Amazon EC2 (ec2)

Additions

Actions

• AssociateVerifiedAccessInstanceWebAcl
  
  • Description:  Grants permission to associate an AWS Web Application Firewall (WAF) web access control list (ACL) with a Verified Access instance
  • Access:  Write
  • Resources: 

    Name: verified-access-instance

    Required: Yes

  • Conditions: 

    aws:ResourceTag/${TagKey}

    ec2:ResourceTag/${TagKey}

    ec2:Region

• DescribeVerifiedAccessInstanceWebAclAssociations
  
  • Description:  Grants permission to describe the AWS Web Application Firewall (WAF) web access control list (ACL) associations for a Verified Access instance
  • Access:  List
  • Conditions: 

    ec2:Region

• DisassociateVerifiedAccessInstanceWebAcl
  
  • Description:  Grants permission to disassociate an AWS Web Application Firewall (WAF) web access control list (ACL) from a Verified Access instance
  • Access:  Write
  • Resources: 

    Name: verified-access-instance

    Required: Yes

  • Conditions: 

    aws:ResourceTag/${TagKey}

    ec2:ResourceTag/${TagKey}

    ec2:Region

• GetVerifiedAccessInstanceWebAcl
  
  • Description:  Grants permission to show the AWS Web Application Firewall (WAF) web access control list (ACL) for a Verified Access instance
  • Access:  List
  • Resources: 

    Name: verified-access-instance

    Required: Yes

  • Conditions: 

    aws:ResourceTag/${TagKey}

    ec2:ResourceTag/${TagKey}

    ec2:Region

• GetVpnTunnelReplacementStatus
  
  • Description:  Grants permission to view available tunnel endpoint maintenance events
  • Access:  List
  • Resources: 

    Name: vpn-connection

    Required: Yes

  • Conditions: 

    aws:ResourceTag/${TagKey}

    ec2:ResourceTag/${TagKey}

    ec2:Region

• ImportByoipCidrToIpam
  
  • Description:  Grants permission to transfer existing BYOIP IPv4 CIDRs to IPAM
  • Access:  Write
  • Resources: 

    Name: ipam-pool

    Required: Yes

  • Conditions: 

    aws:ResourceTag/${TagKey}

    ec2:ResourceTag/${TagKey}

    ec2:Region

• ReplaceVpnTunnel
  
  • Description:  Grants permission to replace a VPN tunnel
  • Access:  Write
  • Resources: 

    Name: vpn-connection

    Required: Yes

  • Conditions: 

    aws:ResourceTag/${TagKey}

    ec2:ResourceTag/${TagKey}

    ec2:Region

Updates

Actions

• CreateCoipPool
  
  Conditions
  
  • ＋ aws:RequestTag/${TagKey}
  • ＋ aws:TagKeys
  Resources
  
  • ＋ coip-pool
• CreateFleet
  
  Conditions
  
  • － ec2:AssociatePublicIpAddress
  • － ec2:AuthorizedService
• CreateNetworkInsightsPath
  
  Conditions
  
  • － ec2:AssociatePublicIpAddress
  • － ec2:AuthorizedService
  Resources
  
  • ＋ vpc-endpoint-service
• CreateTags
  
  Conditions
  
  • － ec2:AssociatePublicIpAddress
  • － ec2:AuthorizedService
  • － ec2:DomainCertificateArn
  • － ec2:LoadBalancerArn
  • － ec2:VpceServicePrivateDnsName
• CreateVerifiedAccessEndpoint
  
  Conditions
  
  • － ec2:DomainCertificateArn
  • － ec2:LoadBalancerArn
  • － ec2:AssociatePublicIpAddress
  • － ec2:AuthorizedService
• DeleteNetworkInterfacePermission
  
  Conditions
  
  • － ec2:AssociatePublicIpAddress
  • － ec2:AuthorizedService
• DeleteSnapshot
  
  Conditions
  
  • － ec2:SourceOutpostArn
• DeleteVerifiedAccessEndpoint
  
  Conditions
  
  • － ec2:DomainCertificateArn
  • － ec2:LoadBalancerArn
• DescribeSnapshotAttribute
  
  Conditions
  
  • － ec2:AvailabilityZone
• DescribeVpcEndpointServicePermissions
  
  Conditions
  
  • ＋ aws:ResourceTag/${TagKey}
  • ＋ ec2:ResourceTag/${TagKey}
  Resources
  
  • ＋ vpc-endpoint-service
• DisassociateNatGatewayAddress
  
  Conditions
  
  • － ec2:AssociatePublicIpAddress
  • － ec2:AuthorizedService
• GetVerifiedAccessEndpointPolicy
  
  Conditions
  
  • － ec2:DomainCertificateArn
  • － ec2:LoadBalancerArn
• ListSnapshotsInRecycleBin
  
  Conditions
  
  • － ec2:AvailabilityZone
• ModifyFleet
  
  Conditions
  
  • － ec2:AssociatePublicIpAddress
  • － ec2:AuthorizedService
• ModifyLocalGatewayRoute
  
  Conditions
  
  • － ec2:AssociatePublicIpAddress
  • － ec2:AuthorizedService
• ModifySnapshotTier
  
  Conditions
  
  • － ec2:AvailabilityZone
• ModifyVerifiedAccessEndpoint
  
  Conditions
  
  • － ec2:DomainCertificateArn
  • － ec2:LoadBalancerArn
• ModifyVerifiedAccessEndpointPolicy
  
  Conditions
  
  • － ec2:DomainCertificateArn
  • － ec2:LoadBalancerArn
• ReplaceRouteTableAssociation
  
  Conditions
  
  • ＋ ec2:InternetGatewayID
  Resources
  
  • ＋ internet-gateway
• RequestSpotInstances
  
  Conditions
  
  • － ec2:AssociatePublicIpAddress
  • － ec2:AuthorizedService
• RestoreSnapshotFromRecycleBin
  
  Conditions
  
  • － ec2:AvailabilityZone
• RestoreSnapshotTier
  
  Conditions
  
  • － ec2:AvailabilityZone
• CreateVpcEndpointConnectionNotification
  
  Resources
  
  • ＋ vpc-endpoint-service

Resources

• verified-access-endpoint
  
  Conditions
  
  • － ec2:DomainCertificateArn
  • － ec2:LoadBalancerArn

Deletions

Conditions

• ec2:DomainCertificateArn
  
  • Description:  Filters access by the ARN of an Amazon Certificate Manager certificate
  • Type:  ARN
• ec2:LoadBalancerArn
  
  • Description:  Filters access by the ARN of an Elastic Load Balancer
  • Type:  ARN