ec2:DeleteTags is a Tagging access-level action in the ec2 service. Grants permission to delete one or more tags from Amazon EC2 resources
ARNs that ec2:DeleteTags can be scoped to in an IAM policy.
Keys you can use in the Condition block of a policy that grants ec2:DeleteTags.
Filters access by the initiation time of a snapshot
Filters access by the supported region of the VPC endpoint service
Filters access by the ID of a transit gateway attachment
Filters access by the ID of a transit gateway connect peer
Filters access by the ID of a transit gateway
Filters access by the ID of a metering policy id
Filters access by the ID of a transit gateway multicast domain
Filters access by the ID of a transit gateway policy table
Filters access by the ID of a transit gateway route table announcement
Filters access by the ID of a transit gateway route table
Filters access by a tag key and value pair that is allowed in the request
Filters access by a tag key and value pair of a resource
Filters access by a list of tag keys that are allowed in the request
Filters access by the ARN of an accepter VPC in a VPC peering connection
Filters access by the group being added to a snapshot
Filters access by the account id being added to a snapshot
Filters access by the allocation ID of the Elastic IP address
Filters access by whether the user wants to associate a public IP address with the instance
Filters access by an attribute of a resource
Filters access by an attribute being set on a resource
Filters access by the authentication type for the VPN tunnel endpoints
Filters access by the AWS service that has permission to use a resource
Filters access by an IAM principal that has permission to use a resource
Filters access by the Auto Placement properties of a Dedicated Host
Filters access by the name of an Availability Zone in an AWS Region
Filters access by the ID of an Availability Zone in an AWS Region
Filters access by the ARN of the Capacity Reservation Fleet
Filters access by the ARN of the client root certificate chain
Filters access by the ARN of the CloudWatch Logs log group
Filters access by the ARN of the CloudWatch Logs log stream
Filters access by commitment duration of the Capacity Reservation
Filters access by the state of AMD SEV-SNP CPU Options. Currently, only US East (Ohio) and Europe (Ireland) are supported
Filters access by the date and time at which the Capacity Reservation was created
Filters access by the duration after which DPD timeout occurs on a VPN tunnel
Filters access by the ID of the Capacity Reservation that you want to move capacity into
Filters access by the ID of a dynamic host configuration protocol (DHCP) options set
Filters access by the lifetime in seconds for phase 1 of the IKE negotiations for a VPN tunnel
Filters access by the ARN of the directory
Filters access by the Diffie-Hellman group numbers that are permitted for a VPN tunnel for the phase 2 IKE negotiations
Filters access by the domain of the Elastic IP address
Filters access by the encryption algorithms that are permitted for a VPN tunnel for the phase 2 IKE negotiations
Filters access by whether the instance is enabled for EBS optimization
Filters access by the integrity algorithms that are permitted for a VPN tunnel for the phase 2 IKE negotiations
Filters access by the type of Elastic Graphics accelerator
Filters access by the lifetime in seconds for phase 2 of the IKE negotiations for a VPN tunnel
Filters access by whether the EBS volume is encrypted
Filters access by the ARN of the placement group
Filters access by the date and time at which the Capacity Reservation ends
Filters access by the name of a placement group
Filters access by the way in which the Capacity Reservation ends
Filters access by the instance placement strategy used by the placement group (cluster, spread, or partition)
Filters access by whether the instance is enabled for ephemeral storage
Filters access by the product code that is associated with the AMI
Filters access by whether the image has public launch permissions
Filters access by a public IP address
Filters access by the gateway type for a VPN endpoint on the AWS side of a VPN connection
Filters access by the number of Dedicated Hosts in a request
Filters access by whether host recovery is enabled for a Dedicated Host
Filters access by the name of the AWS Region
Filters access by the internet key exchange (IKE) versions that are permitted for a VPN tunnel
Filters access by the percentage of increase of the rekey window (determined by the rekey margin time) within which the rekey time is randomly selected for a VPN tunnel
Filters access by the ID of an image
Filters access by the margin time before the phase 2 lifetime expires for a VPN tunnel
Filters access by the type of image (machine, aki, or ari)
Filters access by the group being removed from a snapshot
Filters access by the range of inside IP addresses for a VPN tunnel
Filters access by the account id being removed from a snapshot
Filters access by a range of inside IPv6 addresses for a VPN tunnel
Filters access by the number of packets in an IKE replay window
Filters access by whether the instance type supports auto recovery
Filters access by the ARN of a requester VPC in a VPC peering connection
Filters access by the bandwidth weighting of an instance
Filters access by the payment option of the Reserved Instance offering (No Upfront, Partial Upfront, or All Upfront)
Filters access by the number of instances
Filters access by a tag key and value pair of a resource
Filters access by the ID of an instance
Filters access by the market or purchasing option of an instance (capacity-block, on-demand, or spot)
Filters access by the root device type of the instance (ebs or instance-store)
Filters access by the type of instance launches that the Capacity Reservation accepts
Filters access by the ID of a route table
Filters access by whether the instance allows access to instance tags from the instance metadata
Filters access by the routing type for the VPN connection
Filters access by the type of operating system for which the Capacity Reservation reserves capacity
Filters access by the ARN of the IAM SAML identity provider
Filters access by the ARN of an instance profile
Filters access by the ID of a security group
Filters access by the type of instance
Filters access by the ARN of the server certificate
Filters access by the ID of an internet gateway
Filters access by the compliance mode cooling-off period
Filters access by the ID of an interruptible Capacity Reservation
Filters access by the ID of a snapshot
Filters access by the type of interruption
Filters access by the snapshot lock duration
Filters access by the IPAM prefix list resolver target ID that is syncing CIDRs to a managed prefix list
Filters access by the ID of an IPAM pool provided for IPv4 CIDR block allocation
Filters access by the name of the Availability Zone from which the request originated
Filters access by the ID of an IPAM pool provided for IPv6 CIDR block allocation
Filters access by the ID of the Capacity Reservation from which you want to move capacity
Filters access by whether Capacity Reservations are interruptible
Filters access by whether users are able to override resources that are specified in the launch template
Filters access by the ARN of the Outpost from which the request originated
Filters access by the name of a key pair
Filters access by the ARN of the subnet
Filters access by the type of a key pair
Filters access by the ID of a subnet
Filters access by the ID of an AWS KMS key provided in the request
Filters access by the number of instances the interruptible Capacity Reservation is assigned
Filters access by the ARN of a launch template
Filters access by the tenancy of the VPC or instance (default, dedicated, or host)
Filters access by the destination for the snapshot copy
Filters access by the ID of a volume
Filters access by the presence of an EC2 operator provisioning a managed resource
Filters access by the initialization rate of the volume, in MiBps
Filters access by whether the HTTP endpoint is enabled for the instance metadata service
Filters access by the the number of input/output operations per second (IOPS) provisioned for the volume
Filters access by the allowed number of hops when calling the instance metadata service
Filters access by the size of the volume, in GiB
Filters access by whether tokens are required when calling the instance metadata service (optional or required)
Filters access by the throughput of the volume, in MiBps
Filters access by the ID of a network access control list (ACL)
Filters access by the type of volume (gp2, gp3, io1, io2, st1, sc1, or standard)
Filters access by the ID of an elastic network interface
Filters access by the ARN of the VPC
Filters access by the ARN of the instance profile being attached
Filters access by the ID of a virtual private cloud (VPC)
Filters access by the ARN of the Outpost
Filters access by the ID of a VPC peering connection
Filters access by the owner of the resource (amazon, aws-marketplace, or an AWS account ID)
Filters access by multi region of the VPC endpoint service
Filters access by the ARN of the parent snapshot
Filters access by the private DNS preference
Filters access by the ARN of the parent volume from which the snapshot was created
Filters access by the private DNS domains
Filters access by the type of permission for a resource (INSTANCE-ATTACH or EIP-ASSOCIATE)
Filters access by the name of the VPC endpoint service
Filters access by the Diffie-Hellman group numbers that are permitted for a VPN tunnel for the phase 1 IKE negotiations
Filters access by the service owner of the VPC endpoint service (amazon, aws-marketplace, or an AWS account ID)
Filters access by the encryption algorithms that are permitted for a VPN tunnel for the phase 1 IKE negotiations
Filters access by the private DNS name of the VPC endpoint service
Filters access by the integrity algorithms that are permitted for a VPN tunnel for the phase 1 IKE negotiations
Filters access by the region of the VPC endpoint service
A minimal policy that allows ec2:DeleteTags. Replace "Resource": "*" with a specific ARN to follow least privilege.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowEc2DeleteTags",
"Effect": "Allow",
"Action": "ec2:DeleteTags",
"Resource": "*"
}
]
}