- Newest
- Most votes
- Most comments
What IAM policies have you set up?
The following documentation shows that only a limited number of "Instances" can be set to "Resource".
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlightsail.html#amazonlightsail-actions-as-permissions
For example, the following IAM policy will allow you to view all Lightsail instances, but restrict instance operations to those instances configured in "Resource".
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "lightsail:*",
"Resource": "arn:aws:lightsail:us-west-2:xxxxxxxxxxxxx:Instance/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx"
},
{
"Effect": "Allow",
"Action": "lightsail:Get*",
"Resource": "*"
}
]
}
That worked, thank you!
However, the current IAM user can still see all the Lightsail VM's of the root account (even though they can not control it) Is there a way to restrict this access so they only see the designated resource in the policy?
Perhaps giving an outside IAM user (not under root) access to the Lightsail resource?
Tags can be used to filter access to Lightsail resources https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-controlling-access-using-tags
For example, just want the IAM user to see the server on the left.
Relevant content
- asked 2 years ago
AWS OFFICIALUpdated 11 days ago- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 months ago
It may be possible with tag-based control, but it is not possible to hide it with resource-based control.