{ "acceptaddresstransfer": { "name": "AcceptAddressTransfer", "description": "Grants permission to accept an Elastic IP address transfer", "accessLevel": "Write", "resourceTypes": [ { "name": "elastic-ip", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:AllocationId", "ec2:Domain", "ec2:PublicIpAddress" ], "dependentActions": [ "ec2:CreateTags" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "acceptcapacityreservationbillingownership": { "name": "AcceptCapacityReservationBillingOwnership", "description": "Grants permission to accept assign billing of the available capacity of a shared Capacity Reservation to the calling account", "accessLevel": "Write", "resourceTypes": [ { "name": "capacity-reservation", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CapacityReservationFleet", "ec2:CreateDate", "ec2:DestinationCapacityReservationId", "ec2:EbsOptimized", "ec2:EndDate", "ec2:EndDateType", "ec2:InstanceCount", "ec2:InstanceMatchCriteria", "ec2:InstancePlatform", "ec2:InstanceType", "ec2:OutpostArn", "ec2:PlacementGroup", "ec2:ResourceTag/${TagKey}", "ec2:SourceCapacityReservationId", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "acceptreservedinstancesexchangequote": { "name": "AcceptReservedInstancesExchangeQuote", "description": "Grants permission to accept a Convertible Reserved Instance exchange quote", "accessLevel": "Write", "resourceTypes": [ { "name": "reserved-instances", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:InstanceType", "ec2:ReservedInstancesOfferingType", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "accepttransitgatewaymulticastdomainassociations": { "name": "AcceptTransitGatewayMulticastDomainAssociations", "description": "Grants permission to accept a request to associate subnets with a transit gateway multicast domain", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway-attachment", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayAttachmentId" ], "dependentActions": [] }, { "name": "transit-gateway-multicast-domain", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayMulticastDomainId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "accepttransitgatewaypeeringattachment": { "name": "AcceptTransitGatewayPeeringAttachment", "description": "Grants permission to accept a transit gateway peering attachment request", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway-attachment", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayAttachmentId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "accepttransitgatewayvpcattachment": { "name": "AcceptTransitGatewayVpcAttachment", "description": "Grants permission to accept a request to attach a VPC to a transit gateway", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway-attachment", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayAttachmentId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "acceptvpcendpointconnections": { "name": "AcceptVpcEndpointConnections", "description": "Grants permission to accept one or more interface VPC endpoint connections to your VPC endpoint service", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc-endpoint-service", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:vpceMultiRegion", "ec2:vpceSupportedRegion" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "acceptvpcpeeringconnection": { "name": "AcceptVpcPeeringConnection", "description": "Grants permission to accept a VPC peering connection request", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] }, { "name": "vpc-peering-connection", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AccepterVpc", "ec2:RequesterVpc", "ec2:ResourceTag/${TagKey}", "ec2:VpcPeeringConnectionID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "advertisebyoipcidr": { "name": "AdvertiseByoipCidr", "description": "Grants permission to advertise an IP address range that is provisioned for use in AWS through bring your own IP addresses (BYOIP)", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "allocateaddress": { "name": "AllocateAddress", "description": "Grants permission to allocate an Elastic IP address (EIP) to your account", "accessLevel": "Write", "resourceTypes": [ { "name": "elastic-ip", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "ipam-pool", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "ipv4pool-ec2", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "allocatehosts": { "name": "AllocateHosts", "description": "Grants permission to allocate a Dedicated Host to your account", "accessLevel": "Write", "resourceTypes": [ { "name": "dedicated-host", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:AutoPlacement", "ec2:AvailabilityZone", "ec2:HostRecovery", "ec2:InstanceType", "ec2:Quantity" ], "dependentActions": [ "ec2:CreateTags" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "allocateipampoolcidr": { "name": "AllocateIpamPoolCidr", "description": "Grants permission to allocate a CIDR from an Amazon VPC IP Address Manager (IPAM) pool", "accessLevel": "Write", "resourceTypes": [ { "name": "ipam-pool", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "applysecuritygroupstoclientvpntargetnetwork": { "name": "ApplySecurityGroupsToClientVpnTargetNetwork", "description": "Grants permission to apply a security group to the association between a Client VPN endpoint and a target network", "accessLevel": "Write", "resourceTypes": [ { "name": "client-vpn-endpoint", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ClientRootCertificateChainArn", "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" ], "dependentActions": [] }, { "name": "security-group", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:SecurityGroupID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "vpc", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "assignipv6addresses": { "name": "AssignIpv6Addresses", "description": "Grants permission to assign one or more IPv6 addresses to a network interface", "accessLevel": "Write", "resourceTypes": [ { "name": "network-interface", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ManagedResourceOperator", "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "assignprivateipaddresses": { "name": "AssignPrivateIpAddresses", "description": "Grants permission to assign one or more secondary private IP addresses to a network interface", "accessLevel": "Write", "resourceTypes": [ { "name": "network-interface", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ManagedResourceOperator", "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "assignprivatenatgatewayaddress": { "name": "AssignPrivateNatGatewayAddress", "description": "Grants permission to assign one or more secondary private IP addresses to a private NAT gateway", "accessLevel": "Write", "resourceTypes": [ { "name": "natgateway", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "associateaddress": { "name": "AssociateAddress", "description": "Grants permission to associate an Elastic IP address (EIP) with an instance or a network interface", "accessLevel": "Write", "resourceTypes": [ { "name": "elastic-ip", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AllocationId", "ec2:Domain", "ec2:PublicIpAddress", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "instance", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] }, { "name": "network-interface", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ManagedResourceOperator", "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "associatecapacityreservationbillingowner": { "name": "AssociateCapacityReservationBillingOwner", "description": "Grants permission to assign billing of the unused capacity of a shared Capacity Reservation to a consumer account", "accessLevel": "Write", "resourceTypes": [ { "name": "capacity-reservation", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CapacityReservationFleet", "ec2:CreateDate", "ec2:DestinationCapacityReservationId", "ec2:EbsOptimized", "ec2:EndDate", "ec2:EndDateType", "ec2:InstanceCount", "ec2:InstanceMatchCriteria", "ec2:InstancePlatform", "ec2:InstanceType", "ec2:OutpostArn", "ec2:PlacementGroup", "ec2:ResourceTag/${TagKey}", "ec2:SourceCapacityReservationId", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "associateclientvpntargetnetwork": { "name": "AssociateClientVpnTargetNetwork", "description": "Grants permission to associate a target network with a Client VPN endpoint", "accessLevel": "Write", "resourceTypes": [ { "name": "client-vpn-endpoint", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ClientRootCertificateChainArn", "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" ], "dependentActions": [] }, { "name": "subnet", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "associatedhcpoptions": { "name": "AssociateDhcpOptions", "description": "Grants permission to associate or disassociate a set of DHCP options with a VPC", "accessLevel": "Write", "resourceTypes": [ { "name": "dhcp-options", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:DhcpOptionsID", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "vpc", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "associateenclavecertificateiamrole": { "name": "AssociateEnclaveCertificateIamRole", "description": "Grants permission to associate an ACM certificate with an IAM role to be used in an EC2 Enclave", "accessLevel": "Write", "resourceTypes": [ { "name": "certificate", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "role", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "associateiaminstanceprofile": { "name": "AssociateIamInstanceProfile", "description": "Grants permission to associate an IAM instance profile with a running or stopped instance", "accessLevel": "Write", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:NewInstanceProfile", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [ "iam:PassRole" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "associateinstanceeventwindow": { "name": "AssociateInstanceEventWindow", "description": "Grants permission to associate one or more targets with an event window", "accessLevel": "Write", "resourceTypes": [ { "name": "instance-event-window", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "associateipambyoasn": { "name": "AssociateIpamByoasn", "description": "Grants permission to associate an Autonomous System Number (ASN) with a BYOIP CIDR", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "associateipamresourcediscovery": { "name": "AssociateIpamResourceDiscovery", "description": "Grants permission to associate an IPAM resource discovery with an Amazon VPC IPAM", "accessLevel": "Write", "resourceTypes": [ { "name": "ipam", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "ipam-resource-discovery", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "ipam-resource-discovery-association", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "associatenatgatewayaddress": { "name": "AssociateNatGatewayAddress", "description": "Grants permission to associate an Elastic IP address and private IP address with a public Nat gateway", "accessLevel": "Write", "resourceTypes": [ { "name": "elastic-ip", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AllocationId", "ec2:Domain", "ec2:PublicIpAddress", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "natgateway", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "associaterouteserver": { "name": "AssociateRouteServer", "description": "Grants permission to associate a route server with a VPC", "accessLevel": "Write", "resourceTypes": [ { "name": "route-server", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "vpc", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Ipv4IpamPoolId", "ec2:Ipv6IpamPoolId", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "associateroutetable": { "name": "AssociateRouteTable", "description": "Grants permission to associate a subnet or gateway with a route table", "accessLevel": "Write", "resourceTypes": [ { "name": "route-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:RouteTableID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "internet-gateway", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:InternetGatewayID", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "subnet", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "vpn-gateway", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "associatesecuritygroupvpc": { "name": "AssociateSecurityGroupVpc", "description": "Grants permission to associate a security group with another VPC in the same Region", "accessLevel": "Write", "resourceTypes": [ { "name": "security-group", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:SecurityGroupID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "vpc", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Ipv4IpamPoolId", "ec2:Ipv6IpamPoolId", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "associatesubnetcidrblock": { "name": "AssociateSubnetCidrBlock", "description": "Grants permission to associate a CIDR block with a subnet", "accessLevel": "Write", "resourceTypes": [ { "name": "subnet", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:Ipv6IpamPoolId", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "ipam-pool", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "associatetransitgatewaymulticastdomain": { "name": "AssociateTransitGatewayMulticastDomain", "description": "Grants permission to associate an attachment and list of subnets with a transit gateway multicast domain", "accessLevel": "Write", "resourceTypes": [ { "name": "subnet", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "transit-gateway-attachment", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayAttachmentId" ], "dependentActions": [] }, { "name": "transit-gateway-multicast-domain", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayMulticastDomainId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "associatetransitgatewaypolicytable": { "name": "AssociateTransitGatewayPolicyTable", "description": "Grants permission to associate a policy table with a transit gateway attachment", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway-attachment", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayAttachmentId" ], "dependentActions": [] }, { "name": "transit-gateway-policy-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayPolicyTableId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "associatetransitgatewayroutetable": { "name": "AssociateTransitGatewayRouteTable", "description": "Grants permission to associate an attachment with a transit gateway route table", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway-attachment", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayAttachmentId" ], "dependentActions": [] }, { "name": "transit-gateway-route-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayRouteTableId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "associatetrunkinterface": { "name": "AssociateTrunkInterface", "description": "Grants permission to associate a branch network interface with a trunk network interface", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "associateverifiedaccessinstancewebacl": { "name": "AssociateVerifiedAccessInstanceWebAcl", "isPermissionOnly": true, "description": "Grants permission to associate an AWS Web Application Firewall (WAF) web access control list (ACL) with a Verified Access instance", "accessLevel": "Write", "resourceTypes": [ { "name": "verified-access-instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "associatevpccidrblock": { "name": "AssociateVpcCidrBlock", "description": "Grants permission to associate a CIDR block with a VPC", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Ipv4IpamPoolId", "ec2:Ipv6IpamPoolId", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] }, { "name": "ipam-pool", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "ipv6pool-ec2", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "attachclassiclinkvpc": { "name": "AttachClassicLinkVpc", "description": "Grants permission to link an EC2-Classic instance to a ClassicLink-enabled VPC through one or more of the VPC's security groups", "accessLevel": "Write", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] }, { "name": "security-group", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:SecurityGroupID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "vpc", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "attachinternetgateway": { "name": "AttachInternetGateway", "description": "Grants permission to attach an internet gateway to a VPC", "accessLevel": "Write", "resourceTypes": [ { "name": "internet-gateway", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:InternetGatewayID", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "vpc", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "attachnetworkinterface": { "name": "AttachNetworkInterface", "description": "Grants permission to attach a network interface to an instance", "accessLevel": "Write", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] }, { "name": "network-interface", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ManagedResourceOperator", "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "attachverifiedaccesstrustprovider": { "name": "AttachVerifiedAccessTrustProvider", "description": "Grants permission to attach a trust provider to a Verified Access instance", "accessLevel": "Write", "resourceTypes": [ { "name": "verified-access-instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "verified-access-trust-provider", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "attachvolume": { "name": "AttachVolume", "description": "Grants permission to attach an EBS volume to a running or stopped instance and expose it to the instance with the specified device name", "accessLevel": "Write", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] }, { "name": "volume", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:ManagedResourceOperator", "ec2:ParentSnapshot", "ec2:ResourceTag/${TagKey}", "ec2:VolumeID", "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", "ec2:VolumeType" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "attachvpngateway": { "name": "AttachVpnGateway", "description": "Grants permission to attach a virtual private gateway to a VPC", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] }, { "name": "vpn-gateway", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "authorizeclientvpningress": { "name": "AuthorizeClientVpnIngress", "description": "Grants permission to add an inbound authorization rule to a Client VPN endpoint", "accessLevel": "Write", "resourceTypes": [ { "name": "client-vpn-endpoint", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ClientRootCertificateChainArn", "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "authorizesecuritygroupegress": { "name": "AuthorizeSecurityGroupEgress", "description": "Grants permission to add one or more outbound rules to a VPC security group. Policies using the security-group-rule resource-level permission are only enforced when the API request includes TagSpecifications", "accessLevel": "Write", "resourceTypes": [ { "name": "security-group", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:SecurityGroupID", "ec2:Vpc" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "security-group-rule", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "authorizesecuritygroupingress": { "name": "AuthorizeSecurityGroupIngress", "description": "Grants permission to add one or more inbound rules to a VPC security group. Policies using the security-group-rule resource-level permission are only enforced when the API request includes TagSpecifications", "accessLevel": "Write", "resourceTypes": [ { "name": "security-group", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:SecurityGroupID", "ec2:Vpc" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "security-group-rule", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "bundleinstance": { "name": "BundleInstance", "description": "Grants permission to bundle an instance store-backed Windows instance", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "cancelbundletask": { "name": "CancelBundleTask", "description": "Grants permission to cancel a bundling operation", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "cancelcapacityreservation": { "name": "CancelCapacityReservation", "description": "Grants permission to cancel a Capacity Reservation and release the reserved capacity", "accessLevel": "Write", "resourceTypes": [ { "name": "capacity-reservation", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:CapacityReservationFleet" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "cancelcapacityreservationfleets": { "name": "CancelCapacityReservationFleets", "description": "Grants permission to cancel one or more Capacity Reservation Fleets", "accessLevel": "Write", "resourceTypes": [ { "name": "capacity-reservation-fleet", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [ "ec2:CancelCapacityReservation" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "cancelconversiontask": { "name": "CancelConversionTask", "description": "Grants permission to cancel an active conversion task", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "canceldeclarativepoliciesreport": { "name": "CancelDeclarativePoliciesReport", "description": "Grants permission to cancel a declarative policies report", "accessLevel": "Write", "resourceTypes": [ { "name": "declarative-policies-report", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "cancelexporttask": { "name": "CancelExportTask", "description": "Grants permission to cancel an active export task", "accessLevel": "Write", "resourceTypes": [ { "name": "export-image-task", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "export-instance-task", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "cancelimagelaunchpermission": { "name": "CancelImageLaunchPermission", "description": "Grants permission to remove your AWS account from the launch permissions for the specified AMI", "accessLevel": "Permissions management", "resourceTypes": [ { "name": "image", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "cancelimporttask": { "name": "CancelImportTask", "description": "Grants permission to cancel an in-process import virtual machine or import snapshot task", "accessLevel": "Write", "resourceTypes": [ { "name": "import-image-task", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "import-snapshot-task", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "cancelreservedinstanceslisting": { "name": "CancelReservedInstancesListing", "description": "Grants permission to cancel a Reserved Instance listing on the Reserved Instance Marketplace", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "cancelspotfleetrequests": { "name": "CancelSpotFleetRequests", "description": "Grants permission to cancel one or more Spot Fleet requests", "accessLevel": "Write", "resourceTypes": [ { "name": "spot-fleet-request", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "cancelspotinstancerequests": { "name": "CancelSpotInstanceRequests", "description": "Grants permission to cancel one or more Spot Instance requests", "accessLevel": "Write", "resourceTypes": [ { "name": "spot-instances-request", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "confirmproductinstance": { "name": "ConfirmProductInstance", "description": "Grants permission to determine whether an owned product code is associated with an instance", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "copyfpgaimage": { "name": "CopyFpgaImage", "description": "Grants permission to copy a source Amazon FPGA image (AFI) to the current Region. Resource-level permissions specified for this action apply to the new AFI only. They do not apply to the source AFI", "accessLevel": "Write", "resourceTypes": [ { "name": "fpga-image", "required": true, "conditionKeys": [ "ec2:Owner" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "copyimage": { "name": "CopyImage", "description": "Grants permission to copy an Amazon Machine Image (AMI) from a source Region to the current Region", "accessLevel": "Write", "resourceTypes": [ { "name": "image", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:ImageID", "ec2:Owner" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "snapshot", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "copysnapshot": { "name": "CopySnapshot", "description": "Grants permission to copy a point-in-time snapshot of an EBS volume and store it in Amazon S3. Resource-level permissions specified for this action apply to both the snapshot copy and the source snapshot", "accessLevel": "Write", "resourceTypes": [ { "name": "snapshot", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:Encrypted", "ec2:OutpostArn", "ec2:Owner", "ec2:ParentSnapshot", "ec2:ParentVolume", "ec2:ProductCode", "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:VolumeSize" ], "dependentActions": [ "ec2:CreateTags" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createcapacityreservation": { "name": "CreateCapacityReservation", "description": "Grants permission to create a Capacity Reservation", "accessLevel": "Write", "resourceTypes": [ { "name": "capacity-reservation", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:AvailabilityZone", "ec2:AvailabilityZoneId", "ec2:CapacityReservationFleet", "ec2:EbsOptimized", "ec2:EndDate", "ec2:EndDateType", "ec2:EphemeralStorage", "ec2:InstanceCount", "ec2:InstanceMatchCriteria", "ec2:InstancePlatform", "ec2:InstanceType", "ec2:OutpostArn", "ec2:PlacementGroup", "ec2:Tenancy" ], "dependentActions": [ "ec2:CreateTags" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createcapacityreservationbysplitting": { "name": "CreateCapacityReservationBySplitting", "description": "Grants permission to create a new Capacity Reservation by splitting the available capacity of the source Capacity Reservation", "accessLevel": "Write", "resourceTypes": [ { "name": "capacity-reservation", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CapacityReservationFleet", "ec2:CreateDate", "ec2:DestinationCapacityReservationId", "ec2:EbsOptimized", "ec2:EndDate", "ec2:EndDateType", "ec2:InstanceCount", "ec2:InstanceMatchCriteria", "ec2:InstancePlatform", "ec2:InstanceType", "ec2:OutpostArn", "ec2:PlacementGroup", "ec2:ResourceTag/${TagKey}", "ec2:SourceCapacityReservationId", "ec2:Tenancy" ], "dependentActions": [ "ec2:CreateTags" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createcapacityreservationfleet": { "name": "CreateCapacityReservationFleet", "description": "Grants permission to create a Capacity Reservation Fleet", "accessLevel": "Write", "resourceTypes": [ { "name": "capacity-reservation-fleet", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateCapacityReservation", "ec2:CreateTags", "ec2:DescribeCapacityReservations", "ec2:DescribeInstances" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createcarriergateway": { "name": "CreateCarrierGateway", "description": "Grants permission to create a carrier gateway and provides CSP connectivity to VPC customers", "accessLevel": "Write", "resourceTypes": [ { "name": "carrier-gateway", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "vpc", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createclientvpnendpoint": { "name": "CreateClientVpnEndpoint", "description": "Grants permission to create a Client VPN endpoint", "accessLevel": "Write", "resourceTypes": [ { "name": "client-vpn-endpoint", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:ClientRootCertificateChainArn", "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "security-group", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:SecurityGroupID" ], "dependentActions": [] }, { "name": "vpc", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:VpcID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createclientvpnroute": { "name": "CreateClientVpnRoute", "description": "Grants permission to add a network route to a Client VPN endpoint's route table", "accessLevel": "Write", "resourceTypes": [ { "name": "client-vpn-endpoint", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ClientRootCertificateChainArn", "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" ], "dependentActions": [] }, { "name": "subnet", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createcoipcidr": { "name": "CreateCoipCidr", "description": "Grants permission to create a range of customer-owned IP (CoIP) addresses", "accessLevel": "Write", "resourceTypes": [ { "name": "coip-pool", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createcoippool": { "name": "CreateCoipPool", "description": "Grants permission to create a pool of customer-owned IP (CoIP) addresses", "accessLevel": "Write", "resourceTypes": [ { "name": "coip-pool", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "local-gateway-route-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createcoippoolpermission": { "name": "CreateCoipPoolPermission", "isPermissionOnly": true, "description": "Grants permission to allow a service to access a customer-owned IP (CoIP) pool", "accessLevel": "Permissions management", "resourceTypes": [ { "name": "coip-pool", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createcustomergateway": { "name": "CreateCustomerGateway", "description": "Grants permission to create a customer gateway, which provides information to AWS about your customer gateway device", "accessLevel": "Write", "resourceTypes": [ { "name": "customer-gateway", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createdefaultsubnet": { "name": "CreateDefaultSubnet", "description": "Grants permission to create a default subnet in a specified Availability Zone in a default VPC", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createdefaultvpc": { "name": "CreateDefaultVpc", "description": "Grants permission to create a default VPC with a default subnet in each Availability Zone", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createdelegatemacvolumeownershiptask": { "name": "CreateDelegateMacVolumeOwnershipTask", "description": "Grants permission to create a volume ownership delegation task for an Apple silicon Mac instance", "accessLevel": "Write", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "mac-modification-task", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createdhcpoptions": { "name": "CreateDhcpOptions", "description": "Grants permission to create a set of DHCP options for a VPC", "accessLevel": "Write", "resourceTypes": [ { "name": "dhcp-options", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:DhcpOptionsID" ], "dependentActions": [ "ec2:CreateTags" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createegressonlyinternetgateway": { "name": "CreateEgressOnlyInternetGateway", "description": "Grants permission to create an egress-only internet gateway for a VPC", "accessLevel": "Write", "resourceTypes": [ { "name": "egress-only-internet-gateway", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "vpc", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createfleet": { "name": "CreateFleet", "description": "Grants permission to launch an EC2 Fleet. Resource-level permissions for this action do not include the resources specified in a launch template. To specify resource-level permissions for resources specified in a launch template, you must include the resources in the RunInstances action statement", "accessLevel": "Write", "resourceTypes": [ { "name": "fleet", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "instance", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:PlacementGroup", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] }, { "name": "image", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], "dependentActions": [] }, { "name": "launch-template", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "placement-group", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:PlacementGroupName", "ec2:PlacementGroupStrategy", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "subnet", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "volume", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:KmsKeyId", "ec2:ParentSnapshot", "ec2:VolumeID", "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", "ec2:VolumeType" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createflowlogs": { "name": "CreateFlowLogs", "description": "Grants permission to create one or more flow logs to capture IP traffic for a network interface", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc-flow-log", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags", "ecs:ListClusters", "ecs:ListContainerInstances", "ecs:ListServices", "ecs:ListTaskDefinitions", "ecs:ListTasks", "iam:PassRole" ] }, { "name": "network-interface", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependentActions": [] }, { "name": "subnet", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "transit-gateway", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayId" ], "dependentActions": [] }, { "name": "transit-gateway-attachment", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayAttachmentId" ], "dependentActions": [] }, { "name": "vpc", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createfpgaimage": { "name": "CreateFpgaImage", "description": "Grants permission to create an Amazon FPGA Image (AFI) from a design checkpoint (DCP)", "accessLevel": "Write", "resourceTypes": [ { "name": "fpga-image", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:Owner", "ec2:Public" ], "dependentActions": [ "ec2:CreateTags" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createimage": { "name": "CreateImage", "description": "Grants permission to create an Amazon EBS-backed AMI from a stopped or running Amazon EBS-backed instance", "accessLevel": "Write", "resourceTypes": [ { "name": "image", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:ImageID", "ec2:Owner" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] }, { "name": "snapshot", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:OutpostArn", "ec2:ParentVolume", "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:SourceOutpostArn", "ec2:VolumeSize" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createinstanceconnectendpoint": { "name": "CreateInstanceConnectEndpoint", "description": "Grants permission to create an EC2 Instance Connect Endpoint that allows you to connect to an instance without a public IPv4 address", "accessLevel": "Write", "resourceTypes": [ { "name": "instance-connect-endpoint", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:SubnetID" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "subnet", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "security-group", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:SecurityGroupID", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createinstanceeventwindow": { "name": "CreateInstanceEventWindow", "description": "Grants permission to create an event window in which scheduled events for the associated Amazon EC2 instances can run", "accessLevel": "Write", "resourceTypes": [ { "name": "instance-event-window", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createinstanceexporttask": { "name": "CreateInstanceExportTask", "description": "Grants permission to export a running or stopped instance to an Amazon S3 bucket", "accessLevel": "Write", "resourceTypes": [ { "name": "export-instance-task", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createinternetgateway": { "name": "CreateInternetGateway", "description": "Grants permission to create an internet gateway for a VPC", "accessLevel": "Write", "resourceTypes": [ { "name": "internet-gateway", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:InternetGatewayID" ], "dependentActions": [ "ec2:CreateTags" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createipam": { "name": "CreateIpam", "description": "Grants permission to create an Amazon VPC IP Address Manager (IPAM)", "accessLevel": "Write", "resourceTypes": [ { "name": "ipam", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags", "iam:CreateServiceLinkedRole" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createipamexternalresourceverificationtoken": { "name": "CreateIpamExternalResourceVerificationToken", "description": "Grants permission to create a verification token, which proves ownership of an external resource", "accessLevel": "Write", "resourceTypes": [ { "name": "ipam", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "ipam-external-resource-verification-token", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createipampool": { "name": "CreateIpamPool", "description": "Grants permission to create an IP address pool for Amazon VPC IP Address Manager (IPAM), which is a collection of contiguous IP address CIDRs", "accessLevel": "Write", "resourceTypes": [ { "name": "ipam-pool", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "ipam-scope", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createipamresourcediscovery": { "name": "CreateIpamResourceDiscovery", "description": "Grants permission to create an IPAM resource discovery", "accessLevel": "Write", "resourceTypes": [ { "name": "ipam-resource-discovery", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags", "iam:CreateServiceLinkedRole" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createipamscope": { "name": "CreateIpamScope", "description": "Grants permission to create an Amazon VPC IP Address Manager (IPAM) scope, which is the highest-level container within IPAM", "accessLevel": "Write", "resourceTypes": [ { "name": "ipam", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "ipam-scope", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createkeypair": { "name": "CreateKeyPair", "description": "Grants permission to create a 2048-bit RSA key pair", "accessLevel": "Write", "resourceTypes": [ { "name": "key-pair", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:KeyPairType" ], "dependentActions": [ "ec2:CreateTags" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createlaunchtemplate": { "name": "CreateLaunchTemplate", "description": "Grants permission to create a launch template", "accessLevel": "Write", "resourceTypes": [ { "name": "launch-template", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags", "ssm:GetParameters" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createlaunchtemplateversion": { "name": "CreateLaunchTemplateVersion", "description": "Grants permission to create a new version of a launch template", "accessLevel": "Write", "resourceTypes": [ { "name": "launch-template", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [ "ssm:GetParameters" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createlocalgatewayroute": { "name": "CreateLocalGatewayRoute", "description": "Grants permission to create a static route for a local gateway route table", "accessLevel": "Write", "resourceTypes": [ { "name": "local-gateway-route-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "local-gateway-virtual-interface-group", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "network-interface", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependentActions": [] }, { "name": "prefix-list", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createlocalgatewayroutetable": { "name": "CreateLocalGatewayRouteTable", "description": "Grants permission to create a local gateway route table", "accessLevel": "Write", "resourceTypes": [ { "name": "local-gateway", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "local-gateway-route-table", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createlocalgatewayroutetablepermission": { "name": "CreateLocalGatewayRouteTablePermission", "isPermissionOnly": true, "description": "Grants permission to allow a service to access a local gateway route table", "accessLevel": "Permissions management", "resourceTypes": [ { "name": "local-gateway-route-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createlocalgatewayroutetablevirtualinterfacegroupassociation": { "name": "CreateLocalGatewayRouteTableVirtualInterfaceGroupAssociation", "description": "Grants permission to create a local gateway route table virtual interface group association", "accessLevel": "Write", "resourceTypes": [ { "name": "local-gateway-route-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "local-gateway-route-table-virtual-interface-group-association", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [] }, { "name": "local-gateway-virtual-interface-group", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createlocalgatewayroutetablevpcassociation": { "name": "CreateLocalGatewayRouteTableVpcAssociation", "description": "Grants permission to associate a VPC with a local gateway route table", "accessLevel": "Write", "resourceTypes": [ { "name": "local-gateway-route-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "local-gateway-route-table-vpc-association", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [] }, { "name": "vpc", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createlocalgatewayvirtualinterface": { "name": "CreateLocalGatewayVirtualInterface", "description": "Grants permission to create a local gateway virtual interface", "accessLevel": "Write", "resourceTypes": [ { "name": "local-gateway-virtual-interface", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "local-gateway-virtual-interface-group", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "outpost-lag", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createlocalgatewayvirtualinterfacegroup": { "name": "CreateLocalGatewayVirtualInterfaceGroup", "description": "Grants permission to create a local gateway virtual interface group", "accessLevel": "Write", "resourceTypes": [ { "name": "local-gateway", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "local-gateway-virtual-interface-group", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createmacsystemintegrityprotectionmodificationtask": { "name": "CreateMacSystemIntegrityProtectionModificationTask", "description": "Grants permission to create a System Integrity Protection (SIP) modification task for an Amazon EC2 Mac instance", "accessLevel": "Write", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "mac-modification-task", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createmanagedprefixlist": { "name": "CreateManagedPrefixList", "description": "Grants permission to create a managed prefix list", "accessLevel": "Write", "resourceTypes": [ { "name": "prefix-list", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createnatgateway": { "name": "CreateNatGateway", "description": "Grants permission to create a NAT gateway in a subnet", "accessLevel": "Write", "resourceTypes": [ { "name": "natgateway", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "subnet", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "elastic-ip", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AllocationId", "ec2:Domain", "ec2:PublicIpAddress", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createnetworkacl": { "name": "CreateNetworkAcl", "description": "Grants permission to create a network ACL in a VPC", "accessLevel": "Write", "resourceTypes": [ { "name": "network-acl", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:NetworkAclID" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "vpc", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createnetworkaclentry": { "name": "CreateNetworkAclEntry", "description": "Grants permission to create a numbered entry (a rule) in a network ACL", "accessLevel": "Write", "resourceTypes": [ { "name": "network-acl", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:NetworkAclID", "ec2:ResourceTag/${TagKey}", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createnetworkinsightsaccessscope": { "name": "CreateNetworkInsightsAccessScope", "description": "Grants permission to create a Network Access Scope", "accessLevel": "Write", "resourceTypes": [ { "name": "network-insights-access-scope", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createnetworkinsightspath": { "name": "CreateNetworkInsightsPath", "description": "Grants permission to create a path to analyze for reachability", "accessLevel": "Write", "resourceTypes": [ { "name": "network-insights-path", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "instance", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] }, { "name": "internet-gateway", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:InternetGatewayID", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "network-interface", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependentActions": [] }, { "name": "transit-gateway", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayId" ], "dependentActions": [] }, { "name": "vpc-endpoint", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "vpc-endpoint-service", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "vpc-peering-connection", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AccepterVpc", "ec2:RequesterVpc", "ec2:ResourceTag/${TagKey}", "ec2:VpcPeeringConnectionID" ], "dependentActions": [] }, { "name": "vpn-gateway", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createnetworkinterface": { "name": "CreateNetworkInterface", "description": "Grants permission to create a network interface in a subnet", "accessLevel": "Write", "resourceTypes": [ { "name": "network-interface", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:NetworkInterfaceID" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "subnet", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "security-group", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:SecurityGroupID", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createnetworkinterfacepermission": { "name": "CreateNetworkInterfacePermission", "description": "Grants permission to create a permission for an AWS-authorized user to perform certain operations on a network interface", "accessLevel": "Permissions management", "resourceTypes": [ { "name": "network-interface", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AuthorizedService", "ec2:AuthorizedUser", "ec2:AvailabilityZone", "ec2:NetworkInterfaceID", "ec2:Permission", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createplacementgroup": { "name": "CreatePlacementGroup", "description": "Grants permission to create a placement group", "accessLevel": "Write", "resourceTypes": [ { "name": "placement-group", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:PlacementGroupName", "ec2:PlacementGroupStrategy" ], "dependentActions": [ "ec2:CreateTags" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createpublicipv4pool": { "name": "CreatePublicIpv4Pool", "description": "Grants permission to create a public IPv4 address pool for public IPv4 CIDRs that you own and bring to Amazon to manage with Amazon VPC IP Address Manager (IPAM)", "accessLevel": "Write", "resourceTypes": [ { "name": "ipv4pool-ec2", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createreplacerootvolumetask": { "name": "CreateReplaceRootVolumeTask", "description": "Grants permission to create a root volume replacement task", "accessLevel": "Write", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "replace-root-volume-task", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [] }, { "name": "volume", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:VolumeID" ], "dependentActions": [] }, { "name": "image", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], "dependentActions": [] }, { "name": "snapshot", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Owner", "ec2:ParentVolume", "ec2:ResourceTag/${TagKey}", "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:VolumeSize" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createreservedinstanceslisting": { "name": "CreateReservedInstancesListing", "description": "Grants permission to create a listing for Standard Reserved Instances to be sold in the Reserved Instance Marketplace", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createrestoreimagetask": { "name": "CreateRestoreImageTask", "description": "Grants permission to start a task that restores an AMI from an S3 object previously created by using CreateStoreImageTask", "accessLevel": "Write", "resourceTypes": [ { "name": "image", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:ImageID", "ec2:Owner" ], "dependentActions": [ "ec2:CreateTags" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createroute": { "name": "CreateRoute", "description": "Grants permission to create a route in a VPC route table", "accessLevel": "Write", "resourceTypes": [ { "name": "route-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:RouteTableID", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createrouteserver": { "name": "CreateRouteServer", "description": "Grants permission to create a route server", "accessLevel": "Write", "resourceTypes": [ { "name": "route-server", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags", "sns:CreateTopic" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createrouteserverendpoint": { "name": "CreateRouteServerEndpoint", "description": "Grants permission to create a route server endpoint", "accessLevel": "Write", "resourceTypes": [ { "name": "route-server", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [ "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:CreateSecurityGroup", "ec2:CreateTags", "ec2:DescribeSecurityGroups" ] }, { "name": "route-server-endpoint", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:AvailabilityZone" ], "dependentActions": [] }, { "name": "subnet", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createrouteserverpeer": { "name": "CreateRouteServerPeer", "description": "Grants permission to create a route server peer", "accessLevel": "Write", "resourceTypes": [ { "name": "route-server-endpoint", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [ "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateTags" ] }, { "name": "route-server-peer", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:AvailabilityZone" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createroutetable": { "name": "CreateRouteTable", "description": "Grants permission to create a route table for a VPC", "accessLevel": "Write", "resourceTypes": [ { "name": "route-table", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:RouteTableID" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "vpc", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createsecuritygroup": { "name": "CreateSecurityGroup", "description": "Grants permission to create a security group", "accessLevel": "Write", "resourceTypes": [ { "name": "security-group", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:SecurityGroupID" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "vpc", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createsnapshot": { "name": "CreateSnapshot", "description": "Grants permission to create a snapshot of an EBS volume and store it in Amazon S3", "accessLevel": "Write", "resourceTypes": [ { "name": "snapshot", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:Location", "ec2:OutpostArn", "ec2:ParentVolume", "ec2:SnapshotID", "ec2:SourceAvailabilityZone", "ec2:SourceOutpostArn", "ec2:VolumeSize" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "volume", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Encrypted", "ec2:ResourceTag/${TagKey}", "ec2:VolumeID", "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", "ec2:VolumeType" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createsnapshots": { "name": "CreateSnapshots", "description": "Grants permission to create crash-consistent snapshots of multiple EBS volumes and store them in Amazon S3", "accessLevel": "Write", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:PlacementGroup", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "snapshot", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:Location", "ec2:OutpostArn", "ec2:ParentVolume", "ec2:SnapshotID", "ec2:SourceAvailabilityZone", "ec2:SourceOutpostArn", "ec2:VolumeSize" ], "dependentActions": [] }, { "name": "volume", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Encrypted", "ec2:ResourceTag/${TagKey}", "ec2:VolumeID", "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", "ec2:VolumeType" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createspotdatafeedsubscription": { "name": "CreateSpotDatafeedSubscription", "description": "Grants permission to create a data feed for Spot Instances to view Spot Instance usage logs", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createstoreimagetask": { "name": "CreateStoreImageTask", "description": "Grants permission to store an AMI as a single object in an S3 bucket", "accessLevel": "Write", "resourceTypes": [ { "name": "image", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createsubnet": { "name": "CreateSubnet", "description": "Grants permission to create a subnet in a VPC", "accessLevel": "Write", "resourceTypes": [ { "name": "subnet", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:Ipv4IpamPoolId", "ec2:Ipv6IpamPoolId", "ec2:SubnetID" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "vpc", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] }, { "name": "ipam-pool", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createsubnetcidrreservation": { "name": "CreateSubnetCidrReservation", "description": "Grants permission to create a subnet CIDR reservation", "accessLevel": "Write", "resourceTypes": [ { "name": "subnet", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID", "ec2:Vpc" ], "dependentActions": [ "ec2:CreateTags" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createtags": { "name": "CreateTags", "description": "Grants permission to add or overwrite one or more tags for Amazon EC2 resources", "accessLevel": "Tagging", "resourceTypes": [ { "name": "capacity-reservation", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [] }, { "name": "capacity-reservation-fleet", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "carrier-gateway", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:Vpc" ], "dependentActions": [] }, { "name": "client-vpn-endpoint", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ClientRootCertificateChainArn", "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" ], "dependentActions": [] }, { "name": "coip-pool", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "customer-gateway", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "declarative-policies-report", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "dedicated-host", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:AutoPlacement", "ec2:AvailabilityZone", "ec2:HostRecovery", "ec2:InstanceType", "ec2:Quantity", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "dhcp-options", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:DhcpOptionsID", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "egress-only-internet-gateway", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "elastic-gpu", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ElasticGpuType", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "elastic-ip", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:AllocationId", "ec2:Domain", "ec2:PublicIpAddress", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "export-image-task", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "export-instance-task", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "fleet", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "fpga-image", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:Owner", "ec2:Public", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "host-reservation", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "image", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], "dependentActions": [] }, { "name": "import-image-task", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "import-snapshot-task", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "instance", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] }, { "name": "instance-connect-endpoint", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID" ], "dependentActions": [] }, { "name": "instance-event-window", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "internet-gateway", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:InternetGatewayID", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "ipam", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "ipam-external-resource-verification-token", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "ipam-pool", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "ipam-resource-discovery", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "ipam-resource-discovery-association", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "ipam-scope", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "ipv4pool-ec2", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "ipv6pool-ec2", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "key-pair", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:KeyPairName", "ec2:KeyPairType", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "launch-template", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "local-gateway", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "local-gateway-route-table", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "local-gateway-route-table-virtual-interface-group-association", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "local-gateway-route-table-vpc-association", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "local-gateway-virtual-interface", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "local-gateway-virtual-interface-group", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "natgateway", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "network-acl", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:NetworkAclID", "ec2:ResourceTag/${TagKey}", "ec2:Vpc" ], "dependentActions": [] }, { "name": "network-insights-access-scope", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "network-insights-access-scope-analysis", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "network-insights-analysis", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "network-insights-path", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "network-interface", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:AuthorizedUser", "ec2:AvailabilityZone", "ec2:NetworkInterfaceID", "ec2:Permission", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependentActions": [] }, { "name": "placement-group", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:PlacementGroupName", "ec2:PlacementGroupStrategy", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "prefix-list", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "replace-root-volume-task", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "reserved-instances", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:AvailabilityZone", "ec2:InstanceType", "ec2:ReservedInstancesOfferingType", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy" ], "dependentActions": [] }, { "name": "route-server", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "route-server-endpoint", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "route-server-peer", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "route-table", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}", "ec2:RouteTableID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "security-group", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}", "ec2:SecurityGroupID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "security-group-rule", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "snapshot", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:Encrypted", "ec2:Owner", "ec2:ParentVolume", "ec2:ResourceTag/${TagKey}", "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:VolumeSize" ], "dependentActions": [] }, { "name": "spot-fleet-request", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "spot-instances-request", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "subnet", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:AvailabilityZone", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "subnet-cidr-reservation", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "traffic-mirror-filter", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "traffic-mirror-filter-rule", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "traffic-mirror-session", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "traffic-mirror-target", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "transit-gateway", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayId" ], "dependentActions": [] }, { "name": "transit-gateway-attachment", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayAttachmentId" ], "dependentActions": [] }, { "name": "transit-gateway-connect-peer", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayConnectPeerId" ], "dependentActions": [] }, { "name": "transit-gateway-multicast-domain", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayMulticastDomainId" ], "dependentActions": [] }, { "name": "transit-gateway-policy-table", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayPolicyTableId" ], "dependentActions": [] }, { "name": "transit-gateway-route-table", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayRouteTableId" ], "dependentActions": [] }, { "name": "transit-gateway-route-table-announcement", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayRouteTableAnnouncementId" ], "dependentActions": [] }, { "name": "verified-access-endpoint", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "verified-access-endpoint-target", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "verified-access-group", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "verified-access-instance", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "verified-access-policy", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "verified-access-trust-provider", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "volume", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:ParentSnapshot", "ec2:ResourceTag/${TagKey}", "ec2:VolumeID", "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", "ec2:VolumeType" ], "dependentActions": [] }, { "name": "vpc", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] }, { "name": "vpc-block-public-access-exclusion", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "vpc-endpoint", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "vpc-endpoint-connection", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "vpc-endpoint-service", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}", "ec2:vpceMultiRegion", "ec2:vpceServiceRegion", "ec2:vpceSupportedRegion" ], "dependentActions": [] }, { "name": "vpc-endpoint-service-permission", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "vpc-flow-log", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "vpc-peering-connection", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:AccepterVpc", "ec2:RequesterVpc", "ec2:ResourceTag/${TagKey}", "ec2:VpcPeeringConnectionID" ], "dependentActions": [] }, { "name": "vpn-connection", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:AuthenticationType", "ec2:DPDTimeoutSeconds", "ec2:GatewayType", "ec2:IKEVersions", "ec2:InsideTunnelCidr", "ec2:InsideTunnelIpv6Cidr", "ec2:Phase1DHGroup", "ec2:Phase1EncryptionAlgorithms", "ec2:Phase1IntegrityAlgorithms", "ec2:Phase1LifetimeSeconds", "ec2:Phase2DHGroup", "ec2:Phase2EncryptionAlgorithms", "ec2:Phase2IntegrityAlgorithms", "ec2:Phase2LifetimeSeconds", "ec2:RekeyFuzzPercentage", "ec2:RekeyMarginTimeSeconds", "ec2:ReplayWindowSizePackets", "ec2:ResourceTag/${TagKey}", "ec2:RoutingType" ], "dependentActions": [] }, { "name": "vpn-gateway", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:CreateAction", "ec2:Region" ], "dependentActions": [] }, "createtrafficmirrorfilter": { "name": "CreateTrafficMirrorFilter", "description": "Grants permission to create a traffic mirror filter", "accessLevel": "Write", "resourceTypes": [ { "name": "traffic-mirror-filter", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createtrafficmirrorfilterrule": { "name": "CreateTrafficMirrorFilterRule", "description": "Grants permission to create a traffic mirror filter rule", "accessLevel": "Write", "resourceTypes": [ { "name": "traffic-mirror-filter", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "traffic-mirror-filter-rule", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createtrafficmirrorsession": { "name": "CreateTrafficMirrorSession", "description": "Grants permission to create a traffic mirror session", "accessLevel": "Write", "resourceTypes": [ { "name": "network-interface", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "traffic-mirror-filter", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "traffic-mirror-session", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [] }, { "name": "traffic-mirror-target", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createtrafficmirrortarget": { "name": "CreateTrafficMirrorTarget", "description": "Grants permission to create a traffic mirror target", "accessLevel": "Write", "resourceTypes": [ { "name": "traffic-mirror-target", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "network-interface", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "vpc-endpoint", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:VpceServiceName", "ec2:VpceServiceOwner" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createtransitgateway": { "name": "CreateTransitGateway", "description": "Grants permission to create a transit gateway", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:transitGatewayId" ], "dependentActions": [ "ec2:CreateTags" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createtransitgatewayconnect": { "name": "CreateTransitGatewayConnect", "description": "Grants permission to create a Connect attachment from a specified transit gateway attachment", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway-attachment", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:transitGatewayAttachmentId" ], "dependentActions": [ "ec2:CreateTags" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createtransitgatewayconnectpeer": { "name": "CreateTransitGatewayConnectPeer", "description": "Grants permission to create a Connect peer between a transit gateway and an appliance", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway-attachment", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayAttachmentId" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "transit-gateway-connect-peer", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:transitGatewayConnectPeerId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createtransitgatewaymulticastdomain": { "name": "CreateTransitGatewayMulticastDomain", "description": "Grants permission to create a multicast domain for a transit gateway", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayId" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "transit-gateway-multicast-domain", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:transitGatewayMulticastDomainId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createtransitgatewaypeeringattachment": { "name": "CreateTransitGatewayPeeringAttachment", "description": "Grants permission to request a transit gateway peering attachment between a requester and accepter transit gateway", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayId" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "transit-gateway-attachment", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:transitGatewayAttachmentId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createtransitgatewaypolicytable": { "name": "CreateTransitGatewayPolicyTable", "description": "Grants permission to create a transit gateway policy table", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayId" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "transit-gateway-policy-table", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:transitGatewayPolicyTableId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createtransitgatewayprefixlistreference": { "name": "CreateTransitGatewayPrefixListReference", "description": "Grants permission to create a transit gateway prefix list reference", "accessLevel": "Write", "resourceTypes": [ { "name": "prefix-list", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "transit-gateway-route-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayRouteTableId" ], "dependentActions": [] }, { "name": "transit-gateway-attachment", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayAttachmentId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createtransitgatewayroute": { "name": "CreateTransitGatewayRoute", "description": "Grants permission to create a static route for a transit gateway route table", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway-route-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayRouteTableId" ], "dependentActions": [] }, { "name": "transit-gateway-attachment", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayAttachmentId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createtransitgatewayroutetable": { "name": "CreateTransitGatewayRouteTable", "description": "Grants permission to create a route table for a transit gateway", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayId" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "transit-gateway-route-table", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:transitGatewayRouteTableId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createtransitgatewayroutetableannouncement": { "name": "CreateTransitGatewayRouteTableAnnouncement", "description": "Grants permission to create an announcement for a transit gateway route table", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway-attachment", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayAttachmentId" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "transit-gateway-route-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayRouteTableId" ], "dependentActions": [] }, { "name": "transit-gateway-route-table-announcement", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:transitGatewayRouteTableAnnouncementId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createtransitgatewayvpcattachment": { "name": "CreateTransitGatewayVpcAttachment", "description": "Grants permission to attach a VPC to a transit gateway", "accessLevel": "Write", "resourceTypes": [ { "name": "subnet", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID", "ec2:Vpc" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "transit-gateway", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayId" ], "dependentActions": [] }, { "name": "transit-gateway-attachment", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:transitGatewayAttachmentId" ], "dependentActions": [] }, { "name": "vpc", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createverifiedaccessendpoint": { "name": "CreateVerifiedAccessEndpoint", "description": "Grants permission to create a Verified Access endpoint", "accessLevel": "Write", "resourceTypes": [ { "name": "verified-access-endpoint", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "verified-access-group", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "network-interface", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AuthorizedUser", "ec2:AvailabilityZone", "ec2:NetworkInterfaceID", "ec2:Permission", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependentActions": [] }, { "name": "security-group", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:SecurityGroupID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "subnet", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createverifiedaccessgroup": { "name": "CreateVerifiedAccessGroup", "description": "Grants permission to create a Verified Access group", "accessLevel": "Write", "resourceTypes": [ { "name": "verified-access-group", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "verified-access-instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createverifiedaccessinstance": { "name": "CreateVerifiedAccessInstance", "description": "Grants permission to create a Verified Access instance", "accessLevel": "Write", "resourceTypes": [ { "name": "verified-access-instance", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createverifiedaccesstrustprovider": { "name": "CreateVerifiedAccessTrustProvider", "description": "Grants permission to create a verified trust provider", "accessLevel": "Write", "resourceTypes": [ { "name": "verified-access-trust-provider", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createvolume": { "name": "CreateVolume", "description": "Grants permission to create an EBS volume", "accessLevel": "Write", "resourceTypes": [ { "name": "volume", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:KmsKeyId", "ec2:ParentSnapshot", "ec2:VolumeID", "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", "ec2:VolumeType" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "snapshot", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Encrypted", "ec2:Owner", "ec2:ParentVolume", "ec2:ResourceTag/${TagKey}", "ec2:SnapshotTime", "ec2:VolumeSize" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createvpc": { "name": "CreateVpc", "description": "Grants permission to create a VPC with a specified CIDR block", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:Ipv4IpamPoolId", "ec2:Ipv6IpamPoolId", "ec2:VpcID" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "ipam-pool", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "ipv6pool-ec2", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createvpcblockpublicaccessexclusion": { "name": "CreateVpcBlockPublicAccessExclusion", "description": "Grants permission to create an exclusion list for blocked public access on a VPC", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc-block-public-access-exclusion", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "subnet", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "vpc", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Ipv4IpamPoolId", "ec2:Ipv6IpamPoolId", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createvpcendpoint": { "name": "CreateVpcEndpoint", "description": "Grants permission to create a VPC endpoint for an AWS service", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:VpcID" ], "dependentActions": [ "ec2:CreateTags", "route53:AssociateVPCWithHostedZone" ] }, { "name": "vpc-endpoint", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:VpceServiceName", "ec2:VpceServiceOwner", "ec2:vpceMultiRegion", "ec2:vpceServiceRegion" ], "dependentActions": [] }, { "name": "route-table", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:RouteTableID" ], "dependentActions": [] }, { "name": "security-group", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:SecurityGroupID" ], "dependentActions": [] }, { "name": "subnet", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createvpcendpointconnectionnotification": { "name": "CreateVpcEndpointConnectionNotification", "description": "Grants permission to create a connection notification for a VPC endpoint or VPC endpoint service", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc-endpoint", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "vpc-endpoint-service", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:vpceMultiRegion", "ec2:vpceServiceRegion" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createvpcendpointserviceconfiguration": { "name": "CreateVpcEndpointServiceConfiguration", "description": "Grants permission to create a VPC endpoint service configuration to which service consumers (AWS accounts, IAM users, and IAM roles) can connect", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc-endpoint-service", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:VpceServicePrivateDnsName", "ec2:vpceMultiRegion", "ec2:vpceServiceRegion" ], "dependentActions": [ "ec2:CreateTags" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createvpcpeeringconnection": { "name": "CreateVpcPeeringConnection", "description": "Grants permission to request a VPC peering connection between two VPCs", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "vpc-peering-connection", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:AccepterVpc", "ec2:RequesterVpc", "ec2:VpcPeeringConnectionID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createvpnconnection": { "name": "CreateVpnConnection", "description": "Grants permission to create a VPN connection between a virtual private gateway or transit gateway and a customer gateway", "accessLevel": "Write", "resourceTypes": [ { "name": "customer-gateway", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "vpn-connection", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:AuthenticationType", "ec2:DPDTimeoutSeconds", "ec2:GatewayType", "ec2:IKEVersions", "ec2:InsideTunnelCidr", "ec2:InsideTunnelIpv6Cidr", "ec2:Phase1DHGroup", "ec2:Phase1EncryptionAlgorithms", "ec2:Phase1IntegrityAlgorithms", "ec2:Phase1LifetimeSeconds", "ec2:Phase2DHGroup", "ec2:Phase2EncryptionAlgorithms", "ec2:Phase2IntegrityAlgorithms", "ec2:Phase2LifetimeSeconds", "ec2:RekeyFuzzPercentage", "ec2:RekeyMarginTimeSeconds", "ec2:ReplayWindowSizePackets", "ec2:RoutingType" ], "dependentActions": [] }, { "name": "transit-gateway", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayId" ], "dependentActions": [] }, { "name": "transit-gateway-attachment", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayAttachmentId" ], "dependentActions": [] }, { "name": "vpn-gateway", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createvpnconnectionroute": { "name": "CreateVpnConnectionRoute", "description": "Grants permission to create a static route for a VPN connection between a virtual private gateway and a customer gateway", "accessLevel": "Write", "resourceTypes": [ { "name": "vpn-connection", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "createvpngateway": { "name": "CreateVpnGateway", "description": "Grants permission to create a virtual private gateway", "accessLevel": "Write", "resourceTypes": [ { "name": "vpn-gateway", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletecarriergateway": { "name": "DeleteCarrierGateway", "description": "Grants permission to delete a carrier gateway", "accessLevel": "Write", "resourceTypes": [ { "name": "carrier-gateway", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deleteclientvpnendpoint": { "name": "DeleteClientVpnEndpoint", "description": "Grants permission to delete a Client VPN endpoint", "accessLevel": "Write", "resourceTypes": [ { "name": "client-vpn-endpoint", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ClientRootCertificateChainArn", "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deleteclientvpnroute": { "name": "DeleteClientVpnRoute", "description": "Grants permission to delete a route from a Client VPN endpoint", "accessLevel": "Write", "resourceTypes": [ { "name": "client-vpn-endpoint", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ClientRootCertificateChainArn", "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" ], "dependentActions": [] }, { "name": "subnet", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletecoipcidr": { "name": "DeleteCoipCidr", "description": "Grants permission to delete a range of customer-owned IP (CoIP) addresses", "accessLevel": "Write", "resourceTypes": [ { "name": "coip-pool", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletecoippool": { "name": "DeleteCoipPool", "description": "Grants permission to delete a pool of customer-owned IP (CoIP) addresses", "accessLevel": "Write", "resourceTypes": [ { "name": "coip-pool", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletecoippoolpermission": { "name": "DeleteCoipPoolPermission", "isPermissionOnly": true, "description": "Grants permission to deny a service from accessing a customer-owned IP (CoIP) pool", "accessLevel": "Permissions management", "resourceTypes": [ { "name": "coip-pool", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletecustomergateway": { "name": "DeleteCustomerGateway", "description": "Grants permission to delete a customer gateway", "accessLevel": "Write", "resourceTypes": [ { "name": "customer-gateway", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletedhcpoptions": { "name": "DeleteDhcpOptions", "description": "Grants permission to delete a set of DHCP options", "accessLevel": "Write", "resourceTypes": [ { "name": "dhcp-options", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:DhcpOptionsID", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deleteegressonlyinternetgateway": { "name": "DeleteEgressOnlyInternetGateway", "description": "Grants permission to delete an egress-only internet gateway", "accessLevel": "Write", "resourceTypes": [ { "name": "egress-only-internet-gateway", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletefleets": { "name": "DeleteFleets", "description": "Grants permission to delete one or more EC2 Fleets", "accessLevel": "Write", "resourceTypes": [ { "name": "fleet", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deleteflowlogs": { "name": "DeleteFlowLogs", "description": "Grants permission to delete one or more flow logs", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc-flow-log", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletefpgaimage": { "name": "DeleteFpgaImage", "description": "Grants permission to delete an Amazon FPGA Image (AFI)", "accessLevel": "Write", "resourceTypes": [ { "name": "fpga-image", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Owner", "ec2:Public", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deleteinstanceconnectendpoint": { "name": "DeleteInstanceConnectEndpoint", "description": "Grants permission to delete an EC2 Instance Connect Endpoint", "accessLevel": "Write", "resourceTypes": [ { "name": "instance-connect-endpoint", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deleteinstanceeventwindow": { "name": "DeleteInstanceEventWindow", "description": "Grants permission to delete the specified event window", "accessLevel": "Write", "resourceTypes": [ { "name": "instance-event-window", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deleteinternetgateway": { "name": "DeleteInternetGateway", "description": "Grants permission to delete an internet gateway", "accessLevel": "Write", "resourceTypes": [ { "name": "internet-gateway", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:InternetGatewayID", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deleteipam": { "name": "DeleteIpam", "description": "Grants permission to delete an Amazon VPC IP Address Manager (IPAM) and remove all monitored data associated with the IPAM including the historical data for CIDRs", "accessLevel": "Write", "resourceTypes": [ { "name": "ipam", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deleteipamexternalresourceverificationtoken": { "name": "DeleteIpamExternalResourceVerificationToken", "description": "Grants permission to delete a verification token, which proves ownership of an external resource", "accessLevel": "Write", "resourceTypes": [ { "name": "ipam-external-resource-verification-token", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deleteipampool": { "name": "DeleteIpamPool", "description": "Grants permission to delete an Amazon VPC IP Address Manager (IPAM) pool", "accessLevel": "Write", "resourceTypes": [ { "name": "ipam-pool", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deleteipamresourcediscovery": { "name": "DeleteIpamResourceDiscovery", "description": "Grants permission to delete an IPAM resource discovery", "accessLevel": "Write", "resourceTypes": [ { "name": "ipam-resource-discovery", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deleteipamscope": { "name": "DeleteIpamScope", "description": "Grants permission to delete the scope for an Amazon VPC IP Address Manager (IPAM)", "accessLevel": "Write", "resourceTypes": [ { "name": "ipam-scope", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletekeypair": { "name": "DeleteKeyPair", "description": "Grants permission to delete a key pair by removing the public key from Amazon EC2", "accessLevel": "Write", "resourceTypes": [ { "name": "key-pair", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:KeyPairName", "ec2:KeyPairType", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletelaunchtemplate": { "name": "DeleteLaunchTemplate", "description": "Grants permission to delete a launch template and its associated versions", "accessLevel": "Write", "resourceTypes": [ { "name": "launch-template", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ManagedResourceOperator", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletelaunchtemplateversions": { "name": "DeleteLaunchTemplateVersions", "description": "Grants permission to delete one or more versions of a launch template", "accessLevel": "Write", "resourceTypes": [ { "name": "launch-template", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ManagedResourceOperator", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletelocalgatewayroute": { "name": "DeleteLocalGatewayRoute", "description": "Grants permission to delete a route from a local gateway route table", "accessLevel": "Write", "resourceTypes": [ { "name": "local-gateway-route-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "prefix-list", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletelocalgatewayroutetable": { "name": "DeleteLocalGatewayRouteTable", "description": "Grants permission to delete a local gateway route table", "accessLevel": "Write", "resourceTypes": [ { "name": "local-gateway-route-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletelocalgatewayroutetablepermission": { "name": "DeleteLocalGatewayRouteTablePermission", "isPermissionOnly": true, "description": "Grants permission to deny a service from accessing a local gateway route table", "accessLevel": "Permissions management", "resourceTypes": [ { "name": "local-gateway-route-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletelocalgatewayroutetablevirtualinterfacegroupassociation": { "name": "DeleteLocalGatewayRouteTableVirtualInterfaceGroupAssociation", "description": "Grants permission to delete a local gateway route table virtual interface group association", "accessLevel": "Write", "resourceTypes": [ { "name": "local-gateway-route-table-virtual-interface-group-association", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletelocalgatewayroutetablevpcassociation": { "name": "DeleteLocalGatewayRouteTableVpcAssociation", "description": "Grants permission to delete an association between a VPC and local gateway route table", "accessLevel": "Write", "resourceTypes": [ { "name": "local-gateway-route-table-vpc-association", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletelocalgatewayvirtualinterface": { "name": "DeleteLocalGatewayVirtualInterface", "description": "Grants permission to delete a local gateway virtual interface", "accessLevel": "Write", "resourceTypes": [ { "name": "local-gateway-virtual-interface", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletelocalgatewayvirtualinterfacegroup": { "name": "DeleteLocalGatewayVirtualInterfaceGroup", "description": "Grants permission to delete a local gateway virtual interface group", "accessLevel": "Write", "resourceTypes": [ { "name": "local-gateway-virtual-interface-group", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletemanagedprefixlist": { "name": "DeleteManagedPrefixList", "description": "Grants permission to delete a managed prefix list", "accessLevel": "Write", "resourceTypes": [ { "name": "prefix-list", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletenatgateway": { "name": "DeleteNatGateway", "description": "Grants permission to delete a NAT gateway", "accessLevel": "Write", "resourceTypes": [ { "name": "natgateway", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletenetworkacl": { "name": "DeleteNetworkAcl", "description": "Grants permission to delete a network ACL", "accessLevel": "Write", "resourceTypes": [ { "name": "network-acl", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:NetworkAclID", "ec2:ResourceTag/${TagKey}", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletenetworkaclentry": { "name": "DeleteNetworkAclEntry", "description": "Grants permission to delete an inbound or outbound entry (rule) from a network ACL", "accessLevel": "Write", "resourceTypes": [ { "name": "network-acl", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:NetworkAclID", "ec2:ResourceTag/${TagKey}", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletenetworkinsightsaccessscope": { "name": "DeleteNetworkInsightsAccessScope", "description": "Grants permission to delete a Network Access Scope", "accessLevel": "Write", "resourceTypes": [ { "name": "network-insights-access-scope", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletenetworkinsightsaccessscopeanalysis": { "name": "DeleteNetworkInsightsAccessScopeAnalysis", "description": "Grants permission to delete a Network Access Scope analysis", "accessLevel": "Write", "resourceTypes": [ { "name": "network-insights-access-scope-analysis", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletenetworkinsightsanalysis": { "name": "DeleteNetworkInsightsAnalysis", "description": "Grants permission to delete a network insights analysis", "accessLevel": "Write", "resourceTypes": [ { "name": "network-insights-analysis", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletenetworkinsightspath": { "name": "DeleteNetworkInsightsPath", "description": "Grants permission to delete a network insights path", "accessLevel": "Write", "resourceTypes": [ { "name": "network-insights-path", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletenetworkinterface": { "name": "DeleteNetworkInterface", "description": "Grants permission to delete a detached network interface", "accessLevel": "Write", "resourceTypes": [ { "name": "network-interface", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ManagedResourceOperator", "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletenetworkinterfacepermission": { "name": "DeleteNetworkInterfacePermission", "description": "Grants permission to delete a permission that is associated with a network interface", "accessLevel": "Permissions management", "resourceTypes": [ { "name": "network-interface", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ManagedResourceOperator", "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deleteplacementgroup": { "name": "DeletePlacementGroup", "description": "Grants permission to delete a placement group", "accessLevel": "Write", "resourceTypes": [ { "name": "placement-group", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:PlacementGroupName", "ec2:PlacementGroupStrategy", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletepublicipv4pool": { "name": "DeletePublicIpv4Pool", "description": "Grants permission to delete a public IPv4 address pool for public IPv4 CIDRs that you own and brought to Amazon to manage with Amazon VPC IP Address Manager (IPAM)", "accessLevel": "Write", "resourceTypes": [ { "name": "ipv4pool-ec2", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletequeuedreservedinstances": { "name": "DeleteQueuedReservedInstances", "description": "Grants permission to delete the queued purchases for the specified Reserved Instances", "accessLevel": "Write", "resourceTypes": [ { "name": "reserved-instances", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:InstanceType", "ec2:ReservedInstancesOfferingType", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deleteresourcepolicy": { "name": "DeleteResourcePolicy", "isPermissionOnly": true, "description": "Grants permission to remove an IAM policy that enables cross-account sharing from a resource", "accessLevel": "Permissions management", "resourceTypes": [ { "name": "ipam-pool", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "placement-group", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:PlacementGroupName", "ec2:PlacementGroupStrategy", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "verified-access-group", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deleteroute": { "name": "DeleteRoute", "description": "Grants permission to delete a route from a route table", "accessLevel": "Write", "resourceTypes": [ { "name": "route-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:RouteTableID", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deleterouteserver": { "name": "DeleteRouteServer", "description": "Grants permission to delete a route server", "accessLevel": "Write", "resourceTypes": [ { "name": "route-server", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [ "sns:DeleteTopic" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deleterouteserverendpoint": { "name": "DeleteRouteServerEndpoint", "description": "Grants permission to delete a route server endpoint", "accessLevel": "Write", "resourceTypes": [ { "name": "route-server-endpoint", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [ "ec2:DeleteNetworkInterface", "ec2:DeleteSecurityGroup", "ec2:RevokeSecurityGroupIngress" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deleterouteserverpeer": { "name": "DeleteRouteServerPeer", "description": "Grants permission to delete a route server peer", "accessLevel": "Write", "resourceTypes": [ { "name": "route-server-peer", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [ "ec2:RevokeSecurityGroupIngress" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deleteroutetable": { "name": "DeleteRouteTable", "description": "Grants permission to delete a route table", "accessLevel": "Write", "resourceTypes": [ { "name": "route-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:RouteTableID", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletesecuritygroup": { "name": "DeleteSecurityGroup", "description": "Grants permission to delete a security group", "accessLevel": "Write", "resourceTypes": [ { "name": "security-group", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:SecurityGroupID", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletesnapshot": { "name": "DeleteSnapshot", "description": "Grants permission to delete a snapshot of an EBS volume", "accessLevel": "Write", "resourceTypes": [ { "name": "snapshot", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:OutpostArn", "ec2:Owner", "ec2:ParentVolume", "ec2:ResourceTag/${TagKey}", "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:VolumeSize" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletespotdatafeedsubscription": { "name": "DeleteSpotDatafeedSubscription", "description": "Grants permission to delete a data feed for Spot Instances", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletesubnet": { "name": "DeleteSubnet", "description": "Grants permission to delete a subnet", "accessLevel": "Write", "resourceTypes": [ { "name": "subnet", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletesubnetcidrreservation": { "name": "DeleteSubnetCidrReservation", "description": "Grants permission to delete a subnet CIDR reservation", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletetags": { "name": "DeleteTags", "description": "Grants permission to delete one or more tags from Amazon EC2 resources", "accessLevel": "Tagging", "resourceTypes": [ { "name": "capacity-reservation", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "capacity-reservation-fleet", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "carrier-gateway", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "client-vpn-endpoint", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "coip-pool", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "customer-gateway", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "declarative-policies-report", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "dedicated-host", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "dhcp-options", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "egress-only-internet-gateway", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "elastic-gpu", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "elastic-ip", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "export-image-task", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "export-instance-task", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "fleet", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "fpga-image", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "host-reservation", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "image", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "import-image-task", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "import-snapshot-task", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "instance", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "instance-connect-endpoint", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "instance-event-window", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "internet-gateway", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "ipam", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "ipam-external-resource-verification-token", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "ipam-pool", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "ipam-resource-discovery", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "ipam-resource-discovery-association", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "ipam-scope", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "ipv4pool-ec2", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "ipv6pool-ec2", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "key-pair", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "launch-template", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "local-gateway", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "local-gateway-route-table", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "local-gateway-route-table-virtual-interface-group-association", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "local-gateway-route-table-vpc-association", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "local-gateway-virtual-interface", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "local-gateway-virtual-interface-group", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "natgateway", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "network-acl", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "network-insights-access-scope", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "network-insights-access-scope-analysis", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "network-insights-analysis", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "network-insights-path", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "network-interface", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "placement-group", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "prefix-list", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "replace-root-volume-task", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "reserved-instances", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "route-server", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "route-server-endpoint", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "route-server-peer", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "route-table", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "security-group", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "security-group-rule", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "snapshot", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "spot-fleet-request", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "spot-instances-request", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "subnet", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "subnet-cidr-reservation", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "traffic-mirror-filter", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "traffic-mirror-filter-rule", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "traffic-mirror-session", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "traffic-mirror-target", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "transit-gateway", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "transit-gateway-attachment", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "transit-gateway-connect-peer", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "transit-gateway-multicast-domain", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "transit-gateway-policy-table", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "transit-gateway-route-table", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "transit-gateway-route-table-announcement", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "verified-access-endpoint", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "verified-access-endpoint-target", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "verified-access-group", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "verified-access-instance", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "verified-access-policy", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "verified-access-trust-provider", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "volume", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "vpc", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "vpc-block-public-access-exclusion", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "vpc-endpoint", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "vpc-endpoint-connection", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "vpc-endpoint-service", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "vpc-endpoint-service-permission", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "vpc-flow-log", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "vpc-peering-connection", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "vpn-connection", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "vpn-gateway", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "aws:TagKeys", "ec2:Region" ], "dependentActions": [] }, "deletetrafficmirrorfilter": { "name": "DeleteTrafficMirrorFilter", "description": "Grants permission to delete a traffic mirror filter", "accessLevel": "Write", "resourceTypes": [ { "name": "traffic-mirror-filter", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletetrafficmirrorfilterrule": { "name": "DeleteTrafficMirrorFilterRule", "description": "Grants permission to delete a traffic mirror filter rule", "accessLevel": "Write", "resourceTypes": [ { "name": "traffic-mirror-filter", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "traffic-mirror-filter-rule", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletetrafficmirrorsession": { "name": "DeleteTrafficMirrorSession", "description": "Grants permission to delete a traffic mirror session", "accessLevel": "Write", "resourceTypes": [ { "name": "traffic-mirror-session", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletetrafficmirrortarget": { "name": "DeleteTrafficMirrorTarget", "description": "Grants permission to delete a traffic mirror target", "accessLevel": "Write", "resourceTypes": [ { "name": "traffic-mirror-target", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletetransitgateway": { "name": "DeleteTransitGateway", "description": "Grants permission to delete a transit gateway", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletetransitgatewayconnect": { "name": "DeleteTransitGatewayConnect", "description": "Grants permission to delete a transit gateway connect attachment", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway-attachment", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayAttachmentId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletetransitgatewayconnectpeer": { "name": "DeleteTransitGatewayConnectPeer", "description": "Grants permission to delete a transit gateway connect peer", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway-connect-peer", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayConnectPeerId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletetransitgatewaymulticastdomain": { "name": "DeleteTransitGatewayMulticastDomain", "description": "Grants permission to delete a transit gateway multicast domain", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway-multicast-domain", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayMulticastDomainId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletetransitgatewaypeeringattachment": { "name": "DeleteTransitGatewayPeeringAttachment", "description": "Grants permission to delete a peering attachment from a transit gateway", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway-attachment", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayAttachmentId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletetransitgatewaypolicytable": { "name": "DeleteTransitGatewayPolicyTable", "description": "Grants permission to delete a transit gateway policy table", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway-policy-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayPolicyTableId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletetransitgatewayprefixlistreference": { "name": "DeleteTransitGatewayPrefixListReference", "description": "Grants permission to delete a transit gateway prefix list reference", "accessLevel": "Write", "resourceTypes": [ { "name": "prefix-list", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "transit-gateway-route-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayRouteTableId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletetransitgatewayroute": { "name": "DeleteTransitGatewayRoute", "description": "Grants permission to delete a route from a transit gateway route table", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway-route-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayRouteTableId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletetransitgatewayroutetable": { "name": "DeleteTransitGatewayRouteTable", "description": "Grants permission to delete a transit gateway route table", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway-route-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayRouteTableId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletetransitgatewayroutetableannouncement": { "name": "DeleteTransitGatewayRouteTableAnnouncement", "description": "Grants permission to delete a transit gateway route table announcement", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway-route-table-announcement", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayRouteTableAnnouncementId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletetransitgatewayvpcattachment": { "name": "DeleteTransitGatewayVpcAttachment", "description": "Grants permission to delete a VPC attachment from a transit gateway", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway-attachment", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayAttachmentId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deleteverifiedaccessendpoint": { "name": "DeleteVerifiedAccessEndpoint", "description": "Grants permission to delete a Verified Access endpoint", "accessLevel": "Write", "resourceTypes": [ { "name": "verified-access-endpoint", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deleteverifiedaccessgroup": { "name": "DeleteVerifiedAccessGroup", "description": "Grants permission to delete a Verified Access group", "accessLevel": "Write", "resourceTypes": [ { "name": "verified-access-group", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deleteverifiedaccessinstance": { "name": "DeleteVerifiedAccessInstance", "description": "Grants permission to delete a Verified Access instance", "accessLevel": "Write", "resourceTypes": [ { "name": "verified-access-instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deleteverifiedaccesstrustprovider": { "name": "DeleteVerifiedAccessTrustProvider", "description": "Grants permission to delete a verified trust provider", "accessLevel": "Write", "resourceTypes": [ { "name": "verified-access-trust-provider", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletevolume": { "name": "DeleteVolume", "description": "Grants permission to delete an EBS volume", "accessLevel": "Write", "resourceTypes": [ { "name": "volume", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:ManagedResourceOperator", "ec2:ParentSnapshot", "ec2:ResourceTag/${TagKey}", "ec2:VolumeID", "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", "ec2:VolumeType" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletevpc": { "name": "DeleteVpc", "description": "Grants permission to delete a VPC", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletevpcblockpublicaccessexclusion": { "name": "DeleteVpcBlockPublicAccessExclusion", "description": "Grants permission to delete an exclusion list for blocked public access on a VPC", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc-block-public-access-exclusion", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletevpcendpointconnectionnotifications": { "name": "DeleteVpcEndpointConnectionNotifications", "description": "Grants permission to delete one or more VPC endpoint connection notifications", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc-endpoint", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "vpc-endpoint-service", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:vpceMultiRegion", "ec2:vpceSupportedRegion" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletevpcendpointserviceconfigurations": { "name": "DeleteVpcEndpointServiceConfigurations", "description": "Grants permission to delete one or more VPC endpoint service configurations", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc-endpoint-service", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:vpceMultiRegion", "ec2:vpceSupportedRegion" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletevpcendpoints": { "name": "DeleteVpcEndpoints", "description": "Grants permission to delete one or more VPC endpoints", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc-endpoint", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:VpceServiceName", "ec2:vpceMultiRegion", "ec2:vpceServiceRegion" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletevpcpeeringconnection": { "name": "DeleteVpcPeeringConnection", "description": "Grants permission to delete a VPC peering connection", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc-peering-connection", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AccepterVpc", "ec2:RequesterVpc", "ec2:ResourceTag/${TagKey}", "ec2:VpcPeeringConnectionID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletevpnconnection": { "name": "DeleteVpnConnection", "description": "Grants permission to delete a VPN connection", "accessLevel": "Write", "resourceTypes": [ { "name": "vpn-connection", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletevpnconnectionroute": { "name": "DeleteVpnConnectionRoute", "description": "Grants permission to delete a static route for a VPN connection between a virtual private gateway and a customer gateway", "accessLevel": "Write", "resourceTypes": [ { "name": "vpn-connection", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deletevpngateway": { "name": "DeleteVpnGateway", "description": "Grants permission to delete a virtual private gateway", "accessLevel": "Write", "resourceTypes": [ { "name": "vpn-gateway", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deprovisionbyoipcidr": { "name": "DeprovisionByoipCidr", "description": "Grants permission to release an IP address range that was provisioned through bring your own IP addresses (BYOIP), and to delete the corresponding address pool", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deprovisionipambyoasn": { "name": "DeprovisionIpamByoasn", "description": "Grants permission to deprovision an Autonomous System Number (ASN) from an Amazon Web Services account", "accessLevel": "Write", "resourceTypes": [ { "name": "ipam", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deprovisionipampoolcidr": { "name": "DeprovisionIpamPoolCidr", "description": "Grants permission to deprovision a CIDR provisioned from an Amazon VPC IP Address Manager (IPAM) pool", "accessLevel": "Write", "resourceTypes": [ { "name": "ipam-pool", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deprovisionpublicipv4poolcidr": { "name": "DeprovisionPublicIpv4PoolCidr", "description": "Grants permission to deprovision a CIDR from a public IPv4 pool", "accessLevel": "Write", "resourceTypes": [ { "name": "ipv4pool-ec2", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deregisterimage": { "name": "DeregisterImage", "description": "Grants permission to deregister an Amazon Machine Image (AMI)", "accessLevel": "Write", "resourceTypes": [ { "name": "image", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deregisterinstanceeventnotificationattributes": { "name": "DeregisterInstanceEventNotificationAttributes", "description": "Grants permission to remove tags from the set of tags to include in notifications about scheduled events for your instances", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deregistertransitgatewaymulticastgroupmembers": { "name": "DeregisterTransitGatewayMulticastGroupMembers", "description": "Grants permission to deregister one or more network interface members from a group IP address in a transit gateway multicast domain", "accessLevel": "Write", "resourceTypes": [ { "name": "network-interface", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ManagedResourceOperator", "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependentActions": [] }, { "name": "transit-gateway-multicast-domain", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayMulticastDomainId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "deregistertransitgatewaymulticastgroupsources": { "name": "DeregisterTransitGatewayMulticastGroupSources", "description": "Grants permission to deregister one or more network interface sources from a group IP address in a transit gateway multicast domain", "accessLevel": "Write", "resourceTypes": [ { "name": "network-interface", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ManagedResourceOperator", "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependentActions": [] }, { "name": "transit-gateway-multicast-domain", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayMulticastDomainId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeaccountattributes": { "name": "DescribeAccountAttributes", "description": "Grants permission to describe the attributes of the AWS account", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeaddresstransfers": { "name": "DescribeAddressTransfers", "description": "Grants permission to describe an Elastic IP address transfer", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeaddresses": { "name": "DescribeAddresses", "description": "Grants permission to describe one or more Elastic IP addresses", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeaddressesattribute": { "name": "DescribeAddressesAttribute", "description": "Grants permission to describe the attributes of the specified Elastic IP addresses", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeaggregateidformat": { "name": "DescribeAggregateIdFormat", "description": "Grants permission to describe the longer ID format settings for all resource types", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeavailabilityzones": { "name": "DescribeAvailabilityZones", "description": "Grants permission to describe one or more of the Availability Zones that are available to you", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeawsnetworkperformancemetricsubscriptions": { "name": "DescribeAwsNetworkPerformanceMetricSubscriptions", "description": "Grants permission to describe the current infrastructure performance metric subscriptions", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describebundletasks": { "name": "DescribeBundleTasks", "description": "Grants permission to describe one or more bundling tasks", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describebyoipcidrs": { "name": "DescribeByoipCidrs", "description": "Grants permission to describe the IP address ranges that were provisioned through bring your own IP addresses (BYOIP)", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describecapacityblockextensionhistory": { "name": "DescribeCapacityBlockExtensionHistory", "description": "Grants permission to describe Capacity Block extensions history", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describecapacityblockextensionofferings": { "name": "DescribeCapacityBlockExtensionOfferings", "description": "Grants permission to describe Capacity Block extensions offerings", "accessLevel": "List", "resourceTypes": [ { "name": "capacity-reservation", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CapacityReservationFleet", "ec2:CreateDate", "ec2:DestinationCapacityReservationId", "ec2:EbsOptimized", "ec2:EndDate", "ec2:EndDateType", "ec2:InstanceCount", "ec2:InstanceMatchCriteria", "ec2:InstancePlatform", "ec2:InstanceType", "ec2:OutpostArn", "ec2:PlacementGroup", "ec2:ResourceTag/${TagKey}", "ec2:SourceCapacityReservationId", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describecapacityblockofferings": { "name": "DescribeCapacityBlockOfferings", "description": "Grants permission to describe Capacity Block offerings available for purchase", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describecapacityreservationbillingrequests": { "name": "DescribeCapacityReservationBillingRequests", "description": "Grants permission to describe one or more requests to assign the billing of the unused capacity of a Capacity Reservation", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describecapacityreservationfleets": { "name": "DescribeCapacityReservationFleets", "description": "Grants permission to describe one or more Capacity Reservation Fleets", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describecapacityreservations": { "name": "DescribeCapacityReservations", "description": "Grants permission to describe one or more Capacity Reservations", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describecarriergateways": { "name": "DescribeCarrierGateways", "description": "Grants permission to describe one or more Carrier Gateways", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeclassiclinkinstances": { "name": "DescribeClassicLinkInstances", "description": "Grants permission to describe one or more linked EC2-Classic instances", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeclientvpnauthorizationrules": { "name": "DescribeClientVpnAuthorizationRules", "description": "Grants permission to describe the authorization rules for a Client VPN endpoint", "accessLevel": "List", "resourceTypes": [ { "name": "client-vpn-endpoint", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeclientvpnconnections": { "name": "DescribeClientVpnConnections", "description": "Grants permission to describe active client connections and connections that have been terminated within the last 60 minutes for a Client VPN endpoint", "accessLevel": "List", "resourceTypes": [ { "name": "client-vpn-endpoint", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ClientRootCertificateChainArn", "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeclientvpnendpoints": { "name": "DescribeClientVpnEndpoints", "description": "Grants permission to describe one or more Client VPN endpoints", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeclientvpnroutes": { "name": "DescribeClientVpnRoutes", "description": "Grants permission to describe the routes for a Client VPN endpoint", "accessLevel": "List", "resourceTypes": [ { "name": "client-vpn-endpoint", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ClientRootCertificateChainArn", "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeclientvpntargetnetworks": { "name": "DescribeClientVpnTargetNetworks", "description": "Grants permission to describe the target networks that are associated with a Client VPN endpoint", "accessLevel": "List", "resourceTypes": [ { "name": "client-vpn-endpoint", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ClientRootCertificateChainArn", "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describecoippools": { "name": "DescribeCoipPools", "description": "Grants permission to describe the specified customer-owned address pools or all of your customer-owned address pools", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeconversiontasks": { "name": "DescribeConversionTasks", "description": "Grants permission to describe one or more conversion tasks", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describecustomergateways": { "name": "DescribeCustomerGateways", "description": "Grants permission to describe one or more customer gateways", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describedeclarativepoliciesreports": { "name": "DescribeDeclarativePoliciesReports", "description": "Grants permission to describe one or more declarative policies reports", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describedhcpoptions": { "name": "DescribeDhcpOptions", "description": "Grants permission to describe one or more DHCP options sets", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeegressonlyinternetgateways": { "name": "DescribeEgressOnlyInternetGateways", "description": "Grants permission to describe one or more egress-only internet gateways", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeelasticgpus": { "name": "DescribeElasticGpus", "description": "Grants permission to describe an Elastic Graphics accelerator that is associated with an instance", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeexportimagetasks": { "name": "DescribeExportImageTasks", "description": "Grants permission to describe one or more export image tasks", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeexporttasks": { "name": "DescribeExportTasks", "description": "Grants permission to describe one or more export instance tasks", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describefastlaunchimages": { "name": "DescribeFastLaunchImages", "description": "Grants permission to describe fast-launch enabled Windows AMIs", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describefastsnapshotrestores": { "name": "DescribeFastSnapshotRestores", "description": "Grants permission to describe the state of fast snapshot restores for snapshots", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describefleethistory": { "name": "DescribeFleetHistory", "description": "Grants permission to describe the events for an EC2 Fleet during a specified time", "accessLevel": "List", "resourceTypes": [ { "name": "fleet", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describefleetinstances": { "name": "DescribeFleetInstances", "description": "Grants permission to describe the running instances for an EC2 Fleet", "accessLevel": "List", "resourceTypes": [ { "name": "fleet", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describefleets": { "name": "DescribeFleets", "description": "Grants permission to describe one or more EC2 Fleets", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeflowlogs": { "name": "DescribeFlowLogs", "description": "Grants permission to describe one or more flow logs", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describefpgaimageattribute": { "name": "DescribeFpgaImageAttribute", "description": "Grants permission to describe the attributes of an Amazon FPGA Image (AFI)", "accessLevel": "List", "resourceTypes": [ { "name": "fpga-image", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Owner", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describefpgaimages": { "name": "DescribeFpgaImages", "description": "Grants permission to describe one or more Amazon FPGA Images (AFIs)", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describehostreservationofferings": { "name": "DescribeHostReservationOfferings", "description": "Grants permission to describe the Dedicated Host Reservations that are available to purchase", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describehostreservations": { "name": "DescribeHostReservations", "description": "Grants permission to describe the Dedicated Host Reservations that are associated with Dedicated Hosts in the AWS account", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describehosts": { "name": "DescribeHosts", "description": "Grants permission to describe one or more Dedicated Hosts", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeiaminstanceprofileassociations": { "name": "DescribeIamInstanceProfileAssociations", "description": "Grants permission to describe the IAM instance profile associations", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeidformat": { "name": "DescribeIdFormat", "description": "Grants permission to describe the ID format settings for resources", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeidentityidformat": { "name": "DescribeIdentityIdFormat", "description": "Grants permission to describe the ID format settings for resources for an IAM user, IAM role, or root user", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeimageattribute": { "name": "DescribeImageAttribute", "description": "Grants permission to describe an attribute of an Amazon Machine Image (AMI)", "accessLevel": "List", "resourceTypes": [ { "name": "image", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeimages": { "name": "DescribeImages", "description": "Grants permission to describe one or more images (AMIs, AKIs, and ARIs)", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeimportimagetasks": { "name": "DescribeImportImageTasks", "description": "Grants permission to describe import virtual machine or import snapshot tasks", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeimportsnapshottasks": { "name": "DescribeImportSnapshotTasks", "description": "Grants permission to describe import snapshot tasks", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeinstanceattribute": { "name": "DescribeInstanceAttribute", "description": "Grants permission to describe the attributes of an instance", "accessLevel": "List", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeinstanceconnectendpoints": { "name": "DescribeInstanceConnectEndpoints", "description": "Grants permission to describe EC2 Instance Connect Endpoints", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeinstancecreditspecifications": { "name": "DescribeInstanceCreditSpecifications", "description": "Grants permission to describe the credit option for CPU usage of one or more burstable performance instances", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeinstanceeventnotificationattributes": { "name": "DescribeInstanceEventNotificationAttributes", "description": "Grants permission to describe the set of tags to include in notifications about scheduled events for your instances", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeinstanceeventwindows": { "name": "DescribeInstanceEventWindows", "description": "Grants permission to describe the specified event windows or all event windows", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeinstanceimagemetadata": { "name": "DescribeInstanceImageMetadata", "description": "Grants permission to describe the AMI that was used to launch an instance", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeinstancestatus": { "name": "DescribeInstanceStatus", "description": "Grants permission to describe the status of one or more instances", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeinstancetopology": { "name": "DescribeInstanceTopology", "description": "Grants permission to describe a tree-based hierarchy that represents the physical host placement of EC2 instances", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeinstancetypeofferings": { "name": "DescribeInstanceTypeOfferings", "description": "Grants permission to describe the set of instance types that are offered in a location", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeinstancetypes": { "name": "DescribeInstanceTypes", "description": "Grants permission to describe the details of instance types that are offered in a location", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeinstances": { "name": "DescribeInstances", "description": "Grants permission to describe one or more instances", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeinternetgateways": { "name": "DescribeInternetGateways", "description": "Grants permission to describe one or more internet gateways", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeipambyoasn": { "name": "DescribeIpamByoasn", "description": "Grants permission to describe a bring your own Autonomous System Number (BYOASN) that you've brought to IPAM", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeipamexternalresourceverificationtokens": { "name": "DescribeIpamExternalResourceVerificationTokens", "description": "Grants permission to describe verification tokens, which proves ownership of an external resource", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeipampools": { "name": "DescribeIpamPools", "description": "Grants permission to describe Amazon VPC IP Address Manager (IPAM) pools", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeipamresourcediscoveries": { "name": "DescribeIpamResourceDiscoveries", "description": "Grants permission to describe IPAM resource discoveries", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeipamresourcediscoveryassociations": { "name": "DescribeIpamResourceDiscoveryAssociations", "description": "Grants permission to describe resource discovery associations with an Amazon VPC IPAM", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeipamscopes": { "name": "DescribeIpamScopes", "description": "Grants permission to describe Amazon VPC IP Address Manager (IPAM) scopes", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeipams": { "name": "DescribeIpams", "description": "Grants permission to describe an Amazon VPC IP Address Manager (IPAM)", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeipv6pools": { "name": "DescribeIpv6Pools", "description": "Grants permission to describe one or more IPv6 address pools", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describekeypairs": { "name": "DescribeKeyPairs", "description": "Grants permission to describe one or more key pairs", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describelaunchtemplateversions": { "name": "DescribeLaunchTemplateVersions", "description": "Grants permission to describe one or more launch template versions", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [ "ssm:GetParameters" ] }, "describelaunchtemplates": { "name": "DescribeLaunchTemplates", "description": "Grants permission to describe one or more launch templates", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describelocalgatewayroutetablepermissions": { "name": "DescribeLocalGatewayRouteTablePermissions", "isPermissionOnly": true, "description": "Grants permission to allow a service to describe local gateway route table permissions", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describelocalgatewayroutetablevirtualinterfacegroupassociations": { "name": "DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations", "description": "Grants permission to describe the associations between virtual interface groups and local gateway route tables", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describelocalgatewayroutetablevpcassociations": { "name": "DescribeLocalGatewayRouteTableVpcAssociations", "description": "Grants permission to describe an association between VPCs and local gateway route tables", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describelocalgatewayroutetables": { "name": "DescribeLocalGatewayRouteTables", "description": "Grants permission to describe one or more local gateway route tables", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describelocalgatewayvirtualinterfacegroups": { "name": "DescribeLocalGatewayVirtualInterfaceGroups", "description": "Grants permission to describe local gateway virtual interface groups", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describelocalgatewayvirtualinterfaces": { "name": "DescribeLocalGatewayVirtualInterfaces", "description": "Grants permission to describe local gateway virtual interfaces", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describelocalgateways": { "name": "DescribeLocalGateways", "description": "Grants permission to describe one or more local gateways", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describelockedsnapshots": { "name": "DescribeLockedSnapshots", "description": "Grants permission to describe the lock status for a snapshot", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describemachosts": { "name": "DescribeMacHosts", "description": "Grants permission to describe your EC2 Mac Dedicated hosts", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describemacmodificationtasks": { "name": "DescribeMacModificationTasks", "description": "Grants permission to describe a System Integrity Protection (SIP) modification task or volume ownership delegation task for an Amazon EC2 Mac instance", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describemanagedprefixlists": { "name": "DescribeManagedPrefixLists", "description": "Grants permission to describe your managed prefix lists and any AWS-managed prefix lists", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describemovingaddresses": { "name": "DescribeMovingAddresses", "description": "Grants permission to describe Elastic IP addresses that are being moved to the EC2-VPC platform", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describenatgateways": { "name": "DescribeNatGateways", "description": "Grants permission to describe one or more NAT gateways", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describenetworkacls": { "name": "DescribeNetworkAcls", "description": "Grants permission to describe one or more network ACLs", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describenetworkinsightsaccessscopeanalyses": { "name": "DescribeNetworkInsightsAccessScopeAnalyses", "description": "Grants permission to describe one or more Network Access Scope analyses", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describenetworkinsightsaccessscopes": { "name": "DescribeNetworkInsightsAccessScopes", "description": "Grants permission to describe the Network Access Scopes", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describenetworkinsightsanalyses": { "name": "DescribeNetworkInsightsAnalyses", "description": "Grants permission to describe one or more network insights analyses", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describenetworkinsightspaths": { "name": "DescribeNetworkInsightsPaths", "description": "Grants permission to describe one or more network insights paths", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describenetworkinterfaceattribute": { "name": "DescribeNetworkInterfaceAttribute", "description": "Grants permission to describe a network interface attribute", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describenetworkinterfacepermissions": { "name": "DescribeNetworkInterfacePermissions", "description": "Grants permission to describe the permissions that are associated with a network interface", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describenetworkinterfaces": { "name": "DescribeNetworkInterfaces", "description": "Grants permission to describe one or more network interfaces", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeoutpostlags": { "name": "DescribeOutpostLags", "description": "Grants permission to describe Outpost LAGs", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeplacementgroups": { "name": "DescribePlacementGroups", "description": "Grants permission to describe one or more placement groups", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeprefixlists": { "name": "DescribePrefixLists", "description": "Grants permission to describe available AWS services in a prefix list format", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeprincipalidformat": { "name": "DescribePrincipalIdFormat", "description": "Grants permission to describe the ID format settings for the root user and all IAM roles and IAM users that have explicitly specified a longer ID (17-character ID) preference", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describepublicipv4pools": { "name": "DescribePublicIpv4Pools", "description": "Grants permission to describe one or more IPv4 address pools", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeregions": { "name": "DescribeRegions", "description": "Grants permission to describe one or more AWS Regions that are currently available in your account", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describereplacerootvolumetasks": { "name": "DescribeReplaceRootVolumeTasks", "description": "Grants permission to describe a root volume replacement task", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describereservedinstances": { "name": "DescribeReservedInstances", "description": "Grants permission to describe one or more purchased Reserved Instances in your account", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describereservedinstanceslistings": { "name": "DescribeReservedInstancesListings", "description": "Grants permission to describe your account's Reserved Instance listings in the Reserved Instance Marketplace", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describereservedinstancesmodifications": { "name": "DescribeReservedInstancesModifications", "description": "Grants permission to describe the modifications made to one or more Reserved Instances", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describereservedinstancesofferings": { "name": "DescribeReservedInstancesOfferings", "description": "Grants permission to describe the Reserved Instance offerings that are available for purchase", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describerouteserverendpoints": { "name": "DescribeRouteServerEndpoints", "description": "Grants permission to describe one or more route server endpoints", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describerouteserverpeers": { "name": "DescribeRouteServerPeers", "description": "Grants permission to describe one or more route server peers", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describerouteservers": { "name": "DescribeRouteServers", "description": "Grants permission to describe one or more route servers", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeroutetables": { "name": "DescribeRouteTables", "description": "Grants permission to describe one or more route tables", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describescheduledinstanceavailability": { "name": "DescribeScheduledInstanceAvailability", "description": "Grants permission to find available schedules for Scheduled Instances", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describescheduledinstances": { "name": "DescribeScheduledInstances", "description": "Grants permission to describe one or more Scheduled Instances in your account", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describesecuritygroupreferences": { "name": "DescribeSecurityGroupReferences", "description": "Grants permission to describe the VPCs on the other side of a VPC peering connection that are referencing specified VPC security groups", "accessLevel": "List", "resourceTypes": [ { "name": "security-group", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:SecurityGroupID", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describesecuritygrouprules": { "name": "DescribeSecurityGroupRules", "description": "Grants permission to describe one or more of your security group rules", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describesecuritygroupvpcassociations": { "name": "DescribeSecurityGroupVpcAssociations", "description": "Grants permission to describe security group VPC associations", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describesecuritygroups": { "name": "DescribeSecurityGroups", "description": "Grants permission to describe one or more security groups", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeservicelinkvirtualinterfaces": { "name": "DescribeServiceLinkVirtualInterfaces", "description": "Grants permission to describe service link virtual interfaces", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describesnapshotattribute": { "name": "DescribeSnapshotAttribute", "description": "Grants permission to describe an attribute of a snapshot", "accessLevel": "List", "resourceTypes": [ { "name": "snapshot", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Encrypted", "ec2:OutpostArn", "ec2:Owner", "ec2:ParentVolume", "ec2:ResourceTag/${TagKey}", "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:SourceOutpostArn", "ec2:VolumeSize" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describesnapshottierstatus": { "name": "DescribeSnapshotTierStatus", "description": "Grants permission to describe the storage tier status for Amazon EBS snapshots", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describesnapshots": { "name": "DescribeSnapshots", "description": "Grants permission to describe one or more EBS snapshots", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describespotdatafeedsubscription": { "name": "DescribeSpotDatafeedSubscription", "description": "Grants permission to describe the data feed for Spot Instances", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describespotfleetinstances": { "name": "DescribeSpotFleetInstances", "description": "Grants permission to describe the running instances for a Spot Fleet", "accessLevel": "List", "resourceTypes": [ { "name": "spot-fleet-request", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describespotfleetrequesthistory": { "name": "DescribeSpotFleetRequestHistory", "description": "Grants permission to describe the events for a Spot Fleet request during a specified time", "accessLevel": "List", "resourceTypes": [ { "name": "spot-fleet-request", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describespotfleetrequests": { "name": "DescribeSpotFleetRequests", "description": "Grants permission to describe one or more Spot Fleet requests", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describespotinstancerequests": { "name": "DescribeSpotInstanceRequests", "description": "Grants permission to describe one or more Spot Instance requests", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describespotpricehistory": { "name": "DescribeSpotPriceHistory", "description": "Grants permission to describe the Spot Instance price history", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describestalesecuritygroups": { "name": "DescribeStaleSecurityGroups", "description": "Grants permission to describe the stale security group rules for security groups in a specified VPC", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describestoreimagetasks": { "name": "DescribeStoreImageTasks", "description": "Grants permission to describe the progress of the AMI store tasks", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describesubnets": { "name": "DescribeSubnets", "description": "Grants permission to describe one or more subnets", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describetags": { "name": "DescribeTags", "description": "Grants permission to describe one or more tags for an Amazon EC2 resource", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describetrafficmirrorfilterrules": { "name": "DescribeTrafficMirrorFilterRules", "description": "Grants permission to describe traffic mirror filters that determine the traffic that is mirrored", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describetrafficmirrorfilters": { "name": "DescribeTrafficMirrorFilters", "description": "Grants permission to describe one or more traffic mirror filters", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describetrafficmirrorsessions": { "name": "DescribeTrafficMirrorSessions", "description": "Grants permission to describe one or more traffic mirror sessions", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describetrafficmirrortargets": { "name": "DescribeTrafficMirrorTargets", "description": "Grants permission to describe one or more traffic mirror targets", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describetransitgatewayattachments": { "name": "DescribeTransitGatewayAttachments", "description": "Grants permission to describe one or more attachments between resources and transit gateways", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describetransitgatewayconnectpeers": { "name": "DescribeTransitGatewayConnectPeers", "description": "Grants permission to describe one or more transit gateway connect peers", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describetransitgatewayconnects": { "name": "DescribeTransitGatewayConnects", "description": "Grants permission to describe one or more transit gateway connect attachments", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describetransitgatewaymulticastdomains": { "name": "DescribeTransitGatewayMulticastDomains", "description": "Grants permission to describe one or more transit gateway multicast domains", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describetransitgatewaypeeringattachments": { "name": "DescribeTransitGatewayPeeringAttachments", "description": "Grants permission to describe one or more transit gateway peering attachments", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describetransitgatewaypolicytables": { "name": "DescribeTransitGatewayPolicyTables", "description": "Grants permission to describe a transit gateway policy table", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describetransitgatewayroutetableannouncements": { "name": "DescribeTransitGatewayRouteTableAnnouncements", "description": "Grants permission to describe a transit gateway route table announcement", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describetransitgatewayroutetables": { "name": "DescribeTransitGatewayRouteTables", "description": "Grants permission to describe one or more transit gateway route tables", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describetransitgatewayvpcattachments": { "name": "DescribeTransitGatewayVpcAttachments", "description": "Grants permission to describe one or more VPC attachments on a transit gateway", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describetransitgateways": { "name": "DescribeTransitGateways", "description": "Grants permission to describe one or more transit gateways", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describetrunkinterfaceassociations": { "name": "DescribeTrunkInterfaceAssociations", "description": "Grants permission to describe one or more network interface trunk associations", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeverifiedaccessendpoints": { "name": "DescribeVerifiedAccessEndpoints", "description": "Grants permission to describe the specified Verified Access endpoints or all Verified Access endpoints", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeverifiedaccessgroups": { "name": "DescribeVerifiedAccessGroups", "description": "Grants permission to describe the specified Verified Access groups or all Verified Access groups", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeverifiedaccessinstanceloggingconfigurations": { "name": "DescribeVerifiedAccessInstanceLoggingConfigurations", "description": "Grants permission to describe the current logging configuration for the Verified Access instances", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeverifiedaccessinstancewebaclassociations": { "name": "DescribeVerifiedAccessInstanceWebAclAssociations", "isPermissionOnly": true, "description": "Grants permission to describe the AWS Web Application Firewall (WAF) web access control list (ACL) associations for a Verified Access instance", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeverifiedaccessinstances": { "name": "DescribeVerifiedAccessInstances", "description": "Grants permission to describe the specified Verified Access instances or all Verified Access instances", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describeverifiedaccesstrustproviders": { "name": "DescribeVerifiedAccessTrustProviders", "description": "Grants permission to describe details of existing Verified Access trust providers", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describevolumeattribute": { "name": "DescribeVolumeAttribute", "description": "Grants permission to describe an attribute of an EBS volume", "accessLevel": "List", "resourceTypes": [ { "name": "volume", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:ManagedResourceOperator", "ec2:ParentSnapshot", "ec2:ResourceTag/${TagKey}", "ec2:VolumeID", "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", "ec2:VolumeType" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describevolumestatus": { "name": "DescribeVolumeStatus", "description": "Grants permission to describe the status of one or more EBS volumes", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describevolumes": { "name": "DescribeVolumes", "description": "Grants permission to describe one or more EBS volumes", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describevolumesmodifications": { "name": "DescribeVolumesModifications", "description": "Grants permission to describe the current modification status of one or more EBS volumes", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describevpcattribute": { "name": "DescribeVpcAttribute", "description": "Grants permission to describe an attribute of a VPC", "accessLevel": "List", "resourceTypes": [ { "name": "vpc", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describevpcblockpublicaccessexclusions": { "name": "DescribeVpcBlockPublicAccessExclusions", "description": "Grants permission to describe an exclusion list for blocked public access on a VPC", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describevpcblockpublicaccessoptions": { "name": "DescribeVpcBlockPublicAccessOptions", "description": "Grants permission to describe options for blocked public access on a VPC", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describevpcclassiclink": { "name": "DescribeVpcClassicLink", "description": "Grants permission to describe the ClassicLink status of one or more VPCs", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describevpcclassiclinkdnssupport": { "name": "DescribeVpcClassicLinkDnsSupport", "description": "Grants permission to describe the ClassicLink DNS support status of one or more VPCs", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describevpcendpointassociations": { "name": "DescribeVpcEndpointAssociations", "description": "Grants permission to describe the VPC endpoint associations", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describevpcendpointconnectionnotifications": { "name": "DescribeVpcEndpointConnectionNotifications", "description": "Grants permission to describe the connection notifications for VPC endpoints and VPC endpoint services", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describevpcendpointconnections": { "name": "DescribeVpcEndpointConnections", "description": "Grants permission to describe the VPC endpoint connections to your VPC endpoint services", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describevpcendpointserviceconfigurations": { "name": "DescribeVpcEndpointServiceConfigurations", "description": "Grants permission to describe VPC endpoint service configurations (your services)", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describevpcendpointservicepermissions": { "name": "DescribeVpcEndpointServicePermissions", "description": "Grants permission to describe the principals (service consumers) that are permitted to discover your VPC endpoint service", "accessLevel": "List", "resourceTypes": [ { "name": "vpc-endpoint-service", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:vpceMultiRegion", "ec2:vpceSupportedRegion" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describevpcendpointservices": { "name": "DescribeVpcEndpointServices", "description": "Grants permission to describe all supported AWS services that can be specified when creating a VPC endpoint", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describevpcendpoints": { "name": "DescribeVpcEndpoints", "description": "Grants permission to describe one or more VPC endpoints", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describevpcpeeringconnections": { "name": "DescribeVpcPeeringConnections", "description": "Grants permission to describe one or more VPC peering connections", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describevpcs": { "name": "DescribeVpcs", "description": "Grants permission to describe one or more VPCs", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describevpnconnections": { "name": "DescribeVpnConnections", "description": "Grants permission to describe one or more VPN connections", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "describevpngateways": { "name": "DescribeVpnGateways", "description": "Grants permission to describe one or more virtual private gateways", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "detachclassiclinkvpc": { "name": "DetachClassicLinkVpc", "description": "Grants permission to unlink (detach) a linked EC2-Classic instance from a VPC", "accessLevel": "Write", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] }, { "name": "vpc", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "detachinternetgateway": { "name": "DetachInternetGateway", "description": "Grants permission to detach an internet gateway from a VPC", "accessLevel": "Write", "resourceTypes": [ { "name": "internet-gateway", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:InternetGatewayID", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "vpc", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "detachnetworkinterface": { "name": "DetachNetworkInterface", "description": "Grants permission to detach a network interface from an instance", "accessLevel": "Write", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] }, { "name": "network-interface", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ManagedResourceOperator", "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "detachverifiedaccesstrustprovider": { "name": "DetachVerifiedAccessTrustProvider", "description": "Grants permission to detach a trust provider from a Verified Access instance", "accessLevel": "Write", "resourceTypes": [ { "name": "verified-access-instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "verified-access-trust-provider", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "detachvolume": { "name": "DetachVolume", "description": "Grants permission to detach an EBS volume from an instance", "accessLevel": "Write", "resourceTypes": [ { "name": "volume", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:ManagedResourceOperator", "ec2:ParentSnapshot", "ec2:ResourceTag/${TagKey}", "ec2:VolumeID", "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", "ec2:VolumeType" ], "dependentActions": [] }, { "name": "instance", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "detachvpngateway": { "name": "DetachVpnGateway", "description": "Grants permission to detach a virtual private gateway from a VPC", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] }, { "name": "vpn-gateway", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disableaddresstransfer": { "name": "DisableAddressTransfer", "description": "Grants permission to disable Elastic IP address transfer", "accessLevel": "Write", "resourceTypes": [ { "name": "elastic-ip", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AllocationId", "ec2:Domain", "ec2:PublicIpAddress", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disableallowedimagessettings": { "name": "DisableAllowedImagesSettings", "description": "Grants permission to disable allowed images settings", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disableawsnetworkperformancemetricsubscription": { "name": "DisableAwsNetworkPerformanceMetricSubscription", "description": "Grants permission to disable infrastructure performance metric subscriptions", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disableebsencryptionbydefault": { "name": "DisableEbsEncryptionByDefault", "description": "Grants permission to disable EBS encryption by default for your account", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disablefastlaunch": { "name": "DisableFastLaunch", "description": "Grants permission to disable faster launching for Windows AMIs", "accessLevel": "Write", "resourceTypes": [ { "name": "image", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disablefastsnapshotrestores": { "name": "DisableFastSnapshotRestores", "description": "Grants permission to disable fast snapshot restores for one or more snapshots in specified Availability Zones", "accessLevel": "Write", "resourceTypes": [ { "name": "snapshot", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:Owner", "ec2:ParentVolume", "ec2:ResourceTag/${TagKey}", "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:VolumeSize" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disableimage": { "name": "DisableImage", "description": "Grants permission to disable an AMI", "accessLevel": "Write", "resourceTypes": [ { "name": "image", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disableimageblockpublicaccess": { "name": "DisableImageBlockPublicAccess", "description": "Grants permission to disable block public access for AMIs at the account level in the specified AWS Region", "accessLevel": "Permissions management", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disableimagedeprecation": { "name": "DisableImageDeprecation", "description": "Grants permission to cancel the deprecation of the specified AMI", "accessLevel": "Write", "resourceTypes": [ { "name": "image", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disableimagederegistrationprotection": { "name": "DisableImageDeregistrationProtection", "description": "Grants permission to disable deregistration protection for an AMI. When deregistration protection is disabled, the AMI can be deregistered", "accessLevel": "Write", "resourceTypes": [ { "name": "image", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disableipamorganizationadminaccount": { "name": "DisableIpamOrganizationAdminAccount", "description": "Grants permission to disable an AWS Organizations member account as an Amazon VPC IP Address Manager (IPAM) admin account", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [ "organizations:DeregisterDelegatedAdministrator" ] }, "disablerouteserverpropagation": { "name": "DisableRouteServerPropagation", "description": "Grants permission to disable route server propagation", "accessLevel": "Write", "resourceTypes": [ { "name": "route-server", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "route-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:RouteTableID", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disableserialconsoleaccess": { "name": "DisableSerialConsoleAccess", "description": "Grants permission to disable access to the EC2 serial console of all instances for your account", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disablesnapshotblockpublicaccess": { "name": "DisableSnapshotBlockPublicAccess", "description": "Grants permission to disable the block public access for snapshots setting for a Region", "accessLevel": "Permissions management", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disabletransitgatewayroutetablepropagation": { "name": "DisableTransitGatewayRouteTablePropagation", "description": "Grants permission to disable a resource attachment from propagating routes to the specified propagation route table", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway-route-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayRouteTableId" ], "dependentActions": [] }, { "name": "transit-gateway-attachment", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayAttachmentId" ], "dependentActions": [] }, { "name": "transit-gateway-route-table-announcement", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayRouteTableAnnouncementId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disablevgwroutepropagation": { "name": "DisableVgwRoutePropagation", "description": "Grants permission to disable a virtual private gateway from propagating routes to a specified route table of a VPC", "accessLevel": "Write", "resourceTypes": [ { "name": "route-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:RouteTableID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "vpn-gateway", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disablevpcclassiclink": { "name": "DisableVpcClassicLink", "description": "Grants permission to disable ClassicLink for a VPC", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disablevpcclassiclinkdnssupport": { "name": "DisableVpcClassicLinkDnsSupport", "description": "Grants permission to disable ClassicLink DNS support for a VPC", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disassociateaddress": { "name": "DisassociateAddress", "description": "Grants permission to disassociate an Elastic IP address from an instance or network interface", "accessLevel": "Write", "resourceTypes": [ { "name": "elastic-ip", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AllocationId", "ec2:Domain", "ec2:PublicIpAddress", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "network-interface", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ManagedResourceOperator", "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disassociatecapacityreservationbillingowner": { "name": "DisassociateCapacityReservationBillingOwner", "description": "Grants permission to cancel a pending request to assign billing of the unused capacity of a Capacity Reservation to a consumer account", "accessLevel": "Write", "resourceTypes": [ { "name": "capacity-reservation", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CapacityReservationFleet", "ec2:CreateDate", "ec2:DestinationCapacityReservationId", "ec2:EbsOptimized", "ec2:EndDate", "ec2:EndDateType", "ec2:InstanceCount", "ec2:InstanceMatchCriteria", "ec2:InstancePlatform", "ec2:InstanceType", "ec2:OutpostArn", "ec2:PlacementGroup", "ec2:ResourceTag/${TagKey}", "ec2:SourceCapacityReservationId", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disassociateclientvpntargetnetwork": { "name": "DisassociateClientVpnTargetNetwork", "description": "Grants permission to disassociate a target network from a Client VPN endpoint", "accessLevel": "Write", "resourceTypes": [ { "name": "client-vpn-endpoint", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ClientRootCertificateChainArn", "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disassociateenclavecertificateiamrole": { "name": "DisassociateEnclaveCertificateIamRole", "description": "Grants permission to disassociate an ACM certificate from a IAM role", "accessLevel": "Write", "resourceTypes": [ { "name": "certificate", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "role", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disassociateiaminstanceprofile": { "name": "DisassociateIamInstanceProfile", "description": "Grants permission to disassociate an IAM instance profile from a running or stopped instance", "accessLevel": "Write", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disassociateinstanceeventwindow": { "name": "DisassociateInstanceEventWindow", "description": "Grants permission to disassociate one or more targets from an event window", "accessLevel": "Write", "resourceTypes": [ { "name": "instance-event-window", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disassociateipambyoasn": { "name": "DisassociateIpamByoasn", "description": "Grants permission to disassociate an Autonomous System Number (ASN) from a BYOIP CIDR", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disassociateipamresourcediscovery": { "name": "DisassociateIpamResourceDiscovery", "description": "Grants permission to disassociate a resource discovery from an Amazon VPC IPAM", "accessLevel": "Write", "resourceTypes": [ { "name": "ipam-resource-discovery-association", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disassociatenatgatewayaddress": { "name": "DisassociateNatGatewayAddress", "description": "Grants permission to disassociate a secondary Elastic IP address from a public NAT gateway", "accessLevel": "Write", "resourceTypes": [ { "name": "elastic-ip", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AllocationId", "ec2:Domain", "ec2:PublicIpAddress", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "natgateway", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "network-interface", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AuthorizedUser", "ec2:AvailabilityZone", "ec2:ManagedResourceOperator", "ec2:NetworkInterfaceID", "ec2:Permission", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disassociaterouteserver": { "name": "DisassociateRouteServer", "description": "Grants permission to disassociate a route server from a VPC", "accessLevel": "Write", "resourceTypes": [ { "name": "route-server", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "vpc", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Ipv4IpamPoolId", "ec2:Ipv6IpamPoolId", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disassociateroutetable": { "name": "DisassociateRouteTable", "description": "Grants permission to disassociate a subnet from a route table", "accessLevel": "Write", "resourceTypes": [ { "name": "internet-gateway", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:InternetGatewayID", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "ipv4pool-ec2", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "ipv6pool-ec2", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "route-table", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:RouteTableID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "subnet", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "vpn-gateway", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disassociatesecuritygroupvpc": { "name": "DisassociateSecurityGroupVpc", "description": "Grants permission to disassociate a security group from a VPC", "accessLevel": "Write", "resourceTypes": [ { "name": "security-group", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:SecurityGroupID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "vpc", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Ipv4IpamPoolId", "ec2:Ipv6IpamPoolId", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disassociatesubnetcidrblock": { "name": "DisassociateSubnetCidrBlock", "description": "Grants permission to disassociate a CIDR block from a subnet", "accessLevel": "Write", "resourceTypes": [ { "name": "subnet", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disassociatetransitgatewaymulticastdomain": { "name": "DisassociateTransitGatewayMulticastDomain", "description": "Grants permission to disassociate one or more subnets from a transit gateway multicast domain", "accessLevel": "Write", "resourceTypes": [ { "name": "subnet", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "transit-gateway-attachment", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayAttachmentId" ], "dependentActions": [] }, { "name": "transit-gateway-multicast-domain", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayMulticastDomainId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disassociatetransitgatewaypolicytable": { "name": "DisassociateTransitGatewayPolicyTable", "description": "Grants permission to disassociate a policy table from a transit gateway", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway-attachment", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayAttachmentId" ], "dependentActions": [] }, { "name": "transit-gateway-policy-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayPolicyTableId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disassociatetransitgatewayroutetable": { "name": "DisassociateTransitGatewayRouteTable", "description": "Grants permission to disassociate a resource attachment from a transit gateway route table", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway-attachment", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayAttachmentId" ], "dependentActions": [] }, { "name": "transit-gateway-route-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayRouteTableId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disassociatetrunkinterface": { "name": "DisassociateTrunkInterface", "description": "Grants permission to disassociate a branch network interface to a trunk network interface", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disassociateverifiedaccessinstancewebacl": { "name": "DisassociateVerifiedAccessInstanceWebAcl", "isPermissionOnly": true, "description": "Grants permission to disassociate an AWS Web Application Firewall (WAF) web access control list (ACL) from a Verified Access instance", "accessLevel": "Write", "resourceTypes": [ { "name": "verified-access-instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "disassociatevpccidrblock": { "name": "DisassociateVpcCidrBlock", "description": "Grants permission to disassociate a CIDR block from a VPC", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "enableaddresstransfer": { "name": "EnableAddressTransfer", "description": "Grants permission to enable Elastic IP address transfer", "accessLevel": "Write", "resourceTypes": [ { "name": "elastic-ip", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AllocationId", "ec2:Domain", "ec2:PublicIpAddress", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "enableallowedimagessettings": { "name": "EnableAllowedImagesSettings", "description": "Grants permission to enable allowed images settings", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "enableawsnetworkperformancemetricsubscription": { "name": "EnableAwsNetworkPerformanceMetricSubscription", "description": "Grants permission to enable infrastructure performance subscriptions", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "enableebsencryptionbydefault": { "name": "EnableEbsEncryptionByDefault", "description": "Grants permission to enable EBS encryption by default for your account", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "enablefastlaunch": { "name": "EnableFastLaunch", "description": "Grants permission to enable faster launching for Windows AMIs", "accessLevel": "Write", "resourceTypes": [ { "name": "image", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], "dependentActions": [ "ec2:CreateLaunchTemplate", "ec2:CreateSnapshot", "ec2:CreateTags", "ec2:DeleteSnapshot", "ec2:DescribeImages", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeInstances", "ec2:DescribeLaunchTemplateVersions", "ec2:DescribeLaunchTemplates", "ec2:DescribeSnapshots", "ec2:DescribeSubnets", "ec2:RunInstances", "ec2:StopInstances", "ec2:TerminateInstances", "iam:PassRole" ] }, { "name": "launch-template", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ManagedResourceOperator", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "enablefastsnapshotrestores": { "name": "EnableFastSnapshotRestores", "description": "Grants permission to enable fast snapshot restores for one or more snapshots in specified Availability Zones", "accessLevel": "Write", "resourceTypes": [ { "name": "snapshot", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:Owner", "ec2:ParentVolume", "ec2:ResourceTag/${TagKey}", "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:VolumeSize" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "enableimage": { "name": "EnableImage", "description": "Grants permission to re-enable a disabled AMI", "accessLevel": "Write", "resourceTypes": [ { "name": "image", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "enableimageblockpublicaccess": { "name": "EnableImageBlockPublicAccess", "description": "Grants permission to enable block public access for AMIs at the account level in the specified AWS Region", "accessLevel": "Permissions management", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "enableimagedeprecation": { "name": "EnableImageDeprecation", "description": "Grants permission to enable deprecation of the specified AMI at the specified date and time", "accessLevel": "Write", "resourceTypes": [ { "name": "image", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "enableimagederegistrationprotection": { "name": "EnableImageDeregistrationProtection", "description": "Grants permission to enable deregistration protection for an AMI. When deregistration protection is enabled, the AMI can't be deregistered", "accessLevel": "Write", "resourceTypes": [ { "name": "image", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "enableipamorganizationadminaccount": { "name": "EnableIpamOrganizationAdminAccount", "description": "Grants permission to enable an AWS Organizations member account as an Amazon VPC IP Address Manager (IPAM) admin account", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [ "iam:CreateServiceLinkedRole", "organizations:EnableAWSServiceAccess", "organizations:RegisterDelegatedAdministrator" ] }, "enablereachabilityanalyzerorganizationsharing": { "name": "EnableReachabilityAnalyzerOrganizationSharing", "description": "Grants permission to enable organization sharing of reachability analyzer", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [ "iam:CreateServiceLinkedRole", "organizations:EnableAWSServiceAccess" ] }, "enablerouteserverpropagation": { "name": "EnableRouteServerPropagation", "description": "Grants permission to enable route server propagation", "accessLevel": "Write", "resourceTypes": [ { "name": "route-server", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "route-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:RouteTableID", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "enableserialconsoleaccess": { "name": "EnableSerialConsoleAccess", "description": "Grants permission to enable access to the EC2 serial console of all instances for your account", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "enablesnapshotblockpublicaccess": { "name": "EnableSnapshotBlockPublicAccess", "description": "Grants permission to enable or modify the block public access for snapshots setting for a Region", "accessLevel": "Permissions management", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "enabletransitgatewayroutetablepropagation": { "name": "EnableTransitGatewayRouteTablePropagation", "description": "Grants permission to enable an attachment to propagate routes to a propagation route table", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway-route-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayRouteTableId" ], "dependentActions": [] }, { "name": "transit-gateway-attachment", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayAttachmentId" ], "dependentActions": [] }, { "name": "transit-gateway-route-table-announcement", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayRouteTableAnnouncementId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "enablevgwroutepropagation": { "name": "EnableVgwRoutePropagation", "description": "Grants permission to enable a virtual private gateway to propagate routes to a VPC route table", "accessLevel": "Write", "resourceTypes": [ { "name": "route-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:RouteTableID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "vpn-gateway", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "enablevolumeio": { "name": "EnableVolumeIO", "description": "Grants permission to enable I/O operations for a volume that had I/O operations disabled", "accessLevel": "Write", "resourceTypes": [ { "name": "volume", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:ManagedResourceOperator", "ec2:ParentSnapshot", "ec2:ResourceTag/${TagKey}", "ec2:VolumeID", "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", "ec2:VolumeType" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "enablevpcclassiclink": { "name": "EnableVpcClassicLink", "description": "Grants permission to enable a VPC for ClassicLink", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "enablevpcclassiclinkdnssupport": { "name": "EnableVpcClassicLinkDnsSupport", "description": "Grants permission to enable a VPC to support DNS hostname resolution for ClassicLink", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "exportclientvpnclientcertificaterevocationlist": { "name": "ExportClientVpnClientCertificateRevocationList", "description": "Grants permission to download the client certificate revocation list for a Client VPN endpoint", "accessLevel": "Read", "resourceTypes": [ { "name": "client-vpn-endpoint", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ClientRootCertificateChainArn", "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "exportclientvpnclientconfiguration": { "name": "ExportClientVpnClientConfiguration", "description": "Grants permission to download the contents of the Client VPN endpoint configuration file for a Client VPN endpoint", "accessLevel": "Read", "resourceTypes": [ { "name": "client-vpn-endpoint", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ClientRootCertificateChainArn", "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "exportimage": { "name": "ExportImage", "description": "Grants permission to export an Amazon Machine Image (AMI) to a VM file", "accessLevel": "Write", "resourceTypes": [ { "name": "export-image-task", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "image", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "exporttransitgatewayroutes": { "name": "ExportTransitGatewayRoutes", "description": "Grants permission to export routes from a transit gateway route table to an Amazon S3 bucket", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "exportverifiedaccessinstanceclientconfiguration": { "name": "ExportVerifiedAccessInstanceClientConfiguration", "description": "Grants permission to export a verified access instance client configuration", "accessLevel": "Read", "resourceTypes": [ { "name": "verified-access-instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getactivevpntunnelstatus": { "name": "GetActiveVpnTunnelStatus", "description": "Grants permission to retrieve the current security parameters for an active VPN tunnel", "accessLevel": "Read", "resourceTypes": [ { "name": "vpn-connection", "required": true, "conditionKeys": [ "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getallowedimagessettings": { "name": "GetAllowedImagesSettings", "description": "Grants permission to get the allowed settings for images", "accessLevel": "Read", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getassociatedenclavecertificateiamroles": { "name": "GetAssociatedEnclaveCertificateIamRoles", "description": "Grants permission to get the list of roles associated with an ACM certificate", "accessLevel": "Read", "resourceTypes": [ { "name": "certificate", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getassociatedipv6poolcidrs": { "name": "GetAssociatedIpv6PoolCidrs", "description": "Grants permission to get information about the IPv6 CIDR block associations for a specified IPv6 address pool", "accessLevel": "Read", "resourceTypes": [ { "name": "ipv6pool-ec2", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getawsnetworkperformancedata": { "name": "GetAwsNetworkPerformanceData", "description": "Grants permission to get network performance data", "accessLevel": "Read", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getcapacityreservationusage": { "name": "GetCapacityReservationUsage", "description": "Grants permission to get usage information about a Capacity Reservation", "accessLevel": "Read", "resourceTypes": [ { "name": "capacity-reservation", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:CapacityReservationFleet" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getcoippoolusage": { "name": "GetCoipPoolUsage", "description": "Grants permission to describe the allocations from the specified customer-owned address pool", "accessLevel": "Read", "resourceTypes": [ { "name": "coip-pool", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getconsoleoutput": { "name": "GetConsoleOutput", "description": "Grants permission to get the console output for an instance", "accessLevel": "Read", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getconsolescreenshot": { "name": "GetConsoleScreenshot", "description": "Grants permission to retrieve a JPG-format screenshot of a running instance", "accessLevel": "Read", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:NewInstanceProfile", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getdeclarativepoliciesreportsummary": { "name": "GetDeclarativePoliciesReportSummary", "description": "Grants permission to get the report summary of declarative policies", "accessLevel": "Read", "resourceTypes": [ { "name": "declarative-policies-report", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getdefaultcreditspecification": { "name": "GetDefaultCreditSpecification", "description": "Grants permission to get the default credit option for CPU usage of a burstable performance instance family", "accessLevel": "Read", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getebsdefaultkmskeyid": { "name": "GetEbsDefaultKmsKeyId", "description": "Grants permission to get the ID of the default customer master key (CMK) for EBS encryption by default", "accessLevel": "Read", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getebsencryptionbydefault": { "name": "GetEbsEncryptionByDefault", "description": "Grants permission to describe whether EBS encryption by default is enabled for your account", "accessLevel": "Read", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getflowlogsintegrationtemplate": { "name": "GetFlowLogsIntegrationTemplate", "description": "Grants permission to generate a CloudFormation template to streamline the integration of VPC flow logs with Amazon Athena", "accessLevel": "Read", "resourceTypes": [ { "name": "vpc-flow-log", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getgroupsforcapacityreservation": { "name": "GetGroupsForCapacityReservation", "description": "Grants permission to list the resource groups to which a Capacity Reservation has been added", "accessLevel": "List", "resourceTypes": [ { "name": "capacity-reservation", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:CapacityReservationFleet" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "gethostreservationpurchasepreview": { "name": "GetHostReservationPurchasePreview", "description": "Grants permission to preview a reservation purchase with configurations that match those of a Dedicated Host", "accessLevel": "Read", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getimageblockpublicaccessstate": { "name": "GetImageBlockPublicAccessState", "description": "Grants permission to get the current state of block public access for AMIs at the account level in the specified AWS Region", "accessLevel": "Read", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getinstancemetadatadefaults": { "name": "GetInstanceMetadataDefaults", "description": "Grants permission to view the default instance metadata service (IMDS) settings set for your account in the specified Region", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getinstancetpmekpub": { "name": "GetInstanceTpmEkPub", "description": "Grants permission to get the public endorsement key associated with the Nitro Trusted Platform Module (NitroTPM) for the specified instance", "accessLevel": "Read", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getinstancetypesfrominstancerequirements": { "name": "GetInstanceTypesFromInstanceRequirements", "description": "Grants permission to view a list of instance types with specified instance attributes", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getinstanceuefidata": { "name": "GetInstanceUefiData", "description": "Grants permission to retrieve the binary representation of the UEFI variable store", "accessLevel": "Read", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:NewInstanceProfile", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getipamaddresshistory": { "name": "GetIpamAddressHistory", "description": "Grants permission to retrieve historical information about a CIDR within an Amazon VPC IP Address Manager (IPAM) scope", "accessLevel": "Read", "resourceTypes": [ { "name": "ipam-scope", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getipamdiscoveredaccounts": { "name": "GetIpamDiscoveredAccounts", "description": "Grants permission to retrieve IPAM discovered accounts", "accessLevel": "Read", "resourceTypes": [ { "name": "ipam-resource-discovery", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getipamdiscoveredpublicaddresses": { "name": "GetIpamDiscoveredPublicAddresses", "description": "Grants permission to retrieve the public IP addresses that have been discovered by IPAM", "accessLevel": "Read", "resourceTypes": [ { "name": "ipam-resource-discovery", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getipamdiscoveredresourcecidrs": { "name": "GetIpamDiscoveredResourceCidrs", "description": "Grants permission to retrieve the resource CIDRs that are monitored as part of a resource discovery", "accessLevel": "Read", "resourceTypes": [ { "name": "ipam-resource-discovery", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getipampoolallocations": { "name": "GetIpamPoolAllocations", "description": "Grants permission to get a list of all the CIDR allocations in an Amazon VPC IP Address Manager (IPAM) pool", "accessLevel": "List", "resourceTypes": [ { "name": "ipam-pool", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getipampoolcidrs": { "name": "GetIpamPoolCidrs", "description": "Grants permission to get the CIDRs provisioned to an Amazon VPC IP Address Manager (IPAM) pool", "accessLevel": "Read", "resourceTypes": [ { "name": "ipam-pool", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getipamresourcecidrs": { "name": "GetIpamResourceCidrs", "description": "Grants permission to get information about the resources in an Amazon VPC IP Address Manager (IPAM) scope", "accessLevel": "Read", "resourceTypes": [ { "name": "ipam-scope", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "ipam-pool", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getlaunchtemplatedata": { "name": "GetLaunchTemplateData", "description": "Grants permission to get the configuration data of the specified instance for use with a new launch template or launch template version", "accessLevel": "Read", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getmanagedprefixlistassociations": { "name": "GetManagedPrefixListAssociations", "description": "Grants permission to get information about the resources that are associated with the specified managed prefix list", "accessLevel": "Read", "resourceTypes": [ { "name": "prefix-list", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getmanagedprefixlistentries": { "name": "GetManagedPrefixListEntries", "description": "Grants permission to get information about the entries for a specified managed prefix list", "accessLevel": "Read", "resourceTypes": [ { "name": "prefix-list", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getnetworkinsightsaccessscopeanalysisfindings": { "name": "GetNetworkInsightsAccessScopeAnalysisFindings", "description": "Grants permission to get the findings for one or more Network Access Scope analyses", "accessLevel": "Read", "resourceTypes": [ { "name": "network-insights-access-scope-analysis", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getnetworkinsightsaccessscopecontent": { "name": "GetNetworkInsightsAccessScopeContent", "description": "Grants permission to get the content for a specified Network Access Scope", "accessLevel": "Read", "resourceTypes": [ { "name": "network-insights-access-scope", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getpassworddata": { "name": "GetPasswordData", "description": "Grants permission to retrieve the encrypted administrator password for a running Windows instance", "accessLevel": "Read", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getreservedinstancesexchangequote": { "name": "GetReservedInstancesExchangeQuote", "description": "Grants permission to return a quote and exchange information for exchanging one or more Convertible Reserved Instances for a new Convertible Reserved Instance", "accessLevel": "Read", "resourceTypes": [ { "name": "reserved-instances", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:InstanceType", "ec2:ReservedInstancesOfferingType", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getresourcepolicy": { "name": "GetResourcePolicy", "isPermissionOnly": true, "description": "Grants permission to describe an IAM policy that enables cross-account sharing", "accessLevel": "Read", "resourceTypes": [ { "name": "ipam-pool", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "placement-group", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:PlacementGroupName", "ec2:PlacementGroupStrategy", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "verified-access-group", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getrouteserverassociations": { "name": "GetRouteServerAssociations", "description": "Grants permission to get associations for a route server", "accessLevel": "Read", "resourceTypes": [ { "name": "route-server", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getrouteserverpropagations": { "name": "GetRouteServerPropagations", "description": "Grants permission to get propagations for a route server", "accessLevel": "Read", "resourceTypes": [ { "name": "route-server", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "route-table", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:RouteTableID", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getrouteserverroutingdatabase": { "name": "GetRouteServerRoutingDatabase", "description": "Grants permission to get the routing database for a route server", "accessLevel": "Read", "resourceTypes": [ { "name": "route-server", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getsecuritygroupsforvpc": { "name": "GetSecurityGroupsForVpc", "description": "Grants permission to retrieve a list of security groups for a specified VPC", "accessLevel": "Read", "resourceTypes": [ { "name": "vpc", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getserialconsoleaccessstatus": { "name": "GetSerialConsoleAccessStatus", "description": "Grants permission to retrieve the access status of your account to the EC2 serial console of all instances", "accessLevel": "Read", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getsnapshotblockpublicaccessstate": { "name": "GetSnapshotBlockPublicAccessState", "description": "Grants permission to retrieve the current state of the block public access for snapshots setting for a Region", "accessLevel": "Read", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getspotplacementscores": { "name": "GetSpotPlacementScores", "description": "Grants permission to calculate the Spot placement score for a Region or Availability Zone based on the specified target capacity and compute requirements", "accessLevel": "Read", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getsubnetcidrreservations": { "name": "GetSubnetCidrReservations", "description": "Grants permission to retrieve information about the subnet CIDR reservations", "accessLevel": "Read", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "gettransitgatewayattachmentpropagations": { "name": "GetTransitGatewayAttachmentPropagations", "description": "Grants permission to list the route tables to which a resource attachment propagates routes", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "gettransitgatewaymulticastdomainassociations": { "name": "GetTransitGatewayMulticastDomainAssociations", "description": "Grants permission to get information about the associations for a transit gateway multicast domain", "accessLevel": "List", "resourceTypes": [ { "name": "transit-gateway-multicast-domain", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayMulticastDomainId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "gettransitgatewaypolicytableassociations": { "name": "GetTransitGatewayPolicyTableAssociations", "description": "Grants permission to get information about associations for a transit gateway policy table", "accessLevel": "List", "resourceTypes": [ { "name": "transit-gateway-policy-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayPolicyTableId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "gettransitgatewaypolicytableentries": { "name": "GetTransitGatewayPolicyTableEntries", "description": "Grants permission to get information about associations for a transit gateway policy table entry", "accessLevel": "List", "resourceTypes": [ { "name": "transit-gateway-policy-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayPolicyTableId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "gettransitgatewayprefixlistreferences": { "name": "GetTransitGatewayPrefixListReferences", "description": "Grants permission to get information about prefix list references for a transit gateway route table", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "gettransitgatewayroutetableassociations": { "name": "GetTransitGatewayRouteTableAssociations", "description": "Grants permission to get information about associations for a transit gateway route table", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "gettransitgatewayroutetablepropagations": { "name": "GetTransitGatewayRouteTablePropagations", "description": "Grants permission to get information about the route table propagations for a transit gateway route table", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getverifiedaccessendpointpolicy": { "name": "GetVerifiedAccessEndpointPolicy", "description": "Grants permission to show the Verified Access policy associated with the endpoint", "accessLevel": "List", "resourceTypes": [ { "name": "verified-access-endpoint", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getverifiedaccessendpointtargets": { "name": "GetVerifiedAccessEndpointTargets", "description": "Grants permission to get verified access endpoint targets", "accessLevel": "List", "resourceTypes": [ { "name": "verified-access-endpoint", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getverifiedaccessgrouppolicy": { "name": "GetVerifiedAccessGroupPolicy", "description": "Grants permission to show the contents of the Verified Access policy associated with the group", "accessLevel": "List", "resourceTypes": [ { "name": "verified-access-group", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getverifiedaccessinstancewebacl": { "name": "GetVerifiedAccessInstanceWebAcl", "isPermissionOnly": true, "description": "Grants permission to show the AWS Web Application Firewall (WAF) web access control list (ACL) for a Verified Access instance", "accessLevel": "List", "resourceTypes": [ { "name": "verified-access-instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getvpnconnectiondevicesampleconfiguration": { "name": "GetVpnConnectionDeviceSampleConfiguration", "description": "Grants permission to download an AWS-provided sample configuration file to be used with the customer gateway device", "accessLevel": "List", "resourceTypes": [ { "name": "vpn-connection", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "vpn-connection-device-type", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getvpnconnectiondevicetypes": { "name": "GetVpnConnectionDeviceTypes", "description": "Grants permission to obtain a list of customer gateway devices for which sample configuration files can be provided", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "getvpntunnelreplacementstatus": { "name": "GetVpnTunnelReplacementStatus", "description": "Grants permission to view available tunnel endpoint maintenance events", "accessLevel": "List", "resourceTypes": [ { "name": "vpn-connection", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "importbyoipcidrtoipam": { "name": "ImportByoipCidrToIpam", "isPermissionOnly": true, "description": "Grants permission to transfer existing BYOIP IPv4 CIDRs to IPAM", "accessLevel": "Write", "resourceTypes": [ { "name": "ipam-pool", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "importclientvpnclientcertificaterevocationlist": { "name": "ImportClientVpnClientCertificateRevocationList", "description": "Grants permission to upload a client certificate revocation list to a Client VPN endpoint", "accessLevel": "Write", "resourceTypes": [ { "name": "client-vpn-endpoint", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ClientRootCertificateChainArn", "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "importimage": { "name": "ImportImage", "description": "Grants permission to import single or multi-volume disk images or EBS snapshots into an Amazon Machine Image (AMI)", "accessLevel": "Write", "resourceTypes": [ { "name": "image", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", "ec2:RootDeviceType" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "import-image-task", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [] }, { "name": "snapshot", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Owner", "ec2:ParentVolume", "ec2:ResourceTag/${TagKey}", "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:VolumeSize" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "importinstance": { "name": "ImportInstance", "description": "Grants permission to create an import instance task using metadata from a disk image", "accessLevel": "Write", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:ManagedResourceOperator", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "volume", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:ManagedResourceOperator", "ec2:ParentSnapshot", "ec2:ResourceTag/${TagKey}", "ec2:VolumeID", "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", "ec2:VolumeType" ], "dependentActions": [] }, { "name": "security-group", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:SecurityGroupID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "subnet", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "importkeypair": { "name": "ImportKeyPair", "description": "Grants permission to import a public key from an RSA key pair that was created with a third-party tool", "accessLevel": "Write", "resourceTypes": [ { "name": "key-pair", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "importsnapshot": { "name": "ImportSnapshot", "description": "Grants permission to import a disk into an EBS snapshot", "accessLevel": "Write", "resourceTypes": [ { "name": "import-snapshot-task", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "snapshot", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:Owner", "ec2:ParentVolume", "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:VolumeSize" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "importvolume": { "name": "ImportVolume", "description": "Grants permission to create an import volume task using metadata from a disk image", "accessLevel": "Write", "resourceTypes": [ { "name": "volume", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:ManagedResourceOperator", "ec2:ParentSnapshot", "ec2:ResourceTag/${TagKey}", "ec2:VolumeID", "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", "ec2:VolumeType" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "injectapierror": { "name": "InjectApiError", "isPermissionOnly": true, "description": "Grants permission to temporarily inject errors for target API requests", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:FisActionId", "ec2:FisTargetArns", "ec2:Region" ], "dependentActions": [] }, "listimagesinrecyclebin": { "name": "ListImagesInRecycleBin", "description": "Grants permission to list Amazon Machine Images (AMIs) that are currently in the Recycle Bin", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "listsnapshotsinrecyclebin": { "name": "ListSnapshotsInRecycleBin", "description": "Grants permission to list the Amazon EBS snapshots that are currently in the Recycle Bin", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "locksnapshot": { "name": "LockSnapshot", "description": "Grants permission to lock an Amazon EBS snapshot in either governance or compliance mode to protect it against accidental or malicious deletions", "accessLevel": "Write", "resourceTypes": [ { "name": "snapshot", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Encrypted", "ec2:Owner", "ec2:ParentVolume", "ec2:ResourceTag/${TagKey}", "ec2:SnapshotCoolOffPeriod", "ec2:SnapshotID", "ec2:SnapshotLockDuration", "ec2:SnapshotTime", "ec2:VolumeSize" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyaddressattribute": { "name": "ModifyAddressAttribute", "description": "Grants permission to modify an attribute of the specified Elastic IP address", "accessLevel": "Write", "resourceTypes": [ { "name": "elastic-ip", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AllocationId", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:Domain", "ec2:PublicIpAddress", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyavailabilityzonegroup": { "name": "ModifyAvailabilityZoneGroup", "description": "Grants permission to modify the opt-in status of the Local Zone and Wavelength Zone group for your account", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifycapacityreservation": { "name": "ModifyCapacityReservation", "description": "Grants permission to modify a Capacity Reservation's capacity and the conditions under which it is to be released", "accessLevel": "Write", "resourceTypes": [ { "name": "capacity-reservation", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:CapacityReservationFleet" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifycapacityreservationfleet": { "name": "ModifyCapacityReservationFleet", "description": "Grants permission to modify a Capacity Reservation Fleet", "accessLevel": "Write", "resourceTypes": [ { "name": "capacity-reservation-fleet", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [ "ec2:ModifyCapacityReservation" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyclientvpnendpoint": { "name": "ModifyClientVpnEndpoint", "description": "Grants permission to modify a Client VPN endpoint", "accessLevel": "Write", "resourceTypes": [ { "name": "client-vpn-endpoint", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ClientRootCertificateChainArn", "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" ], "dependentActions": [] }, { "name": "security-group", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:SecurityGroupID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "vpc", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifydefaultcreditspecification": { "name": "ModifyDefaultCreditSpecification", "description": "Grants permission to change the account level default credit option for CPU usage of burstable performance instances", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyebsdefaultkmskeyid": { "name": "ModifyEbsDefaultKmsKeyId", "description": "Grants permission to change the default customer master key (CMK) for EBS encryption by default for your account", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyfleet": { "name": "ModifyFleet", "description": "Grants permission to modify an EC2 Fleet", "accessLevel": "Write", "resourceTypes": [ { "name": "fleet", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "image", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], "dependentActions": [] }, { "name": "launch-template", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ManagedResourceOperator", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "subnet", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyfpgaimageattribute": { "name": "ModifyFpgaImageAttribute", "description": "Grants permission to modify an attribute of an Amazon FPGA Image (AFI)", "accessLevel": "Write", "resourceTypes": [ { "name": "fpga-image", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:Owner", "ec2:Public", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyhosts": { "name": "ModifyHosts", "description": "Grants permission to modify a Dedicated Host", "accessLevel": "Write", "resourceTypes": [ { "name": "dedicated-host", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyidformat": { "name": "ModifyIdFormat", "description": "Grants permission to modify the ID format for a resource", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyidentityidformat": { "name": "ModifyIdentityIdFormat", "description": "Grants permission to modify the ID format of a resource for a specific principal in your account", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyimageattribute": { "name": "ModifyImageAttribute", "description": "Grants permission to modify an attribute of an Amazon Machine Image (AMI)", "accessLevel": "Write", "resourceTypes": [ { "name": "image", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyinstanceattribute": { "name": "ModifyInstanceAttribute", "description": "Grants permission to modify an attribute of an instance", "accessLevel": "Write", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] }, { "name": "security-group", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:SecurityGroupID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "volume", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:ManagedResourceOperator", "ec2:ParentSnapshot", "ec2:ResourceTag/${TagKey}", "ec2:VolumeID", "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", "ec2:VolumeType" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyinstancecapacityreservationattributes": { "name": "ModifyInstanceCapacityReservationAttributes", "description": "Grants permission to modify the Capacity Reservation settings for a stopped instance", "accessLevel": "Write", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] }, { "name": "capacity-reservation", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyinstancecpuoptions": { "name": "ModifyInstanceCpuOptions", "description": "Grants permission to modify the CPU options on an instance", "accessLevel": "Write", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyinstancecreditspecification": { "name": "ModifyInstanceCreditSpecification", "description": "Grants permission to modify the credit option for CPU usage on an instance", "accessLevel": "Write", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyinstanceeventstarttime": { "name": "ModifyInstanceEventStartTime", "description": "Grants permission to modify the start time for a scheduled EC2 instance event", "accessLevel": "Write", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyinstanceeventwindow": { "name": "ModifyInstanceEventWindow", "description": "Grants permission to modify the specified event window", "accessLevel": "Write", "resourceTypes": [ { "name": "instance-event-window", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyinstancemaintenanceoptions": { "name": "ModifyInstanceMaintenanceOptions", "description": "Grants permission to modify the recovery behaviour for an instance", "accessLevel": "Write", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyinstancemetadatadefaults": { "name": "ModifyInstanceMetadataDefaults", "description": "Grants permission to modify the default instance metadata service (IMDS) settings for your account in the specified Region", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Attribute/${AttributeName}", "ec2:Region" ], "dependentActions": [] }, "modifyinstancemetadataoptions": { "name": "ModifyInstanceMetadataOptions", "description": "Grants permission to modify the metadata options for an instance", "accessLevel": "Write", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyinstancenetworkperformanceoptions": { "name": "ModifyInstanceNetworkPerformanceOptions", "description": "Grants permission to modify the network performance options for an instance", "accessLevel": "Write", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyinstanceplacement": { "name": "ModifyInstancePlacement", "description": "Grants permission to modify the placement attributes for an instance", "accessLevel": "Write", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] }, { "name": "dedicated-host", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "placement-group", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:PlacementGroupName", "ec2:PlacementGroupStrategy", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyipam": { "name": "ModifyIpam", "description": "Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM)", "accessLevel": "Write", "resourceTypes": [ { "name": "ipam", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyipampool": { "name": "ModifyIpamPool", "description": "Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) pool", "accessLevel": "Write", "resourceTypes": [ { "name": "ipam-pool", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyipamresourcecidr": { "name": "ModifyIpamResourceCidr", "description": "Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) resource CIDR", "accessLevel": "Write", "resourceTypes": [ { "name": "ipam-scope", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyipamresourcediscovery": { "name": "ModifyIpamResourceDiscovery", "description": "Grants permission to modify a resource discovery", "accessLevel": "Write", "resourceTypes": [ { "name": "ipam-resource-discovery", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyipamscope": { "name": "ModifyIpamScope", "description": "Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) scope", "accessLevel": "Write", "resourceTypes": [ { "name": "ipam-scope", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifylaunchtemplate": { "name": "ModifyLaunchTemplate", "description": "Grants permission to modify a launch template", "accessLevel": "Write", "resourceTypes": [ { "name": "launch-template", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ManagedResourceOperator", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifylocalgatewayroute": { "name": "ModifyLocalGatewayRoute", "description": "Grants permission to modify a local gateway route", "accessLevel": "Write", "resourceTypes": [ { "name": "local-gateway-route-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "local-gateway-virtual-interface-group", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "network-interface", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AuthorizedUser", "ec2:AvailabilityZone", "ec2:ManagedResourceOperator", "ec2:NetworkInterfaceID", "ec2:Permission", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependentActions": [] }, { "name": "prefix-list", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifymanagedprefixlist": { "name": "ModifyManagedPrefixList", "description": "Grants permission to modify a managed prefix list", "accessLevel": "Write", "resourceTypes": [ { "name": "prefix-list", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifynetworkinterfaceattribute": { "name": "ModifyNetworkInterfaceAttribute", "description": "Grants permission to modify an attribute of a network interface", "accessLevel": "Write", "resourceTypes": [ { "name": "network-interface", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:ManagedResourceOperator", "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependentActions": [] }, { "name": "instance", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] }, { "name": "security-group", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:SecurityGroupID", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyprivatednsnameoptions": { "name": "ModifyPrivateDnsNameOptions", "description": "Grants permission to modify the options for instance hostnames for the specified instance", "accessLevel": "Write", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:NewInstanceProfile", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifypublicipdnsnameoptions": { "name": "ModifyPublicIpDnsNameOptions", "description": "Grants permission to modify public hostname options for a network interface", "accessLevel": "Write", "resourceTypes": [ { "name": "network-interface", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyreservedinstances": { "name": "ModifyReservedInstances", "description": "Grants permission to modify attributes of one or more Reserved Instances", "accessLevel": "Write", "resourceTypes": [ { "name": "reserved-instances", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:InstanceType", "ec2:ReservedInstancesOfferingType", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyrouteserver": { "name": "ModifyRouteServer", "description": "Grants permission to modify a route server", "accessLevel": "Write", "resourceTypes": [ { "name": "route-server", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifysecuritygrouprules": { "name": "ModifySecurityGroupRules", "description": "Grants permission to modify the rules of a security group", "accessLevel": "Write", "resourceTypes": [ { "name": "security-group", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:SecurityGroupID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "security-group-rule", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "prefix-list", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifysnapshotattribute": { "name": "ModifySnapshotAttribute", "description": "Grants permission to add or remove permission settings for a snapshot", "accessLevel": "Permissions management", "resourceTypes": [ { "name": "snapshot", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Add/group", "ec2:Add/userId", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:Owner", "ec2:ParentVolume", "ec2:Remove/group", "ec2:Remove/userId", "ec2:ResourceTag/${TagKey}", "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:VolumeSize" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifysnapshottier": { "name": "ModifySnapshotTier", "description": "Grants permission to archive Amazon EBS snapshots", "accessLevel": "Write", "resourceTypes": [ { "name": "snapshot", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:Encrypted", "ec2:Owner", "ec2:ParentVolume", "ec2:ResourceTag/${TagKey}", "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:VolumeSize" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyspotfleetrequest": { "name": "ModifySpotFleetRequest", "description": "Grants permission to modify a Spot Fleet request", "accessLevel": "Write", "resourceTypes": [ { "name": "spot-fleet-request", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "launch-template", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ManagedResourceOperator", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "subnet", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifysubnetattribute": { "name": "ModifySubnetAttribute", "description": "Grants permission to modify an attribute of a subnet", "accessLevel": "Write", "resourceTypes": [ { "name": "subnet", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifytrafficmirrorfilternetworkservices": { "name": "ModifyTrafficMirrorFilterNetworkServices", "description": "Grants permission to allow or restrict mirroring network services", "accessLevel": "Write", "resourceTypes": [ { "name": "traffic-mirror-filter", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifytrafficmirrorfilterrule": { "name": "ModifyTrafficMirrorFilterRule", "description": "Grants permission to modify a traffic mirror rule", "accessLevel": "Write", "resourceTypes": [ { "name": "traffic-mirror-filter", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "traffic-mirror-filter-rule", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifytrafficmirrorsession": { "name": "ModifyTrafficMirrorSession", "description": "Grants permission to modify a traffic mirror session", "accessLevel": "Write", "resourceTypes": [ { "name": "traffic-mirror-session", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "traffic-mirror-filter", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "traffic-mirror-target", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifytransitgateway": { "name": "ModifyTransitGateway", "description": "Grants permission to modify a transit gateway", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayId" ], "dependentActions": [] }, { "name": "transit-gateway-route-table", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayRouteTableId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifytransitgatewayprefixlistreference": { "name": "ModifyTransitGatewayPrefixListReference", "description": "Grants permission to modify a transit gateway prefix list reference", "accessLevel": "Write", "resourceTypes": [ { "name": "prefix-list", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "transit-gateway-route-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayRouteTableId" ], "dependentActions": [] }, { "name": "transit-gateway-attachment", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayAttachmentId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifytransitgatewayvpcattachment": { "name": "ModifyTransitGatewayVpcAttachment", "description": "Grants permission to modify a VPC attachment on a transit gateway", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway-attachment", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayAttachmentId" ], "dependentActions": [] }, { "name": "subnet", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyverifiedaccessendpoint": { "name": "ModifyVerifiedAccessEndpoint", "description": "Grants permission to modify the configuration of a Verified Access endpoint", "accessLevel": "Write", "resourceTypes": [ { "name": "verified-access-endpoint", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "subnet", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "verified-access-group", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyverifiedaccessendpointpolicy": { "name": "ModifyVerifiedAccessEndpointPolicy", "description": "Grants permission to modify the specified Verified Access endpoint policy", "accessLevel": "Write", "resourceTypes": [ { "name": "verified-access-endpoint", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyverifiedaccessgroup": { "name": "ModifyVerifiedAccessGroup", "description": "Grants permission to modify the specified Verified Access Group configuration", "accessLevel": "Write", "resourceTypes": [ { "name": "verified-access-group", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "verified-access-instance", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyverifiedaccessgrouppolicy": { "name": "ModifyVerifiedAccessGroupPolicy", "description": "Grants permission to modify the specified Verified Access group policy", "accessLevel": "Write", "resourceTypes": [ { "name": "verified-access-group", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyverifiedaccessinstance": { "name": "ModifyVerifiedAccessInstance", "description": "Grants permission to modify the configuration of the specified Verified Access instance", "accessLevel": "Write", "resourceTypes": [ { "name": "verified-access-instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyverifiedaccessinstanceloggingconfiguration": { "name": "ModifyVerifiedAccessInstanceLoggingConfiguration", "description": "Grants permission to modify the logging configuration for the specified Verified Access instance", "accessLevel": "Write", "resourceTypes": [ { "name": "verified-access-instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyverifiedaccesstrustprovider": { "name": "ModifyVerifiedAccessTrustProvider", "description": "Grants permission to modify the configuration of the specified Verified Access trust provider", "accessLevel": "Write", "resourceTypes": [ { "name": "verified-access-trust-provider", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyvolume": { "name": "ModifyVolume", "description": "Grants permission to modify the parameters of an EBS volume", "accessLevel": "Write", "resourceTypes": [ { "name": "volume", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:ManagedResourceOperator", "ec2:ParentSnapshot", "ec2:ResourceTag/${TagKey}", "ec2:VolumeID", "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", "ec2:VolumeType" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyvolumeattribute": { "name": "ModifyVolumeAttribute", "description": "Grants permission to modify an attribute of a volume", "accessLevel": "Write", "resourceTypes": [ { "name": "volume", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:ManagedResourceOperator", "ec2:ParentSnapshot", "ec2:ResourceTag/${TagKey}", "ec2:VolumeID", "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", "ec2:VolumeType" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyvpcattribute": { "name": "ModifyVpcAttribute", "description": "Grants permission to modify an attribute of a VPC", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyvpcblockpublicaccessexclusion": { "name": "ModifyVpcBlockPublicAccessExclusion", "description": "Grants permission to modify an exclusion list for blocked public access on a VPC", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc-block-public-access-exclusion", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyvpcblockpublicaccessoptions": { "name": "ModifyVpcBlockPublicAccessOptions", "description": "Grants permission to modify options for blocked public access on a VPC", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyvpcendpoint": { "name": "ModifyVpcEndpoint", "description": "Grants permission to modify an attribute of a VPC endpoint", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc-endpoint", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}", "ec2:vpceMultiRegion", "ec2:vpceServiceRegion" ], "dependentActions": [] }, { "name": "route-table", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:RouteTableID" ], "dependentActions": [] }, { "name": "security-group", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:SecurityGroupID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "subnet", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyvpcendpointconnectionnotification": { "name": "ModifyVpcEndpointConnectionNotification", "description": "Grants permission to modify a connection notification for a VPC endpoint or VPC endpoint service", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc-endpoint", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "vpc-endpoint-service", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:vpceMultiRegion", "ec2:vpceSupportedRegion" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyvpcendpointserviceconfiguration": { "name": "ModifyVpcEndpointServiceConfiguration", "description": "Grants permission to modify the attributes of a VPC endpoint service configuration", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc-endpoint-service", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}", "ec2:VpceServicePrivateDnsName", "ec2:vpceMultiRegion", "ec2:vpceSupportedRegion" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyvpcendpointservicepayerresponsibility": { "name": "ModifyVpcEndpointServicePayerResponsibility", "description": "Grants permission to modify the payer responsibility for a VPC endpoint service", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc-endpoint-service", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}", "ec2:vpceMultiRegion", "ec2:vpceSupportedRegion" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyvpcendpointservicepermissions": { "name": "ModifyVpcEndpointServicePermissions", "description": "Grants permission to modify the permissions for a VPC endpoint service", "accessLevel": "Permissions management", "resourceTypes": [ { "name": "vpc-endpoint-service", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}", "ec2:vpceMultiRegion", "ec2:vpceSupportedRegion" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyvpcpeeringconnectionoptions": { "name": "ModifyVpcPeeringConnectionOptions", "description": "Grants permission to modify the VPC peering connection options on one side of a VPC peering connection", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc-peering-connection", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AccepterVpc", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:RequesterVpc", "ec2:ResourceTag/${TagKey}", "ec2:VpcPeeringConnectionID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyvpctenancy": { "name": "ModifyVpcTenancy", "description": "Grants permission to modify the instance tenancy attribute of a VPC", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy", "ec2:VpcID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyvpnconnection": { "name": "ModifyVpnConnection", "description": "Grants permission to modify the target gateway of a Site-to-Site VPN connection", "accessLevel": "Write", "resourceTypes": [ { "name": "vpn-connection", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AuthenticationType", "ec2:DPDTimeoutSeconds", "ec2:GatewayType", "ec2:IKEVersions", "ec2:InsideTunnelCidr", "ec2:InsideTunnelIpv6Cidr", "ec2:Phase1DHGroup", "ec2:Phase1EncryptionAlgorithms", "ec2:Phase1IntegrityAlgorithms", "ec2:Phase1LifetimeSeconds", "ec2:Phase2DHGroup", "ec2:Phase2EncryptionAlgorithms", "ec2:Phase2IntegrityAlgorithms", "ec2:Phase2LifetimeSeconds", "ec2:RekeyFuzzPercentage", "ec2:RekeyMarginTimeSeconds", "ec2:ReplayWindowSizePackets", "ec2:ResourceTag/${TagKey}", "ec2:RoutingType" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyvpnconnectionoptions": { "name": "ModifyVpnConnectionOptions", "description": "Grants permission to modify the connection options for your Site-to-Site VPN connection", "accessLevel": "Write", "resourceTypes": [ { "name": "vpn-connection", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyvpntunnelcertificate": { "name": "ModifyVpnTunnelCertificate", "description": "Grants permission to modify the certificate for a Site-to-Site VPN connection", "accessLevel": "Write", "resourceTypes": [ { "name": "vpn-connection", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "modifyvpntunneloptions": { "name": "ModifyVpnTunnelOptions", "description": "Grants permission to modify the options for a Site-to-Site VPN connection", "accessLevel": "Write", "resourceTypes": [ { "name": "vpn-connection", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AuthenticationType", "ec2:DPDTimeoutSeconds", "ec2:GatewayType", "ec2:IKEVersions", "ec2:InsideTunnelCidr", "ec2:InsideTunnelIpv6Cidr", "ec2:Phase1DHGroup", "ec2:Phase1EncryptionAlgorithms", "ec2:Phase1IntegrityAlgorithms", "ec2:Phase1LifetimeSeconds", "ec2:Phase2DHGroup", "ec2:Phase2EncryptionAlgorithms", "ec2:Phase2IntegrityAlgorithms", "ec2:Phase2LifetimeSeconds", "ec2:RekeyFuzzPercentage", "ec2:RekeyMarginTimeSeconds", "ec2:ReplayWindowSizePackets", "ec2:ResourceTag/${TagKey}", "ec2:RoutingType" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "monitorinstances": { "name": "MonitorInstances", "description": "Grants permission to enable detailed monitoring for a running instance", "accessLevel": "Write", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "moveaddresstovpc": { "name": "MoveAddressToVpc", "description": "Grants permission to move an Elastic IP address from the EC2-Classic platform to the EC2-VPC platform", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "movebyoipcidrtoipam": { "name": "MoveByoipCidrToIpam", "description": "Grants permission to move a BYOIP IPv4 CIDR to Amazon VPC IP Address Manager (IPAM) from a public IPv4 pool", "accessLevel": "Write", "resourceTypes": [ { "name": "ipam-pool", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "movecapacityreservationinstances": { "name": "MoveCapacityReservationInstances", "description": "Grants permission to move available capacity from a source Capacity Reservation to a destination Capacity Reservation", "accessLevel": "Write", "resourceTypes": [ { "name": "capacity-reservation", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CapacityReservationFleet", "ec2:CreateDate", "ec2:DestinationCapacityReservationId", "ec2:EbsOptimized", "ec2:EndDate", "ec2:EndDateType", "ec2:InstanceCount", "ec2:InstanceMatchCriteria", "ec2:InstancePlatform", "ec2:InstanceType", "ec2:OutpostArn", "ec2:PlacementGroup", "ec2:ResourceTag/${TagKey}", "ec2:SourceCapacityReservationId", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "pausevolumeio": { "name": "PauseVolumeIO", "isPermissionOnly": true, "description": "Grants permission to temporarily pause I/O operations for a target Amazon EBS volume", "accessLevel": "Write", "resourceTypes": [ { "name": "volume", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:ManagedResourceOperator", "ec2:ParentSnapshot", "ec2:ResourceTag/${TagKey}", "ec2:VolumeID", "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", "ec2:VolumeType" ], "dependentActions": [] }, { "name": "instance", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "provisionbyoipcidr": { "name": "ProvisionByoipCidr", "description": "Grants permission to provision an address range for use in AWS through bring your own IP addresses (BYOIP), and to create a corresponding address pool", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "provisionipambyoasn": { "name": "ProvisionIpamByoasn", "description": "Grants permission to provision an Autonomous System Number (ASN) for use in an Amazon Web Services account", "accessLevel": "Write", "resourceTypes": [ { "name": "ipam", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "provisionipampoolcidr": { "name": "ProvisionIpamPoolCidr", "description": "Grants permission to provision a CIDR to an Amazon VPC IP Address Manager (IPAM) pool", "accessLevel": "Write", "resourceTypes": [ { "name": "ipam-pool", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "ipam-external-resource-verification-token", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "provisionpublicipv4poolcidr": { "name": "ProvisionPublicIpv4PoolCidr", "description": "Grants permission to provision a CIDR to a public IPv4 pool", "accessLevel": "Write", "resourceTypes": [ { "name": "ipam-pool", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "ipv4pool-ec2", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "purchasecapacityblock": { "name": "PurchaseCapacityBlock", "description": "Grants permission to purchase a Capacity Block offering", "accessLevel": "Write", "resourceTypes": [ { "name": "capacity-reservation", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:CapacityReservationFleet" ], "dependentActions": [ "ec2:CreateTags" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "purchasecapacityblockextension": { "name": "PurchaseCapacityBlockExtension", "description": "Grants permission to purchase a Capacity Block extension", "accessLevel": "Write", "resourceTypes": [ { "name": "capacity-reservation", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:CapacityReservationFleet" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "purchasehostreservation": { "name": "PurchaseHostReservation", "description": "Grants permission to purchase a reservation with configurations that match those of a Dedicated Host", "accessLevel": "Write", "resourceTypes": [ { "name": "dedicated-host", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [ "ec2:CreateTags" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "purchasereservedinstancesoffering": { "name": "PurchaseReservedInstancesOffering", "description": "Grants permission to purchase a Reserved Instance offering", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "purchasescheduledinstances": { "name": "PurchaseScheduledInstances", "description": "Grants permission to purchase one or more Scheduled Instances with a specified schedule", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "putresourcepolicy": { "name": "PutResourcePolicy", "isPermissionOnly": true, "description": "Grants permission to attach an IAM policy that enables cross-account sharing to a resource", "accessLevel": "Permissions management", "resourceTypes": [ { "name": "ipam-pool", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "placement-group", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:PlacementGroupName", "ec2:PlacementGroupStrategy", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "verified-access-group", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "rebootinstances": { "name": "RebootInstances", "description": "Grants permission to request a reboot of one or more instances", "accessLevel": "Write", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "registerimage": { "name": "RegisterImage", "description": "Grants permission to register an Amazon Machine Image (AMI)", "accessLevel": "Write", "resourceTypes": [ { "name": "image", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:ImageID", "ec2:Owner" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "snapshot", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:OutpostArn", "ec2:Owner", "ec2:ParentVolume", "ec2:ResourceTag/${TagKey}", "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:SourceOutpostArn", "ec2:VolumeSize" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "registerinstanceeventnotificationattributes": { "name": "RegisterInstanceEventNotificationAttributes", "description": "Grants permission to add tags to the set of tags to include in notifications about scheduled events for your instances", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "registertransitgatewaymulticastgroupmembers": { "name": "RegisterTransitGatewayMulticastGroupMembers", "description": "Grants permission to register one or more network interfaces as a member of a group IP address in a transit gateway multicast domain", "accessLevel": "Write", "resourceTypes": [ { "name": "network-interface", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ManagedResourceOperator", "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependentActions": [] }, { "name": "transit-gateway-multicast-domain", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayMulticastDomainId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "registertransitgatewaymulticastgroupsources": { "name": "RegisterTransitGatewayMulticastGroupSources", "description": "Grants permission to register one or more network interfaces as a source of a group IP address in a transit gateway multicast domain", "accessLevel": "Write", "resourceTypes": [ { "name": "network-interface", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ManagedResourceOperator", "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependentActions": [] }, { "name": "transit-gateway-multicast-domain", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayMulticastDomainId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "rejectcapacityreservationbillingownership": { "name": "RejectCapacityReservationBillingOwnership", "description": "Grants permission to reject a request to assign billing of the available capacity of a shared Capacity Reservation to your account", "accessLevel": "Write", "resourceTypes": [ { "name": "capacity-reservation", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CapacityReservationFleet", "ec2:CreateDate", "ec2:DestinationCapacityReservationId", "ec2:EbsOptimized", "ec2:EndDate", "ec2:EndDateType", "ec2:InstanceCount", "ec2:InstanceMatchCriteria", "ec2:InstancePlatform", "ec2:InstanceType", "ec2:OutpostArn", "ec2:PlacementGroup", "ec2:ResourceTag/${TagKey}", "ec2:SourceCapacityReservationId", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "rejecttransitgatewaymulticastdomainassociations": { "name": "RejectTransitGatewayMulticastDomainAssociations", "description": "Grants permission to reject requests to associate cross-account subnets with a transit gateway multicast domain", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway-attachment", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayAttachmentId" ], "dependentActions": [] }, { "name": "transit-gateway-multicast-domain", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayMulticastDomainId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "rejecttransitgatewaypeeringattachment": { "name": "RejectTransitGatewayPeeringAttachment", "description": "Grants permission to reject a transit gateway peering attachment request", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway-attachment", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayAttachmentId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "rejecttransitgatewayvpcattachment": { "name": "RejectTransitGatewayVpcAttachment", "description": "Grants permission to reject a request to attach a VPC to a transit gateway", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway-attachment", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayAttachmentId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "rejectvpcendpointconnections": { "name": "RejectVpcEndpointConnections", "description": "Grants permission to reject one or more VPC endpoint connection requests to a VPC endpoint service", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc-endpoint-service", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:vpceMultiRegion", "ec2:vpceSupportedRegion" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "rejectvpcpeeringconnection": { "name": "RejectVpcPeeringConnection", "description": "Grants permission to reject a VPC peering connection request", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc-peering-connection", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AccepterVpc", "ec2:RequesterVpc", "ec2:ResourceTag/${TagKey}", "ec2:VpcPeeringConnectionID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "releaseaddress": { "name": "ReleaseAddress", "description": "Grants permission to release an Elastic IP address", "accessLevel": "Write", "resourceTypes": [ { "name": "elastic-ip", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AllocationId", "ec2:Domain", "ec2:PublicIpAddress", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "releasehosts": { "name": "ReleaseHosts", "description": "Grants permission to release one or more On-Demand Dedicated Hosts", "accessLevel": "Write", "resourceTypes": [ { "name": "dedicated-host", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "releaseipampoolallocation": { "name": "ReleaseIpamPoolAllocation", "description": "Grants permission to release an allocation within an Amazon VPC IP Address Manager (IPAM) pool", "accessLevel": "Write", "resourceTypes": [ { "name": "ipam-pool", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "replaceiaminstanceprofileassociation": { "name": "ReplaceIamInstanceProfileAssociation", "description": "Grants permission to replace an IAM instance profile for an instance", "accessLevel": "Write", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:NewInstanceProfile", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [ "iam:PassRole" ] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "replaceimagecriteriainallowedimagessettings": { "name": "ReplaceImageCriteriaInAllowedImagesSettings", "description": "Grants permission to replace image criteria in allowed images settings", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "replacenetworkaclassociation": { "name": "ReplaceNetworkAclAssociation", "description": "Grants permission to change which network ACL a subnet is associated with", "accessLevel": "Write", "resourceTypes": [ { "name": "network-acl", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:NetworkAclID", "ec2:ResourceTag/${TagKey}", "ec2:Vpc" ], "dependentActions": [] }, { "name": "subnet", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "replacenetworkaclentry": { "name": "ReplaceNetworkAclEntry", "description": "Grants permission to replace an entry (rule) in a network ACL", "accessLevel": "Write", "resourceTypes": [ { "name": "network-acl", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:NetworkAclID", "ec2:ResourceTag/${TagKey}", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "replaceroute": { "name": "ReplaceRoute", "description": "Grants permission to replace a route within a route table in a VPC", "accessLevel": "Write", "resourceTypes": [ { "name": "route-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:RouteTableID", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "replaceroutetableassociation": { "name": "ReplaceRouteTableAssociation", "description": "Grants permission to change the route table that is associated with a subnet", "accessLevel": "Write", "resourceTypes": [ { "name": "route-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:RouteTableID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "internet-gateway", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:InternetGatewayID", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "ipv4pool-ec2", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "ipv6pool-ec2", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "subnet", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "vpn-gateway", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "replacetransitgatewayroute": { "name": "ReplaceTransitGatewayRoute", "description": "Grants permission to replace a route in a transit gateway route table", "accessLevel": "Write", "resourceTypes": [ { "name": "transit-gateway-route-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayRouteTableId" ], "dependentActions": [] }, { "name": "transit-gateway-attachment", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayAttachmentId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "replacevpntunnel": { "name": "ReplaceVpnTunnel", "description": "Grants permission to replace a VPN tunnel", "accessLevel": "Write", "resourceTypes": [ { "name": "vpn-connection", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "reportinstancestatus": { "name": "ReportInstanceStatus", "description": "Grants permission to submit feedback about the status of an instance", "accessLevel": "Write", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "ec2:InstanceBandwidthWeighting", "ec2:InstanceID" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "requestspotfleet": { "name": "RequestSpotFleet", "description": "Grants permission to create a Spot Fleet request", "accessLevel": "Write", "resourceTypes": [ { "name": "spot-fleet-request", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "image", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], "dependentActions": [] }, { "name": "key-pair", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:KeyPairName", "ec2:KeyPairType", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "launch-template", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ManagedResourceOperator", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "placement-group", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:PlacementGroupName", "ec2:PlacementGroupStrategy", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "security-group", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:SecurityGroupID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "snapshot", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:OutpostArn", "ec2:Owner", "ec2:ParentVolume", "ec2:ResourceTag/${TagKey}", "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:SourceOutpostArn", "ec2:VolumeSize" ], "dependentActions": [] }, { "name": "subnet", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "requestspotinstances": { "name": "RequestSpotInstances", "description": "Grants permission to create a Spot Instance request", "accessLevel": "Write", "resourceTypes": [ { "name": "spot-instances-request", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags", "iam:PassRole" ] }, { "name": "image", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], "dependentActions": [] }, { "name": "key-pair", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:KeyPairName", "ec2:KeyPairType", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "network-interface", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AuthorizedUser", "ec2:AvailabilityZone", "ec2:ManagedResourceOperator", "ec2:NetworkInterfaceID", "ec2:Permission", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependentActions": [] }, { "name": "placement-group", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:PlacementGroupName", "ec2:PlacementGroupStrategy", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "security-group", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:SecurityGroupID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "snapshot", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:OutpostArn", "ec2:Owner", "ec2:ParentVolume", "ec2:ResourceTag/${TagKey}", "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:SourceOutpostArn", "ec2:VolumeSize" ], "dependentActions": [] }, { "name": "subnet", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "resetaddressattribute": { "name": "ResetAddressAttribute", "description": "Grants permission to reset the attribute of the specified IP address", "accessLevel": "Write", "resourceTypes": [ { "name": "elastic-ip", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AllocationId", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:Domain", "ec2:PublicIpAddress", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "resetebsdefaultkmskeyid": { "name": "ResetEbsDefaultKmsKeyId", "description": "Grants permission to reset the default customer master key (CMK) for EBS encryption for your account to use the AWS-managed CMK for EBS", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "resetfpgaimageattribute": { "name": "ResetFpgaImageAttribute", "description": "Grants permission to reset an attribute of an Amazon FPGA Image (AFI) to its default value", "accessLevel": "Write", "resourceTypes": [ { "name": "fpga-image", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:Owner", "ec2:Public", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "resetimageattribute": { "name": "ResetImageAttribute", "description": "Grants permission to reset an attribute of an Amazon Machine Image (AMI) to its default value", "accessLevel": "Write", "resourceTypes": [ { "name": "image", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "resetinstanceattribute": { "name": "ResetInstanceAttribute", "description": "Grants permission to reset an attribute of an instance to its default value", "accessLevel": "Write", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "resetnetworkinterfaceattribute": { "name": "ResetNetworkInterfaceAttribute", "description": "Grants permission to reset an attribute of a network interface", "accessLevel": "Write", "resourceTypes": [ { "name": "network-interface", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ManagedResourceOperator", "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "resetsnapshotattribute": { "name": "ResetSnapshotAttribute", "description": "Grants permission to reset permission settings for a snapshot", "accessLevel": "Permissions management", "resourceTypes": [ { "name": "snapshot", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:Owner", "ec2:ParentVolume", "ec2:ResourceTag/${TagKey}", "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:VolumeSize" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "restoreaddresstoclassic": { "name": "RestoreAddressToClassic", "description": "Grants permission to restore an Elastic IP address that was previously moved to the EC2-VPC platform back to the EC2-Classic platform", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "restoreimagefromrecyclebin": { "name": "RestoreImageFromRecycleBin", "description": "Grants permission to restore an Amazon Machine Image (AMI) from the Recycle Bin", "accessLevel": "Write", "resourceTypes": [ { "name": "image", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "restoremanagedprefixlistversion": { "name": "RestoreManagedPrefixListVersion", "description": "Grants permission to restore the entries from a previous version of a managed prefix list to a new version of the prefix list", "accessLevel": "Write", "resourceTypes": [ { "name": "prefix-list", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "restoresnapshotfromrecyclebin": { "name": "RestoreSnapshotFromRecycleBin", "description": "Grants permission to restore an Amazon EBS snapshot from the Recycle Bin", "accessLevel": "Write", "resourceTypes": [ { "name": "snapshot", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Encrypted", "ec2:Owner", "ec2:ParentVolume", "ec2:ResourceTag/${TagKey}", "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:VolumeSize" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "restoresnapshottier": { "name": "RestoreSnapshotTier", "description": "Grants permission to restore an archived Amazon EBS snapshot for use temporarily or permanently, or modify the restore period or restore type for a snapshot that was previously temporarily restored", "accessLevel": "Write", "resourceTypes": [ { "name": "snapshot", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Encrypted", "ec2:Owner", "ec2:ParentVolume", "ec2:ResourceTag/${TagKey}", "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:VolumeSize" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "revokeclientvpningress": { "name": "RevokeClientVpnIngress", "description": "Grants permission to remove an inbound authorization rule from a Client VPN endpoint", "accessLevel": "Write", "resourceTypes": [ { "name": "client-vpn-endpoint", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ClientRootCertificateChainArn", "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "revokesecuritygroupegress": { "name": "RevokeSecurityGroupEgress", "description": "Grants permission to remove one or more outbound rules from a VPC security group", "accessLevel": "Write", "resourceTypes": [ { "name": "security-group", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:SecurityGroupID", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "revokesecuritygroupingress": { "name": "RevokeSecurityGroupIngress", "description": "Grants permission to remove one or more inbound rules from a security group", "accessLevel": "Write", "resourceTypes": [ { "name": "security-group", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:SecurityGroupID", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "runinstances": { "name": "RunInstances", "description": "Grants permission to launch one or more instances", "accessLevel": "Write", "resourceTypes": [ { "name": "image", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ImageID", "ec2:ImageType", "ec2:IsLaunchTemplateResource", "ec2:LaunchTemplate", "ec2:Owner", "ec2:Public", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], "dependentActions": [ "ec2:CreateTags", "iam:PassRole", "ssm:GetParameters" ] }, { "name": "instance", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:IsLaunchTemplateResource", "ec2:LaunchTemplate", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] }, { "name": "network-interface", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", "ec2:IsLaunchTemplateResource", "ec2:LaunchTemplate", "ec2:ManagedResourceOperator", "ec2:NetworkInterfaceID", "ec2:Subnet", "ec2:Vpc" ], "dependentActions": [] }, { "name": "security-group", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:IsLaunchTemplateResource", "ec2:LaunchTemplate", "ec2:ResourceTag/${TagKey}", "ec2:SecurityGroupID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "subnet", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:IsLaunchTemplateResource", "ec2:LaunchTemplate", "ec2:ResourceTag/${TagKey}", "ec2:SubnetID", "ec2:Vpc" ], "dependentActions": [] }, { "name": "capacity-reservation", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:IsLaunchTemplateResource", "ec2:LaunchTemplate" ], "dependentActions": [] }, { "name": "elastic-gpu", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ElasticGpuType", "ec2:IsLaunchTemplateResource", "ec2:LaunchTemplate", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "elastic-inference", "required": false, "conditionKeys": [], "dependentActions": [] }, { "name": "group", "required": false, "conditionKeys": [], "dependentActions": [] }, { "name": "key-pair", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:IsLaunchTemplateResource", "ec2:KeyPairName", "ec2:KeyPairType", "ec2:LaunchTemplate", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "launch-template", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:IsLaunchTemplateResource", "ec2:LaunchTemplate", "ec2:ManagedResourceOperator", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "license-configuration", "required": false, "conditionKeys": [], "dependentActions": [] }, { "name": "placement-group", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:IsLaunchTemplateResource", "ec2:LaunchTemplate", "ec2:PlacementGroupName", "ec2:PlacementGroupStrategy", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] }, { "name": "snapshot", "required": false, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:IsLaunchTemplateResource", "ec2:LaunchTemplate", "ec2:Owner", "ec2:ParentVolume", "ec2:ResourceTag/${TagKey}", "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:VolumeSize" ], "dependentActions": [] }, { "name": "volume", "required": false, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:IsLaunchTemplateResource", "ec2:LaunchTemplate", "ec2:ManagedResourceOperator", "ec2:ParentSnapshot", "ec2:VolumeID", "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", "ec2:VolumeType" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [], "scenarios": [ { "name": "EC2-Classic-EBS", "resourceTypes": [ { "name": "image", "required": true }, { "name": "instance", "required": true }, { "name": "security-group", "required": true }, { "name": "volume", "required": true }, { "name": "key-pair", "required": false }, { "name": "placement-group", "required": false }, { "name": "snapshot", "required": false } ] }, { "name": "EC2-Classic-InstanceStore", "resourceTypes": [ { "name": "image", "required": true }, { "name": "instance", "required": true }, { "name": "security-group", "required": true }, { "name": "key-pair", "required": false }, { "name": "placement-group", "required": false }, { "name": "snapshot", "required": false } ] }, { "name": "EC2-VPC-EBS", "resourceTypes": [ { "name": "image", "required": true }, { "name": "instance", "required": true }, { "name": "network-interface", "required": true }, { "name": "security-group", "required": true }, { "name": "volume", "required": true }, { "name": "key-pair", "required": false }, { "name": "placement-group", "required": false }, { "name": "snapshot", "required": false } ] }, { "name": "EC2-VPC-EBS-Subnet", "resourceTypes": [ { "name": "image", "required": true }, { "name": "instance", "required": true }, { "name": "network-interface", "required": true }, { "name": "security-group", "required": true }, { "name": "subnet", "required": true }, { "name": "volume", "required": true }, { "name": "key-pair", "required": false }, { "name": "placement-group", "required": false }, { "name": "snapshot", "required": false } ] }, { "name": "EC2-VPC-InstanceStore", "resourceTypes": [ { "name": "image", "required": true }, { "name": "instance", "required": true }, { "name": "network-interface", "required": true }, { "name": "security-group", "required": true }, { "name": "key-pair", "required": false }, { "name": "placement-group", "required": false }, { "name": "snapshot", "required": false } ] }, { "name": "EC2-VPC-InstanceStore-Subnet", "resourceTypes": [ { "name": "image", "required": true }, { "name": "instance", "required": true }, { "name": "network-interface", "required": true }, { "name": "security-group", "required": true }, { "name": "subnet", "required": true }, { "name": "key-pair", "required": false }, { "name": "placement-group", "required": false }, { "name": "snapshot", "required": false } ] } ] }, "runscheduledinstances": { "name": "RunScheduledInstances", "description": "Grants permission to launch one or more Scheduled Instances", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "searchlocalgatewayroutes": { "name": "SearchLocalGatewayRoutes", "description": "Grants permission to search for routes in a local gateway route table", "accessLevel": "List", "resourceTypes": [ { "name": "local-gateway-route-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "searchtransitgatewaymulticastgroups": { "name": "SearchTransitGatewayMulticastGroups", "description": "Grants permission to search for groups, sources, and members in a transit gateway multicast domain", "accessLevel": "List", "resourceTypes": [ { "name": "transit-gateway-multicast-domain", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayMulticastDomainId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "searchtransitgatewayroutes": { "name": "SearchTransitGatewayRoutes", "description": "Grants permission to search for routes in a transit gateway route table", "accessLevel": "List", "resourceTypes": [ { "name": "transit-gateway-route-table", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:transitGatewayRouteTableId" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "senddiagnosticinterrupt": { "name": "SendDiagnosticInterrupt", "description": "Grants permission to send a diagnostic interrupt to an Amazon EC2 instance", "accessLevel": "Write", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "sendspotinstanceinterruptions": { "name": "SendSpotInstanceInterruptions", "isPermissionOnly": true, "description": "Grants permission to interrupt a Spot Instance", "accessLevel": "Write", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "startdeclarativepoliciesreport": { "name": "StartDeclarativePoliciesReport", "description": "Grants permission to start a declarative policies report", "accessLevel": "Read", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "startinstances": { "name": "StartInstances", "description": "Grants permission to start a stopped instance", "accessLevel": "Write", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] }, { "name": "license-configuration", "required": false, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "startnetworkinsightsaccessscopeanalysis": { "name": "StartNetworkInsightsAccessScopeAnalysis", "description": "Grants permission to start a Network Access Scope analysis", "accessLevel": "Write", "resourceTypes": [ { "name": "network-insights-access-scope", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "network-insights-access-scope-analysis", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "startnetworkinsightsanalysis": { "name": "StartNetworkInsightsAnalysis", "description": "Grants permission to start analyzing a specified path", "accessLevel": "Write", "resourceTypes": [ { "name": "network-insights-analysis", "required": true, "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "ec2:CreateTags" ] }, { "name": "network-insights-path", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "startvpcendpointserviceprivatednsverification": { "name": "StartVpcEndpointServicePrivateDnsVerification", "description": "Grants permission to start the private DNS verification process for a VPC endpoint service", "accessLevel": "Write", "resourceTypes": [ { "name": "vpc-endpoint-service", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:vpceMultiRegion", "ec2:vpceSupportedRegion" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "stopinstances": { "name": "StopInstances", "description": "Grants permission to stop an Amazon EBS-backed instance", "accessLevel": "Write", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "terminateclientvpnconnections": { "name": "TerminateClientVpnConnections", "description": "Grants permission to terminate active Client VPN endpoint connections", "accessLevel": "Write", "resourceTypes": [ { "name": "client-vpn-endpoint", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ClientRootCertificateChainArn", "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "terminateinstances": { "name": "TerminateInstances", "description": "Grants permission to shut down one or more instances", "accessLevel": "Write", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "unassignipv6addresses": { "name": "UnassignIpv6Addresses", "description": "Grants permission to unassign one or more IPv6 addresses from a network interface", "accessLevel": "Write", "resourceTypes": [ { "name": "network-interface", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ManagedResourceOperator", "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "unassignprivateipaddresses": { "name": "UnassignPrivateIpAddresses", "description": "Grants permission to unassign one or more secondary private IP addresses from a network interface", "accessLevel": "Write", "resourceTypes": [ { "name": "network-interface", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:ManagedResourceOperator", "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "unassignprivatenatgatewayaddress": { "name": "UnassignPrivateNatGatewayAddress", "description": "Grants permission to unassign secondary private IPv4 addresses from a private NAT gateway", "accessLevel": "Write", "resourceTypes": [ { "name": "natgateway", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "unlocksnapshot": { "name": "UnlockSnapshot", "description": "Grants permission to unlock a snapshot that is locked in governance mode or in compliance mode while still in the cooling-off period", "accessLevel": "Write", "resourceTypes": [ { "name": "snapshot", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:Encrypted", "ec2:Owner", "ec2:ParentVolume", "ec2:ResourceTag/${TagKey}", "ec2:SnapshotCoolOffPeriod", "ec2:SnapshotID", "ec2:SnapshotLockDuration", "ec2:SnapshotTime", "ec2:VolumeSize" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "unmonitorinstances": { "name": "UnmonitorInstances", "description": "Grants permission to disable detailed monitoring for a running instance", "accessLevel": "Write", "resourceTypes": [ { "name": "instance", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:CpuOptionsAmdSevSnp", "ec2:EbsOptimized", "ec2:InstanceAutoRecovery", "ec2:InstanceBandwidthWeighting", "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:ManagedResourceOperator", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "updatesecuritygroupruledescriptionsegress": { "name": "UpdateSecurityGroupRuleDescriptionsEgress", "description": "Grants permission to update descriptions for one or more outbound rules in a VPC security group", "accessLevel": "Write", "resourceTypes": [ { "name": "security-group", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:SecurityGroupID", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "updatesecuritygroupruledescriptionsingress": { "name": "UpdateSecurityGroupRuleDescriptionsIngress", "description": "Grants permission to update descriptions for one or more inbound rules in a security group", "accessLevel": "Write", "resourceTypes": [ { "name": "security-group", "required": true, "conditionKeys": [ "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}", "ec2:SecurityGroupID", "ec2:Vpc" ], "dependentActions": [] } ], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] }, "withdrawbyoipcidr": { "name": "WithdrawByoipCidr", "description": "Grants permission to stop advertising an address range that was provisioned for use in AWS through bring your own IP addresses (BYOIP)", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "ec2:Region" ], "dependentActions": [] } }