Service: Amazon EC2
Short Name: ec2
ARN Format: arn:aws:ec2:${Region}:${Account}:${ResourceType}/${ResourcePath}
ARN Regex: ^arn:aws:ec2:.+
ReadOnlyAccess
…
AmazonDMSVPCManagementRole

Action | Reference | Description | Access |
---|---|---|---|
ec2:DescribeAccountAttributes | Docs | Grants permission to describe the attributes of the AWS account | |
ec2:DescribeAddresses | Docs | Grants permission to describe one or more Elastic IP addresses | |
ec2:DescribeAddressesAttribute | Docs | Grants permission to describe the attributes of the specified Elastic IP addresses | |
ec2:DescribeAddressTransfers | Docs | Grants permission to describe an Elastic IP address transfer | |
ec2:DescribeAggregateIdFormat | Docs | Grants permission to describe the longer ID format settings for all resource types | |
ec2:DescribeAvailabilityZones | Docs | Grants permission to describe one or more of the Availability Zones that are available to you | |
ec2:DescribeAwsNetworkPerformanceMetricSubscriptions | Docs | Grants permission to describe the current infrastructure performance metric subscriptions | |
ec2:DescribeBundleTasks | Docs | Grants permission to describe one or more bundling tasks | |
ec2:DescribeByoipCidrs | Docs | Grants permission to describe the IP address ranges that were provisioned through bring your own IP addresses (BYOIP) | |
ec2:DescribeCapacityBlockOfferings | Docs | Grants permission to describe Capacity Block offerings available for purchase | |
ec2:DescribeCapacityReservationFleets | Docs | Grants permission to describe one or more Capacity Reservation Fleets | |
ec2:DescribeCapacityReservations | Docs | Grants permission to describe one or more Capacity Reservations | |
ec2:DescribeCarrierGateways | Docs | Grants permission to describe one or more Carrier Gateways | |
ec2:DescribeClassicLinkInstances | Docs | Grants permission to describe one or more linked EC2-Classic instances | |
ec2:DescribeClientVpnAuthorizationRules | Docs | Grants permission to describe the authorization rules for a Client VPN endpoint | |
ec2:DescribeClientVpnConnections | Docs | Grants permission to describe active client connections and connections that have been terminated within the last 60 minutes for a Client VPN endpoint | |
ec2:DescribeClientVpnEndpoints | Docs | Grants permission to describe one or more Client VPN endpoints | |
ec2:DescribeClientVpnRoutes | Docs | Grants permission to describe the routes for a Client VPN endpoint | |
ec2:DescribeClientVpnTargetNetworks | Docs | Grants permission to describe the target networks that are associated with a Client VPN endpoint | |
ec2:DescribeCoipPools | Docs | Grants permission to describe the specified customer-owned address pools or all of your customer-owned address pools | |
ec2:DescribeConversionTasks | Docs | Grants permission to describe one or more conversion tasks | |
ec2:DescribeCustomerGateways | Docs | Grants permission to describe one or more customer gateways | |
ec2:DescribeDhcpOptions | Docs | Grants permission to describe one or more DHCP options sets | |
ec2:DescribeEgressOnlyInternetGateways | Docs | Grants permission to describe one or more egress-only internet gateways | |
ec2:DescribeElasticGpus | Docs | Grants permission to describe an Elastic Graphics accelerator that is associated with an instance | |
ec2:DescribeExportImageTasks | Docs | Grants permission to describe one or more export image tasks | |
ec2:DescribeExportTasks | Docs | Grants permission to describe one or more export instance tasks | |
ec2:DescribeFastLaunchImages | Docs | Grants permission to describe fast-launch enabled Windows AMIs | |
ec2:DescribeFastSnapshotRestores | Docs | Grants permission to describe the state of fast snapshot restores for snapshots | |
ec2:DescribeFleetHistory | Docs | Grants permission to describe the events for an EC2 Fleet during a specified time | |
ec2:DescribeFleetInstances | Docs | Grants permission to describe the running instances for an EC2 Fleet | |
ec2:DescribeFleets | Docs | Grants permission to describe one or more EC2 Fleets | |
ec2:DescribeFlowLogs | Docs | Grants permission to describe one or more flow logs | |
ec2:DescribeFpgaImageAttribute | Docs | Grants permission to describe the attributes of an Amazon FPGA Image (AFI) | |
ec2:DescribeFpgaImages | Docs | Grants permission to describe one or more Amazon FPGA Images (AFIs) | |
ec2:DescribeHostReservationOfferings | Docs | Grants permission to describe the Dedicated Host Reservations that are available to purchase | |
ec2:DescribeHostReservations | Docs | Grants permission to describe the Dedicated Host Reservations that are associated with Dedicated Hosts in the AWS account | |
ec2:DescribeHosts | Docs | Grants permission to describe one or more Dedicated Hosts | |
ec2:DescribeIamInstanceProfileAssociations | Docs | Grants permission to describe the IAM instance profile associations | |
ec2:DescribeIdentityIdFormat | Docs | Grants permission to describe the ID format settings for resources for an IAM user, IAM role, or root user | |
ec2:DescribeIdFormat | Docs | Grants permission to describe the ID format settings for resources | |
ec2:DescribeImageAttribute | Docs | Grants permission to describe an attribute of an Amazon Machine Image (AMI) | |
ec2:DescribeImages | Docs | Grants permission to describe one or more images (AMIs, AKIs, and ARIs) | |
ec2:DescribeImportImageTasks | Docs | Grants permission to describe import virtual machine or import snapshot tasks | |
ec2:DescribeImportSnapshotTasks | Docs | Grants permission to describe import snapshot tasks | |
ec2:DescribeInstanceAttribute | Docs | Grants permission to describe the attributes of an instance | |
ec2:DescribeInstanceConnectEndpoints | Docs | Grants permission to describe EC2 Instance Connect Endpoints | |
ec2:DescribeInstanceCreditSpecifications | Docs | Grants permission to describe the credit option for CPU usage of one or more burstable performance instances | |
ec2:DescribeInstanceEventNotificationAttributes | Docs | Grants permission to describe the set of tags to include in notifications about scheduled events for your instances | |
ec2:DescribeInstanceEventWindows | Docs | Grants permission to describe the specified event windows or all event windows | |
ec2:DescribeInstances | Docs | Grants permission to describe one or more instances | |
ec2:DescribeInstanceStatus | Docs | Grants permission to describe the status of one or more instances | |
ec2:DescribeInstanceTopology | Docs | Grants permission to describe a tree-based hierarchy that represents the physical host placement of EC2 instances | |
ec2:DescribeInstanceTypeOfferings | Docs | Grants permission to describe the set of instance types that are offered in a location | |
ec2:DescribeInstanceTypes | Docs | Grants permission to describe the details of instance types that are offered in a location | |
ec2:DescribeInternetGateways | Docs | Grants permission to describe one or more internet gateways | |
ec2:DescribeIpamByoasn | Docs | Grants permission to describe a bring your own Autonomous System Number (BYOASN) that you've brought to IPAM | |
ec2:DescribeIpamPools | Docs | Grants permission to describe Amazon VPC IP Address Manager (IPAM) pools | |
ec2:DescribeIpamResourceDiscoveries | Docs | Grants permission to describe IPAM resource discoveries | |
ec2:DescribeIpamResourceDiscoveryAssociations | Docs | Grants permission to describe resource discovery associations with an Amazon VPC IPAM | |
ec2:DescribeIpams | Docs | Grants permission to describe an Amazon VPC IP Address Manager (IPAM) | |
ec2:DescribeIpamScopes | Docs | Grants permission to describe Amazon VPC IP Address Manager (IPAM) scopes | |
ec2:DescribeIpv6Pools | Docs | Grants permission to describe one or more IPv6 address pools | |
ec2:DescribeKeyPairs | Docs | Grants permission to describe one or more key pairs | |
ec2:DescribeLaunchTemplates | Docs | Grants permission to describe one or more launch templates | |
ec2:DescribeLaunchTemplateVersions | Docs | Grants permission to describe one or more launch template versions | |
ec2:DescribeLocalGatewayRouteTablePermissions | Docs | Grants permission to allow a service to describe local gateway route table permissions | |
ec2:DescribeLocalGatewayRouteTables | Docs | Grants permission to describe one or more local gateway route tables | |
ec2:DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations | Docs | Grants permission to describe the associations between virtual interface groups and local gateway route tables | |
ec2:DescribeLocalGatewayRouteTableVpcAssociations | Docs | Grants permission to describe an association between VPCs and local gateway route tables | |
ec2:DescribeLocalGateways | Docs | Grants permission to describe one or more local gateways | |
ec2:DescribeLocalGatewayVirtualInterfaceGroups | Docs | Grants permission to describe local gateway virtual interface groups | |
ec2:DescribeLocalGatewayVirtualInterfaces | Docs | Grants permission to describe local gateway virtual interfaces | |
ec2:DescribeLockedSnapshots | Docs | Grants permission to describe the lock status for a snapshot | |
ec2:DescribeManagedPrefixLists | Docs | Grants permission to describe your managed prefix lists and any AWS-managed prefix lists | |
ec2:DescribeMovingAddresses | Docs | Grants permission to describe Elastic IP addresses that are being moved to the EC2-VPC platform | |
ec2:DescribeNatGateways | Docs | Grants permission to describe one or more NAT gateways | |
ec2:DescribeNetworkAcls | Docs | Grants permission to describe one or more network ACLs | |
ec2:DescribeNetworkInsightsAccessScopeAnalyses | Docs | Grants permission to describe one or more Network Access Scope analyses | |
ec2:DescribeNetworkInsightsAccessScopes | Docs | Grants permission to describe the Network Access Scopes | |
ec2:DescribeNetworkInsightsAnalyses | Docs | Grants permission to describe one or more network insights analyses | |
ec2:DescribeNetworkInsightsPaths | Docs | Grants permission to describe one or more network insights paths | |
ec2:DescribeNetworkInterfaceAttribute | Docs | Grants permission to describe a network interface attribute | |
ec2:DescribeNetworkInterfacePermissions | Docs | Grants permission to describe the permissions that are associated with a network interface | |
ec2:DescribeNetworkInterfaces | Docs | Grants permission to describe one or more network interfaces | |
ec2:DescribePlacementGroups | Docs | Grants permission to describe one or more placement groups | |
ec2:DescribePrefixLists | Docs | Grants permission to describe available AWS services in a prefix list format | |
ec2:DescribePrincipalIdFormat | Docs | Grants permission to describe the ID format settings for the root user and all IAM roles and IAM users that have explicitly specified a longer ID (17-character ID) preference | |
ec2:DescribePublicIpv4Pools | Docs | Grants permission to describe one or more IPv4 address pools | |
ec2:DescribeRegions | Docs | Grants permission to describe one or more AWS Regions that are currently available in your account | |
ec2:DescribeReplaceRootVolumeTasks | Docs | Grants permission to describe a root volume replacement task | |
ec2:DescribeReservedInstances | Docs | Grants permission to describe one or more purchased Reserved Instances in your account | |
ec2:DescribeReservedInstancesListings | Docs | Grants permission to describe your account's Reserved Instance listings in the Reserved Instance Marketplace | |
ec2:DescribeReservedInstancesModifications | Docs | Grants permission to describe the modifications made to one or more Reserved Instances | |
ec2:DescribeReservedInstancesOfferings | Docs | Grants permission to describe the Reserved Instance offerings that are available for purchase | |
ec2:DescribeRouteTables | Docs | Grants permission to describe one or more route tables | |
ec2:DescribeScheduledInstanceAvailability | Docs | Grants permission to find available schedules for Scheduled Instances | |
ec2:DescribeScheduledInstances | Docs | Grants permission to describe one or more Scheduled Instances in your account | |
ec2:DescribeSecurityGroupReferences | Docs | Grants permission to describe the VPCs on the other side of a VPC peering connection that are referencing specified VPC security groups | |
ec2:DescribeSecurityGroupRules | Docs | Grants permission to describe one or more of your security group rules | |
ec2:DescribeSecurityGroups | Docs | Grants permission to describe one or more security groups | |
ec2:DescribeSnapshotAttribute | Docs | Grants permission to describe an attribute of a snapshot | |
ec2:DescribeSnapshots | Docs | Grants permission to describe one or more EBS snapshots | |
ec2:DescribeSnapshotTierStatus | Docs | Grants permission to describe the storage tier status for Amazon EBS snapshots | |
ec2:DescribeSpotDatafeedSubscription | Docs | Grants permission to describe the data feed for Spot Instances | |
ec2:DescribeSpotFleetInstances | Docs | Grants permission to describe the running instances for a Spot Fleet | |
ec2:DescribeSpotFleetRequestHistory | Docs | Grants permission to describe the events for a Spot Fleet request during a specified time | |
ec2:DescribeSpotFleetRequests | Docs | Grants permission to describe one or more Spot Fleet requests | |
ec2:DescribeSpotInstanceRequests | Docs | Grants permission to describe one or more Spot Instance requests | |
ec2:DescribeSpotPriceHistory | Docs | Grants permission to describe the Spot Instance price history | |
ec2:DescribeStaleSecurityGroups | Docs | Grants permission to describe the stale security group rules for security groups in a specified VPC | |
ec2:DescribeStoreImageTasks | Docs | Grants permission to describe the progress of the AMI store tasks | |
ec2:DescribeSubnets | Docs | Grants permission to describe one or more subnets | |
ec2:DescribeTags | Docs | Grants permission to describe one or more tags for an Amazon EC2 resource | |
ec2:DescribeTrafficMirrorFilters | Docs | Grants permission to describe one or more traffic mirror filters | |
ec2:DescribeTrafficMirrorSessions | Docs | Grants permission to describe one or more traffic mirror sessions | |
ec2:DescribeTrafficMirrorTargets | Docs | Grants permission to describe one or more traffic mirror targets | |
ec2:DescribeTransitGatewayAttachments | Docs | Grants permission to describe one or more attachments between resources and transit gateways | |
ec2:DescribeTransitGatewayConnectPeers | Docs | Grants permission to describe one or more transit gateway connect peers | |
ec2:DescribeTransitGatewayConnects | Docs | Grants permission to describe one or more transit gateway connect attachments | |
ec2:DescribeTransitGatewayMulticastDomains | Docs | Grants permission to describe one or more transit gateway multicast domains | |
ec2:DescribeTransitGatewayPeeringAttachments | Docs | Grants permission to describe one or more transit gateway peering attachments | |
ec2:DescribeTransitGatewayPolicyTables | Docs | Grants permission to describe a transit gateway policy table | |
ec2:DescribeTransitGatewayRouteTableAnnouncements | Docs | Grants permission to describe a transit gateway route table announcement | |
ec2:DescribeTransitGatewayRouteTables | Docs | Grants permission to describe one or more transit gateway route tables | |
ec2:DescribeTransitGateways | Docs | Grants permission to describe one or more transit gateways | |
ec2:DescribeTransitGatewayVpcAttachments | Docs | Grants permission to describe one or more VPC attachments on a transit gateway | |
ec2:DescribeTrunkInterfaceAssociations | Docs | Grants permission to describe one or more network interface trunk associations | |
ec2:DescribeVerifiedAccessEndpoints | Docs | Grants permission to describe the specified Verified Access endpoints or all Verified Access endpoints | |
ec2:DescribeVerifiedAccessGroups | Docs | Grants permission to describe the specified Verified Access groups or all Verified Access groups | |
ec2:DescribeVerifiedAccessInstanceLoggingConfigurations | Docs | Grants permission to describe the current logging configuration for the Verified Access instances | |
ec2:DescribeVerifiedAccessInstances | Docs | Grants permission to describe the specified Verified Access instances or all Verified Access instances | |
ec2:DescribeVerifiedAccessInstanceWebAclAssociations | Docs | Grants permission to describe the AWS Web Application Firewall (WAF) web access control list (ACL) associations for a Verified Access instance | |
ec2:DescribeVerifiedAccessTrustProviders | Docs | Grants permission to describe details of existing Verified Access trust providers | |
ec2:DescribeVolumeAttribute | Docs | Grants permission to describe an attribute of an EBS volume | |
ec2:DescribeVolumes | Docs | Grants permission to describe one or more EBS volumes | |
ec2:DescribeVolumesModifications | Docs | Grants permission to describe the current modification status of one or more EBS volumes | |
ec2:DescribeVolumeStatus | Docs | Grants permission to describe the status of one or more EBS volumes | |
ec2:DescribeVpcAttribute | Docs | Grants permission to describe an attribute of a VPC | |
ec2:DescribeVpcClassicLink | Docs | Grants permission to describe the ClassicLink status of one or more VPCs | |
ec2:DescribeVpcClassicLinkDnsSupport | Docs | Grants permission to describe the ClassicLink DNS support status of one or more VPCs | |
ec2:DescribeVpcEndpointConnectionNotifications | Docs | Grants permission to describe the connection notifications for VPC endpoints and VPC endpoint services | |
ec2:DescribeVpcEndpointConnections | Docs | Grants permission to describe the VPC endpoint connections to your VPC endpoint services | |
ec2:DescribeVpcEndpoints | Docs | Grants permission to describe one or more VPC endpoints | |
ec2:DescribeVpcEndpointServiceConfigurations | Docs | Grants permission to describe VPC endpoint service configurations (your services) | |
ec2:DescribeVpcEndpointServicePermissions | Docs | Grants permission to describe the principals (service consumers) that are permitted to discover your VPC endpoint service | |
ec2:DescribeVpcEndpointServices | Docs | Grants permission to describe all supported AWS services that can be specified when creating a VPC endpoint | |
ec2:DescribeVpcPeeringConnections | Docs | Grants permission to describe one or more VPC peering connections | |
ec2:DescribeVpcs | Docs | Grants permission to describe one or more VPCs | |
ec2:DescribeVpnConnections | Docs | Grants permission to describe one or more VPN connections | |
ec2:DescribeVpnGateways | Docs | Grants permission to describe one or more virtual private gateways | |
ec2:GetGroupsForCapacityReservation | Docs | Grants permission to list the resource groups to which a Capacity Reservation has been added | |
ec2:GetInstanceTypesFromInstanceRequirements | Docs | Grants permission to view a list of instance types with specified instance attributes | |
ec2:GetIpamPoolAllocations | Docs | Grants permission to get a list of all the CIDR allocations in an Amazon VPC IP Address Manager (IPAM) pool | |
ec2:GetTransitGatewayAttachmentPropagations | Docs | Grants permission to list the route tables to which a resource attachment propagates routes | |
ec2:GetTransitGatewayMulticastDomainAssociations | Docs | Grants permission to get information about the associations for a transit gateway multicast domain | |
ec2:GetTransitGatewayPolicyTableAssociations | Docs | Grants permission to get information about associations for a transit gateway policy table | |
ec2:GetTransitGatewayPolicyTableEntries | Docs | Grants permission to get information about associations for a transit gateway policy table entry | |
ec2:GetTransitGatewayPrefixListReferences | Docs | Grants permission to get information about prefix list references for a transit gateway route table | |
ec2:GetTransitGatewayRouteTableAssociations | Docs | Grants permission to get information about associations for a transit gateway route table | |
ec2:GetTransitGatewayRouteTablePropagations | Docs | Grants permission to get information about the route table propagations for a transit gateway route table | |
ec2:GetVerifiedAccessEndpointPolicy | Docs | Grants permission to show the Verified Access policy associated with the endpoint | |
ec2:GetVerifiedAccessGroupPolicy | Docs | Grants permission to show the contents of the Verified Access policy associated with the group | |
ec2:GetVerifiedAccessInstanceWebAcl | Docs | Grants permission to show the AWS Web Application Firewall (WAF) web access control list (ACL) for a Verified Access instance | |
ec2:GetVpnConnectionDeviceSampleConfiguration | Docs | Grants permission to download an AWS-provided sample configuration file to be used with the customer gateway device | |
ec2:GetVpnConnectionDeviceTypes | Docs | Grants permission to obtain a list of customer gateway devices for which sample configuration files can be provided | |
ec2:GetVpnTunnelReplacementStatus | Docs | Grants permission to view available tunnel endpoint maintenance events | |
ec2:ListImagesInRecycleBin | Docs | Grants permission to list Amazon Machine Images (AMIs) that are currently in the Recycle Bin | |
ec2:ListSnapshotsInRecycleBin | Docs | Grants permission to list the Amazon EBS snapshots that are currently in the Recycle Bin | |
ec2:SearchLocalGatewayRoutes | Docs | Grants permission to search for routes in a local gateway route table | |
ec2:SearchTransitGatewayMulticastGroups | Docs | Grants permission to search for groups, sources, and members in a transit gateway multicast domain | |
ec2:SearchTransitGatewayRoutes | Docs | Grants permission to search for routes in a transit gateway route table | |
ec2:CreateNetworkInterfacePermission | Docs | Grants permission to create a permission for an AWS-authorized user to perform certain operations on a network interface | |
ec2:DeleteNetworkInterfacePermission | Docs | Grants permission to delete a permission that is associated with a network interface | |
ec2:ModifySnapshotAttribute | Docs | Grants permission to add or remove permission settings for a snapshot | |
ec2:ModifyVpcEndpointServicePermissions | Docs | Grants permission to modify the permissions for a VPC endpoint service | |
ec2:ResetSnapshotAttribute | Docs | Grants permission to reset permission settings for a snapshot | |
ec2:ExportClientVpnClientCertificateRevocationList | Docs | Grants permission to download the client certificate revocation list for a Client VPN endpoint | |
ec2:ExportClientVpnClientConfiguration | Docs | Grants permission to download the contents of the Client VPN endpoint configuration file for a Client VPN endpoint | |
ec2:GetAssociatedEnclaveCertificateIamRoles | Docs | Grants permission to get the list of roles associated with an ACM certificate | |
ec2:GetAssociatedIpv6PoolCidrs | Docs | Grants permission to get information about the IPv6 CIDR block associations for a specified IPv6 address pool | |
ec2:GetAwsNetworkPerformanceData | Docs | Grants permission to get network performance data | |
ec2:GetCapacityReservationUsage | Docs | Grants permission to get usage information about a Capacity Reservation | |
ec2:GetCoipPoolUsage | Docs | Grants permission to describe the allocations from the specified customer-owned address pool | |
ec2:GetConsoleOutput | Docs | Grants permission to get the console output for an instance | |
ec2:GetConsoleScreenshot | Docs | Grants permission to retrieve a JPG-format screenshot of a running instance | |
ec2:GetDefaultCreditSpecification | Docs | Grants permission to get the default credit option for CPU usage of a burstable performance instance family | |
ec2:GetEbsDefaultKmsKeyId | Docs | Grants permission to get the ID of the default customer master key (CMK) for EBS encryption by default | |
ec2:GetEbsEncryptionByDefault | Docs | Grants permission to describe whether EBS encryption by default is enabled for your account | |
ec2:GetFlowLogsIntegrationTemplate | Docs | Grants permission to generate a CloudFormation template to streamline the integration of VPC flow logs with Amazon Athena | |
ec2:GetHostReservationPurchasePreview | Docs | Grants permission to preview a reservation purchase with configurations that match those of a Dedicated Host | |
ec2:GetImageBlockPublicAccessState | Docs | Grants permission to get the current state of block public access for AMIs at the account level in the specified AWS Region | |
ec2:GetInstanceUefiData | Docs | Grants permission to retrieve the binary representation of the UEFI variable store | |
ec2:GetIpamAddressHistory | Docs | Grants permission to retrieve historical information about a CIDR within an Amazon VPC IP Address Manager (IPAM) scope | |
ec2:GetIpamDiscoveredAccounts | Docs | Grants permission to retrieve IPAM discovered accounts | |
ec2:GetIpamDiscoveredPublicAddresses | Docs | Grants permission to retrieve the public IP addresses that have been discovered by IPAM | |
ec2:GetIpamDiscoveredResourceCidrs | Docs | Grants permission to retrieve the resource CIDRs that are monitored as part of a resource discovery | |
ec2:GetIpamPoolCidrs | Docs | Grants permission to get the CIDRs provisioned to an Amazon VPC IP Address Manager (IPAM) pool | |
ec2:GetIpamResourceCidrs | Docs | Grants permission to get information about the resources in an Amazon VPC IP Address Manager (IPAM) scope | |
ec2:GetLaunchTemplateData | Docs | Grants permission to get the configuration data of the specified instance for use with a new launch template or launch template version | |
ec2:GetManagedPrefixListAssociations | Docs | Grants permission to get information about the resources that are associated with the specified managed prefix list | |
ec2:GetManagedPrefixListEntries | Docs | Grants permission to get information about the entries for a specified managed prefix list | |
ec2:GetNetworkInsightsAccessScopeAnalysisFindings | Docs | Grants permission to get the findings for one or more Network Access Scope analyses | |
ec2:GetNetworkInsightsAccessScopeContent | Docs | Grants permission to get the content for a specified Network Access Scope | |
ec2:GetPasswordData | Docs | Grants permission to retrieve the encrypted administrator password for a running Windows instance | |
ec2:GetReservedInstancesExchangeQuote | Docs | Grants permission to return a quote and exchange information for exchanging one or more Convertible Reserved Instances for a new Convertible Reserved Instance | |
ec2:GetResourcePolicy | Docs | Grants permission to describe an IAM policy that enables cross-account sharing | |
ec2:GetSecurityGroupsForVpc | Docs | Grants permission to retrieve a list of security groups for a specified VPC | |
ec2:GetSerialConsoleAccessStatus | Docs | Grants permission to retrieve the access status of your account to the EC2 serial console of all instances | |
ec2:GetSnapshotBlockPublicAccessState | Docs | Grants permission to retrieve the current state of the block public access for snapshots setting for a Region | |
ec2:GetSpotPlacementScores | Docs | Grants permission to calculate the Spot placement score for a Region or Availability Zone based on the specified target capacity and compute requirements | |
ec2:GetSubnetCidrReservations | Docs | Grants permission to retrieve information about the subnet CIDR reservations | |
ec2:CreateTags | Docs | Grants permission to add or overwrite one or more tags for Amazon EC2 resources | |
ec2:DeleteTags | Docs | Grants permission to delete one or more tags from Amazon EC2 resources | |
ec2:AcceptAddressTransfer | Docs | Grants permission to accept an Elastic IP address transfer | |
ec2:AcceptReservedInstancesExchangeQuote | Docs | Grants permission to accept a Convertible Reserved Instance exchange quote | |
ec2:AcceptTransitGatewayMulticastDomainAssociations | Docs | Grants permission to accept a request to associate subnets with a transit gateway multicast domain | |
ec2:AcceptTransitGatewayPeeringAttachment | Docs | Grants permission to accept a transit gateway peering attachment request | |
ec2:AcceptTransitGatewayVpcAttachment | Docs | Grants permission to accept a request to attach a VPC to a transit gateway | |
ec2:AcceptVpcEndpointConnections | Docs | Grants permission to accept one or more interface VPC endpoint connections to your VPC endpoint service | |
ec2:AcceptVpcPeeringConnection | Docs | Grants permission to accept a VPC peering connection request | |
ec2:AdvertiseByoipCidr | Docs | Grants permission to advertise an IP address range that is provisioned for use in AWS through bring your own IP addresses (BYOIP) | |
ec2:AllocateAddress | Docs | Grants permission to allocate an Elastic IP address (EIP) to your account | |
ec2:AllocateHosts | Docs | Grants permission to allocate a Dedicated Host to your account | |
ec2:AllocateIpamPoolCidr | Docs | Grants permission to allocate a CIDR from an Amazon VPC IP Address Manager (IPAM) pool | |
ec2:ApplySecurityGroupsToClientVpnTargetNetwork | Docs | Grants permission to apply a security group to the association between a Client VPN endpoint and a target network | |
ec2:AssignIpv6Addresses | Docs | Grants permission to assign one or more IPv6 addresses to a network interface | |
ec2:AssignPrivateIpAddresses | Docs | Grants permission to assign one or more secondary private IP addresses to a network interface | |
ec2:AssignPrivateNatGatewayAddress | Docs | Grants permission to assign one or more secondary private IP addresses to a private NAT gateway | |
ec2:AssociateAddress | Docs | Grants permission to associate an Elastic IP address (EIP) with an instance or a network interface | |
ec2:AssociateClientVpnTargetNetwork | Docs | Grants permission to associate a target network with a Client VPN endpoint | |
ec2:AssociateDhcpOptions | Docs | Grants permission to associate or disassociate a set of DHCP options with a VPC | |
ec2:AssociateEnclaveCertificateIamRole | Docs | Grants permission to associate an ACM certificate with an IAM role to be used in an EC2 Enclave | |
ec2:AssociateIamInstanceProfile | Docs | Grants permission to associate an IAM instance profile with a running or stopped instance | |
ec2:AssociateInstanceEventWindow | Docs | Grants permission to associate one or more targets with an event window | |
ec2:AssociateIpamByoasn | Docs | Grants permission to associate an Autonomous System Number (ASN) with a BYOIP CIDR | |
ec2:AssociateIpamResourceDiscovery | Docs | Grants permission to associate an IPAM resource discovery with an Amazon VPC IPAM | |
ec2:AssociateNatGatewayAddress | Docs | Grants permission to associate an Elastic IP address and private IP address with a public NAT gateway | |
ec2:AssociateRouteTable | Docs | Grants permission to associate a subnet or gateway with a route table | |
ec2:AssociateSubnetCidrBlock | Docs | Grants permission to associate a CIDR block with a subnet | |
ec2:AssociateTransitGatewayMulticastDomain | Docs | Grants permission to associate an attachment and list of subnets with a transit gateway multicast domain | |
ec2:AssociateTransitGatewayPolicyTable | Docs | Grants permission to associate a policy table with a transit gateway attachment | |
ec2:AssociateTransitGatewayRouteTable | Docs | Grants permission to associate an attachment with a transit gateway route table | |
ec2:AssociateTrunkInterface | Docs | Grants permission to associate a branch network interface with a trunk network interface | |
ec2:AssociateVerifiedAccessInstanceWebAcl | Docs | Grants permission to associate an AWS Web Application Firewall (WAF) web access control list (ACL) with a Verified Access instance | |
ec2:AssociateVpcCidrBlock | Docs | Grants permission to associate a CIDR block with a VPC | |
ec2:AttachClassicLinkVpc | Docs | Grants permission to link an EC2-Classic instance to a ClassicLink-enabled VPC through one or more of the VPC's security groups | |
ec2:AttachInternetGateway | Docs | Grants permission to attach an internet gateway to a VPC | |
ec2:AttachNetworkInterface | Docs | Grants permission to attach a network interface to an instance | |
ec2:AttachVerifiedAccessTrustProvider | Docs | Grants permission to attach a trust provider to a Verified Access instance | |
ec2:AttachVolume | Docs | Grants permission to attach an EBS volume to a running or stopped instance and expose it to the instance with the specified device name | |
ec2:AttachVpnGateway | Docs | Grants permission to attach a virtual private gateway to a VPC | |
ec2:AuthorizeClientVpnIngress | Docs | Grants permission to add an inbound authorization rule to a Client VPN endpoint | |
ec2:AuthorizeSecurityGroupEgress | Docs | Grants permission to add one or more outbound rules to a VPC security group. Policies using the security-group-rule resource-level permission are only enforced when the API request includes TagSpecifications | |
ec2:AuthorizeSecurityGroupIngress | Docs | Grants permission to add one or more inbound rules to a VPC security group. Policies using the security-group-rule resource-level permission are only enforced when the API request includes TagSpecifications | |
ec2:BundleInstance | Docs | Grants permission to bundle an instance store-backed Windows instance | |
ec2:CancelBundleTask | Docs | Grants permission to cancel a bundling operation | |
ec2:CancelCapacityReservation | Docs | Grants permission to cancel a Capacity Reservation and release the reserved capacity | |
ec2:CancelCapacityReservationFleets | Docs | Grants permission to cancel one or more Capacity Reservation Fleets | |
ec2:CancelConversionTask | Docs | Grants permission to cancel an active conversion task | |
ec2:CancelExportTask | Docs | Grants permission to cancel an active export task | |
ec2:CancelImageLaunchPermission | Docs | Grants permission to remove your AWS account from the launch permissions for the specified AMI | |
ec2:CancelImportTask | Docs | Grants permission to cancel an in-process import virtual machine or import snapshot task | |
ec2:CancelReservedInstancesListing | Docs | Grants permission to cancel a Reserved Instance listing on the Reserved Instance Marketplace | |
ec2:CancelSpotFleetRequests | Docs | Grants permission to cancel one or more Spot Fleet requests | |
ec2:CancelSpotInstanceRequests | Docs | Grants permission to cancel one or more Spot Instance requests | |
ec2:ConfirmProductInstance | Docs | Grants permission to determine whether an owned product code is associated with an instance | |
ec2:CopyFpgaImage | Docs | Grants permission to copy a source Amazon FPGA image (AFI) to the current Region. Resource-level permissions specified for this action apply to the new AFI only. They do not apply to the source AFI | |
ec2:CopyImage | Docs | Grants permission to copy an Amazon Machine Image (AMI) from a source Region to the current Region. Resource-level permissions specified for this action apply to the new AMI only. They do not apply to the source AMI | |
ec2:CopySnapshot | Docs | Grants permission to copy a point-in-time snapshot of an EBS volume and store it in Amazon S3. Resource-level permissions specified for this action apply to the new snapshot only. They do not apply to the source snapshot | |
ec2:CreateCapacityReservation | Docs | Grants permission to create a Capacity Reservation | |
ec2:CreateCapacityReservationFleet | Docs | Grants permission to create a Capacity Reservation Fleet | |
ec2:CreateCarrierGateway | Docs | Grants permission to create a carrier gateway and provides CSP connectivity to VPC customers | |
ec2:CreateClientVpnEndpoint | Docs | Grants permission to create a Client VPN endpoint | |
ec2:CreateClientVpnRoute | Docs | Grants permission to add a network route to a Client VPN endpoint's route table | |
ec2:CreateCoipCidr | Docs | Grants permission to create a range of customer-owned IP (CoIP) addresses | |
ec2:CreateCoipPool | Docs | Grants permission to create a pool of customer-owned IP (CoIP) addresses | |
ec2:CreateCoipPoolPermission | Docs | Grants permission to allow a service to access a customer-owned IP (CoIP) pool | |
ec2:CreateCustomerGateway | Docs | Grants permission to create a customer gateway, which provides information to AWS about your customer gateway device | |
ec2:CreateDefaultSubnet | Docs | Grants permission to create a default subnet in a specified Availability Zone in a default VPC | |
ec2:CreateDefaultVpc | Docs | Grants permission to create a default VPC with a default subnet in each Availability Zone | |
ec2:CreateDhcpOptions | Docs | Grants permission to create a set of DHCP options for a VPC | |
ec2:CreateEgressOnlyInternetGateway | Docs | Grants permission to create an egress-only internet gateway for a VPC | |
ec2:CreateFleet | Docs | Grants permission to launch an EC2 Fleet. Resource-level permissions for this action do not include the resources specified in a launch template. To specify resource-level permissions for resources specified in a launch template, you must include the resources in the RunInstances action statement | |
ec2:CreateFlowLogs | Docs | Grants permission to create one or more flow logs to capture IP traffic for a network interface | |
ec2:CreateFpgaImage | Docs | Grants permission to create an Amazon FPGA Image (AFI) from a design checkpoint (DCP) | |
ec2:CreateImage | Docs | Grants permission to create an Amazon EBS-backed AMI from a stopped or running Amazon EBS-backed instance | |
ec2:CreateInstanceConnectEndpoint | Docs | Grants permission to create an EC2 Instance Connect Endpoint that allows you to connect to an instance without a public IPv4 address | |
ec2:CreateInstanceEventWindow | Docs | Grants permission to create an event window in which scheduled events for the associated Amazon EC2 instances can run | |
ec2:CreateInstanceExportTask | Docs | Grants permission to export a running or stopped instance to an Amazon S3 bucket | |
ec2:CreateInternetGateway | Docs | Grants permission to create an internet gateway for a VPC | |
ec2:CreateIpam | Docs | Grants permission to create an Amazon VPC IP Address Manager (IPAM) | |
ec2:CreateIpamPool | Docs | Grants permission to create an IP address pool for Amazon VPC IP Address Manager (IPAM), which is a collection of contiguous IP address CIDRs | |
ec2:CreateIpamResourceDiscovery | Docs | Grants permission to create an IPAM resource discovery | |
ec2:CreateIpamScope | Docs | Grants permission to create an Amazon VPC IP Address Manager (IPAM) scope, which is the highest-level container within IPAM | |
ec2:CreateKeyPair | Docs | Grants permission to create a 2048-bit RSA key pair | |
ec2:CreateLaunchTemplate | Docs | Grants permission to create a launch template | |
ec2:CreateLaunchTemplateVersion | Docs | Grants permission to create a new version of a launch template | |
ec2:CreateLocalGatewayRoute | Docs | Grants permission to create a static route for a local gateway route table | |
ec2:CreateLocalGatewayRouteTable | Docs | Grants permission to create a local gateway route table | |
ec2:CreateLocalGatewayRouteTablePermission | Docs | Grants permission to allow a service to access a local gateway route table | |
ec2:CreateLocalGatewayRouteTableVirtualInterfaceGroupAssociation | Docs | Grants permission to create a local gateway route table virtual interface group association | |
ec2:CreateLocalGatewayRouteTableVpcAssociation | Docs | Grants permission to associate a VPC with a local gateway route table | |
ec2:CreateManagedPrefixList | Docs | Grants permission to create a managed prefix list | |
ec2:CreateNatGateway | Docs | Grants permission to create a NAT gateway in a subnet | |
ec2:CreateNetworkAcl | Docs | Grants permission to create a network ACL in a VPC | |
ec2:CreateNetworkAclEntry | Docs | Grants permission to create a numbered entry (a rule) in a network ACL | |
ec2:CreateNetworkInsightsAccessScope | Docs | Grants permission to create a Network Access Scope | |
ec2:CreateNetworkInsightsPath | Docs | Grants permission to create a path to analyze for reachability | |
ec2:CreateNetworkInterface | Docs | Grants permission to create a network interface in a subnet | |
ec2:CreatePlacementGroup | Docs | Grants permission to create a placement group | |
ec2:CreatePublicIpv4Pool | Docs | Grants permission to create a public IPv4 address pool for public IPv4 CIDRs that you own and bring to Amazon to manage with Amazon VPC IP Address Manager (IPAM) | |
ec2:CreateReplaceRootVolumeTask | Docs | Grants permission to create a root volume replacement task | |
ec2:CreateReservedInstancesListing | Docs | Grants permission to create a listing for Standard Reserved Instances to be sold in the Reserved Instance Marketplace | |
ec2:CreateRestoreImageTask | Docs | Grants permission to start a task that restores an AMI from an S3 object previously created by using CreateStoreImageTask | |
ec2:CreateRoute | Docs | Grants permission to create a route in a VPC route table | |
ec2:CreateRouteTable | Docs | Grants permission to create a route table for a VPC | |
ec2:CreateSecurityGroup | Docs | Grants permission to create a security group | |
ec2:CreateSnapshot | Docs | Grants permission to create a snapshot of an EBS volume and store it in Amazon S3 | |
ec2:CreateSnapshots | Docs | Grants permission to create crash-consistent snapshots of multiple EBS volumes and store them in Amazon S3 | |
ec2:CreateSpotDatafeedSubscription | Docs | Grants permission to create a data feed for Spot Instances to view Spot Instance usage logs | |
ec2:CreateStoreImageTask | Docs | Grants permission to store an AMI as a single object in an S3 bucket | |
ec2:CreateSubnet | Docs | Grants permission to create a subnet in a VPC | |
ec2:CreateSubnetCidrReservation | Docs | Grants permission to create a subnet CIDR reservation | |
ec2:CreateTrafficMirrorFilter | Docs | Grants permission to create a traffic mirror filter | |
ec2:CreateTrafficMirrorFilterRule | Docs | Grants permission to create a traffic mirror filter rule | |
ec2:CreateTrafficMirrorSession | Docs | Grants permission to create a traffic mirror session | |
ec2:CreateTrafficMirrorTarget | Docs | Grants permission to create a traffic mirror target | |
ec2:CreateTransitGateway | Docs | Grants permission to create a transit gateway | |
ec2:CreateTransitGatewayConnect | Docs | Grants permission to create a Connect attachment from a specified transit gateway attachment | |
ec2:CreateTransitGatewayConnectPeer | Docs | Grants permission to create a Connect peer between a transit gateway and an appliance | |
ec2:CreateTransitGatewayMulticastDomain | Docs | Grants permission to create a multicast domain for a transit gateway | |
ec2:CreateTransitGatewayPeeringAttachment | Docs | Grants permission to request a transit gateway peering attachment between a requester and accepter transit gateway | |
ec2:CreateTransitGatewayPolicyTable | Docs | Grants permission to create a transit gateway policy table | |
ec2:CreateTransitGatewayPrefixListReference | Docs | Grants permission to create a transit gateway prefix list reference | |
ec2:CreateTransitGatewayRoute | Docs | Grants permission to create a static route for a transit gateway route table | |
ec2:CreateTransitGatewayRouteTable | Docs | Grants permission to create a route table for a transit gateway | |
ec2:CreateTransitGatewayRouteTableAnnouncement | Docs | Grants permission to create an announcement for a transit gateway route table | |
ec2:CreateTransitGatewayVpcAttachment | Docs | Grants permission to attach a VPC to a transit gateway | |
ec2:CreateVerifiedAccessEndpoint | Docs | Grants permission to create a Verified Access endpoint | |
ec2:CreateVerifiedAccessGroup | Docs | Grants permission to create a Verified Access group | |
ec2:CreateVerifiedAccessInstance | Docs | Grants permission to create a Verified Access instance | |
ec2:CreateVerifiedAccessTrustProvider | Docs | Grants permission to create a verified trust provider | |
ec2:CreateVolume | Docs | Grants permission to create an EBS volume | |
ec2:CreateVpc | Docs | Grants permission to create a VPC with a specified CIDR block | |
ec2:CreateVpcEndpoint | Docs | Grants permission to create a VPC endpoint for an AWS service | |
ec2:CreateVpcEndpointConnectionNotification | Docs | Grants permission to create a connection notification for a VPC endpoint or VPC endpoint service | |
ec2:CreateVpcEndpointServiceConfiguration | Docs | Grants permission to create a VPC endpoint service configuration to which service consumers (AWS accounts, IAM users, and IAM roles) can connect | |
ec2:CreateVpcPeeringConnection | Docs | Grants permission to request a VPC peering connection between two VPCs | |
ec2:CreateVpnConnection | Docs | Grants permission to create a VPN connection between a virtual private gateway or transit gateway and a customer gateway | |
ec2:CreateVpnConnectionRoute | Docs | Grants permission to create a static route for a VPN connection between a virtual private gateway and a customer gateway | |
ec2:CreateVpnGateway | Docs | Grants permission to create a virtual private gateway | |
ec2:DeleteCarrierGateway | Docs | Grants permission to delete a carrier gateway | |
ec2:DeleteClientVpnEndpoint | Docs | Grants permission to delete a Client VPN endpoint | |
ec2:DeleteClientVpnRoute | Docs | Grants permission to delete a route from a Client VPN endpoint | |
ec2:DeleteCoipCidr | Docs | Grants permission to delete a range of customer-owned IP (CoIP) addresses | |
ec2:DeleteCoipPool | Docs | Grants permission to delete a pool of customer-owned IP (CoIP) addresses | |
ec2:DeleteCoipPoolPermission | Docs | Grants permission to deny a service from accessing a customer-owned IP (CoIP) pool | |
ec2:DeleteCustomerGateway | Docs | Grants permission to delete a customer gateway | |
ec2:DeleteDhcpOptions | Docs | Grants permission to delete a set of DHCP options | |
ec2:DeleteEgressOnlyInternetGateway | Docs | Grants permission to delete an egress-only internet gateway | |
ec2:DeleteFleets | Docs | Grants permission to delete one or more EC2 Fleets | |
ec2:DeleteFlowLogs | Docs | Grants permission to delete one or more flow logs | |
ec2:DeleteFpgaImage | Docs | Grants permission to delete an Amazon FPGA Image (AFI) | |
ec2:DeleteInstanceConnectEndpoint | Docs | Grants permission to delete an EC2 Instance Connect Endpoint | |
ec2:DeleteInstanceEventWindow | Docs | Grants permission to delete the specified event window | |
ec2:DeleteInternetGateway | Docs | Grants permission to delete an internet gateway | |
ec2:DeleteIpam | Docs | Grants permission to delete an Amazon VPC IP Address Manager (IPAM) and remove all monitored data associated with the IPAM including the historical data for CIDRs | |
ec2:DeleteIpamPool | Docs | Grants permission to delete an Amazon VPC IP Address Manager (IPAM) pool | |
ec2:DeleteIpamResourceDiscovery | Docs | Grants permission to delete an IPAM resource discovery | |
ec2:DeleteIpamScope | Docs | Grants permission to delete the scope for an Amazon VPC IP Address Manager (IPAM) | |
ec2:DeleteKeyPair | Docs | Grants permission to delete a key pair by removing the public key from Amazon EC2 | |
ec2:DeleteLaunchTemplate | Docs | Grants permission to delete a launch template and its associated versions | |
ec2:DeleteLaunchTemplateVersions | Docs | Grants permission to delete one or more versions of a launch template | |
ec2:DeleteLocalGatewayRoute | Docs | Grants permission to delete a route from a local gateway route table | |
ec2:DeleteLocalGatewayRouteTable | Docs | Grants permission to delete a local gateway route table | |
ec2:DeleteLocalGatewayRouteTablePermission | Docs | Grants permission to deny a service from accessing a local gateway route table | |
ec2:DeleteLocalGatewayRouteTableVirtualInterfaceGroupAssociation | Docs | Grants permission to delete a local gateway route table virtual interface group association | |
ec2:DeleteLocalGatewayRouteTableVpcAssociation | Docs | Grants permission to delete an association between a VPC and local gateway route table | |
ec2:DeleteManagedPrefixList | Docs | Grants permission to delete a managed prefix list | |
ec2:DeleteNatGateway | Docs | Grants permission to delete a NAT gateway | |
ec2:DeleteNetworkAcl | Docs | Grants permission to delete a network ACL | |
ec2:DeleteNetworkAclEntry | Docs | Grants permission to delete an inbound or outbound entry (rule) from a network ACL | |
ec2:DeleteNetworkInsightsAccessScope | Docs | Grants permission to delete a Network Access Scope | |
ec2:DeleteNetworkInsightsAccessScopeAnalysis | Docs | Grants permission to delete a Network Access Scope analysis | |
ec2:DeleteNetworkInsightsAnalysis | Docs | Grants permission to delete a network insights analysis | |
ec2:DeleteNetworkInsightsPath | Docs | Grants permission to delete a network insights path | |
ec2:DeleteNetworkInterface | Docs | Grants permission to delete a detached network interface | |
ec2:DeletePlacementGroup | Docs | Grants permission to delete a placement group | |
ec2:DeletePublicIpv4Pool | Docs | Grants permission to delete a public IPv4 address pool for public IPv4 CIDRs that you own and brought to Amazon to manage with Amazon VPC IP Address Manager (IPAM) | |
ec2:DeleteQueuedReservedInstances | Docs | Grants permission to delete the queued purchases for the specified Reserved Instances | |
ec2:DeleteResourcePolicy | Docs | Grants permission to remove an IAM policy that enables cross-account sharing from a resource | |
ec2:DeleteRoute | Docs | Grants permission to delete a route from a route table | |
ec2:DeleteRouteTable | Docs | Grants permission to delete a route table | |
ec2:DeleteSecurityGroup | Docs | Grants permission to delete a security group | |
ec2:DeleteSnapshot | Docs | Grants permission to delete a snapshot of an EBS volume | |
ec2:DeleteSpotDatafeedSubscription | Docs | Grants permission to delete a data feed for Spot Instances | |
ec2:DeleteSubnet | Docs | Grants permission to delete a subnet | |
ec2:DeleteSubnetCidrReservation | Docs | Grants permission to delete a subnet CIDR reservation | |
ec2:DeleteTrafficMirrorFilter | Docs | Grants permission to delete a traffic mirror filter | |
ec2:DeleteTrafficMirrorFilterRule | Docs | Grants permission to delete a traffic mirror filter rule | |
ec2:DeleteTrafficMirrorSession | Docs | Grants permission to delete a traffic mirror session | |
ec2:DeleteTrafficMirrorTarget | Docs | Grants permission to delete a traffic mirror target | |
ec2:DeleteTransitGateway | Docs | Grants permission to delete a transit gateway | |
ec2:DeleteTransitGatewayConnect | Docs | Grants permission to delete a transit gateway connect attachment | |
ec2:DeleteTransitGatewayConnectPeer | Docs | Grants permission to delete a transit gateway connect peer | |
ec2:DeleteTransitGatewayMulticastDomain | Docs | Grants permission to delete a transit gateway multicast domain | |
ec2:DeleteTransitGatewayPeeringAttachment | Docs | Grants permission to delete a peering attachment from a transit gateway | |
ec2:DeleteTransitGatewayPolicyTable | Docs | Grants permission to delete a transit gateway policy table | |
ec2:DeleteTransitGatewayPrefixListReference | Docs | Grants permission to delete a transit gateway prefix list reference | |
ec2:DeleteTransitGatewayRoute | Docs | Grants permission to delete a route from a transit gateway route table | |
ec2:DeleteTransitGatewayRouteTable | Docs | Grants permission to delete a transit gateway route table | |
ec2:DeleteTransitGatewayRouteTableAnnouncement | Docs | Grants permission to delete a transit gateway route table announcement | |
ec2:DeleteTransitGatewayVpcAttachment | Docs | Grants permission to delete a VPC attachment from a transit gateway | |
ec2:DeleteVerifiedAccessEndpoint | Docs | Grants permission to delete a Verified Access endpoint | |
ec2:DeleteVerifiedAccessGroup | Docs | Grants permission to delete a Verified Access group | |
ec2:DeleteVerifiedAccessInstance | Docs | Grants permission to delete a Verified Access instance | |
ec2:DeleteVerifiedAccessTrustProvider | Docs | Grants permission to delete a verified trust provider | |
ec2:DeleteVolume | Docs | Grants permission to delete an EBS volume | |
ec2:DeleteVpc | Docs | Grants permission to delete a VPC | |
ec2:DeleteVpcEndpointConnectionNotifications | Docs | Grants permission to delete one or more VPC endpoint connection notifications | |
ec2:DeleteVpcEndpoints | Docs | Grants permission to delete one or more VPC endpoints | |
ec2:DeleteVpcEndpointServiceConfigurations | Docs | Grants permission to delete one or more VPC endpoint service configurations | |
ec2:DeleteVpcPeeringConnection | Docs | Grants permission to delete a VPC peering connection | |
ec2:DeleteVpnConnection | Docs | Grants permission to delete a VPN connection | |
ec2:DeleteVpnConnectionRoute | Docs | Grants permission to delete a static route for a VPN connection between a virtual private gateway and a customer gateway | |
ec2:DeleteVpnGateway | Docs | Grants permission to delete a virtual private gateway | |
ec2:DeprovisionByoipCidr | Docs | Grants permission to release an IP address range that was provisioned through bring your own IP addresses (BYOIP), and to delete the corresponding address pool | |
ec2:DeprovisionIpamByoasn | Docs | Grants permission to deprovision an Autonomous System Number (ASN) from an Amazon Web Services account | |
ec2:DeprovisionIpamPoolCidr | Docs | Grants permission to deprovision a CIDR provisioned from an Amazon VPC IP Address Manager (IPAM) pool | |
ec2:DeprovisionPublicIpv4PoolCidr | Docs | Grants permission to deprovision a CIDR from a public IPv4 pool | |
ec2:DeregisterImage | Docs | Grants permission to deregister an Amazon Machine Image (AMI) | |
ec2:DeregisterInstanceEventNotificationAttributes | Docs | Grants permission to remove tags from the set of tags to include in notifications about scheduled events for your instances | |
ec2:DeregisterTransitGatewayMulticastGroupMembers | Docs | Grants permission to deregister one or more network interface members from a group IP address in a transit gateway multicast domain | |
ec2:DeregisterTransitGatewayMulticastGroupSources | Docs | Grants permission to deregister one or more network interface sources from a group IP address in a transit gateway multicast domain | |
ec2:DetachClassicLinkVpc | Docs | Grants permission to unlink (detach) a linked EC2-Classic instance from a VPC | |
ec2:DetachInternetGateway | Docs | Grants permission to detach an internet gateway from a VPC | |
ec2:DetachNetworkInterface | Docs | Grants permission to detach a network interface from an instance | |
ec2:DetachVerifiedAccessTrustProvider | Docs | Grants permission to detach a trust provider from a Verified Access instance | |
ec2:DetachVolume | Docs | Grants permission to detach an EBS volume from an instance | |
ec2:DetachVpnGateway | Docs | Grants permission to detach a virtual private gateway from a VPC | |
ec2:DisableAddressTransfer | Docs | Grants permission to disable Elastic IP address transfer | |
ec2:DisableAwsNetworkPerformanceMetricSubscription | Docs | Grants permission to disable infrastructure performance metric subscriptions | |
ec2:DisableEbsEncryptionByDefault | Docs | Grants permission to disable EBS encryption by default for your account | |
ec2:DisableFastLaunch | Docs | Grants permission to disable faster launching for Windows AMIs | |
ec2:DisableFastSnapshotRestores | Docs | Grants permission to disable fast snapshot restores for one or more snapshots in specified Availability Zones | |
ec2:DisableImage | Docs | Grants permission to disable an AMI | |
ec2:DisableImageBlockPublicAccess | Docs | Grants permission to disable block public access for AMIs at the account level in the specified AWS Region | |
ec2:DisableImageDeprecation | Docs | Grants permission to cancel the deprecation of the specified AMI | |
ec2:DisableIpamOrganizationAdminAccount | Docs | Grants permission to disable an AWS Organizations member account as an Amazon VPC IP Address Manager (IPAM) admin account | |
ec2:DisableSerialConsoleAccess | Docs | Grants permission to disable access to the EC2 serial console of all instances for your account | |
ec2:DisableSnapshotBlockPublicAccess | Docs | Grants permission to disable the block public access for snapshots setting for a Region | |
ec2:DisableTransitGatewayRouteTablePropagation | Docs | Grants permission to disable a resource attachment from propagating routes to the specified propagation route table | |
ec2:DisableVgwRoutePropagation | Docs | Grants permission to disable a virtual private gateway from propagating routes to a specified route table of a VPC | |
ec2:DisableVpcClassicLink | Docs | Grants permission to disable ClassicLink for a VPC | |
ec2:DisableVpcClassicLinkDnsSupport | Docs | Grants permission to disable ClassicLink DNS support for a VPC | |
ec2:DisassociateAddress | Docs | Grants permission to disassociate an Elastic IP address from an instance or network interface | |
ec2:DisassociateClientVpnTargetNetwork | Docs | Grants permission to disassociate a target network from a Client VPN endpoint | |
ec2:DisassociateEnclaveCertificateIamRole | Docs | Grants permission to disassociate an ACM certificate from an IAM role | |
ec2:DisassociateIamInstanceProfile | Docs | Grants permission to disassociate an IAM instance profile from a running or stopped instance | |
ec2:DisassociateInstanceEventWindow | Docs | Grants permission to disassociate one or more targets from an event window | |
ec2:DisassociateIpamByoasn | Docs | Grants permission to disassociate an Autonomous System Number (ASN) from a BYOIP CIDR | |
ec2:DisassociateIpamResourceDiscovery | Docs | Grants permission to disassociate a resource discovery from an Amazon VPC IPAM | |
ec2:DisassociateNatGatewayAddress | Docs | Grants permission to disassociate a secondary Elastic IP address from a public NAT gateway | |
ec2:DisassociateRouteTable | Docs | Grants permission to disassociate a subnet from a route table | |
ec2:DisassociateSubnetCidrBlock | Docs | Grants permission to disassociate a CIDR block from a subnet | |
ec2:DisassociateTransitGatewayMulticastDomain | Docs | Grants permission to disassociate one or more subnets from a transit gateway multicast domain | |
ec2:DisassociateTransitGatewayPolicyTable | Docs | Grants permission to disassociate a policy table from a transit gateway | |
ec2:DisassociateTransitGatewayRouteTable | Docs | Grants permission to disassociate a resource attachment from a transit gateway route table | |
ec2:DisassociateTrunkInterface | Docs | Grants permission to disassociate a branch network interface from a trunk network interface | |
ec2:DisassociateVerifiedAccessInstanceWebAcl | Docs | Grants permission to disassociate an AWS Web Application Firewall (WAF) web access control list (ACL) from a Verified Access instance | |
ec2:DisassociateVpcCidrBlock | Docs | Grants permission to disassociate a CIDR block from a VPC | |
ec2:EnableAddressTransfer | Docs | Grants permission to enable Elastic IP address transfer | |
ec2:EnableAwsNetworkPerformanceMetricSubscription | Docs | Grants permission to enable infrastructure performance subscriptions | |
ec2:EnableEbsEncryptionByDefault | Docs | Grants permission to enable EBS encryption by default for your account | |
ec2:EnableFastLaunch | Docs | Grants permission to enable faster launching for Windows AMIs | |
ec2:EnableFastSnapshotRestores | Docs | Grants permission to enable fast snapshot restores for one or more snapshots in specified Availability Zones | |
ec2:EnableImage | Docs | Grants permission to re-enable a disabled AMI | |
ec2:EnableImageBlockPublicAccess | Docs | Grants permission to enable block public access for AMIs at the account level in the specified AWS Region | |
ec2:EnableImageDeprecation | Docs | Grants permission to enable deprecation of the specified AMI at the specified date and time | |
ec2:EnableIpamOrganizationAdminAccount | Docs | Grants permission to enable an AWS Organizations member account as an Amazon VPC IP Address Manager (IPAM) admin account | |
ec2:EnableReachabilityAnalyzerOrganizationSharing | Docs | Grants permission to enable organization sharing of reachability analyzer | |
ec2:EnableSerialConsoleAccess | Docs | Grants permission to enable access to the EC2 serial console of all instances for your account | |
ec2:EnableSnapshotBlockPublicAccess | Docs | Grants permission to enable or modify the block public access for snapshots setting for a Region | |
ec2:EnableTransitGatewayRouteTablePropagation | Docs | Grants permission to enable an attachment to propagate routes to a propagation route table | |
ec2:EnableVgwRoutePropagation | Docs | Grants permission to enable a virtual private gateway to propagate routes to a VPC route table | |
ec2:EnableVolumeIO | Docs | Grants permission to enable I/O operations for a volume that had I/O operations disabled | |
ec2:EnableVpcClassicLink | Docs | Grants permission to enable a VPC for ClassicLink | |
ec2:EnableVpcClassicLinkDnsSupport | Docs | Grants permission to enable a VPC to support DNS hostname resolution for ClassicLink | |
ec2:ExportImage | Docs | Grants permission to export an Amazon Machine Image (AMI) to a VM file | |
ec2:ExportTransitGatewayRoutes | Docs | Grants permission to export routes from a transit gateway route table to an Amazon S3 bucket | |
ec2:ImportByoipCidrToIpam | Docs | Grants permission to transfer existing BYOIP IPv4 CIDRs to IPAM | |
ec2:ImportClientVpnClientCertificateRevocationList | Docs | Grants permission to upload a client certificate revocation list to a Client VPN endpoint | |
ec2:ImportImage | Docs | Grants permission to import single or multi-volume disk images or EBS snapshots into an Amazon Machine Image (AMI) | |
ec2:ImportInstance | Docs | Grants permission to create an import instance task using metadata from a disk image | |
ec2:ImportKeyPair | Docs | Grants permission to import a public key from an RSA key pair that was created with a third-party tool | |
ec2:ImportSnapshot | Docs | Grants permission to import a disk into an EBS snapshot | |
ec2:ImportVolume | Docs | Grants permission to create an import volume task using metadata from a disk image | |
ec2:InjectApiError | Docs | Grants permission to temporarily inject errors for target API requests | |
ec2:LockSnapshot | Docs | Grants permission to lock an Amazon EBS snapshot in either governance or compliance mode to protect it against accidental or malicious deletions | |
ec2:ModifyAddressAttribute | Docs | Grants permission to modify an attribute of the specified Elastic IP address | |
ec2:ModifyAvailabilityZoneGroup | Docs | Grants permission to modify the opt-in status of the Local Zone and Wavelength Zone group for your account | |
ec2:ModifyCapacityReservation | Docs | Grants permission to modify a Capacity Reservation's capacity and the conditions under which it is to be released | |
ec2:ModifyCapacityReservationFleet | Docs | Grants permission to modify a Capacity Reservation Fleet | |
ec2:ModifyClientVpnEndpoint | Docs | Grants permission to modify a Client VPN endpoint | |
ec2:ModifyDefaultCreditSpecification | Docs | Grants permission to change the account level default credit option for CPU usage of burstable performance instances | |
ec2:ModifyEbsDefaultKmsKeyId | Docs | Grants permission to change the default customer master key (CMK) for EBS encryption by default for your account | |
ec2:ModifyFleet | Docs | Grants permission to modify an EC2 Fleet | |
ec2:ModifyFpgaImageAttribute | Docs | Grants permission to modify an attribute of an Amazon FPGA Image (AFI) | |
ec2:ModifyHosts | Docs | Grants permission to modify a Dedicated Host | |
ec2:ModifyIdentityIdFormat | Docs | Grants permission to modify the ID format of a resource for a specific principal in your account | |
ec2:ModifyIdFormat | Docs | Grants permission to modify the ID format for a resource | |
ec2:ModifyImageAttribute | Docs | Grants permission to modify an attribute of an Amazon Machine Image (AMI) | |
ec2:ModifyInstanceAttribute | Docs | Grants permission to modify an attribute of an instance | |
ec2:ModifyInstanceCapacityReservationAttributes | Docs | Grants permission to modify the Capacity Reservation settings for a stopped instance | |
ec2:ModifyInstanceCreditSpecification | Docs | Grants permission to modify the credit option for CPU usage on an instance | |
ec2:ModifyInstanceEventStartTime | Docs | Grants permission to modify the start time for a scheduled EC2 instance event | |
ec2:ModifyInstanceEventWindow | Docs | Grants permission to modify the specified event window | |
ec2:ModifyInstanceMaintenanceOptions | Docs | Grants permission to modify the recovery behaviour for an instance | |
ec2:ModifyInstanceMetadataOptions | Docs | Grants permission to modify the metadata options for an instance | |
ec2:ModifyInstancePlacement | Docs | Grants permission to modify the placement attributes for an instance | |
ec2:ModifyIpam | Docs | Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) | |
ec2:ModifyIpamPool | Docs | Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) pool | |
ec2:ModifyIpamResourceCidr | Docs | Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) resource CIDR | |
ec2:ModifyIpamResourceDiscovery | Docs | Grants permission to modify a resource discovery | |
ec2:ModifyIpamScope | Docs | Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) scope | |
ec2:ModifyLaunchTemplate | Docs | Grants permission to modify a launch template | |
ec2:ModifyLocalGatewayRoute | Docs | Grants permission to modify a local gateway route | |
ec2:ModifyManagedPrefixList | Docs | Grants permission to modify a managed prefix list | |
ec2:ModifyNetworkInterfaceAttribute | Docs | Grants permission to modify an attribute of a network interface | |
ec2:ModifyPrivateDnsNameOptions | Docs | Grants permission to modify the options for instance hostnames for the specified instance | |
ec2:ModifyReservedInstances | Docs | Grants permission to modify attributes of one or more Reserved Instances | |
ec2:ModifySecurityGroupRules | Docs | Grants permission to modify the rules of a security group | |
ec2:ModifySnapshotTier | Docs | Grants permission to archive Amazon EBS snapshots | |
ec2:ModifySpotFleetRequest | Docs | Grants permission to modify a Spot Fleet request | |
ec2:ModifySubnetAttribute | Docs | Grants permission to modify an attribute of a subnet | |
ec2:ModifyTrafficMirrorFilterNetworkServices | Docs | Grants permission to allow or restrict mirroring network services | |
ec2:ModifyTrafficMirrorFilterRule | Docs | Grants permission to modify a traffic mirror rule | |
ec2:ModifyTrafficMirrorSession | Docs | Grants permission to modify a traffic mirror session | |
ec2:ModifyTransitGateway | Docs | Grants permission to modify a transit gateway | |
ec2:ModifyTransitGatewayPrefixListReference | Docs | Grants permission to modify a transit gateway prefix list reference | |
ec2:ModifyTransitGatewayVpcAttachment | Docs | Grants permission to modify a VPC attachment on a transit gateway | |
ec2:ModifyVerifiedAccessEndpoint | Docs | Grants permission to modify the configuration of a Verified Access endpoint | |
ec2:ModifyVerifiedAccessEndpointPolicy | Docs | Grants permission to modify the specified Verified Access endpoint policy | |
ec2:ModifyVerifiedAccessGroup | Docs | Grants permission to modify the specified Verified Access Group configuration | |
ec2:ModifyVerifiedAccessGroupPolicy | Docs | Grants permission to modify the specified Verified Access group policy | |
ec2:ModifyVerifiedAccessInstance | Docs | Grants permission to modify the configuration of the specified Verified Access instance | |
ec2:ModifyVerifiedAccessInstanceLoggingConfiguration | Docs | Grants permission to modify the logging configuration for the specified Verified Access instance | |
ec2:ModifyVerifiedAccessTrustProvider | Docs | Grants permission to modify the configuration of the specified Verified Access trust provider | |
ec2:ModifyVolume | Docs | Grants permission to modify the parameters of an EBS volume | |
ec2:ModifyVolumeAttribute | Docs | Grants permission to modify an attribute of a volume | |
ec2:ModifyVpcAttribute | Docs | Grants permission to modify an attribute of a VPC | |
ec2:ModifyVpcEndpoint | Docs | Grants permission to modify an attribute of a VPC endpoint | |
ec2:ModifyVpcEndpointConnectionNotification | Docs | Grants permission to modify a connection notification for a VPC endpoint or VPC endpoint service | |
ec2:ModifyVpcEndpointServiceConfiguration | Docs | Grants permission to modify the attributes of a VPC endpoint service configuration | |
ec2:ModifyVpcEndpointServicePayerResponsibility | Docs | Grants permission to modify the payer responsibility for a VPC endpoint service | |
ec2:ModifyVpcPeeringConnectionOptions | Docs | Grants permission to modify the VPC peering connection options on one side of a VPC peering connection | |
ec2:ModifyVpcTenancy | Docs | Grants permission to modify the instance tenancy attribute of a VPC | |
ec2:ModifyVpnConnection | Docs | Grants permission to modify the target gateway of a Site-to-Site VPN connection | |
ec2:ModifyVpnConnectionOptions | Docs | Grants permission to modify the connection options for your Site-to-Site VPN connection | |
ec2:ModifyVpnTunnelCertificate | Docs | Grants permission to modify the certificate for a Site-to-Site VPN connection | |
ec2:ModifyVpnTunnelOptions | Docs | Grants permission to modify the options for a Site-to-Site VPN connection | |
ec2:MonitorInstances | Docs | Grants permission to enable detailed monitoring for a running instance | |
ec2:MoveAddressToVpc | Docs | Grants permission to move an Elastic IP address from the EC2-Classic platform to the EC2-VPC platform | |
ec2:MoveByoipCidrToIpam | Docs | Grants permission to move a BYOIP IPv4 CIDR to Amazon VPC IP Address Manager (IPAM) from a public IPv4 pool | |
ec2:PauseVolumeIO | Docs | Grants permission to temporarily pause I/O operations for a target Amazon EBS volume | |
ec2:ProvisionByoipCidr | Docs | Grants permission to provision an address range for use in AWS through bring your own IP addresses (BYOIP), and to create a corresponding address pool | |
ec2:ProvisionIpamByoasn | Docs | Grants permission to provision an Autonomous System Number (ASN) for use in an Amazon Web Services account | |
ec2:ProvisionIpamPoolCidr | Docs | Grants permission to provision a CIDR to an Amazon VPC IP Address Manager (IPAM) pool | |
ec2:ProvisionPublicIpv4PoolCidr | Docs | Grants permission to provision a CIDR to a public IPv4 pool | |
ec2:PurchaseCapacityBlock | Docs | Grants permission to purchase a Capacity Block offering | |
ec2:PurchaseHostReservation | Docs | Grants permission to purchase a reservation with configurations that match those of a Dedicated Host | |
ec2:PurchaseReservedInstancesOffering | Docs | Grants permission to purchase a Reserved Instance offering | |
ec2:PurchaseScheduledInstances | Docs | Grants permission to purchase one or more Scheduled Instances with a specified schedule | |
ec2:PutResourcePolicy | Docs | Grants permission to attach an IAM policy that enables cross-account sharing to a resource | |
ec2:RebootInstances | Docs | Grants permission to request a reboot of one or more instances | |
ec2:RegisterImage | Docs | Grants permission to register an Amazon Machine Image (AMI) | |
ec2:RegisterInstanceEventNotificationAttributes | Docs | Grants permission to add tags to the set of tags to include in notifications about scheduled events for your instances | |
ec2:RegisterTransitGatewayMulticastGroupMembers | Docs | Grants permission to register one or more network interfaces as a member of a group IP address in a transit gateway multicast domain | |
ec2:RegisterTransitGatewayMulticastGroupSources | Docs | Grants permission to register one or more network interfaces as a source of a group IP address in a transit gateway multicast domain | |
ec2:RejectTransitGatewayMulticastDomainAssociations | Docs | Grants permission to reject requests to associate cross-account subnets with a transit gateway multicast domain | |
ec2:RejectTransitGatewayPeeringAttachment | Docs | Grants permission to reject a transit gateway peering attachment request | |
ec2:RejectTransitGatewayVpcAttachment | Docs | Grants permission to reject a request to attach a VPC to a transit gateway | |
ec2:RejectVpcEndpointConnections | Docs | Grants permission to reject one or more VPC endpoint connection requests to a VPC endpoint service | |
ec2:RejectVpcPeeringConnection | Docs | Grants permission to reject a VPC peering connection request | |
ec2:ReleaseAddress | Docs | Grants permission to release an Elastic IP address | |
ec2:ReleaseHosts | Docs | Grants permission to release one or more On-Demand Dedicated Hosts | |
ec2:ReleaseIpamPoolAllocation | Docs | Grants permission to release an allocation within an Amazon VPC IP Address Manager (IPAM) pool | |
ec2:ReplaceIamInstanceProfileAssociation | Docs | Grants permission to replace an IAM instance profile for an instance | |
ec2:ReplaceNetworkAclAssociation | Docs | Grants permission to change which network ACL a subnet is associated with | |
ec2:ReplaceNetworkAclEntry | Docs | Grants permission to replace an entry (rule) in a network ACL | |
ec2:ReplaceRoute | Docs | Grants permission to replace a route within a route table in a VPC | |
ec2:ReplaceRouteTableAssociation | Docs | Grants permission to change the route table that is associated with a subnet | |
ec2:ReplaceTransitGatewayRoute | Docs | Grants permission to replace a route in a transit gateway route table | |
ec2:ReplaceVpnTunnel | Docs | Grants permission to replace a VPN tunnel | |
ec2:ReportInstanceStatus | Docs | Grants permission to submit feedback about the status of an instance | |
ec2:RequestSpotFleet | Docs | Grants permission to create a Spot Fleet request | |
ec2:RequestSpotInstances | Docs | Grants permission to create a Spot Instance request | |
ec2:ResetAddressAttribute | Docs | Grants permission to reset the attribute of the specified IP address | |
ec2:ResetEbsDefaultKmsKeyId | Docs | Grants permission to reset the default customer master key (CMK) for EBS encryption for your account to use the AWS-managed CMK for EBS | |
ec2:ResetFpgaImageAttribute | Docs | Grants permission to reset an attribute of an Amazon FPGA Image (AFI) to its default value | |
ec2:ResetImageAttribute | Docs | Grants permission to reset an attribute of an Amazon Machine Image (AMI) to its default value | |
ec2:ResetInstanceAttribute | Docs | Grants permission to reset an attribute of an instance to its default value | |
ec2:ResetNetworkInterfaceAttribute | Docs | Grants permission to reset an attribute of a network interface | |
ec2:RestoreAddressToClassic | Docs | Grants permission to restore an Elastic IP address that was previously moved to the EC2-VPC platform back to the EC2-Classic platform | |
ec2:RestoreImageFromRecycleBin | Docs | Grants permission to restore an Amazon Machine Image (AMI) from the Recycle Bin | |
ec2:RestoreManagedPrefixListVersion | Docs | Grants permission to restore the entries from a previous version of a managed prefix list to a new version of the prefix list | |
ec2:RestoreSnapshotFromRecycleBin | Docs | Grants permission to restore an Amazon EBS snapshot from the Recycle Bin | |
ec2:RestoreSnapshotTier | Docs | Grants permission to restore an archived Amazon EBS snapshot for use temporarily or permanently, or modify the restore period or restore type for a snapshot that was previously temporarily restored | |
ec2:RevokeClientVpnIngress | Docs | Grants permission to remove an inbound authorization rule from a Client VPN endpoint | |
ec2:RevokeSecurityGroupEgress | Docs | Grants permission to remove one or more outbound rules from a VPC security group | |
ec2:RevokeSecurityGroupIngress | Docs | Grants permission to remove one or more inbound rules from a security group | |
ec2:RunInstances | Docs | Grants permission to launch one or more instances | |
ec2:RunScheduledInstances | Docs | Grants permission to launch one or more Scheduled Instances | |
ec2:SendDiagnosticInterrupt | Docs | Grants permission to send a diagnostic interrupt to an Amazon EC2 instance | |
ec2:SendSpotInstanceInterruptions | Docs | Grants permission to interrupt a Spot Instance | |
ec2:StartInstances | Docs | Grants permission to start a stopped instance | |
ec2:StartNetworkInsightsAccessScopeAnalysis | Docs | Grants permission to start a Network Access Scope analysis | |
ec2:StartNetworkInsightsAnalysis | Docs | Grants permission to start analyzing a specified path | |
ec2:StartVpcEndpointServicePrivateDnsVerification | Docs | Grants permission to start the private DNS verification process for a VPC endpoint service | |
ec2:StopInstances | Docs | Grants permission to stop an Amazon EBS-backed instance | |
ec2:TerminateClientVpnConnections | Docs | Grants permission to terminate active Client VPN endpoint connections | |
ec2:TerminateInstances | Docs | Grants permission to shut down one or more instances | |
ec2:UnassignIpv6Addresses | Docs | Grants permission to unassign one or more IPv6 addresses from a network interface | |
ec2:UnassignPrivateIpAddresses | Docs | Grants permission to unassign one or more secondary private IP addresses from a network interface | |
ec2:UnassignPrivateNatGatewayAddress | Docs | Grants permission to unassign secondary private IPv4 addresses from a private NAT gateway | |
ec2:UnlockSnapshot | Docs | Grants permission to unlock a snapshot that is locked in governance mode or in compliance mode while still in the cooling-off period | |
ec2:UnmonitorInstances | Docs | Grants permission to disable detailed monitoring for a running instance | |
ec2:UpdateSecurityGroupRuleDescriptionsEgress | Docs | Grants permission to update descriptions for one or more outbound rules in a VPC security group | |
ec2:UpdateSecurityGroupRuleDescriptionsIngress | Docs | Grants permission to update descriptions for one or more inbound rules in a security group | |
ec2:WithdrawByoipCidr | Docs | Grants permission to stop advertising an address range that was provisioned for use in AWS through bring your own IP addresses (BYOIP) | |

aws:RequestTag/${TagKey}
aws:ResourceTag/${TagKey}
aws:TagKeys
ec2:AccepterVpc
ec2:Add/group
ec2:Add/userId
ec2:AllocationId
ec2:AssociatePublicIpAddress
ec2:Attribute
ec2:Attribute/${AttributeName}
ec2:AuthenticationType
ec2:AuthorizedService
ec2:AuthorizedUser
ec2:AutoPlacement
ec2:AvailabilityZone
ec2:CapacityReservationFleet
ec2:ClientRootCertificateChainArn
ec2:CloudwatchLogGroupArn
ec2:CloudwatchLogStreamArn
ec2:CreateAction
ec2:DPDTimeoutSeconds
ec2:DhcpOptionsID
ec2:DirectoryArn
ec2:Domain
ec2:EbsOptimized
ec2:ElasticGpuType
ec2:Encrypted
ec2:FisActionId
ec2:FisTargetArns
ec2:GatewayType
ec2:HostRecovery
ec2:IKEVersions
ec2:ImageID
ec2:ImageType
ec2:InsideTunnelCidr
ec2:InsideTunnelIpv6Cidr
ec2:InstanceAutoRecovery
ec2:InstanceID
ec2:InstanceMarketType
ec2:InstanceMetadataTags
ec2:InstanceProfile
ec2:InstanceType
ec2:InternetGatewayID
ec2:Ipv4IpamPoolId
ec2:Ipv6IpamPoolId
ec2:IsLaunchTemplateResource
ec2:KeyPairName
ec2:KeyPairType
ec2:KmsKeyId
ec2:LaunchTemplate
ec2:MetadataHttpEndpoint
ec2:MetadataHttpPutResponseHopLimit
ec2:MetadataHttpTokens
ec2:NetworkAclID
ec2:NetworkInterfaceID
ec2:NewInstanceProfile
ec2:OutpostArn
ec2:Owner
ec2:ParentSnapshot
ec2:ParentVolume
ec2:Permission
ec2:Phase1DHGroup
ec2:Phase1EncryptionAlgorithms
ec2:Phase1IntegrityAlgorithms
ec2:Phase1LifetimeSeconds
ec2:Phase2DHGroup
ec2:Phase2EncryptionAlgorithms
ec2:Phase2IntegrityAlgorithms
ec2:Phase2LifetimeSeconds
ec2:PlacementGroup
ec2:PlacementGroupName
ec2:PlacementGroupStrategy
ec2:PreSharedKeys
ec2:ProductCode
ec2:Public
ec2:PublicIpAddress
ec2:Quantity
ec2:Region
ec2:RekeyFuzzPercentage
ec2:RekeyMarginTimeSeconds
ec2:Remove/group
ec2:Remove/userId
ec2:ReplayWindowSizePackets
ec2:RequesterVpc
ec2:ReservedInstancesOfferingType
ec2:ResourceTag/${TagKey}
ec2:RoleDelivery
ec2:RootDeviceType
ec2:RouteTableID
ec2:RoutingType
ec2:SamlProviderArn
ec2:SecurityGroupID
ec2:ServerCertificateArn
ec2:SnapshotCoolOffPeriod
ec2:SnapshotID
ec2:SnapshotLockDuration
ec2:SnapshotTime
ec2:SourceInstanceARN
ec2:SourceOutpostArn
ec2:Subnet
ec2:SubnetID
ec2:Tenancy
ec2:VolumeID
ec2:VolumeIops
ec2:VolumeSize
ec2:VolumeThroughput
ec2:VolumeType
ec2:Vpc
ec2:VpcID
ec2:VpcPeeringConnectionID
ec2:VpceServiceName
ec2:VpceServiceOwner
ec2:VpceServicePrivateDnsName