I think what you're asking is how to restrict visibility of EC2 instances in a specific account where there are multiple users in that account. The short answer is that you can't do that - you can restrict (using tag policies) what actions different users (i.e. callers to the EC2 API with different identities) can perform on EC2 instances; but you can't restrict the visibility of those instances in a "List" operation - either via the API or in the console.
Not really answering the question but for more information about tag-based access control: https://repost.aws/knowledge-center/restrict-ec2-iam
This is confirmed by https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policy-structure.html#ec2-supported-iam-actions-resources
"Currently, the Amazon EC2 Describe* API actions do not support resource-level permissions. For more information about resource-level permissions for Amazon EC2, see IAM policies for Amazon EC2."
Why can't we hide a particular instance from a particular user?
See the comment on the other answer - the API doesn't support resource-level permissions. This is because the API is designed to "list all the resources" rather than "list the specified resources".
You can leverage AWS Organizations and give each group their own AWS account.
Do you want to restrict access to AWS resources for a specific user or account? See https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html (Controlling access to AWS resources using tags). Maybe you need to use a tag on that EC2 instance.
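The following IAM policy is an added illustration of the split the answers above describe; it is not from the thread or from AWS documentation. It assumes a tag key named `Team` is set both on the instances and on the calling IAM principal (both names are assumptions for the example). The first statement grants `ec2:DescribeInstances` on `"*"` because the Describe* actions do not support resource-level permissions, so listing is all-or-nothing; the second statement uses the `aws:ResourceTag` and `aws:PrincipalTag` condition keys so that start, stop and reboot succeed only on instances whose `Team` tag matches the caller's `Team` tag.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListingCannotBeScopedPerInstance",
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    },
    {
      "Sid": "ActOnlyOnOwnTeamInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Team": "${aws:PrincipalTag/Team}"
        }
      }
    }
  ]
}
```

With this policy attached, every user still sees every instance in the account when they call `DescribeInstances` or open the console, but a user whose principal tag is `Team=blue` gets an `UnauthorizedOperation` error when trying to stop an instance tagged `Team=red`. If a user must not even see other teams' instances, the only option is the one given above: separate AWS accounts under AWS Organizations.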