Can I restrict the access of IAM users to specific Amazon EC2 resources?

Last updated: 2021-09-23

I want to restrict an AWS Identity and Access Management (IAM) user's or group's access to one particular Amazon Elastic Compute Cloud (Amazon EC2) resource or group of Amazon EC2 resources, and I want to do this for multiple groups of resources on the same AWS account. How can I do this?


Most essential Amazon EC2 actions don't support resource-level permissions or conditions, and isolating IAM users' or groups' access to Amazon EC2 resources by any criteria other than AWS Region doesn't fit most use cases.

Instead, consider linking multiple different AWS accounts through AWS Organizations. Then, isolate the IAM user groups in their own accounts.

If you must isolate your resources by Region or by other conditions within the same account, first check the list of EC2 actions that support resource-level permissions and conditions to verify that your use case is covered by this solution.

Next, open the IAM console and create an IAM policy similar to the following:
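The policy document itself is not reproduced on this page. The following is an added example, not the article's original, that writes a policy matching the description that follows; the tag key Owner, the tag value Bob, the Region us-east-1, and the policy and file names are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the article's own policy document. It writes an
# identity-based IAM policy that allows Start/Stop/Reboot only for EC2
# instances in us-east-1 whose tag Owner has the value Bob. Assumed
# placeholders, to be replaced as the article's note says: tag key "Owner",
# tag value "Bob", Region "us-east-1", and the policy and file names.

# Print the policy document. The Region is enforced by the instance ARN and
# the tag by the ec2:ResourceTag/<key> condition key, so the three actions
# are allowed only against instances that match both.
ec2_owner_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartStopRebootOwnerBobUsEast1",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances"
      ],
      "Resource": "arn:aws:ec2:us-east-1:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Owner": "Bob"
        }
      }
    }
  ]
}
EOF
}

# Save the document and, only if the AWS CLI is installed, create it as a
# customer managed policy that can then be attached to the IAM group.
create_ec2_owner_policy() {
  file="${1:-ec2-owner-bob-us-east-1.json}"
  ec2_owner_policy > "$file"
  if command -v aws >/dev/null 2>&1; then
    aws iam create-policy \
      --policy-name EC2OwnerBobUsEast1 \
      --policy-document "file://$file"
  fi
}
```

The ec2:Describe* actions don't support resource-level permissions, so if the same users also need to list instances, grant those in a separate statement with Resource set to "*".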


Note: Replace the tag key Owner, the tag value Bob, and the AWS Region with values from your environment.

This example policy restricts an IAM user's or group's access so that they can only start, stop, and reboot EC2 instances in the US East (N. Virginia) [us-east-1] Region that have the tag key Owner with the tag value Bob.

Finally, create similar policies for each group of IAM users, using a different Region for each one.

For tagging use cases and best practices, see tagging best practices.