Restricting access to EC2 instances using IAM Policy

0

Hi all,

I'm trying to restrict access to EC2 instances (especially describe-instances) to an IAM user with an IAM policy (using tags) as described in the following post: https://aws.amazon.com/premiumsupport/knowledge-center/iam-ec2-resource-tags/

I added the following tag "Environment/Labs" to a few EC2 instances.

I then created the following IAM policy that I attached to an IAM user.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Environment": "Labs"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "ec2:DeleteTags",
                "ec2:CreateTags"
            ],
            "Resource": "*"
        }
    ]
}

Unfortunately, this is not working and I'm able to list all the instances. ;(

Any hint on what I'm missing here?

Note: I tried to attach the condition to the Describe*/DescribeInstances action and this was blocking any access to EC2 instances.

Many thanks in advance for the help.

Best regards,
Fred

4 answers
2

According to the latest IAM Policy Reference for EC2, there are no resources or conditions that can be applied to the DescribeInstances action that can be used to restrict the scope of what can be described. So it is all-or-nothing: if you allow DescribeInstances to any principal, all instances can be described.

AWS
Expert
Answered 2 years ago
1
Accepted answer

Hi Fred,

The ability to run the DescribeInstances API is required to gain visibility to these resources. You need this visibility to know what instances are there. The first part of your policy will allow additional commands on those resources matching the condition, in your case preventing changes to any instances not tagged with "Environment = Labs". You cannot prevent seeing the names of all resources but you can prevent actions on resources not matching the condition.

AWS
Bert_Z
Answered 2 years ago
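The point both answers make, as an added example (not code from the thread or from AWS): a deliberately simplified simulator of IAM's evaluation logic run over Fred's policy. It assumes only the StringEquals operator and that an ec2:DescribeInstances request carries no ec2:ResourceTag/* key in its context, which is why the conditional statement never applies to it and the unconditional Describe* statement does; moving the condition onto Describe* produces an implicit deny, as in Fred's note.

```python
import copy
import fnmatch

# Fred's policy from the question, as a Python dict with the same three statements.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "Labs"}}},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["ec2:DeleteTags", "ec2:CreateTags"], "Resource": "*"},
    ],
}

def _action_matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def _condition_matches(condition, context):
    # Only StringEquals is modelled (all this policy uses). A condition key absent from
    # the request context (ec2:ResourceTag/* for DescribeInstances) evaluates to false.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)  # assumption: no other operators needed
        if any(context.get(key) != value for key, value in pairs.items()):
            return False
    return True

def evaluate(policy, action, context=None):
    """Simplified IAM decision: explicit Deny wins, else Allow if a statement matches,
    else implicit Deny. `context` holds the request's condition keys (constructed)."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        if not any(_action_matches(a, action) for a in actions):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"

def with_describe_condition(policy):
    """Fred's second attempt: the same tag condition copied onto the Describe* statement."""
    changed = copy.deepcopy(policy)
    changed["Statement"][1]["Condition"] = copy.deepcopy(policy["Statement"][0]["Condition"])
    return changed
```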
1

DescribeInstances cannot be restricted using a condition, but depending on your business requirement, if it is a must to avoid the user seeing all instances, you can consider moving to a multi-account setup.

Or you can completely disable the describe instance permission for the user and provide the list of instance IDs by other means, e.g. Lambda + S3. But it depends on your use case and the problem you are trying to solve.

Answered 2 years ago
0

Thanks to all of you @Bert_Z @Michael_F and @hameedullah.

That was my understanding, that describe_instances cannot be restricted, but I have to admit I was a bit confused by the blog post and that's why I tried it. I have to admit that it would be a great feature to be able to limit visibility using an IAM policy instead of applying some filter later on when the full list is retrieved.

Answered 2 years ago
