diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5055ff9..c03df1a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -81,3 +81,7 @@
 - created policies
 - policies/sc-readonly
 - included AWSSupportAccess in this policy
+
+* 1.6.1 -- 2026-03-25
+ - policies/sc-servicecatalog-t2
+ - granted select ec2 permissions
diff --git a/common/version.tf b/common/version.tf
index 2cc7061..78e6e8d 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "1.6.0"
+ _module_version = "1.6.1"
 }
diff --git a/policies/sc-servicecatalog-t2/policy.tf b/policies/sc-servicecatalog-t2/policy.tf
index 425ab7f..77c67fb 100644
--- a/policies/sc-servicecatalog-t2/policy.tf
+++ b/policies/sc-servicecatalog-t2/policy.tf
@@ -10,4 +10,26 @@ data "aws_iam_policy_document" "inline" {
 ]
 resources = ["*"]
 }
+ statement {
+ sid = "EC2Actions"
+ effect = "Allow"
+ actions = [
+ "ec2:StopInstances",
+ "ec2:StartInstances",
+ "ec2:RunInstances",
+ "ec2:RebootInstances",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:DescribeVolumesModifications",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeVolumeStatus",
+ "ec2:DescribeVolumeAttribute",
+ "ec2:DescribeTags",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSecurityGroupRules",
+ "ec2:AssociateSecurityGroupVpc",
+ "ec2:GetSecurityGroupsForVpc",
+ ]
+ resources = ["*"]
+ }
 }
+
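Review bot: The new `EC2Actions` statement in policies/sc-servicecatalog-t2/policy.tf puts the mutating actions (`ec2:RunInstances`, `ec2:StopInstances`, `ec2:StartInstances`, `ec2:RebootInstances`, `ec2:ModifyInstanceAttribute`, `ec2:AssociateSecurityGroupVpc`) on `resources = ["*"]` with no `condition` block, so the grant reaches every instance and security group in the account, presumably far more than the Service Catalog products this policy is named for. `ec2:ModifyInstanceAttribute` deserves the closest look, because it covers an instance's security-group membership and user data. I would keep the read-only `Describe*`/`Get*` actions on `"*"` and move the instance lifecycle actions into a second statement scoped by instance ARN and a resource-tag condition, as sketched below with placeholder tag values. `ec2:RunInstances` and `ec2:AssociateSecurityGroupVpc` touch several resource types and need their own scoping, and the CHANGELOG entry "granted select ec2 permissions" should say that write actions were added. The enclosing `data "aws_iam_policy_document" "inline"` block starts above the hunk, so any narrowing applied elsewhere (permission boundary, SCP) is not visible here.

```hcl
  statement {
    sid    = "EC2Describe"
    effect = "Allow"
    actions = [
      # … unchanged: the ec2:Describe* actions and ec2:GetSecurityGroupsForVpc …
    ]
    resources = ["*"]
  }
  statement {
    sid    = "EC2InstanceLifecycle"
    effect = "Allow"
    actions = [
      "ec2:StopInstances",
      "ec2:StartInstances",
      "ec2:RebootInstances",
      "ec2:ModifyInstanceAttribute",
    ]
    # Placeholder scoping: use the tag the provisioned instances actually carry.
    # Changing security groups via ModifyInstanceAttribute may also need the
    # intended security-group ARNs listed here; confirm before merging.
    resources = ["arn:aws:ec2:*:*:instance/*"]
    condition {
      test     = "StringEquals"
      variable = "ec2:ResourceTag/<TAG_KEY>"
      values   = ["<TAG_VALUE>"]
    }
  }
  # … ec2:RunInstances and ec2:AssociateSecurityGroupVpc: separate statement,
  #   scoped to the intended subnets, images and security groups …
```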