon FPGA Images (AFIs) List

ec2:Region

DescribeHostReservationOfferings Grants permission to describe the Dedicated Host Reservations that are available to purchase List

ec2:Region

DescribeHostReservations Grants permission to describe the Dedicated Host Reservations that are associated with Dedicated Hosts in the AWS account List

ec2:Region

DescribeHosts Grants permission to describe one or more Dedicated Hosts List

ec2:Region

DescribeIamInstanceProfileAssociations Grants permission to describe the IAM instance profile associations List

ec2:Region

DescribeIdFormat Grants permission to describe the ID format settings for resources List

ec2:Region

DescribeIdentityIdFormat Grants permission to describe the ID format settings for resources for an IAM user, IAM role, or root user List

ec2:Region

DescribeImageAttribute Grants permission to describe an attribute of an Amazon Machine Image (AMI) List

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

DescribeImages Grants permission to describe one or more images (AMIs, AKIs, and ARIs) List

ec2:Region

DescribeImportImageTasks Grants permission to describe import virtual machine or import snapshot tasks List

ec2:Region

DescribeImportSnapshotTasks Grants permission to describe import snapshot tasks List

ec2:Region

DescribeInstanceAttribute Grants permission to describe the attributes of an instance List

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

DescribeInstanceConnectEndpoints Grants permission to describe EC2 Instance Connect Endpoints List

ec2:Region

DescribeInstanceCreditSpecifications Grants permission to describe the credit option for CPU usage of one or more burstable performance instances List

ec2:Region

DescribeInstanceEventNotificationAttributes Grants permission to describe the set of tags to include in notifications about scheduled events for your instances List

ec2:Region

DescribeInstanceEventWindows Grants permission to describe the specified event windows or all event windows List

ec2:Region

DescribeInstanceImageMetadata Grants permission to describe the AMI that was used to launch an instance List

ec2:Region

DescribeInstanceStatus Grants permission to describe the status of one or more instances List

ec2:Region

DescribeInstanceTopology Grants permission to describe a tree-based hierarchy that represents the physical host placement of EC2 instances List

ec2:Region

DescribeInstanceTypeOfferings Grants permission to describe the set of instance types that are offered in a location List

ec2:Region

DescribeInstanceTypes Grants permission to describe the details of instance types that are offered in a location List

ec2:Region

DescribeInstances Grants permission to describe one or more instances List

ec2:Region

DescribeInternetGateways Grants permission to describe one or more internet gateways List

ec2:Region

DescribeIpamByoasn Grants permission to describe the Autonomous System Numbers (ASNs) that you've brought to IPAM (BYOASN) List

ec2:Region

DescribeIpamExternalResourceVerificationTokens Grants permission to describe verification tokens, which prove ownership of an external resource List

ec2:Region

DescribeIpamPools Grants permission to describe Amazon VPC IP Address Manager (IPAM) pools List

ec2:Region

DescribeIpamResourceDiscoveries Grants permission to describe IPAM resource discoveries List

ec2:Region

DescribeIpamResourceDiscoveryAssociations Grants permission to describe resource discovery associations with an Amazon VPC IPAM List

ec2:Region

DescribeIpamScopes Grants permission to describe Amazon VPC IP Address Manager (IPAM) scopes List

ec2:Region

DescribeIpams Grants permission to describe an Amazon VPC IP Address Manager (IPAM) List

ec2:Region

DescribeIpv6Pools Grants permission to describe one or more IPv6 address pools List

ec2:Region

DescribeKeyPairs Grants permission to describe one or more key pairs List

ec2:Region

DescribeLaunchTemplateVersions Grants permission to describe one or more launch template versions List

ec2:Region

ssm:GetParameters

DescribeLaunchTemplates Grants permission to describe one or more launch templates List

ec2:Region

DescribeLocalGatewayRouteTablePermissions [permission only] Grants permission to allow a service to describe local gateway route table permissions List

ec2:Region

DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations Grants permission to describe the associations between virtual interface groups and local gateway route tables List

ec2:Region

DescribeLocalGatewayRouteTableVpcAssociations Grants permission to describe an association between VPCs and local gateway route tables List

ec2:Region

DescribeLocalGatewayRouteTables Grants permission to describe one or more local gateway route tables List

ec2:Region

DescribeLocalGatewayVirtualInterfaceGroups Grants permission to describe local gateway virtual interface groups List

ec2:Region

DescribeLocalGatewayVirtualInterfaces Grants permission to describe local gateway virtual interfaces List

ec2:Region

DescribeLocalGateways Grants permission to describe one or more local gateways List

ec2:Region

DescribeLockedSnapshots Grants permission to describe the lock status for a snapshot List

ec2:Region

DescribeMacHosts Grants permission to describe your EC2 Mac Dedicated Hosts List

ec2:Region

DescribeManagedPrefixLists Grants permission to describe your managed prefix lists and any AWS-managed prefix lists List

ec2:Region

DescribeMovingAddresses Grants permission to describe Elastic IP addresses that are being moved to the EC2-VPC platform List

ec2:Region

DescribeNatGateways Grants permission to describe one or more NAT gateways List

ec2:Region

DescribeNetworkAcls Grants permission to describe one or more network ACLs List

ec2:Region

DescribeNetworkInsightsAccessScopeAnalyses Grants permission to describe one or more Network Access Scope analyses List

ec2:Region

DescribeNetworkInsightsAccessScopes Grants permission to describe the Network Access Scopes List

ec2:Region

DescribeNetworkInsightsAnalyses Grants permission to describe one or more network insights analyses List

ec2:Region

DescribeNetworkInsightsPaths Grants permission to describe one or more network insights paths List

ec2:Region

DescribeNetworkInterfaceAttribute Grants permission to describe a network interface attribute List

ec2:Region

DescribeNetworkInterfacePermissions Grants permission to describe the permissions that are associated with a network interface List

ec2:Region

DescribeNetworkInterfaces Grants permission to describe one or more network interfaces List

ec2:Region

DescribePlacementGroups Grants permission to describe one or more placement groups List

ec2:Region

DescribePrefixLists Grants permission to describe available AWS services in a prefix list format List

ec2:Region

DescribePrincipalIdFormat Grants permission to describe the ID format settings for the root user and all IAM roles and IAM users that have explicitly specified a longer ID (17-character ID) preference List

ec2:Region

DescribePublicIpv4Pools Grants permission to describe one or more IPv4 address pools List

ec2:Region

DescribeRegions Grants permission to describe one or more AWS Regions that are currently available in your account List

ec2:Region

DescribeReplaceRootVolumeTasks Grants permission to describe a root volume replacement task List

ec2:Region

DescribeReservedInstances Grants permission to describe one or more purchased Reserved Instances in your account List

ec2:Region

DescribeReservedInstancesListings Grants permission to describe your account's Reserved Instance listings in the Reserved Instance Marketplace List

ec2:Region

DescribeReservedInstancesModifications Grants permission to describe the modifications made to one or more Reserved Instances List

ec2:Region

DescribeReservedInstancesOfferings Grants permission to describe the Reserved Instance offerings that are available for purchase List

ec2:Region

DescribeRouteTables Grants permission to describe one or more route tables List

ec2:Region

DescribeScheduledInstanceAvailability Grants permission to find available schedules for Scheduled Instances List

ec2:Region

DescribeScheduledInstances Grants permission to describe one or more Scheduled Instances in your account List

ec2:Region

DescribeSecurityGroupReferences Grants permission to describe the VPCs on the other side of a VPC peering connection that are referencing specified VPC security groups List

security-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

ec2:Region

DescribeSecurityGroupRules Grants permission to describe one or more of your security group rules List

ec2:Region

DescribeSecurityGroupVpcAssociations Grants permission to describe security group VPC associations List

ec2:Region

DescribeSecurityGroups Grants permission to describe one or more security groups List

ec2:Region

DescribeSnapshotAttribute Grants permission to describe an attribute of a snapshot List

snapshot*

aws:ResourceTag/${TagKey}

ec2:Encrypted

ec2:OutpostArn

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotID

ec2:SnapshotTime

ec2:SourceOutpostArn

ec2:VolumeSize

ec2:Region

DescribeSnapshotTierStatus Grants permission to describe the storage tier status for Amazon EBS snapshots List

ec2:Region

DescribeSnapshots Grants permission to describe one or more EBS snapshots List

ec2:Region

DescribeSpotDatafeedSubscription Grants permission to describe the data feed for Spot Instances List

ec2:Region

DescribeSpotFleetInstances Grants permission to describe the running instances for a Spot Fleet List

spot-fleet-request*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DescribeSpotFleetRequestHistory Grants permission to describe the events for a Spot Fleet request during a specified time List

spot-fleet-request*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DescribeSpotFleetRequests Grants permission to describe one or more Spot Fleet requests List

ec2:Region

DescribeSpotInstanceRequests Grants permission to describe one or more Spot Instance requests List

ec2:Region

DescribeSpotPriceHistory Grants permission to describe the Spot Instance price history List

ec2:Region

DescribeStaleSecurityGroups Grants permission to describe the stale security group rules for security groups in a specified VPC List

ec2:Region

DescribeStoreImageTasks Grants permission to describe the progress of the AMI store tasks List

ec2:Region

DescribeSubnets Grants permission to describe one or more subnets List

ec2:Region

DescribeTags Grants permission to describe one or more tags for an Amazon EC2 resource List

ec2:Region

DescribeTrafficMirrorFilterRules Grants permission to describe traffic mirror filters that determine the traffic that is mirrored List

ec2:Region

DescribeTrafficMirrorFilters Grants permission to describe one or more traffic mirror filters List

ec2:Region

DescribeTrafficMirrorSessions Grants permission to describe one or more traffic mirror sessions List

ec2:Region

DescribeTrafficMirrorTargets Grants permission to describe one or more traffic mirror targets List

ec2:Region

DescribeTransitGatewayAttachments Grants permission to describe one or more attachments between resources and transit gateways List

ec2:Region

DescribeTransitGatewayConnectPeers Grants permission to describe one or more transit gateway connect peers List

ec2:Region

DescribeTransitGatewayConnects Grants permission to describe one or more transit gateway connect attachments List

ec2:Region

DescribeTransitGatewayMulticastDomains Grants permission to describe one or more transit gateway multicast domains List

ec2:Region

DescribeTransitGatewayPeeringAttachments Grants permission to describe one or more transit gateway peering attachments List

ec2:Region

DescribeTransitGatewayPolicyTables Grants permission to describe a transit gateway policy table List

ec2:Region

DescribeTransitGatewayRouteTableAnnouncements Grants permission to describe a transit gateway route table announcement List

ec2:Region

DescribeTransitGatewayRouteTables Grants permission to describe one or more transit gateway route tables List

ec2:Region

DescribeTransitGatewayVpcAttachments Grants permission to describe one or more VPC attachments on a transit gateway List

ec2:Region

DescribeTransitGateways Grants permission to describe one or more transit gateways List

ec2:Region

DescribeTrunkInterfaceAssociations Grants permission to describe one or more network interface trunk associations List

ec2:Region

DescribeVerifiedAccessEndpoints Grants permission to describe the specified Verified Access endpoints or all Verified Access endpoints List

ec2:Region

DescribeVerifiedAccessGroups Grants permission to describe the specified Verified Access groups or all Verified Access groups List

ec2:Region

DescribeVerifiedAccessInstanceLoggingConfigurations Grants permission to describe the current logging configuration for the Verified Access instances List

ec2:Region

DescribeVerifiedAccessInstanceWebAclAssociations [permission only] Grants permission to describe the AWS Web Application Firewall (WAF) web access control list (ACL) associations for a Verified Access instance List

ec2:Region

DescribeVerifiedAccessInstances Grants permission to describe the specified Verified Access instances or all Verified Access instances List

ec2:Region

DescribeVerifiedAccessTrustProviders Grants permission to describe details of existing Verified Access trust providers List

ec2:Region

DescribeVolumeAttribute Grants permission to describe an attribute of an EBS volume List

volume*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ManagedResourceOperator

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:Region

DescribeVolumeStatus Grants permission to describe the status of one or more EBS volumes List

ec2:Region

DescribeVolumes Grants permission to describe one or more EBS volumes List

ec2:Region

DescribeVolumesModifications Grants permission to describe the current modification status of one or more EBS volumes List

ec2:Region

DescribeVpcAttribute Grants permission to describe an attribute of a VPC List

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

DescribeVpcBlockPublicAccessExclusions Grants permission to describe an exclusion list for blocked public access on a VPC List

vpc-block-public-access-exclusion

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DescribeVpcBlockPublicAccessOptions Grants permission to describe options for blocked public access on a VPC List

ec2:Region

Grants permission to describe the ClassicLink status of one or more VPCs List

ec2:Region

DescribeVpcClassicLinkDnsSupport Grants permission to describe the ClassicLink DNS support status of one or more VPCs List

ec2:Region

DescribeVpcEndpointAssociations Grants permission to describe the VPC endpoint associations List

vpc-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:VpceServiceName

ec2:VpceServiceOwner

ec2:Region

DescribeVpcEndpointConnectionNotifications Grants permission to describe the connection notifications for VPC endpoints and VPC endpoint services List

ec2:Region

DescribeVpcEndpointConnections Grants permission to describe the VPC endpoint connections to your VPC endpoint services List

ec2:Region

DescribeVpcEndpointServiceConfigurations Grants permission to describe VPC endpoint service configurations (your services) List

ec2:Region

DescribeVpcEndpointServicePermissions Grants permission to describe the principals (service consumers) that are permitted to discover your VPC endpoint service List

vpc-endpoint-service*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:vpceMultiRegion

ec2:vpceSupportedRegion

ec2:Region

DescribeVpcEndpointServices Grants permission to describe all supported AWS services that can be specified when creating a VPC endpoint List

ec2:Region

DescribeVpcEndpoints Grants permission to describe one or more VPC endpoints List

ec2:Region

DescribeVpcPeeringConnections Grants permission to describe one or more VPC peering connections List

ec2:Region

DescribeVpcs Grants permission to describe one or more VPCs List

ec2:Region

DescribeVpnConnections Grants permission to describe one or more VPN connections List

ec2:Region

DescribeVpnGateways Grants permission to describe one or more virtual private gateways List

ec2:Region

DetachClassicLinkVpc Grants permission to unlink (detach) a linked EC2-Classic instance from a VPC Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

DetachInternetGateway Grants permission to detach an internet gateway from a VPC Write

internet-gateway*

aws:ResourceTag/${TagKey}

ec2:InternetGatewayID

ec2:ResourceTag/${TagKey}

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

DetachNetworkInterface Grants permission to detach a network interface from an instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

network-interface*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ManagedResourceOperator

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

DetachVerifiedAccessTrustProvider Grants permission to detach a trust provider from a Verified Access instance Write

verified-access-instance*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

verified-access-trust-provider*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DetachVolume Grants permission to detach an EBS volume from an instance Write

volume*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ManagedResourceOperator

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

instance

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

DetachVpnGateway Grants permission to detach a virtual private gateway from a VPC Write

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

vpn-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DisableAddressTransfer Grants permission to disable Elastic IP address transfer Write

elastic-ip*

aws:ResourceTag/${TagKey}

ec2:AllocationId

ec2:Domain

ec2:PublicIpAddress

ec2:ResourceTag/${TagKey}

ec2:Region

DisableAllowedImagesSettings Grants permission to disable allowed images settings Write

ec2:Region

DisableAwsNetworkPerformanceMetricSubscription Grants permission to disable infrastructure performance metric subscriptions Write

ec2:Region

DisableEbsEncryptionByDefault Grants permission to disable EBS encryption by default for your account Write

ec2:Region

DisableFastLaunch Grants permission to disable faster launching for Windows AMIs Write

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

DisableFastSnapshotRestores Grants permission to disable fast snapshot restores for one or more snapshots in specified Availability Zones Write

snapshot*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotID

ec2:SnapshotTime

ec2:VolumeSize

ec2:Region

DisableImage Grants permission to disable an AMI Write

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

DisableImageBlockPublicAccess Grants permission to disable block public access for AMIs at the account level in the specified AWS Region Write

ec2:Region

DisableImageDeprecation Grants permission to cancel the deprecation of the specified AMI Write

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

DisableImageDeregistrationProtection Grants permission to disable deregistration protection for an AMI. When deregistration protection is disabled, the AMI can be deregistered Write

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

DisableIpamOrganizationAdminAccount Grants permission to disable an AWS Organizations member account as an Amazon VPC IP Address Manager (IPAM) admin account Write

ec2:Region

organizations:DeregisterDelegatedAdministrator

DisableSerialConsoleAccess Grants permission to disable access to the EC2 serial console of all instances for your account Write

ec2:Region

DisableSnapshotBlockPublicAccess Grants permission to disable the block public access for snapshots setting for a Region Write

ec2:Region

DisableTransitGatewayRouteTablePropagation Grants permission to disable a resource attachment from propagating routes to the specified propagation route table Write

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableId

transit-gateway-attachment

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

transit-gateway-route-table-announcement

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableAnnouncementId

ec2:Region

DisableVgwRoutePropagation Grants permission to disable a virtual private gateway from propagating routes to a specified route table of a VPC Write

route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

ec2:Vpc

vpn-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

Grants permission to disable ClassicLink for a VPC Write

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

DisableVpcClassicLinkDnsSupport Grants permission to disable ClassicLink DNS support for a VPC Write

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

DisassociateAddress Grants permission to disassociate an Elastic IP address from an instance or network interface Write

elastic-ip

aws:ResourceTag/${TagKey}

ec2:AllocationId

ec2:Domain

ec2:PublicIpAddress

ec2:ResourceTag/${TagKey}

network-interface

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ManagedResourceOperator

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

DisassociateCapacityReservationBillingOwner Grants permission to cancel a pending request to assign billing of the unused capacity of a Capacity Reservation to a consumer account Write

capacity-reservation*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CapacityReservationFleet

ec2:CreateDate

ec2:DestinationCapacityReservationId

ec2:EbsOptimized

ec2:EndDate

ec2:EndDateType

ec2:InstanceCount

ec2:InstanceMatchCriteria

ec2:InstancePlatform

ec2:InstanceType

ec2:OutpostArn

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:SourceCapacityReservationId

ec2:Tenancy

ec2:Region

DisassociateClientVpnTargetNetwork Grants permission to disassociate a target network from a Client VPN endpoint Write

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

DisassociateEnclaveCertificateIamRole Grants permission to disassociate an ACM certificate from an IAM role Write

certificate*

role*

ec2:Region

DisassociateIamInstanceProfile Grants permission to disassociate an IAM instance profile from a running or stopped instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

DisassociateInstanceEventWindow Grants permission to disassociate one or more targets from an event window Write

instance-event-window*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DisassociateIpamByoasn Grants permission to disassociate an Autonomous System Number (ASN) from a BYOIP CIDR Write

ec2:Region

DisassociateIpamResourceDiscovery Grants permission to disassociate a resource discovery from an Amazon VPC IPAM Write

ipam-resource-discovery-association*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DisassociateNatGatewayAddress Grants permission to disassociate a secondary Elastic IP address from a public NAT gateway Write

elastic-ip*

aws:ResourceTag/${TagKey}

ec2:AllocationId

ec2:Domain

ec2:PublicIpAddress

ec2:ResourceTag/${TagKey}

natgateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-interface*

aws:ResourceTag/${TagKey}

ec2:AuthorizedUser

ec2:AvailabilityZone

ec2:ManagedResourceOperator

ec2:NetworkInterfaceID

ec2:Permission

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

DisassociateRouteTable Grants permission to disassociate a subnet from a route table Write

internet-gateway

aws:ResourceTag/${TagKey}

ec2:InternetGatewayID

ec2:ResourceTag/${TagKey}

ipv4pool-ec2

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipv6pool-ec2

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

route-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

ec2:Vpc

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

vpn-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DisassociateSecurityGroupVpc Grants permission to disassociate a security group from a VPC Write

security-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

vpc

aws:ResourceTag/${TagKey}

ec2:Ipv4IpamPoolId

ec2:Ipv6IpamPoolId

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

DisassociateSubnetCidrBlock Grants permission to disassociate a CIDR block from a subnet Write

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

ec2:Region

DisassociateTransitGatewayMulticastDomain Grants permission to disassociate one or more subnets from a transit gateway multicast domain Write

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

transit-gateway-multicast-domain*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayMulticastDomainId

ec2:Region

DisassociateTransitGatewayPolicyTable Grants permission to disassociate a policy table from a transit gateway Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

transit-gateway-policy-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayPolicyTableId

ec2:Region

DisassociateTransitGatewayRouteTable Grants permission to disassociate a resource attachment from a transit gateway route table Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableId

ec2:Region

DisassociateTrunkInterface Grants permission to disassociate a branch network interface from a trunk network interface Write

ec2:Region

DisassociateVerifiedAccessInstanceWebAcl [permission only] Grants permission to disassociate an AWS Web Application Firewall (WAF) web access control list (ACL) from a Verified Access instance Write

verified-access-instance*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DisassociateVpcCidrBlock Grants permission to disassociate a CIDR block from a VPC Write

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

EnableAddressTransfer Grants permission to enable Elastic IP address transfer Write

elastic-ip*

aws:ResourceTag/${TagKey}

ec2:AllocationId

ec2:Domain

ec2:PublicIpAddress

ec2:ResourceTag/${TagKey}

ec2:Region

EnableAllowedImagesSettings Grants permission to enable allowed images settings Write

ec2:Region

EnableAwsNetworkPerformanceMetricSubscription Grants permission to enable infrastructure performance metric subscriptions Write

ec2:Region

EnableEbsEncryptionByDefault Grants permission to enable EBS encryption by default for your account Write

ec2:Region

EnableFastLaunch Grants permission to enable faster launching for Windows AMIs Write

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:CreateLaunchTemplate

ec2:CreateSnapshot

ec2:CreateTags

ec2:DeleteSnapshot

ec2:DescribeImages

ec2:DescribeInstanceAttribute

ec2:DescribeInstanceStatus

ec2:DescribeInstanceTypeOfferings

ec2:DescribeInstances

ec2:DescribeLaunchTemplateVersions

ec2:DescribeLaunchTemplates

ec2:DescribeSnapshots

ec2:DescribeSubnets

ec2:RunInstances

ec2:StopInstances

ec2:TerminateInstances

iam:PassRole

launch-template

aws:ResourceTag/${TagKey}

ec2:ManagedResourceOperator

ec2:ResourceTag/${TagKey}

ec2:Region

EnableFastSnapshotRestores Grants permission to enable fast snapshot restores for one or more snapshots in specified Availability Zones Write

snapshot*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotID

ec2:SnapshotTime

ec2:VolumeSize

ec2:Region

EnableImage Grants permission to re-enable a disabled AMI Write

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

EnableImageBlockPublicAccess Grants permission to enable block public access for AMIs at the account level in the specified AWS Region Write

ec2:Region

EnableImageDeprecation Grants permission to enable deprecation of the specified AMI at the specified date and time Write

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

EnableImageDeregistrationProtection Grants permission to enable deregistration protection for an AMI. When deregistration protection is enabled, the AMI can't be deregistered Write

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

EnableIpamOrganizationAdminAccount Grants permission to enable an AWS Organizations member account as an Amazon VPC IP Address Manager (IPAM) admin account Write

ec2:Region

iam:CreateServiceLinkedRole

organizations:EnableAWSServiceAccess

organizations:RegisterDelegatedAdministrator

EnableReachabilityAnalyzerOrganizationSharing Grants permission to enable organization sharing of reachability analyzer Write

ec2:Region

iam:CreateServiceLinkedRole

organizations:EnableAWSServiceAccess

EnableSerialConsoleAccess Grants permission to enable access to the EC2 serial console of all instances for your account Write

ec2:Region

EnableSnapshotBlockPublicAccess Grants permission to enable or modify the block public access for snapshots setting for a Region Write

ec2:Region

EnableTransitGatewayRouteTablePropagation Grants permission to enable an attachment to propagate routes to a propagation route table Write

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableId

transit-gateway-attachment

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

transit-gateway-route-table-announcement

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableAnnouncementId

ec2:Region

EnableVgwRoutePropagation Grants permission to enable a virtual private gateway to propagate routes to a VPC route table Write

route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

ec2:Vpc

vpn-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

EnableVolumeIO Grants permission to enable I/O operations for a volume that had I/O operations disabled Write

volume*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ManagedResourceOperator

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:Region

Grants permission to enable a VPC for ClassicLink Write

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

EnableVpcClassicLinkDnsSupport Grants permission to enable a VPC to support DNS hostname resolution for ClassicLink Write

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

ExportClientVpnClientCertificateRevocationList Grants permission to download the client certificate revocation list for a Client VPN endpoint Read

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

ExportClientVpnClientConfiguration Grants permission to download the contents of the Client VPN endpoint configuration file for a Client VPN endpoint Read

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

ExportImage Grants permission to export an Amazon Machine Image (AMI) to a VM file Write

export-image-task*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

ExportTransitGatewayRoutes Grants permission to export routes from a transit gateway route table to an Amazon S3 bucket Write

ec2:Region

ExportVerifiedAccessInstanceClientConfiguration Grants permission to export a Verified Access instance client configuration Read

verified-access-instance*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetAllowedImagesSettings Grants permission to get the allowed settings for images Read

ec2:Region

GetAssociatedEnclaveCertificateIamRoles Grants permission to get the list of roles associated with an ACM certificate Read

certificate*

ec2:Region

GetAssociatedIpv6PoolCidrs Grants permission to get information about the IPv6 CIDR block associations for a specified IPv6 address pool Read

ec2:Region

GetAwsNetworkPerformanceData Grants permission to get network performance data Read

ec2:Region

GetCapacityReservationUsage Grants permission to get usage information about a Capacity Reservation Read

capacity-reservation*

aws:ResourceTag/${TagKey}

ec2:CapacityReservationFleet

ec2:Region

GetCoipPoolUsage Grants permission to describe the allocations from the specified customer-owned address pool Read

coip-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetConsoleOutput Grants permission to get the console output for an instance Read

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

GetConsoleScreenshot Grants permission to retrieve a JPG-format screenshot of a running instance Read

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:NewInstanceProfile

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

GetDeclarativePoliciesReportSummary Grants permission to get the report summary of declarative policies Read

declarative-policies-report*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetDefaultCreditSpecification Grants permission to get the default credit option for CPU usage of a burstable performance instance family Read

ec2:Region

GetEbsDefaultKmsKeyId Grants permission to get the ID of the default customer master key (CMK) for EBS encryption by default Read

ec2:Region

GetEbsEncryptionByDefault Grants permission to describe whether EBS encryption by default is enabled for your account Read

ec2:Region

GetFlowLogsIntegrationTemplate Grants permission to generate a CloudFormation template to streamline the integration of VPC flow logs with Amazon Athena Read

vpc-flow-log*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetGroupsForCapacityReservation Grants permission to list the resource groups to which a Capacity Reservation has been added List

capacity-reservation*

aws:ResourceTag/${TagKey}

ec2:CapacityReservationFleet

ec2:Region

GetHostReservationPurchasePreview Grants permission to preview a reservation purchase with configurations that match those of a Dedicated Host Read

ec2:Region

GetImageBlockPublicAccessState Grants permission to get the current state of block public access for AMIs at the account level in the specified AWS Region Read

ec2:Region

GetInstanceMetadataDefaults Grants permission to view the default instance metadata service (IMDS) settings set for your account in the specified Region List

ec2:Region

GetInstanceTpmEkPub Grants permission to get the public endorsement key associated with the Nitro Trusted Platform Module (NitroTPM) for the specified instance Read

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

GetInstanceTypesFromInstanceRequirements Grants permission to view a list of instance types with specified instance attributes List

ec2:Region

GetInstanceUefiData Grants permission to retrieve the binary representation of the UEFI variable store Read

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:NewInstanceProfile

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

GetIpamAddressHistory Grants permission to retrieve historical information about a CIDR within an Amazon VPC IP Address Manager (IPAM) scope Read

ipam-scope*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetIpamDiscoveredAccounts Grants permission to retrieve IPAM discovered accounts Read

ipam-resource-discovery*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetIpamDiscoveredPublicAddresses Grants permission to retrieve the public IP addresses that have been discovered by IPAM Read

ipam-resource-discovery*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetIpamDiscoveredResourceCidrs Grants permission to retrieve the resource CIDRs that are monitored as part of a resource discovery Read

ipam-resource-discovery*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetIpamPoolAllocations Grants permission to get a list of all the CIDR allocations in an Amazon VPC IP Address Manager (IPAM) pool List

ipam-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetIpamPoolCidrs Grants permission to get the CIDRs provisioned to an Amazon VPC IP Address Manager (IPAM) pool Read

ipam-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetIpamResourceCidrs Grants permission to get information about the resources in an Amazon VPC IP Address Manager (IPAM) scope Read

ipam-scope*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam-pool

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetLaunchTemplateData Grants permission to get the configuration data of the specified instance for use with a new launch template or launch template version Read

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

GetManagedPrefixListAssociations Grants permission to get information about the resources that are associated with the specified managed prefix list Read

prefix-list*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetManagedPrefixListEntries Grants permission to get information about the entries for a specified managed prefix list Read

prefix-list*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetNetworkInsightsAccessScopeAnalysisFindings Grants permission to get the findings for one or more Network Access Scope analyses Read

network-insights-access-scope-analysis*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetNetworkInsightsAccessScopeContent Grants permission to get the content for a specified Network Access Scope Read

network-insights-access-scope*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetPasswordData Grants permission to retrieve the encrypted administrator password for a running Windows instance Read

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

GetReservedInstancesExchangeQuote Grants permission to return a quote and exchange information for exchanging one or more Convertible Reserved Instances for a new Convertible Reserved Instance Read

ec2:Region

GetResourcePolicy [permission only] Grants permission to describe an IAM policy that enables cross-account sharing Read

ipam-pool

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

placement-group

aws:ResourceTag/${TagKey}

ec2:PlacementGroupName

ec2:PlacementGroupStrategy

ec2:ResourceTag/${TagKey}

verified-access-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetSecurityGroupsForVpc Grants permission to retrieve a list of security groups for a specified VPC Read

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

GetSerialConsoleAccessStatus Grants permission to retrieve the access status of your account to the EC2 serial console of all instances Read

ec2:Region

GetSnapshotBlockPublicAccessState Grants permission to retrieve the current state of the block public access for snapshots setting for a Region Read

ec2:Region

GetSpotPlacementScores Grants permission to calculate the Spot placement score for a Region or Availability Zone based on the specified target capacity and compute requirements Read

ec2:Region

GetSubnetCidrReservations Grants permission to retrieve information about the subnet CIDR reservations Read

ec2:Region

GetTransitGatewayAttachmentPropagations Grants permission to list the route tables to which a resource attachment propagates routes List

ec2:Region

GetTransitGatewayMulticastDomainAssociations Grants permission to get information about the associations for a transit gateway multicast domain List

transit-gateway-multicast-domain*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayMulticastDomainId

ec2:Region

GetTransitGatewayPolicyTableAssociations Grants permission to get information about associations for a transit gateway policy table List

transit-gateway-policy-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayPolicyTableId

ec2:Region

GetTransitGatewayPolicyTableEntries Grants permission to get information about associations for a transit gateway policy table entry List

transit-gateway-policy-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayPolicyTableId

ec2:Region

GetTransitGatewayPrefixListReferences Grants permission to get information about prefix list references for a transit gateway route table List

ec2:Region

GetTransitGatewayRouteTableAssociations Grants permission to get information about associations for a transit gateway route table List

ec2:Region

GetTransitGatewayRouteTablePropagations Grants permission to get information about the route table propagations for a transit gateway route table List

ec2:Region

GetVerifiedAccessEndpointPolicy Grants permission to show the Verified Access policy associated with the endpoint List

verified-access-endpoint*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetVerifiedAccessEndpointTargets Grants permission to get Verified Access endpoint targets List

verified-access-endpoint*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetVerifiedAccessGroupPolicy Grants permission to show the contents of the Verified Access policy associated with the group List

verified-access-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetVerifiedAccessInstanceWebAcl [permission only] Grants permission to show the AWS Web Application Firewall (WAF) web access control list (ACL) for a Verified Access instance List

verified-access-instance*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetVpnConnectionDeviceSampleConfiguration Grants permission to download an AWS-provided sample configuration file to be used with the customer gateway device List

vpn-connection*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpn-connection-device-type*

ec2:Region

GetVpnConnectionDeviceTypes Grants permission to obtain a list of customer gateway devices for which sample configuration files can be provided List

ec2:Region

GetVpnTunnelReplacementStatus Grants permission to view available tunnel endpoint maintenance events List

vpn-connection*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

ImportByoipCidrToIpam [permission only] Grants permission to transfer existing BYOIP IPv4 CIDRs to IPAM Write

ipam-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

ImportClientVpnClientCertificateRevocationList Grants permission to upload a client certificate revocation list to a Client VPN endpoint Write

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

ImportImage Grants permission to import single or multi-volume disk images or EBS snapshots into an Amazon Machine Image (AMI) Write

image*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:RootDeviceType

ec2:CreateTags

import-image-task*

aws:RequestTag/${TagKey}

aws:TagKeys

snapshot

aws:ResourceTag/${TagKey}

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotID

ec2:SnapshotTime

ec2:VolumeSize

ec2:Region

ImportInstance Grants permission to create an import instance task using metadata from a disk image Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:InstanceID

ec2:ManagedResourceOperator

ec2:ResourceTag/${TagKey}

volume*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ManagedResourceOperator

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

security-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

ec2:Region

ImportKeyPair Grants permission to import a public key from an RSA key pair that was created with a third-party tool Write

key-pair*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

ec2:Region

ImportSnapshot Grants permission to import a disk into an EBS snapshot Write

import-snapshot-task*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

snapshot*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Owner

ec2:ParentVolume

ec2:SnapshotID

ec2:SnapshotTime

ec2:VolumeSize

ec2:Region

ImportVolume Grants permission to create an import volume task using metadata from a disk image Write

volume*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ManagedResourceOperator

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:Region

InjectApiError [permission only] Grants permission to temporarily inject errors for target API requests Write

ec2:FisActionId

ec2:FisTargetArns

ec2:Region

ListImagesInRecycleBin Grants permission to list Amazon Machine Images (AMIs) that are currently in the Recycle Bin List

ec2:Region

ListSnapshotsInRecycleBin Grants permission to list the Amazon EBS snapshots that are currently in the Recycle Bin List

ec2:Region

LockSnapshot Grants permission to lock an Amazon EBS snapshot in either governance or compliance mode to protect it against accidental or malicious deletions Write

snapshot*

aws:ResourceTag/${TagKey}

ec2:Encrypted

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotCoolOffPeriod

ec2:SnapshotID

ec2:SnapshotLockDuration

ec2:SnapshotTime

ec2:VolumeSize

ec2:Region

ModifyAddressAttribute Grants permission to modify an attribute of the specified Elastic IP address Write

elastic-ip*

aws:ResourceTag/${TagKey}

ec2:AllocationId

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:Domain

ec2:PublicIpAddress

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyAvailabilityZoneGroup Grants permission to modify the opt-in status of the Local Zone and Wavelength Zone group for your account Write

ec2:Region

ModifyCapacityReservation Grants permission to modify a Capacity Reservation's capacity and the conditions under which it is to be released Write

capacity-reservation*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:CapacityReservationFleet

ec2:Region

ModifyCapacityReservationFleet Grants permission to modify a Capacity Reservation Fleet Write

capacity-reservation-fleet*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

ec2:ModifyCapacityReservation

ec2:Region

ModifyClientVpnEndpoint Grants permission to modify a Client VPN endpoint Write

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

security-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

ModifyDefaultCreditSpecification Grants permission to change the account level default credit option for CPU usage of burstable performance instances Write

ec2:Region

ModifyEbsDefaultKmsKeyId Grants permission to change the default customer master key (CMK) for EBS encryption by default for your account Write

ec2:Region

ModifyFleet Grants permission to modify an EC2 Fleet Write

fleet*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

image

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

launch-template

aws:ResourceTag/${TagKey}

ec2:ManagedResourceOperator

ec2:ResourceTag/${TagKey}

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

ec2:Region

ModifyFpgaImageAttribute Grants permission to modify an attribute of an Amazon FPGA Image (AFI) Write

fpga-image*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyHosts Grants permission to modify a Dedicated Host Write

dedicated-host*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyIdFormat Grants permission to modify the ID format for a resource Write

ec2:Region

ModifyIdentityIdFormat Grants permission to modify the ID format of a resource for a specific principal in your account Write

ec2:Region

ModifyImageAttribute Grants permission to modify an attribute of an Amazon Machine Image (AMI) Write

image*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

ModifyInstanceAttribute Grants permission to modify an attribute of an instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

security-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

volume

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ManagedResourceOperator

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:Region

ModifyInstanceCapacityReservationAttributes Grants permission to modify the Capacity Reservation settings for a stopped instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

capacity-reservation

aws:ResourceTag/${TagKey}

ec2:Region

ModifyInstanceCpuOptions Grants permission to modify the CPU options on an instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

ModifyInstanceCreditSpecification Grants permission to modify the credit option for CPU usage on an instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

ModifyInstanceEventStartTime Grants permission to modify the start time for a scheduled EC2 instance event Write

instance*

aws:ResourceTag/${TagKey}

ec2:Attribute/${AttributeName}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

ModifyInstanceEventWindow Grants permission to modify the specified event window Write

instance-event-window*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyInstanceMaintenanceOptions Grants permission to modify the recovery behaviour for an instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

ModifyInstanceMetadataDefaults Grants permission to modify the default instance metadata service (IMDS) settings for your account in the specified Region Write

ec2:Attribute/${AttributeName}

ec2:Region

ModifyInstanceMetadataOptions Grants permission to modify the metadata options for an instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

ModifyInstancePlacement Grants permission to modify the placement attributes for an instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

dedicated-host

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

placement-group

aws:ResourceTag/${TagKey}

ec2:PlacementGroupName

ec2:PlacementGroupStrategy

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyIpam Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) Write

ipam*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyIpamPool Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) pool Write

ipam-pool*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyIpamResourceCidr Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) resource CIDR Write

ipam-scope*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyIpamResourceDiscovery Grants permission to modify a resource discovery Write

ipam-resource-discovery*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyIpamScope Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) scope Write

ipam-scope*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

ec2:Region

| Action | Description | Access level | Resource types (* = required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| ModifyLaunchTemplate | Grants permission to modify a launch template | Write | launch-template* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ManagedResourceOperator, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ModifyLocalGatewayRoute | Grants permission to modify a local gateway route | Write | local-gateway-route-table* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | local-gateway-virtual-interface-group | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | network-interface | aws:ResourceTag/${TagKey}, ec2:AuthorizedUser, ec2:AvailabilityZone, ec2:ManagedResourceOperator, ec2:NetworkInterfaceID, ec2:Permission, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc | |
| | | | prefix-list | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ModifyManagedPrefixList | Grants permission to modify a managed prefix list | Write | prefix-list* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ModifyNetworkInterfaceAttribute | Grants permission to modify an attribute of a network interface | Write | network-interface* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:AvailabilityZone, ec2:ManagedResourceOperator, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc | |
| | | | instance | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:CpuOptionsAmdSevSnp, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:ManagedResourceOperator, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ProductCode, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy | |
| | | | security-group | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID, ec2:Vpc | |
| | | | | ec2:Region | |
| ModifyPrivateDnsNameOptions | Grants permission to modify the options for instance hostnames for the specified instance | Write | instance* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:AvailabilityZone, ec2:CpuOptionsAmdSevSnp, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:ManagedResourceOperator, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:NewInstanceProfile, ec2:PlacementGroup, ec2:ProductCode, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy | |
| | | | | ec2:Region | |
| ModifyReservedInstances | Grants permission to modify attributes of one or more Reserved Instances | Write | reserved-instances* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:AvailabilityZone, ec2:InstanceType, ec2:ReservedInstancesOfferingType, ec2:ResourceTag/${TagKey}, ec2:Tenancy | |
| | | | | ec2:Region | |
| ModifySecurityGroupRules | Grants permission to modify the rules of a security group | Write | security-group* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID, ec2:Vpc | |
| | | | security-group-rule* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | prefix-list | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ModifySnapshotAttribute | Grants permission to add or remove permission settings for a snapshot | Permissions management | snapshot* | aws:ResourceTag/${TagKey}, ec2:Add/group, ec2:Add/userId, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:AvailabilityZone, ec2:Owner, ec2:ParentVolume, ec2:Remove/group, ec2:Remove/userId, ec2:ResourceTag/${TagKey}, ec2:SnapshotID, ec2:SnapshotTime, ec2:VolumeSize | |
| | | | | ec2:Region | |
| ModifySnapshotTier | Grants permission to archive Amazon EBS snapshots | Write | snapshot* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:Encrypted, ec2:Owner, ec2:ParentVolume, ec2:ResourceTag/${TagKey}, ec2:SnapshotID, ec2:SnapshotTime, ec2:VolumeSize | |
| | | | | ec2:Region | |
| ModifySpotFleetRequest | Grants permission to modify a Spot Fleet request | Write | spot-fleet-request* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey} | |
| | | | launch-template | aws:ResourceTag/${TagKey}, ec2:ManagedResourceOperator, ec2:ResourceTag/${TagKey} | |
| | | | subnet | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc | |
| | | | | ec2:Region | |
| ModifySubnetAttribute | Grants permission to modify an attribute of a subnet | Write | subnet* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc | |
| | | | | ec2:Region | |
| ModifyTrafficMirrorFilterNetworkServices | Grants permission to allow or restrict mirroring network services | Write | traffic-mirror-filter* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ModifyTrafficMirrorFilterRule | Grants permission to modify a traffic mirror rule | Write | traffic-mirror-filter* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey} | |
| | | | traffic-mirror-filter-rule* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName} | |
| | | | | ec2:Region | |
| ModifyTrafficMirrorSession | Grants permission to modify a traffic mirror session | Write | traffic-mirror-session* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey} | |
| | | | traffic-mirror-filter | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | traffic-mirror-target | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ModifyTransitGateway | Grants permission to modify a transit gateway | Write | transit-gateway* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayId | |
| | | | transit-gateway-route-table | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayRouteTableId | |
| | | | | ec2:Region | |
| ModifyTransitGatewayPrefixListReference | Grants permission to modify a transit gateway prefix list reference | Write | prefix-list* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey} | |
| | | | transit-gateway-route-table* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayRouteTableId | |
| | | | transit-gateway-attachment | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayAttachmentId | |
| | | | | ec2:Region | |
| ModifyTransitGatewayVpcAttachment | Grants permission to modify a VPC attachment on a transit gateway | Write | transit-gateway-attachment* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayAttachmentId | |
| | | | subnet | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc | |
| | | | | ec2:Region | |
| ModifyVerifiedAccessEndpoint | Grants permission to modify the configuration of a Verified Access endpoint | Write | verified-access-endpoint* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | subnet | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc | |
| | | | verified-access-group | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ModifyVerifiedAccessEndpointPolicy | Grants permission to modify the specified Verified Access endpoint policy | Write | verified-access-endpoint* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ModifyVerifiedAccessGroup | Grants permission to modify the specified Verified Access Group configuration | Write | verified-access-group* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | verified-access-instance | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ModifyVerifiedAccessGroupPolicy | Grants permission to modify the specified Verified Access group policy | Write | verified-access-group* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ModifyVerifiedAccessInstance | Grants permission to modify the configuration of the specified Verified Access instance | Write | verified-access-instance* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ModifyVerifiedAccessInstanceLoggingConfiguration | Grants permission to modify the logging configuration for the specified Verified Access instance | Write | verified-access-instance* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ModifyVerifiedAccessTrustProvider | Grants permission to modify the configuration of the specified Verified Access trust provider | Write | verified-access-trust-provider* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ModifyVolume | Grants permission to modify the parameters of an EBS volume | Write | volume* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:AvailabilityZone, ec2:Encrypted, ec2:ManagedResourceOperator, ec2:ParentSnapshot, ec2:ResourceTag/${TagKey}, ec2:VolumeID, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType | |
| | | | | ec2:Region | |
| ModifyVolumeAttribute | Grants permission to modify an attribute of a volume | Write | volume* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:AvailabilityZone, ec2:Encrypted, ec2:ManagedResourceOperator, ec2:ParentSnapshot, ec2:ResourceTag/${TagKey}, ec2:VolumeID, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType | |
| | | | | ec2:Region | |
| ModifyVpcAttribute | Grants permission to modify an attribute of a VPC | Write | vpc* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID | |
| | | | | ec2:Region | |
| ModifyVpcBlockPublicAccessExclusion | Grants permission to modify an exclusion list for blocked public access on a VPC | Write | vpc-block-public-access-exclusion* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ModifyVpcBlockPublicAccessOptions | Grants permission to modify options for blocked public access on a VPC | Write | | ec2:Region | |
| ModifyVpcEndpoint | Grants permission to modify an attribute of a VPC endpoint | Write | vpc-endpoint* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey} | |
| | | | route-table | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:RouteTableID | |
| | | | security-group | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID, ec2:Vpc | |
| | | | subnet | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc | |
| | | | | ec2:Region | |
| ModifyVpcEndpointConnectionNotification | Grants permission to modify a connection notification for a VPC endpoint or VPC endpoint service | Write | vpc-endpoint | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | vpc-endpoint-service | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:vpceMultiRegion, ec2:vpceSupportedRegion | |
| | | | | ec2:Region | |
| ModifyVpcEndpointServiceConfiguration | Grants permission to modify the attributes of a VPC endpoint service configuration | Write | vpc-endpoint-service* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey}, ec2:VpceServicePrivateDnsName, ec2:vpceMultiRegion, ec2:vpceSupportedRegion | |
| | | | | ec2:Region | |
| ModifyVpcEndpointServicePayerResponsibility | Grants permission to modify the payer responsibility for a VPC endpoint service | Write | vpc-endpoint-service* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey}, ec2:vpceMultiRegion, ec2:vpceSupportedRegion | |
| | | | | ec2:Region | |
| ModifyVpcEndpointServicePermissions | Grants permission to modify the permissions for a VPC endpoint service | Permissions management | vpc-endpoint-service* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey}, ec2:vpceMultiRegion, ec2:vpceSupportedRegion | |
| | | | | ec2:Region | |
| ModifyVpcPeeringConnectionOptions | Grants permission to modify the VPC peering connection options on one side of a VPC peering connection | Write | vpc-peering-connection* | aws:ResourceTag/${TagKey}, ec2:AccepterVpc, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:RequesterVpc, ec2:ResourceTag/${TagKey}, ec2:VpcPeeringConnectionID | |
| | | | | ec2:Region | |
| ModifyVpcTenancy | Grants permission to modify the instance tenancy attribute of a VPC | Write | vpc* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID | |
| | | | | ec2:Region | |
| ModifyVpnConnection | Grants permission to modify the target gateway of a Site-to-Site VPN connection | Write | vpn-connection* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:AuthenticationType, ec2:DPDTimeoutSeconds, ec2:GatewayType, ec2:IKEVersions, ec2:InsideTunnelCidr, ec2:InsideTunnelIpv6Cidr, ec2:Phase1DHGroup, ec2:Phase1EncryptionAlgorithms, ec2:Phase1IntegrityAlgorithms, ec2:Phase1LifetimeSeconds, ec2:Phase2DHGroup, ec2:Phase2EncryptionAlgorithms, ec2:Phase2IntegrityAlgorithms, ec2:Phase2LifetimeSeconds, ec2:RekeyFuzzPercentage, ec2:RekeyMarginTimeSeconds, ec2:ReplayWindowSizePackets, ec2:ResourceTag/${TagKey}, ec2:RoutingType | |
| | | | | ec2:Region | |
| ModifyVpnConnectionOptions | Grants permission to modify the connection options for your Site-to-Site VPN connection | Write | vpn-connection* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ModifyVpnTunnelCertificate | Grants permission to modify the certificate for a Site-to-Site VPN connection | Write | vpn-connection* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ModifyVpnTunnelOptions | Grants permission to modify the options for a Site-to-Site VPN connection | Write | vpn-connection* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:AuthenticationType, ec2:DPDTimeoutSeconds, ec2:GatewayType, ec2:IKEVersions, ec2:InsideTunnelCidr, ec2:InsideTunnelIpv6Cidr, ec2:Phase1DHGroup, ec2:Phase1EncryptionAlgorithms, ec2:Phase1IntegrityAlgorithms, ec2:Phase1LifetimeSeconds, ec2:Phase2DHGroup, ec2:Phase2EncryptionAlgorithms, ec2:Phase2IntegrityAlgorithms, ec2:Phase2LifetimeSeconds, ec2:RekeyFuzzPercentage, ec2:RekeyMarginTimeSeconds, ec2:ReplayWindowSizePackets, ec2:ResourceTag/${TagKey}, ec2:RoutingType | |
| | | | | ec2:Region | |
| MonitorInstances | Grants permission to enable detailed monitoring for a running instance | Write | instance* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:CpuOptionsAmdSevSnp, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:ManagedResourceOperator, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ProductCode, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy | |
| | | | | ec2:Region | |
| MoveAddressToVpc | Grants permission to move an Elastic IP address from the EC2-Classic platform to the EC2-VPC platform | Write | | ec2:Region | |
| MoveByoipCidrToIpam | Grants permission to move a BYOIP IPv4 CIDR to Amazon VPC IP Address Manager (IPAM) from a public IPv4 pool | Write | ipam-pool* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| MoveCapacityReservationInstances | Grants permission to move available capacity from a source Capacity Reservation to a destination Capacity Reservation | Write | capacity-reservation* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:CapacityReservationFleet, ec2:CreateDate, ec2:DestinationCapacityReservationId, ec2:EbsOptimized, ec2:EndDate, ec2:EndDateType, ec2:InstanceCount, ec2:InstanceMatchCriteria, ec2:InstancePlatform, ec2:InstanceType, ec2:OutpostArn, ec2:PlacementGroup, ec2:ResourceTag/${TagKey}, ec2:SourceCapacityReservationId, ec2:Tenancy | |
| | | | | ec2:Region | |
| PauseVolumeIO [permission only] | Grants permission to temporarily pause I/O operations for a target Amazon EBS volume | Write | volume* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Encrypted, ec2:ManagedResourceOperator, ec2:ParentSnapshot, ec2:ResourceTag/${TagKey}, ec2:VolumeID, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType | |
| | | | instance | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:CpuOptionsAmdSevSnp, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:ManagedResourceOperator, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy | |
| | | | | ec2:Region | |
| ProvisionByoipCidr | Grants permission to provision an address range for use in AWS through bring your own IP addresses (BYOIP), and to create a corresponding address pool | Write | | ec2:Region | |
| ProvisionIpamByoasn | Grants permission to provision an Autonomous System Number (ASN) for use in an Amazon Web Services account | Write | ipam* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ProvisionIpamPoolCidr | Grants permission to provision a CIDR to an Amazon VPC IP Address Manager (IPAM) pool | Write | ipam-pool* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | ipam-external-resource-verification-token | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ProvisionPublicIpv4PoolCidr | Grants permission to provision a CIDR to a public IPv4 pool | Write | ipam-pool* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | ipv4pool-ec2* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| PurchaseCapacityBlock | Grants permission to purchase a Capacity Block offering | Write | capacity-reservation* | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:CapacityReservationFleet | ec2:CreateTags |
| | | | | ec2:Region | |
| PurchaseCapacityBlockExtension | Grants permission to purchase a Capacity Block extension | Write | capacity-reservation* | aws:ResourceTag/${TagKey}, ec2:CapacityReservationFleet | |
| | | | | ec2:Region | |
| PurchaseHostReservation | Grants permission to purchase a reservation with configurations that match those of a Dedicated Host | Write | dedicated-host* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | ec2:CreateTags |
| | | | | ec2:Region | |
| PurchaseReservedInstancesOffering | Grants permission to purchase a Reserved Instance offering | Write | | ec2:Region | |
| PurchaseScheduledInstances | Grants permission to purchase one or more Scheduled Instances with a specified schedule | Write | | ec2:Region | |
| PutResourcePolicy [permission only] | Grants permission to attach an IAM policy that enables cross-account sharing to a resource | Write | ipam-pool | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | placement-group | aws:ResourceTag/${TagKey}, ec2:PlacementGroupName, ec2:PlacementGroupStrategy, ec2:ResourceTag/${TagKey} | |
| | | | verified-access-group | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| RebootInstances | Grants permission to request a reboot of one or more instances | Write | instance* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:CpuOptionsAmdSevSnp, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:ManagedResourceOperator, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ProductCode, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy | |
| | | | | ec2:Region | |
| RegisterImage | Grants permission to register an Amazon Machine Image (AMI) | Write | image* | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:ImageID, ec2:Owner | ec2:CreateTags |
| | | | snapshot | aws:ResourceTag/${TagKey}, ec2:OutpostArn, ec2:Owner, ec2:ParentVolume, ec2:ResourceTag/${TagKey}, ec2:SnapshotID, ec2:SnapshotTime, ec2:SourceOutpostArn, ec2:VolumeSize | |
| | | | | ec2:Region | |
| RegisterInstanceEventNotificationAttributes | Grants permission to add tags to the set of tags to include in notifications about scheduled events for your instances | Write | | ec2:Region | |
| RegisterTransitGatewayMulticastGroupMembers | Grants permission to register one or more network interfaces as a member of a group IP address in a transit gateway multicast domain | Write | network-interface* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ManagedResourceOperator, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc | |
| | | | transit-gateway-multicast-domain* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayMulticastDomainId | |
| | | | | ec2:Region | |
| RegisterTransitGatewayMulticastGroupSources | Grants permission to register one or more network interfaces as a source of a group IP address in a transit gateway multicast domain | Write | network-interface* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ManagedResourceOperator, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc | |
| | | | transit-gateway-multicast-domain* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayMulticastDomainId | |
| | | | | ec2:Region | |
| RejectCapacityReservationBillingOwnership | Grants permission to reject a request to assign billing of the available capacity of a shared Capacity Reservation to your account | Write | capacity-reservation* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:CapacityReservationFleet, ec2:CreateDate, ec2:DestinationCapacityReservationId, ec2:EbsOptimized, ec2:EndDate, ec2:EndDateType, ec2:InstanceCount, ec2:InstanceMatchCriteria, ec2:InstancePlatform, ec2:InstanceType, ec2:OutpostArn, ec2:PlacementGroup, ec2:ResourceTag/${TagKey}, ec2:SourceCapacityReservationId, ec2:Tenancy | |
| | | | | ec2:Region | |
| RejectTransitGatewayMulticastDomainAssociations | Grants permission to reject requests to associate cross-account subnets with a transit gateway multicast domain | Write | transit-gateway-attachment | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayAttachmentId | |
| | | | transit-gateway-multicast-domain | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayMulticastDomainId | |
| | | | | ec2:Region | |
| RejectTransitGatewayPeeringAttachment | Grants permission to reject a transit gateway peering attachment request | Write | transit-gateway-attachment* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayAttachmentId | |
| | | | | ec2:Region | |
| RejectTransitGatewayVpcAttachment | Grants permission to reject a request to attach a VPC to a transit gateway | Write | transit-gateway-attachment* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayAttachmentId | |
| | | | | ec2:Region | |
| RejectVpcEndpointConnections | Grants permission to reject one or more VPC endpoint connection requests to a VPC endpoint service | Write | vpc-endpoint-service* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:vpceMultiRegion, ec2:vpceSupportedRegion | |
| | | | | ec2:Region | |
| RejectVpcPeeringConnection | Grants permission to reject a VPC peering connection request | Write | vpc-peering-connection* | aws:ResourceTag/${TagKey}, ec2:AccepterVpc, ec2:RequesterVpc, ec2:ResourceTag/${TagKey}, ec2:VpcPeeringConnectionID | |
| | | | | ec2:Region | |
| ReleaseAddress | Grants permission to release an Elastic IP address | Write | elastic-ip | aws:ResourceTag/${TagKey}, ec2:AllocationId, ec2:Domain, ec2:PublicIpAddress, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ReleaseHosts | Grants permission to release one or more On-Demand Dedicated Hosts | Write | dedicated-host* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ReleaseIpamPoolAllocation | Grants permission to release an allocation within an Amazon VPC IP Address Manager (IPAM) pool | Write | ipam-pool* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ReplaceIamInstanceProfileAssociation | Grants permission to replace an IAM instance profile for an instance | Write | instance* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:CpuOptionsAmdSevSnp, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:ManagedResourceOperator, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:NewInstanceProfile, ec2:PlacementGroup, ec2:ProductCode, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy | iam:PassRole |
| | | | | ec2:Region | |
| ReplaceImageCriteriaInAllowedImagesSettings | Grants permission to replace image criteria in allowed images settings | Write | | ec2:Region | |
| ReplaceNetworkAclAssociation | Grants permission to change which network ACL a subnet is associated with | Write | network-acl* | aws:ResourceTag/${TagKey}, ec2:NetworkAclID, ec2:ResourceTag/${TagKey}, ec2:Vpc | |
| | | | subnet* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc | |
| | | | | ec2:Region | |
| ReplaceNetworkAclEntry | Grants permission to replace an entry (rule) in a network ACL | Write | network-acl* | aws:ResourceTag/${TagKey}, ec2:NetworkAclID, ec2:ResourceTag/${TagKey}, ec2:Vpc | |
| | | | | ec2:Region | |
| ReplaceRoute | Grants permission to replace a route within a route table in a VPC | Write | route-table* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:RouteTableID, ec2:Vpc | |
| | | | | ec2:Region | |
| ReplaceRouteTableAssociation | Grants permission to change the route table that is associated with a subnet | Write | route-table* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:RouteTableID, ec2:Vpc | |
| | | | internet-gateway | aws:ResourceTag/${TagKey}, ec2:InternetGatewayID, ec2:ResourceTag/${TagKey} | |
| | | | ipv4pool-ec2 | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | ipv6pool-ec2 | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | subnet | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc | |
| | | | vpn-gateway | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ReplaceTransitGatewayRoute | Grants permission to replace a route in a transit gateway route table | Write | transit-gateway-route-table* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayRouteTableId | |
| | | | transit-gateway-attachment | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:transitGatewayAttachmentId | |
| | | | | ec2:Region | |
| ReplaceVpnTunnel | Grants permission to replace a VPN tunnel | Write | vpn-connection* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ReportInstanceStatus | Grants permission to submit feedback about the status of an instance | Write | | ec2:Region | |
| RequestSpotFleet | Grants permission to create a Spot Fleet request | Write | spot-fleet-request* | aws:RequestTag/${TagKey}, aws:TagKeys | ec2:CreateTags |
| | | | image | aws:ResourceTag/${TagKey}, ec2:ImageID, ec2:ImageType, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType | |
| | | | key-pair | aws:ResourceTag/${TagKey}, ec2:KeyPairName, ec2:KeyPairType, ec2:ResourceTag/${TagKey} | |
| | | | launch-template | aws:ResourceTag/${TagKey}, ec2:ManagedResourceOperator, ec2:ResourceTag/${TagKey} | |
| | | | placement-group | aws:ResourceTag/${TagKey}, ec2:PlacementGroupName, ec2:PlacementGroupStrategy, ec2:ResourceTag/${TagKey} | |
| | | | security-group | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID, ec2:Vpc | |
| | | | snapshot | aws:ResourceTag/${TagKey}, ec2:OutpostArn, ec2:Owner, ec2:ParentVolume, ec2:ResourceTag/${TagKey}, ec2:SnapshotID, ec2:SnapshotTime, ec2:SourceOutpostArn, ec2:VolumeSize | |
| | | | subnet | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc | |
| | | | | ec2:Region | |
| RequestSpotInstances | Grants permission to create a Spot Instance request | Write | spot-instances-request* | aws:RequestTag/${TagKey}, aws:TagKeys | ec2:CreateTags, iam:PassRole |
| | | | image | aws:ResourceTag/${TagKey}, ec2:ImageID, ec2:ImageType, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType | |
| | | | key-pair | aws:ResourceTag/${TagKey}, ec2:KeyPairName, ec2:KeyPairType, ec2:ResourceTag/${TagKey} | |
| | | | network-interface | aws:ResourceTag/${TagKey}, ec2:AuthorizedUser, ec2:AvailabilityZone, ec2:ManagedResourceOperator, ec2:NetworkInterfaceID, ec2:Permission, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc | |
| | | | placement-group | aws:ResourceTag/${TagKey}, ec2:PlacementGroupName, ec2:PlacementGroupStrategy, ec2:ResourceTag/${TagKey} | |
| | | | security-group | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID, ec2:Vpc | |
| | | | snapshot | aws:ResourceTag/${TagKey}, ec2:OutpostArn, ec2:Owner, ec2:ParentVolume, ec2:ResourceTag/${TagKey}, ec2:SnapshotID, ec2:SnapshotTime, ec2:SourceOutpostArn, ec2:VolumeSize | |
| | | | subnet | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc | |
| | | | | ec2:Region | |
| ResetAddressAttribute | Grants permission to reset the attribute of the specified IP address | Write | elastic-ip* | aws:ResourceTag/${TagKey}, ec2:AllocationId, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:Domain, ec2:PublicIpAddress, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ResetEbsDefaultKmsKeyId | Grants permission to reset the default customer master key (CMK) for EBS encryption for your account to use the AWS-managed CMK for EBS | Write | | ec2:Region | |
| ResetFpgaImageAttribute | Grants permission to reset an attribute of an Amazon FPGA Image (AFI) to its default value | Write | fpga-image* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| ResetImageAttribute | Grants permission to reset an attribute of an Amazon Machine Image (AMI) to its default value | Write | image* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ImageID, ec2:ImageType, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType | |
| | | | | ec2:Region | |
| ResetInstanceAttribute | Grants permission to reset an attribute of an instance to its default value | Write | instance* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:CpuOptionsAmdSevSnp, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:ManagedResourceOperator, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:ProductCode, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy | |
| | | | | ec2:Region | |
| ResetNetworkInterfaceAttribute | Grants permission to reset an attribute of a network interface | Write | network-interface* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ManagedResourceOperator, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc | |
| | | | | ec2:Region | |
| ResetSnapshotAttribute | Grants permission to reset permission settings for a snapshot | Permissions management | snapshot* | aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:Owner, ec2:ParentVolume, ec2:ResourceTag/${TagKey}, ec2:SnapshotID, ec2:SnapshotTime, ec2:VolumeSize | |
| | | | | ec2:Region | |
| RestoreAddressToClassic | Grants permission to restore an Elastic IP address that was previously moved to the EC2-VPC platform back to the EC2-Classic platform | Write | | ec2:Region | |
| RestoreImageFromRecycleBin | Grants permission to restore an Amazon Machine Image (AMI) from the Recycle Bin | Write | image* | aws:ResourceTag/${TagKey}, ec2:ImageID, ec2:ImageType, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType | |
| | | | | ec2:Region | |
| RestoreManagedPrefixListVersion | Grants permission to restore the entries from a previous version of a managed prefix list to a new version of the prefix list | Write | prefix-list* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} | |
| | | | | ec2:Region | |
| RestoreSnapshotFromRecycleBin | Grants permission to restore an Amazon EBS snapshot from the Recycle Bin | Write | snapshot* | aws:ResourceTag/${TagKey}, ec2:Encrypted, ec2:Owner, ec2:ParentVolume, ec2:ResourceTag/${TagKey}, ec2:SnapshotID, ec2:SnapshotTime, ec2:VolumeSize | |
| | | | | ec2:Region | |
| RestoreSnapshotTier | Grants permission to restore an archived Amazon EBS snapshot for use temporarily or permanently, or modify the restore period or restore type for a snapshot that was previously temporarily restored | Write | snapshot* | aws:ResourceTag/${TagKey}, ec2:Encrypted, ec2:Owner, ec2:ParentVolume, ec2:ResourceTag/${TagKey}, ec2:SnapshotID, ec2:SnapshotTime, ec2:VolumeSize | |
| | | | | ec2:Region | |
| RevokeClientVpnIngress | Grants permission to remove an inbound authorization rule from a Client VPN endpoint | Write | client-vpn-endpoint* | aws:ResourceTag/${TagKey}, ec2:ClientRootCertificateChainArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn, ec2:DirectoryArn, ec2:ResourceTag/${TagKey}, ec2:SamlProviderArn, ec2:ServerCertificateArn | |
| | | | | ec2:Region | |
| RevokeSecurityGroupEgress | Grants permission to remove one or more outbound rules from a VPC security group | Write | security-group* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID, ec2:Vpc | |
| | | | | ec2:Region | |
| RevokeSecurityGroupIngress | Grants permission to remove one or more inbound rules from a security group | Write | security-group* | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID, ec2:Vpc | |
| | | | | ec2:Region | |
| RunInstances | Grants permission to launch one or more instances | Write | image* | aws:ResourceTag/${TagKey}, ec2:ImageID, ec2:ImageType, ec2:IsLaunchTemplateResource, ec2:LaunchTemplate, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType | ec2:CreateTags, iam:PassRole, ssm:GetParameters |
| | | | instance* | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:AvailabilityZone, ec2:CpuOptionsAmdSevSnp, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:IsLaunchTemplateResource, ec2:LaunchTemplate, ec2:ManagedResourceOperator, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ProductCode, ec2:RootDeviceType, ec2:Tenancy | |
| | | | network-interface* | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:AssociatePublicIpAddress, ec2:AuthorizedService, ec2:AvailabilityZone, ec2:IsLaunchTemplateResource, ec2:LaunchTemplate, ec2:ManagedResourceOperator, ec2:NetworkInterfaceID, ec2:Subnet, ec2:Vpc | |
| | | | security-group* | aws:ResourceTag/${TagKey}, ec2:IsLaunchTemplateResource, ec2:LaunchTemplate, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID, ec2:Vpc | |
| | | | subnet* | aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:IsLaunchTemplateResource, ec2:LaunchTemplate, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc | |
| | | | capacity-reservation | aws:ResourceTag/${TagKey}, ec2:IsLaunchTemplateResource, ec2:LaunchTemplate | |
| | | | elastic-gpu | aws:ResourceTag/${TagKey}, ec2:ElasticGpuType, ec2:IsLaunchTemplateResource, ec2:LaunchTemplate, ec2:ResourceTag/${TagKey} | |
| | | | elastic-inference | | |
| | | | group | | |
| | | | key-pair | aws:ResourceTag/${TagKey}, ec2:IsLaunchTemplateResource, ec2:KeyPairName, ec2:KeyPairType, ec2:LaunchTemplate, ec2:ResourceTag/${TagKey} | |
| | | | launch-template | aws:ResourceTag/${TagKey}, ec2:IsLaunchTemplateResource, ec2:LaunchTemplate, ec2:ManagedResourceOperator, ec2:ResourceTag/${TagKey} | |
| | | | license-configuration | | |
| | | | placement-group | aws:ResourceTag/${TagKey}, ec2:IsLaunchTemplateResource, ec2:LaunchTemplate, ec2:PlacementGroupName, ec2:PlacementGroupStrategy, ec2:ResourceTag/${TagKey} | |
| | | | snapshot | aws:ResourceTag/${TagKey}, ec2:IsLaunchTemplateResource, ec2:LaunchTemplate, ec2:Owner, ec2:ParentVolume, ec2:ResourceTag/${TagKey}, ec2:SnapshotID, ec2:SnapshotTime, ec2:VolumeSize | |
| | | | volume | aws:RequestTag/${TagKey}, aws:TagKeys, ec2:AvailabilityZone, ec2:Encrypted, ec2:IsLaunchTemplateResource, ec2:LaunchTemplate, ec2:ManagedResourceOperator, ec2:ParentSnapshot, ec2:VolumeID, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType | |
| | | | | ec2:Region | |
| SCENARIO: EC2-Classic-EBS | | | image*, instance*, security-group*, volume*, key-pair, placement-group, snapshot | | |
| SCENARIO: EC2-Classic-InstanceStore | | | image*, instance*, security-group*, key-pair, placement-group, snapshot | | |
| SCENARIO: EC2-VPC-EBS | | | image*, instance*, network-interface*, security-group*, volume*, key-pair, placement-group, snapshot | | |
| SCENARIO: EC2-VPC-EBS-Subnet | | | image*, instance*, network-interface*, security-group*, subnet*, volume*, key-pair, placement-group, snapshot | | |
| SCENARIO: EC2-VPC-InstanceStore | | | image*, instance*, network-interface*, security-group*, key-pair, placement-group, snapshot | | |
| SCENARIO: EC2-VPC-InstanceStore-Subnet | | | image*, instance*, network-interface*, security-group*, subnet*, key-pair, placement-group, snapshot | | |
| RunScheduledInstances | Grants permission to launch one or more Scheduled Instances | Write | | ec2:Region | |

SearchLocalGatewayRoutes Grants permission to search for routes in a local gateway route table List

local-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

SearchTransitGatewayMulticastGroups Grants permission to search for groups, sources, and members in a transit gateway multicast domain List

transit-gateway-multicast-domain*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayMulticastDomainId

ec2:Region

SearchTransitGatewayRoutes Grants permission to search for routes in a transit gateway route table List

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableId

ec2:Region

SendDiagnosticInterrupt Grants permission to send a diagnostic interrupt to an Amazon EC2 instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

SendSpotInstanceInterruptions [permission only] Grants permission to interrupt a Spot Instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

StartDeclarativePoliciesReport Grants permission to start a declarative policies report Read

ec2:Region

StartInstances Grants permission to start a stopped instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

license-configuration

ec2:Region

StartNetworkInsightsAccessScopeAnalysis Grants permission to start a Network Access Scope analysis Write

network-insights-access-scope*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CreateTags

network-insights-access-scope-analysis*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

StartNetworkInsightsAnalysis Grants permission to start analyzing a specified path Write

network-insights-analysis*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

network-insights-path*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

StartVpcEndpointServicePrivateDnsVerification Grants permission to start the private DNS verification process for a VPC endpoint service Write

vpc-endpoint-service*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:vpceMultiRegion

ec2:vpceSupportedRegion

ec2:Region

StopInstances Grants permission to stop an Amazon EBS-backed instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

TerminateClientVpnConnections Grants permission to terminate active Client VPN endpoint connections Write

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

TerminateInstances Grants permission to shut down one or more instances Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

UnassignIpv6Addresses Grants permission to unassign one or more IPv6 addresses from a network interface Write

network-interface*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ManagedResourceOperator

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

UnassignPrivateIpAddresses Grants permission to unassign one or more secondary private IP addresses from a network interface Write

network-interface*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ManagedResourceOperator

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

UnassignPrivateNatGatewayAddress Grants permission to unassign secondary private IPv4 addresses from a private NAT gateway Write

natgateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

UnlockSnapshot Grants permission to unlock a snapshot that is locked in governance mode or in compliance mode while still in the cooling-off period Write

snapshot*

aws:ResourceTag/${TagKey}

ec2:Encrypted

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotCoolOffPeriod

ec2:SnapshotID

ec2:SnapshotLockDuration

ec2:SnapshotTime

ec2:VolumeSize

ec2:Region

UnmonitorInstances Grants permission to disable detailed monitoring for a running instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

UpdateSecurityGroupRuleDescriptionsEgress Grants permission to update descriptions for one or more outbound rules in a VPC security group Write

security-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

ec2:Region

UpdateSecurityGroupRuleDescriptionsIngress Grants permission to update descriptions for one or more inbound rules in a security group Write

security-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

ec2:Region

WithdrawByoipCidr Grants permission to stop advertising an address range that was provisioned for use in AWS through bring your own IP addresses (BYOIP) Write

ec2:Region

Resource types defined by Amazon EC2

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
elastic-ip: arn:${Partition}:ec2:${Region}:${Account}:elastic-ip/${AllocationId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:AllocationId, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:Domain, ec2:PublicIpAddress, ec2:Region, ec2:ResourceTag/${TagKey}

capacity-reservation-fleet: arn:${Partition}:ec2:${Region}:${Account}:capacity-reservation-fleet/${CapacityReservationFleetId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:Region, ec2:ResourceTag/${TagKey}

capacity-reservation: arn:${Partition}:ec2:${Region}:${Account}:capacity-reservation/${CapacityReservationId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:AvailabilityZone, ec2:CapacityReservationFleet, ec2:CreateDate, ec2:DestinationCapacityReservationId, ec2:EbsOptimized, ec2:EndDate, ec2:EndDateType, ec2:InstanceCount, ec2:InstanceMatchCriteria, ec2:InstancePlatform, ec2:InstanceType, ec2:IsLaunchTemplateResource, ec2:LaunchTemplate, ec2:OutpostArn, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:SourceCapacityReservationId, ec2:Tenancy

carrier-gateway: arn:${Partition}:ec2:${Region}:${Account}:carrier-gateway/${CarrierGatewayId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:Vpc

certificate: arn:${Partition}:acm:${Region}:${Account}:certificate/${CertificateId}
    Condition keys: (none)

client-vpn-endpoint: arn:${Partition}:ec2:${Region}:${Account}:client-vpn-endpoint/${ClientVpnEndpointId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ClientRootCertificateChainArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn, ec2:DirectoryArn, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:SamlProviderArn, ec2:ServerCertificateArn

customer-gateway: arn:${Partition}:ec2:${Region}:${Account}:customer-gateway/${CustomerGatewayId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

declarative-policies-report: arn:${Partition}:ec2:${Region}:${Account}:declarative-policies-report/${DeclarativePoliciesReportId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

dedicated-host: arn:${Partition}:ec2:${Region}:${Account}:dedicated-host/${DedicatedHostId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:AutoPlacement, ec2:AvailabilityZone, ec2:HostRecovery, ec2:InstanceType, ec2:IsLaunchTemplateResource, ec2:LaunchTemplate, ec2:Quantity, ec2:Region, ec2:ResourceTag/${TagKey}

dhcp-options: arn:${Partition}:ec2:${Region}:${Account}:dhcp-options/${DhcpOptionsId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:DhcpOptionsID, ec2:Region, ec2:ResourceTag/${TagKey}

egress-only-internet-gateway: arn:${Partition}:ec2:${Region}:${Account}:egress-only-internet-gateway/${EgressOnlyInternetGatewayId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

elastic-gpu: arn:${Partition}:ec2:${Region}:${Account}:elastic-gpu/${ElasticGpuId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:ElasticGpuType, ec2:IsLaunchTemplateResource, ec2:LaunchTemplate, ec2:Region, ec2:ResourceTag/${TagKey}

elastic-inference: arn:${Partition}:elastic-inference:${Region}:${Account}:elastic-inference-accelerator/${AcceleratorId}
    Condition keys: (none)

export-image-task: arn:${Partition}:ec2:${Region}:${Account}:export-image-task/${ExportImageTaskId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

export-instance-task: arn:${Partition}:ec2:${Region}:${Account}:export-instance-task/${ExportTaskId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

fleet: arn:${Partition}:ec2:${Region}:${Account}:fleet/${FleetId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:Region, ec2:ResourceTag/${TagKey}

fpga-image: arn:${Partition}:ec2:${Region}:${Account}:fpga-image/${FpgaImageId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:Owner, ec2:Public, ec2:Region, ec2:ResourceTag/${TagKey}

host-reservation: arn:${Partition}:ec2:${Region}:${Account}:host-reservation/${HostReservationId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

image: arn:${Partition}:ec2:${Region}::image/${ImageId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ImageID, ec2:ImageType, ec2:IsLaunchTemplateResource, ec2:LaunchTemplate, ec2:Owner, ec2:Public, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType

import-image-task: arn:${Partition}:ec2:${Region}:${Account}:import-image-task/${ImportImageTaskId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

import-snapshot-task: arn:${Partition}:ec2:${Region}:${Account}:import-snapshot-task/${ImportSnapshotTaskId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

instance-connect-endpoint: arn:${Partition}:ec2:${Region}:${Account}:instance-connect-endpoint/${InstanceConnectEndpointId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:SubnetID

instance-event-window: arn:${Partition}:ec2:${Region}:${Account}:instance-event-window/${InstanceEventWindowId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

instance: arn:${Partition}:ec2:${Region}:${Account}:instance/${InstanceId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:AvailabilityZone, ec2:CpuOptionsAmdSevSnp, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:IsLaunchTemplateResource, ec2:LaunchTemplate, ec2:ManagedResourceOperator, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:NewInstanceProfile, ec2:PlacementGroup, ec2:ProductCode, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy

internet-gateway: arn:${Partition}:ec2:${Region}:${Account}:internet-gateway/${InternetGatewayId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:InternetGatewayID, ec2:Region, ec2:ResourceTag/${TagKey}

ipam-external-resource-verification-token: arn:${Partition}:ec2::${Account}:ipam-external-resource-verification-token/${IpamExternalResourceVerificationTokenId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:Region, ec2:ResourceTag/${TagKey}

ipam: arn:${Partition}:ec2::${Account}:ipam/${IpamId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:Region, ec2:ResourceTag/${TagKey}

ipam-pool: arn:${Partition}:ec2::${Account}:ipam-pool/${IpamPoolId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:Region, ec2:ResourceTag/${TagKey}

ipam-resource-discovery-association: arn:${Partition}:ec2::${Account}:ipam-resource-discovery-association/${IpamResourceDiscoveryAssociationId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

ipam-resource-discovery: arn:${Partition}:ec2::${Account}:ipam-resource-discovery/${IpamResourceDiscoveryId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

ipam-scope: arn:${Partition}:ec2::${Account}:ipam-scope/${IpamScopeId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:Region, ec2:ResourceTag/${TagKey}

coip-pool: arn:${Partition}:ec2:${Region}:${Account}:coip-pool/${Ipv4PoolCoipId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

ipv4pool-ec2: arn:${Partition}:ec2:${Region}:${Account}:ipv4pool-ec2/${Ipv4PoolEc2Id}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

ipv6pool-ec2: arn:${Partition}:ec2:${Region}:${Account}:ipv6pool-ec2/${Ipv6PoolEc2Id}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

key-pair: arn:${Partition}:ec2:${Region}:${Account}:key-pair/${KeyPairName}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:IsLaunchTemplateResource, ec2:KeyPairName, ec2:KeyPairType, ec2:LaunchTemplate, ec2:Region, ec2:ResourceTag/${TagKey}

launch-template: arn:${Partition}:ec2:${Region}:${Account}:launch-template/${LaunchTemplateId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:IsLaunchTemplateResource, ec2:LaunchTemplate, ec2:ManagedResourceOperator, ec2:Region, ec2:ResourceTag/${TagKey}

license-configuration: arn:${Partition}:license-manager:${Region}:${Account}:license-configuration:${LicenseConfigurationId}
    Condition keys: (none)

local-gateway: arn:${Partition}:ec2:${Region}:${Account}:local-gateway/${LocalGatewayId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

local-gateway-route-table-virtual-interface-group-association: arn:${Partition}:ec2:${Region}:${Account}:local-gateway-route-table-virtual-interface-group-association/${LocalGatewayRouteTableVirtualInterfaceGroupAssociationId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

local-gateway-route-table-vpc-association: arn:${Partition}:ec2:${Region}:${Account}:local-gateway-route-table-vpc-association/${LocalGatewayRouteTableVpcAssociationId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

local-gateway-route-table: arn:${Partition}:ec2:${Region}:${Account}:local-gateway-route-table/${LocalGatewayRoutetableId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

local-gateway-virtual-interface-group: arn:${Partition}:ec2:${Region}:${Account}:local-gateway-virtual-interface-group/${LocalGatewayVirtualInterfaceGroupId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

local-gateway-virtual-interface: arn:${Partition}:ec2:${Region}:${Account}:local-gateway-virtual-interface/${LocalGatewayVirtualInterfaceId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

natgateway: arn:${Partition}:ec2:${Region}:${Account}:natgateway/${NatGatewayId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

network-acl: arn:${Partition}:ec2:${Region}:${Account}:network-acl/${NaclId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:NetworkAclID, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc

network-insights-access-scope-analysis: arn:${Partition}:ec2:${Region}:${Account}:network-insights-access-scope-analysis/${NetworkInsightsAccessScopeAnalysisId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

network-insights-access-scope: arn:${Partition}:ec2:${Region}:${Account}:network-insights-access-scope/${NetworkInsightsAccessScopeId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

network-insights-analysis: arn:${Partition}:ec2:${Region}:${Account}:network-insights-analysis/${NetworkInsightsAnalysisId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

network-insights-path: arn:${Partition}:ec2:${Region}:${Account}:network-insights-path/${NetworkInsightsPathId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

network-interface: arn:${Partition}:ec2:${Region}:${Account}:network-interface/${NetworkInterfaceId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:AssociatePublicIpAddress, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:AuthorizedService, ec2:AuthorizedUser, ec2:AvailabilityZone, ec2:IsLaunchTemplateResource, ec2:LaunchTemplate, ec2:ManagedResourceOperator, ec2:NetworkInterfaceID, ec2:Permission, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc

placement-group: arn:${Partition}:ec2:${Region}:${Account}:placement-group/${PlacementGroupName}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:IsLaunchTemplateResource, ec2:LaunchTemplate, ec2:PlacementGroupName, ec2:PlacementGroupStrategy, ec2:Region, ec2:ResourceTag/${TagKey}

prefix-list: arn:${Partition}:ec2:${Region}:${Account}:prefix-list/${PrefixListId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:Region, ec2:ResourceTag/${TagKey}

replace-root-volume-task: arn:${Partition}:ec2:${Region}:${Account}:replace-root-volume-task/${ReplaceRootVolumeTaskId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

reserved-instances: arn:${Partition}:ec2:${Region}:${Account}:reserved-instances/${ReservationId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:AvailabilityZone, ec2:InstanceType, ec2:Region, ec2:ReservedInstancesOfferingType, ec2:ResourceTag/${TagKey}, ec2:Tenancy

group: arn:${Partition}:resource-groups:${Region}:${Account}:group/${GroupName}
    Condition keys: (none)

role: arn:${Partition}:iam::${Account}:role/${RoleNameWithPath}
    Condition keys: (none)

route-table: arn:${Partition}:ec2:${Region}:${Account}:route-table/${RouteTableId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RouteTableID, ec2:Vpc

security-group: arn:${Partition}:ec2:${Region}:${Account}:security-group/${SecurityGroupId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:IsLaunchTemplateResource, ec2:LaunchTemplate, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID, ec2:Vpc

security-group-rule: arn:${Partition}:ec2:${Region}:${Account}:security-group-rule/${SecurityGroupRuleId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

snapshot: arn:${Partition}:ec2:${Region}::snapshot/${SnapshotId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Add/group, ec2:Add/userId, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:AvailabilityZone, ec2:Encrypted, ec2:IsLaunchTemplateResource, ec2:LaunchTemplate, ec2:Location, ec2:OutpostArn, ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:Remove/group, ec2:Remove/userId, ec2:ResourceTag/${TagKey}, ec2:SnapshotCoolOffPeriod, ec2:SnapshotID, ec2:SnapshotLockDuration, ec2:SnapshotTime, ec2:SourceAvailabilityZone, ec2:SourceOutpostArn, ec2:VolumeSize

spot-fleet-request: arn:${Partition}:ec2:${Region}:${Account}:spot-fleet-request/${SpotFleetRequestId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:Region, ec2:ResourceTag/${TagKey}

spot-instances-request: arn:${Partition}:ec2:${Region}:${Account}:spot-instances-request/${SpotInstanceRequestId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

subnet-cidr-reservation: arn:${Partition}:ec2:${Region}:${Account}:subnet-cidr-reservation/${SubnetCidrReservationId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

subnet: arn:${Partition}:ec2:${Region}:${Account}:subnet/${SubnetId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:AvailabilityZone, ec2:IsLaunchTemplateResource, ec2:LaunchTemplate, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc

traffic-mirror-filter: arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-filter/${TrafficMirrorFilterId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:Region, ec2:ResourceTag/${TagKey}

traffic-mirror-filter-rule: arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-filter-rule/${TrafficMirrorFilterRuleId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:Region

traffic-mirror-session: arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-session/${TrafficMirrorSessionId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:Region, ec2:ResourceTag/${TagKey}

traffic-mirror-target: arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-target/${TrafficMirrorTargetId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

transit-gateway-attachment: arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-attachment/${TransitGatewayAttachmentId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:transitGatewayAttachmentId

transit-gateway-connect-peer: arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-connect-peer/${TransitGatewayConnectPeerId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:transitGatewayConnectPeerId

transit-gateway: arn:${Partition}:ec2:${Region}:${Account}:transit-gateway/${TransitGatewayId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:transitGatewayId

transit-gateway-multicast-domain: arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-multicast-domain/${TransitGatewayMulticastDomainId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:transitGatewayMulticastDomainId

transit-gateway-policy-table: arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-policy-table/${TransitGatewayPolicyTableId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:transitGatewayPolicyTableId

transit-gateway-route-table-announcement: arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-route-table-announcement/${TransitGatewayRouteTableAnnouncementId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:transitGatewayRouteTableAnnouncementId

transit-gateway-route-table: arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-route-table/${TransitGatewayRouteTableId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:transitGatewayRouteTableId

verified-access-endpoint: arn:${Partition}:ec2:${Region}:${Account}:verified-access-endpoint/${VerifiedAccessEndpointId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

verified-access-endpoint-target: arn:${Partition}:ec2:${Region}:${Account}:verified-access-endpoint-target/${VerifiedAccessEndpointTargetId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

verified-access-group: arn:${Partition}:ec2:${Region}:${Account}:verified-access-group/${VerifiedAccessGroupId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

verified-access-instance: arn:${Partition}:ec2:${Region}:${Account}:verified-access-instance/${VerifiedAccessInstanceId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

verified-access-policy: arn:${Partition}:ec2:${Region}:${Account}:verified-access-policy/${VerifiedAccessPolicyId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

verified-access-trust-provider: arn:${Partition}:ec2:${Region}:${Account}:verified-access-trust-provider/${VerifiedAccessTrustProviderId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

volume: arn:${Partition}:ec2:${Region}:${Account}:volume/${VolumeId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:AvailabilityZone, ec2:Encrypted, ec2:IsLaunchTemplateResource, ec2:KmsKeyId, ec2:LaunchTemplate, ec2:ManagedResourceOperator, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:VolumeID, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType

vpc-block-public-access-exclusion: arn:${Partition}:ec2:${Region}:${Account}:vpc-block-public-access-exclusion/${VpcBlockPublicAccessExclusionId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

vpc-endpoint-connection: arn:${Partition}:ec2:${Region}:${Account}:vpc-endpoint-connection/${VpcEndpointConnectionId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

vpc-endpoint: arn:${Partition}:ec2:${Region}:${Account}:vpc-endpoint/${VpcEndpointId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:VpceServiceName, ec2:VpceServiceOwner

vpc-endpoint-service: arn:${Partition}:ec2:${Region}:${Account}:vpc-endpoint-service/${VpcEndpointServiceId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:VpceServicePrivateDnsName, ec2:vpceMultiRegion, ec2:vpceServiceRegion, ec2:vpceSupportedRegion

vpc-endpoint-service-permission: arn:${Partition}:ec2:${Region}:${Account}:vpc-endpoint-service-permission/${VpcEndpointServicePermissionId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

vpc-flow-log: arn:${Partition}:ec2:${Region}:${Account}:vpc-flow-log/${VpcFlowLogId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

vpc: arn:${Partition}:ec2:${Region}:${Account}:vpc/${VpcId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:Ipv4IpamPoolId, ec2:Ipv6IpamPoolId, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID

vpc-peering-connection: arn:${Partition}:ec2:${Region}:${Account}:vpc-peering-connection/${VpcPeeringConnectionId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:AccepterVpc, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:Region, ec2:RequesterVpc, ec2:ResourceTag/${TagKey}, ec2:VpcPeeringConnectionID

vpn-connection-device-type: arn:${Partition}:ec2:${Region}:${Account}:vpn-connection-device-type/${VpnConnectionDeviceTypeId}
    Condition keys: ec2:Region

vpn-connection: arn:${Partition}:ec2:${Region}:${Account}:vpn-connection/${VpnConnectionId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:AuthenticationType, ec2:DPDTimeoutSeconds, ec2:GatewayType, ec2:IKEVersions, ec2:InsideTunnelCidr, ec2:InsideTunnelIpv6Cidr, ec2:Phase1DHGroup, ec2:Phase1EncryptionAlgorithms, ec2:Phase1IntegrityAlgorithms, ec2:Phase1LifetimeSeconds, ec2:Phase2DHGroup, ec2:Phase2EncryptionAlgorithms, ec2:Phase2IntegrityAlgorithms, ec2:Phase2LifetimeSeconds, ec2:Region, ec2:RekeyFuzzPercentage, ec2:RekeyMarginTimeSeconds, ec2:ReplayWindowSizePackets, ec2:ResourceTag/${TagKey}, ec2:RoutingType

vpn-gateway: arn:${Partition}:ec2:${Region}:${Account}:vpn-gateway/${VpnGatewayId}
    Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

Condition keys for Amazon EC2

Amazon EC2 defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access by a tag key and value pair that is allowed in the request String
aws:ResourceTag/${TagKey} Filters access by a tag key and value pair of a resource String
aws:TagKeys Filters access by a list of tag keys that are allowed in the request ArrayOfString
ec2:AccepterVpc Filters access by the ARN of an accepter VPC in a VPC peering connection ARN
ec2:Add/group Filters access by the group being added to a snapshot String
ec2:Add/userId Filters access by the account ID being added to a snapshot String
ec2:AllocationId Filters access by the allocation ID of the Elastic IP address String
ec2:AssociatePublicIpAddress Filters access by whether the user wants to associate a public IP address with the instance Bool
ec2:Attribute Filters access by an attribute of a resource String
ec2:Attribute/${AttributeName} Filters access by an attribute being set on a resource String
ec2:AuthenticationType Filters access by the authentication type for the VPN tunnel endpoints String
ec2:AuthorizedService Filters access by the AWS service that has permission to use a resource String
ec2:AuthorizedUser Filters access by an IAM principal that has permission to use a resource String
ec2:AutoPlacement Filters access by the Auto Placement properties of a Dedicated Host String
ec2:AvailabilityZone Filters access by the name of an Availability Zone in an AWS Region String
ec2:CapacityReservationFleet Filters access by the ARN of the Capacity Reservation Fleet ARN
ec2:ClientRootCertificateChainArn Filters access by the ARN of the client root certificate chain ARN
ec2:CloudwatchLogGroupArn Filters access by the ARN of the CloudWatch Logs log group ARN
ec2:CloudwatchLogStreamArn Filters access by the ARN of the CloudWatch Logs log stream ARN
ec2:CpuOptionsAmdSevSnp Filters access by the state of AMD SEV-SNP CPU Options. Currently, only US East (Ohio) and Europe (Ireland) are supported String
ec2:CreateAction Filters access by the name of a resource-creating API action String
ec2:CreateDate Filters access by the date and time at which the Capacity Reservation was created Date
ec2:DPDTimeoutSeconds Filters access by the duration after which DPD timeout occurs on a VPN tunnel Numeric
ec2:DestinationCapacityReservationId Filters access by the ID of the Capacity Reservation that you want to move capacity into ARN
ec2:DhcpOptionsID Filters access by the ID of a dynamic host configuration protocol (DHCP) options set String
ec2:DirectoryArn Filters access by the ARN of the directory ARN
ec2:Domain Filters access by the domain of the Elastic IP address String
ec2:EbsOptimized Filters access by whether the instance is enabled for EBS optimization Bool
ec2:ElasticGpuType Filters access by the type of Elastic Graphics accelerator String
ec2:Encrypted Filters access by whether the EBS volume is encrypted Bool
ec2:EndDate Filters access by the date and time at which the Capacity Reservation ends Date
ec2:EndDateType Filters access by the way in which the Capacity Reservation ends String
ec2:FisActionId Filters access by the ID of an AWS FIS action String
ec2:FisTargetArns Filters access by the ARN of an AWS FIS target ArrayOfARN
ec2:GatewayType Filters access by the gateway type for a VPN endpoint on the AWS side of a VPN connection String
ec2:HostRecovery Filters access by whether host recovery is enabled for a Dedicated Host String
ec2:IKEVersions Filters access by the internet key exchange (IKE) versions that are permitted for a VPN tunnel ArrayOfString
ec2:ImageID Filters access by the ID of an image String
ec2:ImageType Filters access by the type of image (machine, aki, or ari) String
ec2:InsideTunnelCidr Filters access by the range of inside IP addresses for a VPN tunnel String
ec2:InsideTunnelIpv6Cidr Filters access by a range of inside IPv6 addresses for a VPN tunnel String
ec2:InstanceAutoRecovery Filters access by whether the instance type supports auto recovery String
ec2:InstanceCount Filters access by the number of instances Numeric
ec2:InstanceID Filters access by the ID of an instance String
ec2:InstanceMarketType Filters access by the market or purchasing option of an instance (capacity-block, on-demand, or spot) String
ec2:InstanceMatchCriteria Filters access by the type of instance launches that the Capacity Reservation accepts String
ec2:InstanceMetadataTags Filters access by whether the instance allows access to instance tags from the instance metadata String
ec2:InstancePlatform Filters access by the type of operating system for which the Capacity Reservation reserves capacity ARN
ec2:InstanceProfile Filters access by the ARN of an instance profile ARN
ec2:InstanceType Filters access by the type of instance String
ec2:InternetGatewayID Filters access by the ID of an internet gateway String
ec2:Ipv4IpamPoolId Filters access by the ID of an IPAM pool provided for IPv4 CIDR block allocation String
ec2:Ipv6IpamPoolId Filters access by the ID of an IPAM pool provided for IPv6 CIDR block allocation String
ec2:IsLaunchTemplateResource Filters access by whether users are able to override resources that are specified in the launch template Bool
ec2:KeyPairName Filters access by the name of a key pair String
ec2:KeyPairType Filters access by the type of a key pair String
ec2:KmsKeyId Filters access by the ID of an AWS KMS key provided in the request String
ec2:LaunchTemplate Filters access by the ARN of a launch template ARN
ec2:Location Filters access by the destination for the snapshot copy String
ec2:ManagedResourceOperator Filters access by the presence of an EC2 operator provisioning a managed resource String
ec2:MetadataHttpEndpoint Filters access by whether the HTTP endpoint is enabled for the instance metadata service String
ec2:MetadataHttpPutResponseHopLimit Filters access by the allowed number of hops when calling the instance metadata service Numeric
ec2:MetadataHttpTokens Filters access by whether tokens are required when calling the instance metadata service (optional or required) String
ec2:NetworkAclID Filters access by the ID of a network access control list (ACL) String
ec2:NetworkInterfaceID Filters access by the ID of an elastic network interface String
ec2:NewInstanceProfile Filters access by the ARN of the instance profile being attached ARN
ec2:OutpostArn Filters access by the ARN of the Outpost ARN
ec2:Owner Filters access by the owner of the resource (amazon, aws-marketplace, or an AWS account ID) String
ec2:ParentSnapshot Filters access by the ARN of the parent snapshot ARN
ec2:ParentVolume Filters access by the ARN of the parent volume from which the snapshot was created ARN
ec2:Permission Filters access by the type of permission for a resource (INSTANCE-ATTACH or EIP-ASSOCIATE) String
ec2:Phase1DHGroup Filters access by the Diffie-Hellman group numbers that are permitted for a VPN tunnel for the phase 1 IKE negotiations ArrayOfString
ec2:Phase1EncryptionAlgorithms Filters access by the encryption algorithms that are permitted for a VPN tunnel for the phase 1 IKE negotiations ArrayOfString
ec2:Phase1IntegrityAlgorithms Filters access by the integrity algorithms that are permitted for a VPN tunnel for the phase 1 IKE negotiations ArrayOfString
ec2:Phase1LifetimeSeconds Filters access by the lifetime in seconds for phase 1 of the IKE negotiations for a VPN tunnel Numeric
ec2:Phase2DHGroup Filters access by the Diffie-Hellman group numbers that are permitted for a VPN tunnel for the phase 2 IKE negotiations ArrayOfString
ec2:Phase2EncryptionAlgorithms Filters access by the encryption algorithms that are permitted for a VPN tunnel for the phase 2 IKE negotiations ArrayOfString
ec2:Phase2IntegrityAlgorithms Filters access by the integrity algorithms that are permitted for a VPN tunnel for the phase 2 IKE negotiations ArrayOfString
ec2:Phase2LifetimeSeconds Filters access by the lifetime in seconds for phase 2 of the IKE negotiations for a VPN tunnel Numeric
ec2:PlacementGroup Filters access by the ARN of the placement group ARN
ec2:PlacementGroupName Filters access by the name of a placement group String
ec2:PlacementGroupStrategy Filters access by the instance placement strategy used by the placement group (cluster, spread, or partition) String
ec2:ProductCode Filters access by the product code that is associated with the AMI String
ec2:Public Filters access by whether the image has public launch permissions Bool
ec2:PublicIpAddress Filters access by a public IP address String
ec2:Quantity Filters access by the number of Dedicated Hosts in a request Numeric
ec2:Region Filters access by the name of the AWS Region String
ec2:RekeyFuzzPercentage Filters access by the percentage of increase of the rekey window (determined by the rekey margin time) within which the rekey time is randomly selected for a VPN tunnel Numeric
ec2:RekeyMarginTimeSeconds Filters access by the margin time before the phase 2 lifetime expires for a VPN tunnel Numeric
ec2:Remove/group Filters access by the group being removed from a snapshot String
ec2:Remove/userId Filters access by the account ID being removed from a snapshot String
ec2:ReplayWindowSizePackets Filters access by the number of packets in an IKE replay window String
ec2:RequesterVpc Filters access by the ARN of a requester VPC in a VPC peering connection ARN
ec2:ReservedInstancesOfferingType Filters access by the payment option of the Reserved Instance offering (No Upfront, Partial Upfront, or All Upfront) String
ec2:ResourceTag/${TagKey} Filters access by a tag key and value pair of a resource String
ec2:RoleDelivery Filters access by the version of the instance metadata service for retrieving IAM role credentials for EC2 Numeric
ec2:RootDeviceType Filters access by the root device type of the instance (ebs or instance-store) String
ec2:RouteTableID Filters access by the ID of a route table String
ec2:RoutingType Filters access by the routing type for the VPN connection String
ec2:SamlProviderArn Filters access by the ARN of the IAM SAML identity provider ARN
ec2:SecurityGroupID Filters access by the ID of a security group String
ec2:ServerCertificateArn Filters access by the ARN of the server certificate ARN
ec2:SnapshotCoolOffPeriod Filters access by the compliance mode cooling-off period Numeric
ec2:SnapshotID Filters access by the ID of a snapshot String
ec2:SnapshotLockDuration Filters access by the snapshot lock duration Numeric
ec2:SnapshotTime Filters access by the initiation time of a snapshot String
ec2:SourceAvailabilityZone Filters access by the name of the Availability Zone from which the request originated String
ec2:SourceCapacityReservationId Filters access by the ID of the Capacity Reservation from which you want to move capacity ARN
ec2:SourceInstanceARN Filters access by the ARN of the instance from which the request originated ARN
ec2:SourceOutpostArn Filters access by the ARN of the Outpost from which the request originated ARN
ec2:Subnet Filters access by the ARN of the subnet ARN
ec2:SubnetID Filters access by the ID of a subnet String
ec2:Tenancy Filters access by the tenancy of the VPC or instance (default, dedicated, or host) String
ec2:VolumeID Filters access by the ID of a volume String
ec2:VolumeIops Filters access by the number of input/output operations per second (IOPS) provisioned for the volume Numeric
ec2:VolumeSize Filters access by the size of the volume, in GiB Numeric
ec2:VolumeThroughput Filters access by the throughput of the volume, in MiBps Numeric
ec2:VolumeType Filters access by the type of volume (gp2, gp3, io1, io2, st1, sc1, or standard) String
ec2:Vpc Filters access by the ARN of the VPC ARN
ec2:VpcID Filters access by the ID of a virtual private cloud (VPC) String
ec2:VpcPeeringConnectionID Filters access by the ID of a VPC peering connection String
ec2:VpceServiceName Filters access by the name of the VPC endpoint service String
ec2:VpceServiceOwner Filters access by the service owner of the VPC endpoint service (amazon, aws-marketplace, or an AWS account ID) String
ec2:VpceServicePrivateDnsName Filters access by the private DNS name of the VPC endpoint service String
ec2:transitGatewayAttachmentId Filters access by the ID of a transit gateway attachment String
ec2:transitGatewayConnectPeerId Filters access by the ID of a transit gateway connect peer String
ec2:transitGatewayId Filters access by the ID of a transit gateway String
ec2:transitGatewayMulticastDomainId Filters access by the ID of a transit gateway multicast domain String
ec2:transitGatewayPolicyTableId Filters access by the ID of a transit gateway policy table String
ec2:transitGatewayRouteTableAnnouncementId Filters access by the ID of a transit gateway route table announcement String
ec2:transitGatewayRouteTableId Filters access by the ID of a transit gateway route table String
ec2:vpceMultiRegion Filters access by the multi-Region setting of the VPC endpoint service String
ec2:vpceServiceRegion Filters access by the region of the VPC endpoint service String
ec2:vpceSupportedRegion Filters access by the supported region of the VPC endpoint service String
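The resource-type entries above list which of these keys each EC2 resource carries, and the table describes what each key filters on; neither says how the keys behave once they sit in a policy's Condition element. As an added example (not AWS code and not part of this page), the following Python script defines a policy that uses ec2:MetadataHttpTokens, ec2:Encrypted and ec2:Phase1EncryptionAlgorithms and evaluates it offline against constructed request contexts with a deliberately small model of IAM's evaluation rules. The policy, the account and Region in the ARNs, the request contexts and the evaluator itself are assumptions for illustration; real IAM evaluates ec2:RunInstances against several resource types at once and supports many more operators. The point it shows is how a missing key interacts with each operator: a negated operator such as StringNotEquals matches when the key is absent, Bool does not, and ForAllValues is vacuously true on an empty set unless it is paired with a Null check.

```python
"""Offline evaluation of EC2 condition keys with a small model of IAM.

Added example, not AWS code. Models Allow/Deny precedence, ARN wildcards
and the operators StringEquals, StringNotEquals, Bool, Null and
ForAllValues/ForAnyValue:StringEquals. Everything else is out of scope.
"""
import fnmatch
import json

# Assumed example policy; every condition key used is in the table above.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BaseAllow", "Effect": "Allow",
         "Action": ["ec2:RunInstances", "ec2:CreateVolume"], "Resource": "*"},
        # Negated operator: matches (and so denies) when the key is absent
        # as well as when it is present with a value other than "required".
        {"Sid": "RequireIMDSv2", "Effect": "Deny", "Action": "ec2:RunInstances",
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringNotEquals": {"ec2:MetadataHttpTokens": "required"}}},
        # Bool on a missing key is false: this Deny only fires when the
        # request context actually carries ec2:Encrypted = false.
        {"Sid": "DenyUnencryptedVolumes", "Effect": "Deny", "Action": "ec2:CreateVolume",
         "Resource": "arn:aws:ec2:*:*:volume/*",
         "Condition": {"Bool": {"ec2:Encrypted": "false"}}},
        # ForAllValues is vacuously true for an empty or missing key; the
        # Null check is what stops an unqualified request from being allowed.
        {"Sid": "AllowOnlyGcmPhase1", "Effect": "Allow", "Action": "ec2:CreateVpnConnection",
         "Resource": "arn:aws:ec2:*:*:vpn-connection/*",
         "Condition": {
             "ForAllValues:StringEquals": {"ec2:Phase1EncryptionAlgorithms": ["AES256-GCM-16"]},
             "Null": {"ec2:Phase1EncryptionAlgorithms": "false"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_true(operator, key, policy_values, ctx):
    """Evaluate one operator/key pair against the request context dict."""
    wanted = [str(v) for v in _as_list(policy_values)]
    present = key in ctx
    actual = [str(v) for v in _as_list(ctx[key])] if present else []
    if operator == "Null":                     # "true" asserts the key is absent
        return (not present) == (wanted[0].lower() == "true")
    if operator == "StringEquals":
        return present and actual[0] in wanted
    if operator == "StringNotEquals":          # true when the key is missing
        return (not present) or actual[0] not in wanted
    if operator == "Bool":
        return present and actual[0].lower() == wanted[0].lower()
    if operator == "ForAllValues:StringEquals":
        return all(v in wanted for v in actual)  # all([]) is True
    if operator == "ForAnyValue:StringEquals":
        return any(v in wanted for v in actual)
    raise ValueError(f"operator not modelled: {operator}")


def _statement_matches(stmt, action, resource, ctx):
    if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource", "*"))):
        return False
    return all(_condition_true(op, key, vals, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, vals in pairs.items())


def evaluate(policy, action, resource, ctx):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"          # an explicit Deny always wins
            decision = "Allow"
    return decision


# Assumed account and Region; RunInstances-style wildcard resource IDs.
INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/*"
VOLUME = "arn:aws:ec2:us-east-1:123456789012:volume/*"
VPN = "arn:aws:ec2:us-east-1:123456789012:vpn-connection/*"

# Constructed request contexts standing in for what EC2 would populate.
SCENARIOS = {
    "launch_imdsv2":      ("ec2:RunInstances", INSTANCE, {"ec2:MetadataHttpTokens": "required"}),
    "launch_imdsv1":      ("ec2:RunInstances", INSTANCE, {"ec2:MetadataHttpTokens": "optional"}),
    "launch_no_metadata": ("ec2:RunInstances", INSTANCE, {}),
    "volume_encrypted":   ("ec2:CreateVolume", VOLUME, {"ec2:Encrypted": "true"}),
    "volume_plaintext":   ("ec2:CreateVolume", VOLUME, {"ec2:Encrypted": "false"}),
    "vpn_gcm_only":       ("ec2:CreateVpnConnection", VPN,
                           {"ec2:Phase1EncryptionAlgorithms": ["AES256-GCM-16"]}),
    "vpn_mixed":          ("ec2:CreateVpnConnection", VPN,
                           {"ec2:Phase1EncryptionAlgorithms": ["AES256-GCM-16", "AES128"]}),
    "vpn_unspecified":    ("ec2:CreateVpnConnection", VPN, {}),
}


def run_scenarios(policy=POLICY):
    """Decision for every constructed scenario, keyed by scenario name."""
    return {name: evaluate(policy, *args) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    print(json.dumps(run_scenarios(), indent=2))
```

Running the script prints the decision per scenario: both the IMDSv1 launch and the launch that never mentions metadata options are explicitly denied, an unencrypted volume is denied while an encrypted one is allowed, and a VPN connection is allowed only when the phase 1 algorithm list is present and contains nothing but AES256-GCM-16. Dropping the Null statement from AllowOnlyGcmPhase1 turns vpn_unspecified into Allow, which is the ForAllValues pitfall the comment warns about. For a real policy, confirm the same cases with the IAM policy simulator (the SimulatePrincipalPolicy API) rather than with this model.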
© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.