Actions, resources, and condition keys for Amazon EC2 - Service Authorization Reference

Actions, resources, and condition keys for Amazon EC2

Amazon EC2 (service prefix: ec2) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Amazon EC2

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases a single action controls access to more than one operation, and some operations require several different actions (the Dependent actions column lists the additional actions a policy must also allow).

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other. The Condition keys column lists the keys each resource type supplies for that action; a condition on a key the action does not supply never matches (except under the Null operator or an ...IfExists operator), which makes an Allow that uses it inert and, more dangerously, makes a Deny that uses it inert too.

For details about the columns in the following table, see Actions table.
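The checks the two paragraphs above imply can be automated. The following Python script is an added example, not AWS code and not part of the Service Authorization Reference: it lints the statements of a policy against a hand-copied subset of the table below (AdvertiseByoipCidr, AssociateIamInstanceProfile, AttachVolume, CreateSecurityGroup and CreateVolume) and reports statements that can never take effect as written: a Resource other than "*" for an action that has no resource types, an Allow that does not cover a required resource type, a condition on a key the action does not supply, and a dependent action that no Allow grants. The ARN_SEGMENT mapping is assumed from the EC2 resource types table, which this section does not reproduce, and SAMPLE_POLICY is constructed for the example.

```python
"""Added example (not AWS code): lint IAM policy statements against the EC2 action table.
ACTION_TABLE is a hand-copied subset of the rows below; ARN_SEGMENT is assumed from the
EC2 resource-types table, which this section does not reproduce. NotAction/NotResource are ignored."""
import re

INSTANCE_KEYS = {"aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:EbsOptimized",
                 "ec2:InstanceProfile", "ec2:InstanceType", "ec2:PlacementGroup", "ec2:Region",
                 "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy"}
VOLUME_KEYS = {"aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:Encrypted",
               "ec2:ParentSnapshot", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:VolumeIops",
               "ec2:VolumeSize", "ec2:VolumeThroughput", "ec2:VolumeType"}
# action -> {resource type (trailing "*" = required, as in the table) -> usable condition keys}
ACTION_TABLE = {
    "ec2:AdvertiseByoipCidr": {},  # no resource types: Resource must be "*"
    "ec2:AssociateIamInstanceProfile": {"instance*": INSTANCE_KEYS | {"ec2:NewInstanceProfile"}},
    "ec2:AttachVolume": {"instance*": INSTANCE_KEYS, "volume*": VOLUME_KEYS},
    "ec2:CreateSecurityGroup": {
        "security-group*": {"aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:Region", "ec2:Vpc"},
        "vpc": {"aws:ResourceTag/${TagKey}", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy"}},
    "ec2:CreateVolume": {
        "volume*": (VOLUME_KEYS - {"aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}"})
                   | {"aws:RequestTag/${TagKey}", "aws:TagKeys"},
        "snapshot": {"aws:ResourceTag/${TagKey}", "ec2:Owner", "ec2:ParentVolume", "ec2:Region",
                     "ec2:ResourceTag/${TagKey}", "ec2:SnapshotTime", "ec2:VolumeSize"}},
}
DEPENDENT_ACTIONS = {"ec2:AssociateIamInstanceProfile": {"iam:PassRole"}}  # last table column
ARN_SEGMENT = {"instance": "instance", "volume": "volume", "snapshot": "snapshot",  # assumed
               "security-group": "security-group", "vpc": "vpc"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _iam_regex(pattern):
    """IAM wildcard pattern (* and ?) to an anchored regex."""
    return "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"

def _template(key):
    """aws:RequestTag/Owner -> aws:RequestTag/${TagKey}, the form the table uses."""
    return re.sub(r"^(aws|ec2):(RequestTag|ResourceTag)/.+$", r"\1:\2/${TagKey}", key)

def _table_scoped(key):  # keys the table governs; other aws:* global keys exist for every action
    return key.startswith(("ec2:", "aws:RequestTag/", "aws:ResourceTag/")) or key == "aws:TagKeys"

def _condition_keys(stmt):
    """Keys under operators that evaluate to false when the key is absent from the request."""
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "Null" and not operator.endswith("IfExists"):  # those tolerate absence
            yield from pairs

def _covers(resources, rtype):  # can some Resource entry match an ARN of this EC2 resource type?
    for res in resources:
        if res == "*":
            return True
        parts = res.split(":", 5)  # arn:partition:service:region:account:segment/id
        if len(parts) != 6 or not re.match(_iam_regex(parts[2]), "ec2"):
            continue
        tail = parts[5].split("/", 1)[1] if "/" in parts[5] else "x"
        if re.match(_iam_regex(parts[5]), ARN_SEGMENT[rtype] + "/" + tail):
            return True
    return False

def lint_policy(policy):
    """Return findings for statements that can never take effect as written."""
    findings, stmts = [], _as_list(policy["Statement"])
    allowed = {a for s in stmts if s.get("Effect") == "Allow" for a in _as_list(s.get("Action", []))}
    for i, stmt in enumerate(stmts):
        sid, effect = stmt.get("Sid", "Statement%d" % i), stmt.get("Effect")
        resources = _as_list(stmt.get("Resource", []))
        keys = sorted({_template(k) for k in _condition_keys(stmt)})
        for pattern in _as_list(stmt.get("Action", [])):
            for name, rtypes in ACTION_TABLE.items():  # actions outside the subset are skipped
                if not re.match(_iam_regex(pattern), name):
                    continue
                if not rtypes and resources != ["*"]:
                    findings.append(f'{sid}: {name} has no resource types; Resource must be "*"')
                for rtype in rtypes:  # an Allow must cover every required resource of the request
                    if effect == "Allow" and rtype.endswith("*") and not _covers(resources, rtype[:-1]):
                        findings.append(f"{sid}: {name} requires resource type {rtype[:-1]}, which no "
                                        "Resource entry can match; the Allow never applies")
                supported = set().union(*rtypes.values()) if rtypes else set()
                for key in keys:
                    if _table_scoped(key) and key not in supported:
                        findings.append(f"{sid}: {name} does not supply {key}, so the condition never "
                                        f"matches and this {effect} never applies")
                for dep in DEPENDENT_ACTIONS.get(name, ()):  # dependency's own Resource not checked
                    if not any(re.match(_iam_regex(a), dep) for a in allowed):
                        findings.append(f"{sid}: {name} also needs {dep}, which no Allow statement grants")
    return findings

# Constructed sample policy (not from the page); four of the five statements are defective.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EncryptedOnly", "Effect": "Allow", "Action": "ec2:CreateVolume",
     "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": {"Bool": {"ec2:Encrypted": "true"}}},
    {"Sid": "TeamVolumes", "Effect": "Allow", "Action": "ec2:AttachVolume",
     "Resource": "arn:aws:ec2:*:*:volume/*",  # instance* is required too
     "Condition": {"StringEquals": {"aws:ResourceTag/Team": "blue"}}},
    {"Sid": "BadDeny", "Effect": "Deny", "Action": "ec2:CreateSecurityGroup", "Resource": "*",
     "Condition": {"Bool": {"ec2:Encrypted": "false"}}},  # key never present for this action
    {"Sid": "Byoip", "Effect": "Allow", "Action": "ec2:AdvertiseByoipCidr", "Resource": "arn:aws:ec2:*:*:vpc/*"},
    {"Sid": "Profiles", "Effect": "Allow", "Action": "ec2:AssociateIamInstanceProfile",
     "Resource": "arn:aws:ec2:*:*:instance/*"},  # no iam:PassRole anywhere in the policy
]}

if __name__ == "__main__":
    print("\n".join(lint_policy(SAMPLE_POLICY)))
```

Running lint_policy(SAMPLE_POLICY) returns four findings, one for each of the last four statements. The BadDeny case is the one most often missed in a review: a Deny whose condition names a key the action never supplies is inert, because a missing key makes every operator other than Null and the ...IfExists variants evaluate to false, so the guardrail the author believed they had does not exist.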

Actions | Description | Access level
    Resource type (* = required): condition keys that can be used with that resource
    Dependent actions: other actions the policy must also allow

The entries below are the rows of the table, reflowed from the flattened original: the first line of each entry gives the action, its description and its access level, and each indented line names one resource type (an asterisk marks a required resource) followed by the condition keys usable with it. Dependent actions, and condition keys that the table lists for the action as a whole rather than for a resource type, appear on their own indented lines.
AcceptReservedInstancesExchangeQuote | Grants permission to accept a Convertible Reserved Instance exchange quote | Write
    reserved-instances*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:InstanceType, ec2:Region, ec2:ReservedInstancesOfferingType, ec2:ResourceTag/${TagKey}, ec2:Tenancy

AcceptTransitGatewayMulticastDomainAssociations | Grants permission to accept a request to associate subnets with a transit gateway multicast domain | Write
    subnet: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    transit-gateway-attachment: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-multicast-domain: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

AcceptTransitGatewayPeeringAttachment | Grants permission to accept a transit gateway peering attachment request | Write
    transit-gateway-attachment*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

AcceptTransitGatewayVpcAttachment | Grants permission to accept a request to attach a VPC to a transit gateway | Write
    transit-gateway-attachment*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

AcceptVpcEndpointConnections | Grants permission to accept one or more interface VPC endpoint connections to your VPC endpoint service | Write
    vpc-endpoint*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    vpc-endpoint-service*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:VpceServicePrivateDnsName

AcceptVpcPeeringConnection | Grants permission to accept a VPC peering connection request | Write
    vpc*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy
    vpc-peering-connection*: aws:ResourceTag/${TagKey}, ec2:AccepterVpc, ec2:Region, ec2:RequesterVpc, ec2:ResourceTag/${TagKey}

AdvertiseByoipCidr | Grants permission to advertise an IP address range that is provisioned for use in AWS through bring your own IP addresses (BYOIP) | Write
    (no resource types: use "*" in the Resource element)

AllocateAddress | Grants permission to allocate an Elastic IP address (EIP) to your account | Write
    ipv4pool-ec2: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

AllocateHosts | Grants permission to allocate a Dedicated Host to your account | Write
    dedicated-host*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:AutoPlacement, ec2:AvailabilityZone, ec2:InstanceType, ec2:Quantity, ec2:HostRecovery

ApplySecurityGroupsToClientVpnTargetNetwork | Grants permission to apply a security group to the association between a Client VPN endpoint and a target network | Write
    client-vpn-endpoint*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:ServerCertificateArn, ec2:ClientRootCertificateChainArn, ec2:DirectoryArn, ec2:SamlProviderArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn
    security-group*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    vpc*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy

AssignIpv6Addresses | Grants permission to assign one or more IPv6 addresses to a network interface | Write
    network-interface*: aws:ResourceTag/${TagKey}, ec2:AuthorizedService, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc, ec2:AssociatePublicIpAddress

AssignPrivateIpAddresses | Grants permission to assign one or more secondary private IP addresses to a network interface | Write
    network-interface*: aws:ResourceTag/${TagKey}, ec2:AuthorizedService, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc, ec2:AssociatePublicIpAddress

AssociateAddress | Grants permission to associate an Elastic IP address (EIP) with an instance or a network interface | Write
    elastic-ip: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    instance: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy
    network-interface: aws:ResourceTag/${TagKey}, ec2:AuthorizedService, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc, ec2:AssociatePublicIpAddress

AssociateClientVpnTargetNetwork | Grants permission to associate a target network with a Client VPN endpoint | Write
    client-vpn-endpoint*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:ServerCertificateArn, ec2:ClientRootCertificateChainArn, ec2:DirectoryArn, ec2:SamlProviderArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn
    subnet*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc

AssociateDhcpOptions | Grants permission to associate or disassociate a set of DHCP options with a VPC | Write
    vpc*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy

AssociateEnclaveCertificateIamRole | Grants permission to associate an ACM certificate with an IAM role to be used in an EC2 Enclave | Write
    certificate*: (no condition keys)
    role*: (no condition keys)

AssociateIamInstanceProfile | Grants permission to associate an IAM instance profile with a running or stopped instance | Write
    instance*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy
    Condition keys (action level): ec2:NewInstanceProfile
    Dependent actions: iam:PassRole

AssociateRouteTable | Grants permission to associate a subnet or gateway with a route table | Write
    route-table*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    internet-gateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    subnet: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    vpn-gateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

AssociateSubnetCidrBlock | Grants permission to associate a CIDR block with a subnet | Write
    subnet*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc

AssociateTransitGatewayMulticastDomain | Grants permission to associate an attachment and a list of subnets with a transit gateway multicast domain | Write
    subnet*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    transit-gateway-attachment*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-multicast-domain*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

AssociateTransitGatewayRouteTable | Grants permission to associate an attachment with a transit gateway route table | Write
    transit-gateway-attachment*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-route-table*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

AssociateVpcCidrBlock | Grants permission to associate a CIDR block with a VPC | Write
    vpc*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy
    ipv6pool-ec2: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

AttachClassicLinkVpc | Grants permission to link an EC2-Classic instance to a ClassicLink-enabled VPC through one or more of the VPC's security groups | Write
    instance*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy
    security-group*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    vpc*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy

AttachInternetGateway | Grants permission to attach an internet gateway to a VPC | Write
    internet-gateway*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    vpc*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy

AttachNetworkInterface | Grants permission to attach a network interface to an instance | Write
    instance*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy
    network-interface*: aws:ResourceTag/${TagKey}, ec2:AuthorizedService, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc, ec2:AssociatePublicIpAddress

AttachVolume | Grants permission to attach an EBS volume to a running or stopped instance and expose it to the instance with the specified device name | Write
    instance*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy
    volume*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType

AttachVpnGateway | Grants permission to attach a virtual private gateway to a VPC | Write
    vpc*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy
    vpn-gateway*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

AuthorizeClientVpnIngress | Grants permission to add an inbound authorization rule to a Client VPN endpoint | Write
    client-vpn-endpoint*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:ServerCertificateArn, ec2:ClientRootCertificateChainArn, ec2:DirectoryArn, ec2:SamlProviderArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn

AuthorizeSecurityGroupEgress | Grants permission to add one or more outbound rules to a VPC security group | Write
    security-group*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc

AuthorizeSecurityGroupIngress | Grants permission to add one or more inbound rules to a security group | Write
    security-group*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc

BundleInstance | Grants permission to bundle an instance store-backed Windows instance | Write
    instance*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy

CancelBundleTask | Grants permission to cancel a bundling operation | Write
    (no resource types: use "*" in the Resource element)

CancelCapacityReservation | Grants permission to cancel a Capacity Reservation and release the reserved capacity | Write
    capacity-reservation*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

CancelConversionTask | Grants permission to cancel an active conversion task | Write
    (no resource types: use "*" in the Resource element)

CancelExportTask | Grants permission to cancel an active export task | Write
    export-image-task: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    export-instance-task: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

CancelImportTask | Grants permission to cancel an in-process import virtual machine or import snapshot task | Write
    import-image-task: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    import-snapshot-task: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

CancelReservedInstancesListing | Grants permission to cancel a Reserved Instance listing on the Reserved Instance Marketplace | Write
    (no resource types: use "*" in the Resource element)

CancelSpotFleetRequests | Grants permission to cancel one or more Spot Fleet requests | Write
    spot-fleet-request*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

CancelSpotInstanceRequests | Grants permission to cancel one or more Spot Instance requests | Write
    spot-instances-request*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

ConfirmProductInstance | Grants permission to determine whether an owned product code is associated with an instance | Write
    instance*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy

CopyFpgaImage | Grants permission to copy a source Amazon FPGA image (AFI) to the current Region. Resource-level permissions specified for this action apply to the new AFI only; they do not apply to the source AFI | Write
    fpga-image*: ec2:Owner, ec2:Region

CopyImage | Grants permission to copy an Amazon Machine Image (AMI) from a source Region to the current Region. Resource-level permissions specified for this action apply to the new AMI only; they do not apply to the source AMI | Write
    image*: ec2:Owner, ec2:Region

CopySnapshot | Grants permission to copy a point-in-time snapshot of an EBS volume and store it in Amazon S3. Resource-level permissions specified for this action apply to the new snapshot only; they do not apply to the source snapshot | Write
    snapshot*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:OutpostArn, ec2:SourceOutpostArn

CreateCapacityReservation | Grants permission to create a Capacity Reservation | Write
    capacity-reservation*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region

CreateCarrierGateway | Grants permission to create a carrier gateway, which provides CSP connectivity to VPC customers | Write
    carrier-gateway*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:Vpc, ec2:Tenancy
    vpc*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy

CreateClientVpnEndpoint | Grants permission to create a Client VPN endpoint | Write
    client-vpn-endpoint*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ServerCertificateArn, ec2:ClientRootCertificateChainArn, ec2:DirectoryArn, ec2:SamlProviderArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn
    security-group: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    vpc: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy

CreateClientVpnRoute | Grants permission to add a network route to a Client VPN endpoint's route table | Write
    client-vpn-endpoint*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:ServerCertificateArn, ec2:ClientRootCertificateChainArn, ec2:DirectoryArn, ec2:SamlProviderArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn
    subnet*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc

CreateCustomerGateway | Grants permission to create a customer gateway, which provides information to AWS about your customer gateway device | Write
    customer-gateway*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region

CreateDefaultSubnet | Grants permission to create a default subnet in a specified Availability Zone in a default VPC | Write
    (no resource types: use "*" in the Resource element)

CreateDefaultVpc | Grants permission to create a default VPC with a default subnet in each Availability Zone | Write
    (no resource types: use "*" in the Resource element)

CreateDhcpOptions | Grants permission to create a set of DHCP options for a VPC | Write
    dhcp-options*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region

CreateEgressOnlyInternetGateway | Grants permission to create an egress-only internet gateway for a VPC | Write
    egress-only-internet-gateway*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region
    vpc*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy

CreateFleet | Grants permission to launch an EC2 Fleet | Write
    fleet*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region
    image: aws:ResourceTag/${TagKey}, ec2:ImageType, ec2:Owner, ec2:Public, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType
    key-pair: aws:ResourceTag/${TagKey}, ec2:KeyPairName, ec2:Region, ec2:ResourceTag/${TagKey}
    launch-template: aws:Resource Tag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    network-interface: aws:ResourceTag/${TagKey}, ec2:AuthorizedService, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc, ec2:AssociatePublicIpAddress
    security-group: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    snapshot: aws:ResourceTag/${TagKey}, ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:SnapshotTime, ec2:VolumeSize
    subnet: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc

CreateFlowLogs | Grants permission to create one or more flow logs to capture IP traffic for a network interface | Write
    vpc-flow-log*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region
    network-interface: aws:ResourceTag/${TagKey}, ec2:AuthorizedService, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc, ec2:AssociatePublicIpAddress
    subnet: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    vpc: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy
    Dependent actions: iam:PassRole

CreateFpgaImage | Grants permission to create an Amazon FPGA Image (AFI) from a design checkpoint (DCP) | Write
    fpga-image*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Owner, ec2:Public, ec2:Region

CreateImage | Grants permission to create an Amazon EBS-backed AMI from a stopped or running Amazon EBS-backed instance | Write
    image*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:ImageType, ec2:Owner, ec2:Public, ec2:Region, ec2:RootDeviceType
    instance*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy

CreateInstanceExportTask | Grants permission to export a running or stopped instance to an Amazon S3 bucket | Write
    export-instance-task*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region
    instance*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy

CreateInternetGateway | Grants permission to create an internet gateway for a VPC | Write
    internet-gateway*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region

CreateKeyPair | Grants permission to create a 2048-bit RSA key pair | Write
    key-pair*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:KeyPairName, ec2:Region

CreateLaunchTemplate | Grants permission to create a launch template | Write
    launch-template*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region
    capacity-reservation: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    dedicated-host: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:AutoPlacement, ec2:AvailabilityZone, ec2:InstanceType, ec2:Quantity, ec2:HostRecovery
    image: aws:ResourceTag/${TagKey}, ec2:ImageType, ec2:Owner, ec2:Public, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType
    key-pair: aws:ResourceTag/${TagKey}, ec2:KeyPairName, ec2:Region, ec2:ResourceTag/${TagKey}
    network-interface: aws:ResourceTag/${TagKey}, ec2:AuthorizedService, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc, ec2:AssociatePublicIpAddress
    placement-group: aws:ResourceTag/${TagKey}, ec2:PlacementGroupStrategy, ec2:Region, ec2:ResourceTag/${TagKey}
    security-group: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    snapshot: aws:ResourceTag/${TagKey}, ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:SnapshotTime, ec2:VolumeSize
    subnet: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc

CreateLaunchTemplateVersion | Grants permission to create a new version of a launch template | Write
    launch-template*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    capacity-reservation: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    dedicated-host: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:AutoPlacement, ec2:AvailabilityZone, ec2:InstanceType, ec2:Quantity, ec2:HostRecovery
    image: aws:ResourceTag/${TagKey}, ec2:ImageType, ec2:Owner, ec2:Public, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType
    key-pair: aws:ResourceTag/${TagKey}, ec2:KeyPairName, ec2:Region, ec2:ResourceTag/${TagKey}
    network-interface: aws:ResourceTag/${TagKey}, ec2:AuthorizedService, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc, ec2:AssociatePublicIpAddress
    placement-group: aws:ResourceTag/${TagKey}, ec2:PlacementGroupStrategy, ec2:Region, ec2:ResourceTag/${TagKey}
    security-group: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    snapshot: aws:ResourceTag/${TagKey}, ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:SnapshotTime, ec2:VolumeSize
    subnet: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc

CreateLocalGatewayRoute | Grants permission to create a static route for a local gateway route table | Write
    local-gateway-route-table*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    local-gateway-virtual-interface-group*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

CreateLocalGatewayRouteTableVpcAssociation | Grants permission to associate a VPC with a local gateway route table | Write
    local-gateway-route-table*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    local-gateway-route-table-vpc-association*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:Tenancy
    vpc*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy

CreateManagedPrefixList | Grants permission to create a managed prefix list | Write
    prefix-list*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region

CreateNatGateway | Grants permission to create a NAT gateway in a subnet | Write
    elastic-ip*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    natgateway*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region
    subnet*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc

CreateNetworkAcl | Grants permission to create a network ACL in a VPC | Write
    network-acl*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:Vpc
    vpc*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy

CreateNetworkAclEntry | Grants permission to create a numbered entry (a rule) in a network ACL | Write
    network-acl*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc

CreateNetworkInsightsPath | Grants permission to create a path to analyze for reachability | Write
    network-insights-path*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region

CreateNetworkInterface | Grants permission to create a network interface in a subnet | Write
    network-interface*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:AuthorizedService, ec2:AvailabilityZone, ec2:Region, ec2:Subnet, ec2:Vpc, ec2:AssociatePublicIpAddress
    subnet*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    security-group: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc

CreateNetworkInterfacePermission | Grants permission to create a permission for an AWS-authorized user to perform certain operations on a network interface | Permissions management
    network-interface*: aws:ResourceTag/${TagKey}, ec2:AuthorizedService, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc, ec2:AssociatePublicIpAddress

CreatePlacementGroup | Grants permission to create a placement group | Write
    placement-group*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:PlacementGroupStrategy, ec2:Region

CreateReservedInstancesListing | Grants permission to create a listing for Standard Reserved Instances to be sold in the Reserved Instance Marketplace | Write
    reserved-instances*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:InstanceType, ec2:Region, ec2:ReservedInstancesOfferingType, ec2:ResourceTag/${TagKey}, ec2:Tenancy

CreateRoute | Grants permission to create a route in a VPC route table | Write
    route-table*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    carrier-gateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc, ec2:Tenancy
    egress-only-internet-gateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    instance: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy
    internet-gateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    local-gateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    natgateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    network-interface: aws:ResourceTag/${TagKey}, ec2:AuthorizedService, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc, ec2:AssociatePublicIpAddress
    prefix-list: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    vpc-endpoint: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    vpc-peering-connection: aws:ResourceTag/${TagKey}, ec2:AccepterVpc, ec2:Region, ec2:RequesterVpc, ec2:ResourceTag/${TagKey}
    vpn-gateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

CreateRouteTable | Grants permission to create a route table for a VPC | Write
    route-table*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:Vpc
    vpc*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy

CreateSecurityGroup | Grants permission to create a security group | Write
    security-group*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:Vpc
    vpc: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy

CreateSnapshot | Grants permission to create a snapshot of an EBS volume and store it in Amazon S3 | Write
    snapshot*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:SnapshotTime, ec2:VolumeSize
    volume*: aws:ResourceTag/${TagKey}, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType

CreateSnapshots | Grants permission to create crash-consistent snapshots of multiple EBS volumes and store them in Amazon S3 | Write
    instance*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, aws:TagKeys, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy
    snapshot*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:OutpostArn, ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:SnapshotTime, ec2:SourceOutpostArn, ec2:VolumeSize
    volume*: aws:ResourceTag/${TagKey}, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType

CreateSpotDatafeedSubscription | Grants permission to create a data feed for Spot Instances to view Spot Instance usage logs | Write
    (no resource types: use "*" in the Resource element)

CreateSubnet | Grants permission to create a subnet in a VPC | Write
    subnet*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:AvailabilityZone, ec2:Region, ec2:Vpc
    vpc*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy

CreateTags | Grants permission to add or overwrite one or more tags for Amazon EC2 resources | Tagging
    capacity-reservation: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    client-vpn-endpoint: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:ServerCertificateArn, ec2:ClientRootCertificateChainArn, ec2:DirectoryArn, ec2:SamlProviderArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn
    customer-gateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    dedicated-host: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:AutoPlacement, ec2:AvailabilityZone, ec2:InstanceType, ec2:Quantity, ec2:HostRecovery
    dhcp-options: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    egress-only-internet-gateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    elastic-gpu: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:ElasticGpuType
    elastic-ip: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    export-image-task: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    export-instance-task: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    fleet: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    fpga-image: aws:ResourceTag/${TagKey}, ec2:Owner, ec2:Public, ec2:Region, ec2:ResourceTag/${TagKey}
    host-reservation: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    image: aws:ResourceTag/${TagKey}, ec2:ImageType, ec2:Owner, ec2:Public, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType
    import-image-task: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    import-snapshot-task: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    instance: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy
    internet-gateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    ipv4pool-ec2: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    ipv6pool-ec2: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    key-pair: aws:ResourceTag/${TagKey}, ec2:KeyPairName, ec2:Region, ec2:ResourceTag/${TagKey}
    launch-template: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    local-gateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    local-gateway-route-table: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    local-gateway-route-table-virtual-interface-group-association: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    local-gateway-route-table-vpc-association: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy
    local-gateway-virtual-interface: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    local-gateway-virtual-interface-group: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    natgateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    network-acl: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    network-interface: aws:ResourceTag/${TagKey}, ec2:AuthorizedService, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc, ec2:AssociatePublicIpAddress
    placement-group: aws:ResourceTag/${TagKey}, ec2:PlacementGroupStrategy, ec2:Region, ec2:ResourceTag/${TagKey}
    prefix-list: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    reserved-instances: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:InstanceType, ec2:Region, ec2:ReservedInstancesOfferingType, ec2:ResourceTag/${TagKey}, ec2:Tenancy
    route-table: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    security-group: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    snapshot: aws:ResourceTag/${TagKey}, ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:SnapshotTime, ec2:VolumeSize
    spot-fleet-request: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    spot-instances-request: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    subnet: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    traffic-mirror-filter: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    traffic-mirror-session: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    traffic-mirror-target: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-attachment: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-connect-peer: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-multicast-domain: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-route-table: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    volume: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType
    vpc: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy
    vpc-endpoint: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    vpc-endpoint-service: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:VpceServicePrivateDnsName
    vpc-flow-log: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    vpc-peering-connection: aws:ResourceTag/${TagKey}, ec2:AccepterVpc, ec2:Region, ec2:RequesterVpc, ec2:ResourceTag/${TagKey}
    vpn-connection: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:AuthenticationType, ec2:DPDTimeoutSeconds, ec2:GatewayType, ec2:IKEVersions, ec2:InsideTunnelCidr, ec2:Phase1DHGroupNumbers, ec2:Phase2DHGroupNumbers, ec2:Phase1EncryptionAlgorithms, ec2:Phase2EncryptionAlgorithms, ec2:Phase1IntegrityAlgorithms, ec2:Phase2IntegrityAlgorithms, ec2:Phase1LifetimeSeconds, ec2:Phase2LifetimeSeconds, ec2:PresharedKeys, ec2:RekeyFuzzPercentage, ec2:RekeyMarginTimeSeconds, ec2:RoutingType
    vpn-gateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    Condition keys (action level): ec2:CreateAction

CreateTrafficMirrorFilter | Grants permission to create a traffic mirror filter | Write
    traffic-mirror-filter*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region

CreateTrafficMirrorFilterRule | Grants permission to create a traffic mirror filter rule | Write
    traffic-mirror-filter*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    traffic-mirror-filter-rule*: ec2:Region

CreateTrafficMirrorSession | Grants permission to create a traffic mirror session | Write
    network-interface*: aws:ResourceTag/${TagKey}, ec2:AuthorizedService, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc, ec2:AssociatePublicIpAddress
    traffic-mirror-filter*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    traffic-mirror-session*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region
    traffic-mirror-target*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

CreateTrafficMirrorTarget | Grants permission to create a traffic mirror target | Write
    traffic-mirror-target*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region
    network-interface: aws:ResourceTag/${TagKey}, ec2:AuthorizedService, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc, ec2:AssociatePublicIpAddress

CreateTransitGateway | Grants permission to create a transit gateway | Write
    transit-gateway*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region

CreateTransitGatewayConnect | Grants permission to create a Connect attachment from a specified transit gateway attachment | Write
    transit-gateway-attachment*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region

CreateTransitGatewayConnectPeer | Grants permission to create a Connect peer between a transit gateway and an appliance | Write
    transit-gateway-attachment*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region

CreateTransitGatewayMulticastDomain | Grants permission to create a multicast domain for a transit gateway | Write
    transit-gateway*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-multicast-domain*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region

CreateTransitGatewayPeeringAttachment | Grants permission to request a transit gateway peering attachment between a requester and an accepter transit gateway | Write
    transit-gateway*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-attachment*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region

CreateTransitGatewayPrefixListReference | Grants permission to create a transit gateway prefix list reference | Write
    prefix-list*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-route-table*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-attachment: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

CreateTransitGatewayRoute | Grants permission to create a static route for a transit gateway route table | Write
    transit-gateway-route-table*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-attachment: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

CreateTransitGatewayRouteTable | Grants permission to create a route table for a transit gateway | Write
    transit-gateway*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-route-table*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region

CreateTransitGatewayVpcAttachment | Grants permission to attach a VPC to a transit gateway | Write
    transit-gateway*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-attachment*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region
    vpc*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy
    subnet: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc

CreateVolume | Grants permission to create an EBS volume | Write
    volume*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType
    snapshot: aws:ResourceTag/${TagKey}, ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:SnapshotTime, ec2:VolumeSize

CreateVpc | Grants permission to create a VPC with a specified CIDR block | Write
    vpc*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:Tenancy
    ipv6pool-ec2: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

CreateVpcEndpoint | Grants permission to create a VPC endpoint for an AWS service | Write
    vpc*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy
    Dependent actions: route53:AssociateVPCWithHostedZone
    vpc-endpoint*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region
    route-table: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    security-group: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    subnet: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc

CreateVpcEndpointConnectionNotification | Grants permission to create a connection notification for a VPC endpoint or VPC endpoint service | Write
    vpc-endpoint: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    vpc-endpoint-service: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:VpceServicePrivateDnsName

CreateVpcEndpointServiceConfiguration | Grants permission to create a VPC endpoint service configuration to which service consumers (AWS accounts, IAM users, and IAM roles) can connect | Write
    vpc-endpoint-service*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:VpceServicePrivateDnsName

CreateVpcPeeringConnection | Grants permission to request a VPC peering connection between two VPCs | Write
    vpc*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy
    vpc-peering-connection*: ec2:AccepterVpc, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:RequesterVpc

CreateVpnConnection | Grants permission to create a VPN connection between a virtual private gateway or transit gateway and a customer gateway | Write
    customer-gateway*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    vpn-connection*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:AuthenticationType, ec2:DPDTimeoutSeconds, ec2:GatewayType, ec2:IKEVersions, ec2:InsideTunnelCidr, ec2:Phase1DHGroupNumbers, ec2:Phase2DHGroupNumbers, ec2:Phase1EncryptionAlgorithms, ec2:Phase2EncryptionAlgorithms, ec2:Phase1IntegrityAlgorithms, ec2:Phase2IntegrityAlgorithms, ec2:Phase1LifetimeSeconds, ec2:Phase2LifetimeSeconds, ec2:PresharedKeys, ec2:RekeyFuzzPercentage, ec2:RekeyMarginTimeSeconds, ec2:RoutingType
    transit-gateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    vpn-gateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

CreateVpnConnectionRoute | Grants permission to create a static route for a VPN connection between a virtual private gateway and a customer gateway | Write
    vpn-connection*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:AuthenticationType, ec2:DPDTimeoutSeconds, ec2:GatewayType, ec2:IKEVersions, ec2:InsideTunnelCidr, ec2:Phase1DHGroupNumbers, ec2:Phase2DHGroupNumbers, ec2:Phase1EncryptionAlgorithms, ec2:Phase2EncryptionAlgorithms, ec2:Phase1IntegrityAlgorithms, ec2:Phase2IntegrityAlgorithms, ec2:Phase1LifetimeSeconds, ec2:Phase2LifetimeSeconds, ec2:PresharedKeys, ec2:RekeyFuzzPercentage, ec2:RekeyMarginTimeSeconds, ec2:RoutingType

CreateVpnGateway | Grants permission to create a virtual private gateway | Write
    vpn-gateway*: aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region

DeleteCarrierGateway | Grants permission to delete a carrier gateway | Write
    carrier-gateway*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc, ec2:Tenancy

DeleteClientVpnEndpoint | Grants permission to delete a Client VPN endpoint | Write
    client-vpn-endpoint*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:ServerCertificateArn, ec2:ClientRootCertificateChainArn, ec2:DirectoryArn, ec2:SamlProviderArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn

DeleteClientVpnRoute | Grants permission to delete a route from a Client VPN endpoint | Write
    client-vpn-endpoint*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:ServerCertificateArn, ec2:ClientRootCertificateChainArn, ec2:DirectoryArn, ec2:SamlProviderArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn
    subnet: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc

DeleteCustomerGateway | Grants permission to delete a customer gateway | Write
    customer-gateway*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteDhcpOptions | Grants permission to delete a set of DHCP options | Write
    dhcp-options*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteEgressOnlyInternetGateway | Grants permission to delete an egress-only internet gateway | Write
    egress-only-internet-gateway*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteFleets | Grants permission to delete one or more EC2 Fleets | Write
    fleet*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteFlowLogs | Grants permission to delete one or more flow logs | Write
    vpc-flow-log*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteFpgaImage | Grants permission to delete an Amazon FPGA Image (AFI) | Write
    fpga-image*: aws:ResourceTag/${TagKey}, ec2:Owner, ec2:Public, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteInternetGateway | Grants permission to delete an internet gateway | Write
    internet-gateway*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteKeyPair | Grants permission to delete a key pair by removing the public key from Amazon EC2 | Write
    key-pair: aws:ResourceTag/${TagKey}, ec2:KeyPairName, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteLaunchTemplate | Grants permission to delete a launch template and its associated versions | Write
    launch-template: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteLaunchTemplateVersions | Grants permission to delete one or more versions of a launch template | Write
    launch-template: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteLocalGatewayRoute | Grants permission to delete a route from a local gateway route table | Write
    local-gateway-route-table*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteLocalGatewayRouteTableVpcAssociation | Grants permission to delete an association between a VPC and a local gateway route table | Write
    local-gateway-route-table-vpc-association*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy

DeleteManagedPrefixList | Grants permission to delete a managed prefix list | Write
    prefix-list*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteNatGateway | Grants permission to delete a NAT gateway | Write
    natgateway*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteNetworkAcl | Grants permission to delete a network ACL | Write
    network-acl*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc

DeleteNetworkAclEntry | Grants permission to delete an inbound or outbound entry (rule) from a network ACL | Write
    network-acl*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc

DeleteNetworkInsightsAnalysis | Grants permission to delete a network insights analysis | Write
    network-insights-analysis*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteNetworkInsightsPath | Grants permission to delete a network insights path | Write
    network-insights-path*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteNetworkInterface | Grants permission to delete a detached network interface | Write
    network-interface*: aws:ResourceTag/${TagKey}, ec2:AuthorizedService, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc, ec2:AssociatePublicIpAddress

DeleteNetworkInterfacePermission | Grants permission to delete a permission that is associated with a network interface | Permissions management

DeletePlacementGroup | Grants permission to delete a placement group | Write

DeleteQueuedReservedInstances | Grants permission to delete the queued purchases for the specified Reserved Instances | Write
    reserved-instances*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:InstanceType, ec2:Region, ec2:ReservedInstancesOfferingType, ec2:ResourceTag/${TagKey}, ec2:Tenancy

DeleteRoute | Grants permission to delete a route from a route table | Write
    route-table*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    prefix-list: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteRouteTable | Grants permission to delete a route table | Write
    route-table*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc

DeleteSecurityGroup | Grants permission to delete a security group | Write
    security-group*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc

DeleteSnapshot | Grants permission to delete a snapshot of an EBS volume | Write
    snapshot*: aws:ResourceTag/${TagKey}, ec2:OutpostArn, ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:SnapshotTime, ec2:SourceOutpostArn, ec2:VolumeSize

DeleteSpotDatafeedSubscription | Grants permission to delete a data feed for Spot Instances | Write

DeleteSubnet | Grants permission to delete a subnet | Write
    subnet*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc

DeleteTags | Grants permission to delete one or more tags from Amazon EC2 resources | Tagging
    capacity-reservation: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    client-vpn-endpoint: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:ServerCertificateArn, ec2:ClientRootCertificateChainArn, ec2:DirectoryArn, ec2:SamlProviderArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn
    customer-gateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    dedicated-host: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:AutoPlacement, ec2:AvailabilityZone, ec2:InstanceType, ec2:Quantity, ec2:HostRecovery
    dhcp-options: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    egress-only-internet-gateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    elastic-gpu: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:ElasticGpuType
    elastic-ip: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    export-image-task: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    export-instance-task: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    fleet: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    fpga-image: aws:ResourceTag/${TagKey}, ec2:Owner, ec2:Public, ec2:Region, ec2:ResourceTag/${TagKey}
    host-reservation: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    image: aws:ResourceTag/${TagKey}, ec2:ImageType, ec2:Owner, ec2:Public, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType
    import-image-task: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    import-snapshot-task: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    instance: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy
    internet-gateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    ipv4pool-ec2: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    ipv6pool-ec2: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    key-pair: aws:ResourceTag/${TagKey}, ec2:KeyPairName, ec2:Region, ec2:ResourceTag/${TagKey}
    launch-template: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    local-gateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    local-gateway-route-table: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    local-gateway-route-table-virtual-interface-group-association: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    local-gateway-route-table-vpc-association: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy
    local-gateway-virtual-interface: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    local-gateway-virtual-interface-group: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    natgateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    network-acl: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    network-interface: aws:ResourceTag/${TagKey}, ec2:AuthorizedService, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc, ec2:AssociatePublicIpAddress
    placement-group: aws:ResourceTag/${TagKey}, ec2:PlacementGroupStrategy, ec2:Region, ec2:ResourceTag/${TagKey}
    prefix-list: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    reserved-instances: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:InstanceType, ec2:Region, ec2:ReservedInstancesOfferingType, ec2:ResourceTag/${TagKey}, ec2:Tenancy
    route-table: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    security-group: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    snapshot: aws:ResourceTag/${TagKey}, ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:SnapshotTime, ec2:VolumeSize
    spot-fleet-request: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    spot-instances-request: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    subnet: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    traffic-mirror-filter: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    traffic-mirror-session: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    traffic-mirror-target: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-attachment: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-connect-peer: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-multicast-domain: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-route-table: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    volume: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType
    vpc: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy
    vpc-endpoint: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    vpc-endpoint-service: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:VpceServicePrivateDnsName
    vpc-flow-log: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    vpc-peering-connection: aws:ResourceTag/${TagKey}, ec2:AccepterVpc, ec2:Region, ec2:RequesterVpc, ec2:ResourceTag/${TagKey}
    vpn-connection: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:AuthenticationType, ec2:DPDTimeoutSeconds, ec2:GatewayType, ec2:IKEVersions, ec2:InsideTunnelCidr, ec2:Phase1DHGroupNumbers, ec2:Phase2DHGroupNumbers, ec2:Phase1EncryptionAlgorithms, ec2:Phase2EncryptionAlgorithms, ec2:Phase1IntegrityAlgorithms, ec2:Phase2IntegrityAlgorithms, ec2:Phase1LifetimeSeconds, ec2:Phase2LifetimeSeconds, ec2:PresharedKeys, ec2:RekeyFuzzPercentage, ec2:RekeyMarginTimeSeconds, ec2:RoutingType
    vpn-gateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteTrafficMirrorFilter | Grants permission to delete a traffic mirror filter | Write
    traffic-mirror-filter*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteTrafficMirrorFilterRule | Grants permission to delete a traffic mirror filter rule | Write
    traffic-mirror-filter-rule*: ec2:Region

DeleteTrafficMirrorSession | Grants permission to delete a traffic mirror session | Write
    traffic-mirror-session*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteTrafficMirrorTarget | Grants permission to delete a traffic mirror target | Write
    traffic-mirror-target*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteTransitGateway | Grants permission to delete a transit gateway | Write
    transit-gateway*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteTransitGatewayConnect | Grants permission to delete a transit gateway Connect attachment | Write
    transit-gateway-attachment*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteTransitGatewayConnectPeer | Grants permission to delete a transit gateway Connect peer | Write
    transit-gateway-connect-peer*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteTransitGatewayMulticastDomain | Grants permission to delete a transit gateway multicast domain | Write
    transit-gateway-multicast-domain*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteTransitGatewayPeeringAttachment | Grants permission to delete a peering attachment from a transit gateway | Write
    transit-gateway-attachment*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteTransitGatewayPrefixListReference | Grants permission to delete a transit gateway prefix list reference | Write
    prefix-list*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-route-table*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteTransitGatewayRoute | Grants permission to delete a route from a transit gateway route table | Write
    transit-gateway-route-table*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteTransitGatewayRouteTable | Grants permission to delete a transit gateway route table | Write
    transit-gateway-route-table*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteTransitGatewayVpcAttachment | Grants permission to delete a VPC attachment from a transit gateway | Write
    transit-gateway-attachment*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteVolume | Grants permission to delete an EBS volume | Write
    volume*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType

DeleteVpc | Grants permission to delete a VPC | Write
    vpc*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy

DeleteVpcEndpointConnectionNotifications | Grants permission to delete one or more VPC endpoint connection notifications | Write
    vpc-endpoint*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    vpc-endpoint-service*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:VpceServicePrivateDnsName

DeleteVpcEndpointServiceConfigurations | Grants permission to delete one or more VPC endpoint service configurations | Write
    vpc-endpoint-service*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:VpceServicePrivateDnsName

DeleteVpcEndpoints | Grants permission to delete one or more VPC endpoints | Write
    vpc-endpoint*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

DeleteVpcPeeringConnection | Grants permission to delete a VPC peering connection | Write
    vpc-peering-connection*: aws:ResourceTag/${TagKey}, ec2:AccepterVpc, ec2:Region, ec2:RequesterVpc, ec2:ResourceTag/${TagKey}

DeleteVpnConnection | Grants permission to delete a VPN connection | Write
    vpn-connection*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:AuthenticationType, ec2:DPDTimeoutSeconds, ec2:GatewayType, ec2:IKEVersions, ec2:InsideTunnelCidr, ec2:Phase1DHGroupNumbers, ec2:Phase2DHGroupNumbers, ec2:Phase1EncryptionAlgorithms, ec2:Phase2EncryptionAlgorithms, ec2:Phase1IntegrityAlgorithms, ec2:Phase2IntegrityAlgorithms, ec2:Phase1LifetimeSeconds, ec2:Phase2LifetimeSeconds, ec2:PresharedKeys, ec2:RekeyFuzzPercentage, ec2:RekeyMarginTimeSeconds, ec2:RoutingType

DeleteVpnConnectionRoute | Grants permission to delete a static route for a VPN connection between a virtual private gateway and a customer gateway | Write

vpn-connection*

aws:ResourceTag/${TagKey}

ec2:Region

ec2:ResourceTag/${TagKey}

ec2:AuthenticationType

ec2:DPDTimeoutSeconds

ec2:GatewayType

ec2:IKEVersions

ec2:InsideTunnelCidr

ec2:Phase1DHGroupNumbers

ec2:Phase2DHGroupNumbers

ec2:Phase1EncryptionAlgorithms

ec2:Phase2EncryptionAlgorithms