RESTRICTION OF IAM USER PERMISSIONS

0

Good evening, Dear!

I have a question regarding IAM user policies. I need a user who, when entering EC2 in the instance part, cannot see all instances, but only some specific instances that I define in the policy. I used the following JSON template below to restrict the user, but unfortunately without success. can you help me? If this is not possible, what other alternatives do I have?

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*", "Condition": { "StringEquals": { "ec2:ResourceTag/instance-id": "i-0123456789abcdef0" } } } ] }

The instance ID shown in Json does not exist, it is just for example. I'm waiting the answer.

Paulo
asked a year ago287 views
2 Answers
0

Hi,

not all EC2 API actions support all condition keys. Please refer to the documentation to see which conditions are available for ´DescribeInstances` and other actions.

And please note:

To learn whether an Amazon EC2 API action supports controlling access using the aws:ResourceTag condition key, see Actions, resources, and condition keys for Amazon EC2. Note that the Describe actions do not support resource-level permissions, so you must specify them in a separate statement without conditions.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/control-access-with-tags.html

profile pictureAWS
EXPERT
answered a year ago
0

Hello.

Unfortunately, it is not possible to set an IAM policy to show/hide only specific EC2 instances in the console.
The reason is that ec2:DescribeInstances does not support "resource level permissions". This means that you can only set either "show all EC2 instances" or "hide all EC2 instances".
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html

You can't limit the display, but you can use EC2 tags to limit things like suspension and deletion, so why not set that up?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Statement2",
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEqualsIfExists": {
                    "ec2:ResourceTag/Owner": "HOGE"
                }
            }
        }
    ]
}
profile picture
EXPERT
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions