Limiting Which EC2 Instances a User Can See


Hello,

I am trying to limit which EC2 instances a user can see. My use case is that I am trying to set up a lab for a professor. I want them to be able to see only their systems and be able to start / stop / reboot them as needed. I am trying to limit them to their systems so they do not become confused as to what is and isn't theirs.

I know this can't be done with tagging. I saw this post https://repost.aws/questions/QUUaWdSykIREW4HYDd8T7J7Q/restricting-access-to-ec-2-instances-using-iam-policy where they are trying to do the same thing I am doing but had little to no luck. I also know it can be done in some form or another because if you have ever used AWS Academy you know you don't see other students' instances.

One suggestion I read was to create multiple AWS accounts and combine them into an organization. While this may work it seems like I'm hitting a brass brad with a ten-pound hammer. So does anyone have any better ideas on how to do this?

Thank you, TK

3 answers

Accepted answer

As you have read, you won't be able to limit which instances are displayed in the console even with tags. You can restrict what operations a user can perform like starting and stopping instances. See https://aws.amazon.com/premiumsupport/knowledge-center/restrict-ec2-iam/

Multiple accounts would be the best option to achieve what you are trying to do and you can set up a multi-account environment pretty easily with Control Tower.

I don't think you can compare with AWS Academy as that seems to be a learning management system built on AWS which probably has its own mechanisms for filtering what can be seen between accounts.

One other simple thing you can do is give the professors a URL that contains the filter for their EC2 instances. For example, you can tag all of your instances with "Owner" with a value of the name of the Professor. Then give them a URL like this:

https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#Instances:v=3;tag:Owner=ProfessorName

Where ProfessorName is their name.

AWS Expert
Matt-B
answered 2 years ago
reviewed by an AWS Expert 2 years ago
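To make the distinction in the accepted answer concrete, here is the kind of identity policy the linked knowledge-center article describes, written as an added example rather than something from the original answer. EC2 `Describe*` actions do not support resource-level permissions or tag conditions, so the first statement is necessarily account-wide and the console will still list every instance. The second statement is where tags do work: start, stop and reboot are allowed only when the instance carries the `Owner` tag from the answer. The region, the 123456789012 account ID and the literal `ProfessorName` value are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListingIsAccountWide",
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Sid": "ControlOnlyOwnInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances"
      ],
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Owner": "ProfessorName"
        }
      }
    }
  ]
}
```

Two practical notes. Replacing the literal with the policy variable `${aws:PrincipalTag/Owner}` lets one policy serve every professor, provided each IAM principal is tagged `Owner` to match its instances. And do not grant `ec2:CreateTags` or `ec2:DeleteTags` on instances without an equally strict condition: since the tag is the authorization boundary, a user who can retag an instance can claim it. Attaching this policy to a user and attempting `aws ec2 stop-instances` on another professor's instance should return an `UnauthorizedOperation` error, which is the check to run before handing out credentials.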

I had a similar request from a question from a customer a while back; what I suggested is that they build a self-service portal for their users - that way they could precisely control the visibility and the actions that could be performed. But it's more work for you to do this.

In this particular case, my customer took some code I wrote as part of this blog post and modified the Workspaces component to control EC2 instead.

That said (and to repeat): It's work that you have to do. I think that Matt-B's answer is better here because you're relying on native AWS constructs so you're not maintaining anything going forward.

AWS Expert
answered 2 years ago
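The self-service portal route in the answer above hinges on one design point: the portal does the filtering that IAM cannot, and it must authorize every action server-side rather than trusting that a hidden instance stays hidden. The following is an added illustration of that pattern, not code from the blog post the answer mentions. It assumes the `Owner` tag from the accepted answer, a portal running under an IAM role that may describe, start, stop and reboot instances, and a boto3 EC2 client (`boto3.client("ec2")`) passed in as `ec2` so the pure checks can run offline. The sample describe response is constructed and deliberately contains another professor's instance, which the real tag filter would already have excluded, to show that the ownership re-check holds even if the filter is dropped.

```python
"""Ownership checks for a small EC2 self-service portal (added example)."""
from typing import Dict, List, Set

# The only operations the portal exposes; anything else is rejected outright.
ALLOWED_ACTIONS = {"start", "stop", "reboot"}


def owner_filter(owner: str) -> List[Dict[str, List[str]]]:
    """Server-side DescribeInstances filter so a user only ever sees their own
    instances. This is the visibility control that IAM alone cannot provide."""
    return [{"Name": "tag:Owner", "Values": [owner]}]


def owned_instance_ids(describe_response: Dict, owner: str) -> Set[str]:
    """Collect instance IDs whose Owner tag matches. The tag is re-checked on
    each instance instead of trusting that the API filter was applied, so a
    foreign instance can never end up in the owned set."""
    owned: Set[str] = set()
    for reservation in describe_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            if tags.get("Owner") == owner:
                owned.add(inst["InstanceId"])
    return owned


def authorize(action: str, instance_id: str, owned: Set[str]) -> bool:
    """Decision taken before any EC2 call is made on a user's behalf. The
    instance_id arrives from the browser and is untrusted; the owned set comes
    from the server's own DescribeInstances result."""
    return action in ALLOWED_ACTIONS and instance_id in owned


def perform(ec2, owner: str, action: str, instance_id: str) -> Dict:
    """Look up ownership fresh, authorize, then call the matching EC2 API.
    `ec2` is a boto3 EC2 client (assumption: the role it uses has the rights)."""
    response = ec2.describe_instances(Filters=owner_filter(owner))
    if not authorize(action, instance_id, owned_instance_ids(response, owner)):
        raise PermissionError(f"{owner} may not {action} {instance_id}")
    call = {
        "start": ec2.start_instances,
        "stop": ec2.stop_instances,
        "reboot": ec2.reboot_instances,
    }[action]
    return call(InstanceIds=[instance_id])


# Constructed DescribeInstances response (not captured from a real account):
# two instances, only the first tagged for ProfessorName.
SAMPLE_DESCRIBE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0123456789abcdef0",
             "Tags": [{"Key": "Owner", "Value": "ProfessorName"}]},
            {"InstanceId": "i-0fedcba9876543210",
             "Tags": [{"Key": "Owner", "Value": "OtherProfessor"}]},
        ]}
    ]
}

if __name__ == "__main__":
    owned = owned_instance_ids(SAMPLE_DESCRIBE, "ProfessorName")
    print(owned)                                                 # {'i-0123456789abcdef0'}
    print(authorize("stop", "i-0123456789abcdef0", owned))       # True
    print(authorize("stop", "i-0fedcba9876543210", owned))       # False
    print(authorize("terminate", "i-0123456789abcdef0", owned))  # False
```

The portal's IAM role still needs the permissions to act on every instance, so the role becomes the trusted component and the `authorize()` call is the only thing standing between a user and another professor's machines. Keep that check in one place, log its denials, and never let the browser supply the owner name.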

Thank you both for such quick replies. I was hoping I had missed an easy solution but it looks like that is not the case. I like Matt-B's idea of providing a link that is filtered. It is not a perfect solution but should work.

I find it amazing that AWS does not provide some way to limit what users can see based on tagging or some other method as it seems I am not the only one trying to do something like this. Again thank you both for your help.

TK
answered 2 years ago
