Permissions for @turbot/aws-ec2
The table below lists each permission granted by the @turbot/aws-ec2 mod, the grant level that receives it, and, where relevant, the reasoning behind that level:
Permission | Grant Level | Help |
---|---|---|
acm:ListCertificates | Metadata | Required for ELB launches. |
application-autoscaling:DeleteScalingPolicy | Admin | Admins can change the autoscaling process. |
application-autoscaling:DeleteScheduledAction | Admin | |
application-autoscaling:DeregisterScalableTarget | Operator | |
application-autoscaling:DescribeScalableTargets | Metadata | |
application-autoscaling:DescribeScalingActivities | Metadata | |
application-autoscaling:DescribeScalingPolicies | Metadata | |
application-autoscaling:DescribeScheduledActions | Metadata | |
application-autoscaling:PutScalingPolicy | Admin | Admins can change the autoscaling process. |
application-autoscaling:PutScheduledAction | Admin | |
application-autoscaling:RegisterScalableTarget | Operator | |
autoscaling-plans:CreateScalingPlan | Admin | |
autoscaling-plans:DeleteScalingPlan | Admin | |
autoscaling-plans:DescribeScalingPlanResources | Metadata | |
autoscaling-plans:DescribeScalingPlans | Metadata | |
autoscaling-plans:GetScalingPlanResourceForecastData | Metadata | |
autoscaling-plans:UpdateScalingPlan | Operator | |
autoscaling:AttachInstances | Operator | Operators can manage instances in an autoscaling group but not change its config. |
autoscaling:AttachLoadBalancerTargetGroups | Operator | Operators can manage instances in an autoscaling group but not change its config. |
autoscaling:AttachLoadBalancers | Operator | Operators can manage instances in an autoscaling group but not change its config. |
autoscaling:BatchDeleteScheduledAction | Whitelist | Admins can change the autoscaling process. |
autoscaling:BatchPutScheduledUpdateGroupAction | Whitelist | Admins can change the autoscaling process. |
autoscaling:CancelInstanceRefresh | Whitelist | |
autoscaling:CompleteLifecycleAction | Operator | Allows custom steps in the autoscaling lifecycle process |
autoscaling:CreateAutoScalingGroup | Whitelist | |
autoscaling:CreateLaunchConfiguration | Whitelist | |
autoscaling:CreateOrUpdateScalingTrigger | Whitelist | |
autoscaling:CreateOrUpdateTags | Operator | |
autoscaling:CreateScalingPlan | Whitelist | Admins can create autoscaling plan. |
autoscaling:DeleteAutoScalingGroup | Whitelist | |
autoscaling:DeleteLaunchConfiguration | Whitelist | |
autoscaling:DeleteLifecycleHook | Whitelist | Admins can change the autoscaling process. |
autoscaling:DeleteNotificationConfiguration | Operator | Operators can control monitoring & notification of the autoscaling group. |
autoscaling:DeletePolicy | Whitelist | Admins can change the autoscaling process. |
autoscaling:DeleteScalingPlan | Whitelist | Admins can delete autoscaling plan. |
autoscaling:DeleteScheduledAction | Whitelist | Admins can change the autoscaling process. |
autoscaling:DeleteTags | Operator | |
autoscaling:DeleteTrigger | Whitelist | |
autoscaling:DeleteWarmPool | Admin | |
autoscaling:DescribeAccountLimits | Metadata | |
autoscaling:DescribeAdjustmentTypes | Metadata | |
autoscaling:DescribeAutoScalingGroups | Metadata | |
autoscaling:DescribeAutoScalingInstances | Metadata | |
autoscaling:DescribeAutoScalingNotificationTypes | Metadata | |
autoscaling:DescribeInstanceRefreshes | Metadata | |
autoscaling:DescribeLaunchConfigurations | Metadata | |
autoscaling:DescribeLifecycleHookTypes | Metadata | |
autoscaling:DescribeLifecycleHooks | Metadata | |
autoscaling:DescribeLoadBalancerTargetGroups | Metadata | |
autoscaling:DescribeLoadBalancers | Metadata | |
autoscaling:DescribeMetricCollectionTypes | Metadata | |
autoscaling:DescribeNotificationConfigurations | Metadata | |
autoscaling:DescribePolicies | Metadata | |
autoscaling:DescribeScalingActivities | Metadata | |
autoscaling:DescribeScalingPlanResources | Metadata | Describes the scalable resources in the specified scaling plan. |
autoscaling:DescribeScalingPlans | Metadata | Describes the specified scaling plans or all of your scaling plans. |
autoscaling:DescribeScalingProcessTypes | Metadata | |
autoscaling:DescribeScheduledActions | Metadata | |
autoscaling:DescribeTags | Metadata | |
autoscaling:DescribeTerminationPolicyTypes | Metadata | |
autoscaling:DescribeTriggers | Metadata | |
autoscaling:DescribeWarmPool | Metadata | |
autoscaling:DetachInstances | Operator | Operators can manage instances in an autoscaling group but not change its config. |
autoscaling:DetachLoadBalancerTargetGroups | Operator | Operators can manage instances in an autoscaling group but not change its config. |
autoscaling:DetachLoadBalancers | Operator | Operators can manage instances in an autoscaling group but not change its config. |
autoscaling:DisableMetricsCollection | Operator | Operators can control monitoring & notification of the autoscaling group. |
autoscaling:EnableMetricsCollection | Operator | Operators can control monitoring & notification of the autoscaling group. |
autoscaling:EnterStandby | Operator | Operators can manage instances in an autoscaling group but not change its config. |
autoscaling:ExecutePolicy | Operator | Operators can execute a policy that was defined by an Admin. |
autoscaling:ExitStandby | Operator | Operators can manage instances in an autoscaling group but not change its config. |
autoscaling:PutLifecycleHook | Whitelist | Admins can change the autoscaling process. |
autoscaling:PutNotificationConfiguration | Operator | Operators can control monitoring & notification of the autoscaling group. |
autoscaling:PutScalingPolicy | Whitelist | Admins can change the autoscaling process. |
autoscaling:PutScheduledUpdateGroupAction | Whitelist | Admins can change the autoscaling process. |
autoscaling:PutWarmPool | Admin | |
autoscaling:RecordLifecycleActionHeartbeat | Operator | Operators can manage instances in an autoscaling group but not change its config. |
autoscaling:ResumeProcesses | Operator | |
autoscaling:SetDesiredCapacity | Whitelist | |
autoscaling:SetInstanceHealth | Operator | |
autoscaling:SetInstanceProtection | Operator | Operators can manage instances in an autoscaling group but not change its config. |
autoscaling:StartInstanceRefresh | Whitelist | |
autoscaling:SuspendProcesses | Operator | |
autoscaling:TerminateInstanceInAutoScalingGroup | Operator | |
autoscaling:UpdateAutoScalingGroup | Whitelist | |
aws-marketplace:BatchMeterUsage | Admin | Administrators may report software usage. |
aws-marketplace:GetEntitlements | Metadata | Viewing entitlement of a customer to a given product. http://docs.aws.amazon.com/marketplaceentitlement/latest/APIReference/Welcome.html. |
aws-marketplace:MeterUsage | Admin | Administrators may report software usage. |
aws-marketplace:ResolveCustomer | Admin | Used by SaaS application and returns customer identifier and product code based on registration token. |
aws-marketplace:Subscribe | Whitelist | Administrators may subscribe to marketplace software |
aws-marketplace:Unsubscribe | Whitelist | Administrators may unsubscribe from marketplace software |
aws-marketplace:ViewSubscriptions | Metadata | Viewing marketplace subscriptions is required for server management if the marketplace is used. |
cloudwatch:DescribeAlarmHistory | Metadata | For console access per EC2 ReadOnly policy |
cloudwatch:DescribeAlarms | Metadata | For console access per EC2 ReadOnly policy |
cloudwatch:DescribeAlarmsForMetric | Metadata | For console access per EC2 ReadOnly policy |
cloudwatch:GetMetricData | Metadata | Allows the GetMetricData API to retrieve many metrics in a single call and to apply math expressions to that data; read-only. |
cloudwatch:GetMetricStatistics | Metadata | For console access per EC2 ReadOnly policy |
cloudwatch:ListMetrics | Metadata | For console access per EC2 ReadOnly policy |
ec2-reports:ViewInstanceUsageReport | Metadata | Obscure permission http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/usage-reports.html#iam-access-ec2-reports |
ec2-reports:ViewReservedInstanceUtilizationReport | Metadata | Obscure permission http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/usage-reports.html#iam-access-ec2-reports |
ec2:AcceptReservedInstancesExchangeQuote | Admin | Accounts can manage their own reserved instances (but cannot resell them). |
ec2:AllocateAddress | Admin | Admins can allocate new elastic IP addresses; this is considered safe as the proper routing still needs to be configured for public access. |
ec2:AllocateHosts | Admin | |
ec2:AssignIpv6Addresses | Admin | Private IP addresses are within the allocated space to the account so can be safely managed by the account. |
ec2:AssignPrivateIpAddresses | Admin | Private IP addresses are within the allocated space to the account so can be safely managed by the account. |
ec2:AssociateAddress | Admin | Admins can associate elastic IP addresses; this is considered safe as the proper routing still needs to be configured for public access. |
ec2:AssociateEnclaveCertificateIamRole | Admin | |
ec2:AssociateIamInstanceProfile | Admin | Admins manage IAM instance profile associations for existing instances. |
ec2:AssociateInstanceEventWindow | Admin | |
ec2:AssociateTrunkInterface | Admin | |
ec2:AttachNetworkInterface | Admin | Network interfaces can be safely used by the account inside the VPC context. |
ec2:AttachVolume | Admin | |
ec2:BidEvictedEvent | Admin | Admins can update or terminate spot instances. |
ec2:BundleInstance | Whitelist | Optional VM export |
ec2:CancelBundleTask | Whitelist | Optional VM export |
ec2:CancelCapacityReservation | Admin | |
ec2:CancelCapacityReservationFleets | Admin | |
ec2:CancelConversionTask | Whitelist | Optional VM export |
ec2:CancelExportTask | Whitelist | Optional VM export |
ec2:CancelImportTask | Whitelist | Optional VM import |
ec2:CancelReservedInstancesListing | Admin | Reserved instance reselling is at the cluster level. |
ec2:CancelSpotFleetRequests | Admin | |
ec2:CancelSpotInstanceRequests | Admin | Accounts can safely use spot instances within their VPC. |
ec2:ConfirmProductInstance | Admin | Only relevant to AMI marketplace sellers. |
ec2:CopyFpgaImage | Admin | Copies the specified Amazon FPGA Image (AFI) to the current region. |
ec2:CopyImage | Whitelist | Optional image management. Copies image between regions not across accounts |
ec2:CopySnapshot | Operator | Low risk operation to copy data within the same account. |
ec2:CreateCapacityReservation | Admin | |
ec2:CreateCapacityReservationFleet | Admin | |
ec2:CreateFleet | Admin | |
ec2:CreateFpgaImage | Whitelist | Optional FPGA image management. https://aws.amazon.com/ec2/instance-types/f1/ |
ec2:CreateImage | Whitelist | Optional image management. Creates a new AMI from an instance in the account. |
ec2:CreateInstanceExportTask | Whitelist | Optional VM export. |
ec2:CreateInstanceEventWindow | Admin | |
ec2:CreateKeyPair | Admin | Administrators use key pairs when starting new instances. This should be moved to an option in the future when Guardrails supports non-key pair based login. |
ec2:CreateLaunchTemplate | Admin | |
ec2:CreateLaunchTemplateVersion | Admin | |
ec2:CreateManagedPrefixList | Admin | |
ec2:CreateNetworkInterfacePermission | Admin | |
ec2:CreateNetworkInterface | Admin | Network interfaces can be safely used by the account inside the VPC context. |
ec2:CreatePlacementGroup | Admin | Servers can be safely placed within cluster managed networks. |
ec2:CreateReplaceRootVolumeTask | Admin | |
ec2:CreateReservedInstancesListing | Admin | Reserved instance reselling is at the cluster level. |
ec2:CreateRestoreImageTask | Admin | |
ec2:CreateSnapshot | Operator | Low risk operation to backup data within the same account. |
ec2:CreateSnapshots | Operator | Low risk operation to backup data within the same account. |
ec2:CreateSpotDatafeedSubscription | Admin | Accounts can safely use spot instances within their VPC. |
ec2:CreateStoreImageTask | Admin | |
ec2:CreateTags | Operator | Tags are low risk to manage in Guardrails since accounts, not tags, are the isolation boundary. |
ec2:CreateVolume | Admin | Storage management is safe within the account. |
ec2:DeleteFleets | Admin | |
ec2:DeleteFpgaImage | Admin | Deletes the specified Amazon FPGA Image. |
ec2:DeleteInstanceEventWindow | Admin | |
ec2:DeleteKeyPair | Admin | |
ec2:DeleteLaunchTemplate | Admin | |
ec2:DeleteLaunchTemplateVersions | Admin | |
ec2:DeleteManagedPrefixList | Admin | |
ec2:DeleteNetworkInterface | Admin | Network interfaces can be safely used by the account inside the VPC context. |
ec2:DeleteNetworkInterfacePermission | Admin | |
ec2:DeletePlacementGroup | Admin | |
ec2:DeleteSnapshot | Admin | Deletion of snapshots is limited to Admin though creation is open to Operator. |
ec2:DeleteSpotDatafeedSubscription | Admin | |
ec2:DeleteTags | Operator | Tags are low risk to manage in Guardrails since accounts, not tags, are the isolation boundary. Most deletions are denied to Operator, but tag deletion is a low risk management activity. |
ec2:DeleteQueuedReservedInstances | Admin | |
ec2:DeleteVolume | Admin | |
ec2:DeregisterImage | Whitelist | Optional image management. Deregisters an image preventing further launches |
ec2:DeregisterInstanceEventNotificationAttributes | Admin | |
ec2:DescribeAccountAttributes | Metadata | |
ec2:DescribeAddresses | Metadata | |
ec2:DescribeAddressesAttribute | Metadata | |
ec2:DescribeAvailabilityZones | Metadata | |
ec2:DescribeBundleTasks | Metadata | |
ec2:DescribeCapacityReservations | Metadata | |
ec2:DescribeCapacityReservationFleets | Metadata | |
ec2:DescribeCarrierGateways | Metadata | |
ec2:DescribeClassicLinkInstances | Metadata | |
ec2:DescribeConversionTasks | Metadata | |
ec2:DescribeElasticGpus | Metadata | |
ec2:DescribeExportImageTasks | Metadata | |
ec2:DescribeExportTasks | Metadata | |
ec2:DescribeFastSnapshotRestores | Metadata | |
ec2:DescribeFleetHistory | Metadata | |
ec2:DescribeFleetInstances | Metadata | |
ec2:DescribeFleets | Metadata | |
ec2:DescribeFpgaImageAttribute | Metadata | Describes the specified attribute of the specified Amazon FPGA Image. |
ec2:DescribeFpgaImages | Metadata | |
ec2:DescribeHostReservationOfferings | Metadata | |
ec2:DescribeHostReservations | Metadata | |
ec2:DescribeHosts | Metadata | |
ec2:DescribeIamInstanceProfileAssociations | Metadata | |
ec2:DescribeIdFormat | Metadata | |
ec2:DescribeIdentityIdFormat | Metadata | |
ec2:DescribeImageAttribute | Metadata | |
ec2:DescribeImages | Metadata | |
ec2:DescribeImportImageTasks | Metadata | |
ec2:DescribeImportSnapshotTasks | Metadata | |
ec2:DescribeInstanceAttribute | Metadata | |
ec2:DescribeInstanceCreditSpecifications | Metadata | |
ec2:DescribeInstanceEventNotificationAttributes | Metadata | |
ec2:DescribeInstanceEventWindows | Metadata | |
ec2:DescribeInstanceStatus | Metadata | |
ec2:DescribeInstances | Metadata | |
ec2:DescribeInstanceTypeOfferings | Metadata | |
ec2:DescribeInstanceTypes | Metadata | |
ec2:DescribeKeyPairs | Metadata | |
ec2:DescribeLaunchTemplateVersions | Metadata | |
ec2:DescribeLaunchTemplates | Metadata | |
ec2:DescribeLicenses | Metadata | Note: Not currently in use by AWS - http://aws.amazon.com/blogs/aws/bring_your_own_ea_windows_server_license_to_ec2/ |
ec2:DescribeMovingAddresses | Metadata | |
ec2:DescribeNetworkInterfaceAttribute | Metadata | |
ec2:DescribeNetworkInterfacePermissions | Metadata | Describes the permissions of network interfaces. |
ec2:DescribeNetworkInterfaces | Metadata | |
ec2:DescribePlacementGroups | Metadata | |
ec2:DescribePublicIpv4Pools | Metadata | |
ec2:DescribeIpv6Pools | Metadata | |
ec2:DescribeReplaceRootVolumeTasks | Metadata | |
ec2:DescribeRegions | Metadata | |
ec2:DescribeReservedInstances | Metadata | |
ec2:DescribeReservedInstancesListings | Metadata | |
ec2:DescribeReservedInstancesModifications | Metadata | |
ec2:DescribeReservedInstancesOfferings | Metadata | |
ec2:DescribeScheduledInstanceAvailability | Metadata | |
ec2:DescribeScheduledInstances | Metadata | |
ec2:DescribeSecurityGroupReferences | Metadata | |
ec2:DescribeSecurityGroups | Metadata | |
ec2:DescribeSnapshotAttribute | Metadata | |
ec2:DescribeSnapshotTierStatus | Metadata | |
ec2:DescribeSnapshots | Metadata | |
ec2:DescribeSpotDatafeedSubscription | Metadata | |
ec2:DescribeSpotFleetInstances | Metadata | |
ec2:DescribeSpotFleetRequestHistory | Metadata | |
ec2:DescribeSpotFleetRequests | Metadata | |
ec2:DescribeSpotInstanceRequests | Metadata | |
ec2:DescribeSpotPriceHistory | Metadata | |
ec2:DescribeStaleSecurityGroups | Metadata | |
ec2:DescribeStoreImageTasks | Metadata | |
ec2:DescribeTags | Metadata | |
ec2:DescribeVolumeAttribute | Metadata | |
ec2:DescribeVolumeStatus | Metadata | |
ec2:DescribeVolumes | Metadata | |
ec2:DescribeVolumesModifications | Metadata | |
ec2:DetachClassicLinkVpc | Admin | |
ec2:DetachNetworkInterface | Admin | Network interfaces can be safely used by the account inside the VPC context. |
ec2:DetachVolume | Admin | |
ec2:DisableEbsEncryptionByDefault | Admin | Admins can disable EBS Encryption by Default. |
ec2:DisableFastSnapshotRestores | Admin | |
ec2:DisableImageDeprecation | Admin | |
ec2:DisableSerialConsoleAccess | Admin | |
ec2:DisassociateAddress | Admin | Admins can disassociate elastic IP addresses. |
ec2:DisassociateEnclaveCertificateIamRole | Admin | |
ec2:DisassociateIamInstanceProfile | Admin | Admins manage IAM instance profile associations for existing instances. |
ec2:DisassociateInstanceEventWindow | Admin | |
ec2:DisassociateTrunkInterface | Admin | |
ec2:EnableFastSnapshotRestores | Admin | |
ec2:DisableImageBlockPublicAccess | Admin | |
ec2:EnableImageBlockPublicAccess | Admin | |
ec2:EnableImageDeprecation | Admin | |
ec2:EnableSerialConsoleAccess | Admin | |
ec2:EnableEbsEncryptionByDefault | Admin | Admins can enable EBS Encryption by Default. |
ec2:EnableVolumeIO | Admin | |
ec2:ExportImage | Operator | |
ec2:GetAssociatedEnclaveCertificateIamRoles | Metadata | |
ec2:GetCapacityReservationUsage | Metadata | |
ec2:GetConsoleOutput | Metadata | Allows viewing of console output from instances; helpful for monitoring and investigating a system during boot. Considered Metadata rather than ReadOnly since systems should not be logging sensitive information to the console, and it is a key troubleshooting step before needing access to the actual machine (which would be at least ReadOnly). |
ec2:GetConsoleScreenshot | Metadata | Allows viewing of an on-demand screenshot of the instance console, which is helpful for monitoring and investigating systems that have become unreachable via RDP and SSH. Considered Metadata rather than ReadOnly since it is a key troubleshooting step when the instance is unreachable. |
ec2:GetDefaultCreditSpecification | Metadata | |
ec2:GetEbsDefaultKmsKeyId | Metadata | |
ec2:GetEbsEncryptionByDefault | Metadata | |
ec2:GetGroupsForCapacityReservation | Metadata | |
ec2:GetHostReservationPurchasePreview | Metadata | Allows preview of host reservation purchase but does not result in offering being purchased. |
ec2:GetInstanceTypesFromInstanceRequirements | Metadata | |
ec2:GetLaunchTemplateData | Metadata | Launch template data contains metadata about the EC2 instance. |
ec2:GetPasswordData | Admin | Required for launch of Windows machines and used with key pairs. |
ec2:GetReservedInstancesExchangeQuote | Metadata | |
ec2:GetSerialConsoleAccessStatus | Metadata | |
ec2:GetSpotPlacementScores | Metadata | |
ec2:ImportImage | Whitelist | Optional VM import |
ec2:ImportInstance | Whitelist | Optional VM import |
ec2:ImportKeyPair | Admin | Administrators use key pairs when starting new instances. This should be moved to an option in the future when Guardrails supports non-key pair based login. |
ec2:ImportSnapshot | Whitelist | Optional VM import |
ec2:ImportVolume | Whitelist | Optional VM import |
ec2:ListSnapshotsInRecycleBin | Metadata | |
ec2:ModifyAvailabilityZoneGroup | Admin | |
ec2:ModifyCapacityReservation | Admin | |
ec2:ModifyCapacityReservationFleet | Admin | |
ec2:ModifyDefaultCreditSpecification | Admin | |
ec2:ModifyEbsDefaultKmsKeyId | Admin | Admins can update default KMS key for EBS Encryption by Default. |
ec2:ModifyFleet | Admin | |
ec2:ModifyFpgaImageAttribute | Admin | Modifies the specified attributes (such as the description) of the specified Amazon FPGA Image. |
ec2:ModifyHosts | Admin | |
ec2:ModifyIdFormat | Admin | |
ec2:ModifyIdentityIdFormat | Admin | |
ec2:ModifyInstanceEventWindow | Admin | |
ec2:ModifyImageAttribute | Whitelist | Optional image attribute management. Launch permissions can share an AMI with other accounts or make it public. |
ec2:ModifyInstanceAttribute | Admin | Accounts can manage their own instances. |
ec2:ModifyInstanceCapacityReservationAttributes | Admin | |
ec2:ModifyInstanceCreditSpecification | Admin | |
ec2:ModifyInstanceEventStartTime | Admin | |
ec2:ModifyInstanceMetadataOptions | Admin | |
ec2:ModifyInstancePlacement | Admin | |
ec2:ModifyLaunchTemplate | Admin | |
ec2:ModifyNetworkInterfaceAttribute | Admin | Network interfaces can be safely used by the account inside the VPC context. |
ec2:ModifyReservedInstances | Admin | Accounts can manage their own reserved instances (but cannot resell them). |
ec2:ModifySnapshotTier | Admin | |
ec2:ModifySnapshotAttribute | Admin | Allows for cross-account access: the createVolumePermission attribute can share a snapshot with other accounts or make it public. |
ec2:ModifySpotFleetRequest | Admin | |
ec2:ModifyVolume | Admin | Within account storage performance changes. |
ec2:ModifyVolumeAttribute | Admin | Within account storage performance changes. |
ec2:MonitorInstances | Admin | Monitoring frequency is managed by accounts. |
ec2:MoveAddressToVpc | Admin | |
ec2:PurchaseHostReservation | Admin | Accounts can manage their own dedicated hosts. |
ec2:PurchaseReservedInstancesOffering | Admin | Accounts can manage their own reserved instances (but cannot resell them). |
ec2:PurchaseScheduledInstances | Owner | Long term subscriptions are managed by owners. |
ec2:RebootInstances | Operator | Operators can start stop and reboot existing instances. |
ec2:RegisterImage | Whitelist | Optional image management. Registers an AMI for launching; typically done automatically as part of CreateImage |
ec2:RegisterInstanceEventNotificationAttributes | Admin | |
ec2:ReleaseAddress | Admin | Admins can release elastic IP addresses. |
ec2:ReleaseHosts | Admin | |
ec2:ReplaceIamInstanceProfileAssociation | Admin | Admins manage IAM instance profile associations for existing instances. |
ec2:ReportInstanceStatus | Operator | Operators can report bad instances to AWS support. |
ec2:RequestSpotFleet | Admin | |
ec2:RequestSpotInstances | Admin | Accounts can safely use spot instances within their VPC. |
ec2:ResetEbsDefaultKmsKeyId | Admin | Admins can reset default KMS key for EBS Encryption by Default to the AWS managed CMK for EBS. |
ec2:ResetFpgaImageAttribute | Admin | Resets the load permission attribute. |
ec2:ResetImageAttribute | Whitelist | Optional image attribute management |
ec2:ResetInstanceAttribute | Admin | Instances are managed by accounts. |
ec2:ResetNetworkInterfaceAttribute | Admin | Network interfaces can be safely used by the account inside the VPC context. |
ec2:ResetSnapshotAttribute | Admin | |
ec2:RestoreAddressToClassic | Admin | EC2-Classic should not be used. |
ec2:RestoreSnapshotTier | Admin | |
ec2:RestoreSnapshotFromRecycleBin | Admin | |
ec2:RunInstances | Admin | Only Admin can create new instances. |
ec2:RunScheduledInstances | Admin | |
ec2:SendDiagnosticInterrupt | Admin | |
ec2:SendSpotInstanceInterruptions | Admin | |
ec2:StartInstances | Operator | Operators can start stop and reboot existing instances. |
ec2:StopInstances | Operator | Operators can start stop and reboot existing instances. |
ec2:TerminateInstances | Admin | Only Admin can terminate instances. |
ec2:UnassignIpv6Addresses | Admin | Private IP addresses are within the allocated space to the account so can be safely managed by the account. |
ec2:UnassignPrivateIpAddresses | Admin | Private IP addresses are within the allocated space to the account so can be safely managed by the account. |
ec2:UnmonitorInstances | Admin | Monitoring frequency is managed by accounts. |
elastic-inference:Connect | Admin | |
elasticloadbalancing:AddListenerCertificates | Admin | Admin can add specified certificate to the specified secure listener. |
elasticloadbalancing:AddTags | Operator | Operators can manage tags metadata about ELB. |
elasticloadbalancing:ApplySecurityGroupsToLoadBalancer | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:AttachLoadBalancerToSubnets | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:ConfigureHealthCheck | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:CreateAppCookieStickinessPolicy | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:CreateLBCookieStickinessPolicy | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:CreateListener | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
elasticloadbalancing:CreateLoadBalancer | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:CreateLoadBalancerListeners | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:CreateLoadBalancerPolicy | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:CreateRule | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
elasticloadbalancing:CreateTargetGroup | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
elasticloadbalancing:DeleteListener | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
elasticloadbalancing:DeleteLoadBalancer | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:DeleteLoadBalancerListeners | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:DeleteLoadBalancerPolicy | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:DeleteRule | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
elasticloadbalancing:DeleteTargetGroup | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
elasticloadbalancing:DeregisterInstancesFromLoadBalancer | Operator | Operators can manage individual instances on the ELB as part of being able to stop start and reboot servers. |
elasticloadbalancing:DeregisterTargets | Operator | Operators can manage individual instances on the ALB as part of being able to stop start and reboot servers. |
elasticloadbalancing:DescribeAccountLimits | Metadata | |
elasticloadbalancing:DescribeInstanceHealth | Metadata | |
elasticloadbalancing:DescribeListenerCertificates | Metadata | |
elasticloadbalancing:DescribeListeners | Metadata | |
elasticloadbalancing:DescribeLoadBalancerAttributes | Metadata | |
elasticloadbalancing:DescribeLoadBalancerPolicies | Metadata | |
elasticloadbalancing:DescribeLoadBalancerPolicyTypes | Metadata | |
elasticloadbalancing:DescribeLoadBalancers | Metadata | |
elasticloadbalancing:DescribeRules | Metadata | |
elasticloadbalancing:DescribeSSLPolicies | Metadata | |
elasticloadbalancing:DescribeTags | Metadata | |
elasticloadbalancing:DescribeTargetGroupAttributes | Metadata | |
elasticloadbalancing:DescribeTargetGroups | Metadata | |
elasticloadbalancing:DescribeTargetHealth | Metadata | |
elasticloadbalancing:DetachLoadBalancerFromSubnets | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:ModifyListener | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
elasticloadbalancing:ModifyLoadBalancerAttributes | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:ModifyRule | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
elasticloadbalancing:ModifyTargetGroup | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
elasticloadbalancing:ModifyTargetGroupAttributes | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
elasticloadbalancing:RegisterInstancesWithLoadBalancer | Operator | Operators can manage individual instances on the ELB as part of being able to stop start and reboot servers. |
elasticloadbalancing:RegisterTargets | Operator | Operators can manage individual instances on the ELB as part of being able to stop start and reboot servers. |
elasticloadbalancing:RemoveListenerCertificates | Admin | Admin can remove the specified certificate from the specified secure listener. |
elasticloadbalancing:RemoveTags | Operator | Operators can manage tags metadata about ELB. |
elasticloadbalancing:SetIpAddressType | Admin | |
elasticloadbalancing:SetLoadBalancerListenerSSLCertificate | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:SetLoadBalancerPoliciesOfListener | Admin | Accounts can manage ELB configuration within cluster defined network boundaries. |
elasticloadbalancing:SetRulePriorities | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
elasticloadbalancing:SetSecurityGroups | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
elasticloadbalancing:SetSubnets | Admin | Accounts can manage ALB configuration within cluster defined network boundaries. |
elasticloadbalancing:SetWebAcl | Admin | |
health:DescribeEventAggregates | Metadata | |
iam:PassRole | Admin | |
kms:ListAliases | Metadata | |
marketplacecommerceanalytics:GenerateDataSet | Admin | Administrators may access product and customer data on the AWS Marketplace. |
marketplacecommerceanalytics:StartSupportDataExport | Admin | Administrators may access product and customer data on the AWS Marketplace. |
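As an added example (not part of the @turbot/aws-ec2 mod or any Turbot code), the Python below turns rows of this table into IAM policy documents per grant level and reports which sensitive actions each level picks up. It assumes that grant levels nest (ReadOnly includes Metadata, Operator includes ReadOnly, Admin includes Operator, Owner includes Admin) and that Whitelist actions are opt-in only; the page does not state this, and the set of actions treated as sensitive is the editor's choice. The embedded rows are copied from the table above.

```python
"""Turn Guardrails-style 'permission | grant level | help' rows into IAM policies."""
import json
import re

# Constructed sample: rows copied from the table above. Only the first two
# columns are used; the help text is kept to show the parser tolerates it.
SAMPLE_TABLE = """\
Permission | Grant Level | Help |
---|---|---|
ec2:DescribeInstances | Metadata | |
ec2:GetConsoleOutput | Metadata | Allows viewing of console output from instances. |
ec2:CreateSnapshot | Operator | Low risk operation to backup data within the same account. |
ec2:StartInstances | Operator | Operators can start stop and reboot existing instances. |
ec2:DeleteSnapshot | Admin | Deletion of snapshots is limited to Admin though creation is open to Operator. |
ec2:ModifySnapshotAttribute | Admin | Allows for cross-account access. |
ec2:RunInstances | Admin | Only Admin can create new instances. |
ec2:PurchaseScheduledInstances | Owner | Long term subscriptions are managed by owners. |
ec2:ImportImage | Whitelist | Optional VM import |
autoscaling:SetDesiredCapacity | Whitelist | |
"""

# Assumption (not stated on the page): levels nest, so each level receives
# everything granted to the levels before it. Whitelist is opt-in and is
# never implied by a level.
LEVEL_ORDER = ["Metadata", "ReadOnly", "Operator", "Admin", "Owner"]
KNOWN_LEVELS = set(LEVEL_ORDER) | {"Whitelist"}

# Editor's choice of actions that destroy data or share it outside the
# account; used only to review what a level picks up.
SENSITIVE = {
    "ec2:DeleteSnapshot", "ec2:DeleteVolume", "ec2:TerminateInstances",
    "ec2:ModifySnapshotAttribute", "ec2:ModifyImageAttribute",
    "ec2:CreateNetworkInterfacePermission",
}

ROW_RE = re.compile(r"^\s*([a-z0-9-]+:[A-Za-z0-9]+)\s*\|\s*(\w+)\s*\|")


def parse_table(text):
    """Return {action: level}; header, separator and malformed rows are skipped."""
    rows = {}
    for line in text.splitlines():
        match = ROW_RE.match(line)
        if not match:
            continue
        action, level = match.group(1), match.group(2)
        if level not in KNOWN_LEVELS:
            raise ValueError(f"unknown grant level {level!r} for {action}")
        rows[action] = level
    return rows


def actions_for_level(rows, level, include_whitelist=False):
    """Sorted actions a principal at `level` receives under the nesting assumption."""
    rank = LEVEL_ORDER.index(level)
    granted = []
    for action, lvl in rows.items():
        if lvl == "Whitelist":
            if include_whitelist:
                granted.append(action)
        elif LEVEL_ORDER.index(lvl) <= rank:
            granted.append(action)
    return sorted(granted)


def build_policy(rows, level, include_whitelist=False):
    """IAM policy document (as a dict) granting exactly the actions for `level`."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": f"Guardrails{level}",
            "Effect": "Allow",
            "Action": actions_for_level(rows, level, include_whitelist),
            "Resource": "*",
        }],
    }


def review_level(rows, level, include_whitelist=False):
    """Sensitive actions that `level` would grant; check this before shipping a policy."""
    granted = actions_for_level(rows, level, include_whitelist)
    return sorted(a for a in granted if a in SENSITIVE)


if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    for lvl in ("Metadata", "Operator", "Admin"):
        print(lvl, "sensitive:", review_level(table, lvl))
    print(json.dumps(build_policy(table, "Operator"), indent=2))
```

Pasting the whole table into `SAMPLE_TABLE` yields several hundred actions for Admin; a single statement of that size can exceed the 6,144-character limit on an IAM managed policy, so split the action list across several statements or policies before attaching it. The review step is the part worth keeping: with the full table, Operator should come back empty, which confirms that the levels which can share snapshots or images outside the account stay at Admin and Whitelist as the help column describes.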