Amazon EC2 (service prefix: `ec2`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:

- Learn how to configure this service.
- View a list of the API operations available for this service.
- Learn how to secure this service and its resources by using IAM permission policies.
You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The `Resource` column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources (`"*"`) in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.
For details about the columns in the following table, see The Actions Table.
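The three rules above (an action with no resource type needs `Resource` `"*"`, a dependent action must be granted alongside the action that needs it, and wildcards can silently include Permissions management actions) are easy to check mechanically. The following Python is an added example, not AWS documentation or AWS-provided code: it lints a policy document against a small subset of the table rows from this page (the subset, the sample policy, the ARN and the account ID are constructed for the example).

```python
"""Lint IAM policy statements against the rules the EC2 actions table states.

Added example, not AWS code. The action table below is a constructed subset
of the rows on this page; the sample policy at the bottom is constructed too.
"""
import fnmatch
import json

# action -> (access level, resource types, dependent actions), taken from the
# page's rows. Every row shown leaves the resource-type column empty, which
# per the page means the statement must use Resource "*".
EC2_ACTION_TABLE = {
    "ec2:AssociateIamInstanceProfile": ("Write", (), ("iam:PassRole",)),
    "ec2:CreateVpcEndpoint": ("Write", (), ("route53:AssociateVPCWithHostedZone",)),
    "ec2:CreateNetworkInterfacePermission": ("Permissions management", (), ()),
    "ec2:DeleteNetworkInterfacePermission": ("Permissions management", (), ()),
    "ec2:ModifySnapshotAttribute": ("Permissions management", (), ()),
    "ec2:ModifyInstanceAttribute": ("Write", (), ()),
    "ec2:DescribeInstances": ("List", (), ()),
    "ec2:CreateTags": ("Tagging", (), ()),
}


def _as_list(value):
    """Action, Resource and Statement may be a single value or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _granted(patterns, action):
    """True if any Action entry (possibly a wildcard such as ec2:Modify*)
    covers the action. IAM matches action names case-insensitively."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def lint_statement(index, stmt, table=EC2_ACTION_TABLE):
    """Return (statement index, message) findings for one Allow statement."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    declared = _as_list(stmt.get("Action"))
    literal = {p.lower() for p in declared}
    resources = _as_list(stmt.get("Resource"))
    for action, (level, resource_types, dependent) in table.items():
        if not _granted(declared, action):
            continue
        # Rule 1: no resource type in the table -> Resource must be "*".
        if not resource_types and resources != ["*"]:
            findings.append((index, f'{action}: no resource-level support, '
                                    f'Resource must be "*" (got {resources})'))
        # Rule 2: dependent actions must be granted too, or the call fails.
        for dep in dependent:
            if not _granted(declared, dep):
                findings.append((index, f"{action}: dependent action {dep} is not granted"))
        # Rule 3: a wildcard that pulls in a Permissions management action
        # deserves review, because the action name never appears in the policy.
        if level == "Permissions management" and action.lower() not in literal:
            findings.append((index, f"{action}: Permissions management action granted via wildcard"))
    return findings


def lint_policy(policy, table=EC2_ACTION_TABLE):
    """Lint every statement of a parsed policy document."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        findings.extend(lint_statement(i, stmt, table))
    return findings


# Constructed sample policy; the account ID is the usual documentation placeholder.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": "ec2:AssociateIamInstanceProfile",
     "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"},
    {"Effect": "Allow",
     "Action": ["ec2:Modify*", "ec2:Describe*"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["ec2:CreateVpcEndpoint", "route53:AssociateVPCWithHostedZone"],
     "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    for index, message in lint_policy(SAMPLE_POLICY):
        print(f"statement[{index}]: {message}")
```

Run as a script, it reports three findings: the first statement scopes `ec2:AssociateIamInstanceProfile` to an instance ARN although the table lists no resource type, and it omits the dependent `iam:PassRole`; the second statement's `ec2:Modify*` wildcard silently grants `ec2:ModifySnapshotAttribute`, a Permissions management action. The third statement is clean because it grants `route53:AssociateVPCWithHostedZone` next to `ec2:CreateVpcEndpoint`. To lint a real policy, load the full table from the page and pass the parsed JSON to `lint_policy`.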
Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
---|---|---|---|---|---|
AcceptReservedInstancesExchangeQuote | Accepts the Convertible Reserved Instance exchange quote described in the GetReservedInstancesExchangeQuote call. | Write | |||
AcceptTransitGatewayVpcAttachment | Accepts a request to attach a VPC to a transit gateway | Write | |||
AcceptVpcEndpointConnections | Accepts one or more interface VPC endpoint connection requests to your VPC endpoint service. | Write | |||
AcceptVpcPeeringConnection | Accept a VPC peering connection request. | Write | |||
AdvertiseByoipCidr | Advertises an IPv4 address range that is provisioned for use with your AWS resources through bring your own IP addresses (BYOIP) | Write | |||
AllocateAddress | Acquires an Elastic IP address. | Write | |||
AllocateHosts | Allocates a Dedicated Host to your account. | Write | |||
ApplySecurityGroupsToClientVpnTargetNetwork | Applies a security group to the association between the target network and the Client VPN endpoint. | Write | |||
AssignIpv6Addresses | Assigns one or more IPv6 addresses to the specified network interface. | Write | |||
AssignPrivateIpAddresses | Assigns one or more secondary private IP addresses to the specified network interface. | Write | |||
AssociateAddress | Associates an Elastic IP address with an instance or a network interface. | Write | |||
AssociateClientVpnTargetNetwork | Associates a target network with a Client VPN endpoint. | Write | |||
AssociateDhcpOptions | Associates a set of DHCP options (that you've previously created) with the specified VPC, or associates no DHCP options with the VPC. | Write | |||
AssociateIamInstanceProfile | Associates an IAM instance profile with a running or stopped instance. | Write | | | iam:PassRole |
AssociateRouteTable | Associates a subnet with a route table. | Write | |||
AssociateSubnetCidrBlock | Associates a CIDR block with your subnet. | Write | |||
AssociateTransitGatewayRouteTable | Associates the specified attachment with the specified transit gateway route table | Write | |||
AssociateVpcCidrBlock | Associates a CIDR block with your VPC. | Write | |||
AttachClassicLinkVpc | Links an EC2-Classic instance to a ClassicLink-enabled VPC through one or more of the VPC's security groups. | Write | |||
AttachInternetGateway | Attaches an Internet gateway to a VPC, enabling connectivity between the Internet and the VPC. | Write | |||
AttachNetworkInterface | Attaches a network interface to an instance. | Write | |||
AttachVolume | Attaches an EBS volume to a running or stopped instance and exposes it to the instance with the specified device name. | Write | |||
AttachVpnGateway | Attaches a virtual private gateway to a VPC. | Write | |||
AuthorizeClientVpnIngress | Adds an ingress authorization rule to a Client VPN endpoint. | Write | |||
AuthorizeSecurityGroupEgress | [EC2-VPC only] Adds one or more egress rules to a security group for use with a VPC. | Write | |||
AuthorizeSecurityGroupIngress | Adds one or more ingress rules to a security group. | Write | |||
BundleInstance | Bundles an Amazon instance store-backed Windows instance. | Write | |||
CancelBundleTask | Cancels a bundling operation for an instance store-backed Windows instance. | Write | |||
CancelCapacityReservation | Cancels the specified Capacity Reservation, releases the reserved capacity, and changes the Capacity Reservation's state to cancelled. | Write | |||
CancelConversionTask | Cancels an active conversion task. | Write | |||
CancelExportTask | Cancels an active export task. | Write | |||
CancelImportTask | Cancels an in-process import virtual machine or import snapshot task. | Write | |||
CancelReservedInstancesListing | Cancels the specified Reserved Instance listing in the Reserved Instance Marketplace. | Write | |||
CancelSpotFleetRequests | Cancels the specified Spot fleet requests. | Write | |||
CancelSpotInstanceRequests | Cancels one or more Spot instance requests. | Write | |||
ConfirmProductInstance | Determines whether a product code is associated with an instance. | Write | |||
CopyFpgaImage | Initiates the copy of an Amazon FPGA Image (AFI) from the specified source region to the current region. | Write | |||
CopyImage | Initiates the copy of an AMI from the specified source region to the current region. | Write | |||
CopySnapshot | Copies a point-in-time snapshot of an EBS volume and stores it in Amazon S3. | Write | |||
CreateCapacityReservation | Creates a new Capacity Reservation with the specified attributes. | Write | |||
CreateClientVpnEndpoint | Creates a Client VPN endpoint. | Write | |||
CreateClientVpnRoute | Adds a route to a network to a Client VPN endpoint. | Write | |||
CreateCustomerGateway | Provides information to AWS about your VPN customer gateway device. | Write | |||
CreateDefaultSubnet | Creates a default subnet with a size /20 IPv4 CIDR block in the specified Availability Zone in your default VPC. | Write | |||
CreateDefaultVpc | Creates a default VPC with a size /16 IPv4 CIDR block and a default subnet in each Availability Zone. | Write | |||
CreateDhcpOptions | Creates a set of DHCP options for your VPC. | Write | |||
CreateEgressOnlyInternetGateway | Creates an egress-only Internet gateway for your VPC. | Write | |||
CreateFleet | Launches an EC2 Fleet. | Write | |||
CreateFlowLogs | Creates one or more flow logs to capture IP traffic for a specific network interface, subnet, or VPC. | Write | |||
CreateFpgaImage | Creates an Amazon FPGA Image (AFI) from the specified design checkpoint (DCP). | Write | |||
CreateImage | Creates an Amazon EBS-backed AMI from an Amazon EBS-backed instance that is either running or stopped. | Write | |||
CreateInstanceExportTask | Exports a running or stopped instance to an S3 bucket. | Write | |||
CreateInternetGateway | Creates an Internet gateway for use with a VPC. | Write | |||
CreateKeyPair | Creates a 2048-bit RSA key pair with the specified name. | Write | |||
CreateLaunchTemplate | Creates a new launch template. | Write | |||
CreateLaunchTemplateVersion | Creates a new version for the specified launch template. | Write | |||
CreateNatGateway | Creates a NAT gateway in the specified subnet. | Write | |||
CreateNetworkAcl | Creates a network ACL in a VPC. | Write | |||
CreateNetworkAclEntry | Creates an entry (a rule) in a network ACL with the specified rule number. | Write | |||
CreateNetworkInterface | Creates a network interface in the specified subnet. | Write | |||
CreateNetworkInterfacePermission | Creates a permission for a network interface that grants certain operations to another authorized user. | Permissions management | |||
CreatePlacementGroup | Creates a placement group that you launch cluster instances into. | Write | |||
CreateReservedInstancesListing | Creates a listing for Amazon EC2 Standard Reserved Instances to be sold in the Reserved Instance Marketplace. | Write | |||
CreateRoute | Creates a route in a route table within a VPC. | Write | |||
CreateRouteTable | Creates a route table for the specified VPC. | Write | |||
CreateSecurityGroup | Creates a security group. | Write | |||
CreateSnapshot | Creates a snapshot of an EBS volume and stores it in Amazon S3. | Write | |||
CreateSnapshots | Creates snapshots of the EBS volumes attached to an EC2 instance and stores them in Amazon S3. | Write | |||
CreateSpotDatafeedSubscription | Creates a data feed for Spot instances, enabling you to view Spot instance usage logs. You can create one data feed per AWS account. | Write | |||
CreateSubnet | Creates a subnet in an existing VPC. | Write | |||
CreateTags | Adds or overwrites one or more tags for the specified Amazon EC2 resource or resources. | Tagging | |||
CreateTrafficMirrorFilter | Creates a Traffic Mirror filter. | Write | |||
CreateTrafficMirrorFilterRule | Creates a Traffic Mirror filter rule. | Write | |||
CreateTrafficMirrorSession | Creates a Traffic Mirror session. | Write | |||
CreateTrafficMirrorTarget | Creates a Traffic Mirror target. | Write | |||
CreateTransitGateway | Creates a transit gateway. | Write | |||
CreateTransitGatewayRoute | Creates a static route for the specified transit gateway route table. | Write | |||
CreateTransitGatewayRouteTable | Creates a route table for the specified transit gateway. | Write | |||
CreateTransitGatewayVpcAttachment | Attaches the specified VPC to the specified transit gateway. | Write | |||
CreateVolume | Creates an EBS volume that can be attached to an instance in the same Availability Zone. | Write | |||
CreateVpc | Creates a VPC with the specified CIDR block. | Write | |||
CreateVpcEndpoint | Creates a VPC endpoint for a specified AWS service. | Write | | | route53:AssociateVPCWithHostedZone |
CreateVpcEndpointConnectionNotification | Creates a connection notification for a specified VPC endpoint or VPC endpoint service. | Write | |||
CreateVpcEndpointServiceConfiguration | Creates a VPC endpoint service configuration to which service consumers (AWS accounts, IAM users, and IAM roles) can connect. | Write | |||
CreateVpcPeeringConnection | Requests a VPC peering connection between two VPCs: a requester VPC that you own and a peer VPC with which to create the connection. | Write | |||
CreateVpnConnection | Creates a VPN connection between an existing virtual private gateway and a VPN customer gateway. | Write | | ec2:Phase1EncryptionAlgorithms | |
CreateVpnConnectionRoute | Creates a static route associated with a VPN connection between an existing virtual private gateway and a VPN customer gateway. | Write | |||
CreateVpnGateway | Creates a virtual private gateway. | Write | |||
DeleteClientVpnEndpoint | Deletes the specified Client VPN endpoint. | Write | |||
DeleteClientVpnRoute | Deletes a route from a Client VPN endpoint. | Write | |||
DeleteCustomerGateway | Deletes the specified customer gateway. | Write | |||
DeleteDhcpOptions | Deletes the specified set of DHCP options. | Write | |||
DeleteEgressOnlyInternetGateway | Deletes the specified egress-only Internet gateway. | Write | |||
DeleteFleets | Deletes the specified EC2 Fleet. | Write | |||
DeleteFlowLogs | Deletes one or more flow logs. | Write | |||
DeleteFpgaImage | Deletes the specified Amazon FPGA Image (AFI). | Write | |||
DeleteInternetGateway | Deletes the specified Internet gateway. | Write | |||
DeleteKeyPair | Deletes the specified key pair, by removing the public key from Amazon EC2. | Write | |||
DeleteLaunchTemplate | Deletes the specified launch template and all associated versions. | Write | |||
DeleteLaunchTemplateVersions | Deletes the specified versions for the specified launch template. | Write | |||
DeleteNatGateway | Deletes the specified NAT gateway. | Write | |||
DeleteNetworkAcl | Deletes the specified network ACL. | Write | |||
DeleteNetworkAclEntry | Deletes the specified ingress or egress entry (rule) from the specified network ACL. | Write | |||
DeleteNetworkInterface | Deletes the specified network interface. You must detach the network interface before you can delete it. | Write | |||
DeleteNetworkInterfacePermission | Deletes a permission associated with a network interface. | Permissions management | |||
DeletePlacementGroup | Deletes the specified placement group. | Write | |||
DeleteRoute | Deletes the specified route from the specified route table. | Write | |||
DeleteRouteTable | Deletes the specified route table. | Write | |||
DeleteSecurityGroup | Deletes a security group. | Write | |||
DeleteSnapshot | Deletes the specified snapshot. | Write | |||
DeleteSpotDatafeedSubscription | Deletes the data feed for Spot instances. | Write | |||
DeleteSubnet | Deletes the specified subnet. | Write | |||
DeleteTags | Deletes the specified set of tags from the specified set of resources. | Tagging | |||
DeleteTrafficMirrorFilter | Deletes the specified Traffic Mirror filter. | Write | |||
DeleteTrafficMirrorFilterRule | Deletes the specified Traffic Mirror rule. | Write | |||
DeleteTrafficMirrorSession | Deletes the specified Traffic Mirror session. | Write | |||
DeleteTrafficMirrorTarget | Deletes the specified Traffic Mirror target. | Write | |||
DeleteTransitGateway | Deletes the specified transit gateway. | Write | |||
DeleteTransitGatewayRoute | Deletes the specified route from the specified transit gateway route table. | Write | |||
DeleteTransitGatewayRouteTable | Deletes the specified transit gateway route table. | Write | |||
DeleteTransitGatewayVpcAttachment | Deletes the specified VPC attachment. | Write | |||
DeleteVolume | Deletes the specified EBS volume. | Write | |||
DeleteVpc | Deletes the specified VPC. You must detach or delete all gateways and resources that are associated with the VPC before you can delete it. | Write | |||
DeleteVpcEndpointConnectionNotifications | Deletes one or more VPC endpoint connection notifications. | Write | |||
DeleteVpcEndpointServiceConfigurations | Deletes one or more VPC endpoint service configurations in your account. | Write | |||
DeleteVpcEndpoints | Deletes one or more specified VPC endpoints. | Write | |||
DeleteVpcPeeringConnection | Deletes a VPC peering connection. | Write | |||
DeleteVpnConnection | Deletes the specified VPN connection. | Write | |||
DeleteVpnConnectionRoute | Deletes the specified static route associated with a VPN connection between an existing virtual private gateway and a VPN customer gateway. | Write | |||
DeleteVpnGateway | Deletes the specified virtual private gateway. | Write | |||
DeprovisionByoipCidr | Releases the specified address range that you provisioned for use with your AWS resources through bring your own IP addresses (BYOIP) and deletes the corresponding address pool. | Write | |||
DeregisterImage | Deregisters the specified AMI. | Write | |||
DescribeAccountAttributes | Describes attributes of your AWS account. | List | |||
DescribeAddresses | Describes one or more of your Elastic IP addresses. | List | |||
DescribeAggregateIdFormat | Describes the longer ID format settings for all resource types in a specific region. | List | |||
DescribeAvailabilityZones | Describes one or more of the Availability Zones that are available to you. | List | |||
DescribeBundleTasks | Describes one or more of your bundling tasks. | List | |||
DescribeByoipCidrs | Describes the IP address ranges that were specified in calls to ProvisionByoipCidr. | List | |||
DescribeCapacityReservations | Describes one or more of your Capacity Reservations. | List | |||
DescribeClassicLinkInstances | Describes one or more of your linked EC2-Classic instances. | List | |||
DescribeClientVpnAuthorizationRules | Describes the authorization rules for a specified Client VPN endpoint. | List | |||
DescribeClientVpnConnections | Describes active client connections and connections that have been terminated within the last 60 minutes for the specified Client VPN endpoint. | List | |||
DescribeClientVpnEndpoints | Describes one or more Client VPN endpoints in the account. | List | |||
DescribeClientVpnRoutes | Describes the routes for the specified Client VPN endpoint. | List | |||
DescribeClientVpnTargetNetworks | Describes the target networks associated with the specified Client VPN endpoint. | List | |||
DescribeConversionTasks | Describes one or more of your conversion tasks. | List | |||
DescribeCustomerGateways | Describes one or more of your VPN customer gateways. | List | |||
DescribeDhcpOptions | Describes one or more of your DHCP options sets. | List | |||
DescribeEgressOnlyInternetGateways | Describes one or more of your egress-only Internet gateways. | List | |||
DescribeElasticGpus | Describes the Elastic GPUs associated with your instances. | Read | |||
DescribeExportImageTasks | Describes the specified export image tasks or all your export image tasks. | List | |||
DescribeExportTasks | Describes one or more of your export tasks. | List | |||
DescribeFastSnapshotRestores | Describes the state of fast snapshot restores for your snapshots | Read | |||
DescribeFleetHistory | Describes the events for the specified EC2 Fleet during the specified time. | List | |||
DescribeFleetInstances | Describes the running instances for the specified EC2 Fleet. | List | |||
DescribeFleets | Describes one or more of your EC2 Fleets. | List | |||
DescribeFlowLogs | Describes one or more flow logs. | List | |||
DescribeFpgaImageAttribute | Describes the specified attribute of the specified Amazon FPGA Images (AFI). | List | |||
DescribeFpgaImages | Describes one or more of the Amazon FPGA Images (AFIs) available to you. | List | |||
DescribeHostReservationOfferings | Describes the Dedicated Host Reservations that are available to purchase. | List | |||
DescribeHostReservations | Describes Dedicated Host Reservations which are associated with Dedicated Hosts in your account. | List | |||
DescribeHosts | Describes one or more of your Dedicated Hosts. | List | |||
DescribeIamInstanceProfileAssociations | Describes your IAM instance profile associations. | List | |||
DescribeIdFormat | Describes the ID format settings for your resources on a per-region basis, for example, to view which resource types are enabled for longer IDs. | List | |||
DescribeIdentityIdFormat | Describes the ID format settings for resources for the specified IAM user, IAM role, or root user. | List | |||
DescribeImageAttribute | Describes the specified attribute of the specified AMI. | List | |||
DescribeImages | Describes one or more of the images (AMIs, AKIs, and ARIs) available to you. | List | |||
DescribeImportImageTasks | Describes the import virtual machine or import snapshot tasks that have already been created. | List | |||
DescribeImportSnapshotTasks | Describes your import snapshot tasks. | List | |||
DescribeInstanceAttribute | Describes the specified attribute of the specified instance. | List | |||
DescribeInstanceCreditSpecifications | Describes the credit option for CPU usage of one or more of your instances. | List | |||
DescribeInstanceStatus | Describes the status of one or more instances. | List | |||
DescribeInstances | Describes one or more of your instances. | List | |||
DescribeInternetGateways | Describes one or more of your Internet gateways. | List | |||
DescribeKeyPairs | Describes one or more of your key pairs. | List | |||
DescribeLaunchTemplateVersions | Describes one or more of your launch template versions. | List | |||
DescribeLaunchTemplates | Describes one or more of your launch templates. | List | |||
DescribeMovingAddresses | Describes your Elastic IP addresses that are being moved to the EC2-VPC platform, or that are being restored to the EC2-Classic platform. | List | |||
DescribeNatGateways | Describes one or more of your NAT gateways. | List | |||
DescribeNetworkAcls | Describes one or more of your network ACLs. | List | |||
DescribeNetworkInterfaceAttribute | Describes a network interface attribute. You can specify only one attribute at a time. | List | |||
DescribeNetworkInterfacePermissions | Describes the permissions associated with a network interface. | List | |||
DescribeNetworkInterfaces | Describes one or more of your network interfaces. | List | |||
DescribePlacementGroups | Describes one or more of your placement groups. | List | |||
DescribePrefixLists | Describes available AWS services in a prefix list format, which includes the prefix list name and prefix list ID of the service and the IP address range for the service. | List | |||
DescribePrincipalIdFormat | Describes the ID format settings for the root user and all IAM roles and IAM users that have explicitly specified a longer ID (17-character ID) preference. | List | |||
DescribePublicIpv4Pools | Describes the specified IPv4 address pools. | List | |||
DescribeRegions | Describes one or more regions that are currently available to you. | List | |||
DescribeReservedInstances | Describes one or more of the Reserved Instances that you purchased. | List | |||
DescribeReservedInstancesListings | Describes your account's Reserved Instance listings in the Reserved Instance Marketplace. | List | |||
DescribeReservedInstancesModifications | Describes the modifications made to your Reserved Instances. | List | |||
DescribeReservedInstancesOfferings | Describes Reserved Instance offerings that are available for purchase. | List | |||
DescribeRouteTables | Describes one or more of your route tables. | List | |||
DescribeScheduledInstanceAvailability | Finds available schedules that meet the specified criteria. | Read | |||
DescribeScheduledInstances | Describes one or more of your Scheduled Instances. | Read | |||
DescribeSecurityGroupReferences | [EC2-VPC only] Describes the VPCs on the other side of a VPC peering connection that are referencing the security groups you've specified in this request. | List | |||
DescribeSecurityGroups | Describes one or more of your security groups. | List | |||
DescribeSnapshotAttribute | Describes the specified attribute of the specified snapshot. | List | |||
DescribeSnapshots | Describes one or more of the EBS snapshots available to you. | List | |||
DescribeSpotDatafeedSubscription | Describes the data feed for Spot instances. | List | |||
DescribeSpotFleetInstances | Describes the running instances for the specified Spot fleet. | List | |||
DescribeSpotFleetRequestHistory | Describes the events for the specified Spot fleet request during the specified time. | List | |||
DescribeSpotFleetRequests | Describes your Spot fleet requests. | List | |||
DescribeSpotInstanceRequests | Describes the Spot instance requests that belong to your account. | List | |||
DescribeSpotPriceHistory | Describes the Spot price history. | List | |||
DescribeStaleSecurityGroups | [EC2-VPC only] Describes the stale security group rules for security groups in a specified VPC. | List | |||
DescribeSubnets | Describes one or more of your subnets. | List | |||
DescribeTags | Describes one or more of the tags for your EC2 resources. | Read | |||
DescribeTrafficMirrorFilters | Describes one or more Traffic Mirror filters. | List | |||
DescribeTrafficMirrorSessions | Describes one or more Traffic Mirror sessions. | List | |||
DescribeTrafficMirrorTargets | Describes one or more Traffic Mirror targets. | List | |||
DescribeTransitGatewayAttachments | Describes one or more attachments between resources and transit gateways. | List | |||
DescribeTransitGatewayRouteTables | Describes one or more transit gateway route tables. | List | |||
DescribeTransitGatewayVpcAttachments | Describes one or more VPC attachments. | List | |||
DescribeTransitGateways | Describes one or more transit gateways. | List | |||
DescribeVolumeAttribute | Describes the specified attribute of the specified volume. | List | |||
DescribeVolumeStatus | Describes the status of the specified volumes. | List | |||
DescribeVolumes | Describes the specified EBS volumes. | List | |||
DescribeVolumesModifications | Reports the current modification status of EBS volumes. | Read | |||
DescribeVpcAttribute | Describes the specified attribute of the specified VPC. | List | |||
DescribeVpcClassicLink | Describes the ClassicLink status of one or more VPCs. | List | |||
DescribeVpcClassicLinkDnsSupport | Describes the ClassicLink DNS support status of one or more VPCs. | List | |||
DescribeVpcEndpointConnectionNotifications | Describes the connection notifications for VPC endpoints and VPC endpoint services. | List | |||
DescribeVpcEndpointConnections | Describes the VPC endpoint connections to your VPC endpoint services, including any endpoints that are pending your acceptance. | List | |||
DescribeVpcEndpointServiceConfigurations | Describes the VPC endpoint service configurations in your account (your services). | List | |||
DescribeVpcEndpointServicePermissions | Describes the principals (service consumers) that are permitted to discover your VPC endpoint service. | List | |||
DescribeVpcEndpointServices | Describes all supported AWS services that can be specified when creating a VPC endpoint. | List | |||
DescribeVpcEndpoints | Describes one or more of your VPC endpoints. | List | |||
DescribeVpcPeeringConnections | Describes one or more of your VPC peering connections. | List | |||
DescribeVpcs | Describes one or more of your VPCs. | List | |||
DescribeVpnConnections | Describes one or more of your VPN connections. | Read | |||
DescribeVpnGateways | Describes one or more of your virtual private gateways. | List | |||
DetachClassicLinkVpc | Unlinks (detaches) a linked EC2-Classic instance from a VPC. | Write | |||
DetachInternetGateway | Detaches an Internet gateway from a VPC, disabling connectivity between the Internet and the VPC. | Write | |||
DetachNetworkInterface | Detaches a network interface from an instance. | Write | |||
DetachVolume | Detaches an EBS volume from an instance. | Write | |||
DetachVpnGateway | Detaches a virtual private gateway from a VPC. | Write | |||
DisableEbsEncryptionByDefault | Disables EBS encryption by default for your account in the current Region. | Write | |||
DisableFastSnapshotRestores | Disables fast snapshot restores for the specified snapshots in the specified Availability Zones | Write | |||
DisableTransitGatewayRouteTablePropagation | Disables the specified resource attachment from propagating routes to the specified propagation route table. | Write | |||
DisableVgwRoutePropagation | Disables a virtual private gateway (VGW) from propagating routes to a specified route table of a VPC. | Write | |||
DisableVpcClassicLink | Disables ClassicLink for a VPC. | Write | |||
DisableVpcClassicLinkDnsSupport | Disables ClassicLink DNS support for a VPC. | Write | |||
DisassociateAddress | Disassociates an Elastic IP address from the instance or network interface it's associated with. | Write | |||
DisassociateClientVpnTargetNetwork | Disassociates a target network from the specified Client VPN endpoint. | Write | |||
DisassociateIamInstanceProfile | Disassociates an IAM instance profile from a running or stopped instance. | Write | |||
DisassociateRouteTable | Disassociates a subnet from a route table. | Write | |||
DisassociateSubnetCidrBlock | Disassociates a CIDR block from a subnet. | Write | |||
DisassociateTransitGatewayRouteTable | Disassociates a resource attachment from a transit gateway route table. | Write | |||
DisassociateVpcCidrBlock | Disassociates a CIDR block from a VPC. | Write | |||
EnableEbsEncryptionByDefault | Enables EBS encryption by default for your account in the current Region | Write | |||
EnableFastSnapshotRestores | Enables fast snapshot restores for the specified snapshots in the specified Availability Zones | Write | |||
EnableTransitGatewayRouteTablePropagation | Enables the specified attachment to propagate routes to the specified propagation route table. | Write | |||
EnableVgwRoutePropagation | Enables a virtual private gateway (VGW) to propagate routes to the specified route table of a VPC. | Write | |||
EnableVolumeIO | Enables I/O operations for a volume that had I/O operations disabled because the data on the volume was potentially inconsistent. | Write | |||
EnableVpcClassicLink | Enables a VPC for ClassicLink. | Write | |||
EnableVpcClassicLinkDnsSupport | Enables a VPC to support DNS hostname resolution for ClassicLink. | Write | |||
ExportClientVpnClientCertificateRevocationList | Downloads the client certificate revocation list for the specified Client VPN endpoint. | List | |||
ExportClientVpnClientConfiguration | Downloads the contents of the Client VPN endpoint configuration file for the specified Client VPN endpoint. | List | |||
ExportImage | Exports an Amazon Machine Image (AMI) to a VM file. | Write | |||
ExportTransitGatewayRoutes | Exports routes from the specified transit gateway route table to the specified S3 bucket. | Write | |||
GetCapacityReservationUsage | Gets usage information about a Capacity Reservation. | Read | |||
GetConsoleOutput | Gets the console output for the specified instance. | Read | |||
GetConsoleScreenshot | Retrieve a JPG-format screenshot of a running instance to help with troubleshooting. | Read | |||
GetEbsDefaultKmsKeyId | Gets the ID of the default KMS key used for EBS encryption by default for your account in the current Region. | Read | |||
GetEbsEncryptionByDefault | Describes whether EBS encryption by default is enabled for your account in the current Region | Read | |||
GetHostReservationPurchasePreview | Preview a reservation purchase with configurations that match those of your Dedicated Host. | Read | |||
GetLaunchTemplateData | Retrieves the configuration data of the specified instance. | Read | |||
GetPasswordData | Retrieves the encrypted administrator password for an instance running Windows. | Read | |||
GetReservedInstancesExchangeQuote | Returns details about the values and term of your specified Convertible Reserved Instances. | Read | |||
GetTransitGatewayAttachmentPropagations | Lists the route tables to which the specified resource attachment propagates routes. | List | |||
GetTransitGatewayRouteTableAssociations | Gets information about the associations for the specified transit gateway route table. | List | |||
GetTransitGatewayRouteTablePropagations | Gets information about the route table propagations for the specified transit gateway route table. | List | |||
ImportClientVpnClientCertificateRevocationList | Uploads a client certificate revocation list to the specified Client VPN endpoint. | Write | |||
ImportImage | Import single or multi-volume disk images or EBS snapshots into an Amazon Machine Image (AMI). | Write | |||
ImportInstance | Creates an import instance task using metadata from the specified disk image. | Write | |||
ImportKeyPair | Imports the public key from an RSA key pair that you created with a third-party tool. | Write | |||
ImportSnapshot | Imports a disk into an EBS snapshot. | Write | |||
ImportVolume | Creates an import volume task using metadata from the specified disk image. | Write | |||
ModifyCapacityReservation | Modifies a Capacity Reservation's capacity and the conditions under which it is to be released. | Write | |||
ModifyClientVpnEndpoint | Modifies the specified Client VPN endpoint. | Write | |||
ModifyEbsDefaultKmsKeyId | Changes the default customer master key (CMK) for EBS encryption by default for your account in this Region | Write | |||
ModifyFleet | Modifies the specified EC2 Fleet. | Write | |||
ModifyFpgaImageAttribute | Modifies the specified attribute of the specified Amazon FPGA Image (AFI). | Write | |||
ModifyHosts | Modify the auto-placement setting of a Dedicated Host. | Write | |||
ModifyIdFormat | Modifies the ID format for the specified resource on a per-region basis. | Write | |||
ModifyIdentityIdFormat | Modifies the ID format of a resource for a specified IAM user, IAM role, or the root user for an account; or all IAM users, IAM roles, and the root user for an account. | Write | |||
ModifyImageAttribute | Modifies the specified attribute of the specified AMI. | Write | |||
ModifyInstanceAttribute | Modifies the specified attribute of the specified instance. | Write | |||
ModifyInstanceCapacityReservationAttributes | Modifies the Capacity Reservation settings for a stopped instance. | Write | |||
ModifyInstanceCreditSpecification | Modifies the credit option for CPU usage on an instance. | Write | |||
ModifyInstanceEventStartTime | Modifies the start time for a scheduled EC2 instance event. | Write | |||
ModifyInstanceMetadataOptions | Modifies the metadata options for an instance. | Write | |||
ModifyInstancePlacement | Set the instance affinity value for a specific stopped instance and modify the instance tenancy setting. | Write | |||
ModifyLaunchTemplate | Modifies the specified launch template. | Write | |||
ModifyNetworkInterfaceAttribute | Modifies the specified network interface attribute. You can specify only one attribute at a time. | Write | |||
ModifyReservedInstances | Modifies the Availability Zone, instance count, instance type, or network platform (EC2-Classic or EC2-VPC) of your Standard Reserved Instances. | Write | |||
ModifySnapshotAttribute | Adds or removes permission settings for the specified snapshot. | Permissions management | |||
ModifySpotFleetRequest | Modifies the specified Spot fleet request. | Write | |||
ModifySubnetAttribute | Modifies a subnet attribute. | Write | |||
ModifyTrafficMirrorFilterNetworkServices | Allows or restricts mirroring network services. | Write | |||
ModifyTrafficMirrorFilterRule | Modifies the specified Traffic Mirror rule. | Write | |||
ModifyTrafficMirrorSession | Modifies a Traffic Mirror session. | Write | |||
ModifyTransitGatewayVpcAttachment | Modifies the specified VPC attachment. | Write | |||
ModifyVolume | You can modify several parameters of an existing EBS volume, including volume size, volume type, and IOPS capacity. | Write | |||
ModifyVolumeAttribute | Modifies a volume attribute. | Write | |||
ModifyVpcAttribute | Modifies the specified attribute of the specified VPC. | Write | |||
ModifyVpcEndpoint | Modifies attributes of a specified VPC endpoint. | Write | |||
ModifyVpcEndpointConnectionNotification | Modifies a connection notification for VPC endpoint or VPC endpoint service. | Write | |||
ModifyVpcEndpointServiceConfiguration | Modifies the attributes of your VPC endpoint service configuration. | Write | |||
ModifyVpcEndpointServicePermissions | Modifies the permissions for your VPC endpoint service. | Permissions management | |||
ModifyVpcPeeringConnectionOptions | Modifies the VPC peering connection options on one side of a VPC peering connection. | Write | |||
ModifyVpcTenancy | Modifies the instance tenancy attribute of the specified VPC. | Write | |||
ModifyVpnConnection | Modifies the target gateway of an AWS Site-to-Site VPN connection. | Write | |||
ModifyVpnTunnelOptions | Modifies the options for an AWS Site-to-Site VPN connection. | Write | | ec2:Phase1EncryptionAlgorithms | |
MonitorInstances | Enables detailed monitoring for a running instance. | Write | |||
MoveAddressToVpc | Moves an Elastic IP address from the EC2-Classic platform to the EC2-VPC platform. | Write | |||
ProvisionByoipCidr | Provisions an address range for use with your AWS resources through bring your own IP addresses (BYOIP) and creates a corresponding address pool. | Write | |||
PurchaseHostReservation | Purchase a reservation with configurations that match those of your Dedicated Host. | Write | |||
PurchaseReservedInstancesOffering | Purchases a Reserved Instance for use with your account. | Write | |||
PurchaseScheduledInstances | Purchases one or more Scheduled Instances with the specified schedule. | Write | |||
RebootInstances | Requests a reboot of one or more instances. | Write | |||
RegisterImage | Registers an AMI. | Write | |||
RejectTransitGatewayVpcAttachment | Rejects a request to attach a VPC to a transit gateway. | Write | |||
RejectVpcEndpointConnections | Rejects one or more VPC endpoint connection requests to your VPC endpoint service. | Write | |||
RejectVpcPeeringConnection | Rejects a VPC peering connection request. | Write | |||
ReleaseAddress | Releases the specified Elastic IP address. | Write | |||
ReleaseHosts | Releases an On-Demand Dedicated Host when you no longer want to use it. | Write | |||
ReplaceIamInstanceProfileAssociation | Replaces an IAM instance profile for the specified instance. | Write | | | iam:PassRole |
ReplaceNetworkAclAssociation | Changes which network ACL a subnet is associated with. | Write | |||
ReplaceNetworkAclEntry | Replaces an entry (rule) in a network ACL. | Write | |||
ReplaceRoute | Replaces an existing route within a route table in a VPC. | Write | |||
ReplaceRouteTableAssociation | Changes the route table associated with a given subnet in a VPC. | Write | |||
ReplaceTransitGatewayRoute | Replaces the specified route in the specified transit gateway route table. | Write | |||
ReportInstanceStatus | Submits feedback about the status of an instance. | Write | |||
RequestSpotFleet | Creates a Spot fleet request. | Write | |||
RequestSpotInstances | Creates a Spot instance request. | Write | |||
ResetEbsDefaultKmsKeyId | Resets the default customer master key (CMK) for EBS encryption for your account in this Region to the AWS managed CMK for EBS. | Write | |||
ResetFpgaImageAttribute | Resets an attribute of an Amazon FPGA Image (AFI) to its default value. | Write | |||
ResetImageAttribute | Resets an attribute of an AMI to its default value. | Write | |||
ResetInstanceAttribute | Resets an attribute of an instance to its default value. | Write | |||
ResetNetworkInterfaceAttribute | Resets a network interface attribute. You can specify only one attribute at a time. | Write | |||
ResetSnapshotAttribute | Resets permission settings for the specified snapshot. | Permissions management | |||
RestoreAddressToClassic | Restores an Elastic IP address that was previously moved to the EC2-VPC platform back to the EC2-Classic platform. | Write | |||
RevokeClientVpnIngress | Removes an ingress authorization rule from a Client VPN endpoint. | Write | |||
RevokeSecurityGroupEgress | [EC2-VPC only] Removes one or more egress rules from a security group for EC2-VPC. This action doesn't apply to security groups for use in EC2-Classic. | Write | |||
RevokeSecurityGroupIngress | Removes one or more ingress rules from a security group. | Write | |||
RunInstances | Launches the specified number of instances using an AMI for which you have permissions. | Write | SCENARIO: EC2-Classic-EBS; SCENARIO: EC2-Classic-InstanceStore; SCENARIO: EC2-VPC-EBS; SCENARIO: EC2-VPC-EBS-Subnet; SCENARIO: EC2-VPC-InstanceStore; SCENARIO: EC2-VPC-InstanceStore-Subnet | | |
RunScheduledInstances | Launches the specified Scheduled Instances. | Write | |||
SearchTransitGatewayRoutes | Searches for routes in the specified transit gateway route table. | List | |||
SendDiagnosticInterrupt | Sends a diagnostic interrupt to the specified Amazon EC2 instance. | Write | |||
StartInstances | Starts an Amazon EBS-backed AMI that you've previously stopped. | Write | |||
StopInstances | Stops an Amazon EBS-backed instance. | Write | |||
TerminateClientVpnConnections | Terminates active Client VPN endpoint connections. | Write | |||
TerminateInstances | Shuts down one or more instances. | Write | |||
UnassignIpv6Addresses | Unassigns one or more IPv6 addresses from the specified network interface. | Write | |||
UnassignPrivateIpAddresses | Unassigns one or more secondary private IP addresses from a network interface. | Write | |||
UnmonitorInstances | Disables detailed monitoring for a running instance. | Write | |||
UpdateSecurityGroupRuleDescriptionsEgress | [EC2-VPC only] Update descriptions for one or more egress rules of a security group. This action doesn't apply to security groups for use in EC2-Classic. | Write | |||
UpdateSecurityGroupRuleDescriptionsIngress | Update descriptions for one or more ingress rules of a security group. | Write | |||
WithdrawByoipCidr | Stops advertising an IPv4 address range that is provisioned as an address pool. | Write |
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.
Resource Types | ARN | Condition Keys |
---|---|---|
capacity-reservation | arn:${Partition}:ec2:${Region}:${Account}:capacity-reservation/${CapacityReservationId} | |
client-vpn-endpoint | arn:${Partition}:ec2:${Region}:${Account}:client-vpn-endpoint/${ClientVpnEndpointId} | |
customer-gateway | arn:${Partition}:ec2:${Region}:${Account}:customer-gateway/${CustomerGatewayId} | |
dhcp-options | arn:${Partition}:ec2:${Region}:${Account}:dhcp-options/${DhcpOptionsId} | |
elastic-gpu | arn:${Partition}:ec2:${Region}:${Account}:elasticGpu/${ElasticGpuId} | |
fpga-image | arn:${Partition}:ec2:${Region}::fpga-image/${FpgaImageId} | |
image | arn:${Partition}:ec2:${Region}::image/${ImageId} | |
instance | arn:${Partition}:ec2:${Region}:${Account}:instance/${InstanceId} | |
internet-gateway | arn:${Partition}:ec2:${Region}:${Account}:internet-gateway/${InternetGatewayId} | |
key-pair | arn:${Partition}:ec2:${Region}:${Account}:key-pair/${KeyPairName} | |
launch-template | arn:${Partition}:ec2:${Region}:${Account}:launch-template/${LaunchTemplateId} | |
network-acl | arn:${Partition}:ec2:${Region}:${Account}:network-acl/${NaclId} | |
network-interface | arn:${Partition}:ec2:${Region}:${Account}:network-interface/${NetworkInterfaceId} | |
placement-group | arn:${Partition}:ec2:${Region}:${Account}:placement-group/${PlacementGroupName} | |
reserved-instances | arn:${Partition}:ec2:${Region}:${Account}:reserved-instances/${ReservationId} | |
route-table | arn:${Partition}:ec2:${Region}:${Account}:route-table/${RouteTableId} | |
security-group | arn:${Partition}:ec2:${Region}:${Account}:security-group/${SecurityGroupId} | |
snapshot | arn:${Partition}:ec2:${Region}::snapshot/${SnapshotId} | |
spot-instance-request | arn:${Partition}:ec2:${Region}::spot-instance-request/${SpotInstanceRequestId} | |
subnet | arn:${Partition}:ec2:${Region}:${Account}:subnet/${SubnetId} | |
traffic-mirror-session | arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-session/${TrafficMirrorSessionId} | |
traffic-mirror-target | arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-target/${TrafficMirrorTargetId} | |
traffic-mirror-filter | arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-filter/${TrafficMirrorFilterId} | |
traffic-mirror-filter-rule | arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-filter-rule/${TrafficMirrorFilterRuleId} | |
transit-gateway-attachment | arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-attachment/${TransitGatewayAttachmentId} | |
transit-gateway-route-table | arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-route-table/${TransitGatewayRouteTableId} | |
transit-gateway | arn:${Partition}:ec2:${Region}:${Account}:transit-gateway/${TransitGatewayId} | |
volume | arn:${Partition}:ec2:${Region}:${Account}:volume/${VolumeId} | |
vpc | arn:${Partition}:ec2:${Region}:${Account}:vpc/${VpcId} | |
vpc-peering-connection | arn:${Partition}:ec2:${Region}:${Account}:vpc-peering-connection/${VpcPeeringConnectionId} | |
vpn-connection | arn:${Partition}:ec2:${Region}:${Account}:vpn-connection/${VpnConnectionId} | ec2:Phase1EncryptionAlgorithms |
vpn-gateway | arn:${Partition}:ec2:${Region}:${Account}:vpn-gateway/${VpnGatewayId} | |
Amazon EC2 defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.
To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.
Condition Keys | Description | Type |
---|---|---|
aws:RequestTag/${TagKey} | A key that is present in the request the user makes to the EC2 service. | String |
aws:TagKeys | The list of all the tag key names associated with the resource in the request. | String |
ec2:AccepterVpc | The ARN of an accepter VPC in a VPC peering connection. | ARN |
ec2:AuthenticationType | The authentication type for the VPN tunnel endpoints. | String |
ec2:AuthorizedService | The AWS service that has permission to use a resource. | String |
ec2:AuthorizedUser | The IAM principal that has permission to use a resource. | String |
ec2:AvailabilityZone | The name of an Availability Zone in a region. | String |
ec2:CreateAction | The name of a resource-creating API action. | String |
ec2:DPDTimeoutSeconds | The duration after which a DPD timeout occurs. | Numeric |
ec2:EbsOptimized | Whether the instance is enabled for EBS-optimization. | Bool |
ec2:ElasticGpuType | The name of the type of ElasticGpu. | String |
ec2:Encrypted | Whether the volume is encrypted. | Bool |
ec2:GatewayType | The gateway type for the VPN endpoint on the AWS side of the VPN connection. | String |
ec2:IKEVersions | The internet key exchange (IKE) versions that are permitted for the VPN tunnel. | String |
ec2:ImageType | The name of the type of image. | String |
ec2:InsideTunnelCidr | The range of inside IP addresses for the VPN tunnel. | String |
ec2:InstanceMarketType | The name of the market type. | String |
ec2:InstanceProfile | The ARN of the instance profile. | ARN |
ec2:InstanceType | The name of the instance type. | String |
ec2:IsLaunchTemplateResource | Launch template resource flag. | Bool |
ec2:LaunchTemplate | The ARN of the launch template. | ARN |
ec2:MetadataHttpEndpoint | Whether the HTTP endpoint is enabled in the instance metadata service. | String |
ec2:MetadataHttpPutResponseHopLimit | Allowed number of hops when calling the instance metadata service. | Numeric |
ec2:MetadataHttpTokens | Whether tokens are required when calling the instance metadata service. | String |
ec2:Owner | The name or account ID of the owner. | String |
ec2:ParentSnapshot | The ARN of the parent snapshot. | ARN |
ec2:ParentVolume | The ARN of the parent volume. | ARN |
ec2:Permission | The type of permission for a resource. | String |
ec2:Phase1DHGroupNumbers | The Diffie-Hellman groups that are permitted for the VPN tunnel for the phase 1 IKE negotiations. | Numeric |
ec2:Phase1EncryptionAlgorithms | The encryption algorithms that are permitted for the VPN tunnel for the phase 1 IKE negotiations. | String |
ec2:Phase1IntegrityAlgorithms | The integrity algorithms that are permitted for the VPN tunnel for the phase 1 IKE negotiations. | String |
ec2:Phase1LifetimeSeconds | The lifetime in seconds for phase 1 of the IKE negotiation. | Numeric |
ec2:Phase2DHGroupNumbers | The Diffie-Hellman groups that are permitted for the VPN tunnel for the phase 2 IKE negotiations. | Numeric |
ec2:Phase2EncryptionAlgorithms | The encryption algorithms that are permitted for the VPN tunnel for the phase 2 IKE negotiations. | String |
ec2:Phase2IntegrityAlgorithms | The integrity algorithms that are permitted for the VPN tunnel for the phase 2 IKE negotiations. | String |
ec2:Phase2LifetimeSeconds | The lifetime in seconds for phase 2 of the IKE negotiation. | Numeric |
ec2:PlacementGroup | The ARN of the placement group. | ARN |
ec2:PlacementGroupStrategy | The name of the placement group strategy. | String |
ec2:PresharedKeys | The pre-shared key (PSK) to establish the initial IKE security association between the virtual private gateway and customer gateway. | String |
ec2:ProductCode | The product code of the product. | String |
ec2:Public | Whether the image is public. | Bool |
ec2:Region | The name of the region. | String |
ec2:RekeyFuzzPercentage | The percentage of the rekey window (determined by the rekey margin time) within which the rekey time is randomly selected. | Numeric |
ec2:RekeyMarginTimeSeconds | The margin time before the phase 2 lifetime expires, during which AWS performs an IKE rekey. | Numeric |
ec2:RequesterVpc | The ARN of a requester VPC in a VPC peering connection. | ARN |
ec2:ReservedInstancesOfferingType | The payment option for a Reserved Instance. | String |
ec2:ResourceTag/ | The preface string for a tag key and value pair attached to a resource. | String |
ec2:ResourceTag/${TagKey} | A tag key and value pair. | String |
ec2:RoleDelivery | The IMDS version of the IAM role credential for EC2. | Numeric |
ec2:RootDeviceType | The root device type: ebs or instance-store. | String |
ec2:RoutingType | The routing type for the VPN connection. | String |
ec2:SnapshotTime | The snapshot creation time. | String |
ec2:SourceInstanceARN | The ARN of the instance from which the request originated. | ARN |
ec2:Subnet | The ARN of the subnet. | ARN |
ec2:Tenancy | The tenancy of the instance or VPC. | String |
ec2:VolumeIops | The number of input/output operations per second. | Numeric |
ec2:VolumeSize | The size of the volume, in GiB. | Numeric |
ec2:VolumeType | The name of the type of volume. | String |
ec2:Vpc | The ARN of the VPC. | ARN |