如何讓 IAM 使用者只看的到自己建立的資源 ( How to allow IAM users to only see resources they have created.)

1

如何讓 IAM 使用者, 只能夠看到自己建立的資源 以 EC2 舉例, 當 IAM userA 建立 EC2-A, IAM userB 建立 EC2-B 我希望登入 userA 只能看到 EC2-A 而看不到 EC2-B 我嘗試搜索過網路資訊, 但目前沒有看到任何相關文章 並且嘗試使用 Tag 的方式給予權限策略, 但也無法成功 以下是 Tag 實驗步驟

  1. 對 EC2-A 建立 TagKey : Owner, TagValue : userA
  2. 對 EC2-B 建立 TagKey : Owner, TagValue : userB
  3. 對 userA 加入以下權限政策

{ "Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*", "Condition": { "StringEquals": { "ec2:ResourceTag/Owner": "userA" } } }

當我使用 userA 登入時, 並且進入 EC2 服務介面選取 instance 時我得到了 You are not authorized to perform this operation. because no permissions boundary allows the ec2:DescribeInstances action


How to allow IAM users to only see resources they have created. Taking EC2 as an example, when IAM userA creates EC2-A and IAM userB creates EC2-B, I want userA to only see EC2-A and not EC2-B. I have tried searching for information online but haven't found any relevant articles. I also tried using Tag to grant permission policies, but without success. Below are the steps of the Tag experiment:

  1. Create TagKey: Owner, TagValue: userA for EC2-A.
  2. Create TagKey: Owner, TagValue: userB for EC2-B.
  3. Add the following permission policy to userA: { "Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*", "Condition": { "StringEquals": { "ec2:ResourceTag/Owner": "userA" } } }

When I log in as userA and navigate to the EC2 service interface and select the instance option, I receive the message: "You are not authorized to perform this operation because no permissions boundary allows the ec2:DescribeInstances action."

asked 2 months ago229 views
1 Answer
0
Accepted Answer

Hello.

The "ec2:DescribeInstances" action does not have "ec2:ResourceTag" as a condition, so it cannot be restricted by tag.
In other words, it is not possible to show only a specific EC2.
I think it is necessary to separate AWS accounts to accommodate such requirements.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html
a

profile picture
EXPERT
answered 2 months ago
profile picture
EXPERT
reviewed 2 months ago
  • Hi, Riku Thank you for your response. May I kindly inquire whether it is possible to conclude that AWS does not provide the capability to restrict IAM users to view only the services they have created?

  • I don't think it's for all AWS services, but at least in the case of EC2, I don't think it's possible to limit "ec2:DescribeInstances" to only a specific EC2.

  • Thank you for your assistance. I will accept this answer.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions