Reputation: 273
Is there a policy action in IAM that will restrict the visibility of resources in the console to only a tagged set? So for example, can I use ec2:Describe with a StringEquals condition for the tag such that a group of users will only ever see the set of EC2 servers their project is using?
Ideally I don't want all users in this VPC to see all servers, regardless of whether they are read-only.
Upvotes: 2
Views: 67
Reputation: 46859
It's not currently possible:
Note: Currently, the Amazon EC2 ec2:Describe* API actions do not support resource-level permissions, so you cannot control which individual resources users can view in the console. Therefore, the * wildcard is necessary in the Resource element of the above statement. For more information about which ARNs you can use with which Amazon EC2 API actions, see Supported Resource-Level Permissions for Amazon EC2 API Actions.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-ec2-console.html
One option you have that might work is to use multiple, independent AWS accounts, so each user can get their own 'sandbox' to play in, but set up consolidated billing so that that aspect of the accounts is shared by one master account.
Upvotes: 1
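As an added example that is not part of the question or the answer above: an IAM policy following the pattern the quoted AWS note describes. ec2:Describe* must be granted on Resource "*" (console visibility cannot be narrowed), while mutating actions that do support resource-level permissions are scoped with the ec2:ResourceTag condition key. The tag key Project and value alpha are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeRequiresWildcard",
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Sid": "ManageOnlyTaggedInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Project": "alpha"
        }
      }
    }
  ]
}
```

The first statement still lets these users list every instance in the account, which is exactly the limitation the answer points out; only the start, stop and reboot actions in the second statement are confined to instances tagged Project=alpha.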