Can I restrict the access of IAM users to specific Amazon EC2 resources?

Last updated: 2019-04-15

I want to restrict an AWS Identity and Access Management (IAM) user or group’s access to one particular Amazon Elastic Compute Cloud (Amazon EC2) resource or group of Amazon EC2 resources, and I want to do this for multiple groups of resources on the same AWS account. How can I do this?

Resolution

Most essential Amazon EC2 actions don't support resource-level permissions or conditions, so isolating the access of IAM users or groups to Amazon EC2 resources by any criterion other than AWS Region doesn't fit most use cases.

Instead, consider linking multiple different AWS accounts through AWS Organizations. Then, isolate the IAM user groups in their own accounts.

If you must isolate your resources by Region or by other conditions within the same account, first check the list of EC2 actions that support resource-level permissions, and the condition keys they support, to confirm that this solution fits your use case.

Next, open the IAM console and create an IAM policy similar to the following:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":"ec2:Describe*",
         "Resource":"*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "ec2:StartInstances",
            "ec2:StopInstances",
            "ec2:RebootInstances"
         ],
         "Resource":[
            "arn:aws:ec2:us-east-1:111122223333:instance/*"
         ],
         "Condition":{
            "StringEquals":{
               "ec2:ResourceTag/Owner":"Bob"
            }
         }
      }
   ]
}

This example policy allows an IAM user or group to start, stop, and reboot only those EC2 instances in the US East (N. Virginia) [us-east-1] Region that carry the tag key Owner with the value Bob. It also allows read-only ec2:Describe* calls on all resources.

Note: Replace the Owner tag value, the account ID, and the Region with values from your environment.

Finally, create similar policies for each group of IAM users, using a different Region for each one.
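As an added example (not part of the original article), the following Python builds the per-group policies described above from one template and checks them offline with a deliberately simplified approximation of IAM evaluation: Allow-only statements, wildcard Action/Resource matching, and StringEquals on ec2:ResourceTag keys. It is not the real IAM engine (no Deny, no SCPs, no other condition operators); the group-to-Region mapping, instance IDs, and tags are constructed sample data.

```python
import fnmatch
import json

def build_policy(region: str, account_id: str, owner: str) -> dict:
    """The article's policy for one group: Describe* everywhere, plus
    Start/Stop/Reboot only on instances in `region` tagged Owner=`owner`."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
            {
                "Effect": "Allow",
                "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
                "Resource": [f"arn:aws:ec2:{region}:{account_id}:instance/*"],
                "Condition": {"StringEquals": {"ec2:ResourceTag/Owner": owner}},
            },
        ],
    }

def policies_for_groups(account_id: str, groups: dict) -> dict:
    """One policy per group; `groups` maps owner tag value -> Region."""
    return {owner: build_policy(region, account_id, owner) for owner, region in groups.items()}

def is_allowed(policy: dict, action: str, resource_arn: str, tags: dict) -> bool:
    """Simplified evaluation: allowed if some statement matches the action,
    the resource ARN, and every ec2:ResourceTag/<key> StringEquals condition."""
    prefix = "ec2:ResourceTag/"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in resources):
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        if all(tags.get(k[len(prefix):]) == v for k, v in conds.items() if k.startswith(prefix)):
            return True
    return False  # no matching Allow: IAM's implicit deny

if __name__ == "__main__":
    # Constructed sample: two groups, each confined to its own Region (account ID is a placeholder).
    policies = policies_for_groups("111122223333", {"Bob": "us-east-1", "Alice": "us-west-2"})
    print(json.dumps(policies["Bob"], indent=2))
    bob_instance = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"
    print(is_allowed(policies["Bob"], "ec2:StopInstances", bob_instance, {"Owner": "Bob"}))
    print(is_allowed(policies["Alice"], "ec2:StopInstances", bob_instance, {"Owner": "Bob"}))
```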