AWS Security ChangesHomeSearch

AWS AWSEC2 documentation change

Service: AWSEC2 · 2025-07-25 · Documentation low

File: AWSEC2/latest/UserGuide/ExamplePolicies_EC2.md

Summary

Updated example IAM policies to use concrete account ID '111122223333' and region 'us-east-1' instead of placeholders. Standardized formatting of ARNs and region references.

Security assessment

Changes primarily replace placeholder values (account-id, region) with concrete examples. While proper resource ARN specification is a security best practice, this appears to be routine documentation standardization rather than addressing a specific security vulnerability. No evidence of patching a security flaw or introducing new security controls.

Diff

diff --git a/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.md b/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.md
index fdf6d7814..4df0355db 100644
--- a//AWSEC2/latest/UserGuide/ExamplePolicies_EC2.md
+++ b//AWSEC2/latest/UserGuide/ExamplePolicies_EC2.md
@@ -145 +145 @@ The users don't have permission to use any other API actions (unless another sta
-The following policy allows users to describe all instances, to start and stop only instances i-1234567890abcdef0 and i-0598c7d356eba48d7, and to terminate only instances in the US East (N. Virginia) Region (`us-east-1`) with the resource tag "`purpose=test`". 
+The following policy allows users to describe all instances, to start and stop only instances i-1234567890abcdef0 and i-0598c7d356eba48d7, and to terminate only instances in the `us-east-1` Region, with the resource tag "`purpose=test`". 
@@ -151 +151 @@ The second statement uses resource-level permissions for the `StopInstances` and
-The third statement allows users to terminate all instances in the US East (N. Virginia) Region (`us-east-1`) that belong to the specified AWS account, but only where the instance has the tag `"purpose=test"`. The `Condition` element qualifies when the policy statement is in effect. 
+The third statement allows users to terminate all instances in the `us-east-1` Region that belong to the specified AWS account, but only where the instance has the tag `"purpose=test"`. The `Condition` element qualifies when the policy statement is in effect. 
@@ -169,2 +169,2 @@ The third statement allows users to terminate all instances in the US East (N. V
-            "arn:aws:ec2:us-east-1:account-id:instance/i-1234567890abcdef0",
-            "arn:aws:ec2:us-east-1:account-id:instance/i-0598c7d356eba48d7"
+            "arn:aws:ec2:us-east-1:111122223333:instance/i-1234567890abcdef0",
+            "arn:aws:ec2:us-east-1:111122223333:instance/i-0598c7d356eba48d7"
@@ -176 +176 @@ The third statement allows users to terminate all instances in the US East (N. V
-          "Resource": "arn:aws:ec2:us-east-1:account-id:instance/*",
+          "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
@@ -228,8 +228,8 @@ The following policy allows users to launch instances using only the specified A
-            "arn:aws:ec2:region::image/ami-9e1670f7",
-            "arn:aws:ec2:region::image/ami-45cf5c3c",
-            "arn:aws:ec2:region:account-id:instance/*",
-            "arn:aws:ec2:region:account-id:volume/*",
-            "arn:aws:ec2:region:account-id:key-pair/*",
-            "arn:aws:ec2:region:account-id:security-group/*",
-            "arn:aws:ec2:region:account-id:subnet/*",
-            "arn:aws:ec2:region:account-id:network-interface/*"
+            "arn:aws:ec2:us-east-1::image/ami-9e1670f7",
+            "arn:aws:ec2:us-east-1::image/ami-45cf5c3c",
+            "arn:aws:ec2:us-east-1:111122223333:instance/*",
+            "arn:aws:ec2:us-east-1:111122223333:volume/*",
+            "arn:aws:ec2:us-east-1:111122223333:key-pair/*",
+            "arn:aws:ec2:us-east-1:111122223333:security-group/*",
+            "arn:aws:ec2:us-east-1:111122223333:subnet/*",
+            "arn:aws:ec2:us-east-1:111122223333:network-interface/*"
@@ -251 +251 @@ Alternatively, the following policy allows users to launch instances from all AM
-             "arn:aws:ec2:region::image/ami-*"
+             "arn:aws:ec2:us-east-1::image/ami-*"
@@ -263,6 +263,6 @@ Alternatively, the following policy allows users to launch instances from all AM
-             "arn:aws:ec2:region:account-id:instance/*",
-             "arn:aws:ec2:region:account-id:subnet/*",
-             "arn:aws:ec2:region:account-id:volume/*",
-             "arn:aws:ec2:region:account-id:network-interface/*",
-             "arn:aws:ec2:region:account-id:key-pair/*",
-             "arn:aws:ec2:region:account-id:security-group/*"
+             "arn:aws:ec2:us-east-1:111122223333:instance/*",
+             "arn:aws:ec2:us-east-1:111122223333:subnet/*",
+             "arn:aws:ec2:us-east-1:111122223333:volume/*",
+             "arn:aws:ec2:us-east-1:111122223333:network-interface/*",
+             "arn:aws:ec2:us-east-1:111122223333:key-pair/*",
+             "arn:aws:ec2:us-east-1:111122223333:security-group/*"
@@ -286 +286 @@ The following policy allows users to launch instances using only the `t2.micro`
-             "arn:aws:ec2:region:account-id:instance/*"
+             "arn:aws:ec2:us-east-1:111122223333:instance/*"
@@ -298,6 +298,6 @@ The following policy allows users to launch instances using only the `t2.micro`
-             "arn:aws:ec2:region::image/ami-*",
-             "arn:aws:ec2:region:account-id:subnet/*",
-             "arn:aws:ec2:region:account-id:network-interface/*",
-             "arn:aws:ec2:region:account-id:volume/*",
-             "arn:aws:ec2:region:account-id:key-pair/*",
-             "arn:aws:ec2:region:account-id:security-group/*"
+             "arn:aws:ec2:us-east-1::image/ami-*",
+             "arn:aws:ec2:us-east-1:111122223333:subnet/*",
+             "arn:aws:ec2:us-east-1:111122223333:network-interface/*",
+             "arn:aws:ec2:us-east-1:111122223333:volume/*",
+             "arn:aws:ec2:us-east-1:111122223333:key-pair/*",
+             "arn:aws:ec2:us-east-1:111122223333:security-group/*"
@@ -319 +319 @@ Alternatively, you can create a policy that denies users permissions to launch a
-             "arn:aws:ec2:region:account-id:instance/*"
+             "arn:aws:ec2:us-east-1:111122223333:instance/*"
@@ -331,7 +331,7 @@ Alternatively, you can create a policy that denies users permissions to launch a
-             "arn:aws:ec2:region::image/ami-*",
-             "arn:aws:ec2:region:account-id:network-interface/*",
-             "arn:aws:ec2:region:account-id:instance/*",
-             "arn:aws:ec2:region:account-id:subnet/*",
-             "arn:aws:ec2:region:account-id:volume/*",
-             "arn:aws:ec2:region:account-id:key-pair/*",
-             "arn:aws:ec2:region:account-id:security-group/*"
+             "arn:aws:ec2:us-east-1::image/ami-*",
+             "arn:aws:ec2:us-east-1:111122223333:network-interface/*",
+             "arn:aws:ec2:us-east-1:111122223333:instance/*",
+             "arn:aws:ec2:us-east-1:111122223333:subnet/*",
+             "arn:aws:ec2:us-east-1:111122223333:volume/*",
+             "arn:aws:ec2:us-east-1:111122223333:key-pair/*",
+             "arn:aws:ec2:us-east-1:111122223333:security-group/*"
@@ -355,7 +355,7 @@ The following policy allows users to launch instances using only the specified s
-            "arn:aws:ec2:region:account-id:subnet/subnet-12345678",
-            "arn:aws:ec2:region:account-id:network-interface/*",
-            "arn:aws:ec2:region:account-id:instance/*",
-            "arn:aws:ec2:region:account-id:volume/*",
-            "arn:aws:ec2:region::image/ami-*",
-            "arn:aws:ec2:region:account-id:key-pair/*",
-            "arn:aws:ec2:region:account-id:security-group/*"
+            "arn:aws:ec2:us-east-1:111122223333:subnet/subnet-12345678",
+            "arn:aws:ec2:us-east-1:111122223333:network-interface/*",
+            "arn:aws:ec2:us-east-1:111122223333:instance/*",
+            "arn:aws:ec2:us-east-1:111122223333:volume/*",
+            "arn:aws:ec2:us-east-1::image/ami-*",
+            "arn:aws:ec2:us-east-1:111122223333:key-pair/*",
+            "arn:aws:ec2:us-east-1:111122223333:security-group/*"
@@ -377 +377 @@ Alternatively, you could create a policy that denies users permissions to launch
-             "arn:aws:ec2:region:account-id:network-interface/*"
+             "arn:aws:ec2:us-east-1:111122223333:network-interface/*"
@@ -381 +381 @@ Alternatively, you could create a policy that denies users permissions to launch
-                "ec2:Subnet": "arn:aws:ec2:region:account-id:subnet/subnet-12345678"
+                "ec2:Subnet": "arn:aws:ec2:us-east-1:111122223333:subnet/subnet-12345678"
@@ -389,7 +389,7 @@ Alternatively, you could create a policy that denies users permissions to launch
-             "arn:aws:ec2:region::image/ami-*",
-             "arn:aws:ec2:region:account-id:network-interface/*",
-             "arn:aws:ec2:region:account-id:instance/*",
-             "arn:aws:ec2:region:account-id:subnet/*",
-             "arn:aws:ec2:region:account-id:volume/*",
-             "arn:aws:ec2:region:account-id:key-pair/*",
-             "arn:aws:ec2:region:account-id:security-group/*"
+             "arn:aws:ec2:us-east-1::image/ami-*",
+             "arn:aws:ec2:us-east-1:111122223333:network-interface/*",
+             "arn:aws:ec2:us-east-1:111122223333:instance/*",
+             "arn:aws:ec2:us-east-1:111122223333:subnet/*",
+             "arn:aws:ec2:us-east-1:111122223333:volume/*",
+             "arn:aws:ec2:us-east-1:111122223333:key-pair/*",
+             "arn:aws:ec2:us-east-1:111122223333:security-group/*"
@@ -460 +460 @@ For more information, see [Grant permission to tag Amazon EC2 resources during c
-          "Resource": "arn:aws:ec2:us-east-1:account-id:instance/*",
+          "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
@@ -484,5 +484,5 @@ The following policy includes the `aws:RequestTag` condition key that requires u
-             "arn:aws:ec2:region::image/*",
-             "arn:aws:ec2:region:account-id:subnet/*",
-             "arn:aws:ec2:region:account-id:network-interface/*",
-             "arn:aws:ec2:region:account-id:security-group/*",
-             "arn:aws:ec2:region:account-id:key-pair/*"
+             "arn:aws:ec2:us-east-1::image/*",
+             "arn:aws:ec2:us-east-1:111122223333:subnet/*",
+             "arn:aws:ec2:us-east-1:111122223333:network-interface/*",
+             "arn:aws:ec2:us-east-1:111122223333:security-group/*",
+             "arn:aws:ec2:us-east-1:111122223333:key-pair/*"
@@ -497,2 +497,2 @@ The following policy includes the `aws:RequestTag` condition key that requires u
-              "arn:aws:ec2:region:account-id:volume/*",
-              "arn:aws:ec2:region:account-id:instance/*"
+              "arn:aws:ec2:us-east-1:111122223333:volume/*",
+              "arn:aws:ec2:us-east-1:111122223333:instance/*"
@@ -512 +512 @@ The following policy includes the `aws:RequestTag` condition key that requires u
-          "Resource": "arn:aws:ec2:region:account-id:*/*",
+          "Resource": "arn:aws:ec2:us-east-1:111122223333:*/*",
@@ -536,5 +536,5 @@ The following policy uses the `ForAnyValue` modifier on the `aws:TagKeys` condit
-             "arn:aws:ec2:region::image/*",
-             "arn:aws:ec2:region:account-id:subnet/*",
-             "arn:aws:ec2:region:account-id:network-interface/*",
-             "arn:aws:ec2:region:account-id:security-group/*",
-             "arn:aws:ec2:region:account-id:key-pair/*"
+             "arn:aws:ec2:us-east-1::image/*",
+             "arn:aws:ec2:us-east-1:111122223333:subnet/*",
+             "arn:aws:ec2:us-east-1:111122223333:network-interface/*",
+             "arn:aws:ec2:us-east-1:111122223333:security-group/*",
+             "arn:aws:ec2:us-east-1:111122223333:key-pair/*"
@@ -549,2 +549,2 @@ The following policy uses the `ForAnyValue` modifier on the `aws:TagKeys` condit
-              "arn:aws:ec2:region:account-id:volume/*",
-              "arn:aws:ec2:region:account-id:instance/*"
+              "arn:aws:ec2:us-east-1:111122223333:volume/*",
+              "arn:aws:ec2:us-east-1:111122223333:instance/*"
@@ -563 +563 @@ The following policy uses the `ForAnyValue` modifier on the `aws:TagKeys` condit
-          "Resource": "arn:aws:ec2:region:account-id:*/*",
+          "Resource": "arn:aws:ec2:us-east-1:111122223333:*/*",
@@ -593 +593 @@ In the following policy, users do not have to specify tags in the request, but i
-          "Resource": "arn:aws:ec2:region:account-id:*/*",
+          "Resource": "arn:aws:ec2:us-east-1:111122223333:*/*",
@@ -631 +630,0 @@ To disallow anyone called tag on create for RunInstances
-                "Sid": "VisualEditor0",
@@ -662 +660,0 @@ Only allow specific tags for spot-instances-request. Surprise inconsistency numb
-                "Sid": "VisualEditor0",
@@ -689 +687 @@ In the following example, users can launch instances, but only if they use a spe
-                 "ec2:LaunchTemplate": "arn:aws:ec2:region:account-id:launch-template/lt-09477bcd97b0d310e" 
+                 "ec2:LaunchTemplate": "arn:aws:ec2:us-east-1:111122223333:launch-template/lt-09477bcd97b0d310e" 
@@ -701 +699 @@ In the following example, users can launch instances, but only if they use a spe
-          "Resource": "arn:aws:ec2:region:account-id:instance/*",
+          "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
@@ -727 +725 @@ The `ec2:ElasticGpuType` condition key ensures that instances use either the `eg
-                    "arn:aws:ec2:*:account-id:elastic-gpu/*"
+                    "arn:aws:ec2:*:111122223333:elastic-gpu/*"
@@ -744,6 +742,6 @@ The `ec2:ElasticGpuType` condition key ensures that instances use either the `eg
-                    "arn:aws:ec2:*:account-id:network-interface/*",
-                    "arn:aws:ec2:*:account-id:instance/*",
-                    "arn:aws:ec2:*:account-id:subnet/*",
-                    "arn:aws:ec2:*:account-id:volume/*",
-                    "arn:aws:ec2:*:account-id:key-pair/*",
-                    "arn:aws:ec2:*:account-id:security-group/*"
+                    "arn:aws:ec2:*:111122223333:network-interface/*",
+                    "arn:aws:ec2:*:111122223333:instance/*",
+                    "arn:aws:ec2:*:111122223333:subnet/*",
+                    "arn:aws:ec2:*:111122223333:volume/*",
+                    "arn:aws:ec2:*:111122223333:key-pair/*",
+                    "arn:aws:ec2:*:111122223333:security-group/*"
@@ -769 +767 @@ In the following example, users can launch instances, but only if they use a spe
-                 "ec2:LaunchTemplate": "arn:aws:ec2:region:account-id:launch-template/lt-09477bcd97b0d310e" 
+                 "ec2:LaunchTemplate": "arn:aws:ec2:us-east-1:111122223333:launch-template/lt-09477bcd97b0d310e" 
@@ -788 +786 @@ In this example, users can launch instances only if they use a launch template.
-                 "ec2:LaunchTemplate": "arn:aws:ec2:region:account-id:launch-template/*" 
+                 "ec2:LaunchTemplate": "arn:aws:ec2:us-east-1:111122223333:launch-template/*" 
@@ -807,2 +805,2 @@ The following example policy allows user to launch instances, but only if they u
-          "NotResource": ["arn:aws:ec2:region:account-id:subnet/*",
-                          "arn:aws:ec2:region:account-id:network-interface/*" ],