Hide EC2 Instances from other IAM users

Question

We have large number of IAM users ( in hundreds, can increase more then 1000 in future ).

All the IAM users have access to create EC2 instances. Simultaneously around 30-40 users will be working and creating EC2 instances.

In AWS Management Console, an IAM user can see all the instances created by other IAM users as well.

Is it possible to visibly make him see only those EC2 instances which he created and hide all the other instances created by other IAM users?

I do agree that IAM users can give names and tags to recognise their instances. However i am looking for visibly hiding those resources which he has not created.

Answer 1

If IAM policies allowed specifying a required filter, this would be possible. But you can't specify it, so it's not possible.

What you want is called Organizations - You can give each group their own AWS account, so they can see their own billing, etc.

• Reserved Instances can flow from the master account to sub account
• Bills flow from the sub accounts to the master account
• All your users can remain in the master account, you just give them AssumeRole capabilities to view their account.
• You can apply Service Control Policies that prevent sub-accounts from doing things.

You may think management is "easier" with one account - but the opposite is true. Just like you should treat servers as "Cattle not Pets" (i.e. they are disposable), you should think of AWS accounts as disposable. Some organizations give each developer their own AWS account, and only a build server can modify the Staging/Prod accounts via TerraForm or CloudFormation.

Answer 2

What you would typically use for this is resource level permissions. What resources / what you can control varies from API call to API call in AWS. In particular, what you would want is a resource-level permission on the DescribeInstances API call. Unfortunately, AWS does not currently support resource-level permissions on this API Call.