I want to restrict an IAM user or group’s access to one particular Amazon EC2 resource or group of EC2 resources, and I want to do this for multiple groups of resources on the same AWS account. How can I do this? 

This is not currently possible for all EC2 API actions, but it is for some. Many essential EC2 actions do not support resource-level permissions or condition keys, so isolating the access of IAM users or groups to EC2 resources by any criterion other than AWS Region does not fit most use cases.

Instead, consider linking multiple AWS accounts through AWS Organizations and giving each group of IAM users its own account, so that the account boundary does the isolation.

If you must isolate resources by Region or other conditions within the same account, first check the list of EC2 actions that support resource-level permissions, and the condition keys each of them supports, to confirm that every action your use case needs is covered.

Next, create an IAM policy similar to the following:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:StartInstances",
                    "ec2:StopInstances",
                    "ec2:RebootInstances"
                ],
                "Resource": [
                    "arn:aws:ec2:us-east-1:123456789012:instance/*"
                ],
                "Condition": {
                    "StringEquals": {
                        "ec2:ResourceTag/Owner": "Bob"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": "ec2:Describe*",
                "Resource": "*"
            }
        ]
    }

Replace 123456789012 in the Resource ARN with your own AWS account ID.

Note: Attaching this policy to an IAM user or group allows them to start, stop and reboot only those EC2 instances in the US East (N. Virginia) [us-east-1] Region that carry a tag with key Owner and value Bob, plus read-only ec2:Describe* calls on all resources (Describe actions do not support resource-level permissions, so their Resource must be "*"). Because the policy grants neither ec2:CreateTags nor ec2:DeleteTags, the users cannot retag instances to bring them into scope.

Lastly, create a similar policy for each group of IAM users, changing the Region (and the Owner tag value) for each one.
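The following added example (not part of the original article, and not AWS code) generates one such policy per group and checks it with a deliberately simplified local evaluator. The function names build_group_policy and is_allowed, the account ID 123456789012 and the instance IDs are placeholders chosen for this example; the evaluator models only implicit deny, Allow/Deny statements, wildcard matching and the StringEquals condition on ec2:ResourceTag keys, not the full IAM evaluation logic, so use the IAM policy simulator for anything authoritative.

```python
import fnmatch
import json
from typing import Dict, List


def build_group_policy(region: str, owner: str, account_id: str) -> dict:
    """Return a policy document in the shape the article describes:
    Start/Stop/Reboot only on instances in `region` tagged Owner=<owner>,
    plus read-only ec2:Describe* on everything."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:StartInstances",
                    "ec2:StopInstances",
                    "ec2:RebootInstances",
                ],
                "Resource": [f"arn:aws:ec2:{region}:{account_id}:instance/*"],
                "Condition": {"StringEquals": {"ec2:ResourceTag/Owner": owner}},
            },
            {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        ],
    }


def build_policies(groups: Dict[str, str], account_id: str) -> Dict[str, dict]:
    """One policy per group; `groups` maps owner tag value -> Region."""
    return {owner: build_group_policy(region, owner, account_id)
            for owner, region in groups.items()}


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def _condition_matches(condition: dict, tags: Dict[str, str]) -> bool:
    # Only StringEquals on ec2:ResourceTag/<Key> is modelled. Any other
    # condition key is treated as not matching, which is the safe direction.
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith("ec2:ResourceTag/"):
            return False
        tag_key = key[len("ec2:ResourceTag/"):]
        if tags.get(tag_key) != expected:
            return False
    return True


def is_allowed(policy: dict, action: str, resource_arn: str,
               tags: Dict[str, str]) -> bool:
    """Simplified evaluation: the request is denied unless some Allow
    statement matches action, resource and condition; a matching Deny
    wins over any Allow. Action names compare case-insensitively, as IAM
    does; '*' in a pattern matches any run of characters."""
    allowed = False
    for stmt in policy["Statement"]:
        action_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                        for a in _as_list(stmt["Action"]))
        resource_ok = any(fnmatch.fnmatchcase(resource_arn, r)
                          for r in _as_list(stmt["Resource"]))
        cond_ok = _condition_matches(stmt.get("Condition", {}), tags)
        if action_ok and resource_ok and cond_ok:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed sample: two groups, each confined to its own Region.
    policies = build_policies({"Bob": "us-east-1", "Alice": "us-west-2"},
                              "123456789012")
    print(json.dumps(policies["Bob"], indent=2))
    bob_instance = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
    print(is_allowed(policies["Bob"], "ec2:StopInstances", bob_instance, {"Owner": "Bob"}))
    print(is_allowed(policies["Bob"], "ec2:TerminateInstances", bob_instance, {"Owner": "Bob"}))
```

The checks worth running against a policy like this are the negative ones: an instance with the right tag in the wrong Region, the right Region with the wrong tag, and an action outside the explicit list (TerminateInstances, CreateTags) must all come back denied, while Describe calls succeed for everything.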


Published: 2016-07-20

Updated: 2017-08-26