Amazon EC2 (ec2)

Has Resource: True

Actions:
  - AcceptReservedInstancesExchangeQuote
  - AcceptTransitGatewayMulticastDomainAssociations
  - AcceptTransitGatewayPeeringAttachment
  - AcceptTransitGatewayVpcAttachment
  - AcceptVpcEndpointConnections
  - AcceptVpcPeeringConnection
  - AdvertiseByoipCidr
  - AllocateAddress
  - AllocateHosts
  - ApplySecurityGroupsToClientVpnTargetNetwork
  - AssignIpv6Addresses
  - AssignPrivateIpAddresses
  - AssociateAddress
  - AssociateClientVpnTargetNetwork
  - AssociateDhcpOptions
  - AssociateEnclaveCertificateIamRole
  - AssociateIamInstanceProfile
  - AssociateRouteTable
  - AssociateSubnetCidrBlock
  - AssociateTransitGatewayMulticastDomain
  - AssociateTransitGatewayRouteTable
  - AssociateVpcCidrBlock
  - AttachClassicLinkVpc
  - AttachInternetGateway
  - AttachNetworkInterface
  - AttachVolume
  - AttachVpnGateway
  - AuthorizeClientVpnIngress
  - AuthorizeSecurityGroupEgress
  - AuthorizeSecurityGroupIngress
  - BundleInstance
  - CancelBundleTask
  - CancelCapacityReservation
  - CancelConversionTask
  - CancelExportTask
  - CancelImportTask
  - CancelReservedInstancesListing
  - CancelSpotFleetRequests
  - CancelSpotInstanceRequests
  - ConfirmProductInstance
  - CopyFpgaImage
  - CopyImage
  - CopySnapshot
  - CreateCapacityReservation
  - CreateCarrierGateway
  - CreateClientVpnEndpoint
  - CreateClientVpnRoute
  - CreateCustomerGateway
  - CreateDefaultSubnet
  - CreateDefaultVpc
  - CreateDhcpOptions
  - CreateEgressOnlyInternetGateway
  - CreateFleet
  - CreateFlowLogs
  - CreateFpgaImage
  - CreateImage
  - CreateInstanceExportTask
  - CreateInternetGateway
  - CreateKeyPair
  - CreateLaunchTemplate
  - CreateLaunchTemplateVersion
  - CreateLocalGatewayRoute
  - CreateLocalGatewayRouteTableVpcAssociation
  - CreateManagedPrefixList
  - CreateNatGateway
  - CreateNetworkAcl
  - CreateNetworkAclEntry
  - CreateNetworkInsightsPath
  - CreateNetworkInterface
  - CreateNetworkInterfacePermission
  - CreatePlacementGroup
  - CreateReplaceRootVolumeTask
  - CreateReservedInstancesListing
  - CreateRestoreImageTask
  - CreateRoute
  - CreateRouteTable
  - CreateSecurityGroup
  - CreateSnapshot
  - CreateSnapshots
  - CreateSpotDatafeedSubscription
  - CreateStoreImageTask
  - CreateSubnet
  - CreateTags
  - CreateTrafficMirrorFilter
  - CreateTrafficMirrorFilterRule
  - CreateTrafficMirrorSession
  - CreateTrafficMirrorTarget
  - CreateTransitGateway
  - CreateTransitGatewayConnect
  - CreateTransitGatewayConnectPeer
  - CreateTransitGatewayMulticastDomain
  - CreateTransitGatewayPeeringAttachment
  - CreateTransitGatewayPrefixListReference
  - CreateTransitGatewayRoute
  - CreateTransitGatewayRouteTable
  - CreateTransitGatewayVpcAttachment
  - CreateVolume
  - CreateVpc
  - CreateVpcEndpoint
  - CreateVpcEndpointConnectionNotification
  - CreateVpcEndpointServiceConfiguration
  - CreateVpcPeeringConnection
  - CreateVpnConnection
  - CreateVpnConnectionRoute
  - CreateVpnGateway
  - DeleteCarrierGateway
  - DeleteClientVpnEndpoint
  - DeleteClientVpnRoute
  - DeleteCustomerGateway
  - DeleteDhcpOptions
  - DeleteEgressOnlyInternetGateway
  - DeleteFleets
  - DeleteFlowLogs
  - DeleteFpgaImage
  - DeleteInternetGateway
  - DeleteKeyPair
  - DeleteLaunchTemplate
  - DeleteLaunchTemplateVersions
  - DeleteLocalGatewayRoute
  - DeleteLocalGatewayRouteTableVpcAssociation
  - DeleteManagedPrefixList
  - DeleteNatGateway
  - DeleteNetworkAcl
  - DeleteNetworkAclEntry
  - DeleteNetworkInsightsAnalysis
  - DeleteNetworkInsightsPath
  - DeleteNetworkInterface
  - DeleteNetworkInterfacePermission
  - DeletePlacementGroup
  - DeleteQueuedReservedInstances
  - DeleteRoute
  - DeleteRouteTable
  - DeleteSecurityGroup
  - DeleteSnapshot
  - DeleteSpotDatafeedSubscription
  - DeleteSubnet
  - DeleteTags
  - DeleteTrafficMirrorFilter
  - DeleteTrafficMirrorFilterRule
  - DeleteTrafficMirrorSession
  - DeleteTrafficMirrorTarget
  - DeleteTransitGateway
  - DeleteTransitGatewayConnect
  - DeleteTransitGatewayConnectPeer
  - DeleteTransitGatewayMulticastDomain
  - DeleteTransitGatewayPeeringAttachment
  - DeleteTransitGatewayPrefixListReference
  - DeleteTransitGatewayRoute
  - DeleteTransitGatewayRouteTable
  - DeleteTransitGatewayVpcAttachment
  - DeleteVolume
  - DeleteVpc
  - DeleteVpcEndpointConnectionNotifications
  - DeleteVpcEndpointServiceConfigurations
  - DeleteVpcEndpoints
  - DeleteVpcPeeringConnection
  - DeleteVpnConnection
  - DeleteVpnConnectionRoute
  - DeleteVpnGateway
  - DeprovisionByoipCidr
  - DeregisterImage
  - DeregisterInstanceEventNotificationAttributes
  - DeregisterTransitGatewayMulticastGroupMembers
  - DeregisterTransitGatewayMulticastGroupSources
  - DescribeAccountAttributes
  - DescribeAddresses
  - DescribeAddressesAttribute
  - DescribeAggregateIdFormat
  - DescribeAvailabilityZones
  - DescribeBundleTasks
  - DescribeByoipCidrs
  - DescribeCapacityReservations
  - DescribeCarrierGateways
  - DescribeClassicLinkInstances
  - DescribeClientVpnAuthorizationRules
  - DescribeClientVpnConnections
  - DescribeClientVpnEndpoints
  - DescribeClientVpnRoutes
  - DescribeClientVpnTargetNetworks
  - DescribeCoipPools
  - DescribeConversionTasks
  - DescribeCustomerGateways
  - DescribeDhcpOptions
  - DescribeEgressOnlyInternetGateways
  - DescribeElasticGpus
  - DescribeExportImageTasks
  - DescribeExportTasks
  - DescribeFastSnapshotRestores
  - DescribeFleetHistory
  - DescribeFleetInstances
  - DescribeFleets
  - DescribeFlowLogs
  - DescribeFpgaImageAttribute
  - DescribeFpgaImages
  - DescribeHostReservationOfferings
  - DescribeHostReservations
  - DescribeHosts
  - DescribeIamInstanceProfileAssociations
  - DescribeIdFormat
  - DescribeIdentityIdFormat
  - DescribeImageAttribute
  - DescribeImages
  - DescribeImportImageTasks
  - DescribeImportSnapshotTasks
  - DescribeInstanceAttribute
  - DescribeInstanceCreditSpecifications
  - DescribeInstanceEventNotificationAttributes
  - DescribeInstanceStatus
  - DescribeInstanceTypeOfferings
  - DescribeInstanceTypes
  - DescribeInstances
  - DescribeInternetGateways
  - DescribeIpv6Pools
  - DescribeKeyPairs
  - DescribeLaunchTemplateVersions
  - DescribeLaunchTemplates
  - DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations
  - DescribeLocalGatewayRouteTableVpcAssociations
  - DescribeLocalGatewayRouteTables
  - DescribeLocalGatewayVirtualInterfaceGroups
  - DescribeLocalGatewayVirtualInterfaces
  - DescribeLocalGateways
  - DescribeManagedPrefixLists
  - DescribeMovingAddresses
  - DescribeNatGateways
  - DescribeNetworkAcls
  - DescribeNetworkInsightsAnalyses
  - DescribeNetworkInsightsPaths
  - DescribeNetworkInterfaceAttribute
  - DescribeNetworkInterfacePermissions
  - DescribeNetworkInterfaces
  - DescribePlacementGroups
  - DescribePrefixLists
  - DescribePrincipalIdFormat
  - DescribePublicIpv4Pools
  - DescribeRegions
  - DescribeReplaceRootVolumeTasks
  - DescribeReservedInstances
  - DescribeReservedInstancesListings
  - DescribeReservedInstancesModifications
  - DescribeReservedInstancesOfferings
  - DescribeRouteTables
  - DescribeScheduledInstanceAvailability
  - DescribeScheduledInstances
  - DescribeSecurityGroupReferences
  - DescribeSecurityGroupRules
  - DescribeSecurityGroups
  - DescribeSnapshotAttribute
  - DescribeSnapshots
  - DescribeSpotDatafeedSubscription
  - DescribeSpotFleetInstances
  - DescribeSpotFleetRequestHistory
  - DescribeSpotFleetRequests
  - DescribeSpotInstanceRequests
  - DescribeSpotPriceHistory
  - DescribeStaleSecurityGroups
  - DescribeStoreImageTasks
  - DescribeSubnets
  - DescribeTags
  - DescribeTrafficMirrorFilters
  - DescribeTrafficMirrorSessions
  - DescribeTrafficMirrorTargets
  - DescribeTransitGatewayAttachments
  - DescribeTransitGatewayConnectPeers
  - DescribeTransitGatewayConnects
  - DescribeTransitGatewayMulticastDomains
  - DescribeTransitGatewayPeeringAttachments
  - DescribeTransitGatewayRouteTables
  - DescribeTransitGatewayVpcAttachments
  - DescribeTransitGateways
  - DescribeVolumeAttribute
  - DescribeVolumeStatus
  - DescribeVolumes
  - DescribeVolumesModifications
  - DescribeVpcAttribute
  - DescribeVpcClassicLink
  - DescribeVpcClassicLinkDnsSupport
  - DescribeVpcEndpointConnectionNotifications
  - DescribeVpcEndpointConnections
  - DescribeVpcEndpointServiceConfigurations
  - DescribeVpcEndpointServicePermissions
  - DescribeVpcEndpointServices
  - DescribeVpcEndpoints
  - DescribeVpcPeeringConnections
  - DescribeVpcs
  - DescribeVpnConnections
  - DescribeVpnGateways
  - DetachClassicLinkVpc
  - DetachInternetGateway
  - DetachNetworkInterface
  - DetachVolume
  - DetachVpnGateway
  - DisableEbsEncryptionByDefault
  - DisableFastSnapshotRestores
  - DisableImageDeprecation
  - DisableSerialConsoleAccess
  - DisableTransitGatewayRouteTablePropagation
  - DisableVgwRoutePropagation
  - DisableVpcClassicLink
  - DisableVpcClassicLinkDnsSupport
  - DisassociateAddress
  - DisassociateClientVpnTargetNetwork
  - DisassociateEnclaveCertificateIamRole
  - DisassociateIamInstanceProfile
  - DisassociateRouteTable
  - DisassociateSubnetCidrBlock
  - DisassociateTransitGatewayMulticastDomain
  - DisassociateTransitGatewayRouteTable
  - DisassociateVpcCidrBlock
  - EnableEbsEncryptionByDefault
  - EnableFastSnapshotRestores
  - EnableImageDeprecation
  - EnableSerialConsoleAccess
  - EnableTransitGatewayRouteTablePropagation
  - EnableVgwRoutePropagation
  - EnableVolumeIO
  - EnableVpcClassicLink
  - EnableVpcClassicLinkDnsSupport
  - ExportClientVpnClientCertificateRevocationList
  - ExportClientVpnClientConfiguration
  - ExportImage
  - ExportTransitGatewayRoutes
  - GetAssociatedEnclaveCertificateIamRoles
  - GetAssociatedIpv6PoolCidrs
  - GetCapacityReservationUsage
  - GetCoipPoolUsage
  - GetConsoleOutput
  - GetConsoleScreenshot
  - GetDefaultCreditSpecification
  - GetEbsDefaultKmsKeyId
  - GetEbsEncryptionByDefault
  - GetFlowLogsIntegrationTemplate
  - GetGroupsForCapacityReservation
  - GetHostReservationPurchasePreview
  - GetLaunchTemplateData
  - GetManagedPrefixListAssociations
  - GetManagedPrefixListEntries
  - GetPasswordData
  - GetReservedInstancesExchangeQuote
  - GetSerialConsoleAccessStatus
  - GetTransitGatewayAttachmentPropagations
  - GetTransitGatewayMulticastDomainAssociations
  - GetTransitGatewayPrefixListReferences
  - GetTransitGatewayRouteTableAssociations
  - GetTransitGatewayRouteTablePropagations
  - ImportClientVpnClientCertificateRevocationList
  - ImportImage
  - ImportInstance
  - ImportKeyPair
  - ImportSnapshot
  - ImportVolume
  - ModifyAddressAttribute
  - ModifyAvailabilityZoneGroup
  - ModifyCapacityReservation
  - ModifyClientVpnEndpoint
  - ModifyDefaultCreditSpecification
  - ModifyEbsDefaultKmsKeyId
  - ModifyFleet
  - ModifyFpgaImageAttribute
  - ModifyHosts
  - ModifyIdFormat
  - ModifyIdentityIdFormat
  - ModifyImageAttribute
  - ModifyInstanceAttribute
  - ModifyInstanceCapacityReservationAttributes
  - ModifyInstanceCreditSpecification
  - ModifyInstanceEventStartTime
  - ModifyInstanceMetadataOptions
  - ModifyInstancePlacement
  - ModifyLaunchTemplate
  - ModifyManagedPrefixList
  - ModifyNetworkInterfaceAttribute
  - ModifyReservedInstances
  - ModifySecurityGroupRules
  - ModifySnapshotAttribute
  - ModifySpotFleetRequest
  - ModifySubnetAttribute
  - ModifyTrafficMirrorFilterNetworkServices
  - ModifyTrafficMirrorFilterRule
  - ModifyTrafficMirrorSession
  - ModifyTransitGateway
  - ModifyTransitGatewayPrefixListReference
  - ModifyTransitGatewayVpcAttachment
  - ModifyVolume
  - ModifyVolumeAttribute
  - ModifyVpcAttribute
  - ModifyVpcEndpoint
  - ModifyVpcEndpointConnectionNotification
  - ModifyVpcEndpointServiceConfiguration
  - ModifyVpcEndpointServicePermissions
  - ModifyVpcPeeringConnectionOptions
  - ModifyVpcTenancy
  - ModifyVpnConnection
  - ModifyVpnConnectionOptions
  - ModifyVpnTunnelCertificate
  - ModifyVpnTunnelOptions
  - MonitorInstances
  - MoveAddressToVpc
  - ProvisionByoipCidr
  - PurchaseHostReservation
  - PurchaseReservedInstancesOffering
  - PurchaseScheduledInstances
  - RebootInstances
  - RegisterImage
  - RegisterInstanceEventNotificationAttributes
  - RegisterTransitGatewayMulticastGroupMembers
  - RegisterTransitGatewayMulticastGroupSources
  - RejectTransitGatewayMulticastDomainAssociations
  - RejectTransitGatewayPeeringAttachment
  - RejectTransitGatewayVpcAttachment
  - RejectVpcEndpointConnections
  - RejectVpcPeeringConnection
  - ReleaseAddress
  - ReleaseHosts
  - ReplaceIamInstanceProfileAssociation
  - ReplaceNetworkAclAssociation
  - ReplaceNetworkAclEntry
  - ReplaceRoute
  - ReplaceRouteTableAssociation
  - ReplaceTransitGatewayRoute
  - ReportInstanceStatus
  - RequestSpotFleet
  - RequestSpotInstances
  - ResetAddressAttribute
  - ResetEbsDefaultKmsKeyId
  - ResetFpgaImageAttribute
  - ResetImageAttribute
  - ResetInstanceAttribute
  - ResetNetworkInterfaceAttribute
  - ResetSnapshotAttribute
  - RestoreAddressToClassic
  - RestoreManagedPrefixListVersion
  - RevokeClientVpnIngress
  - RevokeSecurityGroupEgress
  - RevokeSecurityGroupIngress
  - RunInstances
  - RunScheduledInstances
  - SearchLocalGatewayRoutes
  - SearchTransitGatewayMulticastGroups
  - SearchTransitGatewayRoutes
  - SendDiagnosticInterrupt
  - StartInstances
  - StartNetworkInsightsAnalysis
  - StartVpcEndpointServicePrivateDnsVerification
  - StopInstances
  - TerminateClientVpnConnections
  - TerminateInstances
  - UnassignIpv6Addresses
  - UnassignPrivateIpAddresses
  - UnmonitorInstances
  - UpdateSecurityGroupRuleDescriptionsEgress
  - UpdateSecurityGroupRuleDescriptionsIngress
  - WithdrawByoipCidr

ARN Format: arn:aws:ec2:<region>:<account>:<resourceType>/<resourcePath>
ARN Regex: ^arn:aws:ec2:.+

Condition Keys:
  - aws:RequestTag/${TagKey}
  - aws:ResourceTag/
  - aws:ResourceTag/${TagKey}
  - aws:TagKeys
  - ec2:AccepterVpc
  - ec2:AssociatePublicIpAddress
  - ec2:Attribute/${AttributeName}
  - ec2:AuthenticationType
  - ec2:AuthorizedService
  - ec2:AuthorizedUser
  - ec2:AutoPlacement
  - ec2:AvailabilityZone
  - ec2:ClientRootCertificateChainArn
  - ec2:CloudwatchLogGroupArn
  - ec2:CloudwatchLogStreamArn
  - ec2:CreateAction
  - ec2:DPDTimeoutSeconds
  - ec2:DirectoryArn
  - ec2:EbsOptimized
  - ec2:ElasticGpuType
  - ec2:Encrypted
  - ec2:GatewayType
  - ec2:HostRecovery
  - ec2:IKEVersions
  - ec2:ImageType
  - ec2:InsideTunnelCidr
  - ec2:InstanceMarketType
  - ec2:InstanceProfile
  - ec2:InstanceType
  - ec2:IsLaunchTemplateResource
  - ec2:KeyPairName
  - ec2:LaunchTemplate
  - ec2:MetadataHttpEndpoint
  - ec2:MetadataHttpPutResponseHopLimit
  - ec2:MetadataHttpTokens
  - ec2:NewInstanceProfile
  - ec2:OutpostArn
  - ec2:Owner
  - ec2:ParentSnapshot
  - ec2:ParentVolume
  - ec2:Permission
  - ec2:Phase1DHGroupNumbers
  - ec2:Phase1EncryptionAlgorithms
  - ec2:Phase1IntegrityAlgorithms
  - ec2:Phase1LifetimeSeconds
  - ec2:Phase2DHGroupNumbers
  - ec2:Phase2EncryptionAlgorithms
  - ec2:Phase2IntegrityAlgorithms
  - ec2:Phase2LifetimeSeconds
  - ec2:PlacementGroup
  - ec2:PlacementGroupStrategy
  - ec2:PresharedKeys
  - ec2:ProductCode
  - ec2:Public
  - ec2:Quantity
  - ec2:Region
  - ec2:RekeyFuzzPercentage
  - ec2:RekeyMarginTimeSeconds
  - ec2:RequesterVpc
  - ec2:ReservedInstancesOfferingType
  - ec2:ResourceTag/
  - ec2:ResourceTag/${TagKey}
  - ec2:RoleDelivery
  - ec2:RootDeviceType
  - ec2:RoutingType
  - ec2:SamlProviderArn
  - ec2:ServerCertificateArn
  - ec2:SnapshotTime
  - ec2:SourceInstanceARN
  - ec2:SourceOutpostArn
  - ec2:Subnet
  - ec2:Tenancy
  - ec2:VolumeIops
  - ec2:VolumeSize
  - ec2:VolumeThroughput
  - ec2:VolumeType
  - ec2:Vpc
  - ec2:VpceServiceName
  - ec2:VpceServiceOwner
  - ec2:VpceServicePrivateDnsName
