Granting IAM Users Required Permissions for Amazon EC2 Resources
By default, AWS Identity and Access Management (IAM) users don't have permission to create or modify Amazon EC2 resources, or perform tasks using the Amazon EC2 API. To allow IAM users to create or modify resources and perform tasks, you must create IAM policies that grant IAM users permissions for the specific resources and API actions they'll need to use, and then attach those policies to the IAM users or groups that require those permissions.
For more information and for example policies, see IAM Policies for Amazon EC2 in the Amazon EC2 User Guide.
When you make an API request, the parameters that you specify in the request determine which resources an IAM user must have permission to use. If the user doesn't have the required permissions for every resource the request touches, the request fails. For example, if you use RunInstances to launch an instance in a subnet (by specifying the SubnetId parameter), the IAM user must have permission to use that subnet and, because the launch creates a network interface in it, permission to use network interfaces as well (see the RunInstances rows under Instances). To confine the user to a VPC rather than to a single subnet, use the ec2:Vpc condition key, which is available on the subnet, security group, and network interface resources.
If an action creates a resource, an IAM user must have permission to create that resource or the request fails. Many Amazon EC2 resources receive an identifier only when they are created (an instance ID or a volume ID, for example). Because you can't know that identifier in advance, you must use a wildcard in the ARN for any resource that the request itself creates, as shown in the following sections. Note also that because you can't tag a resource at the moment you create it, none of the tag condition keys can be used to constrain a resource that is created by an action; this is why ec2:ResourceTag/tag-key is absent from the instance row for RunInstances. (We'll add support for tagging a resource at creation later.)
Resource-level permissions refer to the ability to specify which resources users are allowed to perform actions on. Amazon EC2 has partial support for resource-level permissions: for certain Amazon EC2 actions, you can control when users are allowed to use those actions, based on conditions that must be fulfilled or on the specific resources that users are allowed to use. For example, you can grant users permission to launch instances, but only of a specific instance type and only from a specific AMI.
Supported Resource-Level Permissions
The following sections describe the resources that are created or modified by the Amazon EC2 actions, and the ARNs and Amazon EC2 condition keys that you can use in an IAM policy statement to grant users permission to create or modify particular Amazon EC2 resources. (We'll add support for additional actions, ARNs, and condition keys later.)
When specifying an ARN, you can use the * wildcard in your paths; for example, when you cannot or do not want to specify exact resource IDs. For examples of using wildcards, see the Example Policies in the Amazon EC2 User Guide.
Customer Gateways
| Resource | ARN Format | Condition Keys |
|---|---|---|
| Action: DeleteCustomerGateway | | |
| Customer gateway | arn:aws:ec2:region:account:customer-gateway/*<br>arn:aws:ec2:region:account:customer-gateway/cgw-id | ec2:Region, ec2:ResourceTag/tag-key |
DHCP Options Sets
| Resource | ARN Format | Condition Keys |
|---|---|---|
| Action: DeleteDhcpOptions | | |
| DHCP options set | arn:aws:ec2:region:account:dhcp-options/*<br>arn:aws:ec2:region:account:dhcp-options/dhcp-options-id | ec2:Region, ec2:ResourceTag/tag-key |
Instances
| Resource | ARN Format | Condition Keys |
|---|---|---|
| Action: AssociateIamInstanceProfile | | |
| Instance | arn:aws:ec2:region:account:instance/*<br>arn:aws:ec2:region:account:instance/instance-id | ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy |
| Action: AttachClassicLinkVpc | | |
| Instance | arn:aws:ec2:region:account:instance/*<br>arn:aws:ec2:region:account:instance/instance-id | ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy |
| Security group | arn:aws:ec2:region:account:security-group/*<br>arn:aws:ec2:region:account:security-group/security-group-id | ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc |
| VPC | arn:aws:ec2:region:account:vpc/*<br>arn:aws:ec2:region:account:vpc/vpc-id | ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy |
| Action: DetachClassicLinkVpc | | |
| Instance | arn:aws:ec2:region:account:instance/*<br>arn:aws:ec2:region:account:instance/instance-id | ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy |
| VPC | arn:aws:ec2:region:account:vpc/*<br>arn:aws:ec2:region:account:vpc/vpc-id | ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy |
| Action: DisassociateIamInstanceProfile | | |
| Instance | arn:aws:ec2:region:account:instance/*<br>arn:aws:ec2:region:account:instance/instance-id | ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy |
| Action: GetConsoleScreenshot | | |
| Instance | arn:aws:ec2:region:account:instance/*<br>arn:aws:ec2:region:account:instance/instance-id | ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy |
| Action: RebootInstances | | |
| Instance | arn:aws:ec2:region:account:instance/*<br>arn:aws:ec2:region:account:instance/instance-id | ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy |
| Action: ReplaceIamInstanceProfileAssociation | | |
| Instance | arn:aws:ec2:region:account:instance/*<br>arn:aws:ec2:region:account:instance/instance-id | ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy |
| Action: RunInstances | | |
| Image | arn:aws:ec2:region::image/*<br>arn:aws:ec2:region::image/image-id | ec2:ImageType, ec2:Owner, ec2:Public, ec2:Region, ec2:RootDeviceType, ec2:ResourceTag/tag-key |
| Instance | arn:aws:ec2:region:account:instance/* | ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:RootDeviceType, ec2:Tenancy |
| Key pair | arn:aws:ec2:region:account:key-pair/*<br>arn:aws:ec2:region:account:key-pair/key-pair-name | ec2:Region |
| Network interface | arn:aws:ec2:region:account:network-interface/* (if specifying a subnet in the request)<br>arn:aws:ec2:region:account:network-interface/eni-id | ec2:AvailabilityZone, ec2:Region, ec2:Subnet, ec2:ResourceTag/tag-key, ec2:Vpc |
| Placement group | arn:aws:ec2:region:account:placement-group/*<br>arn:aws:ec2:region:account:placement-group/placement-group-name | ec2:Region, ec2:PlacementGroupStrategy |
| Security group | arn:aws:ec2:region:account:security-group/*<br>arn:aws:ec2:region:account:security-group/security-group-id | ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc |
| Snapshot | arn:aws:ec2:region::snapshot/*<br>arn:aws:ec2:region::snapshot/snapshot-id | ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:SnapshotTime, ec2:ResourceTag/tag-key, ec2:VolumeSize |
| Subnet | arn:aws:ec2:region:account:subnet/*<br>arn:aws:ec2:region:account:subnet/subnet-id | ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc |
| Volume | arn:aws:ec2:region:account:volume/* (if launching from an EBS-backed image) | ec2:AvailabilityZone, ec2:ParentSnapshot, ec2:Region, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType |
| Action: StartInstances | | |
| Instance | arn:aws:ec2:region:account:instance/*<br>arn:aws:ec2:region:account:instance/instance-id | ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy |
| Action: StopInstances | | |
| Instance | arn:aws:ec2:region:account:instance/*<br>arn:aws:ec2:region:account:instance/instance-id | ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy |
| Action: TerminateInstances | | |
| Instance | arn:aws:ec2:region:account:instance/*<br>arn:aws:ec2:region:account:instance/instance-id | ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy |
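The RunInstances rows above combine into the following policy, added here as an example and not taken from the Amazon EC2 User Guide. The region (us-east-1), account ID (123456789012), AMI ID, VPC ID and key pair name are placeholders to replace with your own. The instance, volume and network interface ARNs end in a wildcard because those resources do not exist until the launch creates them. Each Condition sits in a statement that contains only the resources that carry that condition key: a Condition applies to every resource in its statement, and ec2:InstanceType, for instance, is defined only for the instance resource, so putting it in the same statement as the image ARN would make the image check fail and the launch would be denied.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "InstanceTypeKeyExistsOnlyForTheInstanceResource",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:InstanceType": ["t2.micro", "t2.small"]
        }
      }
    },
    {
      "Sid": "OnlyOneApprovedAmiNoAccountInImageArn",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:us-east-1::image/ami-1a2b3c4d"
    },
    {
      "Sid": "SubnetSecurityGroupAndEniMustBelongToOneVpc",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:us-east-1:123456789012:subnet/*",
        "arn:aws:ec2:us-east-1:123456789012:security-group/*",
        "arn:aws:ec2:us-east-1:123456789012:network-interface/*"
      ],
      "Condition": {
        "ArnEquals": {
          "ec2:Vpc": "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-1a2b3c4d"
        }
      }
    },
    {
      "Sid": "CreatedVolumesAndTheNamedKeyPair",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:us-east-1:123456789012:volume/*",
        "arn:aws:ec2:us-east-1:123456789012:key-pair/deploy-key"
      ]
    }
  ]
}
```

A launch that names a subnet or security group outside vpc-1a2b3c4d, an instance type other than t2.micro or t2.small, a different AMI, or a different key pair fails. To allow any AMI published by Amazon rather than one fixed ID, replace the image ARN with arn:aws:ec2:us-east-1::image/* and add a StringEquals condition on ec2:Owner with the value amazon to that statement; ec2:Owner is listed for the image resource and for no other resource in the RunInstances rows, which is why it cannot share a statement with them.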
Internet Gateways
| Resource | ARN Format | Condition Keys |
|---|---|---|
| Action: DeleteInternetGateway | | |
| Internet gateway | arn:aws:ec2:region:account:internet-gateway/*<br>arn:aws:ec2:region:account:internet-gateway/igw-id | ec2:Region, ec2:ResourceTag/tag-key |
Network ACLs
| Resource | ARN Format | Condition Keys |
|---|---|---|
| Action: DeleteNetworkAcl | | |
| Network ACL | arn:aws:ec2:region:account:network-acl/*<br>arn:aws:ec2:region:account:network-acl/nacl-id | ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc |
| Action: DeleteNetworkAclEntry | | |
| Network ACL | arn:aws:ec2:region:account:network-acl/*<br>arn:aws:ec2:region:account:network-acl/nacl-id | ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc |
Route Tables
| Resource | ARN Format | Condition Keys |
|---|---|---|
| Action: DeleteRoute | | |
| Route table | arn:aws:ec2:region:account:route-table/*<br>arn:aws:ec2:region:account:route-table/route-table-id | ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc |
| Action: DeleteRouteTable | | |
| Route table | arn:aws:ec2:region:account:route-table/*<br>arn:aws:ec2:region:account:route-table/route-table-id | ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc |
Security Groups
| Resource | ARN Format | Condition Keys |
|---|---|---|
| Action: AuthorizeSecurityGroupEgress | | |
| Security group | arn:aws:ec2:region:account:security-group/*<br>arn:aws:ec2:region:account:security-group/security-group-id | ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc |
| Action: AuthorizeSecurityGroupIngress | | |
| Security group | arn:aws:ec2:region:account:security-group/*<br>arn:aws:ec2:region:account:security-group/security-group-id | ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc |
| Action: DeleteSecurityGroup | | |
| Security group | arn:aws:ec2:region:account:security-group/*<br>arn:aws:ec2:region:account:security-group/security-group-id | ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc |
| Action: RevokeSecurityGroupEgress | | |
| Security group | arn:aws:ec2:region:account:security-group/*<br>arn:aws:ec2:region:account:security-group/security-group-id | ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc |
| Action: RevokeSecurityGroupIngress | | |
| Security group | arn:aws:ec2:region:account:security-group/*<br>arn:aws:ec2:region:account:security-group/security-group-id | ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc |
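The five security group actions above all accept the ec2:Vpc and ec2:ResourceTag/tag-key condition keys, which allows a policy like the following, added here as an example and not part of the original page. Region, account ID and VPC ID are placeholders. Network operators may add and remove rules, and delete groups, only within one VPC, and a group tagged Protected=true cannot be deleted by them at all because an explicit Deny overrides the Allow.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageRulesAndGroupsOnlyInTheSharedServicesVpc",
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:DeleteSecurityGroup"
      ],
      "Resource": "arn:aws:ec2:us-east-1:123456789012:security-group/*",
      "Condition": {
        "ArnEquals": {
          "ec2:Vpc": "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-1a2b3c4d"
        }
      }
    },
    {
      "Sid": "NeverDeleteAGroupTaggedProtected",
      "Effect": "Deny",
      "Action": "ec2:DeleteSecurityGroup",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:security-group/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Protected": "true"
        }
      }
    }
  ]
}
```

CreateSecurityGroup and DescribeSecurityGroups are not in the table above; they appear in the unsupported list at the end of this page, so if the same operators need them, they go in a separate statement with "Resource": "*". Putting them in the statement with the security group ARN would cause those calls to fail. The Deny holds only against principals who cannot also remove the Protected tag; DeleteTags is likewise unsupported and can only be granted account-wide, so keep it with a separate, more trusted principal.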
Volumes
| Resource | ARN Format | Condition Keys |
|---|---|---|
| Action: AttachVolume | | |
| Instance | arn:aws:ec2:region:account:instance/*<br>arn:aws:ec2:region:account:instance/instance-id | ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy |
| Volume | arn:aws:ec2:region:account:volume/*<br>arn:aws:ec2:region:account:volume/volume-id | ec2:AvailabilityZone, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/tag-key, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType |
| Action: DeleteVolume | | |
| Volume | arn:aws:ec2:region:account:volume/*<br>arn:aws:ec2:region:account:volume/volume-id | ec2:AvailabilityZone, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/tag-key, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType |
| Action: DetachVolume | | |
| Instance | arn:aws:ec2:region:account:instance/*<br>arn:aws:ec2:region:account:instance/instance-id | ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy |
| Volume | arn:aws:ec2:region:account:volume/*<br>arn:aws:ec2:region:account:volume/volume-id | ec2:AvailabilityZone, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/tag-key, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType |
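AttachVolume and DetachVolume each involve two resources, and the request is allowed only if the caller is permitted for both. The following policy is an added example, not from the original page, with region and account ID as placeholders. Because ec2:ResourceTag/tag-key appears in both the instance row and the volume row, one statement with both ARNs is enough: the condition is checked against each resource's own tags, so the request fails if either the instance or the volume lacks an Owner tag equal to the caller's IAM user name. ${aws:username} is an IAM policy variable and requires "Version": "2012-10-17".

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AttachOrDetachOnlyYourOwnVolumesToYourOwnInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:AttachVolume",
        "ec2:DetachVolume"
      ],
      "Resource": [
        "arn:aws:ec2:us-east-1:123456789012:instance/*",
        "arn:aws:ec2:us-east-1:123456789012:volume/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Owner": "${aws:username}"
        }
      }
    },
    {
      "Sid": "DeleteOnlyYourOwnVolumes",
      "Effect": "Allow",
      "Action": "ec2:DeleteVolume",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:volume/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Owner": "${aws:username}"
        }
      }
    }
  ]
}
```

CreateVolume and CreateTags are in the unsupported list at the end of this page, so a volume this user creates is not automatically tagged for them; a separate process holding ec2:CreateTags on "*" has to apply the Owner tag before the user can attach, detach or delete the volume.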
VPCs
| Resource | ARN Format | Condition Keys |
|---|---|---|
| Action: DisableVpcClassicLink | | |
| VPC | arn:aws:ec2:region:account:vpc/*<br>arn:aws:ec2:region:account:vpc/vpc-id | ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy |
| Action: EnableVpcClassicLink | | |
| VPC | arn:aws:ec2:region:account:vpc/*<br>arn:aws:ec2:region:account:vpc/vpc-id | ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy |
VPC Peering Connections
| Resource | ARN Format | Condition Keys |
|---|---|---|
| Action: AcceptVpcPeeringConnection | | |
| VPC | arn:aws:ec2:region:account:vpc/*<br>arn:aws:ec2:region:account:vpc/vpc-id | ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy |
| VPC peering connection | arn:aws:ec2:region:account:vpc-peering-connection/*<br>arn:aws:ec2:region:account:vpc-peering-connection/vpc-peering-connection-id | ec2:AccepterVpc, ec2:Region, ec2:ResourceTag/tag-key, ec2:RequesterVpc |
| Action: CreateVpcPeeringConnection | | |
| VPC | arn:aws:ec2:region:account:vpc/*<br>arn:aws:ec2:region:account:vpc/vpc-id | ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy |
| VPC peering connection | arn:aws:ec2:region:account:vpc-peering-connection/* | ec2:AccepterVpc, ec2:Region, ec2:RequesterVpc |
| Action: DeleteVpcPeeringConnection | | |
| VPC peering connection | arn:aws:ec2:region:account:vpc-peering-connection/*<br>arn:aws:ec2:region:account:vpc-peering-connection/vpc-peering-connection-id | ec2:AccepterVpc, ec2:Region, ec2:ResourceTag/tag-key, ec2:RequesterVpc |
| Action: RejectVpcPeeringConnection | | |
| VPC peering connection | arn:aws:ec2:region:account:vpc-peering-connection/*<br>arn:aws:ec2:region:account:vpc-peering-connection/vpc-peering-connection-id | ec2:AccepterVpc, ec2:Region, ec2:ResourceTag/tag-key, ec2:RequesterVpc |
Unsupported Resource-Level Permissions
All Amazon EC2 actions can be used in an IAM policy to either grant or deny users permission to
use that action. However, not all Amazon EC2 actions support resource-level permissions, which
enable you to specify the resources on which an action can be performed. The following Amazon EC2
API actions currently do not support resource-level permissions; therefore, to use these
actions in an IAM policy, you must grant users permission to use all resources for the
action by using a * wildcard for the Resource element in your statement. You may
not be able to use Amazon EC2 condition keys for these actions. For examples, see Example Policies for CLI or SDK.
AllocateAddress
AllocateHosts
AssignPrivateIpAddresses
AssociateAddress
AssociateDhcpOptions
AssociateRouteTable
AttachInternetGateway
AttachNetworkInterface
AttachVpnGateway
BundleInstance
CancelBundleTask
CancelConversionTask
CancelExportTask
CancelImportTask
CancelReservedInstancesListing
CancelSpotFleetRequests
CancelSpotInstanceRequests
ConfirmProductInstance
CopyImage
CopySnapshot
CreateCustomerGateway
CreateDhcpOptions
CreateFlowLogs
CreateImage
CreateInstanceExportTask
CreateInternetGateway
CreateKeyPair
CreateNatGateway
CreateNetworkAcl
CreateNetworkAclEntry
CreateNetworkInterface
CreatePlacementGroup
CreateReservedInstancesListing
CreateRoute
CreateRouteTable
CreateSecurityGroup
CreateSnapshot
CreateSpotDatafeedSubscription
CreateSubnet
CreateTags
CreateVolume
CreateVpc
CreateVpcEndpoint
CreateVpnConnection
CreateVpnConnectionRoute
CreateVpnGateway
DeleteFlowLogs
DeleteKeyPair
DeleteNatGateways
DeleteNetworkInterface
DeletePlacementGroup
DeleteSnapshot
DeleteSpotDatafeedSubscription
DeleteSubnet
DeleteTags
DeleteVpc
DeleteVpcEndpoints
DeleteVpnConnection
DeleteVpnConnectionRoute
DeleteVpnGateway
DeregisterImage
DescribeAccountAttributes
DescribeAddresses
DescribeAvailabilityZones
DescribeBundleTasks
DescribeClassicLinkInstances
DescribeConversionTasks
DescribeCustomerGateways
DescribeDhcpOptions
DescribeExportTasks
DescribeHosts
DescribeIamInstanceProfileAssociations
DescribeIdentityIdFormat
DescribeIdFormat
DescribeImageAttribute
DescribeImages
DescribeImportImageTasks
DescribeImportSnapshotTasks
DescribeInstanceAttribute
DescribeInstances
DescribeInstanceStatus
DescribeInternetGateways
DescribeFlowLogs
DescribeKeyPairs
DescribeMovingAddresses
DescribeNatGateways
DescribeNetworkAcls
DescribeNetworkInterfaceAttribute
DescribeNetworkInterfaces
DescribePlacementGroups
DescribePrefixLists
DescribeRegions
DescribeReservedInstances
DescribeReservedInstancesListings
DescribeReservedInstancesModifications
DescribeReservedInstancesOfferings
DescribeRouteTables
DescribeScheduledInstanceAvailability
DescribeScheduledInstances
DescribeSecurityGroupReferences
DescribeSecurityGroups
DescribeStaleSecurityGroups
DescribeSnapshotAttribute
DescribeSnapshots
DescribeSpotDatafeedSubscription
DescribeSpotFleetInstances
DescribeSpotFleetRequestHistory
DescribeSpotFleetRequests
DescribeSpotInstanceRequests
DescribeSpotPriceHistory
DescribeSubnets
DescribeTags
DescribeVolumeAttribute
DescribeVolumes
DescribeVolumeStatus
DescribeVpcAttribute
DescribeVpcClassicLink
DescribeVpcClassicLinkDnsSupport
DescribeVpcEndpoints
DescribeVpcEndpointServices
DescribeVpcPeeringConnections
DescribeVpcs
DescribeVpnConnections
DescribeVpnGateways
DetachInternetGateway
DetachNetworkInterface
DetachVpnGateway
DisableVgwRoutePropagation
DisableVpcClassicLinkDnsSupport
DisassociateAddress
DisassociateRouteTable
EnableVgwRoutePropagation
EnableVolumeIO
EnableVpcClassicLinkDnsSupport
GetConsoleOutput
GetPasswordData
ImportImage
ImportInstance
ImportKeyPair
ImportSnapshot
ImportVolume
ModifyHosts
ModifyIdentityIdFormat
ModifyIdFormat
ModifyImageAttribute
ModifyInstanceAttribute
ModifyInstancePlacement
ModifyNetworkInterfaceAttribute
ModifyReservedInstances
ModifySnapshotAttribute
ModifySpotFleetRequest
ModifySubnetAttribute
ModifyVolumeAttribute
ModifyVpcAttribute
ModifyVpcEndpoint
ModifyVpcPeeringConnectionOptions
MonitorInstances
MoveAddressToVpc
PurchaseReservedInstancesOffering
PurchaseScheduledInstances
RegisterImage
ReleaseAddress
ReleaseHosts
ReplaceNetworkAclAssociation
ReplaceNetworkAclEntry
ReplaceRoute
ReplaceRouteTableAssociation
ReportInstanceStatus
RequestSpotFleet
RequestSpotInstances
ResetImageAttribute
ResetInstanceAttribute
ResetNetworkInterfaceAttribute
ResetSnapshotAttribute
RestoreAddressToClassic
RunScheduledInstances
UnassignPrivateIpAddresses
UnmonitorInstances
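In practice this produces a split between statements, shown in the following added example policy (not from the original page; region and account ID are placeholders). The read-only Describe actions, all of which are in the list above, share one statement with "Resource": "*", while the lifecycle actions that do support resource-level permissions are scoped to instances tagged Environment=dev. Had the Describe statement named an instance ARN instead of *, every Describe call would fail.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeActionsOnlyWorkWithAWildcardResource",
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Sid": "LifecycleActionsSupportResourceLevelPermissions",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances"
      ],
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Environment": "dev"
        }
      }
    }
  ]
}
```

Resist adding ec2:CreateTags and ec2:DeleteTags to this policy so that the user can label their own instances. Both are in the list above, so they can only be granted on "*", and a user holding them can retag a production instance as Environment=dev and then stop it, which defeats the tag condition. Tagging rights belong with a separate, more trusted principal.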

