Amazon 的操作、资源和条件密钥 EC2 - 服务授权参考
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

Amazon 的操作、资源和条件密钥 EC2

AmazonEC2(服务前缀:ec2)提供以下特定于服务的资源、操作和条件上下文密钥,供在IAM权限策略中使用。

参考:

Amazon 定义的操作 EC2

您可以在 Action 策略语句的 IAM 元素中指定以下操作。可以使用策略授予在 Amazon中执行操作的权限。当您在策略中使用操作时,通常会允许或拒绝访问具有相同名称的API操作或CLI命令。但在某些情况下,单一动作可控制对多项操作的访问。还有某些操作需要多种不同的动作。

操作表的资源类型列指示每项操作是否支持资源级权限。如果该列没有任何值,您必须在策略语句的 Resource 元素中指定策略应用的所有资源(“*”)。如果该列包含资源类型,则可以在带有该操作ARN的语句中指定该类型的资源类型。如果操作具有一个或多个必需资源,则调用方必须具有使用这些资源来使用该操作的权限。必需资源在表中以星号 (*) 表示。如果您使用IAM策略中的Resource元素限制资源访问权限,则必须为每种必需的资源类型包含ARN或模式。某些操作支持多种资源类型。如果资源类型是可选的(未指示为必需),则可以选择使用一种可选资源类型。

操作表的条件键列包括可以在策略语句的 Condition 元素中指定的键。有关与服务资源关联的条件键的更多信息,请参阅资源类型表的条件键列。

注意

资源条件键在资源类型表中列出。您可以在操作表的资源类型(* 为必需)列中找到应用于某项操作的资源类型的链接。资源类型表中的资源类型包括条件密钥列,这是应用于操作表中操作的资源条件键。

有关下表中各列的详细信息,请参阅操作表

操作 描述 访问级别 资源类型(* 为必需) 条件键 相关操作
AcceptAddressTransfer 授予权限以接受 Elastic IP 地址转换 写入

elastic-ip*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AllocationId

ec2:Domain

ec2:PublicIpAddress

ec2:CreateTags

ec2:Region

AcceptCapacityReservationBillingOwnership 授予接受将共享容量预留的可用容量计费分配给主叫账户的权限 写入

capacity-reservation*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CapacityReservationFleet

ec2:CreateDate

ec2:DestinationCapacityReservationId

ec2:EbsOptimized

ec2:EndDate

ec2:EndDateType

ec2:InstanceCount

ec2:InstanceMatchCriteria

ec2:InstancePlatform

ec2:InstanceType

ec2:OutpostArn

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:SourceCapacityReservationId

ec2:Tenancy

ec2:Region

AcceptReservedInstancesExchangeQuote 授予权限以接受可转换预留实例交换报价 Write

ec2:Region

AcceptTransitGatewayMulticastDomainAssociations 授予接受关联子网与中转网关多播域的请求的权限 Write

transit-gateway-attachment

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

transit-gateway-multicast-domain

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayMulticastDomainId

ec2:Region

AcceptTransitGatewayPeeringAttachment 授予权限以接受中转网关对等连接请求 写入

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

ec2:Region

AcceptTransitGatewayVpcAttachment 授予接受将连接至公交网关的请求的权限 VPC 写入

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

ec2:Region

AcceptVpcEndpointConnections 授予接受与您的终端节点服务的一个或多个接口VPC终VPC端节点连接的权限 写入

vpc-endpoint-service*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:vpceMultiRegion

ec2:vpceSupportedRegion

ec2:Region

AcceptVpcPeeringConnection 授予接受对VPC等连接请求的权限 写入

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

vpc-peering-connection*

aws:ResourceTag/${TagKey}

ec2:AccepterVpc

ec2:RequesterVpc

ec2:ResourceTag/${TagKey}

ec2:VpcPeeringConnectionID

ec2:Region

AdvertiseByoipCidr 授予 Amazon 通过自带自己的 IP 地址发布预配置的 IP 地址范围的权限 () BYOIP 写入

ec2:Region

AllocateAddress 授予向您的账户分配弹性 IP 地址 (EIP) 的权限 写入

elastic-ip*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

ipam-pool

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipv4pool-ec2

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AllocateHosts 授予权限以向您的账户分配专用主机 写入

dedicated-host*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AutoPlacement

ec2:AvailabilityZone

ec2:HostRecovery

ec2:InstanceType

ec2:Quantity

ec2:CreateTags

ec2:Region

AllocateIpamPoolCidr 授予CIDR从 Amazon VPC IP 地址管理器 (IPAM) 池中分配的权限 写入

ipam-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

ApplySecurityGroupsToClientVpnTargetNetwork 授予将安全组应用于客户端VPN终端节点和目标网络之间的关联的权限 写入

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

security-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

AssignIpv6Addresses 授予向网络接口分配一个或多个IPv6地址的权限 写入

network-interface*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ManagedResourceOperator

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

AssignPrivateIpAddresses 授予权限以将一个或多个辅助私有 IP 地址分配给网络接口 写入

network-interface*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ManagedResourceOperator

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

AssignPrivateNatGatewayAddress 授予向私有NAT网关分配一个或多个辅助私有 IP 地址的权限 写入

natgateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AssociateAddress 授予将弹性 IP 地址 (EIP) 与实例或网络接口关联的权限 写入

elastic-ip

aws:ResourceTag/${TagKey}

ec2:AllocationId

ec2:Domain

ec2:PublicIpAddress

ec2:ResourceTag/${TagKey}

instance

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

network-interface

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ManagedResourceOperator

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

AssociateCapacityReservationBillingOwner 授予将共享容量预留中未使用容量的账单分配给消费者账户的权限 写入

capacity-reservation*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CapacityReservationFleet

ec2:CreateDate

ec2:DestinationCapacityReservationId

ec2:EbsOptimized

ec2:EndDate

ec2:EndDateType

ec2:InstanceCount

ec2:InstanceMatchCriteria

ec2:InstancePlatform

ec2:InstanceType

ec2:OutpostArn

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:SourceCapacityReservationId

ec2:Tenancy

ec2:Region

AssociateClientVpnTargetNetwork 授予将目标网络与客户端VPN终端节点关联的权限 写入

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

subnet*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Region

AssociateDhcpOptions 授予将一组DHCP选项与关联或取消关联的权限 VPC 写入

dhcp-options*

aws:ResourceTag/${TagKey}

ec2:DhcpOptionsID

ec2:ResourceTag/${TagKey}

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

AssociateEnclaveCertificateIamRole 授予将ACM证书与要在 EC2 Encl IAM ave 中使用的角色关联的权限 写入

certificate*

role*

ec2:Region

AssociateIamInstanceProfile 授予将IAM实例配置文件与正在运行或已停止的实例关联的权限 写入

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:NewInstanceProfile

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

iam:PassRole

ec2:Region

AssociateInstanceEventWindow 授予将一个或多个目标与事件窗口关联的权限 写入

instance-event-window*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AssociateIpamByoasn 授予将自治系统编号 (ASN) 与关联的权限 BYOIP CIDR 写入

ec2:Region

AssociateIpamResourceDiscovery 授予将IPAM资源发现与 Amazon 关联的权限 VPC IPAM 写入

ipam*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CreateTags

ipam-resource-discovery*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam-resource-discovery-association*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

AssociateNatGatewayAddress 授予权限以将弹性 IP 地址和私有 IP 地址与公有 NAT 网关关联 写入

elastic-ip*

aws:ResourceTag/${TagKey}

ec2:AllocationId

ec2:Domain

ec2:PublicIpAddress

ec2:ResourceTag/${TagKey}

natgateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AssociateRouteTable 授予权限以将子网或网关与路由表关联 写入

route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

ec2:Vpc

internet-gateway

aws:ResourceTag/${TagKey}

ec2:InternetGatewayID

ec2:ResourceTag/${TagKey}

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

vpn-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AssociateSecurityGroupVpc 授予将一个安全组与同一区域VPC中的另一个安全组关联的权限 写入

security-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

vpc*

aws:ResourceTag/${TagKey}

ec2:Ipv4IpamPoolId

ec2:Ipv6IpamPoolId

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

AssociateSubnetCidrBlock 授予将CIDR区块与子网关联的权限 写入

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

ipam-pool

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AssociateTransitGatewayMulticastDomain 授予权限以将子网连接和列表与中转网关多播域关联 写入

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

transit-gateway-multicast-domain*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayMulticastDomainId

ec2:Region

AssociateTransitGatewayPolicyTable 授予权限以将策略表与中转网关连接关联: 写入

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

transit-gateway-policy-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayPolicyTableId

ec2:Region

AssociateTransitGatewayRouteTable 授予权限以将连接与中转网关路由表关联 写入

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableId

ec2:Region

AssociateTrunkInterface 授予将分支网络接口与中继网络接口关联的权限 写入

ec2:Region

AssociateVerifiedAccessInstanceWebAcl[仅权限] 授予将 Amazon Web 应用程序防火墙 (WAF) Web 访问控制列表 (ACL) 与已验证访问实例关联的权限 写入

verified-access-instance*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AssociateVpcCidrBlock 授予将CIDR方块与关联的权限 VPC 写入

vpc*

aws:ResourceTag/${TagKey}

ec2:Ipv4IpamPoolId

ec2:Ipv6IpamPoolId

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ipam-pool

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipv6pool-ec2

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AttachClassicLinkVpc 授予VPC通过一个或多个安全组将 EC2-Class ClassicLink ic 实例关联到启用的实例VPC的权限 写入

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

security-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

AttachInternetGateway 授予将互联网网关附加到的权限 VPC 写入

internet-gateway*

aws:ResourceTag/${TagKey}

ec2:InternetGatewayID

ec2:ResourceTag/${TagKey}

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

AttachNetworkInterface 授予权限以将网络接口附加到实例 写入

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

network-interface*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ManagedResourceOperator

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

AttachVerifiedAccessTrustProvider 授予权限以将信任提供商附加到验证访问实例 写入

verified-access-instance*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

verified-access-trust-provider*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AttachVolume 授予将EBS卷连接到正在运行或已停止的实例并将其公开给具有指定设备名称的实例的权限 写入

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

volume*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ManagedResourceOperator

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:Region

AttachVpnGateway 授予将虚拟专用网关附加到的权限 VPC 写入

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

vpn-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

AuthorizeClientVpnIngress 授予向客户端VPN终端节点添加入站授权规则的权限 写入

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

AuthorizeSecurityGroupEgress 授予向VPC安全组添加一条或多条出站规则的权限。只有当请求包含 security-group-rule资源级权限时,才会强制执行使用资源级权限的API策略 TagSpecifications 写入

security-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

ec2:CreateTags

security-group-rule

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

AuthorizeSecurityGroupIngress 授予向VPC安全组添加一条或多条入站规则的权限。只有当请求包含 security-group-rule资源级权限时,才会强制执行使用资源级权限的API策略 TagSpecifications 写入

security-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

ec2:CreateTags

security-group-rule

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

BundleInstance 授予权限以捆绑实例存储支持的 Windows 实例 Write

ec2:Region

CancelBundleTask 授予权限以取消捆绑操作 Write

ec2:Region

CancelCapacityReservation 授予权限以取消容量预留并释放预留的容量 写入

capacity-reservation*

aws:ResourceTag/${TagKey}

ec2:CapacityReservationFleet

ec2:Region

CancelCapacityReservationFleets 授予取消一个或多个容量预留队列的权限 写入

capacity-reservation-fleet*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CancelCapacityReservation

ec2:Region

CancelConversionTask 授予权限以取消活动转换任务 写入

ec2:Region

CancelDeclarativePoliciesReport 授予取消声明性政策报告的权限 写入

declarative-policies-report*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CancelExportTask 授予权限以取消活动导出任务 写入

export-image-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

export-instance-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CancelImageLaunchPermission 授予权限以 Amazon Web Services 账户 从指定项的启动权限中移除您的权限 AMI 写入

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

CancelImportTask 授予权限以取消正在进行的导入虚拟机或导入快照任务 Write

import-image-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

import-snapshot-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CancelReservedInstancesListing 授予权限以取消预留实例 Marketplace 上的预留实例出售清单 Write

ec2:Region

CancelSpotFleetRequests 授予权限以取消一个或多个 Spot 队列请求 Write

spot-fleet-request*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CancelSpotInstanceRequests 授予权限以取消一个或多个 Spot 实例请求 Write

spot-instances-request*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

ConfirmProductInstance 授予权限以确定拥有的产品代码是否与实例关联 写入

ec2:Region

CopyFpgaImage 授予将来源 Amazon FPGA 图片 (AFI) 复制到当前地区的权限。为此操作指定的资源级权限仅适用于新的AFI权限。它们不适用于来源 AFI 写入

fpga-image*

ec2:Owner

ec2:Region

CopyImage 授予将 Amazon 系统映像 (AMI) 从源区域复制到当前区域的权限 写入

image*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:ImageID

ec2:Owner

ec2:CreateTags

snapshot*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CopySnapshot 授予复制EBS卷 point-in-time快照并将其存储在 Amazon S3 中的权限。为此操作指定的资源级权限仅适用于新快照。它们不适用于源快照 Write

snapshot*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:OutpostArn

ec2:SnapshotID

ec2:CreateTags

ec2:Region

CreateCapacityReservation 授予权限以创建容量预留 写入

capacity-reservation*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CapacityReservationFleet

ec2:CreateTags

ec2:Region

CreateCapacityReservationBySplitting 授予权限以通过拆分源容量预留的可用容量来创建新容量预留 写入

capacity-reservation*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CapacityReservationFleet

ec2:CreateDate

ec2:DestinationCapacityReservationId

ec2:EbsOptimized

ec2:EndDate

ec2:EndDateType

ec2:InstanceCount

ec2:InstanceMatchCriteria

ec2:InstancePlatform

ec2:InstanceType

ec2:OutpostArn

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:SourceCapacityReservationId

ec2:Tenancy

ec2:CreateTags

ec2:Region

CreateCapacityReservationFleet 授予创建容量预留机群的权限 写入

capacity-reservation-fleet*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateCapacityReservation

ec2:CreateTags

ec2:DescribeCapacityReservations

ec2:DescribeInstances

ec2:Region

CreateCarrierGateway 授予创建运营商网关的权限并为VPC客户提供CSP连接 写入

carrier-gateway*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

CreateClientVpnEndpoint 授予创建客户端VPN终端节点的权限 写入

client-vpn-endpoint*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:CreateTags

security-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:VpcID

ec2:Region

CreateClientVpnRoute 授予向客户端VPN终端节点的路由表添加网络路由的权限 写入

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

subnet*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Region

CreateCoipCidr 授予创建一系列客户拥有的 IP (CoIP) 地址的权限 写入

coip-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateCoipPool 授予创建客户拥有的 IP (CoIP) 地址池的权限 写入

coip-pool*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

local-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateCoipPoolPermission[仅权限] 授予允许服务访问客户拥有的 IP (CoIP) 池的权限 写入

coip-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateCustomerGateway 授予创建客户网关的权限,该网关向您的客户网关设备提供 Amazon 有关信息 写入

customer-gateway*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

ec2:Region

CreateDefaultSubnet 授予在默认可用区中创建默认子网的权限 VPC 写入

ec2:Region

CreateDefaultVpc 授予在每个可用区中VPC使用默认子网创建默认子网的权限 写入

ec2:Region

CreateDhcpOptions 授予为创建一组DHCP选项的权限 VPC 写入

dhcp-options*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:DhcpOptionsID

ec2:CreateTags

ec2:Region

CreateEgressOnlyInternetGateway 授予为创建仅限出站的互联网网关的权限 VPC 写入

egress-only-internet-gateway*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

CreateFleet 授予启动EC2舰队的权限。此操作的资源级权限不包括启动模板中指定的资源。要为启动模板中指定的资源指定资源级权限,您必须在操作语句中 RunInstances 包含这些资源 写入

fleet*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

instance*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceID

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:PlacementGroup

ec2:RootDeviceType

ec2:Tenancy

image

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

launch-template

aws:ResourceTag/${TagKey}

ec2:ManagedResourceOperator

ec2:ResourceTag/${TagKey}

placement-group

aws:ResourceTag/${TagKey}

ec2:PlacementGroupName

ec2:PlacementGroupStrategy

ec2:ResourceTag/${TagKey}

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

volume

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AvailabilityZone

ec2:Encrypted

ec2:KmsKeyId

ec2:ManagedResourceOperator

ec2:ParentSnapshot

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:Region

CreateFlowLogs 授予权限以创建一个或多个流日志,用于捕获网络接口的 IP 流量 写入

vpc-flow-log*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

ecs:ListClusters

ecs:ListContainerInstances

ecs:ListServices

ecs:ListTaskDefinitions

ecs:ListTasks

iam:PassRole

network-interface

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

transit-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayId

transit-gateway-attachment

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

CreateFpgaImage 授予从设计检查点 (AFI) 创建 Amazon FPGA 图片的权限 (DCP) 写入

fpga-image*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Owner

ec2:Public

ec2:CreateTags

ec2:Region

CreateImage 授予AMI从已停止或正在运行的由亚马逊EBS支持的实例创建由亚马逊EBS支持的实例的权限 写入

image*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:ImageID

ec2:Owner

ec2:CreateTags

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

snapshot*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:OutpostArn

ec2:ParentVolume

ec2:SnapshotID

ec2:SnapshotTime

ec2:SourceOutpostArn

ec2:VolumeSize

ec2:Region

CreateInstanceConnectEndpoint 授予创建 Instance EC2 Connect 终端节点的权限,该终端节点允许您在没有公有IPv4地址的情况下连接到实例 写入

instance-connect-endpoint*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:SubnetID

ec2:CreateTags

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

security-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

ec2:Region

CreateInstanceEventWindow 授予权限以创建事件窗口,关联的 Amazon EC2 实例的计划事件可以在该窗口中运行 写入

instance-event-window*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

ec2:Region

CreateInstanceExportTask 授予权限以将正在运行或已停止的实例导出到 Amazon S3 存储桶 写入

export-instance-task*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

CreateInternetGateway 授予为创建互联网网关的权限 VPC 写入

internet-gateway*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:InternetGatewayID

ec2:CreateTags

ec2:Region

CreateIpam 授予创建 Amazon VPC IP 地址管理器的权限 (IPAM) 写入

ipam*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

iam:CreateServiceLinkedRole

ec2:Region

CreateIpamExternalResourceVerificationToken 授予权限以创建验证令牌,该令牌可证明外部资源的所有权 写入

ipam*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CreateTags

ipam-external-resource-verification-token*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateIpamPool 授予为 Amazon IP 地址管理器 (IPAM) 创建 VPC IP 地址池的权限,该地址池是一个连续 IP 地址的集合 CIDRs 写入

ipam-pool*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

ipam-scope*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateIpamResourceDiscovery 授予创建IPAM资源发现的权限 写入

ipam-resource-discovery*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

iam:CreateServiceLinkedRole

ec2:Region

CreateIpamScope 授予创建 Amazon VPC IP 地址管理器 (IPAM) 范围的权限,该作用域是其中最高级别的容器 IPAM 写入

ipam*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CreateTags

ipam-scope*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateKeyPair 授予创建 2048 位密钥RSA对的权限 写入

key-pair*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:KeyPairType

ec2:CreateTags

ec2:Region

CreateLaunchTemplate 授予权限以创建启动模板 Write

launch-template*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:ManagedResourceOperator

ec2:CreateTags

ssm:GetParameters

ec2:Region

CreateLaunchTemplateVersion 授予权限以创建启动模板的新版本 Write

launch-template*

aws:ResourceTag/${TagKey}

ec2:ManagedResourceOperator

ec2:ResourceTag/${TagKey}

ssm:GetParameters

ec2:Region

CreateLocalGatewayRoute 授予权限以为本地网关路由表创建静态路由 写入

local-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-virtual-interface-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-interface

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ManagedResourceOperator

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

prefix-list

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateLocalGatewayRouteTable 授予创建本地网关路由表的权限 写入

local-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CreateTags

local-gateway-route-table*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateLocalGatewayRouteTablePermission[仅权限] 授予允许服务访问本地网关路由表的权限 写入

local-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateLocalGatewayRouteTableVirtualInterfaceGroupAssociation 授予创建本地网关路由表虚拟接口组关联的权限 写入

local-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CreateTags

local-gateway-route-table-virtual-interface-group-association*

aws:RequestTag/${TagKey}

aws:TagKeys

local-gateway-virtual-interface-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateLocalGatewayRouteTableVpcAssociation 授予将VPC与本地网关路由表关联的权限 写入

local-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CreateTags

local-gateway-route-table-vpc-association*

aws:RequestTag/${TagKey}

aws:TagKeys

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

CreateManagedPrefixList 授予权限以创建托管前缀列表 写入

prefix-list*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

ec2:Region

CreateNatGateway 授予在子NAT网中创建网关的权限 写入

natgateway*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

elastic-ip

aws:ResourceTag/${TagKey}

ec2:AllocationId

ec2:Domain

ec2:PublicIpAddress

ec2:ResourceTag/${TagKey}

ec2:Region

CreateNetworkAcl 授予在中创建网络ACL的权限 VPC 写入

network-acl*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:NetworkAclID

ec2:CreateTags

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

CreateNetworkAclEntry 授予在网络中创建带编号的条目(规则)的权限 ACL 写入

network-acl*

aws:ResourceTag/${TagKey}

ec2:NetworkAclID

ec2:ResourceTag/${TagKey}

ec2:Vpc

ec2:Region

CreateNetworkInsightsAccessScope 授予创建网络访问范围的权限 写入

network-insights-access-scope*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

ec2:Region

CreateNetworkInsightsPath 授予创建路径以分析可访问性的权限 Write

network-insights-path*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

instance

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

internet-gateway

aws:ResourceTag/${TagKey}

ec2:InternetGatewayID

ec2:ResourceTag/${TagKey}

network-interface

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ManagedResourceOperator

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

transit-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayId

vpc-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-endpoint-service

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-peering-connection

aws:ResourceTag/${TagKey}

ec2:AccepterVpc

ec2:RequesterVpc

ec2:ResourceTag/${TagKey}

ec2:VpcPeeringConnectionID

vpn-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateNetworkInterface 授予权限以在子网中创建网络接口 写入

network-interface*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:ManagedResourceOperator

ec2:NetworkInterfaceID

ec2:CreateTags

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

security-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

ec2:Region

CreateNetworkInterfacePermission 授予权限以创建权限,允许 Amazon授权用户在网络接口上执行某些操作 权限管理

network-interface*

aws:ResourceTag/${TagKey}

ec2:AuthorizedService

ec2:AuthorizedUser

ec2:AvailabilityZone

ec2:NetworkInterfaceID

ec2:Permission

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

CreatePlacementGroup 授予权限以创建置放群组 写入

placement-group*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:PlacementGroupName

ec2:PlacementGroupStrategy

ec2:CreateTags

ec2:Region

CreatePublicIpv4Pool 授予您创建公共IPv4地址池的权限 IPv4CIDRs,该地址池由您拥有并带到亚马逊使用 Amazon VPC IP 地址管理器进行管理 (IPAM) 写入

ipv4pool-ec2*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

ec2:Region

CreateReplaceRootVolumeTask 授予创建根卷替换任务的权限 Write

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:CreateTags

replace-root-volume-task*

aws:RequestTag/${TagKey}

aws:TagKeys

volume*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:ManagedResourceOperator

ec2:VolumeID

image

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

snapshot

aws:ResourceTag/${TagKey}

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotID

ec2:SnapshotTime

ec2:VolumeSize

ec2:Region

CreateReservedInstancesListing 授予权限以创建要在预留实例 Marketplace 出售的标准预留实例的列表 写入

ec2:Region

CreateRestoreImageTask 授予启动任务的权限,该任务AMI从先前使用创建的 S3 对象中恢复 CreateStoreImageTask 写入

image*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:ImageID

ec2:Owner

ec2:CreateTags

ec2:Region

CreateRoute 授予在路由表中创建VPC路由的权限 写入

route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

ec2:Vpc

ec2:Region

CreateRouteTable 授予为创建路由表的权限 VPC 写入

route-table*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:RouteTableID

ec2:CreateTags

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

CreateSecurityGroup 授予权限以创建安全组 写入

security-group*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:SecurityGroupID

ec2:CreateTags

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

CreateSnapshot 授予创建EBS卷快照并将其存储在 Amazon S3 中的权限 写入

snapshot*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Location

ec2:OutpostArn

ec2:ParentVolume

ec2:SnapshotID

ec2:SourceAvailabilityZone

ec2:SourceOutpostArn

ec2:VolumeSize

ec2:CreateTags

volume*

aws:ResourceTag/${TagKey}

ec2:Encrypted

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:Region

CreateSnapshots 授予创建多个EBS卷的崩溃一致性快照并将其存储在 Amazon S3 中的权限 写入

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceID

ec2:InstanceProfile

ec2:InstanceType

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:CreateTags

snapshot*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Location

ec2:OutpostArn

ec2:ParentVolume

ec2:SnapshotID

ec2:SourceAvailabilityZone

ec2:SourceOutpostArn

ec2:VolumeSize

volume*

aws:ResourceTag/${TagKey}

ec2:Encrypted

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:Region

CreateSpotDatafeedSubscription 授予权限以便为 Spot 实例创建数据源,用于查看 Spot 实例使用日志 写入

ec2:Region

CreateStoreImageTask 授予将AMI作为单个对象存储在 S3 存储桶中的权限 写入

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

CreateSubnet 授予在中创建子网的权限 VPC 写入

subnet*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:SubnetID

ec2:CreateTags

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ipam-pool

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateSubnetCidrReservation 授予创建子网CIDR预留的权限 写入

ec2:Region

CreateTags 授予为 Amazon EC2 资源添加或覆盖一个或多个标签的权限 标记

capacity-reservation

aws:ResourceTag/${TagKey}

capacity-reservation-fleet

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

carrier-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:Vpc

client-vpn-endpoint

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

coip-pool

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

customer-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

declarative-policies-report

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

dedicated-host

aws:ResourceTag/${TagKey}

ec2:AutoPlacement

ec2:AvailabilityZone

ec2:HostRecovery

ec2:InstanceType

ec2:Quantity

ec2:ResourceTag/${TagKey}

dhcp-options

aws:ResourceTag/${TagKey}

ec2:DhcpOptionsID

ec2:ResourceTag/${TagKey}

egress-only-internet-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

elastic-gpu

aws:ResourceTag/${TagKey}

ec2:ElasticGpuType

ec2:ResourceTag/${TagKey}

elastic-ip

aws:ResourceTag/${TagKey}

ec2:AllocationId

ec2:Domain

ec2:PublicIpAddress

ec2:ResourceTag/${TagKey}

export-image-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

export-instance-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

fleet

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

fpga-image

aws:ResourceTag/${TagKey}

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

host-reservation

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

image

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

import-image-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

import-snapshot-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

instance

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

instance-connect-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SubnetID

instance-event-window

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

internet-gateway

aws:ResourceTag/${TagKey}

ec2:InternetGatewayID

ec2:ResourceTag/${TagKey}

ipam

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam-external-resource-verification-token

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam-pool

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam-resource-discovery

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam-resource-discovery-association

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam-scope

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipv4pool-ec2

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipv6pool-ec2

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

key-pair

aws:ResourceTag/${TagKey}

ec2:KeyPairName

ec2:KeyPairType

ec2:ResourceTag/${TagKey}

launch-template

aws:ResourceTag/${TagKey}

ec2:ManagedResourceOperator

ec2:ResourceTag/${TagKey}

local-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-route-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-route-table-virtual-interface-group-association

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-route-table-vpc-association

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-virtual-interface

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-virtual-interface-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

natgateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-acl

aws:ResourceTag/${TagKey}

ec2:NetworkAclID

ec2:ResourceTag/${TagKey}

ec2:Vpc

network-insights-access-scope

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-insights-access-scope-analysis

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-insights-analysis

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-insights-path

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-interface

aws:ResourceTag/${TagKey}

ec2:AuthorizedUser

ec2:AvailabilityZone

ec2:ManagedResourceOperator

ec2:NetworkInterfaceID

ec2:Permission

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

placement-group

aws:ResourceTag/${TagKey}

ec2:PlacementGroupName

ec2:PlacementGroupStrategy

ec2:ResourceTag/${TagKey}

prefix-list

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

replace-root-volume-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

reserved-instances

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:InstanceType

ec2:ReservedInstancesOfferingType

ec2:ResourceTag/${TagKey}

ec2:Tenancy

route-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

ec2:Vpc

security-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

security-group-rule

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

snapshot

aws:ResourceTag/${TagKey}

ec2:Encrypted

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotID

ec2:SnapshotTime

ec2:VolumeSize

spot-fleet-request

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

spot-instances-request

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

subnet-cidr-reservation

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

traffic-mirror-filter

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

traffic-mirror-session

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

traffic-mirror-target

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayId

transit-gateway-attachment

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

transit-gateway-connect-peer

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayConnectPeerId

transit-gateway-multicast-domain

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayMulticastDomainId

transit-gateway-policy-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayPolicyTableId

transit-gateway-route-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableId

transit-gateway-route-table-announcement

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableAnnouncementId

verified-access-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

verified-access-endpoint-target

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

verified-access-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

verified-access-instance

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

verified-access-policy

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

verified-access-trust-provider

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

volume

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ManagedResourceOperator

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

vpc-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-endpoint-connection

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-endpoint-service

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:vpceMultiRegion

ec2:vpceServiceRegion

ec2:vpceSupportedRegion

vpc-endpoint-service-permission

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-flow-log

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-peering-connection

aws:ResourceTag/${TagKey}

ec2:AccepterVpc

ec2:RequesterVpc

ec2:ResourceTag/${TagKey}

ec2:VpcPeeringConnectionID

vpn-connection

aws:ResourceTag/${TagKey}

ec2:AuthenticationType

ec2:DPDTimeoutSeconds

ec2:GatewayType

ec2:IKEVersions

ec2:InsideTunnelCidr

ec2:InsideTunnelIpv6Cidr

ec2:Phase1DHGroup

ec2:Phase1EncryptionAlgorithms

ec2:Phase1IntegrityAlgorithms

ec2:Phase1LifetimeSeconds

ec2:Phase2DHGroup

ec2:Phase2EncryptionAlgorithms

ec2:Phase2IntegrityAlgorithms

ec2:Phase2LifetimeSeconds

ec2:RekeyFuzzPercentage

ec2:RekeyMarginTimeSeconds

ec2:ReplayWindowSizePackets

ec2:ResourceTag/${TagKey}

ec2:RoutingType

vpn-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CreateAction

ec2:Region

CreateTrafficMirrorFilter 授予权限以创建流量镜像筛选条件 Write

traffic-mirror-filter*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

ec2:Region

CreateTrafficMirrorFilterRule 授予权限以创建流量镜像筛选条件规则 Write

traffic-mirror-filter*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CreateTags

traffic-mirror-filter-rule*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Region

CreateTrafficMirrorSession 授予权限以创建流量镜像会话 Write

network-interface*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ManagedResourceOperator

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:CreateTags

traffic-mirror-filter*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

traffic-mirror-session*

aws:RequestTag/${TagKey}

aws:TagKeys

traffic-mirror-target*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateTrafficMirrorTarget 授予权限以创建流量镜像目标 Write

traffic-mirror-target*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

network-interface

aws:ResourceTag/${TagKey}

ec2:ManagedResourceOperator

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

vpc-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:VpceServiceName

ec2:VpceServiceOwner

ec2:Region

CreateTransitGateway 授予权限以创建中转网关 Write

transit-gateway*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:transitGatewayId

ec2:CreateTags

ec2:Region

CreateTransitGatewayConnect 授予从指定中转网关挂载创建连接挂载的权限 Write

transit-gateway-attachment*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:transitGatewayAttachmentId

ec2:CreateTags

ec2:Region

CreateTransitGatewayConnectPeer 授予在中转网关和设备之间创建对等连接的权限 Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

ec2:CreateTags

transit-gateway-connect-peer*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:transitGatewayConnectPeerId

ec2:Region

CreateTransitGatewayMulticastDomain 授予权限以便为中转网关创建多播域 Write

transit-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayId

ec2:CreateTags

transit-gateway-multicast-domain*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:transitGatewayMulticastDomainId

ec2:Region

CreateTransitGatewayPeeringAttachment 授予权限以在请求方和接受方中转网关之间请求中转网关对等连接 写入

transit-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayId

ec2:CreateTags

transit-gateway-attachment*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:transitGatewayAttachmentId

ec2:Region

CreateTransitGatewayPolicyTable 授予权限以创建中转网关策略表 写入

transit-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayId

ec2:CreateTags

transit-gateway-policy-table*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:transitGatewayPolicyTableId

ec2:Region

CreateTransitGatewayPrefixListReference 授予权限以创建中转网关前缀列表引用 Write

prefix-list*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableId

transit-gateway-attachment

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

ec2:Region

CreateTransitGatewayRoute 授予权限以便为中转网关路由表创建静态路由 Write

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableId

transit-gateway-attachment

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

ec2:Region

CreateTransitGatewayRouteTable 授予权限以便为中转网关创建路由表 写入

transit-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayId

ec2:CreateTags

transit-gateway-route-table*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:transitGatewayRouteTableId

ec2:Region

CreateTransitGatewayRouteTableAnnouncement 授予权限以创建中转网关路由表的公告 写入

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

ec2:CreateTags

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableId

transit-gateway-route-table-announcement*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:transitGatewayRouteTableAnnouncementId

ec2:Region

CreateTransitGatewayVpcAttachment 授予将连接至公交网关的权限 VPC 写入

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

ec2:CreateTags

transit-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayId

transit-gateway-attachment*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:transitGatewayAttachmentId

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

CreateVerifiedAccessEndpoint 授予权限以创建验证访问端点 写入

verified-access-endpoint*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

verified-access-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-interface

aws:ResourceTag/${TagKey}

ec2:AuthorizedUser

ec2:AvailabilityZone

ec2:ManagedResourceOperator

ec2:NetworkInterfaceID

ec2:Permission

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

security-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

ec2:Region

CreateVerifiedAccessGroup 授予权限以创建验证访问组 写入

verified-access-group*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

verified-access-instance*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateVerifiedAccessInstance 授予权限以创建验证访问实例 写入

verified-access-instance*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

ec2:Region

CreateVerifiedAccessTrustProvider 授予权限以创建验证的信任提供商 写入

verified-access-trust-provider*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

ec2:Region

CreateVolume 授予创建EBS卷的权限 写入

volume*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AvailabilityZone

ec2:Encrypted

ec2:KmsKeyId

ec2:ManagedResourceOperator

ec2:ParentSnapshot

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:CreateTags

ec2:Region

CreateVpc 授予使用指定VPCCIDR区块创建的权限 写入

vpc*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:Ipv4IpamPoolId

ec2:Ipv6IpamPoolId

ec2:VpcID

ec2:CreateTags

ipam-pool

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipv6pool-ec2

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateVpcBlockPublicAccessExclusion 授予在上创建禁止公开访问的排除列表的权限 VPC 写入

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

ec2:CreateTags

vpc

aws:ResourceTag/${TagKey}

ec2:Ipv4IpamPoolId

ec2:Ipv6IpamPoolId

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

CreateVpcEndpoint 授予为 Amazon 服务创建VPC终端节点的权限 写入

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:VpcID

ec2:CreateTags

route53:AssociateVPCWithHostedZone

vpc-endpoint*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:VpceServiceName

ec2:VpceServiceOwner

route-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

security-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

subnet

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Region

CreateVpcEndpointConnectionNotification 授予为VPC终端节点或VPC终端节点服务创建连接通知的权限 写入

vpc-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-endpoint-service

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:vpceMultiRegion

ec2:vpceServiceRegion

ec2:Region

CreateVpcEndpointServiceConfiguration 授予创建服务使用者(Amazon 账户、IAM用户和IAM角色)可以连接的VPC终端节点服务配置的权限 写入

vpc-endpoint-service*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:VpceServicePrivateDnsName

ec2:vpceMultiRegion

ec2:vpceServiceRegion

ec2:CreateTags

ec2:Region

CreateVpcPeeringConnection 授予请求在两者之间建立VPC对等连接的权限 VPCs 写入

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:CreateTags

vpc-peering-connection*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AccepterVpc

ec2:RequesterVpc

ec2:VpcPeeringConnectionID

ec2:Region

CreateVpnConnection 授予在虚拟专用网关或传输网关与客户网关之间创建VPN连接的权限 写入

customer-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:CreateTags

vpn-connection*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:AuthenticationType

ec2:DPDTimeoutSeconds

ec2:GatewayType

ec2:IKEVersions

ec2:InsideTunnelCidr

ec2:InsideTunnelIpv6Cidr

ec2:Phase1DHGroup

ec2:Phase1EncryptionAlgorithms

ec2:Phase1IntegrityAlgorithms

ec2:Phase1LifetimeSeconds

ec2:Phase2DHGroup

ec2:Phase2EncryptionAlgorithms

ec2:Phase2IntegrityAlgorithms

ec2:Phase2LifetimeSeconds

ec2:RekeyFuzzPercentage

ec2:RekeyMarginTimeSeconds

ec2:ReplayWindowSizePackets

ec2:RoutingType

transit-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayId

transit-gateway-attachment

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

vpn-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateVpnConnectionRoute 授予为虚拟专用网关和客户网关之间的VPN连接创建静态路由的权限 写入

vpn-connection*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

CreateVpnGateway 授予权限以创建虚拟私有网关 Write

vpn-gateway*

aws:RequestTag/${TagKey}

aws:TagKeys

ec2:CreateTags

ec2:Region

DeleteCarrierGateway 授予权限以删除运营商网关 写入

carrier-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteClientVpnEndpoint 授予删除客户端VPN终端节点的权限 写入

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

DeleteClientVpnRoute 授予从客户端VPN终端节点删除路由的权限 写入

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

ec2:Region

DeleteCoipCidr 授予删除一系列客户拥有的 IP (CoIP) 地址的权限 写入

coip-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteCoipPool 授予删除客户拥有的 IP (CoIP) 地址池的权限 写入

coip-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteCoipPoolPermission[仅权限] 授予拒绝服务访问客户拥有的 IP (CoIP) 池的权限 写入

coip-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteCustomerGateway 授予权限以删除客户网关 写入

customer-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteDhcpOptions 授予删除一组DHCP选项的权限 写入

dhcp-options*

aws:ResourceTag/${TagKey}

ec2:DhcpOptionsID

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteEgressOnlyInternetGateway 授予权限以删除仅出口互联网网关 写入

egress-only-internet-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteFleets 授予删除一个或多个EC2舰队的权限 写入

fleet*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteFlowLogs 授予权限以删除一个或多个流日志 写入

vpc-flow-log*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteFpgaImage 授予删除 Amazon FPGA 图片的权限 (AFI) 写入

fpga-image*

aws:ResourceTag/${TagKey}

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteInstanceConnectEndpoint 授予删除 Instan EC2 ce Connect 终端节点的权限 写入

instance-connect-endpoint*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Region

DeleteInstanceEventWindow 授予删除指定事件窗口的权限 写入

instance-event-window*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteInternetGateway 授予权限以删除互联网网关 写入

internet-gateway*

aws:ResourceTag/${TagKey}

ec2:InternetGatewayID

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteIpam 授予删除 Amazon VPC IP 地址管理器 (IPAM) 和移除与之关联的所有受监控数据(IPAM包括的历史数据)的权限 CIDRs 写入

ipam*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteIpamExternalResourceVerificationToken 授予权限以删除验证令牌,该令牌可证明外部资源的所有权 写入

ipam-external-resource-verification-token*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteIpamPool 授予删除 Amazon VPC IP 地址管理器 (IPAM) 池的权限 写入

ipam-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteIpamResourceDiscovery 授予删除IPAM资源发现的权限 写入

ipam-resource-discovery*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteIpamScope 授予删除 Amazon VPC IP 地址管理器作用域的权限 (IPAM) 写入

ipam-scope*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteKeyPair 通过从 Amazon 移除公钥来授予删除密钥对的权限 EC2 写入

key-pair

aws:ResourceTag/${TagKey}

ec2:KeyPairName

ec2:KeyPairType

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteLaunchTemplate 授予权限以删除启动模板及其关联版本 Write

launch-template*

aws:ResourceTag/${TagKey}

ec2:ManagedResourceOperator

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteLaunchTemplateVersions 授予权限以删除启动模板的一个或多个版本 Write

launch-template*

aws:ResourceTag/${TagKey}

ec2:ManagedResourceOperator

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteLocalGatewayRoute 授予权限以从本地网关路由表中删除路由 写入

local-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

prefix-list

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteLocalGatewayRouteTable 授予删除本地网关路由表的权限 写入

local-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteLocalGatewayRouteTablePermission[仅权限] 授予拒绝服务访问本地网关路由表的权限 写入

local-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteLocalGatewayRouteTableVirtualInterfaceGroupAssociation 授予删除本地网关路由表虚拟接口组关联的权限 写入

local-gateway-route-table-virtual-interface-group-association*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteLocalGatewayRouteTableVpcAssociation 授予删除本地网关路由表VPC和本地网关路由表之间关联的权限 写入

local-gateway-route-table-vpc-association*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteManagedPrefixList 授予权限以删除托管前缀列表 写入

prefix-list*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteNatGateway 授予删除NAT网关的权限 写入

natgateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteNetworkAcl 授予删除网络的权限 ACL 写入

network-acl*

aws:ResourceTag/${TagKey}

ec2:NetworkAclID

ec2:ResourceTag/${TagKey}

ec2:Vpc

ec2:Region

DeleteNetworkAclEntry 授予从网络中删除入站或出站条目(规则)的权限 ACL 写入

network-acl*

aws:ResourceTag/${TagKey}

ec2:NetworkAclID

ec2:ResourceTag/${TagKey}

ec2:Vpc

ec2:Region

DeleteNetworkInsightsAccessScope 授予删除网络访问范围的权限 写入

network-insights-access-scope*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteNetworkInsightsAccessScopeAnalysis 授予删除网络访问范围分析的权限 写入

network-insights-access-scope-analysis*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteNetworkInsightsAnalysis 授予删除网络见解分析的权限 Write

network-insights-analysis*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteNetworkInsightsPath 授予删除网络见解路径的权限 Write

network-insights-path*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteNetworkInterface 授予权限以删除分离的网络接口 Write

network-interface*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ManagedResourceOperator

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

DeleteNetworkInterfacePermission 授予权限以删除与网络接口关联的权限 Permissions management

network-interface

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ManagedResourceOperator

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

DeletePlacementGroup 授予权限以删除置放群组 写入

placement-group

aws:ResourceTag/${TagKey}

ec2:PlacementGroupName

ec2:PlacementGroupStrategy

ec2:ResourceTag/${TagKey}

ec2:Region

DeletePublicIpv4Pool 授予删除您拥有并带到亚马逊使用 Amazon VPC IP 地址管理器管理的公共IPv4CIDRs地址池的权限 (IPAM) IPv4 写入

ipv4pool-ec2*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteQueuedReservedInstances 授予删除指定预留实例的排队购买的权限 写入

ec2:Region

DeleteResourcePolicy[仅权限] 授予从资源中移除允许跨账户共享的IAM策略的权限 写入

ipam-pool

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

placement-group

aws:ResourceTag/${TagKey}

ec2:PlacementGroupName

ec2:PlacementGroupStrategy

ec2:ResourceTag/${TagKey}

verified-access-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteRoute 授予权限以从路由表中删除路由 Write

route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

ec2:Vpc

ec2:Region

DeleteRouteTable 授予权限以删除路由表 Write

route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

ec2:Vpc

ec2:Region

DeleteSecurityGroup 授予权限以删除安全组 写入

security-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

ec2:Region

DeleteSnapshot 授予删除EBS卷快照的权限 写入

snapshot*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:OutpostArn

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotID

ec2:SnapshotTime

ec2:VolumeSize

ec2:Region

DeleteSpotDatafeedSubscription 授予权限以删除 Spot 实例的数据源 Write

ec2:Region

DeleteSubnet 授予权限以删除子网 写入

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

ec2:Region

DeleteSubnetCidrReservation 授予删除子网CIDR预留的权限 写入

ec2:Region

DeleteTags 授予从 Amazon EC2 资源中删除一个或多个标签的权限 标记

capacity-reservation

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

capacity-reservation-fleet

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

carrier-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

client-vpn-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

coip-pool

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

customer-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

declarative-policies-report

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

dedicated-host

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

dhcp-options

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

egress-only-internet-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

elastic-gpu

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

elastic-ip

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

export-image-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

export-instance-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

fleet

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

fpga-image

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

host-reservation

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

image

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

import-image-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

import-snapshot-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

instance

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

instance-connect-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

instance-event-window

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

internet-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam-external-resource-verification-token

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam-pool

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam-resource-discovery

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam-resource-discovery-association

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipam-scope

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipv4pool-ec2

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipv6pool-ec2

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

key-pair

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

launch-template

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-route-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-route-table-virtual-interface-group-association

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-route-table-vpc-association

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-virtual-interface

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

local-gateway-virtual-interface-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

natgateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-acl

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-insights-access-scope

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-insights-access-scope-analysis

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-insights-analysis

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-insights-path

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-interface

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

placement-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

prefix-list

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

replace-root-volume-task

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

reserved-instances

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

route-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

security-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

security-group-rule

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

snapshot

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

spot-fleet-request

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

spot-instances-request

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

subnet

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

subnet-cidr-reservation

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

traffic-mirror-filter

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

traffic-mirror-session

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

traffic-mirror-target

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-attachment

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-connect-peer

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-multicast-domain

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-policy-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-route-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-route-table-announcement

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

verified-access-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

verified-access-endpoint-target

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

verified-access-group

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

verified-access-instance

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

verified-access-policy

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

verified-access-trust-provider

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

volume

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-endpoint-connection

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-endpoint-service

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-endpoint-service-permission

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-flow-log

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-peering-connection

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpn-connection

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpn-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

aws:TagKeys

ec2:Region

DeleteTrafficMirrorFilter 授予权限以删除流量镜像筛选条件 Write

traffic-mirror-filter*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteTrafficMirrorFilterRule 授予权限以删除流量镜像筛选条件规则 Write

traffic-mirror-filter*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

traffic-mirror-filter-rule*

aws:ResourceTag/${TagKey}

ec2:Region

DeleteTrafficMirrorSession 授予权限以删除流量镜像会话 Write

traffic-mirror-session*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteTrafficMirrorTarget 授予权限以删除流量镜像目标 Write

traffic-mirror-target*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteTransitGateway 授予权限以删除中转网关 Write

transit-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayId

ec2:Region

DeleteTransitGatewayConnect 授予删除中转网关连接挂载的权限 Write

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

ec2:Region

DeleteTransitGatewayConnectPeer 授予删除中转网关对等连接的权限 写入

transit-gateway-connect-peer*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayConnectPeerId

ec2:Region

DeleteTransitGatewayMulticastDomain 授予删除中转网关多播域的权限 写入

transit-gateway-multicast-domain*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayMulticastDomainId

ec2:Region

DeleteTransitGatewayPeeringAttachment 授予权限以从中转网关删除对等连接 写入

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

ec2:Region

DeleteTransitGatewayPolicyTable 授予权限以删除中转网关策略表 写入

transit-gateway-policy-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayPolicyTableId

ec2:Region

DeleteTransitGatewayPrefixListReference 授予权限以删除中转网关前缀列表引用 Write

prefix-list*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableId

ec2:Region

DeleteTransitGatewayRoute 授予权限以从中转网关路由表中删除路由 Write

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableId

ec2:Region

DeleteTransitGatewayRouteTable 授予权限以删除中转网关路由表 写入

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableId

ec2:Region

DeleteTransitGatewayRouteTableAnnouncement 授予权限以删除中转网关路由表公告 写入

transit-gateway-route-table-announcement*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableAnnouncementId

ec2:Region

DeleteTransitGatewayVpcAttachment 授予从传输网关删除VPC附件的权限 写入

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

ec2:Region

DeleteVerifiedAccessEndpoint 授予权限以删除验证访问端点 写入

verified-access-endpoint*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteVerifiedAccessGroup 授予权限以删除验证访问组 写入

verified-access-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteVerifiedAccessInstance 授予权限以删除验证访问实例 写入

verified-access-instance*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteVerifiedAccessTrustProvider 授予权限以删除验证的信任提供商 写入

verified-access-trust-provider*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteVolume 授予删除EBS卷的权限 写入

volume*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ManagedResourceOperator

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:Region

DeleteVpc 授予删除权限 VPC 写入

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

DeleteVpcBlockPublicAccessExclusion 授予删除已阻止的公共访问的例外列表的权限 VPC 写入

vpc-block-public-access-exclusion*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteVpcEndpointConnectionNotifications 授予删除一个或多个VPC端点连接通知的权限 写入

vpc-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

vpc-endpoint-service

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:vpceMultiRegion

ec2:vpceSupportedRegion

ec2:Region

DeleteVpcEndpointServiceConfigurations 授予删除一个或多个VPC终端节点服务配置的权限 写入

vpc-endpoint-service*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:vpceMultiRegion

ec2:vpceSupportedRegion

ec2:Region

DeleteVpcEndpoints 授予删除一个或多个VPC终端节点的权限 写入

vpc-endpoint*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:VpceServiceName

ec2:Region

DeleteVpcPeeringConnection 授予删除对等连接VPC的权限 写入

vpc-peering-connection*

aws:ResourceTag/${TagKey}

ec2:AccepterVpc

ec2:RequesterVpc

ec2:ResourceTag/${TagKey}

ec2:VpcPeeringConnectionID

ec2:Region

DeleteVpnConnection 授予删除VPN连接的权限 写入

vpn-connection*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteVpnConnectionRoute 授予删除虚拟专用网关和客户网关之间VPN连接的静态路由的权限 写入

vpn-connection*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeleteVpnGateway 授予权限以删除虚拟私有网关 写入

vpn-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeprovisionByoipCidr 授予释放通过自带 IP 地址 (BYOIP) 配置的 IP 地址范围以及删除相应地址池的权限 写入

ec2:Region

DeprovisionIpamByoasn 授予从亚马逊 Web Services 账户取消配置自治系统编号 (ASN) 的权限 写入

ipam*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeprovisionIpamPoolCidr 授予从 Amazon VPC IP 地址管理器 () IPAM 池中取消CIDR配置的资源的权限 写入

ipam-pool*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeprovisionPublicIpv4PoolCidr 授予CIDR从公共IPv4池中取消置备的权限 写入

ipv4pool-ec2*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DeregisterImage 授予取消注册 Amazon 系统映像的权限 () AMI 写入

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

DeregisterInstanceEventNotificationAttributes 授予权限以从标签集中删除标签,从而包含在有关实例的计划事件的通知中 Write

ec2:Region

DeregisterTransitGatewayMulticastGroupMembers 授予权限以从中转网关多播域的组 IP 地址中取消注册一个或多个网络接口成员 Write

network-interface

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ManagedResourceOperator

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

transit-gateway-multicast-domain

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayMulticastDomainId

ec2:Region

DeregisterTransitGatewayMulticastGroupSources 授予权限以从中转网关多播域的组 IP 地址中取消注册一个或多个网络接口源 写入

network-interface

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ManagedResourceOperator

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

transit-gateway-multicast-domain

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayMulticastDomainId

ec2:Region

DescribeAccountAttributes 授予描述属性的权限 Amazon Web Services 账户 列表

ec2:Region

DescribeAddressTransfers 授予权限以描述 Elastic IP 地址转换 列表

ec2:Region

DescribeAddresses 授予权限以描述一个或多个弹性 IP 地址 List

ec2:Region

DescribeAddressesAttribute 授予权限以描述指定弹性 IP 地址的属性 List

ec2:Region

DescribeAggregateIdFormat 授予权限以描述所有资源类型的较长 ID 格式设置 List

ec2:Region

DescribeAvailabilityZones 授予权限以描述可供您使用的一个或多个可用区 列表

ec2:Region

DescribeAwsNetworkPerformanceMetricSubscriptions 授予权限以描述当前基础设施性能指标订阅 列表

ec2:Region

DescribeBundleTasks 授予权限以描述一个或多个捆绑任务 列表

ec2:Region

DescribeByoipCidrs 授予描述通过自带 IP 地址配置的 IP 地址范围的权限 () BYOIP 列表

ec2:Region

DescribeCapacityBlockExtensionHistory 授予描述容量区块扩展历史记录的权限 列表

capacity-reservation

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CapacityReservationFleet

ec2:CreateDate

ec2:DestinationCapacityReservationId

ec2:EbsOptimized

ec2:EndDate

ec2:EndDateType

ec2:InstanceCount

ec2:InstanceMatchCriteria

ec2:InstancePlatform

ec2:InstanceType

ec2:OutpostArn

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:SourceCapacityReservationId

ec2:Tenancy

ec2:Region

DescribeCapacityBlockExtensionOfferings 授予描述容量区块扩展产品的权限 列表

capacity-reservation*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CapacityReservationFleet

ec2:CreateDate

ec2:DestinationCapacityReservationId

ec2:EbsOptimized

ec2:EndDate

ec2:EndDateType

ec2:InstanceCount

ec2:InstanceMatchCriteria

ec2:InstancePlatform

ec2:InstanceType

ec2:OutpostArn

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:SourceCapacityReservationId

ec2:Tenancy

ec2:Region

DescribeCapacityBlockOfferings 授予描述可供购买的容量块产品的权限 列表

ec2:Region

DescribeCapacityReservationBillingRequests 授予描述一个或多个请求的权限,以分配容量预留的未使用容量的账单 列表

ec2:Region

DescribeCapacityReservationFleets 授予权限以描述一个或多个容量预留机群 列表

ec2:Region

DescribeCapacityReservations 授予权限以描述一个或多个容量预留 List

ec2:Region

DescribeCarrierGateways 授予权限以描述一个或多个运营商网关 列表

ec2:Region

DescribeClassicLinkInstances 授予描述一个或多个关联的 C EC2 lassic 实例的权限 列表

ec2:Region

DescribeClientVpnAuthorizationRules 授予描述客户端VPN终端节点授权规则的权限 列表

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DescribeClientVpnConnections 授予描述客户端终VPN端节点的活动客户端连接和在过去 60 分钟内终止的连接的权限 列表

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

DescribeClientVpnEndpoints 授予描述一个或多个客户端VPN终端节点的权限 列表

client-vpn-endpoint

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

DescribeClientVpnRoutes 授予描述客户端VPN终端节点路由的权限 列表

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

DescribeClientVpnTargetNetworks 授予描述与客户端VPN终端节点关联的目标网络的权限 列表

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

DescribeCoipPools 授予权限以描述客户拥有的指定地址池或客户拥有的所有地址池 List

ec2:Region

DescribeConversionTasks 授予权限以描述一个或多个转换任务 List

ec2:Region

DescribeCustomerGateways 授予权限以描述一个或多个客户网关 列表

ec2:Region

DescribeDeclarativePoliciesReports 授予描述一个或多个声明性策略报告的权限 列表

ec2:Region

DescribeDhcpOptions 授予描述一个或多个DHCP选项集的权限 列表

ec2:Region

DescribeEgressOnlyInternetGateways 授予权限以描述一个或多个仅出口互联网网关 List

ec2:Region

DescribeElasticGpus 授予权限以描述与实例关联的 Elastic Graphics 加速器 列表

ec2:Region

DescribeExportImageTasks 授予权限以描述一个或多个导出映像任务 List

ec2:Region

DescribeExportTasks 授予权限以描述一个或多个导出实例任务 列表

ec2:Region

DescribeFastLaunchImages 授予描述支持快速启动的 Windows 的权限 AMIs 列表

ec2:Region

DescribeFastSnapshotRestores 授予权限以描述快照的快速快照还原状态 列表

ec2:Region

DescribeFleetHistory 授予描述EC2舰队在指定时间内事件的权限 列表

fleet*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DescribeFleetInstances 授予描述EC2舰队正在运行的实例的权限 列表

fleet*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DescribeFleets 授予描述一个或多个EC2舰队的权限 列表

ec2:Region

DescribeFlowLogs 授予权限以描述一个或多个流日志 列表

ec2:Region

DescribeFpgaImageAttribute 授予描述亚马逊FPGA图片属性的权限 (AFI) 列表

fpga-image*

aws:ResourceTag/${TagKey}

ec2:Owner

ec2:ResourceTag/${TagKey}

ec2:Region

DescribeFpgaImages 授予描述一张或多张 Amazon FPGA 图片的权限 (AFIs) 列表

ec2:Region

DescribeHostReservationOfferings 授予权限以描述可供购买的专用主机预留 列表

ec2:Region

DescribeHostReservations 授予描述与专用主机关联的专用主机预留空间的权限 Amazon Web Services 账户 列表

ec2:Region

DescribeHosts 授予权限以描述一个或多个专用主机 列表

ec2:Region

DescribeIamInstanceProfileAssociations 授予描述IAM实例配置文件关联的权限 列表

ec2:Region

DescribeIdFormat 授予权限以描述资源的 ID 格式设置 列表

ec2:Region

DescribeIdentityIdFormat 授予描述IAM用户、IAM角色或 root 用户的资源 ID 格式设置的权限 列表

ec2:Region

DescribeImageAttribute 授予描述亚马逊系统映像属性的权限 (AMI) 列表

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

DescribeImages 授予描述一张或多张图片的权限(AMIsAKIs、和ARIs) 列表

ec2:Region

DescribeImportImageTasks 授予权限以描述导入虚拟机或导入快照任务 List

ec2:Region

DescribeImportSnapshotTasks 授予权限以描述导入快照任务 List

ec2:Region

DescribeInstanceAttribute 授予权限以描述实例属性 列表

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

DescribeInstanceConnectEndpoints 授予描述 Instance Conn EC2 ect 端点的权限 列表

ec2:Region

DescribeInstanceCreditSpecifications 授予描述CPU使用一个或多个可突发性能实例的积分选项的权限 列表

ec2:Region

DescribeInstanceEventNotificationAttributes 授予权限以描述要包含在有关实例计划事件的通知中的标签集 列表

ec2:Region

DescribeInstanceEventWindows 授予权限以描述指定事件窗口或所有事件窗口 列表

ec2:Region

DescribeInstanceImageMetadata 授予描述用于启动实例的权限 AMI 列表

ec2:Region

DescribeInstanceStatus 授予权限以描述一个或多个实例的状态 列表

ec2:Region

DescribeInstanceTopology 授予描述基于树的层次结构的权限,该层次结构表示实例的EC2物理主机位置 列表

ec2:Region

DescribeInstanceTypeOfferings 授予权限以描述位置中提供的实例类型集 List

ec2:Region

DescribeInstanceTypes 授予权限以描述位置中提供的实例类型详细信息 List

ec2:Region

DescribeInstances 授予权限以描述一个或多个实例 List

ec2:Region

DescribeInternetGateways 授予权限以描述一个或多个互联网网关 列表

ec2:Region

DescribeIpamByoasn 授予描述你自带的自治系统编号 (BYOASN) 的权限 IPAM 列表

ec2:Region

DescribeIpamExternalResourceVerificationTokens 授予权限以描述验证令牌,该令牌可证明外部资源的所有权 列表

ec2:Region

DescribeIpamPools 授予描述 Amazon VPC IP 地址管理器 (IPAM) 池的权限 列表

ec2:Region

DescribeIpamResourceDiscoveries 授予描述IPAM资源发现的权限 列表

ec2:Region

DescribeIpamResourceDiscoveryAssociations 授予描述与 Amazon 的资源发现关联的权限 VPC IPAM 列表

ec2:Region

DescribeIpamScopes 授予描述亚马逊 VPC IP 地址管理器 (IPAM) 范围的权限 列表

ec2:Region

DescribeIpams 授予描述亚马逊 VPC IP 地址管理器的权限 (IPAM) 列表

ec2:Region

DescribeIpv6Pools 授予描述一个或多个IPv6地址池的权限 列表

ec2:Region

DescribeKeyPairs 授予权限以描述一个或多个密钥对 List

ec2:Region

DescribeLaunchTemplateVersions 授予权限以描述一个或多个启动模板版本 List

ec2:Region

ssm:GetParameters

DescribeLaunchTemplates 授予权限以描述一个或多个启动模板 列表

ec2:Region

DescribeLocalGatewayRouteTablePermissions[仅权限] 授予权限以允许服务描述本地网关路由表的权限 列表

ec2:Region

DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations 授予权限以描述虚拟接口组与本地网关路由表之间关联 列表

ec2:Region

DescribeLocalGatewayRouteTableVpcAssociations 授予描述VPCs和本地网关路由表之间关联的权限 列表

ec2:Region

DescribeLocalGatewayRouteTables 授予权限以描述一个或多个本地网关路由表 List

ec2:Region

DescribeLocalGatewayVirtualInterfaceGroups 授予权限以描述本地网关虚拟接口组 List

ec2:Region

DescribeLocalGatewayVirtualInterfaces 授予权限以描述本地网关虚拟接口 List

ec2:Region

DescribeLocalGateways 授予权限以描述一个或多个本地网关 列表

ec2:Region

DescribeLockedSnapshots 授予描述快照锁定状态的权限 列表

ec2:Region

DescribeMacHosts 授予描述您的 EC2 Mac 专用主机的权限 列表

ec2:Region

DescribeManagedPrefixLists 授予描述您的托管前缀列表和任何托 Amazon管前缀列表的权限 列表

ec2:Region

DescribeMovingAddresses 授予描述正在移至VPC平台的弹性 IP 地址的EC2权限 列表

ec2:Region

DescribeNatGateways 授予描述一个或多个NAT网关的权限 列表

ec2:Region

DescribeNetworkAcls 授予描述一个或多个网络的权限 ACLs 列表

ec2:Region

DescribeNetworkInsightsAccessScopeAnalyses 授予描述一个或多个网络访问范围分析的权限 列表

ec2:Region

DescribeNetworkInsightsAccessScopes 授予描述网络访问范围的权限 列表

ec2:Region

DescribeNetworkInsightsAnalyses 授予描述一个或多个网络见解分析的权限 List

ec2:Region

DescribeNetworkInsightsPaths 授予描述一个或多个网络见解路径的权限 List

ec2:Region

DescribeNetworkInterfaceAttribute 授予权限以描述网络接口属性 List

ec2:Region

DescribeNetworkInterfacePermissions 授予权限以描述与网络接口关联的权限 List

ec2:Region

DescribeNetworkInterfaces 授予权限以描述一个或多个网络接口 List

ec2:Region

DescribePlacementGroups 授予权限以描述一个或多个置放群组 列表

ec2:Region

DescribePrefixLists 授予以前缀列表格式描述可用 Amazon 服务的权限 列表

ec2:Region

DescribePrincipalIdFormat 授予权限以描述 root 用户以及所有已明确指定较长 ID(17 个字符 ID)首选项的IAM角色和IAM用户的 ID 格式设置 列表

ec2:Region

DescribePublicIpv4Pools 授予描述一个或多个IPv4地址池的权限 列表

ec2:Region

DescribeRegions 授予描述您账户中当前可用的一项或多 Amazon Web Services 区域 项内容的权限 列表

ec2:Region

DescribeReplaceRootVolumeTasks 授予描述根卷替换任务的权限 List

ec2:Region

DescribeReservedInstances 授予权限以描述您账户中购买的一个或多个预留实例 List

ec2:Region

DescribeReservedInstancesListings 授予权限以描述您账户在预留实例 Marketplace 中的预留实例列表 List

ec2:Region

DescribeReservedInstancesModifications 授予权限以描述对一个或多个预留实例所做的修改 List

ec2:Region

DescribeReservedInstancesOfferings 授予权限以描述可供购买的预留实例产品 List

ec2:Region

DescribeRouteTables 授予权限以描述一个或多个路由表 List

ec2:Region

DescribeScheduledInstanceAvailability 授予权限以查找计划实例的可用计划 列表

ec2:Region

DescribeScheduledInstances 授予权限以描述您账户中的一个或多个计划实例 列表

ec2:Region

DescribeSecurityGroupReferences 授予描述引VPCs用指定VPC安全组的VPC对等连接另一端的权限 列表

security-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

ec2:Region

DescribeSecurityGroupRules 授予权限以描述一个或多个安全组规则 列表

ec2:Region

DescribeSecurityGroupVpcAssociations 授予描述安全组VPC关联的权限 列表

ec2:Region

DescribeSecurityGroups 授予权限以描述一个或多个安全组 List

ec2:Region

DescribeSnapshotAttribute 授予权限以描述快照的属性 列表

snapshot*

aws:ResourceTag/${TagKey}

ec2:Encrypted

ec2:OutpostArn

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotID

ec2:SnapshotTime

ec2:SourceOutpostArn

ec2:VolumeSize

ec2:Region

DescribeSnapshotTierStatus 授予描述 Amazon EBS 快照存储层状态的权限 列表

ec2:Region

DescribeSnapshots 授予描述一个或多个EBS快照的权限 列表

ec2:Region

DescribeSpotDatafeedSubscription 授予权限以描述 Spot 实例的数据源 List

ec2:Region

DescribeSpotFleetInstances 授予权限以描述 Spot 队列正在运行的实例 List

spot-fleet-request*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DescribeSpotFleetRequestHistory 授予权限以描述在指定时间段内 Spot 队列请求的事件 List

spot-fleet-request*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DescribeSpotFleetRequests 授予权限以描述一个或多个 Spot 队列请求 List

ec2:Region

DescribeSpotInstanceRequests 授予权限以描述一个或多个 Spot 实例请求 List

ec2:Region

DescribeSpotPriceHistory 授予权限以描述 Spot 实例价格历史记录 列表

ec2:Region

DescribeStaleSecurityGroups 授予描述指定安全组中过时安全组规则的权限 VPC 列表

ec2:Region

DescribeStoreImageTasks 授予描述AMI商店任务进度的权限 列表

ec2:Region

DescribeSubnets 授予权限以描述一个或多个子网 列表

ec2:Region

DescribeTags 授予描述某个 Amazon EC2 资源的一个或多个标签的权限 列表

ec2:Region

DescribeTrafficMirrorFilterRules 授予权限以描述用于确定镜像流量的流量镜像筛选条件 列表

ec2:Region

DescribeTrafficMirrorFilters 授予权限以描述一个或多个流量镜像筛选条件 List

ec2:Region

DescribeTrafficMirrorSessions 授予权限以描述一个或多个流量镜像会话 List

ec2:Region

DescribeTrafficMirrorTargets 授予权限以描述一个或多个流量镜像目标 List

ec2:Region

DescribeTransitGatewayAttachments 授予权限以描述资源和中转网关之间的一个或多个连接 List

ec2:Region

DescribeTransitGatewayConnectPeers 授予描述一个或多个中转网关对等连接的权限 List

ec2:Region

DescribeTransitGatewayConnects 授予描述一个或多个中转网关连接挂载的权限 List

ec2:Region

DescribeTransitGatewayMulticastDomains 授予权限以描述一个或多个中转网关多播域 List

ec2:Region

DescribeTransitGatewayPeeringAttachments 授予权限以描述一个或多个中转网关对等连接 列表

ec2:Region

DescribeTransitGatewayPolicyTables 授予权限以描述中转网关策略表 列表

ec2:Region

DescribeTransitGatewayRouteTableAnnouncements 授予权限以描述中转网关路由表公告 列表

ec2:Region

DescribeTransitGatewayRouteTables 授予权限以描述一个或多个中转网关路由表 列表

ec2:Region

DescribeTransitGatewayVpcAttachments 授予描述公交网关上一个或多个VPC附件的权限 列表

ec2:Region

DescribeTransitGateways 授予权限以描述一个或多个中转网关 列表

ec2:Region

DescribeTrunkInterfaceAssociations 授予权限以描述一个或多个网络接口中继线关联 列表

ec2:Region

DescribeVerifiedAccessEndpoints 授予权限以描述指定的验证访问端点或所有验证访问端点 列表

ec2:Region

DescribeVerifiedAccessGroups 授予权限以描述指定的验证访问组或所有验证访问组 列表

ec2:Region

DescribeVerifiedAccessInstanceLoggingConfigurations 授予权限以描述验证访问实例的当前日志记录配置 列表

ec2:Region

DescribeVerifiedAccessInstanceWebAclAssociations[仅权限] 授予描述已验证访问实例 Amazon 的 Web 应用程序防火墙 (WAFACL) Web 访问控制列表 () 关联的权限 列表

ec2:Region

DescribeVerifiedAccessInstances 授予权限以描述指定的验证访问实例或所有验证访问实例 列表

ec2:Region

DescribeVerifiedAccessTrustProviders 授予权限以描述现有验证访问信任提供商的详细信息 列表

ec2:Region

DescribeVolumeAttribute 授予描述EBS卷属性的权限 列表

volume*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ManagedResourceOperator

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

ec2:Region

DescribeVolumeStatus 授予描述一个或多个EBS卷状态的权限 列表

ec2:Region

DescribeVolumes 授予描述一个或多个EBS卷的权限 列表

ec2:Region

DescribeVolumesModifications 授予描述一个或多个EBS卷当前修改状态的权限 列表

ec2:Region

DescribeVpcAttribute 授予描述属性的权限 VPC 列表

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

DescribeVpcBlockPublicAccessExclusions 授予描述被屏蔽的公共访问的排除列表的权限 VPC 列表

vpc-block-public-access-exclusion

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DescribeVpcBlockPublicAccessOptions 授予描述被屏蔽的公共访问选项的权限 VPC 列表

ec2:Region

授予描述一个或多个 ClassicLink 状态的权限 VPCs 列表

ec2:Region

DescribeVpcClassicLinkDnsSupport 授予描述一个或多个 ClassicLink DNS支持状态的权限 VPCs 列表

ec2:Region

DescribeVpcEndpointAssociations 授予描述VPC端点关联的权限 列表

vpc-endpoint

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:VpceServiceName

ec2:VpceServiceOwner

ec2:Region

DescribeVpcEndpointConnectionNotifications 授予描述VPC终端节点和VPC终端节点服务的连接通知的权限 列表

ec2:Region

DescribeVpcEndpointConnections 授予描述与您的VPC终端节点服务的终VPC端节点连接的权限 列表

ec2:Region

DescribeVpcEndpointServiceConfigurations 授予描述VPC终端节点服务配置(您的服务)的权限 列表

ec2:Region

DescribeVpcEndpointServicePermissions 授予描述允许发现您的VPC终端节点服务的委托人(服务使用者)的权限 列表

vpc-endpoint-service*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:vpceMultiRegion

ec2:vpceSupportedRegion

ec2:Region

DescribeVpcEndpointServices 授予描述创建VPC终端节点时可以指定的所有支持的 Amazon 服务的权限 列表

ec2:Region

DescribeVpcEndpoints 授予描述一个或多个VPC端点的权限 列表

ec2:Region

DescribeVpcPeeringConnections 授予描述一个或多个对VPC等连接的权限 列表

ec2:Region

DescribeVpcs 授予描述一个或多个的权限 VPCs 列表

ec2:Region

DescribeVpnConnections 授予描述一个或多个VPN连接的权限 列表

ec2:Region

DescribeVpnGateways 授予权限以描述一个或多个虚拟私有网关 列表

ec2:Region

DetachClassicLinkVpc 授予取消关联的 Cl EC2 assic 实例与的关联(分离)的权限 VPC 写入

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

DetachInternetGateway 授予将互联网网关与互联网网关断开连接的权限 VPC 写入

internet-gateway*

aws:ResourceTag/${TagKey}

ec2:InternetGatewayID

ec2:ResourceTag/${TagKey}

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

DetachNetworkInterface 授予权限以从实例分离网络接口 写入

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

network-interface*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ManagedResourceOperator

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

DetachVerifiedAccessTrustProvider 授予权限以将信任提供商与验证访问实例分离 写入

verified-access-instance*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

verified-access-trust-provider*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DetachVolume 授予将EBS卷与实例分离的权限 写入

volume*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:ManagedResourceOperator

ec2:ParentSnapshot

ec2:ResourceTag/${TagKey}

ec2:VolumeID

ec2:VolumeIops

ec2:VolumeSize

ec2:VolumeThroughput

ec2:VolumeType

instance

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

DetachVpnGateway 授予将虚拟专用网关与分开的权限 VPC 写入

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

vpn-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DisableAddressTransfer 授予权限以禁用 Elastic IP 地址转换 写入

elastic-ip*

aws:ResourceTag/${TagKey}

ec2:AllocationId

ec2:Domain

ec2:PublicIpAddress

ec2:ResourceTag/${TagKey}

ec2:Region

DisableAllowedImagesSettings 授予禁用允许的图像设置的权限 写入

ec2:Region

DisableAwsNetworkPerformanceMetricSubscription 授予权限以禁用基础设施性能指标订阅 写入

ec2:Region

DisableEbsEncryptionByDefault 授予默认情况下为您的账户禁用EBS加密的权限 写入

ec2:Region

DisableFastLaunch 授予禁用 Windows 更快启动功能的权限 AMIs 写入

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

DisableFastSnapshotRestores 授予权限以对指定可用区中的一个或多个快照禁用快速快照还原 写入

snapshot*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotID

ec2:SnapshotTime

ec2:VolumeSize

ec2:Region

DisableImage 授予禁用权限 AMI 写入

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

DisableImageBlockPublicAccess 授予AMIs在指定账户级别禁用封锁公共访问权限的权限 Amazon Web Services 区域 写入

ec2:Region

DisableImageDeprecation 授予取消弃用指定内容的权限 AMI 写入

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

DisableImageDeregistrationProtection 授予禁用注销保护的AMI权限。禁用注销保护后,AMI可以取消注册 写入

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

DisableIpamOrganizationAdminAccount 授予禁用 Organi Amazon zations 成员账户作为亚马逊 VPC IP 地址管理器 (IPAM) 管理员账户的权限 写入

ec2:Region

organizations:DeregisterDelegatedAdministrator

DisableSerialConsoleAccess 授予权限以禁用您的账户对所有实例的EC2串行控制台的访问权限 写入

ec2:Region

DisableSnapshotBlockPublicAccess 授予为某个区域禁用“屏蔽快照公共访问权限”设置的权限 写入

ec2:Region

DisableTransitGatewayRouteTablePropagation 授予权限以禁止资源连接将路由传播到指定的传播路由表 写入

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableId

transit-gateway-attachment

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

transit-gateway-route-table-announcement

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableAnnouncementId

ec2:Region

DisableVgwRoutePropagation 授予禁止虚拟专用网关将路由传播到指定路由表的权限 VPC 写入

route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

ec2:Vpc

vpn-gateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

授予禁 ClassicLink 用权限 VPC 写入

vpc*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

DisableVpcClassicLinkDnsSupport 授予禁用对的 ClassicLink DNS支持的权限 VPC 写入

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

DisassociateAddress 授予权限以取消弹性 IP 地址与实例或网络接口的关联 写入

elastic-ip

aws:ResourceTag/${TagKey}

ec2:AllocationId

ec2:Domain

ec2:PublicIpAddress

ec2:ResourceTag/${TagKey}

network-interface

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ManagedResourceOperator

ec2:NetworkInterfaceID

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

DisassociateCapacityReservationBillingOwner 授予取消将容量预留未使用容量账单分配给消费者账户的待处理请求的权限 写入

capacity-reservation*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CapacityReservationFleet

ec2:CreateDate

ec2:DestinationCapacityReservationId

ec2:EbsOptimized

ec2:EndDate

ec2:EndDateType

ec2:InstanceCount

ec2:InstanceMatchCriteria

ec2:InstancePlatform

ec2:InstanceType

ec2:OutpostArn

ec2:PlacementGroup

ec2:ResourceTag/${TagKey}

ec2:SourceCapacityReservationId

ec2:Tenancy

ec2:Region

DisassociateClientVpnTargetNetwork 授予取消目标网络与客户端VPN终端节点关联的权限 写入

client-vpn-endpoint*

aws:ResourceTag/${TagKey}

ec2:ClientRootCertificateChainArn

ec2:CloudwatchLogGroupArn

ec2:CloudwatchLogStreamArn

ec2:DirectoryArn

ec2:ResourceTag/${TagKey}

ec2:SamlProviderArn

ec2:ServerCertificateArn

ec2:Region

DisassociateEnclaveCertificateIamRole 授予取消ACM证书与角色关联的IAM权限 写入

certificate*

role*

ec2:Region

DisassociateIamInstanceProfile 授予取消IAM实例配置文件与正在运行或已停止的实例的关联的权限 写入

instance*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:CpuOptionsAmdSevSnp

ec2:EbsOptimized

ec2:InstanceAutoRecovery

ec2:InstanceID

ec2:InstanceMarketType

ec2:InstanceMetadataTags

ec2:InstanceProfile

ec2:InstanceType

ec2:ManagedResourceOperator

ec2:MetadataHttpEndpoint

ec2:MetadataHttpPutResponseHopLimit

ec2:MetadataHttpTokens

ec2:PlacementGroup

ec2:ProductCode

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Tenancy

ec2:Region

DisassociateInstanceEventWindow 授予权限以取消一个或多个目标与事件窗口的关联 写入

instance-event-window*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DisassociateIpamByoasn 授予取消自治系统编号 () 与自治系统编号 (ASN) 关联的权限 BYOIP CIDR 写入

ec2:Region

DisassociateIpamResourceDiscovery 授予将资源发现与 Amazon 解除关联的权限 VPC IPAM 写入

ipam-resource-discovery-association*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DisassociateNatGatewayAddress 授予解除辅助弹性 IP 地址与公共NAT网关关联的权限 写入

elastic-ip*

aws:ResourceTag/${TagKey}

ec2:AllocationId

ec2:Domain

ec2:PublicIpAddress

ec2:ResourceTag/${TagKey}

natgateway*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

network-interface*

aws:ResourceTag/${TagKey}

ec2:AuthorizedUser

ec2:AvailabilityZone

ec2:ManagedResourceOperator

ec2:NetworkInterfaceID

ec2:Permission

ec2:ResourceTag/${TagKey}

ec2:Subnet

ec2:Vpc

ec2:Region

DisassociateRouteTable 授予权限以取消子网与路由表的关联 写入

internet-gateway

aws:ResourceTag/${TagKey}

ec2:InternetGatewayID

ec2:ResourceTag/${TagKey}

ipv4pool-ec2

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ipv6pool-ec2

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

route-table

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:RouteTableID

ec2:Vpc

subnet

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

vpn-gateway

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DisassociateSecurityGroupVpc 授予解除安全组与安全组关联的权限 VPC 写入

security-group*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:SecurityGroupID

ec2:Vpc

vpc

aws:ResourceTag/${TagKey}

ec2:Ipv4IpamPoolId

ec2:Ipv6IpamPoolId

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

DisassociateSubnetCidrBlock 授予解除CIDR区块与子网关联的权限 写入

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

ec2:Region

DisassociateTransitGatewayMulticastDomain 授予权限以取消一个或多个子网与中转网关多播域的关联 写入

subnet*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:ResourceTag/${TagKey}

ec2:SubnetID

ec2:Vpc

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

transit-gateway-multicast-domain*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayMulticastDomainId

ec2:Region

DisassociateTransitGatewayPolicyTable 授予权限以解除策略表与中转网关的关联 写入

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

transit-gateway-policy-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayPolicyTableId

ec2:Region

DisassociateTransitGatewayRouteTable 授予权限以从中转网关路由表取消资源连接的关联 写入

transit-gateway-attachment*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayAttachmentId

transit-gateway-route-table*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:transitGatewayRouteTableId

ec2:Region

DisassociateTrunkInterface 授予解除分支网络接口与中继网络接口关联的权限 写入

ec2:Region

DisassociateVerifiedAccessInstanceWebAcl[仅权限] 授予解除 Amazon Web 应用程序防火墙 (WAF) Web 访问控制列表 (ACL) 与已验证访问实例的关联的权限 写入

verified-access-instance*

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Region

DisassociateVpcCidrBlock 授予解除方块与CIDR方块关联的权限 VPC 写入

vpc

aws:ResourceTag/${TagKey}

ec2:ResourceTag/${TagKey}

ec2:Tenancy

ec2:VpcID

ec2:Region

EnableAddressTransfer 授予权限以启用 Elastic IP 地址转换 写入

elastic-ip*

aws:ResourceTag/${TagKey}

ec2:AllocationId

ec2:Domain

ec2:PublicIpAddress

ec2:ResourceTag/${TagKey}

ec2:Region

EnableAllowedImagesSettings 授予启用允许的图像设置的权限 写入

ec2:Region

EnableAwsNetworkPerformanceMetricSubscription 授予权限以启用基础设施性能订阅 写入

ec2:Region

EnableEbsEncryptionByDefault 授予默认情况下为您的账户启用EBS加密的权限 写入

ec2:Region

EnableFastLaunch 授予允许在 Windows 上实现更快启动的权限 AMIs 写入

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:CreateLaunchTemplate

ec2:CreateSnapshot

ec2:CreateTags

ec2:DeleteSnapshot

ec2:DescribeImages

ec2:DescribeInstanceAttribute

ec2:DescribeInstanceStatus

ec2:DescribeInstanceTypeOfferings

ec2:DescribeInstances

ec2:DescribeLaunchTemplateVersions

ec2:DescribeLaunchTemplates

ec2:DescribeSnapshots

ec2:DescribeSubnets

ec2:RunInstances

ec2:StopInstances

ec2:TerminateInstances

iam:PassRole

launch-template

aws:ResourceTag/${TagKey}

ec2:ManagedResourceOperator

ec2:ResourceTag/${TagKey}

ec2:Region

EnableFastSnapshotRestores 授予权限以对指定可用区中的一个或多个快照启用快速快照还原 写入

snapshot*

aws:ResourceTag/${TagKey}

ec2:AvailabilityZone

ec2:Encrypted

ec2:Owner

ec2:ParentVolume

ec2:ResourceTag/${TagKey}

ec2:SnapshotID

ec2:SnapshotTime

ec2:VolumeSize

ec2:Region

EnableImage 授予重新启用禁用者的权限 AMI 写入

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

EnableImageBlockPublicAccess 授予AMIs在指定账户级别启用封锁公共访问权限的权限 Amazon Web Services 区域 写入

ec2:Region

EnableImageDeprecation 授予允许AMI在指定日期和时间弃用指定内容的权限 写入

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

EnableImageDeregistrationProtection 授予启用注销保护的AMI权限。启用取消注册保护后,AMI无法取消注册 写入

image*

aws:ResourceTag/${TagKey}

ec2:ImageID

ec2:ImageType

ec2:Owner

ec2:Public

ec2:ResourceTag/${TagKey}

ec2:RootDeviceType

ec2:Region

EnableIpamOrganizationAdminAccount 授予将 Organiz Amazon ations 成员账户启用为亚马逊 VPC IP 地址管理器 (IPAM) 管理员账户的权限 写入

ec2:Region

iam:CreateServiceLinkedRole

organizations:EnableAWSServiceAccess

organizations:RegisterDelegatedAdministrator

EnableReachabilityAnalyzerOrganizationSharing 授予权限以启用可访问性分析器的组织分享 写入

ec2:Region

iam:CreateServiceLinkedRole

organizations:EnableAWSServiceAccess

EnableSerialConsoleAccess 授予允许您账户访问所有实例的EC2串行控制台的权限 写入

ec2:Region

Enable