AWS IAM: Restrict Console Access to only One Instance

amazon ec2amazon-iamamazon-web-services

I am trying to create an IAM user for the AWS Console with permission to list and perform action on only 1 instance.

So I have a total of 6 Instances and I tried hiding 5 of them via IAM Policies by adding the below policy:

Breakdown
1. First took all the permissions away
2. Added permission to only one instance

    {
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "condition": {}
            }
        },
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef",
            "Condition": {
                "condition": {}
            }
        }
    ]
}

This works for the 1st part only ie Denying to all Instances.
The 2nd part doesn't seem to work.

AWS Console with no permission to any instance data

Don't the permissions work like that? Any help would be appreciated.

Best Answer

Your current policy would work in the AWS-CLI, e.g. aws ec2 stop-instance should work.

However to actually use the web console you need a few more read-only permissions because the console tries to list and describe all the instances to build the list.

You may need at least ec2:DescribeInstances to get a basic half-broken list.

If you only care about preventing that IAM user from modifying other instances you can give him a read-only access with ec2:Describe* - that should make the console usable while preventing him from modifying any non-permitted instances.

I'm not aware of a way to restrict the listing of instances only to the one he can work with, he will probably see them all but can only manage that single one.

Hope that helps :)

Related Topic