I want to restrict an IAM user or group’s access to one particular Amazon EC2 resource or group of EC2 resources, and do this for multiple groups of resources on the same AWS account. Is this possible?
This is not currently possible for all EC2 API actions, but it is for some. Many essential EC2 actions do not support resource-level permissions or condition keys, so isolating the access of IAM users or groups to EC2 resources by any criterion other than AWS region does not fit most use cases.
Instead, consider linking multiple different AWS accounts through Consolidated Billing and isolating the IAM user groups in their own accounts.
If you must isolate your resources by region or by other conditions within the same account, first check the list of EC2 actions that support resource-level permissions, and the condition keys they support, to confirm that your use case can be covered by this solution.
Next, create an IAM policy similar to the following:
{
  "Version": "2012-10-17",
  "Statement": {
    "Action": [
      "ec2:Describe*"
    ],
    "Effect": "Allow",
    "Resource": "*",
    "Condition": {
      "StringEquals": {
        "ec2:Region": "us-east-1"
      }
    }
  }
}
Attaching a policy like this example to an IAM user or group restricts their access to resources in one EC2 region (us-east-1 in the example above). Create a similar policy for each group of IAM users, using a different region for each one.
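The following is an added illustration, not code from the Knowledge Center page or an AWS library: it generates one region-scoped policy per IAM group (the group names and regions are constructed examples) and runs a deliberately simplified model of IAM evaluation over them, showing that a Describe call from another region, or any non-Describe action, falls through to the implicit deny. Only the `StringEquals` operator and trailing-wildcard actions are modelled; the real IAM evaluator handles far more.

```python
def region_policy(region):
    """Build the page's policy shape, scoped to a single EC2 region."""
    return {
        "Version": "2012-10-17",
        "Statement": {
            "Action": ["ec2:Describe*"],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {"StringEquals": {"ec2:Region": region}},
        },
    }


def group_policies(group_to_region):
    """One policy per IAM group, each pinned to a different region.
    group_to_region is a constructed mapping, e.g. {"team-a": "us-east-1"}."""
    return {group: region_policy(region) for group, region in group_to_region.items()}


def action_matches(pattern, action):
    # IAM action names are case-insensitive; only a trailing '*' is modelled here.
    if pattern.endswith("*"):
        return action.lower().startswith(pattern[:-1].lower())
    return action.lower() == pattern.lower()


def condition_matches(condition, context):
    # Simplified: only StringEquals is supported; a missing context key never matches.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise ValueError("unsupported condition operator: " + operator)
        for key, expected in pairs.items():
            values = expected if isinstance(expected, list) else [expected]
            if context.get(key) not in values:
                return False
    return True


def is_allowed(policy, action, context):
    """Simplified IAM logic: explicit Deny wins, then any matching Allow, else implicit deny."""
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a single statement object, as in the page's policy
        statements = [statements]
    allowed = False
    for st in statements:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(action_matches(p, action) for p in actions):
            continue
        if not condition_matches(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```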
Published: 2016-07-20