1
votes

I want userA that is in guest group have a policy that allows to do everything with an EC2 instance BUT see only this instance. I don't want the user to see all my EC2 instances list.

I did:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "abc",
                "Effect": "Allow",
                "Action": [
                    "ec2:RebootInstances",
                    "ec2:StartInstances",
                    "ec2:StopInstances"
                ],
                "Resource": "arn:aws:ec2:us-east-1:33333333333:instance/i-444444444444444"
            },
            {
                "Sid": "abb",
                "Effect": "Allow",
                "Action": "ec2:DescribeInstances",
                "Resource": "arn:aws:ec2:us-east-1:33333333333:instance/i-444444444444444"
            }
        ]
    }

I'm getting an error: "The actions in your policy do not support resource-level permissions and require you to choose All resources"

Tried adding

    "Condition": {
        "StringEquals": {
            "ec2:ResourceTag/UserName": "abc"
        }
    }

While my EC2 has tag key: "name" and value: "abc"

In this case getting:

This means that it is impossible to grant access to ONE EC2 instance to a user without them seeing all my EC2 machines?

1

1 Answer

2
votes

I recommend you review the actions related to EC2 that you can use for permissions. The DescribeInstances action has an Access level of List, which means it by definition applies to a list of instances.

List permissions:

List: Permission to list resources within the service to determine whether an object exists. Actions with this level of access can list objects but cannot see the contents of a resource. For example, the Amazon S3 action ListBucket has the List access level.

So, you are correct that with the DescribeInstances action you can't allow that for one instance without allowing it for all the others. That action doesn't give other access to the instance--just access to see instance info.

Here's an official AWS word about how "most essential Amazon EC2 actions don't support resource-level permissions" that also says:

If you must isolate your resources by Region or any conditions on the same account, first check the list of EC2 actions that support resource-level permissions and conditions to verify that your use case supports this solution.
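To make the split concrete, here is an added example (not part of the question or answer above, and not AWS-published code) of the policy shape the answer implies: the mutating actions are scoped to one instance ARN and further guarded by an `ec2:ResourceTag/name` condition matching the tag from the question, while `ec2:DescribeInstances` is granted on `"*"` because it does not support resource-level permissions. The account id, instance id and the set of prefixes treated as list-only are constructed placeholders and assumptions for this illustration. A small lint function flags the exact mistake the question ran into, so the same check can be run over other policies before they are attached.

```python
import json

# Constructed placeholders; replace with your own account and instance ids.
ACCOUNT_ID = "333333333333"
INSTANCE_ID = "i-444444444444444"
INSTANCE_ARN = f"arn:aws:ec2:us-east-1:{ACCOUNT_ID}:instance/{INSTANCE_ID}"

# Policy with the two concerns separated: resource-scoped control actions,
# and an unscoped list action (Describe* cannot be restricted per instance).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ManageOneInstance",
            "Effect": "Allow",
            "Action": [
                "ec2:RebootInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
            ],
            "Resource": INSTANCE_ARN,
            # Tag condition: key "name" / value "abc" as in the question.
            "Condition": {"StringEquals": {"ec2:ResourceTag/name": "abc"}},
        },
        {
            "Sid": "ListInstances",
            "Effect": "Allow",
            "Action": "ec2:DescribeInstances",
            "Resource": "*",
        },
    ],
}

# Assumption for this lint: every ec2:Describe* action is list-level and
# needs Resource "*". Check the AWS action table for your actual action set.
LIST_ONLY_PREFIXES = ("ec2:Describe",)


def _as_list(value):
    """Normalise an IAM field that may be a string or a list of strings."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return a list of findings for statements that scope a list-only
    action to a specific resource (the error from the question)."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action.startswith(LIST_ONLY_PREFIXES) and resources != ["*"]:
                findings.append(
                    f"{stmt.get('Sid', '<no Sid>')}: {action} does not support "
                    f"resource-level permissions; use Resource \"*\""
                )
    return findings


def policy_json(policy=POLICY):
    """Serialise the policy exactly as it would be pasted into IAM."""
    return json.dumps(policy, indent=4)


if __name__ == "__main__":
    print(policy_json())
    print("findings:", lint_policy(POLICY) or "none")
```

Note that granting `ec2:DescribeInstances` on `"*"` still returns every instance in the account, exactly as the answer states; the tag condition only narrows what the user can start, stop or reboot, not what they can see.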