I am trying to create an IAM user for the AWS Console with permission to list and perform actions on only one instance.
So I have a total of 6 instances, and I tried hiding 5 of them via IAM policies by adding the policy below:
Breakdown
1. First, took all the permissions away
2. Then added permission to only one instance
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef"
    }
  ]
}
This works for the 1st part only, i.e. denying access to all instances.
The 2nd part doesn't seem to work.
Don't the permissions work like that? Any help would be appreciated.
Best Answer
Your current policy would work in the AWS CLI, e.g.
aws ec2 stop-instances
should work. However, to actually use the web console you need a few more read-only permissions, because the console tries to list and describe all the instances to build the list.
You may need at least
ec2:DescribeInstances
to get a basic, half-broken list. If you only care about preventing that IAM user from modifying other instances, you can give him read-only access with
ec2:Describe*
- that should make the console usable while preventing him from modifying any non-permitted instances. I'm not aware of a way to restrict the listing of instances only to the one he can work with; he will probably see them all but can only manage that single one.
Hope that helps :)
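As an added illustration (not code from the question or the answer), the following Python models IAM's evaluation order, in which a matching explicit Deny always overrides any Allow and anything no statement matches is implicitly denied. It evaluates the question's Deny-everything-then-Allow-one-instance policy and a policy along the lines the answer suggests (ec2:Describe* on all resources, write actions only on a single instance ARN); the second instance ARN and the chosen write actions are constructed for the example.

```python
import fnmatch

# Constructed identifiers for this example (not from the question or answer).
INSTANCE_ARN = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef"
OTHER_ARN = "arn:aws:ec2:us-east-1:123456789012:instance/i-0fedcba987654321"

# The question's approach: blanket explicit Deny plus an Allow on one instance.
QUESTION_POLICY = {"Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": "*", "Resource": INSTANCE_ARN},
]}

# The answer's approach: read-only Describe* everywhere, write actions on one
# instance only, and rely on IAM's implicit (default) deny for everything else.
ANSWER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["ec2:StartInstances", "ec2:StopInstances"],
     "Resource": INSTANCE_ARN},
]}


def _matches(patterns, value, fold_case):
    """IAM-style wildcard match: '*' any run of characters, '?' one character.
    Action names are case-insensitive in IAM; resource ARNs are not."""
    if not isinstance(patterns, list):
        patterns = [patterns]
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request.
    Order: any matching explicit Deny wins; otherwise any matching Allow
    grants access; otherwise the request is implicitly denied."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action, True)
                and _matches(stmt["Resource"], resource, False)):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"      # explicit deny overrides every Allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    # DescribeInstances has no resource-level permissions, so the console
    # calls it against "*"; the question's policy therefore denies it too.
    for name, pol in (("question", QUESTION_POLICY), ("answer", ANSWER_POLICY)):
        for act, res in (("ec2:StopInstances", INSTANCE_ARN),
                         ("ec2:StopInstances", OTHER_ARN),
                         ("ec2:DescribeInstances", "*")):
            print(f"{name:8} {act:22} {res.rsplit('/', 1)[-1]:20} {evaluate(pol, act, res)}")
```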