I'm trying to create an AWS IAM policy to restrict the read access on EC2 instances.
Goal: I have many EC2 instances and many different users in AWS and I want to have a group of users who are able to see ONLY particular EC2 instances and not all of them.
Is there any possibility to do so?
I've tried to restrict access by tagging the instances, but the Describe* API can't be restricted by Condition and not by Resource, if I see it right.
Unfortunately, the only clean way to do this is to have multiple AWS accounts (preferably under an Organization) and then restrict different groups of users to different accounts.
Some, but not all, actions support resource-level permissions so you can write a policy like the following that restricts which EC2 instances an IAM user can start/stop/reboot:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Environment": "Staging"
        }
      },
      "Resource": [
        "arn:aws:ec2:us-east-1:123456789012:instance/*"
      ],
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    }
  ]
}
Additionally, you can restrict the distribution of SSH keypairs or Windows credentials so that only certain users can physically access a given EC2 instance.
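The following is an added worked example, not part of the answer above and not code from AWS. It embeds the answer's policy in a deliberately simplified evaluator (only Allow statements, action and resource wildcards, and a StringEquals condition on ec2:ResourceTag are modelled; explicit Deny and every other condition operator are left out) and runs it against a constructed inventory of three instances with made-up IDs. It shows the point the answer makes: the tag condition successfully limits Start/Stop/Reboot to the Staging-tagged instance, while ec2:Describe*, granted on Resource "*" with no condition, still lists every instance. In real IAM the Describe* calls carry no resource ARN at all and are evaluated against "*", which is exactly why there is nothing for a tag condition to match.

```python
import fnmatch

# The policy from the answer above, embedded as a Python dict so this runs offline.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
            "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "Staging"}},
            "Resource": ["arn:aws:ec2:us-east-1:123456789012:instance/*"],
            "Effect": "Allow",
        },
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ],
}

# Constructed sample inventory (instance ARN -> tags); the instance IDs are made up.
INSTANCES = {
    "arn:aws:ec2:us-east-1:123456789012:instance/i-0aaa": {"Environment": "Staging"},
    "arn:aws:ec2:us-east-1:123456789012:instance/i-0bbb": {"Environment": "Production"},
    "arn:aws:ec2:us-east-1:123456789012:instance/i-0ccc": {},
}

TAG_PREFIX = "ec2:ResourceTag/"


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, tags):
    """Simplification: only StringEquals on ec2:ResourceTag/<Key> is supported."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator not modelled: {operator}")
        for key, expected in pairs.items():
            if not key.startswith(TAG_PREFIX):
                raise NotImplementedError(f"condition key not modelled: {key}")
            # A missing tag never equals the expected value, so untagged instances fail.
            if tags.get(key[len(TAG_PREFIX):]) != expected:
                return False
    return True


def is_allowed(policy, action, resource_arn, tags):
    """Implicit deny unless some Allow statement matches action, resource and condition."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, p) for p in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], tags):
            continue
        return True
    return False


def visible_instances(policy, inventory):
    """Instances the user can enumerate. Describe* is granted on "*" without a
    condition, so every instance is returned regardless of its tags."""
    return sorted(arn for arn, tags in inventory.items()
                  if is_allowed(policy, "ec2:DescribeInstances", arn, tags))


def startable_instances(policy, inventory):
    """Instances the user can start: only those carrying Environment=Staging."""
    return sorted(arn for arn, tags in inventory.items()
                  if is_allowed(policy, "ec2:StartInstances", arn, tags))


if __name__ == "__main__":
    print("visible  :", visible_instances(POLICY, INSTANCES))
    print("startable:", startable_instances(POLICY, INSTANCES))
```

Running it prints all three ARNs as visible and only i-0aaa as startable, which is the gap the answer describes: tag conditions gate the mutating actions, but read visibility remains account-wide, so separate accounts are the only clean way to hide instances from a group of users.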