{
  "url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html",
  "name": "Amazon EC2",
  "prefix": "ec2",
  "timestamp": "1775779207",
  "actions": [
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AcceptAddressTransfer.html",
      "name": "AcceptAddressTransfer",
      "description": "Grants permission to accept an Elastic IP address transfer",
      "access": "Write",
      "resources": [
        {
          "name": "elastic-ip",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:AllocationId",
        "ec2:Domain",
        "ec2:PublicIpAddress",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AcceptCapacityReservationBillingOwnership.html",
      "name": "AcceptCapacityReservationBillingOwnership",
      "description": "Grants permission to accept the assignment of billing of the available capacity of a shared Capacity Reservation to the calling account",
      "access": "Write",
      "resources": [
        {
          "name": "capacity-reservation",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:CapacityReservationFleet",
        "ec2:CreateDate",
        "ec2:DestinationCapacityReservationId",
        "ec2:EbsOptimized",
        "ec2:EndDate",
        "ec2:EndDateType",
        "ec2:InstanceCount",
        "ec2:InstanceMatchCriteria",
        "ec2:InstancePlatform",
        "ec2:InstanceType",
        "ec2:OutpostArn",
        "ec2:PlacementGroup",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SourceCapacityReservationId",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AcceptReservedInstancesExchangeQuote.html",
      "name": "AcceptReservedInstancesExchangeQuote",
      "description": "Grants permission to accept a Convertible Reserved Instance exchange quote",
      "access": "Write",
      "resources": [
        {
          "name": "reserved-instances",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:InstanceType",
        "ec2:ReservedInstancesOfferingType",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AcceptTransitGatewayMulticastDomainAssociations.html",
      "name": "AcceptTransitGatewayMulticastDomainAssociations",
      "description": "Grants permission to accept a request to associate subnets with a transit gateway multicast domain",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway-attachment",
          "is_required": false
        },
        {
          "name": "transit-gateway-multicast-domain",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayAttachmentId",
        "ec2:transitGatewayMulticastDomainId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AcceptTransitGatewayPeeringAttachment.html",
      "name": "AcceptTransitGatewayPeeringAttachment",
      "description": "Grants permission to accept a transit gateway peering attachment request",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway-attachment",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayAttachmentId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AcceptTransitGatewayVpcAttachment.html",
      "name": "AcceptTransitGatewayVpcAttachment",
      "description": "Grants permission to accept a request to attach a VPC to a transit gateway",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway-attachment",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayAttachmentId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AcceptVpcEndpointConnections.html",
      "name": "AcceptVpcEndpointConnections",
      "description": "Grants permission to accept one or more interface VPC endpoint connections to your VPC endpoint service",
      "access": "Write",
      "resources": [
        {
          "name": "vpc-endpoint-service",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:VpceMultiRegion",
        "ec2:VpceSupportedRegion",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AcceptVpcPeeringConnection.html",
      "name": "AcceptVpcPeeringConnection",
      "description": "Grants permission to accept a VPC peering connection request",
      "access": "Write",
      "resources": [
        {
          "name": "vpc",
          "is_required": true
        },
        {
          "name": "vpc-peering-connection",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:AccepterVpc",
        "ec2:RequesterVpc",
        "ec2:VpcPeeringConnectionID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AdvertiseByoipCidr.html",
      "name": "AdvertiseByoipCidr",
      "description": "Grants permission to advertise an IP address range that is provisioned for use in AWS through bring your own IP addresses (BYOIP)",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AllocateAddress.html",
      "name": "AllocateAddress",
      "description": "Grants permission to allocate an Elastic IP address (EIP) to your account",
      "access": "Write",
      "resources": [
        {
          "name": "elastic-ip",
          "is_required": true
        },
        {
          "name": "ipam-pool",
          "is_required": false
        },
        {
          "name": "ipv4pool-ec2",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AllocateHosts.html",
      "name": "AllocateHosts",
      "description": "Grants permission to allocate a Dedicated Host to your account",
      "access": "Write",
      "resources": [
        {
          "name": "dedicated-host",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:AutoPlacement",
        "ec2:AvailabilityZone",
        "ec2:HostRecovery",
        "ec2:InstanceType",
        "ec2:Quantity",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AllocateIpamPoolCidr.html",
      "name": "AllocateIpamPoolCidr",
      "description": "Grants permission to allocate a CIDR from an Amazon VPC IP Address Manager (IPAM) pool",
      "access": "Write",
      "resources": [
        {
          "name": "ipam-pool",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ApplySecurityGroupsToClientVpnTargetNetwork.html",
      "name": "ApplySecurityGroupsToClientVpnTargetNetwork",
      "description": "Grants permission to apply a security group to the association between a Client VPN endpoint and a target network",
      "access": "Write",
      "resources": [
        {
          "name": "client-vpn-endpoint",
          "is_required": true
        },
        {
          "name": "security-group",
          "is_required": true
        },
        {
          "name": "vpc",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ClientRootCertificateChainArn",
        "ec2:CloudwatchLogGroupArn",
        "ec2:CloudwatchLogStreamArn",
        "ec2:DirectoryArn",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SamlProviderArn",
        "ec2:ServerCertificateArn",
        "ec2:SecurityGroupID",
        "ec2:Vpc",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssignIpv6Addresses.html",
      "name": "AssignIpv6Addresses",
      "description": "Grants permission to assign one or more IPv6 addresses to a network interface",
      "access": "Write",
      "resources": [
        {
          "name": "network-interface",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:ManagedResourceOperator",
        "ec2:NetworkInterfaceID",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Subnet",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssignPrivateIpAddresses.html",
      "name": "AssignPrivateIpAddresses",
      "description": "Grants permission to assign one or more secondary private IP addresses to a network interface",
      "access": "Write",
      "resources": [
        {
          "name": "network-interface",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:ManagedResourceOperator",
        "ec2:NetworkInterfaceID",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Subnet",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssignPrivateNatGatewayAddress.html",
      "name": "AssignPrivateNatGatewayAddress",
      "description": "Grants permission to assign one or more secondary private IP addresses to a private NAT gateway",
      "access": "Write",
      "resources": [
        {
          "name": "natgateway",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateAddress.html",
      "name": "AssociateAddress",
      "description": "Grants permission to associate an Elastic IP address (EIP) with an instance or a network interface",
      "access": "Write",
      "resources": [
        {
          "name": "elastic-ip",
          "is_required": false
        },
        {
          "name": "instance",
          "is_required": false
        },
        {
          "name": "network-interface",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AllocationId",
        "ec2:Domain",
        "ec2:PublicIpAddress",
        "ec2:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:NetworkInterfaceID",
        "ec2:Subnet",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateCapacityReservationBillingOwner.html",
      "name": "AssociateCapacityReservationBillingOwner",
      "description": "Grants permission to assign billing of the unused capacity of a shared Capacity Reservation to a consumer account",
      "access": "Write",
      "resources": [
        {
          "name": "capacity-reservation",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:CapacityReservationFleet",
        "ec2:CreateDate",
        "ec2:DestinationCapacityReservationId",
        "ec2:EbsOptimized",
        "ec2:EndDate",
        "ec2:EndDateType",
        "ec2:InstanceCount",
        "ec2:InstanceMatchCriteria",
        "ec2:InstancePlatform",
        "ec2:InstanceType",
        "ec2:OutpostArn",
        "ec2:PlacementGroup",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SourceCapacityReservationId",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateClientVpnTargetNetwork.html",
      "name": "AssociateClientVpnTargetNetwork",
      "description": "Grants permission to associate a target network with a Client VPN endpoint",
      "access": "Write",
      "resources": [
        {
          "name": "client-vpn-endpoint",
          "is_required": true
        },
        {
          "name": "subnet",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ClientRootCertificateChainArn",
        "ec2:CloudwatchLogGroupArn",
        "ec2:CloudwatchLogStreamArn",
        "ec2:DirectoryArn",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SamlProviderArn",
        "ec2:ServerCertificateArn",
        "ec2:AvailabilityZoneId",
        "ec2:SubnetID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateDhcpOptions.html",
      "name": "AssociateDhcpOptions",
      "description": "Grants permission to associate or disassociate a set of DHCP options with a VPC",
      "access": "Write",
      "resources": [
        {
          "name": "dhcp-options",
          "is_required": true
        },
        {
          "name": "vpc",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:DhcpOptionsID",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateEnclaveCertificateIamRole.html",
      "name": "AssociateEnclaveCertificateIamRole",
      "description": "Grants permission to associate an ACM certificate with an IAM role to be used in an EC2 Enclave",
      "access": "Write",
      "resources": [
        {
          "name": "certificate",
          "is_required": true
        },
        {
          "name": "role",
          "is_required": true
        }
      ],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateIamInstanceProfile.html",
      "name": "AssociateIamInstanceProfile",
      "description": "Grants permission to associate an IAM instance profile with a running or stopped instance",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:NewInstanceProfile",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": [
        "iam:PassRole"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateInstanceEventWindow.html",
      "name": "AssociateInstanceEventWindow",
      "description": "Grants permission to associate one or more targets with an event window",
      "access": "Write",
      "resources": [
        {
          "name": "instance-event-window",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateIpamByoasn.html",
      "name": "AssociateIpamByoasn",
      "description": "Grants permission to associate an Autonomous System Number (ASN) with a BYOIP CIDR",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateIpamResourceDiscovery.html",
      "name": "AssociateIpamResourceDiscovery",
      "description": "Grants permission to associate an IPAM resource discovery with an Amazon VPC IPAM",
      "access": "Write",
      "resources": [
        {
          "name": "ipam",
          "is_required": true
        },
        {
          "name": "ipam-resource-discovery",
          "is_required": true
        },
        {
          "name": "ipam-resource-discovery-association",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateNatGatewayAddress.html",
      "name": "AssociateNatGatewayAddress",
      "description": "Grants permission to associate an Elastic IP address and private IP address with a public NAT gateway",
      "access": "Write",
      "resources": [
        {
          "name": "elastic-ip",
          "is_required": true
        },
        {
          "name": "natgateway",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AllocationId",
        "ec2:Domain",
        "ec2:PublicIpAddress",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateRouteServer.html",
      "name": "AssociateRouteServer",
      "description": "Grants permission to associate a route server with a VPC",
      "access": "Write",
      "resources": [
        {
          "name": "route-server",
          "is_required": true
        },
        {
          "name": "vpc",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Ipv4IpamPoolId",
        "ec2:Ipv6IpamPoolId",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateRouteTable.html",
      "name": "AssociateRouteTable",
      "description": "Grants permission to associate a subnet or gateway with a route table",
      "access": "Write",
      "resources": [
        {
          "name": "route-table",
          "is_required": true
        },
        {
          "name": "internet-gateway",
          "is_required": false
        },
        {
          "name": "ipv4pool-ec2",
          "is_required": false
        },
        {
          "name": "subnet",
          "is_required": false
        },
        {
          "name": "vpn-gateway",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RouteTableID",
        "ec2:Vpc",
        "ec2:InternetGatewayID",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:SubnetID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateSecurityGroupVpc.html",
      "name": "AssociateSecurityGroupVpc",
      "description": "Grants permission to associate a security group with another VPC in the same Region",
      "access": "Write",
      "resources": [
        {
          "name": "security-group",
          "is_required": true
        },
        {
          "name": "vpc",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SecurityGroupID",
        "ec2:Vpc",
        "ec2:Ipv4IpamPoolId",
        "ec2:Ipv6IpamPoolId",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateSubnetCidrBlock.html",
      "name": "AssociateSubnetCidrBlock",
      "description": "Grants permission to associate a CIDR block with a subnet",
      "access": "Write",
      "resources": [
        {
          "name": "subnet",
          "is_required": true
        },
        {
          "name": "ipam-pool",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:Ipv6IpamPoolId",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SubnetID",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateTransitGatewayMulticastDomain.html",
      "name": "AssociateTransitGatewayMulticastDomain",
      "description": "Grants permission to associate an attachment and list of subnets with a transit gateway multicast domain",
      "access": "Write",
      "resources": [
        {
          "name": "subnet",
          "is_required": true
        },
        {
          "name": "transit-gateway-attachment",
          "is_required": true
        },
        {
          "name": "transit-gateway-multicast-domain",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SubnetID",
        "ec2:Vpc",
        "ec2:transitGatewayAttachmentId",
        "ec2:transitGatewayMulticastDomainId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateTransitGatewayPolicyTable.html",
      "name": "AssociateTransitGatewayPolicyTable",
      "description": "Grants permission to associate a policy table with a transit gateway attachment",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway-attachment",
          "is_required": true
        },
        {
          "name": "transit-gateway-policy-table",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayAttachmentId",
        "ec2:transitGatewayPolicyTableId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateTransitGatewayRouteTable.html",
      "name": "AssociateTransitGatewayRouteTable",
      "description": "Grants permission to associate an attachment with a transit gateway route table",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway-attachment",
          "is_required": true
        },
        {
          "name": "transit-gateway-route-table",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayAttachmentId",
        "ec2:transitGatewayRouteTableId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateTrunkInterface.html",
      "name": "AssociateTrunkInterface",
      "description": "Grants permission to associate a branch network interface with a trunk network interface",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/verified-access/latest/ug/waf-integration.html",
      "name": "AssociateVerifiedAccessInstanceWebAcl",
      "description": "Grants permission to associate an AWS Web Application Firewall (WAF) web access control list (ACL) with a Verified Access instance",
      "access": "Write",
      "resources": [
        {
          "name": "verified-access-instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateVpcCidrBlock.html",
      "name": "AssociateVpcCidrBlock",
      "description": "Grants permission to associate a CIDR block with a VPC",
      "access": "Write",
      "resources": [
        {
          "name": "vpc",
          "is_required": true
        },
        {
          "name": "ipam-pool",
          "is_required": false
        },
        {
          "name": "ipv6pool-ec2",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Ipv4IpamPoolId",
        "ec2:Ipv6IpamPoolId",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AttachApplianceToNatGateway.html",
      "name": "AttachApplianceToNatGateway",
      "description": "Grants permission to attach an appliance to a public or private NAT gateway",
      "access": "Permissions management",
      "resources": [
        {
          "name": "natgateway",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AttachClassicLinkVpc.html",
      "name": "AttachClassicLinkVpc",
      "description": "Grants permission to link an EC2-Classic instance to a ClassicLink-enabled VPC through one or more of the VPC's security groups",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        },
        {
          "name": "security-group",
          "is_required": true
        },
        {
          "name": "vpc",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:PlacementGroup",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:SecurityGroupID",
        "ec2:Vpc",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AttachInternetGateway.html",
      "name": "AttachInternetGateway",
      "description": "Grants permission to attach an internet gateway to a VPC",
      "access": "Write",
      "resources": [
        {
          "name": "internet-gateway",
          "is_required": true
        },
        {
          "name": "vpc",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:InternetGatewayID",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AttachNetworkInterface.html",
      "name": "AttachNetworkInterface",
      "description": "Grants permission to attach a network interface to an instance",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        },
        {
          "name": "network-interface",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:NetworkInterfaceID",
        "ec2:Subnet",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/UserGuide/placement-groups.html",
      "name": "AttachResourcesToPlacementGroup",
      "description": "Grants permission to attach resources to a placement group",
      "access": "Permissions management",
      "resources": [
        {
          "name": "placement-group",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:PlacementGroupName",
        "ec2:PlacementGroupStrategy",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AttachVerifiedAccessTrustProvider.html",
      "name": "AttachVerifiedAccessTrustProvider",
      "description": "Grants permission to attach a trust provider to a Verified Access instance",
      "access": "Write",
      "resources": [
        {
          "name": "verified-access-instance",
          "is_required": true
        },
        {
          "name": "verified-access-trust-provider",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AttachVolume.html",
      "name": "AttachVolume",
      "description": "Grants permission to attach an EBS volume to a running or stopped instance and expose it to the instance with the specified device name",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        },
        {
          "name": "volume",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:Encrypted",
        "ec2:ParentSnapshot",
        "ec2:ParentVolume",
        "ec2:VolumeID",
        "ec2:VolumeInitializationRate",
        "ec2:VolumeIops",
        "ec2:VolumeSize",
        "ec2:VolumeThroughput",
        "ec2:VolumeType",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AttachVpnGateway.html",
      "name": "AttachVpnGateway",
      "description": "Grants permission to attach a virtual private gateway to a VPC",
      "access": "Write",
      "resources": [
        {
          "name": "vpc",
          "is_required": true
        },
        {
          "name": "vpn-gateway",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeClientVpnIngress.html",
      "name": "AuthorizeClientVpnIngress",
      "description": "Grants permission to add an inbound authorization rule to a Client VPN endpoint",
      "access": "Write",
      "resources": [
        {
          "name": "client-vpn-endpoint",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ClientRootCertificateChainArn",
        "ec2:CloudwatchLogGroupArn",
        "ec2:CloudwatchLogStreamArn",
        "ec2:DirectoryArn",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SamlProviderArn",
        "ec2:ServerCertificateArn",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupEgress.html",
      "name": "AuthorizeSecurityGroupEgress",
      "description": "Grants permission to add one or more outbound rules to a VPC security group. Policies using the security-group-rule resource-level permission are only enforced when the API request includes TagSpecifications",
      "access": "Write",
      "resources": [
        {
          "name": "security-group",
          "is_required": true
        },
        {
          "name": "security-group-rule",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SecurityGroupID",
        "ec2:Vpc",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html",
      "name": "AuthorizeSecurityGroupIngress",
      "description": "Grants permission to add one or more inbound rules to a VPC security group. Policies using the security-group-rule resource-level permission are only enforced when the API request includes TagSpecifications",
      "access": "Write",
      "resources": [
        {
          "name": "security-group",
          "is_required": true
        },
        {
          "name": "security-group-rule",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SecurityGroupID",
        "ec2:Vpc",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_BundleInstance.html",
      "name": "BundleInstance",
      "description": "Grants permission to bundle an instance store-backed Windows instance",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CancelBundleTask.html",
      "name": "CancelBundleTask",
      "description": "Grants permission to cancel a bundling operation",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CancelCapacityReservation.html",
      "name": "CancelCapacityReservation",
      "description": "Grants permission to cancel a Capacity Reservation and release the reserved capacity",
      "access": "Write",
      "resources": [
        {
          "name": "capacity-reservation",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:CapacityReservationFleet",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CancelCapacityReservationFleets.html",
      "name": "CancelCapacityReservationFleets",
      "description": "Grants permission to cancel one or more Capacity Reservation Fleets",
      "access": "Write",
      "resources": [
        {
          "name": "capacity-reservation-fleet",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CancelCapacityReservation"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CancelConversionTask.html",
      "name": "CancelConversionTask",
      "description": "Grants permission to cancel an active conversion task",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CancelDeclarativePoliciesReport.html",
      "name": "CancelDeclarativePoliciesReport",
      "description": "Grants permission to cancel a declarative policies report",
      "access": "Write",
      "resources": [
        {
          "name": "declarative-policies-report",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CancelExportTask.html",
      "name": "CancelExportTask",
      "description": "Grants permission to cancel an active export task",
      "access": "Write",
      "resources": [
        {
          "name": "export-image-task",
          "is_required": false
        },
        {
          "name": "export-instance-task",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CancelImageLaunchPermission.html",
      "name": "CancelImageLaunchPermission",
      "description": "Grants permission to remove your AWS account from the launch permissions for the specified AMI",
      "access": "Permissions management",
      "resources": [
        {
          "name": "image",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ImageID",
        "ec2:ImageType",
        "ec2:Owner",
        "ec2:Public",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CancelImportTask.html",
      "name": "CancelImportTask",
      "description": "Grants permission to cancel an in-process import virtual machine or import snapshot task",
      "access": "Write",
      "resources": [
        {
          "name": "import-image-task",
          "is_required": false
        },
        {
          "name": "import-snapshot-task",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CancelReservedInstancesListing.html",
      "name": "CancelReservedInstancesListing",
      "description": "Grants permission to cancel a Reserved Instance listing on the Reserved Instance Marketplace",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CancelSpotFleetRequests.html",
      "name": "CancelSpotFleetRequests",
      "description": "Grants permission to cancel one or more Spot Fleet requests",
      "access": "Write",
      "resources": [
        {
          "name": "spot-fleet-request",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CancelSpotInstanceRequests.html",
      "name": "CancelSpotInstanceRequests",
      "description": "Grants permission to cancel one or more Spot Instance requests",
      "access": "Write",
      "resources": [
        {
          "name": "spot-instances-request",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ConfirmProductInstance.html",
      "name": "ConfirmProductInstance",
      "description": "Grants permission to determine whether an owned product code is associated with an instance",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CopyFpgaImage.html",
      "name": "CopyFpgaImage",
      "description": "Grants permission to copy a source Amazon FPGA image (AFI) to the current Region. Resource-level permissions specified for this action apply to the new AFI only. They do not apply to the source AFI",
      "access": "Write",
      "resources": [
        {
          "name": "fpga-image",
          "is_required": true
        }
      ],
      "conditions": [
        "ec2:Owner",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CopyImage.html",
      "name": "CopyImage",
      "description": "Grants permission to copy an Amazon Machine Image (AMI) from a source Region to the current Region",
      "access": "Write",
      "resources": [
        {
          "name": "image",
          "is_required": true
        },
        {
          "name": "snapshot",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:ImageID",
        "ec2:Owner",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CopySnapshot.html",
      "name": "CopySnapshot",
      "description": "Grants permission to copy a point-in-time snapshot of an EBS volume and store it in Amazon S3. Resource-level permissions specified for this action apply to both the snapshot copy and the source snapshot",
      "access": "Write",
      "resources": [
        {
          "name": "snapshot",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Encrypted",
        "ec2:OutpostArn",
        "ec2:Owner",
        "ec2:ParentSnapshot",
        "ec2:ParentVolume",
        "ec2:ProductCode",
        "ec2:SnapshotID",
        "ec2:SnapshotTime",
        "ec2:VolumeSize",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CopyVolumes.html",
      "name": "CopyVolumes",
      "description": "Grants permission to create a copy of an EBS volume. Resource-level permissions specified for this action apply to the source and copied volume. Condition keys for the copied volume correspond to parameters specified in the CopyVolumes API request",
      "access": "Write",
      "resources": [
        {
          "name": "volume",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:Encrypted",
        "ec2:ManagedResourceOperator",
        "ec2:ParentSnapshot",
        "ec2:ParentVolume",
        "ec2:VolumeInitializationRate",
        "ec2:VolumeIops",
        "ec2:VolumeSize",
        "ec2:VolumeThroughput",
        "ec2:VolumeType",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateCapacityManagerDataExport.html",
      "name": "CreateCapacityManagerDataExport",
      "description": "Grants permission to create a new S3 Data Export for Capacity Manager",
      "access": "Write",
      "resources": [
        {
          "name": "capacity-manager-data-export",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateCapacityReservation.html",
      "name": "CreateCapacityReservation",
      "description": "Grants permission to create a Capacity Reservation",
      "access": "Write",
      "resources": [
        {
          "name": "capacity-reservation",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CapacityReservationFleet",
        "ec2:EbsOptimized",
        "ec2:EndDate",
        "ec2:EndDateType",
        "ec2:EphemeralStorage",
        "ec2:InstanceCount",
        "ec2:InstanceMatchCriteria",
        "ec2:InstancePlatform",
        "ec2:InstanceType",
        "ec2:OutpostArn",
        "ec2:PlacementGroup",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateCapacityReservationBySplitting.html",
      "name": "CreateCapacityReservationBySplitting",
      "description": "Grants permission to create a new Capacity Reservation by splitting the available capacity of the source Capacity Reservation",
      "access": "Write",
      "resources": [
        {
          "name": "capacity-reservation",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:CapacityReservationFleet",
        "ec2:CreateDate",
        "ec2:DestinationCapacityReservationId",
        "ec2:EbsOptimized",
        "ec2:EndDate",
        "ec2:EndDateType",
        "ec2:InstanceCount",
        "ec2:InstanceMatchCriteria",
        "ec2:InstancePlatform",
        "ec2:InstanceType",
        "ec2:OutpostArn",
        "ec2:PlacementGroup",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SourceCapacityReservationId",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateCapacityReservationFleet.html",
      "name": "CreateCapacityReservationFleet",
      "description": "Grants permission to create a Capacity Reservation Fleet",
      "access": "Write",
      "resources": [
        {
          "name": "capacity-reservation-fleet",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateCapacityReservation",
        "ec2:CreateTags",
        "ec2:DescribeCapacityReservations",
        "ec2:DescribeInstances"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateCarrierGateway.html",
      "name": "CreateCarrierGateway",
      "description": "Grants permission to create a carrier gateway, which provides CSP connectivity to VPC customers",
      "access": "Write",
      "resources": [
        {
          "name": "carrier-gateway",
          "is_required": true
        },
        {
          "name": "vpc",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateClientVpnEndpoint.html",
      "name": "CreateClientVpnEndpoint",
      "description": "Grants permission to create a Client VPN endpoint",
      "access": "Write",
      "resources": [
        {
          "name": "client-vpn-endpoint",
          "is_required": true
        },
        {
          "name": "security-group",
          "is_required": false
        },
        {
          "name": "vpc",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:ClientRootCertificateChainArn",
        "ec2:CloudwatchLogGroupArn",
        "ec2:CloudwatchLogStreamArn",
        "ec2:DirectoryArn",
        "ec2:SamlProviderArn",
        "ec2:ServerCertificateArn",
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SecurityGroupID",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateClientVpnRoute.html",
      "name": "CreateClientVpnRoute",
      "description": "Grants permission to add a network route to a Client VPN endpoint's route table",
      "access": "Write",
      "resources": [
        {
          "name": "client-vpn-endpoint",
          "is_required": true
        },
        {
          "name": "subnet",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ClientRootCertificateChainArn",
        "ec2:CloudwatchLogGroupArn",
        "ec2:CloudwatchLogStreamArn",
        "ec2:DirectoryArn",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SamlProviderArn",
        "ec2:ServerCertificateArn",
        "ec2:AvailabilityZoneId",
        "ec2:SubnetID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateCoipCidr.html",
      "name": "CreateCoipCidr",
      "description": "Grants permission to create a range of customer-owned IP (CoIP) addresses",
      "access": "Write",
      "resources": [
        {
          "name": "coip-pool",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateCoipPool.html",
      "name": "CreateCoipPool",
      "description": "Grants permission to create a pool of customer-owned IP (CoIP) addresses",
      "access": "Write",
      "resources": [
        {
          "name": "coip-pool",
          "is_required": true
        },
        {
          "name": "local-gateway-route-table",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/outposts/latest/userguide/identity-access-management.html",
      "name": "CreateCoipPoolPermission",
      "description": "Grants permission to allow a service to access a customer-owned IP (CoIP) pool",
      "access": "Permissions management",
      "resources": [
        {
          "name": "coip-pool",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateCustomerGateway.html",
      "name": "CreateCustomerGateway",
      "description": "Grants permission to create a customer gateway, which provides information to AWS about your customer gateway device",
      "access": "Write",
      "resources": [
        {
          "name": "customer-gateway",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateDefaultSubnet.html",
      "name": "CreateDefaultSubnet",
      "description": "Grants permission to create a default subnet in a specified Availability Zone in a default VPC",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateDefaultVpc.html",
      "name": "CreateDefaultVpc",
      "description": "Grants permission to create a default VPC with a default subnet in each Availability Zone",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateDelegateMacVolumeOwnershipTask.html",
      "name": "CreateDelegateMacVolumeOwnershipTask",
      "description": "Grants permission to create a volume ownership delegation task for an Apple silicon Mac instance",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        },
        {
          "name": "mac-modification-task",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateDhcpOptions.html",
      "name": "CreateDhcpOptions",
      "description": "Grants permission to create a set of DHCP options for a VPC",
      "access": "Write",
      "resources": [
        {
          "name": "dhcp-options",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:DhcpOptionsID",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateEgressOnlyInternetGateway.html",
      "name": "CreateEgressOnlyInternetGateway",
      "description": "Grants permission to create an egress-only internet gateway for a VPC",
      "access": "Write",
      "resources": [
        {
          "name": "egress-only-internet-gateway",
          "is_required": true
        },
        {
          "name": "vpc",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateFleet.html",
      "name": "CreateFleet",
      "description": "Grants permission to launch an EC2 Fleet. Resource-level permissions for this action do not include the resources specified in a launch template. To specify resource-level permissions for resources specified in a launch template, you must include the resources in the RunInstances action statement",
      "access": "Write",
      "resources": [
        {
          "name": "fleet",
          "is_required": true
        },
        {
          "name": "instance",
          "is_required": true
        },
        {
          "name": "image",
          "is_required": false
        },
        {
          "name": "launch-template",
          "is_required": false
        },
        {
          "name": "placement-group",
          "is_required": false
        },
        {
          "name": "subnet",
          "is_required": false
        },
        {
          "name": "volume",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:PlacementGroup",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "aws:ResourceTag/${TagKey}",
        "ec2:ImageID",
        "ec2:ImageType",
        "ec2:Owner",
        "ec2:Public",
        "ec2:ResourceTag/${TagKey}",
        "ec2:PlacementGroupName",
        "ec2:PlacementGroupStrategy",
        "ec2:SubnetID",
        "ec2:Vpc",
        "ec2:Encrypted",
        "ec2:KmsKeyId",
        "ec2:ParentSnapshot",
        "ec2:VolumeID",
        "ec2:VolumeIops",
        "ec2:VolumeSize",
        "ec2:VolumeThroughput",
        "ec2:VolumeType",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateFlowLogs.html",
      "name": "CreateFlowLogs",
      "description": "Grants permission to create one or more flow logs to capture IP traffic for a network interface",
      "access": "Write",
      "resources": [
        {
          "name": "vpc-flow-log",
          "is_required": true
        },
        {
          "name": "natgateway",
          "is_required": false
        },
        {
          "name": "network-interface",
          "is_required": false
        },
        {
          "name": "subnet",
          "is_required": false
        },
        {
          "name": "transit-gateway",
          "is_required": false
        },
        {
          "name": "transit-gateway-attachment",
          "is_required": false
        },
        {
          "name": "vpc",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Vpc",
        "ec2:AvailabilityZone",
        "ec2:NetworkInterfaceID",
        "ec2:Subnet",
        "ec2:SubnetID",
        "ec2:transitGatewayId",
        "ec2:transitGatewayAttachmentId",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags",
        "ecs:ListClusters",
        "ecs:ListContainerInstances",
        "ecs:ListServices",
        "ecs:ListTaskDefinitions",
        "ecs:ListTasks",
        "iam:PassRole"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateFpgaImage.html",
      "name": "CreateFpgaImage",
      "description": "Grants permission to create an Amazon FPGA Image (AFI) from a design checkpoint (DCP)",
      "access": "Write",
      "resources": [
        {
          "name": "fpga-image",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Owner",
        "ec2:Public",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateImage.html",
      "name": "CreateImage",
      "description": "Grants permission to create an Amazon EBS-backed AMI from a stopped or running Amazon EBS-backed instance. This action can reboot instances as part of the image creation process, even without RebootInstances permissions. To prevent instance reboots during image creation, use the NoReboot parameter",
      "access": "Write",
      "resources": [
        {
          "name": "image",
          "is_required": true
        },
        {
          "name": "instance",
          "is_required": true
        },
        {
          "name": "snapshot",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:ImageID",
        "ec2:Owner",
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:OutpostArn",
        "ec2:ParentVolume",
        "ec2:SnapshotID",
        "ec2:SnapshotTime",
        "ec2:SourceOutpostArn",
        "ec2:VolumeSize",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateImageUsageReport.html",
      "name": "CreateImageUsageReport",
      "description": "Grants permission to create an AMI usage report",
      "access": "Write",
      "resources": [
        {
          "name": "image",
          "is_required": true
        },
        {
          "name": "image-usage-report",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ImageID",
        "ec2:ImageType",
        "ec2:Owner",
        "ec2:Public",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateInstanceConnectEndpoint.html",
      "name": "CreateInstanceConnectEndpoint",
      "description": "Grants permission to create an EC2 Instance Connect Endpoint that allows you to connect to an instance without a public IPv4 address",
      "access": "Write",
      "resources": [
        {
          "name": "instance-connect-endpoint",
          "is_required": true
        },
        {
          "name": "subnet",
          "is_required": true
        },
        {
          "name": "security-group",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:SubnetID",
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Vpc",
        "ec2:SecurityGroupID",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateInstanceEventWindow.html",
      "name": "CreateInstanceEventWindow",
      "description": "Grants permission to create an event window in which scheduled events for the associated Amazon EC2 instances can run",
      "access": "Write",
      "resources": [
        {
          "name": "instance-event-window",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateInstanceExportTask.html",
      "name": "CreateInstanceExportTask",
      "description": "Grants permission to export a running or stopped instance to an Amazon S3 bucket",
      "access": "Write",
      "resources": [
        {
          "name": "export-instance-task",
          "is_required": true
        },
        {
          "name": "instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:ProductCode",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateInternetGateway.html",
      "name": "CreateInternetGateway",
      "description": "Grants permission to create an internet gateway for a VPC",
      "access": "Write",
      "resources": [
        {
          "name": "internet-gateway",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:InternetGatewayID",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateInterruptibleCapacityReservationAllocation.html",
      "name": "CreateInterruptibleCapacityReservationAllocation",
      "description": "Grants permission to create an interruptible Capacity Reservation by specifying the number of unused instances you want to allocate from your source reservation",
      "access": "Write",
      "resources": [
        {
          "name": "capacity-reservation",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CreateDate",
        "ec2:EbsOptimized",
        "ec2:EndDate",
        "ec2:EndDateType",
        "ec2:InstanceCount",
        "ec2:InstanceMatchCriteria",
        "ec2:InstancePlatform",
        "ec2:InstanceType",
        "ec2:InterruptibleCapacityReservationId",
        "ec2:InterruptionType",
        "ec2:IsInterruptible",
        "ec2:SourceCapacityReservationId",
        "ec2:TargetInstanceCount",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateIpam.html",
      "name": "CreateIpam",
      "description": "Grants permission to create an Amazon VPC IP Address Manager (IPAM)",
      "access": "Write",
      "resources": [
        {
          "name": "ipam",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags",
        "iam:CreateServiceLinkedRole"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateIpamExternalResourceVerificationToken.html",
      "name": "CreateIpamExternalResourceVerificationToken",
      "description": "Grants permission to create a verification token, which proves ownership of an external resource",
      "access": "Write",
      "resources": [
        {
          "name": "ipam",
          "is_required": true
        },
        {
          "name": "ipam-external-resource-verification-token",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateIpamPolicy.html",
      "name": "CreateIpamPolicy",
      "description": "Grants permission to create a policy in Amazon VPC IP Address Manager (IPAM) that defines rules for allocating public IPv4 addresses from IPAM pools to AWS resources",
      "access": "Write",
      "resources": [
        {
          "name": "ipam",
          "is_required": true
        },
        {
          "name": "ipam-policy",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateIpamPool.html",
      "name": "CreateIpamPool",
      "description": "Grants permission to create an IP address pool for Amazon VPC IP Address Manager (IPAM), which is a collection of contiguous IP address CIDRs",
      "access": "Write",
      "resources": [
        {
          "name": "ipam-pool",
          "is_required": true
        },
        {
          "name": "ipam-scope",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateIpamPrefixListResolver.html",
      "name": "CreateIpamPrefixListResolver",
      "description": "Grants permission to create an IPAM prefix list resolver that defines rules for selecting CIDRs to include in prefix lists",
      "access": "Write",
      "resources": [
        {
          "name": "ipam",
          "is_required": true
        },
        {
          "name": "ipam-prefix-list-resolver",
          "is_required": true
        },
        {
          "name": "ipam-scope",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateIpamPrefixListResolverTarget.html",
      "name": "CreateIpamPrefixListResolverTarget",
      "description": "Grants permission to create an IPAM prefix list resolver target that links a resolver to a managed prefix list",
      "access": "Write",
      "resources": [
        {
          "name": "ipam-prefix-list-resolver",
          "is_required": true
        },
        {
          "name": "ipam-prefix-list-resolver-target",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateIpamResourceDiscovery.html",
      "name": "CreateIpamResourceDiscovery",
      "description": "Grants permission to create an IPAM resource discovery",
      "access": "Write",
      "resources": [
        {
          "name": "ipam-resource-discovery",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags",
        "iam:CreateServiceLinkedRole"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateIpamScope.html",
      "name": "CreateIpamScope",
      "description": "Grants permission to create an Amazon VPC IP Address Manager (IPAM) scope, which is the highest-level container within IPAM",
      "access": "Write",
      "resources": [
        {
          "name": "ipam",
          "is_required": true
        },
        {
          "name": "ipam-scope",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateKeyPair.html",
      "name": "CreateKeyPair",
      "description": "Grants permission to create a 2048-bit RSA key pair",
      "access": "Write",
      "resources": [
        {
          "name": "key-pair",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:KeyPairType",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateLaunchTemplate.html",
      "name": "CreateLaunchTemplate",
      "description": "Grants permission to create a launch template",
      "access": "Write",
      "resources": [
        {
          "name": "launch-template",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags",
        "ssm:GetParameters"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateLaunchTemplateVersion.html",
      "name": "CreateLaunchTemplateVersion",
      "description": "Grants permission to create a new version of a launch template",
      "access": "Write",
      "resources": [
        {
          "name": "launch-template",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ManagedResourceOperator",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": [
        "ssm:GetParameters"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateLocalGatewayRoute.html",
      "name": "CreateLocalGatewayRoute",
      "description": "Grants permission to create a static route for a local gateway route table",
      "access": "Write",
      "resources": [
        {
          "name": "local-gateway-route-table",
          "is_required": true
        },
        {
          "name": "local-gateway-virtual-interface-group",
          "is_required": false
        },
        {
          "name": "network-interface",
          "is_required": false
        },
        {
          "name": "prefix-list",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:NetworkInterfaceID",
        "ec2:Subnet",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateLocalGatewayRouteTable.html",
      "name": "CreateLocalGatewayRouteTable",
      "description": "Grants permission to create a local gateway route table",
      "access": "Write",
      "resources": [
        {
          "name": "local-gateway",
          "is_required": true
        },
        {
          "name": "local-gateway-route-table",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/outposts/latest/userguide/identity-access-management.html",
      "name": "CreateLocalGatewayRouteTablePermission",
      "description": "Grants permission to allow a service to access a local gateway route table",
      "access": "Permissions management",
      "resources": [
        {
          "name": "local-gateway-route-table",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateLocalGatewayRouteTableVirtualInterfaceGroupAssociation.html",
      "name": "CreateLocalGatewayRouteTableVirtualInterfaceGroupAssociation",
      "description": "Grants permission to create a local gateway route table virtual interface group association",
      "access": "Write",
      "resources": [
        {
          "name": "local-gateway-route-table",
          "is_required": true
        },
        {
          "name": "local-gateway-route-table-virtual-interface-group-association",
          "is_required": true
        },
        {
          "name": "local-gateway-virtual-interface-group",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateLocalGatewayRouteTableVpcAssociation.html",
      "name": "CreateLocalGatewayRouteTableVpcAssociation",
      "description": "Grants permission to associate a VPC with a local gateway route table",
      "access": "Write",
      "resources": [
        {
          "name": "local-gateway-route-table",
          "is_required": true
        },
        {
          "name": "local-gateway-route-table-vpc-association",
          "is_required": true
        },
        {
          "name": "vpc",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateLocalGatewayVirtualInterface.html",
      "name": "CreateLocalGatewayVirtualInterface",
      "description": "Grants permission to create a local gateway virtual interface",
      "access": "Write",
      "resources": [
        {
          "name": "local-gateway-virtual-interface",
          "is_required": true
        },
        {
          "name": "local-gateway-virtual-interface-group",
          "is_required": true
        },
        {
          "name": "outpost-lag",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateLocalGatewayVirtualInterfaceGroup.html",
      "name": "CreateLocalGatewayVirtualInterfaceGroup",
      "description": "Grants permission to create a local gateway virtual interface group",
      "access": "Write",
      "resources": [
        {
          "name": "local-gateway",
          "is_required": true
        },
        {
          "name": "local-gateway-virtual-interface-group",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateMacSystemIntegrityProtectionModificationTask.html",
      "name": "CreateMacSystemIntegrityProtectionModificationTask",
      "description": "Grants permission to create a System Integrity Protection (SIP) modification task for an Amazon EC2 Mac instance",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        },
        {
          "name": "mac-modification-task",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateManagedPrefixList.html",
      "name": "CreateManagedPrefixList",
      "description": "Grants permission to create a managed prefix list",
      "access": "Write",
      "resources": [
        {
          "name": "prefix-list",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNatGateway.html",
      "name": "CreateNatGateway",
      "description": "Grants permission to create a NAT gateway in a subnet",
      "access": "Write",
      "resources": [
        {
          "name": "natgateway",
          "is_required": true
        },
        {
          "name": "elastic-ip",
          "is_required": false
        },
        {
          "name": "subnet",
          "is_required": false
        },
        {
          "name": "vpc",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "aws:ResourceTag/${TagKey}",
        "ec2:AllocationId",
        "ec2:Domain",
        "ec2:PublicIpAddress",
        "ec2:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:SubnetID",
        "ec2:Vpc",
        "ec2:Ipv4IpamPoolId",
        "ec2:Ipv6IpamPoolId",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html",
      "name": "CreateNetworkAcl",
      "description": "Grants permission to create a network ACL in a VPC",
      "access": "Write",
      "resources": [
        {
          "name": "network-acl",
          "is_required": true
        },
        {
          "name": "vpc",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:NetworkAclID",
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html",
      "name": "CreateNetworkAclEntry",
      "description": "Grants permission to create a numbered entry (a rule) in a network ACL",
      "access": "Write",
      "resources": [
        {
          "name": "network-acl",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:NetworkAclID",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkInsightsAccessScope.html",
      "name": "CreateNetworkInsightsAccessScope",
      "description": "Grants permission to create a Network Access Scope",
      "access": "Write",
      "resources": [
        {
          "name": "network-insights-access-scope",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkInsightsPath.html",
      "name": "CreateNetworkInsightsPath",
      "description": "Grants permission to create a path to analyze for reachability",
      "access": "Write",
      "resources": [
        {
          "name": "network-insights-path",
          "is_required": true
        },
        {
          "name": "instance",
          "is_required": false
        },
        {
          "name": "internet-gateway",
          "is_required": false
        },
        {
          "name": "network-interface",
          "is_required": false
        },
        {
          "name": "transit-gateway",
          "is_required": false
        },
        {
          "name": "vpc-endpoint",
          "is_required": false
        },
        {
          "name": "vpc-endpoint-service",
          "is_required": false
        },
        {
          "name": "vpc-peering-connection",
          "is_required": false
        },
        {
          "name": "vpn-gateway",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:InternetGatewayID",
        "ec2:NetworkInterfaceID",
        "ec2:Subnet",
        "ec2:Vpc",
        "ec2:transitGatewayId",
        "ec2:AccepterVpc",
        "ec2:RequesterVpc",
        "ec2:VpcPeeringConnectionID",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkInterface.html",
      "name": "CreateNetworkInterface",
      "description": "Grants permission to create a network interface in a subnet",
      "access": "Write",
      "resources": [
        {
          "name": "network-interface",
          "is_required": true
        },
        {
          "name": "subnet",
          "is_required": true
        },
        {
          "name": "security-group",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:NetworkInterfaceID",
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SubnetID",
        "ec2:Vpc",
        "ec2:SecurityGroupID",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkInterfacePermission.html",
      "name": "CreateNetworkInterfacePermission",
      "description": "Grants permission to create a permission for an AWS-authorized user to perform certain operations on a network interface",
      "access": "Permissions management",
      "resources": [
        {
          "name": "network-interface",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AuthorizedService",
        "ec2:AuthorizedUser",
        "ec2:AvailabilityZone",
        "ec2:ManagedResourceOperator",
        "ec2:NetworkInterfaceID",
        "ec2:Permission",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Subnet",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateOdbNetworkPeering.html",
      "name": "CreateOdbNetworkPeering",
      "description": "Grants permission to allow Oracle Database@AWS to create a peering connection between an ODB network and a VPC",
      "access": "Permissions management",
      "resources": [
        {
          "name": "vpc",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreatePlacementGroup.html",
      "name": "CreatePlacementGroup",
      "description": "Grants permission to create a placement group",
      "access": "Write",
      "resources": [
        {
          "name": "placement-group",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:PlacementGroupName",
        "ec2:PlacementGroupStrategy",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreatePublicIpv4Pool.html",
      "name": "CreatePublicIpv4Pool",
      "description": "Grants permission to create a public IPv4 address pool for public IPv4 CIDRs that you own and bring to Amazon to manage with Amazon VPC IP Address Manager (IPAM)",
      "access": "Write",
      "resources": [
        {
          "name": "ipv4pool-ec2",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateReplaceRootVolumeTask.html",
      "name": "CreateReplaceRootVolumeTask",
      "description": "Grants permission to create a root volume replacement task",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        },
        {
          "name": "replace-root-volume-task",
          "is_required": true
        },
        {
          "name": "volume",
          "is_required": true
        },
        {
          "name": "image",
          "is_required": false
        },
        {
          "name": "snapshot",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:VolumeID",
        "ec2:VolumeInitializationRate",
        "ec2:ImageID",
        "ec2:ImageType",
        "ec2:Owner",
        "ec2:Public",
        "ec2:ParentVolume",
        "ec2:SnapshotID",
        "ec2:SnapshotTime",
        "ec2:VolumeSize",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateReservedInstancesListing.html",
      "name": "CreateReservedInstancesListing",
      "description": "Grants permission to create a listing for Standard Reserved Instances to be sold in the Reserved Instance Marketplace",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRestoreImageTask.html",
      "name": "CreateRestoreImageTask",
      "description": "Grants permission to start a task that restores an AMI from an S3 object previously created by using CreateStoreImageTask",
      "access": "Write",
      "resources": [
        {
          "name": "image",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:ImageID",
        "ec2:Owner",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html",
      "name": "CreateRoute",
      "description": "Grants permission to create a route in a VPC route table",
      "access": "Write",
      "resources": [
        {
          "name": "route-table",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RouteTableID",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteServer.html",
      "name": "CreateRouteServer",
      "description": "Grants permission to create a route server",
      "access": "Write",
      "resources": [
        {
          "name": "route-server",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags",
        "sns:CreateTopic"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteServerEndpoint.html",
      "name": "CreateRouteServerEndpoint",
      "description": "Grants permission to create a route server endpoint",
      "access": "Write",
      "resources": [
        {
          "name": "route-server",
          "is_required": true
        },
        {
          "name": "route-server-endpoint",
          "is_required": true
        },
        {
          "name": "subnet",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:SubnetID",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateNetworkInterface",
        "ec2:CreateNetworkInterfacePermission",
        "ec2:CreateSecurityGroup",
        "ec2:CreateTags",
        "ec2:DescribeSecurityGroups"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteServerPeer.html",
      "name": "CreateRouteServerPeer",
      "description": "Grants permission to create a route server peer",
      "access": "Write",
      "resources": [
        {
          "name": "route-server-endpoint",
          "is_required": true
        },
        {
          "name": "route-server-peer",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:ResourceTag/${TagKey}",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable.html",
      "name": "CreateRouteTable",
      "description": "Grants permission to create a route table for a VPC",
      "access": "Write",
      "resources": [
        {
          "name": "route-table",
          "is_required": true
        },
        {
          "name": "vpc",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:RouteTableID",
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSecondaryNetwork.html",
      "name": "CreateSecondaryNetwork",
      "description": "Grants permission to create a secondary network",
      "access": "Write",
      "resources": [
        {
          "name": "secondary-network",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSecondarySubnet.html",
      "name": "CreateSecondarySubnet",
      "description": "Grants permission to create a secondary subnet",
      "access": "Write",
      "resources": [
        {
          "name": "secondary-network",
          "is_required": true
        },
        {
          "name": "secondary-subnet",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSecurityGroup.html",
      "name": "CreateSecurityGroup",
      "description": "Grants permission to create a security group",
      "access": "Write",
      "resources": [
        {
          "name": "security-group",
          "is_required": true
        },
        {
          "name": "vpc",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:SecurityGroupID",
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSnapshot.html",
      "name": "CreateSnapshot",
      "description": "Grants permission to create a snapshot of an EBS volume and store it in Amazon S3",
      "access": "Write",
      "resources": [
        {
          "name": "snapshot",
          "is_required": true
        },
        {
          "name": "volume",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Location",
        "ec2:OutpostArn",
        "ec2:ParentVolume",
        "ec2:SnapshotID",
        "ec2:SourceAvailabilityZone",
        "ec2:SourceOutpostArn",
        "ec2:VolumeSize",
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZoneId",
        "ec2:Encrypted",
        "ec2:ManagedResourceOperator",
        "ec2:ResourceTag/${TagKey}",
        "ec2:VolumeID",
        "ec2:VolumeInitializationRate",
        "ec2:VolumeIops",
        "ec2:VolumeThroughput",
        "ec2:VolumeType",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSnapshots.html",
      "name": "CreateSnapshots",
      "description": "Grants permission to create crash-consistent snapshots of multiple EBS volumes and store them in Amazon S3",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        },
        {
          "name": "snapshot",
          "is_required": true
        },
        {
          "name": "volume",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:PlacementGroup",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Location",
        "ec2:OutpostArn",
        "ec2:ParentVolume",
        "ec2:SnapshotID",
        "ec2:SourceAvailabilityZone",
        "ec2:SourceOutpostArn",
        "ec2:VolumeSize",
        "ec2:Encrypted",
        "ec2:VolumeID",
        "ec2:VolumeInitializationRate",
        "ec2:VolumeIops",
        "ec2:VolumeThroughput",
        "ec2:VolumeType",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSpotDatafeedSubscription.html",
      "name": "CreateSpotDatafeedSubscription",
      "description": "Grants permission to create a data feed for Spot Instances to view Spot Instance usage logs",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateStoreImageTask.html",
      "name": "CreateStoreImageTask",
      "description": "Grants permission to store an AMI as a single object in an S3 bucket",
      "access": "Write",
      "resources": [
        {
          "name": "image",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ImageID",
        "ec2:ImageType",
        "ec2:Owner",
        "ec2:Public",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSubnet.html",
      "name": "CreateSubnet",
      "description": "Grants permission to create a subnet in a VPC",
      "access": "Write",
      "resources": [
        {
          "name": "subnet",
          "is_required": true
        },
        {
          "name": "vpc",
          "is_required": true
        },
        {
          "name": "ipam-pool",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Ipv4IpamPoolId",
        "ec2:Ipv6IpamPoolId",
        "ec2:SubnetID",
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSubnetCidrReservation.html",
      "name": "CreateSubnetCidrReservation",
      "description": "Grants permission to create a subnet CIDR reservation",
      "access": "Write",
      "resources": [
        {
          "name": "subnet",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SubnetID",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html",
      "name": "CreateTags",
      "description": "Grants permission to add or overwrite one or more tags for Amazon EC2 resources",
      "access": "Tagging",
      "resources": [
        {
          "name": "capacity-block",
          "is_required": false
        },
        {
          "name": "capacity-manager-data-export",
          "is_required": false
        },
        {
          "name": "capacity-reservation",
          "is_required": false
        },
        {
          "name": "capacity-reservation-fleet",
          "is_required": false
        },
        {
          "name": "carrier-gateway",
          "is_required": false
        },
        {
          "name": "client-vpn-endpoint",
          "is_required": false
        },
        {
          "name": "coip-pool",
          "is_required": false
        },
        {
          "name": "customer-gateway",
          "is_required": false
        },
        {
          "name": "declarative-policies-report",
          "is_required": false
        },
        {
          "name": "dedicated-host",
          "is_required": false
        },
        {
          "name": "dhcp-options",
          "is_required": false
        },
        {
          "name": "egress-only-internet-gateway",
          "is_required": false
        },
        {
          "name": "elastic-gpu",
          "is_required": false
        },
        {
          "name": "elastic-ip",
          "is_required": false
        },
        {
          "name": "export-image-task",
          "is_required": false
        },
        {
          "name": "export-instance-task",
          "is_required": false
        },
        {
          "name": "fleet",
          "is_required": false
        },
        {
          "name": "fpga-image",
          "is_required": false
        },
        {
          "name": "host-reservation",
          "is_required": false
        },
        {
          "name": "image",
          "is_required": false
        },
        {
          "name": "image-usage-report",
          "is_required": false
        },
        {
          "name": "import-image-task",
          "is_required": false
        },
        {
          "name": "import-snapshot-task",
          "is_required": false
        },
        {
          "name": "instance",
          "is_required": false
        },
        {
          "name": "instance-connect-endpoint",
          "is_required": false
        },
        {
          "name": "instance-event-window",
          "is_required": false
        },
        {
          "name": "internet-gateway",
          "is_required": false
        },
        {
          "name": "ipam",
          "is_required": false
        },
        {
          "name": "ipam-external-resource-verification-token",
          "is_required": false
        },
        {
          "name": "ipam-policy",
          "is_required": false
        },
        {
          "name": "ipam-pool",
          "is_required": false
        },
        {
          "name": "ipam-prefix-list-resolver",
          "is_required": false
        },
        {
          "name": "ipam-prefix-list-resolver-target",
          "is_required": false
        },
        {
          "name": "ipam-resource-discovery",
          "is_required": false
        },
        {
          "name": "ipam-resource-discovery-association",
          "is_required": false
        },
        {
          "name": "ipam-scope",
          "is_required": false
        },
        {
          "name": "ipv4pool-ec2",
          "is_required": false
        },
        {
          "name": "ipv6pool-ec2",
          "is_required": false
        },
        {
          "name": "key-pair",
          "is_required": false
        },
        {
          "name": "launch-template",
          "is_required": false
        },
        {
          "name": "local-gateway",
          "is_required": false
        },
        {
          "name": "local-gateway-route-table",
          "is_required": false
        },
        {
          "name": "local-gateway-route-table-virtual-interface-group-association",
          "is_required": false
        },
        {
          "name": "local-gateway-route-table-vpc-association",
          "is_required": false
        },
        {
          "name": "local-gateway-virtual-interface",
          "is_required": false
        },
        {
          "name": "local-gateway-virtual-interface-group",
          "is_required": false
        },
        {
          "name": "natgateway",
          "is_required": false
        },
        {
          "name": "network-acl",
          "is_required": false
        },
        {
          "name": "network-insights-access-scope",
          "is_required": false
        },
        {
          "name": "network-insights-access-scope-analysis",
          "is_required": false
        },
        {
          "name": "network-insights-analysis",
          "is_required": false
        },
        {
          "name": "network-insights-path",
          "is_required": false
        },
        {
          "name": "network-interface",
          "is_required": false
        },
        {
          "name": "placement-group",
          "is_required": false
        },
        {
          "name": "prefix-list",
          "is_required": false
        },
        {
          "name": "replace-root-volume-task",
          "is_required": false
        },
        {
          "name": "reserved-instances",
          "is_required": false
        },
        {
          "name": "route-server",
          "is_required": false
        },
        {
          "name": "route-server-endpoint",
          "is_required": false
        },
        {
          "name": "route-server-peer",
          "is_required": false
        },
        {
          "name": "route-table",
          "is_required": false
        },
        {
          "name": "secondary-interface",
          "is_required": false
        },
        {
          "name": "secondary-network",
          "is_required": false
        },
        {
          "name": "secondary-subnet",
          "is_required": false
        },
        {
          "name": "security-group",
          "is_required": false
        },
        {
          "name": "security-group-rule",
          "is_required": false
        },
        {
          "name": "snapshot",
          "is_required": false
        },
        {
          "name": "spot-fleet-request",
          "is_required": false
        },
        {
          "name": "spot-instances-request",
          "is_required": false
        },
        {
          "name": "subnet",
          "is_required": false
        },
        {
          "name": "subnet-cidr-reservation",
          "is_required": false
        },
        {
          "name": "traffic-mirror-filter",
          "is_required": false
        },
        {
          "name": "traffic-mirror-filter-rule",
          "is_required": false
        },
        {
          "name": "traffic-mirror-session",
          "is_required": false
        },
        {
          "name": "traffic-mirror-target",
          "is_required": false
        },
        {
          "name": "transit-gateway",
          "is_required": false
        },
        {
          "name": "transit-gateway-attachment",
          "is_required": false
        },
        {
          "name": "transit-gateway-connect-peer",
          "is_required": false
        },
        {
          "name": "transit-gateway-metering-policy",
          "is_required": false
        },
        {
          "name": "transit-gateway-multicast-domain",
          "is_required": false
        },
        {
          "name": "transit-gateway-policy-table",
          "is_required": false
        },
        {
          "name": "transit-gateway-route-table",
          "is_required": false
        },
        {
          "name": "transit-gateway-route-table-announcement",
          "is_required": false
        },
        {
          "name": "verified-access-endpoint",
          "is_required": false
        },
        {
          "name": "verified-access-endpoint-target",
          "is_required": false
        },
        {
          "name": "verified-access-group",
          "is_required": false
        },
        {
          "name": "verified-access-instance",
          "is_required": false
        },
        {
          "name": "verified-access-policy",
          "is_required": false
        },
        {
          "name": "verified-access-trust-provider",
          "is_required": false
        },
        {
          "name": "volume",
          "is_required": false
        },
        {
          "name": "vpc",
          "is_required": false
        },
        {
          "name": "vpc-block-public-access-exclusion",
          "is_required": false
        },
        {
          "name": "vpc-encryption-control",
          "is_required": false
        },
        {
          "name": "vpc-endpoint",
          "is_required": false
        },
        {
          "name": "vpc-endpoint-connection",
          "is_required": false
        },
        {
          "name": "vpc-endpoint-service",
          "is_required": false
        },
        {
          "name": "vpc-endpoint-service-permission",
          "is_required": false
        },
        {
          "name": "vpc-flow-log",
          "is_required": false
        },
        {
          "name": "vpc-peering-connection",
          "is_required": false
        },
        {
          "name": "vpn-concentrator",
          "is_required": false
        },
        {
          "name": "vpn-connection",
          "is_required": false
        },
        {
          "name": "vpn-gateway",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:Vpc",
        "ec2:ClientRootCertificateChainArn",
        "ec2:CloudwatchLogGroupArn",
        "ec2:CloudwatchLogStreamArn",
        "ec2:DirectoryArn",
        "ec2:SamlProviderArn",
        "ec2:ServerCertificateArn",
        "ec2:AutoPlacement",
        "ec2:AvailabilityZone",
        "ec2:HostRecovery",
        "ec2:InstanceType",
        "ec2:Quantity",
        "ec2:DhcpOptionsID",
        "ec2:ElasticGpuType",
        "ec2:AllocationId",
        "ec2:Domain",
        "ec2:PublicIpAddress",
        "ec2:Owner",
        "ec2:Public",
        "ec2:ImageID",
        "ec2:ImageType",
        "ec2:RootDeviceType",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:SubnetID",
        "ec2:InternetGatewayID",
        "ec2:KeyPairName",
        "ec2:KeyPairType",
        "ec2:NetworkAclID",
        "ec2:AuthorizedUser",
        "ec2:NetworkInterfaceID",
        "ec2:Permission",
        "ec2:Subnet",
        "ec2:PlacementGroupName",
        "ec2:PlacementGroupStrategy",
        "ec2:IpamPrefixListResolverTargetId",
        "ec2:ReservedInstancesOfferingType",
        "ec2:RouteTableID",
        "ec2:SecurityGroupID",
        "ec2:Encrypted",
        "ec2:ParentVolume",
        "ec2:SnapshotID",
        "ec2:SnapshotTime",
        "ec2:VolumeSize",
        "ec2:transitGatewayId",
        "ec2:transitGatewayAttachmentId",
        "ec2:transitGatewayConnectPeerId",
        "ec2:transitGatewayMeteringPolicyId",
        "ec2:transitGatewayMulticastDomainId",
        "ec2:transitGatewayPolicyTableId",
        "ec2:transitGatewayRouteTableId",
        "ec2:transitGatewayRouteTableAnnouncementId",
        "ec2:ParentSnapshot",
        "ec2:VolumeID",
        "ec2:VolumeInitializationRate",
        "ec2:VolumeIops",
        "ec2:VolumeThroughput",
        "ec2:VolumeType",
        "ec2:VpcID",
        "ec2:VpceMultiRegion",
        "ec2:VpceServiceRegion",
        "ec2:VpceSupportedRegion",
        "ec2:AccepterVpc",
        "ec2:RequesterVpc",
        "ec2:VpcPeeringConnectionID",
        "ec2:AuthenticationType",
        "ec2:DPDTimeoutSeconds",
        "ec2:GatewayType",
        "ec2:IKEVersions",
        "ec2:InsideTunnelCidr",
        "ec2:InsideTunnelIpv6Cidr",
        "ec2:Phase1DHGroup",
        "ec2:Phase1EncryptionAlgorithms",
        "ec2:Phase1IntegrityAlgorithms",
        "ec2:Phase1LifetimeSeconds",
        "ec2:Phase2DHGroup",
        "ec2:Phase2EncryptionAlgorithms",
        "ec2:Phase2IntegrityAlgorithms",
        "ec2:Phase2LifetimeSeconds",
        "ec2:RekeyFuzzPercentage",
        "ec2:RekeyMarginTimeSeconds",
        "ec2:ReplayWindowSizePackets",
        "ec2:RoutingType",
        "ec2:CreateAction",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTrafficMirrorFilter.html",
      "name": "CreateTrafficMirrorFilter",
      "description": "Grants permission to create a traffic mirror filter",
      "access": "Write",
      "resources": [
        {
          "name": "traffic-mirror-filter",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTrafficMirrorFilterRule.html",
      "name": "CreateTrafficMirrorFilterRule",
      "description": "Grants permission to create a traffic mirror filter rule",
      "access": "Write",
      "resources": [
        {
          "name": "traffic-mirror-filter",
          "is_required": true
        },
        {
          "name": "traffic-mirror-filter-rule",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTrafficMirrorSession.html",
      "name": "CreateTrafficMirrorSession",
      "description": "Grants permission to create a traffic mirror session",
      "access": "Write",
      "resources": [
        {
          "name": "network-interface",
          "is_required": true
        },
        {
          "name": "traffic-mirror-filter",
          "is_required": true
        },
        {
          "name": "traffic-mirror-session",
          "is_required": true
        },
        {
          "name": "traffic-mirror-target",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:ManagedResourceOperator",
        "ec2:NetworkInterfaceID",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Subnet",
        "ec2:Vpc",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTrafficMirrorTarget.html",
      "name": "CreateTrafficMirrorTarget",
      "description": "Grants permission to create a traffic mirror target",
      "access": "Write",
      "resources": [
        {
          "name": "traffic-mirror-target",
          "is_required": true
        },
        {
          "name": "network-interface",
          "is_required": false
        },
        {
          "name": "vpc-endpoint",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "aws:ResourceTag/${TagKey}",
        "ec2:NetworkInterfaceID",
        "ec2:ResourceTag/${TagKey}",
        "ec2:VpceServiceName",
        "ec2:VpceServiceOwner",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTransitGateway.html",
      "name": "CreateTransitGateway",
      "description": "Grants permission to create a transit gateway",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:transitGatewayId",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTransitGatewayConnect.html",
      "name": "CreateTransitGatewayConnect",
      "description": "Grants permission to create a Connect attachment from a specified transit gateway attachment",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway-attachment",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:transitGatewayAttachmentId",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTransitGatewayConnectPeer.html",
      "name": "CreateTransitGatewayConnectPeer",
      "description": "Grants permission to create a Connect peer between a transit gateway and an appliance",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway-attachment",
          "is_required": true
        },
        {
          "name": "transit-gateway-connect-peer",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayAttachmentId",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:transitGatewayConnectPeerId",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTransitGatewayMeteringPolicy.html",
      "name": "CreateTransitGatewayMeteringPolicy",
      "description": "Grants permission to create a metering policy for a transit gateway",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway",
          "is_required": true
        },
        {
          "name": "transit-gateway-metering-policy",
          "is_required": true
        },
        {
          "name": "transit-gateway-attachment",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayId",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:transitGatewayMeteringPolicyId",
        "ec2:transitGatewayAttachmentId",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTransitGatewayMeteringPolicyEntry.html",
      "name": "CreateTransitGatewayMeteringPolicyEntry",
      "description": "Grants permission to create an entry for a transit gateway metering policy",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway-metering-policy",
          "is_required": true
        },
        {
          "name": "transit-gateway-attachment",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayMeteringPolicyId",
        "ec2:transitGatewayAttachmentId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTransitGatewayMulticastDomain.html",
      "name": "CreateTransitGatewayMulticastDomain",
      "description": "Grants permission to create a multicast domain for a transit gateway",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway",
          "is_required": true
        },
        {
          "name": "transit-gateway-multicast-domain",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayId",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:transitGatewayMulticastDomainId",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTransitGatewayPeeringAttachment.html",
      "name": "CreateTransitGatewayPeeringAttachment",
      "description": "Grants permission to request a transit gateway peering attachment between a requester and accepter transit gateway",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway",
          "is_required": true
        },
        {
          "name": "transit-gateway-attachment",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayId",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:transitGatewayAttachmentId",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTransitGatewayPolicyTable.html",
      "name": "CreateTransitGatewayPolicyTable",
      "description": "Grants permission to create a transit gateway policy table",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway",
          "is_required": true
        },
        {
          "name": "transit-gateway-policy-table",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayId",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:transitGatewayPolicyTableId",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTransitGatewayPrefixListReference.html",
      "name": "CreateTransitGatewayPrefixListReference",
      "description": "Grants permission to create a transit gateway prefix list reference",
      "access": "Write",
      "resources": [
        {
          "name": "prefix-list",
          "is_required": true
        },
        {
          "name": "transit-gateway-route-table",
          "is_required": true
        },
        {
          "name": "transit-gateway-attachment",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayRouteTableId",
        "ec2:transitGatewayAttachmentId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTransitGatewayRoute.html",
      "name": "CreateTransitGatewayRoute",
      "description": "Grants permission to create a static route for a transit gateway route table",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway-route-table",
          "is_required": true
        },
        {
          "name": "transit-gateway-attachment",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayRouteTableId",
        "ec2:transitGatewayAttachmentId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTransitGatewayRouteTable.html",
      "name": "CreateTransitGatewayRouteTable",
      "description": "Grants permission to create a route table for a transit gateway",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway",
          "is_required": true
        },
        {
          "name": "transit-gateway-route-table",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayId",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:transitGatewayRouteTableId",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTransitGatewayRouteTableAnnouncement.html",
      "name": "CreateTransitGatewayRouteTableAnnouncement",
      "description": "Grants permission to create an announcement for a transit gateway route table",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway-attachment",
          "is_required": true
        },
        {
          "name": "transit-gateway-route-table",
          "is_required": true
        },
        {
          "name": "transit-gateway-route-table-announcement",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayAttachmentId",
        "ec2:transitGatewayRouteTableId",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:transitGatewayRouteTableAnnouncementId",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTransitGatewayVpcAttachment.html",
      "name": "CreateTransitGatewayVpcAttachment",
      "description": "Grants permission to attach a VPC to a transit gateway",
      "access": "Write",
      "resources": [
        {
          "name": "subnet",
          "is_required": true
        },
        {
          "name": "transit-gateway",
          "is_required": true
        },
        {
          "name": "transit-gateway-attachment",
          "is_required": true
        },
        {
          "name": "vpc",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SubnetID",
        "ec2:Vpc",
        "ec2:transitGatewayId",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:transitGatewayAttachmentId",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVerifiedAccessEndpoint.html",
      "name": "CreateVerifiedAccessEndpoint",
      "description": "Grants permission to create a Verified Access endpoint",
      "access": "Write",
      "resources": [
        {
          "name": "verified-access-endpoint",
          "is_required": true
        },
        {
          "name": "verified-access-group",
          "is_required": true
        },
        {
          "name": "network-interface",
          "is_required": false
        },
        {
          "name": "security-group",
          "is_required": false
        },
        {
          "name": "subnet",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:AuthorizedUser",
        "ec2:AvailabilityZone",
        "ec2:NetworkInterfaceID",
        "ec2:Permission",
        "ec2:Subnet",
        "ec2:Vpc",
        "ec2:SecurityGroupID",
        "ec2:AvailabilityZoneId",
        "ec2:SubnetID",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVerifiedAccessGroup.html",
      "name": "CreateVerifiedAccessGroup",
      "description": "Grants permission to create a Verified Access group",
      "access": "Write",
      "resources": [
        {
          "name": "verified-access-group",
          "is_required": true
        },
        {
          "name": "verified-access-instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVerifiedAccessInstance.html",
      "name": "CreateVerifiedAccessInstance",
      "description": "Grants permission to create a Verified Access instance",
      "access": "Write",
      "resources": [
        {
          "name": "verified-access-instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVerifiedAccessTrustProvider.html",
      "name": "CreateVerifiedAccessTrustProvider",
      "description": "Grants permission to create a Verified Access trust provider",
      "access": "Write",
      "resources": [
        {
          "name": "verified-access-trust-provider",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVolume.html",
      "name": "CreateVolume",
      "description": "Grants permission to create an EBS volume",
      "access": "Write",
      "resources": [
        {
          "name": "volume",
          "is_required": true
        },
        {
          "name": "snapshot",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:Encrypted",
        "ec2:KmsKeyId",
        "ec2:ParentSnapshot",
        "ec2:VolumeID",
        "ec2:VolumeInitializationRate",
        "ec2:VolumeIops",
        "ec2:VolumeSize",
        "ec2:VolumeThroughput",
        "ec2:VolumeType",
        "aws:ResourceTag/${TagKey}",
        "ec2:Owner",
        "ec2:ParentVolume",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SnapshotTime",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVpc.html",
      "name": "CreateVpc",
      "description": "Grants permission to create a VPC with a specified CIDR block",
      "access": "Write",
      "resources": [
        {
          "name": "vpc",
          "is_required": true
        },
        {
          "name": "ipam-pool",
          "is_required": false
        },
        {
          "name": "ipv6pool-ec2",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Ipv4IpamPoolId",
        "ec2:Ipv6IpamPoolId",
        "ec2:VpcID",
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVpcBlockPublicAccessExclusion.html",
      "name": "CreateVpcBlockPublicAccessExclusion",
      "description": "Grants permission to create an exclusion list for blocked public access on a VPC",
      "access": "Write",
      "resources": [
        {
          "name": "vpc-block-public-access-exclusion",
          "is_required": true
        },
        {
          "name": "subnet",
          "is_required": false
        },
        {
          "name": "vpc",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SubnetID",
        "ec2:Vpc",
        "ec2:Ipv4IpamPoolId",
        "ec2:Ipv6IpamPoolId",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVpcEncryptionControl.html",
      "name": "CreateVpcEncryptionControl",
      "description": "Grants permission to create a VPC Encryption Control",
      "access": "Write",
      "resources": [
        {
          "name": "vpc",
          "is_required": true
        },
        {
          "name": "vpc-encryption-control",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:VpcID",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVpcEndpoint.html",
      "name": "CreateVpcEndpoint",
      "description": "Grants permission to create a VPC endpoint for an AWS service",
      "access": "Write",
      "resources": [
        {
          "name": "vpc",
          "is_required": true
        },
        {
          "name": "vpc-endpoint",
          "is_required": true
        },
        {
          "name": "route-table",
          "is_required": false
        },
        {
          "name": "security-group",
          "is_required": false
        },
        {
          "name": "subnet",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:VpcID",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:VpceMultiRegion",
        "ec2:VpcePrivateDnsPreference",
        "ec2:VpcePrivateDnsSpecifiedDomains",
        "ec2:VpceServiceName",
        "ec2:VpceServiceOwner",
        "ec2:VpceServiceRegion",
        "ec2:RouteTableID",
        "ec2:SecurityGroupID",
        "ec2:SubnetID",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "route53:AssociateVPCWithHostedZone"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVpcEndpointConnectionNotification.html",
      "name": "CreateVpcEndpointConnectionNotification",
      "description": "Grants permission to create a connection notification for a VPC endpoint or VPC endpoint service",
      "access": "Write",
      "resources": [
        {
          "name": "vpc-endpoint",
          "is_required": false
        },
        {
          "name": "vpc-endpoint-service",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:VpceMultiRegion",
        "ec2:VpceServiceRegion",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVpcEndpointServiceConfiguration.html",
      "name": "CreateVpcEndpointServiceConfiguration",
      "description": "Grants permission to create a VPC endpoint service configuration to which service consumers (AWS accounts, IAM users, and IAM roles) can connect",
      "access": "Write",
      "resources": [
        {
          "name": "vpc-endpoint-service",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:VpceMultiRegion",
        "ec2:VpceServicePrivateDnsName",
        "ec2:VpceServiceRegion",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVpcPeeringConnection.html",
      "name": "CreateVpcPeeringConnection",
      "description": "Grants permission to request a VPC peering connection between two VPCs",
      "access": "Write",
      "resources": [
        {
          "name": "vpc",
          "is_required": true
        },
        {
          "name": "vpc-peering-connection",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:VpcID",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:AccepterVpc",
        "ec2:RequesterVpc",
        "ec2:VpcPeeringConnectionID",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVpnConcentrator.html",
      "name": "CreateVpnConcentrator",
      "description": "Grants permission to create a VPN concentrator that aggregates multiple VPN connections to a transit gateway",
      "access": "Write",
      "resources": [
        {
          "name": "vpn-concentrator",
          "is_required": true
        },
        {
          "name": "transit-gateway",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayId",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVpnConnection.html",
      "name": "CreateVpnConnection",
      "description": "Grants permission to create a VPN connection between a virtual private gateway or transit gateway and a customer gateway",
      "access": "Write",
      "resources": [
        {
          "name": "customer-gateway",
          "is_required": true
        },
        {
          "name": "vpn-connection",
          "is_required": true
        },
        {
          "name": "transit-gateway",
          "is_required": false
        },
        {
          "name": "transit-gateway-attachment",
          "is_required": false
        },
        {
          "name": "vpn-concentrator",
          "is_required": false
        },
        {
          "name": "vpn-gateway",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:AuthenticationType",
        "ec2:DPDTimeoutSeconds",
        "ec2:GatewayType",
        "ec2:IKEVersions",
        "ec2:InsideTunnelCidr",
        "ec2:InsideTunnelIpv6Cidr",
        "ec2:Phase1DHGroup",
        "ec2:Phase1EncryptionAlgorithms",
        "ec2:Phase1IntegrityAlgorithms",
        "ec2:Phase1LifetimeSeconds",
        "ec2:Phase2DHGroup",
        "ec2:Phase2EncryptionAlgorithms",
        "ec2:Phase2IntegrityAlgorithms",
        "ec2:Phase2LifetimeSeconds",
        "ec2:RekeyFuzzPercentage",
        "ec2:RekeyMarginTimeSeconds",
        "ec2:ReplayWindowSizePackets",
        "ec2:RoutingType",
        "ec2:transitGatewayId",
        "ec2:transitGatewayAttachmentId",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVpnConnectionRoute.html",
      "name": "CreateVpnConnectionRoute",
      "description": "Grants permission to create a static route for a VPN connection between a virtual private gateway and a customer gateway",
      "access": "Write",
      "resources": [
        {
          "name": "vpn-connection",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVpnGateway.html",
      "name": "CreateVpnGateway",
      "description": "Grants permission to create a virtual private gateway",
      "access": "Write",
      "resources": [
        {
          "name": "vpn-gateway",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteCapacityManagerDataExport.html",
      "name": "DeleteCapacityManagerDataExport",
      "description": "Grants permission to delete an existing Capacity Manager data export configuration",
      "access": "Write",
      "resources": [
        {
          "name": "capacity-manager-data-export",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteCarrierGateway.html",
      "name": "DeleteCarrierGateway",
      "description": "Grants permission to delete a carrier gateway",
      "access": "Write",
      "resources": [
        {
          "name": "carrier-gateway",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteClientVpnEndpoint.html",
      "name": "DeleteClientVpnEndpoint",
      "description": "Grants permission to delete a Client VPN endpoint",
      "access": "Write",
      "resources": [
        {
          "name": "client-vpn-endpoint",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ClientRootCertificateChainArn",
        "ec2:CloudwatchLogGroupArn",
        "ec2:CloudwatchLogStreamArn",
        "ec2:DirectoryArn",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SamlProviderArn",
        "ec2:ServerCertificateArn",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteClientVpnRoute.html",
      "name": "DeleteClientVpnRoute",
      "description": "Grants permission to delete a route from a Client VPN endpoint",
      "access": "Write",
      "resources": [
        {
          "name": "client-vpn-endpoint",
          "is_required": true
        },
        {
          "name": "subnet",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ClientRootCertificateChainArn",
        "ec2:CloudwatchLogGroupArn",
        "ec2:CloudwatchLogStreamArn",
        "ec2:DirectoryArn",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SamlProviderArn",
        "ec2:ServerCertificateArn",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:SubnetID",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteCoipCidr.html",
      "name": "DeleteCoipCidr",
      "description": "Grants permission to delete a range of customer-owned IP (CoIP) addresses",
      "access": "Write",
      "resources": [
        {
          "name": "coip-pool",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteCoipPool.html",
      "name": "DeleteCoipPool",
      "description": "Grants permission to delete a pool of customer-owned IP (CoIP) addresses",
      "access": "Write",
      "resources": [
        {
          "name": "coip-pool",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/outposts/latest/userguide/identity-access-management.html",
      "name": "DeleteCoipPoolPermission",
      "description": "Grants permission to deny a service access to a customer-owned IP (CoIP) pool",
      "access": "Permissions management",
      "resources": [
        {
          "name": "coip-pool",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteCustomerGateway.html",
      "name": "DeleteCustomerGateway",
      "description": "Grants permission to delete a customer gateway",
      "access": "Write",
      "resources": [
        {
          "name": "customer-gateway",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteDhcpOptions.html",
      "name": "DeleteDhcpOptions",
      "description": "Grants permission to delete a set of DHCP options",
      "access": "Write",
      "resources": [
        {
          "name": "dhcp-options",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:DhcpOptionsID",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteEgressOnlyInternetGateway.html",
      "name": "DeleteEgressOnlyInternetGateway",
      "description": "Grants permission to delete an egress-only internet gateway",
      "access": "Write",
      "resources": [
        {
          "name": "egress-only-internet-gateway",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFleets.html",
      "name": "DeleteFleets",
      "description": "Grants permission to delete one or more EC2 Fleets",
      "access": "Write",
      "resources": [
        {
          "name": "fleet",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html",
      "name": "DeleteFlowLogs",
      "description": "Grants permission to delete one or more flow logs",
      "access": "Write",
      "resources": [
        {
          "name": "vpc-flow-log",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFpgaImage.html",
      "name": "DeleteFpgaImage",
      "description": "Grants permission to delete an Amazon FPGA Image (AFI)",
      "access": "Write",
      "resources": [
        {
          "name": "fpga-image",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Owner",
        "ec2:Public",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteImageUsageReport.html",
      "name": "DeleteImageUsageReport",
      "description": "Grants permission to delete an AMI usage report",
      "access": "Write",
      "resources": [
        {
          "name": "image-usage-report",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteInstanceConnectEndpoint.html",
      "name": "DeleteInstanceConnectEndpoint",
      "description": "Grants permission to delete an EC2 Instance Connect Endpoint",
      "access": "Write",
      "resources": [
        {
          "name": "instance-connect-endpoint",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SubnetID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteInstanceEventWindow.html",
      "name": "DeleteInstanceEventWindow",
      "description": "Grants permission to delete the specified event window",
      "access": "Write",
      "resources": [
        {
          "name": "instance-event-window",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteInternetGateway.html",
      "name": "DeleteInternetGateway",
      "description": "Grants permission to delete an internet gateway",
      "access": "Write",
      "resources": [
        {
          "name": "internet-gateway",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:InternetGatewayID",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteIpam.html",
      "name": "DeleteIpam",
      "description": "Grants permission to delete an Amazon VPC IP Address Manager (IPAM) and remove all monitored data associated with the IPAM including the historical data for CIDRs",
      "access": "Write",
      "resources": [
        {
          "name": "ipam",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteIpamExternalResourceVerificationToken.html",
      "name": "DeleteIpamExternalResourceVerificationToken",
      "description": "Grants permission to delete a verification token, which proves ownership of an external resource",
      "access": "Write",
      "resources": [
        {
          "name": "ipam-external-resource-verification-token",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteIpamPolicy.html",
      "name": "DeleteIpamPolicy",
      "description": "Grants permission to delete an Amazon VPC IP Address Manager (IPAM) policy",
      "access": "Write",
      "resources": [
        {
          "name": "ipam-policy",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteIpamPool.html",
      "name": "DeleteIpamPool",
      "description": "Grants permission to delete an Amazon VPC IP Address Manager (IPAM) pool",
      "access": "Write",
      "resources": [
        {
          "name": "ipam-pool",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteIpamPrefixListResolver.html",
      "name": "DeleteIpamPrefixListResolver",
      "description": "Grants permission to delete an IPAM prefix list resolver",
      "access": "Write",
      "resources": [
        {
          "name": "ipam-prefix-list-resolver",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteIpamPrefixListResolverTarget.html",
      "name": "DeleteIpamPrefixListResolverTarget",
      "description": "Grants permission to delete an IPAM prefix list resolver target",
      "access": "Write",
      "resources": [
        {
          "name": "ipam-prefix-list-resolver-target",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteIpamResourceDiscovery.html",
      "name": "DeleteIpamResourceDiscovery",
      "description": "Grants permission to delete an IPAM resource discovery",
      "access": "Write",
      "resources": [
        {
          "name": "ipam-resource-discovery",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteIpamScope.html",
      "name": "DeleteIpamScope",
      "description": "Grants permission to delete the scope for an Amazon VPC IP Address Manager (IPAM)",
      "access": "Write",
      "resources": [
        {
          "name": "ipam-scope",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteKeyPair.html",
      "name": "DeleteKeyPair",
      "description": "Grants permission to delete a key pair by removing the public key from Amazon EC2",
      "access": "Write",
      "resources": [
        {
          "name": "key-pair",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:KeyPairName",
        "ec2:KeyPairType",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteLaunchTemplate.html",
      "name": "DeleteLaunchTemplate",
      "description": "Grants permission to delete a launch template and its associated versions",
      "access": "Write",
      "resources": [
        {
          "name": "launch-template",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ManagedResourceOperator",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteLaunchTemplateVersions.html",
      "name": "DeleteLaunchTemplateVersions",
      "description": "Grants permission to delete one or more versions of a launch template",
      "access": "Write",
      "resources": [
        {
          "name": "launch-template",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ManagedResourceOperator",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteLocalGatewayRoute.html",
      "name": "DeleteLocalGatewayRoute",
      "description": "Grants permission to delete a route from a local gateway route table",
      "access": "Write",
      "resources": [
        {
          "name": "local-gateway-route-table",
          "is_required": true
        },
        {
          "name": "prefix-list",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteLocalGatewayRouteTable.html",
      "name": "DeleteLocalGatewayRouteTable",
      "description": "Grants permission to delete a local gateway route table",
      "access": "Write",
      "resources": [
        {
          "name": "local-gateway-route-table",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/outposts/latest/userguide/identity-access-management.html",
      "name": "DeleteLocalGatewayRouteTablePermission",
      "description": "Grants permission to deny a service access to a local gateway route table",
      "access": "Permissions management",
      "resources": [
        {
          "name": "local-gateway-route-table",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteLocalGatewayRouteTableVirtualInterfaceGroupAssociation.html",
      "name": "DeleteLocalGatewayRouteTableVirtualInterfaceGroupAssociation",
      "description": "Grants permission to delete a local gateway route table virtual interface group association",
      "access": "Write",
      "resources": [
        {
          "name": "local-gateway-route-table-virtual-interface-group-association",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteLocalGatewayRouteTableVpcAssociation.html",
      "name": "DeleteLocalGatewayRouteTableVpcAssociation",
      "description": "Grants permission to delete an association between a VPC and local gateway route table",
      "access": "Write",
      "resources": [
        {
          "name": "local-gateway-route-table-vpc-association",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteLocalGatewayVirtualInterface.html",
      "name": "DeleteLocalGatewayVirtualInterface",
      "description": "Grants permission to delete a local gateway virtual interface",
      "access": "Write",
      "resources": [
        {
          "name": "local-gateway-virtual-interface",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteLocalGatewayVirtualInterfaceGroup.html",
      "name": "DeleteLocalGatewayVirtualInterfaceGroup",
      "description": "Grants permission to delete a local gateway virtual interface group",
      "access": "Write",
      "resources": [
        {
          "name": "local-gateway-virtual-interface-group",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteManagedPrefixList.html",
      "name": "DeleteManagedPrefixList",
      "description": "Grants permission to delete a managed prefix list",
      "access": "Write",
      "resources": [
        {
          "name": "prefix-list",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:IpamPrefixListResolverTargetId",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNatGateway.html",
      "name": "DeleteNatGateway",
      "description": "Grants permission to delete a NAT gateway",
      "access": "Write",
      "resources": [
        {
          "name": "natgateway",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html",
      "name": "DeleteNetworkAcl",
      "description": "Grants permission to delete a network ACL",
      "access": "Write",
      "resources": [
        {
          "name": "network-acl",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:NetworkAclID",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html",
      "name": "DeleteNetworkAclEntry",
      "description": "Grants permission to delete an inbound or outbound entry (rule) from a network ACL",
      "access": "Write",
      "resources": [
        {
          "name": "network-acl",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:NetworkAclID",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkInsightsAccessScope.html",
      "name": "DeleteNetworkInsightsAccessScope",
      "description": "Grants permission to delete a Network Access Scope",
      "access": "Write",
      "resources": [
        {
          "name": "network-insights-access-scope",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkInsightsAccessScopeAnalysis.html",
      "name": "DeleteNetworkInsightsAccessScopeAnalysis",
      "description": "Grants permission to delete a Network Access Scope analysis",
      "access": "Write",
      "resources": [
        {
          "name": "network-insights-access-scope-analysis",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkInsightsAnalysis.html",
      "name": "DeleteNetworkInsightsAnalysis",
      "description": "Grants permission to delete a network insights analysis",
      "access": "Write",
      "resources": [
        {
          "name": "network-insights-analysis",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkInsightsPath.html",
      "name": "DeleteNetworkInsightsPath",
      "description": "Grants permission to delete a network insights path",
      "access": "Write",
      "resources": [
        {
          "name": "network-insights-path",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkInterface.html",
      "name": "DeleteNetworkInterface",
      "description": "Grants permission to delete a detached network interface",
      "access": "Write",
      "resources": [
        {
          "name": "network-interface",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:ManagedResourceOperator",
        "ec2:NetworkInterfaceID",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Subnet",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkInterfacePermission.html",
      "name": "DeleteNetworkInterfacePermission",
      "description": "Grants permission to delete a permission that is associated with a network interface",
      "access": "Permissions management",
      "resources": [
        {
          "name": "network-interface",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:ManagedResourceOperator",
        "ec2:NetworkInterfaceID",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Subnet",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteOdbNetworkPeering.html",
      "name": "DeleteOdbNetworkPeering",
      "description": "Grants permission to allow Oracle Database@AWS to delete a peering connection between an ODB network and a VPC",
      "access": "Permissions management",
      "resources": [
        {
          "name": "vpc",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeletePlacementGroup.html",
      "name": "DeletePlacementGroup",
      "description": "Grants permission to delete a placement group",
      "access": "Write",
      "resources": [
        {
          "name": "placement-group",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:PlacementGroupName",
        "ec2:PlacementGroupStrategy",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeletePublicIpv4Pool.html",
      "name": "DeletePublicIpv4Pool",
      "description": "Grants permission to delete a public IPv4 address pool for public IPv4 CIDRs that you own and brought to Amazon to manage with Amazon VPC IP Address Manager (IPAM)",
      "access": "Write",
      "resources": [
        {
          "name": "ipv4pool-ec2",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteQueuedReservedInstances.html",
      "name": "DeleteQueuedReservedInstances",
      "description": "Grants permission to delete the queued purchases for the specified Reserved Instances",
      "access": "Write",
      "resources": [
        {
          "name": "reserved-instances",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:InstanceType",
        "ec2:ReservedInstancesOfferingType",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/ipam/share-pool-ipam.html",
      "name": "DeleteResourcePolicy",
      "description": "Grants permission to remove from a resource an IAM policy that enables cross-account sharing",
      "access": "Permissions management",
      "resources": [
        {
          "name": "ipam-pool",
          "is_required": false
        },
        {
          "name": "placement-group",
          "is_required": false
        },
        {
          "name": "verified-access-group",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:PlacementGroupName",
        "ec2:PlacementGroupStrategy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html",
      "name": "DeleteRoute",
      "description": "Grants permission to delete a route from a route table",
      "access": "Write",
      "resources": [
        {
          "name": "route-table",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RouteTableID",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteServer.html",
      "name": "DeleteRouteServer",
      "description": "Grants permission to delete a route server",
      "access": "Write",
      "resources": [
        {
          "name": "route-server",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": [
        "sns:DeleteTopic"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteServerEndpoint.html",
      "name": "DeleteRouteServerEndpoint",
      "description": "Grants permission to delete a route server endpoint",
      "access": "Write",
      "resources": [
        {
          "name": "route-server-endpoint",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteSecurityGroup",
        "ec2:RevokeSecurityGroupIngress"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteServerPeer.html",
      "name": "DeleteRouteServerPeer",
      "description": "Grants permission to delete a route server peer",
      "access": "Write",
      "resources": [
        {
          "name": "route-server-peer",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:RevokeSecurityGroupIngress"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html",
      "name": "DeleteRouteTable",
      "description": "Grants permission to delete a route table",
      "access": "Write",
      "resources": [
        {
          "name": "route-table",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RouteTableID",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteSecondaryNetwork.html",
      "name": "DeleteSecondaryNetwork",
      "description": "Grants permission to delete a secondary network",
      "access": "Write",
      "resources": [
        {
          "name": "secondary-network",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteSecondarySubnet.html",
      "name": "DeleteSecondarySubnet",
      "description": "Grants permission to delete a secondary subnet",
      "access": "Write",
      "resources": [
        {
          "name": "secondary-subnet",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteSecurityGroup.html",
      "name": "DeleteSecurityGroup",
      "description": "Grants permission to delete a security group",
      "access": "Write",
      "resources": [
        {
          "name": "security-group",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SecurityGroupID",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteSnapshot.html",
      "name": "DeleteSnapshot",
      "description": "Grants permission to delete a snapshot of an EBS volume",
      "access": "Write",
      "resources": [
        {
          "name": "snapshot",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:OutpostArn",
        "ec2:Owner",
        "ec2:ParentVolume",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SnapshotID",
        "ec2:SnapshotTime",
        "ec2:VolumeSize",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteSpotDatafeedSubscription.html",
      "name": "DeleteSpotDatafeedSubscription",
      "description": "Grants permission to delete a data feed for Spot Instances",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteSubnet.html",
      "name": "DeleteSubnet",
      "description": "Grants permission to delete a subnet",
      "access": "Write",
      "resources": [
        {
          "name": "subnet",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SubnetID",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteSubnetCidrReservation.html",
      "name": "DeleteSubnetCidrReservation",
      "description": "Grants permission to delete a subnet CIDR reservation",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteTags.html",
      "name": "DeleteTags",
      "description": "Grants permission to delete one or more tags from Amazon EC2 resources",
      "access": "Tagging",
      "resources": [
        {
          "name": "capacity-block",
          "is_required": false
        },
        {
          "name": "capacity-manager-data-export",
          "is_required": false
        },
        {
          "name": "capacity-reservation",
          "is_required": false
        },
        {
          "name": "capacity-reservation-fleet",
          "is_required": false
        },
        {
          "name": "carrier-gateway",
          "is_required": false
        },
        {
          "name": "client-vpn-endpoint",
          "is_required": false
        },
        {
          "name": "coip-pool",
          "is_required": false
        },
        {
          "name": "customer-gateway",
          "is_required": false
        },
        {
          "name": "declarative-policies-report",
          "is_required": false
        },
        {
          "name": "dedicated-host",
          "is_required": false
        },
        {
          "name": "dhcp-options",
          "is_required": false
        },
        {
          "name": "egress-only-internet-gateway",
          "is_required": false
        },
        {
          "name": "elastic-gpu",
          "is_required": false
        },
        {
          "name": "elastic-ip",
          "is_required": false
        },
        {
          "name": "export-image-task",
          "is_required": false
        },
        {
          "name": "export-instance-task",
          "is_required": false
        },
        {
          "name": "fleet",
          "is_required": false
        },
        {
          "name": "fpga-image",
          "is_required": false
        },
        {
          "name": "host-reservation",
          "is_required": false
        },
        {
          "name": "image",
          "is_required": false
        },
        {
          "name": "image-usage-report",
          "is_required": false
        },
        {
          "name": "import-image-task",
          "is_required": false
        },
        {
          "name": "import-snapshot-task",
          "is_required": false
        },
        {
          "name": "instance",
          "is_required": false
        },
        {
          "name": "instance-connect-endpoint",
          "is_required": false
        },
        {
          "name": "instance-event-window",
          "is_required": false
        },
        {
          "name": "internet-gateway",
          "is_required": false
        },
        {
          "name": "ipam",
          "is_required": false
        },
        {
          "name": "ipam-external-resource-verification-token",
          "is_required": false
        },
        {
          "name": "ipam-policy",
          "is_required": false
        },
        {
          "name": "ipam-pool",
          "is_required": false
        },
        {
          "name": "ipam-prefix-list-resolver",
          "is_required": false
        },
        {
          "name": "ipam-prefix-list-resolver-target",
          "is_required": false
        },
        {
          "name": "ipam-resource-discovery",
          "is_required": false
        },
        {
          "name": "ipam-resource-discovery-association",
          "is_required": false
        },
        {
          "name": "ipam-scope",
          "is_required": false
        },
        {
          "name": "ipv4pool-ec2",
          "is_required": false
        },
        {
          "name": "ipv6pool-ec2",
          "is_required": false
        },
        {
          "name": "key-pair",
          "is_required": false
        },
        {
          "name": "launch-template",
          "is_required": false
        },
        {
          "name": "local-gateway",
          "is_required": false
        },
        {
          "name": "local-gateway-route-table",
          "is_required": false
        },
        {
          "name": "local-gateway-route-table-virtual-interface-group-association",
          "is_required": false
        },
        {
          "name": "local-gateway-route-table-vpc-association",
          "is_required": false
        },
        {
          "name": "local-gateway-virtual-interface",
          "is_required": false
        },
        {
          "name": "local-gateway-virtual-interface-group",
          "is_required": false
        },
        {
          "name": "natgateway",
          "is_required": false
        },
        {
          "name": "network-acl",
          "is_required": false
        },
        {
          "name": "network-insights-access-scope",
          "is_required": false
        },
        {
          "name": "network-insights-access-scope-analysis",
          "is_required": false
        },
        {
          "name": "network-insights-analysis",
          "is_required": false
        },
        {
          "name": "network-insights-path",
          "is_required": false
        },
        {
          "name": "network-interface",
          "is_required": false
        },
        {
          "name": "placement-group",
          "is_required": false
        },
        {
          "name": "prefix-list",
          "is_required": false
        },
        {
          "name": "replace-root-volume-task",
          "is_required": false
        },
        {
          "name": "reserved-instances",
          "is_required": false
        },
        {
          "name": "route-server",
          "is_required": false
        },
        {
          "name": "route-server-endpoint",
          "is_required": false
        },
        {
          "name": "route-server-peer",
          "is_required": false
        },
        {
          "name": "route-table",
          "is_required": false
        },
        {
          "name": "secondary-interface",
          "is_required": false
        },
        {
          "name": "secondary-network",
          "is_required": false
        },
        {
          "name": "secondary-subnet",
          "is_required": false
        },
        {
          "name": "security-group",
          "is_required": false
        },
        {
          "name": "security-group-rule",
          "is_required": false
        },
        {
          "name": "snapshot",
          "is_required": false
        },
        {
          "name": "spot-fleet-request",
          "is_required": false
        },
        {
          "name": "spot-instances-request",
          "is_required": false
        },
        {
          "name": "subnet",
          "is_required": false
        },
        {
          "name": "subnet-cidr-reservation",
          "is_required": false
        },
        {
          "name": "traffic-mirror-filter",
          "is_required": false
        },
        {
          "name": "traffic-mirror-filter-rule",
          "is_required": false
        },
        {
          "name": "traffic-mirror-session",
          "is_required": false
        },
        {
          "name": "traffic-mirror-target",
          "is_required": false
        },
        {
          "name": "transit-gateway",
          "is_required": false
        },
        {
          "name": "transit-gateway-attachment",
          "is_required": false
        },
        {
          "name": "transit-gateway-connect-peer",
          "is_required": false
        },
        {
          "name": "transit-gateway-metering-policy",
          "is_required": false
        },
        {
          "name": "transit-gateway-multicast-domain",
          "is_required": false
        },
        {
          "name": "transit-gateway-policy-table",
          "is_required": false
        },
        {
          "name": "transit-gateway-route-table",
          "is_required": false
        },
        {
          "name": "transit-gateway-route-table-announcement",
          "is_required": false
        },
        {
          "name": "verified-access-endpoint",
          "is_required": false
        },
        {
          "name": "verified-access-endpoint-target",
          "is_required": false
        },
        {
          "name": "verified-access-group",
          "is_required": false
        },
        {
          "name": "verified-access-instance",
          "is_required": false
        },
        {
          "name": "verified-access-policy",
          "is_required": false
        },
        {
          "name": "verified-access-trust-provider",
          "is_required": false
        },
        {
          "name": "volume",
          "is_required": false
        },
        {
          "name": "vpc",
          "is_required": false
        },
        {
          "name": "vpc-block-public-access-exclusion",
          "is_required": false
        },
        {
          "name": "vpc-encryption-control",
          "is_required": false
        },
        {
          "name": "vpc-endpoint",
          "is_required": false
        },
        {
          "name": "vpc-endpoint-connection",
          "is_required": false
        },
        {
          "name": "vpc-endpoint-service",
          "is_required": false
        },
        {
          "name": "vpc-endpoint-service-permission",
          "is_required": false
        },
        {
          "name": "vpc-flow-log",
          "is_required": false
        },
        {
          "name": "vpc-peering-connection",
          "is_required": false
        },
        {
          "name": "vpn-concentrator",
          "is_required": false
        },
        {
          "name": "vpn-connection",
          "is_required": false
        },
        {
          "name": "vpn-gateway",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteTrafficMirrorFilter.html",
      "name": "DeleteTrafficMirrorFilter",
      "description": "Grants permission to delete a traffic mirror filter",
      "access": "Write",
      "resources": [
        {
          "name": "traffic-mirror-filter",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteTrafficMirrorFilterRule.html",
      "name": "DeleteTrafficMirrorFilterRule",
      "description": "Grants permission to delete a traffic mirror filter rule",
      "access": "Write",
      "resources": [
        {
          "name": "traffic-mirror-filter",
          "is_required": true
        },
        {
          "name": "traffic-mirror-filter-rule",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteTrafficMirrorSession.html",
      "name": "DeleteTrafficMirrorSession",
      "description": "Grants permission to delete a traffic mirror session",
      "access": "Write",
      "resources": [
        {
          "name": "traffic-mirror-session",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteTrafficMirrorTarget.html",
      "name": "DeleteTrafficMirrorTarget",
      "description": "Grants permission to delete a traffic mirror target",
      "access": "Write",
      "resources": [
        {
          "name": "traffic-mirror-target",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteTransitGateway.html",
      "name": "DeleteTransitGateway",
      "description": "Grants permission to delete a transit gateway",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteTransitGatewayConnect.html",
      "name": "DeleteTransitGatewayConnect",
      "description": "Grants permission to delete a transit gateway connect attachment",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway-attachment",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayAttachmentId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteTransitGatewayConnectPeer.html",
      "name": "DeleteTransitGatewayConnectPeer",
      "description": "Grants permission to delete a transit gateway connect peer",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway-connect-peer",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayConnectPeerId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteTransitGatewayMeteringPolicy.html",
      "name": "DeleteTransitGatewayMeteringPolicy",
      "description": "Grants permission to delete a transit gateway metering policy",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway-metering-policy",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayMeteringPolicyId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteTransitGatewayMeteringPolicyEntry.html",
      "name": "DeleteTransitGatewayMeteringPolicyEntry",
      "description": "Grants permission to delete an entry from a transit gateway metering policy",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway-metering-policy",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayMeteringPolicyId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteTransitGatewayMulticastDomain.html",
      "name": "DeleteTransitGatewayMulticastDomain",
      "description": "Grants permission to delete a transit gateway multicast domain",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway-multicast-domain",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayMulticastDomainId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteTransitGatewayPeeringAttachment.html",
      "name": "DeleteTransitGatewayPeeringAttachment",
      "description": "Grants permission to delete a peering attachment from a transit gateway",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway-attachment",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayAttachmentId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteTransitGatewayPolicyTable.html",
      "name": "DeleteTransitGatewayPolicyTable",
      "description": "Grants permission to delete a transit gateway policy table",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway-policy-table",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayPolicyTableId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteTransitGatewayPrefixListReference.html",
      "name": "DeleteTransitGatewayPrefixListReference",
      "description": "Grants permission to delete a transit gateway prefix list reference",
      "access": "Write",
      "resources": [
        {
          "name": "prefix-list",
          "is_required": true
        },
        {
          "name": "transit-gateway-route-table",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayRouteTableId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteTransitGatewayRoute.html",
      "name": "DeleteTransitGatewayRoute",
      "description": "Grants permission to delete a route from a transit gateway route table",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway-route-table",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayRouteTableId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteTransitGatewayRouteTable.html",
      "name": "DeleteTransitGatewayRouteTable",
      "description": "Grants permission to delete a transit gateway route table",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway-route-table",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayRouteTableId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteTransitGatewayRouteTableAnnouncement.html",
      "name": "DeleteTransitGatewayRouteTableAnnouncement",
      "description": "Grants permission to delete a transit gateway route table announcement",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway-route-table-announcement",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayRouteTableAnnouncementId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteTransitGatewayVpcAttachment.html",
      "name": "DeleteTransitGatewayVpcAttachment",
      "description": "Grants permission to delete a VPC attachment from a transit gateway",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway-attachment",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayAttachmentId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteVerifiedAccessEndpoint.html",
      "name": "DeleteVerifiedAccessEndpoint",
      "description": "Grants permission to delete a Verified Access endpoint",
      "access": "Write",
      "resources": [
        {
          "name": "verified-access-endpoint",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteVerifiedAccessGroup.html",
      "name": "DeleteVerifiedAccessGroup",
      "description": "Grants permission to delete a Verified Access group",
      "access": "Write",
      "resources": [
        {
          "name": "verified-access-group",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteVerifiedAccessInstance.html",
      "name": "DeleteVerifiedAccessInstance",
      "description": "Grants permission to delete a Verified Access instance",
      "access": "Write",
      "resources": [
        {
          "name": "verified-access-instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteVerifiedAccessTrustProvider.html",
      "name": "DeleteVerifiedAccessTrustProvider",
      "description": "Grants permission to delete a Verified Access trust provider",
      "access": "Write",
      "resources": [
        {
          "name": "verified-access-trust-provider",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteVolume.html",
      "name": "DeleteVolume",
      "description": "Grants permission to delete an EBS volume",
      "access": "Write",
      "resources": [
        {
          "name": "volume",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:Encrypted",
        "ec2:ManagedResourceOperator",
        "ec2:ParentSnapshot",
        "ec2:ParentVolume",
        "ec2:ResourceTag/${TagKey}",
        "ec2:VolumeID",
        "ec2:VolumeInitializationRate",
        "ec2:VolumeIops",
        "ec2:VolumeSize",
        "ec2:VolumeThroughput",
        "ec2:VolumeType",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteVpc.html",
      "name": "DeleteVpc",
      "description": "Grants permission to delete a VPC",
      "access": "Write",
      "resources": [
        {
          "name": "vpc",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteVpcBlockPublicAccessExclusion.html",
      "name": "DeleteVpcBlockPublicAccessExclusion",
      "description": "Grants permission to delete an exclusion list for blocked public access on a VPC",
      "access": "Write",
      "resources": [
        {
          "name": "vpc-block-public-access-exclusion",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteVpcEncryptionControl.html",
      "name": "DeleteVpcEncryptionControl",
      "description": "Grants permission to delete a VPC Encryption Control",
      "access": "Write",
      "resources": [
        {
          "name": "vpc-encryption-control",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteVpcEndpointConnectionNotifications.html",
      "name": "DeleteVpcEndpointConnectionNotifications",
      "description": "Grants permission to delete one or more VPC endpoint connection notifications",
      "access": "Write",
      "resources": [
        {
          "name": "vpc-endpoint",
          "is_required": false
        },
        {
          "name": "vpc-endpoint-service",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:VpceMultiRegion",
        "ec2:VpceSupportedRegion",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteVpcEndpointServiceConfigurations.html",
      "name": "DeleteVpcEndpointServiceConfigurations",
      "description": "Grants permission to delete one or more VPC endpoint service configurations",
      "access": "Write",
      "resources": [
        {
          "name": "vpc-endpoint-service",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:VpceMultiRegion",
        "ec2:VpceSupportedRegion",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteVpcEndpoints.html",
      "name": "DeleteVpcEndpoints",
      "description": "Grants permission to delete one or more VPC endpoints",
      "access": "Write",
      "resources": [
        {
          "name": "vpc-endpoint",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:VpceMultiRegion",
        "ec2:VpceServiceName",
        "ec2:VpceServiceRegion",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteVpcPeeringConnection.html",
      "name": "DeleteVpcPeeringConnection",
      "description": "Grants permission to delete a VPC peering connection",
      "access": "Write",
      "resources": [
        {
          "name": "vpc-peering-connection",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AccepterVpc",
        "ec2:RequesterVpc",
        "ec2:ResourceTag/${TagKey}",
        "ec2:VpcPeeringConnectionID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteVpnConcentrator.html",
      "name": "DeleteVpnConcentrator",
      "description": "Grants permission to delete a VPN concentrator",
      "access": "Write",
      "resources": [
        {
          "name": "vpn-concentrator",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteVpnConnection.html",
      "name": "DeleteVpnConnection",
      "description": "Grants permission to delete a VPN connection",
      "access": "Write",
      "resources": [
        {
          "name": "vpn-connection",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteVpnConnectionRoute.html",
      "name": "DeleteVpnConnectionRoute",
      "description": "Grants permission to delete a static route for a VPN connection between a virtual private gateway and a customer gateway",
      "access": "Write",
      "resources": [
        {
          "name": "vpn-connection",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteVpnGateway.html",
      "name": "DeleteVpnGateway",
      "description": "Grants permission to delete a virtual private gateway",
      "access": "Write",
      "resources": [
        {
          "name": "vpn-gateway",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeprovisionByoipCidr.html",
      "name": "DeprovisionByoipCidr",
      "description": "Grants permission to release an IP address range that was provisioned through bring your own IP addresses (BYOIP), and to delete the corresponding address pool",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeprovisionIpamByoasn.html",
      "name": "DeprovisionIpamByoasn",
      "description": "Grants permission to deprovision an Autonomous System Number (ASN) from an Amazon Web Services account",
      "access": "Write",
      "resources": [
        {
          "name": "ipam",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeprovisionIpamPoolCidr.html",
      "name": "DeprovisionIpamPoolCidr",
      "description": "Grants permission to deprovision a CIDR provisioned from an Amazon VPC IP Address Manager (IPAM) pool",
      "access": "Write",
      "resources": [
        {
          "name": "ipam-pool",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeprovisionPublicIpv4PoolCidr.html",
      "name": "DeprovisionPublicIpv4PoolCidr",
      "description": "Grants permission to deprovision a CIDR from a public IPv4 pool",
      "access": "Write",
      "resources": [
        {
          "name": "ipv4pool-ec2",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeregisterImage.html",
      "name": "DeregisterImage",
      "description": "Grants permission to deregister an Amazon Machine Image (AMI)",
      "access": "Write",
      "resources": [
        {
          "name": "image",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ImageID",
        "ec2:ImageType",
        "ec2:Owner",
        "ec2:Public",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeregisterInstanceEventNotificationAttributes.html",
      "name": "DeregisterInstanceEventNotificationAttributes",
      "description": "Grants permission to remove tags from the set of tags to include in notifications about scheduled events for your instances",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeregisterTransitGatewayMulticastGroupMembers.html",
      "name": "DeregisterTransitGatewayMulticastGroupMembers",
      "description": "Grants permission to deregister one or more network interface members from a group IP address in a transit gateway multicast domain",
      "access": "Write",
      "resources": [
        {
          "name": "network-interface",
          "is_required": false
        },
        {
          "name": "transit-gateway-multicast-domain",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:ManagedResourceOperator",
        "ec2:NetworkInterfaceID",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Subnet",
        "ec2:Vpc",
        "ec2:transitGatewayMulticastDomainId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeregisterTransitGatewayMulticastGroupSources.html",
      "name": "DeregisterTransitGatewayMulticastGroupSources",
      "description": "Grants permission to deregister one or more network interface sources from a group IP address in a transit gateway multicast domain",
      "access": "Write",
      "resources": [
        {
          "name": "network-interface",
          "is_required": false
        },
        {
          "name": "transit-gateway-multicast-domain",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:ManagedResourceOperator",
        "ec2:NetworkInterfaceID",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Subnet",
        "ec2:Vpc",
        "ec2:transitGatewayMulticastDomainId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAccountAttributes.html",
      "name": "DescribeAccountAttributes",
      "description": "Grants permission to describe the attributes of the AWS account",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAddressTransfers.html",
      "name": "DescribeAddressTransfers",
      "description": "Grants permission to describe an Elastic IP address transfer",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAddresses.html",
      "name": "DescribeAddresses",
      "description": "Grants permission to describe one or more Elastic IP addresses",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAddressesAttribute.html",
      "name": "DescribeAddressesAttribute",
      "description": "Grants permission to describe the attributes of the specified Elastic IP addresses",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAggregateIdFormat.html",
      "name": "DescribeAggregateIdFormat",
      "description": "Grants permission to describe the longer ID format settings for all resource types",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAvailabilityZones.html",
      "name": "DescribeAvailabilityZones",
      "description": "Grants permission to describe one or more of the Availability Zones that are available to you",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAwsNetworkPerformanceMetricSubscriptions.html",
      "name": "DescribeAwsNetworkPerformanceMetricSubscriptions",
      "description": "Grants permission to describe the current infrastructure performance metric subscriptions",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeBundleTasks.html",
      "name": "DescribeBundleTasks",
      "description": "Grants permission to describe one or more bundling tasks",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeByoipCidrs.html",
      "name": "DescribeByoipCidrs",
      "description": "Grants permission to describe the IP address ranges that were provisioned through bring your own IP addresses (BYOIP)",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeCapacityBlockExtensionHistory.html",
      "name": "DescribeCapacityBlockExtensionHistory",
      "description": "Grants permission to describe Capacity Block extension history",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeCapacityBlockExtensionOfferings.html",
      "name": "DescribeCapacityBlockExtensionOfferings",
      "description": "Grants permission to describe Capacity Block extension offerings",
      "access": "List",
      "resources": [
        {
          "name": "capacity-reservation",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:CapacityReservationFleet",
        "ec2:CreateDate",
        "ec2:DestinationCapacityReservationId",
        "ec2:EbsOptimized",
        "ec2:EndDate",
        "ec2:EndDateType",
        "ec2:InstanceCount",
        "ec2:InstanceMatchCriteria",
        "ec2:InstancePlatform",
        "ec2:InstanceType",
        "ec2:OutpostArn",
        "ec2:PlacementGroup",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SourceCapacityReservationId",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeCapacityBlockOfferings.html",
      "name": "DescribeCapacityBlockOfferings",
      "description": "Grants permission to describe Capacity Block offerings available for purchase",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeCapacityBlockStatus.html",
      "name": "DescribeCapacityBlockStatus",
      "description": "Grants permission to describe the availability of capacity for the specified Capacity Blocks, or all of your Capacity Blocks",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeCapacityBlocks.html",
      "name": "DescribeCapacityBlocks",
      "description": "Grants permission to describe details about Capacity Blocks in the AWS Region that you're currently using",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeCapacityManagerDataExports.html",
      "name": "DescribeCapacityManagerDataExports",
      "description": "Grants permission to describe one or more Capacity Manager data export configurations",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeCapacityReservationBillingRequests.html",
      "name": "DescribeCapacityReservationBillingRequests",
      "description": "Grants permission to describe one or more requests to assign the billing of the unused capacity of a Capacity Reservation",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeCapacityReservationFleets.html",
      "name": "DescribeCapacityReservationFleets",
      "description": "Grants permission to describe one or more Capacity Reservation Fleets",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeCapacityReservationTopology.html",
      "name": "DescribeCapacityReservationTopology",
      "description": "Grants permission to describe the topology of one or more Capacity Reservations",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeCapacityReservations.html",
      "name": "DescribeCapacityReservations",
      "description": "Grants permission to describe one or more Capacity Reservations",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeCarrierGateways.html",
      "name": "DescribeCarrierGateways",
      "description": "Grants permission to describe one or more Carrier Gateways",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeClassicLinkInstances.html",
      "name": "DescribeClassicLinkInstances",
      "description": "Grants permission to describe one or more linked EC2-Classic instances",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeClientVpnAuthorizationRules.html",
      "name": "DescribeClientVpnAuthorizationRules",
      "description": "Grants permission to describe the authorization rules for a Client VPN endpoint",
      "access": "List",
      "resources": [
        {
          "name": "client-vpn-endpoint",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeClientVpnConnections.html",
      "name": "DescribeClientVpnConnections",
      "description": "Grants permission to describe active client connections and connections that have been terminated within the last 60 minutes for a Client VPN endpoint",
      "access": "List",
      "resources": [
        {
          "name": "client-vpn-endpoint",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ClientRootCertificateChainArn",
        "ec2:CloudwatchLogGroupArn",
        "ec2:CloudwatchLogStreamArn",
        "ec2:DirectoryArn",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SamlProviderArn",
        "ec2:ServerCertificateArn",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeClientVpnEndpoints.html",
      "name": "DescribeClientVpnEndpoints",
      "description": "Grants permission to describe one or more Client VPN endpoints",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeClientVpnRoutes.html",
      "name": "DescribeClientVpnRoutes",
      "description": "Grants permission to describe the routes for a Client VPN endpoint",
      "access": "List",
      "resources": [
        {
          "name": "client-vpn-endpoint",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ClientRootCertificateChainArn",
        "ec2:CloudwatchLogGroupArn",
        "ec2:CloudwatchLogStreamArn",
        "ec2:DirectoryArn",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SamlProviderArn",
        "ec2:ServerCertificateArn",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeClientVpnTargetNetworks.html",
      "name": "DescribeClientVpnTargetNetworks",
      "description": "Grants permission to describe the target networks that are associated with a Client VPN endpoint",
      "access": "List",
      "resources": [
        {
          "name": "client-vpn-endpoint",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ClientRootCertificateChainArn",
        "ec2:CloudwatchLogGroupArn",
        "ec2:CloudwatchLogStreamArn",
        "ec2:DirectoryArn",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SamlProviderArn",
        "ec2:ServerCertificateArn",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeCoipPools.html",
      "name": "DescribeCoipPools",
      "description": "Grants permission to describe the specified customer-owned address pools or all of your customer-owned address pools",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeConversionTasks.html",
      "name": "DescribeConversionTasks",
      "description": "Grants permission to describe one or more conversion tasks",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeCustomerGateways.html",
      "name": "DescribeCustomerGateways",
      "description": "Grants permission to describe one or more customer gateways",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeDeclarativePoliciesReports.html",
      "name": "DescribeDeclarativePoliciesReports",
      "description": "Grants permission to describe one or more declarative policies reports",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeDhcpOptions.html",
      "name": "DescribeDhcpOptions",
      "description": "Grants permission to describe one or more DHCP options sets",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeEgressOnlyInternetGateways.html",
      "name": "DescribeEgressOnlyInternetGateways",
      "description": "Grants permission to describe one or more egress-only internet gateways",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeElasticGpus.html",
      "name": "DescribeElasticGpus",
      "description": "Grants permission to describe an Elastic Graphics accelerator that is associated with an instance",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeExportImageTasks.html",
      "name": "DescribeExportImageTasks",
      "description": "Grants permission to describe one or more export image tasks",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeExportTasks.html",
      "name": "DescribeExportTasks",
      "description": "Grants permission to describe one or more export instance tasks",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeFastLaunchImages.html",
      "name": "DescribeFastLaunchImages",
      "description": "Grants permission to describe fast-launch enabled Windows AMIs",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeFastSnapshotRestores.html",
      "name": "DescribeFastSnapshotRestores",
      "description": "Grants permission to describe the state of fast snapshot restores for snapshots",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeFleetHistory.html",
      "name": "DescribeFleetHistory",
      "description": "Grants permission to describe the events for an EC2 Fleet during a specified time",
      "access": "List",
      "resources": [
        {
          "name": "fleet",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeFleetInstances.html",
      "name": "DescribeFleetInstances",
      "description": "Grants permission to describe the running instances for an EC2 Fleet",
      "access": "List",
      "resources": [
        {
          "name": "fleet",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeFleets.html",
      "name": "DescribeFleets",
      "description": "Grants permission to describe one or more EC2 Fleets",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeFlowLogs.html",
      "name": "DescribeFlowLogs",
      "description": "Grants permission to describe one or more flow logs",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeFpgaImageAttribute.html",
      "name": "DescribeFpgaImageAttribute",
      "description": "Grants permission to describe the attributes of an Amazon FPGA Image (AFI)",
      "access": "List",
      "resources": [
        {
          "name": "fpga-image",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Owner",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeFpgaImages.html",
      "name": "DescribeFpgaImages",
      "description": "Grants permission to describe one or more Amazon FPGA Images (AFIs)",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeHostReservationOfferings.html",
      "name": "DescribeHostReservationOfferings",
      "description": "Grants permission to describe the Dedicated Host Reservations that are available to purchase",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeHostReservations.html",
      "name": "DescribeHostReservations",
      "description": "Grants permission to describe the Dedicated Host Reservations that are associated with Dedicated Hosts in the AWS account",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeHosts.html",
      "name": "DescribeHosts",
      "description": "Grants permission to describe one or more Dedicated Hosts",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeIamInstanceProfileAssociations.html",
      "name": "DescribeIamInstanceProfileAssociations",
      "description": "Grants permission to describe the IAM instance profile associations",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeIdFormat.html",
      "name": "DescribeIdFormat",
      "description": "Grants permission to describe the ID format settings for resources",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeIdentityIdFormat.html",
      "name": "DescribeIdentityIdFormat",
      "description": "Grants permission to describe the ID format settings for resources for an IAM user, IAM role, or root user",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeImageAttribute.html",
      "name": "DescribeImageAttribute",
      "description": "Grants permission to describe an attribute of an Amazon Machine Image (AMI)",
      "access": "List",
      "resources": [
        {
          "name": "image",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ImageID",
        "ec2:ImageType",
        "ec2:Owner",
        "ec2:Public",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeImageReferences.html",
      "name": "DescribeImageReferences",
      "description": "Grants permission to describe your AWS resources that are referencing specified images",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeImageUsageReportEntries.html",
      "name": "DescribeImageUsageReportEntries",
      "description": "Grants permission to describe the entries of an AMI usage report",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeImageUsageReports.html",
      "name": "DescribeImageUsageReports",
      "description": "Grants permission to describe the configuration and status of an AMI usage report",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeImages.html",
      "name": "DescribeImages",
      "description": "Grants permission to describe one or more images (AMIs, AKIs, and ARIs)",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeImportImageTasks.html",
      "name": "DescribeImportImageTasks",
      "description": "Grants permission to describe import virtual machine or import snapshot tasks",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeImportSnapshotTasks.html",
      "name": "DescribeImportSnapshotTasks",
      "description": "Grants permission to describe import snapshot tasks",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstanceAttribute.html",
      "name": "DescribeInstanceAttribute",
      "description": "Grants permission to describe the attributes of an instance",
      "access": "List",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstanceConnectEndpoints.html",
      "name": "DescribeInstanceConnectEndpoints",
      "description": "Grants permission to describe EC2 Instance Connect Endpoints",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstanceCreditSpecifications.html",
      "name": "DescribeInstanceCreditSpecifications",
      "description": "Grants permission to describe the credit option for CPU usage of one or more burstable performance instances",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstanceEventNotificationAttributes.html",
      "name": "DescribeInstanceEventNotificationAttributes",
      "description": "Grants permission to describe the set of tags to include in notifications about scheduled events for your instances",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstanceEventWindows.html",
      "name": "DescribeInstanceEventWindows",
      "description": "Grants permission to describe the specified event windows or all event windows",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstanceImageMetadata.html",
      "name": "DescribeInstanceImageMetadata",
      "description": "Grants permission to describe the AMI that was used to launch an instance",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstanceSqlHaHistoryStates.html",
      "name": "DescribeInstanceSqlHaHistoryStates",
      "description": "Grants permission to describe EC2 instance SQL HA history states",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstanceSqlHaStates.html",
      "name": "DescribeInstanceSqlHaStates",
      "description": "Grants permission to describe EC2 instance SQL HA states",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstanceStatus.html",
      "name": "DescribeInstanceStatus",
      "description": "Grants permission to describe the status of one or more instances",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstanceTopology.html",
      "name": "DescribeInstanceTopology",
      "description": "Grants permission to describe a tree-based hierarchy that represents the physical host placement of EC2 instances",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstanceTypeOfferings.html",
      "name": "DescribeInstanceTypeOfferings",
      "description": "Grants permission to describe the set of instance types that are offered in a location",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstanceTypes.html",
      "name": "DescribeInstanceTypes",
      "description": "Grants permission to describe the details of instance types that are offered in a location",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html",
      "name": "DescribeInstances",
      "description": "Grants permission to describe one or more instances",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInternetGateways.html",
      "name": "DescribeInternetGateways",
      "description": "Grants permission to describe one or more internet gateways",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeIpamByoasn.html",
      "name": "DescribeIpamByoasn",
      "description": "Grants permission to describe a bring your own Autonomous System Number (BYOASN) that you've brought to IPAM",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeIpamExternalResourceVerificationTokens.html",
      "name": "DescribeIpamExternalResourceVerificationTokens",
      "description": "Grants permission to describe verification tokens, which prove ownership of an external resource",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeIpamPolicies.html",
      "name": "DescribeIpamPolicies",
      "description": "Grants permission to describe Amazon VPC IP Address Manager (IPAM) policies",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeIpamPools.html",
      "name": "DescribeIpamPools",
      "description": "Grants permission to describe Amazon VPC IP Address Manager (IPAM) pools",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeIpamPrefixListResolverTargets.html",
      "name": "DescribeIpamPrefixListResolverTargets",
      "description": "Grants permission to describe IPAM prefix list resolver targets",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeIpamPrefixListResolvers.html",
      "name": "DescribeIpamPrefixListResolvers",
      "description": "Grants permission to describe IPAM prefix list resolvers",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeIpamResourceDiscoveries.html",
      "name": "DescribeIpamResourceDiscoveries",
      "description": "Grants permission to describe IPAM resource discoveries",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeIpamResourceDiscoveryAssociations.html",
      "name": "DescribeIpamResourceDiscoveryAssociations",
      "description": "Grants permission to describe resource discovery associations with an Amazon VPC IPAM",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeIpamScopes.html",
      "name": "DescribeIpamScopes",
      "description": "Grants permission to describe Amazon VPC IP Address Manager (IPAM) scopes",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeIpams.html",
      "name": "DescribeIpams",
      "description": "Grants permission to describe an Amazon VPC IP Address Manager (IPAM)",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeIpv6Pools.html",
      "name": "DescribeIpv6Pools",
      "description": "Grants permission to describe one or more IPv6 address pools",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeKeyPairs.html",
      "name": "DescribeKeyPairs",
      "description": "Grants permission to describe one or more key pairs",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeLaunchTemplateVersions.html",
      "name": "DescribeLaunchTemplateVersions",
      "description": "Grants permission to describe one or more launch template versions",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": [
        "ssm:GetParameters"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeLaunchTemplates.html",
      "name": "DescribeLaunchTemplates",
      "description": "Grants permission to describe one or more launch templates",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/outposts/latest/userguide/identity-access-management.html",
      "name": "DescribeLocalGatewayRouteTablePermissions",
      "description": "Grants permission to allow a service to describe local gateway route table permissions",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations.html",
      "name": "DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations",
      "description": "Grants permission to describe the associations between virtual interface groups and local gateway route tables",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeLocalGatewayRouteTableVpcAssociations.html",
      "name": "DescribeLocalGatewayRouteTableVpcAssociations",
      "description": "Grants permission to describe an association between VPCs and local gateway route tables",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeLocalGatewayRouteTables.html",
      "name": "DescribeLocalGatewayRouteTables",
      "description": "Grants permission to describe one or more local gateway route tables",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeLocalGatewayVirtualInterfaceGroups.html",
      "name": "DescribeLocalGatewayVirtualInterfaceGroups",
      "description": "Grants permission to describe local gateway virtual interface groups",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeLocalGatewayVirtualInterfaces.html",
      "name": "DescribeLocalGatewayVirtualInterfaces",
      "description": "Grants permission to describe local gateway virtual interfaces",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeLocalGateways.html",
      "name": "DescribeLocalGateways",
      "description": "Grants permission to describe one or more local gateways",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeLockedSnapshots.html",
      "name": "DescribeLockedSnapshots",
      "description": "Grants permission to describe the lock status for a snapshot",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeMacHosts.html",
      "name": "DescribeMacHosts",
      "description": "Grants permission to describe your EC2 Mac Dedicated hosts",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeMacModificationTasks.html",
      "name": "DescribeMacModificationTasks",
      "description": "Grants permission to describe a System Integrity Protection (SIP) modification task or volume ownership delegation task for an Amazon EC2 Mac instance",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeManagedPrefixLists.html",
      "name": "DescribeManagedPrefixLists",
      "description": "Grants permission to describe your managed prefix lists and any AWS-managed prefix lists",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeMovingAddresses.html",
      "name": "DescribeMovingAddresses",
      "description": "Grants permission to describe Elastic IP addresses that are being moved to the EC2-VPC platform",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeNatGateways.html",
      "name": "DescribeNatGateways",
      "description": "Grants permission to describe one or more NAT gateways",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeNetworkAcls.html",
      "name": "DescribeNetworkAcls",
      "description": "Grants permission to describe one or more network ACLs",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeNetworkInsightsAccessScopeAnalyses.html",
      "name": "DescribeNetworkInsightsAccessScopeAnalyses",
      "description": "Grants permission to describe one or more Network Access Scope analyses",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeNetworkInsightsAccessScopes.html",
      "name": "DescribeNetworkInsightsAccessScopes",
      "description": "Grants permission to describe the Network Access Scopes",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeNetworkInsightsAnalyses.html",
      "name": "DescribeNetworkInsightsAnalyses",
      "description": "Grants permission to describe one or more network insights analyses",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeNetworkInsightsPaths.html",
      "name": "DescribeNetworkInsightsPaths",
      "description": "Grants permission to describe one or more network insights paths",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeNetworkInterfaceAttribute.html",
      "name": "DescribeNetworkInterfaceAttribute",
      "description": "Grants permission to describe a network interface attribute",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeNetworkInterfacePermissions.html",
      "name": "DescribeNetworkInterfacePermissions",
      "description": "Grants permission to describe the permissions that are associated with a network interface",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeNetworkInterfaces.html",
      "name": "DescribeNetworkInterfaces",
      "description": "Grants permission to describe one or more network interfaces",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeOutpostLags.html",
      "name": "DescribeOutpostLags",
      "description": "Grants permission to describe Outpost LAGs",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribePlacementGroups.html",
      "name": "DescribePlacementGroups",
      "description": "Grants permission to describe one or more placement groups",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribePrefixLists.html",
      "name": "DescribePrefixLists",
      "description": "Grants permission to describe available AWS services in a prefix list format",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribePrincipalIdFormat.html",
      "name": "DescribePrincipalIdFormat",
      "description": "Grants permission to describe the ID format settings for the root user and all IAM roles and IAM users that have explicitly specified a longer ID (17-character ID) preference",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribePublicIpv4Pools.html",
      "name": "DescribePublicIpv4Pools",
      "description": "Grants permission to describe one or more IPv4 address pools",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeRegions.html",
      "name": "DescribeRegions",
      "description": "Grants permission to describe one or more AWS Regions that are currently available in your account",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeReplaceRootVolumeTasks.html",
      "name": "DescribeReplaceRootVolumeTasks",
      "description": "Grants permission to describe a root volume replacement task",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeReservedInstances.html",
      "name": "DescribeReservedInstances",
      "description": "Grants permission to describe one or more purchased Reserved Instances in your account",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeReservedInstancesListings.html",
      "name": "DescribeReservedInstancesListings",
      "description": "Grants permission to describe your account's Reserved Instance listings in the Reserved Instance Marketplace",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeReservedInstancesModifications.html",
      "name": "DescribeReservedInstancesModifications",
      "description": "Grants permission to describe the modifications made to one or more Reserved Instances",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeReservedInstancesOfferings.html",
      "name": "DescribeReservedInstancesOfferings",
      "description": "Grants permission to describe the Reserved Instance offerings that are available for purchase",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeRouteServerEndpoints.html",
      "name": "DescribeRouteServerEndpoints",
      "description": "Grants permission to describe one or more route server endpoints",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeRouteServerPeers.html",
      "name": "DescribeRouteServerPeers",
      "description": "Grants permission to describe one or more route server peers",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeRouteServers.html",
      "name": "DescribeRouteServers",
      "description": "Grants permission to describe one or more route servers",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeRouteTables.html",
      "name": "DescribeRouteTables",
      "description": "Grants permission to describe one or more route tables",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeScheduledInstanceAvailability.html",
      "name": "DescribeScheduledInstanceAvailability",
      "description": "Grants permission to find available schedules for Scheduled Instances",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeScheduledInstances.html",
      "name": "DescribeScheduledInstances",
      "description": "Grants permission to describe one or more Scheduled Instances in your account",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecondaryInterfaces.html",
      "name": "DescribeSecondaryInterfaces",
      "description": "Grants permission to describe one or more secondary interfaces",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecondaryNetworks.html",
      "name": "DescribeSecondaryNetworks",
      "description": "Grants permission to describe one or more secondary networks",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecondarySubnets.html",
      "name": "DescribeSecondarySubnets",
      "description": "Grants permission to describe one or more secondary subnets",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroupReferences.html",
      "name": "DescribeSecurityGroupReferences",
      "description": "Grants permission to describe the VPCs on the other side of a VPC peering connection that are referencing specified VPC security groups",
      "access": "List",
      "resources": [
        {
          "name": "security-group",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SecurityGroupID",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroupRules.html",
      "name": "DescribeSecurityGroupRules",
      "description": "Grants permission to describe one or more of your security group rules",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroupVpcAssociations.html",
      "name": "DescribeSecurityGroupVpcAssociations",
      "description": "Grants permission to describe security group VPC associations",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html",
      "name": "DescribeSecurityGroups",
      "description": "Grants permission to describe one or more security groups",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeServiceLinkVirtualInterfaces.html",
      "name": "DescribeServiceLinkVirtualInterfaces",
      "description": "Grants permission to describe service link virtual interfaces",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSnapshotAttribute.html",
      "name": "DescribeSnapshotAttribute",
      "description": "Grants permission to describe an attribute of a snapshot",
      "access": "List",
      "resources": [
        {
          "name": "snapshot",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Encrypted",
        "ec2:OutpostArn",
        "ec2:Owner",
        "ec2:ParentVolume",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SnapshotID",
        "ec2:SnapshotTime",
        "ec2:SourceOutpostArn",
        "ec2:VolumeSize",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSnapshotTierStatus.html",
      "name": "DescribeSnapshotTierStatus",
      "description": "Grants permission to describe the storage tier status for Amazon EBS snapshots",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSnapshots.html",
      "name": "DescribeSnapshots",
      "description": "Grants permission to describe one or more EBS snapshots",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSpotDatafeedSubscription.html",
      "name": "DescribeSpotDatafeedSubscription",
      "description": "Grants permission to describe the data feed for Spot Instances",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSpotFleetInstances.html",
      "name": "DescribeSpotFleetInstances",
      "description": "Grants permission to describe the running instances for a Spot Fleet",
      "access": "List",
      "resources": [
        {
          "name": "spot-fleet-request",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSpotFleetRequestHistory.html",
      "name": "DescribeSpotFleetRequestHistory",
      "description": "Grants permission to describe the events for a Spot Fleet request during a specified time",
      "access": "List",
      "resources": [
        {
          "name": "spot-fleet-request",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSpotFleetRequests.html",
      "name": "DescribeSpotFleetRequests",
      "description": "Grants permission to describe one or more Spot Fleet requests",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSpotInstanceRequests.html",
      "name": "DescribeSpotInstanceRequests",
      "description": "Grants permission to describe one or more Spot Instance requests",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSpotPriceHistory.html",
      "name": "DescribeSpotPriceHistory",
      "description": "Grants permission to describe the Spot Instance price history",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeStaleSecurityGroups.html",
      "name": "DescribeStaleSecurityGroups",
      "description": "Grants permission to describe the stale security group rules for security groups in a specified VPC",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeStoreImageTasks.html",
      "name": "DescribeStoreImageTasks",
      "description": "Grants permission to describe the progress of the AMI store tasks",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSubnets.html",
      "name": "DescribeSubnets",
      "description": "Grants permission to describe one or more subnets",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeTags.html",
      "name": "DescribeTags",
      "description": "Grants permission to describe one or more tags for an Amazon EC2 resource",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeTrafficMirrorFilterRules.html",
      "name": "DescribeTrafficMirrorFilterRules",
      "description": "Grants permission to describe traffic mirror filters that determine the traffic that is mirrored",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeTrafficMirrorFilters.html",
      "name": "DescribeTrafficMirrorFilters",
      "description": "Grants permission to describe one or more traffic mirror filters",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeTrafficMirrorSessions.html",
      "name": "DescribeTrafficMirrorSessions",
      "description": "Grants permission to describe one or more traffic mirror sessions",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeTrafficMirrorTargets.html",
      "name": "DescribeTrafficMirrorTargets",
      "description": "Grants permission to describe one or more traffic mirror targets",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeTransitGatewayAttachments.html",
      "name": "DescribeTransitGatewayAttachments",
      "description": "Grants permission to describe one or more attachments between resources and transit gateways",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeTransitGatewayConnectPeers.html",
      "name": "DescribeTransitGatewayConnectPeers",
      "description": "Grants permission to describe one or more transit gateway connect peers",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeTransitGatewayConnects.html",
      "name": "DescribeTransitGatewayConnects",
      "description": "Grants permission to describe one or more transit gateway connect attachments",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeTransitGatewayMeteringPolicies.html",
      "name": "DescribeTransitGatewayMeteringPolicies",
      "description": "Grants permission to describe one or more transit gateway metering policies",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeTransitGatewayMulticastDomains.html",
      "name": "DescribeTransitGatewayMulticastDomains",
      "description": "Grants permission to describe one or more transit gateway multicast domains",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeTransitGatewayPeeringAttachments.html",
      "name": "DescribeTransitGatewayPeeringAttachments",
      "description": "Grants permission to describe one or more transit gateway peering attachments",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeTransitGatewayPolicyTables.html",
      "name": "DescribeTransitGatewayPolicyTables",
      "description": "Grants permission to describe a transit gateway policy table",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeTransitGatewayRouteTableAnnouncements.html",
      "name": "DescribeTransitGatewayRouteTableAnnouncements",
      "description": "Grants permission to describe a transit gateway route table announcement",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeTransitGatewayRouteTables.html",
      "name": "DescribeTransitGatewayRouteTables",
      "description": "Grants permission to describe one or more transit gateway route tables",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeTransitGatewayVpcAttachments.html",
      "name": "DescribeTransitGatewayVpcAttachments",
      "description": "Grants permission to describe one or more VPC attachments on a transit gateway",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeTransitGateways.html",
      "name": "DescribeTransitGateways",
      "description": "Grants permission to describe one or more transit gateways",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeTrunkInterfaceAssociations.html",
      "name": "DescribeTrunkInterfaceAssociations",
      "description": "Grants permission to describe one or more network interface trunk associations",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVerifiedAccessEndpoints.html",
      "name": "DescribeVerifiedAccessEndpoints",
      "description": "Grants permission to describe the specified Verified Access endpoints or all Verified Access endpoints",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVerifiedAccessGroups.html",
      "name": "DescribeVerifiedAccessGroups",
      "description": "Grants permission to describe the specified Verified Access groups or all Verified Access groups",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVerifiedAccessInstanceLoggingConfigurations.html",
      "name": "DescribeVerifiedAccessInstanceLoggingConfigurations",
      "description": "Grants permission to describe the current logging configuration for the Verified Access instances",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/verified-access/latest/ug/waf-integration.html",
      "name": "DescribeVerifiedAccessInstanceWebAclAssociations",
      "description": "Grants permission to describe the AWS Web Application Firewall (WAF) web access control list (ACL) associations for a Verified Access instance",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVerifiedAccessInstances.html",
      "name": "DescribeVerifiedAccessInstances",
      "description": "Grants permission to describe the specified Verified Access instances or all Verified Access instances",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVerifiedAccessTrustProviders.html",
      "name": "DescribeVerifiedAccessTrustProviders",
      "description": "Grants permission to describe details of existing Verified Access trust providers",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVolumeAttribute.html",
      "name": "DescribeVolumeAttribute",
      "description": "Grants permission to describe an attribute of an EBS volume",
      "access": "List",
      "resources": [
        {
          "name": "volume",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:Encrypted",
        "ec2:ManagedResourceOperator",
        "ec2:ParentSnapshot",
        "ec2:ParentVolume",
        "ec2:ResourceTag/${TagKey}",
        "ec2:VolumeID",
        "ec2:VolumeInitializationRate",
        "ec2:VolumeIops",
        "ec2:VolumeSize",
        "ec2:VolumeThroughput",
        "ec2:VolumeType",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVolumeStatus.html",
      "name": "DescribeVolumeStatus",
      "description": "Grants permission to describe the status of one or more EBS volumes",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVolumes.html",
      "name": "DescribeVolumes",
      "description": "Grants permission to describe one or more EBS volumes",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVolumesModifications.html",
      "name": "DescribeVolumesModifications",
      "description": "Grants permission to describe the current modification status of one or more EBS volumes",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVpcAttribute.html",
      "name": "DescribeVpcAttribute",
      "description": "Grants permission to describe an attribute of a VPC",
      "access": "List",
      "resources": [
        {
          "name": "vpc",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVpcBlockPublicAccessExclusions.html",
      "name": "DescribeVpcBlockPublicAccessExclusions",
      "description": "Grants permission to describe an exclusion list for blocked public access on a VPC",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVpcBlockPublicAccessOptions.html",
      "name": "DescribeVpcBlockPublicAccessOptions",
      "description": "Grants permission to describe options for blocked public access on a VPC",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVpcClassicLink.html",
      "name": "DescribeVpcClassicLink",
      "description": "Grants permission to describe the ClassicLink status of one or more VPCs",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVpcClassicLinkDnsSupport.html",
      "name": "DescribeVpcClassicLinkDnsSupport",
      "description": "Grants permission to describe the ClassicLink DNS support status of one or more VPCs",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVpcEncryptionControls.html",
      "name": "DescribeVpcEncryptionControls",
      "description": "Grants permission to describe one or more VPC Encryption Controls",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVpcEndpointAssociations.html",
      "name": "DescribeVpcEndpointAssociations",
      "description": "Grants permission to describe the VPC endpoint associations",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVpcEndpointConnectionNotifications.html",
      "name": "DescribeVpcEndpointConnectionNotifications",
      "description": "Grants permission to describe the connection notifications for VPC endpoints and VPC endpoint services",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVpcEndpointConnections.html",
      "name": "DescribeVpcEndpointConnections",
      "description": "Grants permission to describe the VPC endpoint connections to your VPC endpoint services",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVpcEndpointServiceConfigurations.html",
      "name": "DescribeVpcEndpointServiceConfigurations",
      "description": "Grants permission to describe VPC endpoint service configurations (your services)",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVpcEndpointServicePermissions.html",
      "name": "DescribeVpcEndpointServicePermissions",
      "description": "Grants permission to describe the principals (service consumers) that are permitted to discover your VPC endpoint service",
      "access": "List",
      "resources": [
        {
          "name": "vpc-endpoint-service",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:VpceMultiRegion",
        "ec2:VpceSupportedRegion",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVpcEndpointServices.html",
      "name": "DescribeVpcEndpointServices",
      "description": "Grants permission to describe all supported AWS services that can be specified when creating a VPC endpoint",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVpcEndpoints.html",
      "name": "DescribeVpcEndpoints",
      "description": "Grants permission to describe one or more VPC endpoints",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVpcPeeringConnections.html",
      "name": "DescribeVpcPeeringConnections",
      "description": "Grants permission to describe one or more VPC peering connections",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVpcs.html",
      "name": "DescribeVpcs",
      "description": "Grants permission to describe one or more VPCs",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVpnConcentrators.html",
      "name": "DescribeVpnConcentrators",
      "description": "Grants permission to describe one or more VPN concentrators",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVpnConnections.html",
      "name": "DescribeVpnConnections",
      "description": "Grants permission to describe one or more VPN connections",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVpnGateways.html",
      "name": "DescribeVpnGateways",
      "description": "Grants permission to describe one or more virtual private gateways",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DetachApplianceFromNatGateway.html",
      "name": "DetachApplianceFromNatGateway",
      "description": "Grants permission to detach an appliance from a public/private NAT gateway",
      "access": "Permissions management",
      "resources": [
        {
          "name": "natgateway",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DetachClassicLinkVpc.html",
      "name": "DetachClassicLinkVpc",
      "description": "Grants permission to unlink (detach) a linked EC2-Classic instance from a VPC",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        },
        {
          "name": "vpc",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:PlacementGroup",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DetachInternetGateway.html",
      "name": "DetachInternetGateway",
      "description": "Grants permission to detach an internet gateway from a VPC",
      "access": "Write",
      "resources": [
        {
          "name": "internet-gateway",
          "is_required": true
        },
        {
          "name": "vpc",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:InternetGatewayID",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DetachNetworkInterface.html",
      "name": "DetachNetworkInterface",
      "description": "Grants permission to detach a network interface from an instance",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        },
        {
          "name": "network-interface",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:NetworkInterfaceID",
        "ec2:Subnet",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/UserGuide/placement-groups.html",
      "name": "DetachResourcesFromPlacementGroup",
      "description": "Grants permission to detach resources from a placement group",
      "access": "Permissions management",
      "resources": [
        {
          "name": "placement-group",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:PlacementGroupName",
        "ec2:PlacementGroupStrategy",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DetachVerifiedAccessTrustProvider.html",
      "name": "DetachVerifiedAccessTrustProvider",
      "description": "Grants permission to detach a trust provider from a Verified Access instance",
      "access": "Write",
      "resources": [
        {
          "name": "verified-access-instance",
          "is_required": true
        },
        {
          "name": "verified-access-trust-provider",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DetachVolume.html",
      "name": "DetachVolume",
      "description": "Grants permission to detach an EBS volume from an instance",
      "access": "Write",
      "resources": [
        {
          "name": "volume",
          "is_required": true
        },
        {
          "name": "instance",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:Encrypted",
        "ec2:ManagedResourceOperator",
        "ec2:ParentSnapshot",
        "ec2:ParentVolume",
        "ec2:ResourceTag/${TagKey}",
        "ec2:VolumeID",
        "ec2:VolumeInitializationRate",
        "ec2:VolumeIops",
        "ec2:VolumeSize",
        "ec2:VolumeThroughput",
        "ec2:VolumeType",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DetachVpnGateway.html",
      "name": "DetachVpnGateway",
      "description": "Grants permission to detach a virtual private gateway from a VPC",
      "access": "Write",
      "resources": [
        {
          "name": "vpc",
          "is_required": true
        },
        {
          "name": "vpn-gateway",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableAddressTransfer.html",
      "name": "DisableAddressTransfer",
      "description": "Grants permission to disable Elastic IP address transfer",
      "access": "Write",
      "resources": [
        {
          "name": "elastic-ip",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AllocationId",
        "ec2:Domain",
        "ec2:PublicIpAddress",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableAllowedImagesSettings.html",
      "name": "DisableAllowedImagesSettings",
      "description": "Grants permission to disable allowed images settings",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableAwsNetworkPerformanceMetricSubscription.html",
      "name": "DisableAwsNetworkPerformanceMetricSubscription",
      "description": "Grants permission to disable infrastructure performance metric subscriptions",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableCapacityManager.html",
      "name": "DisableCapacityManager",
      "description": "Grants permission to disable EC2 Capacity Manager for your account",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html",
      "name": "DisableEbsEncryptionByDefault",
      "description": "Grants permission to disable EBS encryption by default for your account",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableFastLaunch.html",
      "name": "DisableFastLaunch",
      "description": "Grants permission to disable faster launching for Windows AMIs",
      "access": "Write",
      "resources": [
        {
          "name": "image",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ImageID",
        "ec2:ImageType",
        "ec2:Owner",
        "ec2:Public",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableFastSnapshotRestores.html",
      "name": "DisableFastSnapshotRestores",
      "description": "Grants permission to disable fast snapshot restores for one or more snapshots in specified Availability Zones",
      "access": "Write",
      "resources": [
        {
          "name": "snapshot",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:Encrypted",
        "ec2:Owner",
        "ec2:ParentVolume",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SnapshotID",
        "ec2:SnapshotTime",
        "ec2:VolumeSize",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableImage.html",
      "name": "DisableImage",
      "description": "Grants permission to disable an AMI",
      "access": "Write",
      "resources": [
        {
          "name": "image",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ImageID",
        "ec2:ImageType",
        "ec2:Owner",
        "ec2:Public",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableImageBlockPublicAccess.html",
      "name": "DisableImageBlockPublicAccess",
      "description": "Grants permission to disable block public access for AMIs at the account level in the specified AWS Region",
      "access": "Permissions management",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableImageDeprecation.html",
      "name": "DisableImageDeprecation",
      "description": "Grants permission to cancel the deprecation of the specified AMI",
      "access": "Write",
      "resources": [
        {
          "name": "image",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ImageID",
        "ec2:ImageType",
        "ec2:Owner",
        "ec2:Public",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableImageDeregistrationProtection.html",
      "name": "DisableImageDeregistrationProtection",
      "description": "Grants permission to disable deregistration protection for an AMI. When deregistration protection is disabled, the AMI can be deregistered",
      "access": "Write",
      "resources": [
        {
          "name": "image",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ImageID",
        "ec2:ImageType",
        "ec2:Owner",
        "ec2:Public",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableInstanceSqlHaStandbyDetections.html",
      "name": "DisableInstanceSqlHaStandbyDetections",
      "description": "Grants permission to disable EC2 instance SQL HA standby detections",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableIpamOrganizationAdminAccount.html",
      "name": "DisableIpamOrganizationAdminAccount",
      "description": "Grants permission to disable an AWS Organizations member account as an Amazon VPC IP Address Manager (IPAM) admin account",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": [
        "organizations:DeregisterDelegatedAdministrator"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableIpamPolicy.html",
      "name": "DisableIpamPolicy",
      "description": "Grants permission to disable a policy in Amazon VPC IP Address Manager (IPAM) that controls public IPv4 address allocation",
      "access": "Write",
      "resources": [
        {
          "name": "ipam-policy",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableRouteServerPropagation.html",
      "name": "DisableRouteServerPropagation",
      "description": "Grants permission to disable route server propagation",
      "access": "Write",
      "resources": [
        {
          "name": "route-server",
          "is_required": true
        },
        {
          "name": "route-table",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RouteTableID",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableSerialConsoleAccess.html",
      "name": "DisableSerialConsoleAccess",
      "description": "Grants permission to disable access to the EC2 serial console of all instances for your account",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableSnapshotBlockPublicAccess.html",
      "name": "DisableSnapshotBlockPublicAccess",
      "description": "Grants permission to disable the 'block public access for snapshots' setting for a Region",
      "access": "Permissions management",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableTransitGatewayRouteTablePropagation.html",
      "name": "DisableTransitGatewayRouteTablePropagation",
      "description": "Grants permission to disable a resource attachment from propagating routes to the specified propagation route table",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway-route-table",
          "is_required": true
        },
        {
          "name": "transit-gateway-attachment",
          "is_required": false
        },
        {
          "name": "transit-gateway-route-table-announcement",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayRouteTableId",
        "ec2:transitGatewayAttachmentId",
        "ec2:transitGatewayRouteTableAnnouncementId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableVgwRoutePropagation.html",
      "name": "DisableVgwRoutePropagation",
      "description": "Grants permission to disable a virtual private gateway from propagating routes to a specified route table of a VPC",
      "access": "Write",
      "resources": [
        {
          "name": "route-table",
          "is_required": true
        },
        {
          "name": "vpn-gateway",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RouteTableID",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableVpcClassicLink.html",
      "name": "DisableVpcClassicLink",
      "description": "Grants permission to disable ClassicLink for a VPC",
      "access": "Write",
      "resources": [
        {
          "name": "vpc",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableVpcClassicLinkDnsSupport.html",
      "name": "DisableVpcClassicLinkDnsSupport",
      "description": "Grants permission to disable ClassicLink DNS support for a VPC",
      "access": "Write",
      "resources": [
        {
          "name": "vpc",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateAddress.html",
      "name": "DisassociateAddress",
      "description": "Grants permission to disassociate an Elastic IP address from an instance or network interface",
      "access": "Write",
      "resources": [
        {
          "name": "elastic-ip",
          "is_required": false
        },
        {
          "name": "network-interface",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AllocationId",
        "ec2:Domain",
        "ec2:PublicIpAddress",
        "ec2:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:ManagedResourceOperator",
        "ec2:NetworkInterfaceID",
        "ec2:Subnet",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateCapacityReservationBillingOwner.html",
      "name": "DisassociateCapacityReservationBillingOwner",
      "description": "Grants permission to cancel a pending request to assign billing of the unused capacity of a Capacity Reservation to a consumer account",
      "access": "Write",
      "resources": [
        {
          "name": "capacity-reservation",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:CapacityReservationFleet",
        "ec2:CreateDate",
        "ec2:DestinationCapacityReservationId",
        "ec2:EbsOptimized",
        "ec2:EndDate",
        "ec2:EndDateType",
        "ec2:InstanceCount",
        "ec2:InstanceMatchCriteria",
        "ec2:InstancePlatform",
        "ec2:InstanceType",
        "ec2:OutpostArn",
        "ec2:PlacementGroup",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SourceCapacityReservationId",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateClientVpnTargetNetwork.html",
      "name": "DisassociateClientVpnTargetNetwork",
      "description": "Grants permission to disassociate a target network from a Client VPN endpoint",
      "access": "Write",
      "resources": [
        {
          "name": "client-vpn-endpoint",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ClientRootCertificateChainArn",
        "ec2:CloudwatchLogGroupArn",
        "ec2:CloudwatchLogStreamArn",
        "ec2:DirectoryArn",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SamlProviderArn",
        "ec2:ServerCertificateArn",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateEnclaveCertificateIamRole.html",
      "name": "DisassociateEnclaveCertificateIamRole",
      "description": "Grants permission to disassociate an ACM certificate from a IAM role",
      "access": "Write",
      "resources": [
        {
          "name": "certificate",
          "is_required": true
        },
        {
          "name": "role",
          "is_required": true
        }
      ],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateIamInstanceProfile.html",
      "name": "DisassociateIamInstanceProfile",
      "description": "Grants permission to disassociate an IAM instance profile from a running or stopped instance",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateInstanceEventWindow.html",
      "name": "DisassociateInstanceEventWindow",
      "description": "Grants permission to disassociate one or more targets from an event window",
      "access": "Write",
      "resources": [
        {
          "name": "instance-event-window",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateIpamByoasn.html",
      "name": "DisassociateIpamByoasn",
      "description": "Grants permission to disassociate an Autonomous System Number (ASN) from a BYOIP CIDR",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateIpamResourceDiscovery.html",
      "name": "DisassociateIpamResourceDiscovery",
      "description": "Grants permission to disassociate a resource discovery from an Amazon VPC IPAM",
      "access": "Write",
      "resources": [
        {
          "name": "ipam-resource-discovery-association",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateNatGatewayAddress.html",
      "name": "DisassociateNatGatewayAddress",
      "description": "Grants permission to disassociate a secondary Elastic IP address from a public NAT gateway",
      "access": "Write",
      "resources": [
        {
          "name": "elastic-ip",
          "is_required": true
        },
        {
          "name": "natgateway",
          "is_required": true
        },
        {
          "name": "network-interface",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AllocationId",
        "ec2:Domain",
        "ec2:PublicIpAddress",
        "ec2:ResourceTag/${TagKey}",
        "ec2:AuthorizedUser",
        "ec2:AvailabilityZone",
        "ec2:ManagedResourceOperator",
        "ec2:NetworkInterfaceID",
        "ec2:Permission",
        "ec2:Subnet",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteServer.html",
      "name": "DisassociateRouteServer",
      "description": "Grants permission to disassociate a route server from a VPC",
      "access": "Write",
      "resources": [
        {
          "name": "route-server",
          "is_required": true
        },
        {
          "name": "vpc",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Ipv4IpamPoolId",
        "ec2:Ipv6IpamPoolId",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html",
      "name": "DisassociateRouteTable",
      "description": "Grants permission to disassociate a subnet from a route table",
      "access": "Write",
      "resources": [
        {
          "name": "internet-gateway",
          "is_required": false
        },
        {
          "name": "ipv4pool-ec2",
          "is_required": false
        },
        {
          "name": "ipv6pool-ec2",
          "is_required": false
        },
        {
          "name": "route-table",
          "is_required": false
        },
        {
          "name": "subnet",
          "is_required": false
        },
        {
          "name": "vpn-gateway",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:InternetGatewayID",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RouteTableID",
        "ec2:Vpc",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:SubnetID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateSecurityGroupVpc.html",
      "name": "DisassociateSecurityGroupVpc",
      "description": "Grants permission to disassociate a security group from a VPC",
      "access": "Write",
      "resources": [
        {
          "name": "security-group",
          "is_required": true
        },
        {
          "name": "vpc",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SecurityGroupID",
        "ec2:Vpc",
        "ec2:Ipv4IpamPoolId",
        "ec2:Ipv6IpamPoolId",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateSubnetCidrBlock.html",
      "name": "DisassociateSubnetCidrBlock",
      "description": "Grants permission to disassociate a CIDR block from a subnet",
      "access": "Write",
      "resources": [
        {
          "name": "subnet",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SubnetID",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateTransitGatewayMulticastDomain.html",
      "name": "DisassociateTransitGatewayMulticastDomain",
      "description": "Grants permission to disassociate one or more subnets from a transit gateway multicast domain",
      "access": "Write",
      "resources": [
        {
          "name": "subnet",
          "is_required": true
        },
        {
          "name": "transit-gateway-attachment",
          "is_required": true
        },
        {
          "name": "transit-gateway-multicast-domain",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SubnetID",
        "ec2:Vpc",
        "ec2:transitGatewayAttachmentId",
        "ec2:transitGatewayMulticastDomainId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateTransitGatewayPolicyTable.html",
      "name": "DisassociateTransitGatewayPolicyTable",
      "description": "Grants permission to disassociate a policy table from a transit gateway",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway-attachment",
          "is_required": true
        },
        {
          "name": "transit-gateway-policy-table",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayAttachmentId",
        "ec2:transitGatewayPolicyTableId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateTransitGatewayRouteTable.html",
      "name": "DisassociateTransitGatewayRouteTable",
      "description": "Grants permission to disassociate a resource attachment from a transit gateway route table",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway-attachment",
          "is_required": true
        },
        {
          "name": "transit-gateway-route-table",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayAttachmentId",
        "ec2:transitGatewayRouteTableId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateTrunkInterface.html",
      "name": "DisassociateTrunkInterface",
      "description": "Grants permission to disassociate a branch network interface to a trunk network interface",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/verified-access/latest/ug/waf-integration.html",
      "name": "DisassociateVerifiedAccessInstanceWebAcl",
      "description": "Grants permission to disassociate an AWS Web Application Firewall (WAF) web access control list (ACL) from a Verified Access instance",
      "access": "Write",
      "resources": [
        {
          "name": "verified-access-instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateVpcCidrBlock.html",
      "name": "DisassociateVpcCidrBlock",
      "description": "Grants permission to disassociate a CIDR block from a VPC",
      "access": "Write",
      "resources": [
        {
          "name": "vpc",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EnableAddressTransfer.html",
      "name": "EnableAddressTransfer",
      "description": "Grants permission to enable Elastic IP address transfer",
      "access": "Write",
      "resources": [
        {
          "name": "elastic-ip",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AllocationId",
        "ec2:Domain",
        "ec2:PublicIpAddress",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EnableAllowedImagesSettings.html",
      "name": "EnableAllowedImagesSettings",
      "description": "Grants permission to enable allowed images settings",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EnableAwsNetworkPerformanceMetricSubscription.html",
      "name": "EnableAwsNetworkPerformanceMetricSubscription",
      "description": "Grants permission to enable infrastructure performance subscriptions",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EnableCapacityManager.html",
      "name": "EnableCapacityManager",
      "description": "Grants permission to enable EC2 Capacity Manager for your account",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EnableEbsEncryptionByDefault.html",
      "name": "EnableEbsEncryptionByDefault",
      "description": "Grants permission to enable EBS encryption by default for your account",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EnableFastLaunch.html",
      "name": "EnableFastLaunch",
      "description": "Grants permission to enable faster launching for Windows AMIs",
      "access": "Write",
      "resources": [
        {
          "name": "image",
          "is_required": true
        },
        {
          "name": "launch-template",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ImageID",
        "ec2:ImageType",
        "ec2:Owner",
        "ec2:Public",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:ManagedResourceOperator",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateLaunchTemplate",
        "ec2:CreateSnapshot",
        "ec2:CreateTags",
        "ec2:DeleteSnapshot",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstanceTypeOfferings",
        "ec2:DescribeInstances",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeSnapshots",
        "ec2:DescribeSubnets",
        "ec2:RunInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "iam:PassRole"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EnableFastSnapshotRestores.html",
      "name": "EnableFastSnapshotRestores",
      "description": "Grants permission to enable fast snapshot restores for one or more snapshots in specified Availability Zones",
      "access": "Write",
      "resources": [
        {
          "name": "snapshot",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:Encrypted",
        "ec2:Owner",
        "ec2:ParentVolume",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SnapshotID",
        "ec2:SnapshotTime",
        "ec2:VolumeSize",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EnableImage.html",
      "name": "EnableImage",
      "description": "Grants permission to re-enable a disabled AMI",
      "access": "Write",
      "resources": [
        {
          "name": "image",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ImageID",
        "ec2:ImageType",
        "ec2:Owner",
        "ec2:Public",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EnableImageBlockPublicAccess.html",
      "name": "EnableImageBlockPublicAccess",
      "description": "Grants permission to enable block public access for AMIs at the account level in the specified AWS Region",
      "access": "Permissions management",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EnableImageDeprecation.html",
      "name": "EnableImageDeprecation",
      "description": "Grants permission to enable deprecation of the specified AMI at the specified date and time",
      "access": "Write",
      "resources": [
        {
          "name": "image",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ImageID",
        "ec2:ImageType",
        "ec2:Owner",
        "ec2:Public",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EnableImageDeregistrationProtection.html",
      "name": "EnableImageDeregistrationProtection",
      "description": "Grants permission to enable deregistration protection for an AMI. When deregistration protection is enabled, the AMI can't be deregistered",
      "access": "Write",
      "resources": [
        {
          "name": "image",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ImageID",
        "ec2:ImageType",
        "ec2:Owner",
        "ec2:Public",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EnableInstanceSqlHaStandbyDetections.html",
      "name": "EnableInstanceSqlHaStandbyDetections",
      "description": "Grants permission to enable EC2 instance SQL HA standby detections",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EnableIpamOrganizationAdminAccount.html",
      "name": "EnableIpamOrganizationAdminAccount",
      "description": "Grants permission to enable an AWS Organizations member account as an Amazon VPC IP Address Manager (IPAM) admin account",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": [
        "iam:CreateServiceLinkedRole",
        "organizations:EnableAWSServiceAccess",
        "organizations:RegisterDelegatedAdministrator"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EnableIpamPolicy.html",
      "name": "EnableIpamPolicy",
      "description": "Grants permission to enable an Amazon VPC IP Address Manager (IPAM) policy",
      "access": "Write",
      "resources": [
        {
          "name": "ipam-policy",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EnableReachabilityAnalyzerOrganizationSharing.html",
      "name": "EnableReachabilityAnalyzerOrganizationSharing",
      "description": "Grants permission to enable organization sharing of reachability analyzer",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": [
        "iam:CreateServiceLinkedRole",
        "organizations:EnableAWSServiceAccess"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EnableRouteServerPropagation.html",
      "name": "EnableRouteServerPropagation",
      "description": "Grants permission to enable route server propagation",
      "access": "Write",
      "resources": [
        {
          "name": "route-server",
          "is_required": true
        },
        {
          "name": "route-table",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RouteTableID",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EnableSerialConsoleAccess.html",
      "name": "EnableSerialConsoleAccess",
      "description": "Grants permission to enable access to the EC2 serial console of all instances for your account",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EnableSnapshotBlockPublicAccess.html",
      "name": "EnableSnapshotBlockPublicAccess",
      "description": "Grants permission to enable or modify the block public access for snapshots setting for a Region",
      "access": "Permissions management",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EnableTransitGatewayRouteTablePropagation.html",
      "name": "EnableTransitGatewayRouteTablePropagation",
      "description": "Grants permission to enable an attachment to propagate routes to a propagation route table",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway-route-table",
          "is_required": true
        },
        {
          "name": "transit-gateway-attachment",
          "is_required": false
        },
        {
          "name": "transit-gateway-route-table-announcement",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayRouteTableId",
        "ec2:transitGatewayAttachmentId",
        "ec2:transitGatewayRouteTableAnnouncementId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EnableVgwRoutePropagation.html",
      "name": "EnableVgwRoutePropagation",
      "description": "Grants permission to enable a virtual private gateway to propagate routes to a VPC route table",
      "access": "Write",
      "resources": [
        {
          "name": "route-table",
          "is_required": true
        },
        {
          "name": "vpn-gateway",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RouteTableID",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EnableVolumeIO.html",
      "name": "EnableVolumeIO",
      "description": "Grants permission to enable I/O operations for a volume that had I/O operations disabled",
      "access": "Write",
      "resources": [
        {
          "name": "volume",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:Encrypted",
        "ec2:ManagedResourceOperator",
        "ec2:ParentSnapshot",
        "ec2:ResourceTag/${TagKey}",
        "ec2:VolumeID",
        "ec2:VolumeIops",
        "ec2:VolumeSize",
        "ec2:VolumeThroughput",
        "ec2:VolumeType",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EnableVpcClassicLink.html",
      "name": "EnableVpcClassicLink",
      "description": "Grants permission to enable a VPC for ClassicLink",
      "access": "Write",
      "resources": [
        {
          "name": "vpc",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EnableVpcClassicLinkDnsSupport.html",
      "name": "EnableVpcClassicLinkDnsSupport",
      "description": "Grants permission to enable a VPC to support DNS hostname resolution for ClassicLink",
      "access": "Write",
      "resources": [
        {
          "name": "vpc",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ExportClientVpnClientCertificateRevocationList.html",
      "name": "ExportClientVpnClientCertificateRevocationList",
      "description": "Grants permission to download the client certificate revocation list for a Client VPN endpoint",
      "access": "Read",
      "resources": [
        {
          "name": "client-vpn-endpoint",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ClientRootCertificateChainArn",
        "ec2:CloudwatchLogGroupArn",
        "ec2:CloudwatchLogStreamArn",
        "ec2:DirectoryArn",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SamlProviderArn",
        "ec2:ServerCertificateArn",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ExportClientVpnClientConfiguration.html",
      "name": "ExportClientVpnClientConfiguration",
      "description": "Grants permission to download the contents of the Client VPN endpoint configuration file for a Client VPN endpoint",
      "access": "Read",
      "resources": [
        {
          "name": "client-vpn-endpoint",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ClientRootCertificateChainArn",
        "ec2:CloudwatchLogGroupArn",
        "ec2:CloudwatchLogStreamArn",
        "ec2:DirectoryArn",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SamlProviderArn",
        "ec2:ServerCertificateArn",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ExportImage.html",
      "name": "ExportImage",
      "description": "Grants permission to export an Amazon Machine Image (AMI) to a VM file",
      "access": "Write",
      "resources": [
        {
          "name": "export-image-task",
          "is_required": true
        },
        {
          "name": "image",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "aws:ResourceTag/${TagKey}",
        "ec2:ImageID",
        "ec2:ImageType",
        "ec2:Owner",
        "ec2:Public",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ExportTransitGatewayRoutes.html",
      "name": "ExportTransitGatewayRoutes",
      "description": "Grants permission to export routes from a transit gateway route table to an Amazon S3 bucket",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ExportVerifiedAccessInstanceClientConfiguration.html",
      "name": "ExportVerifiedAccessInstanceClientConfiguration",
      "description": "Grants permission to export a verified access instance client configuration",
      "access": "Read",
      "resources": [
        {
          "name": "verified-access-instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetActiveVpnTunnelStatus.html",
      "name": "GetActiveVpnTunnelStatus",
      "description": "Grants permission to retrieve the current security parameters for an active VPN tunnel",
      "access": "Read",
      "resources": [
        {
          "name": "vpn-connection",
          "is_required": true
        }
      ],
      "conditions": [
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetAllowedImagesSettings.html",
      "name": "GetAllowedImagesSettings",
      "description": "Grants permission to get the allowed settings for images",
      "access": "Read",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetAssociatedEnclaveCertificateIamRoles.html",
      "name": "GetAssociatedEnclaveCertificateIamRoles",
      "description": "Grants permission to get the list of roles associated with an ACM certificate",
      "access": "Read",
      "resources": [
        {
          "name": "certificate",
          "is_required": true
        }
      ],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetAssociatedIpv6PoolCidrs.html",
      "name": "GetAssociatedIpv6PoolCidrs",
      "description": "Grants permission to get information about the IPv6 CIDR block associations for a specified IPv6 address pool",
      "access": "Read",
      "resources": [
        {
          "name": "ipv6pool-ec2",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetAwsNetworkPerformanceData.html",
      "name": "GetAwsNetworkPerformanceData",
      "description": "Grants permission to get network performance data",
      "access": "Read",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetCapacityManagerAttributes.html",
      "name": "GetCapacityManagerAttributes",
      "description": "Grants permission to retrieve the current configuration and status of EC2 Capacity Manager",
      "access": "Read",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetCapacityManagerMetricData.html",
      "name": "GetCapacityManagerMetricData",
      "description": "Grants permission to retrieve capacity usage metrics for your EC2 resources",
      "access": "Read",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetCapacityManagerMetricDimensions.html",
      "name": "GetCapacityManagerMetricDimensions",
      "description": "Grants permission to retrieve the available dimension values for capacity metrics within a specified time range",
      "access": "Read",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetCapacityReservationUsage.html",
      "name": "GetCapacityReservationUsage",
      "description": "Grants permission to get usage information about a Capacity Reservation",
      "access": "Read",
      "resources": [
        {
          "name": "capacity-reservation",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:CapacityReservationFleet",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetCoipPoolUsage.html",
      "name": "GetCoipPoolUsage",
      "description": "Grants permission to describe the allocations from the specified customer-owned address pool",
      "access": "Read",
      "resources": [
        {
          "name": "coip-pool",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetConsoleOutput.html",
      "name": "GetConsoleOutput",
      "description": "Grants permission to get the console output for an instance",
      "access": "Read",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetConsoleScreenshot.html",
      "name": "GetConsoleScreenshot",
      "description": "Grants permission to retrieve a JPG-format screenshot of a running instance",
      "access": "Read",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:NewInstanceProfile",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetDeclarativePoliciesReportSummary.html",
      "name": "GetDeclarativePoliciesReportSummary",
      "description": "Grants permission to get the report summary of declarative policies",
      "access": "Read",
      "resources": [
        {
          "name": "declarative-policies-report",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetDefaultCreditSpecification.html",
      "name": "GetDefaultCreditSpecification",
      "description": "Grants permission to get the default credit option for CPU usage of a burstable performance instance family",
      "access": "Read",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetEbsDefaultKmsKeyId.html",
      "name": "GetEbsDefaultKmsKeyId",
      "description": "Grants permission to get the ID of the default customer master key (CMK) for EBS encryption by default",
      "access": "Read",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetEbsEncryptionByDefault.html",
      "name": "GetEbsEncryptionByDefault",
      "description": "Grants permission to describe whether EBS encryption by default is enabled for your account",
      "access": "Read",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetEnabledIpamPolicy.html",
      "name": "GetEnabledIpamPolicy",
      "description": "Grants permission to describe the currently enabled policy in Amazon VPC IP Address Manager (IPAM)",
      "access": "Read",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetFlowLogsIntegrationTemplate.html",
      "name": "GetFlowLogsIntegrationTemplate",
      "description": "Grants permission to generate a CloudFormation template to streamline the integration of VPC flow logs with Amazon Athena",
      "access": "Read",
      "resources": [
        {
          "name": "vpc-flow-log",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetGroupsForCapacityReservation.html",
      "name": "GetGroupsForCapacityReservation",
      "description": "Grants permission to list the resource groups to which a Capacity Reservation has been added",
      "access": "List",
      "resources": [
        {
          "name": "capacity-reservation",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:CapacityReservationFleet",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetHostReservationPurchasePreview.html",
      "name": "GetHostReservationPurchasePreview",
      "description": "Grants permission to preview a reservation purchase with configurations that match those of a Dedicated Host",
      "access": "Read",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetImageAncestry.html",
      "name": "GetImageAncestry",
      "description": "Grants permission to retrieve the ancestry chain of an AMI back to its root AMI",
      "access": "Read",
      "resources": [
        {
          "name": "image",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ImageID",
        "ec2:ImageType",
        "ec2:Owner",
        "ec2:Public",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetImageBlockPublicAccessState.html",
      "name": "GetImageBlockPublicAccessState",
      "description": "Grants permission to get the current state of block public access for AMIs at the account level in the specified AWS Region",
      "access": "Read",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetInstanceMetadataDefaults.html",
      "name": "GetInstanceMetadataDefaults",
      "description": "Grants permission to view the default instance metadata service (IMDS) settings set for your account in the specified Region",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetInstanceTpmEkPub.html",
      "name": "GetInstanceTpmEkPub",
      "description": "Grants permission to get the public endorsement key associated with the Nitro Trusted Platform Module (NitroTPM) for the specified instance",
      "access": "Read",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetInstanceTypesFromInstanceRequirements.html",
      "name": "GetInstanceTypesFromInstanceRequirements",
      "description": "Grants permission to view a list of instance types with specified instance attributes",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetInstanceUefiData.html",
      "name": "GetInstanceUefiData",
      "description": "Grants permission to retrieve the binary representation of the UEFI variable store",
      "access": "Read",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:NewInstanceProfile",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetIpamAddressHistory.html",
      "name": "GetIpamAddressHistory",
      "description": "Grants permission to retrieve historical information about a CIDR within an Amazon VPC IP Address Manager (IPAM) scope",
      "access": "Read",
      "resources": [
        {
          "name": "ipam-scope",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetIpamDiscoveredAccounts.html",
      "name": "GetIpamDiscoveredAccounts",
      "description": "Grants permission to retrieve IPAM discovered accounts",
      "access": "Read",
      "resources": [
        {
          "name": "ipam-resource-discovery",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetIpamDiscoveredPublicAddresses.html",
      "name": "GetIpamDiscoveredPublicAddresses",
      "description": "Grants permission to retrieve the public IP addresses that have been discovered by IPAM",
      "access": "Read",
      "resources": [
        {
          "name": "ipam-resource-discovery",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetIpamDiscoveredResourceCidrs.html",
      "name": "GetIpamDiscoveredResourceCidrs",
      "description": "Grants permission to retrieve the resource CIDRs that are monitored as part of a resource discovery",
      "access": "Read",
      "resources": [
        {
          "name": "ipam-resource-discovery",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetIpamPolicyAllocationRules.html",
      "name": "GetIpamPolicyAllocationRules",
      "description": "Grants permission to describe the rules that define how Amazon VPC IP Address Manager (IPAM) pools allocate IP addresses to AWS resource types within an IPAM policy",
      "access": "List",
      "resources": [
        {
          "name": "ipam-policy",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetIpamPolicyOrganizationTargets.html",
      "name": "GetIpamPolicyOrganizationTargets",
      "description": "Grants permission to retrieve the AWS Organizations targets associated with an Amazon VPC IP Address Manager (IPAM) policy",
      "access": "List",
      "resources": [
        {
          "name": "ipam-policy",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetIpamPoolAllocations.html",
      "name": "GetIpamPoolAllocations",
      "description": "Grants permission to get a list of all the CIDR allocations in an Amazon VPC IP Address Manager (IPAM) pool",
      "access": "List",
      "resources": [
        {
          "name": "ipam-pool",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetIpamPoolCidrs.html",
      "name": "GetIpamPoolCidrs",
      "description": "Grants permission to get the CIDRs provisioned to an Amazon VPC IP Address Manager (IPAM) pool",
      "access": "Read",
      "resources": [
        {
          "name": "ipam-pool",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetIpamPrefixListResolverRules.html",
      "name": "GetIpamPrefixListResolverRules",
      "description": "Grants permission to get rules for an IPAM prefix list resolver",
      "access": "Read",
      "resources": [
        {
          "name": "ipam-prefix-list-resolver",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetIpamPrefixListResolverVersionEntries.html",
      "name": "GetIpamPrefixListResolverVersionEntries",
      "description": "Grants permission to get CIDR entries for a specific version of an IPAM prefix list resolver",
      "access": "Read",
      "resources": [
        {
          "name": "ipam-prefix-list-resolver",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetIpamPrefixListResolverVersions.html",
      "name": "GetIpamPrefixListResolverVersions",
      "description": "Grants permission to get versions of an IPAM prefix list resolver",
      "access": "Read",
      "resources": [
        {
          "name": "ipam-prefix-list-resolver",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetIpamResourceCidrs.html",
      "name": "GetIpamResourceCidrs",
      "description": "Grants permission to get information about the resources in an Amazon VPC IP Address Manager (IPAM) scope",
      "access": "Read",
      "resources": [
        {
          "name": "ipam-scope",
          "is_required": true
        },
        {
          "name": "ipam-pool",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetLaunchTemplateData.html",
      "name": "GetLaunchTemplateData",
      "description": "Grants permission to get the configuration data of the specified instance for use with a new launch template or launch template version",
      "access": "Read",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetManagedPrefixListAssociations.html",
      "name": "GetManagedPrefixListAssociations",
      "description": "Grants permission to get information about the resources that are associated with the specified managed prefix list",
      "access": "Read",
      "resources": [
        {
          "name": "prefix-list",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:IpamPrefixListResolverTargetId",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetManagedPrefixListEntries.html",
      "name": "GetManagedPrefixListEntries",
      "description": "Grants permission to get information about the entries for a specified managed prefix list",
      "access": "Read",
      "resources": [
        {
          "name": "prefix-list",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:IpamPrefixListResolverTargetId",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetNetworkInsightsAccessScopeAnalysisFindings.html",
      "name": "GetNetworkInsightsAccessScopeAnalysisFindings",
      "description": "Grants permission to get the findings for one or more Network Access Scope analyses",
      "access": "Read",
      "resources": [
        {
          "name": "network-insights-access-scope-analysis",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetNetworkInsightsAccessScopeContent.html",
      "name": "GetNetworkInsightsAccessScopeContent",
      "description": "Grants permission to get the content for a specified Network Access Scope",
      "access": "Read",
      "resources": [
        {
          "name": "network-insights-access-scope",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetPasswordData.html",
      "name": "GetPasswordData",
      "description": "Grants permission to retrieve the encrypted administrator password for a running Windows instance",
      "access": "Read",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetReservedInstancesExchangeQuote.html",
      "name": "GetReservedInstancesExchangeQuote",
      "description": "Grants permission to return a quote and exchange information for exchanging one or more Convertible Reserved Instances for a new Convertible Reserved Instance",
      "access": "Read",
      "resources": [
        {
          "name": "reserved-instances",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:InstanceType",
        "ec2:ReservedInstancesOfferingType",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/ipam/share-pool-ipam.html",
      "name": "GetResourcePolicy",
      "description": "Grants permission to describe an IAM policy that enables cross-account sharing",
      "access": "Read",
      "resources": [
        {
          "name": "ipam-pool",
          "is_required": false
        },
        {
          "name": "placement-group",
          "is_required": false
        },
        {
          "name": "verified-access-group",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:PlacementGroupName",
        "ec2:PlacementGroupStrategy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetRouteServerAssociations.html",
      "name": "GetRouteServerAssociations",
      "description": "Grants permission to get associations for a route server",
      "access": "Read",
      "resources": [
        {
          "name": "route-server",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetRouteServerPropagations.html",
      "name": "GetRouteServerPropagations",
      "description": "Grants permission to get propagations for a route server",
      "access": "Read",
      "resources": [
        {
          "name": "route-server",
          "is_required": true
        },
        {
          "name": "route-table",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RouteTableID",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetRouteServerRoutingDatabase.html",
      "name": "GetRouteServerRoutingDatabase",
      "description": "Grants permission to get the routing database for a route server",
      "access": "Read",
      "resources": [
        {
          "name": "route-server",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetSecurityGroupsForVpc.html",
      "name": "GetSecurityGroupsForVpc",
      "description": "Grants permission to retrieve a list of security groups for a specified VPC",
      "access": "Read",
      "resources": [
        {
          "name": "vpc",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetSerialConsoleAccessStatus.html",
      "name": "GetSerialConsoleAccessStatus",
      "description": "Grants permission to retrieve the access status of your account to the EC2 serial console of all instances",
      "access": "Read",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetSnapshotBlockPublicAccessState.html",
      "name": "GetSnapshotBlockPublicAccessState",
      "description": "Grants permission to retrieve the current state of the block public access for snapshots setting for a Region",
      "access": "Read",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetSpotPlacementScores.html",
      "name": "GetSpotPlacementScores",
      "description": "Grants permission to calculate the Spot placement score for a Region or Availability Zone based on the specified target capacity and compute requirements",
      "access": "Read",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetSubnetCidrReservations.html",
      "name": "GetSubnetCidrReservations",
      "description": "Grants permission to retrieve information about the subnet CIDR reservations",
      "access": "Read",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetTransitGatewayAttachmentPropagations.html",
      "name": "GetTransitGatewayAttachmentPropagations",
      "description": "Grants permission to list the route tables to which a resource attachment propagates routes",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetTransitGatewayMeteringPolicyEntries.html",
      "name": "GetTransitGatewayMeteringPolicyEntries",
      "description": "Grants permission to list the entries for a transit gateway metering policy",
      "access": "List",
      "resources": [
        {
          "name": "transit-gateway-metering-policy",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayMeteringPolicyId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetTransitGatewayMulticastDomainAssociations.html",
      "name": "GetTransitGatewayMulticastDomainAssociations",
      "description": "Grants permission to get information about the associations for a transit gateway multicast domain",
      "access": "List",
      "resources": [
        {
          "name": "transit-gateway-multicast-domain",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayMulticastDomainId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetTransitGatewayPolicyTableAssociations.html",
      "name": "GetTransitGatewayPolicyTableAssociations",
      "description": "Grants permission to get information about associations for a transit gateway policy table",
      "access": "List",
      "resources": [
        {
          "name": "transit-gateway-policy-table",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayPolicyTableId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetTransitGatewayPolicyTableEntries.html",
      "name": "GetTransitGatewayPolicyTableEntries",
      "description": "Grants permission to get information about associations for a transit gateway policy table entry",
      "access": "List",
      "resources": [
        {
          "name": "transit-gateway-policy-table",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayPolicyTableId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetTransitGatewayPrefixListReferences.html",
      "name": "GetTransitGatewayPrefixListReferences",
      "description": "Grants permission to get information about prefix list references for a transit gateway route table",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetTransitGatewayRouteTableAssociations.html",
      "name": "GetTransitGatewayRouteTableAssociations",
      "description": "Grants permission to get information about associations for a transit gateway route table",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetTransitGatewayRouteTablePropagations.html",
      "name": "GetTransitGatewayRouteTablePropagations",
      "description": "Grants permission to get information about the route table propagations for a transit gateway route table",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetVerifiedAccessEndpointPolicy.html",
      "name": "GetVerifiedAccessEndpointPolicy",
      "description": "Grants permission to show the Verified Access policy associated with the endpoint",
      "access": "List",
      "resources": [
        {
          "name": "verified-access-endpoint",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetVerifiedAccessEndpointTargets.html",
      "name": "GetVerifiedAccessEndpointTargets",
      "description": "Grants permission to get verified access endpoint targets",
      "access": "List",
      "resources": [
        {
          "name": "verified-access-endpoint",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetVerifiedAccessGroupPolicy.html",
      "name": "GetVerifiedAccessGroupPolicy",
      "description": "Grants permission to show the contents of the Verified Access policy associated with the group",
      "access": "List",
      "resources": [
        {
          "name": "verified-access-group",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/verified-access/latest/ug/waf-integration.html",
      "name": "GetVerifiedAccessInstanceWebAcl",
      "description": "Grants permission to show the AWS Web Application Firewall (WAF) web access control list (ACL) for a Verified Access instance",
      "access": "List",
      "resources": [
        {
          "name": "verified-access-instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetVpcResourcesBlockingEncryptionEnforcement.html",
      "name": "GetVpcResourcesBlockingEncryptionEnforcement",
      "description": "Grants permission to describe resources that would block VPC Encryption Control enforcement",
      "access": "List",
      "resources": [
        {
          "name": "vpc",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetVpnConnectionDeviceSampleConfiguration.html",
      "name": "GetVpnConnectionDeviceSampleConfiguration",
      "description": "Grants permission to download an AWS-provided sample configuration file to be used with the customer gateway device",
      "access": "List",
      "resources": [
        {
          "name": "vpn-connection",
          "is_required": true
        },
        {
          "name": "vpn-connection-device-type",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetVpnConnectionDeviceTypes.html",
      "name": "GetVpnConnectionDeviceTypes",
      "description": "Grants permission to obtain a list of customer gateway devices for which sample configuration files can be provided",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetVpnTunnelReplacementStatus.html",
      "name": "GetVpnTunnelReplacementStatus",
      "description": "Grants permission to view available tunnel endpoint maintenance events",
      "access": "List",
      "resources": [
        {
          "name": "vpn-connection",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/ipam/tutorials-byoip-ipam-transfer-ipv4.html",
      "name": "ImportByoipCidrToIpam",
      "description": "Grants permission to transfer existing BYOIP IPv4 CIDRs to IPAM",
      "access": "Write",
      "resources": [
        {
          "name": "ipam-pool",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportClientVpnClientCertificateRevocationList.html",
      "name": "ImportClientVpnClientCertificateRevocationList",
      "description": "Grants permission to upload a client certificate revocation list to a Client VPN endpoint",
      "access": "Write",
      "resources": [
        {
          "name": "client-vpn-endpoint",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ClientRootCertificateChainArn",
        "ec2:CloudwatchLogGroupArn",
        "ec2:CloudwatchLogStreamArn",
        "ec2:DirectoryArn",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SamlProviderArn",
        "ec2:ServerCertificateArn",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportImage.html",
      "name": "ImportImage",
      "description": "Grants permission to import single or multi-volume disk images or EBS snapshots into an Amazon Machine Image (AMI)",
      "access": "Write",
      "resources": [
        {
          "name": "image",
          "is_required": true
        },
        {
          "name": "import-image-task",
          "is_required": true
        },
        {
          "name": "snapshot",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:ImageID",
        "ec2:ImageType",
        "ec2:Owner",
        "ec2:Public",
        "ec2:RootDeviceType",
        "aws:ResourceTag/${TagKey}",
        "ec2:ParentVolume",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SnapshotID",
        "ec2:SnapshotTime",
        "ec2:VolumeSize",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportInstance.html",
      "name": "ImportInstance",
      "description": "Grants permission to create an import instance task using metadata from a disk image",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        },
        {
          "name": "volume",
          "is_required": true
        },
        {
          "name": "security-group",
          "is_required": false
        },
        {
          "name": "subnet",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:ManagedResourceOperator",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Encrypted",
        "ec2:ParentSnapshot",
        "ec2:VolumeID",
        "ec2:VolumeIops",
        "ec2:VolumeSize",
        "ec2:VolumeThroughput",
        "ec2:VolumeType",
        "ec2:SecurityGroupID",
        "ec2:Vpc",
        "ec2:SubnetID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportKeyPair.html",
      "name": "ImportKeyPair",
      "description": "Grants permission to import a public key from an RSA key pair that was created with a third-party tool",
      "access": "Write",
      "resources": [
        {
          "name": "key-pair",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportSnapshot.html",
      "name": "ImportSnapshot",
      "description": "Grants permission to import a disk into an EBS snapshot",
      "access": "Write",
      "resources": [
        {
          "name": "import-snapshot-task",
          "is_required": true
        },
        {
          "name": "snapshot",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Owner",
        "ec2:ParentVolume",
        "ec2:SnapshotID",
        "ec2:SnapshotTime",
        "ec2:VolumeSize",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportVolume.html",
      "name": "ImportVolume",
      "description": "Grants permission to create an import volume task using metadata from a disk image",
      "access": "Write",
      "resources": [
        {
          "name": "volume",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:Encrypted",
        "ec2:ManagedResourceOperator",
        "ec2:ParentSnapshot",
        "ec2:ResourceTag/${TagKey}",
        "ec2:VolumeID",
        "ec2:VolumeIops",
        "ec2:VolumeSize",
        "ec2:VolumeThroughput",
        "ec2:VolumeType",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/fis/latest/userguide/fis-actions-reference.html",
      "name": "InjectApiError",
      "description": "Grants permission to temporarily inject errors for target API requests",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:FisActionId",
        "ec2:FisTargetArns",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/fis/latest/userguide/fis-actions-reference.html#ebs-actions-reference",
      "name": "InjectVolumeIOLatency",
      "description": "Grants permission to temporarily inject latency to I/O operations for a target Amazon EBS volume",
      "access": "Write",
      "resources": [
        {
          "name": "volume",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:Encrypted",
        "ec2:ParentSnapshot",
        "ec2:ResourceTag/${TagKey}",
        "ec2:VolumeID",
        "ec2:VolumeIops",
        "ec2:VolumeSize",
        "ec2:VolumeThroughput",
        "ec2:VolumeType",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ListImagesInRecycleBin.html",
      "name": "ListImagesInRecycleBin",
      "description": "Grants permission to list Amazon Machine Images (AMIs) that are currently in the Recycle Bin",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ListSnapshotsInRecycleBin.html",
      "name": "ListSnapshotsInRecycleBin",
      "description": "Grants permission to list the Amazon EBS snapshots that are currently in the Recycle Bin",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ListVolumesInRecycleBin.html",
      "name": "ListVolumesInRecycleBin",
      "description": "Grants permission to list EBS volumes in Recycle Bin",
      "access": "List",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_LockSnapshot.html",
      "name": "LockSnapshot",
      "description": "Grants permission to lock an Amazon EBS snapshot in either governance or compliance mode to protect it against accidental or malicious deletions",
      "access": "Write",
      "resources": [
        {
          "name": "snapshot",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Encrypted",
        "ec2:Owner",
        "ec2:ParentVolume",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SnapshotCoolOffPeriod",
        "ec2:SnapshotID",
        "ec2:SnapshotLockDuration",
        "ec2:SnapshotTime",
        "ec2:VolumeSize",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyAddressAttribute.html",
      "name": "ModifyAddressAttribute",
      "description": "Grants permission to modify an attribute of the specified Elastic IP address",
      "access": "Write",
      "resources": [
        {
          "name": "elastic-ip",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AllocationId",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Domain",
        "ec2:PublicIpAddress",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyAvailabilityZoneGroup.html",
      "name": "ModifyAvailabilityZoneGroup",
      "description": "Grants permission to modify the opt-in status of the Local Zone and Wavelength Zone group for your account",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyCapacityReservation.html",
      "name": "ModifyCapacityReservation",
      "description": "Grants permission to modify a Capacity Reservation's capacity and the conditions under which it is to be released",
      "access": "Write",
      "resources": [
        {
          "name": "capacity-reservation",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:CapacityReservationFleet",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyCapacityReservationFleet.html",
      "name": "ModifyCapacityReservationFleet",
      "description": "Grants permission to modify a Capacity Reservation Fleet",
      "access": "Write",
      "resources": [
        {
          "name": "capacity-reservation-fleet",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:ModifyCapacityReservation"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyClientVpnEndpoint.html",
      "name": "ModifyClientVpnEndpoint",
      "description": "Grants permission to modify a Client VPN endpoint",
      "access": "Write",
      "resources": [
        {
          "name": "client-vpn-endpoint",
          "is_required": true
        },
        {
          "name": "security-group",
          "is_required": false
        },
        {
          "name": "vpc",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ClientRootCertificateChainArn",
        "ec2:CloudwatchLogGroupArn",
        "ec2:CloudwatchLogStreamArn",
        "ec2:DirectoryArn",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SamlProviderArn",
        "ec2:ServerCertificateArn",
        "ec2:SecurityGroupID",
        "ec2:Vpc",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyDefaultCreditSpecification.html",
      "name": "ModifyDefaultCreditSpecification",
      "description": "Grants permission to change the account level default credit option for CPU usage of burstable performance instances",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyEbsDefaultKmsKeyId.html",
      "name": "ModifyEbsDefaultKmsKeyId",
      "description": "Grants permission to change the default customer master key (CMK) for EBS encryption by default for your account",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyFleet.html",
      "name": "ModifyFleet",
      "description": "Grants permission to modify an EC2 Fleet",
      "access": "Write",
      "resources": [
        {
          "name": "fleet",
          "is_required": true
        },
        {
          "name": "image",
          "is_required": false
        },
        {
          "name": "launch-template",
          "is_required": false
        },
        {
          "name": "subnet",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:ImageID",
        "ec2:ImageType",
        "ec2:Owner",
        "ec2:Public",
        "ec2:RootDeviceType",
        "ec2:ManagedResourceOperator",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:SubnetID",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyFpgaImageAttribute.html",
      "name": "ModifyFpgaImageAttribute",
      "description": "Grants permission to modify an attribute of an Amazon FPGA Image (AFI)",
      "access": "Write",
      "resources": [
        {
          "name": "fpga-image",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Owner",
        "ec2:Public",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyHosts.html",
      "name": "ModifyHosts",
      "description": "Grants permission to modify a Dedicated Host",
      "access": "Write",
      "resources": [
        {
          "name": "dedicated-host",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyIdFormat.html",
      "name": "ModifyIdFormat",
      "description": "Grants permission to modify the ID format for a resource",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyIdentityIdFormat.html",
      "name": "ModifyIdentityIdFormat",
      "description": "Grants permission to modify the ID format of a resource for a specific principal in your account",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyImageAttribute.html",
      "name": "ModifyImageAttribute",
      "description": "Grants permission to modify an attribute of an Amazon Machine Image (AMI)",
      "access": "Write",
      "resources": [
        {
          "name": "image",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ImageID",
        "ec2:ImageType",
        "ec2:Owner",
        "ec2:Public",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceAttribute.html",
      "name": "ModifyInstanceAttribute",
      "description": "Grants permission to modify an attribute of an instance",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        },
        {
          "name": "security-group",
          "is_required": false
        },
        {
          "name": "volume",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:SecurityGroupID",
        "ec2:Vpc",
        "ec2:Encrypted",
        "ec2:ParentSnapshot",
        "ec2:VolumeID",
        "ec2:VolumeInitializationRate",
        "ec2:VolumeIops",
        "ec2:VolumeSize",
        "ec2:VolumeThroughput",
        "ec2:VolumeType",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceCapacityReservationAttributes.html",
      "name": "ModifyInstanceCapacityReservationAttributes",
      "description": "Grants permission to modify the Capacity Reservation settings for a stopped instance",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        },
        {
          "name": "capacity-reservation",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceConnectEndpoint.html",
      "name": "ModifyInstanceConnectEndpoint",
      "description": "Grants permission to modify an existing EC2 Instance Connect Endpoint",
      "access": "Write",
      "resources": [
        {
          "name": "instance-connect-endpoint",
          "is_required": true
        },
        {
          "name": "security-group",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SecurityGroupID",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceCpuOptions.html",
      "name": "ModifyInstanceCpuOptions",
      "description": "Grants permission to modify the CPU options on an instance",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceCreditSpecification.html",
      "name": "ModifyInstanceCreditSpecification",
      "description": "Grants permission to modify the credit option for CPU usage on an instance",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceEventStartTime.html",
      "name": "ModifyInstanceEventStartTime",
      "description": "Grants permission to modify the start time for a scheduled EC2 instance event",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute/${AttributeName}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceEventWindow.html",
      "name": "ModifyInstanceEventWindow",
      "description": "Grants permission to modify the specified event window",
      "access": "Write",
      "resources": [
        {
          "name": "instance-event-window",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceMaintenanceOptions.html",
      "name": "ModifyInstanceMaintenanceOptions",
      "description": "Grants permission to modify the recovery behaviour for an instance",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceMetadataDefaults.html",
      "name": "ModifyInstanceMetadataDefaults",
      "description": "Grants permission to modify the default instance metadata service (IMDS) settings for your account in the specified Region",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Attribute/${AttributeName}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceMetadataOptions.html",
      "name": "ModifyInstanceMetadataOptions",
      "description": "Grants permission to modify the metadata options for an instance",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceNetworkPerformanceOptions.html",
      "name": "ModifyInstanceNetworkPerformanceOptions",
      "description": "Grants permission to modify the network performance options for an instance",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstancePlacement.html",
      "name": "ModifyInstancePlacement",
      "description": "Grants permission to modify the placement attributes for an instance",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        },
        {
          "name": "dedicated-host",
          "is_required": false
        },
        {
          "name": "placement-group",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:PlacementGroupName",
        "ec2:PlacementGroupStrategy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyIpam.html",
      "name": "ModifyIpam",
      "description": "Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM)",
      "access": "Write",
      "resources": [
        {
          "name": "ipam",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyIpamPolicyAllocationRules.html",
      "name": "ModifyIpamPolicyAllocationRules",
      "description": "Grants permission to modify the rules that define how Amazon VPC IP Address Manager (IPAM) pools allocate IP addresses to AWS resource types within an IPAM policy",
      "access": "Write",
      "resources": [
        {
          "name": "ipam-policy",
          "is_required": true
        },
        {
          "name": "ipam-pool",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyIpamPool.html",
      "name": "ModifyIpamPool",
      "description": "Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) pool",
      "access": "Write",
      "resources": [
        {
          "name": "ipam-pool",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyIpamPrefixListResolver.html",
      "name": "ModifyIpamPrefixListResolver",
      "description": "Grants permission to modify an IPAM prefix list resolver",
      "access": "Write",
      "resources": [
        {
          "name": "ipam-prefix-list-resolver",
          "is_required": true
        },
        {
          "name": "ipam-scope",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyIpamPrefixListResolverTarget.html",
      "name": "ModifyIpamPrefixListResolverTarget",
      "description": "Grants permission to modify an IPAM prefix list resolver target",
      "access": "Write",
      "resources": [
        {
          "name": "ipam-prefix-list-resolver-target",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyIpamResourceCidr.html",
      "name": "ModifyIpamResourceCidr",
      "description": "Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) resource CIDR",
      "access": "Write",
      "resources": [
        {
          "name": "ipam-scope",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyIpamResourceDiscovery.html",
      "name": "ModifyIpamResourceDiscovery",
      "description": "Grants permission to modify a resource discovery",
      "access": "Write",
      "resources": [
        {
          "name": "ipam-resource-discovery",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyIpamScope.html",
      "name": "ModifyIpamScope",
      "description": "Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) scope",
      "access": "Write",
      "resources": [
        {
          "name": "ipam-scope",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyLaunchTemplate.html",
      "name": "ModifyLaunchTemplate",
      "description": "Grants permission to modify a launch template",
      "access": "Write",
      "resources": [
        {
          "name": "launch-template",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ManagedResourceOperator",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyLocalGatewayRoute.html",
      "name": "ModifyLocalGatewayRoute",
      "description": "Grants permission to modify a local gateway route",
      "access": "Write",
      "resources": [
        {
          "name": "local-gateway-route-table",
          "is_required": true
        },
        {
          "name": "local-gateway-virtual-interface-group",
          "is_required": false
        },
        {
          "name": "network-interface",
          "is_required": false
        },
        {
          "name": "prefix-list",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:AuthorizedUser",
        "ec2:AvailabilityZone",
        "ec2:ManagedResourceOperator",
        "ec2:NetworkInterfaceID",
        "ec2:Permission",
        "ec2:Subnet",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyManagedPrefixList.html",
      "name": "ModifyManagedPrefixList",
      "description": "Grants permission to modify a managed prefix list",
      "access": "Write",
      "resources": [
        {
          "name": "prefix-list",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:IpamPrefixListResolverTargetId",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyNetworkInterfaceAttribute.html",
      "name": "ModifyNetworkInterfaceAttribute",
      "description": "Grants permission to modify an attribute of a network interface",
      "access": "Write",
      "resources": [
        {
          "name": "network-interface",
          "is_required": true
        },
        {
          "name": "instance",
          "is_required": false
        },
        {
          "name": "security-group",
          "is_required": false
        },
        {
          "name": "subnet",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:AvailabilityZone",
        "ec2:ManagedResourceOperator",
        "ec2:NetworkInterfaceID",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Subnet",
        "ec2:Vpc",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:SecurityGroupID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyOdbNetworkPeering.html",
      "name": "ModifyOdbNetworkPeering",
      "description": "Grants permission to allow Oracle Database@AWS to modify the settings of a peering connection between an ODB network and a VPC",
      "access": "Permissions management",
      "resources": [
        {
          "name": "vpc",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyPrivateDnsNameOptions.html",
      "name": "ModifyPrivateDnsNameOptions",
      "description": "Grants permission to modify the options for instance hostnames for the specified instance",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:NewInstanceProfile",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyPublicIpDnsNameOptions.html",
      "name": "ModifyPublicIpDnsNameOptions",
      "description": "Grants permission to modify public hostname options for a network interface",
      "access": "Write",
      "resources": [
        {
          "name": "network-interface",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:AvailabilityZone",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Subnet",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyReservedInstances.html",
      "name": "ModifyReservedInstances",
      "description": "Grants permission to modify attributes of one or more Reserved Instances",
      "access": "Write",
      "resources": [
        {
          "name": "reserved-instances",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:AvailabilityZone",
        "ec2:InstanceType",
        "ec2:ReservedInstancesOfferingType",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyRouteServer.html",
      "name": "ModifyRouteServer",
      "description": "Grants permission to modify a route server",
      "access": "Write",
      "resources": [
        {
          "name": "route-server",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySecurityGroupRules.html",
      "name": "ModifySecurityGroupRules",
      "description": "Grants permission to modify the rules of a security group",
      "access": "Write",
      "resources": [
        {
          "name": "security-group",
          "is_required": true
        },
        {
          "name": "security-group-rule",
          "is_required": true
        },
        {
          "name": "prefix-list",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SecurityGroupID",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html",
      "name": "ModifySnapshotAttribute",
      "description": "Grants permission to add or remove permission settings for a snapshot",
      "access": "Permissions management",
      "resources": [
        {
          "name": "snapshot",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Add/group",
        "ec2:Add/userId",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:AvailabilityZone",
        "ec2:Owner",
        "ec2:ParentVolume",
        "ec2:Remove/group",
        "ec2:Remove/userId",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SnapshotID",
        "ec2:SnapshotTime",
        "ec2:VolumeSize",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotTier.html",
      "name": "ModifySnapshotTier",
      "description": "Grants permission to archive Amazon EBS snapshots",
      "access": "Write",
      "resources": [
        {
          "name": "snapshot",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Encrypted",
        "ec2:Owner",
        "ec2:ParentVolume",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SnapshotID",
        "ec2:SnapshotTime",
        "ec2:VolumeSize",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySpotFleetRequest.html",
      "name": "ModifySpotFleetRequest",
      "description": "Grants permission to modify a Spot Fleet request",
      "access": "Write",
      "resources": [
        {
          "name": "spot-fleet-request",
          "is_required": true
        },
        {
          "name": "launch-template",
          "is_required": false
        },
        {
          "name": "subnet",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:ManagedResourceOperator",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:SubnetID",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySubnetAttribute.html",
      "name": "ModifySubnetAttribute",
      "description": "Grants permission to modify an attribute of a subnet",
      "access": "Write",
      "resources": [
        {
          "name": "subnet",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SubnetID",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyTrafficMirrorFilterNetworkServices.html",
      "name": "ModifyTrafficMirrorFilterNetworkServices",
      "description": "Grants permission to allow or restrict mirroring network services",
      "access": "Write",
      "resources": [
        {
          "name": "traffic-mirror-filter",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyTrafficMirrorFilterRule.html",
      "name": "ModifyTrafficMirrorFilterRule",
      "description": "Grants permission to modify a traffic mirror rule",
      "access": "Write",
      "resources": [
        {
          "name": "traffic-mirror-filter",
          "is_required": true
        },
        {
          "name": "traffic-mirror-filter-rule",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyTrafficMirrorSession.html",
      "name": "ModifyTrafficMirrorSession",
      "description": "Grants permission to modify a traffic mirror session",
      "access": "Write",
      "resources": [
        {
          "name": "traffic-mirror-session",
          "is_required": true
        },
        {
          "name": "traffic-mirror-filter",
          "is_required": false
        },
        {
          "name": "traffic-mirror-target",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyTransitGateway.html",
      "name": "ModifyTransitGateway",
      "description": "Grants permission to modify a transit gateway",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway",
          "is_required": true
        },
        {
          "name": "transit-gateway-route-table",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayId",
        "ec2:transitGatewayRouteTableId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyTransitGatewayMeteringPolicy.html",
      "name": "ModifyTransitGatewayMeteringPolicy",
      "description": "Grants permission to modify a transit gateway metering policy",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway-metering-policy",
          "is_required": true
        },
        {
          "name": "transit-gateway-attachment",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayMeteringPolicyId",
        "ec2:transitGatewayAttachmentId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyTransitGatewayPrefixListReference.html",
      "name": "ModifyTransitGatewayPrefixListReference",
      "description": "Grants permission to modify a transit gateway prefix list reference",
      "access": "Write",
      "resources": [
        {
          "name": "prefix-list",
          "is_required": true
        },
        {
          "name": "transit-gateway-route-table",
          "is_required": true
        },
        {
          "name": "transit-gateway-attachment",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayRouteTableId",
        "ec2:transitGatewayAttachmentId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyTransitGatewayVpcAttachment.html",
      "name": "ModifyTransitGatewayVpcAttachment",
      "description": "Grants permission to modify a VPC attachment on a transit gateway",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway-attachment",
          "is_required": true
        },
        {
          "name": "subnet",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayAttachmentId",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:SubnetID",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVerifiedAccessEndpoint.html",
      "name": "ModifyVerifiedAccessEndpoint",
      "description": "Grants permission to modify the configuration of a Verified Access endpoint",
      "access": "Write",
      "resources": [
        {
          "name": "verified-access-endpoint",
          "is_required": true
        },
        {
          "name": "subnet",
          "is_required": false
        },
        {
          "name": "verified-access-group",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:SubnetID",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVerifiedAccessEndpointPolicy.html",
      "name": "ModifyVerifiedAccessEndpointPolicy",
      "description": "Grants permission to modify the specified Verified Access endpoint policy",
      "access": "Write",
      "resources": [
        {
          "name": "verified-access-endpoint",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVerifiedAccessGroup.html",
      "name": "ModifyVerifiedAccessGroup",
      "description": "Grants permission to modify the specified Verified Access Group configuration",
      "access": "Write",
      "resources": [
        {
          "name": "verified-access-group",
          "is_required": true
        },
        {
          "name": "verified-access-instance",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVerifiedAccessGroupPolicy.html",
      "name": "ModifyVerifiedAccessGroupPolicy",
      "description": "Grants permission to modify the specified Verified Access group policy",
      "access": "Write",
      "resources": [
        {
          "name": "verified-access-group",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVerifiedAccessInstance.html",
      "name": "ModifyVerifiedAccessInstance",
      "description": "Grants permission to modify the configuration of the specified Verified Access instance",
      "access": "Write",
      "resources": [
        {
          "name": "verified-access-instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVerifiedAccessInstanceLoggingConfiguration.html",
      "name": "ModifyVerifiedAccessInstanceLoggingConfiguration",
      "description": "Grants permission to modify the logging configuration for the specified Verified Access instance",
      "access": "Write",
      "resources": [
        {
          "name": "verified-access-instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVerifiedAccessTrustProvider.html",
      "name": "ModifyVerifiedAccessTrustProvider",
      "description": "Grants permission to modify the configuration of the specified Verified Access trust provider",
      "access": "Write",
      "resources": [
        {
          "name": "verified-access-trust-provider",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVolume.html",
      "name": "ModifyVolume",
      "description": "Grants permission to modify the parameters of an EBS volume",
      "access": "Write",
      "resources": [
        {
          "name": "volume",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:Encrypted",
        "ec2:ManagedResourceOperator",
        "ec2:ParentSnapshot",
        "ec2:ParentVolume",
        "ec2:ResourceTag/${TagKey}",
        "ec2:VolumeID",
        "ec2:VolumeInitializationRate",
        "ec2:VolumeIops",
        "ec2:VolumeSize",
        "ec2:VolumeThroughput",
        "ec2:VolumeType",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVolumeAttribute.html",
      "name": "ModifyVolumeAttribute",
      "description": "Grants permission to modify an attribute of a volume",
      "access": "Write",
      "resources": [
        {
          "name": "volume",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:Encrypted",
        "ec2:ManagedResourceOperator",
        "ec2:ParentSnapshot",
        "ec2:ParentVolume",
        "ec2:ResourceTag/${TagKey}",
        "ec2:VolumeID",
        "ec2:VolumeInitializationRate",
        "ec2:VolumeIops",
        "ec2:VolumeSize",
        "ec2:VolumeThroughput",
        "ec2:VolumeType",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVpcAttribute.html",
      "name": "ModifyVpcAttribute",
      "description": "Grants permission to modify an attribute of a VPC",
      "access": "Write",
      "resources": [
        {
          "name": "vpc",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVpcBlockPublicAccessExclusion.html",
      "name": "ModifyVpcBlockPublicAccessExclusion",
      "description": "Grants permission to modify an exclusion list for blocked public access on a VPC",
      "access": "Write",
      "resources": [
        {
          "name": "vpc-block-public-access-exclusion",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVpcBlockPublicAccessOptions.html",
      "name": "ModifyVpcBlockPublicAccessOptions",
      "description": "Grants permission to modify options for blocked public access on a VPC",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVpcEncryptionControl.html",
      "name": "ModifyVpcEncryptionControl",
      "description": "Grants permission to modify an existing VPC Encryption Control",
      "access": "Write",
      "resources": [
        {
          "name": "vpc-encryption-control",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVpcEndpoint.html",
      "name": "ModifyVpcEndpoint",
      "description": "Grants permission to modify an attribute of a VPC endpoint",
      "access": "Write",
      "resources": [
        {
          "name": "vpc-endpoint",
          "is_required": true
        },
        {
          "name": "route-table",
          "is_required": false
        },
        {
          "name": "security-group",
          "is_required": false
        },
        {
          "name": "subnet",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:VpceMultiRegion",
        "ec2:VpceServiceRegion",
        "ec2:RouteTableID",
        "ec2:SecurityGroupID",
        "ec2:Vpc",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:SubnetID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVpcEndpointConnectionNotification.html",
      "name": "ModifyVpcEndpointConnectionNotification",
      "description": "Grants permission to modify a connection notification for a VPC endpoint or VPC endpoint service",
      "access": "Write",
      "resources": [
        {
          "name": "vpc-endpoint",
          "is_required": false
        },
        {
          "name": "vpc-endpoint-service",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:VpceMultiRegion",
        "ec2:VpceSupportedRegion",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVpcEndpointServiceConfiguration.html",
      "name": "ModifyVpcEndpointServiceConfiguration",
      "description": "Grants permission to modify the attributes of a VPC endpoint service configuration",
      "access": "Write",
      "resources": [
        {
          "name": "vpc-endpoint-service",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:VpceMultiRegion",
        "ec2:VpceServicePrivateDnsName",
        "ec2:VpceSupportedRegion",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVpcEndpointServicePayerResponsibility.html",
      "name": "ModifyVpcEndpointServicePayerResponsibility",
      "description": "Grants permission to modify the payer responsibility for a VPC endpoint service",
      "access": "Write",
      "resources": [
        {
          "name": "vpc-endpoint-service",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:VpceMultiRegion",
        "ec2:VpceSupportedRegion",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVpcEndpointServicePermissions.html",
      "name": "ModifyVpcEndpointServicePermissions",
      "description": "Grants permission to modify the permissions for a VPC endpoint service",
      "access": "Permissions management",
      "resources": [
        {
          "name": "vpc-endpoint-service",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:VpceMultiRegion",
        "ec2:VpceSupportedRegion",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVpcPeeringConnectionOptions.html",
      "name": "ModifyVpcPeeringConnectionOptions",
      "description": "Grants permission to modify the VPC peering connection options on one side of a VPC peering connection",
      "access": "Write",
      "resources": [
        {
          "name": "vpc-peering-connection",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AccepterVpc",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:RequesterVpc",
        "ec2:ResourceTag/${TagKey}",
        "ec2:VpcPeeringConnectionID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVpcTenancy.html",
      "name": "ModifyVpcTenancy",
      "description": "Grants permission to modify the instance tenancy attribute of a VPC",
      "access": "Write",
      "resources": [
        {
          "name": "vpc",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:VpcID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVpnConnection.html",
      "name": "ModifyVpnConnection",
      "description": "Grants permission to modify the target gateway of a Site-to-Site VPN connection",
      "access": "Write",
      "resources": [
        {
          "name": "vpn-connection",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:AuthenticationType",
        "ec2:DPDTimeoutSeconds",
        "ec2:GatewayType",
        "ec2:IKEVersions",
        "ec2:InsideTunnelCidr",
        "ec2:InsideTunnelIpv6Cidr",
        "ec2:Phase1DHGroup",
        "ec2:Phase1EncryptionAlgorithms",
        "ec2:Phase1IntegrityAlgorithms",
        "ec2:Phase1LifetimeSeconds",
        "ec2:Phase2DHGroup",
        "ec2:Phase2EncryptionAlgorithms",
        "ec2:Phase2IntegrityAlgorithms",
        "ec2:Phase2LifetimeSeconds",
        "ec2:RekeyFuzzPercentage",
        "ec2:RekeyMarginTimeSeconds",
        "ec2:ReplayWindowSizePackets",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RoutingType",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVpnConnectionOptions.html",
      "name": "ModifyVpnConnectionOptions",
      "description": "Grants permission to modify the connection options for your Site-to-Site VPN connection",
      "access": "Write",
      "resources": [
        {
          "name": "vpn-connection",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVpnTunnelCertificate.html",
      "name": "ModifyVpnTunnelCertificate",
      "description": "Grants permission to modify the certificate for a Site-to-Site VPN connection",
      "access": "Write",
      "resources": [
        {
          "name": "vpn-connection",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVpnTunnelOptions.html",
      "name": "ModifyVpnTunnelOptions",
      "description": "Grants permission to modify the options for a Site-to-Site VPN connection",
      "access": "Write",
      "resources": [
        {
          "name": "vpn-connection",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:AuthenticationType",
        "ec2:DPDTimeoutSeconds",
        "ec2:GatewayType",
        "ec2:IKEVersions",
        "ec2:InsideTunnelCidr",
        "ec2:InsideTunnelIpv6Cidr",
        "ec2:Phase1DHGroup",
        "ec2:Phase1EncryptionAlgorithms",
        "ec2:Phase1IntegrityAlgorithms",
        "ec2:Phase1LifetimeSeconds",
        "ec2:Phase2DHGroup",
        "ec2:Phase2EncryptionAlgorithms",
        "ec2:Phase2IntegrityAlgorithms",
        "ec2:Phase2LifetimeSeconds",
        "ec2:RekeyFuzzPercentage",
        "ec2:RekeyMarginTimeSeconds",
        "ec2:ReplayWindowSizePackets",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RoutingType",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_MonitorInstances.html",
      "name": "MonitorInstances",
      "description": "Grants permission to enable detailed monitoring for a running instance",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_MoveAddressToVpc.html",
      "name": "MoveAddressToVpc",
      "description": "Grants permission to move an Elastic IP address from the EC2-Classic platform to the EC2-VPC platform",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_MoveByoipCidrToIpam.html",
      "name": "MoveByoipCidrToIpam",
      "description": "Grants permission to move a BYOIP IPv4 CIDR to Amazon VPC IP Address Manager (IPAM) from a public IPv4 pool",
      "access": "Write",
      "resources": [
        {
          "name": "ipam-pool",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_MoveCapacityReservationInstances.html",
      "name": "MoveCapacityReservationInstances",
      "description": "Grants permission to move available capacity from a source Capacity Reservation to a destination Capacity Reservation",
      "access": "Write",
      "resources": [
        {
          "name": "capacity-reservation",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:CapacityReservationFleet",
        "ec2:CreateDate",
        "ec2:DestinationCapacityReservationId",
        "ec2:EbsOptimized",
        "ec2:EndDate",
        "ec2:EndDateType",
        "ec2:InstanceCount",
        "ec2:InstanceMatchCriteria",
        "ec2:InstancePlatform",
        "ec2:InstanceType",
        "ec2:OutpostArn",
        "ec2:PlacementGroup",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SourceCapacityReservationId",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/fis/latest/userguide/fis-actions-reference.html#ebs-actions-reference",
      "name": "PauseVolumeIO",
      "description": "Grants permission to temporarily pause I/O operations for a target Amazon EBS volume",
      "access": "Write",
      "resources": [
        {
          "name": "volume",
          "is_required": true
        },
        {
          "name": "instance",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:Encrypted",
        "ec2:ManagedResourceOperator",
        "ec2:ParentSnapshot",
        "ec2:ResourceTag/${TagKey}",
        "ec2:VolumeID",
        "ec2:VolumeIops",
        "ec2:VolumeSize",
        "ec2:VolumeThroughput",
        "ec2:VolumeType",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ProvisionByoipCidr.html",
      "name": "ProvisionByoipCidr",
      "description": "Grants permission to provision an address range for use in AWS through bring your own IP addresses (BYOIP), and to create a corresponding address pool",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ProvisionIpamByoasn.html",
      "name": "ProvisionIpamByoasn",
      "description": "Grants permission to provision an Autonomous System Number (ASN) for use in an Amazon Web Services account",
      "access": "Write",
      "resources": [
        {
          "name": "ipam",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ProvisionIpamPoolCidr.html",
      "name": "ProvisionIpamPoolCidr",
      "description": "Grants permission to provision a CIDR to an Amazon VPC IP Address Manager (IPAM) pool",
      "access": "Write",
      "resources": [
        {
          "name": "ipam-pool",
          "is_required": true
        },
        {
          "name": "ipam-external-resource-verification-token",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ProvisionPublicIpv4PoolCidr.html",
      "name": "ProvisionPublicIpv4PoolCidr",
      "description": "Grants permission to provision a CIDR to a public IPv4 pool",
      "access": "Write",
      "resources": [
        {
          "name": "ipam-pool",
          "is_required": true
        },
        {
          "name": "ipv4pool-ec2",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_PurchaseCapacityBlock.html",
      "name": "PurchaseCapacityBlock",
      "description": "Grants permission to purchase a Capacity Block offering",
      "access": "Write",
      "resources": [
        {
          "name": "capacity-reservation",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:CapacityReservationFleet",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_PurchaseCapacityBlockExtension.html",
      "name": "PurchaseCapacityBlockExtension",
      "description": "Grants permission to purchase a Capacity Block extension",
      "access": "Write",
      "resources": [
        {
          "name": "capacity-reservation",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:CapacityReservationFleet",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_PurchaseHostReservation.html",
      "name": "PurchaseHostReservation",
      "description": "Grants permission to purchase a reservation with configurations that match those of a Dedicated Host",
      "access": "Write",
      "resources": [
        {
          "name": "dedicated-host",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_PurchaseReservedInstancesOffering.html",
      "name": "PurchaseReservedInstancesOffering",
      "description": "Grants permission to purchase a Reserved Instance offering",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_PurchaseScheduledInstances.html",
      "name": "PurchaseScheduledInstances",
      "description": "Grants permission to purchase one or more Scheduled Instances with a specified schedule",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/ipam/share-pool-ipam.html",
      "name": "PutResourcePolicy",
      "description": "Grants permission to attach to a resource an IAM policy that enables cross-account sharing",
      "access": "Permissions management",
      "resources": [
        {
          "name": "ipam-pool",
          "is_required": false
        },
        {
          "name": "placement-group",
          "is_required": false
        },
        {
          "name": "verified-access-group",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:PlacementGroupName",
        "ec2:PlacementGroupStrategy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RebootInstances.html",
      "name": "RebootInstances",
      "description": "Grants permission to request a reboot of one or more instances",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RegisterImage.html",
      "name": "RegisterImage",
      "description": "Grants permission to register an Amazon Machine Image (AMI)",
      "access": "Write",
      "resources": [
        {
          "name": "image",
          "is_required": true
        },
        {
          "name": "snapshot",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:ImageID",
        "ec2:Owner",
        "aws:ResourceTag/${TagKey}",
        "ec2:OutpostArn",
        "ec2:ParentVolume",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SnapshotID",
        "ec2:SnapshotTime",
        "ec2:SourceOutpostArn",
        "ec2:VolumeSize",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RegisterInstanceEventNotificationAttributes.html",
      "name": "RegisterInstanceEventNotificationAttributes",
      "description": "Grants permission to add tags to the set of tags to include in notifications about scheduled events for your instances",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RegisterTransitGatewayMulticastGroupMembers.html",
      "name": "RegisterTransitGatewayMulticastGroupMembers",
      "description": "Grants permission to register one or more network interfaces as a member of a group IP address in a transit gateway multicast domain",
      "access": "Write",
      "resources": [
        {
          "name": "network-interface",
          "is_required": true
        },
        {
          "name": "transit-gateway-multicast-domain",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:ManagedResourceOperator",
        "ec2:NetworkInterfaceID",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Subnet",
        "ec2:Vpc",
        "ec2:transitGatewayMulticastDomainId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RegisterTransitGatewayMulticastGroupSources.html",
      "name": "RegisterTransitGatewayMulticastGroupSources",
      "description": "Grants permission to register one or more network interfaces as a source of a group IP address in a transit gateway multicast domain",
      "access": "Write",
      "resources": [
        {
          "name": "network-interface",
          "is_required": true
        },
        {
          "name": "transit-gateway-multicast-domain",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:ManagedResourceOperator",
        "ec2:NetworkInterfaceID",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Subnet",
        "ec2:Vpc",
        "ec2:transitGatewayMulticastDomainId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RejectCapacityReservationBillingOwnership.html",
      "name": "RejectCapacityReservationBillingOwnership",
      "description": "Grants permission to reject a request to assign billing of the available capacity of a shared Capacity Reservation to your account",
      "access": "Write",
      "resources": [
        {
          "name": "capacity-reservation",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:CapacityReservationFleet",
        "ec2:CreateDate",
        "ec2:DestinationCapacityReservationId",
        "ec2:EbsOptimized",
        "ec2:EndDate",
        "ec2:EndDateType",
        "ec2:InstanceCount",
        "ec2:InstanceMatchCriteria",
        "ec2:InstancePlatform",
        "ec2:InstanceType",
        "ec2:OutpostArn",
        "ec2:PlacementGroup",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SourceCapacityReservationId",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RejectTransitGatewayMulticastDomainAssociations.html",
      "name": "RejectTransitGatewayMulticastDomainAssociations",
      "description": "Grants permission to reject requests to associate cross-account subnets with a transit gateway multicast domain",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway-attachment",
          "is_required": false
        },
        {
          "name": "transit-gateway-multicast-domain",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayAttachmentId",
        "ec2:transitGatewayMulticastDomainId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RejectTransitGatewayPeeringAttachment.html",
      "name": "RejectTransitGatewayPeeringAttachment",
      "description": "Grants permission to reject a transit gateway peering attachment request",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway-attachment",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayAttachmentId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RejectTransitGatewayVpcAttachment.html",
      "name": "RejectTransitGatewayVpcAttachment",
      "description": "Grants permission to reject a request to attach a VPC to a transit gateway",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway-attachment",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayAttachmentId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RejectVpcEndpointConnections.html",
      "name": "RejectVpcEndpointConnections",
      "description": "Grants permission to reject one or more VPC endpoint connection requests to a VPC endpoint service",
      "access": "Write",
      "resources": [
        {
          "name": "vpc-endpoint-service",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:VpceMultiRegion",
        "ec2:VpceSupportedRegion",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RejectVpcPeeringConnection.html",
      "name": "RejectVpcPeeringConnection",
      "description": "Grants permission to reject a VPC peering connection request",
      "access": "Write",
      "resources": [
        {
          "name": "vpc-peering-connection",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AccepterVpc",
        "ec2:RequesterVpc",
        "ec2:ResourceTag/${TagKey}",
        "ec2:VpcPeeringConnectionID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReleaseAddress.html",
      "name": "ReleaseAddress",
      "description": "Grants permission to release an Elastic IP address",
      "access": "Write",
      "resources": [
        {
          "name": "elastic-ip",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AllocationId",
        "ec2:Domain",
        "ec2:PublicIpAddress",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReleaseHosts.html",
      "name": "ReleaseHosts",
      "description": "Grants permission to release one or more On-Demand Dedicated Hosts",
      "access": "Write",
      "resources": [
        {
          "name": "dedicated-host",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReleaseIpamPoolAllocation.html",
      "name": "ReleaseIpamPoolAllocation",
      "description": "Grants permission to release an allocation within an Amazon VPC IP Address Manager (IPAM) pool",
      "access": "Write",
      "resources": [
        {
          "name": "ipam-pool",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceIamInstanceProfileAssociation.html",
      "name": "ReplaceIamInstanceProfileAssociation",
      "description": "Grants permission to replace an IAM instance profile for an instance",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:NewInstanceProfile",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": [
        "iam:PassRole"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceImageCriteriaInAllowedImagesSettings.html",
      "name": "ReplaceImageCriteriaInAllowedImagesSettings",
      "description": "Grants permission to replace image criteria in allowed images settings",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceNetworkAclAssociation.html",
      "name": "ReplaceNetworkAclAssociation",
      "description": "Grants permission to change which network ACL a subnet is associated with",
      "access": "Write",
      "resources": [
        {
          "name": "network-acl",
          "is_required": true
        },
        {
          "name": "subnet",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:NetworkAclID",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Vpc",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:SubnetID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceNetworkAclEntry.html",
      "name": "ReplaceNetworkAclEntry",
      "description": "Grants permission to replace an entry (rule) in a network ACL",
      "access": "Write",
      "resources": [
        {
          "name": "network-acl",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:NetworkAclID",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html",
      "name": "ReplaceRoute",
      "description": "Grants permission to replace a route within a route table in a VPC",
      "access": "Write",
      "resources": [
        {
          "name": "route-table",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RouteTableID",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation.html",
      "name": "ReplaceRouteTableAssociation",
      "description": "Grants permission to change the route table that is associated with a subnet",
      "access": "Write",
      "resources": [
        {
          "name": "route-table",
          "is_required": true
        },
        {
          "name": "internet-gateway",
          "is_required": false
        },
        {
          "name": "ipv4pool-ec2",
          "is_required": false
        },
        {
          "name": "ipv6pool-ec2",
          "is_required": false
        },
        {
          "name": "subnet",
          "is_required": false
        },
        {
          "name": "vpn-gateway",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RouteTableID",
        "ec2:Vpc",
        "ec2:InternetGatewayID",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:SubnetID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceTransitGatewayRoute.html",
      "name": "ReplaceTransitGatewayRoute",
      "description": "Grants permission to replace a route in a transit gateway route table",
      "access": "Write",
      "resources": [
        {
          "name": "transit-gateway-route-table",
          "is_required": true
        },
        {
          "name": "transit-gateway-attachment",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayRouteTableId",
        "ec2:transitGatewayAttachmentId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceVpnTunnel.html",
      "name": "ReplaceVpnTunnel",
      "description": "Grants permission to replace a VPN tunnel",
      "access": "Write",
      "resources": [
        {
          "name": "vpn-connection",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReportInstanceStatus.html",
      "name": "ReportInstanceStatus",
      "description": "Grants permission to submit feedback about the status of an instance",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        }
      ],
      "conditions": [
        "ec2:AvailabilityZoneId",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RequestSpotFleet.html",
      "name": "RequestSpotFleet",
      "description": "Grants permission to create a Spot Fleet request",
      "access": "Write",
      "resources": [
        {
          "name": "spot-fleet-request",
          "is_required": true
        },
        {
          "name": "image",
          "is_required": false
        },
        {
          "name": "key-pair",
          "is_required": false
        },
        {
          "name": "launch-template",
          "is_required": false
        },
        {
          "name": "placement-group",
          "is_required": false
        },
        {
          "name": "security-group",
          "is_required": false
        },
        {
          "name": "snapshot",
          "is_required": false
        },
        {
          "name": "subnet",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "aws:ResourceTag/${TagKey}",
        "ec2:ImageID",
        "ec2:ImageType",
        "ec2:Owner",
        "ec2:Public",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:KeyPairName",
        "ec2:KeyPairType",
        "ec2:ManagedResourceOperator",
        "ec2:PlacementGroupName",
        "ec2:PlacementGroupStrategy",
        "ec2:SecurityGroupID",
        "ec2:Vpc",
        "ec2:OutpostArn",
        "ec2:ParentVolume",
        "ec2:SnapshotID",
        "ec2:SnapshotTime",
        "ec2:SourceOutpostArn",
        "ec2:VolumeSize",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:SubnetID",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RequestSpotInstances.html",
      "name": "RequestSpotInstances",
      "description": "Grants permission to create a Spot Instance request",
      "access": "Write",
      "resources": [
        {
          "name": "spot-instances-request",
          "is_required": true
        },
        {
          "name": "image",
          "is_required": false
        },
        {
          "name": "key-pair",
          "is_required": false
        },
        {
          "name": "network-interface",
          "is_required": false
        },
        {
          "name": "placement-group",
          "is_required": false
        },
        {
          "name": "security-group",
          "is_required": false
        },
        {
          "name": "snapshot",
          "is_required": false
        },
        {
          "name": "subnet",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "aws:ResourceTag/${TagKey}",
        "ec2:ImageID",
        "ec2:ImageType",
        "ec2:Owner",
        "ec2:Public",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:KeyPairName",
        "ec2:KeyPairType",
        "ec2:AuthorizedUser",
        "ec2:AvailabilityZone",
        "ec2:ManagedResourceOperator",
        "ec2:NetworkInterfaceID",
        "ec2:Permission",
        "ec2:Subnet",
        "ec2:Vpc",
        "ec2:PlacementGroupName",
        "ec2:PlacementGroupStrategy",
        "ec2:SecurityGroupID",
        "ec2:OutpostArn",
        "ec2:ParentVolume",
        "ec2:SnapshotID",
        "ec2:SnapshotTime",
        "ec2:SourceOutpostArn",
        "ec2:VolumeSize",
        "ec2:AvailabilityZoneId",
        "ec2:SubnetID",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags",
        "iam:PassRole"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ResetAddressAttribute.html",
      "name": "ResetAddressAttribute",
      "description": "Grants permission to reset the attribute of the specified IP address",
      "access": "Write",
      "resources": [
        {
          "name": "elastic-ip",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AllocationId",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Domain",
        "ec2:PublicIpAddress",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ResetEbsDefaultKmsKeyId.html",
      "name": "ResetEbsDefaultKmsKeyId",
      "description": "Grants permission to reset the default customer master key (CMK) for EBS encryption for your account to use the AWS-managed CMK for EBS",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ResetFpgaImageAttribute.html",
      "name": "ResetFpgaImageAttribute",
      "description": "Grants permission to reset an attribute of an Amazon FPGA Image (AFI) to its default value",
      "access": "Write",
      "resources": [
        {
          "name": "fpga-image",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Owner",
        "ec2:Public",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ResetImageAttribute.html",
      "name": "ResetImageAttribute",
      "description": "Grants permission to reset an attribute of an Amazon Machine Image (AMI) to its default value",
      "access": "Write",
      "resources": [
        {
          "name": "image",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ImageID",
        "ec2:ImageType",
        "ec2:Owner",
        "ec2:Public",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ResetInstanceAttribute.html",
      "name": "ResetInstanceAttribute",
      "description": "Grants permission to reset an attribute of an instance to its default value",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:ProductCode",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ResetNetworkInterfaceAttribute.html",
      "name": "ResetNetworkInterfaceAttribute",
      "description": "Grants permission to reset an attribute of a network interface",
      "access": "Write",
      "resources": [
        {
          "name": "network-interface",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:ManagedResourceOperator",
        "ec2:NetworkInterfaceID",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Subnet",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ResetSnapshotAttribute.html",
      "name": "ResetSnapshotAttribute",
      "description": "Grants permission to reset permission settings for a snapshot",
      "access": "Permissions management",
      "resources": [
        {
          "name": "snapshot",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Owner",
        "ec2:ParentVolume",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SnapshotID",
        "ec2:SnapshotTime",
        "ec2:VolumeSize",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RestoreAddressToClassic.html",
      "name": "RestoreAddressToClassic",
      "description": "Grants permission to restore an Elastic IP address that was previously moved to the EC2-VPC platform back to the EC2-Classic platform",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RestoreImageFromRecycleBin.html",
      "name": "RestoreImageFromRecycleBin",
      "description": "Grants permission to restore an Amazon Machine Image (AMI) from the Recycle Bin",
      "access": "Write",
      "resources": [
        {
          "name": "image",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ImageID",
        "ec2:ImageType",
        "ec2:Owner",
        "ec2:Public",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RestoreManagedPrefixListVersion.html",
      "name": "RestoreManagedPrefixListVersion",
      "description": "Grants permission to restore the entries from a previous version of a managed prefix list to a new version of the prefix list",
      "access": "Write",
      "resources": [
        {
          "name": "prefix-list",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RestoreSnapshotFromRecycleBin.html",
      "name": "RestoreSnapshotFromRecycleBin",
      "description": "Grants permission to restore an Amazon EBS snapshot from the Recycle Bin",
      "access": "Write",
      "resources": [
        {
          "name": "snapshot",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Encrypted",
        "ec2:Owner",
        "ec2:ParentVolume",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SnapshotID",
        "ec2:SnapshotTime",
        "ec2:VolumeSize",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RestoreSnapshotTier.html",
      "name": "RestoreSnapshotTier",
      "description": "Grants permission to restore an archived Amazon EBS snapshot for use temporarily or permanently, or modify the restore period or restore type for a snapshot that was previously temporarily restored",
      "access": "Write",
      "resources": [
        {
          "name": "snapshot",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Encrypted",
        "ec2:Owner",
        "ec2:ParentVolume",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SnapshotID",
        "ec2:SnapshotTime",
        "ec2:VolumeSize",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RestoreVolumeFromRecycleBin.html",
      "name": "RestoreVolumeFromRecycleBin",
      "description": "Grants permission to restore an EBS volume from the Recycle Bin",
      "access": "Write",
      "resources": [
        {
          "name": "volume",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:Encrypted",
        "ec2:ParentSnapshot",
        "ec2:ParentVolume",
        "ec2:ResourceTag/${TagKey}",
        "ec2:VolumeID",
        "ec2:VolumeInitializationRate",
        "ec2:VolumeIops",
        "ec2:VolumeSize",
        "ec2:VolumeThroughput",
        "ec2:VolumeType",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RevokeClientVpnIngress.html",
      "name": "RevokeClientVpnIngress",
      "description": "Grants permission to remove an inbound authorization rule from a Client VPN endpoint",
      "access": "Write",
      "resources": [
        {
          "name": "client-vpn-endpoint",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ClientRootCertificateChainArn",
        "ec2:CloudwatchLogGroupArn",
        "ec2:CloudwatchLogStreamArn",
        "ec2:DirectoryArn",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SamlProviderArn",
        "ec2:ServerCertificateArn",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RevokeSecurityGroupEgress.html",
      "name": "RevokeSecurityGroupEgress",
      "description": "Grants permission to remove one or more outbound rules from a VPC security group",
      "access": "Write",
      "resources": [
        {
          "name": "security-group",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SecurityGroupID",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RevokeSecurityGroupIngress.html",
      "name": "RevokeSecurityGroupIngress",
      "description": "Grants permission to remove one or more inbound rules from a security group",
      "access": "Write",
      "resources": [
        {
          "name": "security-group",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SecurityGroupID",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html",
      "name": "RunInstances",
      "description": "Grants permission to launch one or more instances",
      "access": "Write",
      "resources": [
        {
          "name": "image",
          "is_required": true
        },
        {
          "name": "instance",
          "is_required": true
        },
        {
          "name": "network-interface",
          "is_required": true
        },
        {
          "name": "security-group",
          "is_required": true
        },
        {
          "name": "subnet",
          "is_required": true
        },
        {
          "name": "capacity-reservation",
          "is_required": false
        },
        {
          "name": "elastic-gpu",
          "is_required": false
        },
        {
          "name": "elastic-inference",
          "is_required": false
        },
        {
          "name": "group",
          "is_required": false
        },
        {
          "name": "key-pair",
          "is_required": false
        },
        {
          "name": "launch-template",
          "is_required": false
        },
        {
          "name": "license-configuration",
          "is_required": false
        },
        {
          "name": "placement-group",
          "is_required": false
        },
        {
          "name": "secondary-subnet",
          "is_required": false
        },
        {
          "name": "snapshot",
          "is_required": false
        },
        {
          "name": "volume",
          "is_required": false
        },
        {
          "name": "image",
          "is_required": true
        },
        {
          "name": "instance",
          "is_required": true
        },
        {
          "name": "security-group",
          "is_required": true
        },
        {
          "name": "volume",
          "is_required": true
        },
        {
          "name": "key-pair",
          "is_required": false
        },
        {
          "name": "placement-group",
          "is_required": false
        },
        {
          "name": "snapshot",
          "is_required": false
        },
        {
          "name": "image",
          "is_required": true
        },
        {
          "name": "instance",
          "is_required": true
        },
        {
          "name": "security-group",
          "is_required": true
        },
        {
          "name": "key-pair",
          "is_required": false
        },
        {
          "name": "placement-group",
          "is_required": false
        },
        {
          "name": "snapshot",
          "is_required": false
        },
        {
          "name": "image",
          "is_required": true
        },
        {
          "name": "instance",
          "is_required": true
        },
        {
          "name": "network-interface",
          "is_required": true
        },
        {
          "name": "security-group",
          "is_required": true
        },
        {
          "name": "volume",
          "is_required": true
        },
        {
          "name": "key-pair",
          "is_required": false
        },
        {
          "name": "placement-group",
          "is_required": false
        },
        {
          "name": "snapshot",
          "is_required": false
        },
        {
          "name": "image",
          "is_required": true
        },
        {
          "name": "instance",
          "is_required": true
        },
        {
          "name": "network-interface",
          "is_required": true
        },
        {
          "name": "security-group",
          "is_required": true
        },
        {
          "name": "subnet",
          "is_required": true
        },
        {
          "name": "volume",
          "is_required": true
        },
        {
          "name": "key-pair",
          "is_required": false
        },
        {
          "name": "placement-group",
          "is_required": false
        },
        {
          "name": "snapshot",
          "is_required": false
        },
        {
          "name": "image",
          "is_required": true
        },
        {
          "name": "instance",
          "is_required": true
        },
        {
          "name": "network-interface",
          "is_required": true
        },
        {
          "name": "security-group",
          "is_required": true
        },
        {
          "name": "key-pair",
          "is_required": false
        },
        {
          "name": "placement-group",
          "is_required": false
        },
        {
          "name": "snapshot",
          "is_required": false
        },
        {
          "name": "image",
          "is_required": true
        },
        {
          "name": "instance",
          "is_required": true
        },
        {
          "name": "network-interface",
          "is_required": true
        },
        {
          "name": "security-group",
          "is_required": true
        },
        {
          "name": "subnet",
          "is_required": true
        },
        {
          "name": "key-pair",
          "is_required": false
        },
        {
          "name": "placement-group",
          "is_required": false
        },
        {
          "name": "snapshot",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ImageID",
        "ec2:ImageType",
        "ec2:IsLaunchTemplateResource",
        "ec2:LaunchTemplate",
        "ec2:Owner",
        "ec2:Public",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:Tenancy",
        "ec2:AssociatePublicIpAddress",
        "ec2:AuthorizedService",
        "ec2:NetworkInterfaceID",
        "ec2:Subnet",
        "ec2:Vpc",
        "ec2:SecurityGroupID",
        "ec2:SubnetID",
        "ec2:ElasticGpuType",
        "ec2:KeyPairName",
        "ec2:KeyPairType",
        "ec2:PlacementGroupName",
        "ec2:PlacementGroupStrategy",
        "ec2:ParentVolume",
        "ec2:SnapshotID",
        "ec2:SnapshotTime",
        "ec2:VolumeSize",
        "ec2:Encrypted",
        "ec2:ParentSnapshot",
        "ec2:VolumeID",
        "ec2:VolumeInitializationRate",
        "ec2:VolumeIops",
        "ec2:VolumeThroughput",
        "ec2:VolumeType",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags",
        "iam:PassRole",
        "ssm:GetParameters"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunScheduledInstances.html",
      "name": "RunScheduledInstances",
      "description": "Grants permission to launch one or more Scheduled Instances",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SearchLocalGatewayRoutes.html",
      "name": "SearchLocalGatewayRoutes",
      "description": "Grants permission to search for routes in a local gateway route table",
      "access": "List",
      "resources": [
        {
          "name": "local-gateway-route-table",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SearchTransitGatewayMulticastGroups.html",
      "name": "SearchTransitGatewayMulticastGroups",
      "description": "Grants permission to search for groups, sources, and members in a transit gateway multicast domain",
      "access": "List",
      "resources": [
        {
          "name": "transit-gateway-multicast-domain",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayMulticastDomainId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SearchTransitGatewayRoutes.html",
      "name": "SearchTransitGatewayRoutes",
      "description": "Grants permission to search for routes in a transit gateway route table",
      "access": "List",
      "resources": [
        {
          "name": "transit-gateway-route-table",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayRouteTableId",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SendDiagnosticInterrupt.html",
      "name": "SendDiagnosticInterrupt",
      "description": "Grants permission to send a diagnostic interrupt to an Amazon EC2 instance",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/fis/latest/userguide/fis-actions-reference.html#send-spot-instance-interruptions",
      "name": "SendSpotInstanceInterruptions",
      "description": "Grants permission to interrupt a Spot Instance",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StartDeclarativePoliciesReport.html",
      "name": "StartDeclarativePoliciesReport",
      "description": "Grants permission to start a declarative policies report",
      "access": "Read",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StartInstances.html",
      "name": "StartInstances",
      "description": "Grants permission to start a stopped instance",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        },
        {
          "name": "license-configuration",
          "is_required": false
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:PlacementGroup",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StartNetworkInsightsAccessScopeAnalysis.html",
      "name": "StartNetworkInsightsAccessScopeAnalysis",
      "description": "Grants permission to start a Network Access Scope analysis",
      "access": "Write",
      "resources": [
        {
          "name": "network-insights-access-scope",
          "is_required": true
        },
        {
          "name": "network-insights-access-scope-analysis",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StartNetworkInsightsAnalysis.html",
      "name": "StartNetworkInsightsAnalysis",
      "description": "Grants permission to start analyzing a specified path",
      "access": "Write",
      "resources": [
        {
          "name": "network-insights-analysis",
          "is_required": true
        },
        {
          "name": "network-insights-path",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:TagKeys",
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": [
        "ec2:CreateTags"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StartVpcEndpointServicePrivateDnsVerification.html",
      "name": "StartVpcEndpointServicePrivateDnsVerification",
      "description": "Grants permission to start the private DNS verification process for a VPC endpoint service",
      "access": "Write",
      "resources": [
        {
          "name": "vpc-endpoint-service",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:VpceMultiRegion",
        "ec2:VpceSupportedRegion",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StopInstances.html",
      "name": "StopInstances",
      "description": "Grants permission to stop an Amazon EBS-backed instance",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:PlacementGroup",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TerminateClientVpnConnections.html",
      "name": "TerminateClientVpnConnections",
      "description": "Grants permission to terminate active Client VPN endpoint connections",
      "access": "Write",
      "resources": [
        {
          "name": "client-vpn-endpoint",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ClientRootCertificateChainArn",
        "ec2:CloudwatchLogGroupArn",
        "ec2:CloudwatchLogStreamArn",
        "ec2:DirectoryArn",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SamlProviderArn",
        "ec2:ServerCertificateArn",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TerminateInstances.html",
      "name": "TerminateInstances",
      "description": "Grants permission to shut down one or more instances",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_UnassignIpv6Addresses.html",
      "name": "UnassignIpv6Addresses",
      "description": "Grants permission to unassign one or more IPv6 addresses from a network interface",
      "access": "Write",
      "resources": [
        {
          "name": "network-interface",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:ManagedResourceOperator",
        "ec2:NetworkInterfaceID",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Subnet",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_UnassignPrivateIpAddresses.html",
      "name": "UnassignPrivateIpAddresses",
      "description": "Grants permission to unassign one or more secondary private IP addresses from a network interface",
      "access": "Write",
      "resources": [
        {
          "name": "network-interface",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:ManagedResourceOperator",
        "ec2:NetworkInterfaceID",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Subnet",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_UnassignPrivateNatGatewayAddress.html",
      "name": "UnassignPrivateNatGatewayAddress",
      "description": "Grants permission to unassign secondary private IPv4 addresses from a private NAT gateway",
      "access": "Write",
      "resources": [
        {
          "name": "natgateway",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_UnlockSnapshot.html",
      "name": "UnlockSnapshot",
      "description": "Grants permission to unlock a snapshot that is locked in governance mode or in compliance mode while still in the cooling-off period",
      "access": "Write",
      "resources": [
        {
          "name": "snapshot",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:Encrypted",
        "ec2:Owner",
        "ec2:ParentVolume",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SnapshotCoolOffPeriod",
        "ec2:SnapshotID",
        "ec2:SnapshotLockDuration",
        "ec2:SnapshotTime",
        "ec2:VolumeSize",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_UnmonitorInstances.html",
      "name": "UnmonitorInstances",
      "description": "Grants permission to disable detailed monitoring for a running instance",
      "access": "Write",
      "resources": [
        {
          "name": "instance",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_UpdateCapacityManagerOrganizationsAccess.html",
      "name": "UpdateCapacityManagerOrganizationsAccess",
      "description": "Grants permission to update the Organizations access setting for EC2 Capacity Manager",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_UpdateInterruptibleCapacityReservationAllocation.html",
      "name": "UpdateInterruptibleCapacityReservationAllocation",
      "description": "Grants permission to update the number of instances allocated to an interruptible reservation, allowing you to add more capacity or reclaim capacity to your source Capacity Reservation",
      "access": "Write",
      "resources": [
        {
          "name": "capacity-reservation",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CreateDate",
        "ec2:EbsOptimized",
        "ec2:EndDate",
        "ec2:EndDateType",
        "ec2:InstanceCount",
        "ec2:InstanceMatchCriteria",
        "ec2:InstancePlatform",
        "ec2:InstanceType",
        "ec2:InterruptibleCapacityReservationId",
        "ec2:InterruptionType",
        "ec2:IsInterruptible",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SourceCapacityReservationId",
        "ec2:TargetInstanceCount",
        "ec2:Tenancy",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_UpdateSecurityGroupRuleDescriptionsEgress.html",
      "name": "UpdateSecurityGroupRuleDescriptionsEgress",
      "description": "Grants permission to update descriptions for one or more outbound rules in a VPC security group",
      "access": "Write",
      "resources": [
        {
          "name": "security-group",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SecurityGroupID",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_UpdateSecurityGroupRuleDescriptionsIngress.html",
      "name": "UpdateSecurityGroupRuleDescriptionsIngress",
      "description": "Grants permission to update descriptions for one or more inbound rules in a security group",
      "access": "Write",
      "resources": [
        {
          "name": "security-group",
          "is_required": true
        }
      ],
      "conditions": [
        "aws:ResourceTag/${TagKey}",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SecurityGroupID",
        "ec2:Vpc",
        "ec2:Region"
      ],
      "dependents": []
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_WithdrawByoipCidr.html",
      "name": "WithdrawByoipCidr",
      "description": "Grants permission to stop advertising an address range that was provisioned for use in AWS through bring your own IP addresses (BYOIP)",
      "access": "Write",
      "resources": [],
      "conditions": [
        "ec2:Region"
      ],
      "dependents": []
    }
  ],
  "resources": [
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html",
      "name": "elastic-ip",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:elastic-ip/${AllocationId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:AllocationId",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Domain",
        "ec2:PublicIpAddress",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "capacity-block",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:capacity-block/${CapacityBlockId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "capacity-manager-data-export",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:capacity-manager-data-export/${CapacityManagerDataExportId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "capacity-reservation-fleet",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:capacity-reservation-fleet/${CapacityReservationFleetId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-capacity-reservations.html",
      "name": "capacity-reservation",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:capacity-reservation/${CapacityReservationId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CapacityReservationFleet",
        "ec2:CommitmentDuration",
        "ec2:CreateDate",
        "ec2:DestinationCapacityReservationId",
        "ec2:EbsOptimized",
        "ec2:EndDate",
        "ec2:EndDateType",
        "ec2:EphemeralStorage",
        "ec2:InstanceCount",
        "ec2:InstanceMatchCriteria",
        "ec2:InstancePlatform",
        "ec2:InstanceType",
        "ec2:InterruptibleCapacityReservationId",
        "ec2:InterruptionType",
        "ec2:IsInterruptible",
        "ec2:IsLaunchTemplateResource",
        "ec2:LaunchTemplate",
        "ec2:OutpostArn",
        "ec2:PlacementGroup",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SourceCapacityReservationId",
        "ec2:TargetInstanceCount",
        "ec2:Tenancy"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/userguide/Carrier_Gateway.html",
      "name": "carrier-gateway",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:carrier-gateway/${CarrierGatewayId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:Vpc"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/acm/latest/userguide/authen-overview.html#acm-resources-operations",
      "name": "certificate",
      "arn": "arn:${Partition}:acm:${Region}:${Account}:certificate/${CertificateId}",
      "conditions": []
    },
    {
      "url": "https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/what-is.html",
      "name": "client-vpn-endpoint",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:client-vpn-endpoint/${ClientVpnEndpointId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ClientRootCertificateChainArn",
        "ec2:CloudwatchLogGroupArn",
        "ec2:CloudwatchLogStreamArn",
        "ec2:DirectoryArn",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SamlProviderArn",
        "ec2:ServerCertificateArn"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html",
      "name": "customer-gateway",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:customer-gateway/${CustomerGatewayId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "declarative-policies-report",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:declarative-policies-report/${DeclarativePoliciesReportId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-hosts-overview.html",
      "name": "dedicated-host",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:dedicated-host/${DedicatedHostId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:AutoPlacement",
        "ec2:AvailabilityZone",
        "ec2:HostRecovery",
        "ec2:InstanceType",
        "ec2:IsLaunchTemplateResource",
        "ec2:LaunchTemplate",
        "ec2:Quantity",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_DHCP_Options.html",
      "name": "dhcp-options",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:dhcp-options/${DhcpOptionsId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:DhcpOptionsID",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/userguide/egress-only-internet-gateway.html",
      "name": "egress-only-internet-gateway",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:egress-only-internet-gateway/${EgressOnlyInternetGatewayId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/elastic-gpus.html",
      "name": "elastic-gpu",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:elastic-gpu/${ElasticGpuId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:ElasticGpuType",
        "ec2:IsLaunchTemplateResource",
        "ec2:LaunchTemplate",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/elastic-inference/latest/developerguide/what-is-ei.html",
      "name": "elastic-inference",
      "arn": "arn:${Partition}:elastic-inference:${Region}:${Account}:elastic-inference-accelerator/${AcceleratorId}",
      "conditions": []
    },
    {
      "url": "https://docs.aws.amazon.com/vm-import/latest/userguide/vmimport-image-import.html#export-vm-image",
      "name": "export-image-task",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:export-image-task/${ExportImageTaskId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html",
      "name": "export-instance-task",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:export-instance-task/${ExportTaskId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet.html",
      "name": "fleet",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:fleet/${FleetId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "fpga-image",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:fpga-image/${FpgaImageId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Owner",
        "ec2:Public",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "host-reservation",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:host-reservation/${HostReservationId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html",
      "name": "image",
      "arn": "arn:${Partition}:ec2:${Region}::image/${ImageId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:ImageID",
        "ec2:ImageType",
        "ec2:IsLaunchTemplateResource",
        "ec2:LaunchTemplate",
        "ec2:Owner",
        "ec2:Public",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vm-import/latest/userguide/image-usage-report.html",
      "name": "image-usage-report",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:image-usage-report/${ImageUsageReportId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vm-import/latest/userguide/vmimport-image-import.html#import-vm-image",
      "name": "import-image-task",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:import-image-task/${ImportImageTaskId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vm-import/latest/userguide/vmimport-import-snapshot.html",
      "name": "import-snapshot-task",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:import-snapshot-task/${ImportSnapshotTaskId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "instance-connect-endpoint",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:instance-connect-endpoint/${InstanceConnectEndpointId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SubnetID"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "instance-event-window",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:instance-event-window/${InstanceEventWindowId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Instances.html",
      "name": "instance",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:instance/${InstanceId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:CpuOptionsAmdSevSnp",
        "ec2:EbsOptimized",
        "ec2:InstanceAutoRecovery",
        "ec2:InstanceBandwidthWeighting",
        "ec2:InstanceID",
        "ec2:InstanceMarketType",
        "ec2:InstanceMetadataTags",
        "ec2:InstanceProfile",
        "ec2:InstanceType",
        "ec2:IsLaunchTemplateResource",
        "ec2:LaunchTemplate",
        "ec2:ManagedResourceOperator",
        "ec2:MetadataHttpEndpoint",
        "ec2:MetadataHttpPutResponseHopLimit",
        "ec2:MetadataHttpTokens",
        "ec2:NewInstanceProfile",
        "ec2:PlacementGroup",
        "ec2:ProductCode",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RootDeviceType",
        "ec2:Tenancy"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html",
      "name": "internet-gateway",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:internet-gateway/${InternetGatewayId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:InternetGatewayID",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "ipam-external-resource-verification-token",
      "arn": "arn:${Partition}:ec2::${Account}:ipam-external-resource-verification-token/${IpamExternalResourceVerificationTokenId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "ipam",
      "arn": "arn:${Partition}:ec2::${Account}:ipam/${IpamId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "ipam-policy",
      "arn": "arn:${Partition}:ec2::${Account}:ipam-policy/${IpamPolicyId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "ipam-pool",
      "arn": "arn:${Partition}:ec2::${Account}:ipam-pool/${IpamPoolId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "ipam-prefix-list-resolver",
      "arn": "arn:${Partition}:ec2::${Account}:ipam-prefix-list-resolver/${IpamPrefixListResolverId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "ipam-prefix-list-resolver-target",
      "arn": "arn:${Partition}:ec2::${Account}:ipam-prefix-list-resolver-target/${IpamPrefixListResolverTargetId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "ipam-resource-discovery-association",
      "arn": "arn:${Partition}:ec2::${Account}:ipam-resource-discovery-association/${IpamResourceDiscoveryAssociationId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "ipam-resource-discovery",
      "arn": "arn:${Partition}:ec2::${Account}:ipam-resource-discovery/${IpamResourceDiscoveryId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "ipam-scope",
      "arn": "arn:${Partition}:ec2::${Account}:ipam-scope/${IpamScopeId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "coip-pool",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:coip-pool/${Ipv4PoolCoipId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#ip-addressing-eips",
      "name": "ipv4pool-ec2",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:ipv4pool-ec2/${Ipv4PoolEc2Id}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#ipv6-addressing",
      "name": "ipv6pool-ec2",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:ipv6pool-ec2/${Ipv6PoolEc2Id}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html",
      "name": "key-pair",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:key-pair/${KeyPairName}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:IsLaunchTemplateResource",
        "ec2:KeyPairName",
        "ec2:KeyPairType",
        "ec2:LaunchTemplate",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html",
      "name": "launch-template",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:launch-template/${LaunchTemplateId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:IsLaunchTemplateResource",
        "ec2:LaunchTemplate",
        "ec2:ManagedResourceOperator",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/license-manager/latest/userguide/create-license-configuration.html",
      "name": "license-configuration",
      "arn": "arn:${Partition}:license-manager:${Region}:${Account}:license-configuration:${LicenseConfigurationId}",
      "conditions": []
    },
    {
      "url": "https://docs.aws.amazon.com/outposts/latest/userguide/outposts-local-gateways.html#lgw",
      "name": "local-gateway",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:local-gateway/${LocalGatewayId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/outposts/latest/userguide/outposts-local-gateways.html",
      "name": "local-gateway-route-table-virtual-interface-group-association",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:local-gateway-route-table-virtual-interface-group-association/${LocalGatewayRouteTableVirtualInterfaceGroupAssociationId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/outposts/latest/userguide/outposts-local-gateways.html#vpc-associations",
      "name": "local-gateway-route-table-vpc-association",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:local-gateway-route-table-vpc-association/${LocalGatewayRouteTableVpcAssociationId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/outposts/latest/userguide/outposts-local-gateways.html#route-tables",
      "name": "local-gateway-route-table",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:local-gateway-route-table/${LocalGatewayRoutetableId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute/${AttributeName}",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/outposts/latest/userguide/outposts-local-gateways.html",
      "name": "local-gateway-virtual-interface-group",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:local-gateway-virtual-interface-group/${LocalGatewayVirtualInterfaceGroupId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/outposts/latest/userguide/outposts-local-gateways.html",
      "name": "local-gateway-virtual-interface",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:local-gateway-virtual-interface/${LocalGatewayVirtualInterfaceId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/mac-modification-task.html",
      "name": "mac-modification-task",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:mac-modification-task/${MacModificationTaskId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html",
      "name": "natgateway",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:natgateway/${NatGatewayId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Vpc"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html",
      "name": "network-acl",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:network-acl/${NaclId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:NetworkAclID",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Vpc"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "network-insights-access-scope-analysis",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:network-insights-access-scope-analysis/${NetworkInsightsAccessScopeAnalysisId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "network-insights-access-scope",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:network-insights-access-scope/${NetworkInsightsAccessScopeId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "network-insights-analysis",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:network-insights-analysis/${NetworkInsightsAnalysisId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "network-insights-path",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:network-insights-path/${NetworkInsightsPathId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html",
      "name": "network-interface",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:network-interface/${NetworkInterfaceId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:AssociatePublicIpAddress",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:AuthorizedService",
        "ec2:AuthorizedUser",
        "ec2:AvailabilityZone",
        "ec2:IsLaunchTemplateResource",
        "ec2:LaunchTemplate",
        "ec2:ManagedResourceOperator",
        "ec2:NetworkInterfaceID",
        "ec2:Permission",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Subnet",
        "ec2:Vpc"
      ]
    },
    {
      "url": "outposts-lag.html#outpostlag",
      "name": "outpost-lag",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:outpost-lag/${OutpostLagId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html",
      "name": "placement-group",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:placement-group/${PlacementGroupName}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:IsLaunchTemplateResource",
        "ec2:LaunchTemplate",
        "ec2:PlacementGroupName",
        "ec2:PlacementGroupStrategy",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/userguide/managed-prefix-lists.html",
      "name": "prefix-list",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:prefix-list/${PrefixListId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:IpamPrefixListResolverTargetId",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/replace-root.html",
      "name": "replace-root-volume-task",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:replace-root-volume-task/${ReplaceRootVolumeTaskId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-reserved-instances.html",
      "name": "reserved-instances",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:reserved-instances/${ReservationId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:AvailabilityZone",
        "ec2:InstanceType",
        "ec2:Region",
        "ec2:ReservedInstancesOfferingType",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/ARG/latest/userguide/resource-groups.html",
      "name": "group",
      "arn": "arn:${Partition}:resource-groups:${Region}:${Account}:group/${GroupName}",
      "conditions": []
    },
    {
      "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html",
      "name": "role",
      "arn": "arn:${Partition}:iam::${Account}:role/${RoleNameWithPath}",
      "conditions": []
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/userguide/route-server-terms.html",
      "name": "route-server-endpoint",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:route-server-endpoint/${RouteServerEndpointId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:AvailabilityZone",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/userguide/route-server-terms.html",
      "name": "route-server",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:route-server/${RouteServerId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/userguide/route-server-terms.html",
      "name": "route-server-peer",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:route-server-peer/${RouteServerPeerId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:AvailabilityZone",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html",
      "name": "route-table",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:route-table/${RouteTableId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RouteTableID",
        "ec2:Vpc"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "secondary-interface",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:secondary-interface/${SecondaryInterfaceId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:IsLaunchTemplateResource",
        "ec2:LaunchTemplate",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "secondary-network",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:secondary-network/${SecondaryNetworkId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "secondary-subnet",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:secondary-subnet/${SecondarySubnetId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html",
      "name": "security-group",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:security-group/${SecurityGroupId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:IsLaunchTemplateResource",
        "ec2:LaunchTemplate",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SecurityGroupID",
        "ec2:Vpc"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "security-group-rule",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:security-group-rule/${SecurityGroupRuleId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/ebs/latest/userguide/ebs-snapshots.html",
      "name": "snapshot",
      "arn": "arn:${Partition}:ec2:${Region}::snapshot/${SnapshotId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Add/group",
        "ec2:Add/userId",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:AvailabilityZone",
        "ec2:Encrypted",
        "ec2:IsLaunchTemplateResource",
        "ec2:LaunchTemplate",
        "ec2:Location",
        "ec2:OutpostArn",
        "ec2:Owner",
        "ec2:ParentSnapshot",
        "ec2:ParentVolume",
        "ec2:ProductCode",
        "ec2:Region",
        "ec2:Remove/group",
        "ec2:Remove/userId",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SnapshotCoolOffPeriod",
        "ec2:SnapshotID",
        "ec2:SnapshotLockDuration",
        "ec2:SnapshotTime",
        "ec2:SourceAvailabilityZone",
        "ec2:SourceOutpostArn",
        "ec2:VolumeSize"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "spot-fleet-request",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:spot-fleet-request/${SpotFleetRequestId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-spot-instances.html",
      "name": "spot-instances-request",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:spot-instances-request/${SpotInstanceRequestId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/userguide/subnet-cidr-reservation.html",
      "name": "subnet-cidr-reservation",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:subnet-cidr-reservation/${SubnetCidrReservationId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html",
      "name": "subnet",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:subnet/${SubnetId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:Ipv4IpamPoolId",
        "ec2:Ipv6IpamPoolId",
        "ec2:IsLaunchTemplateResource",
        "ec2:LaunchTemplate",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}",
        "ec2:SubnetID",
        "ec2:Vpc"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-filter.html",
      "name": "traffic-mirror-filter",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-filter/${TrafficMirrorFilterId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-filter.html",
      "name": "traffic-mirror-filter-rule",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-filter-rule/${TrafficMirrorFilterRuleId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-session.html",
      "name": "traffic-mirror-session",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-session/${TrafficMirrorSessionId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-target.html",
      "name": "traffic-mirror-target",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-target/${TrafficMirrorTargetId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/tgw/how-transit-gateways-work.html",
      "name": "transit-gateway-attachment",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-attachment/${TransitGatewayAttachmentId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayAttachmentId"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "transit-gateway-connect-peer",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-connect-peer/${TransitGatewayConnectPeerId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayConnectPeerId"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/tgw/how-transit-gateways-work.html",
      "name": "transit-gateway",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:transit-gateway/${TransitGatewayId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayId"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "transit-gateway-metering-policy",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-metering-policy/${TransitGatewayMeteringPolicyId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute/${AttributeName}",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayMeteringPolicyId"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/tgw/tgw-multicast-overview.html",
      "name": "transit-gateway-multicast-domain",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-multicast-domain/${TransitGatewayMulticastDomainId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayMulticastDomainId"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "transit-gateway-policy-table",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-policy-table/${TransitGatewayPolicyTableId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayPolicyTableId"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "transit-gateway-route-table-announcement",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-route-table-announcement/${TransitGatewayRouteTableAnnouncementId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayRouteTableAnnouncementId"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/tgw/how-transit-gateways-work.html",
      "name": "transit-gateway-route-table",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-route-table/${TransitGatewayRouteTableId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}",
        "ec2:transitGatewayRouteTableId"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "verified-access-endpoint",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:verified-access-endpoint/${VerifiedAccessEndpointId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute/${AttributeName}",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "verified-access-endpoint-target",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:verified-access-endpoint-target/${VerifiedAccessEndpointTargetId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "verified-access-group",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:verified-access-group/${VerifiedAccessGroupId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "verified-access-instance",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:verified-access-instance/${VerifiedAccessInstanceId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "verified-access-policy",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:verified-access-policy/${VerifiedAccessPolicyId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#EC2_ARN_Format",
      "name": "verified-access-trust-provider",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:verified-access-trust-provider/${VerifiedAccessTrustProviderId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/ebs/latest/userguide/ebs-volumes.html",
      "name": "volume",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:volume/${VolumeId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:AvailabilityZone",
        "ec2:AvailabilityZoneId",
        "ec2:Encrypted",
        "ec2:IsLaunchTemplateResource",
        "ec2:KmsKeyId",
        "ec2:LaunchTemplate",
        "ec2:ManagedResourceOperator",
        "ec2:ParentSnapshot",
        "ec2:ParentVolume",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}",
        "ec2:VolumeID",
        "ec2:VolumeInitializationRate",
        "ec2:VolumeIops",
        "ec2:VolumeSize",
        "ec2:VolumeThroughput",
        "ec2:VolumeType"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-block-public-access.html",
      "name": "vpc-block-public-access-exclusion",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:vpc-block-public-access-exclusion/${VpcBlockPublicAccessExclusionId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-encryption-control.html",
      "name": "vpc-encryption-control",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:vpc-encryption-control/${VpcEncryptionControlId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute/${AttributeName}",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/userguide/endpoint-services-overview.html",
      "name": "vpc-endpoint-connection",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:vpc-endpoint-connection/${VpcEndpointConnectionId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/userguide/endpoint-services-overview.html",
      "name": "vpc-endpoint",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:vpc-endpoint/${VpcEndpointId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}",
        "ec2:VpceMultiRegion",
        "ec2:VpcePrivateDnsPreference",
        "ec2:VpcePrivateDnsSpecifiedDomains",
        "ec2:VpceServiceName",
        "ec2:VpceServiceOwner",
        "ec2:VpceServiceRegion"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/userguide/endpoint-services-overview.html",
      "name": "vpc-endpoint-service",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:vpc-endpoint-service/${VpcEndpointServiceId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}",
        "ec2:VpceMultiRegion",
        "ec2:VpceServicePrivateDnsName",
        "ec2:VpceServiceRegion",
        "ec2:VpceSupportedRegion"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html#vpc-endpoint-policies",
      "name": "vpc-endpoint-service-permission",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:vpc-endpoint-service-permission/${VpcEndpointServicePermissionId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html",
      "name": "vpc-flow-log",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:vpc-flow-log/${VpcFlowLogId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html",
      "name": "vpc",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:vpc/${VpcId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Ipv4IpamPoolId",
        "ec2:Ipv6IpamPoolId",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}",
        "ec2:Tenancy",
        "ec2:VpcID"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html",
      "name": "vpc-peering-connection",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:vpc-peering-connection/${VpcPeeringConnectionId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:AccepterVpc",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:Region",
        "ec2:RequesterVpc",
        "ec2:ResourceTag/${TagKey}",
        "ec2:VpcPeeringConnectionID"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html",
      "name": "vpn-concentrator",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:vpn-concentrator/${VpnConcentratorId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html",
      "name": "vpn-connection-device-type",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:vpn-connection-device-type/${VpnConnectionDeviceTypeId}",
      "conditions": [
        "ec2:Region"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html",
      "name": "vpn-connection",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:vpn-connection/${VpnConnectionId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Attribute",
        "ec2:Attribute/${AttributeName}",
        "ec2:AuthenticationType",
        "ec2:DPDTimeoutSeconds",
        "ec2:GatewayType",
        "ec2:IKEVersions",
        "ec2:InsideTunnelCidr",
        "ec2:InsideTunnelIpv6Cidr",
        "ec2:Phase1DHGroup",
        "ec2:Phase1EncryptionAlgorithms",
        "ec2:Phase1IntegrityAlgorithms",
        "ec2:Phase1LifetimeSeconds",
        "ec2:Phase2DHGroup",
        "ec2:Phase2EncryptionAlgorithms",
        "ec2:Phase2IntegrityAlgorithms",
        "ec2:Phase2LifetimeSeconds",
        "ec2:Region",
        "ec2:RekeyFuzzPercentage",
        "ec2:RekeyMarginTimeSeconds",
        "ec2:ReplayWindowSizePackets",
        "ec2:ResourceTag/${TagKey}",
        "ec2:RoutingType"
      ]
    },
    {
      "url": "https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html",
      "name": "vpn-gateway",
      "arn": "arn:${Partition}:ec2:${Region}:${Account}:vpn-gateway/${VpnGatewayId}",
      "conditions": [
        "aws:RequestTag/${TagKey}",
        "aws:ResourceTag/${TagKey}",
        "aws:TagKeys",
        "ec2:Region",
        "ec2:ResourceTag/${TagKey}"
      ]
    }
  ],
  "conditions": [
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/supported-iam-actions-tagging.html#control-tagging",
      "name": "aws:RequestTag/${TagKey}",
      "description": "Filters access by a tag key and value pair that is allowed in the request",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/control-access-with-tags.html",
      "name": "aws:ResourceTag/${TagKey}",
      "description": "Filters access by a tag key and value pair of a resource",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/supported-iam-actions-tagging.html#control-tagging",
      "name": "aws:TagKeys",
      "description": "Filters access by a list of tag keys that are allowed in the request",
      "type": "ArrayOfString"
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/peering/security-iam.html",
      "name": "ec2:AccepterVpc",
      "description": "Filters access by the ARN of an accepter VPC in a VPC peering connection",
      "type": "ARN"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:Add/group",
      "description": "Filters access by the group being added to a snapshot",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:Add/userId",
      "description": "Filters access by the account ID being added to a snapshot",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:AllocationId",
      "description": "Filters access by the allocation ID of the Elastic IP address",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:AssociatePublicIpAddress",
      "description": "Filters access by whether the user wants to associate a public IP address with the instance",
      "type": "Bool"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#attribute-key",
      "name": "ec2:Attribute",
      "description": "Filters access by an attribute of a resource",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#attribute-key",
      "name": "ec2:Attribute/${AttributeName}",
      "description": "Filters access by an attribute being set on a resource",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-authentication-access-control.html",
      "name": "ec2:AuthenticationType",
      "description": "Filters access by the authentication type for the VPN tunnel endpoints",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:AuthorizedService",
      "description": "Filters access by the AWS service that has permission to use a resource",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:AuthorizedUser",
      "description": "Filters access by an IAM principal that has permission to use a resource",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:AutoPlacement",
      "description": "Filters access by the Auto Placement properties of a Dedicated Host",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:AvailabilityZone",
      "description": "Filters access by the name of an Availability Zone in an AWS Region",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:AvailabilityZoneId",
      "description": "Filters access by the ID of an Availability Zone in an AWS Region",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:CapacityReservationFleet",
      "description": "Filters access by the ARN of the Capacity Reservation Fleet",
      "type": "ARN"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:ClientRootCertificateChainArn",
      "description": "Filters access by the ARN of the client root certificate chain",
      "type": "ARN"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:CloudwatchLogGroupArn",
      "description": "Filters access by the ARN of the CloudWatch Logs log group",
      "type": "ARN"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:CloudwatchLogStreamArn",
      "description": "Filters access by the ARN of the CloudWatch Logs log stream",
      "type": "ARN"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:CommitmentDuration",
      "description": "Filters access by the commitment duration of the Capacity Reservation",
      "type": "Numeric"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html",
      "name": "ec2:CpuOptionsAmdSevSnp",
      "description": "Filters access by the state of AMD SEV-SNP CPU Options. Currently, only US East (Ohio) and Europe (Ireland) are supported",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/supported-iam-actions-tagging.html",
      "name": "ec2:CreateAction",
      "description": "Filters access by the name of a resource-creating API action",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:CreateDate",
      "description": "Filters access by the date and time at which the Capacity Reservation was created",
      "type": "Date"
    },
    {
      "url": "https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-authentication-access-control.html",
      "name": "ec2:DPDTimeoutSeconds",
      "description": "Filters access by the duration after which DPD timeout occurs on a VPN tunnel",
      "type": "Numeric"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:DestinationCapacityReservationId",
      "description": "Filters access by the ID of the Capacity Reservation that you want to move capacity into",
      "type": "ARN"
    },
    {
      "url": "iam-policies-for-amazon-ec2.html#imageId-key",
      "name": "ec2:DhcpOptionsID",
      "description": "Filters access by the ID of a dynamic host configuration protocol (DHCP) options set",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:DirectoryArn",
      "description": "Filters access by the ARN of the directory",
      "type": "ARN"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:Domain",
      "description": "Filters access by the domain of the Elastic IP address",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:EbsOptimized",
      "description": "Filters access by whether the instance is enabled for EBS optimization",
      "type": "Bool"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:ElasticGpuType",
      "description": "Filters access by the type of Elastic Graphics accelerator",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:Encrypted",
      "description": "Filters access by whether the EBS volume is encrypted",
      "type": "Bool"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:EndDate",
      "description": "Filters access by the date and time at which the Capacity Reservation ends",
      "type": "Date"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:EndDateType",
      "description": "Filters access by the way in which the Capacity Reservation ends",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:EphemeralStorage",
      "description": "Filters access by whether the instance is enabled for ephemeral storage",
      "type": "Bool"
    },
    {
      "url": "https://docs.aws.amazon.com/fis/latest/userguide/fis-actions-reference.html",
      "name": "ec2:FisActionId",
      "description": "Filters access by the ID of an AWS FIS action",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/fis/latest/userguide/fis-actions-reference.html",
      "name": "ec2:FisTargetArns",
      "description": "Filters access by the ARN of an AWS FIS target",
      "type": "ArrayOfARN"
    },
    {
      "url": "https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-authentication-access-control.html",
      "name": "ec2:GatewayType",
      "description": "Filters access by the gateway type for a VPN endpoint on the AWS side of a VPN connection",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:HostRecovery",
      "description": "Filters access by whether host recovery is enabled for a Dedicated Host",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-authentication-access-control.html",
      "name": "ec2:IKEVersions",
      "description": "Filters access by the internet key exchange (IKE) versions that are permitted for a VPN tunnel",
      "type": "ArrayOfString"
    },
    {
      "url": "iam-policies-for-amazon-ec2.html#imageId-key",
      "name": "ec2:ImageID",
      "description": "Filters access by the ID of an image",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:ImageType",
      "description": "Filters access by the type of image (machine, aki, or ari)",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-authentication-access-control.html",
      "name": "ec2:InsideTunnelCidr",
      "description": "Filters access by the range of inside IP addresses for a VPN tunnel",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-authentication-access-control.html",
      "name": "ec2:InsideTunnelIpv6Cidr",
      "description": "Filters access by a range of inside IPv6 addresses for a VPN tunnel",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:InstanceAutoRecovery",
      "description": "Filters access by whether the instance type supports auto recovery",
      "type": "String"
    },
    {
      "url": "iam-policies-for-amazon-ec2.html#imageId-key",
      "name": "ec2:InstanceBandwidthWeighting",
      "description": "Filters access by the bandwidth weighting of an instance",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:InstanceCount",
      "description": "Filters access by the number of instances",
      "type": "Numeric"
    },
    {
      "url": "iam-policies-for-amazon-ec2.html#imageId-key",
      "name": "ec2:InstanceID",
      "description": "Filters access by the ID of an instance",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:InstanceMarketType",
      "description": "Filters access by the market or purchasing option of an instance (capacity-block, on-demand, or spot)",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:InstanceMatchCriteria",
      "description": "Filters access by the type of instance launches that the Capacity Reservation accepts",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:InstanceMetadataTags",
      "description": "Filters access by whether the instance allows access to instance tags from the instance metadata",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:InstancePlatform",
      "description": "Filters access by the type of operating system for which the Capacity Reservation reserves capacity",
      "type": "ARN"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:InstanceProfile",
      "description": "Filters access by the ARN of an instance profile",
      "type": "ARN"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:InstanceType",
      "description": "Filters access by the type of instance",
      "type": "String"
    },
    {
      "url": "iam-policies-for-amazon-ec2.html#imageId-key",
      "name": "ec2:InternetGatewayID",
      "description": "Filters access by the ID of an internet gateway",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:InterruptibleCapacityReservationId",
      "description": "Filters access by the ID of an interruptible Capacity Reservation",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:InterruptionType",
      "description": "Filters access by the type of interruption",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:IpamPrefixListResolverTargetId",
      "description": "Filters access by the IPAM prefix list resolver target ID that is syncing CIDRs to a managed prefix list",
      "type": "String"
    },
    {
      "url": "iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:Ipv4IpamPoolId",
      "description": "Filters access by the ID of an IPAM pool provided for IPv4 CIDR block allocation",
      "type": "String"
    },
    {
      "url": "iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:Ipv6IpamPoolId",
      "description": "Filters access by the ID of an IPAM pool provided for IPv6 CIDR block allocation",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:IsInterruptible",
      "description": "Filters access by whether Capacity Reservations are interruptible",
      "type": "Bool"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:IsLaunchTemplateResource",
      "description": "Filters access by whether users are able to override resources that are specified in the launch template",
      "type": "Bool"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:KeyPairName",
      "description": "Filters access by the name of a key pair",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:KeyPairType",
      "description": "Filters access by the type of a key pair",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:KmsKeyId",
      "description": "Filters access by the ID of an AWS KMS key provided in the request",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:LaunchTemplate",
      "description": "Filters access by the ARN of a launch template",
      "type": "ARN"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:Location",
      "description": "Filters access by the destination for the snapshot copy",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:ManagedResourceOperator",
      "description": "Filters access by the presence of an EC2 operator provisioning a managed resource",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:MetadataHttpEndpoint",
      "description": "Filters access by whether the HTTP endpoint is enabled for the instance metadata service",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:MetadataHttpPutResponseHopLimit",
      "description": "Filters access by the allowed number of hops when calling the instance metadata service",
      "type": "Numeric"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:MetadataHttpTokens",
      "description": "Filters access by whether tokens are required when calling the instance metadata service (optional or required)",
      "type": "String"
    },
    {
      "url": "iam-policies-for-amazon-ec2.html#imageId-key",
      "name": "ec2:NetworkAclID",
      "description": "Filters access by the ID of a network access control list (ACL)",
      "type": "String"
    },
    {
      "url": "iam-policies-for-amazon-ec2.html#imageId-key",
      "name": "ec2:NetworkInterfaceID",
      "description": "Filters access by the ID of an elastic network interface",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:NewInstanceProfile",
      "description": "Filters access by the ARN of the instance profile being attached",
      "type": "ARN"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:OutpostArn",
      "description": "Filters access by the ARN of the Outpost",
      "type": "ARN"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:Owner",
      "description": "Filters access by the owner of the resource (amazon, aws-marketplace, or an AWS account ID)",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:ParentSnapshot",
      "description": "Filters access by the ARN of the parent snapshot",
      "type": "ARN"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:ParentVolume",
      "description": "Filters access by the ARN of the parent volume from which the snapshot was created",
      "type": "ARN"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:Permission",
      "description": "Filters access by the type of permission for a resource (INSTANCE-ATTACH or EIP-ASSOCIATE)",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-authentication-access-control.html",
      "name": "ec2:Phase1DHGroup",
      "description": "Filters access by the Diffie-Hellman group numbers that are permitted for a VPN tunnel for the phase 1 IKE negotiations",
      "type": "ArrayOfString"
    },
    {
      "url": "https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-authentication-access-control.html",
      "name": "ec2:Phase1EncryptionAlgorithms",
      "description": "Filters access by the encryption algorithms that are permitted for a VPN tunnel for the phase 1 IKE negotiations",
      "type": "ArrayOfString"
    },
    {
      "url": "https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-authentication-access-control.html",
      "name": "ec2:Phase1IntegrityAlgorithms",
      "description": "Filters access by the integrity algorithms that are permitted for a VPN tunnel for the phase 1 IKE negotiations",
      "type": "ArrayOfString"
    },
    {
      "url": "https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-authentication-access-control.html",
      "name": "ec2:Phase1LifetimeSeconds",
      "description": "Filters access by the lifetime in seconds for phase 1 of the IKE negotiations for a VPN tunnel",
      "type": "Numeric"
    },
    {
      "url": "https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-authentication-access-control.html",
      "name": "ec2:Phase2DHGroup",
      "description": "Filters access by the Diffie-Hellman group numbers that are permitted for a VPN tunnel for the phase 2 IKE negotiations",
      "type": "ArrayOfString"
    },
    {
      "url": "https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-authentication-access-control.html",
      "name": "ec2:Phase2EncryptionAlgorithms",
      "description": "Filters access by the encryption algorithms that are permitted for a VPN tunnel for the phase 2 IKE negotiations",
      "type": "ArrayOfString"
    },
    {
      "url": "https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-authentication-access-control.html",
      "name": "ec2:Phase2IntegrityAlgorithms",
      "description": "Filters access by the integrity algorithms that are permitted for a VPN tunnel for the phase 2 IKE negotiations",
      "type": "ArrayOfString"
    },
    {
      "url": "https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-authentication-access-control.html",
      "name": "ec2:Phase2LifetimeSeconds",
      "description": "Filters access by the lifetime in seconds for phase 2 of the IKE negotiations for a VPN tunnel",
      "type": "Numeric"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:PlacementGroup",
      "description": "Filters access by the ARN of the placement group",
      "type": "ARN"
    },
    {
      "url": "iam-policies-for-amazon-ec2.html#imageId-key",
      "name": "ec2:PlacementGroupName",
      "description": "Filters access by the name of a placement group",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:PlacementGroupStrategy",
      "description": "Filters access by the instance placement strategy used by the placement group (cluster, spread, or partition)",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:ProductCode",
      "description": "Filters access by the product code that is associated with the AMI",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:Public",
      "description": "Filters access by whether the image has public launch permissions",
      "type": "Bool"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:PublicIpAddress",
      "description": "Filters access by a public IP address",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:Quantity",
      "description": "Filters access by the number of Dedicated Hosts in a request",
      "type": "Numeric"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:Region",
      "description": "Filters access by the name of the AWS Region",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-authentication-access-control.html",
      "name": "ec2:RekeyFuzzPercentage",
      "description": "Filters access by the percentage of increase of the rekey window (determined by the rekey margin time) within which the rekey time is randomly selected for a VPN tunnel",
      "type": "Numeric"
    },
    {
      "url": "https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-authentication-access-control.html",
      "name": "ec2:RekeyMarginTimeSeconds",
      "description": "Filters access by the margin time before the phase 2 lifetime expires for a VPN tunnel",
      "type": "Numeric"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:Remove/group",
      "description": "Filters access by the group being removed from a snapshot",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:Remove/userId",
      "description": "Filters access by the account ID being removed from a snapshot",
      "type": "String"
    },
    {
      "url": "iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:ReplayWindowSizePackets",
      "description": "Filters access by the number of packets in an IKE replay window",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/peering/security-iam.html",
      "name": "ec2:RequesterVpc",
      "description": "Filters access by the ARN of a requester VPC in a VPC peering connection",
      "type": "ARN"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-reserved-instances.html#ri-payment-options",
      "name": "ec2:ReservedInstancesOfferingType",
      "description": "Filters access by the payment option of the Reserved Instance offering (No Upfront, Partial Upfront, or All Upfront)",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/control-access-with-tags.html",
      "name": "ec2:ResourceTag/${TagKey}",
      "description": "Filters access by a tag key and value pair of a resource",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:RoleDelivery",
      "description": "Filters access by the version of the instance metadata service for retrieving IAM role credentials for EC2",
      "type": "Numeric"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:RootDeviceType",
      "description": "Filters access by the root device type of the instance (ebs or instance-store)",
      "type": "String"
    },
    {
      "url": "iam-policies-for-amazon-ec2.html#imageId-key",
      "name": "ec2:RouteTableID",
      "description": "Filters access by the ID of a route table",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-authentication-access-control.html",
      "name": "ec2:RoutingType",
      "description": "Filters access by the routing type for the VPN connection",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:SamlProviderArn",
      "description": "Filters access by the ARN of the IAM SAML identity provider",
      "type": "ARN"
    },
    {
      "url": "iam-policies-for-amazon-ec2.html#imageId-key",
      "name": "ec2:SecurityGroupID",
      "description": "Filters access by the ID of a security group",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:ServerCertificateArn",
      "description": "Filters access by the ARN of the server certificate",
      "type": "ARN"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:SnapshotCoolOffPeriod",
      "description": "Filters access by the compliance mode cooling-off period",
      "type": "Numeric"
    },
    {
      "url": "iam-policies-for-amazon-ec2.html#imageId-key",
      "name": "ec2:SnapshotID",
      "description": "Filters access by the ID of a snapshot",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:SnapshotLockDuration",
      "description": "Filters access by the snapshot lock duration",
      "type": "Numeric"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:SnapshotTime",
      "description": "Filters access by the initiation time of a snapshot",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:SourceAvailabilityZone",
      "description": "Filters access by the name of the Availability Zone from which the request originated",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:SourceCapacityReservationId",
      "description": "Filters access by the ID of the Capacity Reservation from which you want to move capacity",
      "type": "ARN"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:SourceInstanceARN",
      "description": "Filters access by the ARN of the instance from which the request originated",
      "type": "ARN"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:SourceOutpostArn",
      "description": "Filters access by the ARN of the Outpost from which the request originated",
      "type": "ARN"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:Subnet",
      "description": "Filters access by the ARN of the subnet",
      "type": "ARN"
    },
    {
      "url": "iam-policies-for-amazon-ec2.html#imageId-key",
      "name": "ec2:SubnetID",
      "description": "Filters access by the ID of a subnet",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:TargetInstanceCount",
      "description": "Filters access by the number of instances the interruptible Capacity Reservation is assigned",
      "type": "Numeric"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:Tenancy",
      "description": "Filters access by the tenancy of the VPC or instance (default, dedicated, or host)",
      "type": "String"
    },
    {
      "url": "iam-policies-for-amazon-ec2.html#imageId-key",
      "name": "ec2:VolumeID",
      "description": "Filters access by the ID of a volume",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:VolumeInitializationRate",
      "description": "Filters access by the initialization rate of the volume, in MiBps",
      "type": "Numeric"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:VolumeIops",
      "description": "Filters access by the number of input/output operations per second (IOPS) provisioned for the volume",
      "type": "Numeric"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:VolumeSize",
      "description": "Filters access by the size of the volume, in GiB",
      "type": "Numeric"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:VolumeThroughput",
      "description": "Filters access by the throughput of the volume, in MiBps",
      "type": "Numeric"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:VolumeType",
      "description": "Filters access by the type of volume (gp2, gp3, io1, io2, st1, sc1, or standard)",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys",
      "name": "ec2:Vpc",
      "description": "Filters access by the ARN of the VPC",
      "type": "ARN"
    },
    {
      "url": "iam-policies-for-amazon-ec2.html#imageId-key",
      "name": "ec2:VpcID",
      "description": "Filters access by the ID of a virtual private cloud (VPC)",
      "type": "String"
    },
    {
      "url": "iam-policies-for-amazon-ec2.html#imageId-key",
      "name": "ec2:VpcPeeringConnectionID",
      "description": "Filters access by the ID of a VPC peering connection",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-iam.html",
      "name": "ec2:VpceMultiRegion",
      "description": "Filters access by multi region of the VPC endpoint service",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-iam.html",
      "name": "ec2:VpcePrivateDnsPreference",
      "description": "Filters access by the private DNS preference",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-iam.html",
      "name": "ec2:VpcePrivateDnsSpecifiedDomains",
      "description": "Filters access by the private DNS domains",
      "type": "ArrayOfString"
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-iam.html",
      "name": "ec2:VpceServiceName",
      "description": "Filters access by the name of the VPC endpoint service",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-iam.html",
      "name": "ec2:VpceServiceOwner",
      "description": "Filters access by the service owner of the VPC endpoint service (amazon, aws-marketplace, or an AWS account ID)",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-iam.html",
      "name": "ec2:VpceServicePrivateDnsName",
      "description": "Filters access by the private DNS name of the VPC endpoint service",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-iam.html",
      "name": "ec2:VpceServiceRegion",
      "description": "Filters access by the region of the VPC endpoint service",
      "type": "String"
    },
    {
      "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-iam.html",
      "name": "ec2:VpceSupportedRegion",
      "description": "Filters access by the supported region of the VPC endpoint service",
      "type": "String"
    },
    {
      "url": "iam-policies-for-amazon-ec2.html#imageId-key",
      "name": "ec2:transitGatewayAttachmentId",
      "description": "Filters access by the ID of a transit gateway attachment",
      "type": "String"
    },
    {
      "url": "iam-policies-for-amazon-ec2.html#imageId-key",
      "name": "ec2:transitGatewayConnectPeerId",
      "description": "Filters access by the ID of a transit gateway connect peer",
      "type": "String"
    },
    {
      "url": "iam-policies-for-amazon-ec2.html#imageId-key",
      "name": "ec2:transitGatewayId",
      "description": "Filters access by the ID of a transit gateway",
      "type": "String"
    },
    {
      "url": "iam-policies-for-amazon-ec2.html#imageId-key",
      "name": "ec2:transitGatewayMeteringPolicyId",
      "description": "Filters access by the ID of a transit gateway metering policy",
      "type": "String"
    },
    {
      "url": "iam-policies-for-amazon-ec2.html#imageId-key",
      "name": "ec2:transitGatewayMulticastDomainId",
      "description": "Filters access by the ID of a transit gateway multicast domain",
      "type": "String"
    },
    {
      "url": "iam-policies-for-amazon-ec2.html#imageId-key",
      "name": "ec2:transitGatewayPolicyTableId",
      "description": "Filters access by the ID of a transit gateway policy table",
      "type": "String"
    },
    {
      "url": "iam-policies-for-amazon-ec2.html#imageId-key",
      "name": "ec2:transitGatewayRouteTableAnnouncementId",
      "description": "Filters access by the ID of a transit gateway route table announcement",
      "type": "String"
    },
    {
      "url": "iam-policies-for-amazon-ec2.html#imageId-key",
      "name": "ec2:transitGatewayRouteTableId",
      "description": "Filters access by the ID of a transit gateway route table",
      "type": "String"
    }
  ]
}