According to the latest IAM Policy Reference for EC2, there are no resources or conditions that can be applied to the DescribeInstances action that can be used to restrict the scope of what can be described. So it is all-or-nothing: if you allow DescribeInstances to any principal, all instances can be described.
Hi Fred,
The ability to run the DescribeInstances API is required to gain visibility to these resources. You need this visibility to know what instances are there. The first part of your policy will allow additional commands on those resources matching the condition, in your case preventing changes to any instances not tagged with "Environment = Labs". You cannot prevent seeing the names of all resources but you can prevent actions on resources not matching the condition.
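The pattern described in this answer, as an added example policy that is not from the original thread: ec2:DescribeInstances is allowed on "*" with no condition, because that action supports neither resource-level permissions nor the ec2:ResourceTag condition key, while the mutating actions are limited to instances tagged Environment=Labs. The tag key and value come from the question; the list of mutating actions is an assumption.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListAllInstancesUnconditionally",
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    },
    {
      "Sid": "ChangeOnlyLabsInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Environment": "Labs"
        }
      }
    }
  ]
}
```

Adding the same ec2:ResourceTag condition to the DescribeInstances statement does not narrow the listing: the key is absent from that request's context, so the statement never matches and the call fails with an authorization error instead of returning a filtered result.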
DescribeInstances cannot be restricted using a condition, but depending on your business requirement, if it is a must to avoid the user seeing all instances, you can consider moving to a multi-account setup.
Or you can completely disable the describe instance permission for the user and provide the list of instance IDs by other means, e.g. Lambda + S3. But it depends on your use case and the problem you are trying to solve.
Thanks to all of you @Bert_Z @Michael_F and @hameedullah.
That was my understanding that describe_instances cannot be restricted, but I have to admit I was a bit confused with the blog post and that's why I tried it. I have to admit that it would be a great feature to be able to limit visibility using an IAM policy instead of applying some filter later on when the full list is retrieved.