amazon-web-services, policy, identity-management

Hide specific instances for IAM users in AWS console


I have multiple instances in my AWS account. I would like to list specific instances to the IAM users from the console. Example: I have Instance1 and Instance2. I would like to display Instance1 and hide Instance2 for IAM users.

I have attached the policy below, but all the instances are still listed for IAM users in the AWS EC2 console.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/UserName": "${aws:username}"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Resource": "*"
    }
  ]
}

Solution

  • This is not possible.

    If you take a look at Actions, resources, and condition keys for Amazon EC2 - Service Authorization Reference, the DescribeInstances API call only has a Condition Key to limit by Region. It is not possible to limit the result of this API call by any other criteria (e.g. Tags).

    So, users either have permission to list ALL of the instances, or None of them.

    You can, of course, use filters in the management console to limit the instances displayed, but users would still be able to remove the filter or use the AWS CLI to list all instances.
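To make the answer concrete, here is a small added Python evaluator (not AWS's policy engine, and not code from the question or the answer) that walks the posted policy for a few constructed requests: the unconditioned ec2:Describe* statement allows DescribeInstances for every instance, while the ec2:ResourceTag condition only scopes instance-level actions such as StopInstances. The user name alice, the two instances and their tags are constructed sample data.

```python
import fnmatch

# The policy from the question, reproduced as Python data.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/UserName": "${aws:username}"}}},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["ec2:CreateTags", "ec2:DeleteTags"], "Resource": "*"},
    ],
}

# Constructed sample data: two instances, only the first tagged for user "alice".
INSTANCES = {"Instance1": {"UserName": "alice"}, "Instance2": {"UserName": "bob"}}


def _condition_matches(condition, username, tags):
    # StringEquals on ec2:ResourceTag/<key> only, with ${aws:username} substituted.
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith("ec2:ResourceTag/"):
            return False  # other condition keys are out of scope for this toy
        expected = expected.replace("${aws:username}", username)
        if tags.get(key.split("/", 1)[1]) != expected:
            return False
    return True


def evaluate(policy, action, username, tags=None):
    # Returns "Allow", "Deny" (explicit) or "ImplicitDeny"; Deny overrides Allow, as in IAM.
    tags = tags or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        if not _condition_matches(stmt.get("Condition", {}), username, tags):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def describable_instances(policy, username):
    # DescribeInstances is a list call: the request context carries no resource
    # tags, so the tag condition cannot hide anything and every instance is listed.
    return [name for name in INSTANCES
            if evaluate(policy, "ec2:DescribeInstances", username) == "Allow"]


if __name__ == "__main__":  # both instances are listed; only Instance1 can be stopped
    print(describable_instances(POLICY, "alice"))
```

Running it shows the asymmetry the answer describes: alice can describe both instances, can stop only Instance1, and is explicitly denied CreateTags even on her own instance.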