| ec2:AcceptTransitGatewayMulticastDomainAssociations | Admin |
| ec2:AcceptTransitGatewayPeeringAttachment | Admin |
| ec2:AcceptTransitGatewayVpcAttachment | Admin |
| ec2:AdvertiseByoipCidr | Admin |
| ec2:AllocateAddress | Admin |
| ec2:AllocateIpamPoolCidr | Admin |
| ec2:ApplySecurityGroupsToClientVpnTargetNetwork | Admin |
| ec2:AssociateAddress | Admin |
| ec2:AssociateClientVpnTargetNetwork | Admin |
| ec2:AssociateTransitGatewayMulticastDomain | Admin |
| ec2:AssociateTransitGatewayRouteTable | Admin |
| ec2:AttachClassicLinkVpc | Admin |
| ec2:AuthorizeClientVpnIngress | Admin |
| ec2:CreateCarrierGateway | Admin |
| ec2:CreateClientVpnEndpoint | Admin |
| ec2:CreateClientVpnRoute | Admin |
| ec2:CreateIpam | Admin |
| ec2:CreateIpamPool | Admin |
| ec2:CreateIpamScope | Admin |
| ec2:CreateLocalGatewayRoute | Admin |
| ec2:CreateLocalGatewayRouteTableVpcAssociation | Admin |
| ec2:CreateNetworkInsightsPath | Admin |
| ec2:CreateNetworkInsightsAccessScope | Admin |
| ec2:CreatePublicIpv4Pool | Admin |
| ec2:CreateSubnetCidrReservation | Admin |
| ec2:CreateTrafficMirrorFilter | Admin |
| ec2:CreateTrafficMirrorFilterRule | Admin |
| ec2:CreateTrafficMirrorSession | Admin |
| ec2:CreateTrafficMirrorTarget | Admin |
| ec2:CreateTransitGateway | Admin |
| ec2:CreateTransitGatewayConnect | Admin |
| ec2:CreateTransitGatewayConnectPeer | Admin |
| ec2:CreateTransitGatewayMulticastDomain | Admin |
| ec2:CreateTransitGatewayPeeringAttachment | Admin |
| ec2:CreateTransitGatewayPrefixListReference | Admin |
| ec2:CreateTransitGatewayRoute | Admin |
| ec2:CreateTransitGatewayRouteTable | Admin |
| ec2:CreateTransitGatewayVpcAttachment | Admin |
| ec2:CreateTransitGatewayVpcAttachment | Admin |
| ec2:DeleteCarrierGateway | Admin |
| ec2:DeleteClientVpnEndpoint | Admin |
| ec2:DeleteClientVpnRoute | Admin |
| ec2:DeleteIpam | Admin |
| ec2:DeleteIpamPool | Admin |
| ec2:DeleteIpamScope | Admin |
| ec2:DeleteLocalGatewayRoute | Admin |
| ec2:DeleteLocalGatewayRouteTableVpcAssociation | Admin |
| ec2:DeleteNetworkInsightsAnalysis | Admin |
| ec2:DeleteNetworkInsightsAccessScope | Admin |
| ec2:DeleteNetworkInsightsAccessScopeAnalysis | Admin |
| ec2:DeleteNetworkInsightsPath | Admin |
| ec2:DeletePublicIpv4Pool | Admin |
| ec2:DeleteSubnetCidrReservation | Admin |
| ec2:DeleteTrafficMirrorFilter | Admin |
| ec2:DeleteTrafficMirrorFilterRule | Admin |
| ec2:DeleteTrafficMirrorSession | Admin |
| ec2:DeleteTrafficMirrorTarget | Admin |
| ec2:DeleteTransitGateway | Admin |
| ec2:DeleteTransitGatewayConnect | Admin |
| ec2:DeleteTransitGatewayConnectPeer | Admin |
| ec2:DeleteTransitGatewayMulticastDomain | Admin |
| ec2:DeleteTransitGatewayPeeringAttachment | Admin |
| ec2:DeleteTransitGatewayPrefixListReference | Admin |
| ec2:DeleteTransitGatewayRoute | Admin |
| ec2:DeleteTransitGatewayRouteTable | Admin |
| ec2:DeleteTransitGatewayVpcAttachment | Admin |
| ec2:DeleteTransitGatewayVpcAttachment | Admin |
| ec2:DeprovisionByoipCidr | Admin |
| ec2:DeprovisionIpamPoolCidr | Admin |
| ec2:DeprovisionPublicIpv4PoolCidr | Admin |
| ec2:DeregisterTransitGatewayMulticastGroupMembers | Admin |
| ec2:DeregisterTransitGatewayMulticastGroupSources | Admin |
| ec2:DisableIpamOrganizationAdminAccount | Admin |
| ec2:DisableTransitGatewayRouteTablePropagation | Admin |
| ec2:DisassociateAddress | Admin |
| ec2:DisassociateClientVpnTargetNetwork | Admin |
| ec2:DisassociateTransitGatewayRouteTable | Admin |
| ec2:DisassociateTransitGatewayMulticastDomain | Admin |
| ec2:EnableIpamOrganizationAdminAccount | Admin |
| ec2:EnableTransitGatewayRouteTablePropagation | Admin |
| ec2:ExportClientVpnClientCertificateRevocationList | Admin |
| ec2:ExportClientVpnClientConfiguration | Admin |
| ec2:ExportTransitGatewayRoutes | Admin |
| ec2:ImportClientVpnClientCertificateRevocationList | Admin |
| ec2:ModifyAddressAttribute | Admin |
| ec2:ModifyCapacityReservation | Admin |
| ec2:ModifyClientVpnEndpoint | Admin |
| ec2:ModifyIpam | Admin |
| ec2:ModifyIpamPool | Admin |
| ec2:ModifyIpamResourceCidr | Admin |
| ec2:ModifyIpamScope | Admin |
| ec2:ModifyManagedPrefixList | Admin |
| ec2:ModifyTrafficMirrorFilterNetworkServices | Admin |
| ec2:ModifyTrafficMirrorFilterRule | Admin |
| ec2:ModifyTrafficMirrorSession | Admin |
| ec2:ModifyTransitGateway | Admin |
| ec2:ModifyTransitGatewayPrefixListReference | Admin |
| ec2:ModifyTransitGatewayVpcAttachment | Admin |
| ec2:ModifyVpnConnection | Admin |
| ec2:ModifyVpnConnection | Admin |
| ec2:ModifyVpnConnectionOptions | Admin |
| ec2:ModifyVpnTunnelCertificate | Admin |
| ec2:ModifyVpnTunnelOptions | Admin |
| ec2:MoveByoipCidrToIpam | Admin |
| ec2:ProvisionByoipCidr | Admin |
| ec2:ProvisionIpamPoolCidr | Admin |
| ec2:ProvisionPublicIpv4PoolCidr | Admin |
| ec2:RegisterTransitGatewayMulticastGroupMembers | Admin |
| ec2:RegisterTransitGatewayMulticastGroupSources | Admin |
| ec2:RejectTransitGatewayMulticastDomainAssociations | Admin |
| ec2:RejectTransitGatewayPeeringAttachment | Admin |
| ec2:RejectTransitGatewayVpcAttachment | Admin |
| ec2:ReleaseAddress | Admin |
| ec2:ReleaseIpamPoolAllocation | Admin |
| ec2:ReplaceTransitGatewayRoute | Admin |
| ec2:ResetAddressAttribute | Admin |
| ec2:RestoreManagedPrefixListVersion | Admin |
| ec2:RevokeClientVpnIngress | Admin |
| ec2:StartNetworkInsightsAnalysis | Admin |
| ec2:StartNetworkInsightsAccessScopeAnalysis | Admin |
| ec2:StartVpcEndpointServicePrivateDnsVerification | Admin |
| ec2:TerminateClientVpnConnections | Admin |
| ec2:WithdrawByoipCidr | Admin |
| tiros:CreateQuery | Admin |
| ec2:CreateTags | Operator |
| ec2:DeleteTags | Operator |
| acm:ListCertificates | Metadata |
| ec2:DescribeAddresses | Metadata |
| ec2:DescribeAggregateIdFormat | Metadata |
| ec2:DescribeByoipCidrs | Metadata |
| ec2:DescribeClientVpnAuthorizationRules | Metadata |
| ec2:DescribeClientVpnConnections | Metadata |
| ec2:DescribeClientVpnEndpoints | Metadata |
| ec2:DescribeClientVpnRoutes | Metadata |
| ec2:DescribeClientVpnTargetNetworks | Metadata |
| ec2:DescribeCoipPools | Metadata |
| ec2:DescribeCustomerGateways | Metadata |
| ec2:DescribeDhcpOptions | Metadata |
| ec2:DescribeEgressOnlyInternetGateways | Metadata |
| ec2:DescribeFlowLogs | Metadata |
| ec2:DescribeInternetGateways | Metadata |
| ec2:DescribeIpamPools | Metadata |
| ec2:DescribeIpamScopes | Metadata |
| ec2:DescribeIpams | Metadata |
| ec2:DescribeIpv6Pools | Metadata |
| ec2:DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations | Metadata |
| ec2:DescribeLocalGatewayRouteTableVpcAssociations | Metadata |
| ec2:DescribeLocalGatewayRouteTables | Metadata |
| ec2:DescribeLocalGatewayVirtualInterfaceGroups | Metadata |
| ec2:DescribeLocalGatewayVirtualInterfaces | Metadata |
| ec2:DescribeLocalGateways | Metadata |
| ec2:DescribeManagedPrefixLists | Metadata |
| ec2:DescribeMovingAddresses | Metadata |
| ec2:DescribeNatGateways | Metadata |
| ec2:DescribeNetworkAcls | Metadata |
| ec2:DescribeNetworkInsightsAccessScopeAnalyses | Metadata |
| ec2:DescribeNetworkInsightsAccessScopes | Metadata |
| ec2:DescribeNetworkInsightsAnalyses | Metadata |
| ec2:DescribeNetworkInsightsPaths | Metadata |
| ec2:DescribeNetworkInterfaces | Metadata |
| ec2:DescribePrefixLists | Metadata |
| ec2:DescribePrincipalIdFormat | Metadata |
| ec2:DescribePublicIpv4Pools | Metadata |
| ec2:DescribeRouteTables | Metadata |
| ec2:DescribeSecurityGroupReferences | Metadata |
| ec2:DescribeSecurityGroupRules | Metadata |
| ec2:DescribeSecurityGroups | Metadata |
| ec2:DescribeStaleSecurityGroups | Metadata |
| ec2:DescribeSubnets | Metadata |
| ec2:DescribeTags | Metadata |
| ec2:DescribeTrafficMirrorFilters | Metadata |
| ec2:DescribeTrafficMirrorSessions | Metadata |
| ec2:DescribeTrafficMirrorTargets | Metadata |
| ec2:DescribeTransitGatewayAttachments | Metadata |
| ec2:DescribeTransitGatewayConnectPeers | Metadata |
| ec2:DescribeTransitGatewayConnects | Metadata |
| ec2:DescribeTransitGatewayMulticastDomains | Metadata |
| ec2:DescribeTransitGatewayPeeringAttachments | Metadata |
| ec2:DescribeTransitGatewayRouteTables | Metadata |
| ec2:DescribeTransitGatewayVpcAttachments | Metadata |
| ec2:DescribeTransitGateways | Metadata |
| ec2:DescribeTrunkInterfaceAssociations | Metadata |
| ec2:DescribeVpcAttribute | Metadata |
| ec2:DescribeVpcClassicLink | Metadata |
| ec2:DescribeVpcClassicLinkDnsSupport | Metadata |
| ec2:DescribeVpcEndpointConnectionNotifications | Metadata |
| ec2:DescribeVpcEndpointConnections | Metadata |
| ec2:DescribeVpcEndpointServiceConfigurations | Metadata |
| ec2:DescribeVpcEndpointServicePermissions | Metadata |
| ec2:DescribeVpcEndpointServices | Metadata |
| ec2:DescribeVpcEndpoints | Metadata |
| ec2:DescribeVpcPeeringConnection | Metadata |
| ec2:DescribeVpcPeeringConnections | Metadata |
| ec2:DescribeVpcs | Metadata |
| ec2:DescribeVpnConnections | Metadata |
| ec2:DescribeVpnGateways | Metadata |
| ec2:GetAssociatedIpv6PoolCidrs | Metadata |
| ec2:GetCapacityReservationUsage | Metadata |
| ec2:GetCoipPoolUsage | Metadata |
| ec2:GetFlowLogsIntegrationTemplate | Metadata |
| ec2:GetIpamAddressHistory | Metadata |
| ec2:GetIpamPoolAllocations | Metadata |
| ec2:GetIpamPoolCidrs | Metadata |
| ec2:GetIpamResourceCidrs | Metadata |
| ec2:GetManagedPrefixListAssociations | Metadata |
| ec2:GetManagedPrefixListEntries | Metadata |
| ec2:GetNetworkInsightsAccessScopeAnalysisFindings | Metadata |
| ec2:GetNetworkInsightsAccessScopeContent | Metadata |
| ec2:GetSubnetCidrReservations | Metadata |
| ec2:GetTransitGatewayAttachmentPropagations | Metadata |
| ec2:GetTransitGatewayMulticastDomainAssociations | Metadata |
| ec2:GetTransitGatewayPrefixListReferences | Metadata |
| ec2:GetTransitGatewayRouteTableAssociations | Metadata |
| ec2:GetTransitGatewayRouteTablePropagations | Metadata |
| ec2:GetVpnConnectionDeviceSampleConfiguration | Metadata |
| ec2:GetVpnConnectionDeviceTypes | Metadata |
| ec2:SearchLocalGatewayRoutes | Metadata |
| ec2:SearchTransitGatewayMulticastGroups | Metadata |
| ec2:SearchTransitGatewayRoutes | Metadata |
| elasticloadbalancing:DescribeLoadBalancers | Metadata |
| logs:DescribeLogGroups | Metadata |
| logs:DescribeLogStreams | Metadata |
| ram:GetResourceShareAssociations | Metadata |
| tiros:GetQueryAnswer | Metadata |
| tiros:GetQueryExplanation | Metadata |
