How to allow IAM users to only see resources they have created.




How to allow IAM users to only see resources they have created. Taking EC2 as an example, when IAM userA creates EC2-A and IAM userB creates EC2-B, I want userA to only see EC2-A and not EC2-B. I have tried searching for information online but haven't found any relevant articles. I also tried using Tag to grant permission policies, but without success. Below are the steps of the Tag experiment:

  1. Create TagKey: Owner, TagValue: userA for EC2-A.
  2. Create TagKey: Owner, TagValue: userB for EC2-B.
  3. Add the following permission policy to userA:

     {
       "Effect": "Allow",
       "Action": "ec2:DescribeInstances",
       "Resource": "*",
       "Condition": {
         "StringEquals": {
           "ec2:ResourceTag/Owner": "userA"
         }
       }
     }

When I log in as userA and navigate to the EC2 service interface and select the instance option, I receive the message: "You are not authorized to perform this operation because no permissions boundary allows the ec2:DescribeInstances action."

asked a month ago, 215 views

1 Answer

Accepted Answer

Hello.

The "ec2:DescribeInstances" action does not have "ec2:ResourceTag" as a condition, so it cannot be restricted by tag.
In other words, it is not possible to show only a specific EC2.
I think it is necessary to separate AWS accounts to accommodate such requirements.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html

answered a month ago
reviewed a month ago
  • Hi, Riku Thank you for your response. May I kindly inquire whether it is possible to conclude that AWS does not provide the capability to restrict IAM users to view only the services they have created?

  • I don't think it's for all AWS services, but at least in the case of EC2, I don't think it's possible to limit "ec2:DescribeInstances" to only a specific EC2.

  • Thank you for your assistance. I will accept this answer.
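The following is an added illustration, not code from the question, the answer, or AWS: a small model of the documented IAM condition-evaluation rule that explains the result seen above. When an action does not supply a condition key (ec2:DescribeInstances carries no ec2:ResourceTag/* keys in its request context, whereas ec2:StartInstances, ec2:StopInstances and ec2:TerminateInstances do), a StringEquals test on that key evaluates to false, so the Allow statement never matches and the request falls through to an implicit deny. The policy shapes, the tag-supporting action list (deliberately partial) and the helper names are assumptions of this example.

```python
"""
Minimal model of IAM condition evaluation for a tag-based policy.
Added illustration, not AWS code: it implements the documented rule that a
StringEquals condition on a key absent from the request context is false,
and that no matching Allow yields an implicit deny.  Policy and context
shapes are simplified; only StringEquals is modelled.
"""
import fnmatch
import json

# EC2 actions that put ec2:ResourceTag/<key> into the request context.
# Deliberately partial list taken from the Service Authorization Reference
# for EC2; ec2:DescribeInstances is NOT among them because it supports no
# resource-level permissions or tag condition keys.
ACTIONS_WITH_RESOURCE_TAG = {
    "ec2:StartInstances",
    "ec2:StopInstances",
    "ec2:TerminateInstances",
}


def build_request_context(action, instance_tags):
    """Return the condition-key context IAM would have for this request.

    Tag keys are present only when the action supports them; for
    ec2:DescribeInstances the context contains no ec2:ResourceTag/* entry.
    """
    ctx = {}
    if action in ACTIONS_WITH_RESOURCE_TAG:
        for key, value in instance_tags.items():
            ctx[f"ec2:ResourceTag/{key}"] = value
    return ctx


def condition_matches(condition, ctx):
    """StringEquals only: every key must be present AND equal."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if key not in ctx or ctx[key] != expected:
                return False  # missing key -> condition is false
    return True


def evaluate(policy, action, ctx):
    """Return 'Allow' or 'ImplicitDeny' (explicit Deny is not needed here)."""
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        if stmt.get("Effect") != "Allow":
            continue
        if condition_matches(stmt.get("Condition", {}), ctx):
            return "Allow"
    return "ImplicitDeny"


# The policy from the question, wrapped in a policy document.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "ec2:DescribeInstances",
        "Resource": "*",
        "Condition": {"StringEquals": {"ec2:ResourceTag/Owner": "userA"}},
    },
}


def decision_for(policy, action, instance_tags):
    """Evaluate `policy` for `action` against an instance carrying `instance_tags`."""
    return evaluate(policy, action, build_request_context(action, instance_tags))


if __name__ == "__main__":
    tags = {"Owner": "userA"}  # constructed sample: the tag from the question
    print("DescribeInstances:", decision_for(QUESTION_POLICY, "ec2:DescribeInstances", tags))

    # Same condition on an action that does carry the tag key.
    start_policy = json.loads(json.dumps(QUESTION_POLICY))
    start_policy["Statement"]["Action"] = "ec2:StartInstances"
    print("StartInstances:", decision_for(start_policy, "ec2:StartInstances", tags))
```

Running it prints ImplicitDeny for the question's DescribeInstances policy even though the instance is tagged Owner=userA, and Allow for the same condition attached to ec2:StartInstances; swapping the tag to Owner=userB makes the StartInstances case an implicit deny too. This is the mechanism behind the accepted answer: tag conditions only constrain actions whose request context carries the tag key, so read-scoping of the EC2 instance list cannot be done this way.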
