Amazon EC2 (ec2)

2021-06-22

6 new actions, 1 new resource | 4 updated actions

Additions

    Actions
  • CreateReplaceRootVolumeTask
    • Description:  Grants permission to create a root volume replacement task
    • Access:  Write
    • Resources:
      • Name: instance (Required: Yes)
      • Name: snapshot (Required: No)
    • Conditions:
      • aws:ResourceTag/${TagKey}
      • ec2:AvailabilityZone
      • ec2:EbsOptimized
      • ec2:InstanceProfile
      • ec2:InstanceType
      • ec2:PlacementGroup
      • ec2:Region
      • ec2:ResourceTag/${TagKey}
      • ec2:RootDeviceType
      • ec2:Tenancy
      • ec2:Owner
      • ec2:ParentVolume
      • ec2:SnapshotTime
      • ec2:VolumeSize

  • CreateRestoreImageTask
    • Description:  Grants permission to start a task that restores an AMI from an S3 object previously created by using CreateStoreImageTask
    • Access:  Write
    • Resources:
      • Name: image (Required: Yes)
    • Conditions:
      • aws:RequestTag/${TagKey}
      • aws:TagKeys
      • ec2:ImageType
      • ec2:Owner
      • ec2:Public
      • ec2:Region
      • ec2:RootDeviceType

  • CreateStoreImageTask
    • Description:  Grants permission to store an AMI as a single object in an S3 bucket
    • Access:  Write
    • Resources:
      • Name: image (Required: Yes)
    • Conditions:
      • ec2:Owner
      • ec2:Region

  • DescribeReplaceRootVolumeTasks
    • Description:  Grants permission to describe a root volume replacement task
    • Access:  List
  • DescribeStoreImageTasks
    • Description:  Grants permission to describe the progress of the AMI store tasks
    • Access:  List
  • GetFlowLogsIntegrationTemplate
    • Description:  Grants permission to generate a CloudFormation template to streamline the integration of VPC flow logs with Amazon Athena
    • Access:  Read
    • Resources:
      • Name: vpc-flow-log (Required: Yes)
    • Conditions:
      • aws:ResourceTag/${TagKey}
      • ec2:Region
      • ec2:ResourceTag/${TagKey}

    Resources
  • replace-root-volume-task
    • Arn:  arn:${Partition}:ec2:${Region}:${Account}:replace-root-volume-task/${ReplaceRootVolumeTaskId}
    • Conditions:
      • aws:RequestTag/${TagKey}
      • aws:ResourceTag/${TagKey}
      • aws:TagKeys
      • ec2:Region
      • ec2:ResourceTag/${TagKey}

Updates

    Actions
  • CreateCarrierGateway
    • Description:
      • Old: Grants permission to create a carrier gateway and provides CSP connectivity to VPC customers.
      • New: Grants permission to create a carrier gateway and provides CSP connectivity to VPC customers
  • CreateSnapshot
    • Conditions:
      • + ec2:OutpostArn
      • + ec2:SourceOutpostArn
  • CreateTags
    • Resources:
      • + replace-root-volume-task
  • DeleteTags
    • Resources:
      • + replace-root-volume-task