ec2:RunInstances
Literal appearances in AWS managed IAM policies. Statements that use wildcards (for example s3:*) are not counted here. This is not an IAM authorization simulation.
Policies (any)
65
Allow (Action)
62
Deny (Action)
6
NotAction
1
Index generated 4/7/2026, 3:29:24 AM. 559 policies include at least one wildcard action string (any service).
Action reference
SAR-style (unofficial)Service: Amazon EC2
Access level
WriteDescription
Grants permission to launch one or more instances
Resource types
- image*
- instance*
- network-interface*
- security-group*
- subnet*
- capacity-reservation
- elastic-gpu
- elastic-inference
- group
- key-pair
- launch-template
- license-configuration
- placement-group
- secondary-subnet
- snapshot
- volume
Dependent actions
- ec2:CreateTags
- iam:PassRole
- ssm:GetParameters
Allow (Action)
- AWSApplicationMigrationEC2Access
- AWSApplicationMigrationServiceRolePolicy
- AWSBackupServiceRolePolicyForRestores
- AWSBatchServiceRole
- AWSCloud9ServiceRolePolicy
- AWSConnector
- AWSDataPipelineRole
- AWSEC2FleetServiceRolePolicy
- AWSEC2SpotFleetServiceRolePolicy
- AWSEC2SpotServiceRolePolicy
- AWSElasticBeanstalkCustomPlatformforEC2Role
- AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy
- AWSElasticBeanstalkManagedUpdatesServiceRolePolicy
- AWSElasticBeanstalkRoleCore
- AWSElasticBeanstalkService
- AWSElasticDisasterRecoveryConsoleFullAccess
- AWSElasticDisasterRecoveryConsoleFullAccess_v2
- AWSElasticDisasterRecoveryServiceRolePolicy
- AWSGlueConsoleFullAccess
- AWSGlueConsoleSageMakerNotebookFullAccess
- AWSIoTDeviceTesterForFreeRTOSFullAccess
- AWSLambdaManagedEC2ResourceOperator
- AWSMarketplaceFullAccess
- AWSMarketplaceImageBuildFullAccess
- AWSOpsWorksCMServiceRole
- AWSPCSServiceRolePolicy
- AWSServiceRoleForAmazonEKSNodegroup
- AWSServiceRoleForGammaInternalAmazonEKSNodegroup
- AWSServiceRoleForImageBuilder
- AWSServiceRoleForSMS
- AWSThinkboxAWSPortalAdminPolicy
- AWSThinkboxDeadlineSpotEventPluginAdminPolicy
- AWSTransformApplicationDeploymentPolicy
- AdministratorAccess-AWSElasticBeanstalk
- AmazonApplicationWizardFullaccess
- AmazonDynamoDBFullAccesswithDataPipeline
- AmazonEC2SpotFleetTaggingRole
- AmazonECSInfrastructureRolePolicyForManagedInstances
- AmazonECS_FullAccess
- AmazonEKSComputePolicy
- AmazonEKSLocalOutpostServiceRolePolicy
- AmazonEMRServicePolicy_v2
- AmazonElasticMapReduceFullAccess
- AmazonElasticMapReduceRole
- AmazonLaunchWizardFullAccessV2
- AmazonLaunchWizardFullaccess
- AmazonLaunchWizard_Fullaccess
- AmazonRDSCustomPreviewServiceRolePolicy
- AmazonRDSCustomServiceRolePolicy
- AmazonSSMAutomationRole
- AutoScalingServiceRolePolicy
- BatchServiceRolePolicy
- DataScientist
- EC2FastLaunchFullAccess
- EC2FastLaunchServiceRolePolicy
- EC2FleetTimeShiftableServiceRolePolicy
- ROSAInstallerPolicy
- ROSANodePoolManagementPolicy
- SageMakerStudioEMRServiceRolePolicy
- SageMakerStudioProjectUserRolePermissionsBoundary
- ServerMigrationServiceLaunchRole
- SystemAdministrator
Deny (Action)
Thanks to Ian McKay for iam-dataset (MIT), structured data derived from the AWS Service Authorization Reference. Not maintained by AWS and not guaranteed current. IAMTrail's managed policy archive is separate.
Definitions bundle generated 4/7/2026, 3:29:24 AM