6
votes

I have a policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1429817158000",
            "Effect": "Allow",
            "Action": [
                "ec2:*"
            ],
            "Resource": [
                "arn:aws:ec2:*"
            ]
        }
    ]
}

That is attached to a group. That group has one user. When I log in to myloginthing.signin.aws.amazon.com with that user's credentials I can't do anything related to EC2. It gives me messages such as "You are not authorized to describe Running Instances" for every action on the page.

The IAM Policy Simulator tells me every action is denied because:

Implicitly denied (no matching statements found).

What am I missing?


3 Answers

2
votes

This actually took me a while to figure out.

It turns out that you have to match each action (in your example, ec2:*) with a set of allowable resources (in your example, arn:aws:ec2:*).

The problem is that not every action has the same set of allowable resources - so while you can use a number of different resources for RunInstances, DescribeInstances ONLY supports *.

The whole list is available here.

(Note: the link is posted rather than the list itself because a) the list is very large, and b) it will probably change significantly over time.)

2
votes

It's actually fine to use ec2:* as the Allow Action, but "arn:aws:ec2:*" is an invalid Amazon Resource Name.

Replacing "arn:aws:ec2:*" with "arn:aws:ec2:::*" or just "*" should work.

See Amazon Resource Names (ARNs) and AWS Service Namespaces
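A small policy linter for the two problems raised in the answers above (a malformed ARN, and an action family that only accepts Resource "*"), as an added example that is not part of any answer on this page. It assumes a deliberately short table of wildcard-only actions (just the ec2:Describe* family the first answer mentions; the real AWS table is far longer), and the corrected policy it checks is constructed for illustration; the names lint_policy, is_valid_arn and actions_overlap are mine, not an AWS API.

```python
"""Lint an IAM policy for resource/action mismatches (added example)."""
import fnmatch
import json

# Assumption: only the family the thread discusses. AWS publishes the full
# list of which actions support resource-level ARNs; extend this as needed.
WILDCARD_ONLY_ACTIONS = ["ec2:describe*"]

# The policy from the question, verbatim.
ORIGINAL_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1429817158000",
        "Effect": "Allow",
        "Action": ["ec2:*"],
        "Resource": ["arn:aws:ec2:*"]
    }]
}""")

# Constructed corrected policy: Describe* gets "*", instance lifecycle calls
# (which do support instance ARNs) get a well-formed resource ARN.
FIXED_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DescribeNeedsStar", "Effect": "Allow",
         "Action": "ec2:Describe*", "Resource": "*"},
        {"Sid": "InstanceLifecycle", "Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "arn:aws:ec2:*:*:instance/*"}
    ]
}""")


def as_list(value):
    """Action and Resource may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_valid_arn(arn):
    """"*" or arn:partition:service:region:account:resource (six fields).

    Region and account may be empty or "*", e.g. arn:aws:ec2:*::image/*,
    but the fields must be present: arn:aws:ec2:* has only four.
    """
    if arn == "*":
        return True
    parts = arn.split(":", 5)
    return (len(parts) == 6 and parts[0] == "arn"
            and all(parts[1:3]) and parts[5] != "")


def actions_overlap(a, b):
    """Two glob-style action patterns overlap if either matches the other.

    IAM action names are case-insensitive, so compare lower-cased.
    """
    a, b = a.lower(), b.lower()
    return fnmatch.fnmatchcase(a, b) or fnmatch.fnmatchcase(b, a)


def lint_policy(policy):
    """Return a list of human-readable findings; empty means no issue found."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        for res in resources:
            if not is_valid_arn(res):
                findings.append(
                    f"{sid}: malformed ARN {res!r} "
                    "(expected arn:partition:service:region:account:resource)")
        if "*" in resources:
            continue  # every action in this statement can match
        for action in actions:
            for pattern in WILDCARD_ONLY_ACTIONS:
                if actions_overlap(action, pattern):
                    findings.append(
                        f"{sid}: {action!r} includes {pattern} calls, which only "
                        'accept Resource "*"; those calls will be implicitly denied')
    return findings


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        print(name, lint_policy(policy) or "no findings")
```

Run against the question's policy it reports both problems at once: the four-field ARN, and the fact that ec2:* covers Describe* calls that can never match a resource ARN, which is exactly the "implicitly denied (no matching statements found)" the simulator shows. The fixed policy produces no findings. Treat the wildcard-only table as a starting point: in practice you would populate it from the AWS documentation linked in the answers rather than from this one entry.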

0
votes

You have to fill out all Resources:


                arn:aws:ec2:*::image/*
                arn:aws:ec2:*::snapshot/*
                arn:aws:ec2:*:*:subnet/*
                arn:aws:ec2:*:*:network-interface/*
                arn:aws:ec2:*:*:security-group/*
                arn:aws:ec2:*:*:volume/*
                arn:aws:ec2:*:*:instance/*
                arn:aws:ec2:*:*:network-interface/*
                arn:aws:ec2:*:*:key-pair/*