Naveen Kerati

Reputation: 971

Can not add AWS Resource level permissions to an Particular EC2 Instance

Referring to this Doc, I have created an IAM policy which allows accessing only one EC2 instance, and I have created an IAM user with that policy. But when I logged in with that user into my AWS account I got the error "An error occurred fetching instance data: You are not authorized to perform this operation."

Policy document:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "ec2:*"
                ],
                "Condition": {
                    "StringEquals": {
                        "ec2:ResourceTag/test": "test"
                    }
                },
                "Resource": [
                    "arn:aws:ec2:us-east-1:AccountNumber:instance/*"
                ],
                "Effect": "Allow"
            }
        ]
    }

Upvotes: 0

Views: 306

Answers (1)

Bui Anh Tuan

Reputation: 920

You must add EC2 Describe permissions to describe all EC2 resources, then rely on the other statement to filter resources by tag.
But with this policy, other IAM accounts can still view other EC2 instances without any permission.

Here is what you need.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Stmt1507182214000",
          "Effect": "Allow",
          "Action": [
            "ec2:*"
          ],
          "Condition": {
            "StringEquals": {
              "ec2:ResourceTag/TAG_NAME": "TAG_VALUE"
            }
          },
          "Resource": [
            "arn:aws:ec2:AWS_REGION:AWS_ACCOUNT:instance/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeInstances",
            "ec2:DescribeTags"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Deny",
          "Action": [
            "ec2:CreateTags",
            "ec2:DeleteTags"
          ],
          "Resource": "*"
        }
      ]
    }

Upvotes: 1
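To make the difference between the two policies concrete, here is an added example (not part of the question or the answer) that models, in a deliberately simplified way, how IAM evaluates them. It encodes the three rules the answer depends on: EC2 `Describe*` calls do not support resource-level permissions, so IAM evaluates them against resource `*` with no `ec2:ResourceTag/*` keys available and the question's policy never grants them; an explicit `Deny` wins over any `Allow`, which is what stops the user from tagging other instances into scope; and a `StringEquals` condition whose key is absent from the request evaluates to false. The account id, region, instance ids and tag values are constructed, and the evaluator is a teaching model, not the real IAM engine (it knows nothing of `NotAction`, other condition operators, resource policies or permission boundaries); for a real policy, the IAM policy simulator is the authoritative check.

```python
# Added example: simplified model of IAM evaluation for the two policies above.
# Constructed values; not the real IAM engine.
import fnmatch

ACCOUNT = "123456789012"  # constructed example account id
REGION = "us-east-1"
TAGGED = f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/i-0123456789abcdef0"
UNTAGGED = f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/i-0fedcba9876543210"
INSTANCE_TAGS = {TAGGED: {"test": "test"}, UNTAGGED: {}}  # constructed inventory

# The question's policy: a single tag-scoped "ec2:*" on instance ARNs.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*"],
         "Condition": {"StringEquals": {"ec2:ResourceTag/test": "test"}},
         "Resource": [f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/*"]},
    ],
}

# The answer's policy with its placeholders filled in with the constructed values.
ANSWER_POLICY = {
    "Version": "2012-10-17",
    "Statement": QUESTION_POLICY["Statement"] + [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeTags"],
         "Resource": "*"},
        {"Effect": "Deny",
         "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
         "Resource": "*"},
    ],
}

# EC2 Describe* actions carry no resource-level permissions: IAM evaluates the
# request against resource "*" and no ec2:ResourceTag/* keys are present.
ACCOUNT_LEVEL_ACTIONS = {"ec2:DescribeInstances", "ec2:DescribeTags"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, tags):
    """Model only StringEquals on ec2:ResourceTag/<key>. A key that is absent
    from the request (no tags at all, or the instance lacks the tag) is false."""
    if not condition:
        return True
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith("ec2:ResourceTag/"):
            return False  # unmodelled condition key: treat as not satisfied
        tag_key = key[len("ec2:ResourceTag/"):]
        if tags is None or tags.get(tag_key) != expected:
            return False
    return True


def evaluate(policy, action, resource="*", tags=None):
    """Return 'allow' or 'deny' for one request under one identity policy.
    Order follows IAM: an explicit Deny wins, then any matching Allow,
    otherwise the request is implicitly denied."""
    if action in ACCOUNT_LEVEL_ACTIONS:
        resource, tags = "*", None
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition"), tags):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # explicit deny: stop immediately
        allowed = True
    return "allow" if allowed else "deny"


def console_experience(policy):
    """What the IAM user sees: the instance listing the console needs, plus a
    state-changing and a tagging action against each instance."""
    results = {"ec2:DescribeInstances": evaluate(policy, "ec2:DescribeInstances")}
    for action in ("ec2:StopInstances", "ec2:CreateTags"):
        for arn in (TAGGED, UNTAGGED):
            label = f"{action} on {'tagged' if arn == TAGGED else 'untagged'} instance"
            results[label] = evaluate(policy, action, arn, INSTANCE_TAGS[arn])
    return results


if __name__ == "__main__":
    for name, policy in (("question", QUESTION_POLICY), ("answer", ANSWER_POLICY)):
        print(f"--- {name} policy ---")
        for request, verdict in console_experience(policy).items():
            print(f"{verdict:5}  {request}")
```

Running it shows the question's policy denying `ec2:DescribeInstances` (the console call behind the error message in the question) while still allowing `ec2:StopInstances` on the tagged instance, and the answer's policy allowing the listing, scoping `StopInstances` to the tagged instance, and denying `CreateTags` on every instance because the explicit `Deny` overrides the tag-scoped `ec2:*` grant.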
