
Creating IAM policy in AWS to protect EC2 instances with specific IDs

I am working on a project hosted in AWS. The console is accessed by multiple users. I have created an IAM policy which allows specific users to create instances and volumes, BUT they should not access or see existing instances in the console that have specific instance IDs.

My custom policy is as follows, but it is not working as expected:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "ec2:RunInstances"
         ],
         "Resource":"*"
      },
      {
         "Effect":"Deny",
         "Action":[
            "ec2:StartInstances",
            "ec2:StopInstances",
            "ec2:RebootInstances"
         ],
         "Resource":"*",
         "Condition":{
            "StringEquals":{
               "ec2:ResourceTag/Owner":"Admin"
            }
         }
      }
   ]
}

If you wish to ensure that IAM users cannot see instances created by other IAM users, this is not possible, as the DescribeInstances API does not accept resource-level permissions.

However, you do have an option to restrict an IAM user from performing actions (start/stop/reboot, etc.) on instances created by other users.

https://aws.amazon.com/premiumsupport/knowledge-center/restrict-ec2-iam/

Part 2:

Try using this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:RunInstances",
                "ec2:RebootInstances"
            ],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Owner": "${aws:username}"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "ec2:DescribeInstances",
            "Resource": "*"
        }
    ]
}

Make sure your instance has the required tag key/value pair.

Have you tried using a Deny effect together with the ec2:DescribeInstances action when the string does not equal aws:userid or aws:username, adding an inline policy to the role attached to the instance?

ec2:CreateVolume grants permission to create an Amazon EBS volume. The act of creating a volume is unrelated to an Amazon EC2 instance. A volume is only associated with an instance via the AttachVolume command.

ec2:RunInstances grants permission to launch new Amazon EC2 instances. It is not related to existing instances.

Therefore, neither of these permissions will use a condition that specifies an Instance ID.

To grant permission to view Amazon EC2 instances in the Management Console, use ec2:DescribeInstances. However, a user will either have permission to list all instances or none. It is not possible to limit which instances are returned by a DescribeInstances() call.

If you wish to limit such information from users, then you will either need to create your own "in-between" code that filters the information (so they call your code, which retrieves all instances but only returns some instances), or you could use separate AWS Accounts for each user so that they do not see other users' resources.
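To make the behaviour of the tag-scoped "Part 2" policy concrete, and the point just above that ec2:DescribeInstances can only be granted on Resource "*", here is an added example that is not part of either answer: a small Python simulator of IAM's explicit-deny-wins, default-deny evaluation run against that policy. It models only StringEquals conditions and the ${aws:username} variable; the account ID, instance ID and user names are constructed placeholders.

```python
import fnmatch
import json

# Part 2 policy from the answer above: tag-scoped instance actions plus
# unrestricted DescribeInstances (which has no resource-level permissions).
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:StartInstances", "ec2:StopInstances",
                "ec2:RunInstances", "ec2:RebootInstances"],
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/Owner": "${aws:username}"}}},
    {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"}
  ]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(condition, context):
    """Only StringEquals is modelled; ${aws:username} is filled from the request context."""
    for key, expected in condition.get("StringEquals", {}).items():
        expected = expected.replace("${aws:username}", context.get("aws:username", ""))
        if context.get(key) != expected:
            return False
    return True

def evaluate(policy, action, resource, context):
    """Return 'Allow' or 'Deny': explicit Deny wins, a matching Allow grants, else implicit Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

if __name__ == "__main__":
    # Constructed sample: account ID and instance ID are placeholders.
    arn = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"
    for user, owner in (("alice", "alice"), ("bob", "alice")):
        ctx = {"aws:username": user, "ec2:ResourceTag/Owner": owner}
        print(user, "StopInstances on alice's instance:", evaluate(POLICY, "ec2:StopInstances", arn, ctx))
    print("bob DescribeInstances:", evaluate(POLICY, "ec2:DescribeInstances", "*", {"aws:username": "bob"}))
```

The run shows the owner tag gating Stop for alice but not bob, while DescribeInstances is allowed to everyone holding the policy, since the API cannot be scoped per instance.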
