@cloud-copilot/iam-data
{
"acceptaddresstransfer": {
"name": "AcceptAddressTransfer",
"description": "Grants permission to accept an Elastic IP address transfer",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "elastic-ip",
"required": true,
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:TagKeys",
"ec2:AllocationId",
"ec2:Domain",
"ec2:PublicIpAddress"
],
"dependentActions": [
"ec2:CreateTags"
]
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"acceptcapacityreservationbillingownership": {
"name": "AcceptCapacityReservationBillingOwnership",
"description": "Grants permission to accept the assignment of billing of the available capacity of a shared Capacity Reservation to the calling account",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "capacity-reservation",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:AvailabilityZone",
"ec2:CapacityReservationFleet",
"ec2:CreateDate",
"ec2:DestinationCapacityReservationId",
"ec2:EbsOptimized",
"ec2:EndDate",
"ec2:EndDateType",
"ec2:InstanceCount",
"ec2:InstanceMatchCriteria",
"ec2:InstancePlatform",
"ec2:InstanceType",
"ec2:OutpostArn",
"ec2:PlacementGroup",
"ec2:ResourceTag/${TagKey}",
"ec2:SourceCapacityReservationId",
"ec2:Tenancy"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"acceptreservedinstancesexchangequote": {
"name": "AcceptReservedInstancesExchangeQuote",
"description": "Grants permission to accept a Convertible Reserved Instance exchange quote",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "reserved-instances",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:AvailabilityZone",
"ec2:InstanceType",
"ec2:ReservedInstancesOfferingType",
"ec2:ResourceTag/${TagKey}",
"ec2:Tenancy"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"accepttransitgatewaymulticastdomainassociations": {
"name": "AcceptTransitGatewayMulticastDomainAssociations",
"description": "Grants permission to accept a request to associate subnets with a transit gateway multicast domain",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "transit-gateway-attachment",
"required": false,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}",
"ec2:transitGatewayAttachmentId"
],
"dependentActions": []
},
{
"name": "transit-gateway-multicast-domain",
"required": false,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}",
"ec2:transitGatewayMulticastDomainId"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"accepttransitgatewaypeeringattachment": {
"name": "AcceptTransitGatewayPeeringAttachment",
"description": "Grants permission to accept a transit gateway peering attachment request",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "transit-gateway-attachment",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}",
"ec2:transitGatewayAttachmentId"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"accepttransitgatewayvpcattachment": {
"name": "AcceptTransitGatewayVpcAttachment",
"description": "Grants permission to accept a request to attach a VPC to a transit gateway",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "transit-gateway-attachment",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}",
"ec2:transitGatewayAttachmentId"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"acceptvpcendpointconnections": {
"name": "AcceptVpcEndpointConnections",
"description": "Grants permission to accept one or more interface VPC endpoint connections to your VPC endpoint service",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "vpc-endpoint-service",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}",
"ec2:VpceMultiRegion",
"ec2:VpceSupportedRegion"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"acceptvpcpeeringconnection": {
"name": "AcceptVpcPeeringConnection",
"description": "Grants permission to accept a VPC peering connection request",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "vpc",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}",
"ec2:Tenancy",
"ec2:VpcID"
],
"dependentActions": []
},
{
"name": "vpc-peering-connection",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:AccepterVpc",
"ec2:RequesterVpc",
"ec2:ResourceTag/${TagKey}",
"ec2:VpcPeeringConnectionID"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"advertisebyoipcidr": {
"name": "AdvertiseByoipCidr",
"description": "Grants permission to advertise an IP address range that is provisioned for use in AWS through bring your own IP addresses (BYOIP)",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"allocateaddress": {
"name": "AllocateAddress",
"description": "Grants permission to allocate an Elastic IP address (EIP) to your account",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "elastic-ip",
"required": true,
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:TagKeys"
],
"dependentActions": [
"ec2:CreateTags"
]
},
{
"name": "ipam-pool",
"required": false,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}"
],
"dependentActions": []
},
{
"name": "ipv4pool-ec2",
"required": false,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"allocatehosts": {
"name": "AllocateHosts",
"description": "Grants permission to allocate a Dedicated Host to your account",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "dedicated-host",
"required": true,
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:TagKeys",
"ec2:AutoPlacement",
"ec2:AvailabilityZone",
"ec2:HostRecovery",
"ec2:InstanceType",
"ec2:Quantity"
],
"dependentActions": [
"ec2:CreateTags"
]
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"allocateipampoolcidr": {
"name": "AllocateIpamPoolCidr",
"description": "Grants permission to allocate a CIDR from an Amazon VPC IP Address Manager (IPAM) pool",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "ipam-pool",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"applysecuritygroupstoclientvpntargetnetwork": {
"name": "ApplySecurityGroupsToClientVpnTargetNetwork",
"description": "Grants permission to apply a security group to the association between a Client VPN endpoint and a target network",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "client-vpn-endpoint",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ClientRootCertificateChainArn",
"ec2:CloudwatchLogGroupArn",
"ec2:CloudwatchLogStreamArn",
"ec2:DirectoryArn",
"ec2:ResourceTag/${TagKey}",
"ec2:SamlProviderArn",
"ec2:ServerCertificateArn"
],
"dependentActions": []
},
{
"name": "security-group",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}",
"ec2:SecurityGroupID",
"ec2:Vpc"
],
"dependentActions": []
},
{
"name": "vpc",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}",
"ec2:Tenancy",
"ec2:VpcID"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"assignipv6addresses": {
"name": "AssignIpv6Addresses",
"description": "Grants permission to assign one or more IPv6 addresses to a network interface",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "network-interface",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:AvailabilityZone",
"ec2:ManagedResourceOperator",
"ec2:NetworkInterfaceID",
"ec2:ResourceTag/${TagKey}",
"ec2:Subnet",
"ec2:Vpc"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"assignprivateipaddresses": {
"name": "AssignPrivateIpAddresses",
"description": "Grants permission to assign one or more secondary private IP addresses to a network interface",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "network-interface",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:AvailabilityZone",
"ec2:ManagedResourceOperator",
"ec2:NetworkInterfaceID",
"ec2:ResourceTag/${TagKey}",
"ec2:Subnet",
"ec2:Vpc"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"assignprivatenatgatewayaddress": {
"name": "AssignPrivateNatGatewayAddress",
"description": "Grants permission to assign one or more secondary private IP addresses to a private NAT gateway",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "natgateway",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"associateaddress": {
"name": "AssociateAddress",
"description": "Grants permission to associate an Elastic IP address (EIP) with an instance or a network interface",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "elastic-ip",
"required": false,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:AllocationId",
"ec2:Domain",
"ec2:PublicIpAddress",
"ec2:ResourceTag/${TagKey}"
],
"dependentActions": []
},
{
"name": "instance",
"required": false,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:AvailabilityZone",
"ec2:AvailabilityZoneId",
"ec2:CpuOptionsAmdSevSnp",
"ec2:EbsOptimized",
"ec2:InstanceAutoRecovery",
"ec2:InstanceBandwidthWeighting",
"ec2:InstanceID",
"ec2:InstanceMarketType",
"ec2:InstanceMetadataTags",
"ec2:InstanceProfile",
"ec2:InstanceType",
"ec2:ManagedResourceOperator",
"ec2:MetadataHttpEndpoint",
"ec2:MetadataHttpPutResponseHopLimit",
"ec2:MetadataHttpTokens",
"ec2:PlacementGroup",
"ec2:ProductCode",
"ec2:ResourceTag/${TagKey}",
"ec2:RootDeviceType",
"ec2:Tenancy"
],
"dependentActions": []
},
{
"name": "network-interface",
"required": false,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:AvailabilityZone",
"ec2:ManagedResourceOperator",
"ec2:NetworkInterfaceID",
"ec2:ResourceTag/${TagKey}",
"ec2:Subnet",
"ec2:Vpc"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"associatecapacityreservationbillingowner": {
"name": "AssociateCapacityReservationBillingOwner",
"description": "Grants permission to assign billing of the unused capacity of a shared Capacity Reservation to a consumer account",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "capacity-reservation",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:AvailabilityZone",
"ec2:CapacityReservationFleet",
"ec2:CreateDate",
"ec2:DestinationCapacityReservationId",
"ec2:EbsOptimized",
"ec2:EndDate",
"ec2:EndDateType",
"ec2:InstanceCount",
"ec2:InstanceMatchCriteria",
"ec2:InstancePlatform",
"ec2:InstanceType",
"ec2:OutpostArn",
"ec2:PlacementGroup",
"ec2:ResourceTag/${TagKey}",
"ec2:SourceCapacityReservationId",
"ec2:Tenancy"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"associateclientvpntargetnetwork": {
"name": "AssociateClientVpnTargetNetwork",
"description": "Grants permission to associate a target network with a Client VPN endpoint",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "client-vpn-endpoint",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ClientRootCertificateChainArn",
"ec2:CloudwatchLogGroupArn",
"ec2:CloudwatchLogStreamArn",
"ec2:DirectoryArn",
"ec2:ResourceTag/${TagKey}",
"ec2:SamlProviderArn",
"ec2:ServerCertificateArn"
],
"dependentActions": []
},
{
"name": "subnet",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:AvailabilityZoneId",
"ec2:ResourceTag/${TagKey}",
"ec2:SubnetID"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"associatedhcpoptions": {
"name": "AssociateDhcpOptions",
"description": "Grants permission to associate or disassociate a set of DHCP options with a VPC",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "dhcp-options",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:DhcpOptionsID",
"ec2:ResourceTag/${TagKey}"
],
"dependentActions": []
},
{
"name": "vpc",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}",
"ec2:Tenancy",
"ec2:VpcID"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"associateenclavecertificateiamrole": {
"name": "AssociateEnclaveCertificateIamRole",
"description": "Grants permission to associate an ACM certificate with an IAM role to be used in an EC2 Enclave",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "certificate",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "role",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"associateiaminstanceprofile": {
"name": "AssociateIamInstanceProfile",
"description": "Grants permission to associate an IAM instance profile with a running or stopped instance",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "instance",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:AvailabilityZone",
"ec2:AvailabilityZoneId",
"ec2:CpuOptionsAmdSevSnp",
"ec2:EbsOptimized",
"ec2:InstanceAutoRecovery",
"ec2:InstanceBandwidthWeighting",
"ec2:InstanceID",
"ec2:InstanceMarketType",
"ec2:InstanceMetadataTags",
"ec2:InstanceProfile",
"ec2:InstanceType",
"ec2:ManagedResourceOperator",
"ec2:MetadataHttpEndpoint",
"ec2:MetadataHttpPutResponseHopLimit",
"ec2:MetadataHttpTokens",
"ec2:NewInstanceProfile",
"ec2:PlacementGroup",
"ec2:ProductCode",
"ec2:ResourceTag/${TagKey}",
"ec2:RootDeviceType",
"ec2:Tenancy"
],
"dependentActions": [
"iam:PassRole"
]
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"associateinstanceeventwindow": {
"name": "AssociateInstanceEventWindow",
"description": "Grants permission to associate one or more targets with an event window",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "instance-event-window",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"associateipambyoasn": {
"name": "AssociateIpamByoasn",
"description": "Grants permission to associate an Autonomous System Number (ASN) with a BYOIP CIDR",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"associateipamresourcediscovery": {
"name": "AssociateIpamResourceDiscovery",
"description": "Grants permission to associate an IPAM resource discovery with an Amazon VPC IPAM",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "ipam",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}"
],
"dependentActions": [
"ec2:CreateTags"
]
},
{
"name": "ipam-resource-discovery",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}"
],
"dependentActions": []
},
{
"name": "ipam-resource-discovery-association",
"required": true,
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:TagKeys"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"associatenatgatewayaddress": {
"name": "AssociateNatGatewayAddress",
"description": "Grants permission to associate an Elastic IP address and private IP address with a public NAT gateway",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "elastic-ip",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:AllocationId",
"ec2:Domain",
"ec2:PublicIpAddress",
"ec2:ResourceTag/${TagKey}"
],
"dependentActions": []
},
{
"name": "natgateway",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"associaterouteserver": {
"name": "AssociateRouteServer",
"description": "Grants permission to associate a route server with a VPC",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "route-server",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}"
],
"dependentActions": []
},
{
"name": "vpc",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:Ipv4IpamPoolId",
"ec2:Ipv6IpamPoolId",
"ec2:ResourceTag/${TagKey}",
"ec2:Tenancy",
"ec2:VpcID"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"associateroutetable": {
"name": "AssociateRouteTable",
"description": "Grants permission to associate a subnet or gateway with a route table",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "route-table",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}",
"ec2:RouteTableID",
"ec2:Vpc"
],
"dependentActions": []
},
{
"name": "internet-gateway",
"required": false,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:InternetGatewayID",
"ec2:ResourceTag/${TagKey}"
],
"dependentActions": []
},
{
"name": "ipv4pool-ec2",
"required": false,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}"
],
"dependentActions": []
},
{
"name": "subnet",
"required": false,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:AvailabilityZone",
"ec2:AvailabilityZoneId",
"ec2:ResourceTag/${TagKey}",
"ec2:SubnetID",
"ec2:Vpc"
],
"dependentActions": []
},
{
"name": "vpn-gateway",
"required": false,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"associatesecuritygroupvpc": {
"name": "AssociateSecurityGroupVpc",
"description": "Grants permission to associate a security group with another VPC in the same Region",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "security-group",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}",
"ec2:SecurityGroupID",
"ec2:Vpc"
],
"dependentActions": []
},
{
"name": "vpc",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:Ipv4IpamPoolId",
"ec2:Ipv6IpamPoolId",
"ec2:ResourceTag/${TagKey}",
"ec2:Tenancy",
"ec2:VpcID"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"associatesubnetcidrblock": {
"name": "AssociateSubnetCidrBlock",
"description": "Grants permission to associate a CIDR block with a subnet",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "subnet",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:AvailabilityZone",
"ec2:AvailabilityZoneId",
"ec2:Ipv6IpamPoolId",
"ec2:ResourceTag/${TagKey}",
"ec2:SubnetID",
"ec2:Vpc"
],
"dependentActions": []
},
{
"name": "ipam-pool",
"required": false,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"associatetransitgatewaymulticastdomain": {
"name": "AssociateTransitGatewayMulticastDomain",
"description": "Grants permission to associate an attachment and list of subnets with a transit gateway multicast domain",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "subnet",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:AvailabilityZone",
"ec2:AvailabilityZoneId",
"ec2:ResourceTag/${TagKey}",
"ec2:SubnetID",
"ec2:Vpc"
],
"dependentActions": []
},
{
"name": "transit-gateway-attachment",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}",
"ec2:transitGatewayAttachmentId"
],
"dependentActions": []
},
{
"name": "transit-gateway-multicast-domain",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}",
"ec2:transitGatewayMulticastDomainId"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"associatetransitgatewaypolicytable": {
"name": "AssociateTransitGatewayPolicyTable",
"description": "Grants permission to associate a policy table with a transit gateway attachment",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "transit-gateway-attachment",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}",
"ec2:transitGatewayAttachmentId"
],
"dependentActions": []
},
{
"name": "transit-gateway-policy-table",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}",
"ec2:transitGatewayPolicyTableId"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"associatetransitgatewayroutetable": {
"name": "AssociateTransitGatewayRouteTable",
"description": "Grants permission to associate an attachment with a transit gateway route table",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "transit-gateway-attachment",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}",
"ec2:transitGatewayAttachmentId"
],
"dependentActions": []
},
{
"name": "transit-gateway-route-table",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}",
"ec2:transitGatewayRouteTableId"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"associatetrunkinterface": {
"name": "AssociateTrunkInterface",
"description": "Grants permission to associate a branch network interface with a trunk network interface",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"associateverifiedaccessinstancewebacl": {
"name": "AssociateVerifiedAccessInstanceWebAcl",
"isPermissionOnly": true,
"description": "Grants permission to associate an AWS Web Application Firewall (WAF) web access control list (ACL) with a Verified Access instance",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "verified-access-instance",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"associatevpccidrblock": {
"name": "AssociateVpcCidrBlock",
"description": "Grants permission to associate a CIDR block with a VPC",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "vpc",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:Ipv4IpamPoolId",
"ec2:Ipv6IpamPoolId",
"ec2:ResourceTag/${TagKey}",
"ec2:Tenancy",
"ec2:VpcID"
],
"dependentActions": []
},
{
"name": "ipam-pool",
"required": false,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}"
],
"dependentActions": []
},
{
"name": "ipv6pool-ec2",
"required": false,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"attachappliancetonatgateway": {
"name": "AttachApplianceToNatGateway",
"isPermissionOnly": true,
"description": "Grants permission to attach an appliance to a public/private NAT gateway",
"accessLevel": "Permissions management",
"resourceTypes": [
{
"name": "natgateway",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"attachclassiclinkvpc": {
"name": "AttachClassicLinkVpc",
"description": "Grants permission to link an EC2-Classic instance to a ClassicLink-enabled VPC through one or more of the VPC's security groups",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "instance",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:AvailabilityZone",
"ec2:AvailabilityZoneId",
"ec2:CpuOptionsAmdSevSnp",
"ec2:EbsOptimized",
"ec2:InstanceAutoRecovery",
"ec2:InstanceBandwidthWeighting",
"ec2:InstanceID",
"ec2:InstanceMarketType",
"ec2:InstanceMetadataTags",
"ec2:InstanceProfile",
"ec2:InstanceType",
"ec2:ManagedResourceOperator",
"ec2:MetadataHttpEndpoint",
"ec2:MetadataHttpPutResponseHopLimit",
"ec2:MetadataHttpTokens",
"ec2:PlacementGroup",
"ec2:ResourceTag/${TagKey}",
"ec2:RootDeviceType",
"ec2:Tenancy"
],
"dependentActions": []
},
{
"name": "security-group",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}",
"ec2:SecurityGroupID",
"ec2:Vpc"
],
"dependentActions": []
},
{
"name": "vpc",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}",
"ec2:Tenancy",
"ec2:VpcID"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"attachinternetgateway": {
"name": "AttachInternetGateway",
"description": "Grants permission to attach an internet gateway to a VPC",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "internet-gateway",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:InternetGatewayID",
"ec2:ResourceTag/${TagKey}"
],
"dependentActions": []
},
{
"name": "vpc",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}",
"ec2:Tenancy",
"ec2:VpcID"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"attachnetworkinterface": {
"name": "AttachNetworkInterface",
"description": "Grants permission to attach a network interface to an instance",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "instance",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:AvailabilityZone",
"ec2:AvailabilityZoneId",
"ec2:CpuOptionsAmdSevSnp",
"ec2:EbsOptimized",
"ec2:InstanceAutoRecovery",
"ec2:InstanceBandwidthWeighting",
"ec2:InstanceID",
"ec2:InstanceMarketType",
"ec2:InstanceMetadataTags",
"ec2:InstanceProfile",
"ec2:InstanceType",
"ec2:ManagedResourceOperator",
"ec2:MetadataHttpEndpoint",
"ec2:MetadataHttpPutResponseHopLimit",
"ec2:MetadataHttpTokens",
"ec2:PlacementGroup",
"ec2:ProductCode",
"ec2:ResourceTag/${TagKey}",
"ec2:RootDeviceType",
"ec2:Tenancy"
],
"dependentActions": []
},
{
"name": "network-interface",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:AvailabilityZone",
"ec2:ManagedResourceOperator",
"ec2:NetworkInterfaceID",
"ec2:ResourceTag/${TagKey}",
"ec2:Subnet",
"ec2:Vpc"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"attachresourcestoplacementgroup": {
"name": "AttachResourcesToPlacementGroup",
"isPermissionOnly": true,
"description": "Grants permission to attach resources to a placement group",
"accessLevel": "Permissions management",
"resourceTypes": [
{
"name": "placement-group",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:PlacementGroupName",
"ec2:PlacementGroupStrategy",
"ec2:ResourceTag/${TagKey}"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"attachverifiedaccesstrustprovider": {
"name": "AttachVerifiedAccessTrustProvider",
"description": "Grants permission to attach a trust provider to a Verified Access instance",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "verified-access-instance",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}"
],
"dependentActions": []
},
{
"name": "verified-access-trust-provider",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"attachvolume": {
"name": "AttachVolume",
"description": "Grants permission to attach an EBS volume to a running or stopped instance and expose it to the instance with the specified device name",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "instance",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:AvailabilityZone",
"ec2:AvailabilityZoneId",
"ec2:CpuOptionsAmdSevSnp",
"ec2:EbsOptimized",
"ec2:InstanceAutoRecovery",
"ec2:InstanceBandwidthWeighting",
"ec2:InstanceID",
"ec2:InstanceMarketType",
"ec2:InstanceMetadataTags",
"ec2:InstanceProfile",
"ec2:InstanceType",
"ec2:ManagedResourceOperator",
"ec2:MetadataHttpEndpoint",
"ec2:MetadataHttpPutResponseHopLimit",
"ec2:MetadataHttpTokens",
"ec2:PlacementGroup",
"ec2:ProductCode",
"ec2:ResourceTag/${TagKey}",
"ec2:RootDeviceType",
"ec2:Tenancy"
],
"dependentActions": []
},
{
"name": "volume",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:AvailabilityZone",
"ec2:AvailabilityZoneId",
"ec2:Encrypted",
"ec2:ManagedResourceOperator",
"ec2:ParentSnapshot",
"ec2:ParentVolume",
"ec2:ResourceTag/${TagKey}",
"ec2:VolumeID",
"ec2:VolumeInitializationRate",
"ec2:VolumeIops",
"ec2:VolumeSize",
"ec2:VolumeThroughput",
"ec2:VolumeType"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"attachvpngateway": {
"name": "AttachVpnGateway",
"description": "Grants permission to attach a virtual private gateway to a VPC",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "vpc",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}",
"ec2:Tenancy",
"ec2:VpcID"
],
"dependentActions": []
},
{
"name": "vpn-gateway",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"authorizeclientvpningress": {
"name": "AuthorizeClientVpnIngress",
"description": "Grants permission to add an inbound authorization rule to a Client VPN endpoint",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "client-vpn-endpoint",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ClientRootCertificateChainArn",
"ec2:CloudwatchLogGroupArn",
"ec2:CloudwatchLogStreamArn",
"ec2:DirectoryArn",
"ec2:ResourceTag/${TagKey}",
"ec2:SamlProviderArn",
"ec2:ServerCertificateArn"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"authorizesecuritygroupegress": {
"name": "AuthorizeSecurityGroupEgress",
"description": "Grants permission to add one or more outbound rules to a VPC security group. Policies using the security-group-rule resource-level permission are only enforced when the API request includes TagSpecifications",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "security-group",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}",
"ec2:SecurityGroupID",
"ec2:Vpc"
],
"dependentActions": [
"ec2:CreateTags"
]
},
{
"name": "security-group-rule",
"required": false,
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:TagKeys"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"authorizesecuritygroupingress": {
"name": "AuthorizeSecurityGroupIngress",
"description": "Grants permission to add one or more inbound rules to a VPC security group. Policies using the security-group-rule resource-level permission are only enforced when the API request includes TagSpecifications",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "security-group",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}",
"ec2:SecurityGroupID",
"ec2:Vpc"
],
"dependentActions": [
"ec2:CreateTags"
]
},
{
"name": "security-group-rule",
"required": false,
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:TagKeys"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"bundleinstance": {
"name": "BundleInstance",
"description": "Grants permission to bundle an instance store-backed Windows instance",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"cancelbundletask": {
"name": "CancelBundleTask",
"description": "Grants permission to cancel a bundling operation",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"cancelcapacityreservation": {
"name": "CancelCapacityReservation",
"description": "Grants permission to cancel a Capacity Reservation and release the reserved capacity",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "capacity-reservation",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:CapacityReservationFleet"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"cancelcapacityreservationfleets": {
"name": "CancelCapacityReservationFleets",
"description": "Grants permission to cancel one or more Capacity Reservation Fleets",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "capacity-reservation-fleet",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}"
],
"dependentActions": [
"ec2:CancelCapacityReservation"
]
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"cancelconversiontask": {
"name": "CancelConversionTask",
"description": "Grants permission to cancel an active conversion task",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"canceldeclarativepoliciesreport": {
"name": "CancelDeclarativePoliciesReport",
"description": "Grants permission to cancel a declarative policies report",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "declarative-policies-report",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"cancelexporttask": {
"name": "CancelExportTask",
"description": "Grants permission to cancel an active export task",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "export-image-task",
"required": false,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}"
],
"dependentActions": []
},
{
"name": "export-instance-task",
"required": false,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"cancelimagelaunchpermission": {
"name": "CancelImageLaunchPermission",
"description": "Grants permission to remove your AWS account from the launch permissions for the specified AMI",
"accessLevel": "Permissions management",
"resourceTypes": [
{
"name": "image",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ImageID",
"ec2:ImageType",
"ec2:Owner",
"ec2:Public",
"ec2:ResourceTag/${TagKey}",
"ec2:RootDeviceType"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"cancelimporttask": {
"name": "CancelImportTask",
"description": "Grants permission to cancel an in-process import virtual machine or import snapshot task",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "import-image-task",
"required": false,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}"
],
"dependentActions": []
},
{
"name": "import-snapshot-task",
"required": false,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"cancelreservedinstanceslisting": {
"name": "CancelReservedInstancesListing",
"description": "Grants permission to cancel a Reserved Instance listing on the Reserved Instance Marketplace",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"cancelspotfleetrequests": {
"name": "CancelSpotFleetRequests",
"description": "Grants permission to cancel one or more Spot Fleet requests",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "spot-fleet-request",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"cancelspotinstancerequests": {
"name": "CancelSpotInstanceRequests",
"description": "Grants permission to cancel one or more Spot Instance requests",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "spot-instances-request",
"required": true,
"conditionKeys": [
"aws:ResourceTag/${TagKey}",
"ec2:ResourceTag/${TagKey}"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"confirmproductinstance": {
"name": "ConfirmProductInstance",
"description": "Grants permission to determine whether an owned product code is associated with an instance",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"copyfpgaimage": {
"name": "CopyFpgaImage",
"description": "Grants permission to copy a source Amazon FPGA image (AFI) to the current Region. Resource-level permissions specified for this action apply to the new AFI only. They do not apply to the source AFI",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "fpga-image",
"required": true,
"conditionKeys": [
"ec2:Owner"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"copyimage": {
"name": "CopyImage",
"description": "Grants permission to copy an Amazon Machine Image (AMI) from a source Region to the current Region",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "image",
"required": true,
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:TagKeys",
"ec2:ImageID",
"ec2:Owner"
],
"dependentActions": [
"ec2:CreateTags"
]
},
{
"name": "snapshot",
"required": true,
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:TagKeys"
],
"dependentActions": []
}
],
"conditionKeys": [
"ec2:Region"
],
"dependentActions": []
},
"copysnapshot": {
"name": "CopySnapshot",
"description": "Grants permission to