Actions, resources, and condition keys for Amazon EC2 - Service Authorization Reference
The Amazon Web Services services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China.

Actions, resources, and condition keys for Amazon EC2

Amazon EC2 (service prefix: ec2) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Amazon EC2

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in Amazon. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases a single action controls access to more than one operation, and some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, you can specify an ARN of that type in a statement that uses that action. Required resources are marked in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement that uses this action, it must be of this type. Some actions support multiple resource types. If a resource type is optional (not marked as required), you can choose to use one type but not the other.

For details about the columns in the following table, see the Actions table.

Columns: Actions | Description | Access level | Resource types (* = required) | Condition keys | Dependent actions
AcceptReservedInstancesExchangeQuote
  Description: Grants permission to accept a Convertible Reserved Instance exchange quote
  Access level: Write
  Resource types: none (specify "*" in the Resource element)
  Condition keys: ec2:Region

AcceptTransitGatewayMulticastDomainAssociations
  Description: Grants permission to accept a request to associate subnets with a transit gateway multicast domain
  Access level: Write
  Resource types (* = required):
    transit-gateway-attachment (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    transit-gateway-multicast-domain (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
  Condition keys: ec2:Region

AcceptTransitGatewayPeeringAttachment
  Description: Grants permission to accept a transit gateway peering attachment request
  Access level: Write
  Resource types (* = required):
    transit-gateway-attachment* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
  Condition keys: ec2:Region

AcceptTransitGatewayVpcAttachment
  Description: Grants permission to accept a request to attach a VPC to a transit gateway
  Access level: Write
  Resource types (* = required):
    transit-gateway-attachment* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
  Condition keys: ec2:Region

AcceptVpcEndpointConnections
  Description: Grants permission to accept one or more interface VPC endpoint connections to your VPC endpoint service
  Access level: Write
  Resource types (* = required):
    vpc-endpoint-service* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
  Condition keys: ec2:Region

AcceptVpcPeeringConnection
  Description: Grants permission to accept a VPC peering connection request
  Access level: Write
  Resource types (* = required):
    vpc* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID)
    vpc-peering-connection* (condition keys: aws:ResourceTag/${TagKey}, ec2:AccepterVpc, ec2:RequesterVpc, ec2:ResourceTag/${TagKey}, ec2:VpcPeeringConnectionID)
  Condition keys: ec2:Region

AdvertiseByoipCidr
  Description: Grants permission to advertise an IP address range that is provisioned for use in Amazon through bring your own IP addresses (BYOIP)
  Access level: Write
  Resource types: none (specify "*" in the Resource element)
  Condition keys: ec2:Region

AllocateAddress
  Description: Grants permission to allocate an Elastic IP address (EIP) to your account
  Access level: Write
  Resource types (* = required):
    elastic-ip* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys; dependent actions: ec2:CreateTags)
    ipv4pool-ec2 (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
  Condition keys: ec2:Region

AllocateHosts
  Description: Grants permission to allocate a Dedicated Host to your account
  Access level: Write
  Resource types (* = required):
    dedicated-host* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:AutoPlacement, ec2:AvailabilityZone, ec2:HostRecovery, ec2:InstanceType, ec2:Quantity; dependent actions: ec2:CreateTags)
  Condition keys: ec2:Region

AllocateIpamPoolCidr
  Description: Grants permission to allocate a CIDR from an Amazon VPC IP Address Manager (IPAM) pool
  Access level: Write
  Resource types (* = required):
    ipam-pool* (condition keys: ec2:ResourceTag/${TagKey})
  Condition keys: ec2:Region

ApplySecurityGroupsToClientVpnTargetNetwork
  Description: Grants permission to apply a security group to the association between a Client VPN endpoint and a target network
  Access level: Write
  Resource types (* = required):
    client-vpn-endpoint* (condition keys: aws:ResourceTag/${TagKey}, ec2:ClientRootCertificateChainArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn, ec2:DirectoryArn, ec2:ResourceTag/${TagKey}, ec2:SamlProviderArn, ec2:ServerCertificateArn)
    security-group* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID)
    vpc* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:VpcID)
  Condition keys: ec2:Region

AssignIpv6Addresses
  Description: Grants permission to assign one or more IPv6 addresses to a network interface
  Access level: Write
  Resource types (* = required):
    network-interface* (condition keys: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc)
  Condition keys: ec2:Region

AssignPrivateIpAddresses
  Description: Grants permission to assign one or more secondary private IP addresses to a network interface
  Access level: Write
  Resource types (* = required):
    network-interface* (condition keys: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc)
  Condition keys: ec2:Region

AssociateAddress
  Description: Grants permission to associate an Elastic IP address (EIP) with an instance or a network interface
  Access level: Write
  Resource types (* = required):
    elastic-ip (condition keys: aws:ResourceTag/${TagKey}, ec2:AllocationId, ec2:Domain, ec2:PublicIpAddress, ec2:ResourceTag/${TagKey})
    instance (condition keys: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy)
    network-interface (condition keys: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc)
  Condition keys: ec2:Region

AssociateClientVpnTargetNetwork
  Description: Grants permission to associate a target network with a Client VPN endpoint
  Access level: Write
  Resource types (* = required):
    client-vpn-endpoint* (condition keys: aws:ResourceTag/${TagKey}, ec2:ClientRootCertificateChainArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn, ec2:DirectoryArn, ec2:ResourceTag/${TagKey}, ec2:SamlProviderArn, ec2:ServerCertificateArn)
    subnet* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SubnetID)
  Condition keys: ec2:Region

AssociateDhcpOptions
  Description: Grants permission to associate or disassociate a set of DHCP options with a VPC
  Access level: Write
  Resource types (* = required):
    dhcp-options* (condition keys: aws:ResourceTag/${TagKey}, ec2:DhcpOptionsID, ec2:ResourceTag/${TagKey})
    vpc* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID)
  Condition keys: ec2:Region

AssociateEnclaveCertificateIamRole
  Description: Grants permission to associate an ACM certificate with an IAM role to be used in an EC2 Enclave
  Access level: Write
  Resource types (* = required):
    certificate* (no condition keys)
    role* (no condition keys)
  Condition keys: ec2:Region

AssociateIamInstanceProfile
  Description: Grants permission to associate an IAM instance profile with a running or stopped instance
  Access level: Write
  Resource types (* = required):
    instance* (condition keys: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:NewInstanceProfile, ec2:PlacementGroup, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy; dependent actions: iam:PassRole)
  Condition keys: ec2:Region

AssociateInstanceEventWindow
  Description: Grants permission to associate one or more targets with an event window
  Access level: Write
  Resource types (* = required):
    instance-event-window* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
  Condition keys: ec2:Region

AssociateRouteTable
  Description: Grants permission to associate a subnet or gateway with a route table
  Access level: Write
  Resource types (* = required):
    route-table* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:RouteTableID, ec2:Vpc)
    internet-gateway (condition keys: aws:ResourceTag/${TagKey}, ec2:InternetGatewayID, ec2:ResourceTag/${TagKey})
    subnet (condition keys: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc)
    vpn-gateway (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
  Condition keys: ec2:Region

AssociateSubnetCidrBlock
  Description: Grants permission to associate a CIDR block with a subnet
  Access level: Write
  Resource types (* = required):
    subnet* (condition keys: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc)
  Condition keys: ec2:Region

AssociateTransitGatewayMulticastDomain
  Description: Grants permission to associate an attachment and a list of subnets with a transit gateway multicast domain
  Access level: Write
  Resource types (* = required):
    subnet* (condition keys: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc)
    transit-gateway-attachment* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    transit-gateway-multicast-domain* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
  Condition keys: ec2:Region

AssociateTransitGatewayRouteTable
  Description: Grants permission to associate an attachment with a transit gateway route table
  Access level: Write
  Resource types (* = required):
    transit-gateway-attachment* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    transit-gateway-route-table* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
  Condition keys: ec2:Region

AssociateTrunkInterface
  Description: Grants permission to associate a branch network interface with a trunk network interface
  Access level: Write
  Resource types: none (specify "*" in the Resource element)
  Condition keys: ec2:Region

AssociateVpcCidrBlock
  Description: Grants permission to associate a CIDR block with a VPC
  Access level: Write
  Resource types (* = required):
    vpc* (condition keys: aws:ResourceTag/${TagKey}, ec2:Ipv4IpamPoolId, ec2:Ipv6IpamPoolId, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID)
    ipam-pool (condition keys: ec2:ResourceTag/${TagKey})
    ipv6pool-ec2 (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
  Condition keys: ec2:Region

AttachClassicLinkVpc
  Description: Grants permission to link an EC2-Classic instance to a ClassicLink-enabled VPC through one or more of the VPC's security groups
  Access level: Write
  Resource types (* = required):
    instance* (condition keys: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceProfile, ec2:InstanceType, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy)
    security-group* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID, ec2:Vpc)
    vpc* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID)
  Condition keys: ec2:Region

AttachInternetGateway
  Description: Grants permission to attach an internet gateway to a VPC
  Access level: Write
  Resource types (* = required):
    internet-gateway* (condition keys: aws:ResourceTag/${TagKey}, ec2:InternetGatewayID, ec2:ResourceTag/${TagKey})
    vpc* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID)
  Condition keys: ec2:Region

AttachNetworkInterface
  Description: Grants permission to attach a network interface to an instance
  Access level: Write
  Resource types (* = required):
    instance* (condition keys: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy)
    network-interface* (condition keys: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc)
  Condition keys: ec2:Region

AttachVolume
  Description: Grants permission to attach an EBS volume to a running or stopped instance and expose it to the instance with the specified device name
  Access level: Write
  Resource types (* = required):
    instance* (condition keys: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceProfile, ec2:InstanceType, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy)
    volume* (condition keys: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:ResourceTag/${TagKey}, ec2:VolumeID, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType)
  Condition keys: ec2:Region

AttachVpnGateway
  Description: Grants permission to attach a virtual private gateway to a VPC
  Access level: Write
  Resource types (* = required):
    vpc* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID)
    vpn-gateway* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
  Condition keys: ec2:Region

AuthorizeClientVpnIngress
  Description: Grants permission to add an inbound authorization rule to a Client VPN endpoint
  Access level: Write
  Resource types (* = required):
    client-vpn-endpoint* (condition keys: aws:ResourceTag/${TagKey}, ec2:ClientRootCertificateChainArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn, ec2:DirectoryArn, ec2:ResourceTag/${TagKey}, ec2:SamlProviderArn, ec2:ServerCertificateArn)
  Condition keys: ec2:Region

AuthorizeSecurityGroupEgress
  Description: Grants permission to add one or more outbound rules to a VPC security group
  Access level: Write
  Resource types (* = required):
    security-group* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID, ec2:Vpc; dependent actions: ec2:CreateTags)
  Condition keys: ec2:Region

AuthorizeSecurityGroupIngress
  Description: Grants permission to add one or more inbound rules to a security group
  Access level: Write
  Resource types (* = required):
    security-group* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID, ec2:Vpc; dependent actions: ec2:CreateTags)
  Condition keys: ec2:Region

BundleInstance
  Description: Grants permission to bundle an instance store-backed Windows instance
  Access level: Write
  Resource types: none (specify "*" in the Resource element)
  Condition keys: ec2:Region

CancelBundleTask
  Description: Grants permission to cancel a bundling operation
  Access level: Write
  Resource types: none (specify "*" in the Resource element)
  Condition keys: ec2:Region

CancelCapacityReservation
  Description: Grants permission to cancel a Capacity Reservation and release the reserved capacity
  Access level: Write
  Resource types (* = required):
    capacity-reservation* (condition keys: aws:ResourceTag/${TagKey}, ec2:CapacityReservationFleet, ec2:ResourceTag/${TagKey})
  Condition keys: ec2:Region

CancelCapacityReservationFleets
  Description: Grants permission to cancel one or more Capacity Reservation Fleets
  Access level: Write
  Resource types (* = required):
    capacity-reservation-fleet* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
  Condition keys: ec2:Region

CancelConversionTask
  Description: Grants permission to cancel an active conversion task
  Access level: Write
  Resource types: none (specify "*" in the Resource element)
  Condition keys: ec2:Region

CancelExportTask
  Description: Grants permission to cancel an active export task
  Access level: Write
  Resource types (* = required):
    export-image-task (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    export-instance-task (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
  Condition keys: ec2:Region

CancelImportTask
  Description: Grants permission to cancel an in-process import virtual machine or import snapshot task
  Access level: Write
  Resource types (* = required):
    import-image-task (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    import-snapshot-task (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
  Condition keys: ec2:Region

CancelReservedInstancesListing
  Description: Grants permission to cancel a Reserved Instance listing on the Reserved Instance Marketplace
  Access level: Write
  Resource types: none (specify "*" in the Resource element)
  Condition keys: ec2:Region

CancelSpotFleetRequests
  Description: Grants permission to cancel one or more Spot Fleet requests
  Access level: Write
  Resource types (* = required):
    spot-fleet-request* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
  Condition keys: ec2:Region

CancelSpotInstanceRequests
  Description: Grants permission to cancel one or more Spot Instance requests
  Access level: Write
  Resource types (* = required):
    spot-instances-request* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
  Condition keys: ec2:Region

ConfirmProductInstance
  Description: Grants permission to determine whether an owned product code is associated with an instance
  Access level: Write
  Resource types: none (specify "*" in the Resource element)
  Condition keys: ec2:Region

CopyFpgaImage
  Description: Grants permission to copy a source Amazon FPGA image (AFI) to the current Region. Resource-level permissions specified for this action apply only to the new AFI, not to the source AFI
  Access level: Write
  Resource types (* = required):
    fpga-image* (condition keys: ec2:Owner)
  Condition keys: ec2:Region

CopyImage
  Description: Grants permission to copy an Amazon Machine Image (AMI) from a source Region to the current Region. Resource-level permissions specified for this action apply only to the new AMI, not to the source AMI
  Access level: Write
  Resource types (* = required):
    image* (condition keys: ec2:ImageID, ec2:Owner)
  Condition keys: ec2:Region

CopySnapshot
  Description: Grants permission to copy a point-in-time snapshot of an EBS volume and store it in Amazon S3. Resource-level permissions specified for this action apply only to the new snapshot, not to the source snapshot
  Access level: Write
  Resource types (* = required):
    snapshot* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:OutpostArn, ec2:SnapshotID, ec2:SourceOutpostArn; dependent actions: ec2:CreateTags)
  Condition keys: ec2:Region

CreateCapacityReservation
  Description: Grants permission to create a Capacity Reservation
  Access level: Write
  Resource types (* = required):
    capacity-reservation* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:CapacityReservationFleet; dependent actions: ec2:CreateTags)
  Condition keys: ec2:Region

CreateCapacityReservationFleet
  Description: Grants permission to create a Capacity Reservation Fleet
  Access level: Write
  Resource types (* = required):
    capacity-reservation-fleet* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys; dependent actions: ec2:CreateTags)
  Condition keys: ec2:Region

CreateCarrierGateway
  Description: Grants permission to create a carrier gateway, which provides CSP connectivity to VPC customers
  Access level: Write
  Resource types (* = required):
    carrier-gateway* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys; dependent actions: ec2:CreateTags)
    vpc* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID)
  Condition keys: ec2:Region

CreateClientVpnEndpoint
  Description: Grants permission to create a Client VPN endpoint
  Access level: Write
  Resource types (* = required):
    client-vpn-endpoint* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:ClientRootCertificateChainArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn, ec2:DirectoryArn, ec2:SamlProviderArn, ec2:ServerCertificateArn; dependent actions: ec2:CreateTags)
    security-group (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID)
    vpc (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:VpcID)
  Condition keys: ec2:Region

CreateClientVpnRoute
  Description: Grants permission to add a network route to a Client VPN endpoint's route table
  Access level: Write
  Resource types (* = required):
    client-vpn-endpoint* (condition keys: aws:ResourceTag/${TagKey}, ec2:ClientRootCertificateChainArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn, ec2:DirectoryArn, ec2:ResourceTag/${TagKey}, ec2:SamlProviderArn, ec2:ServerCertificateArn)
    subnet* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SubnetID)
  Condition keys: ec2:Region

CreateCoipPoolPermission
  Description: [permission only] Grants permission to allow a service to access a customer-owned IP (CoIP) pool
  Access level: Write
  Resource types: none (specify "*" in the Resource element)
  Condition keys: ec2:Region

CreateCustomerGateway
  Description: Grants permission to create a customer gateway, which provides information to Amazon about your customer gateway device
  Access level: Write
  Resource types (* = required):
    customer-gateway* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys; dependent actions: ec2:CreateTags)
  Condition keys: ec2:Region

CreateDefaultSubnet
  Description: Grants permission to create a default subnet in a specified Availability Zone in a default VPC
  Access level: Write
  Resource types: none (specify "*" in the Resource element)
  Condition keys: ec2:Region

CreateDefaultVpc
  Description: Grants permission to create a default VPC with a default subnet in each Availability Zone
  Access level: Write
  Resource types: none (specify "*" in the Resource element)
  Condition keys: ec2:Region

CreateDhcpOptions
  Description: Grants permission to create a set of DHCP options for a VPC
  Access level: Write
  Resource types (* = required):
    dhcp-options* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:DhcpOptionsID; dependent actions: ec2:CreateTags)
  Condition keys: ec2:Region

CreateEgressOnlyInternetGateway
  Description: Grants permission to create an egress-only internet gateway for a VPC
  Access level: Write
  Resource types (* = required):
    egress-only-internet-gateway* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys; dependent actions: ec2:CreateTags)
    vpc* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID)
  Condition keys: ec2:Region

CreateFleet
  Description: Grants permission to launch an EC2 Fleet
  Access level: Write
  Resource types (* = required):
    fleet* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys; dependent actions: ec2:CreateTags)
    instance* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceID, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:RootDeviceType, ec2:Tenancy)
    image (condition keys: aws:ResourceTag/${TagKey}, ec2:ImageID, ec2:ImageType, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType)
    key-pair (condition keys: aws:ResourceTag/${TagKey}, ec2:KeyPairName, ec2:KeyPairType, ec2:ResourceTag/${TagKey})
    launch-template (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    network-interface (condition keys: aws:ResourceTag/${TagKey}, ec2:AssociatePublicIpAddress, ec2:AuthorizedService, ec2:AvailabilityZone, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc)
    placement-group (condition keys: aws:ResourceTag/${TagKey}, ec2:PlacementGroupName, ec2:PlacementGroupStrategy, ec2:ResourceTag/${TagKey})
    security-group (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID, ec2:Vpc)
    snapshot (condition keys: aws:ResourceTag/${TagKey}, ec2:Owner, ec2:ParentVolume, ec2:ResourceTag/${TagKey}, ec2:SnapshotID, ec2:SnapshotTime, ec2:VolumeSize)
    subnet (condition keys: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc)
    volume (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:AvailabilityZone, ec2:Encrypted, ec2:KmsKeyId, ec2:ParentSnapshot, ec2:VolumeID, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType)
  Condition keys: ec2:Region

CreateFlowLogs
  Description: Grants permission to create one or more flow logs to capture IP traffic for a network interface
  Access level: Write
  Resource types (* = required):
    vpc-flow-log* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys; dependent actions: ec2:CreateTags, iam:PassRole)
    network-interface (condition keys: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc)
    subnet (condition keys: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc)
    vpc (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID)
  Condition keys: ec2:Region

CreateFpgaImage
  Description: Grants permission to create an Amazon FPGA image (AFI) from a design checkpoint (DCP)
  Access level: Write
  Resource types (* = required):
    fpga-image* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Owner, ec2:Public; dependent actions: ec2:CreateTags)
  Condition keys: ec2:Region

CreateImage
  Description: Grants permission to create an Amazon EBS-backed AMI from a stopped or running Amazon EBS-backed instance
  Access level: Write
  Resource types (* = required):
    image* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:ImageID, ec2:Owner; dependent actions: ec2:CreateTags)
    instance* (condition keys: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy)
    snapshot* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:OutpostArn, ec2:Owner, ec2:ParentVolume, ec2:SnapshotID, ec2:SnapshotTime, ec2:SourceOutpostArn, ec2:VolumeSize)
  Condition keys: ec2:Region

CreateInstanceEventWindow
  Description: Grants permission to create an event window in which scheduled events for the associated Amazon EC2 instances can run
  Access level: Write
  Resource types (* = required):
    instance-event-window* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys; dependent actions: ec2:CreateTags)
  Condition keys: ec2:Region

CreateInstanceExportTask
  Description: Grants permission to export a running or stopped instance to an Amazon S3 bucket
  Access level: Write
  Resource types (* = required):
    export-instance-task* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys; dependent actions: ec2:CreateTags)
    instance* (condition keys: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy)
  Condition keys: ec2:Region

CreateInternetGateway
  Description: Grants permission to create an internet gateway for a VPC
  Access level: Write
  Resource types (* = required):
    internet-gateway* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:InternetGatewayID; dependent actions: ec2:CreateTags)
  Condition keys: ec2:Region

CreateIpam
  Description: Grants permission to create an Amazon VPC IP Address Manager (IPAM)
  Access level: Write
  Resource types (* = required):
    ipam* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys; dependent actions: ec2:CreateTags, iam:CreateServiceLinkedRole)
  Condition keys: ec2:Region

CreateIpamPool
  Description: Grants permission to create an IP address pool for Amazon VPC IP Address Manager (IPAM), which is a collection of contiguous IP address CIDRs
  Access level: Write
  Resource types (* = required):
    ipam-pool* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys; dependent actions: ec2:CreateTags)
    ipam-scope* (condition keys: ec2:ResourceTag/${TagKey})
  Condition keys: ec2:Region

CreateIpamScope
  Description: Grants permission to create an Amazon VPC IP Address Manager (IPAM) scope, which is the highest-level container within IPAM
  Access level: Write
  Resource types (* = required):
    ipam* (condition keys: ec2:ResourceTag/${TagKey}; dependent actions: ec2:CreateTags)
    ipam-scope* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys)
  Condition keys: ec2:Region

CreateKeyPair
  Description: Grants permission to create a 2048-bit RSA key pair
  Access level: Write
  Resource types (* = required):
    key-pair* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:KeyPairType; dependent actions: ec2:CreateTags)
  Condition keys: ec2:Region

CreateLaunchTemplate
  Description: Grants permission to create a launch template
  Access level: Write
  Resource types (* = required):
    launch-template* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys; dependent actions: ec2:CreateTags)
  Condition keys: ec2:Region

CreateLaunchTemplateVersion
  Description: Grants permission to create a new version of a launch template
  Access level: Write
  Resource types (* = required):
    launch-template* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
  Condition keys: ec2:Region

CreateLocalGatewayRoute
  Description: Grants permission to create a static route for a local gateway route table
  Access level: Write
  Resource types (* = required):
    local-gateway-route-table* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    local-gateway-virtual-interface-group* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
  Condition keys: ec2:Region

CreateLocalGatewayRouteTablePermission
  Description: [permission only] Grants permission to allow a service to access a local gateway route table
  Access level: Write
  Resource types (* = required):
    local-gateway-route-table* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
  Condition keys: ec2:Region

CreateLocalGatewayRouteTableVpcAssociation
  Description: Grants permission to associate a VPC with a local gateway route table
  Access level: Write
  Resource types (* = required):
    local-gateway-route-table* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}; dependent actions: ec2:CreateTags)
    local-gateway-route-table-vpc-association* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys)
    vpc* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID)
  Condition keys: ec2:Region

CreateManagedPrefixList
  Description: Grants permission to create a managed prefix list
  Access level: Write
  Resource types (* = required):
    prefix-list* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys; dependent actions: ec2:CreateTags)
  Condition keys: ec2:Region

CreateNatGateway
  Description: Grants permission to create a NAT gateway in a subnet
  Access level: Write
  Resource types (* = required):
    natgateway* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys; dependent actions: ec2:CreateTags)
    subnet* (condition keys: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc)
    elastic-ip (condition keys: aws:ResourceTag/${TagKey}, ec2:AllocationId, ec2:Domain, ec2:PublicIpAddress, ec2:ResourceTag/${TagKey})
  Condition keys: ec2:Region

CreateNetworkAcl
  Description: Grants permission to create a network ACL in a VPC
  Access level: Write
  Resource types (* = required):
    network-acl* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:NetworkAclID; dependent actions: ec2:CreateTags)
    vpc* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID)
  Condition keys: ec2:Region

CreateNetworkAclEntry
  Description: Grants permission to create a numbered entry (a rule) in a network ACL
  Access level: Write
  Resource types (* = required):
    network-acl* (condition keys: aws:ResourceTag/${TagKey}, ec2:NetworkAclID, ec2:ResourceTag/${TagKey}, ec2:Vpc)
  Condition keys: ec2:Region

CreateNetworkInsightsAccessScope
  Description: Grants permission to create a Network Access Scope
  Access level: Write
  Resource types (* = required):
    network-insights-access-scope* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys; dependent actions: ec2:CreateTags)
  Condition keys: ec2:Region

CreateNetworkInsightsPath
  Description: Grants permission to create a path to analyze for reachability
  Access level: Write
  Resource types (* = required):
    network-insights-path* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys; dependent actions: ec2:CreateTags)
    instance (condition keys: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceID, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy)
    internet-gateway (condition keys: aws:ResourceTag/${TagKey}, ec2:InternetGatewayID, ec2:ResourceTag/${TagKey})
    network-interface (condition keys: aws:ResourceTag/${TagKey}, ec2:AssociatePublicIpAddress, ec2:AuthorizedService, ec2:AvailabilityZone, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc)
    transit-gateway (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    vpc-endpoint (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    vpc-peering-connection (condition keys: aws:ResourceTag/${TagKey}, ec2:AccepterVpc, ec2:RequesterVpc, ec2:ResourceTag/${TagKey}, ec2:VpcPeeringConnectionID)
    vpn-gateway (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
  Condition keys: ec2:Region

CreateNetworkInterface
  Description: Grants permission to create a network interface in a subnet
  Access level: Write
  Resource types (* = required):
    network-interface* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:NetworkInterfaceID; dependent actions: ec2:CreateTags)
    subnet* (condition keys: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc)
    security-group (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID, ec2:Vpc)
  Condition keys: ec2:Region

CreateNetworkInterfacePermission
  Description: Grants permission to create a permission for an Amazon-authorized user to perform certain operations on a network interface
  Access level: Permissions management
  Resource types (* = required):
    network-interface* (condition keys: aws:ResourceTag/${TagKey}, ec2:AuthorizedService, ec2:AuthorizedUser, ec2:AvailabilityZone, ec2:NetworkInterfaceID, ec2:Permission, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc)
  Condition keys: ec2:Region

CreatePlacementGroup
  Description: Grants permission to create a placement group
  Access level: Write
  Resource types (* = required):
    placement-group* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:PlacementGroupName, ec2:PlacementGroupStrategy; dependent actions: ec2:CreateTags)
  Condition keys: ec2:Region

CreatePublicIpv4Pool
  Description: Grants permission to create a public IPv4 address pool for public IPv4 CIDRs that you own and bring to Amazon to manage with Amazon VPC IP Address Manager (IPAM)
  Access level: Write
  Resource types (* = required):
    network-insights-access-scope* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys; dependent actions: ec2:CreateTags)
  Condition keys: ec2:Region

CreateReplaceRootVolumeTask
  Description: Grants permission to create a root volume replacement task
  Access level: Write
  Resource types (* = required):
    instance* (condition keys: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy; dependent actions: ec2:CreateTags)
    replace-root-volume-task* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys)
    volume* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:VolumeID)
    snapshot (condition keys: aws:ResourceTag/${TagKey}, ec2:Owner, ec2:ParentVolume, ec2:ResourceTag/${TagKey}, ec2:SnapshotID, ec2:SnapshotTime, ec2:VolumeSize)
  Condition keys: ec2:Region

CreateReservedInstancesListing
  Description: Grants permission to create a listing for Standard Reserved Instances to be sold in the Reserved Instance Marketplace
  Access level: Write
  Resource types: none (specify "*" in the Resource element)
  Condition keys: ec2:Region

CreateRestoreImageTask
  Description: Grants permission to start a task that restores an AMI from an S3 object previously created by using CreateStoreImageTask
  Access level: Write
  Resource types (* = required):
    image* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:ImageID, ec2:Owner; dependent actions: ec2:CreateTags)
  Condition keys: ec2:Region

CreateRoute
  Description: Grants permission to create a route in a VPC route table
  Access level: Write
  Resource types (* = required):
    route-table* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:RouteTableID, ec2:Vpc)
  Condition keys: ec2:Region

CreateRouteTable
  Description: Grants permission to create a route table for a VPC
  Access level: Write
  Resource types (* = required):
    route-table* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:RouteTableID; dependent actions: ec2:CreateTags)
    vpc* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID)
  Condition keys: ec2:Region

CreateSecurityGroup
  Description: Grants permission to create a security group
  Access level: Write
  Resource types (* = required):
    security-group* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:SecurityGroupID; dependent actions: ec2:CreateTags)
    vpc (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID)
  Condition keys: ec2:Region

CreateSnapshot
  Description: Grants permission to create a snapshot of an EBS volume and store it in Amazon S3
  Access level: Write
  Resource types (* = required):
    snapshot* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:OutpostArn, ec2:ParentVolume, ec2:SnapshotID, ec2:SourceOutpostArn, ec2:VolumeSize; dependent actions: ec2:CreateTags)
    volume* (condition keys: aws:ResourceTag/${TagKey}, ec2:Encrypted, ec2:ResourceTag/${TagKey}, ec2:VolumeID, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType)
  Condition keys: ec2:Region

CreateSnapshots
  Description: Grants permission to create crash-consistent snapshots of multiple EBS volumes and store them in Amazon S3
  Access level: Write
  Resource types (* = required):
    instance* (condition keys: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceID, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy; dependent actions: ec2:CreateTags)
    snapshot* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:OutpostArn, ec2:ParentVolume, ec2:SnapshotID, ec2:SourceOutpostArn, ec2:VolumeSize)
    volume* (condition keys: aws:ResourceTag/${TagKey}, ec2:Encrypted, ec2:ResourceTag/${TagKey}, ec2:VolumeID, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType)
  Condition keys: ec2:Region

CreateSpotDatafeedSubscription
  Description: Grants permission to create a data feed for Spot Instances to view Spot Instance usage logs
  Access level: Write
  Resource types: none (specify "*" in the Resource element)
  Condition keys: ec2:Region

CreateStoreImageTask
  Description: Grants permission to store an AMI as a single object in an S3 bucket
  Access level: Write
  Resource types (* = required):
    image* (condition keys: aws:ResourceTag/${TagKey}, ec2:ImageID, ec2:ImageType, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType)
  Condition keys: ec2:Region

CreateSubnet
  Description: Grants permission to create a subnet in a VPC
  Access level: Write
  Resource types (* = required):
    subnet* (condition keys: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:SubnetID; dependent actions: ec2:CreateTags)
    vpc* (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID)
  Condition keys: ec2:Region

CreateSubnetCidrReservation
  Description: Grants permission to create a subnet CIDR reservation
  Access level: Write
  Resource types: none (specify "*" in the Resource element)
  Condition keys: ec2:Region

CreateTags
  Description: Grants permission to add or overwrite one or more tags for Amazon EC2 resources
  Access level: Tagging
  Resource types (* = required):
    capacity-reservation (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    capacity-reservation-fleet (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    client-vpn-endpoint (condition keys: aws:ResourceTag/${TagKey}, ec2:ClientRootCertificateChainArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn, ec2:DirectoryArn, ec2:ResourceTag/${TagKey}, ec2:SamlProviderArn, ec2:ServerCertificateArn)
    customer-gateway (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    dedicated-host (condition keys: aws:ResourceTag/${TagKey}, ec2:AutoPlacement, ec2:AvailabilityZone, ec2:HostRecovery, ec2:InstanceType, ec2:Quantity, ec2:ResourceTag/${TagKey})
    dhcp-options (condition keys: aws:ResourceTag/${TagKey}, ec2:DhcpOptionsID, ec2:ResourceTag/${TagKey})
    egress-only-internet-gateway (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    elastic-gpu (condition keys: aws:ResourceTag/${TagKey}, ec2:ElasticGpuType, ec2:ResourceTag/${TagKey})
    elastic-ip (condition keys: aws:ResourceTag/${TagKey}, ec2:AllocationId, ec2:Domain, ec2:PublicIpAddress, ec2:ResourceTag/${TagKey})
    export-image-task (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    export-instance-task (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    fleet (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    fpga-image (condition keys: aws:ResourceTag/${TagKey}, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey})
    host-reservation (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    image (condition keys: aws:ResourceTag/${TagKey}, ec2:ImageID, ec2:ImageType, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType)
    import-image-task (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    import-snapshot-task (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    instance (condition keys: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy)
    instance-event-window (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    internet-gateway (condition keys: aws:ResourceTag/${TagKey}, ec2:InternetGatewayID, ec2:ResourceTag/${TagKey})
    ipam (condition keys: ec2:ResourceTag/${TagKey})
    ipam-pool (condition keys: ec2:ResourceTag/${TagKey})
    ipam-scope (condition keys: ec2:ResourceTag/${TagKey})
    ipv4pool-ec2 (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    ipv6pool-ec2 (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    key-pair (condition keys: aws:ResourceTag/${TagKey}, ec2:KeyPairName, ec2:KeyPairType, ec2:ResourceTag/${TagKey})
    launch-template (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    local-gateway (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    local-gateway-route-table (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    local-gateway-route-table-virtual-interface-group-association (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    local-gateway-route-table-vpc-association (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    local-gateway-virtual-interface (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    local-gateway-virtual-interface-group (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    natgateway (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    network-acl (condition keys: aws:ResourceTag/${TagKey}, ec2:NetworkAclID, ec2:ResourceTag/${TagKey}, ec2:Vpc)
    network-insights-access-scope (condition keys: ec2:ResourceTag/${TagKey})
    network-insights-access-scope-analysis (condition keys: ec2:ResourceTag/${TagKey})
    network-interface (condition keys: aws:ResourceTag/${TagKey}, ec2:AssociatePublicIpAddress, ec2:AuthorizedService, ec2:AuthorizedUser, ec2:AvailabilityZone, ec2:NetworkInterfaceID, ec2:Permission, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc)
    placement-group (condition keys: aws:ResourceTag/${TagKey}, ec2:PlacementGroupName, ec2:PlacementGroupStrategy, ec2:ResourceTag/${TagKey})
    prefix-list (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    replace-root-volume-task (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    reserved-instances (condition keys: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:InstanceType, ec2:ReservedInstancesOfferingType, ec2:ResourceTag/${TagKey}, ec2:Tenancy)
    route-table (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:RouteTableID, ec2:Vpc)
    security-group (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID, ec2:Vpc)
    security-group-rule (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    snapshot (condition keys: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Encrypted, ec2:Owner, ec2:ParentVolume, ec2:ResourceTag/${TagKey}, ec2:SnapshotID, ec2:SnapshotTime, ec2:VolumeSize)
    spot-fleet-request (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    spot-instances-request (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    subnet (condition keys: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc)
    subnet-cidr-reservation (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    traffic-mirror-filter (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    traffic-mirror-session (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    traffic-mirror-target (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    transit-gateway (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    transit-gateway-attachment (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    transit-gateway-connect-peer (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    transit-gateway-multicast-domain (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    transit-gateway-route-table (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    volume (condition keys: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:ResourceTag/${TagKey}, ec2:VolumeID, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType)
    vpc (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID)
    vpc-endpoint (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    vpc-endpoint-service (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:VpceServicePrivateDnsName)
    vpc-flow-log (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
    vpc-peering-connection (condition keys: aws:ResourceTag/${TagKey}, ec2:AccepterVpc, ec2:RequesterVpc, ec2:ResourceTag/${TagKey}, ec2:VpcPeeringConnectionID)
    vpn-connection (condition keys: aws:ResourceTag/${TagKey}, ec2:AuthenticationType, ec2:DPDTimeoutSeconds, ec2:GatewayType, ec2:IKEVersions, ec2:InsideTunnelCidr, ec2:InsideTunnelIpv6Cidr, ec2:Phase1DHGroup, ec2:Phase1EncryptionAlgorithms, ec2:Phase1IntegrityAlgorithms, ec2:Phase1LifetimeSeconds, ec2:Phase2DHGroup, ec2:Phase2EncryptionAlgorithms, ec2:Phase2IntegrityAlgorithms, ec2:Phase2LifetimeSeconds, ec2:PreSharedKeys, ec2:RekeyFuzzPercentage, ec2:RekeyMarginTimeSeconds, ec2:ReplayWindowSizePackets, ec2:ResourceTag/${TagKey}, ec2:RoutingType)
    vpn-gateway (condition keys: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey})
  Condition keys: ec2:CreateAction, ec2:Region

CreateTrafficMirrorFilter | Grants permission to create a Traffic Mirror filter | Write
  traffic-mirror-filter*: aws:RequestTag/${TagKey}, aws:TagKeys
  dependent actions: ec2:CreateTags
  condition keys: ec2:Region

CreateTrafficMirrorFilterRule | Grants permission to create a Traffic Mirror filter rule | Write
  traffic-mirror-filter*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

CreateTrafficMirrorSession | Grants permission to create a Traffic Mirror session | Write
  network-interface*: aws:ResourceTag/${TagKey}, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}
  traffic-mirror-filter*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  traffic-mirror-session*: aws:RequestTag/${TagKey}, aws:TagKeys
  traffic-mirror-target*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  dependent actions: ec2:CreateTags
  condition keys: ec2:Region

CreateTrafficMirrorTarget | Grants permission to create a Traffic Mirror target | Write
  traffic-mirror-target*: aws:RequestTag/${TagKey}, aws:TagKeys
  network-interface: aws:ResourceTag/${TagKey}, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}
  dependent actions: ec2:CreateTags
  condition keys: ec2:Region
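Traffic mirroring copies packets off an interface, so the rows above are where scoping matters: CreateTrafficMirrorSession is authorised separately against the source network-interface, the filter, the target and the new session, each with its own condition keys. The identity policy below is an added example written for this page, not Amazon's own sample policy. It assumes the China partition and Region (arn:aws-cn, cn-north-1), the placeholder account 111122223333, and made-up tag keys MirrorAllowed, Team and Owner.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SourceInterfaceMustOptIn",
      "Effect": "Allow",
      "Action": "ec2:CreateTrafficMirrorSession",
      "Resource": "arn:aws-cn:ec2:cn-north-1:111122223333:network-interface/*",
      "Condition": {
        "StringEquals": { "ec2:ResourceTag/MirrorAllowed": "true" }
      }
    },
    {
      "Sid": "FilterAndTargetMustBelongToSecOps",
      "Effect": "Allow",
      "Action": "ec2:CreateTrafficMirrorSession",
      "Resource": [
        "arn:aws-cn:ec2:cn-north-1:111122223333:traffic-mirror-filter/*",
        "arn:aws-cn:ec2:cn-north-1:111122223333:traffic-mirror-target/*"
      ],
      "Condition": {
        "StringEquals": { "ec2:ResourceTag/Team": "secops" }
      }
    },
    {
      "Sid": "NewSessionMustCarryOwnerTag",
      "Effect": "Allow",
      "Action": "ec2:CreateTrafficMirrorSession",
      "Resource": "arn:aws-cn:ec2:cn-north-1:111122223333:traffic-mirror-session/*",
      "Condition": {
        "Null": { "aws:RequestTag/Owner": "false" },
        "ForAllValues:StringEquals": { "aws:TagKeys": ["Owner", "Purpose"] }
      }
    },
    {
      "Sid": "TagSessionOnlyAtCreation",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws-cn:ec2:cn-north-1:111122223333:traffic-mirror-session/*",
      "Condition": {
        "StringEquals": { "ec2:CreateAction": "CreateTrafficMirrorSession" }
      }
    }
  ]
}
```

Every resource the call touches needs its own Allow, so a session on an interface that lacks MirrorAllowed=true, or that points at a target owned by another team, fails closed. The last statement is required because the session's aws:RequestTag condition can only be satisfied if the caller may tag at creation; ec2:CreateAction restricts that CreateTags grant to the creating call, so the same principal cannot re-tag an existing session later.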

CreateTransitGateway | Grants permission to create a transit gateway | Write
  transit-gateway*: aws:RequestTag/${TagKey}, aws:TagKeys
  dependent actions: ec2:CreateTags
  condition keys: ec2:Region

CreateTransitGatewayConnect | Grants permission to create a Connect attachment from a specified transit gateway attachment | Write
  transit-gateway-attachment*: aws:RequestTag/${TagKey}, aws:TagKeys
  dependent actions: ec2:CreateTags
  condition keys: ec2:Region

CreateTransitGatewayConnectPeer | Grants permission to create a Connect peer between a transit gateway and an appliance | Write
  transit-gateway-attachment*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  transit-gateway-connect-peer*: aws:RequestTag/${TagKey}, aws:TagKeys
  dependent actions: ec2:CreateTags
  condition keys: ec2:Region

CreateTransitGatewayMulticastDomain | Grants permission to create a multicast domain for a transit gateway | Write
  transit-gateway*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  transit-gateway-multicast-domain*: aws:RequestTag/${TagKey}, aws:TagKeys
  dependent actions: ec2:CreateTags
  condition keys: ec2:Region

CreateTransitGatewayPeeringAttachment | Grants permission to request a transit gateway peering attachment between a requester and an accepter transit gateway | Write
  transit-gateway*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  transit-gateway-attachment*: aws:RequestTag/${TagKey}, aws:TagKeys
  dependent actions: ec2:CreateTags
  condition keys: ec2:Region

CreateTransitGatewayPrefixListReference | Grants permission to create a transit gateway prefix list reference | Write
  prefix-list*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  transit-gateway-route-table*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  transit-gateway-attachment: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

CreateTransitGatewayRoute | Grants permission to create a static route for a transit gateway route table | Write
  transit-gateway-route-table*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  transit-gateway-attachment: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

CreateTransitGatewayRouteTable | Grants permission to create a route table for a transit gateway | Write
  transit-gateway*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  transit-gateway-route-table*: aws:RequestTag/${TagKey}, aws:TagKeys
  dependent actions: ec2:CreateTags
  condition keys: ec2:Region

CreateTransitGatewayVpcAttachment | Grants permission to attach a VPC to a transit gateway | Write
  transit-gateway*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  transit-gateway-attachment*: aws:RequestTag/${TagKey}, aws:TagKeys
  vpc*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID
  subnet: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc
  dependent actions: ec2:CreateTags
  condition keys: ec2:Region

CreateVolume | Grants permission to create an EBS volume | Write
  volume*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:AvailabilityZone, ec2:Encrypted, ec2:KmsKeyId, ec2:ParentSnapshot, ec2:VolumeID, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType
  dependent actions: ec2:CreateTags
  condition keys: ec2:Region
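CreateVolume exposes ec2:Encrypted and ec2:KmsKeyId on the volume resource, which is enough to refuse plaintext volumes, or volumes wrapped with an unapproved key, at authorisation time instead of finding them in an audit. The policy below is an added example for this page, not Amazon's own; it assumes arn:aws-cn, cn-north-1, account 111122223333 and a placeholder KMS key ID. Listing ec2:RunInstances alongside CreateVolume in the first statement is an assumption drawn from that action's row elsewhere in this reference (outside this section): launching an instance creates volumes from the block device mapping without ever calling CreateVolume, and the same ec2:Encrypted key is evaluated on those volume resources.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnencryptedVolumes",
      "Effect": "Deny",
      "Action": ["ec2:CreateVolume", "ec2:RunInstances"],
      "Resource": "arn:aws-cn:ec2:*:*:volume/*",
      "Condition": {
        "Bool": { "ec2:Encrypted": "false" }
      }
    },
    {
      "Sid": "DenyVolumesNotWrappedWithApprovedKey",
      "Effect": "Deny",
      "Action": "ec2:CreateVolume",
      "Resource": "arn:aws-cn:ec2:*:*:volume/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:KmsKeyId": "arn:aws-cn:kms:cn-north-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
      }
    }
  ]
}
```

Both statements are explicit denies, so they only narrow whatever Allow the principal already has. StringNotEquals also matches when the key is absent from the request context, so a CreateVolume call that relies on the account default key without naming one is refused by the second statement; check that behaviour against your intent in the IAM policy simulator before rolling it out.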

CreateVpc | Grants permission to create a VPC with a specified CIDR block | Write
  vpc*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Ipv4IpamPoolId, ec2:Ipv6IpamPoolId, ec2:VpcID
  ipam-pool: ec2:ResourceTag/${TagKey}
  ipv6pool-ec2: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  dependent actions: ec2:CreateTags
  condition keys: ec2:Region

CreateVpcEndpoint | Grants permission to create a VPC endpoint for an Amazon service | Write
  vpc*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:VpcID
  vpc-endpoint*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:VpceServiceName, ec2:VpceServiceOwner
  route-table: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:RouteTableID
  security-group: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID
  subnet: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SubnetID
  dependent actions: ec2:CreateTags, route53:AssociateVPCWithHostedZone
  condition keys: ec2:Region

CreateVpcEndpointConnectionNotification | Grants permission to create a connection notification for a VPC endpoint or VPC endpoint service | Write
  vpc-endpoint: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

CreateVpcEndpointServiceConfiguration | Grants permission to create a VPC endpoint service configuration to which service consumers (Amazon accounts, IAM users, and IAM roles) can connect | Write
  vpc-endpoint-service*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:VpceServicePrivateDnsName
  dependent actions: ec2:CreateTags
  condition keys: ec2:Region

CreateVpcPeeringConnection | Grants permission to request a VPC peering connection between two VPCs | Write
  vpc*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID
  vpc-peering-connection*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:AccepterVpc, ec2:RequesterVpc, ec2:VpcPeeringConnectionID
  dependent actions: ec2:CreateTags
  condition keys: ec2:Region

CreateVpnConnection | Grants permission to create a VPN connection between a virtual private gateway or transit gateway and a customer gateway | Write
  customer-gateway*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  vpn-connection*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:AuthenticationType, ec2:DPDTimeoutSeconds, ec2:GatewayType, ec2:IKEVersions, ec2:InsideTunnelCidr, ec2:InsideTunnelIpv6Cidr, ec2:Phase1DHGroup, ec2:Phase1EncryptionAlgorithms, ec2:Phase1IntegrityAlgorithms, ec2:Phase1LifetimeSeconds, ec2:Phase2DHGroup, ec2:Phase2EncryptionAlgorithms, ec2:Phase2IntegrityAlgorithms, ec2:Phase2LifetimeSeconds, ec2:PreSharedKeys, ec2:RekeyFuzzPercentage, ec2:RekeyMarginTimeSeconds, ec2:ReplayWindowSizePackets, ec2:RoutingType
  transit-gateway: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  vpn-gateway: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  dependent actions: ec2:CreateTags
  condition keys: ec2:Region
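The vpn-connection row above is unusual: the tunnel's cryptographic parameters (IKE version, DH groups, encryption and integrity algorithms, lifetimes, pre-shared keys) are condition keys, so a policy can refuse to create a VPN with weak settings rather than catching it in a review. The policy below is an added example for this page, not Amazon's own; it assumes arn:aws-cn, cn-north-1 and account 111122223333. The algorithm names and group numbers are the valid values of the Site-to-Site VPN tunnel options (ikev1/ikev2, AES128/AES256/AES128-GCM-16/AES256-GCM-16, SHA1/SHA2-256/SHA2-384/SHA2-512, DH groups 2 and 14 to 24).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TunnelCryptoMustBeExplicitAndStrong",
      "Effect": "Allow",
      "Action": "ec2:CreateVpnConnection",
      "Resource": "arn:aws-cn:ec2:cn-north-1:111122223333:vpn-connection/*",
      "Condition": {
        "Null": {
          "ec2:IKEVersions": "false",
          "ec2:Phase1DHGroup": "false",
          "ec2:Phase2DHGroup": "false",
          "ec2:Phase1EncryptionAlgorithms": "false",
          "ec2:Phase2EncryptionAlgorithms": "false",
          "ec2:Phase1IntegrityAlgorithms": "false",
          "ec2:Phase2IntegrityAlgorithms": "false"
        },
        "ForAllValues:StringEquals": {
          "ec2:IKEVersions": ["ikev2"],
          "ec2:Phase1EncryptionAlgorithms": ["AES256", "AES256-GCM-16"],
          "ec2:Phase2EncryptionAlgorithms": ["AES256", "AES256-GCM-16"],
          "ec2:Phase1IntegrityAlgorithms": ["SHA2-384", "SHA2-512"],
          "ec2:Phase2IntegrityAlgorithms": ["SHA2-384", "SHA2-512"]
        },
        "ForAllValues:NumericEquals": {
          "ec2:Phase1DHGroup": ["19", "20", "21"],
          "ec2:Phase2DHGroup": ["19", "20", "21"]
        }
      }
    },
    {
      "Sid": "GatewaysReferencedByTheSameCall",
      "Effect": "Allow",
      "Action": "ec2:CreateVpnConnection",
      "Resource": [
        "arn:aws-cn:ec2:cn-north-1:111122223333:customer-gateway/*",
        "arn:aws-cn:ec2:cn-north-1:111122223333:transit-gateway/*",
        "arn:aws-cn:ec2:cn-north-1:111122223333:vpn-gateway/*"
      ]
    },
    {
      "Sid": "TagOnCreate",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws-cn:ec2:cn-north-1:111122223333:vpn-connection/*",
      "Condition": {
        "StringEquals": { "ec2:CreateAction": "CreateVpnConnection" }
      }
    }
  ]
}
```

Two details carry the security value. ForAllValues matches vacuously when the key is missing from the request context, so on its own it would allow a caller to omit tunnel options and receive the service defaults, which include IKEv1, SHA1 and DH group 2; the Null block forces every option to be stated explicitly. And these keys are multi-valued across both tunnels of the connection, so ForAllValues checks every tunnel, not only the first.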

CreateVpnConnectionRoute | Grants permission to create a static route for a VPN connection between a virtual private gateway and a customer gateway | Write
  vpn-connection*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

CreateVpnGateway | Grants permission to create a virtual private gateway | Write
  vpn-gateway*: aws:RequestTag/${TagKey}, aws:TagKeys
  dependent actions: ec2:CreateTags
  condition keys: ec2:Region

DeleteCarrierGateway | Grants permission to delete a carrier gateway | Write
  carrier-gateway*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteClientVpnEndpoint | Grants permission to delete a Client VPN endpoint | Write
  client-vpn-endpoint*: aws:ResourceTag/${TagKey}, ec2:ClientRootCertificateChainArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn, ec2:DirectoryArn, ec2:ResourceTag/${TagKey}, ec2:SamlProviderArn, ec2:ServerCertificateArn
  condition keys: ec2:Region

DeleteClientVpnRoute | Grants permission to delete a route from a Client VPN endpoint | Write
  client-vpn-endpoint*: aws:ResourceTag/${TagKey}, ec2:ClientRootCertificateChainArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn, ec2:DirectoryArn, ec2:ResourceTag/${TagKey}, ec2:SamlProviderArn, ec2:ServerCertificateArn
  subnet: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc
  condition keys: ec2:Region

DeleteCoipPoolPermission [permission only] | Grants permission to deny a service access to a customer-owned IP (CoIP) pool | Write
  no resource types (specify Resource "*"); condition keys: ec2:Region

DeleteCustomerGateway | Grants permission to delete a customer gateway | Write
  customer-gateway*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteDhcpOptions | Grants permission to delete a set of DHCP options | Write
  dhcp-options*: aws:ResourceTag/${TagKey}, ec2:DhcpOptionsID, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteEgressOnlyInternetGateway | Grants permission to delete an egress-only internet gateway | Write
  egress-only-internet-gateway*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteFleets | Grants permission to delete one or more EC2 Fleets | Write
  fleet*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteFlowLogs | Grants permission to delete one or more flow logs | Write
  vpc-flow-log*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteFpgaImage | Grants permission to delete an Amazon FPGA Image (AFI) | Write
  fpga-image*: aws:ResourceTag/${TagKey}, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteInstanceEventWindow | Grants permission to delete the specified event window | Write
  instance-event-window*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteInternetGateway | Grants permission to delete an internet gateway | Write
  internet-gateway*: aws:ResourceTag/${TagKey}, ec2:InternetGatewayID, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteIpam | Grants permission to delete an Amazon VPC IP Address Manager (IPAM) and all of the monitored data associated with it, including the historical data for CIDRs | Write
  ipam*: ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteIpamPool | Grants permission to delete an Amazon VPC IP Address Manager (IPAM) pool | Write
  ipam-pool*: ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteIpamScope | Grants permission to delete an Amazon VPC IP Address Manager (IPAM) scope | Write
  ipam-scope*: ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteKeyPair | Grants permission to delete a key pair by removing the public key from Amazon EC2 | Write
  key-pair: aws:ResourceTag/${TagKey}, ec2:KeyPairName, ec2:KeyPairType, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteLaunchTemplate | Grants permission to delete a launch template and its associated versions | Write
  launch-template*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteLaunchTemplateVersions | Grants permission to delete one or more versions of a launch template | Write
  launch-template*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteLocalGatewayRoute | Grants permission to delete a route from a local gateway route table | Write
  local-gateway-route-table*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteLocalGatewayRouteTablePermission [permission only] | Grants permission to deny a service access to a local gateway route table | Write
  local-gateway-route-table*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteLocalGatewayRouteTableVpcAssociation | Grants permission to delete an association between a VPC and a local gateway route table | Write
  local-gateway-route-table-vpc-association*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteManagedPrefixList | Grants permission to delete a managed prefix list | Write
  prefix-list*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteNatGateway | Grants permission to delete a NAT gateway | Write
  natgateway*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteNetworkAcl | Grants permission to delete a network ACL | Write
  network-acl*: aws:ResourceTag/${TagKey}, ec2:NetworkAclID, ec2:ResourceTag/${TagKey}, ec2:Vpc
  condition keys: ec2:Region

DeleteNetworkAclEntry | Grants permission to delete an inbound or outbound entry (rule) from a network ACL | Write
  network-acl*: aws:ResourceTag/${TagKey}, ec2:NetworkAclID, ec2:ResourceTag/${TagKey}, ec2:Vpc
  condition keys: ec2:Region

DeleteNetworkInsightsAccessScope | Grants permission to delete a Network Access Scope | Write
  network-insights-access-scope*: ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteNetworkInsightsAccessScopeAnalysis | Grants permission to delete a Network Access Scope analysis | Write
  network-insights-access-scope-analysis*: ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteNetworkInsightsAnalysis | Grants permission to delete a network insights analysis | Write
  network-insights-analysis*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteNetworkInsightsPath | Grants permission to delete a network insights path | Write
  network-insights-path*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteNetworkInterface | Grants permission to delete a detached network interface | Write
  network-interface*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc
  condition keys: ec2:Region

DeleteNetworkInterfacePermission | Grants permission to delete a permission that is associated with a network interface | Permissions management
  network-interface: aws:ResourceTag/${TagKey}, ec2:AssociatePublicIpAddress, ec2:AuthorizedService, ec2:AvailabilityZone, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc
  condition keys: ec2:Region

DeletePlacementGroup | Grants permission to delete a placement group | Write
  placement-group: aws:ResourceTag/${TagKey}, ec2:PlacementGroupName, ec2:PlacementGroupStrategy, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeletePublicIpv4Pool | Grants permission to delete a public IPv4 address pool for public IPv4 CIDRs that you own and that Amazon manages for you with Amazon VPC IP Address Manager (IPAM) | Write
  ipv4pool-ec2*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteQueuedReservedInstances | Grants permission to delete the queued purchases for the specified Reserved Instances | Write
  no resource types (specify Resource "*"); condition keys: ec2:Region

DeleteResourcePolicy [permission only] | Grants permission to delete from a resource the IAM policy that enables cross-account sharing | Write
  ipam-pool: ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteRoute | Grants permission to delete a route from a route table | Write
  route-table*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:RouteTableID, ec2:Vpc
  prefix-list: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteRouteTable | Grants permission to delete a route table | Write
  route-table*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:RouteTableID, ec2:Vpc
  condition keys: ec2:Region

DeleteSecurityGroup | Grants permission to delete a security group | Write
  security-group*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID, ec2:Vpc
  condition keys: ec2:Region

DeleteSnapshot | Grants permission to delete a snapshot of an EBS volume | Write
  snapshot*: aws:ResourceTag/${TagKey}, ec2:OutpostArn, ec2:Owner, ec2:ParentVolume, ec2:ResourceTag/${TagKey}, ec2:SnapshotID, ec2:SnapshotTime, ec2:SourceOutpostArn, ec2:VolumeSize
  condition keys: ec2:Region

DeleteSpotDatafeedSubscription | Grants permission to delete the data feed for Spot Instances | Write
  no resource types (specify Resource "*"); condition keys: ec2:Region

DeleteSubnet | Grants permission to delete a subnet | Write
  subnet*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc
  condition keys: ec2:Region

DeleteSubnetCidrReservation | Grants permission to delete a subnet CIDR reservation | Write
  no resource types (specify Resource "*"); condition keys: ec2:Region

DeleteTags | Grants permission to delete one or more tags from Amazon EC2 resources | Tagging
  resource types (all optional): capacity-reservation, capacity-reservation-fleet, client-vpn-endpoint, customer-gateway, dedicated-host, dhcp-options, egress-only-internet-gateway, elastic-gpu, elastic-ip, export-image-task, export-instance-task, fleet, fpga-image, host-reservation, image, import-image-task, import-snapshot-task, instance, instance-event-window, internet-gateway, ipam, ipam-pool, ipam-scope, ipv4pool-ec2, ipv6pool-ec2, key-pair, launch-template, local-gateway, local-gateway-route-table, local-gateway-route-table-virtual-interface-group-association, local-gateway-route-table-vpc-association, local-gateway-virtual-interface, local-gateway-virtual-interface-group, natgateway, network-acl, network-insights-access-scope, network-insights-access-scope-analysis, network-interface, placement-group, prefix-list, replace-root-volume-task, reserved-instances, route-table, security-group, security-group-rule, snapshot, spot-fleet-request, spot-instances-request, subnet, subnet-cidr-reservation, traffic-mirror-filter, traffic-mirror-session, traffic-mirror-target, transit-gateway, transit-gateway-attachment, transit-gateway-connect-peer, transit-gateway-multicast-domain, transit-gateway-route-table, volume, vpc, vpc-endpoint, vpc-endpoint-service, vpc-flow-log, vpc-peering-connection, vpn-connection, vpn-gateway
  condition keys on each resource type: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey} (ipam, ipam-pool, ipam-scope, network-insights-access-scope and network-insights-access-scope-analysis support ec2:ResourceTag/${TagKey} only)
  condition keys: ec2:Region

DeleteTrafficMirrorFilter | Grants permission to delete a Traffic Mirror filter | Write
  traffic-mirror-filter*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteTrafficMirrorFilterRule | Grants permission to delete a Traffic Mirror filter rule | Write
  traffic-mirror-filter*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  traffic-mirror-filter-rule*: (no condition keys)
  condition keys: ec2:Region

DeleteTrafficMirrorSession | Grants permission to delete a Traffic Mirror session | Write
  traffic-mirror-session*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteTrafficMirrorTarget | Grants permission to delete a Traffic Mirror target | Write
  traffic-mirror-target*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteTransitGateway | Grants permission to delete a transit gateway | Write
  transit-gateway*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteTransitGatewayConnect | Grants permission to delete a transit gateway Connect attachment | Write
  transit-gateway-attachment*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteTransitGatewayConnectPeer | Grants permission to delete a transit gateway Connect peer | Write
  transit-gateway-connect-peer*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteTransitGatewayMulticastDomain | Grants permission to delete a transit gateway multicast domain | Write
  transit-gateway-multicast-domain*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteTransitGatewayPeeringAttachment | Grants permission to delete a peering attachment from a transit gateway | Write
  transit-gateway-attachment*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteTransitGatewayPrefixListReference | Grants permission to delete a transit gateway prefix list reference | Write
  prefix-list*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  transit-gateway-route-table*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteTransitGatewayRoute | Grants permission to delete a route from a transit gateway route table | Write
  transit-gateway-route-table*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteTransitGatewayRouteTable | Grants permission to delete a transit gateway route table | Write
  transit-gateway-route-table*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteTransitGatewayVpcAttachment | Grants permission to delete a VPC attachment from a transit gateway | Write
  transit-gateway-attachment*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteVolume | Grants permission to delete an EBS volume | Write
  volume*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:ResourceTag/${TagKey}, ec2:VolumeID, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType
  condition keys: ec2:Region

DeleteVpc | Grants permission to delete a VPC | Write
  vpc*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID
  condition keys: ec2:Region

DeleteVpcEndpointConnectionNotifications | Grants permission to delete one or more VPC endpoint connection notifications | Write
  vpc-endpoint: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  vpc-endpoint-service: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteVpcEndpointServiceConfigurations | Grants permission to delete one or more VPC endpoint service configurations | Write
  vpc-endpoint-service*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteVpcEndpoints | Grants permission to delete one or more VPC endpoints | Write
  vpc-endpoint*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:VpceServiceName
  condition keys: ec2:Region

DeleteVpcPeeringConnection | Grants permission to delete a VPC peering connection | Write
  vpc-peering-connection*: aws:ResourceTag/${TagKey}, ec2:AccepterVpc, ec2:RequesterVpc, ec2:ResourceTag/${TagKey}, ec2:VpcPeeringConnectionID
  condition keys: ec2:Region

DeleteVpnConnection | Grants permission to delete a VPN connection | Write
  vpn-connection*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteVpnConnectionRoute | Grants permission to delete a static route for a VPN connection between a virtual private gateway and a customer gateway | Write
  vpn-connection*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeleteVpnGateway | Grants permission to delete a virtual private gateway | Write
  vpn-gateway*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region
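Every Delete action in the rows above carries aws:ResourceTag/${TagKey} on its required resource, which is what makes a tag-based deletion guardrail possible. The policy below is an added example for this page, not Amazon's own; it assumes arn:aws-cn, account 111122223333, a made-up tag Protected=true on the resources to be shielded, and a role name prefix SecOps for the team allowed to remove flow logs.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDeletingProtectedNetworkResources",
      "Effect": "Deny",
      "Action": [
        "ec2:DeleteVpc",
        "ec2:DeleteSubnet",
        "ec2:DeleteRouteTable",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteNetworkAcl",
        "ec2:DeleteInternetGateway",
        "ec2:DeleteNatGateway",
        "ec2:DeleteTransitGatewayVpcAttachment",
        "ec2:DeleteVpcPeeringConnection",
        "ec2:DeleteVpnConnection"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/Protected": "true" }
      }
    },
    {
      "Sid": "DenyRemovingTagsFromProtectedResources",
      "Effect": "Deny",
      "Action": "ec2:DeleteTags",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/Protected": "true" }
      }
    },
    {
      "Sid": "OnlySecOpsMayDeleteFlowLogs",
      "Effect": "Deny",
      "Action": "ec2:DeleteFlowLogs",
      "Resource": "arn:aws-cn:ec2:*:111122223333:vpc-flow-log/*",
      "Condition": {
        "StringNotLike": { "aws:PrincipalArn": "arn:aws-cn:iam::111122223333:role/SecOps*" }
      }
    }
  ]
}
```

A deny keyed on a tag is only as strong as the tag itself. The second statement closes the obvious bypass (strip the tag, then delete); because DeleteTags on this page is conditioned on the tags the resource already carries rather than on the keys being removed, it blocks all tag removal on protected resources, which is the intended trade-off. CreateTags would need a matching restriction so the value cannot simply be overwritten with false (not shown). The flow-log statement uses the global key aws:PrincipalArn instead of a resource tag because losing VPC Flow Logs is a detection gap rather than a resource loss, and should be gated on who is asking.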

DeprovisionByoipCidr | Grants permission to release an IP address range that was provisioned through bring your own IP addresses (BYOIP) and to delete the corresponding address pool | Write
  no resource types (specify Resource "*"); condition keys: ec2:Region

DeprovisionIpamPoolCidr | Grants permission to deprovision a CIDR that was provisioned from an Amazon VPC IP Address Manager (IPAM) pool | Write
  ipam-pool*: ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeprovisionPublicIpv4PoolCidr | Grants permission to deprovision a CIDR from a public IPv4 pool | Write
  ipv4pool-ec2*: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeregisterImage | Grants permission to deregister an Amazon Machine Image (AMI) | Write
  image*: aws:ResourceTag/${TagKey}, ec2:ImageID, ec2:ImageType, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType
  condition keys: ec2:Region

DeregisterInstanceEventNotificationAttributes | Grants permission to remove tags from the set of tags to include in notifications about scheduled events for your instances | Write
  no resource types (specify Resource "*"); condition keys: ec2:Region

DeregisterTransitGatewayMulticastGroupMembers | Grants permission to deregister one or more network interface members from a group IP address in a transit gateway multicast domain | Write
  network-interface: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc
  transit-gateway-multicast-domain: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DeregisterTransitGatewayMulticastGroupSources | Grants permission to deregister one or more network interface sources from a group IP address in a transit gateway multicast domain | Write
  network-interface: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc
  transit-gateway-multicast-domain: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DescribeAccountAttributes | Grants permission to describe the attributes of your Amazon Web Services account | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeAddresses | Grants permission to describe one or more Elastic IP addresses | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeAddressesAttribute | Grants permission to describe the attributes of the specified Elastic IP addresses | List
  elastic-ip: aws:ResourceTag/${TagKey}, ec2:AllocationId, ec2:Domain, ec2:PublicIpAddress, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DescribeAggregateIdFormat | Grants permission to describe the longer ID format settings for all resource types | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeAvailabilityZones | Grants permission to describe one or more of the Availability Zones that are available to you | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeBundleTasks | Grants permission to describe one or more bundle tasks | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeByoipCidrs | Grants permission to describe the IP address ranges that were provisioned through bring your own IP addresses (BYOIP) | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeCapacityReservationFleets | Grants permission to describe one or more Capacity Reservation Fleets | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeCapacityReservations | Grants permission to describe one or more Capacity Reservations | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeCarrierGateways | Grants permission to describe one or more carrier gateways | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeClassicLinkInstances | Grants permission to describe one or more linked EC2-Classic instances | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeClientVpnAuthorizationRules | Grants permission to describe the authorization rules for a Client VPN endpoint | List
  client-vpn-endpoint: aws:ResourceTag/${TagKey}, ec2:ClientRootCertificateChainArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn, ec2:DirectoryArn, ec2:ResourceTag/${TagKey}, ec2:SamlProviderArn, ec2:ServerCertificateArn
  condition keys: ec2:Region

DescribeClientVpnConnections | Grants permission to describe the active client connections, and the connections terminated within the last 60 minutes, for a Client VPN endpoint | List
  client-vpn-endpoint: aws:ResourceTag/${TagKey}, ec2:ClientRootCertificateChainArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn, ec2:DirectoryArn, ec2:ResourceTag/${TagKey}, ec2:SamlProviderArn, ec2:ServerCertificateArn
  condition keys: ec2:Region

DescribeClientVpnEndpoints | Grants permission to describe one or more Client VPN endpoints | List
  client-vpn-endpoint: aws:ResourceTag/${TagKey}, ec2:ClientRootCertificateChainArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn, ec2:DirectoryArn, ec2:ResourceTag/${TagKey}, ec2:SamlProviderArn, ec2:ServerCertificateArn
  condition keys: ec2:Region

DescribeClientVpnRoutes | Grants permission to describe the routes for a Client VPN endpoint | List
  client-vpn-endpoint: aws:ResourceTag/${TagKey}, ec2:ClientRootCertificateChainArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn, ec2:DirectoryArn, ec2:ResourceTag/${TagKey}, ec2:SamlProviderArn, ec2:ServerCertificateArn
  condition keys: ec2:Region

DescribeClientVpnTargetNetworks | Grants permission to describe the target networks that are associated with a Client VPN endpoint | List
  client-vpn-endpoint: aws:ResourceTag/${TagKey}, ec2:ClientRootCertificateChainArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn, ec2:DirectoryArn, ec2:ResourceTag/${TagKey}, ec2:SamlProviderArn, ec2:ServerCertificateArn
  condition keys: ec2:Region

DescribeCoipPools | Grants permission to describe the specified customer-owned address pools or all of your customer-owned address pools | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeConversionTasks | Grants permission to describe one or more conversion tasks | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeCustomerGateways | Grants permission to describe one or more customer gateways | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeDhcpOptions | Grants permission to describe one or more DHCP options sets | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeEgressOnlyInternetGateways | Grants permission to describe one or more egress-only internet gateways | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeElasticGpus | Grants permission to describe the Elastic Graphics accelerator associated with an instance | Read
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeExportImageTasks | Grants permission to describe one or more export image tasks | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeExportTasks | Grants permission to describe one or more export instance tasks | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeFastLaunchImages | Grants permission to describe the Windows AMIs that have fast launch enabled | Read
  image: aws:ResourceTag/${TagKey}, ec2:ImageID, ec2:ImageType, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType
  condition keys: ec2:Region

DescribeFastSnapshotRestores | Grants permission to describe the state of fast snapshot restores for snapshots | Read
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeFleetHistory | Grants permission to describe the events for an EC2 Fleet during a specified time period | List
  fleet: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DescribeFleetInstances | Grants permission to describe the running instances for an EC2 Fleet | List
  fleet: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DescribeFleets | Grants permission to describe one or more EC2 Fleets | List
  fleet: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DescribeFlowLogs | Grants permission to describe one or more flow logs | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeFpgaImageAttribute | Grants permission to describe the attributes of an Amazon FPGA Image (AFI) | List
  fpga-image*: aws:ResourceTag/${TagKey}, ec2:Attribute/${AttributeName}, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DescribeFpgaImages | Grants permission to describe one or more Amazon FPGA Images (AFIs) | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeHostReservationOfferings | Grants permission to describe the Dedicated Host Reservations that are available to purchase | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeHostReservations | Grants permission to describe the Dedicated Host Reservations that are associated with Dedicated Hosts in your Amazon Web Services account | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeHosts | Grants permission to describe one or more Dedicated Hosts | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeIamInstanceProfileAssociations | Grants permission to describe IAM instance profile associations | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeIdFormat | Grants permission to describe the ID format settings for resources | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeIdentityIdFormat | Grants permission to describe the ID format settings for resources for an IAM user, IAM role, or root user | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeImageAttribute | Grants permission to describe an attribute of an Amazon Machine Image (AMI) | List
  image: aws:ResourceTag/${TagKey}, ec2:ImageID, ec2:ImageType, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType
  condition keys: ec2:Region

DescribeImages | Grants permission to describe one or more images (AMIs, AKIs, and ARIs) | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeImportImageTasks | Grants permission to describe import virtual machine or import snapshot tasks | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeImportSnapshotTasks | Grants permission to describe import snapshot tasks | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeInstanceAttribute | Grants permission to describe the attributes of an instance | List
  instance: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy
  condition keys: ec2:Region

DescribeInstanceCreditSpecifications | Grants permission to describe the credit option for CPU usage of one or more burstable performance instances | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeInstanceEventNotificationAttributes | Grants permission to describe the set of tags to include in notifications about scheduled events for your instances | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeInstanceEventWindows | Grants permission to describe the specified event windows or all event windows | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeInstanceStatus | Grants permission to describe the status of one or more instances | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeInstanceTypeOfferings | Grants permission to describe the set of instance types that are offered in a location | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeInstanceTypes | Grants permission to describe the details of the instance types that are offered in a location | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeInstances | Grants permission to describe one or more instances | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeInternetGateways | Grants permission to describe one or more internet gateways | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeIpamPools | Grants permission to describe Amazon VPC IP Address Manager (IPAM) pools | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeIpamScopes | Grants permission to describe Amazon VPC IP Address Manager (IPAM) scopes | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeIpams | Grants permission to describe an Amazon VPC IP Address Manager (IPAM) | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeIpv6Pools | Grants permission to describe one or more IPv6 address pools | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeKeyPairs | Grants permission to describe one or more key pairs | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeLaunchTemplateVersions | Grants permission to describe one or more launch template versions | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeLaunchTemplates | Grants permission to describe one or more launch templates | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeLocalGatewayRouteTablePermissions [permission only] | Grants permission to allow a service to describe local gateway route table permissions | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations | Grants permission to describe associations between virtual interface groups and local gateway route tables | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeLocalGatewayRouteTableVpcAssociations | Grants permission to describe associations between VPCs and local gateway route tables | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeLocalGatewayRouteTables | Grants permission to describe one or more local gateway route tables | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeLocalGatewayVirtualInterfaceGroups | Grants permission to describe local gateway virtual interface groups | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeLocalGatewayVirtualInterfaces | Grants permission to describe local gateway virtual interfaces | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeLocalGateways | Grants permission to describe one or more local gateways | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeManagedPrefixLists | Grants permission to describe your managed prefix lists and any Amazon-managed prefix lists | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeMovingAddresses | Grants permission to describe Elastic IP addresses that are being moved to the EC2-VPC platform | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeNatGateways | Grants permission to describe one or more NAT gateways | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeNetworkAcls | Grants permission to describe one or more network ACLs | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeNetworkInsightsAccessScopeAnalyses | Grants permission to describe one or more Network Access Scope analyses | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeNetworkInsightsAccessScopes | Grants permission to describe Network Access Scopes | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeNetworkInsightsAnalyses | Grants permission to describe one or more network insights analyses | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeNetworkInsightsPaths | Grants permission to describe one or more network insights paths | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeNetworkInterfaceAttribute | Grants permission to describe a network interface attribute | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeNetworkInterfacePermissions | Grants permission to describe the permissions that are associated with a network interface | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeNetworkInterfaces | Grants permission to describe one or more network interfaces | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribePlacementGroups | Grants permission to describe one or more placement groups | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribePrefixLists | Grants permission to describe the available Amazon services in a prefix list format | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribePrincipalIdFormat | Grants permission to describe the ID format settings for the root user and for all IAM roles and IAM users that have explicitly specified a longer ID (17-character ID) preference | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribePublicIpv4Pools | Grants permission to describe one or more IPv4 address pools | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeRegions | Grants permission to describe one or more Amazon Web Services Regions that are currently available to your account | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeReplaceRootVolumeTasks | Grants permission to describe root volume replacement tasks | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeReservedInstances | Grants permission to describe one or more purchased Reserved Instances in your account | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeReservedInstancesListings | Grants permission to describe your account's Reserved Instance listings in the Reserved Instance Marketplace | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeReservedInstancesModifications | Grants permission to describe the modifications made to one or more Reserved Instances | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeReservedInstancesOfferings | Grants permission to describe the Reserved Instance offerings that are available for purchase | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeRouteTables | Grants permission to describe one or more route tables | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeScheduledInstanceAvailability | Grants permission to find available schedules for Scheduled Instances | Read
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeScheduledInstances | Grants permission to describe one or more Scheduled Instances in your account | Read
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeSecurityGroupReferences | Grants permission to describe the VPCs on the other side of a VPC peering connection that are referencing the specified VPC security groups | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeSecurityGroupRules | Grants permission to describe one or more security group rules | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeSecurityGroups | Grants permission to describe one or more security groups | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeSnapshotAttribute | Grants permission to describe an attribute of a snapshot | List
  snapshot: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Encrypted, ec2:OutpostArn, ec2:Owner, ec2:ParentVolume, ec2:ResourceTag/${TagKey}, ec2:SnapshotID, ec2:SnapshotTime, ec2:SourceOutpostArn, ec2:VolumeSize
  condition keys: ec2:Region

DescribeSnapshotTierStatus | Grants permission to describe the storage tier status of Amazon EBS snapshots | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeSnapshots | Grants permission to describe one or more EBS snapshots | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeSpotDatafeedSubscription | Grants permission to describe the data feed for Spot Instances | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeSpotFleetInstances | Grants permission to describe the running instances for a Spot Fleet | List
  spot-fleet-request: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DescribeSpotFleetRequestHistory | Grants permission to describe the events for a Spot Fleet request during a specified time period | List
  spot-fleet-request: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}
  condition keys: ec2:Region

DescribeSpotFleetRequests | Grants permission to describe one or more Spot Fleet requests | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeSpotInstanceRequests | Grants permission to describe one or more Spot Instance requests | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeSpotPriceHistory | Grants permission to describe the Spot Instance price history | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeStaleSecurityGroups | Grants permission to describe the stale security group rules for security groups in a specified VPC | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeStoreImageTasks | Grants permission to describe the progress of AMI store tasks | List
  image: aws:ResourceTag/${TagKey}, ec2:ImageID, ec2:ImageType, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType
  condition keys: ec2:Region

DescribeSubnets | Grants permission to describe one or more subnets | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeTags | Grants permission to describe one or more tags for an Amazon EC2 resource | Read
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeTrafficMirrorFilters | Grants permission to describe one or more Traffic Mirror filters | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeTrafficMirrorSessions | Grants permission to describe one or more Traffic Mirror sessions | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeTrafficMirrorTargets | Grants permission to describe one or more Traffic Mirror targets | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeTransitGatewayAttachments | Grants permission to describe one or more attachments between resources and transit gateways | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeTransitGatewayConnectPeers | Grants permission to describe one or more transit gateway Connect peers | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeTransitGatewayConnects | Grants permission to describe one or more transit gateway Connect attachments | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeTransitGatewayMulticastDomains | Grants permission to describe one or more transit gateway multicast domains | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeTransitGatewayPeeringAttachments | Grants permission to describe one or more transit gateway peering attachments | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeTransitGatewayRouteTables | Grants permission to describe one or more transit gateway route tables | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeTransitGatewayVpcAttachments | Grants permission to describe one or more VPC attachments on a transit gateway | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeTransitGateways | Grants permission to describe one or more transit gateways | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeTrunkInterfaceAssociations | Grants permission to describe one or more network interface trunk associations | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeVolumeAttribute | Grants permission to describe an attribute of an EBS volume | List
  volume: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Encrypted, ec2:KmsKeyId, ec2:ParentSnapshot, ec2:ResourceTag/${TagKey}, ec2:VolumeID, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType
  condition keys: ec2:Region

DescribeVolumeStatus | Grants permission to describe the status of one or more EBS volumes | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeVolumes | Grants permission to describe one or more EBS volumes | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeVolumesModifications | Grants permission to describe the current modification status of one or more EBS volumes | Read
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeVpcAttribute | Grants permission to describe an attribute of a VPC | List
  vpc: aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:Tenancy, ec2:VpcID
  condition keys: ec2:Region

DescribeVpcClassicLink | Grants permission to describe the ClassicLink status of one or more VPCs | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeVpcClassicLinkDnsSupport | Grants permission to describe the ClassicLink DNS support status of one or more VPCs | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeVpcEndpointConnectionNotifications | Grants permission to describe the connection notifications for VPC endpoints and VPC endpoint services | List
  no resource types (specify Resource "*"); condition keys: ec2:Region

DescribeVpcEndpointConnections | Grants permission to describe the VPC endpoint connections to your VPC endpoint services | List

ec2:Region

DescribeVpcEndpointServiceConfigurations 授予权限以描述 VPC 终端节点服务配置(您的服务) List

ec2:Region

DescribeVpcEndpointServicePermissions 授予权限以描述允许发现 VPC 终端节点服务的委托人(服务使用者) List

ec2:Region

DescribeVpcEndpointServices 授予权限以描述可在创建 VPC 终端节点时指定的所有受支持的Amazon服务 List

ec2:Region

DescribeVpcEndpoints 授予权限以描述一个或多个 VPC 终端节点 List

ec2:Region

DescribeVpcPeeringConnections 授予权限以描述一个或多个 VPC 对等连接 List

ec2:Region

DescribeVpcs 授予权限以描述一个或多个 VPC List

ec2:Region

DescribeVpnConnections 授予权限以描述一个或多个 VPN 连接 Read

ec2:Region

DescribeVpnGateways 授予权限以描述一个或多个虚拟私有网关 List

ec2:Region

DetachClassicLinkVpc 授予权限以从 VPC 取消链接(分离)链接的 EC2-Classic 实例 Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

DetachInternetGateway 授予权限以从 VPC 中分离互联网网关 Write

internet-gateway*

aws:ResourceTag/${TagKey}

ec2:InternetGatewayID

ec2:ResourceTag/${TagKey}

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

DetachNetworkInterface 授予权限以从实例分离网络接口 Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

network-interface*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

DetachVolume 授予权限以从实例分离 EBS 卷 Write

volume*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

instance

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

DetachVpnGateway 授予权限以从 VPC 分离虚拟私有网关 Write

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

vpn-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DisableEbsEncryptionByDefault 授予权限以默认对您的账户禁用 EBS 加密 Write

ec2:Region

DisableFastLaunch 授予权限以禁用 Windows AMI 的更快启动 Write

image

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

DisableFastSnapshotRestores 授予权限以对指定可用区中的一个或多个快照禁用快速快照还原 Write

snapshot*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotID

ec2:SnapshotTime

ec2:VolumeSize

ec2:Region

DisableImageDeprecation 授予取消指定 AMI 弃用的权限 Write

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

DisableIpamOrganizationAdminAccount 授予权限以禁用作为 Amazon VPC IP 地址管理器 (IPAM) 管理员账户的 Amazon Organizations 成员账户 Write

ec2:Region

organizations:DeregisterDelegatedAdministrator

DisableSerialConsoleAccess 授予权限以禁止对账户所有实例的 EC2 串行控制台进行访问 Write

ec2:Region

DisableTransitGatewayRouteTablePropagation 授予权限以禁止资源连接将路由传播到指定的传播路由表 Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DisableVgwRoutePropagation 授予权限以禁止虚拟私有网关将路由传播到 VPC 的指定路由表 Write

route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

ec2:Vpc

vpn-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DisableVpcClassicLink 授予权限以禁用 VPC 的 ClassicLink Write

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

DisableVpcClassicLinkDnsSupport 授予权限以禁用 VPC 的 ClassicLink DNS 支持 Write

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

DisassociateAddress 授予权限以取消弹性 IP 地址与实例或网络接口的关联 Write

elastic-ip

aws:ResourceTag/${TagKey}

ec2:AllocationId

ec2:Domain

ec2:PublicIpAddress

ec2:ResourceTag/${TagKey}

network-interface

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

DisassociateClientVpnTargetNetwork 授予权限以取消目标网络与客户端 VPN 终端节点的关联 Write

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

DisassociateEnclaveCertificateIamRole 授予取消 ACM 证书与 IAM 角色之间的关联的权限 Write

certificate*

role*

ec2:Region

DisassociateIamInstanceProfile 授予权限以取消 IAM 实例配置文件与正在运行或已停止实例的关联 Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

DisassociateInstanceEventWindow 授予权限以取消一个或多个目标与事件窗口的关联 Write

instance-event-window*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DisassociateRouteTable 授予权限以取消子网与路由表的关联 Write

route-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

ec2:Vpc

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

ec2:Region

DisassociateSubnetCidrBlock 授予权限以取消 CIDR 块与子网的关联 Write

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

ec2:Region

DisassociateTransitGatewayMulticastDomain 授予权限以取消一个或多个子网与中转网关多播域的关联 Write

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-multicast-domain*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DisassociateTransitGatewayRouteTable 授予权限以从中转网关路由表取消资源连接的关联 Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DisassociateTrunkInterface 授予解除分支网络接口与中继网络接口关联的权限 Write

ec2:Region

DisassociateVpcCidrBlock 授予权限以取消 CIDR 块与 VPC 的关联 Write

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

EnableEbsEncryptionByDefault 授予权限以对您的账户默认启用 EBS 加密 Write

ec2:Region

EnableFastLaunch 授予权限以启用 Windows AMI 的更快启动 Write

image

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

launch-template

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

EnableFastSnapshotRestores 授予权限以对指定可用区中的一个或多个快照启用快速快照还原 Write

snapshot*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotID

ec2:SnapshotTime

ec2:VolumeSize

ec2:Region

EnableImageDeprecation 授予权限以在指定日期和时间启用指定 AMI 弃用 Write

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

EnableIpamOrganizationAdminAccount 授予权限以启用作为 Amazon VPC IP 地址管理器 (IPAM) 管理员账户的 Amazon Organizations 成员账户 Write

ec2:Region

iam:CreateServiceLinkedRole

organizations:EnableAWSServiceAccess

organizations:RegisterDelegatedAdministrator

EnableSerialConsoleAccess 授予权限以对账户所有实例的 EC2 串行控制台进行访问 Write

ec2:Region

EnableTransitGatewayRouteTablePropagation 授予权限以允许连接将路由传播到传播路由表 Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

EnableVgwRoutePropagation 授予权限以允许虚拟私有网关将路由传播到 VPC 路由表 Write

route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

ec2:Vpc

vpn-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

EnableVolumeIO 授予权限以对禁用了 I/O 操作的卷启用 I/O 操作 Write

volume*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:Region

EnableVpcClassicLink 授予权限以便为 ClassicLink 启用 VPC Write

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

EnableVpcClassicLinkDnsSupport 授予权限以允许 VPC 支持 ClassicLink 的 DNS 主机名解析 Write

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

ExportClientVpnClientCertificateRevocationList 授予权限以下载客户端 VPN 终端节点的客户端证书吊销列表 Read

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

ExportClientVpnClientConfiguration 授予权限以下载客户端 VPN 终端节点的客户端 VPN 端点配置文件的内容 Read

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

ExportImage 授予权限以将 Amazon Machine Image (AMI) 导出到 VM 文件 Write

export-image-task*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

ExportTransitGatewayRoutes 授予权限以将路由从中转网关路由表导出到 Amazon S3 存储桶 Write

ec2:Region

GetAssociatedEnclaveCertificateIamRoles 授予获取与 ACM 证书关联的角色列表的权限 Read

certificate*

ec2:Region

GetAssociatedIpv6PoolCidrs 授予获取有关指定 IPv6 地址池的 IPv6 CIDR 数据块关联信息的权限 Read

ec2:Region

GetCapacityReservationUsage 授予权限以获取容量预留的使用信息 Read

capacity-reservation*

aws:ResourceTag/${TagKey}

ec2:CapacityReservationFleet

ec2:ResourceTag/${TagKey}

ec2:Region

GetCoipPoolUsage 授予权限以描述来自客户拥有的指定地址池的分配 Read

ec2:Region

GetConsoleOutput 授予权限以获取实例的控制台输出 Read

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

GetConsoleScreenshot 授予权限以检索正在运行实例的 JPG 格式屏幕截图 Read

instance

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:NewInstanceProfile

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

GetDefaultCreditSpecification 授予权限以获取可突增性能实例系列的 CPU 使用情况的默认服务抵扣金选项 Read

ec2:Region

GetEbsDefaultKmsKeyId 授予权限以获取默认 EBS 加密的默认客户主密钥 (CMK) 的 ID Read

ec2:Region

GetEbsEncryptionByDefault 授予权限以描述默认情况下是否为您的账户启用 EBS 加密 Read

ec2:Region

GetFlowLogsIntegrationTemplate 授予生成 CloudFormation 模板以简化 VPC 流日志与 Amazon Athena 的集成的权限 Read

vpc-flow-log*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetGroupsForCapacityReservation 授予列出已为其添加了容量预留的资源组的权限 List

capacity-reservation*

aws:ResourceTag/${TagKey}

ec2:CapacityReservationFleet

ec2:ResourceTag/${TagKey}

ec2:Region

GetHostReservationPurchasePreview 授予权限以查看其配置与专用主机配置匹配的预留购买 Read

ec2:Region

GetInstanceTypesFromInstanceRequirements 授予权限以查看具有指定实例属性的实例类型列表 Read

ec2:Region

GetIpamAddressHistory 授予在 Amazon VPC IP 地址管理器 (IPAM) 范围内检索有关 CIDR 的历史信息的权限 Read

ipam-scope*

ec2:ResourceTag/${TagKey}

ec2:Region

GetIpamPoolAllocations 授予获取 Amazon VPC IP 地址管理器 (IPAM) 池中的所有 CIDR 分配列表的权限 Read

ipam-pool*

ec2:ResourceTag/${TagKey}

ec2:Region

GetIpamPoolCidrs 授予获取预置到 Amazon VPC IP 地址管理器 (IPAM) 池的 CIDR 的权限 Read

ipam-pool*

ec2:ResourceTag/${TagKey}

ec2:Region

GetIpamResourceCidrs 授予获取有关 Amazon VPC IP 地址管理器 (IPAM) 范围中的资源信息的权限 Read

ipam-pool*

ec2:ResourceTag/${TagKey}

ipam-scope*

ec2:ResourceTag/${TagKey}

ec2:Region

GetLaunchTemplateData 授予权限以获取用于新启动模板或启动模板版本的指定实例的配置数据 Read

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

GetManagedPrefixListAssociations 授予权限以获取与指定托管前缀列表关联的资源的相关信息 Read

prefix-list*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetManagedPrefixListEntries 授予权限以获取指定托管前缀列表的条目的相关信息 Read

prefix-list*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

GetNetworkInsightsAccessScopeAnalysisFindings 授予获取一个或多个网络访问范围分析结果的权限 Read

ec2:Region

GetNetworkInsightsAccessScopeContent 授予权限以获取指定网络访问范围的内容 Read

ec2:Region

GetPasswordData 授予权限以检索正在运行的 Windows 实例的加密管理员密码 Read

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

GetReservedInstancesExchangeQuote 授予权限以返回报价和交换信息,以便为新的可转换预留实例交换一个或多个可转换预留实例 Read

ec2:Region

GetResourcePolicy [仅权限] 授予描述启用跨账户共享的 IAM 策略的权限 Read

ipam-pool

ec2:ResourceTag/${TagKey}

ec2:Region

GetSerialConsoleAccessStatus 授予权限以检索账户对所有实例的 EC2 串行控制台的访问状态 Read

ec2:Region

GetSpotPlacementScores 授予根据指定的目标容量和计算要求计算某个区域或可用区的 Spot 放置分数的权限 Read

ec2:Region

GetSubnetCidrReservations 授予权限以检索有关子网 CIDR 预留的信息 Read

ec2:Region

| Action | Description | Access level | Resource types (* required), each followed by the condition keys scoped to it | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| GetTransitGatewayAttachmentPropagations | Grants permission to list the route tables to which a resource attachment propagates routes | List | | ec2:Region | |
| GetTransitGatewayMulticastDomainAssociations | Grants permission to get information about the associations for a transit gateway multicast domain | List | | ec2:Region | |
| GetTransitGatewayPrefixListReferences | Grants permission to get information about the prefix list references for a transit gateway route table | List | | ec2:Region | |
| GetTransitGatewayRouteTableAssociations | Grants permission to get information about the associations for a transit gateway route table | List | | ec2:Region | |
| GetTransitGatewayRouteTablePropagations | Grants permission to get information about the route table propagations for a transit gateway route table | List | | ec2:Region | |
| GetVpnConnectionDeviceSampleConfiguration | Grants permission to download an Amazon-provided sample configuration file to be used with the customer gateway device | List | vpn-connection* (aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}); vpn-connection-device-type (aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}) | ec2:Region | |
| GetVpnConnectionDeviceTypes | Grants permission to obtain a list of customer gateway devices for which sample configuration files can be provided | List | | ec2:Region | |
| ImportClientVpnClientCertificateRevocationList | Grants permission to upload a client certificate revocation list to a Client VPN endpoint | Write | client-vpn-endpoint* (aws:ResourceTag/${TagKey}, ec2:ClientRootCertificateChainArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn, ec2:DirectoryArn, ec2:ResourceTag/${TagKey}, ec2:SamlProviderArn, ec2:ServerCertificateArn) | ec2:Region | |
| ImportImage | Grants permission to import single- or multi-volume disk images or EBS snapshots into an Amazon Machine Image (AMI) | Write | image* (aws:RequestTag/${TagKey}, aws:TagKeys, ec2:ImageID, ec2:ImageType, ec2:Owner, ec2:Public, ec2:RootDeviceType); import-image-task* (aws:RequestTag/${TagKey}, aws:TagKeys); snapshot (aws:ResourceTag/${TagKey}, ec2:Owner, ec2:ParentVolume, ec2:ResourceTag/${TagKey}, ec2:SnapshotID, ec2:SnapshotTime, ec2:VolumeSize) | ec2:Region | ec2:CreateTags (for image) |
| ImportInstance | Grants permission to create an import instance task using metadata from a disk image | Write | instance* (aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:InstanceID, ec2:ResourceTag/${TagKey}); volume* (aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:ResourceTag/${TagKey}, ec2:VolumeID, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType); security-group (aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID, ec2:Vpc); subnet (aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc) | ec2:Region | |
| ImportKeyPair | Grants permission to import a public key from an RSA key pair that was created with a third-party tool | Write | key-pair* (aws:RequestTag/${TagKey}, aws:TagKeys) | ec2:Region | ec2:CreateTags |
| ImportSnapshot | Grants permission to import a disk into an EBS snapshot | Write | import-snapshot-task* (aws:RequestTag/${TagKey}, aws:TagKeys); snapshot* (aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Owner, ec2:ParentVolume, ec2:SnapshotID, ec2:SnapshotTime, ec2:VolumeSize) | ec2:Region | ec2:CreateTags (for import-snapshot-task) |
| ImportVolume | Grants permission to create an import volume task using metadata from a disk image | Write | volume* (aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:ResourceTag/${TagKey}, ec2:VolumeID, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType) | ec2:Region | |
| ListImagesInRecycleBin | Grants permission to list the Amazon Machine Images (AMIs) that are currently in the Recycle Bin | List | image (aws:ResourceTag/${TagKey}, ec2:ImageID, ec2:ImageType, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType) | ec2:Region | |
| ListSnapshotsInRecycleBin | Grants permission to list the Amazon EBS snapshots that are currently in the Recycle Bin | List | snapshot (aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Encrypted, ec2:Owner, ec2:ParentVolume, ec2:ResourceTag/${TagKey}, ec2:SnapshotID, ec2:SnapshotTime, ec2:VolumeSize) | ec2:Region | |
| ModifyAddressAttribute | Grants permission to modify an attribute of the specified Elastic IP address | Write | elastic-ip* (aws:ResourceTag/${TagKey}, ec2:AllocationId, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:Domain, ec2:PublicIpAddress, ec2:ResourceTag/${TagKey}) | ec2:Region | |
| ModifyAvailabilityZoneGroup | Grants permission to modify the opt-in status of the Local Zone and Wavelength Zone group for your account | Write | | ec2:Region | |
| ModifyCapacityReservation | Grants permission to modify a Capacity Reservation's capacity and the conditions under which it is to be released | Write | capacity-reservation* (aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:CapacityReservationFleet, ec2:ResourceTag/${TagKey}) | ec2:Region | |
| ModifyCapacityReservationFleet | Grants permission to modify a Capacity Reservation Fleet | Write | capacity-reservation-fleet* (aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey}) | ec2:Region | |
| ModifyClientVpnEndpoint | Grants permission to modify a Client VPN endpoint | Write | client-vpn-endpoint* (aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ClientRootCertificateChainArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn, ec2:DirectoryArn, ec2:ResourceTag/${TagKey}, ec2:SamlProviderArn, ec2:ServerCertificateArn); security-group (aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID); vpc (aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:VpcID) | ec2:Region | |
| ModifyDefaultCreditSpecification | Grants permission to change the account-level default credit option for CPU usage of burstable performance instances | Write | | ec2:Region | |
| ModifyEbsDefaultKmsKeyId | Grants permission to change the default customer master key (CMK) for EBS encryption by default for your account | Write | | ec2:Region | |
| ModifyFleet | Grants permission to modify an EC2 Fleet | Write | fleet* (aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey}); image (aws:ResourceTag/${TagKey}, ec2:ImageID, ec2:ImageType, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType); key-pair (aws:ResourceTag/${TagKey}, ec2:KeyPairName, ec2:ResourceTag/${TagKey}); launch-template (aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}); network-interface (aws:ResourceTag/${TagKey}, ec2:AssociatePublicIpAddress, ec2:AuthorizedService, ec2:AvailabilityZone, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc); security-group (aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID, ec2:Vpc); snapshot (aws:ResourceTag/${TagKey}, ec2:Owner, ec2:ParentVolume, ec2:ResourceTag/${TagKey}, ec2:SnapshotID, ec2:SnapshotTime, ec2:VolumeSize); subnet (aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:ResourceTag/${TagKey}, ec2:SubnetID, ec2:Vpc) | ec2:Region | |
| ModifyFpgaImageAttribute | Grants permission to modify an attribute of an Amazon FPGA Image (AFI) | Write | fpga-image* (aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey}) | ec2:Region | |
| ModifyHosts | Grants permission to modify a Dedicated Host | Write | dedicated-host* (aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey}) | ec2:Region | |
| ModifyIdFormat | Grants permission to modify the ID format for a resource | Write | | ec2:Region | |
| ModifyIdentityIdFormat | Grants permission to modify the ID format of a resource for a specific principal in your account | Write | | ec2:Region | |
| ModifyImageAttribute | Grants permission to modify an attribute of an Amazon Machine Image (AMI) | Write | image* (aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ImageID, ec2:ImageType, ec2:Owner, ec2:Public, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType) | ec2:Region | |
| ModifyInstanceAttribute | Grants permission to modify an attribute of an instance | Write | instance* (aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy); security-group (aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID, ec2:Vpc); volume (aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:ResourceTag/${TagKey}, ec2:VolumeID, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType) | ec2:Region | |
| ModifyInstanceCapacityReservationAttributes | Grants permission to modify the Capacity Reservation settings for a stopped instance | Write | instance* (aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy); capacity-reservation (aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}) | ec2:Region | |
| ModifyInstanceCreditSpecification | Grants permission to modify the credit option for CPU usage on an instance | Write | instance* (aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy) | ec2:Region | |
| ModifyInstanceEventStartTime | Grants permission to modify the start time for a scheduled EC2 instance event | Write | instance* (aws:ResourceTag/${TagKey}, ec2:Attribute/${AttributeName}, ec2:InstanceID, ec2:ResourceTag/${TagKey}) | ec2:Region | |
| ModifyInstanceEventWindow | Grants permission to modify the specified event window | Write | instance-event-window* (aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}) | ec2:Region | |
| ModifyInstanceMetadataOptions | Grants permission to modify the metadata options for an instance | Write | instance* (aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy) | ec2:Region | |
| ModifyInstancePlacement | Grants permission to modify the placement attributes for an instance | Write | instance* (aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy); dedicated-host (aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}); placement-group (aws:ResourceTag/${TagKey}, ec2:PlacementGroupName, ec2:PlacementGroupStrategy, ec2:ResourceTag/${TagKey}) | ec2:Region | |
| ModifyIpam | Grants permission to modify the configuration of an Amazon VPC IP Address Manager (IPAM) | Write | ipam* (ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey}) | ec2:Region | |
| ModifyIpamPool | Grants permission to modify the configuration of an Amazon VPC IP Address Manager (IPAM) pool | Write | ipam-pool* (ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey}) | ec2:Region | |
| ModifyIpamResourceCidr | Grants permission to modify the configuration of an Amazon VPC IP Address Manager (IPAM) resource CIDR | Write | ipam-scope* (ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey}) | ec2:Region | |
| ModifyIpamScope | Grants permission to modify the configuration of an Amazon VPC IP Address Manager (IPAM) scope | Write | ipam-scope* (ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey}) | ec2:Region | |
| ModifyLaunchTemplate | Grants permission to modify a launch template | Write | launch-template* (aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey}) | ec2:Region | |
| ModifyManagedPrefixList | Grants permission to modify a managed prefix list | Write | prefix-list* (aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey}) | ec2:Region | |
| ModifyNetworkInterfaceAttribute | Grants permission to modify an attribute of a network interface | Write | network-interface* (aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:AvailabilityZone, ec2:NetworkInterfaceID, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc); instance (aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:PlacementGroup, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy); security-group (aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID, ec2:Vpc) | ec2:Region | |
| ModifyPrivateDnsNameOptions | Grants permission to modify the hostname options for the specified instance | Write | instance* (aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceAutoRecovery, ec2:InstanceID, ec2:InstanceMarketType, ec2:InstanceMetadataTags, ec2:InstanceProfile, ec2:InstanceType, ec2:MetadataHttpEndpoint, ec2:MetadataHttpPutResponseHopLimit, ec2:MetadataHttpTokens, ec2:NewInstanceProfile, ec2:PlacementGroup, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy) | ec2:Region | |
| ModifyReservedInstances | Grants permission to modify attributes of one or more Reserved Instances | Write | reserved-instances* (aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:AvailabilityZone, ec2:InstanceType, ec2:ReservedInstancesOfferingType, ec2:ResourceTag/${TagKey}, ec2:Tenancy) | ec2:Region | |
| ModifySecurityGroupRules | Grants permission to modify the rules of a security group | Write | security-group* (aws:ResourceTag/${TagKey}, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:ResourceTag/${TagKey}, ec2:SecurityGroupID, ec2:Vpc); prefix-list (aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}); security-group-rule (aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}) | ec2:Region | |
| ModifySnapshotAttribute | Grants permission to add or remove permission settings for a snapshot | Permissions management | snapshot* (aws:ResourceTag/${TagKey}, ec2:Add/group, ec2:Add/userId, ec2:Attribute, ec2:Attribute/${AttributeName}, ec2:Owner, ec2:ParentVolume, ec2:Remove/group, ec2:Remove/userId, ec2:ResourceTag/${TagKey}, ec2:SnapshotID, ec2:SnapshotTime, ec2:VolumeSize) | ec2:Region | |
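
Two rows above carry the condition keys a practitioner most often turns into guardrails: ModifySnapshotAttribute is the only action in this section classed as Permissions management, and its ec2:Add/group and ec2:Add/userId keys describe who a snapshot is about to be shared with; ModifyInstanceMetadataOptions is where an instance can be moved back from IMDSv2 to IMDSv1, and its ec2:Attribute/${AttributeName} key carries the new setting. The policy below is an added example written for this page, not a policy published by Amazon Web Services: it denies making a snapshot public, denies sharing a snapshot with any account outside an allow list, and denies changing an existing instance's HttpTokens setting to anything but required. Assumptions: the account ID 111122223333 is a placeholder, and the attribute name HttpTokens is taken from the ModifyInstanceMetadataOptions API parameter of the same name (the table lists the key only in its generic form, ec2:Attribute/${AttributeName}).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPublicSnapshotSharing",
      "Effect": "Deny",
      "Action": "ec2:ModifySnapshotAttribute",
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "ec2:Add/group": "all"
        }
      }
    },
    {
      "Sid": "DenySnapshotSharingOutsideAllowList",
      "Effect": "Deny",
      "Action": "ec2:ModifySnapshotAttribute",
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringNotEquals": {
          "ec2:Add/userId": [
            "111122223333"
          ]
        }
      }
    },
    {
      "Sid": "DenyImdsV2Downgrade",
      "Effect": "Deny",
      "Action": "ec2:ModifyInstanceMetadataOptions",
      "Resource": "*",
      "Condition": {
        "Null": {
          "ec2:Attribute/HttpTokens": "false"
        },
        "StringNotEquals": {
          "ec2:Attribute/HttpTokens": "required"
        }
      }
    }
  ]
}
```

The ec2:Add/* keys are multi-valued, so the first two statements use ForAnyValue set operators; ForAnyValue evaluates to false when the key is absent, which is why a request that only removes a permission (ec2:Remove/*) or only adds a group is not caught by the userId statement. The third statement pairs Null with StringNotEquals deliberately: StringNotEquals on a missing key is true, so without the Null check a call that changes only the hop limit and omits HttpTokens would also be denied. These statements guard the API calls going forward; to find snapshots or instances that are already in the wrong state, audit with DescribeSnapshotAttribute and DescribeInstances rather than relying on the policy.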

ModifySnapshotTier 授予权限以存档 Amazon EBS 快照 Write

snapshot*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:AvailabilityZone

ec2:Encrypted

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotID

ec2:SnapshotTime

ec2:VolumeSize

ec2:Region

ModifySpotFleetRequest 授予权限以修改 Spot 队列请求 Write

spot-fleet-request*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

launch-template

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

ec2:Region

ModifySubnetAttribute 授予权限以修改子网的属性 Write

subnet*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

ec2:Region

ModifyTrafficMirrorFilterNetworkServices 授予权限以允许或限制镜像网络服务 Write

traffic-mirror-filter*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyTrafficMirrorFilterRule 授予权限以修改流量镜像规则 Write

traffic-mirror-filter*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

traffic-mirror-filter-rule*

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:Region

ModifyTrafficMirrorSession 授予权限以修改流量镜像会话 Write

traffic-mirror-session*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

traffic-mirror-filter

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

traffic-mirror-target

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyTransitGateway 授予权限以修改中转网关 Write

transit-gateway*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

transit-gateway-route-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyTransitGatewayPrefixListReference 授予权限以修改中转网关前缀列表引用 Write

prefix-list*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

transit-gateway-attachment

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyTransitGatewayVpcAttachment 授予权限以修改中转网关上的 VPC 连接 Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

subnet

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Region

ModifyVolume Grants permission to modify the parameters of an EBS volume Write

volume*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:Region

ModifyVolumeAttribute Grants permission to modify an attribute of a volume Write

volume*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:Region

ModifyVpcAttribute Grants permission to modify an attribute of a VPC Write

vpc*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

ModifyVpcEndpoint Grants permission to modify an attribute of a VPC endpoint Write

vpc-endpoint*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

route-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

security-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

subnet

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Region

ModifyVpcEndpointConnectionNotification Grants permission to modify a connection notification for a VPC endpoint or VPC endpoint service Write

vpc-endpoint*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

vpc-endpoint-service*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyVpcEndpointServiceConfiguration Grants permission to modify the attributes of a VPC endpoint service configuration Write

vpc-endpoint-service*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

ec2:VpceServicePrivateDnsName

ec2:Region

ModifyVpcEndpointServicePayerResponsibility Grants permission to modify the payer responsibility for a VPC endpoint service Write

vpc-endpoint-service*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyVpcEndpointServicePermissions Grants permission to modify the permissions for a VPC endpoint service Permissions management

vpc-endpoint-service*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyVpcPeeringConnectionOptions Grants permission to modify the VPC peering connection options on one side of a VPC peering connection Write

vpc-peering-connection*

aws:ResourceTag/${TagKey}

ec2:AccepterVpc

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:RequesterVpc

ec2:ResourceTag/${TagKey}

ec2:VpcPeeringConnectionID

ec2:Region

ModifyVpcTenancy Grants permission to modify the instance tenancy attribute of a VPC Write

vpc*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

ModifyVpnConnection Grants permission to modify the target gateway of a Site-to-Site VPN connection Write

vpn-connection*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:AuthenticationType

ec2:DPDTimeoutSeconds

ec2:GatewayType

ec2:IKEVersions

ec2:InsideTunnelCidr

ec2:InsideTunnelIpv6Cidr

ec2:Phase1DHGroup

ec2:Phase1EncryptionAlgorithms

ec2:Phase1IntegrityAlgorithms

ec2:Phase1LifetimeSeconds

ec2:Phase2DHGroup

ec2:Phase2EncryptionAlgorithms

ec2:Phase2IntegrityAlgorithms

ec2:Phase2LifetimeSeconds

ec2:PreSharedKeys

ec2:RekeyFuzzPercentage

ec2:RekeyMarginTimeSeconds

ec2:ReplayWindowSizePackets

ec2:ResourceTag/${TagKey}

ec2:RoutingType

ec2:Region

ModifyVpnConnectionOptions Grants permission to modify the connection options for a Site-to-Site VPN connection Write

vpn-connection*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyVpnTunnelCertificate Grants permission to modify the certificate for a Site-to-Site VPN connection Write

vpn-connection*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:ResourceTag/${TagKey}

ec2:Region

ModifyVpnTunnelOptions Grants permission to modify the options for a Site-to-Site VPN connection Write

vpn-connection*

aws:ResourceTag/${TagKey}

ec2:Attribute

ec2:Attribute/${AttributeName}

ec2:AuthenticationType

ec2:DPDTimeoutSeconds

ec2:GatewayType

ec2:IKEVersions

ec2:InsideTunnelCidr

ec2:InsideTunnelIpv6Cidr

ec2:Phase1DHGroup

ec2:Phase1EncryptionAlgorithms

ec2:Phase1IntegrityAlgorithms

ec2:Phase1LifetimeSeconds

ec2:Phase2DHGroup

ec2:Phase2EncryptionAlgorithms

ec2:Phase2IntegrityAlgorithms

ec2:Phase2LifetimeSeconds

ec2:PreSharedKeys

ec2:RekeyFuzzPercentage

ec2:RekeyMarginTimeSeconds

ec2:ReplayWindowSizePackets

ec2:ResourceTag/${TagKey}

ec2:RoutingType

ec2:Region

MonitorInstances Grants permission to enable detailed monitoring for a running instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

MoveAddressToVpc Grants permission to move an Elastic IP address from the EC2-Classic platform to the EC2-VPC platform Write

ec2:Region

MoveByoipCidrToIpam Grants permission to move a BYOIP IPv4 CIDR from a public IPv4 pool to Amazon VPC IP Address Manager (IPAM) Write

ipam-pool

ec2:ResourceTag/${TagKey}

ec2:Region

ProvisionByoipCidr Grants permission to provision an address range for use in Amazon through bring your own IP addresses (BYOIP), and to create a corresponding address pool Write

ec2:Region

ProvisionIpamPoolCidr Grants permission to provision a CIDR to an Amazon VPC IP Address Manager (IPAM) pool Write

ipam-pool*

ec2:ResourceTag/${TagKey}

ec2:Region

ProvisionPublicIpv4PoolCidr Grants permission to provision a CIDR to a public IPv4 pool Write

ipam-pool*

ec2:ResourceTag/${TagKey}

ipv4pool-ec2

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

PurchaseHostReservation Grants permission to purchase a reservation with configurations that match those of a Dedicated Host Write

dedicated-host*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CreateTags

ec2:Region

PurchaseReservedInstancesOffering Grants permission to purchase a Reserved Instance offering Write

ec2:Region

PurchaseScheduledInstances Grants permission to purchase one or more Scheduled Instances with a specified schedule Write

ec2:Region

PutResourcePolicy [permission only] Grants permission to attach an IAM policy that enables cross-account sharing to a resource Write

ipam-pool

ec2:ResourceTag/${TagKey}

ec2:Region

RebootInstances Grants permission to request a reboot of one or more instances Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

RegisterImage Grants permission to register an Amazon Machine Image (AMI) Write

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:Owner

ec2:ResourceTag/${TagKey}

snapshot

aws:ResourceTag/${TagKey}

ec2:OutpostArn

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotID

ec2:SnapshotTime

ec2:SourceOutpostArn

ec2:VolumeSize

ec2:Region

RegisterInstanceEventNotificationAttributes Grants permission to add tags to the set of tags to include in notifications about scheduled events for your instances Write

ec2:Region

RegisterTransitGatewayMulticastGroupMembers Grants permission to register one or more network interfaces as a member of a group IP address in a transit gateway multicast domain Write

network-interface*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

transit-gateway-multicast-domain*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

RegisterTransitGatewayMulticastGroupSources Grants permission to register one or more network interfaces as a source of a group IP address in a transit gateway multicast domain Write

network-interface*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

transit-gateway-multicast-domain*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

RejectTransitGatewayMulticastDomainAssociations Grants permission to reject requests to associate cross-account subnets with a transit gateway multicast domain Write

transit-gateway-attachment

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-multicast-domain

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

RejectTransitGatewayPeeringAttachment Grants permission to reject a transit gateway peering attachment request Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

RejectTransitGatewayVpcAttachment Grants permission to reject a request to attach a VPC to a transit gateway Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

RejectVpcEndpointConnections Grants permission to reject one or more VPC endpoint connection requests to a VPC endpoint service Write

vpc-endpoint-service*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

RejectVpcPeeringConnection Grants permission to reject a VPC peering connection request Write

vpc-peering-connection*

aws:ResourceTag/${TagKey}

ec2:AccepterVpc

ec2:RequesterVpc

ec2:ResourceTag/${TagKey}

ec2:VpcPeeringConnectionID

ec2:Region

ReleaseAddress Grants permission to release an Elastic IP address Write

elastic-ip

aws:ResourceTag/${TagKey}

ec2:AllocationId

ec2:Domain

ec2:PublicIpAddress

ec2:ResourceTag/${TagKey}

ec2:Region

ReleaseHosts Grants permission to release one or more On-Demand Dedicated Hosts Write

dedicated-host*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

ReleaseIpamPoolAllocation Grants permission to release an allocation within an Amazon VPC IP Address Manager (IPAM) pool Write

ipam-pool*

ec2:ResourceTag/${TagKey}

ec2:Region

ReplaceIamInstanceProfileAssociation Grants permission to replace an IAM instance profile for an instance Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:NewInstanceProfile

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

iam:PassRole

ec2:Region

ReplaceNetworkAclAssociation Grants permission to change which network ACL a subnet is associated with Write

network-acl*

aws:ResourceTag/${TagKey}

ec2:NetworkAclID

ec2:ResourceTag/${TagKey}

ec2:Vpc

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

ec2:Region

ReplaceNetworkAclEntry Grants permission to replace an entry (rule) in a network ACL Write

network-acl*

aws:ResourceTag/${TagKey}

ec2:NetworkAclID

ec2:ResourceTag/${TagKey}

ec2:Vpc

ec2:Region

ReplaceRoute Grants permission to replace a route within a route table in a VPC Write

route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

ec2:Vpc

carrier-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:Vpc

egress-only-internet-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

instance

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:EbsOptimized

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceProfile

ec2:InstanceType

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

internet-gateway

aws:ResourceTag/${TagKey}

ec2:InternetGatewayID

ec2:ResourceTag/${TagKey}

local-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

natgateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ne