Documentation Identity and Access Management Service Authorization Reference

Actions, resources, and condition keys for Amazon EC2

Amazon EC2 (service prefix:ec2) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Learn how to configure this service.
View a list of theAPI operations available for this service.
Learn how to secure this service and its resources byusing IAM permission policies.

Topics

Actions defined by Amazon EC2

You can specify the following actions in theAction element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

TheAccess level column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, seeAccess levels in policy summaries.

TheResource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in theResource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with theResource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

TheCondition keys column of the Actions table includes keys that you can specify in a policy statement'sCondition element. For more information on the condition keys that are associated with resources for the service, see theCondition keys column of the Resource types table.

TheDependent actions column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in theResource types (*required) column of the Actions table. The resource type in the Resource types table includes theCondition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, seeActions table.

Actions	Description	Access level	Resource types (*required)	Condition keys	Dependent actions
AcceptAddressTransfer	Grants permission to accept an Elastic IP address transfer	Write	elastic-ip*	aws:RequestTag/${TagKey} aws:TagKeys ec2:AllocationId ec2:Domain ec2:PublicIpAddress	ec2:CreateTags
AcceptAddressTransfer	Grants permission to accept an Elastic IP address transfer	Write		ec2:Region
AcceptCapacityReservationBillingOwnership	Grants permission to accept assign billing of the available capacity of a shared Capacity Reservation to the calling account	Write	capacity-reservation*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:CapacityReservationFleet ec2:CreateDate ec2:DestinationCapacityReservationId ec2:EbsOptimized ec2:EndDate ec2:EndDateType ec2:InstanceCount ec2:InstanceMatchCriteria ec2:InstancePlatform ec2:InstanceType ec2:OutpostArn ec2:PlacementGroup ec2:ResourceTag/${TagKey} ec2:SourceCapacityReservationId ec2:Tenancy
AcceptCapacityReservationBillingOwnership		Write		ec2:Region
AcceptReservedInstancesExchangeQuote	Grants permission to accept a Convertible Reserved Instance exchange quote	Write	reserved-instances*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:InstanceType ec2:ReservedInstancesOfferingType ec2:ResourceTag/${TagKey} ec2:Tenancy
AcceptReservedInstancesExchangeQuote		Write		ec2:Region
AcceptTransitGatewayMulticastDomainAssociations	Grants permission to accept a request to associate subnets with a transit gateway multicast domain	Write	transit-gateway-attachment	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayAttachmentId
			transit-gateway-multicast-domain	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayMulticastDomainId
				ec2:Region
AcceptTransitGatewayPeeringAttachment	Grants permission to accept a transit gateway peering attachment request	Write	transit-gateway-attachment*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayAttachmentId
AcceptTransitGatewayPeeringAttachment		Write		ec2:Region
AcceptTransitGatewayVpcAttachment	Grants permission to accept a request to attach a VPC to a transit gateway	Write	transit-gateway-attachment*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayAttachmentId
AcceptTransitGatewayVpcAttachment		Write		ec2:Region
AcceptVpcEndpointConnections	Grants permission to accept one or more interface VPC endpoint connections to your VPC endpoint service	Write	vpc-endpoint-service*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:VpceMultiRegion ec2:VpceSupportedRegion
AcceptVpcEndpointConnections		Write		ec2:Region
AcceptVpcPeeringConnection	Grants permission to accept a VPC peering connection request	Write	vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
			vpc-peering-connection*	aws:ResourceTag/${TagKey} ec2:AccepterVpc ec2:RequesterVpc ec2:ResourceTag/${TagKey} ec2:VpcPeeringConnectionID
				ec2:Region
AdvertiseByoipCidr	Grants permission to advertise an IP address range that is provisioned for use in AWS through bring your own IP addresses (BYOIP)	Write		ec2:Region
AllocateAddress	Grants permission to allocate an Elastic IP address (EIP) to your account	Write	elastic-ip*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags
			ipam-pool	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			ipv4pool-ec2	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
AllocateHosts	Grants permission to allocate a Dedicated Host to your account	Write	dedicated-host*	aws:RequestTag/${TagKey} aws:TagKeys ec2:AutoPlacement ec2:AvailabilityZone ec2:HostRecovery ec2:InstanceType ec2:Quantity	ec2:CreateTags
AllocateHosts		Write		ec2:Region
AllocateIpamPoolCidr	Grants permission to allocate a CIDR from an Amazon VPC IP Address Manager (IPAM) pool	Write	ipam-pool*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
AllocateIpamPoolCidr		Write		ec2:Region
ApplySecurityGroupsToClientVpnTargetNetwork	Grants permission to apply a security group to the association between a Client VPN endpoint and a target network	Write	client-vpn-endpoint*	aws:ResourceTag/${TagKey} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
			security-group*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
			vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
				ec2:Region
AssignIpv6Addresses	Grants permission to assign one or more IPv6 addresses to a network interface	Write	network-interface*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ManagedResourceOperator ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
AssignIpv6Addresses		Write		ec2:Region
AssignPrivateIpAddresses	Grants permission to assign one or more secondary private IP addresses to a network interface	Write	network-interface*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ManagedResourceOperator ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
AssignPrivateIpAddresses		Write		ec2:Region
AssignPrivateNatGatewayAddress	Grants permission to assign one or more secondary private IP addresses to a private NAT gateway	Write	natgateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
AssignPrivateNatGatewayAddress		Write		ec2:Region
AssociateAddress	Grants permission to associate an Elastic IP address (EIP) with an instance or a network interface	Write	elastic-ip	aws:ResourceTag/${TagKey} ec2:AllocationId ec2:Domain ec2:PublicIpAddress ec2:ResourceTag/${TagKey}
			instance	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
			network-interface	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ManagedResourceOperator ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
				ec2:Region
AssociateCapacityReservationBillingOwner	Grants permission to assign billing of the unused capacity of a shared Capacity Reservation to a consumer account	Write	capacity-reservation*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:CapacityReservationFleet ec2:CreateDate ec2:DestinationCapacityReservationId ec2:EbsOptimized ec2:EndDate ec2:EndDateType ec2:InstanceCount ec2:InstanceMatchCriteria ec2:InstancePlatform ec2:InstanceType ec2:OutpostArn ec2:PlacementGroup ec2:ResourceTag/${TagKey} ec2:SourceCapacityReservationId ec2:Tenancy
AssociateCapacityReservationBillingOwner		Write		ec2:Region
AssociateClientVpnTargetNetwork	Grants permission to associate a target network with a Client VPN endpoint	Write	client-vpn-endpoint*	aws:ResourceTag/${TagKey} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
			subnet*	aws:ResourceTag/${TagKey} ec2:AvailabilityZoneId ec2:ResourceTag/${TagKey} ec2:SubnetID
				ec2:Region
AssociateDhcpOptions	Grants permission to associate or disassociate a set of DHCP options with a VPC	Write	dhcp-options*	aws:ResourceTag/${TagKey} ec2:DhcpOptionsID ec2:ResourceTag/${TagKey}
			vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
				ec2:Region
AssociateEnclaveCertificateIamRole	Grants permission to associate an ACM certificate with an IAM role to be used in an EC2 Enclave	Write	certificate*
			role*
				ec2:Region
AssociateIamInstanceProfile	Grants permission to associate an IAM instance profile with a running or stopped instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:NewInstanceProfile ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy	iam:PassRole
AssociateIamInstanceProfile		Write		ec2:Region
AssociateInstanceEventWindow	Grants permission to associate one or more targets with an event window	Write	instance-event-window*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
AssociateInstanceEventWindow		Write		ec2:Region
AssociateIpamByoasn	Grants permission to associate an Autonomous System Number (ASN) with a BYOIP CIDR	Write		ec2:Region
AssociateIpamResourceDiscovery	Grants permission to associate an IPAM resource discovery with an Amazon VPC IPAM	Write	ipam*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}	ec2:CreateTags
			ipam-resource-discovery*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			ipam-resource-discovery-association*	aws:RequestTag/${TagKey} aws:TagKeys
				ec2:Region
AssociateNatGatewayAddress	Grants permission to associate an Elastic IP address and private IP address with a public Nat gateway	Write	elastic-ip*	aws:ResourceTag/${TagKey} ec2:AllocationId ec2:Domain ec2:PublicIpAddress ec2:ResourceTag/${TagKey}
			natgateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
AssociateRouteServer	Grants permission to associate a route server with a VPC	Write	route-server*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			vpc*	aws:ResourceTag/${TagKey} ec2:Ipv4IpamPoolId ec2:Ipv6IpamPoolId ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
				ec2:Region
AssociateRouteTable	Grants permission to associate a subnet or gateway with a route table	Write	route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:RouteTableID ec2:Vpc
			internet-gateway	aws:ResourceTag/${TagKey} ec2:InternetGatewayID ec2:ResourceTag/${TagKey}
			ipv4pool-ec2	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			subnet	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
			vpn-gateway	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
AssociateSecurityGroupVpc	Grants permission to associate a security group with another VPC in the same Region	Write	security-group*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
			vpc*	aws:ResourceTag/${TagKey} ec2:Ipv4IpamPoolId ec2:Ipv6IpamPoolId ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
				ec2:Region
AssociateSubnetCidrBlock	Grants permission to associate a CIDR block with a subnet	Write	subnet*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:Ipv6IpamPoolId ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
			ipam-pool	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
AssociateTransitGatewayMulticastDomain	Grants permission to associate an attachment and list of subnets with a transit gateway multicast domain	Write	subnet*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
			transit-gateway-attachment*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayAttachmentId
			transit-gateway-multicast-domain*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayMulticastDomainId
				ec2:Region
AssociateTransitGatewayPolicyTable	Grants permission to associate a policy table with a transit gateway attachment	Write	transit-gateway-attachment*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayAttachmentId
			transit-gateway-policy-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayPolicyTableId
				ec2:Region
AssociateTransitGatewayRouteTable	Grants permission to associate an attachment with a transit gateway route table	Write	transit-gateway-attachment*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayAttachmentId
			transit-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayRouteTableId
				ec2:Region
AssociateTrunkInterface	Grants permission to associate a branch network interface with a trunk network interface	Write		ec2:Region
AssociateVerifiedAccessInstanceWebAcl [permission only]	Grants permission to associate an AWS Web Application Firewall (WAF) web access control list (ACL) with a Verified Access instance	Write	verified-access-instance*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
AssociateVerifiedAccessInstanceWebAcl [permission only]		Write		ec2:Region
AssociateVpcCidrBlock	Grants permission to associate a CIDR block with a VPC	Write	vpc*	aws:ResourceTag/${TagKey} ec2:Ipv4IpamPoolId ec2:Ipv6IpamPoolId ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
			ipam-pool	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			ipv6pool-ec2	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
AttachClassicLinkVpc	Grants permission to link an EC2-Classic instance to a ClassicLink-enabled VPC through one or more of the VPC's security groups	Write	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
			security-group*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
			vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
				ec2:Region
AttachInternetGateway	Grants permission to attach an internet gateway to a VPC	Write	internet-gateway*	aws:ResourceTag/${TagKey} ec2:InternetGatewayID ec2:ResourceTag/${TagKey}
			vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
				ec2:Region
AttachNetworkInterface	Grants permission to attach a network interface to an instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
			network-interface*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ManagedResourceOperator ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
				ec2:Region
AttachVerifiedAccessTrustProvider	Grants permission to attach a trust provider to a Verified Access instance	Write	verified-access-instance*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			verified-access-trust-provider*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
AttachVolume	Grants permission to attach an EBS volume to a running or stopped instance and expose it to the instance with the specified device name	Write	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
			volume*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:Encrypted ec2:ManagedResourceOperator ec2:ParentSnapshot ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:VolumeID ec2:VolumeInitializationRate ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType
				ec2:Region
AttachVpnGateway	Grants permission to attach a virtual private gateway to a VPC	Write	vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
			vpn-gateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
AuthorizeClientVpnIngress	Grants permission to add an inbound authorization rule to a Client VPN endpoint	Write	client-vpn-endpoint*	aws:ResourceTag/${TagKey} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
AuthorizeClientVpnIngress		Write		ec2:Region
AuthorizeSecurityGroupEgress	Grants permission to add one or more outbound rules to a VPC security group. Policies using the security-group-rule resource-level permission are only enforced when the API request includes TagSpecifications	Write	security-group*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc	ec2:CreateTags
			security-group-rule	aws:RequestTag/${TagKey} aws:TagKeys
				ec2:Region
AuthorizeSecurityGroupIngress	Grants permission to add one or more inbound rules to a VPC security group. Policies using the security-group-rule resource-level permission are only enforced when the API request includes TagSpecifications	Write	security-group*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc	ec2:CreateTags
			security-group-rule	aws:RequestTag/${TagKey} aws:TagKeys
				ec2:Region
BundleInstance	Grants permission to bundle an instance store-backed Windows instance	Write		ec2:Region
CancelBundleTask	Grants permission to cancel a bundling operation	Write		ec2:Region
CancelCapacityReservation	Grants permission to cancel a Capacity Reservation and release the reserved capacity	Write	capacity-reservation*	aws:ResourceTag/${TagKey} ec2:CapacityReservationFleet
CancelCapacityReservation		Write		ec2:Region
CancelCapacityReservationFleets	Grants permission to cancel one or more Capacity Reservation Fleets	Write	capacity-reservation-fleet*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}	ec2:CancelCapacityReservation
CancelCapacityReservationFleets		Write		ec2:Region
CancelConversionTask	Grants permission to cancel an active conversion task	Write		ec2:Region
CancelDeclarativePoliciesReport	Grants permission to cancel a declarative policies report	Write	declarative-policies-report*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
CancelDeclarativePoliciesReport	Grants permission to cancel a declarative policies report	Write		ec2:Region
CancelExportTask	Grants permission to cancel an active export task	Write	export-image-task	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			export-instance-task	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
CancelImageLaunchPermission	Grants permission to remove your AWS account from the launch permissions for the specified AMI	Permissions management	image*	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
CancelImageLaunchPermission		Permissions management		ec2:Region
CancelImportTask	Grants permission to cancel an in-process import virtual machine or import snapshot task	Write	import-image-task	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			import-snapshot-task	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
CancelReservedInstancesListing	Grants permission to cancel a Reserved Instance listing on the Reserved Instance Marketplace	Write		ec2:Region
CancelSpotFleetRequests	Grants permission to cancel one or more Spot Fleet requests	Write	spot-fleet-request*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
CancelSpotFleetRequests	Grants permission to cancel one or more Spot Fleet requests	Write		ec2:Region
CancelSpotInstanceRequests	Grants permission to cancel one or more Spot Instance requests	Write	spot-instances-request*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
CancelSpotInstanceRequests		Write		ec2:Region
ConfirmProductInstance	Grants permission to determine whether an owned product code is associated with an instance	Write		ec2:Region
CopyFpgaImage	Grants permission to copy a source Amazon FPGA image (AFI) to the current Region. Resource-level permissions specified for this action apply to the new AFI only. They do not apply to the source AFI	Write	fpga-image*	ec2:Owner
CopyFpgaImage		Write		ec2:Region
CopyImage	Grants permission to copy an Amazon Machine Image (AMI) from a source Region to the current Region	Write	image*	aws:RequestTag/${TagKey} aws:TagKeys ec2:ImageID ec2:Owner	ec2:CreateTags
			snapshot*	aws:RequestTag/${TagKey} aws:TagKeys
				ec2:Region
CopySnapshot	Grants permission to copy a point-in-time snapshot of an EBS volume and store it in Amazon S3. Resource-level permissions specified for this action apply to both the snapshot copy and the source snapshot	Write	snapshot*	aws:RequestTag/${TagKey} aws:TagKeys ec2:Encrypted ec2:OutpostArn ec2:Owner ec2:ParentSnapshot ec2:ParentVolume ec2:ProductCode ec2:SnapshotID ec2:SnapshotTime ec2:VolumeSize	ec2:CreateTags
CopySnapshot		Write		ec2:Region
CopyVolumes	Grants permission to create a copy of an EBS volume. Resource-level permissions specified for this action apply to the source and copied volume. Condition keys for the copied volume correspond to parameters specified in the CopyVolumes API request	Write	volume*	aws:RequestTag/${TagKey} aws:TagKeys ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:Encrypted ec2:ManagedResourceOperator ec2:ParentSnapshot ec2:ParentVolume ec2:VolumeInitializationRate ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType	ec2:CreateTags
CopyVolumes		Write		ec2:Region
CreateCapacityManagerDataExport	Grants permission to create a new S3 Data Export for Capacity Manager	Write	capacity-manager-data-export*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags
CreateCapacityManagerDataExport		Write		ec2:Region
CreateCapacityReservation	Grants permission to create a Capacity Reservation	Write	capacity-reservation*	aws:RequestTag/${TagKey} aws:TagKeys ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CapacityReservationFleet ec2:EbsOptimized ec2:EndDate ec2:EndDateType ec2:EphemeralStorage ec2:InstanceCount ec2:InstanceMatchCriteria ec2:InstancePlatform ec2:InstanceType ec2:OutpostArn ec2:PlacementGroup ec2:Tenancy	ec2:CreateTags
CreateCapacityReservation	Grants permission to create a Capacity Reservation	Write		ec2:Region
CreateCapacityReservationBySplitting	Grants permission to create a new Capacity Reservation by splitting the available capacity of the source Capacity Reservation	Write	capacity-reservation*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:CapacityReservationFleet ec2:CreateDate ec2:DestinationCapacityReservationId ec2:EbsOptimized ec2:EndDate ec2:EndDateType ec2:InstanceCount ec2:InstanceMatchCriteria ec2:InstancePlatform ec2:InstanceType ec2:OutpostArn ec2:PlacementGroup ec2:ResourceTag/${TagKey} ec2:SourceCapacityReservationId ec2:Tenancy	ec2:CreateTags
CreateCapacityReservationBySplitting		Write		ec2:Region
CreateCapacityReservationFleet	Grants permission to create a Capacity Reservation Fleet	Write	capacity-reservation-fleet*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateCapacityReservation ec2:CreateTags ec2:DescribeCapacityReservations ec2:DescribeInstances
CreateCapacityReservationFleet	Grants permission to create a Capacity Reservation Fleet	Write		ec2:Region
CreateCarrierGateway	Grants permission to create a carrier gateway and provides CSP connectivity to VPC customers	Write	carrier-gateway*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags
			vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
				ec2:Region
CreateClientVpnEndpoint	Grants permission to create a Client VPN endpoint	Write	client-vpn-endpoint*	aws:RequestTag/${TagKey} aws:TagKeys ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:SamlProviderArn ec2:ServerCertificateArn	ec2:CreateTags
			security-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID
			vpc	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:VpcID
				ec2:Region
CreateClientVpnRoute	Grants permission to add a network route to a Client VPN endpoint's route table	Write	client-vpn-endpoint*	aws:ResourceTag/${TagKey} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
			subnet*	aws:ResourceTag/${TagKey} ec2:AvailabilityZoneId ec2:ResourceTag/${TagKey} ec2:SubnetID
				ec2:Region
CreateCoipCidr	Grants permission to create a range of customer-owned IP (CoIP) addresses	Write	coip-pool*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
CreateCoipCidr		Write		ec2:Region
CreateCoipPool	Grants permission to create a pool of customer-owned IP (CoIP) addresses	Write	coip-pool*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags
			local-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
CreateCoipPoolPermission [permission only]	Grants permission to allow a service to access a customer-owned IP (CoIP) pool	Permissions management	coip-pool*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
CreateCoipPoolPermission [permission only]		Permissions management		ec2:Region
CreateCustomerGateway	Grants permission to create a customer gateway, which provides information to AWS about your customer gateway device	Write	customer-gateway*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags
CreateCustomerGateway		Write		ec2:Region
CreateDefaultSubnet	Grants permission to create a default subnet in a specified Availability Zone in a default VPC	Write		ec2:Region
CreateDefaultVpc	Grants permission to create a default VPC with a default subnet in each Availability Zone	Write		ec2:Region
CreateDelegateMacVolumeOwnershipTask	Grants permission to create a volume ownership delegation task for an Apple silicon Mac instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy	ec2:CreateTags
			mac-modification-task*	aws:RequestTag/${TagKey} aws:TagKeys
				ec2:Region
CreateDhcpOptions	Grants permission to create a set of DHCP options for a VPC	Write	dhcp-options*	aws:RequestTag/${TagKey} aws:TagKeys ec2:DhcpOptionsID	ec2:CreateTags
CreateDhcpOptions	Grants permission to create a set of DHCP options for a VPC	Write		ec2:Region
CreateEgressOnlyInternetGateway	Grants permission to create an egress-only internet gateway for a VPC	Write	egress-only-internet-gateway*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags
			vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
				ec2:Region
CreateFleet	Grants permission to launch an EC2 Fleet. Resource-level permissions for this action do not include the resources specified in a launch template. To specify resource-level permissions for resources specified in a launch template, you must include the resources in the RunInstances action statement	Write	fleet*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags
			instance*	aws:RequestTag/${TagKey} aws:TagKeys ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceProfile ec2:InstanceType ec2:PlacementGroup ec2:RootDeviceType ec2:Tenancy
			image	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
			launch-template	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			placement-group	aws:ResourceTag/${TagKey} ec2:PlacementGroupName ec2:PlacementGroupStrategy ec2:ResourceTag/${TagKey}
			subnet	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
			volume	aws:RequestTag/${TagKey} aws:TagKeys ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:Encrypted ec2:KmsKeyId ec2:ParentSnapshot ec2:VolumeID ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType
				ec2:Region
CreateFlowLogs	Grants permission to create one or more flow logs to capture IP traffic for a network interface	Write	vpc-flow-log*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags ecs:ListClusters ecs:ListContainerInstances ecs:ListServices ecs:ListTaskDefinitions ecs:ListTasks iam:PassRole
			network-interface	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
			subnet	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
			transit-gateway	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayId
			transit-gateway-attachment	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayAttachmentId
			vpc	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
				ec2:Region
CreateFpgaImage	Grants permission to create an Amazon FPGA Image (AFI) from a design checkpoint (DCP)	Write	fpga-image*	aws:RequestTag/${TagKey} aws:TagKeys ec2:Owner ec2:Public	ec2:CreateTags
CreateFpgaImage		Write		ec2:Region
CreateImage	Grants permission to create an Amazon EBS-backed AMI from a stopped or running Amazon EBS-backed instance. This action can reboot instances as part of the image creation process, even without RebootInstances permissions. To prevent instance reboots during image creation, use the NoReboot parameter	Write	image*	aws:RequestTag/${TagKey} aws:TagKeys ec2:ImageID ec2:Owner	ec2:CreateTags
			instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
			snapshot*	aws:RequestTag/${TagKey} aws:TagKeys ec2:OutpostArn ec2:ParentVolume ec2:SnapshotID ec2:SnapshotTime ec2:SourceOutpostArn ec2:VolumeSize
				ec2:Region
CreateImageUsageReport	Grants permission to create an AMI usage report	Write	image*	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType	ec2:CreateTags
			image-usage-report*	aws:RequestTag/${TagKey} aws:TagKeys
				ec2:Region
CreateInstanceConnectEndpoint	Grants permission to create an EC2 Instance Connect Endpoint that allows you to connect to an instance without a public IPv4 address	Write	instance-connect-endpoint*	aws:RequestTag/${TagKey} aws:TagKeys ec2:SubnetID	ec2:CreateTags
			subnet*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
			security-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
				ec2:Region
CreateInstanceEventWindow	Grants permission to create an event window in which scheduled events for the associated Amazon EC2 instances can run	Write	instance-event-window*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags
CreateInstanceEventWindow		Write		ec2:Region
CreateInstanceExportTask	Grants permission to export a running or stopped instance to an Amazon S3 bucket	Write	export-instance-task*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags
			instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
				ec2:Region
CreateInternetGateway	Grants permission to create an internet gateway for a VPC	Write	internet-gateway*	aws:RequestTag/${TagKey} aws:TagKeys ec2:InternetGatewayID	ec2:CreateTags
CreateInternetGateway	Grants permission to create an internet gateway for a VPC	Write		ec2:Region
CreateIpam	Grants permission to create an Amazon VPC IP Address Manager (IPAM)	Write	ipam*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags iam:CreateServiceLinkedRole
CreateIpam		Write		ec2:Region
CreateIpamExternalResourceVerificationToken	Grants permission to create a verification token, which proves ownership of an external resource	Write	ipam*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}	ec2:CreateTags
			ipam-external-resource-verification-token*	aws:RequestTag/${TagKey} aws:TagKeys
				ec2:Region
CreateIpamPool	Grants permission to create an IP address pool for Amazon VPC IP Address Manager (IPAM), which is a collection of contiguous IP address CIDRs	Write	ipam-pool*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags
			ipam-scope*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
CreateIpamResourceDiscovery	Grants permission to create an IPAM resource discovery	Write	ipam-resource-discovery*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags iam:CreateServiceLinkedRole
CreateIpamResourceDiscovery	Grants permission to create an IPAM resource discovery	Write		ec2:Region
CreateIpamScope	Grants permission to create an Amazon VPC IP Address Manager (IPAM) scope, which is the highest-level container within IPAM	Write	ipam*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}	ec2:CreateTags
			ipam-scope*	aws:RequestTag/${TagKey} aws:TagKeys
				ec2:Region
CreateKeyPair	Grants permission to create a 2048-bit RSA key pair	Write	key-pair*	aws:RequestTag/${TagKey} aws:TagKeys ec2:KeyPairType	ec2:CreateTags
CreateKeyPair	Grants permission to create a 2048-bit RSA key pair	Write		ec2:Region
CreateLaunchTemplate	Grants permission to create a launch template	Write	launch-template*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags ssm:GetParameters
CreateLaunchTemplate	Grants permission to create a launch template	Write		ec2:Region
CreateLaunchTemplateVersion	Grants permission to create a new version of a launch template	Write	launch-template*	aws:ResourceTag/${TagKey} ec2:ManagedResourceOperator ec2:ResourceTag/${TagKey}	ssm:GetParameters
CreateLaunchTemplateVersion		Write		ec2:Region
CreateLocalGatewayRoute	Grants permission to create a static route for a local gateway route table	Write	local-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			local-gateway-virtual-interface-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			network-interface	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
			prefix-list	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
CreateLocalGatewayRouteTable	Grants permission to create a local gateway route table	Write	local-gateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}	ec2:CreateTags
			local-gateway-route-table*	aws:RequestTag/${TagKey} aws:TagKeys
				ec2:Region
CreateLocalGatewayRouteTablePermission [permission only]	Grants permission to allow a service to access a local gateway route table	Permissions management	local-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
CreateLocalGatewayRouteTablePermission [permission only]		Permissions management		ec2:Region
CreateLocalGatewayRouteTableVirtualInterfaceGroupAssociation	Grants permission to create a local gateway route table virtual interface group association	Write	local-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}	ec2:CreateTags
			local-gateway-route-table-virtual-interface-group-association*	aws:RequestTag/${TagKey} aws:TagKeys
			local-gateway-virtual-interface-group*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
CreateLocalGatewayRouteTableVpcAssociation	Grants permission to associate a VPC with a local gateway route table	Write	local-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}	ec2:CreateTags
			local-gateway-route-table-vpc-association*	aws:RequestTag/${TagKey} aws:TagKeys
			vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
				ec2:Region
CreateLocalGatewayVirtualInterface	Grants permission to create a local gateway virtual interface	Write	local-gateway-virtual-interface*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags
			local-gateway-virtual-interface-group*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			outpost-lag*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
CreateLocalGatewayVirtualInterfaceGroup	Grants permission to create a local gateway virtual interface group	Write	local-gateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}	ec2:CreateTags
			local-gateway-virtual-interface-group*	aws:RequestTag/${TagKey} aws:TagKeys
				ec2:Region
CreateMacSystemIntegrityProtectionModificationTask	Grants permission to create a System Integrity Protection (SIP) modification task for an Amazon EC2 Mac instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy	ec2:CreateTags
			mac-modification-task*	aws:RequestTag/${TagKey} aws:TagKeys
				ec2:Region
CreateManagedPrefixList	Grants permission to create a managed prefix list	Write	prefix-list*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags
CreateManagedPrefixList	Grants permission to create a managed prefix list	Write		ec2:Region
CreateNatGateway	Grants permission to create a NAT gateway in a subnet	Write	natgateway*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags
			subnet*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
			elastic-ip	aws:ResourceTag/${TagKey} ec2:AllocationId ec2:Domain ec2:PublicIpAddress ec2:ResourceTag/${TagKey}
				ec2:Region
CreateNetworkAcl	Grants permission to create a network ACL in a VPC	Write	network-acl*	aws:RequestTag/${TagKey} aws:TagKeys ec2:NetworkAclID	ec2:CreateTags
			vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
				ec2:Region
CreateNetworkAclEntry	Grants permission to create a numbered entry (a rule) in a network ACL	Write	network-acl*	aws:ResourceTag/${TagKey} ec2:NetworkAclID ec2:ResourceTag/${TagKey} ec2:Vpc
CreateNetworkAclEntry		Write		ec2:Region
CreateNetworkInsightsAccessScope	Grants permission to create a Network Access Scope	Write	network-insights-access-scope*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags
CreateNetworkInsightsAccessScope	Grants permission to create a Network Access Scope	Write		ec2:Region
CreateNetworkInsightsPath	Grants permission to create a path to analyze for reachability	Write	network-insights-path*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags
			instance	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
			internet-gateway	aws:ResourceTag/${TagKey} ec2:InternetGatewayID ec2:ResourceTag/${TagKey}
			network-interface	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
			transit-gateway	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayId
			vpc-endpoint	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			vpc-endpoint-service	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			vpc-peering-connection	aws:ResourceTag/${TagKey} ec2:AccepterVpc ec2:RequesterVpc ec2:ResourceTag/${TagKey} ec2:VpcPeeringConnectionID
			vpn-gateway	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
CreateNetworkInterface	Grants permission to create a network interface in a subnet	Write	network-interface*	aws:RequestTag/${TagKey} aws:TagKeys ec2:NetworkInterfaceID	ec2:CreateTags
			subnet*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
			security-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
				ec2:Region
CreateNetworkInterfacePermission	Grants permission to create a permission for an AWS-authorized user to perform certain operations on a network interface	Permissions management	network-interface*	aws:ResourceTag/${TagKey} ec2:AuthorizedService ec2:AuthorizedUser ec2:AvailabilityZone ec2:ManagedResourceOperator ec2:NetworkInterfaceID ec2:Permission ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
CreateNetworkInterfacePermission		Permissions management		ec2:Region
CreatePlacementGroup	Grants permission to create a placement group	Write	placement-group*	aws:RequestTag/${TagKey} aws:TagKeys ec2:PlacementGroupName ec2:PlacementGroupStrategy	ec2:CreateTags
CreatePlacementGroup	Grants permission to create a placement group	Write		ec2:Region
CreatePublicIpv4Pool	Grants permission to create a public IPv4 address pool for public IPv4 CIDRs that you own and bring to Amazon to manage with Amazon VPC IP Address Manager (IPAM)	Write	ipv4pool-ec2*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags
CreatePublicIpv4Pool		Write		ec2:Region
CreateReplaceRootVolumeTask	Grants permission to create a root volume replacement task	Write	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy	ec2:CreateTags
			replace-root-volume-task*	aws:RequestTag/${TagKey} aws:TagKeys
			volume*	aws:RequestTag/${TagKey} aws:TagKeys ec2:VolumeID ec2:VolumeInitializationRate
			image	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
			snapshot	aws:ResourceTag/${TagKey} ec2:Owner ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:SnapshotID ec2:SnapshotTime ec2:VolumeSize
				ec2:Region
CreateReservedInstancesListing	Grants permission to create a listing for Standard Reserved Instances to be sold in the Reserved Instance Marketplace	Write		ec2:Region
CreateRestoreImageTask	Grants permission to start a task that restores an AMI from an S3 object previously created by using CreateStoreImageTask	Write	image*	aws:RequestTag/${TagKey} aws:TagKeys ec2:ImageID ec2:Owner	ec2:CreateTags
CreateRestoreImageTask		Write		ec2:Region
CreateRoute	Grants permission to create a route in a VPC route table	Write	route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:RouteTableID ec2:Vpc
CreateRoute	Grants permission to create a route in a VPC route table	Write		ec2:Region
CreateRouteServer	Grants permission to create a route server	Write	route-server*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags sns:CreateTopic
CreateRouteServer	Grants permission to create a route server	Write		ec2:Region
CreateRouteServerEndpoint	Grants permission to create a route server endpoint	Write	route-server*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}	ec2:AuthorizeSecurityGroupIngress ec2:CreateNetworkInterface ec2:CreateNetworkInterfacePermission ec2:CreateSecurityGroup ec2:CreateTags ec2:DescribeSecurityGroups
			route-server-endpoint*	aws:RequestTag/${TagKey} aws:TagKeys ec2:AvailabilityZone
			subnet*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
				ec2:Region
CreateRouteServerPeer	Grants permission to create a route server peer	Write	route-server-endpoint*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ResourceTag/${TagKey}	ec2:AuthorizeSecurityGroupIngress ec2:CreateTags
			route-server-peer*	aws:RequestTag/${TagKey} aws:TagKeys ec2:AvailabilityZone
				ec2:Region
CreateRouteTable	Grants permission to create a route table for a VPC	Write	route-table*	aws:RequestTag/${TagKey} aws:TagKeys ec2:RouteTableID	ec2:CreateTags
			vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
				ec2:Region
CreateSecurityGroup	Grants permission to create a security group	Write	security-group*	aws:RequestTag/${TagKey} aws:TagKeys ec2:SecurityGroupID	ec2:CreateTags
			vpc	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
				ec2:Region
CreateSnapshot	Grants permission to create a snapshot of an EBS volume and store it in Amazon S3	Write	snapshot*	aws:RequestTag/${TagKey} aws:TagKeys ec2:Location ec2:OutpostArn ec2:ParentVolume ec2:SnapshotID ec2:SourceAvailabilityZone ec2:SourceOutpostArn ec2:VolumeSize	ec2:CreateTags
			volume*	aws:ResourceTag/${TagKey} ec2:AvailabilityZoneId ec2:Encrypted ec2:ManagedResourceOperator ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:VolumeID ec2:VolumeInitializationRate ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType
				ec2:Region
CreateSnapshots	Grants permission to create crash-consistent snapshots of multiple EBS volumes and store them in Amazon S3	Write	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceProfile ec2:InstanceType ec2:PlacementGroup ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy	ec2:CreateTags
			snapshot*	aws:RequestTag/${TagKey} aws:TagKeys ec2:Location ec2:OutpostArn ec2:ParentVolume ec2:SnapshotID ec2:SourceAvailabilityZone ec2:SourceOutpostArn ec2:VolumeSize
			volume*	aws:ResourceTag/${TagKey} ec2:Encrypted ec2:ResourceTag/${TagKey} ec2:VolumeID ec2:VolumeInitializationRate ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType
				ec2:Region
CreateSpotDatafeedSubscription	Grants permission to create a data feed for Spot Instances to view Spot Instance usage logs	Write		ec2:Region
CreateStoreImageTask	Grants permission to store an AMI as a single object in an S3 bucket	Write	image*	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
CreateStoreImageTask		Write		ec2:Region
CreateSubnet	Grants permission to create a subnet in a VPC	Write	subnet*	aws:RequestTag/${TagKey} aws:TagKeys ec2:Ipv4IpamPoolId ec2:Ipv6IpamPoolId ec2:SubnetID	ec2:CreateTags
			vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
			ipam-pool	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
CreateSubnetCidrReservation	Grants permission to create a subnet CIDR reservation	Write	subnet*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc	ec2:CreateTags
CreateSubnetCidrReservation	Grants permission to create a subnet CIDR reservation	Write		ec2:Region
CreateTags	Grants permission to add or overwrite one or more tags for Amazon EC2 resources	Tagging	capacity-block	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			capacity-manager-data-export	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			capacity-reservation	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys
			capacity-reservation-fleet	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			carrier-gateway	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:Vpc
			client-vpn-endpoint	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
			coip-pool	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			customer-gateway	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			declarative-policies-report	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			dedicated-host	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:AutoPlacement ec2:AvailabilityZone ec2:HostRecovery ec2:InstanceType ec2:Quantity ec2:ResourceTag/${TagKey}
			dhcp-options	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:DhcpOptionsID ec2:ResourceTag/${TagKey}
			egress-only-internet-gateway	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			elastic-gpu	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ElasticGpuType ec2:ResourceTag/${TagKey}
			elastic-ip	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:AllocationId ec2:Domain ec2:PublicIpAddress ec2:ResourceTag/${TagKey}
			export-image-task	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			export-instance-task	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			fleet	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			fpga-image	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Owner ec2:Public ec2:ResourceTag/${TagKey}
			host-reservation	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			image	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
			image-usage-report	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			import-image-task	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			import-snapshot-task	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			instance	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
			instance-connect-endpoint	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey} ec2:SubnetID
			instance-event-window	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			internet-gateway	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:InternetGatewayID ec2:ResourceTag/${TagKey}
			ipam	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			ipam-external-resource-verification-token	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			ipam-pool	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			ipam-resource-discovery	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			ipam-resource-discovery-association	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			ipam-scope	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			ipv4pool-ec2	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			ipv6pool-ec2	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			key-pair	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:KeyPairName ec2:KeyPairType ec2:ResourceTag/${TagKey}
			launch-template	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ManagedResourceOperator ec2:ResourceTag/${TagKey}
			local-gateway	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			local-gateway-route-table	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			local-gateway-route-table-virtual-interface-group-association	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			local-gateway-route-table-vpc-association	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			local-gateway-virtual-interface	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			local-gateway-virtual-interface-group	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			natgateway	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			network-acl	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:NetworkAclID ec2:ResourceTag/${TagKey} ec2:Vpc
			network-insights-access-scope	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			network-insights-access-scope-analysis	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			network-insights-analysis	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			network-insights-path	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			network-interface	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:AuthorizedUser ec2:AvailabilityZone ec2:ManagedResourceOperator ec2:NetworkInterfaceID ec2:Permission ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
			placement-group	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:PlacementGroupName ec2:PlacementGroupStrategy ec2:ResourceTag/${TagKey}
			prefix-list	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			replace-root-volume-task	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			reserved-instances	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:AvailabilityZone ec2:InstanceType ec2:ReservedInstancesOfferingType ec2:ResourceTag/${TagKey} ec2:Tenancy
			route-server	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			route-server-endpoint	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			route-server-peer	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			route-table	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey} ec2:RouteTableID ec2:Vpc
			security-group	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
			security-group-rule	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			snapshot	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Encrypted ec2:Owner ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:SnapshotID ec2:SnapshotTime ec2:VolumeSize
			spot-fleet-request	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			spot-instances-request	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			subnet	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
subnet-cidr-reservation	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
traffic-mirror-filter	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
traffic-mirror-filter-rule	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
traffic-mirror-session	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
traffic-mirror-target	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
transit-gateway	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey} ec2:transitGatewayId
transit-gateway-attachment	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey} ec2:transitGatewayAttachmentId
transit-gateway-connect-peer	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey} ec2:transitGatewayConnectPeerId
transit-gateway-multicast-domain	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey} ec2:transitGatewayMulticastDomainId
transit-gateway-policy-table	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey} ec2:transitGatewayPolicyTableId
transit-gateway-route-table	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey} ec2:transitGatewayRouteTableId
transit-gateway-route-table-announcement	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey} ec2:transitGatewayRouteTableAnnouncementId
verified-access-endpoint	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
verified-access-endpoint-target	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
verified-access-group	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
verified-access-instance	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
verified-access-policy	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
verified-access-trust-provider	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
volume	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:Encrypted ec2:ManagedResourceOperator ec2:ParentSnapshot ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:VolumeID ec2:VolumeInitializationRate ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType
vpc	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
vpc-block-public-access-exclusion	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
vpc-endpoint	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
vpc-endpoint-connection	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
vpc-endpoint-service	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey} ec2:VpceMultiRegion ec2:VpceServiceRegion ec2:VpceSupportedRegion
vpc-endpoint-service-permission	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
vpc-flow-log	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
vpc-peering-connection	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:AccepterVpc ec2:RequesterVpc ec2:ResourceTag/${TagKey} ec2:VpcPeeringConnectionID
vpn-connection	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:AuthenticationType ec2:DPDTimeoutSeconds ec2:GatewayType ec2:IKEVersions ec2:InsideTunnelCidr ec2:InsideTunnelIpv6Cidr ec2:Phase1DHGroup ec2:Phase1EncryptionAlgorithms ec2:Phase1IntegrityAlgorithms ec2:Phase1LifetimeSeconds ec2:Phase2DHGroup ec2:Phase2EncryptionAlgorithms ec2:Phase2IntegrityAlgorithms ec2:Phase2LifetimeSeconds ec2:RekeyFuzzPercentage ec2:RekeyMarginTimeSeconds ec2:ReplayWindowSizePackets ec2:ResourceTag/${TagKey} ec2:RoutingType
vpn-gateway	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
	ec2:CreateAction ec2:Region
CreateTrafficMirrorFilter	Grants permission to create a traffic mirror filter	Write	traffic-mirror-filter*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags
CreateTrafficMirrorFilter	Grants permission to create a traffic mirror filter	Write		ec2:Region
CreateTrafficMirrorFilterRule	Grants permission to create a traffic mirror filter rule	Write	traffic-mirror-filter*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}	ec2:CreateTags
			traffic-mirror-filter-rule*	aws:RequestTag/${TagKey} aws:TagKeys
				ec2:Region
CreateTrafficMirrorSession	Grants permission to create a traffic mirror session	Write	network-interface*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ManagedResourceOperator ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc	ec2:CreateTags
			traffic-mirror-filter*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			traffic-mirror-session*	aws:RequestTag/${TagKey} aws:TagKeys
			traffic-mirror-target*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
CreateTrafficMirrorTarget	Grants permission to create a traffic mirror target	Write	traffic-mirror-target*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags
			network-interface	aws:ResourceTag/${TagKey} ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey}
			vpc-endpoint	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:VpceServiceName ec2:VpceServiceOwner
				ec2:Region
CreateTransitGateway	Grants permission to create a transit gateway	Write	transit-gateway*	aws:RequestTag/${TagKey} aws:TagKeys ec2:transitGatewayId	ec2:CreateTags
CreateTransitGateway	Grants permission to create a transit gateway	Write		ec2:Region
CreateTransitGatewayConnect	Grants permission to create a Connect attachment from a specified transit gateway attachment	Write	transit-gateway-attachment*	aws:RequestTag/${TagKey} aws:TagKeys ec2:transitGatewayAttachmentId	ec2:CreateTags
CreateTransitGatewayConnect		Write		ec2:Region
CreateTransitGatewayConnectPeer	Grants permission to create a Connect peer between a transit gateway and an appliance	Write	transit-gateway-attachment*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayAttachmentId	ec2:CreateTags
			transit-gateway-connect-peer*	aws:RequestTag/${TagKey} aws:TagKeys ec2:transitGatewayConnectPeerId
				ec2:Region
CreateTransitGatewayMulticastDomain	Grants permission to create a multicast domain for a transit gateway	Write	transit-gateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayId	ec2:CreateTags
			transit-gateway-multicast-domain*	aws:RequestTag/${TagKey} aws:TagKeys ec2:transitGatewayMulticastDomainId
				ec2:Region
CreateTransitGatewayPeeringAttachment	Grants permission to request a transit gateway peering attachment between a requester and accepter transit gateway	Write	transit-gateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayId	ec2:CreateTags
			transit-gateway-attachment*	aws:RequestTag/${TagKey} aws:TagKeys ec2:transitGatewayAttachmentId
				ec2:Region
CreateTransitGatewayPolicyTable	Grants permission to create a transit gateway policy table	Write	transit-gateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayId	ec2:CreateTags
			transit-gateway-policy-table*	aws:RequestTag/${TagKey} aws:TagKeys ec2:transitGatewayPolicyTableId
				ec2:Region
CreateTransitGatewayPrefixListReference	Grants permission to create a transit gateway prefix list reference	Write	prefix-list*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			transit-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayRouteTableId
			transit-gateway-attachment	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayAttachmentId
				ec2:Region
CreateTransitGatewayRoute	Grants permission to create a static route for a transit gateway route table	Write	transit-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayRouteTableId
			transit-gateway-attachment	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayAttachmentId
				ec2:Region
CreateTransitGatewayRouteTable	Grants permission to create a route table for a transit gateway	Write	transit-gateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayId	ec2:CreateTags
			transit-gateway-route-table*	aws:RequestTag/${TagKey} aws:TagKeys ec2:transitGatewayRouteTableId
				ec2:Region
CreateTransitGatewayRouteTableAnnouncement	Grants permission to create an announcement for a transit gateway route table	Write	transit-gateway-attachment*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayAttachmentId	ec2:CreateTags
			transit-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayRouteTableId
			transit-gateway-route-table-announcement*	aws:RequestTag/${TagKey} aws:TagKeys ec2:transitGatewayRouteTableAnnouncementId
				ec2:Region
CreateTransitGatewayVpcAttachment	Grants permission to attach a VPC to a transit gateway	Write	subnet*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc	ec2:CreateTags
			transit-gateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayId
			transit-gateway-attachment*	aws:RequestTag/${TagKey} aws:TagKeys ec2:transitGatewayAttachmentId
			vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
				ec2:Region
CreateVerifiedAccessEndpoint	Grants permission to create a Verified Access endpoint	Write	verified-access-endpoint*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags
			verified-access-group*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			network-interface	aws:ResourceTag/${TagKey} ec2:AuthorizedUser ec2:AvailabilityZone ec2:NetworkInterfaceID ec2:Permission ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
			security-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
			subnet	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
				ec2:Region
CreateVerifiedAccessGroup	Grants permission to create a Verified Access group	Write	verified-access-group*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags
			verified-access-instance*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
CreateVerifiedAccessInstance	Grants permission to create a Verified Access instance	Write	verified-access-instance*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags
CreateVerifiedAccessInstance	Grants permission to create a Verified Access instance	Write		ec2:Region
CreateVerifiedAccessTrustProvider	Grants permission to create a verified trust provider	Write	verified-access-trust-provider*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags
CreateVerifiedAccessTrustProvider	Grants permission to create a verified trust provider	Write		ec2:Region
CreateVolume	Grants permission to create an EBS volume	Write	volume*	aws:RequestTag/${TagKey} aws:TagKeys ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:Encrypted ec2:KmsKeyId ec2:ParentSnapshot ec2:VolumeID ec2:VolumeInitializationRate ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType	ec2:CreateTags
			snapshot	aws:ResourceTag/${TagKey} ec2:Encrypted ec2:Owner ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:SnapshotTime ec2:VolumeSize
				ec2:Region
CreateVpc	Grants permission to create a VPC with a specified CIDR block	Write	vpc*	aws:RequestTag/${TagKey} aws:TagKeys ec2:Ipv4IpamPoolId ec2:Ipv6IpamPoolId ec2:VpcID	ec2:CreateTags
			ipam-pool	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			ipv6pool-ec2	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
CreateVpcBlockPublicAccessExclusion	Grants permission to create an exclusion list for blocked public access on a VPC	Write	vpc-block-public-access-exclusion*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags
			subnet	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
			vpc	aws:ResourceTag/${TagKey} ec2:Ipv4IpamPoolId ec2:Ipv6IpamPoolId ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
				ec2:Region
CreateVpcEndpoint	Grants permission to create a VPC endpoint for an AWS service	Write	vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:VpcID	ec2:CreateTags ec2:DescribeSecurityGroups ec2:DescribeSubnets ec2:DescribeVpcs route53:AssociateVPCWithHostedZone
			vpc-endpoint*	aws:RequestTag/${TagKey} aws:TagKeys ec2:VpceMultiRegion ec2:VpceServiceName ec2:VpceServiceOwner ec2:VpceServiceRegion
			route-table	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:RouteTableID
			security-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID
			subnet	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SubnetID
				ec2:Region
CreateVpcEndpointConnectionNotification	Grants permission to create a connection notification for a VPC endpoint or VPC endpoint service	Write	vpc-endpoint	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			vpc-endpoint-service	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:VpceMultiRegion ec2:VpceServiceRegion
				ec2:Region
CreateVpcEndpointServiceConfiguration	Grants permission to create a VPC endpoint service configuration to which service consumers (AWS accounts, IAM users, and IAM roles) can connect	Write	vpc-endpoint-service*	aws:RequestTag/${TagKey} aws:TagKeys ec2:VpceMultiRegion ec2:VpceServicePrivateDnsName ec2:VpceServiceRegion	ec2:CreateTags
CreateVpcEndpointServiceConfiguration		Write		ec2:Region
CreateVpcPeeringConnection	Grants permission to request a VPC peering connection between two VPCs	Write	vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID	ec2:CreateTags
			vpc-peering-connection*	aws:RequestTag/${TagKey} aws:TagKeys ec2:AccepterVpc ec2:RequesterVpc ec2:VpcPeeringConnectionID
				ec2:Region
CreateVpnConnection	Grants permission to create a VPN connection between a virtual private gateway or transit gateway and a customer gateway	Write	customer-gateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}	ec2:CreateTags
			vpn-connection*	aws:RequestTag/${TagKey} aws:TagKeys ec2:AuthenticationType ec2:DPDTimeoutSeconds ec2:GatewayType ec2:IKEVersions ec2:InsideTunnelCidr ec2:InsideTunnelIpv6Cidr ec2:Phase1DHGroup ec2:Phase1EncryptionAlgorithms ec2:Phase1IntegrityAlgorithms ec2:Phase1LifetimeSeconds ec2:Phase2DHGroup ec2:Phase2EncryptionAlgorithms ec2:Phase2IntegrityAlgorithms ec2:Phase2LifetimeSeconds ec2:RekeyFuzzPercentage ec2:RekeyMarginTimeSeconds ec2:ReplayWindowSizePackets ec2:RoutingType
			transit-gateway	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayId
			transit-gateway-attachment	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayAttachmentId
			vpn-gateway	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
CreateVpnConnectionRoute	Grants permission to create a static route for a VPN connection between a virtual private gateway and a customer gateway	Write	vpn-connection*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
CreateVpnConnectionRoute		Write		ec2:Region
CreateVpnGateway	Grants permission to create a virtual private gateway	Write	vpn-gateway*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags
CreateVpnGateway	Grants permission to create a virtual private gateway	Write		ec2:Region
DeleteCapacityManagerDataExport	Grants permission to delete an existing Capacity Manager data export configuration	Write	capacity-manager-data-export*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteCapacityManagerDataExport		Write		ec2:Region
DeleteCarrierGateway	Grants permission to delete a carrier gateway	Write	carrier-gateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteCarrierGateway	Grants permission to delete a carrier gateway	Write		ec2:Region
DeleteClientVpnEndpoint	Grants permission to delete a Client VPN endpoint	Write	client-vpn-endpoint*	aws:ResourceTag/${TagKey} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
DeleteClientVpnEndpoint	Grants permission to delete a Client VPN endpoint	Write		ec2:Region
DeleteClientVpnRoute	Grants permission to delete a route from a Client VPN endpoint	Write	client-vpn-endpoint*	aws:ResourceTag/${TagKey} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
			subnet	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
				ec2:Region
DeleteCoipCidr	Grants permission to delete a range of customer-owned IP (CoIP) addresses	Write	coip-pool*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteCoipCidr		Write		ec2:Region
DeleteCoipPool	Grants permission to delete a pool of customer-owned IP (CoIP) addresses	Write	coip-pool*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteCoipPool		Write		ec2:Region
DeleteCoipPoolPermission [permission only]	Grants permission to deny a service from accessing a customer-owned IP (CoIP) pool	Permissions management	coip-pool*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteCoipPoolPermission [permission only]		Permissions management		ec2:Region
DeleteCustomerGateway	Grants permission to delete a customer gateway	Write	customer-gateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteCustomerGateway	Grants permission to delete a customer gateway	Write		ec2:Region
DeleteDhcpOptions	Grants permission to delete a set of DHCP options	Write	dhcp-options*	aws:ResourceTag/${TagKey} ec2:DhcpOptionsID ec2:ResourceTag/${TagKey}
DeleteDhcpOptions	Grants permission to delete a set of DHCP options	Write		ec2:Region
DeleteEgressOnlyInternetGateway	Grants permission to delete an egress-only internet gateway	Write	egress-only-internet-gateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteEgressOnlyInternetGateway	Grants permission to delete an egress-only internet gateway	Write		ec2:Region
DeleteFleets	Grants permission to delete one or more EC2 Fleets	Write	fleet*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteFleets	Grants permission to delete one or more EC2 Fleets	Write		ec2:Region
DeleteFlowLogs	Grants permission to delete one or more flow logs	Write	vpc-flow-log*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteFlowLogs	Grants permission to delete one or more flow logs	Write		ec2:Region
DeleteFpgaImage	Grants permission to delete an Amazon FPGA Image (AFI)	Write	fpga-image*	aws:ResourceTag/${TagKey} ec2:Owner ec2:Public ec2:ResourceTag/${TagKey}
DeleteFpgaImage	Grants permission to delete an Amazon FPGA Image (AFI)	Write		ec2:Region
DeleteImageUsageReport	Grants permission to delete an AMI usage report	Write	image-usage-report*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteImageUsageReport	Grants permission to delete an AMI usage report	Write		ec2:Region
DeleteInstanceConnectEndpoint	Grants permission to delete an EC2 Instance Connect Endpoint	Write	instance-connect-endpoint*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SubnetID
DeleteInstanceConnectEndpoint		Write		ec2:Region
DeleteInstanceEventWindow	Grants permission to delete the specified event window	Write	instance-event-window*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteInstanceEventWindow	Grants permission to delete the specified event window	Write		ec2:Region
DeleteInternetGateway	Grants permission to delete an internet gateway	Write	internet-gateway*	aws:ResourceTag/${TagKey} ec2:InternetGatewayID ec2:ResourceTag/${TagKey}
DeleteInternetGateway	Grants permission to delete an internet gateway	Write		ec2:Region
DeleteIpam	Grants permission to delete an Amazon VPC IP Address Manager (IPAM) and remove all monitored data associated with the IPAM including the historical data for CIDRs	Write	ipam*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteIpam		Write		ec2:Region
DeleteIpamExternalResourceVerificationToken	Grants permission to delete a verification token, which proves ownership of an external resource	Write	ipam-external-resource-verification-token*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteIpamExternalResourceVerificationToken		Write		ec2:Region
DeleteIpamPool	Grants permission to delete an Amazon VPC IP Address Manager (IPAM) pool	Write	ipam-pool*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteIpamPool		Write		ec2:Region
DeleteIpamResourceDiscovery	Grants permission to delete an IPAM resource discovery	Write	ipam-resource-discovery*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteIpamResourceDiscovery	Grants permission to delete an IPAM resource discovery	Write		ec2:Region
DeleteIpamScope	Grants permission to delete the scope for an Amazon VPC IP Address Manager (IPAM)	Write	ipam-scope*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteIpamScope		Write		ec2:Region
DeleteKeyPair	Grants permission to delete a key pair by removing the public key from Amazon EC2	Write	key-pair	aws:ResourceTag/${TagKey} ec2:KeyPairName ec2:KeyPairType ec2:ResourceTag/${TagKey}
DeleteKeyPair		Write		ec2:Region
DeleteLaunchTemplate	Grants permission to delete a launch template and its associated versions	Write	launch-template*	aws:ResourceTag/${TagKey} ec2:ManagedResourceOperator ec2:ResourceTag/${TagKey}
DeleteLaunchTemplate		Write		ec2:Region
DeleteLaunchTemplateVersions	Grants permission to delete one or more versions of a launch template	Write	launch-template*	aws:ResourceTag/${TagKey} ec2:ManagedResourceOperator ec2:ResourceTag/${TagKey}
DeleteLaunchTemplateVersions		Write		ec2:Region
DeleteLocalGatewayRoute	Grants permission to delete a route from a local gateway route table	Write	local-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			prefix-list	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
DeleteLocalGatewayRouteTable	Grants permission to delete a local gateway route table	Write	local-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteLocalGatewayRouteTable	Grants permission to delete a local gateway route table	Write		ec2:Region
DeleteLocalGatewayRouteTablePermission [permission only]	Grants permission to deny a service from accessing a local gateway route table	Permissions management	local-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteLocalGatewayRouteTablePermission [permission only]		Permissions management		ec2:Region
DeleteLocalGatewayRouteTableVirtualInterfaceGroupAssociation	Grants permission to delete a local gateway route table virtual interface group association	Write	local-gateway-route-table-virtual-interface-group-association*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
		Write		ec2:Region
DeleteLocalGatewayRouteTableVpcAssociation	Grants permission to delete an association between a VPC and local gateway route table	Write	local-gateway-route-table-vpc-association*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteLocalGatewayRouteTableVpcAssociation		Write		ec2:Region
DeleteLocalGatewayVirtualInterface	Grants permission to delete a local gateway virtual interface	Write	local-gateway-virtual-interface*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteLocalGatewayVirtualInterface		Write		ec2:Region
DeleteLocalGatewayVirtualInterfaceGroup	Grants permission to delete a local gateway virtual interface group	Write	local-gateway-virtual-interface-group*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteLocalGatewayVirtualInterfaceGroup		Write		ec2:Region
DeleteManagedPrefixList	Grants permission to delete a managed prefix list	Write	prefix-list*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteManagedPrefixList	Grants permission to delete a managed prefix list	Write		ec2:Region
DeleteNatGateway	Grants permission to delete a NAT gateway	Write	natgateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteNatGateway	Grants permission to delete a NAT gateway	Write		ec2:Region
DeleteNetworkAcl	Grants permission to delete a network ACL	Write	network-acl*	aws:ResourceTag/${TagKey} ec2:NetworkAclID ec2:ResourceTag/${TagKey} ec2:Vpc
DeleteNetworkAcl	Grants permission to delete a network ACL	Write		ec2:Region
DeleteNetworkAclEntry	Grants permission to delete an inbound or outbound entry (rule) from a network ACL	Write	network-acl*	aws:ResourceTag/${TagKey} ec2:NetworkAclID ec2:ResourceTag/${TagKey} ec2:Vpc
DeleteNetworkAclEntry		Write		ec2:Region
DeleteNetworkInsightsAccessScope	Grants permission to delete a Network Access Scope	Write	network-insights-access-scope*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteNetworkInsightsAccessScope	Grants permission to delete a Network Access Scope	Write		ec2:Region
DeleteNetworkInsightsAccessScopeAnalysis	Grants permission to delete a Network Access Scope analysis	Write	network-insights-access-scope-analysis*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteNetworkInsightsAccessScopeAnalysis	Grants permission to delete a Network Access Scope analysis	Write		ec2:Region
DeleteNetworkInsightsAnalysis	Grants permission to delete a network insights analysis	Write	network-insights-analysis*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteNetworkInsightsAnalysis	Grants permission to delete a network insights analysis	Write		ec2:Region
DeleteNetworkInsightsPath	Grants permission to delete a network insights path	Write	network-insights-path*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteNetworkInsightsPath	Grants permission to delete a network insights path	Write		ec2:Region
DeleteNetworkInterface	Grants permission to delete a detached network interface	Write	network-interface*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ManagedResourceOperator ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
DeleteNetworkInterface	Grants permission to delete a detached network interface	Write		ec2:Region
DeleteNetworkInterfacePermission	Grants permission to delete a permission that is associated with a network interface	Permissions management	network-interface	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ManagedResourceOperator ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
DeleteNetworkInterfacePermission		Permissions management		ec2:Region
DeletePlacementGroup	Grants permission to delete a placement group	Write	placement-group	aws:ResourceTag/${TagKey} ec2:PlacementGroupName ec2:PlacementGroupStrategy ec2:ResourceTag/${TagKey}
DeletePlacementGroup	Grants permission to delete a placement group	Write		ec2:Region
DeletePublicIpv4Pool	Grants permission to delete a public IPv4 address pool for public IPv4 CIDRs that you own and brought to Amazon to manage with Amazon VPC IP Address Manager (IPAM)	Write	ipv4pool-ec2*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeletePublicIpv4Pool		Write		ec2:Region
DeleteQueuedReservedInstances	Grants permission to delete the queued purchases for the specified Reserved Instances	Write	reserved-instances*	aws:ResourceTag/${TagKey} ec2:InstanceType ec2:ReservedInstancesOfferingType ec2:ResourceTag/${TagKey} ec2:Tenancy
DeleteQueuedReservedInstances		Write		ec2:Region
DeleteResourcePolicy [permission only]	Grants permission to remove an IAM policy that enables cross-account sharing from a resource	Permissions management	ipam-pool	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			placement-group	aws:ResourceTag/${TagKey} ec2:PlacementGroupName ec2:PlacementGroupStrategy ec2:ResourceTag/${TagKey}
			verified-access-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
DeleteRoute	Grants permission to delete a route from a route table	Write	route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:RouteTableID ec2:Vpc
DeleteRoute	Grants permission to delete a route from a route table	Write		ec2:Region
DeleteRouteServer	Grants permission to delete a route server	Write	route-server*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}	sns:DeleteTopic
DeleteRouteServer	Grants permission to delete a route server	Write		ec2:Region
DeleteRouteServerEndpoint	Grants permission to delete a route server endpoint	Write	route-server-endpoint*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ResourceTag/${TagKey}	ec2:DeleteNetworkInterface ec2:DeleteSecurityGroup ec2:RevokeSecurityGroupIngress
DeleteRouteServerEndpoint	Grants permission to delete a route server endpoint	Write		ec2:Region
DeleteRouteServerPeer	Grants permission to delete a route server peer	Write	route-server-peer*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ResourceTag/${TagKey}	ec2:RevokeSecurityGroupIngress
DeleteRouteServerPeer	Grants permission to delete a route server peer	Write		ec2:Region
DeleteRouteTable	Grants permission to delete a route table	Write	route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:RouteTableID ec2:Vpc
DeleteRouteTable	Grants permission to delete a route table	Write		ec2:Region
DeleteSecurityGroup	Grants permission to delete a security group	Write	security-group*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
DeleteSecurityGroup	Grants permission to delete a security group	Write		ec2:Region
DeleteSnapshot	Grants permission to delete a snapshot of an EBS volume	Write	snapshot*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:OutpostArn ec2:Owner ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:SnapshotID ec2:SnapshotTime ec2:VolumeSize
DeleteSnapshot	Grants permission to delete a snapshot of an EBS volume	Write		ec2:Region
DeleteSpotDatafeedSubscription	Grants permission to delete a data feed for Spot Instances	Write		ec2:Region
DeleteSubnet	Grants permission to delete a subnet	Write	subnet*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
DeleteSubnet	Grants permission to delete a subnet	Write		ec2:Region
DeleteSubnetCidrReservation	Grants permission to delete a subnet CIDR reservation	Write		ec2:Region
DeleteTags	Grants permission to delete one or more tags from Amazon EC2 resources	Tagging	capacity-block	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			capacity-manager-data-export	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			capacity-reservation	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			capacity-reservation-fleet	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			carrier-gateway	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			client-vpn-endpoint	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			coip-pool	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			customer-gateway	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			declarative-policies-report	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			dedicated-host	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			dhcp-options	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			egress-only-internet-gateway	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			elastic-gpu	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			elastic-ip	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			export-image-task	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			export-instance-task	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			fleet	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			fpga-image	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			host-reservation	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			image	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			image-usage-report	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			import-image-task	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			import-snapshot-task	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			instance	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			instance-connect-endpoint	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			instance-event-window	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			internet-gateway	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			ipam	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			ipam-external-resource-verification-token	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			ipam-pool	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			ipam-resource-discovery	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			ipam-resource-discovery-association	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			ipam-scope	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			ipv4pool-ec2	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			ipv6pool-ec2	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			key-pair	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			launch-template	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			local-gateway	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			local-gateway-route-table	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			local-gateway-route-table-virtual-interface-group-association	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			local-gateway-route-table-vpc-association	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			local-gateway-virtual-interface	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			local-gateway-virtual-interface-group	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			natgateway	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			network-acl	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			network-insights-access-scope	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			network-insights-access-scope-analysis	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			network-insights-analysis	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			network-insights-path	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			network-interface	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			placement-group	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			prefix-list	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			replace-root-volume-task	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			reserved-instances	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			route-server	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			route-server-endpoint	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			route-server-peer	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			route-table	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			security-group	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			security-group-rule	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			snapshot	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			spot-fleet-request	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			spot-instances-request	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
			subnet	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
subnet-cidr-reservation	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
traffic-mirror-filter	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
traffic-mirror-filter-rule	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
traffic-mirror-session	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
traffic-mirror-target	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
transit-gateway	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
transit-gateway-attachment	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
transit-gateway-connect-peer	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
transit-gateway-multicast-domain	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
transit-gateway-policy-table	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
transit-gateway-route-table	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
transit-gateway-route-table-announcement	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
verified-access-endpoint	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
verified-access-endpoint-target	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
verified-access-group	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
verified-access-instance	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
verified-access-policy	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
verified-access-trust-provider	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
volume	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
vpc	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
vpc-block-public-access-exclusion	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
vpc-endpoint	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
vpc-endpoint-connection	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
vpc-endpoint-service	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
vpc-endpoint-service-permission	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
vpc-flow-log	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
vpc-peering-connection	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
vpn-connection	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
vpn-gateway	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ResourceTag/${TagKey}
	aws:TagKeys ec2:Region
DeleteTrafficMirrorFilter	Grants permission to delete a traffic mirror filter	Write	traffic-mirror-filter*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteTrafficMirrorFilter	Grants permission to delete a traffic mirror filter	Write		ec2:Region
DeleteTrafficMirrorFilterRule	Grants permission to delete a traffic mirror filter rule	Write	traffic-mirror-filter*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			traffic-mirror-filter-rule*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
DeleteTrafficMirrorSession	Grants permission to delete a traffic mirror session	Write	traffic-mirror-session*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteTrafficMirrorSession	Grants permission to delete a traffic mirror session	Write		ec2:Region
DeleteTrafficMirrorTarget	Grants permission to delete a traffic mirror target	Write	traffic-mirror-target*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteTrafficMirrorTarget	Grants permission to delete a traffic mirror target	Write		ec2:Region
DeleteTransitGateway	Grants permission to delete a transit gateway	Write	transit-gateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayId
DeleteTransitGateway	Grants permission to delete a transit gateway	Write		ec2:Region
DeleteTransitGatewayConnect	Grants permission to delete a transit gateway connect attachment	Write	transit-gateway-attachment*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayAttachmentId
DeleteTransitGatewayConnect		Write		ec2:Region
DeleteTransitGatewayConnectPeer	Grants permission to delete a transit gateway connect peer	Write	transit-gateway-connect-peer*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayConnectPeerId
DeleteTransitGatewayConnectPeer	Grants permission to delete a transit gateway connect peer	Write		ec2:Region
DeleteTransitGatewayMulticastDomain	Grants permission to delete a transit gateway multicast domain	Write	transit-gateway-multicast-domain*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayMulticastDomainId
DeleteTransitGatewayMulticastDomain		Write		ec2:Region
DeleteTransitGatewayPeeringAttachment	Grants permission to delete a peering attachment from a transit gateway	Write	transit-gateway-attachment*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayAttachmentId
DeleteTransitGatewayPeeringAttachment		Write		ec2:Region
DeleteTransitGatewayPolicyTable	Grants permission to delete a transit gateway policy table	Write	transit-gateway-policy-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayPolicyTableId
DeleteTransitGatewayPolicyTable	Grants permission to delete a transit gateway policy table	Write		ec2:Region
DeleteTransitGatewayPrefixListReference	Grants permission to delete a transit gateway prefix list reference	Write	prefix-list*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			transit-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayRouteTableId
				ec2:Region
DeleteTransitGatewayRoute	Grants permission to delete a route from a transit gateway route table	Write	transit-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayRouteTableId
DeleteTransitGatewayRoute		Write		ec2:Region
DeleteTransitGatewayRouteTable	Grants permission to delete a transit gateway route table	Write	transit-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayRouteTableId
DeleteTransitGatewayRouteTable	Grants permission to delete a transit gateway route table	Write		ec2:Region
DeleteTransitGatewayRouteTableAnnouncement	Grants permission to delete a transit gateway route table announcement	Write	transit-gateway-route-table-announcement*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayRouteTableAnnouncementId
DeleteTransitGatewayRouteTableAnnouncement		Write		ec2:Region
DeleteTransitGatewayVpcAttachment	Grants permission to delete a VPC attachment from a transit gateway	Write	transit-gateway-attachment*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayAttachmentId
DeleteTransitGatewayVpcAttachment		Write		ec2:Region
DeleteVerifiedAccessEndpoint	Grants permission to delete a Verified Access endpoint	Write	verified-access-endpoint*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteVerifiedAccessEndpoint	Grants permission to delete a Verified Access endpoint	Write		ec2:Region
DeleteVerifiedAccessGroup	Grants permission to delete a Verified Access group	Write	verified-access-group*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteVerifiedAccessGroup	Grants permission to delete a Verified Access group	Write		ec2:Region
DeleteVerifiedAccessInstance	Grants permission to delete a Verified Access instance	Write	verified-access-instance*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteVerifiedAccessInstance	Grants permission to delete a Verified Access instance	Write		ec2:Region
DeleteVerifiedAccessTrustProvider	Grants permission to delete a verified trust provider	Write	verified-access-trust-provider*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteVerifiedAccessTrustProvider	Grants permission to delete a verified trust provider	Write		ec2:Region
DeleteVolume	Grants permission to delete an EBS volume	Write	volume*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:Encrypted ec2:ManagedResourceOperator ec2:ParentSnapshot ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:VolumeID ec2:VolumeInitializationRate ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType
DeleteVolume	Grants permission to delete an EBS volume	Write		ec2:Region
DeleteVpc	Grants permission to delete a VPC	Write	vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
DeleteVpc	Grants permission to delete a VPC	Write		ec2:Region
DeleteVpcBlockPublicAccessExclusion	Grants permission to delete an exclusion list for blocked public access on a VPC	Write	vpc-block-public-access-exclusion*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteVpcBlockPublicAccessExclusion		Write		ec2:Region
DeleteVpcEndpointConnectionNotifications	Grants permission to delete one or more VPC endpoint connection notifications	Write	vpc-endpoint	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			vpc-endpoint-service	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:VpceMultiRegion ec2:VpceSupportedRegion
				ec2:Region
DeleteVpcEndpointServiceConfigurations	Grants permission to delete one or more VPC endpoint service configurations	Write	vpc-endpoint-service*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:VpceMultiRegion ec2:VpceSupportedRegion
DeleteVpcEndpointServiceConfigurations		Write		ec2:Region
DeleteVpcEndpoints	Grants permission to delete one or more VPC endpoints	Write	vpc-endpoint*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:VpceMultiRegion ec2:VpceServiceName ec2:VpceServiceRegion
DeleteVpcEndpoints	Grants permission to delete one or more VPC endpoints	Write		ec2:Region
DeleteVpcPeeringConnection	Grants permission to delete a VPC peering connection	Write	vpc-peering-connection*	aws:ResourceTag/${TagKey} ec2:AccepterVpc ec2:RequesterVpc ec2:ResourceTag/${TagKey} ec2:VpcPeeringConnectionID
DeleteVpcPeeringConnection	Grants permission to delete a VPC peering connection	Write		ec2:Region
DeleteVpnConnection	Grants permission to delete a VPN connection	Write	vpn-connection*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteVpnConnection	Grants permission to delete a VPN connection	Write		ec2:Region
DeleteVpnConnectionRoute	Grants permission to delete a static route for a VPN connection between a virtual private gateway and a customer gateway	Write	vpn-connection*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteVpnConnectionRoute		Write		ec2:Region
DeleteVpnGateway	Grants permission to delete a virtual private gateway	Write	vpn-gateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeleteVpnGateway	Grants permission to delete a virtual private gateway	Write		ec2:Region
DeprovisionByoipCidr	Grants permission to release an IP address range that was provisioned through bring your own IP addresses (BYOIP), and to delete the corresponding address pool	Write		ec2:Region
DeprovisionIpamByoasn	Grants permission to deprovision an Autonomous System Number (ASN) from an Amazon Web Services account	Write	ipam*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeprovisionIpamByoasn		Write		ec2:Region
DeprovisionIpamPoolCidr	Grants permission to deprovision a CIDR provisioned from an Amazon VPC IP Address Manager (IPAM) pool	Write	ipam-pool*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeprovisionIpamPoolCidr		Write		ec2:Region
DeprovisionPublicIpv4PoolCidr	Grants permission to deprovision a CIDR from a public IPv4 pool	Write	ipv4pool-ec2*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DeprovisionPublicIpv4PoolCidr		Write		ec2:Region
DeregisterImage	Grants permission to deregister an Amazon Machine Image (AMI)	Write	image*	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
DeregisterImage		Write		ec2:Region
DeregisterInstanceEventNotificationAttributes	Grants permission to remove tags from the set of tags to include in notifications about scheduled events for your instances	Write		ec2:Region
DeregisterTransitGatewayMulticastGroupMembers	Grants permission to deregister one or more network interface members from a group IP address in a transit gateway multicast domain	Write	network-interface	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ManagedResourceOperator ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
			transit-gateway-multicast-domain	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayMulticastDomainId
				ec2:Region
DeregisterTransitGatewayMulticastGroupSources	Grants permission to deregister one or more network interface sources from a group IP address in a transit gateway multicast domain	Write	network-interface	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ManagedResourceOperator ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
			transit-gateway-multicast-domain	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayMulticastDomainId
				ec2:Region
DescribeAccountAttributes	Grants permission to describe the attributes of the AWS account	List		ec2:Region
DescribeAddressTransfers	Grants permission to describe an Elastic IP address transfer	List		ec2:Region
DescribeAddresses	Grants permission to describe one or more Elastic IP addresses	List		ec2:Region
DescribeAddressesAttribute	Grants permission to describe the attributes of the specified Elastic IP addresses	List		ec2:Region
DescribeAggregateIdFormat	Grants permission to describe the longer ID format settings for all resource types	List		ec2:Region
DescribeAvailabilityZones	Grants permission to describe one or more of the Availability Zones that are available to you	List		ec2:Region
DescribeAwsNetworkPerformanceMetricSubscriptions	Grants permission to describe the current infrastructure performance metric subscriptions	List		ec2:Region
DescribeBundleTasks	Grants permission to describe one or more bundling tasks	List		ec2:Region
DescribeByoipCidrs	Grants permission to describe the IP address ranges that were provisioned through bring your own IP addresses (BYOIP)	List		ec2:Region
DescribeCapacityBlockExtensionHistory	Grants permission to describe Capacity Block extensions history	List		ec2:Region
DescribeCapacityBlockExtensionOfferings	Grants permission to describe Capacity Block extensions offerings	List	capacity-reservation*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:CapacityReservationFleet ec2:CreateDate ec2:DestinationCapacityReservationId ec2:EbsOptimized ec2:EndDate ec2:EndDateType ec2:InstanceCount ec2:InstanceMatchCriteria ec2:InstancePlatform ec2:InstanceType ec2:OutpostArn ec2:PlacementGroup ec2:ResourceTag/${TagKey} ec2:SourceCapacityReservationId ec2:Tenancy
DescribeCapacityBlockExtensionOfferings		List		ec2:Region
DescribeCapacityBlockOfferings	Grants permission to describe Capacity Block offerings available for purchase	List		ec2:Region
DescribeCapacityBlockStatus	Grants permission to describe the availability of capacity for the specified Capacity blocks, or all of your Capacity Blocks	List		ec2:Region
DescribeCapacityBlocks	Grants permission to describe details about Capacity Blocks in the AWS Region that you're currently using	List		ec2:Region
DescribeCapacityManagerDataExports	Grants permission to describe one or more Capacity Manager data export configurations	List		ec2:Region
DescribeCapacityReservationBillingRequests	Grants permission to describe one or more requests to assign the billing of the unused capacity of a Capacity Reservation	List		ec2:Region
DescribeCapacityReservationFleets	Grants permission to describe one or more Capacity Reservation Fleets	List		ec2:Region
DescribeCapacityReservations	Grants permission to describe one or more Capacity Reservations	List		ec2:Region
DescribeCarrierGateways	Grants permission to describe one or more Carrier Gateways	List		ec2:Region
DescribeClassicLinkInstances	Grants permission to describe one or more linked EC2-Classic instances	List		ec2:Region
DescribeClientVpnAuthorizationRules	Grants permission to describe the authorization rules for a Client VPN endpoint	List	client-vpn-endpoint*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DescribeClientVpnAuthorizationRules		List		ec2:Region
DescribeClientVpnConnections	Grants permission to describe active client connections and connections that have been terminated within the last 60 minutes for a Client VPN endpoint	List	client-vpn-endpoint*	aws:ResourceTag/${TagKey} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
DescribeClientVpnConnections		List		ec2:Region
DescribeClientVpnEndpoints	Grants permission to describe one or more Client VPN endpoints	List		ec2:Region
DescribeClientVpnRoutes	Grants permission to describe the routes for a Client VPN endpoint	List	client-vpn-endpoint*	aws:ResourceTag/${TagKey} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
DescribeClientVpnRoutes		List		ec2:Region
DescribeClientVpnTargetNetworks	Grants permission to describe the target networks that are associated with a Client VPN endpoint	List	client-vpn-endpoint*	aws:ResourceTag/${TagKey} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
DescribeClientVpnTargetNetworks		List		ec2:Region
DescribeCoipPools	Grants permission to describe the specified customer-owned address pools or all of your customer-owned address pools	List		ec2:Region
DescribeConversionTasks	Grants permission to describe one or more conversion tasks	List		ec2:Region
DescribeCustomerGateways	Grants permission to describe one or more customer gateways	List		ec2:Region
DescribeDeclarativePoliciesReports	Grants permission to describe one or more declarative policies reports	List		ec2:Region
DescribeDhcpOptions	Grants permission to describe one or more DHCP options sets	List		ec2:Region
DescribeEgressOnlyInternetGateways	Grants permission to describe one or more egress-only internet gateways	List		ec2:Region
DescribeElasticGpus	Grants permission to describe an Elastic Graphics accelerator that is associated with an instance	List		ec2:Region
DescribeExportImageTasks	Grants permission to describe one or more export image tasks	List		ec2:Region
DescribeExportTasks	Grants permission to describe one or more export instance tasks	List		ec2:Region
DescribeFastLaunchImages	Grants permission to describe fast-launch enabled Windows AMIs	List		ec2:Region
DescribeFastSnapshotRestores	Grants permission to describe the state of fast snapshot restores for snapshots	List		ec2:Region
DescribeFleetHistory	Grants permission to describe the events for an EC2 Fleet during a specified time	List	fleet*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DescribeFleetHistory		List		ec2:Region
DescribeFleetInstances	Grants permission to describe the running instances for an EC2 Fleet	List	fleet*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DescribeFleetInstances		List		ec2:Region
DescribeFleets	Grants permission to describe one or more EC2 Fleets	List		ec2:Region
DescribeFlowLogs	Grants permission to describe one or more flow logs	List		ec2:Region
DescribeFpgaImageAttribute	Grants permission to describe the attributes of an Amazon FPGA Image (AFI)	List	fpga-image*	aws:ResourceTag/${TagKey} ec2:Owner ec2:ResourceTag/${TagKey}
DescribeFpgaImageAttribute		List		ec2:Region
DescribeFpgaImages	Grants permission to describe one or more Amazon FPGA Images (AFIs)	List		ec2:Region
DescribeHostReservationOfferings	Grants permission to describe the Dedicated Host Reservations that are available to purchase	List		ec2:Region
DescribeHostReservations	Grants permission to describe the Dedicated Host Reservations that are associated with Dedicated Hosts in the AWS account	List		ec2:Region
DescribeHosts	Grants permission to describe one or more Dedicated Hosts	List		ec2:Region
DescribeIamInstanceProfileAssociations	Grants permission to describe the IAM instance profile associations	List		ec2:Region
DescribeIdFormat	Grants permission to describe the ID format settings for resources	List		ec2:Region
DescribeIdentityIdFormat	Grants permission to describe the ID format settings for resources for an IAM user, IAM role, or root user	List		ec2:Region
DescribeImageAttribute	Grants permission to describe an attribute of an Amazon Machine Image (AMI)	List	image*	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
DescribeImageAttribute		List		ec2:Region
DescribeImageReferences	Grants permission to describe your AWS resources that are referencing specified images	List		ec2:Region
DescribeImageUsageReportEntries	Grants permission to describe the entries of an AMI usage report	List		ec2:Region
DescribeImageUsageReports	Grants permission to describe the configuration and status of an AMI usage report	List		ec2:Region
DescribeImages	Grants permission to describe one or more images (AMIs, AKIs, and ARIs)	List		ec2:Region
DescribeImportImageTasks	Grants permission to describe import virtual machine or import snapshot tasks	List		ec2:Region
DescribeImportSnapshotTasks	Grants permission to describe import snapshot tasks	List		ec2:Region
DescribeInstanceAttribute	Grants permission to describe the attributes of an instance	List	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
DescribeInstanceAttribute	Grants permission to describe the attributes of an instance	List		ec2:Region
DescribeInstanceConnectEndpoints	Grants permission to describe EC2 Instance Connect Endpoints	List		ec2:Region
DescribeInstanceCreditSpecifications	Grants permission to describe the credit option for CPU usage of one or more burstable performance instances	List		ec2:Region
DescribeInstanceEventNotificationAttributes	Grants permission to describe the set of tags to include in notifications about scheduled events for your instances	List		ec2:Region
DescribeInstanceEventWindows	Grants permission to describe the specified event windows or all event windows	List		ec2:Region
DescribeInstanceImageMetadata	Grants permission to describe the AMI that was used to launch an instance	List		ec2:Region
DescribeInstanceStatus	Grants permission to describe the status of one or more instances	List		ec2:Region
DescribeInstanceTopology	Grants permission to describe a tree-based hierarchy that represents the physical host placement of EC2 instances	List		ec2:Region
DescribeInstanceTypeOfferings	Grants permission to describe the set of instance types that are offered in a location	List		ec2:Region
DescribeInstanceTypes	Grants permission to describe the details of instance types that are offered in a location	List		ec2:Region
DescribeInstances	Grants permission to describe one or more instances	List		ec2:Region
DescribeInternetGateways	Grants permission to describe one or more internet gateways	List		ec2:Region
DescribeIpamByoasn	Grants permission to describe a bring your own Autonomous System Number (BYOASN) that you've brought to IPAM	List		ec2:Region
DescribeIpamExternalResourceVerificationTokens	Grants permission to describe verification tokens, which proves ownership of an external resource	List		ec2:Region
DescribeIpamPools	Grants permission to describe Amazon VPC IP Address Manager (IPAM) pools	List		ec2:Region
DescribeIpamResourceDiscoveries	Grants permission to describe IPAM resource discoveries	List		ec2:Region
DescribeIpamResourceDiscoveryAssociations	Grants permission to describe resource discovery associations with an Amazon VPC IPAM	List		ec2:Region
DescribeIpamScopes	Grants permission to describe Amazon VPC IP Address Manager (IPAM) scopes	List		ec2:Region
DescribeIpams	Grants permission to describe an Amazon VPC IP Address Manager (IPAM)	List		ec2:Region
DescribeIpv6Pools	Grants permission to describe one or more IPv6 address pools	List		ec2:Region
DescribeKeyPairs	Grants permission to describe one or more key pairs	List		ec2:Region
DescribeLaunchTemplateVersions	Grants permission to describe one or more launch template versions	List		ec2:Region	ssm:GetParameters
DescribeLaunchTemplates	Grants permission to describe one or more launch templates	List		ec2:Region
DescribeLocalGatewayRouteTablePermissions [permission only]	Grants permission to allow a service to describe local gateway route table permissions	List		ec2:Region
DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations	Grants permission to describe the associations between virtual interface groups and local gateway route tables	List		ec2:Region
DescribeLocalGatewayRouteTableVpcAssociations	Grants permission to describe an association between VPCs and local gateway route tables	List		ec2:Region
DescribeLocalGatewayRouteTables	Grants permission to describe one or more local gateway route tables	List		ec2:Region
DescribeLocalGatewayVirtualInterfaceGroups	Grants permission to describe local gateway virtual interface groups	List		ec2:Region
DescribeLocalGatewayVirtualInterfaces	Grants permission to describe local gateway virtual interfaces	List		ec2:Region
DescribeLocalGateways	Grants permission to describe one or more local gateways	List		ec2:Region
DescribeLockedSnapshots	Grants permission to describe the lock status for a snapshot	List		ec2:Region
DescribeMacHosts	Grants permission to describe your EC2 Mac Dedicated hosts	List		ec2:Region
DescribeMacModificationTasks	Grants permission to describe a System Integrity Protection (SIP) modification task or volume ownership delegation task for an Amazon EC2 Mac instance	List		ec2:Region
DescribeManagedPrefixLists	Grants permission to describe your managed prefix lists and any AWS-managed prefix lists	List		ec2:Region
DescribeMovingAddresses	Grants permission to describe Elastic IP addresses that are being moved to the EC2-VPC platform	List		ec2:Region
DescribeNatGateways	Grants permission to describe one or more NAT gateways	List		ec2:Region
DescribeNetworkAcls	Grants permission to describe one or more network ACLs	List		ec2:Region
DescribeNetworkInsightsAccessScopeAnalyses	Grants permission to describe one or more Network Access Scope analyses	List		ec2:Region
DescribeNetworkInsightsAccessScopes	Grants permission to describe the Network Access Scopes	List		ec2:Region
DescribeNetworkInsightsAnalyses	Grants permission to describe one or more network insights analyses	List		ec2:Region
DescribeNetworkInsightsPaths	Grants permission to describe one or more network insights paths	List		ec2:Region
DescribeNetworkInterfaceAttribute	Grants permission to describe a network interface attribute	List		ec2:Region
DescribeNetworkInterfacePermissions	Grants permission to describe the permissions that are associated with a network interface	List		ec2:Region
DescribeNetworkInterfaces	Grants permission to describe one or more network interfaces	List		ec2:Region
DescribeOutpostLags	Grants permission to describe Outpost LAGs	List		ec2:Region
DescribePlacementGroups	Grants permission to describe one or more placement groups	List		ec2:Region
DescribePrefixLists	Grants permission to describe available AWS services in a prefix list format	List		ec2:Region
DescribePrincipalIdFormat	Grants permission to describe the ID format settings for the root user and all IAM roles and IAM users that have explicitly specified a longer ID (17-character ID) preference	List		ec2:Region
DescribePublicIpv4Pools	Grants permission to describe one or more IPv4 address pools	List		ec2:Region
DescribeRegions	Grants permission to describe one or more AWS Regions that are currently available in your account	List		ec2:Region
DescribeReplaceRootVolumeTasks	Grants permission to describe a root volume replacement task	List		ec2:Region
DescribeReservedInstances	Grants permission to describe one or more purchased Reserved Instances in your account	List		ec2:Region
DescribeReservedInstancesListings	Grants permission to describe your account's Reserved Instance listings in the Reserved Instance Marketplace	List		ec2:Region
DescribeReservedInstancesModifications	Grants permission to describe the modifications made to one or more Reserved Instances	List		ec2:Region
DescribeReservedInstancesOfferings	Grants permission to describe the Reserved Instance offerings that are available for purchase	List		ec2:Region
DescribeRouteServerEndpoints	Grants permission to describe one or more route server endpoints	List		ec2:Region
DescribeRouteServerPeers	Grants permission to describe one or more route server peers	List		ec2:Region
DescribeRouteServers	Grants permission to describe one or more route servers	List		ec2:Region
DescribeRouteTables	Grants permission to describe one or more route tables	List		ec2:Region
DescribeScheduledInstanceAvailability	Grants permission to find available schedules for Scheduled Instances	List		ec2:Region
DescribeScheduledInstances	Grants permission to describe one or more Scheduled Instances in your account	List		ec2:Region
DescribeSecurityGroupReferences	Grants permission to describe the VPCs on the other side of a VPC peering connection that are referencing specified VPC security groups	List	security-group*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
DescribeSecurityGroupReferences		List		ec2:Region
DescribeSecurityGroupRules	Grants permission to describe one or more of your security group rules	List		ec2:Region
DescribeSecurityGroupVpcAssociations	Grants permission to describe security group VPC associations	List		ec2:Region
DescribeSecurityGroups	Grants permission to describe one or more security groups	List		ec2:Region
DescribeServiceLinkVirtualInterfaces	Grants permission to describe service link virtual interfaces	List		ec2:Region
DescribeSnapshotAttribute	Grants permission to describe an attribute of a snapshot	List	snapshot*	aws:ResourceTag/${TagKey} ec2:Encrypted ec2:OutpostArn ec2:Owner ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:SnapshotID ec2:SnapshotTime ec2:SourceOutpostArn ec2:VolumeSize
DescribeSnapshotAttribute	Grants permission to describe an attribute of a snapshot	List		ec2:Region
DescribeSnapshotTierStatus	Grants permission to describe the storage tier status for Amazon EBS snapshots	List		ec2:Region
DescribeSnapshots	Grants permission to describe one or more EBS snapshots	List		ec2:Region
DescribeSpotDatafeedSubscription	Grants permission to describe the data feed for Spot Instances	List		ec2:Region
DescribeSpotFleetInstances	Grants permission to describe the running instances for a Spot Fleet	List	spot-fleet-request*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DescribeSpotFleetInstances		List		ec2:Region
DescribeSpotFleetRequestHistory	Grants permission to describe the events for a Spot Fleet request during a specified time	List	spot-fleet-request*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DescribeSpotFleetRequestHistory		List		ec2:Region
DescribeSpotFleetRequests	Grants permission to describe one or more Spot Fleet requests	List		ec2:Region
DescribeSpotInstanceRequests	Grants permission to describe one or more Spot Instance requests	List		ec2:Region
DescribeSpotPriceHistory	Grants permission to describe the Spot Instance price history	List		ec2:Region
DescribeStaleSecurityGroups	Grants permission to describe the stale security group rules for security groups in a specified VPC	List		ec2:Region
DescribeStoreImageTasks	Grants permission to describe the progress of the AMI store tasks	List		ec2:Region
DescribeSubnets	Grants permission to describe one or more subnets	List		ec2:Region
DescribeTags	Grants permission to describe one or more tags for an Amazon EC2 resource	List		ec2:Region
DescribeTrafficMirrorFilterRules	Grants permission to describe traffic mirror filters that determine the traffic that is mirrored	List		ec2:Region
DescribeTrafficMirrorFilters	Grants permission to describe one or more traffic mirror filters	List		ec2:Region
DescribeTrafficMirrorSessions	Grants permission to describe one or more traffic mirror sessions	List		ec2:Region
DescribeTrafficMirrorTargets	Grants permission to describe one or more traffic mirror targets	List		ec2:Region
DescribeTransitGatewayAttachments	Grants permission to describe one or more attachments between resources and transit gateways	List		ec2:Region
DescribeTransitGatewayConnectPeers	Grants permission to describe one or more transit gateway connect peers	List		ec2:Region
DescribeTransitGatewayConnects	Grants permission to describe one or more transit gateway connect attachments	List		ec2:Region
DescribeTransitGatewayMulticastDomains	Grants permission to describe one or more transit gateway multicast domains	List		ec2:Region
DescribeTransitGatewayPeeringAttachments	Grants permission to describe one or more transit gateway peering attachments	List		ec2:Region
DescribeTransitGatewayPolicyTables	Grants permission to describe a transit gateway policy table	List		ec2:Region
DescribeTransitGatewayRouteTableAnnouncements	Grants permission to describe a transit gateway route table announcement	List		ec2:Region
DescribeTransitGatewayRouteTables	Grants permission to describe one or more transit gateway route tables	List		ec2:Region
DescribeTransitGatewayVpcAttachments	Grants permission to describe one or more VPC attachments on a transit gateway	List		ec2:Region
DescribeTransitGateways	Grants permission to describe one or more transit gateways	List		ec2:Region
DescribeTrunkInterfaceAssociations	Grants permission to describe one or more network interface trunk associations	List		ec2:Region
DescribeVerifiedAccessEndpoints	Grants permission to describe the specified Verified Access endpoints or all Verified Access endpoints	List		ec2:Region
DescribeVerifiedAccessGroups	Grants permission to describe the specified Verified Access groups or all Verified Access groups	List		ec2:Region
DescribeVerifiedAccessInstanceLoggingConfigurations	Grants permission to describe the current logging configuration for the Verified Access instances	List		ec2:Region
DescribeVerifiedAccessInstanceWebAclAssociations [permission only]	Grants permission to describe the AWS Web Application Firewall (WAF) web access control list (ACL) associations for a Verified Access instance	List		ec2:Region
DescribeVerifiedAccessInstances	Grants permission to describe the specified Verified Access instances or all Verified Access instances	List		ec2:Region
DescribeVerifiedAccessTrustProviders	Grants permission to describe details of existing Verified Access trust providers	List		ec2:Region
DescribeVolumeAttribute	Grants permission to describe an attribute of an EBS volume	List	volume*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:Encrypted ec2:ManagedResourceOperator ec2:ParentSnapshot ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:VolumeID ec2:VolumeInitializationRate ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType
DescribeVolumeAttribute	Grants permission to describe an attribute of an EBS volume	List		ec2:Region
DescribeVolumeStatus	Grants permission to describe the status of one or more EBS volumes	List		ec2:Region
DescribeVolumes	Grants permission to describe one or more EBS volumes	List		ec2:Region
DescribeVolumesModifications	Grants permission to describe the current modification status of one or more EBS volumes	List		ec2:Region
DescribeVpcAttribute	Grants permission to describe an attribute of a VPC	List	vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
DescribeVpcAttribute	Grants permission to describe an attribute of a VPC	List		ec2:Region
DescribeVpcBlockPublicAccessExclusions	Grants permission to describe an exclusion list for blocked public access on a VPC	List		ec2:Region
DescribeVpcBlockPublicAccessOptions	Grants permission to describe options for blocked public access on a VPC	List		ec2:Region
DescribeVpcClassicLink	Grants permission to describe the ClassicLink status of one or more VPCs	List		ec2:Region
DescribeVpcClassicLinkDnsSupport	Grants permission to describe the ClassicLink DNS support status of one or more VPCs	List		ec2:Region
DescribeVpcEndpointAssociations	Grants permission to describe the VPC endpoint associations	List		ec2:Region
DescribeVpcEndpointConnectionNotifications	Grants permission to describe the connection notifications for VPC endpoints and VPC endpoint services	List		ec2:Region
DescribeVpcEndpointConnections	Grants permission to describe the VPC endpoint connections to your VPC endpoint services	List		ec2:Region
DescribeVpcEndpointServiceConfigurations	Grants permission to describe VPC endpoint service configurations (your services)	List		ec2:Region
DescribeVpcEndpointServicePermissions	Grants permission to describe the principals (service consumers) that are permitted to discover your VPC endpoint service	List	vpc-endpoint-service*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:VpceMultiRegion ec2:VpceSupportedRegion
DescribeVpcEndpointServicePermissions		List		ec2:Region
DescribeVpcEndpointServices	Grants permission to describe all supported AWS services that can be specified when creating a VPC endpoint	List		ec2:Region
DescribeVpcEndpoints	Grants permission to describe one or more VPC endpoints	List		ec2:Region
DescribeVpcPeeringConnections	Grants permission to describe one or more VPC peering connections	List		ec2:Region
DescribeVpcs	Grants permission to describe one or more VPCs	List		ec2:Region
DescribeVpnConnections	Grants permission to describe one or more VPN connections	List		ec2:Region
DescribeVpnGateways	Grants permission to describe one or more virtual private gateways	List		ec2:Region
DetachClassicLinkVpc	Grants permission to unlink (detach) a linked EC2-Classic instance from a VPC	Write	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
			vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
				ec2:Region
DetachInternetGateway	Grants permission to detach an internet gateway from a VPC	Write	internet-gateway*	aws:ResourceTag/${TagKey} ec2:InternetGatewayID ec2:ResourceTag/${TagKey}
			vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
				ec2:Region
DetachNetworkInterface	Grants permission to detach a network interface from an instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
			network-interface*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ManagedResourceOperator ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
				ec2:Region
DetachVerifiedAccessTrustProvider	Grants permission to detach a trust provider from a Verified Access instance	Write	verified-access-instance*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			verified-access-trust-provider*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
DetachVolume	Grants permission to detach an EBS volume from an instance	Write	volume*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:Encrypted ec2:ManagedResourceOperator ec2:ParentSnapshot ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:VolumeID ec2:VolumeInitializationRate ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType
			instance	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
				ec2:Region
DetachVpnGateway	Grants permission to detach a virtual private gateway from a VPC	Write	vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
			vpn-gateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
DisableAddressTransfer	Grants permission to disable Elastic IP address transfer	Write	elastic-ip*	aws:ResourceTag/${TagKey} ec2:AllocationId ec2:Domain ec2:PublicIpAddress ec2:ResourceTag/${TagKey}
DisableAddressTransfer	Grants permission to disable Elastic IP address transfer	Write		ec2:Region
DisableAllowedImagesSettings	Grants permission to disable allowed images settings	Write		ec2:Region
DisableAwsNetworkPerformanceMetricSubscription	Grants permission to disable infrastructure performance metric subscriptions	Write		ec2:Region
DisableCapacityManager	Grants permission to disable EC2 Capacity Manager for your account	Write		ec2:Region
DisableEbsEncryptionByDefault	Grants permission to disable EBS encryption by default for your account	Write		ec2:Region
DisableFastLaunch	Grants permission to disable faster launching for Windows AMIs	Write	image*	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
DisableFastLaunch		Write		ec2:Region
DisableFastSnapshotRestores	Grants permission to disable fast snapshot restores for one or more snapshots in specified Availability Zones	Write	snapshot*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:Encrypted ec2:Owner ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:SnapshotID ec2:SnapshotTime ec2:VolumeSize
DisableFastSnapshotRestores		Write		ec2:Region
DisableImage	Grants permission to disable an AMI	Write	image*	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
DisableImage	Grants permission to disable an AMI	Write		ec2:Region
DisableImageBlockPublicAccess	Grants permission to disable block public access for AMIs at the account level in the specified AWS Region	Permissions management		ec2:Region
DisableImageDeprecation	Grants permission to cancel the deprecation of the specified AMI	Write	image*	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
DisableImageDeprecation		Write		ec2:Region
DisableImageDeregistrationProtection	Grants permission to disable deregistration protection for an AMI. When deregistration protection is disabled, the AMI can be deregistered	Write	image*	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
DisableImageDeregistrationProtection		Write		ec2:Region
DisableIpamOrganizationAdminAccount	Grants permission to disable an AWS Organizations member account as an Amazon VPC IP Address Manager (IPAM) admin account	Write		ec2:Region	organizations:DeregisterDelegatedAdministrator
DisableRouteServerPropagation	Grants permission to disable route server propagation	Write	route-server*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:RouteTableID ec2:Vpc
				ec2:Region
DisableSerialConsoleAccess	Grants permission to disable access to the EC2 serial console of all instances for your account	Write		ec2:Region
DisableSnapshotBlockPublicAccess	Grants permission to disable the block public access for snapshots setting for a Region	Permissions management		ec2:Region
DisableTransitGatewayRouteTablePropagation	Grants permission to disable a resource attachment from propagating routes to the specified propagation route table	Write	transit-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayRouteTableId
			transit-gateway-attachment	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayAttachmentId
			transit-gateway-route-table-announcement	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayRouteTableAnnouncementId
				ec2:Region
DisableVgwRoutePropagation	Grants permission to disable a virtual private gateway from propagating routes to a specified route table of a VPC	Write	route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:RouteTableID ec2:Vpc
			vpn-gateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
DisableVpcClassicLink	Grants permission to disable ClassicLink for a VPC	Write	vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
DisableVpcClassicLink	Grants permission to disable ClassicLink for a VPC	Write		ec2:Region
DisableVpcClassicLinkDnsSupport	Grants permission to disable ClassicLink DNS support for a VPC	Write	vpc	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
DisableVpcClassicLinkDnsSupport		Write		ec2:Region
DisassociateAddress	Grants permission to disassociate an Elastic IP address from an instance or network interface	Write	elastic-ip	aws:ResourceTag/${TagKey} ec2:AllocationId ec2:Domain ec2:PublicIpAddress ec2:ResourceTag/${TagKey}
			network-interface	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ManagedResourceOperator ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
				ec2:Region
DisassociateCapacityReservationBillingOwner	Grants permission to cancel a pending request to assign billing of the unused capacity of a Capacity Reservation to a consumer account	Write	capacity-reservation*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:CapacityReservationFleet ec2:CreateDate ec2:DestinationCapacityReservationId ec2:EbsOptimized ec2:EndDate ec2:EndDateType ec2:InstanceCount ec2:InstanceMatchCriteria ec2:InstancePlatform ec2:InstanceType ec2:OutpostArn ec2:PlacementGroup ec2:ResourceTag/${TagKey} ec2:SourceCapacityReservationId ec2:Tenancy
DisassociateCapacityReservationBillingOwner		Write		ec2:Region
DisassociateClientVpnTargetNetwork	Grants permission to disassociate a target network from a Client VPN endpoint	Write	client-vpn-endpoint*	aws:ResourceTag/${TagKey} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
DisassociateClientVpnTargetNetwork		Write		ec2:Region
DisassociateEnclaveCertificateIamRole	Grants permission to disassociate an ACM certificate from a IAM role	Write	certificate*
			role*
				ec2:Region
DisassociateIamInstanceProfile	Grants permission to disassociate an IAM instance profile from a running or stopped instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
DisassociateIamInstanceProfile		Write		ec2:Region
DisassociateInstanceEventWindow	Grants permission to disassociate one or more targets from an event window	Write	instance-event-window*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DisassociateInstanceEventWindow		Write		ec2:Region
DisassociateIpamByoasn	Grants permission to disassociate an Autonomous System Number (ASN) from a BYOIP CIDR	Write		ec2:Region
DisassociateIpamResourceDiscovery	Grants permission to disassociate a resource discovery from an Amazon VPC IPAM	Write	ipam-resource-discovery-association*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DisassociateIpamResourceDiscovery		Write		ec2:Region
DisassociateNatGatewayAddress	Grants permission to disassociate a secondary Elastic IP address from a public NAT gateway	Write	elastic-ip*	aws:ResourceTag/${TagKey} ec2:AllocationId ec2:Domain ec2:PublicIpAddress ec2:ResourceTag/${TagKey}
			natgateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			network-interface	aws:ResourceTag/${TagKey} ec2:AuthorizedUser ec2:AvailabilityZone ec2:ManagedResourceOperator ec2:NetworkInterfaceID ec2:Permission ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
				ec2:Region
DisassociateRouteServer	Grants permission to disassociate a route server from a VPC	Write	route-server*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			vpc*	aws:ResourceTag/${TagKey} ec2:Ipv4IpamPoolId ec2:Ipv6IpamPoolId ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
				ec2:Region
DisassociateRouteTable	Grants permission to disassociate a subnet from a route table	Write	internet-gateway	aws:ResourceTag/${TagKey} ec2:InternetGatewayID ec2:ResourceTag/${TagKey}
			ipv4pool-ec2	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			ipv6pool-ec2	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			route-table	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:RouteTableID ec2:Vpc
			subnet	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
			vpn-gateway	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
DisassociateSecurityGroupVpc	Grants permission to disassociate a security group from a VPC	Write	security-group*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
			vpc	aws:ResourceTag/${TagKey} ec2:Ipv4IpamPoolId ec2:Ipv6IpamPoolId ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
				ec2:Region
DisassociateSubnetCidrBlock	Grants permission to disassociate a CIDR block from a subnet	Write	subnet*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
DisassociateSubnetCidrBlock		Write		ec2:Region
DisassociateTransitGatewayMulticastDomain	Grants permission to disassociate one or more subnets from a transit gateway multicast domain	Write	subnet*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
			transit-gateway-attachment*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayAttachmentId
			transit-gateway-multicast-domain*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayMulticastDomainId
				ec2:Region
DisassociateTransitGatewayPolicyTable	Grants permission to disassociate a policy table from a transit gateway	Write	transit-gateway-attachment*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayAttachmentId
			transit-gateway-policy-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayPolicyTableId
				ec2:Region
DisassociateTransitGatewayRouteTable	Grants permission to disassociate a resource attachment from a transit gateway route table	Write	transit-gateway-attachment*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayAttachmentId
			transit-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayRouteTableId
				ec2:Region
DisassociateTrunkInterface	Grants permission to disassociate a branch network interface to a trunk network interface	Write		ec2:Region
DisassociateVerifiedAccessInstanceWebAcl [permission only]	Grants permission to disassociate an AWS Web Application Firewall (WAF) web access control list (ACL) from a Verified Access instance	Write	verified-access-instance*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
DisassociateVerifiedAccessInstanceWebAcl [permission only]		Write		ec2:Region
DisassociateVpcCidrBlock	Grants permission to disassociate a CIDR block from a VPC	Write	vpc	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
DisassociateVpcCidrBlock	Grants permission to disassociate a CIDR block from a VPC	Write		ec2:Region
EnableAddressTransfer	Grants permission to enable Elastic IP address transfer	Write	elastic-ip*	aws:ResourceTag/${TagKey} ec2:AllocationId ec2:Domain ec2:PublicIpAddress ec2:ResourceTag/${TagKey}
EnableAddressTransfer	Grants permission to enable Elastic IP address transfer	Write		ec2:Region
EnableAllowedImagesSettings	Grants permission to enable allowed images settings	Write		ec2:Region
EnableAwsNetworkPerformanceMetricSubscription	Grants permission to enable infrastructure performance subscriptions	Write		ec2:Region
EnableCapacityManager	Grants permission to enable EC2 Capacity Manager for your account	Write		ec2:Region
EnableEbsEncryptionByDefault	Grants permission to enable EBS encryption by default for your account	Write		ec2:Region
EnableFastLaunch	Grants permission to enable faster launching for Windows AMIs	Write	image*	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType	ec2:CreateLaunchTemplate ec2:CreateSnapshot ec2:CreateTags ec2:DeleteSnapshot ec2:DescribeImages ec2:DescribeInstanceAttribute ec2:DescribeInstanceStatus ec2:DescribeInstanceTypeOfferings ec2:DescribeInstances ec2:DescribeLaunchTemplateVersions ec2:DescribeLaunchTemplates ec2:DescribeSnapshots ec2:DescribeSubnets ec2:RunInstances ec2:StopInstances ec2:TerminateInstances iam:PassRole
			launch-template	aws:ResourceTag/${TagKey} ec2:ManagedResourceOperator ec2:ResourceTag/${TagKey}
				ec2:Region
EnableFastSnapshotRestores	Grants permission to enable fast snapshot restores for one or more snapshots in specified Availability Zones	Write	snapshot*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:Encrypted ec2:Owner ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:SnapshotID ec2:SnapshotTime ec2:VolumeSize
EnableFastSnapshotRestores		Write		ec2:Region
EnableImage	Grants permission to re-enable a disabled AMI	Write	image*	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
EnableImage	Grants permission to re-enable a disabled AMI	Write		ec2:Region
EnableImageBlockPublicAccess	Grants permission to enable block public access for AMIs at the account level in the specified AWS Region	Permissions management		ec2:Region
EnableImageDeprecation	Grants permission to enable deprecation of the specified AMI at the specified date and time	Write	image*	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
EnableImageDeprecation		Write		ec2:Region
EnableImageDeregistrationProtection	Grants permission to enable deregistration protection for an AMI. When deregistration protection is enabled, the AMI can't be deregistered	Write	image*	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
EnableImageDeregistrationProtection		Write		ec2:Region
EnableIpamOrganizationAdminAccount	Grants permission to enable an AWS Organizations member account as an Amazon VPC IP Address Manager (IPAM) admin account	Write		ec2:Region	iam:CreateServiceLinkedRole organizations:EnableAWSServiceAccess organizations:RegisterDelegatedAdministrator
EnableReachabilityAnalyzerOrganizationSharing	Grants permission to enable organization sharing of reachability analyzer	Write		ec2:Region	iam:CreateServiceLinkedRole organizations:EnableAWSServiceAccess
EnableRouteServerPropagation	Grants permission to enable route server propagation	Write	route-server*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:RouteTableID ec2:Vpc
				ec2:Region
EnableSerialConsoleAccess	Grants permission to enable access to the EC2 serial console of all instances for your account	Write		ec2:Region
EnableSnapshotBlockPublicAccess	Grants permission to enable or modify the block public access for snapshots setting for a Region	Permissions management		ec2:Region
EnableTransitGatewayRouteTablePropagation	Grants permission to enable an attachment to propagate routes to a propagation route table	Write	transit-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayRouteTableId
			transit-gateway-attachment	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayAttachmentId
			transit-gateway-route-table-announcement	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayRouteTableAnnouncementId
				ec2:Region
EnableVgwRoutePropagation	Grants permission to enable a virtual private gateway to propagate routes to a VPC route table	Write	route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:RouteTableID ec2:Vpc
			vpn-gateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
EnableVolumeIO	Grants permission to enable I/O operations for a volume that had I/O operations disabled	Write	volume*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:Encrypted ec2:ManagedResourceOperator ec2:ParentSnapshot ec2:ResourceTag/${TagKey} ec2:VolumeID ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType
EnableVolumeIO		Write		ec2:Region
EnableVpcClassicLink	Grants permission to enable a VPC for ClassicLink	Write	vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
EnableVpcClassicLink	Grants permission to enable a VPC for ClassicLink	Write		ec2:Region
EnableVpcClassicLinkDnsSupport	Grants permission to enable a VPC to support DNS hostname resolution for ClassicLink	Write	vpc	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
EnableVpcClassicLinkDnsSupport		Write		ec2:Region
ExportClientVpnClientCertificateRevocationList	Grants permission to download the client certificate revocation list for a Client VPN endpoint	Read	client-vpn-endpoint*	aws:ResourceTag/${TagKey} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
ExportClientVpnClientCertificateRevocationList		Read		ec2:Region
ExportClientVpnClientConfiguration	Grants permission to download the contents of the Client VPN endpoint configuration file for a Client VPN endpoint	Read	client-vpn-endpoint*	aws:ResourceTag/${TagKey} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
ExportClientVpnClientConfiguration		Read		ec2:Region
ExportImage	Grants permission to export an Amazon Machine Image (AMI) to a VM file	Write	export-image-task*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags
			image*	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
				ec2:Region
ExportTransitGatewayRoutes	Grants permission to export routes from a transit gateway route table to an Amazon S3 bucket	Write		ec2:Region
ExportVerifiedAccessInstanceClientConfiguration	Grants permission to export a verified access instance client configuration	Read	verified-access-instance*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
ExportVerifiedAccessInstanceClientConfiguration		Read		ec2:Region
GetActiveVpnTunnelStatus	Grants permission to retrieve the current security parameters for an active VPN tunnel	Read	vpn-connection*	ec2:ResourceTag/${TagKey}
GetActiveVpnTunnelStatus		Read		ec2:Region
GetAllowedImagesSettings	Grants permission to get the allowed settings for images	Read		ec2:Region
GetAssociatedEnclaveCertificateIamRoles	Grants permission to get the list of roles associated with an ACM certificate	Read	certificate*
GetAssociatedEnclaveCertificateIamRoles		Read		ec2:Region
GetAssociatedIpv6PoolCidrs	Grants permission to get information about the IPv6 CIDR block associations for a specified IPv6 address pool	Read	ipv6pool-ec2*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
GetAssociatedIpv6PoolCidrs		Read		ec2:Region
GetAwsNetworkPerformanceData	Grants permission to get network performance data	Read		ec2:Region
GetCapacityManagerAttributes	Grants permission to retrieve the current configuration and status of EC2 Capacity Manager	Read		ec2:Region
GetCapacityManagerMetricData	Grants permission to retrieve capacity usage metrics for your EC2 resources	Read		ec2:Region
GetCapacityManagerMetricDimensions	Grants permission to retrieve the available dimension values for capacity metrics within a specified time range	Read		ec2:Region
GetCapacityReservationUsage	Grants permission to get usage information about a Capacity Reservation	Read	capacity-reservation*	aws:ResourceTag/${TagKey} ec2:CapacityReservationFleet
GetCapacityReservationUsage		Read		ec2:Region
GetCoipPoolUsage	Grants permission to describe the allocations from the specified customer-owned address pool	Read	coip-pool*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
GetCoipPoolUsage		Read		ec2:Region
GetConsoleOutput	Grants permission to get the console output for an instance	Read	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
GetConsoleOutput	Grants permission to get the console output for an instance	Read		ec2:Region
GetConsoleScreenshot	Grants permission to retrieve a JPG-format screenshot of a running instance	Read	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:NewInstanceProfile ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
GetConsoleScreenshot		Read		ec2:Region
GetDeclarativePoliciesReportSummary	Grants permission to get the report summary of declarative policies	Read	declarative-policies-report*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
GetDeclarativePoliciesReportSummary		Read		ec2:Region
GetDefaultCreditSpecification	Grants permission to get the default credit option for CPU usage of a burstable performance instance family	Read		ec2:Region
GetEbsDefaultKmsKeyId	Grants permission to get the ID of the default customer master key (CMK) for EBS encryption by default	Read		ec2:Region
GetEbsEncryptionByDefault	Grants permission to describe whether EBS encryption by default is enabled for your account	Read		ec2:Region
GetFlowLogsIntegrationTemplate	Grants permission to generate a CloudFormation template to streamline the integration of VPC flow logs with Amazon Athena	Read	vpc-flow-log*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
GetFlowLogsIntegrationTemplate		Read		ec2:Region
GetGroupsForCapacityReservation	Grants permission to list the resource groups to which a Capacity Reservation has been added	List	capacity-reservation*	aws:ResourceTag/${TagKey} ec2:CapacityReservationFleet
GetGroupsForCapacityReservation		List		ec2:Region
GetHostReservationPurchasePreview	Grants permission to preview a reservation purchase with configurations that match those of a Dedicated Host	Read		ec2:Region
GetImageBlockPublicAccessState	Grants permission to get the current state of block public access for AMIs at the account level in the specified AWS Region	Read		ec2:Region
GetInstanceMetadataDefaults	Grants permission to view the default instance metadata service (IMDS) settings set for your account in the specified Region	List		ec2:Region
GetInstanceTpmEkPub	Grants permission to get the public endorsement key associated with the Nitro Trusted Platform Module (NitroTPM) for the specified instance	Read	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
GetInstanceTpmEkPub		Read		ec2:Region
GetInstanceTypesFromInstanceRequirements	Grants permission to view a list of instance types with specified instance attributes	List		ec2:Region
GetInstanceUefiData	Grants permission to retrieve the binary representation of the UEFI variable store	Read	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:NewInstanceProfile ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
GetInstanceUefiData		Read		ec2:Region
GetIpamAddressHistory	Grants permission to retrieve historical information about a CIDR within an Amazon VPC IP Address Manager (IPAM) scope	Read	ipam-scope*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
GetIpamAddressHistory		Read		ec2:Region
GetIpamDiscoveredAccounts	Grants permission to retrieve IPAM discovered accounts	Read	ipam-resource-discovery*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
GetIpamDiscoveredAccounts	Grants permission to retrieve IPAM discovered accounts	Read		ec2:Region
GetIpamDiscoveredPublicAddresses	Grants permission to retrieve the public IP addresses that have been discovered by IPAM	Read	ipam-resource-discovery*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
GetIpamDiscoveredPublicAddresses		Read		ec2:Region
GetIpamDiscoveredResourceCidrs	Grants permission to retrieve the resource CIDRs that are monitored as part of a resource discovery	Read	ipam-resource-discovery*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
GetIpamDiscoveredResourceCidrs		Read		ec2:Region
GetIpamPoolAllocations	Grants permission to get a list of all the CIDR allocations in an Amazon VPC IP Address Manager (IPAM) pool	List	ipam-pool*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
GetIpamPoolAllocations		List		ec2:Region
GetIpamPoolCidrs	Grants permission to get the CIDRs provisioned to an Amazon VPC IP Address Manager (IPAM) pool	Read	ipam-pool*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
GetIpamPoolCidrs		Read		ec2:Region
GetIpamResourceCidrs	Grants permission to get information about the resources in an Amazon VPC IP Address Manager (IPAM) scope	Read	ipam-scope*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			ipam-pool	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
GetLaunchTemplateData	Grants permission to get the configuration data of the specified instance for use with a new launch template or launch template version	Read	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
GetLaunchTemplateData		Read		ec2:Region
GetManagedPrefixListAssociations	Grants permission to get information about the resources that are associated with the specified managed prefix list	Read	prefix-list*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
GetManagedPrefixListAssociations		Read		ec2:Region
GetManagedPrefixListEntries	Grants permission to get information about the entries for a specified managed prefix list	Read	prefix-list*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
GetManagedPrefixListEntries		Read		ec2:Region
GetNetworkInsightsAccessScopeAnalysisFindings	Grants permission to get the findings for one or more Network Access Scope analyses	Read	network-insights-access-scope-analysis*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
GetNetworkInsightsAccessScopeAnalysisFindings		Read		ec2:Region
GetNetworkInsightsAccessScopeContent	Grants permission to get the content for a specified Network Access Scope	Read	network-insights-access-scope*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
GetNetworkInsightsAccessScopeContent		Read		ec2:Region
GetPasswordData	Grants permission to retrieve the encrypted administrator password for a running Windows instance	Read	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
GetPasswordData		Read		ec2:Region
GetReservedInstancesExchangeQuote	Grants permission to return a quote and exchange information for exchanging one or more Convertible Reserved Instances for a new Convertible Reserved Instance	Read	reserved-instances*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:InstanceType ec2:ReservedInstancesOfferingType ec2:ResourceTag/${TagKey} ec2:Tenancy
GetReservedInstancesExchangeQuote		Read		ec2:Region
GetResourcePolicy [permission only]	Grants permission to describe an IAM policy that enables cross-account sharing	Read	ipam-pool	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			placement-group	aws:ResourceTag/${TagKey} ec2:PlacementGroupName ec2:PlacementGroupStrategy ec2:ResourceTag/${TagKey}
			verified-access-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
GetRouteServerAssociations	Grants permission to get associations for a route server	Read	route-server*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
GetRouteServerAssociations	Grants permission to get associations for a route server	Read		ec2:Region
GetRouteServerPropagations	Grants permission to get propagations for a route server	Read	route-server*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			route-table	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:RouteTableID ec2:Vpc
				ec2:Region
GetRouteServerRoutingDatabase	Grants permission to get the routing database for a route server	Read	route-server*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
GetRouteServerRoutingDatabase		Read		ec2:Region
GetSecurityGroupsForVpc	Grants permission to retrieve a list of security groups for a specified VPC	Read	vpc*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
GetSecurityGroupsForVpc		Read		ec2:Region
GetSerialConsoleAccessStatus	Grants permission to retrieve the access status of your account to the EC2 serial console of all instances	Read		ec2:Region
GetSnapshotBlockPublicAccessState	Grants permission to retrieve the current state of the block public access for snapshots setting for a Region	Read		ec2:Region
GetSpotPlacementScores	Grants permission to calculate the Spot placement score for a Region or Availability Zone based on the specified target capacity and compute requirements	Read		ec2:Region
GetSubnetCidrReservations	Grants permission to retrieve information about the subnet CIDR reservations	Read		ec2:Region
GetTransitGatewayAttachmentPropagations	Grants permission to list the route tables to which a resource attachment propagates routes	List		ec2:Region
GetTransitGatewayMulticastDomainAssociations	Grants permission to get information about the associations for a transit gateway multicast domain	List	transit-gateway-multicast-domain*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayMulticastDomainId
GetTransitGatewayMulticastDomainAssociations		List		ec2:Region
GetTransitGatewayPolicyTableAssociations	Grants permission to get information about associations for a transit gateway policy table	List	transit-gateway-policy-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayPolicyTableId
GetTransitGatewayPolicyTableAssociations		List		ec2:Region
GetTransitGatewayPolicyTableEntries	Grants permission to get information about associations for a transit gateway policy table entry	List	transit-gateway-policy-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayPolicyTableId
GetTransitGatewayPolicyTableEntries		List		ec2:Region
GetTransitGatewayPrefixListReferences	Grants permission to get information about prefix list references for a transit gateway route table	List		ec2:Region
GetTransitGatewayRouteTableAssociations	Grants permission to get information about associations for a transit gateway route table	List		ec2:Region
GetTransitGatewayRouteTablePropagations	Grants permission to get information about the route table propagations for a transit gateway route table	List		ec2:Region
GetVerifiedAccessEndpointPolicy	Grants permission to show the Verified Access policy associated with the endpoint	List	verified-access-endpoint*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
GetVerifiedAccessEndpointPolicy		List		ec2:Region
GetVerifiedAccessEndpointTargets	Grants permission to get verified access endpoint targets	List	verified-access-endpoint*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
GetVerifiedAccessEndpointTargets	Grants permission to get verified access endpoint targets	List		ec2:Region
GetVerifiedAccessGroupPolicy	Grants permission to show the contents of the Verified Access policy associated with the group	List	verified-access-group*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
GetVerifiedAccessGroupPolicy		List		ec2:Region
GetVerifiedAccessInstanceWebAcl [permission only]	Grants permission to show the AWS Web Application Firewall (WAF) web access control list (ACL) for a Verified Access instance	List	verified-access-instance*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
GetVerifiedAccessInstanceWebAcl [permission only]		List		ec2:Region
GetVpnConnectionDeviceSampleConfiguration	Grants permission to download an AWS-provided sample configuration file to be used with the customer gateway device	List	vpn-connection*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			vpn-connection-device-type*
				ec2:Region
GetVpnConnectionDeviceTypes	Grants permission to obtain a list of customer gateway devices for which sample configuration files can be provided	List		ec2:Region
GetVpnTunnelReplacementStatus	Grants permission to view available tunnel endpoint maintenance events	List	vpn-connection*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
GetVpnTunnelReplacementStatus		List		ec2:Region
ImportByoipCidrToIpam [permission only]	Grants permission to transfer existing BYOIP IPv4 CIDRs to IPAM	Write	ipam-pool*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
ImportByoipCidrToIpam [permission only]		Write		ec2:Region
ImportClientVpnClientCertificateRevocationList	Grants permission to upload a client certificate revocation list to a Client VPN endpoint	Write	client-vpn-endpoint*	aws:ResourceTag/${TagKey} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
ImportClientVpnClientCertificateRevocationList		Write		ec2:Region
ImportImage	Grants permission to import single or multi-volume disk images or EBS snapshots into an Amazon Machine Image (AMI)	Write	image*	aws:RequestTag/${TagKey} aws:TagKeys ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:RootDeviceType	ec2:CreateTags
			import-image-task*	aws:RequestTag/${TagKey} aws:TagKeys
			snapshot	aws:ResourceTag/${TagKey} ec2:Owner ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:SnapshotID ec2:SnapshotTime ec2:VolumeSize
				ec2:Region
ImportInstance	Grants permission to create an import instance task using metadata from a disk image	Write	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:CpuOptionsAmdSevSnp ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:ManagedResourceOperator ec2:ResourceTag/${TagKey}
			volume*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:Encrypted ec2:ManagedResourceOperator ec2:ParentSnapshot ec2:ResourceTag/${TagKey} ec2:VolumeID ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType
			security-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
			subnet	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
				ec2:Region
ImportKeyPair	Grants permission to import a public key from an RSA key pair that was created with a third-party tool	Write	key-pair*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags
ImportKeyPair		Write		ec2:Region
ImportSnapshot	Grants permission to import a disk into an EBS snapshot	Write	import-snapshot-task*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags
			snapshot*	aws:RequestTag/${TagKey} aws:TagKeys ec2:Owner ec2:ParentVolume ec2:SnapshotID ec2:SnapshotTime ec2:VolumeSize
				ec2:Region
ImportVolume	Grants permission to create an import volume task using metadata from a disk image	Write	volume*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:Encrypted ec2:ManagedResourceOperator ec2:ParentSnapshot ec2:ResourceTag/${TagKey} ec2:VolumeID ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType
ImportVolume		Write		ec2:Region
InjectApiError [permission only]	Grants permission to temporarily inject errors for target API requests	Write		ec2:FisActionId ec2:FisTargetArns ec2:Region
ListImagesInRecycleBin	Grants permission to list Amazon Machine Images (AMIs) that are currently in the Recycle Bin	List		ec2:Region
ListSnapshotsInRecycleBin	Grants permission to list the Amazon EBS snapshots that are currently in the Recycle Bin	List		ec2:Region
LockSnapshot	Grants permission to lock an Amazon EBS snapshot in either governance or compliance mode to protect it against accidental or malicious deletions	Write	snapshot*	aws:ResourceTag/${TagKey} ec2:Encrypted ec2:Owner ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:SnapshotCoolOffPeriod ec2:SnapshotID ec2:SnapshotLockDuration ec2:SnapshotTime ec2:VolumeSize
LockSnapshot		Write		ec2:Region
ModifyAddressAttribute	Grants permission to modify an attribute of the specified Elastic IP address	Write	elastic-ip*	aws:ResourceTag/${TagKey} ec2:AllocationId ec2:Attribute ec2:Attribute/${AttributeName} ec2:Domain ec2:PublicIpAddress ec2:ResourceTag/${TagKey}
ModifyAddressAttribute		Write		ec2:Region
ModifyAvailabilityZoneGroup	Grants permission to modify the opt-in status of the Local Zone and Wavelength Zone group for your account	Write		ec2:Region
ModifyCapacityReservation	Grants permission to modify a Capacity Reservation's capacity and the conditions under which it is to be released	Write	capacity-reservation*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:CapacityReservationFleet
ModifyCapacityReservation		Write		ec2:Region
ModifyCapacityReservationFleet	Grants permission to modify a Capacity Reservation Fleet	Write	capacity-reservation-fleet*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}	ec2:ModifyCapacityReservation
ModifyCapacityReservationFleet	Grants permission to modify a Capacity Reservation Fleet	Write		ec2:Region
ModifyClientVpnEndpoint	Grants permission to modify a Client VPN endpoint	Write	client-vpn-endpoint*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
			security-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
			vpc	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
				ec2:Region
ModifyDefaultCreditSpecification	Grants permission to change the account level default credit option for CPU usage of burstable performance instances	Write		ec2:Region
ModifyEbsDefaultKmsKeyId	Grants permission to change the default customer master key (CMK) for EBS encryption by default for your account	Write		ec2:Region
ModifyFleet	Grants permission to modify an EC2 Fleet	Write	fleet*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
			image	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
			launch-template	aws:ResourceTag/${TagKey} ec2:ManagedResourceOperator ec2:ResourceTag/${TagKey}
			subnet	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
				ec2:Region
ModifyFpgaImageAttribute	Grants permission to modify an attribute of an Amazon FPGA Image (AFI)	Write	fpga-image*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:Owner ec2:Public ec2:ResourceTag/${TagKey}
ModifyFpgaImageAttribute		Write		ec2:Region
ModifyHosts	Grants permission to modify a Dedicated Host	Write	dedicated-host*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
ModifyHosts	Grants permission to modify a Dedicated Host	Write		ec2:Region
ModifyIdFormat	Grants permission to modify the ID format for a resource	Write		ec2:Region
ModifyIdentityIdFormat	Grants permission to modify the ID format of a resource for a specific principal in your account	Write		ec2:Region
ModifyImageAttribute	Grants permission to modify an attribute of an Amazon Machine Image (AMI)	Write	image*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
ModifyImageAttribute		Write		ec2:Region
ModifyInstanceAttribute	Grants permission to modify an attribute of an instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
			security-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
			volume	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:Encrypted ec2:ManagedResourceOperator ec2:ParentSnapshot ec2:ResourceTag/${TagKey} ec2:VolumeID ec2:VolumeInitializationRate ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType
				ec2:Region
ModifyInstanceCapacityReservationAttributes	Grants permission to modify the Capacity Reservation settings for a stopped instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
			capacity-reservation	aws:ResourceTag/${TagKey}
				ec2:Region
ModifyInstanceConnectEndpoint	Grants permission to modify an existing EC2 Instance Connect Endpoint	Write	instance-connect-endpoint*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
			security-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
				ec2:Region
ModifyInstanceCpuOptions	Grants permission to modify the CPU options on an instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
ModifyInstanceCpuOptions	Grants permission to modify the CPU options on an instance	Write		ec2:Region
ModifyInstanceCreditSpecification	Grants permission to modify the credit option for CPU usage on an instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
ModifyInstanceCreditSpecification		Write		ec2:Region
ModifyInstanceEventStartTime	Grants permission to modify the start time for a scheduled EC2 instance event	Write	instance*	aws:ResourceTag/${TagKey} ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
ModifyInstanceEventStartTime		Write		ec2:Region
ModifyInstanceEventWindow	Grants permission to modify the specified event window	Write	instance-event-window*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
ModifyInstanceEventWindow	Grants permission to modify the specified event window	Write		ec2:Region
ModifyInstanceMaintenanceOptions	Grants permission to modify the recovery behaviour for an instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
ModifyInstanceMaintenanceOptions		Write		ec2:Region
ModifyInstanceMetadataDefaults	Grants permission to modify the default instance metadata service (IMDS) settings for your account in the specified Region	Write		ec2:Attribute/${AttributeName} ec2:Region
ModifyInstanceMetadataOptions	Grants permission to modify the metadata options for an instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
ModifyInstanceMetadataOptions		Write		ec2:Region
ModifyInstanceNetworkPerformanceOptions	Grants permission to modify the network performance options for an instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
ModifyInstanceNetworkPerformanceOptions		Write		ec2:Region
ModifyInstancePlacement	Grants permission to modify the placement attributes for an instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
			dedicated-host	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			placement-group	aws:ResourceTag/${TagKey} ec2:PlacementGroupName ec2:PlacementGroupStrategy ec2:ResourceTag/${TagKey}
				ec2:Region
ModifyIpam	Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM)	Write	ipam*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
ModifyIpam		Write		ec2:Region
ModifyIpamPool	Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) pool	Write	ipam-pool*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
ModifyIpamPool		Write		ec2:Region
ModifyIpamResourceCidr	Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) resource CIDR	Write	ipam-scope*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
ModifyIpamResourceCidr		Write		ec2:Region
ModifyIpamResourceDiscovery	Grants permission to modify a resource discovery	Write	ipam-resource-discovery*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
ModifyIpamResourceDiscovery	Grants permission to modify a resource discovery	Write		ec2:Region
ModifyIpamScope	Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) scope	Write	ipam-scope*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
ModifyIpamScope		Write		ec2:Region
ModifyLaunchTemplate	Grants permission to modify a launch template	Write	launch-template*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ManagedResourceOperator ec2:ResourceTag/${TagKey}
ModifyLaunchTemplate	Grants permission to modify a launch template	Write		ec2:Region
ModifyLocalGatewayRoute	Grants permission to modify a local gateway route	Write	local-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
			local-gateway-virtual-interface-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			network-interface	aws:ResourceTag/${TagKey} ec2:AuthorizedUser ec2:AvailabilityZone ec2:ManagedResourceOperator ec2:NetworkInterfaceID ec2:Permission ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
			prefix-list	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
ModifyManagedPrefixList	Grants permission to modify a managed prefix list	Write	prefix-list*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
ModifyManagedPrefixList	Grants permission to modify a managed prefix list	Write		ec2:Region
ModifyNetworkInterfaceAttribute	Grants permission to modify an attribute of a network interface	Write	network-interface*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:ManagedResourceOperator ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
			instance	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
			security-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
			subnet	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:ResourceTag/${TagKey} ec2:Vpc
				ec2:Region
ModifyPrivateDnsNameOptions	Grants permission to modify the options for instance hostnames for the specified instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:NewInstanceProfile ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
ModifyPrivateDnsNameOptions		Write		ec2:Region
ModifyPublicIpDnsNameOptions	Grants permission to modify public hostname options for a network interface	Write	network-interface*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
ModifyPublicIpDnsNameOptions		Write		ec2:Region
ModifyReservedInstances	Grants permission to modify attributes of one or more Reserved Instances	Write	reserved-instances*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:InstanceType ec2:ReservedInstancesOfferingType ec2:ResourceTag/${TagKey} ec2:Tenancy
ModifyReservedInstances		Write		ec2:Region
ModifyRouteServer	Grants permission to modify a route server	Write	route-server*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
ModifyRouteServer	Grants permission to modify a route server	Write		ec2:Region
ModifySecurityGroupRules	Grants permission to modify the rules of a security group	Write	security-group*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
			security-group-rule*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			prefix-list	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
ModifySnapshotAttribute	Grants permission to add or remove permission settings for a snapshot	Permissions management	snapshot*	aws:ResourceTag/${TagKey} ec2:Add/group ec2:Add/userId ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:Owner ec2:ParentVolume ec2:Remove/group ec2:Remove/userId ec2:ResourceTag/${TagKey} ec2:SnapshotID ec2:SnapshotTime ec2:VolumeSize
ModifySnapshotAttribute		Permissions management		ec2:Region
ModifySnapshotTier	Grants permission to archive Amazon EBS snapshots	Write	snapshot*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:Encrypted ec2:Owner ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:SnapshotID ec2:SnapshotTime ec2:VolumeSize
ModifySnapshotTier	Grants permission to archive Amazon EBS snapshots	Write		ec2:Region
ModifySpotFleetRequest	Grants permission to modify a Spot Fleet request	Write	spot-fleet-request*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
			launch-template	aws:ResourceTag/${TagKey} ec2:ManagedResourceOperator ec2:ResourceTag/${TagKey}
			subnet	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
				ec2:Region
ModifySubnetAttribute	Grants permission to modify an attribute of a subnet	Write	subnet*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
ModifySubnetAttribute	Grants permission to modify an attribute of a subnet	Write		ec2:Region
ModifyTrafficMirrorFilterNetworkServices	Grants permission to allow or restrict mirroring network services	Write	traffic-mirror-filter*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
ModifyTrafficMirrorFilterNetworkServices		Write		ec2:Region
ModifyTrafficMirrorFilterRule	Grants permission to modify a traffic mirror rule	Write	traffic-mirror-filter*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
			traffic-mirror-filter-rule*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
				ec2:Region
ModifyTrafficMirrorSession	Grants permission to modify a traffic mirror session	Write	traffic-mirror-session*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
			traffic-mirror-filter	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			traffic-mirror-target	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
ModifyTransitGateway	Grants permission to modify a transit gateway	Write	transit-gateway*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey} ec2:transitGatewayId
			transit-gateway-route-table	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayRouteTableId
				ec2:Region
ModifyTransitGatewayPrefixListReference	Grants permission to modify a transit gateway prefix list reference	Write	prefix-list*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
			transit-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey} ec2:transitGatewayRouteTableId
			transit-gateway-attachment	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayAttachmentId
				ec2:Region
ModifyTransitGatewayVpcAttachment	Grants permission to modify a VPC attachment on a transit gateway	Write	transit-gateway-attachment*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey} ec2:transitGatewayAttachmentId
			subnet	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
				ec2:Region
ModifyVerifiedAccessEndpoint	Grants permission to modify the configuration of a Verified Access endpoint	Write	verified-access-endpoint*	aws:ResourceTag/${TagKey} ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
			subnet	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
			verified-access-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
ModifyVerifiedAccessEndpointPolicy	Grants permission to modify the specified Verified Access endpoint policy	Write	verified-access-endpoint*	aws:ResourceTag/${TagKey} ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
ModifyVerifiedAccessEndpointPolicy		Write		ec2:Region
ModifyVerifiedAccessGroup	Grants permission to modify the specified Verified Access Group configuration	Write	verified-access-group*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
			verified-access-instance	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
ModifyVerifiedAccessGroupPolicy	Grants permission to modify the specified Verified Access group policy	Write	verified-access-group*	aws:ResourceTag/${TagKey} ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
ModifyVerifiedAccessGroupPolicy		Write		ec2:Region
ModifyVerifiedAccessInstance	Grants permission to modify the configuration of the specified Verified Access instance	Write	verified-access-instance*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
ModifyVerifiedAccessInstance		Write		ec2:Region
ModifyVerifiedAccessInstanceLoggingConfiguration	Grants permission to modify the logging configuration for the specified Verified Access instance	Write	verified-access-instance*	aws:ResourceTag/${TagKey} ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
ModifyVerifiedAccessInstanceLoggingConfiguration		Write		ec2:Region
ModifyVerifiedAccessTrustProvider	Grants permission to modify the configuration of the specified Verified Access trust provider	Write	verified-access-trust-provider*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
ModifyVerifiedAccessTrustProvider		Write		ec2:Region
ModifyVolume	Grants permission to modify the parameters of an EBS volume	Write	volume*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:Encrypted ec2:ManagedResourceOperator ec2:ParentSnapshot ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:VolumeID ec2:VolumeInitializationRate ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType
ModifyVolume	Grants permission to modify the parameters of an EBS volume	Write		ec2:Region
ModifyVolumeAttribute	Grants permission to modify an attribute of a volume	Write	volume*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:Encrypted ec2:ManagedResourceOperator ec2:ParentSnapshot ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:VolumeID ec2:VolumeInitializationRate ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType
ModifyVolumeAttribute	Grants permission to modify an attribute of a volume	Write		ec2:Region
ModifyVpcAttribute	Grants permission to modify an attribute of a VPC	Write	vpc*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
ModifyVpcAttribute	Grants permission to modify an attribute of a VPC	Write		ec2:Region
ModifyVpcBlockPublicAccessExclusion	Grants permission to modify an exclusion list for blocked public access on a VPC	Write	vpc-block-public-access-exclusion*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
ModifyVpcBlockPublicAccessExclusion		Write		ec2:Region
ModifyVpcBlockPublicAccessOptions	Grants permission to modify options for blocked public access on a VPC	Write		ec2:Region
ModifyVpcEndpoint	Grants permission to modify an attribute of a VPC endpoint	Write	vpc-endpoint*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey} ec2:VpceMultiRegion ec2:VpceServiceRegion
			route-table	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:RouteTableID
			security-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
			subnet	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
				ec2:Region
ModifyVpcEndpointConnectionNotification	Grants permission to modify a connection notification for a VPC endpoint or VPC endpoint service	Write	vpc-endpoint	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			vpc-endpoint-service	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:VpceMultiRegion ec2:VpceSupportedRegion
				ec2:Region
ModifyVpcEndpointServiceConfiguration	Grants permission to modify the attributes of a VPC endpoint service configuration	Write	vpc-endpoint-service*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey} ec2:VpceMultiRegion ec2:VpceServicePrivateDnsName ec2:VpceSupportedRegion
ModifyVpcEndpointServiceConfiguration		Write		ec2:Region
ModifyVpcEndpointServicePayerResponsibility	Grants permission to modify the payer responsibility for a VPC endpoint service	Write	vpc-endpoint-service*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey} ec2:VpceMultiRegion ec2:VpceSupportedRegion
ModifyVpcEndpointServicePayerResponsibility		Write		ec2:Region
ModifyVpcEndpointServicePermissions	Grants permission to modify the permissions for a VPC endpoint service	Permissions management	vpc-endpoint-service*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey} ec2:VpceMultiRegion ec2:VpceSupportedRegion
ModifyVpcEndpointServicePermissions		Permissions management		ec2:Region
ModifyVpcPeeringConnectionOptions	Grants permission to modify the VPC peering connection options on one side of a VPC peering connection	Write	vpc-peering-connection*	aws:ResourceTag/${TagKey} ec2:AccepterVpc ec2:Attribute ec2:Attribute/${AttributeName} ec2:RequesterVpc ec2:ResourceTag/${TagKey} ec2:VpcPeeringConnectionID
ModifyVpcPeeringConnectionOptions		Write		ec2:Region
ModifyVpcTenancy	Grants permission to modify the instance tenancy attribute of a VPC	Write	vpc*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
ModifyVpcTenancy		Write		ec2:Region
ModifyVpnConnection	Grants permission to modify the target gateway of a Site-to-Site VPN connection	Write	vpn-connection*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:AuthenticationType ec2:DPDTimeoutSeconds ec2:GatewayType ec2:IKEVersions ec2:InsideTunnelCidr ec2:InsideTunnelIpv6Cidr ec2:Phase1DHGroup ec2:Phase1EncryptionAlgorithms ec2:Phase1IntegrityAlgorithms ec2:Phase1LifetimeSeconds ec2:Phase2DHGroup ec2:Phase2EncryptionAlgorithms ec2:Phase2IntegrityAlgorithms ec2:Phase2LifetimeSeconds ec2:RekeyFuzzPercentage ec2:RekeyMarginTimeSeconds ec2:ReplayWindowSizePackets ec2:ResourceTag/${TagKey} ec2:RoutingType
ModifyVpnConnection		Write		ec2:Region
ModifyVpnConnectionOptions	Grants permission to modify the connection options for your Site-to-Site VPN connection	Write	vpn-connection*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
ModifyVpnConnectionOptions		Write		ec2:Region
ModifyVpnTunnelCertificate	Grants permission to modify the certificate for a Site-to-Site VPN connection	Write	vpn-connection*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ResourceTag/${TagKey}
ModifyVpnTunnelCertificate		Write		ec2:Region
ModifyVpnTunnelOptions	Grants permission to modify the options for a Site-to-Site VPN connection	Write	vpn-connection*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:AuthenticationType ec2:DPDTimeoutSeconds ec2:GatewayType ec2:IKEVersions ec2:InsideTunnelCidr ec2:InsideTunnelIpv6Cidr ec2:Phase1DHGroup ec2:Phase1EncryptionAlgorithms ec2:Phase1IntegrityAlgorithms ec2:Phase1LifetimeSeconds ec2:Phase2DHGroup ec2:Phase2EncryptionAlgorithms ec2:Phase2IntegrityAlgorithms ec2:Phase2LifetimeSeconds ec2:RekeyFuzzPercentage ec2:RekeyMarginTimeSeconds ec2:ReplayWindowSizePackets ec2:ResourceTag/${TagKey} ec2:RoutingType
ModifyVpnTunnelOptions		Write		ec2:Region
MonitorInstances	Grants permission to enable detailed monitoring for a running instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
MonitorInstances		Write		ec2:Region
MoveAddressToVpc	Grants permission to move an Elastic IP address from the EC2-Classic platform to the EC2-VPC platform	Write		ec2:Region
MoveByoipCidrToIpam	Grants permission to move a BYOIP IPv4 CIDR to Amazon VPC IP Address Manager (IPAM) from a public IPv4 pool	Write	ipam-pool*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
MoveByoipCidrToIpam		Write		ec2:Region
MoveCapacityReservationInstances	Grants permission to move available capacity from a source Capacity Reservation to a destination Capacity Reservation	Write	capacity-reservation*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:CapacityReservationFleet ec2:CreateDate ec2:DestinationCapacityReservationId ec2:EbsOptimized ec2:EndDate ec2:EndDateType ec2:InstanceCount ec2:InstanceMatchCriteria ec2:InstancePlatform ec2:InstanceType ec2:OutpostArn ec2:PlacementGroup ec2:ResourceTag/${TagKey} ec2:SourceCapacityReservationId ec2:Tenancy
MoveCapacityReservationInstances		Write		ec2:Region
PauseVolumeIO [permission only]	Grants permission to temporarily pause I/O operations for a target Amazon EBS volume	Write	volume*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:Encrypted ec2:ManagedResourceOperator ec2:ParentSnapshot ec2:ResourceTag/${TagKey} ec2:VolumeID ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType
			instance	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
				ec2:Region
ProvisionByoipCidr	Grants permission to provision an address range for use in AWS through bring your own IP addresses (BYOIP), and to create a corresponding address pool	Write		ec2:Region
ProvisionIpamByoasn	Grants permission to provision an Autonomous System Number (ASN) for use in an Amazon Web Services account	Write	ipam*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
ProvisionIpamByoasn		Write		ec2:Region
ProvisionIpamPoolCidr	Grants permission to provision a CIDR to an Amazon VPC IP Address Manager (IPAM) pool	Write	ipam-pool*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			ipam-external-resource-verification-token	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
ProvisionPublicIpv4PoolCidr	Grants permission to provision a CIDR to a public IPv4 pool	Write	ipam-pool*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			ipv4pool-ec2*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
PurchaseCapacityBlock	Grants permission to purchase a Capacity Block offering	Write	capacity-reservation*	aws:RequestTag/${TagKey} aws:TagKeys ec2:CapacityReservationFleet	ec2:CreateTags
PurchaseCapacityBlock	Grants permission to purchase a Capacity Block offering	Write		ec2:Region
PurchaseCapacityBlockExtension	Grants permission to purchase a Capacity Block extension	Write	capacity-reservation*	aws:ResourceTag/${TagKey} ec2:CapacityReservationFleet
PurchaseCapacityBlockExtension	Grants permission to purchase a Capacity Block extension	Write		ec2:Region
PurchaseHostReservation	Grants permission to purchase a reservation with configurations that match those of a Dedicated Host	Write	dedicated-host*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}	ec2:CreateTags
PurchaseHostReservation		Write		ec2:Region
PurchaseReservedInstancesOffering	Grants permission to purchase a Reserved Instance offering	Write		ec2:Region
PurchaseScheduledInstances	Grants permission to purchase one or more Scheduled Instances with a specified schedule	Write		ec2:Region
PutResourcePolicy [permission only]	Grants permission to attach an IAM policy that enables cross-account sharing to a resource	Permissions management	ipam-pool	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			placement-group	aws:ResourceTag/${TagKey} ec2:PlacementGroupName ec2:PlacementGroupStrategy ec2:ResourceTag/${TagKey}
			verified-access-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
RebootInstances	Grants permission to request a reboot of one or more instances	Write	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
RebootInstances		Write		ec2:Region
RegisterImage	Grants permission to register an Amazon Machine Image (AMI)	Write	image*	aws:RequestTag/${TagKey} aws:TagKeys ec2:ImageID ec2:Owner	ec2:CreateTags
			snapshot	aws:ResourceTag/${TagKey} ec2:OutpostArn ec2:Owner ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:SnapshotID ec2:SnapshotTime ec2:SourceOutpostArn ec2:VolumeSize
				ec2:Region
RegisterInstanceEventNotificationAttributes	Grants permission to add tags to the set of tags to include in notifications about scheduled events for your instances	Write		ec2:Region
RegisterTransitGatewayMulticastGroupMembers	Grants permission to register one or more network interfaces as a member of a group IP address in a transit gateway multicast domain	Write	network-interface*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ManagedResourceOperator ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
			transit-gateway-multicast-domain*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayMulticastDomainId
				ec2:Region
RegisterTransitGatewayMulticastGroupSources	Grants permission to register one or more network interfaces as a source of a group IP address in a transit gateway multicast domain	Write	network-interface*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ManagedResourceOperator ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
			transit-gateway-multicast-domain*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayMulticastDomainId
				ec2:Region
RejectCapacityReservationBillingOwnership	Grants permission to reject a request to assign billing of the available capacity of a shared Capacity Reservation to your account	Write	capacity-reservation*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:CapacityReservationFleet ec2:CreateDate ec2:DestinationCapacityReservationId ec2:EbsOptimized ec2:EndDate ec2:EndDateType ec2:InstanceCount ec2:InstanceMatchCriteria ec2:InstancePlatform ec2:InstanceType ec2:OutpostArn ec2:PlacementGroup ec2:ResourceTag/${TagKey} ec2:SourceCapacityReservationId ec2:Tenancy
RejectCapacityReservationBillingOwnership		Write		ec2:Region
RejectTransitGatewayMulticastDomainAssociations	Grants permission to reject requests to associate cross-account subnets with a transit gateway multicast domain	Write	transit-gateway-attachment	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayAttachmentId
			transit-gateway-multicast-domain	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayMulticastDomainId
				ec2:Region
RejectTransitGatewayPeeringAttachment	Grants permission to reject a transit gateway peering attachment request	Write	transit-gateway-attachment*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayAttachmentId
RejectTransitGatewayPeeringAttachment		Write		ec2:Region
RejectTransitGatewayVpcAttachment	Grants permission to reject a request to attach a VPC to a transit gateway	Write	transit-gateway-attachment*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayAttachmentId
RejectTransitGatewayVpcAttachment		Write		ec2:Region
RejectVpcEndpointConnections	Grants permission to reject one or more VPC endpoint connection requests to a VPC endpoint service	Write	vpc-endpoint-service*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:VpceMultiRegion ec2:VpceSupportedRegion
RejectVpcEndpointConnections		Write		ec2:Region
RejectVpcPeeringConnection	Grants permission to reject a VPC peering connection request	Write	vpc-peering-connection*	aws:ResourceTag/${TagKey} ec2:AccepterVpc ec2:RequesterVpc ec2:ResourceTag/${TagKey} ec2:VpcPeeringConnectionID
RejectVpcPeeringConnection		Write		ec2:Region
ReleaseAddress	Grants permission to release an Elastic IP address	Write	elastic-ip	aws:ResourceTag/${TagKey} ec2:AllocationId ec2:Domain ec2:PublicIpAddress ec2:ResourceTag/${TagKey}
ReleaseAddress	Grants permission to release an Elastic IP address	Write		ec2:Region
ReleaseHosts	Grants permission to release one or more On-Demand Dedicated Hosts	Write	dedicated-host*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
ReleaseHosts		Write		ec2:Region
ReleaseIpamPoolAllocation	Grants permission to release an allocation within an Amazon VPC IP Address Manager (IPAM) pool	Write	ipam-pool*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
ReleaseIpamPoolAllocation		Write		ec2:Region
ReplaceIamInstanceProfileAssociation	Grants permission to replace an IAM instance profile for an instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:NewInstanceProfile ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy	iam:PassRole
ReplaceIamInstanceProfileAssociation		Write		ec2:Region
ReplaceImageCriteriaInAllowedImagesSettings	Grants permission to replace image criteria in allowed images settings	Write		ec2:Region
ReplaceNetworkAclAssociation	Grants permission to change which network ACL a subnet is associated with	Write	network-acl*	aws:ResourceTag/${TagKey} ec2:NetworkAclID ec2:ResourceTag/${TagKey} ec2:Vpc
			subnet*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
				ec2:Region
ReplaceNetworkAclEntry	Grants permission to replace an entry (rule) in a network ACL	Write	network-acl*	aws:ResourceTag/${TagKey} ec2:NetworkAclID ec2:ResourceTag/${TagKey} ec2:Vpc
ReplaceNetworkAclEntry		Write		ec2:Region
ReplaceRoute	Grants permission to replace a route within a route table in a VPC	Write	route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:RouteTableID ec2:Vpc
ReplaceRoute		Write		ec2:Region
ReplaceRouteTableAssociation	Grants permission to change the route table that is associated with a subnet	Write	route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:RouteTableID ec2:Vpc
			internet-gateway	aws:ResourceTag/${TagKey} ec2:InternetGatewayID ec2:ResourceTag/${TagKey}
			ipv4pool-ec2	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			ipv6pool-ec2	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
			subnet	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
			vpn-gateway	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
ReplaceTransitGatewayRoute	Grants permission to replace a route in a transit gateway route table	Write	transit-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayRouteTableId
			transit-gateway-attachment	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayAttachmentId
				ec2:Region
ReplaceVpnTunnel	Grants permission to replace a VPN tunnel	Write	vpn-connection*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
ReplaceVpnTunnel	Grants permission to replace a VPN tunnel	Write		ec2:Region
ReportInstanceStatus	Grants permission to submit feedback about the status of an instance	Write	instance*	ec2:AvailabilityZoneId ec2:InstanceBandwidthWeighting ec2:InstanceID
ReportInstanceStatus		Write		ec2:Region
RequestSpotFleet	Grants permission to create a Spot Fleet request	Write	spot-fleet-request*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags
			image	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
			key-pair	aws:ResourceTag/${TagKey} ec2:KeyPairName ec2:KeyPairType ec2:ResourceTag/${TagKey}
			launch-template	aws:ResourceTag/${TagKey} ec2:ManagedResourceOperator ec2:ResourceTag/${TagKey}
			placement-group	aws:ResourceTag/${TagKey} ec2:PlacementGroupName ec2:PlacementGroupStrategy ec2:ResourceTag/${TagKey}
			security-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
			snapshot	aws:ResourceTag/${TagKey} ec2:OutpostArn ec2:Owner ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:SnapshotID ec2:SnapshotTime ec2:SourceOutpostArn ec2:VolumeSize
			subnet	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
				ec2:Region
RequestSpotInstances	Grants permission to create a Spot Instance request	Write	spot-instances-request*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags iam:PassRole
			image	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
			key-pair	aws:ResourceTag/${TagKey} ec2:KeyPairName ec2:KeyPairType ec2:ResourceTag/${TagKey}
			network-interface	aws:ResourceTag/${TagKey} ec2:AuthorizedUser ec2:AvailabilityZone ec2:ManagedResourceOperator ec2:NetworkInterfaceID ec2:Permission ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
			placement-group	aws:ResourceTag/${TagKey} ec2:PlacementGroupName ec2:PlacementGroupStrategy ec2:ResourceTag/${TagKey}
			security-group	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
			snapshot	aws:ResourceTag/${TagKey} ec2:OutpostArn ec2:Owner ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:SnapshotID ec2:SnapshotTime ec2:SourceOutpostArn ec2:VolumeSize
			subnet	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
				ec2:Region
ResetAddressAttribute	Grants permission to reset the attribute of the specified IP address	Write	elastic-ip*	aws:ResourceTag/${TagKey} ec2:AllocationId ec2:Attribute ec2:Attribute/${AttributeName} ec2:Domain ec2:PublicIpAddress ec2:ResourceTag/${TagKey}
ResetAddressAttribute		Write		ec2:Region
ResetEbsDefaultKmsKeyId	Grants permission to reset the default customer master key (CMK) for EBS encryption for your account to use the AWS-managed CMK for EBS	Write		ec2:Region
ResetFpgaImageAttribute	Grants permission to reset an attribute of an Amazon FPGA Image (AFI) to its default value	Write	fpga-image*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:Owner ec2:Public ec2:ResourceTag/${TagKey}
ResetFpgaImageAttribute		Write		ec2:Region
ResetImageAttribute	Grants permission to reset an attribute of an Amazon Machine Image (AMI) to its default value	Write	image*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
ResetImageAttribute		Write		ec2:Region
ResetInstanceAttribute	Grants permission to reset an attribute of an instance to its default value	Write	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
ResetInstanceAttribute		Write		ec2:Region
ResetNetworkInterfaceAttribute	Grants permission to reset an attribute of a network interface	Write	network-interface*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ManagedResourceOperator ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
ResetNetworkInterfaceAttribute		Write		ec2:Region
ResetSnapshotAttribute	Grants permission to reset permission settings for a snapshot	Permissions management	snapshot*	aws:ResourceTag/${TagKey} ec2:Attribute ec2:Attribute/${AttributeName} ec2:Owner ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:SnapshotID ec2:SnapshotTime ec2:VolumeSize
ResetSnapshotAttribute		Permissions management		ec2:Region
RestoreAddressToClassic	Grants permission to restore an Elastic IP address that was previously moved to the EC2-VPC platform back to the EC2-Classic platform	Write		ec2:Region
RestoreImageFromRecycleBin	Grants permission to restore an Amazon Machine Image (AMI) from the Recycle Bin	Write	image*	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType
RestoreImageFromRecycleBin		Write		ec2:Region
RestoreManagedPrefixListVersion	Grants permission to restore the entries from a previous version of a managed prefix list to a new version of the prefix list	Write	prefix-list*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
RestoreManagedPrefixListVersion		Write		ec2:Region
RestoreSnapshotFromRecycleBin	Grants permission to restore an Amazon EBS snapshot from the Recycle Bin	Write	snapshot*	aws:ResourceTag/${TagKey} ec2:Encrypted ec2:Owner ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:SnapshotID ec2:SnapshotTime ec2:VolumeSize
RestoreSnapshotFromRecycleBin		Write		ec2:Region
RestoreSnapshotTier	Grants permission to restore an archived Amazon EBS snapshot for use temporarily or permanently, or modify the restore period or restore type for a snapshot that was previously temporarily restored	Write	snapshot*	aws:ResourceTag/${TagKey} ec2:Encrypted ec2:Owner ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:SnapshotID ec2:SnapshotTime ec2:VolumeSize
RestoreSnapshotTier		Write		ec2:Region
RevokeClientVpnIngress	Grants permission to remove an inbound authorization rule from a Client VPN endpoint	Write	client-vpn-endpoint*	aws:ResourceTag/${TagKey} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
RevokeClientVpnIngress		Write		ec2:Region
RevokeSecurityGroupEgress	Grants permission to remove one or more outbound rules from a VPC security group	Write	security-group*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
RevokeSecurityGroupEgress		Write		ec2:Region
RevokeSecurityGroupIngress	Grants permission to remove one or more inbound rules from a security group	Write	security-group*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
RevokeSecurityGroupIngress		Write		ec2:Region
RunInstances	Grants permission to launch one or more instances	Write	image*	aws:ResourceTag/${TagKey} ec2:ImageID ec2:ImageType ec2:IsLaunchTemplateResource ec2:LaunchTemplate ec2:Owner ec2:Public ec2:ResourceTag/${TagKey} ec2:RootDeviceType	ec2:CreateTags iam:PassRole ssm:GetParameters
			instance*	aws:RequestTag/${TagKey} aws:TagKeys ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:IsLaunchTemplateResource ec2:LaunchTemplate ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:RootDeviceType ec2:Tenancy
			network-interface*	aws:RequestTag/${TagKey} aws:TagKeys ec2:AssociatePublicIpAddress ec2:AuthorizedService ec2:AvailabilityZone ec2:IsLaunchTemplateResource ec2:LaunchTemplate ec2:ManagedResourceOperator ec2:NetworkInterfaceID ec2:Subnet ec2:Vpc
			security-group*	aws:ResourceTag/${TagKey} ec2:IsLaunchTemplateResource ec2:LaunchTemplate ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
			subnet*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:IsLaunchTemplateResource ec2:LaunchTemplate ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
			capacity-reservation	aws:ResourceTag/${TagKey} ec2:IsLaunchTemplateResource ec2:LaunchTemplate
			elastic-gpu	aws:ResourceTag/${TagKey} ec2:ElasticGpuType ec2:IsLaunchTemplateResource ec2:LaunchTemplate ec2:ResourceTag/${TagKey}
			elastic-inference
			group
			key-pair	aws:ResourceTag/${TagKey} ec2:IsLaunchTemplateResource ec2:KeyPairName ec2:KeyPairType ec2:LaunchTemplate ec2:ResourceTag/${TagKey}
			launch-template	aws:ResourceTag/${TagKey} ec2:IsLaunchTemplateResource ec2:LaunchTemplate ec2:ManagedResourceOperator ec2:ResourceTag/${TagKey}
			license-configuration
			placement-group	aws:ResourceTag/${TagKey} ec2:IsLaunchTemplateResource ec2:LaunchTemplate ec2:PlacementGroupName ec2:PlacementGroupStrategy ec2:ResourceTag/${TagKey}
			snapshot	aws:ResourceTag/${TagKey} ec2:IsLaunchTemplateResource ec2:LaunchTemplate ec2:Owner ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:SnapshotID ec2:SnapshotTime ec2:VolumeSize
			volume	aws:RequestTag/${TagKey} aws:TagKeys ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:Encrypted ec2:IsLaunchTemplateResource ec2:LaunchTemplate ec2:ManagedResourceOperator ec2:ParentSnapshot ec2:VolumeID ec2:VolumeInitializationRate ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType
				ec2:Region
	SCENARIO: EC2-Classic-EBS		image* instance* security-group* volume* key-pair placement-group snapshot
	SCENARIO: EC2-Classic-InstanceStore		image* instance* security-group* key-pair placement-group snapshot
	SCENARIO: EC2-VPC-EBS		image* instance* network-interface* security-group* volume* key-pair placement-group snapshot
	SCENARIO: EC2-VPC-EBS-Subnet		image* instance* network-interface* security-group* subnet* volume* key-pair placement-group snapshot
	SCENARIO: EC2-VPC-InstanceStore		image* instance* network-interface* security-group* key-pair placement-group snapshot
	SCENARIO: EC2-VPC-InstanceStore-Subnet		image* instance* network-interface* security-group* subnet* key-pair placement-group snapshot
RunScheduledInstances	Grants permission to launch one or more Scheduled Instances	Write		ec2:Region
SearchLocalGatewayRoutes	Grants permission to search for routes in a local gateway route table	List	local-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
SearchLocalGatewayRoutes		List		ec2:Region
SearchTransitGatewayMulticastGroups	Grants permission to search for groups, sources, and members in a transit gateway multicast domain	List	transit-gateway-multicast-domain*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayMulticastDomainId
SearchTransitGatewayMulticastGroups		List		ec2:Region
SearchTransitGatewayRoutes	Grants permission to search for routes in a transit gateway route table	List	transit-gateway-route-table*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:transitGatewayRouteTableId
SearchTransitGatewayRoutes		List		ec2:Region
SendDiagnosticInterrupt	Grants permission to send a diagnostic interrupt to an Amazon EC2 instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
SendDiagnosticInterrupt		Write		ec2:Region
SendSpotInstanceInterruptions [permission only]	Grants permission to interrupt a Spot Instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
SendSpotInstanceInterruptions [permission only]	Grants permission to interrupt a Spot Instance	Write		ec2:Region
StartDeclarativePoliciesReport	Grants permission to start a declarative policies report	Read		ec2:Region
StartInstances	Grants permission to start a stopped instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
			license-configuration
				ec2:Region
StartNetworkInsightsAccessScopeAnalysis	Grants permission to start a Network Access Scope analysis	Write	network-insights-access-scope*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}	ec2:CreateTags
			network-insights-access-scope-analysis*	aws:RequestTag/${TagKey} aws:TagKeys
				ec2:Region
StartNetworkInsightsAnalysis	Grants permission to start analyzing a specified path	Write	network-insights-analysis*	aws:RequestTag/${TagKey} aws:TagKeys	ec2:CreateTags
			network-insights-path*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
				ec2:Region
StartVpcEndpointServicePrivateDnsVerification	Grants permission to start the private DNS verification process for a VPC endpoint service	Write	vpc-endpoint-service*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:VpceMultiRegion ec2:VpceSupportedRegion
StartVpcEndpointServicePrivateDnsVerification		Write		ec2:Region
StopInstances	Grants permission to stop an Amazon EBS-backed instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
StopInstances	Grants permission to stop an Amazon EBS-backed instance	Write		ec2:Region
TerminateClientVpnConnections	Grants permission to terminate active Client VPN endpoint connections	Write	client-vpn-endpoint*	aws:ResourceTag/${TagKey} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
TerminateClientVpnConnections		Write		ec2:Region
TerminateInstances	Grants permission to shut down one or more instances	Write	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
TerminateInstances	Grants permission to shut down one or more instances	Write		ec2:Region
UnassignIpv6Addresses	Grants permission to unassign one or more IPv6 addresses from a network interface	Write	network-interface*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ManagedResourceOperator ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
UnassignIpv6Addresses		Write		ec2:Region
UnassignPrivateIpAddresses	Grants permission to unassign one or more secondary private IP addresses from a network interface	Write	network-interface*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:ManagedResourceOperator ec2:NetworkInterfaceID ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
UnassignPrivateIpAddresses		Write		ec2:Region
UnassignPrivateNatGatewayAddress	Grants permission to unassign secondary private IPv4 addresses from a private NAT gateway	Write	natgateway*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey}
UnassignPrivateNatGatewayAddress		Write		ec2:Region
UnlockSnapshot	Grants permission to unlock a snapshot that is locked in governance mode or in compliance mode while still in the cooling-off period	Write	snapshot*	aws:ResourceTag/${TagKey} ec2:Encrypted ec2:Owner ec2:ParentVolume ec2:ResourceTag/${TagKey} ec2:SnapshotCoolOffPeriod ec2:SnapshotID ec2:SnapshotLockDuration ec2:SnapshotTime ec2:VolumeSize
UnlockSnapshot		Write		ec2:Region
UnmonitorInstances	Grants permission to disable detailed monitoring for a running instance	Write	instance*	aws:ResourceTag/${TagKey} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:PlacementGroup ec2:ProductCode ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
UnmonitorInstances		Write		ec2:Region
UpdateCapacityManagerOrganizationsAccess	Grants permission to update the Organizations access setting for EC2 Capacity Manager	Write		ec2:Region
UpdateSecurityGroupRuleDescriptionsEgress	Grants permission to update descriptions for one or more outbound rules in a VPC security group	Write	security-group*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
UpdateSecurityGroupRuleDescriptionsEgress		Write		ec2:Region
UpdateSecurityGroupRuleDescriptionsIngress	Grants permission to update descriptions for one or more inbound rules in a security group	Write	security-group*	aws:ResourceTag/${TagKey} ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
UpdateSecurityGroupRuleDescriptionsIngress		Write		ec2:Region
WithdrawByoipCidr	Grants permission to stop advertising an address range that was provisioned for use in AWS through bring your own IP addresses (BYOIP)	Write		ec2:Region

Resource types defined by Amazon EC2

The following resource types are defined by this service and can be used in theResource element of IAM permission policy statements. Each action in theActions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, seeResource types table.

Resource types	ARN	Condition keys
elastic-ip	`arn:${Partition}:ec2:${Region}:${Account}:elastic-ip/${AllocationId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:AllocationId ec2:Attribute ec2:Attribute/${AttributeName} ec2:Domain ec2:PublicIpAddress ec2:Region ec2:ResourceTag/${TagKey}
capacity-block	`arn:${Partition}:ec2:${Region}:${Account}:capacity-block/${CapacityBlockId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:Region ec2:ResourceTag/${TagKey}
capacity-manager-data-export	`arn:${Partition}:ec2:${Region}:${Account}:capacity-manager-data-export/${CapacityManagerDataExportId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:Region ec2:ResourceTag/${TagKey}
capacity-reservation-fleet	`arn:${Partition}:ec2:${Region}:${Account}:capacity-reservation-fleet/${CapacityReservationFleetId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:Region ec2:ResourceTag/${TagKey}
capacity-reservation	`arn:${Partition}:ec2:${Region}:${Account}:capacity-reservation/${CapacityReservationId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CapacityReservationFleet ec2:CreateDate ec2:DestinationCapacityReservationId ec2:EbsOptimized ec2:EndDate ec2:EndDateType ec2:EphemeralStorage ec2:InstanceCount ec2:InstanceMatchCriteria ec2:InstancePlatform ec2:InstanceType ec2:IsLaunchTemplateResource ec2:LaunchTemplate ec2:OutpostArn ec2:PlacementGroup ec2:Region ec2:ResourceTag/${TagKey} ec2:SourceCapacityReservationId ec2:Tenancy
carrier-gateway	`arn:${Partition}:ec2:${Region}:${Account}:carrier-gateway/${CarrierGatewayId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:Vpc
certificate	`arn:${Partition}:acm:${Region}:${Account}:certificate/${CertificateId}`
client-vpn-endpoint	`arn:${Partition}:ec2:${Region}:${Account}:client-vpn-endpoint/${ClientVpnEndpointId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:ClientRootCertificateChainArn ec2:CloudwatchLogGroupArn ec2:CloudwatchLogStreamArn ec2:DirectoryArn ec2:Region ec2:ResourceTag/${TagKey} ec2:SamlProviderArn ec2:ServerCertificateArn
customer-gateway	`arn:${Partition}:ec2:${Region}:${Account}:customer-gateway/${CustomerGatewayId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
declarative-policies-report	`arn:${Partition}:ec2:${Region}:${Account}:declarative-policies-report/${DeclarativePoliciesReportId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
dedicated-host	`arn:${Partition}:ec2:${Region}:${Account}:dedicated-host/${DedicatedHostId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:AutoPlacement ec2:AvailabilityZone ec2:HostRecovery ec2:InstanceType ec2:IsLaunchTemplateResource ec2:LaunchTemplate ec2:Quantity ec2:Region ec2:ResourceTag/${TagKey}
dhcp-options	`arn:${Partition}:ec2:${Region}:${Account}:dhcp-options/${DhcpOptionsId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:DhcpOptionsID ec2:Region ec2:ResourceTag/${TagKey}
egress-only-internet-gateway	`arn:${Partition}:ec2:${Region}:${Account}:egress-only-internet-gateway/${EgressOnlyInternetGatewayId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
elastic-gpu	`arn:${Partition}:ec2:${Region}:${Account}:elastic-gpu/${ElasticGpuId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:ElasticGpuType ec2:IsLaunchTemplateResource ec2:LaunchTemplate ec2:Region ec2:ResourceTag/${TagKey}
elastic-inference	`arn:${Partition}:elastic-inference:${Region}:${Account}:elastic-inference-accelerator/${AcceleratorId}`
export-image-task	`arn:${Partition}:ec2:${Region}:${Account}:export-image-task/${ExportImageTaskId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
export-instance-task	`arn:${Partition}:ec2:${Region}:${Account}:export-instance-task/${ExportTaskId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
fleet	`arn:${Partition}:ec2:${Region}:${Account}:fleet/${FleetId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:Region ec2:ResourceTag/${TagKey}
fpga-image	`arn:${Partition}:ec2:${Region}:${Account}:fpga-image/${FpgaImageId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:Owner ec2:Public ec2:Region ec2:ResourceTag/${TagKey}
host-reservation	`arn:${Partition}:ec2:${Region}:${Account}:host-reservation/${HostReservationId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
image	`arn:${Partition}:ec2:${Region}::image/${ImageId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:ImageID ec2:ImageType ec2:IsLaunchTemplateResource ec2:LaunchTemplate ec2:Owner ec2:Public ec2:Region ec2:ResourceTag/${TagKey} ec2:RootDeviceType
image-usage-report	`arn:${Partition}:ec2:${Region}:${Account}:image-usage-report/${ImageUsageReportId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
import-image-task	`arn:${Partition}:ec2:${Region}:${Account}:import-image-task/${ImportImageTaskId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
import-snapshot-task	`arn:${Partition}:ec2:${Region}:${Account}:import-snapshot-task/${ImportSnapshotTaskId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
instance-connect-endpoint	`arn:${Partition}:ec2:${Region}:${Account}:instance-connect-endpoint/${InstanceConnectEndpointId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:Region ec2:ResourceTag/${TagKey} ec2:SubnetID
instance-event-window	`arn:${Partition}:ec2:${Region}:${Account}:instance-event-window/${InstanceEventWindowId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:Region ec2:ResourceTag/${TagKey}
instance	`arn:${Partition}:ec2:${Region}:${Account}:instance/${InstanceId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:CpuOptionsAmdSevSnp ec2:EbsOptimized ec2:InstanceAutoRecovery ec2:InstanceBandwidthWeighting ec2:InstanceID ec2:InstanceMarketType ec2:InstanceMetadataTags ec2:InstanceProfile ec2:InstanceType ec2:IsLaunchTemplateResource ec2:LaunchTemplate ec2:ManagedResourceOperator ec2:MetadataHttpEndpoint ec2:MetadataHttpPutResponseHopLimit ec2:MetadataHttpTokens ec2:NewInstanceProfile ec2:PlacementGroup ec2:ProductCode ec2:Region ec2:ResourceTag/${TagKey} ec2:RootDeviceType ec2:Tenancy
internet-gateway	`arn:${Partition}:ec2:${Region}:${Account}:internet-gateway/${InternetGatewayId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:InternetGatewayID ec2:Region ec2:ResourceTag/${TagKey}
ipam-external-resource-verification-token	`arn:${Partition}:ec2::${Account}:ipam-external-resource-verification-token/${IpamExternalResourceVerificationTokenId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:Region ec2:ResourceTag/${TagKey}
ipam	`arn:${Partition}:ec2::${Account}:ipam/${IpamId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:Region ec2:ResourceTag/${TagKey}
ipam-pool	`arn:${Partition}:ec2::${Account}:ipam-pool/${IpamPoolId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:Region ec2:ResourceTag/${TagKey}
ipam-resource-discovery-association	`arn:${Partition}:ec2::${Account}:ipam-resource-discovery-association/${IpamResourceDiscoveryAssociationId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
ipam-resource-discovery	`arn:${Partition}:ec2::${Account}:ipam-resource-discovery/${IpamResourceDiscoveryId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:Region ec2:ResourceTag/${TagKey}
ipam-scope	`arn:${Partition}:ec2::${Account}:ipam-scope/${IpamScopeId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:Region ec2:ResourceTag/${TagKey}
coip-pool	`arn:${Partition}:ec2:${Region}:${Account}:coip-pool/${Ipv4PoolCoipId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
ipv4pool-ec2	`arn:${Partition}:ec2:${Region}:${Account}:ipv4pool-ec2/${Ipv4PoolEc2Id}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
ipv6pool-ec2	`arn:${Partition}:ec2:${Region}:${Account}:ipv6pool-ec2/${Ipv6PoolEc2Id}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
key-pair	`arn:${Partition}:ec2:${Region}:${Account}:key-pair/${KeyPairName}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:IsLaunchTemplateResource ec2:KeyPairName ec2:KeyPairType ec2:LaunchTemplate ec2:Region ec2:ResourceTag/${TagKey}
launch-template	`arn:${Partition}:ec2:${Region}:${Account}:launch-template/${LaunchTemplateId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:IsLaunchTemplateResource ec2:LaunchTemplate ec2:ManagedResourceOperator ec2:Region ec2:ResourceTag/${TagKey}
license-configuration	`arn:${Partition}:license-manager:${Region}:${Account}:license-configuration:${LicenseConfigurationId}`
local-gateway	`arn:${Partition}:ec2:${Region}:${Account}:local-gateway/${LocalGatewayId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
local-gateway-route-table-virtual-interface-group-association	`arn:${Partition}:ec2:${Region}:${Account}:local-gateway-route-table-virtual-interface-group-association/${LocalGatewayRouteTableVirtualInterfaceGroupAssociationId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
local-gateway-route-table-vpc-association	`arn:${Partition}:ec2:${Region}:${Account}:local-gateway-route-table-vpc-association/${LocalGatewayRouteTableVpcAssociationId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
local-gateway-route-table	`arn:${Partition}:ec2:${Region}:${Account}:local-gateway-route-table/${LocalGatewayRoutetableId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute/${AttributeName} ec2:Region ec2:ResourceTag/${TagKey}
local-gateway-virtual-interface-group	`arn:${Partition}:ec2:${Region}:${Account}:local-gateway-virtual-interface-group/${LocalGatewayVirtualInterfaceGroupId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
local-gateway-virtual-interface	`arn:${Partition}:ec2:${Region}:${Account}:local-gateway-virtual-interface/${LocalGatewayVirtualInterfaceId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
mac-modification-task	`arn:${Partition}:ec2:${Region}:${Account}:mac-modification-task/${MacModificationTaskId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
natgateway	`arn:${Partition}:ec2:${Region}:${Account}:natgateway/${NatGatewayId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
network-acl	`arn:${Partition}:ec2:${Region}:${Account}:network-acl/${NaclId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:NetworkAclID ec2:Region ec2:ResourceTag/${TagKey} ec2:Vpc
network-insights-access-scope-analysis	`arn:${Partition}:ec2:${Region}:${Account}:network-insights-access-scope-analysis/${NetworkInsightsAccessScopeAnalysisId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
network-insights-access-scope	`arn:${Partition}:ec2:${Region}:${Account}:network-insights-access-scope/${NetworkInsightsAccessScopeId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
network-insights-analysis	`arn:${Partition}:ec2:${Region}:${Account}:network-insights-analysis/${NetworkInsightsAnalysisId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
network-insights-path	`arn:${Partition}:ec2:${Region}:${Account}:network-insights-path/${NetworkInsightsPathId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
network-interface	`arn:${Partition}:ec2:${Region}:${Account}:network-interface/${NetworkInterfaceId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:AssociatePublicIpAddress ec2:Attribute ec2:Attribute/${AttributeName} ec2:AuthorizedService ec2:AuthorizedUser ec2:AvailabilityZone ec2:IsLaunchTemplateResource ec2:LaunchTemplate ec2:ManagedResourceOperator ec2:NetworkInterfaceID ec2:Permission ec2:Region ec2:ResourceTag/${TagKey} ec2:Subnet ec2:Vpc
outpost-lag	`arn:${Partition}:ec2:${Region}:${Account}:outpost-lag/${OutpostLagId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
placement-group	`arn:${Partition}:ec2:${Region}:${Account}:placement-group/${PlacementGroupName}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:IsLaunchTemplateResource ec2:LaunchTemplate ec2:PlacementGroupName ec2:PlacementGroupStrategy ec2:Region ec2:ResourceTag/${TagKey}
prefix-list	`arn:${Partition}:ec2:${Region}:${Account}:prefix-list/${PrefixListId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:Region ec2:ResourceTag/${TagKey}
replace-root-volume-task	`arn:${Partition}:ec2:${Region}:${Account}:replace-root-volume-task/${ReplaceRootVolumeTaskId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
reserved-instances	`arn:${Partition}:ec2:${Region}:${Account}:reserved-instances/${ReservationId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:InstanceType ec2:Region ec2:ReservedInstancesOfferingType ec2:ResourceTag/${TagKey} ec2:Tenancy
group	`arn:${Partition}:resource-groups:${Region}:${Account}:group/${GroupName}`
role	`arn:${Partition}:iam::${Account}:role/${RoleNameWithPath}`
route-server-endpoint	`arn:${Partition}:ec2:${Region}:${Account}:route-server-endpoint/${RouteServerEndpointId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:AvailabilityZone ec2:Region ec2:ResourceTag/${TagKey}
route-server	`arn:${Partition}:ec2:${Region}:${Account}:route-server/${RouteServerId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
route-server-peer	`arn:${Partition}:ec2:${Region}:${Account}:route-server-peer/${RouteServerPeerId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:AvailabilityZone ec2:Region ec2:ResourceTag/${TagKey}
route-table	`arn:${Partition}:ec2:${Region}:${Account}:route-table/${RouteTableId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey} ec2:RouteTableID ec2:Vpc
security-group	`arn:${Partition}:ec2:${Region}:${Account}:security-group/${SecurityGroupId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:IsLaunchTemplateResource ec2:LaunchTemplate ec2:Region ec2:ResourceTag/${TagKey} ec2:SecurityGroupID ec2:Vpc
security-group-rule	`arn:${Partition}:ec2:${Region}:${Account}:security-group-rule/${SecurityGroupRuleId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
snapshot	`arn:${Partition}:ec2:${Region}::snapshot/${SnapshotId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Add/group ec2:Add/userId ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:Encrypted ec2:IsLaunchTemplateResource ec2:LaunchTemplate ec2:Location ec2:OutpostArn ec2:Owner ec2:ParentSnapshot ec2:ParentVolume ec2:ProductCode ec2:Region ec2:Remove/group ec2:Remove/userId ec2:ResourceTag/${TagKey} ec2:SnapshotCoolOffPeriod ec2:SnapshotID ec2:SnapshotLockDuration ec2:SnapshotTime ec2:SourceAvailabilityZone ec2:SourceOutpostArn ec2:VolumeSize
spot-fleet-request	`arn:${Partition}:ec2:${Region}:${Account}:spot-fleet-request/${SpotFleetRequestId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:Region ec2:ResourceTag/${TagKey}
spot-instances-request	`arn:${Partition}:ec2:${Region}:${Account}:spot-instances-request/${SpotInstanceRequestId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
subnet-cidr-reservation	`arn:${Partition}:ec2:${Region}:${Account}:subnet-cidr-reservation/${SubnetCidrReservationId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
subnet	`arn:${Partition}:ec2:${Region}:${Account}:subnet/${SubnetId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:Ipv4IpamPoolId ec2:Ipv6IpamPoolId ec2:IsLaunchTemplateResource ec2:LaunchTemplate ec2:Region ec2:ResourceTag/${TagKey} ec2:SubnetID ec2:Vpc
traffic-mirror-filter	`arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-filter/${TrafficMirrorFilterId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:Region ec2:ResourceTag/${TagKey}
traffic-mirror-filter-rule	`arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-filter-rule/${TrafficMirrorFilterRuleId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:Region ec2:ResourceTag/${TagKey}
traffic-mirror-session	`arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-session/${TrafficMirrorSessionId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:Region ec2:ResourceTag/${TagKey}
traffic-mirror-target	`arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-target/${TrafficMirrorTargetId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
transit-gateway-attachment	`arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-attachment/${TransitGatewayAttachmentId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:Region ec2:ResourceTag/${TagKey} ec2:transitGatewayAttachmentId
transit-gateway-connect-peer	`arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-connect-peer/${TransitGatewayConnectPeerId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey} ec2:transitGatewayConnectPeerId
transit-gateway	`arn:${Partition}:ec2:${Region}:${Account}:transit-gateway/${TransitGatewayId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:Region ec2:ResourceTag/${TagKey} ec2:transitGatewayId
transit-gateway-multicast-domain	`arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-multicast-domain/${TransitGatewayMulticastDomainId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey} ec2:transitGatewayMulticastDomainId
transit-gateway-policy-table	`arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-policy-table/${TransitGatewayPolicyTableId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey} ec2:transitGatewayPolicyTableId
transit-gateway-route-table-announcement	`arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-route-table-announcement/${TransitGatewayRouteTableAnnouncementId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey} ec2:transitGatewayRouteTableAnnouncementId
transit-gateway-route-table	`arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-route-table/${TransitGatewayRouteTableId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:Region ec2:ResourceTag/${TagKey} ec2:transitGatewayRouteTableId
verified-access-endpoint	`arn:${Partition}:ec2:${Region}:${Account}:verified-access-endpoint/${VerifiedAccessEndpointId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute/${AttributeName} ec2:Region ec2:ResourceTag/${TagKey}
verified-access-endpoint-target	`arn:${Partition}:ec2:${Region}:${Account}:verified-access-endpoint-target/${VerifiedAccessEndpointTargetId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
verified-access-group	`arn:${Partition}:ec2:${Region}:${Account}:verified-access-group/${VerifiedAccessGroupId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:Region ec2:ResourceTag/${TagKey}
verified-access-instance	`arn:${Partition}:ec2:${Region}:${Account}:verified-access-instance/${VerifiedAccessInstanceId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:Region ec2:ResourceTag/${TagKey}
verified-access-policy	`arn:${Partition}:ec2:${Region}:${Account}:verified-access-policy/${VerifiedAccessPolicyId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
verified-access-trust-provider	`arn:${Partition}:ec2:${Region}:${Account}:verified-access-trust-provider/${VerifiedAccessTrustProviderId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:Region ec2:ResourceTag/${TagKey}
volume	`arn:${Partition}:ec2:${Region}:${Account}:volume/${VolumeId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:AvailabilityZone ec2:AvailabilityZoneId ec2:Encrypted ec2:IsLaunchTemplateResource ec2:KmsKeyId ec2:LaunchTemplate ec2:ManagedResourceOperator ec2:ParentSnapshot ec2:ParentVolume ec2:Region ec2:ResourceTag/${TagKey} ec2:VolumeID ec2:VolumeInitializationRate ec2:VolumeIops ec2:VolumeSize ec2:VolumeThroughput ec2:VolumeType
vpc-block-public-access-exclusion	`arn:${Partition}:ec2:${Region}:${Account}:vpc-block-public-access-exclusion/${VpcBlockPublicAccessExclusionId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:Region ec2:ResourceTag/${TagKey}
vpc-endpoint-connection	`arn:${Partition}:ec2:${Region}:${Account}:vpc-endpoint-connection/${VpcEndpointConnectionId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
vpc-endpoint	`arn:${Partition}:ec2:${Region}:${Account}:vpc-endpoint/${VpcEndpointId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:Region ec2:ResourceTag/${TagKey} ec2:VpceMultiRegion ec2:VpceServiceName ec2:VpceServiceOwner ec2:VpceServiceRegion
vpc-endpoint-service	`arn:${Partition}:ec2:${Region}:${Account}:vpc-endpoint-service/${VpcEndpointServiceId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:Region ec2:ResourceTag/${TagKey} ec2:VpceMultiRegion ec2:VpceServicePrivateDnsName ec2:VpceServiceRegion ec2:VpceSupportedRegion
vpc-endpoint-service-permission	`arn:${Partition}:ec2:${Region}:${Account}:vpc-endpoint-service-permission/${VpcEndpointServicePermissionId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
vpc-flow-log	`arn:${Partition}:ec2:${Region}:${Account}:vpc-flow-log/${VpcFlowLogId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}
vpc	`arn:${Partition}:ec2:${Region}:${Account}:vpc/${VpcId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:Ipv4IpamPoolId ec2:Ipv6IpamPoolId ec2:Region ec2:ResourceTag/${TagKey} ec2:Tenancy ec2:VpcID
vpc-peering-connection	`arn:${Partition}:ec2:${Region}:${Account}:vpc-peering-connection/${VpcPeeringConnectionId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:AccepterVpc ec2:Attribute ec2:Attribute/${AttributeName} ec2:Region ec2:RequesterVpc ec2:ResourceTag/${TagKey} ec2:VpcPeeringConnectionID
vpn-connection-device-type	`arn:${Partition}:ec2:${Region}:${Account}:vpn-connection-device-type/${VpnConnectionDeviceTypeId}`	ec2:Region
vpn-connection	`arn:${Partition}:ec2:${Region}:${Account}:vpn-connection/${VpnConnectionId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Attribute ec2:Attribute/${AttributeName} ec2:AuthenticationType ec2:DPDTimeoutSeconds ec2:GatewayType ec2:IKEVersions ec2:InsideTunnelCidr ec2:InsideTunnelIpv6Cidr ec2:Phase1DHGroup ec2:Phase1EncryptionAlgorithms ec2:Phase1IntegrityAlgorithms ec2:Phase1LifetimeSeconds ec2:Phase2DHGroup ec2:Phase2EncryptionAlgorithms ec2:Phase2IntegrityAlgorithms ec2:Phase2LifetimeSeconds ec2:Region ec2:RekeyFuzzPercentage ec2:RekeyMarginTimeSeconds ec2:ReplayWindowSizePackets ec2:ResourceTag/${TagKey} ec2:RoutingType
vpn-gateway	`arn:${Partition}:ec2:${Region}:${Account}:vpn-gateway/${VpnGatewayId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys ec2:Region ec2:ResourceTag/${TagKey}

Condition keys for Amazon EC2

Amazon EC2 defines the following condition keys that can be used in theCondition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, seeCondition keys table.

To view the global condition keys that are available to all services, seeAWS global condition context keys.

Condition keys	Description	Type
aws:RequestTag/${TagKey}	Filters access by a tag key and value pair that is allowed in the request	String
aws:ResourceTag/${TagKey}	Filters access by a tag key and value pair of a resource	String
aws:TagKeys	Filters access by a list of tag keys that are allowed in the request	ArrayOfString
ec2:AccepterVpc	Filters access by the ARN of an accepter VPC in a VPC peering connection	ARN
ec2:Add/group	Filters access by the group being added to a snapshot	String
ec2:Add/userId	Filters access by the account id being added to a snapshot	String
ec2:AllocationId	Filters access by the allocation ID of the Elastic IP address	String
ec2:AssociatePublicIpAddress	Filters access by whether the user wants to associate a public IP address with the instance	Bool
ec2:Attribute	Filters access by an attribute of a resource	String
ec2:Attribute/${AttributeName}	Filters access by an attribute being set on a resource	String
ec2:AuthenticationType	Filters access by the authentication type for the VPN tunnel endpoints	String
ec2:AuthorizedService	Filters access by the AWS service that has permission to use a resource	String
ec2:AuthorizedUser	Filters access by an IAM principal that has permission to use a resource	String
ec2:AutoPlacement	Filters access by the Auto Placement properties of a Dedicated Host	String
ec2:AvailabilityZone	Filters access by the name of an Availability Zone in an AWS Region	String
ec2:AvailabilityZoneId	Filters access by the ID of an Availability Zone in an AWS Region	String
ec2:CapacityReservationFleet	Filters access by the ARN of the Capacity Reservation Fleet	ARN
ec2:ClientRootCertificateChainArn	Filters access by the ARN of the client root certificate chain	ARN
ec2:CloudwatchLogGroupArn	Filters access by the ARN of the CloudWatch Logs log group	ARN
ec2:CloudwatchLogStreamArn	Filters access by the ARN of the CloudWatch Logs log stream	ARN
ec2:CpuOptionsAmdSevSnp	Filters access by the state of AMD SEV-SNP CPU Options. Currently, only US East (Ohio) and Europe (Ireland) are supported	String
ec2:CreateAction	Filters access by the name of a resource-creating API action	String
ec2:CreateDate	Filters access by the date and time at which the Capacity Reservation was created	Date
ec2:DPDTimeoutSeconds	Filters access by the duration after which DPD timeout occurs on a VPN tunnel	Numeric
ec2:DestinationCapacityReservationId	Filters access by the ID of the Capacity Reservation that you want to move capacity into	ARN
ec2:DhcpOptionsID	Filters access by the ID of a dynamic host configuration protocol (DHCP) options set	String
ec2:DirectoryArn	Filters access by the ARN of the directory	ARN
ec2:Domain	Filters access by the domain of the Elastic IP address	String
ec2:EbsOptimized	Filters access by whether the instance is enabled for EBS optimization	Bool
ec2:ElasticGpuType	Filters access by the type of Elastic Graphics accelerator	String
ec2:Encrypted	Filters access by whether the EBS volume is encrypted	Bool
ec2:EndDate	Filters access by the date and time at which the Capacity Reservation ends	Date
ec2:EndDateType	Filters access by the way in which the Capacity Reservation ends	String
ec2:EphemeralStorage	Filters access by whether the instance is enabled for ephemeral storage	Bool
ec2:FisActionId	Filters access by the ID of an AWS FIS action	String
ec2:FisTargetArns	Filters access by the ARN of an AWS FIS target	ArrayOfARN
ec2:GatewayType	Filters access by the gateway type for a VPN endpoint on the AWS side of a VPN connection	String
ec2:HostRecovery	Filters access by whether host recovery is enabled for a Dedicated Host	String
ec2:IKEVersions	Filters access by the internet key exchange (IKE) versions that are permitted for a VPN tunnel	ArrayOfString
ec2:ImageID	Filters access by the ID of an image	String
ec2:ImageType	Filters access by the type of image (machine, aki, or ari)	String
ec2:InsideTunnelCidr	Filters access by the range of inside IP addresses for a VPN tunnel	String
ec2:InsideTunnelIpv6Cidr	Filters access by a range of inside IPv6 addresses for a VPN tunnel	String
ec2:InstanceAutoRecovery	Filters access by whether the instance type supports auto recovery	String
ec2:InstanceBandwidthWeighting	Filters access by the bandwidth weighting of an instance	String
ec2:InstanceCount	Filters access by the number of instances	Numeric
ec2:InstanceID	Filters access by the ID of an instance	String
ec2:InstanceMarketType	Filters access by the market or purchasing option of an instance (capacity-block, on-demand, or spot)	String
ec2:InstanceMatchCriteria	Filters access by the type of instance launches that the Capacity Reservation accepts	String
ec2:InstanceMetadataTags	Filters access by whether the instance allows access to instance tags from the instance metadata	String
ec2:InstancePlatform	Filters access by the type of operating system for which the Capacity Reservation reserves capacity	ARN
ec2:InstanceProfile	Filters access by the ARN of an instance profile	ARN
ec2:InstanceType	Filters access by the type of instance	String
ec2:InternetGatewayID	Filters access by the ID of an internet gateway	String
ec2:Ipv4IpamPoolId	Filters access by the ID of an IPAM pool provided for IPv4 CIDR block allocation	String
ec2:Ipv6IpamPoolId	Filters access by the ID of an IPAM pool provided for IPv6 CIDR block allocation	String
ec2:IsLaunchTemplateResource	Filters access by whether users are able to override resources that are specified in the launch template	Bool
ec2:KeyPairName	Filters access by the name of a key pair	String
ec2:KeyPairType	Filters access by the type of a key pair	String
ec2:KmsKeyId	Filters access by the ID of an AWS KMS key provided in the request	String
ec2:LaunchTemplate	Filters access by the ARN of a launch template	ARN
ec2:Location	Filters access by the destination for the snapshot copy	String
ec2:ManagedResourceOperator	Filters access by the presence of an EC2 operator provisioning a managed resource	String
ec2:MetadataHttpEndpoint	Filters access by whether the HTTP endpoint is enabled for the instance metadata service	String
ec2:MetadataHttpPutResponseHopLimit	Filters access by the allowed number of hops when calling the instance metadata service	Numeric
ec2:MetadataHttpTokens	Filters access by whether tokens are required when calling the instance metadata service (optional or required)	String
ec2:NetworkAclID	Filters access by the ID of a network access control list (ACL)	String
ec2:NetworkInterfaceID	Filters access by the ID of an elastic network interface	String
ec2:NewInstanceProfile	Filters access by the ARN of the instance profile being attached	ARN
ec2:OutpostArn	Filters access by the ARN of the Outpost	ARN
ec2:Owner	Filters access by the owner of the resource (amazon, aws-marketplace, or an AWS account ID)	String
ec2:ParentSnapshot	Filters access by the ARN of the parent snapshot	ARN
ec2:ParentVolume	Filters access by the ARN of the parent volume from which the snapshot was created	ARN
ec2:Permission	Filters access by the type of permission for a resource (INSTANCE-ATTACH or EIP-ASSOCIATE)	String
ec2:Phase1DHGroup	Filters access by the Diffie-Hellman group numbers that are permitted for a VPN tunnel for the phase 1 IKE negotiations	ArrayOfString
ec2:Phase1EncryptionAlgorithms	Filters access by the encryption algorithms that are permitted for a VPN tunnel for the phase 1 IKE negotiations	ArrayOfString
ec2:Phase1IntegrityAlgorithms	Filters access by the integrity algorithms that are permitted for a VPN tunnel for the phase 1 IKE negotiations	ArrayOfString
ec2:Phase1LifetimeSeconds	Filters access by the lifetime in seconds for phase 1 of the IKE negotiations for a VPN tunnel	Numeric
ec2:Phase2DHGroup	Filters access by the Diffie-Hellman group numbers that are permitted for a VPN tunnel for the phase 2 IKE negotiations	ArrayOfString
ec2:Phase2EncryptionAlgorithms	Filters access by the encryption algorithms that are permitted for a VPN tunnel for the phase 2 IKE negotiations	ArrayOfString
ec2:Phase2IntegrityAlgorithms	Filters access by the integrity algorithms that are permitted for a VPN tunnel for the phase 2 IKE negotiations	ArrayOfString
ec2:Phase2LifetimeSeconds	Filters access by the lifetime in seconds for phase 2 of the IKE negotiations for a VPN tunnel	Numeric
ec2:PlacementGroup	Filters access by the ARN of the placement group	ARN
ec2:PlacementGroupName	Filters access by the name of a placement group	String
ec2:PlacementGroupStrategy	Filters access by the instance placement strategy used by the placement group (cluster, spread, or partition)	String
ec2:ProductCode	Filters access by the product code that is associated with the AMI	String
ec2:Public	Filters access by whether the image has public launch permissions	Bool
ec2:PublicIpAddress	Filters access by a public IP address	String
ec2:Quantity	Filters access by the number of Dedicated Hosts in a request	Numeric
ec2:Region	Filters access by the name of the AWS Region	String
ec2:RekeyFuzzPercentage	Filters access by the percentage of increase of the rekey window (determined by the rekey margin time) within which the rekey time is randomly selected for a VPN tunnel	Numeric
ec2:RekeyMarginTimeSeconds	Filters access by the margin time before the phase 2 lifetime expires for a VPN tunnel	Numeric
ec2:Remove/group	Filters access by the group being removed from a snapshot	String
ec2:Remove/userId	Filters access by the account id being removed from a snapshot	String
ec2:ReplayWindowSizePackets	Filters access by the number of packets in an IKE replay window	String
ec2:RequesterVpc	Filters access by the ARN of a requester VPC in a VPC peering connection	ARN
ec2:ReservedInstancesOfferingType	Filters access by the payment option of the Reserved Instance offering (No Upfront, Partial Upfront, or All Upfront)	String
ec2:ResourceTag/${TagKey}	Filters access by a tag key and value pair of a resource	String
ec2:RoleDelivery	Filters access by the version of the instance metadata service for retrieving IAM role credentials for EC2	Numeric
ec2:RootDeviceType	Filters access by the root device type of the instance (ebs or instance-store)	String
ec2:RouteTableID	Filters access by the ID of a route table	String
ec2:RoutingType	Filters access by the routing type for the VPN connection	String
ec2:SamlProviderArn	Filters access by the ARN of the IAM SAML identity provider	ARN
ec2:SecurityGroupID	Filters access by the ID of a security group	String
ec2:ServerCertificateArn	Filters access by the ARN of the server certificate	ARN
ec2:SnapshotCoolOffPeriod	Filters access by the compliance mode cooling-off period	Numeric
ec2:SnapshotID	Filters access by the ID of a snapshot	String
ec2:SnapshotLockDuration	Filters access by the snapshot lock duration	Numeric
ec2:SnapshotTime	Filters access by the initiation time of a snapshot	String
ec2:SourceAvailabilityZone	Filters access by the name of the Availability Zone from which the request originated	String
ec2:SourceCapacityReservationId	Filters access by the ID of the Capacity Reservation from which you want to move capacity	ARN
ec2:SourceInstanceARN	Filters access by the ARN of the instance from which the request originated	ARN
ec2:SourceOutpostArn	Filters access by the ARN of the Outpost from which the request originated	ARN
ec2:Subnet	Filters access by the ARN of the subnet	ARN
ec2:SubnetID	Filters access by the ID of a subnet	String
ec2:Tenancy	Filters access by the tenancy of the VPC or instance (default, dedicated, or host)	String
ec2:VolumeID	Filters access by the ID of a volume	String
ec2:VolumeInitializationRate	Filters access by the initialization rate of the volume, in MiBps	Numeric
ec2:VolumeIops	Filters access by the the number of input/output operations per second (IOPS) provisioned for the volume	Numeric
ec2:VolumeSize	Filters access by the size of the volume, in GiB	Numeric
ec2:VolumeThroughput	Filters access by the throughput of the volume, in MiBps	Numeric
ec2:VolumeType	Filters access by the type of volume (gp2, gp3, io1, io2, st1, sc1, or standard)	String
ec2:Vpc	Filters access by the ARN of the VPC	ARN
ec2:VpcID	Filters access by the ID of a virtual private cloud (VPC)	String
ec2:VpcPeeringConnectionID	Filters access by the ID of a VPC peering connection	String
ec2:VpceMultiRegion	Filters access by multi region of the VPC endpoint service	String
ec2:VpceServiceName	Filters access by the name of the VPC endpoint service	String
ec2:VpceServiceOwner	Filters access by the service owner of the VPC endpoint service (amazon, aws-marketplace, or an AWS account ID)	String
ec2:VpceServicePrivateDnsName	Filters access by the private DNS name of the VPC endpoint service	String
ec2:VpceServiceRegion	Filters access by the region of the VPC endpoint service	String
ec2:VpceSupportedRegion	Filters access by the supported region of the VPC endpoint service	String
ec2:transitGatewayAttachmentId	Filters access by the ID of a transit gateway attachment	String
ec2:transitGatewayConnectPeerId	Filters access by the ID of a transit gateway connect peer	String
ec2:transitGatewayId	Filters access by the ID of a transit gateway	String
ec2:transitGatewayMulticastDomainId	Filters access by the ID of a transit gateway multicast domain	String
ec2:transitGatewayPolicyTableId	Filters access by the ID of a transit gateway policy table	String
ec2:transitGatewayRouteTableAnnouncementId	Filters access by the ID of a transit gateway route table announcement	String
ec2:transitGatewayRouteTableId	Filters access by the ID of a transit gateway route table	String

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Did this page help you? - Yes

Thanks for letting us know we're doing a good job!

If you've got a moment, please tell us what we did right so we can do more of it.

Did this page help you? - No

Thanks for letting us know this page needs work. We're sorry we let you down.