Permissions for @turbot/aws-ec2

Taking a look at permissions and associated grant levels for each permission for EC2:

Permission	Grant Level	Help
acm:ListCertificates	Metadata	Required for ELB launches.
application-autoscaling:DeleteScalingPolicy	Admin	Admins can change the autoscaling process.
application-autoscaling:DeleteScheduledAction	Admin
application-autoscaling:DeregisterScalableTarget	Operator
application-autoscaling:DescribeScalableTargets	Metadata
application-autoscaling:DescribeScalingActivities	Metadata
application-autoscaling:DescribeScalingPolicies	Metadata
application-autoscaling:DescribeScheduledActions	Metadata
application-autoscaling:PutScalingPolicy	Admin	Admins can change the autoscaling process.
application-autoscaling:PutScheduledAction	Admin
application-autoscaling:RegisterScalableTarget	Operator
autoscaling-plans:CreateScalingPlan	Admin
autoscaling-plans:DeleteScalingPlan	Admin
autoscaling-plans:DescribeScalingPlanResources	Metadata
autoscaling-plans:DescribeScalingPlans	Metadata
autoscaling-plans:GetScalingPlanResourceForecastData	Metadata
autoscaling-plans:UpdateScalingPlan	Operator
autoscaling:AttachInstances	Operator	Operators can manage instances in an autoscaling group but not change its config.
autoscaling:AttachLoadBalancerTargetGroups	Operator	Operators can manage instances in an autoscaling group but not change its config.
autoscaling:AttachLoadBalancers	Operator	Operators can manage instances in an autoscaling group but not change its config.
autoscaling:BatchDeleteScheduledAction	Whitelist	Admins can change the autoscaling process.
autoscaling:BatchPutScheduledUpdateGroupAction	Whitelist	Admins can change the autoscaling process.
autoscaling:CancelInstanceRefresh	Whitelist
autoscaling:CompleteLifecycleAction	Operator	Allows custom steps in the autoscaling lifecycle process
autoscaling:CreateAutoScalingGroup	Whitelist
autoscaling:CreateLaunchConfiguration	Whitelist
autoscaling:CreateOrUpdateScalingTrigger	Whitelist
autoscaling:CreateOrUpdateTags	Operator
autoscaling:CreateScalingPlan	Whitelist	Admins can create autoscaling plan.
autoscaling:DeleteAutoScalingGroup	Whitelist
autoscaling:DeleteLaunchConfiguration	Whitelist
autoscaling:DeleteLifecycleHook	Whitelist	Admins can change the autoscaling process.
autoscaling:DeleteNotificationConfiguration	Operator	Operators can control monitoring & notification of the autoscaling group.
autoscaling:DeletePolicy	Whitelist	Admins can change the autoscaling process.
autoscaling:DeleteScalingPlan	Whitelist	Admins can delete autoscaling plan.
autoscaling:DeleteScheduledAction	Whitelist	Admins can change the autoscaling process.
autoscaling:DeleteTags	Operator
autoscaling:DeleteTrigger	Whitelist
autoscaling:DeleteWarmPool	Admin
autoscaling:DescribeAccountLimits	Metadata
autoscaling:DescribeAdjustmentTypes	Metadata
autoscaling:DescribeAutoScalingGroups	Metadata
autoscaling:DescribeAutoScalingInstances	Metadata
autoscaling:DescribeAutoScalingNotificationTypes	Metadata
autoscaling:DescribeInstanceRefreshes	Metadata
autoscaling:DescribeLaunchConfigurations	Metadata
autoscaling:DescribeLifecycleHookTypes	Metadata
autoscaling:DescribeLifecycleHooks	Metadata
autoscaling:DescribeLoadBalancerTargetGroups	Metadata
autoscaling:DescribeLoadBalancers	Metadata
autoscaling:DescribeMetricCollectionTypes	Metadata
autoscaling:DescribeNotificationConfigurations	Metadata
autoscaling:DescribePolicies	Metadata
autoscaling:DescribeScalingActivities	Metadata
autoscaling:DescribeScalingPlanResources	Metadata	Describes the scalable resources in the specified scaling plan.
autoscaling:DescribeScalingPlans	Metadata	Describes the specified scaling plans or all of your scaling plans.
autoscaling:DescribeScalingProcessTypes	Metadata
autoscaling:DescribeScheduledActions	Metadata
autoscaling:DescribeTags	Metadata
autoscaling:DescribeTerminationPolicyTypes	Metadata
autoscaling:DescribeTriggers	Metadata
autoscaling:DescribeWarmPool	Metadata
autoscaling:DetachInstances	Operator	Operators can manage instances in an autoscaling group but not change its config.
autoscaling:DetachLoadBalancerTargetGroups	Operator	Operators can manage instances in an autoscaling group but not change its config.
autoscaling:DetachLoadBalancers	Operator	Operators can manage instances in an autoscaling group but not change its config.
autoscaling:DisableMetricsCollection	Operator	Operators can control monitoring & notification of the autoscaling group.
autoscaling:EnableMetricsCollection	Operator	Operators can control monitoring & notification of the autoscaling group.
autoscaling:EnterStandby	Operator	Operators can manage instances in an autoscaling group but not change its config.
autoscaling:ExecutePolicy	Operator	Operators can execute a policy that was defined by an Admin.
autoscaling:ExitStandby	Operator	Operators can manage instances in an autoscaling group but not change its config.
autoscaling:PutLifecycleHook	Whitelist	Admins can change the autoscaling process.
autoscaling:PutNotificationConfiguration	Operator	Operators can control monitoring & notification of the autoscaling group.
autoscaling:PutScalingPolicy	Whitelist	Admins can change the autoscaling process.
autoscaling:PutScheduledUpdateGroupAction	Whitelist	Admins can change the autoscaling process.
autoscaling:PutWarmPool	Admin
autoscaling:RecordLifecycleActionHeartbeat	Operator	Operators can manage instances in an autoscaling group but not change its config.
autoscaling:ResumeProcesses	Operator
autoscaling:SetDesiredCapacity	Whitelist
autoscaling:SetInstanceHealth	Operator
autoscaling:SetInstanceProtection	Operator	Operators can manage instances in an autoscaling group but not change its config.
autoscaling:StartInstanceRefresh	Whitelist
autoscaling:SuspendProcesses	Operator
autoscaling:TerminateInstanceInAutoScalingGroup	Operator
autoscaling:UpdateAutoScalingGroup	Whitelist
aws-marketplace:BatchMeterUsage	Admin	Administrators may report software usage.
aws-marketplace:GetEntitlements	Metadata	Viewing entitlement of a customer to a given product. http://docs.aws.amazon.com/marketplaceentitlement/latest/APIReference/Welcome.html.
aws-marketplace:MeterUsage	Admin	Administrators may report software usage.
aws-marketplace:ResolveCustomer	Admin	Used by SaaS application and returns customer identifier and product code based on registration token.
aws-marketplace:Subscribe	Whitelist	Administrators may subscribe to marketplace software
aws-marketplace:Unsubscribe	Whitelist	Administrators may subscribe to marketplace software
aws-marketplace:ViewSubscriptions	Metadata	Viewing marketplace subscriptions is required for server management if the marketplace is used.
cloudwatch:DescribeAlarmHistory	Metadata	For console access per EC2 ReadOnly policy
cloudwatch:DescribeAlarms	Metadata	For console access per EC2 ReadOnly policy
cloudwatch:DescribeAlarmsForMetric	Metadata	For console access per EC2 ReadOnly policy
cloudwatch:GetMetricData	Metadata	This allows GetMetricData API to retrieve as many as metrics data and to perform mathematical expressions on this data.
cloudwatch:GetMetricStatistics	Metadata	For console access per EC2 ReadOnly policy
cloudwatch:ListMetrics	Metadata	For console access per EC2 ReadOnly policy
ec2-reports:ViewInstanceUsageReport	Metadata	Obscure permission http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/usage-reports.html#iam-access-ec2-reports
ec2-reports:ViewReservedInstanceUtilizationReport	Metadata	Obscure permission http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/usage-reports.html#iam-access-ec2-reports
ec2:AcceptReservedInstancesExchangeQuote	Admin	Accounts can manage their own reserved instances (but cannot resell them).
ec2:AllocateAddress	Admin	Admins can allocate new elastic IP addresses; this is considered safe as the proper routing still needs to be configured for public access.
ec2:AllocateHosts	Admin
ec2:AssignIpv6Addresses	Admin	Private IP addresses are within the allocated space to the account so can be safely managed by the account.
ec2:AssignPrivateIpAddresses	Admin	Private IP addresses are within the allocated space to the account so can be safely managed by the account.
ec2:AssociateAddress	Admin	Admins can associate elastic IP addresses; this is considered safe as the proper routing still needs to be configured for public access.
ec2:AssociateEnclaveCertificateIamRole	Admin
ec2:AssociateIamInstanceProfile	Admin	Admins manage IAM instance profile associations for existing instances.
ec2:AssociateInstanceEventWindow	Admin
ec2:AssociateTrunkInterface	Admin
ec2:AttachNetworkInterface	Admin	Network interfaces can be safely used by the account inside the VPC context.
ec2:AttachVolume	Admin
ec2:BidEvictedEvent	Admin	Admins can update or terminate spot instances.
ec2:BundleInstance	Whitelist	Optional VM export
ec2:CancelBundleTask	Whitelist	Optional VM export
ec2:CancelCapacityReservation	Admin
ec2:CancelCapacityReservationFleets	Admin
ec2:CancelConversionTask	Whitelist	Optional VM export
ec2:CancelExportTask	Whitelist	Optional VM export
ec2:CancelImportTask	Whitelist	Optional VM import
ec2:CancelReservedInstancesListing	Admin	Reserved instance reselling is at the cluster level.
ec2:CancelSpotFleetRequests	Admin
ec2:CancelSpotInstanceRequests	Admin	Accounts can safely use spot instances within their VPC.
ec2:ConfirmProductInstance	Admin	Only relevant to AMI marketplace sellers.
ec2:CopyFpgaImage	Admin	Copies the specified Amazon FPGA Image (AFI) to the current region.
ec2:CopyImage	Whitelist	Optional image management. Copies image between regions not across accounts
ec2:CopySnapshot	Operator	Low risk operation to copy data within the same account.
ec2:CreateCapacityReservation	Admin
ec2:CreateCapacityReservationFleet	Admin
ec2:CreateFleet	Admin
ec2:CreateFpgaImage	Whitelist	Optional FPGA image management. https://aws.amazon.com/ec2/instance-types/f1/
ec2:CreateImage	Whitelist	Optional image management. Creates a new AMI from an instance in the account.
ec2:CreateInstanceExportTask	Whitelist	Optional VM export.
ec2:CreateInstanceEventWindow	Admin
ec2:CreateKeyPair	Admin	Administrators use key pairs when starting new instances. This should be moved to an option in the future when Guardrails supports non-key pair based login.
ec2:CreateLaunchTemplate	Admin
ec2:CreateLaunchTemplateVersion	Admin
ec2:CreateManagedPrefixList	Admin
ec2:CreateNetworkInterfacePermission	Admin
ec2:CreateNetworkInterface	Admin	Network interfaces can be safely used by the account inside the VPC context.
ec2:CreatePlacementGroup	Admin	Servers can be safely placed within cluster managed networks.
ec2:CreateReplaceRootVolumeTask	Admin
ec2:CreateReservedInstancesListing	Admin	Reserved instance reselling is at the cluster level.
ec2:CreateRestoreImageTask	Admin
ec2:CreateSnapshot	Operator	Low risk operation to backup data within the same account.
ec2:CreateSnapshots	Operator	Low risk operation to backup data within the same account.
ec2:CreateSpotDatafeedSubscription	Admin	Accounts can safely use spot instances within their VPC.
ec2:CreateStoreImageTask	Admin
ec2:CreateTags	Operator	Tags are low risk for management in Guardrails since accounts are the isolation boundary; not tags.
ec2:CreateVolume	Admin	Storage management is safe within the account.
ec2:DeleteFleets	Admin
ec2:DeleteFpgaImage	Admin	Deletes the specified Amazon FPGA Image.
ec2:DeleteInstanceEventWindow	Admin
ec2:DeleteKeyPair	Admin
ec2:DeleteLaunchTemplate	Admin
ec2:DeleteLaunchTemplateVersions	Admin
ec2:DeleteManagedPrefixList	Admin
ec2:DeleteNetworkInterface	Admin	Network interfaces can be safely used by the account inside the VPC context.
ec2:DeleteNetworkInterfacePermission	Admin
ec2:DeletePlacementGroup	Admin
ec2:DeleteSnapshot	Admin	Deletion of snapshots is limited to Admin though creation is open to Operator.
ec2:DeleteSpotDatafeedSubscription	Admin
ec2:DeleteTags	Operator	Tags are low risk for management in Guardrails since accounts are the isolation boundary; not tags. Most deletions are denied to operator but tags are a low risk management activity even for deletion.
ec2:DeleteQueuedReservedInstances	Admin
ec2:DeleteVolume	Admin
ec2:DeregisterImage	Whitelist	Optional image management. Deregisters an image preventing further launches
ec2:DeregisterInstanceEventNotificationAttributes	Admin
ec2:DescribeAccountAttributes	Metadata
ec2:DescribeAddresses	Metadata
ec2:DescribeAddressesAttribute	Metadata
ec2:DescribeAvailabilityZones	Metadata
ec2:DescribeBundleTasks	Metadata
ec2:DescribeCapacityReservations	Metadata
ec2:DescribeCapacityReservationFleets	Metadata
ec2:DescribeCarrierGateways	Metadata
ec2:DescribeClassicLinkInstances	Metadata
ec2:DescribeConversionTasks	Metadata
ec2:DescribeElasticGpus	Metadata
ec2:DescribeExportImageTasks	Metadata
ec2:DescribeExportTasks	Metadata
ec2:DescribeFastSnapshotRestores	Metadata
ec2:DescribeFleetHistory	Metadata
ec2:DescribeFleetInstances	Metadata
ec2:DescribeFleets	Metadata
ec2:DescribeFpgaImageAttribute	Metadata	Describes the specified attribute of the specified Amazon FPGA Image.
ec2:DescribeFpgaImages	Metadata
ec2:DescribeHostReservationOfferings	Metadata
ec2:DescribeHostReservations	Metadata
ec2:DescribeHosts	Metadata
ec2:DescribeIamInstanceProfileAssociations	Metadata
ec2:DescribeIdFormat	Metadata
ec2:DescribeIdentityIdFormat	Metadata
ec2:DescribeImageAttribute	Metadata
ec2:DescribeImages	Metadata
ec2:DescribeImportImageTasks	Metadata
ec2:DescribeImportSnapshotTasks	Metadata
ec2:DescribeInstanceAttribute	Metadata
ec2:DescribeInstanceCreditSpecifications	Metadata
ec2:DescribeInstanceEventNotificationAttributes	Metadata
ec2:DescribeInstanceEventWindows	Metadata
ec2:DescribeInstanceStatus	Metadata
ec2:DescribeInstances	Metadata
ec2:DescribeInstanceTypeOfferings	Metadata
ec2:DescribeInstanceTypes	Metadata
ec2:DescribeKeyPairs	Metadata
ec2:DescribeLaunchTemplateVersions	Metadata
ec2:DescribeLaunchTemplates	Metadata
ec2:DescribeLicenses	Metadata	Note: Not currently in use by AWS - http://aws.amazon.com/blogs/aws/bring\_your\_own\_ea\_windows\_server\_license\_to\_ec2/
ec2:DescribeMovingAddresses	Metadata
ec2:DescribeNetworkInterfaceAttribute	Metadata
ec2:DescribeNetworkInterfacePermissions	Metadata	Describes the permissions of network interfaces.
ec2:DescribeNetworkInterfaces	Metadata
ec2:DescribePlacementGroups	Metadata
ec2:DescribePublicIpv4Pools	Metadata
ec2:DescribeIpv6Pools	Metadata
ec2:DescribeReplaceRootVolumeTasks	Metadata
ec2:DescribeRegions	Metadata
ec2:DescribeReservedInstances	Metadata
ec2:DescribeReservedInstancesListings	Metadata
ec2:DescribeReservedInstancesModifications	Metadata
ec2:DescribeReservedInstancesOfferings	Metadata
ec2:DescribeReplaceRootVolumeTasks	Metadata
ec2:DescribeScheduledInstanceAvailability	Metadata
ec2:DescribeScheduledInstances	Metadata
ec2:DescribeSecurityGroupReferences	Metadata
ec2:DescribeSecurityGroups	Metadata
ec2:DescribeSnapshotAttribute	Metadata
ec2:DescribeSnapshotTierStatus	Metadata
ec2:DescribeSnapshots	Metadata
ec2:DescribeSpotDatafeedSubscription	Metadata
ec2:DescribeSpotFleetInstances	Metadata
ec2:DescribeSpotFleetRequestHistory	Metadata
ec2:DescribeSpotFleetRequests	Metadata
ec2:DescribeSpotInstanceRequests	Metadata
ec2:DescribeSpotPriceHistory	Metadata
ec2:DescribeStaleSecurityGroups	Metadata
ec2:DescribeStoreImageTasks	Metadata
ec2:DescribeTags	Metadata
ec2:DescribeVolumeAttribute	Metadata
ec2:DescribeVolumeStatus	Metadata
ec2:DescribeVolumes	Metadata
ec2:DescribeVolumesModifications	Metadata
ec2:DetachClassicLinkVpc	Admin
ec2:DetachNetworkInterface	Admin	Network interfaces can be safely used by the account inside the VPC context.
ec2:DetachVolume	Admin
ec2:DisableEbsEncryptionByDefault	Admin	Admins can disable EBS Encryption by Default.
ec2:DisableFastSnapshotRestores	Admin
ec2:DisableImageDeprecation	Admin
ec2:DisableSerialConsoleAccess	Admin
ec2:DisassociateAddress	Admin	Admins can disassociate elastic IP addresses.
ec2:DisassociateEnclaveCertificateIamRole	Admin
ec2:DisassociateIamInstanceProfile	Admin	Admins manage IAM instance profile associations for existing instances.
ec2:DisassociateInstanceEventWindow	Admin
ec2:DisassociateTrunkInterface	Admin
ec2:EnableFastSnapshotRestores	Admin
ec2:DisableImageBlockPublicAccess	Admin
ec2:EnableImageBlockPublicAccess	Admin
ec2:EnableImageDeprecation	Admin
ec2:EnableSerialConsoleAccess	Admin
ec2:EnableEbsEncryptionByDefault	Admin	Admins can enable EBS Encryption by Default.
ec2:EnableVolumeIO	Admin
ec2:ExportImage	Operator
ec2:GetAssociatedEnclaveCertificateIamRoles	Metadata
ec2:GetCapacityReservationUsage	Metadata
ec2:GetConsoleOutput	Metadata	Allows viewing of console data from machines; helpful for monitoring & investigating system during bootup. Considered to be metadata not ReadOnly since systems should not be logging sensitive information and it's a key part of troubleshooting before needing access to the actual machine (which would obviously be at least ReadOnly).
ec2:GetConsoleScreenshot	Metadata	Allows viewing of on-demand screenshot of instance console for machines which is helpful for monitoring & investigating systems when they become unreachable via RDS and SSH. Considered to be metadata and not ReadOnly since it's a key part of troubleshooting when the instance is unreachable.
ec2:GetDefaultCreditSpecification	Metadata
ec2:GetEbsDefaultKmsKeyId	Metadata
ec2:GetEbsEncryptionByDefault	Metadata
ec2:GetGroupsForCapacityReservation	Metadata
ec2:GetHostReservationPurchasePreview	Metadata	Allows preview of host reservation purchase but does not result in offering being purchased.
ec2:GetInstanceTypesFromInstanceRequirements	Metadata
ec2:GetLaunchTemplateData	Metadata	Launch template data contains metadata about the EC2 instance.
ec2:GetPasswordData	Admin	Required for launch of Windows machines and used with key pairs.
ec2:GetReservedInstancesExchangeQuote	Metadata
ec2:GetSerialConsoleAccessStatus	Metadata
ec2:GetSpotPlacementScores	Metadata
ec2:ImportImage	Whitelist	Optional VM import
ec2:ImportInstance	Whitelist	Optional VM import
ec2:ImportKeyPair	Admin	Administrators use key pairs when starting new instances. This should be moved to an option in the future when Guardrails supports non-key pair based login.
ec2:ImportSnapshot	Whitelist	Optional VM import
ec2:ImportVolume	Whitelist	Optional VM import
ec2:ListSnapshotsInRecycleBin	Metadata
ec2:ModifyAvailabilityZoneGroup	Admin
ec2:ModifyCapacityReservation	Admin
ec2:ModifyCapacityReservationFleet	Admin
ec2:ModifyDefaultCreditSpecification	Admin
ec2:ModifyEbsDefaultKmsKeyId	Admin	Admins can update default KMS key for EBS Encryption by Default.
ec2:ModifyFleet	Admin
ec2:ModifyFpgaImageAttribute	Admin	Modifies the specified attributes(description
ec2:ModifyHosts	Admin
ec2:ModifyIdFormat	Admin
ec2:ModifyIdentityIdFormat	Admin
ec2:ModifyInstanceEventWindow	Admin
ec2:ModifyImageAttribute	Whitelist	Optional image attribute management
ec2:ModifyInstanceAttribute	Admin	Accounts can manage their own instances.
ec2:ModifyInstanceCapacityReservationAttributes	Admin
ec2:ModifyInstanceCreditSpecification	Admin
ec2:ModifyInstanceEventStartTime	Admin
ec2:ModifyInstanceMetadataOptions	Admin
ec2:ModifyInstancePlacement	Admin
ec2:ModifyLaunchTemplate	Admin
ec2:ModifyNetworkInterfaceAttribute	Admin	Network interfaces can be safely used by the account inside the VPC context.
ec2:ModifyReservedInstances	Admin	Accounts can manage their own reserved instances (but cannot resell them).
ec2:ModifySnapshotTier	Admin
ec2:ModifySnapshotAttribute	Admin	Allows for cross-account access.
ec2:ModifySpotFleetRequest	Admin
ec2:ModifyVolume	Admin	Within account storage performance changes.
ec2:ModifyVolumeAttribute	Admin	Within account storage performance changes.
ec2:MonitorInstances	Admin	Monitoring frequency is managed by accounts.
ec2:MoveAddressToVpc	Admin
ec2:PurchaseHostReservation	Admin	Accounts can manage their own dedicated hosts.
ec2:PurchaseReservedInstancesOffering	Admin	Accounts can manage their own reserved instances (but cannot resell them).
ec2:PurchaseScheduledInstances	Owner	Long term subscriptions are managed by owners.
ec2:RebootInstances	Operator	Operators can start stop and reboot existing instances.
ec2:RegisterImage	Whitelist	Optional image management. Registers an AMI for launching; typically done automatically as part of CreateImage
ec2:RegisterInstanceEventNotificationAttributes	Admin
ec2:ReleaseAddress	Admin	Admins can release elastic IP addresses.
ec2:ReleaseHosts	Admin
ec2:ReplaceIamInstanceProfileAssociation	Admin	Admins manage IAM instance profile associations for existing instances.
ec2:ReportInstanceStatus	Operator	Operators can report bad instances to AWS support.
ec2:RequestSpotFleet	Admin
ec2:RequestSpotInstances	Admin	Accounts can safely use spot instances within their VPC.
ec2:ResetEbsDefaultKmsKeyId	Admin	Admins can reset default KMS key for EBS Encryption by Default to the AWS managed CMK for EBS.
ec2:ResetFpgaImageAttribute	Admin	Resets the the load permission attribute.
ec2:ResetImageAttribute	Whitelist	Optional image attribute management
ec2:ResetInstanceAttribute	Admin	Instances are managed by accounts.
ec2:ResetNetworkInterfaceAttribute	Admin	Network interfaces can be safely used by the account inside the VPC context.
ec2:ResetSnapshotAttribute	Admin
ec2:RestoreAddressToClassic	Admin	EC2 classic should not be used
ec2:RestoreSnapshotTier	Admin
ec2:RestoreSnapshotFromRecycleBin	Admin
ec2:RunInstances	Admin	Only Admin can create new instances.
ec2:RunScheduledInstances	Admin
ec2:SendDiagnosticInterrupt	Admin
ec2:SendSpotInstanceInterruptions	Admin
ec2:StartInstances	Operator	Operators can start stop and reboot existing instances.
ec2:StopInstances	Operator	Operators can start stop and reboot existing instances.
ec2:TerminateInstances	Admin	Only Admin can terminate instances.
ec2:UnassignIpv6Addresses	Admin	Private IP addresses are within the allocated space to the account so can be safely managed by the account.
ec2:UnassignPrivateIpAddresses	Admin	Private IP addresses are within the allocated space to the account so can be safely managed by the account.
ec2:UnmonitorInstances	Admin	Monitoring frequency is managed by accounts.
elastic-inference:Connect	Admin
elasticloadbalancing:AddListenerCertificates	Admin	Admin can add specified certificate to the specified secure listener.
elasticloadbalancing:AddTags	Operator	Operators can manage tags metadata about ELB.
elasticloadbalancing:ApplySecurityGroupsToLoadBalancer	Admin	Accounts can manage ELB configuration within cluster defined network boundaries.
elasticloadbalancing:AttachLoadBalancerToSubnets	Admin	Accounts can manage ELB configuration within cluster defined network boundaries.
elasticloadbalancing:ConfigureHealthCheck	Admin	Accounts can manage ELB configuration within cluster defined network boundaries.
elasticloadbalancing:CreateAppCookieStickinessPolicy	Admin	Accounts can manage ELB configuration within cluster defined network boundaries.
elasticloadbalancing:CreateLBCookieStickinessPolicy	Admin	Accounts can manage ELB configuration within cluster defined network boundaries.
elasticloadbalancing:CreateListener	Admin	Accounts can manage ALB configuration within cluster defined network boundaries.
elasticloadbalancing:CreateLoadBalancer	Admin	Accounts can manage ELB configuration within cluster defined network boundaries.
elasticloadbalancing:CreateLoadBalancerListeners	Admin	Accounts can manage ELB configuration within cluster defined network boundaries.
elasticloadbalancing:CreateLoadBalancerListeners	Admin	Accounts can manage ELB configuration within cluster defined network boundaries.
elasticloadbalancing:CreateLoadBalancerPolicy	Admin	Accounts can manage ELB configuration within cluster defined network boundaries.
elasticloadbalancing:CreateRule	Admin	Accounts can manage ALB configuration within cluster defined network boundaries.
elasticloadbalancing:CreateTargetGroup	Admin	Accounts can manage ALB configuration within cluster defined network boundaries.
elasticloadbalancing:DeleteListener	Admin	Accounts can manage ALB configuration within cluster defined network boundaries.
elasticloadbalancing:DeleteLoadBalancer	Admin	Accounts can manage ELB configuration within cluster defined network boundaries.
elasticloadbalancing:DeleteLoadBalancerListeners	Admin	Accounts can manage ELB configuration within cluster defined network boundaries.
elasticloadbalancing:DeleteLoadBalancerPolicy	Admin	Accounts can manage ELB configuration within cluster defined network boundaries.
elasticloadbalancing:DeleteRule	Admin	Accounts can manage ALB configuration within cluster defined network boundaries.
elasticloadbalancing:DeleteTargetGroup	Admin	Accounts can manage ALB configuration within cluster defined network boundaries.
elasticloadbalancing:DeregisterInstancesFromLoadBalancer	Operator	Operators can manage individual instances on the ELB as part of being able to stop start and reboot servers.
elasticloadbalancing:DeregisterTargets	Operator	Operators can manage individual instances on the ALB as part of being able to stop start and reboot servers.
elasticloadbalancing:DescribeAccountLimits	Metadata
elasticloadbalancing:DescribeInstanceHealth	Metadata
elasticloadbalancing:DescribeListenerCertificates	Metadata
elasticloadbalancing:DescribeListeners	Metadata
elasticloadbalancing:DescribeLoadBalancerAttributes	Metadata
elasticloadbalancing:DescribeLoadBalancerPolicies	Metadata
elasticloadbalancing:DescribeLoadBalancerPolicyTypes	Metadata
elasticloadbalancing:DescribeLoadBalancers	Metadata
elasticloadbalancing:DescribeRules	Metadata
elasticloadbalancing:DescribeSSLPolicies	Metadata
elasticloadbalancing:DescribeTags	Metadata
elasticloadbalancing:DescribeTargetGroupAttributes	Metadata
elasticloadbalancing:DescribeTargetGroups	Metadata
elasticloadbalancing:DescribeTargetHealth	Metadata
elasticloadbalancing:DetachLoadBalancerFromSubnets	Admin	Accounts can manage ELB configuration within cluster defined network boundaries.
elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer	Admin	Accounts can manage ELB configuration within cluster defined network boundaries.
elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer	Admin	Accounts can manage ELB configuration within cluster defined network boundaries.
elasticloadbalancing:ModifyListener	Admin	Accounts can manage ALB configuration within cluster defined network boundaries.
elasticloadbalancing:ModifyLoadBalancerAttributes	Admin	Accounts can manage ELB configuration within cluster defined network boundaries.
elasticloadbalancing:ModifyRule	Admin	Accounts can manage ALB configuration within cluster defined network boundaries.
elasticloadbalancing:ModifyTargetGroup	Admin	Accounts can manage ALB configuration within cluster defined network boundaries.
elasticloadbalancing:ModifyTargetGroupAttributes	Admin	Accounts can manage ALB configuration within cluster defined network boundaries.
elasticloadbalancing:RegisterInstancesWithLoadBalancer	Operator	Operators can manage individual instances on the ELB as part of being able to stop start and reboot servers.
elasticloadbalancing:RegisterTargets	Operator	Operators can manage individual instances on the ELB as part of being able to stop start and reboot servers.
elasticloadbalancing:RemoveListenerCertificates	Admin	Admin can remove the specified certificate from the specified secure listener.
elasticloadbalancing:RemoveTags	Operator	Operators can manage tags metadata about ELB.
elasticloadbalancing:SetIpAddressType	Admin
elasticloadbalancing:SetLoadBalancerListenerSSLCertificate	Admin	Accounts can manage ELB configuration within cluster defined network boundaries.
elasticloadbalancing:SetLoadBalancerListenerSSLCertificate	Admin	Accounts can manage ELB configuration within cluster defined network boundaries.
elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer	Admin	Accounts can manage ELB configuration within cluster defined network boundaries.
elasticloadbalancing:SetLoadBalancerPoliciesOfListener	Admin	Accounts can manage ELB configuration within cluster defined network boundaries.
elasticloadbalancing:SetLoadBalancerPoliciesOfListener	Admin	Accounts can manage ELB configuration within cluster defined network boundaries.
elasticloadbalancing:SetRulePriorities	Admin	Accounts can manage ALB configuration within cluster defined network boundaries.
elasticloadbalancing:SetSecurityGroups	Admin	Accounts can manage ALB configuration within cluster defined network boundaries.
elasticloadbalancing:SetSubnets	Admin	Accounts can manage ALB configuration within cluster defined network boundaries.
elasticloadbalancing:SetWebAcl	Admin
health:DescribeEventAggregates	Metadata
iam:PassRole	Admin
kms:ListAliases	Metadata
marketplacecommerceanalytics:GenerateDataSet	Admin	Administrators may access product and customer data on the AWS Marketplace.
marketplacecommerceanalytics:StartSupportDataExport	Admin	Administrators may access product and customer data on the AWS Marketplace.