Hi,
not all EC2 API actions support all condition keys. Please refer to the documentation to see which conditions are available for `DescribeInstances` and other actions.
And please note:
To learn whether an Amazon EC2 API action supports controlling access using the aws:ResourceTag condition key, see Actions, resources, and condition keys for Amazon EC2. Note that the Describe actions do not support resource-level permissions, so you must specify them in a separate statement without conditions.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/control-access-with-tags.html
Hello.
Unfortunately, it is not possible to set an IAM policy to show/hide only specific EC2 instances in the console.
The reason is that ec2:DescribeInstances does not support "resource level permissions". This means that you can only set either "show all EC2 instances" or "hide all EC2 instances".
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html
You can't limit the display, but you can use EC2 tags to limit things like suspension and deletion, so why not set that up?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Statement2",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEqualsIfExists": {
          "ec2:ResourceTag/Owner": "HOGE"
        }
      }
    }
  ]
}
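Added example, not from the thread or from AWS: a simplified Python model of how the two statements above evaluate, showing that the unconditioned Describe statement matches every instance, and that `StringEqualsIfExists` also matches an instance that has no `Owner` tag at all, whereas plain `StringEquals` does not. It is not AWS's evaluation engine; it assumes Allow-only statements and single-valued string conditions on `ec2:ResourceTag/<key>` keys.

```python
import copy
import fnmatch

# The two statements from the answer above, reduced to the fields this model
# reads ("HOGE" is the poster's placeholder tag value).
POLICY = [
    {"Action": ["ec2:Describe*"], "Condition": {}},
    {"Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"],
     "Condition": {"StringEqualsIfExists": {"ec2:ResourceTag/Owner": "HOGE"}}},
]

# Same policy with the plain operator, which fails when the tag is absent.
STRICT_POLICY = copy.deepcopy(POLICY)
STRICT_POLICY[1]["Condition"] = {"StringEquals": {"ec2:ResourceTag/Owner": "HOGE"}}

TAG_PREFIX = "ec2:ResourceTag/"


def condition_matches(condition, tags):
    """Evaluate a Condition block against a resource's tag map (dict of key -> value).
    Only StringEquals / StringEqualsIfExists on ec2:ResourceTag/<key> with one
    expected value are modelled; anything else raises ValueError."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        if base != "StringEquals":
            raise ValueError(f"operator not modelled: {operator}")
        for cond_key, expected in pairs.items():
            if not cond_key.startswith(TAG_PREFIX):
                raise ValueError(f"condition key not modelled: {cond_key}")
            tag_key = cond_key[len(TAG_PREFIX):]
            if tag_key not in tags:
                # ...IfExists treats a missing tag as satisfied; the plain
                # operator fails, so an untagged instance is not matched.
                if if_exists:
                    continue
                return False
            if tags[tag_key] != expected:
                return False
    return True


def is_allowed(policy, action, tags):
    """True if some statement's Action pattern matches (case-insensitive, '*'
    wildcard) and its Condition holds; otherwise implicit deny. Explicit Deny
    statements are not represented in this model."""
    for stmt in policy:
        if any(fnmatch.fnmatchcase(action.lower(), pat.lower()) for pat in stmt["Action"]):
            if condition_matches(stmt["Condition"], tags):
                return True
    return False
```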