The ability to run the DescribeInstances API is required to gain visibility into these resources. You need this visibility to know what instances are there. The first part of your policy will allow additional commands on those resources matching the condition, in your case preventing changes to any instances not tagged with "Environment = Labs". You cannot prevent seeing the names of all resources, but you can prevent actions on resources not matching the condition.
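The two-part policy shape described in the answer above, as an added example that is not part of the original answer: one statement grants the describe call unconditionally (because it cannot be scoped), and a second statement grants the instance-changing actions only where the resource carries the tag. The action list, the `Environment = Labs` tag and the wildcard account and region in the ARN are assumptions chosen for illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeIsAllOrNothing",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeTags"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ChangeOnlyLabsInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Environment": "Labs"
        }
      }
    }
  ]
}
```

Two practical caveats. First, adding the same `aws:ResourceTag` condition to the Describe statement does not filter the listing; because the Describe actions carry no resource tag to evaluate against, the statement simply never matches and the user loses DescribeInstances entirely. Second, do not grant `ec2:CreateTags` or `ec2:DeleteTags` alongside this policy without their own conditions, or the user can move any instance into scope by tagging it `Environment = Labs` before acting on it.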
According to the latest IAM Policy Reference for EC2, there are no resources or conditions that can be applied to the DescribeInstances action that can be used to restrict the scope of what can be described. So it is all-or-nothing: if you allow DescribeInstances to any principal, all instances can be described.
DescribeInstances cannot be restricted using a condition, but depending on your business requirement, if it is a must to prevent the user from seeing all instances, you can consider moving to a multi-account setup.
Or you can completely disable the DescribeInstances permission for the user and provide the list of instance IDs by other means, e.g. Lambda + S3. But it depends on your use case and the problem you are trying to solve.
Thanks to all of you @Bert_Z @Michael_F and @hameedullah.
That was my understanding, that describe_instances cannot be restricted, but I have to admit I was a bit confused by the blog post and that's why I tried it. I have to admit that it would be a great feature to be able to limit visibility using an IAM policy instead of applying some filter later on when the full list is retrieved.