hvs

Reputation: 536

assign IAM user to access only one EC2 instance

I am trying to apply policy to allow an IAM user to access only a particular instance of EC2. Here is the policy I am applying:

{
    "Statement": [
        {
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:RebootInstances",
                "ec2:TerminateInstances"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:my_account_id:instance/my_instance_id"
            ],
            "Effect": "Allow"
        }
    ]
}

However, the user is unable to see any EC2 instances on the dashboard. What am I doing wrong?

Upvotes: 5

Views: 5770

Answers (2)

Volkan Paksoy

Reputation: 6967

This blogpost addresses your exact problem: https://blogs.aws.amazon.com/security/post/Tx2KPWZJJ4S26H6/Demystifying-EC2-Resource-Level-Permissions

It uses this policy as an example (the same as yours except for the * instead of a specific instance id):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TheseActionsSupportResourceLevelPermissions",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:TerminateInstances",
                "ec2:StopInstances",
                "ec2:StartInstances"
            ],
            "Resource": "arn:aws:ec2:us-east-1:accountid:instance/*"
        }
    ]
}

And updates it as follows to address the "not authorized" problem:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TheseActionsDontSupportResourceLevelPermissions",
            "Effect": "Allow",
            "Action": ["ec2:Describe*"],
            "Resource": "*"
        },
        {
            "Sid": "TheseActionsSupportResourceLevelPermissions",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:TerminateInstances",
                "ec2:StopInstances",
                "ec2:StartInstances"
            ],
            "Resource": "arn:aws:ec2:us-east-1:accountid:instance/*"
        }
    ]
}

Upvotes: 5

mbdvg

Reputation: 2724

You need to add the Describe permission for the user to view the instances.

Upvotes: 3
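A constructed check, added here and not part of either answer, that models why the question's policy hides the dashboard while the two-statement policy from the first answer (and the Describe permission the second answer names) fixes it. It is a toy evaluator of IAM Allow/Deny matching with wildcards only (no conditions, NotAction or permission boundaries), using placeholder account and instance ids.

```python
import fnmatch

# Constructed placeholder account and instance ids, not real values.
ACCOUNT = "111122223333"
INSTANCE = "arn:aws:ec2:us-east-1:" + ACCOUNT + ":instance/i-0123456789abcdef0"
OTHER_INSTANCE = "arn:aws:ec2:us-east-1:" + ACCOUNT + ":instance/i-0fedcba9876543210"

# Shape of the question's policy: a scoped Allow and no Describe statement.
ORIGINAL_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:StartInstances", "ec2:StopInstances",
               "ec2:RebootInstances", "ec2:TerminateInstances"],
    "Resource": [INSTANCE],
}]}

# Shape of the corrected policy: Describe* on "*" plus the same scoped Allow.
CORRECTED_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
    ORIGINAL_POLICY["Statement"][0],
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Toy IAM evaluation: default deny, explicit Deny wins, else any matching Allow.

    Actions match case-insensitively with '*' wildcards; resources match ARNs
    with '*' wildcards. Conditions and boundaries are deliberately omitted.
    """
    decision = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r)
                           for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


def console_can_list_instances(policy):
    # ec2:DescribeInstances has no resource-level permissions, so the console
    # and CLI effectively request it against Resource "*": an instance-scoped
    # Allow never matches it, which is why the dashboard shows nothing.
    return is_allowed(policy, "ec2:DescribeInstances", "*")
```

Note that the Describe statement only lets the user list instances; the scoped statement still restricts Start/Stop/Reboot/Terminate to the one instance ARN.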
